The Bright Brown band and the Marmottard

Some friends have sent me some photos of the concert as I don’t have any camera myself. I might update this post later, but for now this is the only picture I could get that more or less display all five members of the band. Of course the one we see the less is the bassist. Always those fucking bassists, staying hidden, the shadow men.
From left to right:

• Sue san, on guitar and on voice, and also the Bright Brown’s owner;
• Jehan, myself on harmonica and voice (Marmot was here too but he stayed hidden as well);
• Hideki, on drums;
• Blues’n Curtain, which we usually rather call Shimo out of stage, on guitar and voice;
• Gedy, on bass and voice (though I don’t remember if he sang during this concert).

This photo has been taken by my friend Matthew. Other photos of the serie are over there: Jehan blues gig, by Matthew Romaine.
I may update with more photos or videos (or link to them) later when friends send them and when I am not too lazy to upload them.

- day：　7月31日
- open 20:00
- start 20:30
- location：blues bar “Bright Brown”, 中野.東京 (Nakano, Tokyo)

See http://www011.upp.so-net.ne.jp/nakano-BB/schedule/index.html for the details:

Jehan “Takagi” Pages (h,vo)
壮行会パーティー with
BLUES’n CURTAIN (g,vo)
Sue～ (g,vo)
GEDY (b)
中山英貴 (dr)

円1000

And here for direction: http://www011.upp.so-net.ne.jp/nakano-BB/map/index.html.
Very close (2 or 3 minutes walk) to Nakano station (中野駅).

Anyway see you all!

Disclaimer:
this article is the first of several whose goal is to answer, in simple terms, these questions:

When is my internet connection secured? What means “secured” anyway? Can I safely send personal information? My credit card’s number as well?

I recently thought about the fact that securization on Internet is hardly understood even by some computer scientists, so let’s not talk about casual users… Yet we work for the casual user, not for us, so in this article, I will try to explain how it works and why.

I will focus on web examples (what you see in your web browser: Mozilla Firefox, Konqueror, Safari, Internet Explorer, Google Chrome…) as it is probably the most common, hence most understandable, internet usage.^[1]

To understand my point, you have probably seen (though maybe did not take care about) details showing when a shopping/bank website was secured. In Mozilla Firefox for instance, you would get these two signs:

1. a lock logo at the bottom right of the page
2. a blue band in the address bar with the name the website has been “certified” under^[2].

Oppositely badly certified websites will cause your browser to generate a warning.

So what is all this shit? How are connection secured? This article will try and explain this in three posts:

1. In the current post, I explain why the web cannot absolutely be trusted basically.
2. In the next post, I will describe the common solution to the problems and dangers brought to light in the first post.
3. At last I will give some good practices about “how to use the web safely”.

History and state of the arts of the networks

If the newest technologies takes security into account, older ones, which are still the most used didn’t care at all. Thus we know some of the consequences: scams on the internet everywhere, and more direct computer attacks.

Actually attack’s methods are often similar to what has always existed in the world, simply this is a new medium.

Social approach to scam: social engineering

Social engineering is what I would call the “dare-you” method: you come in front of your victim and pretend to be someone else. Maybe have you seen the movie « Catch Me If You Can » (romanticized movie about the youth of an actual guy, Frank Abagnale). That’s it.
In history, it has been done physically, by letter, phone, in any way of communication. Internet is just one of the more recent ones.

You have probably received by emails spams from people pretending being a bank, a famous website ou internet service. Usually they want “you to be wealthy” (which means rather that they want your wealth… for them). That’s one of the internet versions of scam.

Technical approach to scam

Internet has been built over several protocols (computer languages) without any security consideration (as I was saying before). Moreover there is also a physical problem: data communication do anyway go through many “unknown” machines before even getting to the finale recipient.

So first issue: any data sent on Internet can be intercepted, read, filtered.

Moreover Internet use some kind of worldwide web address book which is not really secure as well by default, hence forgeable.^[3]

Second issue: the recipient might not always be who you think it is.

Finally the older “applicative” protocols (actually carrying your data) were not checking whether your data has not been modified upon destination.

Third issue: data may have been modified during transportation

So there is a simple comparison: consider that you were sending a paper letter but you are not sure it won’t be read by some malevolent people (first issue), nor even that it will arrive to the recipient (second issue), or whether it may arrive but changed, all of those without the recipient nor you even being able to notice it. This is how is Internet.
Now just think what you send over Internet: passwords for important stuffs, credit card’s numbers…

Temporary Conclusion

From both those social and technical approaches to trick you, how do you know who to trust? Which website to trust? How to be sure that my data won’t get read?

Two-part answer: first of all, just don’t trust too much, and before you click some link, think a little. Do you trust some random guy in the street who would tell you he would make you rich? Why Internet would be different? Second, I will explain what kind of help is provided by computers in the next article.

[1] Yet the technologies I am explaining here (TLS/SSL in particular, though not only, but these barbarian names are not useful here) are widely used on many modern protocol, not only the web. Jabber/XMPP for instance use them by default.
[2] The name in this blue band is very important. If you think you are on your bank named “my bank” but the blue band shows the address “the-associate-thieves.com” (which could anyway be the real name for many actual banks, I admit), my advice: don’t write your account number in. Even if there has been no browser warning. More on this in the next article
[3] If you are technically knowledgeable (if you are not, I suggest you don’t read), I am of course dealing here with DNS. And when I write it is not secure “by default”, this is because a security extension called DNSSEC exist. It is supposed to fix most security issues in the base DNS, with technics similar to TLS (which I explain in this serie of article) by the way, though it is still hardly deployed. If you want some information about how much the DNS is broken, this post is interesting and not too complicated.

Edit afterwards: this was an old April joke. If ever you come by and read this article, don’t think there is anything true about it. Fortunately!

Great news everyone! After lengthy secret discussions between the XMPP Standards Foundation, Microsoft and Gadu-Gadu (leader of Instant Messaging in Poland), an agreement has been born today. There should be soon an official communique by the XSF but I thought important to relay this wonderful news as soon as I got it. So here it is: the three networks are to be melted into a single one on the following bases:

• The protocol will stay open, hence freely and without any charge implementable by anyone. The technical base is still XMPP’s, yet as some features are being imported from our — from now on — partner-protocols, protected under many software patents, it is now asked that developpers sign a « Non Disclosure Agreement » therefore protecting them from being sued by our partners, providing that these technologies are not disclosed in any publication without the agreement of the XSF, and that they are not used outside of an XMPP related development. Details of this « Non Disclosure Agreement » will be revealed later when the — newly created — XSF’s juridical service will have finished writing it.
• XSF keeps control and decision power over the protocol. But each partner will have from now on a member in the XMPP Council and in the Board of Directors (with no more nor less power than any other member).
• A new XEP has been written, enabling native targeted advertisements through the protocol (thanks to automatic analysis of your discussions — yet remaining of course respectful of your privacy) by hosting servers. We are this way finally creating a sustainable economical environment for XMPP services. Of course as for any XEP, it is not mandatory to implement it but a XMPP client not featuring the advertisement XEP will not be considered fully compliant (note that this XEP has been submitted to IETF to become a RFC) and won’t be anymore displayed on the clients’ official list.
• Jingle, deceptful, will be dropped in favor of the — so more reliable — Microsoft’s VOIP technology.

These changes are planned to be effective as of end of 2010 if anything goes according to the plan. Similar negociations are ongoing with other currently private networks owners, as for instance Yahoo! and AIM (Skype seems to refuse any discussion until now though we would have liked to use their secret VOIP technology instead). So stay tuned for news! This all is such a great step towards our big dream of an open messaging network, without any barrier and border, usable and used by anyone. Of course it implied a few concessions, but this is the price of liberty. Isn’t it?

Asides for minor fixes, here are the three main changes:

• A Wordpress widget has been added, enabling for any Wordpress administrator (even not computer-technically skilled) to add the XMPP feeds in one’s sidebar by simple drag-and-drop. This is part of the reason I redesigned my website a few hours ago with a new themes enabling the widgets (my old theme was coming from a time before widgets)!
• The NET_DNS dependency has been removed for SRV Records support, under the assumption the server is running Windows with PHP 5.3.0 or superior, or GNU/Linux (any PHP version). For BSD (Mac included), the NET_DNS library is still required. Consequently my plugin has an intelligent behaviour, testing then using NET_DNS if available, otherwise the base PHP function when possible, or else it will deactivate SRV support.
• Implementation of the algorithm for dealing with priority and weight of SRV records’ targets as described in RFC 2782. The SRV support is now nearly fully compliant (only the Time To Live parameter’s support still needs to be added).

My own tests succeeded, but I am welcoming any bug report or any feedback, obviously! Do not hesitate.
As a side information, I wanted to inform there exists now a XMPP pubsub reader, the first publicly released, as far as I know: OneChannel, by Process One. Unfortunately my MIPS machine does not handle well flash (and this software uses the Adobe AIR technology) so I am not able to try it out. If anyone out there wants to try and tell me how it reacts to the pubsub messages generated by my plugin, I am wide-eye-opened. Bye!