A couple months ago, while I was trying to make some decent progress on Nuubz, I came to a point where I realized I needed to start and do some serious work on an unrelated project before I could advance what I wanted to work on. In particular, I wanted to move the system/site security forward, which I hope will lead to better comment spam prevention and better all around security. I already had a plan in place; I just needed to actually implement it.

Enter Project Indigo. Or at least *MY* Project Indigo.

Some years ago, while working at a web hosting company, I noticed that people kept trying to break into a site of mine for which I literally had no content. There was a single, simple HTML file saying “There’s nothing here yet.” So, I quickly wrote a script and database to record those attacks. That system has been tracking these attacks for 6 years. Last year, I noticed an abundance of brute force ssh attacks on the server as well, and started recording those in a separate system. I decided to put this data together in a security web site project to help the masses, and myself, but I just didn’t get around to doing it until Nuubz prodded me to do so.

So, I put an old domain name I owned to use and Project Indigo was born. I still have a lot to do on it, including actually providing some useful information beyond some statistics on the home page, but as you can see, it’s receiving live information currently from two virtual private servers. (I’m getting ready to shut one down, however.) There have been over 700,000 SSH attacks detected and reported to the system as of this moment, while only 2,700 “404” attacks. I emphasize “404” attacks because these are just pure page not found attacks; in my honeypot site, these are requests for pages that don’t currently and have never existed on the site, and don’t have any additional attack parameters. There’s another similar attack that I’m simply calling “web attacks” that aren’t yet reported; these are (again on my honeypot sites) page requests with GET, POST, and/or cookie values that were never requested, used, or expected on the site, regardless of whether the requested page has existed or not. (Again, on the honeypot site, most of the pages that have been targeted have never existed.)
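The two categories described above, written out as a classifier. This is an added example, not the honeypot's actual code; the `Request` fields, the `knownPages` list and the sample traffic are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/url"
)

// Request is one honeypot hit; the field names are assumptions.
type Request struct {
	IP, RawURL    string
	Post, Cookies map[string]string // decoded POST fields and cookies sent
}

// knownPages: what the honeypot serves; it reads no GET/POST/cookie values.
var knownPages = map[string]bool{"/": true, "/index.html": true}

// sample is constructed traffic using documentation addresses.
var sample = []Request{
	{IP: "203.0.113.7", RawURL: "/admin/setup.php"},
	{IP: "203.0.113.7", RawURL: "/index.html?id=1"},
	{IP: "2001:db8::5", RawURL: "/login.php", Post: map[string]string{"user": "admin"}},
	{IP: "198.51.100.2", RawURL: "/"},
}

// Classify returns "web" for unexpected GET/POST/cookie values (whether or not
// the page exists), "404" for a bare request to a missing page, else "ok".
func Classify(r Request) string {
	u, err := url.Parse(r.RawURL)
	if err != nil || len(u.Query()) > 0 || len(r.Post) > 0 || len(r.Cookies) > 0 {
		return "web" // unparseable targets are filed with web attacks here
	}
	if !knownPages[u.Path] {
		return "404"
	}
	return "ok"
}

// Tally counts hits per "ip category" key, skipping ordinary requests.
func Tally(reqs []Request) map[string]int {
	out := map[string]int{}
	for _, r := range reqs {
		if c := Classify(r); c != "ok" {
			out[r.IP+" "+c]++
		}
	}
	return out
}

func main() { fmt.Println(Tally(sample)) }
```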

I’m still debating whether I should try to make a business out of this or not, but I’m willing to accept donations. I’ll provide that information when I make it possible to register an account on the site and put a little more polish into it. In the meantime, some attack data is available on Google if you search for “site:prjindigo.com” and machine readable data on a given IP address is available at https://www.prjindigo.com/data/<ip address>.json . Both IPv4 and IPv6 addresses are supported though I’ve only seen a few v6 addresses enter the system at this point. (Be sure to URL encode IPv6 addresses.)

I have created a GitHub repo for the honeypot software, which is still in active development as well, and I’m working on a Go language program to report the data and possibly parse log files to get ssh failure data. (I’m still unsure about using Go to parse that data as the log files may change from OS to OS.) Don’t rush out and clone either repo yet; both depend on client identifiers and encryption keys that depend on having an account at the Project Indigo website, which, as I indicated above, isn’t quite ready for that yet. But I’ll be sure to post here when the time has come.

Over the last week, despite my other obligations, I’ve been a bit busy with my published Android applications. Among other things, I fixed a few annoying bugs in Sylence culminating in a series of releases last week, and today I published the long-awaited update to Gas Up.

I am disappointed in this release, beta 5, of Gas Up however. A feature I spent a fair amount of time figuring out seems to be working on only one of my three Android devices. That feature is the ability to double tap on the map and enter a gas price/station at that location. It works properly on my G1 running Android 1.6, but is missing from my Huawei Ascend (Android 2.1) and Nexus One (Android 2.3.3). I’m not going to dig around and fix this issue at this point; instead I’m going to do a complete rewrite of Gas Up because I have learned a significant amount about Android since I started development on Gas Up nearly a year ago. I’m sure it will be quite some time before I complete the next iteration, but I’m even more sure it will be better than ever.

Although I’m a couple weeks behind on this, I thought I’d note that I fixed the cookie parsing in the HTTP add-on in Themis, and cookie handling is probably working better than ever at the moment. This isn’t to say I’m done with it; I need to go back in and fix a few curious issues with non-standard dates, empty cookie values, and restricting the maximum length of both a cookie name and value, but I can say that it’s significantly better than it was. I’m also considering moving the cookie system into a plug-in of its own; which it originally was.

The reason is that while cookies are only sent over HTTP connections, Javascript can initiate HTTP connections and manipulate cookies as well. This can be somewhat dangerous, and PHP along with other web scripting languages have [relatively] recently started adding a new optional flag to mark cookies as HTTP only to their headers. While I’ve added support for this to the cookie system in Themis, it’s somewhat meaningless at the moment: there’s an old Javascript implementation in the source tree, but it’s completely unused at the moment and isn’t attached in any way to the Themis DOM system. However, once we have a renderer, and Mark is working on that currently, then we will start to need a Javascript interpreter, and that in turn will lead back to proper cookie handling.
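As an added example (not Themis code), the rule behind the HTTP-only flag can be shown as a cookie jar that hides flagged cookies from scripts and refuses script writes to them, while accepting empty values and capping name and value lengths. The `Jar` type, the function names and the 256/4096 byte limits are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

const maxName, maxValue = 256, 4096 // assumed limits; the post names none

type Cookie struct{ Value string; HTTPOnly bool }
type Jar map[string]Cookie

// Set parses "name=value; attrs" and stores the cookie. fromScript marks a
// document.cookie write, which may not create or replace an HttpOnly cookie.
func (j Jar) Set(s string, fromScript bool) error {
	parts := strings.Split(s, ";")
	nv := strings.SplitN(strings.TrimSpace(parts[0]), "=", 2)
	if len(nv) != 2 || nv[0] == "" || len(nv[0]) > maxName || len(nv[1]) > maxValue {
		return fmt.Errorf("rejected %q: no name or over the length limit", s)
	}
	c := Cookie{Value: nv[1]} // an empty value is accepted
	for _, attr := range parts[1:] {
		c.HTTPOnly = c.HTTPOnly || strings.EqualFold(strings.TrimSpace(attr), "HttpOnly")
	}
	if fromScript && (c.HTTPOnly || j[nv[0]].HTTPOnly) {
		return fmt.Errorf("script may not set HttpOnly cookie %q", nv[0])
	}
	j[nv[0]] = c
	return nil
}

// View lists cookies by name; HttpOnly ones are left out when a script reads.
func (j Jar) View(forScript bool) string {
	var out []string
	for name, c := range j {
		if !(forScript && c.HTTPOnly) {
			out = append(out, name+"="+c.Value)
		}
	}
	sort.Strings(out)
	return strings.Join(out, "; ")
}

func main() {
	jar := Jar{"theme": {Value: "dark"}} // constructed cookie values
	jar.Set("sid=abc123; Path=/; HttpOnly", false)
	fmt.Println(jar.View(false), "|", jar.View(true), "|", jar.Set("sid=x", true))
}
```

Both script-side refusals match the storage rules in RFC 6265, which tell a user agent to ignore a cookie from a non-HTTP API when it carries the HttpOnly flag or would replace a cookie that does.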

In addition, I’m now faced with adding configuration options for the cookie system, and it would be easier to manipulate those settings in the preferences window if the cookie system was in its own separate plug-in. This isn’t going to happen tomorrow, so don’t worry about it right now, but this is going to be a change in the future.

On other subjects, thinking about Javascript has got me wondering if Themis should use the binaries that are currently in the repository, try to get updated versions compiled, try to use a different existing Javascript implementation, or write our own. I had hoped to use V8 from Google’s Chrome, but it requires GCC 4 which isn’t available on BeOS though it is available on Haiku, but I haven’t managed to get it compiled due to a series of oversights within the Haiku community. I’m not going to put blame on any one person or organization, but I will say that getting scons working seems to be impossible on Haiku, so I can’t even test V8 at this point. Also, since the Themis project is about learning browser design, I’m leaning heavily on the “write our own” side of things now, though it would probably take years to get a version that’s as complete as today’s Javascript demands, and then I’d be playing catch up forever. Still, that’s on my mind…

As of today, this semester is over for me and I am already working hard again. While I haven’t touched Gas Up today, I have started on another project I’ve been meaning to do for a while now. This new project is called Sylence and is fairly simple and straight-forward: it is a scheduler for silencing your phone. For more than a year, I had been using FoxyRing to silence my phone as needed, taking advantage of the widget that would let me silence my phone for up to 5 hours at a time, but I found that I would occasionally forget to use it before I entered a class. So, I did the logical thing, and wrote the author(s) to ask them to add a scheduling feature. Let’s just say I got a negative response, and I’m still not sure why.

So, for months I mulled over the idea of writing my own, but didn’t do anything about it. Tonight, after watching the FoxyRing service crash yet again for no apparent reason, I uninstalled the app, and vowed to do something about it. Since I just finished my finals today, I got started on the app. At this point, I don’t know if I’ll make it free or attach a low price (I’m figuring around $1.00), but I’ll be putting it in the Android Market as soon as I deem it done, or at least done enough to use. Eventually I think I’ll add a widget similar to what FoxyRing offered, but right now I’m not sure how far I’ll push this new little app.

On the Gas Up front, I will be doing some heavy coding on it in the next week, and I’m going to try to get Beta 5 out and about by the end of next week.

Earlier this evening, out of the blue, I get an email from AppsLib.com indicating that my registration for the site was successful. A few minutes later, I got an email stating that Gas Up had been uploaded for review, potentially making it a “Vetted” app for the ArchOS tablets.

The problem is, I didn’t register with AppsLib.com, nor did I upload a copy of Gas Up to them for review and testing. This wouldn’t be a problem if Bad Luck Software were a real company, with employees, but considering that all of BLS consists of me, my imagination, and my often tired [if not broken] fingers, this is a bit of a problem.

What I think has happened is that they have somehow managed to skim applications en masse from the Android Market, and automatically started the registration process and approval process on hundreds if not thousands of apps found there. Now, considering that I haven’t yet completed beta 5 of Gas Up, which will offer some stability improvements among other things, I wouldn’t bet on it passing any serious testing such as ArchOS/AppsLib may be planning. So why would I submit it for such testing?

What’s even funnier is that as I wrote that last paragraph, I got another email stating that Gas Up runs properly on Archos Tablets. In fact “Suzane” said “Your application is very funny and well done!” While I like to think my sense of humor is pretty good, and that the stories I write have some amount of twisted humor, personally I don’t find anything funny about Gas Up.

Well, getting around to the point of this little entry, I’ve now sent them two emails requesting that Gas Up be removed from AppsLib.com because I didn’t authorize it to be distributed through any means other than Android Market. Perhaps if they had contacted me first, requesting permission to add it to their application marketplace, or for me to join them and do the upload myself, I might have considered allowing it. Yes, Gas Up and I could benefit from additional distribution avenues, and it might even be important if Gas Up were a paid application. But I’m committed to keeping Gas Up free for as long as I develop and own the rights to it. (I will acknowledge that the more people use it, the higher the chances are that I’ll get donations, but I’m trying to make a point here…) Just grabbing my app from the Market or from an installed device, uploading it, and then sending me emails like this is something I asked for amounts to piracy and fraud. And it ticks me off that a company trying to be legitimate would go about something this simple the wrong way.

I’m not impressed by this, and though I had thought to buy an Archos tablet at some point, I’m now going to steer clear of them.

8/17 12:33 am Update: At approximately 5 am, Monday August 16th, I received an email stating that Gas Up would be removed from AppsLib.com, and as of now at least it is indeed gone. After a weekend of thinking about this, I really wish they had taken a different approach to getting my app on their systems; if I had been approached first, I’m sure they wouldn’t have gotten my ire, and I wouldn’t have had to worry and wonder about the steps necessary to get it forcibly removed from their systems if they failed to cooperate.

I just posted the latest beta release, #4, of Gas Up to the Android Market. This version should end the crashes that no one’s been mentioning, but that I myself have been experiencing in the emulator as well as on my Nexus One when exiting the app. While this version of the application may not appear to be any different from the last release, it should be more stable, perhaps a bit quicker, and update more frequently. In addition, there’s a new feature for Android 2.0.1 users or above: when you tap a gas station, you will have the ability to use Google Maps or Navigate (depending on which you have installed) to navigate to the tapped gas station. Android 1.6 and 2.0 users will not have this option.

I just managed to get Gas Up to the final functionality milestone! I still need to go through it, and fix a number of issues and rework a few things, but Gas Up can now submit, retrieve, and display gas prices in the displayed map area.

If I had beta testers, I’d be urging them to test out this build _

This is just a quick status update on Gas Up…

The basic application concept is nearing completion, and I’ve managed to get server data to the app and properly processed once there. I’ve still got a lot of server-app communication code to work out and implement, but everything is going pretty smoothly. The biggest headache I’ve had so far was getting a spinner (drop down menu) control to get data from a content provider (database access point more or less) and display it properly. With the exception of one line of code, my code was correct. The problem was that I was under the impression that the spinner needed me to provide a text view which it would use to write data; it turns out it already has one, and I had to specify it in just the right place… Needless to say, that wasted about two days of my development time…

Nonetheless, I’ll post a pair of screen shots here later.

Oh, and I’m having trouble finding people to test the application and be early adopters… Maybe it’s just that I’m not drawing much attention to this site (as in none at the moment), or perhaps it’s that I’m not using the proper marketing methods. I’d hate for this app to get uploaded to the Android Market with absolutely no data but that little amount I can put in myself… The comments and ratings will be brutal, but ultimately I don’t really care about those right now. Once the app is live, and people are hopefully entering data on a regular basis, then I’ll care.

Screen shots as promised. The first is a screen shot from my Nexus One. It’s showing an overlay icon somewhere over Mexico, but that’s beside the point. The screen shot is merely to give an idea of what to expect… 🙂 With this screen shot, you see two of the three tabs that are present in the application; the third one, Donate, is currently disabled despite being complete. (There’s just no point in having the donations system enabled when the application has no data and no users.)

The application starts up on the Stations tab and theoretically will display gas stations within the viewing range of the map. Scroll the map around or zoom in and out, and the results will change. Eventually.

The second tab, Submit Price, is shown in this screen shot from the emulator. (I don’t have that screenshot app on my phone, yet, and I didn’t want to take a screen shot that would include my home address, so I used the emulator and the longitude & latitude of a gas station known to me.) This tab includes everything you need to submit a gas price back to the system. ALWAYS SUBMIT THE PRICE WHILE YOU ARE AT THE GAS STATION! Note the address listed for “Associated Address”. This is submitted to the server as the recorded location of the gas station being entered. Unless you want to share your address with everyone, submit at the gas station! (Admittedly, no one will know it’s your particular address, but I won’t be held responsible for angry and confused gas seekers showing up at your house in the middle of the night.)

I finally gave in and decided to stop trying to code a kick-ass site from scratch for myself and my development interests, and instead use something off the shelf. By doing so, I should be able to keep in touch a lot better with those that are actually interested in what I do programmatically.

Anyways, this summer I’m keeping myself extremely stretched thin as I wait for the Fall 2010 semester to begin at Oakland University. I’m working with someone on a social network that I shall henceforth mention very little until it’s ready to launch, trying to get back into development on Themis, working on developing a dating web site from scratch, and probably a few other things that I’ve forgotten to mention.

Nonetheless, I’m open to working on other projects as well, especially paying ones. So be sure to let me know if you’ve got something you’d like my eyes on.