Sunday, August 14, 2016

The new Bitsum

For those that haven't checked out Bitsum lately, you should really take a look at what they have going on! Their research into macro-level CPU optimization continues to really make a difference!

Thursday, April 30, 2015

Using developer source code revision control tools to keep your server secure

The largest fear of any server admin is a breach. No matter how cautious you are, it can happen. (e.g. 0 day exploit)

One of the ways you can help protect your server is by making sure you keep critical files under version control systems like Git or Subversion (SVN). Then you can monitor for any file system changes, any remote access trojans inserted, etc.. Of course, limitations apply if the server is fully compromised, rootkit style.

After all, these days, a web site *is* indeed a code base.
We at Bitsum do everything we can to keep what limited data we store (basically your name and contact info) secure.

Bing adverts may direct you to malware laden copy of Google Chrome

As we'e seen with VLC and other open projects at adwords, the fraudsters love to rebundle and advertise. They've done the same with Google Chrome at Bing:

Noe that I've written about this several times in few places. Too many blogs, forums, and social networks - not sure where to post any more. Lesson here: Be careful out there!

Thursday, May 2, 2013

How installer bundle companies solicit developers

If you ever wondered how freeware/shareware developers are solicited by installer bundle companies, here's an example I received recently:

Dear Software Developer, Did you know that you could be earning money every time someone downloads your software? 
In fact, hundreds of developers just like you are already turning downloads into profits through partnership with SweetPacks. My name is Limor Garten, and I am a partnership manager at SweetPacks ( 
We create monetization opportunities from software installations through websites such asCNET (, and MetaInstaller. To find out about how you could earn money with every software download, please contact me directly at or leave your details at Thanks very much,J******* M*****SweetPacks Team

It's long past time that companies who sign up for such abusive installer bundles start being penalized for harming the integrity, performance, and overall experience of countless PCs, and contributing to a general lack of trust for all third-party applications.

What are installer bundles?

For those that don't know, installer bundles are those deceptive, unwanted, additional pieces of software, often browser toolbars/add-ons, that present themselves in an intentionally easy to miss little checkbox during installation of some Windows software, particularly freeware and shareware. This terrible industry is so profitable that free, open source software is often repackaged with these bundles, then advertised and distributed by some random 'download site'.

Sunday, April 14, 2013

Binary Interleaving: A technique to obfuscate data structures

Binary Interleaving (or Data Interleaving) is a term I made up to reflect an idea I've been contemplating lately; interleaving the bits of a set of variables into a single binary blob. Any number and types of variables could be interleaved together. Access to variables in the interleaved blob can even be on-demand, with a controller class encoding or decoding variables on the fly.

What in the World?

Data Interleaving is the process of translating any number of variables to a single binary blob by interleaving the bits of the variables. This obfuscates the variables in memory or external storage. The entire blob need not be decoded to access member variables, though it can be for improved performance.


This will help complicate reverse engineering of code. It will particularly deter identifying data types and variables. Plaintext is also well obfuscated with this interleave.

Interleave Map

The variables to be encoded could be defined by an array of byte sizes of those variables and, optionally, pointers to a location in memory to retrieve or store their reconstituted form. In the case of on-demand access to an interleaved blob, individual variables can be decoded and re-encoded on the fly, so buffers for reconstituted storage are optional (though they may be temporarily reconstituted by the controller class as members are modified).

The members of the bitwise interleave can be referenced in the source code via their indices. For instance, index 0 may be MY_VARIABLE_INSTANCE. By passing the variable index to an interleave blob controller class, it knows the size and, optionally, a pointer for constituted storage.

Member data types can be anything. They need not be similar. When one variable ends, it is simply ended. See a few paragraphs below for what happens when a single variable is longer than the others.
    /* member information */
    /* optional pointer to its normal, constituted storage location */
    /*  (for use in encoding and decoding the member) */
    /* and the size of the member */
    class CInterleaveMember
      void *pvConstitutedStore;
      unsigned long nMemberByteSize;
    CInterleaveMember aInterleaveMap[]
      { szSomeString, sizeof(szSomeString) },
      { &nIntegerMan, sizeof(nIntegerMan) },
      { &cMyClass , sizeof(cMyClass) };
    void *pBLOB;  /* interleaved data stored in a allocated blob */
The total size of the blob need not be stored, as it is the sum of all member sizes in the interleave map. The interleave map provides everything we need to know.

The Process

In case it is not clear, the process for the interleave would go something like this: The array of members is 'walked', putting or getting the current bit index from each member variable, advancing to the next bit index after the entire array has been walked. When a member variable is full of bits (exhausted), it is skipped in subsequent interleave iterations (more on long vars later).

For simplicity, let me define a few variables in bits only (not matching above):
    szSomeString 0 1 1 1 0 0 1 0
    nIntegerMan  1 1 1 0 0 0 1 1 1 0 0 1 0 0 0 1
    cMyClass     0 0 0 1

For the interleave, a bit is taken from each variable in succession.
    First iteration of the interleave, get first bit from each ...
     0 1 0
    Next iteration(s), get the next bit from each ...
     0 1 0 1 1 0
     0 1 0 1 1 0 1 1 0

When a Member is Longer than the Others

In the case where one variable is much longer than the others, thus having no pair to encode with, one could use a simple XOR, and/or toss in redundant, unused data from the prior members. Any number of strategies are possible to prevent plaintext storage in the case of an abnormally long variable not having an interleave partner for its ending bits.

Sample Code

For example, the following represents a high-level view of the calls to a fictional class facilitating Binary Interleaving:

    /* These get stored in an bitwise interleave in the binary blob */
    char szSomeString = "Is there anybody out there?";
    unsigned long nIntegerMan = 0x9090;
    MyClass cMyClass("whoopie");
    class CInterleaveMember
      void *pvConstitutedStore;
      unsigned long nMemberByteSize;
    CInterleaveMember aInterleaveMap[]
      { szSomeString, sizeof(szSomeString) },
      { &nIntegerMan, sizeof(nIntegerMan) },
      { &cMyClass , sizeof(cMyClass) };
    /* NOTE: Total blob size is the of members of Interleave Map */
    typedef enum
    } InterleavedVariables;
    void *pBinaryBlob;  /* dynamically allocated blob storage */
    /* Fictional class constructor, passing the interleave map to it */
    /* From the interleave map, it can calculate the total blob size */
    /* then dynamically allocate storage for the blob. */
    CBitInterleaver cBitInterleave(aInterleaveMap);
    /* If the blob is externally loaded, or needs ext stored, we */
    /* may need to get access to the blob buffer. Fictional example: */
    /* We know the blob size from map! The input size is for safety. */
    cBitInterleave.SetBlob(pIncomingBlob, nSrcBufferSize);
    /* Or we can get the blob */
    /* Example to encode or decode the entire blob to constituted */
    /* storage. We already provided the map, and it decodes or encode*/
    /* to the listed pointers.
    /* Example call to decode a member of the array */
    /* We pass it the INDEX into the MAP, and dest buffer */
    /* From the Index of _nIntegerman, we ALREADY know the size */
    /* The out size is for safety. */
    cBitInterleave.GetVariable(_nIntegerMan, &nIntegerMan, sizeof(nIntegerMan));
    /* OR we can use the default storage address in interleave map */    
    /* Example call to encode a member of the array */
    /* We pass it the INDEX into the MAP, and input reference */
    cBitInterleave.SetVariable(_szSomeString, &szSomeString, sizeof(szSomeString));

Thursday, April 4, 2013

Feedly and RSS Subscription Extension

If you use the RSS Subscription Extension for Chrome and want Feedly support, here's how. As some may know, this extension adds a feed icon to any page that offers up RSS feeds. This allows you to easily click to subscribe.

When you click on the icon, there is a drop-down list of available news readers. Right now, only a couple are listed, after the announced death of Google Reader. You can, however, add a new one. To do this, you'll simply need the URL that is used to add feeds to the reader. Chrome inserts the RSS feed URL via a variable replacement (%s). If you don't see this list, you may have selected a default reader, and can access the list via the Options for this extension.

The URL you need is:[action.subscribe

Just paste it in when you click 'Add', and name the reader whatever (e.g. feedly). From that point forward, you have easy access to RSS feeds.

Wednesday, April 3, 2013

Apache mod_qos Server Status

For those that haven't seen mod_qos's server_status page, it's pretty nifty, and allows for some operations right there on the Apache server-status page! This page is, of course, accessible over HTTP at /server-status. for Apache servers where it has not been disabled, and you have access. For instance,

It is a shame that mod_qos has not been ported to Apache 2.4 yet. I am not sure what blockers exist, or if it has been deprecated in its entirety. Perhaps a reader will know...