codeblog code is freedom — patching my itch

December 7, 2006

filtering email body URLs with whois

Filed under: Networking,Ubuntu — kees @ 10:21 pm

I use SURBL filtering for my inbound email. It’s very handy except when my domain receives the leading edge of a new spam campaign. Whenever spam with a URL got through the filters, I’d go look it up and discover that it was added to the block lists about 20 minutes after I got the email. I’d think to myself, “dang, if only I had greylisted that email”.

Well, I got to thinking: all the URL-based spam campaigns have one thing in common: the domains they’re spamming have been recently registered. So now I greylist any email whose body contains a recently registered domain in a URL. It gets delayed just long enough that the SURBLs catch up, and when it is finally reattempted, it gets permanently rejected. Unfortunately, I have not found a common API for querying the registrars for a domain’s creation date, so I wrote an insane script to make a best-effort guess:

$ ./whois-created kernel.org 2>/dev/null
'kernel.org' created on: 1997-03-07
$ ./whois-created outflux.net 2>/dev/null
'outflux.net' created on: 2000-03-17
$ ./whois-created hosteije.net 2>/dev/null
'hosteije.net' created on: 2006-12-01

Any URLs with kernel.org or outflux.net I’d let through, but I’d greylist anything mentioning hosteije.net (which is now listed on the SURBLs).
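The script itself is not in the post, so here is an added Python sketch of the same best-effort idea (my example, not the whois-created script from the post): pull the domains out of a message body, fish a creation date out of free-form whois output, and decide whether the message should be greylisted. The 30-day cutoff, the field names in CREATED_RE, the three whois snippets and the sample body are constructed assumptions; whois_text() shells out to whois(1) and is only used when you run the script against the network.

```python
import re
import subprocess
from datetime import date, datetime, timedelta
from urllib.parse import urlparse

# Hypothetical policy: a domain registered fewer than this many days ago gets greylisted.
MAX_AGE_DAYS = 30
# Reference "today" for the constructed samples below (the post is dated 2006-12-07).
TODAY = date(2006, 12, 7)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Creation-date field names as various registrars print them; best effort, not a standard.
CREATED_RE = re.compile(
    r"^\s*(?:creation date|created on|created|registered on)\s*:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d", "%d-%b-%Y", "%Y/%m/%d", "%Y%m%d", "%Y.%m.%d")

# Constructed stand-ins for whois output (not real registrar records).
SAMPLE_WHOIS = {
    "kernel.org": "Domain Name:KERNEL.ORG\nCreated On:07-Mar-1997 00:00:00 UTC\n",
    "outflux.net": "   Domain Name: OUTFLUX.NET\n   Creation Date: 17-mar-2000\n",
    "hosteije.net": "   Domain Name: HOSTEIJE.NET\n   Creation Date: 2006-12-01T00:00:00Z\n",
}
# Constructed message body mixing an old domain, the post's own domain and a brand-new one.
SAMPLE_BODY = (
    "Grab the tarball at http://www.kernel.org/pub/linux/ or read https://outflux.net/blog/\n"
    "SPECIAL OFFER: http://www.hosteije.net/promo.php?id=1\n"
    "ignored: http://10.0.0.1/cgi-bin/x\n"
)

def registrable_domain(host):
    """Last two labels of a hostname. Naive on purpose: no public-suffix list here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def domains_in_body(body):
    """Every registrable domain mentioned in an http(s) URL; bare IP addresses are skipped."""
    found = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host and not re.fullmatch(r"[\d.]+", host):
            found.add(registrable_domain(host))
    return sorted(found)

def parse_creation_date(whois_text):
    """Find a creation-date field and try the common layouts; None if nothing parses."""
    m = CREATED_RE.search(whois_text)
    if not m:
        return None
    raw = m.group(1).rstrip("Z")
    for candidate in (raw, raw[:10]):
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(candidate, fmt).date()
            except ValueError:
                continue
    return None

def whois_text(domain):
    """Ask the system whois(1) client; empty string if it is missing, fails or hangs."""
    try:
        proc = subprocess.run(["whois", domain], capture_output=True, text=True, timeout=20)
        return proc.stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""

def should_greylist(created, today=TODAY, max_age_days=MAX_AGE_DAYS):
    """Unknown age fails open (no delay) so a registrar outage cannot stall all mail."""
    if created is None:
        return False
    return (today - created) < timedelta(days=max_age_days)

def classify_body(body, lookup=whois_text, today=TODAY):
    """Map each domain in the body to 'greylist' or 'pass'; lookup(domain) returns whois text."""
    verdicts = {}
    for domain in domains_in_body(body):
        created = parse_creation_date(lookup(domain) or "")
        verdicts[domain] = "greylist" if should_greylist(created, today) else "pass"
    return verdicts

if __name__ == "__main__":
    for dom, verdict in classify_body(SAMPLE_BODY, lambda d: SAMPLE_WHOIS.get(d, "")).items():
        print(f"{dom}: {verdict}")
```

Run it with no arguments and it classifies the constructed sample offline; swap the lambda for the default whois_text to query real registrars. Because whois output is rate-limited and unstructured, a filter built this way should cache verdicts per domain and treat a parse failure as "pass", which is what should_greylist() does.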

Most of my email filtering is based on some heavily modified MIMEDefang code (which handles hooking to my script and doing the greylisting), but I’m figuring this sort of thing should live in some optional routine in SpamAssassin so more people can benefit.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

December 4, 2006

OSDL drops staff coders

Filed under: General — kees @ 10:33 pm

News clippings about OSDL's RIF:

Two months ago, I jumped on a fantastic opportunity and took a job with Canonical (leaving OSDL none too soon, it seems). I’m disappointed that OSDL laid off so many of my friends. I had been visiting the office on and off so I could continue to participate in the daily lunchtime board games. It’s the end of an era.

Games played during lunch:


October 7, 2006

art-creation pyramid scheme

Filed under: Blogging,Inkscape — kees @ 12:35 pm

Gib started a meme I think sounds like fun. If you’re one of the first 5 people who comment on this post, I’ll create an original piece of art for you, but only if you promise to offer the same deal in your own blog. (And I urge you to release it under a Creative Commons Share-Alike license while you’re at it.)

I’ll likely be using inkscape to get it done, since I need an excuse to play more with the tile cloner and tessellation filters.


September 9, 2006

metalink

Filed under: kernel.org,Networking — kees @ 10:47 am

I’ve been watching metalink for a while now, and was urged to write about it, so I am! If you want to download something large that isn’t available via bittorrent, you can still get the distributed download benefits of bittorrent. Basically, metalink-aware downloaders split up your download across many mirrors of the resource you want, using existing protocols.

Bittorrent is great for “new releases” or other similar things that are currently “in demand” by a large number of people. For older stuff, especially large trees of files, as found on many mirrored archives, you won’t find a bittorrent, and metalink can really distribute and speed up the download.

OpenOffice is using it, and I hope to figure out a way to incorporate it into kernel.org directly. There are already places hosting auto-generated metalink files for various projects, including the linux kernel. I’m hoping kernel.org can publish more complete metalink files since we should be able to build them more easily, having the list of which mirrors are in which countries, their access mechanism, and if they carry bz2, gz, or both. We’ve talked about it briefly, but haven’t finalized the plans yet.

You can even generate your own metalink files online.
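As an added example (mine, not kernel.org's or OpenOffice's tooling), a Python sketch of the two halves a kernel.org-style publisher and a metalink-aware downloader would need: emitting a Metalink 4 (RFC 5854) file from a mirror table that records country and priority, and verifying whatever came back from a mirror against the size and hash in that file before trusting it. The mirror URLs and the payload bytes are constructed; using the RFC 5854 format is my assumption, since the post predates it and names no format version.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:metalink"  # Metalink 4 namespace (RFC 5854)

# Constructed mirror table in the shape of what a mirror list holds:
# (URL, ISO country code, priority: 1 is preferred, larger is less preferred).
SAMPLE_MIRRORS = [
    ("ftp://mirror-b.example.net/pub/linux/kernel/v2.6/linux-2.6.17.tar.bz2", "de", 2),
    ("http://mirror-a.example.org/pub/linux/kernel/v2.6/linux-2.6.17.tar.bz2", "us", 1),
    ("http://mirror-c.example.com/pub/linux/kernel/v2.6/linux-2.6.17.tar.bz2", "jp", 3),
]
# Constructed stand-in for the file contents (the real tarball is not embedded here).
SAMPLE_PAYLOAD = b"not a real kernel tarball, just constructed sample bytes\n"

def build_metalink(name, payload, mirrors):
    """Publisher side: one <file> with size, sha-256 and one <url> per mirror."""
    ET.register_namespace("", NS)
    root = ET.Element(f"{{{NS}}}metalink")
    f = ET.SubElement(root, f"{{{NS}}}file", name=name)
    ET.SubElement(f, f"{{{NS}}}size").text = str(len(payload))
    ET.SubElement(f, f"{{{NS}}}hash", type="sha-256").text = hashlib.sha256(payload).hexdigest()
    for url, country, prio in mirrors:
        ET.SubElement(f, f"{{{NS}}}url", location=country, priority=str(prio)).text = url
    return ET.tostring(root, encoding="unicode")

def parse_metalink(xml_text):
    """Downloader side: the first <file> as a dict, URLs sorted by priority."""
    root = ET.fromstring(xml_text)
    f = root.find(f"{{{NS}}}file")
    entry = {"name": f.get("name"), "size": int(f.findtext(f"{{{NS}}}size")), "hashes": {}, "urls": []}
    for h in f.findall(f"{{{NS}}}hash"):
        entry["hashes"][h.get("type")] = h.text.strip()
    for u in f.findall(f"{{{NS}}}url"):
        entry["urls"].append((u.text.strip(), u.get("location"), int(u.get("priority", "999"))))
    entry["urls"].sort(key=lambda t: t[2])
    return entry

def pick_mirrors(entry, country):
    """Mirrors in the requested country first, then the rest, each group by priority."""
    return sorted(entry["urls"], key=lambda t: (t[1] != country, t[2]))

def verify_download(entry, data):
    """Accept bytes from any mirror only if both size and sha-256 match the metalink."""
    if len(data) != entry["size"]:
        return False
    expected = entry["hashes"].get("sha-256")
    return expected is not None and hashlib.sha256(data).hexdigest() == expected

SAMPLE_METALINK = build_metalink("linux-2.6.17.tar.bz2", SAMPLE_PAYLOAD, SAMPLE_MIRRORS)
SAMPLE_ENTRY = parse_metalink(SAMPLE_METALINK)

if __name__ == "__main__":
    print(SAMPLE_METALINK)
    print(pick_mirrors(SAMPLE_ENTRY, "jp")[0][0])
    print(verify_download(SAMPLE_ENTRY, SAMPLE_PAYLOAD))
```

The security point is in verify_download(): the metalink file is fetched once from the origin, and every mirror, however fast or close, is held to the hash it carries, so a stale or tampered mirror cannot hand you a different tarball.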

Another blog has other details, so I hope I’ve not been too redundant. :)


September 1, 2006

public transit badges

Filed under: Blogging — kees @ 7:40 pm

Thanks to Jon, I had to see what public transit systems I’ve been on. They didn’t have Portland’s TriMet, so I sent them their logo. :)

[Transit badges: Chicago, Chicago L, New York, Boston, Portland TriMet, San Francisco, San Francisco Muni, Washington]

Got at b3co.com!

© 2006 – 2015, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

August 9, 2006

talk to me about Sendpage

Filed under: Blogging,Networking — kees @ 4:50 pm

Like I mentioned before, I’ll be in San Francisco at Linux World Expo next week. Besides presenting, I’ll also be at a Birds-of-a-Feather on “Network, Device, and Environment Monitoring” on Wed (8/16) at 6pm in Room 309, where I’ll be talking about Sendpage. I’ve been told this BoF is open to anyone with an “exhibits” pass which, prior to LWE starting, is free! So, if you’re in the area, come hang out. :)


August 7, 2006

flag captured

Filed under: Reverse Engineering,Security — kees @ 11:19 pm

I can’t believe it. We won DefCon CTF. I have no idea what to say. It just all came together this year. Great team, great contest.

And to make it even sweeter, since CTF is a “Black Badge” contest, I never have to pay to get into DefCon again! Although, at this point, I might pay several years worth of admission in exchange for lots of time to sleep. :)

UPDATE: nice write-up at the U of Florida.


August 2, 2006

mythtv cutlist to mplayer EDL file

Filed under: Multimedia — kees @ 8:47 pm

I was too lazy to walk over to my TV, so I decided to watch my MythTV recordings on my desktop without having installed a MythTV frontend. Via the magic of MythTVfs, I started watching a recent Stargate episode.

Before the opening credits had finished, I knew I was already going to miss MythTV’s commercial flagging. So started the investigation into where in the world MythTV stores that information. I was imagining adding “.edl” files to MythTVfs automatically, etc.

In MythTV 0.19, using “mythcommflag”, you can get the “Cut” list, but not the “Commercial Skip” list. (Think of the latter as a “Cut Hint” list.) The command for this is:

mythcommflag --getcutlist -c 1059 -s 20060728210000

In MythTV 0.20, you’ll be able to use "--getskiplist". Since I’m still using 0.19, I had to go directly to the “mythconverg” database to get the details. The marks are stored in the “recordedmarkup” table. The mark types I care about are 4 (Commercial Start) and 5 (Commercial End). This SQL query gets me somewhere:

SELECT mark, type FROM recordedmarkup WHERE chanid = '1059' AND starttime = '20060728210000' AND (type = 4 OR type = 5) ORDER BY mark;

However, mplayer’s EDL file format expects times, not frame numbers, and MythTV stores frame numbers. Lucky for us, it’s all NTSC MPEG2, so we’re at 29.97 frames per second, and I can modify the SQL:

SELECT mark/29.97, type FROM recordedmarkup WHERE chanid = '1059' AND starttime = '20060728210000' AND (type = 4 OR type = 5) ORDER BY mark;

Now I just have to get the pairs on a single line with a trailing “0” for mplayer to know to skip that time frame:

echo 'SELECT mark/29.97 FROM recordedmarkup WHERE chanid = "1059" AND starttime = "20060728210000" AND (type = 4 OR type = 5) ORDER BY mark;' | mysql -B --skip-column-names mythconverg | xargs -l2 | awk '{print $0 " 0"}'

Combined with some logic to extract the channel and starttime for a given recording, I’ve now got a really crazy wrapper script that’ll let me mplayer a recording after generating an EDL cutlist.
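As an added example (not the post's wrapper script), the same conversion in Python: it pairs each Commercial Start mark with the following Commercial End, divides by 29.97, and emits mplayer EDL lines. SAMPLE_ROWS are constructed; query_marks() shells out to the mysql client with chanid and starttime validated before they go into the statement, which the echo pipeline above does not do.

```python
import subprocess

FPS = 29.97                   # NTSC MPEG-2, as noted above
COMM_START, COMM_END = 4, 5   # recordedmarkup.type values for Commercial Start / End

# Constructed rows in the shape of "SELECT mark, type ... ORDER BY mark" output:
# two complete commercial breaks plus a final Start with no matching End.
SAMPLE_ROWS = [(0, COMM_START), (5396, COMM_END), (27270, COMM_START),
               (32670, COMM_END), (95000, COMM_START)]

def marks_to_edl(rows, fps=FPS, total_frames=None):
    """Pair each Commercial Start with the next Commercial End and emit mplayer EDL lines
    ("start end 0" in seconds, 0 meaning skip). A trailing unpaired Start is only emitted
    when the recording length is known; stray or duplicate marks are dropped rather than
    producing overlapping ranges."""
    lines = []
    start = None
    for mark, mtype in sorted(rows):
        if mtype == COMM_START and start is None:
            start = mark
        elif mtype == COMM_END and start is not None:
            lines.append(f"{start / fps:.2f} {mark / fps:.2f} 0")
            start = None
    if start is not None and total_frames is not None and total_frames > start:
        lines.append(f"{start / fps:.2f} {total_frames / fps:.2f} 0")
    return lines

def query_marks(chanid, starttime, database="mythconverg"):
    """Fetch (mark, type) rows with the mysql client. chanid and starttime usually come
    from a recording's file name, so they are checked to be digit strings before being
    placed in the statement."""
    if not (chanid.isdigit() and starttime.isdigit()):
        raise ValueError("chanid and starttime must be numeric strings")
    sql = (
        f"SELECT mark, type FROM recordedmarkup WHERE chanid = '{chanid}' "
        f"AND starttime = '{starttime}' AND type IN ({COMM_START}, {COMM_END}) ORDER BY mark;"
    )
    out = subprocess.run(
        ["mysql", "-B", "--skip-column-names", database, "-e", sql],
        capture_output=True, text=True, check=True,
    ).stdout
    return [(int(m), int(t)) for m, t in (line.split("\t") for line in out.splitlines() if line)]

if __name__ == "__main__":
    import sys
    rows = query_marks(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_ROWS
    print("\n".join(marks_to_edl(rows)))
```

Run with a chanid and starttime to query the database, or with no arguments to convert the constructed rows; redirect the output to recording.edl and pass it to mplayer with -edl.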

(With thanks to Ken’s excellent collection of “merge pairs of lines into single lines” short cuts.)


July 30, 2006

jabber to IRC bridge

Filed under: Inkscape,Networking — kees @ 11:16 am

I wrote a Jabber to IRC bridge a while back. It’s currently being used to bridge communication between the #inkscape freenode channel and the inkscape Jabber conference room. I’ve finally gotten around to cleaning it up (read: getting the configurable variables out of the script and into a .conf file) and publishing it.

It’s a bit fragile since the POE/Jabber code seems to explode once in a while, and it doesn’t like losing connections with the Jabber server, but it works most of the time. Several people had asked me for copies of it, so there it is. Please don’t laugh at it/me too hard. Just send me lots of patches. :)


July 29, 2006

encrypted network filesystems

Filed under: Networking,Security — kees @ 11:59 am

I run a machine in a colo across the country from me, and I wanted to have some backups closer to the machine. So I signed up for a NAS login with my provider. Since I didn’t want to leave all my files sitting on their disks in the clear, I built up an encrypted volume over the network. It’s not fast, but it works.

Here were the setup steps:

  1. mkdir -p /mnt/nas-raw /mnt/backups
  2. smbmount //backup.server.at.my.isp/mount.source.path /mnt/nas-raw -o username=myaccount,password=mypassword
  3. modprobe loop && sleep 2
  4. dd if=/dev/zero of=/mnt/nas-raw/volume bs=32k
  5. losetup /dev/loop0 /mnt/nas-raw/volume
  6. cryptsetup create crypt-backups /dev/loop0 --cipher=aes-cbc-essiv:sha256
  7. Type volume pass-phrase
  8. mkfs.ext3 /dev/mapper/crypt-backups
  9. mount /dev/mapper/crypt-backups /mnt/backups

To unmount it:

  1. umount /mnt/backups
  2. cryptsetup remove crypt-backups
  3. losetup -d /dev/loop0
  4. umount /mnt/nas-raw

And then to remount it later:

  1. smbmount //backup.server.at.my.isp/mount.source.path /mnt/nas-raw -o username=myaccount,password=mypassword
  2. modprobe loop && sleep 2
  3. losetup /dev/loop0 /mnt/nas-raw/volume
  4. cryptsetup create crypt-backups /dev/loop0 --cipher=aes-cbc-essiv:sha256
  5. Type volume pass-phrase
  6. mount /dev/mapper/crypt-backups /mnt/backups

By scripting the “remount” steps, I can actually echo the volume password into an ssh connection:

echo 'my volume pass-phrase here' | ~/bin/do-crypto-mount
ssh root@colo.machine.isp "/etc/dirvish/dirvish-cronjob && df -h /mnt/backups"
~/bin/do-crypto-umount

Very handy!

Update: I added the --cipher option to include the essiv type, which should be used.
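An added Python sketch of what a do-crypto-mount script like the one the post pipes a passphrase into could look like; this is my example, not the author's script. It uses the paths and names from the steps above and assumes that smbmount accepts a credentials= file (so the share password stays out of the process list, where the password= form puts it) and that cryptsetup create reads the passphrase from standard input when piped, which is what the echo above relies on. Dry-run mode only returns the command lines.

```python
import subprocess

# Names and paths from the steps above; the host and share are the post's own placeholders.
SHARE = "//backup.server.at.my.isp/mount.source.path"
RAW_MNT = "/mnt/nas-raw"
BACKUP_MNT = "/mnt/backups"
VOLUME = f"{RAW_MNT}/volume"
LOOPDEV = "/dev/loop0"
MAPPER_NAME = "crypt-backups"
CIPHER = "aes-cbc-essiv:sha256"
CREDS = "/root/.nas-credentials"   # hypothetical mode-0600 file: "username=...\npassword=..."

def mount_plan():
    """The remount steps as argv lists; the flag marks the one step that needs the passphrase."""
    return [
        (["smbmount", SHARE, RAW_MNT, "-o", f"credentials={CREDS}"], False),
        (["modprobe", "loop"], False),
        (["losetup", LOOPDEV, VOLUME], False),
        (["cryptsetup", "create", MAPPER_NAME, LOOPDEV, f"--cipher={CIPHER}"], True),
        (["mount", f"/dev/mapper/{MAPPER_NAME}", BACKUP_MNT], False),
    ]

def umount_plan():
    """The teardown steps, in the reverse order of the mount."""
    return [
        (["umount", BACKUP_MNT], False),
        (["cryptsetup", "remove", MAPPER_NAME], False),
        (["losetup", "-d", LOOPDEV], False),
        (["umount", RAW_MNT], False),
    ]

def run_plan(plan, passphrase=None, dry_run=True):
    """Execute the steps in order, stopping at the first failure. The passphrase is
    written to cryptsetup's stdin only; it never appears in any argv."""
    done = []
    for argv, needs_pass in plan:
        done.append(argv)
        if dry_run:
            continue
        stdin = (passphrase + "\n") if needs_pass else None
        subprocess.run(argv, input=stdin, text=True, check=True)
    return done

def argv_leaks_secret(plan, secrets):
    """Every argv element that contains one of the given secrets (expected: none)."""
    return [a for argv, _ in plan for a in argv if any(s in a for s in secrets)]

if __name__ == "__main__":
    import sys
    dry = "--dry-run" in sys.argv
    plan = umount_plan() if "--umount" in sys.argv else mount_plan()
    passphrase = None if dry else sys.stdin.readline().rstrip("\n")
    for argv in run_plan(plan, passphrase=passphrase, dry_run=dry):
        print(" ".join(argv))
```

Usage mirrors the post: echo the passphrase into the script for the mount, and run it with --umount afterwards; --dry-run prints the commands without touching anything. Reading the passphrase from stdin rather than the command line matters because, unlike the password= mount option, it is not visible to every local user via ps.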

© 2006 – 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

July 28, 2006

airodump channel hopping

Filed under: Networking,Security — kees @ 7:14 am

The “airodump” tool, part of the aircrack wireless analysis suite, is like “tcpdump”, except that it can perform channel hopping. Since channel hopping is a “lossy” way to do wireless sniffing (you’re only listening on each channel for a few hundred milliseconds before moving on to the next channel), it doesn’t make sense to listen to channels that you know will contain no traffic. However, there was no way to specify a range of channels. airodump would either listen on 1 channel or hop across all channels.

I wrote a patch to allow for a comma-separated list of channels to be specified. Now I can tell airodump to spend all of its hopping time on 6, 11, and 1, for example:

airodump ath0 /tmp/ath0-logs 6,11,1

UPDATE: Here’s a patch that does the same for aircrack-ng.

© 2006 – 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

July 27, 2006

I love Open Source Software

Filed under: Multimedia — kees @ 12:45 am

Today, Randy let me borrow his awesome presentation remote. It’s basically an RF remote whose other end is a USB fob that acts as a keyboard. The two “next” and “previous” buttons on the remote map to the “PageUp” and “PageDown” keys, which worked great for the Crucible and Xen presentation Bryce and I gave this afternoon.

Tomorrow, for my MythTV presentation, I’m using OpenOffice.org, which makes a distinction between “Space” and “PageDown”. “PageDown” goes literally to the next slide, whereas “Space” triggers the next animation within a slide. Since my presentation slides have a ton of “reveals”, I need to be pressing “Space”, not “PageDown”. A search of the Logitech page yielded no info on changing the remote’s config, so I opted to use “xmodmap” to get the job done for me.

Using “xev”, I found that the keysym for “PageDown” on my keyboard is 0xff56, and the keysym for “Space” is 0x20. So, I blew away my PageDown key, and replaced it with Space:

echo keysym 0xff56 = 0x20 | xmodmap -

Now the remote works just how I need it. :)


July 19, 2006

Linux World Expo

Filed under: Blogging — kees @ 7:09 pm

I will be presenting! I’ve never been to LWE, so I’m really looking forward to the trip. It’s also another chance to hang out in the Bay area and visit with people. Whee!


June 4, 2006

frontline assembly samples

Filed under: Blogging,Multimedia — kees @ 8:08 am

Every once in a while, I hear something in a movie and yell, “Hey! That’s in a Frontline song!” This time it was while catching a portion of The Abyss, where a big chunk of gear misses falling on their habitat, and they kind of laugh nervously. Well, that nervous laugh was looped for about 30 seconds at the start of “Victim of a Criminal” from Millennium. I found it at about the same time I thought to put “Frontline Assembly samples” into Google, which gave me this page, which is a list of all the samples that they used. Robocop, Aliens, and the one that haunted me for a while before this Abyss incident: Stargate and “send in the probe”.

This is what my brain is filled with: sound effects. Great. :)


May 24, 2006

easy wordpress anti-spam

Filed under: Blogging,Networking,Security — kees @ 11:06 pm

After getting about 40 moderation requests a day, I figured I should spend some time finding some anti-comment-spam plugins for WordPress. After digging around a while, I found one that doesn’t require JavaScript, doesn’t perform vision tests, but works just fine for the kind of comment-spam-bot that seemed to have taken a liking to my blog (even though no spam ever appeared in my comments ever…)

I found lr2Spam which has a great setup, but an incomplete final step. I merged it with ideas I saw in the RBL measures plugin, and got some good results. By replacing lr2Spam’s comment_post with pre_comment_content (see the WordPress Plugin API), I was able to redirect spammers away from my site with PHP’s header("Location: [URL]") technique. (This is what I borrowed from the RBL plugin.) The patch is almost as big as lr2Spam itself (both are very small). Honestly, I’m surprised it works at all. Someone wrote a comment-spam bot that can’t correctly parse a totally valid HTML form, but does correctly handle a 302/Location redirect. Weird.

I thought briefly about redirecting all the spammers to http://fbi.gov/i-am-a-spammer/?ip=[IP] but then realized their requests’ referer header would still show my URL. On further thought, I realized that comment-spam is very different from email spam because the bot has to implement a much larger set of protocol elements. Since they must respect the 302/Location redirect, someone who is getting hit really hard with comment spam could effectively DDoS someone’s link by redirecting to somewhere with big files. Say, for example, instead of using fbi.gov above, I used http://mirrors.example.com/iso/DVD-distro-image.iso. Every spam bot in their network would start a giant-ass download from example.com after hitting my anti-spam system. Ewww.

I implemented this early on May 20th, and after 4 days I’ve seen 250 comment spam attempts from 162 unique IP addresses (most in China — maybe they need to turn their firewall around). The volume of spam isn’t big when compared to my daily email spam statistics, but each one of those would have been an email in my inbox, asking for moderation. Interestingly, they all stopped on May 23rd. Maybe they got a clue.
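An added Python model of the hook behaviour described above (my example; lr2Spam's own check is not described in the post, so a hidden-token test stands in for it, and BOUNCE_URL is a hypothetical page). A submission that lacks the token gets a 302 to a page on the blog's own host, and the handler refuses to redirect anywhere else, which takes the third-party download-flood scenario off the table by construction rather than by policy.

```python
from urllib.parse import urlparse

SITE_HOST = "outflux.net"                                       # the blog's own host
BOUNCE_URL = "http://outflux.net/blog/comment-rejected.html"    # hypothetical landing page

def looks_like_bot(form, expected_token):
    """Stand-in for lr2Spam's own test: the comment form rendered a hidden token, and a
    poster that never parsed the form will not echo it back."""
    return form.get("lr2spam_token") != expected_token

def safe_redirect_target(url, site_host=SITE_HOST):
    """Only ever bounce to our own host, so the redirect cannot be aimed at someone else."""
    return urlparse(url).hostname == site_host

def handle_comment(form, expected_token, bounce_url=BOUNCE_URL):
    """Model of the pre_comment_content hook: returns (status, headers, store_comment)."""
    if looks_like_bot(form, expected_token):
        if not safe_redirect_target(bounce_url):
            return 403, {}, False            # misconfigured target: refuse without redirecting
        return 302, {"Location": bounce_url}, False
    return 200, {}, True

# Constructed submissions: one from a bot that skipped the form, one from a browser.
SAMPLE_BOT = {"author": "pills", "comment": "cheap pills http://www.hosteije.net/"}
SAMPLE_HUMAN = {"author": "reader", "comment": "nice post", "lr2spam_token": "t0k3n"}

if __name__ == "__main__":
    print(handle_comment(SAMPLE_BOT, "t0k3n"))
    print(handle_comment(SAMPLE_HUMAN, "t0k3n"))
```

The expected token would be generated per form render and stored server-side (or signed); the point of the model is the shape of the response, not the token scheme.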


May 22, 2006

TiVoConnect dissector for Ethereal

Filed under: Multimedia,Networking — kees @ 9:03 pm

Over the weekend, I coded up a protocol dissector in Ethereal for the TiVoConnect Discovery Protocol. The protocol is very simple, but I still wanted the satisfaction of seeing it listed by name when scanning through my home network captures while debugging Galleon/TiVo traffic.

Ethereal has great developer documentation. It was easy to find and got me coding right away with a skeleton dissector. I just love the projects with these kind of to-the-point examples. The only thing I felt was missing from their README.developer was something showing that the dissector routine could return gboolean, letting a dissector reject being attached to a given packet.

There were other clearly written dissectors that I used for reference: DNS, Yahoo, and Syslog. They seemed to answer most of the more subtle questions I had about rewriting column text, scanning the packet, and dealing with other special cases.

Hopefully the patch will get accepted. I even did the randomized testing the wiki recommended. :)


May 18, 2006

bleeding-edgeness matrix

Filed under: General — kees @ 11:22 pm

At least two times in recent history, I’ve wondered “is this the most recent version” of some piece of software, immediately followed by “which distro has the most recent version?” As I recall, these were for:

I had discovered both to be woefully behind “most recent” for a number of distributions. In my mind popped a vision of a chart/table/matrix of software on one axis and distros on the other, showing which had what versions of things. And little boxes where I could rank the “bleeding-edgeness” of a distro.

While hunting around, I found something almost like my vision. The distrowatch website is pretty damn cool. It wasn’t really set up to compare bleeding-edgeness between different distros, just different versions of a distro. For example, here’s Ubuntu’s matrix.

I exchanged some email with the author, and it sounds like he just uses a mess of custom scripts to poll version numbers of some of the more “big-name” software packages, common to most distros. Needless to say, mdadm and f-spot did not make the cut. I’d love to be able to add more “tracked packages” via some kind of web UI. A URL plus a regex to extract a version from; almost the same as what’s needed for WWW-PkgFind to operate. :)

From the pkgfind man page description:

… scans a web or ftp site for newly posted files and
downloads them to a local filesystem. … The motivation for this script is to poll places where developers post patches to software we’re testing.


May 16, 2006

catching up on Stargate

Filed under: Blogging,Health — kees @ 10:50 pm

I’ve been catching up on Stargate SG-1 ever since Bryce recommended it. I’d been resisting it, but with no more Firefly, Farscape, or StarTreks left to watch, it was inevitable.

At one point during my catch-up, I realized that I was watching 4 separate time-lines of the show. SciFi was showing new episodes on Fridays, a set of 3-in-a-row on Mondays, and a third chronology running Tue, Wed, Thu. On top of this, Fox(?) was playing re-runs on Fridays as well. About 30 episodes in, I totally lost it, and could not keep things straight. (“What? Where’d Daniel Jackson go? Who’s this guy?”)

To my rescue was my ever-faithful epguides.com to serve as a base check-list for which shows I’d seen already, and the fantastic Stargate Wiki Episode Guide to help me remember which I’d already seen. (They even have full transcripts of the episodes! That’s dedication!)

It looks like very little of season 2 has aired, so I will have to turn to either the library or Netflix to fill the gaps. Once SG1 is gone, I will have to switch my daily exercise routine back to Buffy the Vampire Slayer. :)


May 12, 2006

sourceforge CVS re-check-out solution

Filed under: Blogging — kees @ 9:54 pm

SourceForge migrated to their new CVS server infrastructure recently (due to a catastrophic disk failure of the old system), and told everyone that they had to re-check-out all their trees:

Hostname for CVS service
Old: cvs.sourceforge.net
New: PROJECT_UNIX_NAME.cvs.sourceforge.net

This change will require new working copies to be checked out of all
repositories (so control files in the working copy will point to the
right place). We will be updating the instructions we supply, but
instructions that your team has written within documentation, etc. will
need to be updated.

cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/gaim co gaim

would be changed to

cvs -d:pserver:anonymous@gaim.cvs.sourceforge.net:/cvsroot/gaim co gaim

With 14 projects hosted there, with potentially multiple CVS modules in each, this wasn’t the best way for me to deal with the change. I had relocated several CVS trees at OSDL last year, so I went digging for my command line to do the updates. I was disappointed they didn’t suggest it in their email, so I offered my solution via their Tracker. Someone else (on Cygwin even) confirmed that it worked for them, and SourceForge summarily closed the ticket (hence making it disappear from the Tracker where other people were seeking help). I can find no record of a change made to their documentation. In effect, they just eliminated my help (though they did thank me first).
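The command line the post refers to is not shown, so here is an added Python version of the relocation (my example, not the author's): it walks a checkout, rewrites every CVS/Root that points at cvs.sourceforge.net to the per-project host the notice describes, and leaves any other root alone. demo() builds a throwaway checkout in a temp directory; the module names in it are constructed.

```python
import os
import re
import tempfile

OLD_HOST = "cvs.sourceforge.net"
# :method:user@host:/cvsroot/project[/...]  (pserver and ext roots both look like this)
ROOT_RE = re.compile(
    r"^(?P<prefix>:[^:]+:[^@]+@)(?P<host>[^:]+):(?P<path>/cvsroot/(?P<project>[^/\s]+).*)$"
)

def relocate_root(root_line):
    """Rewrite one CVS/Root line from the shared host to PROJECT.cvs.sourceforge.net.
    Anything that is not a SourceForge root on the old host is returned unchanged."""
    root = root_line.strip()
    m = ROOT_RE.match(root)
    if not m or m.group("host") != OLD_HOST:
        return root
    return f"{m.group('prefix')}{m.group('project')}.{OLD_HOST}:{m.group('path')}"

def relocate_tree(top, dry_run=True):
    """Walk a checkout and rewrite every CVS/Root file that needs it.
    Returns (path, old, new) for each file that changed (or would change)."""
    changes = []
    for dirpath, _dirnames, filenames in os.walk(top):
        if os.path.basename(dirpath) != "CVS" or "Root" not in filenames:
            continue
        path = os.path.join(dirpath, "Root")
        with open(path, encoding="utf-8") as fh:
            old = fh.read().strip()
        new = relocate_root(old)
        if new != old:
            changes.append((path, old, new))
            if not dry_run:
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(new + "\n")
    return changes

def demo():
    """Build a constructed two-module checkout, relocate it, and show a second pass is a no-op."""
    base = tempfile.mkdtemp()
    for module in ("gaim", "sendpage"):
        for sub in ("", "src"):
            cvsdir = os.path.join(base, module, sub, "CVS")
            os.makedirs(cvsdir, exist_ok=True)
            with open(os.path.join(cvsdir, "Root"), "w", encoding="utf-8") as fh:
                fh.write(f":pserver:anonymous@{OLD_HOST}:/cvsroot/{module}\n")
    first = relocate_tree(base, dry_run=False)
    second = relocate_tree(base, dry_run=False)
    with open(os.path.join(base, "gaim", "CVS", "Root"), encoding="utf-8") as fh:
        gaim_root = fh.read().strip()
    return len(first), len(second), gaim_root

if __name__ == "__main__":
    import sys
    top = sys.argv[1] if len(sys.argv) > 1 else None
    if top is None:
        print(demo())
    else:
        for path, old, new in relocate_tree(top, dry_run="--write" not in sys.argv):
            print(f"{path}: {old} -> {new}")
```

Run it against a checkout directory to see what would change, and add --write to apply. With :ext: roots the SSH host key changes along with the hostname, so expect a new known_hosts entry and check its fingerprint rather than accepting it blindly.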

It would be nice if SourceForge ran some kind of forum or Wiki on their site so people could help each other. I’ll have to remember this for the next Advisory Council.


May 4, 2006

mythtv listing-update time-rotation

Filed under: Multimedia — kees @ 7:33 pm

A few months ago, zap2it‘s renewal survey included a set of questions that were not questions, but rather pleas that people move their database updates to a non-standard time. The default install of MythTV has a hard-coded time in the middle of the night to contact the zap2it servers for TV listing updates. Unfortunately, this means zap2it’s servers were (are?) getting crushed on the hour, across 4 time-zones, in the middle of the night.

To solve this little problem in MythTV, I turned off the built-in “mythfilldatabase” execution, and moved to doing it via crontab. zap2it said they had virtually no load during the day-time, so I moved the update to a little after noon, sticking the following in /etc/cron.d/mythtv-backend:

09 12 * * * mythtv mythfilldatabase --quiet

It dawned on me today while messing around with the “at” scheduler that I could actually randomize when during the day the mythfilldatabase runs. If you wanted to run the job anywhere in a 12 hour (720 minute) period after 9am, you could do it this way:

# $RANDOM needs bash, and a literal % in a crontab command must be escaped
SHELL=/bin/bash
0 9 * * * mythtv echo "mythfilldatabase --quiet" | at now + $(( RANDOM \% 720 )) minutes

(My bash manpage says the low-order bits of $RANDOM are as random as the high-order bits, so this is “safe”. If you don’t trust your version of bash, you could use $(( 720 * RANDOM / 32767 )) instead. IANAMG*, YMMV, OMGPONIES.)

*I Am Not A Math Geek
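An added Python check of the two expressions in the parenthetical above (my example, not from the post): it enumerates all 32768 values of $RANDOM and counts how many land on each minute. It shows that RANDOM % 720 is uniform to within one hit per minute, and that 720 * RANDOM / 32767, as written, yields 720 when RANDOM is 32767, one minute past the intended window; dividing by 32768 (the number of possible values) instead keeps every result inside it.

```python
RANDOM_MAX = 32767   # bash's $RANDOM ranges over 0..32767
WINDOW = 720         # minutes after 9am, matching the cron line above

def modulo_minute(r, window=WINDOW):
    """The form used in the crontab line: RANDOM % 720."""
    return r % window

def scaled_minute(r, window=WINDOW, rmax=RANDOM_MAX):
    """The alternative suggested for distrustful bash versions, as written: 720 * RANDOM / 32767."""
    return window * r // rmax

def scaled_minute_fixed(r, window=WINDOW, rmax=RANDOM_MAX):
    """Same idea divided by the count of possible values (32768), which never reaches 720."""
    return window * r // (rmax + 1)

def histogram(fn, rmax=RANDOM_MAX):
    """How many of the rmax+1 possible $RANDOM values land on each minute."""
    counts = {}
    for r in range(rmax + 1):
        minute = fn(r)
        counts[minute] = counts.get(minute, 0) + 1
    return counts

def summarize(counts, window=WINDOW):
    """Slot count, the least and most hits any minute gets, and any minute outside the window."""
    return {
        "slots": len(counts),
        "min_hits": min(counts.values()),
        "max_hits": max(counts.values()),
        "out_of_range": sorted(m for m in counts if m >= window),
    }

if __name__ == "__main__":
    for name, fn in (("RANDOM % 720", modulo_minute),
                     ("720 * RANDOM / 32767", scaled_minute),
                     ("720 * RANDOM / 32768", scaled_minute_fixed)):
        print(f"{name}: {summarize(histogram(fn))}")
```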


careful with mysql downgrades

Filed under: Multimedia — kees @ 1:59 am

I ran into a nasty bug while attempting to downgrade a MySQL database. I had been running my MythTV machine on Debian Unstable, but recently reinstalled to Ubuntu. This has the unfortunate consequence of going from MySQL 4.1 to MySQL 4.0. The “mysqldump” option "--compat=mysql40" kind of forgets to include the “auto_increment” flag for table creation. This caused my subsequent MythTV 0.18 to 0.19 upgrade attempt to instantly bomb, since all the INSERTs expecting the PRIMARY KEY to increment as new stuff was inserted … didn’t.

Once I split the dumps into tables (-t) and data (-d) with different “–compat” levels and hand-edited the tables, everything was “fine” again. I actually got the whole system up and on its feet again, with no loss of Stargate SG-1 episodes. ;)

So, now all I have to fight with is Xv on an old S3 card. Looks like new versions of Xorg don’t aim Xv to the right place. And, mysteriously, the S3 card’s Xv implementation lacks the XV_SWITCHCRT attribute, so I can’t just use “xvattr” to fix it, like I do on my laptop. Aaagh.

I wonder if something like the xorg.conf’s Option MonitorLayout “TV,CRT” might help it? I’ll try that tomorrow.


May 3, 2006

fun with OpenID

Filed under: Blogging,Security,Web — kees @ 6:04 pm

While I can’t log into NetFlix or Amazon with OpenID (or other federated login systems), I still wanted to try it out. The goal is to easily write comments on people’s blogs, edit Wiki pages, etc, all without having to keep logging in every time. So far, so good.

First step was to decide between running my own OpenID server or not. I went with “not”, since there really isn’t an installable OpenID server yet (there are only support libraries, it seems). Since I was given a permanent account with LiveJournal for some XSS testing I did for them, I figured I’d just use their stuff. I wanted to use “outflux.net” as my login everywhere, so I just added two lines to my outflux.net HTML source:

<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml" />
<link rel="openid.delegate" href="http://keescook.livejournal.com/" />

Poof. Done. I used Videntity to verify that it was all working. Nifty stuff.

My only complaint is that it’s not clear how to get an end-to-end secure login. I can log into LiveJournal securely, but the OpenID server they run doesn’t seem to operate over HTTPS. Future study is needed. :)
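An added Python example (mine, not the author's setup) that does what an OpenID consumer does with those two lines: given the identifier page, pull the openid.server and openid.delegate link tags out of it, and then flag the transport problem raised above. SAMPLE_HTML is constructed around the two lines, and the page URL passed to transport_concerns() is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed from the two link tags above, wrapped in a minimal page.
SAMPLE_HTML = """<html><head><title>outflux.net</title>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml" />
<link rel="openid.delegate" href="http://keescook.livejournal.com/" />
</head><body>hello</body></html>"""

class _LinkCollector(HTMLParser):
    """Collect the attributes of every <link> tag in the page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "link":
            self.links.append(dict(attrs))

def openid_discovery(html):
    """OpenID 1.x HTML discovery: the first openid.server and openid.delegate hrefs."""
    parser = _LinkCollector()
    parser.feed(html)
    found = {}
    for attrs in parser.links:
        rels = (attrs.get("rel") or "").lower().split()
        href = attrs.get("href")
        if not href:
            continue
        if "openid.server" in rels and "server" not in found:
            found["server"] = href
        if "openid.delegate" in rels and "delegate" not in found:
            found["delegate"] = href
    return found

def transport_concerns(found, page_url):
    """The two places a plain-http hop lets someone on the path redirect the login:
    the identifier page carrying the tags, and the server endpoint they name."""
    concerns = []
    if urlparse(page_url).scheme != "https":
        concerns.append(f"identifier page is not served over https: {page_url}")
    server = found.get("server")
    if server and urlparse(server).scheme != "https":
        concerns.append(f"openid.server is not served over https: {server}")
    return concerns

if __name__ == "__main__":
    found = openid_discovery(SAMPLE_HTML)
    print(found)
    for concern in transport_concerns(found, "http://outflux.net/"):
        print("warning:", concern)
```

The second check is the one the paragraph above is about; the first is its mirror image: the delegation tags are only as trustworthy as the page they are read from, so an identifier page served over plain http can be rewritten in transit to point at a different server.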


April 30, 2006

slow debian mirror avoidance

Filed under: Networking — kees @ 8:02 pm

ftp.us.debian.org has 4 mirror servers in their DNS round-robin. One of them (216.37.55.114) is very slow (25Kb/s) for me. The others are blazing fast, especially 204.152.191.7 (800Kb/s). I’ve gotten sick of having to hit Ctrl-C to abort an apt-get, and then restart it, hoping to get a better server out of the DNS.

Today, I added the following to my machine’s iptables config, so that it will just redirect all attempts from the slow mirror to the fast mirror:

iptables -t nat -A OUTPUT -p tcp -d 216.37.55.114 --destination-port 80 -j DNAT --to-destination 204.152.191.7

If I wanted to do this for my whole network, I’d just slap this rule on my firewall and change “OUTPUT” to “PREROUTING”.

I love iptables.


April 28, 2006

lvm article

Filed under: General — kees @ 2:14 pm

Bryce wrote a great article on LVM and disk management that I helped do some technical editing on. Hopefully stuff like this will help other people get more comfortable with LVM, and make it less of a dark art. :)


April 26, 2006

smallville, as measured in lana-minutes

Filed under: General — kees @ 7:00 am

I enjoy watching Smallville. I found Lana tiresome almost immediately. Recently, the writers teased us by showing an alternate future where she died. Struck with the possibility of not having to deal with her while watching the show, I became very excited. Then they brought the character back, and I couldn’t bear to continue watching the show. Every minute she’s on the screen is a minute stolen from me through the dark arts of terrible acting. If I didn’t so enjoy the rest of the plots and characters, I could so easily just stop watching. (I am also starting to run low on SG-1 episodes…)

To help combat my annoyance with Lana, I think I’m going to measure her screen-time. I’m going to count every minute that she’s on-screen and not dead, or when the on-screen plot is a direct result of her idiocy. (i.e. Clark complaining about something Lana did.) The goal will be to reach a “perfect episode” Lana-minute score of ZERO.

As a bonus, I figure I should also track Chloevage minutes. I figure Lana and Chloevage timers shouldn’t run if they’re both on screen at the same time — they cancel each other; I am neither frowning nor smiling. The Chloevage-minutes would be a tie-breaker for episodes with nearly the same Lana-minutes value.

Ah, the physics of abstract television analysis.


April 23, 2006

grub, yaird, mdadm, and missing drives

Filed under: General — kees @ 7:54 pm

This is basically a rant. I spent all my energy tracking down the problems, so I never did get things actually fixed. :P

I have my machines configured for software RAID between my primary and secondary drives. I always have. LILO supported this configuration back in RedHat 5.2 days. I’ve been doing RAID1 for a long time now. About a year ago, I changed my preference for boot loaders to GRUB, and just kind of assumed it handled mirroring. Well, much to my surprise, grub totally and completely does not handle mirrored configurations. Even the proclaimed fix didn’t work.

As a result of this “discovery”, I’ve switched back to LILO, which, I think, is a pain in the ass because it doesn’t actually have any filesystem-smarts built into it. (i.e. I have to re-run “lilo” every time I change a kernel or initrd.) I may see if another fix works as expected, but I don’t have a lot of hope considering the device map in the filesystem is the same for both grub drives, which is what causes the problems in the first place. (“Ieee! Where did the other drive go?!”)

So, moving forward, assuming my bootloader works, all kernels from 2.6.13 forward don’t support devfs, and the older initrd tools can’t handle that. Debian invented “yaird”. I had assumed they used the /sys filesystem and did other smart things. As it turns out, it’s fairly brain-dead. I booted without one of my mirrored drives, and yaird totally freaked out. As I discovered while digging through the initrd yaird generated, it just statically builds device nodes, based on what the running system used to look like.

There are two problems with this:

  1. DM devices (LVM, crypto, etc) are dynamically assigned. They may not have the same numbers after rebooting. This is mostly worked around by waiting for stuff to show up in /sys, so I’ll only complain about Ubuntu’s practice of encoding the major/minor numbers for the root device. (e.g. 0xFF00 — my root partition may not always be detected first) I don’t understand this, since the loader handles string-based paths for the root partition. But that’s not the bug I ran into for this rant.
  2. If a device goes missing, yaird assumes this is a bad thing. It has no concept of quorum. It could be argued that it shouldn’t, but in that case, it shouldn’t drop me to a prompt every time a device goes missing. It should only do that in “debug” mode. (I should send my patch for that in.)

While digging to open a Debian Bug report against yaird, I discovered that yaird, while annoyingly dropping me to a prompt (which I can “exit” out of), isn’t the real problem. The real problem is that “mdadm” incorrectly thinks it can’t start up the mirror with only 1 drive. There’s actually a counting bug where it just flat out thinks it needs 2 drives to start. Once I found this, I got pissed, “What? How could this bug exist?”
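As an added example (not code from this post, and not from yaird or mdadm), here is the quorum rule the post wishes the initramfs had applied, written as a read-only POSIX shell check over /proc/mdstat-style text. The mdstat sample is constructed, not captured from a real machine; the rule assumed is that RAID1 runs with any one member, RAID5 with n-1, RAID6 with n-2, and anything else (RAID0, linear, unknown; RAID10 is not special-cased) needs every member. It only reports whether a degraded array should still be started; it does not start anything itself.

```shell
#!/bin/sh
# Added example, not from the original post, yaird or mdadm: apply a RAID
# quorum rule to /proc/mdstat-style output and say whether each array can run.
# The sample below is constructed; on a real machine read /proc/mdstat instead.

MDSTAT_SAMPLE='Personalities : [raid1] [raid5]
md0 : active raid1 sdb1[1]
      1953472 blocks [2/1] [_U]

md1 : active raid5 sda2[0] sdb2[1] sdc2[2]
      3906944 blocks level 5, 64k chunk, algorithm 2 [3/3] [UUU]

md2 : active raid5 sdc3[2]
      3906944 blocks level 5, 64k chunk, algorithm 2 [3/1] [__U]

unused devices: <none>'

# md_quorum NAME LEVEL TOTAL PRESENT
# Prints "NAME ok", "NAME degraded" (below full strength but startable) or
# "NAME unusable" (not enough members left to reconstruct the data).
md_quorum() {
    name=$1; level=$2; total=$3; present=$4
    case "$level" in
        raid1) need=1 ;;                  # any single mirror holds all the data
        raid5) need=$((total - 1)) ;;     # one device may be missing
        raid6) need=$((total - 2)) ;;     # two may be missing
        *)     need=$total ;;             # raid0/linear/unknown: be conservative
    esac
    if [ "$present" -ge "$total" ]; then
        echo "$name ok"
    elif [ "$present" -ge "$need" ]; then
        echo "$name degraded"
    else
        echo "$name unusable"
    fi
}

# mdstat_quorum: read mdstat text on stdin, print one verdict line per array.
# The "[total/present]" field on the blocks line is what md itself reports.
mdstat_quorum() {
    awk '
        /^md[0-9]+ :/ { name = $1; level = $4 }
        /blocks/ && match($0, /\[[0-9]+\/[0-9]+\]/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), c, "/")
            print name, level, c[1], c[2]
        }' | while read -r name level total present; do
        md_quorum "$name" "$level" "$total" "$present"
    done
}

# Demonstration on the constructed sample: md0 degraded, md1 ok, md2 unusable.
printf '%s\n' "$MDSTAT_SAMPLE" | mdstat_quorum
```

Run it from an initramfs shell (or a cron job) with `mdstat_quorum < /proc/mdstat`; a "degraded" verdict is the case where a mirror with one drive missing should still be started rather than dropping to a prompt, and "unusable" is the only case that warrants stopping the boot.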

I proceeded to find the current source for mdadm, so I could write a patch to fix it. Only then did I discover that Debian’s version of mdadm is 5 REVISIONS BEHIND (including a major version jump)! AAAGGGh!

At this point I got in line reporting how old mdadm is, installed a work-around-mdadm patch to my yaird templates, and switched back to LILO. Ugh. And before someone yells “Run Gentoo!”, I checked already. The Gentoo mdadm version is old too. But at least they have a masked ebuild of the modern versions.

I hate choosing between stability and bleeding edge, but I don’t usually complain because I recognize the costs associated with stabilizing new stuff. But, come on, the mdadm 2.x series came out in AUGUST. That’s 8 months ago. I think that’s pretty stable! *sob*

I wish I had enough time to be a Debian maintainer instead of just sitting here and moaning, but hopefully my bug reports will do some good. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 13, 2006

Bruce Schneier on attack trends

Filed under: Blogging,Security — kees @ 9:20 pm

On Wednesday I attended Bruce Schneier‘s short talk about the trends of online attacks. I figure I need to take his talk with at least a small grain of salt. While he has a reputation to maintain, he also works for a security outsourcing company. That in mind, I still like reading his blog, and I enjoyed hearing him talk.

The main take-away from his talk was that attackers are more rarely “hobbyists”, and more commonly criminals. (i.e. there is profit motive rather than an interest in boasting rights.) In the same vein, worms are becoming more sophisticated, quieter, and increasingly effective, while losing their cleverness. (Criminals don’t care if their worm is lame, they don’t care if they ripped off someone else’s worm, they care that their worm is staying undiscovered and is making them money. As a result, whole families of slightly different worms are appearing.)

One thing he said, that I have a hard time believing, and if true is pretty scary, is that cyber-crime profits are now exceeding drug profits. I would love to understand what the sources for that statistic are. Beyond just phishing, beyond worms waiting for you to authenticate to banks before emptying your wallet, there is even small-scale Denial-of-Service extortion. Generally, it’s against places that are themselves on tenuous legal ground, like offshore gambling sites. “If you don’t pay us $X, we’ll DoS you again!” It’s protection money online. Wild.

The market for blackhat exploits is growing. This is reducing the time between vulnerability announcement and exploit usage. Unfortunately, in the Microsoft world, an opposite trend is happening: patch speed is slowing due to their needing to test more and more configurations, staying infinitely backward compatible. At least this has an upside that their patches are generally better and corporations are learning to trust auto-update systems. (And I think this kind of brain-share is actually good for all OS vendors.)

The commoditization (and therefore homogenizing) of hardware and software means that everyone runs the same stuff. Even the criminals. Before, generally only the various corporations had old AS/400 machines and no one really wrote attacks against them. Now stuff runs on PCs.

Overall, online attacks are becoming increasingly damaging financially (“criminals are good at what they do”). The volume of attacks comes from the open Internet, but the more successful attacks come from inside a private network. More worms are simply waiting for opportunity instead of beating on a network.

While some of the crime organizations have been taken down, there are still large bot networks that are continuing to grow in size even though they have no controller any more. This is truly something out of dystopic sci-fi. I don’t know why, but while I find the idea of full AIs reasonable, and totally non-intelligent systems reasonable, I find half-AI systems really creepy. They just keep doing some semi-smart thing over and over waiting until mommy comes back to tell them to do something else now.

He wound down discussing his worries for the future. He wants people thinking about VoIP security now. (Worms sniff your typing and packets already, soon they can sniff your voice.) He hinted at Digital Restrictions Management without actually saying DRM. (“Who owns your computer?” To which I thought, “I do. This is why Free Software is so important.”)

In closing he talked about security being more about usability than technology. I took that to mean “the Art of security is more about usability than technology.” I can have infinite security by just unplugging something. But that’s not very artful. Towards the goal of successful (artful) security, he wants to see service providers be ultimately liable for the financial damage. He figures this puts the motivations in the right place. It seems like the right thing to me (if credit card companies want to avoid it, it must be good for me) but I suspect there is something hidden deeper that may cause greater harm. I can’t put my finger on it, so for now, I’ll agree. :)

At one point he gave a nice view into his own world, in which he has to go twice a year and disinfect his own mother’s computer of worms. The cobbler’s children’s feet…

The end of the session was a book signing (Counterpane gave out gratis copies of Schneier’s new book “Beyond Fear”). I showed my geek by having brought a copy of “Applied Cryptography” for him to sign too. For which he was geek-prepared, and tossed in a cryptogram. Even though he does this for lots of people (Google told me later), it was fun to see it in my book; I wasn’t expecting it.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 11, 2006

construction movies

Filed under: Multimedia — kees @ 7:55 pm

From the time-lapse construction webcam I set up with Brian, I built a pair of AVIs. These were made with ffmpeg so they use the FMP4 codec. Windows folks can find ffdshow in a number of places.

Left view movie (31M), set to Delerium’s “Silence” (with Sarah McLachlan).
Right view movie (24M), set to a remix of Everything But the Girl’s “Like the Deserts Miss the Rain”.

I tried to build these movies showing only daylight hours, on work days. A few holidays sneak in, though. (There’s a longer section of a few days where no one shows up for work across Thanksgiving, for example.)

The AVI frame rate is 25fps, with each frame jumping 10 minutes, so the effective speed is 15000:1 (600 seconds of real time per 1/25-second frame). They span the time from July 26 2005 through January 21 2006. (The right-side camera was added on August 29.)

My least favorite easter egg is where the room-light-shield I taped up to keep room glare off the camera peels off the window and hangs in front of one of the cameras during Christmas and New Year’s vacation (when no one was around to fix it).

My most favorite easter egg is near the latter half when a pile drilling rig is parked in the foreground. Over the course of the day, the hydraulics holding the drill up at an angle bleed out, and the drill slowly pitches forward. I just love it; it’s exactly the kind of event no one notices at the time because it’s happening so slowly. Seen in time-lapse, though, it’s very obvious — it’s the only thing moving at all! :)

Enjoy!

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 9, 2006

greasemonkey for RMLS

Filed under: Web — kees @ 8:15 pm

The house-for-sale listings that RMLSweb.com produces are very detailed, and even include a link to show a map for each house’s address. However, this link goes to MapQuest, which I find infuriatingly annoying to use. I wanted the link to at least go to Google Maps instead. Since I live near Portland, I also wanted to search the fantastic Portland Maps site at the same time. That way I could see lot dimensions, crime statistics, etc.

This was clearly a perfect job for GreaseMonkey. The result, after my usual fights with javascript, is my script to override the RMLS address mapping function.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 2, 2006

in honor of DST: SW

Filed under: Blogging — kees @ 7:56 am

Since I’ve lost an hour to Daylight Saving Time, I thought I’d record a list of links to Alternate Star Wars Theories.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0
