Wednesday, December 10, 2008

Finally

After two years of planning, researching, and working on other things, I finally released something I wanted to release: "Free SSL sniffer". The night I worked on it I decided that I would release it no matter what. I worked until 7am, and when I had something working I uploaded it to the web. That was a long night.

The next day I smoothed some rough edges and went on to submit it to freeware directories. I also made a movie showing how I manage to redirect an HTTPS site to another, but for now I'm not publishing the movie.


Barak

Monday, November 24, 2008

Three new releases

Today was an extremely busy day. I released three new open-source projects to the world, which meant packaging, writing HTML pages and PDF guides, nothing that is really programming :)

The releases are:

TCP/IP Library V5.1

New features are two classes that implement asynchronous TCP encrypted by SSL using OpenSSL (I wrote about it in my first post) and asynchronous TCP encrypted by the Blowfish algorithm.

Aho-Corasick search algorithm

This is one of the best multiple string search algorithms. My friend Eyal and I brainstormed about string search algorithms for parental control. My old algorithm was inefficient, something in the likes of O((k^2)*log(n)), k - number of letters in the searched string, n - the number of words in the dictionary, and now with the new Aho-Corasick algorithm it dropped down to O(n+k), k - number of letters in the search string, k - longest dictionary word length, quite a difference :)

Komodia's Relay

This is an open-source relay that I released a long time ago. I decided to post a compiled version of it today after I used it myself to simulate port-forwarding on my machine to allow a friend to use SSH to connect to a Linux VM (to test a new project of mine).

This was a long productive day, I'm very happy :)

Barak
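The multi-keyword search mentioned in the Aho-Corasick item above, as an added example that is not Komodia's released code: a small byte-level automaton that reports every dictionary word in a single pass over the text. The class name `KeywordMatcher` and the sample words used with it are made up for illustration.

```cpp
#include <array>
#include <queue>
#include <string>
#include <utility>
#include <vector>

class KeywordMatcher {  // added example (hypothetical name): Aho-Corasick over raw bytes, case-sensitive
    struct Node {
        std::array<int, 256> next;  // one slot per byte value: simple, not compact
        int fail = 0;               // state for the longest proper suffix that is a trie prefix
        std::vector<int> out;       // indices of dictionary words ending at this state
        Node() { next.fill(-1); }
    };
    std::vector<Node> nodes_;
    std::vector<std::string> words_;
public:
    explicit KeywordMatcher(const std::vector<std::string>& words) : nodes_(1), words_(words) {
        for (int w = 0; w < (int)words_.size(); ++w) {        // 1. build the trie
            if (words_[w].empty()) continue;                  // an empty word would match at every offset
            int s = 0;
            for (unsigned char c : words_[w]) {
                if (nodes_[s].next[c] < 0) { nodes_[s].next[c] = (int)nodes_.size(); nodes_.emplace_back(); }
                s = nodes_[s].next[c];
            }
            nodes_[s].out.push_back(w);
        }
        std::queue<int> q;                                    // 2. breadth-first pass sets failure links
        for (int& t : nodes_[0].next) { if (t < 0) t = 0; else q.push(t); }
        while (!q.empty()) {
            int s = q.front(); q.pop();
            const std::vector<int>& inherited = nodes_[nodes_[s].fail].out;  // shallower state, already final
            nodes_[s].out.insert(nodes_[s].out.end(), inherited.begin(), inherited.end());
            for (int c = 0; c < 256; ++c) {
                int t = nodes_[s].next[c], viaFail = nodes_[nodes_[s].fail].next[c];
                if (t < 0) nodes_[s].next[c] = viaFail;       // missing edge: reuse the suffix state's edge
                else { nodes_[t].fail = viaFail; q.push(t); }
            }
        }
    }
    // One pass over the text; returns (start offset, word) for every occurrence, overlaps included.
    std::vector<std::pair<size_t, std::string>> find(const std::string& text) const {
        std::vector<std::pair<size_t, std::string>> hits;
        int s = 0;
        for (size_t i = 0; i < text.size(); ++i) {
            s = nodes_[s].next[(unsigned char)text[i]];
            for (int w : nodes_[s].out) hits.emplace_back(i + 1 - words_[w].size(), words_[w]);
        }
        return hits;
    }
};
```

Each input byte costs one table lookup plus the matches reported at that position, so scan time does not grow with the number of dictionary words.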

Tuesday, November 11, 2008

Marketing

Good news, I just finished the newest class that I'm going to publish as part of V5.1 of the TCP/IP library, a symmetrical encrypted socket. I'm using the Blowfish algorithm, since I have a very easy implementation class of this encryption and there aren't any export restrictions. Before using this class I thought of using CryptoPP (http://www.cryptopp.com/) however the "release" version of this library is 18mb which was a big no for me.

There are two kinds of products that you can market: products with existing markets, where you only need to be better than the competition, and products without a market, which means the market is new and you will have to let the market know you exist.

Let's take a case scenario: my friend Zak's product (http://www.reimage.com) fixes the XP OS. Suppose he wants to market his product; he will need to advertise the same way as his competition is advertising, and a good keyword to advertise with would be "XP Repair". I want to advertise my Komodia Redirector (http://www.komodia.com/index.php?page=redirector.html). Which words do I use? How do I reach my target customers? There's no competition; my product is the only one that is on the market. The way I currently market it is by bringing people into my website for information about components that such a product will use, e.g. suppose you come to my shop and buy an engine, gear, oil, fuel, I can assume you want to create a car, so when people come to my site and look for LSP, the Redirector will probably be a product that they will be interested in.

Barak

Sunday, November 9, 2008

In love with my code

A problem I've been having for a long time is the fact that I "fall in love" with my code. I consider myself an artist and my code my art. The problem arises when I'm choosing a path based upon the code I'm going to write: usually I find a certain technology more appealing to me and I use it, but sometimes the time to finish that piece of code will be longer than it would be if I had picked another "less sexy" technology. As I grew up and matured I looked back to the times I made choices which today look like a complete waste of time. I don't regret these choices because I learned new technologies which I wouldn't have learned otherwise.

As an army programmer and as a programmer working as an employee in another company which I was after my army service was over - making such "mistakes" doesn't cost you money, now that I own my own company these mistakes do cost money and avoiding them is a must.

I have many conversations with my friend Zak Dechovich, the founder and CEO of Reimage (http://www.reimage.com/), about marketing and time to market. As an ex-programmer he understands where I'm coming from because he experienced it first hand in marketing his "XP repair" product. In a conversation we had a month ago I told him that I have a product that is 70% ready that can filter traffic based on keywords, and he asked whether I could release something to the market right now. I told him that I can take the redirecting platform (http://www.komodia.com/index.php?page=redirector.html) and start to market this version within a week, and so I did. That was good advice on his part and a wise decision on mine.

Today I made another decision. I have core functionality of an "SSL" hijacker which allows me to inspect and modify encrypted SSL data without alerting the browser, however the communication module I wrote, which is based on shared memory and named pipes, is too slow for me and it has reached a stage where it is so complex that finishing it would take three months. I sat down to see what my alternatives are and found a solution that would enable me to release it in two to three weeks, a good solution that will be more stable than my original one. It's a little "less sexy" but, as the artists of the past, I need to walk the fine line between doing my art and pleasing my patron; my patron is the "bottom line" :)

I'm happy I'm able to make such decisions because using simpler and cleaner technologies means a more stable product, which is easier to understand and maintain. My friend Zak quotes Civilization IV: "A product is perfect when you can no longer remove features from it".

Barak

Wednesday, November 5, 2008

SSL over TCP/IP

This is my first post on Blogspot. This is not my first post ever; I do have a personal blog written in Hebrew in which I'm anonymous. I decided to open this blog to talk about my technical experiences, something I can't do in my personal blog.

So without further ado, let's go into the technical nitty gritty :)

Currently I'm working on a project that needs to take unsecured traffic on one end and send this data using SSL to another secure location. The interception is done using LSP and I've decided to use my redirector product (http://www.komodia.com/index.php?page=redirector.html) as a base platform. Currently the redirector doesn't support SSL and takes and outputs normal traffic; if the traffic is encrypted it can only redirect it as is, and changes will be noted by the initiating or ending party.

So... I thought, let's change the redirector to output SSL on one end, and since I'm an avid user of C++ design patterns and didn't wish to rewrite the "redirector" or refactor the entire code base, I've decided to create a socket class based on my TCP/IP library (http://www.komodia.com/index.php?page=newtools.html) CTCPSocketAsync. Naturally I thought of OpenSSL as the library to use. I researched whether it's possible to use asynchronous sockets and OpenSSL and I came across this nice project (http://www.lenholgate.com/archives/000456.html) that included source code of SSL using asynchronous sockets based on the MFC framework (something I try to avoid, which made me start writing the TCP/IP library back in the days), but it gave me a good start to learn and understand how OpenSSL operates.

I started with compiling OpenSSL. It wasn't hard; I still remember the time it took me to compile the Mozilla/NSS platform, arghhh. I used this nice guide to help me (http://www.devside.net/guides/windows/openssl), then I assembled OpenSSL code on top of a new class called CTCPSocketAsyncSSL (how original). At first some concepts in the sample I learned from weren't clear, however after debugging my code I understood what and why. I took a different approach than the sample: I like to keep infrastructure operations, and I count the SSL handshake as such, under the hood. If the user wants to do something with that, I allow it, but most users don't really care, all they want is Send/Receive and that's it.

After two nights and 1500 lines of code, I got the class to work as an SSL client, and I will finish the class tomorrow to be an SSL server as well. After I got the class working I was excited because I'm planning to release version 5.1 of the library and as far as I know there aren't good open source asynchronous socket solutions (I don't like GPL because it hinders you, you can't use it in commercial applications!) and of course other solutions cost money. V5.1 is going to change this. I think I will release it in one or two weeks; I've still got to finish some other work before I can dedicate the time needed to release the new version.

So now what? I will incorporate the SSL code into the redirector and then I'll see which SSL solution I will deploy on a Linux machine. Would it be a Perl script or the Squid proxy server?

Until next time,
Barak