Thursday, June 17, 2010

Music Editor

Transcribing musical scores from one key to another or from one instrument to another can be painful and somewhat time-consuming. While playing the Cello, I find myself needing to often transcribe music from Violin down to Cello so I can play it as a solo Cello piece. However, finding a musical note editor that allows you to do this easily and cheaply is difficult.

For the past few months I have spent part of my research time each week searching for a good, easy-to-use tool that was highly flexible. I have looked at tools for Linux, tools that run on Mac, and also tools that run on Windows. There are lots of great tools out there, and it seems like a lot of musicians love and use either Sibelius (http://www.sibelius.com/) or Finale (http://www.finalemusic.com/). Both of these are great tools, though somewhat restrictive and very expensive.

Most of the Linux community uses and talks about MuseScore, NtEd, NoteEdit, Rosegarden, Lilypond and a few others. But in the traditional Linux world, most of these tools are either somewhat unstable, lack core features, or are just not intuitive and easy to use.

None of these tools really worked for me, and the ones that got close, were very expensive. The problem was I was looking for a tool that would allow me to move stuff around the score as I needed, something that would allow me to expand a measure or add any type of extra notation details that I wanted to add. Even the idea of just writing arbitrary text to the score proved to be impossible with most tools. I hated the idea of writing the score, printing it out, and then hand writing extra details. I wanted to be able to do it all on the original and have it print out all nice and pretty. Some of the basic things I wanted to be able to do were: 1) add Suzuki style fingering, 2) add notation to keep track of which string I was planning on playing the note on, and 3) add some details to help me remember when I needed to shift or extend and which position it was in.

After trying most of the tools out there I gave up and resorted to the idea that I would just do this the very long way and do it in a graphics program like Photoshop. But then I had the idea that I could just do this in Visio if I had the stencils. It would be pretty easy to make the stencil I needed, it would just take a lot of time. But once I had them it would be super easy to create and edit my scores since I use Visio nearly every day at work and love the flexibility that it offers. So I went looking on the Internet and found a site that had already done a lot of the work for me. Colleen Kobe has created a whole set of Visio stencils for musical score editing. These stencils are wonderful and I will say that the $30.00 she charges is well worth it. I bought the stencils and have been so happy with what I can do with them.

The Visio stencils I bought are called “Staff Scribe” and can be purchased at http://www.colleenkobestudios.com/music.html. After playing around with creating some scores, I love the flexibility that Visio gives. Now some users might not care for the granular controls or the extra flexibility but it works for me. Also some users may complain that it takes a little too long to do basic things; my advice to that is that as you get more comfortable with Visio, it will be faster. Colleen has done a wonderful job building these stencils and I would suggest you get them if you have a copy of Visio and are comfortable using Visio.

After using the Staff Scribe stencil kit for a few days I noticed that a few things were missing and have since created my own add-on stencil to this kit that you can download from here for free. This stencil is designed to be used with Colleen’s Staff Scribe stencils and is not much use without it. Also, I followed her naming convention and have called my stencil “Staff Scribe--Extras.vss”.

I am also attaching some Cello major scale and arpeggio fingering guides that I have recently put together to help young Cello players learn their scales, the notes, and the fingerings.  Enjoy.


Thursday, June 3, 2010

Much Ado About Android – part II

Before we start talking about hacking your Android phone and doing neat little things to it, we need to go over all of the bits and pieces that are needed. Now this series of posts is not designed to be a complete step by step for every Android device out there. It is, however, designed to be a complete walk through of what I did to hack my HTC Magic. My hope is that this will give you the foundation from which you can gather the right information for your device. As we all know, trying to piece this information together from Internet forums can be painful.

NOTE: You need to be really careful when modifying embedded devices like a phone. If you do things wrong, in the wrong order, or if you do not have enough patience you can brick your device. Bricking your device means that you have turned it into a very expensive paper weight and that it is dead and unusable as an electronic device. Make sure you spend some time doing your research into issues that people are having with your specific phone and do not assume that just because it is an HTC Magic like mine that it is exactly the same as mine. Internal motherboards, chips, radios, etc. can be different and you need to gather all of that information. Further, you do this at your own risk and your mileage may vary. I am not responsible in any way for anything that you do or do not do with the information found in these posts. If you brick your phone, I am sorry, but it is not my fault.

Step 1 - The first thing that you are going to need to do is download and install the Android SDK (Software Developer Kit) for your OS. I will be doing all of my examples from Linux, but tutorials are out there for Windows and Mac. You can download the SDK from http://developer.android.com/sdk/index.html. Follow the install guide to get this set up. I installed mine at /local/android-sdk/

Step 2 - If you have an HTC device you will need to download the fastboot tool from the HTC developer site. This download can be found at: http://developer.htc.com/adp.html. Unzip this file to the /local/android-sdk/tools/ directory. You will need to “chmod 755 fastboot” to make it executable too. If HTC did not make your device, then you will need to find something similar from the vendor that made your phone.

Step 3 - Enable the “USB Debugging” feature on your device. You can do this by pressing: The MENU key -> Settings -> Applications -> Development and then enabling USB debugging. This is important as we want to tell the phone that we are going to be doing development on it and to expect commands to be delivered to the phone over the USB connection.

Step 4 - We need to tell our Linux USB stack how to deal with the HTC phone so that we can talk to it via the Android SDK and HTC fastboot tools. You can see documentation for this at: http://developer.android.com/guide/developing/device.html. For Ubuntu 9.04 and 9.10 you can do this by creating the following file: /etc/udev/rules.d/51-android.rules and adding the following line to it:
SUBSYSTEM=="usb", SYSFS{idVendor}=="0bb4", MODE="0666"
Then make the rules file readable by all users by running:
chmod a+r /etc/udev/rules.d/51-android.rules

Step 5 – Gather build information about your phone. You can get this information by pressing: The MENU key -> Settings -> About phone. This information will help you when you need to go look for specific details about your device. My HTC Magic had the following from the factory.
HTC Magic
Firmware version: 1.5
Baseband version: 62.52S.20.18U_3.22.20.17
Kernel version: 2.6.27-357975db herbert@and18-2 #1069
Build number: 2.16.707.3 146733 CL#32934 release-keys
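
The rule in Step 4 uses MODE="0666", which lets every local account open the phone's USB interface while USB debugging is enabled. The following check is an added example, not part of the original post or of the Android SDK: it scans udev rules text for world-writable device modes and proposes a group-restricted form. The sample file is constructed, and the `plugdev` group name is an assumption about the distribution.

```python
import re

# One key/operator/value token of a udev rule, e.g. SYSFS{idVendor}=="0bb4"
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')
VENDOR_KEYS = ("SYSFS{idVendor}", "ATTR{idVendor}", "ATTRS{idVendor}")

# Constructed sample rules file; line 2 is the rule from Step 4 above.
SAMPLE_RULES = '''\
# Android devices
SUBSYSTEM=="usb", SYSFS{idVendor}=="0bb4", MODE="0666"
SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", MODE="0660", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", MODE="0664"
'''


def parse_rule(line):
    """Return the (key, op, value) tokens of one rule; [] for comments and blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    return TOKEN.findall(line)


def audit_rules(text):
    """List rules that assign a device mode with the world-write bit set."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = parse_rule(line)
        for key, op, value in tokens:
            if key != "MODE" or op not in ("=", ":="):
                continue  # only assignments set permissions; == is a match
            try:
                mode = int(value, 8)
            except ValueError:
                continue
            if mode & 0o002:
                vendor = next((v for k, o, v in tokens
                               if k in VENDOR_KEYS and o == "=="), None)
                findings.append({"line": lineno, "vendor": vendor, "mode": value})
    return findings


def harden(line, group="plugdev"):
    """Rewrite one rule to mode 0660 owned by `group` (assumed to exist)."""
    out = re.sub(r'MODE\s*(:?=)\s*"[0-7]+"', r'MODE\1"0660"', line.strip())
    if not any(key == "GROUP" for key, _, _ in parse_rule(line)):
        out += f', GROUP="{group}"'
    return out


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print("line %(line)d: vendor %(vendor)s is world-writable (%(mode)s)" % f)
        print("  suggested:", harden(SAMPLE_RULES.splitlines()[f["line"] - 1]))
```

With the hardened rule, only accounts that are members of the chosen group can use the SDK tools against the phone.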

In my next post I will talk about ROMs, the various boot loaders and how to get more details about your phone, the type of motherboard it has, what kind of radio firmware is loaded, what kind of bootloader it has, etc. We will also get a recovery ROM loaded and installed.

Saturday, May 29, 2010

Much Ado About Android – part I

After years of dealing with completely frustrating and useless Windows mobile cellular devices I decided it was time to jump on the inevitable bandwagon of Google and their Android platform. The reason I chose Android over the iPhone is I like the idea of a little more freedom and while I do not agree with all of Google’s business practices, I appreciate that their prison is a little more accommodating. Now, every technology platform is its own little prison, regardless of what people will even say about Linux or FreeBSD.

When it comes to vendors, hands down, Apple makes the nicest and most comfortable prisons. Microsoft makes functional prisons that appear to work seamlessly so long as you can tolerate all of the constant maintenance, damp infected rooms, and doors that should lead to bliss but only lead to dead ends. The Google prison is very similar to Apple’s but not quite as refined or clean. The trade off is that Google lets you out of your cell from time to time and even lets you share food and toys with your neighbors. And if you are adventurous enough and willing to go through all the hoops you can even leave the prison for short periods of time to go get your own soda and dessert. All in all Apple and Google make very similar and wonderful prisons, but I chose Google Android.

Before I get carried away and you all think I am hook-line-and-sinker in love with Google; Google is evil and stores and tracks way too much information about what we do, what we like, and how we use our computers and the Internet. The reason I am okay with Google compared to the tactics that Microsoft employs is that Google does not force their technology down our throats. Now if Google decided that you could only use their search engine from certain computers, or that you could only access GMail through Chrome, or if they created their own language that you were forced to use to access any of your data stored on their cloud, I would definitely lump them into the Microsoft camp and boycott them. But I digress; this post is not about my views of why and how Microsoft failed when they could have so easily taken over the world.

The phone I purchased was an unlocked version of the HTC Magic (same as the T-Mobile myTouch 3G, just an unlocked version). This phone shipped with version 1.5 of the Android OS commonly referred to by its code name of Cupcake (Version 1.6 has a code name of Donut for example, 2.0/2.1 is called Eclair, and 2.2 is called Froyo). Now as you can see, version 1.5 is really starting to show its age. Eclair is out and Froyo is quickly on its way. So I decided I was going to take Google’s pledge to the test and try and take my phone out for a walk and see about updating its code.

So following all the buzz about newer features and the beauty of the Android platform I spent the better part of the weekend reading and reading and reading about all the bits and pieces that are needed to get your phone “hacked”, “rooted”, and upgraded. Now I must say that there is a LOT of information out there about how to do this and do that, and the folks over at http://forum.xda-developers.com and http://androidcommunity.com have a plethora of information. However, like all things Linux it is a PAIN-IN-THE-BACKSIDE to try and piece it all together. Linux people and developers are often of the mindset that it is out there somewhere in some nasty forum list and that you need to read every meaningless post for hours and hours to find the one nugget of information that you need.

Over the next few days/weeks I am going to write a series of short posts that talk about the various bits and pieces and how they all bolt together so that you do not need to spend hours trying to figure out what is what.

Friday, January 8, 2010

768 bit RSA is Broken!

In today's electronic world nearly all sensitive electronic communication is protected by a process that we commonly know as encryption. To the common user, encryption means SSL and SSL is all there is. In reality, SSL is only one tool in the entire encryption toolkit, and encryption is only one part of cryptography.

When we peel back the layers of the onion, modern encryption is all about mathematical hard problems, meaning that the mathematical functions are easy to process one way and very difficult to process in the reverse without a specific piece of information. Take for example the RSA algorithm that has been protecting internet e-commerce for years and is the common algorithm used for the creation of nearly all digital certificates. At the very foundation, RSA is about dealing with two very large prime numbers. These two large prime numbers are multiplied together to create a new number. This new number is then used in the algorithm to encrypt your data. Now the mathematical hard problem is that given the new number it is very difficult to factor that new number down to the two original prime numbers that created it. Fundamentally all that is protecting your private data and your e-commerce transactions is a mathematical hard problem that is only “hard” until someone comes along and finds a way around it.
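
The dependence of RSA on factoring described above can be shown at toy scale. This is an added example, not code from the original post or from the white paper: it builds a small RSA key pair, then rebuilds the private exponent from the public key alone by factoring the modulus. It uses Pollard's rho for brevity, which is not the method of the 768-bit paper (that work used the number field sieve), and all function names are hypothetical.

```python
import math
import random
import time

E = 65537  # commonly used public exponent


def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n below 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(candidate):
            return candidate


def make_keypair(bits, rng):
    """Return (n, e, d): public modulus, public exponent, private exponent."""
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return p * q, E, pow(E, -1, phi)


def factor(n):
    """Pollard's rho: work grows with the square root of the smaller prime."""
    if n % 2 == 0:
        return 2
    for c in range(1, 50):
        x = y = 2
        g = 1
        while g == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            g = math.gcd(abs(x - y), n)
        if g != n:
            return g
    raise ValueError("no factor found")


def private_key_from_public(n, e):
    """Once n is factored, the private exponent follows immediately."""
    p = factor(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    rng = random.Random(768)  # fixed seed so the run is repeatable
    for bits in (32, 48, 64, 80):
        n, e, d = make_keypair(bits, rng)
        start = time.perf_counter()
        assert private_key_from_public(n, e) == d
        print(f"{bits}-bit modulus factored in {time.perf_counter() - start:.3f}s")
```

Running it prints how the factoring time climbs as the modulus grows, which is the only margin a key size buys.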

On January 7th 2010, a group posted a white paper[1] discussing in detail how they have factored and effectively broken 768 bit RSA encryption. Now, there is no need to go jump off the Golden Gate bridge yet, most all of your banking transactions are currently using 1024 bit RSA or 2048 bit RSA keys. But understand that mathematical hard problems are only “hard” problems until someone finds a neat way of making it no longer a hard problem. If you would like some light reading, the white paper can be found here: http://eprint.iacr.org/2010/006.pdf

So the advice I would give is be careful and always use the latest encryption methods available. Further, never trust people that will make blanket statements to the effect that you have nothing to worry about because it will take billions of years to crack the encryption and that the Sun will have already gone supernova.

[1] Factorization of a 768-bit RSA modulus version 1.0, January 7, 2010, http://eprint.iacr.org/2010/006.pdf

Wednesday, December 30, 2009

Protecting Consumers by Solving Credit Card Theft

Over the past month or so, I have spent a lot of time thinking about the various weak points in the consumer privacy and protection space. Everything from the risks of smart phones, to the increasing risks of social networking, to the never ending problem of credit card theft.

The problem that seems so easy to solve and the one that would have the biggest benefit to not only consumers but financial institutions is to fix the credit card theft problem. When we look at this problem deep down, it is very simple. You use your credit card somewhere and either the clerk or server makes a copy of your account number and CVV code (3 digit code on the back of the card) or the system processing the card stores that information and is later compromised through various malicious attack vectors. Once this account number and CVV is in the hands of someone else, it can be freely used and abused and/or sold to be used and abused by someone else.

The simple solution to this problem is to marry the token code technology that has been providing trusted multi-factor authentication for years into the credit card. Meaning that your credit card would look very similar to RSA's SecurID 900 series token cards, as seen here http://www.rsa.com/node.aspx?id=1158.

Token code technology provides a changing one time use number (called a token code) that is good for 60 seconds and then changes to a new number that is then good for 60 seconds. So in the event that someone did steal your credit card number, CVV code, and they wrote down the current token value that is being displayed on the card, they would have to use that within 60 seconds and they would only be allowed to use it once. After the 60 seconds were up, the token code would not work. This would prevent all credit card number theft and would limit credit card issues to physical theft of the actual card itself.

The token code verification process would work very similar to the way credit card companies will sometimes ask for you to enter your zip code during a transaction to verify that you are the owner of the card. But the token code can not be stolen and reused. It can not be socially engineered. A cyber-criminal would have to physically have possession of the card to use it.
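
The 60-second, single-use check described above can be sketched as follows. This is an added example, not part of the original post and not RSA SecurID's algorithm: it substitutes the openly specified HMAC construction of RFC 6238 (TOTP) with a 60-second step. The `Issuer` class, its method names, the card number and the seed are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds one token code stays valid, as described in the post
DIGITS = 6   # assumed display length


def token_code(seed: bytes, now: float) -> str:
    """Code shown on the card during the 60-second window containing `now`."""
    window = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(seed, window, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Issuer:
    """Hypothetical issuer: holds each card's seed and the last window accepted."""

    def __init__(self):
        self.seeds = {}        # card number -> secret seed shared with the card
        self.last_window = {}  # card number -> last window that was approved

    def enroll(self, card_number, seed):
        self.seeds[card_number] = seed

    def authorize(self, card_number, code, now):
        seed = self.seeds.get(card_number)
        if seed is None:
            return "declined: unknown card"
        expected = token_code(seed, now)
        # Constant-time comparison so response timing does not leak digits.
        if not hmac.compare_digest(expected.encode(), str(code).encode()):
            return "declined: wrong or expired token code"
        window = int(now) // STEP
        if self.last_window.get(card_number, -1) >= window:
            return "declined: token code already used"
        self.last_window[card_number] = window
        return "approved"


def demo():
    """Constructed scenario: one purchase, then the copied code is replayed."""
    issuer = Issuer()
    card, seed = "4000000000000002", b"constructed-seed-for-demo"
    issuer.enroll(card, seed)
    t0 = 1262131200                       # 2009-12-30 00:00:00 UTC
    code = token_code(seed, t0)           # what a clerk could copy down
    return [
        issuer.authorize(card, code, t0 + 5),     # cardholder's purchase
        issuer.authorize(card, code, t0 + 20),    # replay inside the window
        issuer.authorize(card, code, t0 + 90),    # replay after the window
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

One consequence the sketch makes visible: single use per window means a card can complete at most one token-based purchase every 60 seconds.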

Given that token codes can only be used once and they are only good for 60 seconds, this greatly reduces if not eliminates the risk to consumers and financial institutions. However, it does introduce two very solvable drawbacks:

1) You would need to replace all existing cards with token cards, which are not cheap. However, it could be argued that financial institutions spend far more than the cost of the tokens in dealing with fraud each year. Financial institutions could also offer this as a service to consumers and say that for a $10.00 one time fee, we will give you a card that you do not have to worry about the number being stolen.

2) What do you do with quick pay on-line sites like Amazon.com and automatic bill pay sites that allow consumers to store their card on file for quick and easy checkout? To solve this problem there would be an authentication process that would require the consumer to log in to their credit card company's web site and authorize an existing successful token based transaction to be repeatable and tokenless. Therefore you would need to have one successful token based purchase in order to set this up which would guarantee that you were in possession of the card during the first transaction. You could then further set restrictions on how many tokenless transactions from a specific web site or company could be made per period of time or how large of a dollar value could be charged tokenless per period of time.

If credit card companies made this very simple change, it would greatly reduce or eliminate all of the issues with credit card number theft. This could save financial institutions an enormous amount of money each year in dealing with fraud and would increase consumer confidence in the protection of their credit card information.

Thursday, October 1, 2009

A place to start

For the past couple of years I have toyed with the idea of starting a blog where I could illustrate and talk about things that are of interest to me and discuss some of the research I do on a daily basis, however, to this date I have been reluctant to start one. Posting routinely to a blog, like posting to any other form of social network site, carries a high value in my risk matrix. But more on my views of social networking and mass transparent communication at a later time.

While this blog will not be entirely devoted to technical and security related posts, as the first post will illustrate, I do plan on spending a lot of time discussing my day to day research and the risks that we face from an On-line World. For those that have attended or heard one of my presentations at a security or trade show conference, a lot of what I talk about here will be the details behind what I talk about in class.

With that said, I have been wondering how best to start this blog. After a week or so of thought and the experience I had last night at dinner, I find it fitting that I should start this blog talking about food. For those that know me personally, I can hear you laughing as it must seem to you that all I do is talk about food.

The other day an associate of mine had taken me to Anthony's at Point Defiance (http://anthonys.com) near Tacoma WA for lunch and the atmosphere, the views, and most importantly the food was wonderful.

Typically I need to visit a restaurant ten times before I will rate it and or recommend it, but after eating lunch I went ahead and added Anthony's to my google map of places to eat. Lunch was that good. For the curious, I had a halibut dish that was grilled and covered in a white sauce. (Their on-line menus are “samples” and do not list the item I had). Next time I go back I will make exact note of what I had ordered.

My general process and criteria for rating a restaurant is, I look for deviations in quality of the various items on the menu, I look for consistency with a single item across multiple visits, the atmosphere and cleanliness of the facility are important and lastly the overall experience as it relates to the staff and the presentation of the food helps me decide if I will one go back, and two if I will recommend it to friends.

So given my experience with lunch I was really excited to go back and try something else on the menu. So I asked my GPS device where the nearest Anthony's was to my hotel and went there for dinner the following night. My two big tests for seafood restaurants are: 1) can they actually make a good fish-n-chips and 2) are their desserts complements to the subtleties of the fish or do they overpower them.

I arrived at Anthony's HomePort Des Moines around 8:00 PM and very hungry, never a good sign for me on a fully unverified restaurant, but I had high hopes that my lunch at Anthony's was not a fluke. For starters, finding this particular restaurant was very difficult; the signage and lighting were very poor. And once inside, you have to walk upstairs to find the restaurant. The restaurant you walk into on the ground floor is not Anthony's, which makes things very confusing. The hostess that greeted me was nice, though you could tell she was having a really bad day or had brought her woes from home with her to work. The restaurant was nice and though I could barely see out the wall of windows due to the darkness of the night, it was obvious that in the daylight the views would be wonderful.

I ordered Fish-n-Chips and from here things went downhill. My dinner came and I began to eat and much to my frustration the Alaskan Cod was awful. The fish smelled fishy (which I have learned means the fish is not fresh) which does not make sense when the restaurant claims fresh fish and sits on the Puget Sound. The breading on the fish was excessively oily and sticky, which is also not a good sign. The fries were okay, but my stomach was revolting and I was only able to eat about half of my dinner.

When the server came to clear the table I asked for a dessert menu, something I usually do not do till about the fifth visit, but I was hoping for something to remove the taste and fill my stomach. When a restaurant offers a signature dish or a named dish, I usually start with that. This time I ordered their signature dessert, a Blackberry Cobbler. Wow, another disaster of a dish. The dessert comes in a medium sized bowl with a hard crust layer and a massive amount of ice cream on top. Almost like they knew the dessert is not good so they need to add extra ice cream to compensate. The crust tasted like cardboard and was a good ¼ inch thick. The cobbler was so thin it could have been blackberry soup. Definitely not a cobbler and not something I will ever have again.

So while my lunch at their Point Defiance location was wonderful, my dinner at their HomePort Des Moines location was awful. I will try and eat lunch there again before I head home; maybe I can verify if things were really just a fluke on my first visit. But for now it is looking questionable on whether or not they will get a positive rating.

The one thing that just baffles me is how a restaurant like this can mess up Fish-n-Chips. If you can make all of the great cream sauces for Halibut and Salmon dishes, how is it that you can not make a good breading and cook it in hot enough oil so that it does not saturate the food and make it taste like you are eating lard? For the record the best Fish-n-Chips, in my opinion, is at Trolls up in British Columbia, Canada at Horseshoe Bay, and second best place for Fish-n-Chips is at a brew pub in a suburb of Salt Lake, Utah, called Hoppers.