codeblog code is freedom — patching my itch

January 13, 2015

barcode consolidation

Filed under: Blogging,Debian,General,Security,Ubuntu — kees @ 5:33 pm

I had a mess of loyalty cards filling my wallet. It kind of looked like this:

Loyalty cards, from Flickr, joelogon

They took up too much room, and I used them infrequently. The only thing of value on them are the barcodes they carry that identify my account with whatever organization they’re tied to. Other folks have talked about doing consolidation in various ways like just scanning images of the cards and printing them all together. There was a site where you typed in card details and they generated barcodes for you, too. I didn’t want to hand my identifiers to a third party, and image scanning wasn’t flexible enough. I wanted to actually have the raw numbers, so I ended up using barcode. I didn’t use the Debian nor Ubuntu package, though, since it lacked SVG support, which was added in the latest (cough March 2013) version.

I used the Android Barcode Scanner app, and just saved all the barcodes and their encoding details to a text file, noting which was which. For example:

Albertsons "035576322436","UPC_A"
Multnomah County Library "01237035218482","CODABAR"
Supportland "!0000005341632030145420","CODE_128"

I measured the barcode area, since some scanners can’t handle their expected barcodes being resized, (that’s another project: find out which CAN handle it), and then spat out SVG files. I compared the results to my actual cards, since some times encodings have different options (like dropping checksum characters, “-c” below):

barcode-svg -S -u in -g 1.5x0.5 -e upc-a      -b '035576322436' > albertsons.svg
barcode-svg -S -u in -g   2x0.5 -e codabar -c -b '01237035218482' > library.svg
barcode-svg -S -u cm -g 4.5x1   -e code128    -b '!0000005341632030145420' > supportland.svg

With Inkscape, I opened them all and organized them onto a wallet-card-sized area, printed it, and laminated it. Now my wallet is 7 cards lighter. More room for HID cards or other stuff:

Emergency Pick Card

© 2015, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

June 13, 2014

glibc select weakness fixed

Filed under: Blogging,Chrome OS,Debian,General,Security,Ubuntu,Ubuntu-Server — kees @ 11:21 am

In 2009, I reported this bug to glibc, describing the problem that exists when a program is using select, and has its open file descriptor resource limit raised above 1024 (FD_SETSIZE). If a network daemon starts using the FD_SET/FD_CLR glibc macros on fdset variables for descriptors larger than 1024, glibc will happily write beyond the end of the fdset variable, producing a buffer overflow condition. (This problem had existed since the introduction of the macros, so, for decades? I figured it was long over-due to have a report opened about it.)

At the time, I was told this wasn’t going to be fixed and “every program using [select] must be considered buggy.” 2 years later still more people kept asking for this feature and continued to be told “no”.

But, as it turns out, a few months later after the most recent “no”, it got silently fixed anyway, with the bug left open as “Won’t Fix”! I’m glad Florian did some house-cleaning on the glibc bug tracker, since I’d otherwise never have noticed that this protection had been added to the ever-growing list of -D_FORTIFY_SOURCE=2 protections.

I’ll still recommend everyone use poll instead of select, but now I won’t be so worried when I see requests to raise the open descriptor limit above 1024.

© 2014, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

May 7, 2014

Linux Security Summit 2014

Filed under: Blogging,Chrome OS,Debian,General,Security,Ubuntu,Ubuntu-Server — kees @ 10:31 am

The Linux Security Summit is happening in Chicago August 18th and 19th, just before LinuxCon. Send us some presentation and topic proposals, and join the conversation with other like-minded people. :)

I’d love to see what people have been working on, and what they’d like to work on. Our general topics will hopefully include:

  • System hardening
  • Access control
  • Cryptography
  • Integrity control
  • Hardware security
  • Networking
  • Storage
  • Virtualization
  • Desktop
  • Tools
  • Management
  • Case studies
  • Emerging technologies, threats & techniques

The Call For Participation closes June 6th, so you’ve got about a month, but earlier is better.

© 2014, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

December 20, 2013

DOM scraping

Filed under: Blogging,Debian,General,Ubuntu,Ubuntu-Server,Web — kees @ 11:16 pm

For a long time now I’ve used mechanize (via either Perl or Python) for doing website interaction automation. Stuff like playing web games, checking the weather, or reviewing my balance at the bank. However, as the use of javascript continues to increase, it’s getting harder and harder to screen-scrape without actually processing DOM events. To do that, really only browsers are doing the right thing, so getting attached to an actual browser DOM is generally the only way to do any kind of web interaction automation.

It seems the thing furthest along this path is Selenium. Initially, I spent some time trying to make it work with Firefox, but gave up. Instead, this seems to work nicely with Chrome via the Chrome WebDriver. And even better, all of this works out of the box on Ubuntu 13.10 via python-selenium and chromium-chromedriver.

Running /usr/lib/chromium-browser/chromedriver2_server from chromium-chromedriver starts a network listener on port 9515. This is the WebDriver API that Selenium can talk to. When requests are made, chromedriver2_server spawns Chrome, and all the interactions happen against that browser.

Since I prefer Python, I avoided the Java interfaces and focused on the Python bindings:

#!/usr/bin/env python
import sys
from selenium import webdriver
from selenium.common.exceptions import NoSuchElementException
from selenium.webdriver.common.keys import Keys

caps = webdriver.DesiredCapabilities.CHROME

browser = webdriver.Remote("http://localhost:9515", caps)

assert "My Bank" in browser.title

    elem = browser.find_element_by_name("userid")

    elem = browser.find_element_by_name("password")
    elem.send_keys("wheee my password" + Keys.RETURN)
except NoSuchElementException:
    print "Could not find login elements"

assert "Account Balances" in browser.title

xpath = "//div[text()='Balance']/../../td[2]/div[contains(text(),'$')]"
balance = browser.find_element_by_xpath(xpath).text

print balance


This would work pretty great, but if you need to save any state between sessions, you’ll want to be able to change where Chrome stores data (since by default in this configuration, it uses an empty temporary directory via --user-data-dir=). Happily, various things about the browser environment can be controlled, including the command line arguments. This is configurable by expanding the “desired capabilities” variable:

caps = webdriver.DesiredCapabilities.CHROME
caps["chromeOptions"] = {
        "args": ["--user-data-dir=/home/user/somewhere/to/store/your/session"],

A great thing about this is that you get to actually watch the browser do its work. However, in cases where this interaction is going to be fully automated, you likely won’t have a Xorg session running, so you’ll need to wrap the WebDriver in one (since it launches Chrome). I used Xvfb for this:

# Start WebDriver under fake X and wait for it to be listening
xvfb-run /usr/lib/chromium-browser/chromedriver2_server &
while ! nc -q0 -w0 localhost 9515; do
    sleep 1


# Shut down WebDriver
kill $pid

exit $rc

Alternatively, all of this could be done in the python script too, but I figured it’s easier to keep the support infrastructure separate from the actual test script itself. I actually leave the xvfb-run call external too, so it’s easier to debug the browser in my own X session.

One bug I encountered was that the WebDriver’s cache of the browser’s DOM can sometimes get out of sync with the actual browser’s DOM. I didn’t find a solution to this, but managed to work around it. I’m hoping later versions fix this. :)

© 2013, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

September 12, 2011

5 years with Canonical

Filed under: Blogging,Debian,General,Security,Ubuntu — kees @ 9:58 am

This month, I will have been with Canonical for 5 years. It’s been fantastic, but I’ve decided to move on. Next week, I’m going to start working for Google, helping out with ChromeOS, which I’m pretty excited about. I’m sad to be leaving Canonical, but I comfort myself by knowing that I’m not leaving Ubuntu or any other projects I’m involved in. I believe in Ubuntu, I use it everywhere, and I’m friends with so many of its people. And I’m still core-dev, so I’ll continue to break^Wsecure things as much as I can in Ubuntu, and continue working on getting similar stuff into Debian. :)

For nostalgic purposes, I dug up my first security update (sponsored by pitti), and my first Ubuntu Security Notice. I’m proud of Ubuntu’s strong security record and how far the security feature list has come. The Ubuntu Security Team is an awesome group of people, and I’m honored to have worked with them.

I’m looking forward to the new adventures, but I will miss the previous ones.

© 2011, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

February 5, 2011

fun with game memory

Filed under: Blogging,Debian,General,Reverse Engineering,Ubuntu — kees @ 5:15 pm

So, I was testing a (closed source) single-player offline game recently and thought this exercise might be fun to document. I didn’t want to spend any time actually earning in-game money since I’d played it before and I wanted to just skip ahead to other aspects of the game. I was curious how straight-forward adjusting my cash might be. So, noting the in-game “bank account number” of 219393 and account balance of 3000, I dived right in.

First up, what’s the memory layout of the heap look like? I looked at the brk and the mmap regions without a mapped library or file, marked with “w” in the permissions column, from /proc/PID/maps:

0827e000-08282000 rw-p 00000000 00:00 0
0a22e0000b08a000 rw-p 00000000 00:00 0 [heap]
efa59000-efd00000 rw-p 00000000 00:00 0
efd00000-efd21000 rw-p 00000000 00:00 0

Knowing these, I could use gdb’s “find” command, after attaching to the process:

$ gdb /some/cool/game

(gdb) attach PID

(gdb) find /w 0x0827e000, 0x08282000, 219393
(gdb) find /w 0x0a22e000, 0x0b08a000, 219393

No hits in the first region, but I see two hits for the account number value in the second region. Let’s start there and see what’s near them…

(gdb) x/8x 0xaf03d08
0xaf03d08: 0x00035901 0x00000000 0x00000000 0x0af06ce0
0xaf03d18: 0x0af06be0 0x00000059 0x0af03d98 0x0af041e8
(gdb) x/8x 0xaf06ca8
0xaf06ca8: 0x00035901 0x00000bb8 0x00000bb8 0x0820b148
0xaf06cb8: 0x00000001 0x00000000 0x00000000 0x00000000

In that second hit, I see the value 0xBB8, which is 3000, and matches our account balance. Let’s see what happens if we just change both of those to add a bit a few orders of magnitude above the current value…

(gdb) set var *0xaf06cac = 0x00100bb8
(gdb) set var *0xaf06cb0 = 0x00100bb8
(gdb) x/32x 0xaf06cac
0xaf06cac: 0x00100bb8 0x00100bb8 0x0820b148 0x00000001
(gdb) continue

And presto, clicking on the bank account details in-game shows a huge account balance of 1051576 now. No need to reverse-engineer any saved games, whew.

© 2011, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

July 23, 2010

Achievement Unlocked

Filed under: Blogging,Debian,General,Ubuntu — kees @ 5:45 am

I think it would be fun to add an achievement system to the Ubuntu Desktop, like is done on Steam and XBox.

The tricky part is tracking various events and finding amusing correlations. For example, if your screen-saver kicks in 40 times in a single 24 hour period, you could earn the “Alternating Current” achievement, indicating that you’re being repeatedly interrupted all day long:

achievement unlocked: alternating current

There are all kind of things to track and correlate. Miles moved with the mouse, clicks taken, keys pressed, files opened, applications installed, buddies added, IMs received, sent, etc. There are all kinds of achievements that could be designed that could be used to help people discover how to use Ubuntu, or for just plain humor. “Achievement Unlocked: Application Deficit Disorder” when you uninstall 100 applications you installed in the prior week.

I’ve been told this might all be very easy to implement with the Gnome Activity Journal (Zeitgeist), but I haven’t had a chance to investigate further.

UPDATE: I can easily imagine this being tracked in CouchDB, synced between systems via UbuntuOne, and could be linked to any other remote APIs that people could dream up, including Launchpad, Forums, REVU,, etc.

© 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

January 24, 2010

Google is wardriving

Filed under: Blogging,Debian,General,Networking,Security,Ubuntu,Web — kees @ 8:28 pm

So, a while back, Google started providing location services. This seemed pretty cool, but I kind of ignored it until recently when I was playing with my Android’s location API. With the GPS off, and no cell towers visible (my basement gets terrible cell service), my phone knew within about 500 feet of where it actually was. All I was connected to was my wifi.

Bottom line: it seems that Google, among other methods, is likely wardriving while photographing for Street View. They are now able to pinpoint wifi access points if they happened to see it while driving through your city.

I’m really rather astonished that no one is freaking out about this; I’m a bit unnerved. I implemented the location-of-your-wifi API quickly, so I could terrify myself further. You can do lookups via my location website too, if you want.

UPDATE: yeah, it would seem to be crowd-sourced wifi and cell tower triangulation data. I should say “Google is WarCrowding”.

© 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 19, 2009

recording from PulseAudio

Filed under: Blogging,Debian,General,Multimedia,Ubuntu — kees @ 11:42 am

Every PulseAudio “Sink” has a “Source” named “monitor”. This lets you attach to a given Sink and chain more stuff to it, for example, recording the audio that is playing through PulseAudio at any given moment. This is very handy for creating, for example, PubQuiz-style clips of songs, movies, etc.

Here is a script to find the monitor for the most recently added Sink, record from it, and shove it through “sox” to get a WAV instead of raw sound data (requires recent sox, Pulse, etc):

if [ -z "$WAV" ]; then
    echo "Usage: $0 OUTPUT.WAV" >&2
    exit 1
rm -f "$WAV"

# Get sink monitor:
MONITOR=$(pactl list | egrep -A2 '^(\*\*\* )?Source #' | \
    grep 'Name: .*\.monitor$' | awk '{print $NF}' | tail -n1)
echo "set-source-mute ${MONITOR} false" | pacmd >/dev/null

# Record it raw, and convert to a wav
echo "Recording to $WAV ..."
echo "Close this window to stop"
parec -d "$MONITOR" | sox -t raw -r 44k -sLb 16 -c 2 - "$WAV"

© 2009 – 2011, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

November 11, 2008

phrase from nearest book meme

Filed under: Blogging,Debian,General,Ubuntu — kees @ 12:42 pm

Meme from Jono:

  • Grab the nearest book.
  • Open it to page 56.
  • Find the fifth sentence.
  • Post the text of the sentence in your journal along with these instructions.
  • Don’t dig for your favorite book, the cool book, or the intellectual one: pick the CLOSEST.

My result:

“The term linear just means that each output bit of the mixing function is the XOR of several of the input bits.”Practical Cryptography, Niels Ferguson, Bruce Schneier.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

October 30, 2008

how to drain your entropy and have fun with ssh fingerprint ASCII-art

Filed under: Blogging,Debian,General,Ubuntu,Ubuntu-Server — kees @ 10:48 am

SSH’s new “VisualHostKey” option (in Ubuntu Intrepid and Debian Lenny) is great fun. Normally it is disabled, but it seems that “ssh-keygen” turns it on when generating new keys. In celebration of the Ubuntu release, here is a script to entertain yourself with RSA ASCII-art, care of SSH and your system’s entropy pool:

set -e
DIR=$(mktemp -t -d rsa-art-XXXXXX)
trap "rm -f $DIR/key*; rmdir $DIR" EXIT HUP INT QUIT TERM

while :
    ART=$(ssh-keygen -t rsa -f $DIR/key -N "" | tail -n 11)
    rm -f $DIR/key
    /bin/echo -e "\x1Bc"
    echo "$ART"

Makes me feel like I’m watching Life. (Use control-C to stop it.)

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

March 9, 2007

detecting space-vs-tab indentation type in vim

Filed under: General,Ubuntu — kees @ 10:36 am

I edit a lot of other people’s code. Dealing with indenting depth has always plagued me, and I’ve tried all sorts of things to try to address it, but the “real” problems I have are when tabs are mixed into code.

I personally use “4 spaces” for code indentation, and if I’m working on code that uses 8, I just hit “tab” twice, and if I’m working on code that uses 2, I can just backspace over the 2-too-many spaces. When the code has actual tabs, things break. When the code has a mix of tabs and spaces, it becomes a serious head-ache.

I wrote some vim insanity to detect which indentation type was being used “the most” in a given source file. If anyone has a simpler way to solve this (without switching to a different editor), I’m all ears. What follows are some bits from my .vimrc.

First, my space-indentation defaults:

set noai ts=4 sw=8 expandtab

Next, Makefiles and debian/rules files always use tabs, so I have a base set of overrides:

" Makefile sanity
autocmd BufEnter ?akefile* set noet ts=8 sw=8
autocmd BufEnter */debian/rules set noet ts=8 sw=8

Finally, define a function that compares the number of lines that start with a tab to those that start with a space. If the tabs outnumber the spaces, disable my defaults, and don’t expand tabs:

function Kees_settabs()
    if len(filter(getbufline(winbufnr(0), 1, "$"), 'v:val =~ "^\\t"')) > len(filter(getbufline(winbufnr(0), 1, "$"), 'v:val =~ "^ "'))
        set noet ts=8 sw=8
autocmd BufReadPost * call Kees_settabs()

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

December 4, 2006

OSDL drops staff coders

Filed under: General — kees @ 10:33 pm

News clippings about OSDL‘s RIF:

Two months ago, I jumped on a fantastic opportunity and took a job with Canonical (leaving OSDL none too soon, it seems). I’m disappointed that OSDL laid off so many of my friends. I had been visiting the office on and off so I could continue to participate in the daily lunchtime board games. It’s the end of an era.

Games played during lunch:

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

May 18, 2006

bleeding-edgeness matrix

Filed under: General — kees @ 11:22 pm

At least two times in recent history, I’ve wondered “is this the most recent version” of some piece of software, immediately followed by “which distro has the most recent version?” As I recall, these were for:

I had discovered both to be woefully behind “most recent” for a number of distributions. In my mind popped a vision of a chart/table/matrix of software on one axis and distros on the other, showing which had what versions of things. And little boxes where I could rank the “bleeding-edgeness” of a distro.

While hunting around, I found something almost like my vision. The distrowatch website is pretty damn cool. It wasn’t really set up to compare bleeding-edgeness between different distros, just different versions of a distro. For example, here’s Ubuntu’s matrix.

I exchanged some email with the author, and it sounds like he just uses a mess of custom scripts to poll version numbers of some of the more “big-name” software packages, common to most distros. Needless to say, mdadm and f-spot did not make the cut. I’d love to be able to add more “tracked packages” via some kind of web UI. A URL plus a regex to extract a version from; almost the same as what’s needed for WWW-PkgFind to operate. :)

From the pkgfind man page description:

… scans a web or ftp site for newly posted files and
downloads them to a local filesystem. … The motivation for this script is to poll places where developers post patches to software we’re testing.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 28, 2006

lvm article

Filed under: General — kees @ 2:14 pm

Bryce wrote a great article on LVM and disk management that I helped do some technical editing on. Hopefully stuff like this will help other people get more comfortable with LVM, and make it less of a dark art. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 26, 2006

smallville, as measured in lana-minutes

Filed under: General — kees @ 7:00 am

I enjoy watching Smallville. I found Lana tiresome almost immediately. Recently, the writers teased us by showing an alternate future where she died. Struck with the possibility of not having to deal with her while watching the show, I became very excited. Then they brought the character back, and I couldn’t bear to continue watching the show. Every minute she’s on the screen is a minute stolen from me through the dark arts of terrible acting. If I didn’t so enjoy the rest of the plots and characters, I could so easily just stop watching. (I am also starting to run low on SG-1 episodes…)

To help combat my annoyance with Lana, I think I’m going to measure her screen-time. I’m going to count every minute that she’s on-screen and not dead, or when the on-screen plot is a direct result of her idoicy. (i.e. Clark complaining about something Lana did.) The goal will be to reach a “perfect episode” Lana-minute score of ZERO.

As a bonus, I figure I should also track Chloevage minutes. I figure Lana and Chloevage timers shouldn’t run if they’re both on screen at the same time — they cancel eachother; I am neither frowning nor smiling. The Chloevage-minutes would be a tie-breaker for episodes with nearly the same Lana-minutes value.

Ah, the physics of abstract television analysis.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 23, 2006

grub, yaird, mdadm, and missing drives

Filed under: General — kees @ 7:54 pm

This is basically a rant. I spent all my energy tracking down the problems, so I never did get things actually fixed. :P

I have my machines configured for software RAID between my primary and secondary drives. I always have. LILO supported this configuration back in RedHat 5.2 days. I’ve been doing RAID1 for a long time now. About a year ago, I changed my preference for boot loaders to GRUB, and just kind of assumed it handled mirroring. Well, much to my surprise, grub totally and completely does not handle mirrored configurations. Even the proclaimed fix didn’t work.

As a result of this “discovery”, I’ve switched back to LILO, which, I think, is a pain in the ass because it doesn’t actually have any filesystem-smarts built into it. (i.e. I have to re-run “lilo” every time I change a kernel or initrd.) I may see if another fix works as expected, but I don’t have a lot of hope considering the device map in the filesystem is the same for both grub drives, which is what causes the problems in the first place. (“Ieee! Where did the other drive go?!”)

So, moving forward, assuming my bootloader works, all kernels from 2.6.13 forward don’t support devfs, and the older initrd tools can’t handle that. Debian invented “yaird”. I had assumed they used the /sys filesystem and did other smart things. As it turns out, it’s fairly brain-dead. I booted without one of my mirrored drives, and yaird totally freaked out. As I discovered while digging through the initrd yaird generated, it just statically builds device nodes, based on what the running system used to look like.

There are two problems with this:

  1. DM devices (LVM, crypto, etc) are dynamically assigned. They may not have the same numbers after rebooting. This is mostly worked around by waiting for stuff to show up in /sys, so I’ll only complain about Ubuntu’s practice of encoding the major/minor numbers for the root device. (e.g. 0xFF00 — my root partition may not always be detected first) I don’t understand this, since the loader handles string-based paths for the root partition. But that’s not the bug I ran into for this rant.
  2. If a device goes missing, yaird assumes this is a bad thing. It has no concept of quorum. It could be argued that it shouldn’t, but in that case, it shouldn’t drop me to a prompt every time a device goes missing. It should only do that in “debug” mode. (I should send my patch for that in.)

While digging to open a Debian Bug report against yaird, I discovered that yaird, while annoyingly dropping me to a prompt (which I can “exit” out of), isn’t the real problem. The real problem is that “mdadm” incorrectly thinks it can’t start up the mirror with only 1 drive. There’s actually a counting bug where it just flat out thinks it needs 2 drives to start. Once I found this, I got pissed, “What? How could this bug exist?”

I proceeded to find the current source for mdadm, so I could write a patch to fix it. Only then did I discover that Debian’s version of mdadm is 5 REVISIONS BEHIND (including a major version jump)! AAAGGGh!

At this point I got in line reporting how old mdadm is, installed a work-around-mdadm patch to my yaird templates, and switched back to LILO. Ugh. And before someone yells “Run Gentoo!”, I checked already. The Gentoo mdadm version is old too. But at least they have a masked ebuild of the modern versions.

I hate choosing between stability and bleeding edge, but I don’t usually complain because I recognize the costs associated with stabilizing new stuff. But, come on, the mdadm 2.x series came out in AUGUST. That’s 8 months ago. I think that’s pretty stable! *sob*

I wish I had enough time to be a Debian maintainer instead of just sitting here and moaning, but hopefully my bug reports will do some good. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

March 23, 2006

amd64 is okay

Filed under: General — kees @ 8:36 pm

I’m fairly happy with my amd64 box, but it has some bothers. It reminds me of switching from 16bit to 32bit applications back in the day. Since the SATA drivers were busted on every distro I tried to install, I ended up with Debian Unstable — probably because I know how to dance around needing a more recent kernel.

Audio wasn’t working right away, but it looks like ALSA has resolved the issues finally. These fancy new 6-channel chips are silly. Maybe in 5 years I’ll actually have something other than stereo speakers on my computer. :)

Switching to 64bit has really shown me all the non-free software I use, since I can’t run these 32bit-compiles natively anymore:

  • acroread
  • various proprietary A/V codecs (DLLs via MPlayer)
  • Flash plugin
  • Wine

Okay, so Wine and don’t run because of porting issues, but still. There have been two ways to solve these problems:

  • 32bit versions of various libraries
  • chroot to a 32bit environment

Installing 32bit libs is nice, but Debian isn’t smart enough to let me install .i386.deb files along with my .amd64.deb files. There’s got to be a way, but I haven’t figured it out. So, I followed the Ubuntu instructions, and built a 32bit chroot environment. Any time I want to watch something in Flash, I run “bash32” and run Mozilla in there, which has the Flash plugin. Same for OOo, etc. With the mount bindings (e.g. “mount -o bind /home /chroot/sid/home”) it’s like I never left home. Audio even works. Pretty slick solution.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

January 14, 2006

open source as prior art

Filed under: General — kees @ 6:41 pm

I’m involved in the Open Source as Prior Art initiative. The goal being to more readily make FOSS available as prior art for the US Patent and Trade Office to use while examining software patent applications, reducing the number of poorly issued software patents.

This is a rather touchy area given the fact that most FOSS proponents (myself included) would rather see software patents go away completely. However, in the US, this is not likely to happen any time soon, since it’s not up to the USPTO, it’s up to the US Legislature; the USPTO has to implement the law, which puts them in a bind since they’re not very successful right now at finding prior art (and the laws surrounding prior art discovery aren’t that helpful either). In my opinion, if the USPTO could reliably find prior art, they would start rejecting almost all software patent applications, and the futility of software patenting would become clear to those that didn’t already recognize it. If I’m wrong, then I’d hope that with the very few patents issued, innovation really would return to the system.

Groklaw has already discussed the OSaPA project and the overall “Patent Quality Improvement” initiatives announced by the USPTO. I’ve read these and several other articles, each ranging from praise to scepticism, looking for more thoughts on subject, trying to help me shape my opinions.

One of the most sceptical was written by Greg Aharonian from the Internet Patent News Service (which ironically has no online archives for me to link to). His scepticism is mostly aimed at the USPTO and IBM, and not directly at the various initiatives, past or present. His fundamental point is that the USPTO doesn’t appear to have manged to use the (voluminous) resources it already has at its fingertips, so why would adding more help the situation? This approach didn’t work in the past, and there’s no indication that anything has changed in the USPTO to make it a success this time around.

I don’t have the historical background to know if it’s a fair assessment, but I enjoyed his analogy:

“[…] IBM is Lucy, PTO management is Charley [sic] Brown, and these fake initiatives to improve patent quality are the football that the PTO keeps on trying to kick, only to be fooled again and again.”

One thing I think he may have missed, though, was that the OSaPA initiative contains another player. The initiative itself may again be the football, and the USPTO and IBM may again be playing, just as with prior (seemingly failed) initiatives. However, this time, the FOSS community is involved. I like to think that in Greg’s analogy, the FOSS community is Charles Schultz. We can draw any damn comic we want, and we’ll still be around after the initiatives, IBM, and the USPTO are long forgotten. The FOSS community is on the multi-hundred year plan, the same as any other sustainable cultural plan. If Greg’s predictions come to pass, and it really does turn out to be a waste of time, I still have faith that it’ll only be the USPTO (and, unfortunately, the US) getting hurt. To borrow from John Gilmore, FOSS will treat this as a defect, and route around it.

Regardless of history, I sincerely hope the USPTO takes this novel chance to harness the power of the FOSS community. We’re interested in helping them solve their problems, and if the USPTO drops the ball, it’s unlikely the FOSS community will ever look back.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

December 12, 2005

historical exchange rates

Filed under: General — kees @ 11:07 pm

Tonight I discovered that finding out the historical worth of money is a little tricky to calculate. :) On Poirot tonight, he bought 19 pairs of silk stockings in order to trap a thief. The clerk kept warning him that they were “very expensive”. The final bill was 35 shillings per pair. I thought this was rather odd that a value not involving pounds would be considered “very expensive”. Feeling very detective-oriented, I had to investigate.

First of all, I found a nice conversion chart for British currency. 35 shillings is 1.75 pounds. The story took place in roughly 1928, but that doesn’t change the shillings calculation because even after the decimalization in 1971, shillings and pounds kept their 20-to-1 ratio.

Trying to find “current worth” of historical monies was a little more difficult. I found the How Much Is That? site, and it seems that 1.75 pounds is worth about $95 in present day. Good stockings are about $15 a pair now, and since nylon was invented in 1935, it doesn’t seem unreasonable that good stockings would be about 10 times more expensive in 1928.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

October 28, 2005

gcc extensions

Filed under: General — kees @ 7:30 am

Robert Love wrote up a great summary of GCC extensions. Recommended reading! This is exactly the kind of summary I’ve been hoping to run into. Maybe I can go through Inkscape adding all sorts of fun tags to functions and variables now. :)

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

October 6, 2005

freaky screen locking

Filed under: General — kees @ 8:54 pm

This afternoon, for no reason at all, I was annoyed that my music didn’t pause when I locked my screen. So I fixed that. Tonight, I checked my RSS feeds and discovered that Corey did exactly the same thing today.

I think that’s really freaky. Inter-city Open Source Mind-Meld. Only I did mine with xscreensaver and xmms:

xmms –pause
xscreensaver-command lock

What I want now is a way to get xmms to unpause after I unlock my screen. :) I thought of a horrible hack for xscreensaver to do this, but I’m hoping there’s some other way.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

August 16, 2005

art thoughts on aug 16, 2005

Filed under: General — kees @ 7:11 pm

I saw a mention of the Portland Time-Based Art festival. Looks to be a pretty wild mix of all kinds of performance art. I’ve got to check it out, but it looks a bit pricey (minimum: $125).

Portland’s 94.7FM “alternative” radio station is great. (They even have live streaming.) I’ve been especially impressed with the 6PM “Cocktail Mix” by Gustav. His personal collection of electronica is very nice. I’ve never heard Messiah played anywhere other than my stereo or very rarely at clubs. A few weeks ago, he played it. So cool. They’re also running a NIN remix contest I’m pondering entering. I’m not really sure what sort of open software I should use to cook it, though.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

August 15, 2005

1 second film

Filed under: General — kees @ 3:18 pm

I found the 1 Second Film project today while trying to remember the name of the movie I saw this weekend. All I could remember was the dude was from Hackers. His name turns out to be Jesse Bradford. (The movie was Happy Endings, which I thought was pretty fun.) I was surprised to see Jesse Bradford listed as a Producer on another film, so I followed the link only to discover that everyone is a producer for the 1 Second Film.

Anyone can become a Producer (and get listed on IMDB) by sending them money. The film itself is going to be 1 second of 12 doubled frames of animation (which will be auctioned off after the movie opens). The credits will then roll for 60 minutes, playing next to a “The Making Of” movie. The profits are going to charity, and celebrities seem to have started a bidding war. Their credit-purchasing page is linked to PayPal, so it looks super-easy to support them. Crazy.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

August 4, 2005

oscon 2005 doppelganger

Filed under: General — kees @ 10:52 am

Wednesday I met my doppelganger. I had people walking up to me all day saying, “Hi Zak!” and I’d look at them and explain that I was someone else less famous, named Kees. Normally I think I’m just being paranoid thinking people are looking at me all the time. However, today, it seemed to be true. People would kind of slowly orbit me, trying to get a look at my face and my name badge. Eventually I started telling people “Hi! I’m not Zak.” By the end of the day, I had finally met him, and we had a good laugh. There is also Dan at the LTC that shares similar features, and all three of us had our picture taken together. (I hope they read this blog and send me photos!)

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

August 3, 2005

oscon 2005 mid week report

Filed under: General — kees @ 9:33 pm

Day 1 of OSCON was spent recovering from DefCon. I didn’t go to either of my scheduled tutorials. I really wish I could have gotten to see Conway present his Presentation Aikido, since the notes for it are terrific. I also really wish I could have spent some more time with Snort, especially given all the attention I gave to Snort Inline over the last few weeks.

Day 2 of OSCON was spent in the RT and Aterisk tutorials. The RT one was very interesting, but more geared towards people wanting to do something MORE than ticket tracking. I was glad to see that 3+ has a much better commandline query tool. That’ll speed up autokees’s “-rt” responses. (“autokees” is my IRC bot that reports OSDL’s open — and closed — RT tickets for the Core Services group.) The Asterisk presentation was fantastic.

Capouch really knows his stuff, and his Asterisk demo was very impressive. For the last part of his demo his showed off his home X10 turning on a light in his living room that triggered a motion detector running against his webcam, watching his prized Robert Crumb original, which dropped an Asterisk call file into the server and called him. Time between “X10 on” and his phone ringing: 2 seconds, if that. That tutorial was well organized, and detailed. I think I could probably set up an Asterisk server right now if I didn’t need to go to bed so badly.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

August 1, 2005

Plan B sucked!

Filed under: General — kees @ 5:16 pm

Well, our team of 3 didn’t do so well at CTF this year (4th in teams). But, I guess, holding our own against teams with 20+ people on them is kind of good. The game’s network was organized very differently from years past, and we had no way for inline Snort to work. They held the machines locally (in a FreeBSD jail), and we just got a network drop so we could share the network with our server. That was pretty disappointing, but I think it made the game much more pure. This year’s focus was on code auditing and binary analysis.

Both of my basic goals were achieved though:

  • Not come in last
  • Modify the token scoring tool to play victory WAVs any time we scored a point. That worked very well and was a great motivator.

I guess I’m going to have to really get cracking with some gdb programming work. Jesse’s auto-stack-overflow-detector rocks, and I think that can be seriously expanded, if not hooked up to Metasploit directly.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

June 29, 2005

google maps

Filed under: General — kees @ 9:37 am

Literally an hour after I finished figuring out how to build a Google Maps site (and having Ken help me with CSS hell), Google goes and changes the API and releases documentation. Aagh.

Google retains the right to put advertising on the map in the future.

Like, as a second overlay? Because I can’t see how this would work in the main overlay, considering users can define their own “info” contents for their XSLT. In-map advertising seems like a silly idea. Since everything is currently rendered in the browser, Google is going to have a hard time controlling what people display. I was hoping they’d go the route of making money off this by making people’s sites really really awsome, and then those people would buy advertising from Google directly due to their huge volume of traffic. I guess we’ll see…

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

June 23, 2005


Filed under: General — kees @ 8:12 am

We won two tickets to tonight’s screening of Serenity. I’m so excited! I am such a SciFi junkie. So much, in fact, I have to share the SciFi Ship Size Comparison website.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

May 25, 2005

ask a stupid question

Filed under: General — kees @ 7:58 am

Well, it seems that my stupid questions and bad starts have actually been useful.

In learning all the right ways to write patches for the Wine project, I got corrected a lot by the various developers. This is a much better situation to be in than the dreadful dead-air you can sometimes find on other development mailing lists where the more experienced project members just ignore questions and don’t bother to critique patch submissions. That case is so much more frustrating.

On the Wine devel list, there was never a shortage of people trying to show me how to make my patches better. It took me several weeks to get a large chunk of code into the project, but in the end, it was well documented, had a test suite, used the correct debug channels, handled memory management correctly, and generally did everything the right way. On top of that success was the fact that the Wine Wiki FAQ, which is studiously kept up to date, ended up recording a lot of my questions (or more importantly, their answers). You’ll find a lot of “K. Cook” in the Coding Hints section now.

While there may be no such thing as a stupid question, they’re clearly newbie questions if everything you ask ends up in the FAQ. :) Hopefully my bumbling will be useful to other folks in the future.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

Older Posts »

Powered by WordPress