codeblog code is freedom — patching my itch

September 15, 2007

catching stack overflows in gdb as they happen

Filed under: Reverse Engineering,Security,Ubuntu — kees @ 8:57 pm

Recently I was trying to help debug a stack overflow crash in wpa_supplicant. The trouble with a stack crash is that you end up without a useful call history since the stack is left partially wrecked. The compiler code for detecting stack overflows (SSP), sets up a canary value between the local variables of the function and the stack frame. When the function exits, it tests this canary value and aborts if it doesn’t match what it is expecting. So, logically, to catch the stack overflow, gdb needs to be set up in a way to watch the canary location too. Since the canary is only valid while in the function, gdb must be set up to have a memory watch only when the function is called.

Here is the function preamble:

0x08081940 <wpa_driver_wext_get_scan_results+0>:        push   %ebp
0x08081941 <wpa_driver_wext_get_scan_results+1>:        mov    %esp,%ebp
0x08081943 <wpa_driver_wext_get_scan_results+3>:        push   %edi
0x08081944 <wpa_driver_wext_get_scan_results+4>:        push   %esi
0x08081945 <wpa_driver_wext_get_scan_results+5>:        push   %ebx

Save registers, prepare %ebp.

0x08081946 <wpa_driver_wext_get_scan_results+6>:        mov    $0x1000,%ebx
0x08081951 <wpa_driver_wext_get_scan_results+17>:       mov    0x8(%ebp),%eax
0x08081954 <wpa_driver_wext_get_scan_results+20>:       mov    0xc(%ebp),%edx
0x08081957 <wpa_driver_wext_get_scan_results+23>:       lea    0xffffffb0(%ebp),%esi

Make room for local variables, copy some function arguments and local variables into registers.

0x0808195a <wpa_driver_wext_get_scan_results+26>:       mov    %gs:0x14,%ecx
0x08081961 <wpa_driver_wext_get_scan_results+33>:       mov    %ecx,0xffffffec(%ebp)
0x08081964 <wpa_driver_wext_get_scan_results+36>:       xor    %ecx,%ecx

Here’s the stack canary getting set, and the register cleared. It’s saved at %ebp minus 0x14 (0xffffffec signed is -0x14):

(gdb) printf "0x%x\n", 0-0xffffffec
0x14

Now for the function play-out:

0x08081a37 <wpa_driver_wext_get_scan_results+247>:      mov    0xffffffec(%ebp),%edx
0x08081a3a <wpa_driver_wext_get_scan_results+250>:      xor    %gs:0x14,%edx
0x08081a41 <wpa_driver_wext_get_scan_results+257>:      jne    0x8081eae <wpa_driver_wext_get_scan_results+1390>

There is the canary check.

0x08081a47 <wpa_driver_wext_get_scan_results+263>:      add    $0xec,%esp
0x08081a4d <wpa_driver_wext_get_scan_results+269>:      pop    %ebx
0x08081a4e <wpa_driver_wext_get_scan_results+270>:      pop    %esi
0x08081a4f <wpa_driver_wext_get_scan_results+271>:      pop    %edi
0x08081a50 <wpa_driver_wext_get_scan_results+272>:      pop    %ebp
0x08081a51 <wpa_driver_wext_get_scan_results+273>:      ret    
...
0x08081eae <wpa_driver_wext_get_scan_results+1390>:     call   0x804bdc8 <__stack_chk_fail@plt>

Release local stack, pop saved registers and return. Nearer the end is the call to __stack_chk_fail when the canary doesn’t match.

So, to watch the canary, we need to set up a memory watch after it as been set, and tear it down before we leave the function. Respectively, we can use addresses 0x08081964 and 0x08081a3a (in bold above):

(gdb) br *0x08081964
Breakpoint 1 at 0x8081964
(gdb) br *0x08081a3a
Breakpoint 2 at 0x8081a3a

At the first breakpoint, we set a memory watch using a gdb-local variable, based on %ebp (we can’t use %ebp directly since it will change in lower function calls):

(gdb) commands 1
Type commands for when breakpoint 1 is hit, one per line.
End with a line saying just "end".
>silent
>set variable $cow = (unsigned long*)($ebp - 0x14)
>watch *$cow
>cont
>end

Since I couldn’t find an easy way to track the memory watch number that was created during the first breakpoint, I just built a gdb counter, and deleted the memory watch when leaving, since I could predict gdb’s numbering (first watch will be “3”, following our breakpoints 1 and 2):

(gdb) set variable $count = 3
(gdb) commands 2
Type commands for when breakpoint 2 is hit, one per line.
End with a line saying just "end".
>silent
>delete $count
>set variable $count = $count + 1
>cont
>end

Now we can run, and wait for the canary to get overwritten:

(gdb) cont
Continuing.
Hardware watchpoint 3: *$cow
Hardware watchpoint 4: *$cow
...
Hardware watchpoint 12: *$cow
Hardware watchpoint 13: *$cow
Hardware watchpoint 13: *$cow

Old value = 4278845440
New value = 4278845546
0x0804eae6 in ?? ()

We see the canary value is 0xFF0A0000 getting it’s little-endian first byte overwritten to FF0A006A. We catch it before it has wrecked the stack, and we can see very clearly where we are:

(gdb) bt
#0  hexstr2bin (hex=0x080a239d "6151663870517a74", buf=0x080a2395 "aQf8pQzt00000000j", len=8)
    at ../src/utils/common.c:88
#1  0x08082297 in wpa_driver_wext_get_scan_results (priv=0xb7dd816c, 
    results=0x080a239d, max_size=0x79)
    at ../src/drivers/driver_wext.c:1383
...
(gdb) x/1i $eip      
0x804eae6 <hexstr2bin +54>:      addl   $0x1,0xfffffff0(%ebp)

On a closer look at the source, we realize wext_get_scan_custom got inlined into the function (it was static and only called from one place, so the compiler optimized it). Further tracking in the source shows that the “16” value passed in should actually be “8” (the limit of the destination, not the source, buffer size).

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

August 7, 2007

flag captured again

Filed under: Reverse Engineering,Security — kees @ 4:22 pm

I thought last year was going to be a fluke. Somehow we managed to do it again. Team 1@stPlace won DefCon Capture the Flag for a second year in a row. If my sources are correct, this is the first repeat CTF winner at DefCon since the Ghetto Hackers. I’m honored to be on such a very talented team. I’ve only just recently recovered from getting almost no sleep for 3 days. :)

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

April 13, 2007

Farewell Breezy

Filed under: Blogging,Security,Ubuntu — kees @ 6:46 pm

Breezy is now officially at end-of-life.

Looking back through my build logs, I can see that my desktop spent 18 hours, 49 minutes, and 4 seconds on 108 builds related to the roughly 64 breezy-security updates I was involved in publishing. So far, Dapper is at 132 builds totaling 19:59:40, and Edgy is at 142 builds totaling 23:32:28. These times obviously don’t include patch hunting/development, failed builds, testing, stuff done on my laptop or the PPC machine, etc. Even if it’s a bit incomplete, I think it’s fun to be able to point to some hard numbers about CPU time spent on Breezy updates. :)

Thank you Breezy! You have housed my MythTV installation very nicely, but now it’s time for some long over-due upgrades…

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

April 2, 2007

AppArmor now in Feisty

Filed under: Security,Ubuntu — kees @ 11:03 am

With the help of Magnus Runesson, Jesse Michael, Martin Pitt, and many others, I’ve got AppArmor packaged and uploaded into Feisty universe. Prior to this, admins interested in a Mandatory Access Control system in Ubuntu only had SELinux available; now we have more of a choice. For anyone wanting to try out AppArmor, you will need to compile the modules, and install the base packages:

sudo apt-get install apparmor-modules-source dpatch
sudo m-a -v -t prepare
sudo m-a -v -t build apparmor-modules
sudo m-a -v -t install apparmor-modules
sudo apt-get install apparmor apparmor-utils apparmor-profiles libterm-readline-gnu-perl

With the default profiles, you can see one quick example of a confined process. Try doing this:

ping localhost >/dev/null &
sudo ps aZ | grep ping

In the first column, you should see what profile is being used to confine the process:

/bin/ping 14351 pts/14 S 0:00 ping localhost
unconstrained 15381 pts/14 S+ 0:00 grep ping

The list of active profiles can be seen as root in /sys/kernel/security/apparmor/profiles, which are loaded from /etc/apparmor.d/.

To confine a process, use aa-autodep and aa-logprof. For example, I wanted to confine my PDF document browser to only use /tmp (since I tend to only use it when browsing PDFs online):

  • First, I create an empty profile in “complain” mode: sudo aa-autodep evince
  • Next, I run evince like I normally would, including as many actions as I can think of (printing, preferences, help, etc). Watching the output of dmesg you can follow the trail of all the actions evince is taking. When I’m finished, I quit evince.
  • Next, I run aa-logprof, which runs through all the kernel audit output and offers suggestions on what to allow from evince. Where appropriate, I select “abstrations” for things like Gnome, DNS, fonts, tmp dir usage, etc. When a whole directory tree should be allowed, I double-glob the path (/usr/share/evince/**). Once all the items from the log have been processed, the profile is saved.
  • Finally, I enable the profile with aa-enforce evince. Any disallowed actions will show up in the kernel logs.

Check out the resulting profile for evince.

Now if I end up reading a malicious PDF that takes advantage of some currently-unknown vulnerability in evince, it will be confined to the above AppArmor profile, unable to exec new processes, and only able to write to the Gnome preferences for evince. (It’s also unable to read files out of /home, so that the above profile may be way too strict for common usage. And to even get caught by AppArmor, the imaginary exploit would have to avoid the randomized stack, randomized heap, stack protector, and, since I’m running 64bit, the NX processor bit.)

Be aware, this is still a new bit of packaging for Ubuntu, so you may run into sneaky gotchas. If that happens, please open a bug.

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

March 9, 2007

detecting space-vs-tab indentation type in vim

Filed under: General,Ubuntu — kees @ 10:36 am

I edit a lot of other people’s code. Dealing with indenting depth has always plagued me, and I’ve tried all sorts of things to try to address it, but the “real” problems I have are when tabs are mixed into code.

I personally use “4 spaces” for code indentation, and if I’m working on code that uses 8, I just hit “tab” twice, and if I’m working on code that uses 2, I can just backspace over the 2-too-many spaces. When the code has actual tabs, things break. When the code has a mix of tabs and spaces, it becomes a serious head-ache.

I wrote some vim insanity to detect which indentation type was being used “the most” in a given source file. If anyone has a simpler way to solve this (without switching to a different editor), I’m all ears. What follows are some bits from my .vimrc.

First, my space-indentation defaults:

set noai ts=4 sw=8 expandtab

Next, Makefiles and debian/rules files always use tabs, so I have a base set of overrides:

" Makefile sanity
autocmd BufEnter ?akefile* set noet ts=8 sw=8
autocmd BufEnter */debian/rules set noet ts=8 sw=8

Finally, define a function that compares the number of lines that start with a tab to those that start with a space. If the tabs outnumber the spaces, disable my defaults, and don’t expand tabs:

function Kees_settabs()
    if len(filter(getbufline(winbufnr(0), 1, "$"), 'v:val =~ "^\\t"')) > len(filter(getbufline(winbufnr(0), 1, "$"), 'v:val =~ "^ "'))
        set noet ts=8 sw=8
    endif
endfunction
autocmd BufReadPost * call Kees_settabs()

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

February 3, 2007

OpenID and goofy Claims

Filed under: Blogging,Inkscape,Ubuntu,Web — kees @ 8:33 am

I’ve been having fun fighting religious battles and confusing people with in-jokes at jyte.com. Other good claims:

Or just see what’s been claimed about linux in general. Yay for silly social networking sites! :)

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

January 23, 2007

CVE links via Greasemonkey

Filed under: Blogging,Security,Ubuntu,Web — kees @ 10:00 pm

I spend a good bit of time reading CVEs but their entries are plain text, without links associated with their various recorded URLs. I’m annoyed at having to select/paste to load a URL, so I had to go code a work-around. :)

Since MozDev‘s “linkify.user.js” was a bit heavy-handed, I wrote up a quick hack based on similar code to only look at mitre.org’s LI tags: “cve-links.user.js“.

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

January 10, 2007

attempting a secondlife build on ubuntu

Filed under: Blogging,Ubuntu — kees @ 5:37 am

Linden Labs released their Second Life client under the GPL, so I figured I’d have a go at getting it compiled on Ubuntu. Three libraries weren’t already packaged, so I threw together some initial attempts at getting them usable (libelfio, libopenjpeg, and libxmlrpc-epi). I think the long-term approach will be trying to convince Linden Labs to use stuff that is being actively maintained.

One big hurdle is audio, since FMOD doesn’t have a Free license. I hope it can get replaced; I’d be curious to hear what Second Life needs from FMOD that some of the other Free stacks can’t do.

So, if you’re in a mood to play with getting the Second Life client running, hopefully my stab at packaging can help (I’ve solved a number of gotchas in the assumptions their build system made), and so far it built:

$ ls -lh secondlife-x86_64-bin
-rwxr-xr-x 1 kees kees 34M 2007-01-10 05:33 secondlife-x86_64-bin*
$ ldd ./secondlife-x86_64-bin | wc -l
77

Unfortunately, it immediately crashes when I load it. :)

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

December 25, 2006

2006 recommended reading

Filed under: Blogging,Ubuntu — kees @ 10:45 am

It’s not quite the end of the year yet, but here are Kirsten’s top 6 books from 2006:

  1. The Great Influenza: The Epic Story of the Deadliest Plague in History The Great Influenza
  2. The Devil in the White City:  Murder, Magic, and Madness at the Fair that Changed America The Devil in the White City
  3. Cloud Atlas: A Novel Cloud Atlas
  4. The Fortress of SolitudeThe Fortress of Solitude
  5. It's Superman!: A Novel It’s Superman!
  6. Welcome to Our Hillbrow Welcome to Our Hillbrow

(Also, figured this would be a good test of the WP plugin for Amazon, which is very handy. I’m going to see if I can patch it to hook things to my blog roll “Reading” category.)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

December 13, 2006

silly things to do with unicode

Filed under: Blogging,Ubuntu,Web — kees @ 12:37 pm

˙ǝɓuɐɹʇs ʎɹǝʌ ʍoH

‮Unicode is so odd.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

December 9, 2006

frozen-bubble handicapping

Filed under: Blogging,Ubuntu — kees @ 10:32 am

At UDS, I learned that I am a poor frozen-bubble player. After getting repeated trounced by pitti, I decided I had to find some way to level the playing field. I was my own worst enemy due to my bad aim, but all the malus (as in, the opposite of bonus) balls were clearly causing me greater pain. I wrote a patch that creates a new key binding “b” to toggle the blocking of malus balls. Using this made things a little more even, and after a week of practice, I was a much better player (and quit using my cheat).

Since frozen-bubble depends on a shared game state between all players, everyone will notice if you’re using a mod like that, since they will just queue up on your malus post:

malus blocking

So be sure you’re playing with people you know. :)

© 2006 – 2015, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

December 7, 2006

paranoid browsing with squid

Filed under: Security,Ubuntu — kees @ 11:40 pm

As Carthik says, the SSH SOCKS option is a great way to quickly tunnel your web traffic. A word of caution for the deeply paranoid: all your DNS traffic is still in the clear. While the web traffic and URLs aren’t sniffable any more, curious people can still get a sense for what kinds of stuff you’re browsing, based on domain names. (And for the really really paranoid: if you’re on open wireless, your DNS lookups could get hijacked, causing you to browse to look-alike sites ready to phish your login credentials.)

Luckily, with SOCKS5 Firefox can control which side of the proxy handles DNS lookups. By default, it does the lookups locally resulting in the scenario above. To change this, set network.proxy.socks_remote_dns = true in about:config. This makes the SOCKS proxy more like a regular proxy, where DNS is handled by the remote end of the tunnel.

Update: Oops, as the title hints, I was going to talk about Squid. But then I didn’t. It’s pretty cool too. Carry on…

© 2006 – 2016, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

filtering email body URLs with whois

Filed under: Networking,Ubuntu — kees @ 10:21 pm

I use SURBL filtering for my inbound email. It’s very handy except when my domain receives the leading edge of a new spam campaign. Whenever spam with a URL got through the filters, I’d go look it up and discover that it was added to the block lists about 20 minutes after I got the email. I’d think to myself, “dang, if only I had greylisted that email”.

Well, I got to thinking: all the URL-based spam campaigns have one thing in common: the domains they’re spamming have been recently registered. So now I greylist any email whose body contains a recently registered domain in a URL. It gets delayed just long enough that the SURBLs catch up, and when it is finally reattempted, it gets permanently rejected. Unfortunately, I have not found a common API for querying the registrars for a domain’s creation date, so I wrote an insane script to make a best-effort guess:

$ ./whois-created kernel.org 2>/dev/null
‘kernel.org’ created on: 1997-03-07
$ ./whois-created outflux.net 2>/dev/null
‘outflux.net’ created on: 2000-03-17
$ ./whois-created hosteije.net 2>/dev/null
‘hosteije.net’ created on: 2006-12-01

Any URLs with kernel.org or outflux.net I’d let through, but I’d greylist anything mentioning hosteije.net (which is now listed on the SURBLs).

Most of my email filtering is based on some heavily modified MIMEDefang code (which handles hooking to my script and doing the greylisting), but I’m figuring this sort of thing should live in some optional routine in SpamAssassin so more people can benefit.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

December 4, 2006

OSDL drops staff coders

Filed under: General — kees @ 10:33 pm

News clippings about OSDL‘s RIF:

Two months ago, I jumped on a fantastic opportunity and took a job with Canonical (leaving OSDL none too soon, it seems). I’m disappointed that OSDL laid off so many of my friends. I had been visiting the office on and off so I could continue to participate in the daily lunchtime board games. It’s the end of an era.

Games played during lunch:

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

October 7, 2006

art-creation pyramid scheme

Filed under: Blogging,Inkscape — kees @ 12:35 pm

Gib started a meme I think sounds like fun. If you’re one of the first 5 people who comment on this post, I’ll create an original piece of art for you, but only if you promise to offer the same deal in your own blog. (And I urge you to release it under a Creative Commons Share-Alike license while you’re at it.)

I’ll likely be using inkscape to get it done, since I need an excuse to play more with the tile cloner and tessellation filters.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

September 9, 2006

metalink

Filed under: kernel.org,Networking — kees @ 10:47 am

I’ve been watching metalink for a while now, and was urged to write about it, so I am! If you want to download something large that isn’t available via bittorrent, you can still get the distributed download benefits of bittorrent. Basically, metalink-aware downloaders split up your download across many mirrors of the resource you want, using existing protocols.

Bittorrent is great for “new releases” or other similiar things that are currently “in demand” by a large number of people. For older stuff, especially large trees of files, as found on many mirrored archives, you won’t find a bittorrent, and metalink can really distribute and speed up the download.

OpenOffice is using it, and I hope to figure out a way to incorporate it into kernel.org directly. There are already places hosting auto-generated metalink files for various projects, including the linux kernel. I’m hoping kernel.org can publish more complete metalink files since we should be able to build them more easily, having the list of which mirrors are in which countries, their access mechanism, and if they carry bz2, gz, or both. We’ve talked about it briefly, but haven’t finalized the plans yet.

You can even generate your own metalink files online.

Another blog has other details, so I hope I’ve not been too redundant. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

September 1, 2006

public transit badges

Filed under: Blogging — kees @ 7:40 pm

Thanks to Jon, I had to see what public transit systems I’ve been on. They didn’t have Portland’s TriMet, so I sent them their logo. :)

chicagochicago lnew yorkbostonportland trimetsan franciscosan francisco muniwashington

Got at b3co.com!

© 2006 – 2015, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

August 9, 2006

talk to me about Sendpage

Filed under: Blogging,Networking — kees @ 4:50 pm

Like I mentioned before, I’ll be in San Francisco at Linux World Expo next week. Besides presenting, I’ll also be at a Birds-of-a-Feather on “Network, Device, and Environment Monitoring” on Wed (8/16) at 6pm in Room 309, where I’ll be talking about Sendpage. I’ve been told this BoF is open to anyone with an “exhibits” pass which, prior to LWE starting, is free! So, if you’re in the area, come hang out. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

August 7, 2006

flag captured

Filed under: Reverse Engineering,Security — kees @ 11:19 pm

I can’t believe it. We won DefCon CTF. I have no idea what to say. It just all came together this year. Great team, great contest.

And to make it even sweeter, since CTF is a “Black Badge” contest, I never have to pay to get into DefCon again! Although, at this point, I might pay several years worth of admission in exchange for lots of time to sleep. :)

UPDATE: nice write-up at the U of Florida.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

August 2, 2006

mythtv cutlist to mplayer EDL file

Filed under: Multimedia — kees @ 8:47 pm

I was too lazy to walk over to my TV, so I decided to watch my MythTV recordings on my desktop without having installed a MythTV frontend. Via the magic of MythTVfs, I started watching a recent Stargate episode.

Before the opening credits had finished, I knew I was already going to miss MythTV’s commercial flagging. So started the investigation into where in the world MythTV stores that information. I was imagining adding “.edl” files to MythTVfs automatically, etc.

In MythTV 0.19, using “mythcommflag”, you can get the “Cut” list, but not the “Commercial Skip” list. (Think of the latter as a “Cut Hint” list.) The command for this is:

mythcommflag –getcutlist -c 1059 -s 20060728210000

In MythTV 0.20, you’ll be able to use “–getskiplist”. Since I’m still using 0.19, I had to go directly to the “mythconverg” database to get the details. The marks are stored in the “recordedmarkup” table. The mark types I care about are: 4: Commercial Start, 5: Commercial End. This SQL query gets me somewhere:

SELECT mark, type FROM recordedmarkup WHERE chanid = “1059” AND starttime = “20060728210000” AND (type = 4 OR type = 5) ORDER BY mark;

However, mplayer’s EDL file format expects time, not frame number. MythTV stores frame number. Luck for us, it’s all NTSC MPEG2, so we’re at 29.97 frame per second, and I can modify the SQL:

SELECT mark/29.97, type FROM recordedmarkup WHERE chanid = “1059” AND starttime = “20060728210000” AND (type = 4 OR type = 5) ORDER BY mark;

Now I just have to get the pairs on a single line with a trailing “0” for mplayer to know to skip that time frame:

echo ‘SELECT mark/29.97 FROM recordedmarkup WHERE chanid = “1059” AND starttime = “20060728210000” AND (type = 4 OR type = 5) ORDER BY mark;’ | mysql -B –skip-column-names | xargs -l2 | awk ‘{print $0 ” 0″ }’

Combined with some logic to extract the channel and starttime for a given recording, I’ve now got a really crazy wrapper script that’ll let me mplayer a recording after generating an EDL cutlist.

(With thanks to Ken’s excellent collection of “merge pairs of lines into single lines” short cuts.)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

July 30, 2006

jabber to IRC bridge

Filed under: Inkscape,Networking — kees @ 11:16 am

I wrote a Jabber to IRC bridge a while back. It’s currently being used to bridge communication between the #inkscape freenode channel and the inkscape Jabber conference room. I’ve finally gotten around to cleaning up (read: getting configurable variable out of the script into a .conf file) and publishing it.

It’s a bit fragile since the POE/Jabber code seems to explode once in a while, and it doesn’t like losing connections with the Jabber server, but it works most of the time. Several people had asked me for copies of it, so there it is. Please don’t laugh at it/me too hard. Just send me lots of patches. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

July 29, 2006

encrypted network filesystems

Filed under: Networking,Security — kees @ 11:59 am

I run a machine in a colo across the country from me, and I wanted to have some backups closer to the machine. So I signed up for a NAS login with my provider. Since I didn’t want to leave all my files sitting on their disks in the clear, I built up an encrypted volume over the network. It’s not fast, but it works.

Here were the setup steps:

  1. mkdir -p /mnt/nas-raw /mnt/backups
  2. smbmount //backup.server.at.my.isp/mount.source.path /mnt/nas-raw -o username=myaccount,password=mypassword
  3. modprobe loop && sleep 2
  4. dd if=/dev/zero of=/mnt/nas-raw/volume bs=32k
  5. losetup /dev/loop0 /mnt/nas-raw/volume
  6. cryptsetup create crypt-backups /dev/loop0 –cipher=aes-cbc-essiv:sha256
  7. Type volume pass-phrase
  8. mkfs.ext3 /dev/mapper/crypt-backups
  9. mount /dev/mapper/crypt-backups /mnt/backups

To unmount it:

  1. umount /mnt/backups
  2. cryptsetup remove crypt-backups
  3. losetup -d /dev/loop0
  4. umount /mnt/nas-raw

And then to remount it later:

  1. smbmount //backup.server.at.my.isp/mount.source.path /mnt/nas-raw -o username=myaccount,password=mypassword
  2. modprobe loop && sleep 2
  3. losetup /dev/loop0 /mnt/nas-raw/volume
  4. cryptsetup create crypt-backups /dev/loop0 –cipher=aes-cbc–essiv:sha256
  5. Type volume pass-phrase
  6. mount /dev/mapper/crypt-backups /mnt/backups

By scripting the “remount” steps, I can actually echo the volume password into an ssh connection:

echo ‘my volume pass-phrase here’ | ~/bin/do-crypto-mount
ssh root@colo.machine.isp “/etc/dirvish/dirvish-cronjob && df -h /mnt/backups”
~/bin/do-crypto-umount

Very handy!

Update: I added the --cipher option to include the essiv type, which should be used.

© 2006 – 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

July 28, 2006

airodump channel hopping

Filed under: Networking,Security — kees @ 7:14 am

The “airodump” tool, part of the aircrack wireless analysis suite, is like “tcpdump”, except that it can perform channel hopping. Since channel hopping is a “lossy” way to do wireless sniffing (you’re only listening on each channel for a few hundred milliseconds before moving on to the next channel), it doesn’t make sense to listen to channels that you know will contain no traffic. However, there was no way to specify a range of channels. airodump would either listen on 1 channel or hop across all channels.

I wrote a patch to allow for a comma-separated list of channels to be specified. Now I can tell airodump to spend all of its hopping time on 6, 11, and 1, for example:

airodump ath0 /tmp/ath0-logs 6,11,1

UPDATE: Here’s a patch that does that same for aircrack-ng.

© 2006 – 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

July 27, 2006

I love Open Source Software

Filed under: Multimedia — kees @ 12:45 am

Today, Randy let me borrow his awsome presentation remote. It’s basically an RF remote, whose other end is a USB fob, that acts as a keyboard. The two “next” and “previous” buttons on the remote map to “PageUp” and “PageDown” keys, which worked great for the Crucible and Xen presentation Bryce and I gave this afternoon.

Tomorrow, for my MythTV presenation, I’m using OpenOffice.org, which makes a distinction between “Space” and “PageDown”. “PageDown” goes literally to the next slide, where as “Space” triggers the next animation within a slide. Since my presentation slides have a ton of “reveals”, I need to be pressing “Space”, not “PageDown”. A search of the Logitech page yielded no info on changing the remote’s config, so I opted to using “xmodmap” to get the job done for me.

Using “xev”, I found that the keysym for “PageDown” on my keyboard is 0xff56, and the keysym for “Space” is 0x20. So, I blew away my PageDown key, and replaced it with Space:

echo keysym 0xff56 = 0x20 | xmodmap –

Now the remote works just how I need it. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

July 19, 2006

Linux World Expo

Filed under: Blogging — kees @ 7:09 pm

I will be presenting! I’ve never been to LWE, so I’m really looking forward to the trip. It’s also another chance to hang out in the Bay area and visit with people. Whee!

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

June 4, 2006

frontline assembly samples

Filed under: Blogging,Multimedia — kees @ 8:08 am

Every once in a while, I hear something in a movie and yell, “Hey! That’s in a Frontline song!” This time it was while catching a portion of the The Abyss, where a big chunk of gear misses falling on their habitat, and they kind of laugh nervously. Well, that nervous laugh was looped for about for about 30 seconds at the start of “Victim of a Criminal” from Millennium. I found it at about the same time I thought to put “Frontline Assembly samples” into Google, which gave me this page, which is a list of all the samples that they used. Robocop, Aliens, and the one that haunted me for a while before this Abyss incident: Stargate and “send in the probe”.

This is what my brain is filled with: sound effects. Great. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

May 24, 2006

easy wordpress anti-spam

Filed under: Blogging,Networking,Security — kees @ 11:06 pm

After getting about 40 moderation requests a day, I figured I should spend some time finding some anti-comment-spam plugins for WordPress. After digging around a while, I found one that doesn’t require JavaScript, doesn’t perform vision tests, but works just fine for the kind of comment-spam-bot that seemed to have taken a liking to my blog (even though no spam ever appeared in my comments ever…)

I found lr2Spam which has a great setup, but an incomplete final step. I merged it with ideas I saw in the RBL measures plugin, and got some good results. By replacing lr2Spam’s comment_post with pre_comment_content (see the WordPress Plugin API), I was able to redirect spammers away from from my site with PHP’s header("Location: [URL]") technique. (This is what I borrowed from the RBL plugin.) The patch is almost as big as lr2Spam itself (both are very small). Honestly, I’m surprised it works at all. Someone wrote a comment-spam bot that can’t correctly parse a totally valid HTML form, but does correctly handle a 302/Location redirect. Weird.

I thought briefly about redirecting all the spammers to http://fbi.gov/i-am-a-spammer/?ip=[IP] but then realized their requests’ referer header would show my URL still. On further thought, I realized that comment-spam is very different from email spam because the bot has to implement a much larger set of protocol elements. Since they must respect the 302/Location redirect, someone who is getting hit really hard with comment spam could effectively DDoS somone’s link by redirecting to somewhere with big files. Say, for example, instead of using fbi.gov above, I used http://mirrors.example.com/iso/DVD-distro-image.iso. Every spam bot in their network would start a giant-ass download from example.com after hitting my anti-spam system. Ewww.

Implemented early on May 20th, after 4 days, I’ve seen 250 comment spam attempts from 162 unique IP addresses (most in China — maybe they need to turn their firewall around). The volume of spam isn’t big when compared to my daily email spam statistics, but each one of those would have been an email in my inbox, asking for moderation. Interestingly, they all stopped on May 23rd. Maybe they got a clue.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

May 22, 2006

TiVoConnect dissector for Ethereal

Filed under: Multimedia,Networking — kees @ 9:03 pm

Over the weekend, I coded up a protocol dissector in Ethereal for the TiVoConnect Discovery Protocol. The protocol is very simple, but I still wanted the satisfaction of seeing it listed by name when scanning through my home network captures while debugging Galleon/TiVo traffic.

Ethereal has great developer documentation. It was easy to find and got me coding right away with a skeleton dissector. I just love the projects with these kind of to-the-point examples. The only thing I felt was missing from their README.developer was something showing that the dissector routine could return gboolean, letting a dissector reject being attached to a given packet.

There were other clearly written dissectors that I used for reference: DNS, Yahoo, and Syslog. They seemed to answer most of the more subtle questions I had about rewriting column text, scanning the packet, and dealing with other special cases.

Hopefully the patch will get accepted. I even did the randomized testing the wiki recommended. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

May 18, 2006

bleeding-edgeness matrix

Filed under: General — kees @ 11:22 pm

At least two times in recent history, I’ve wondered “is this the most recent version” of some piece of software, immediately followed by “which distro has the most recent version?” As I recall, these were for:

I had discovered both to be woefully behind “most recent” for a number of distributions. In my mind popped a vision of a chart/table/matrix of software on one axis and distros on the other, showing which had what versions of things. And little boxes where I could rank the “bleeding-edgeness” of a distro.

While hunting around, I found something almost like my vision. The distrowatch website is pretty damn cool. It wasn’t really set up to compare bleeding-edgeness between different distros, just different versions of a distro. For example, here’s Ubuntu’s matrix.

I exchanged some email with the author, and it sounds like he just uses a mess of custom scripts to poll version numbers of some of the more “big-name” software packages, common to most distros. Needless to say, mdadm and f-spot did not make the cut. I’d love to be able to add more “tracked packages” via some kind of web UI. A URL plus a regex to extract a version from; almost the same as what’s needed for WWW-PkgFind to operate. :)

From the pkgfind man page description:

… scans a web or ftp site for newly posted files and
downloads them to a local filesystem. … The motivation for this script is to poll places where developers post patches to software we’re testing.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

May 16, 2006

catching up on Stargate

Filed under: Blogging,Health — kees @ 10:50 pm

I’ve been catching up on Stargate SG-1 ever since Bryce recommended it. I’d been resisting it, but with no more Firefly, Farscape, or StarTreks left to watch, it was inevitable.

At one point during my catch-up, I realized that I was watching 4 separate time-lines of the show. SciFi was showing new episodes on Fridays, a set of 3-in-a-row on Mondays, and a third chronology running Tue, Wed, Thu. On top of this, Fox(?) was playing re-runs on Fridays as well. About 30 episodes in, I totally lost it, and could not keep things straight. (“What? Where’d Daniel Jackson go? Who’s this guy?”)

To my rescue was my ever-faithful epguides.com to serve as a base check-list for which shows I’d seen already, and the fantastic Stargate Wiki Episode Guide to help me remember which I’d already seen. (They even have full transcripts of the episodes! That’s dedication!)

It looks like very few of season 2 has aired, so I will have to turn to either the library or Netflix to fill the gaps. Once SG1 is gone, I will have to switch my daily exercise routine back to Buffy the Vampire Slayer. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

« Newer PostsOlder Posts »

Powered by WordPress