The Official TELTUB Blog

Saturday, October 31, 2009
A workaround solution to python str/repr issue
Remember my post about the python __str__ issue? A couple of people asked me if I had any simple patch/workaround for it. Here is a small function that you can use to work around the problem (click on the Show code to see the solution):


Here is a nice example of the solution:
>>> from decimal import Decimal
>>> from datetime import datetime
>>> str([Decimal('42'), datetime.now()])
'[Decimal("42"), datetime.datetime(2009, 11, 1, 23, 47, 47, 45115)]'
>>> my_str([Decimal('42'), datetime.now()])
'[42,2009-11-01 23:47:51.517091]'
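
The workaround function itself is not reproduced on this page. As an added example (not the author's code, and written for Python 3), one way to get the behaviour shown in the session above is a recursive converter; the bracket and separator choices are assumptions picked to match that output.

```python
from datetime import datetime
from decimal import Decimal


def my_str(obj):
    """Like str(), but applies str() instead of repr() to container elements."""
    if isinstance(obj, list):
        return "[" + ",".join(my_str(x) for x in obj) + "]"
    if isinstance(obj, tuple):
        return "(" + ",".join(my_str(x) for x in obj) + ")"
    if isinstance(obj, dict):
        pairs = (my_str(k) + ":" + my_str(v) for k, v in obj.items())
        return "{" + ",".join(pairs) + "}"
    # Scalars and any other type fall back to the human-readable form.
    return str(obj)


def compare(values):
    """Return (built-in str result, my_str result) for the same container."""
    return str(values), my_str(values)


if __name__ == "__main__":
    # Constructed sample mirroring the session above (fixed timestamp).
    sample = [Decimal("42"), datetime(2009, 11, 1, 23, 47, 51, 517091)]
    for rendered in compare(sample):
        print(rendered)
```

The result is for display and logging only: strings come out unquoted, so it cannot be parsed back and should not be used to build queries.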

Tuesday, October 27, 2009
How to defend your service availability
When it comes to security, there is an overwhelming amount of resources/tools available for you. The key issue is to figure out which one works and if using it is worth the hassle, complexity and your investment.

Service availability is a topic that rarely gets the spotlight in the security domain. Most regulatory and compliance bodies are focused on integrity and confidentiality of data. Availability is treated as a compliance-neutral state. It's very similar to driving: if you park/stop somewhere inappropriate (e.g. in the middle of a busy street), you will get a small fine, but almost never a demerit point! If you get into an accident and your vehicle was not moving, you are almost never at fault.

During the past 5 years, in which I have been deeply involved with the network security domain, I have seen many complaints about how organizations feel vulnerable to DoS attacks. Just recently the personal website of a municipal parliament candidate was subject to an easy shutdown by his enemies. He didn't know what to do about it.

Technologically, IP stack denial of service attacks are history. The solutions have been known for years, and a majority of enterprise firewalls and most of the network stack implementations within the OS provide reasonable defense mechanisms. The TCP SYN attack is the most famous method due to its effectiveness.

You would think that IP stack issues are over; however, there are new variations of vulnerabilities that enable similar attacks. The most recent example came out in August 2009, where the attacker set the TCP window size to zero and targeted the Microsoft Windows TCP/IP stack.

Firewalls, fortunately, understand such bad states and behaviors. A properly configured firewall can block a lot of these IP stack attacks.

Application-level denial of service, however, is a whole new subject. Even assuming that your application itself (e.g. your backend website) doesn't have any vulnerability, it is still quite possible to exploit most HTTP (or any other front-end) servers by making them consume a huge amount of resources with a very small number of requests.

Attacks of this nature are becoming more widespread and the security community is new to this. Don't get me wrong, these are generic attacks that target application layer vulnerabilities. The primary targets for these attacks are common application layer services such as HTTP and mail. Let's use HTTP (Apache) as a case study here.

The Slowloris attack method has produced a lot of heat lately. In a Slowloris attack scenario, the attacking party initiates TCP connections to the target HTTP service and sends a partial HTTP header over a long period of time to keep the server's resources locked.

Apache comes with a handful of modules that were developed to help you survive HTTP DoS attacks. They are helpful in reducing the vectors for this type of attack; however, these modules are not currently able to stop recent, more sophisticated attacks such as Slowloris.
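
To see why a partial header sent slowly keeps a worker locked, and what a server-side limit has to measure, here is an added example (not from the original post and not Apache's code). It replays constructed arrival timelines against two assumed policies: a per-read idle timeout alone, and the same timeout combined with a total deadline for receiving the complete header. The parameter names and values are hypothetical.

```python
HEADER_END = b"\r\n\r\n"


def _first_timer(last, idle_timeout, header_deadline):
    """Which server timer expires first, given the time of the last read."""
    idle_at = last + idle_timeout
    if header_deadline is not None and header_deadline < idle_at:
        return "closed: header deadline", header_deadline
    return "closed: idle timeout", idle_at


def header_read_outcome(chunks, idle_timeout, header_deadline=None):
    """Replay (arrival_time_s, data) chunks for a connection accepted at t=0.

    Returns (verdict, t), where t is when the worker slot is released.
    """
    buf, last = b"", 0.0
    for t, data in chunks:
        verdict, fires_at = _first_timer(last, idle_timeout, header_deadline)
        if t > fires_at:              # a timer expired before this chunk arrived
            return verdict, fires_at
        buf += data
        last = t                      # every read resets the idle timer only
        if HEADER_END in buf:
            return "header complete", t
    # The client went silent: the slot is held until a timer expires.
    return _first_timer(last, idle_timeout, header_deadline)


# Constructed timelines: a normal request, and a client that sends one
# header line every 10 seconds without ever ending the header.
NORMAL = [(0.05, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]
SLOW = [(0.1, b"GET / HTTP/1.1\r\n")] + [(10.0 * i, b"X-a: b\r\n") for i in range(1, 31)]

if __name__ == "__main__":
    for name, chunks in (("normal", NORMAL), ("slow", SLOW)):
        print(name, "idle timeout only:", header_read_outcome(chunks, 15))
        print(name, "with header deadline:", header_read_outcome(chunks, 15, 20))
```

With only the idle timeout, the slow connection holds its slot for as long as the client keeps sending; the total deadline bounds that time no matter how regularly bytes arrive.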


Similar attack vectors exist for telephony services that are using SIP, SS7, IAX2 or almost everything else for that matter. Examples of recent vulnerabilities are abundant in Asterisk (e.g. see IAX2 Call Number Space Exhaustion DoS and SIP Channel Driver INVITE Header DoS).

In TELTUB, we need five nines (99.999%) service availability for our telephony cloud. This brings up a lot of questions as to whether the systems are vulnerable to such DoS attacks. TELTUB Telephony Cloud (TTC) has been architected and built with security in mind. Having said that, it's not always easy to keep up with attackers. Especially when it comes to DoS, it's best not to have many enemies, if you know what I mean...

Saturday, October 24, 2009
A python str/repr thing: Call it a bug? A glitch?
Hi there! My name is Ehsan and I am an old buddy/partner of Farid, turned co-founder for TELTUB. I love to dig deep into the designs and prototypes (mostly initiated by Farid) and turn them into some beautiful code (or as they say, into code with 'minimal WTFs/sec').

I am a big fan of scripting languages such as python, and for some unexplainable reason I have a passion for distributed architectures/programming. I am very excited to be a part of TELTUB and genuinely believe that TELTUB is where we get to connect the old world of Telecom to the new world of IT. You can find me on Twitter as well.

I've had a few wrestles with the mighty python language in the past two years. There are enough python users out there that I can safely bet I am not the first one digging this dirt up. However, it is there and you better deal with it.

Let me get down to business:
>>> repr(1L)
'1L'
>>> str(1L)
'1'

This is expected. Right? A long integer, when converted to string using 'str', would be human readable, without a nasty 'L' at the end. And 'repr' would make a reproducible string out of it that python understands: '1L'.

Now look at this:
>>> repr([1L])
'[1L]'
Again, predictable. And this:
>>> str([1L])
'[1L]'
Not so much!!

It seems that python lists, tuples, and dictionaries break this routine and recursively call the 'repr' interface on their elements, regardless of which method you used to convert them to a string.

If you like the proof, here is a more detailed investigative case:
>>> class test:
...     def __str__(self):
...         return 'str'
...     def __repr__(self):
...         return 'repr'
...
>>> str(test())
'str'
>>> str([test()])
'[repr]'

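Where does it explode in your face? When you rely on the 'str' interface to avoid writing your own to_str function. An example is when you want to create a SQL query like this:
cat_a, cat_b = Read_Some_BIGINTs_from_SQL()
# The trailing comma makes the tuple a single argument for the one %s.
# The tuple is rendered with repr() on each element, e.g. 'IN (1L, 2L)'.
sql_str = 'SELECT id FROM table WHERE category IN %s' % ((cat_a, cat_b),)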

The example above is not the most recommended way of doing things, but if it happens, make sure you convert things to integer first to avoid getting surprised.
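
As an added example (not from the original post, and written for Python 3 with sqlite3), the following shows the same repr leak with Decimal values and then the form that avoids string-building altogether: convert to integers as advised above and bind them as query parameters. The table name `items` and the sample rows are constructed for the example.

```python
import sqlite3
from decimal import Decimal


def naive_in_clause(values):
    # Same pattern as in the post: str() of a tuple uses repr() on each element.
    return "SELECT id FROM items WHERE category IN %s" % (tuple(values),)


def select_by_categories(conn, values):
    """Bind every value as a parameter; only '?' placeholders are formatted in."""
    ids = [int(v) for v in values]      # convert to integer first
    if not ids:
        return []                       # 'IN ()' is not valid SQL
    placeholders = ",".join("?" * len(ids))
    sql = "SELECT id FROM items WHERE category IN (%s) ORDER BY id" % placeholders
    return [row[0] for row in conn.execute(sql, ids)]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, category INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, 10), (2, 20), (3, 30)])
    cats = [Decimal("10"), Decimal("30")]   # constructed stand-ins for the BIGINTs
    return naive_in_clause(cats), select_by_categories(conn, cats)


if __name__ == "__main__":
    broken_sql, rows = demo()
    print(broken_sql)   # the repr of each Decimal ends up inside the SQL text
    print(rows)
```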

Thursday, October 22, 2009
Realtime integration of telephone and web services

In my last post I explained how a phone service is different from phone connectivity. One company can provide your connectivity but not the service. However, the question remains: What is this phone service that I am talking about? What are the examples?

This is a valid question. The only services that we have seen so far are limited to VoiceMail, simple call forwarding and a few other ones. When talking about new telephony services, it might be difficult to imagine what it is that we are talking about.

The differences between telephone and internet services are gradually disappearing. People used to have a computer at their homes which was connected to the internet and a phone handset which was connected to a phone line. You could use your phone to talk to your friends and use your internet connection to browse the web. The infrastructure supporting these two technologies was also quite different.

However, nowadays these two types of services are not that different anymore:
1- Devices consolidation (cell phone can be used to browse the internet and your laptop can be used to make calls)
2- Technology consolidation (You can use your internet connection and install a VoIP phone instead of paying a phone company to install a separate line for your phone).

We have also started to see integrated services that use both your internet capabilities and your phone capabilities. For example, you can browse a website and click on a 'call me' button and you will be contacted by that website (well, by somebody who works for that company). We have just started to see this type of service, in which we don't look at internet and telephone services as two separate concepts. They are essentially the same thing: something that somehow enables people to connect.

After Google's acquisition of Grand Central in 2007, which by the way cost $45M, it was rather obvious that the internet giant, Google, plans to enter the telephone services. It was a bold move at that time and attracted a lot of attention. Grand Central's core business was to offer phone number consolidation. They were offering a single number that could ring to all your phone numbers (cell phone, home phone, etc). The call will be carried on the phone that is answered first. Google has spent more than 2 years on integrating the services that were offered by Grand Central into Google's core business. Google wants its users to treat their phone line as just another way of communication. Your Voicemail is something like your email box!

They also offer telephone services that are initiated from the web such as making a call to your friend from Google's website. The call itself is carried on your phone but you initiate it from Google's website.

Despite all recent advancements in phone and internet service consolidation, they are still essentially two different services. Telephone calls are not integrated into your browsing experience. Let me give you an example:

If you are browsing your bank's website, you may well see a call me button. If you click on that button, your phone will start ringing and a nice lady from the other end would ask if there is anything that she can do for you. It would be like a normal call to your bank from that point on.

But, what if you wanted to ask something about the current view of your browser? What if the nice lady wants to ask you to go to a certain page in the website and do something? What if instead of the nice lady you could use an automated system that determines the page that you are viewing and you could interactively do things on your phone while observing the results on your monitor!
The bank example is just one out of a million services that can be offered if the phone and internet services were truly integrated. Essentially, your phone should act as your headset when you are in front of your computer. The only difference is, well, you could take your phone far far away from your monitor! But if you are in front of your computer, there should NOT be any difference between your phone and a headset that is connected to your computer. This is what I call the realtime integration of the telephone and internet services.

Just think about what you can do with realtime integration in social networks...

Saturday, October 17, 2009
Service vs connectivity in the telephony world

Until a few years ago, it was critically important to get your cell phone from a reputable company otherwise you'd have many dropped calls, bad reception and many missed calls. Nowadays, it is not as important to get your cell phone from one of the big guys. The quality of your connection, cell phone or home phone, is pretty much the same regardless of your provider. They are all good (or well, all bad in some cases). Therefore, the most important factor for phone users in selecting their company/plan is price (as opposed to price/quality in 2006).

Phone lines (cell phone or landline) are becoming commodities. It is getting harder and harder for the phone companies to say 'our service is better than our competitor, so you should pay more'. They are all providing similar quality of services and therefore price is playing a crucial role. This is of course only true about your basic service. In other words, if a company is offering value added services such as family plans, voicemail, call block, etc they can still set a higher price and justify it by saying: well, we offer such and such services that our competitors don't. The basic service, i.e. the connectivity, is becoming a commodity whereas value added services are playing important roles in distinguishing a phone company. It means that the profit margin on phone connectivity services will be gradually disappearing and phone companies will have to depend on new services to attract new customers.
The problem is that developing new services is expensive. The current infrastructure used by phone companies is not flexible enough to enable them to build game changing services. All they can do is to tweak some parameters in a traditional service, give it a new name and a new brand and offer it as a new service OR pray that their device manufacturer provides a new module that implements a new service!

This is one of the essential differences between the IT and the telecom world. If you have an interesting idea in IT, you can create your own service rather inexpensively, create your own website and start offering your service. That's why new services are coming out every day in the Internet world but not in the Telecom world. Creating a new telephony service is expensive and a guy/gal in a basement cannot just wake up with a new idea and start implementing it. It takes way more time, energy, expertise and investment to develop a reliable telecom service and it is even more difficult to offer it to potential users. Even if you manage to implement your telephony idea, it is next to impossible to offer it to your potential buyers without partnering with one of the phone providers.

The solution is to have a system that:
1- separates connectivity from value added services so that offering new services does not require partnership with the phone providers.
2- provides enough flexibility to enable people to actualize their ideas as easily as creating a website
3- provides a market/store for the developers to offer their new services to potential buyers. Customers should be able to select the service they want from the developer that they want.
4- Developers should not worry about how to host their service, how to make it reliable and how to handle accounting, etc. Having a good idea and knowing basic programming skills should be enough to make a change.
This is just the beginning.

Sunday, October 11, 2009
TELTUB, connect your way

The name is Farid and I am currently living in Toronto. This place is the official weblog of TELTUB, a high-tech IT/Telecommunication company that Ehsan, a buddy of mine and the other contributor to this weblog, and I have co-founded together. We have a small team of amazing people at TELTUB that has helped us develop a very exciting technology. We will be sharing what looks/seems/sounds/tastes or for that matter feels interesting and we think you might digg it. We will talk about business, technology and the daily life of a couple of guys who have spent more than 2 years, so far, to actualize their goal of making a new line of services that solves particular problems. Needless to say we will also introduce TELTUB's products as we present them to the world. I am excited, very!

This is the first post so I just want to introduce myself and give you a bit of background about TELTUB and what we do. I am on leave of absence from my PhD in Telecommunication networks from the University of Toronto (at least if I am not kicked out yet). I have studied and worked in Telecommunication/IT/IT security/hardware design/software development/power plant design and installation(!), robotics, math and lately MBA. I may be one of those guys you call a geek! (Who am I kidding; I am one of those guys).

Our beloved TELTUB has been built around a simple idea: making new and exciting IT/Telecommunication services and also enabling everybody else to do the same. We are supporting open source and open platform models but we also understand that this may not work for every single business and therefore we try to work with/support any product/service that is not as open as we like :)

TELTUB will give you the variety and nobility of Facebook, the openness of Google, the simplicity of Twitter, the elegance of iPhone and the affordability of Vonage. We want to introduce unprecedented services and bring innovation into the boring ones that have existed for the longest time. We also want to allow everybody else to bring their ideas into life in a fast and affordable way and start their own business. At the end, it all starts with a good idea.
