The Slow Read DoS Attack That Penetrates CloudFlare.

As a hobby I study cyber security and hacking, and one thing that really fascinates me is Denial of Service (DoS) attacks. Of these, the ones I’m really interested in are the Denial of Service attacks that use a single computer or a very small number of computers to take a website offline; this is quite the opposite of LOIC or HOIC, used by Anonymous, which need hundreds, maybe thousands, of computers to take down a website.

Today I stumbled upon a new tool, the slow read DoS tool, which first appeared on the internet at the beginning of this year.

SlowHTTPTest (slow http read) is a highly configurable tool that simulates some Application Layer Denial of Service attacks.

It implements the most common low-bandwidth Application Layer DoS attacks, such as slowloris, Slow HTTP POST and the Slow Read attack (based on the TCP persist timer exploit), which work by draining the server’s pool of concurrent connections, as well as the Apache Range Header attack, which causes very significant memory and CPU usage on the server.
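A slow read client ties up a connection by accepting the response far more slowly than the server can send it, so the defender's signal is a connection with data still queued, almost nothing acknowledged, and many such connections from one address. The following is an added example, not code from SlowHTTPTest or from the original post; the record format, thresholds and pool size are assumptions, and the sample lines are constructed.

```python
"""Flag likely slow-read clients from per-connection send statistics."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds; tune them against real traffic before alerting on them.
MIN_SEND_RATE = 1024     # bytes/second a healthy client is expected to drain
GRACE_SECONDS = 10       # ignore connections younger than this
MAX_STALLED_PER_IP = 3   # stalled connections tolerated from a single address
POOL_SIZE = 16           # hypothetical size of the server's connection pool

# Constructed sample. Hypothetical format, one connection per line:
# client_ip seconds_open bytes_pending bytes_acked zero_window_events
SAMPLE = ["198.51.100.7 120 200000 3000 40"] * 5 + [
    "192.0.2.10 30 0 500000 0",      # finished download, nothing queued
    "192.0.2.11 45 50000 20000 2",   # one genuinely slow client
    "192.0.2.12 4 100000 0 1",       # too young to judge
]

@dataclass
class Conn:
    ip: str
    seconds_open: float
    bytes_pending: int        # response bytes still waiting in the send buffer
    bytes_acked: int          # response bytes the client has acknowledged
    zero_window_events: int   # times the client advertised a zero receive window

def parse(line):
    ip, secs, pending, acked, zero_win = line.split()
    return Conn(ip, float(secs), int(pending), int(acked), int(zero_win))

def is_stalled(c):
    """True when the server has data to send but the client is barely reading."""
    if c.seconds_open < GRACE_SECONDS or c.bytes_pending == 0:
        return False
    rate = c.bytes_acked / c.seconds_open
    return rate < MIN_SEND_RATE and c.zero_window_events > 0

def slow_read_suspects(lines, pool_size):
    """Return (addresses over the per-IP limit, share of the pool held stalled)."""
    stalled = defaultdict(int)
    for line in lines:
        c = parse(line)
        if is_stalled(c):
            stalled[c.ip] += 1
    suspects = sorted(ip for ip, n in stalled.items() if n > MAX_STALLED_PER_IP)
    return suspects, sum(stalled.values()) / pool_size

if __name__ == "__main__":
    suspects, share = slow_read_suspects(SAMPLE, POOL_SIZE)
    print("suspects:", suspects, "pool held by stalled connections:", share)
```

The single slow client at 192.0.2.11 counts toward pool pressure but is not reported as a suspect, which is why the check combines a per-connection rate with a per-address count.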

I showed the tool to one of my best Twitter followers, @sambowne, who tested the attack, and the results are quite surprising because CloudFlare failed to detect the attack.

You can read Sam Bowne’s results from testing the slow read DoS attack here: http://samsclass.info/123/proj10/slow-read.html

 I found that this tool did not render the server unavailable with the settings in the man page, but it did consume a lot of resources.

The surprise to me was that CloudFlare did not protect me. My overall security level at CloudFlare is “Low”, however. Higher settings may provide more protection.

CloudFlare was quick to respond :

The attack can be made more powerful by using more threads and by increasing the number of computers running the slow post attack, so it is still possible to use this tool to take down a website. This has been the latest trend in Denial of Service attacks: using flaws in the HTTP protocol to make websites inaccessible to others, rather than taking the whole server down as a DDoS attack does, which can now be stopped using CloudFlare.

On the other hand, what if Anonymous hackers sent this tool instead of LOIC to their followers? That could be interesting too.

Update: Sam Bowne has tested other methods of attack with the Slow Read DoS tool and posted his results on his blog. Here are the results summed up.

  • Slow Read Attack: Doesn’t stop the server; Cloudflare doesn’t provide protection.
  • Range Header Attack: Completely stops the server; Cloudflare provides effective protection.
  • Slow Post Attack: Completely stops the server; Cloudflare provides effective protection.
  • Slow Loris Attack: Completely stops the server; Cloudflare provides effective protection.

And thanks for all the interesting Twitter replies I got for this; I couldn’t read them until this morning because TweetDeck went down.


Sony Xperia™, Made of Imagination

Just stumbled upon this Ad about Sony Xperia on my Google+ stream, it’s a really neat video, simple yet creative. Currently Sony is making some really good smart phones thanks to Android. Feel sad about what’s happening with Nokia, they didn’t make the right moves at the right time. And Sony is now on a roll.

Nokia never switched to Android when they had the chance, they released a series of cheap mobile phones, when they should have released good smart phones. Let’s hope they can bounce back with Windows Mobile, because Nokia got the hardware and the phones are as good as they get, Lumia 900 looks really great.

Directed by Wes Anderson, this stop-motion animation spot portrays an 8 year old’s perspective. Do you find the ad to be made of imagination as the title claims?

Do Start-ups Really Cost You Money? Money Vs Ideas.

This post is a follow-up to my previous post, “Why I Didn’t Like The Colombo Hackathon”. With the overwhelming responses and contrary ideas, I decided to write this follow-up post to describe my idea even further, so if you can’t understand some parts of this post, I suggest you first read my previous post linked above.

First to begin the post with some facts :

The idea that won at the Colombo Hackathon is nothing new even to this country. It’s already successfully being implemented in Sri Lanka by a budget taxi company, and ironically the people who worked on it or voted for it never knew that it’s already successfully up and running, so much for discussing your ideas with other people. The other thing is that the program was developed by a single person, so much for having a team to build your start-up. – A program was aired about this system on national television in late 2011 (if my memory is correct)

First thing that I have to clarify is that I know innovation is not making something totally new.

Google was late to search, Facebook was late for social networking, Apple was late for music. Being late is nothing, just do it. – A meme on the internet

But what makes your idea a winning idea? Your idea needs to have an edge on what’s already there, something that lets you say this feature makes us a killer compared with the rest that came before us; for you to have an idea like that you need to be innovative in some ways. That ‘idea’ is the thing that everybody is after, and holds the value of the start-up. This is the thing that most people with money lack: they have money but don’t have the killer idea. So people who have the money are always out there searching for a killer idea.

Having said that, in this post I want to touch on a thing that most pro-hackathon people said:

  • You need money to implement your idea.
  • Having an idea is not enough; you need VCs, and money from the investors.
  • You have to be an insanely rich kid to start a start-up on your own.

Or is it? Do you really need to have some big bucks behind you? Or is your idea more important than money?

If you look at the predictions in the start-up arena the predictions for start-ups aren’t that bad. Actually these are not my original thoughts and are predicted by start-up blogs like TechCrunch.

  • With the development of technology and the competitiveness in the field, the cost of a start-up is getting lower day by day; the price you have to pay for hosting is getting lower every day while storage and server power increase. Therefore you can now buy better hosting and more powerful servers for a small amount of what you had to pay a decade ago, and these costs will fall further in future.
  • The technology for building a start-up is getting easier year by year. Now, with languages like Ruby On Rails (I’ve never tried Ruby but most people say it is easier than Java) and PHP, you need less programming knowledge to build your start-up. This too will get easier in future, and an average Joe will be able to build their own start-up. Even now you need fewer coders to build a good start-up than a decade ago.
  • With the advancement of social networks you don’t need any branding or advertising; you can reach millions of users in little time for free with social networking. Without YouTube JB wouldn’t be here; JB didn’t even need a producer to get the attention of others. (Don’t wanna explain this because I think you know how JB got famous.)

These are some of the reasons that have helped to increase the number of start-ups that are appearing every day. As the costs go down, the need for money to kick-start a start-up is less. Just think about it: isn’t it easier and cheaper for you to start a start-up now than a decade ago? A decade ago an idea was not enough, you needed to have financial backing, but now it’s the other way round, you don’t need funding to start a start-up.

So what makes you a winner today is not financial backing but finding the opportunities out there and coming up with a killer idea, it doesn’t have to be new, but has to be better than what’s already out there.

Some of the best examples are TechCrunch, Mashable, and TheHackerNews.

TechCrunch was started by Michael Arrington as a personal blog. At that time it was the start-up boom, and he saw the opportunity out there for a blog to cover start-up news. He ended up founding TechCrunch at his home, and it is now the second best tech blog on the internet, now owned by AOL.

Mashable was started by a college drop-out, Pete Cashmore, at his home. It was the beginning of the social networking era and he saw the opportunity for a blog to cover the news of social media; he ended up founding Mashable and now it’s the number one tech blog on the internet.

TheHackerNews is the recent success, founded by an Indian (sorry, I can’t remember his name). With the rise of Anonymous and Wikileaks he found there was an opportunity for a site to cover hacking news, and he founded TheHackerNews. It’s not as big as Mashable or TechCrunch but still it’s the go-to place for getting news about hacking. I think this was such a hit in such a quick time that it’s more successful than the start-ups of all the local start-up gurus who are talking so highly about VCs.

I took these blogs as an example because they require no coding power and don’t cost a thing (except for the domain).

These are only a very few examples; none of them had any start-up cash, none of them had any big VCs behind them, none of them needed huge coding power. What they needed was only a good idea, a killer idea; they saw the opportunity and grabbed it with both hands.

So if you still believe that you need huge funding or coding power to build a start-up, I think you are mistaken, what you need is the idea and execution and now the execution doesn’t cost you a huge sum of money. And people who have money but don’t have killer ideas are ready to pay you any sum of money in return of your idea once it has become stressful, or else it’s better to steal that idea spending fewer amount of money at the start-up level or else when it’s still an idea.

As ipv10 commented in the previous post,

If the people who went to hackathon are thinking that you did something awesome, why couldn’t you do it before? Without getting excited, just relax and think.  – ipv10

Forget the hackathon, forget everything and think: why couldn’t you do it before? Can’t you find like-minded people to get feedback? Are there only 75 influential people in the IT sector in Sri Lanka? I think not.

It’s the idea that holds the power of a start-up, and sometimes that idea alone can make the difference without costing you a dollar.

Anything is possible just keep thinking.

Why I Didn’t Like The Colombo Hackathon.

Winklevoss Twins

The first ever Colombo hackathon is now over. I first read about the hackathon from indi’s blog post about the event, at first I was really excited about the event because I’m a fan of start-up culture, a thing that is lagging in Sri Lanka. However that only lasted until I heard about the financial backing of the event and the idea behind the event.

I followed the hackathon very closely from the beginning. I know you can’t organize such an event without financial backing; however, the hackathon was presented as a non-profit event organized to encourage people in building their own start-ups. There was no mention of the VCs behind it, even on the hackathon website. It was only from a blog post by indi that I got to read about the people behind the event and the idea behind it.

There’s also an exit, ie, you can cash out, theoretically. Venture Engine is looking for business proposals which get polished and put in front of actual investors, including the Indian Angel Network.

Yes, I know you can’t start a start-up by yourself, you need funding, money and the people to work with, and you can’t build a start-up without telling your idea to anyone. But, there is a right time to tell your idea to the world, and you have to be very careful when you present it to investors.

Facebook beat MySpace down under, but one must not forget about the start of Facebook: it was the Winklevoss twins who gave Mark Zuckerberg their idea about making a social network, and asked Mark to help with the twins’ project. Mark Zuckerberg stole that idea and used it to make Facebook. The Winklevoss twins told their idea to the wrong person at the wrong time, and the end result was disaster for the Winklevoss twins. What if the Winklevoss twins hadn’t told their idea to someone like Mark Zuckerberg and had gone on to build a social network? The outcome might have been different.

That’s why people need to think twice when revealing their ideas to someone, and the hackathon is not a good place to reveal your ideas with investors around; turning the idea into a start-up and then going for VC is better, in my opinion, than showing the idea to everyone. There is a clear difference between an idea and a start-up.

The way to beat an idea is to come up with a better idea. But once you are up and running, it’s harder even for a better idea to beat you. This is why no matter how good Google+ is it still can’t beat Facebook, because Facebook is up and running and it’s hard to take the people away from Facebook.

Can you build a start-up within 36 hours? No, what you can build is an idea and a business model. And revealing your idea to everyone, especially to investors, is not a good thing. So what guarantee is there for the start-ups that their ideas won’t be stolen? There is no guarantee that your idea won’t be stolen and used to build something better than your idea.

However, it’s too early to comment right now without knowing what happened to the start-ups. I might be wrong, but I’m not the only one with this opinion. For now I’m not a supporter of this hackathon.

UPDATE:

This is the whole point of writing this post. “You need to commit to it and execute”, that’s right, but if you reveal your idea to everyone even before starting it, then someone else will steal your idea and you’ll end up as a Winklevoss twin.

UPDATE 2:

I think most people have missed my point in this post. I never told anyone to work in isolation, or not to get feedback from others, or not to collect funding for their projects. All I said was that the time and place (cmbhackathon) is not right for an idea to be presented to everyone. Do you need a hackathon to present your idea? Can’t you find like-minded people without coming to a hackathon? After all, an idea is an idea.

And ipv10’s comment also makes a valid point I missed before :

If the people who went to hackathon are thinking that you did something awesome, why couldn’t you do it before? Without getting excited, just relax and think.  – ipv10

Post Colombo Hackathon post at RandomCoding : http://randomcoding.com/2012/03/working-in-a-vacuum/

Indi’s blog post about the hackathon : http://indi.ca/2012/03/colombo-hackathon-cmbhackathon/

Challenging The Challenge.

Life at medical college has been very challenging so far, and keeps getting increasingly challenging every day. The exam is one month away and I guess everybody is starting to feel the heat of the examination.

Although many people want to do medicine as a child, I find studying medicine a painful experience; it’s not my thing and I suck at it big time. Medicine is just too static, there is nothing innovative you can do in it, there is no sense of achievement. The thing is, if you have studied then you know the answer to the questions, and if you didn’t study then you don’t know the answer; there is no option like “I can work it out and find the answer” in medicine.

Although I knew that I suck at medicine, I couldn’t find the answer to why I hated medicine. I knew I hated medicine but didn’t know why, I just did. Recently my brother asked me for help with some chemistry problems that were hard for him to solve and I took on the challenge of doing that. It took me some time to work out the answers because I haven’t done chemistry since I left school. However, I managed to solve the problems and I found the answer to the problem of why I suck at medicine.

When I finished the chemistry problem, I had a feeling, a feeling I had when I was schooling. It was a happy feeling but it was more than just plain happy, it had something that can’t be expressed in words. It was the feeling of achievement: I had to work hard and think hard to find the answer, and at the end I could say that it’s my answer, I figured it out by myself. If someone is passionate about doing something it’s because he enjoys doing it; there is a sense of achievement in his work, and this drives him forward in what he does.

However, I realized that there is no such thing as a feeling of achievement in medicine. This makes me hate medicine more and more because there is no happiness in doing medicine. All you get at the end of the day is stress, nothing else. I think this is why I suck at medicine. I think because of this, every day I do medicine makes me hate medicine more and more. Sometimes I get the feeling that medicine has ruined my life and I should have done something else. I think it’s the feeling of regret.

I never wanted to do medicine from the beginning; all I wanted to do was pass the Advanced Level examination and do my higher education in some other area that I like. The results were better than what I expected and here I am at medical college. Everything happened to me because of luck.

You cramp up books, you fill your head with things that you can’t even remember. Face an exam and score marks. So what’s the achievement in that? You don’t have to use your brain one bit to find answers; the only thing you need is to memorize what’s in the book. I now feel anyone can do medicine; all you need to have is the ability to memorize everything. You don’t need anything else to do medicine.

However, running away from the problem is not the answer. Running away from the challenge is easy and anyone can do that, but facing the challenge is better and challenging the challenge is far better. So I’m going to take studying medicine as a challenge and I’m going to challenge the challenge. And if I survive then it’s awesome; if I fail it won’t matter either because I gave my 100% and there is nothing more I can give.

You might think differently than me and very well feel that I’m mad, Yes I know that’s just me.