Sunday, May 27, 2007

Johan Petersson explains the mysterious linux-gate.so.1




Apart from the image above, I won't even try to introduce the topic, but check out What is linux-gate.so.1. Oh, and if you felt the slightest twinge that this could be dangerous, check out the milw0rm paper on exploiting with it.

And, No, I'm not writing Linux exploits, but porting some of the shell functions from mkinitramfs to a fancy new Ruby UbuntuTrinux image builder.

Saturday, May 26, 2007

OpenWrt has come a long way




So I've had a PoS Dell 2300 TrueMobile router (wonder how much iDefense paid for this) I bought used at Discount Electronics (God I miss that place, half the gear in my basement is from there, interesting to see they are part of a campaign to keep Walmart out of our old neighborhood back in Austin) sitting on the basement floor for months. I decided I'd give OpenWrt a try again. Downloaded version 0.9, installed openwrt-brcm-2.4-squashfs.trx through the Dell web interface, and figured I'd bricked it and boom the web interface came up. Wow!

Debian and Fickle Old Me

After Ragging on Etch last month, the last two servers I've built at home have been Etch boxes.

Downloading the cd installation iso has been so painless and quick (thanks to the CERIAS mirror close by). Then

apt-get install tightvncserver openbox xterm

I know the identical command would probably work on Ubuntu for a nice headless box, I'm now leaning towards Etch on the server in place of Ubuntu Dapper LTS.

We'll see how Xen and Vmware-server go.

Thursday, May 24, 2007

Macbook Strike One: Keyboard Failures During Bootloader

Bootloader keyboard issues (GRUB in particular) are an Apple Bug according to the Refit folks back in March. Dual booting is pretty painful, if not impossible. Workarounds: create a custom isolinux image while you are testing kernels or just keep rebooting until probability catches up with you and you can actually use grub to select a kernel/os. No thanks, I'll pass.

Labradoodle vs. Latitude



Labradoodles are awesome dogs. We rescued ours (mis-use of the term "adoption" for animals is a pet peeve of mine) from the Town Lake Animal Shelter back in Austin last Fall and he is now up to 80 pounds--but looks like 120 due to the haircut. Also has a scary deep bark. Most importantly (as illustrated in the snapshot above), he also hates Dell laptops.

Last week, I came home to find keys from my wife's D-510 spread across the floor as a result of a tussle with our 24 pound female Boston Terrier. But there is a bright side to the story. The degradation of service against the Dell and the ThinkPad Memorial Day Sale mean I can give my MacBook (which I'm growing weary of) to my wife. The only thing holding me back is I'm torn between the bleeding edge 14.1" T-61 (7658CTO), which might result in a rough couple of months because this is going to be a 90% Linux laptop, or the underpowered, but more portable (and expensive) X-60 (1709CTO).

But no more Dells.

Wednesday, May 23, 2007

OSX Safe Boot is your Friend (SHIFT!)

There I was (after weird wireless issues and a Finder that hung with only the spotlight icon in the upper right hand corner after login) booting from the install CD (learning that booting from the CD that came with my MacBook indeed causes a kernel panic) and net-catting mdfranz.sparseimage over to another box and racking my brain for the master password I used with Folder Vault and wondering if I managed to copy this 30 gig file over to my MacBook would I be able to open it? And with only my userid? And so an rsync of 363,250 files begins so that I can finally go to sleep tonight and end my Thinkpad envy.

But hey I learned that I can push 7MB/sec from a Powerbook G4 - 1.5ghz to a PIII-500 with netcat. And average about 4-5 MB/sec with rsync+ssh. Yes, bwm-ng is your friend, too. All through the switched ports on a Cisco 851. Which is 3 times what I was able to do over wireless (routing on the router, through a Linksys (natting), then routing through another Linux box).

Tuesday, May 22, 2007

Surprise Author on OPC Security

It is always fun to get credit for work you didn't do.

Today, I was pleasantly surprised to learn I was one of the authors in an ISA InTech paper of OPC Security when a reader of the article provided feedback on how .NET OPC implementations (that use .NET Remoting vs. the dreaded DCOM) were farther along than we suspected in the article. Working with BCIT on OPC security was my 2nd project at Digital Bond (the first project was contributing to an energy sector scenario--oh yeah which involved OPC, a coincidence?--for the first DHS CyberStorm Exercise). What we thought was to be a short little paper we could knock out in a few months, turned out to be a massive document that will be released in multiple parts. This paper was the 2nd most painful deliverable I worked on. The first most painful one was a web application assessment where I learned how much more involved it is doing that sort of work for paying customers where you have to produce quality deliverables with executive summaries that management will read -- as opposed to the informal "powerpoint and engineering notes" (don't forget DDTS's!) deliverables that were adequate for Cisco product teams.

Friday, May 18, 2007

Countdown to MoDB




Somewhere, someone with a scary sounding gmail or yahoo email account (either with elite-speak or a long numeric suffix and who is probably subscribed to the fuzzing mailing list) is working on yet another FTP fuzzer in Perl or C or PHP (God forbid!). Perhaps this tool is even used in an example of a soon to be published book on Fuzzing (why there is a need for 2-3 books on the topic, is beyond me). But I beg you, please, stop! Not another semi-colon. Pick a sane language to develop tools and while you are at it, another protocol to fuzz.

How about RFC 2229: A Dictionary Server Protocol. It's a green field, man. dictd is waiting for you and it guarantees dozens of security advisories since all the Linux distributions will have to update. No more testing of Windows shareware for you. You hit it big time. There are enough DICT implementations that have probably never been audited to keep you busy for a month. I can see the eweek headline: "A Word A Day Keeps the Hackers at Play." And remember you can just announce and not ever find anything. The security press will pick up the story anyway. The best thing is most of the FTP test cases you started on should work, even your code for testing FTP clients. I'm sure you'll find some juicy Curl client sides. While you are at it, you can include in your whitepaper how public DICT servers can be "fingerprinted" based on 3 digit response codes and how they disclose unnecessary information of the server and the underlying OS, how the DICT sessions can be hijacked to redirect unsuspecting requesters to rogue dictionaries (with or without your clever Ettercap plugin), how malicious "show" commands can be used to perform dictionary enumeration, how DICT can be abused to perform SQL Injection, and last but not least how new word notifier forms fail to properly sanitize user input and suffer from XSS. All of this should allow you to submit a presentation to Black Hat with an ominous title like "Internet Dictionaries: Unsafe in any Language" (of course there is a double entendre because you will have found flaws in both the C, Java, and Python implementations). Oh, if only I had a month on my hands.

Thursday, May 17, 2007

ubuntutrinux-core-0.1 release candidate is out!

In the past hour or so I've squashed enough bugs and completed enough documentation, I'm pleased to say that a release candidate for the first (0.1) formal release of UbuntuTrinux is now available. I've hit most of the milestones for 0.1 and some in 0.2. Not too shabby.

Among the changes:
  • A complete list of included tools is up. Let me know if I missed anything small. We are at 14.2 megs. 15 meg is the new max.
  • bash is now the default shell (not sure why but it keeps ls from segfaulting on long file listings, must have been a busybox ash thing) and less finally works
  • I think Nmap 4.20 is new this build. It may have been in the last one. Socat is new because I didn't have any port redirection tools apart from what is in iptables.
  • Added the latest build of snort. I got it working, but there are no signature files or configuration files present.
  • New dropbear keys are generated on each boot
Now on to the testing, final documentation, and release announcement on Freshmeat.

Wednesday, May 16, 2007

Minimum Standards, Methodology, and the "False Sense of Security" Defense

Probably few in the mainstream security community noticed the announcement of the first round of controllers certified by Wurldtech. Yes, follow these links before you read any further, because none of this will make sense if you don't.

Although out of the SCADA Security world, this is something of personal interest to me not only because Eric Byres (who started but did not finish this effort, although you won't see his name anywhere) and I discussed it quite a lot over the years (and something I presented on last year at PCSF and earlier at CanSecWest/01) but because the problem space was one that I was intimately involved with at Cisco.

Over the years, I was involved in 3 or 4 different initiatives of varying scope and ultimate effectiveness that touched on the problem of defining minimal security standards/criteria/test procedures for network devices and protocols. See, I told you if you didn't follow the links you'd be lost or bored

While a lot of folks find this sort of "methodology work" tedious or tiresome, I have always found it fascinating. Although, truth be told, much of the point of defining (and automating the testing of) minimum product security standards was to offload soon-to-be boring work so that others can do it. Running port scans, testing TCP/IP/UDP/ICMP stacks for protocol implementation flaws (i.e. running ISIC for days and days, even if it gets you a CNN moment), checking for weak, default credentials, running commercial test suites like Codenomicon, tracking down all the versions of software and searching public vulnerability databases for relevant flaws in Open Source or commercial software components all should be done. I'd just rather someone else did it. And if I put my small company research hat back on, the sort of repetitive tasks such as this aren't terribly interesting from a project standpoint either.

However, defining and automating test cases or assessment criteria was interesting. But I'm probably in the minority since I've found "hard core" security folks to be the folks most resistant to the definition and enforcement of minimum security standards. You'll see this almost any time a new standard comes out. The standard is worthless, because it doesn't go far enough. It doesn't have/do X, Y, or Z, so it will lure users/vendors/whoever into complacency.

I saw this firsthand during my last year at Cisco. There was division within our group on how to approach a new effort that was being proposed by another [competing??] product security group who had in mind something very similar to Wurldtech's L1-4 test cases. The intent was to stamp out the "low hanging fruit" vulnerabilities which are unfortunately all too common. (You know the sort of stuff that is many of the SCADA vulnerabilities being discovered.) The most senior engineer in the group was putting up the classic "false sense of security" argument. (Another unconscious argument often put forth is that finding vulnerabilities is more art than science and can't be captured in a process or methodology, but I don't think that was in play.)

I ultimately sided with the minimum standards effort for pragmatic as well as political reasons, since I knew the other group's manager (who I'd worked for previously) was far more savvy than our current boss. We'd lose the fight even if it were the wrong thing to do--which it wasn't. Our group went on to drive the effort and it was one of the more important things I worked on in STAT and the Nerd Lunch I did out in San Jose was received far better than the one I did on BGP.

So what are the takeaways? Sometimes, the risk is greater for setting the bar too high vs. picking something that is good enough. The perfect is commonly the enemy of the good. There are always too many excuses not to do something now that solves part of the problem vs. endlessly working on something that might solve the entire problem in the future.

And I think this is one of the reasons why we see the first security certification of this type in the parochial world of SCADA and not somewhere else.

Saturday, May 12, 2007

Trinux, Java, P2P, and 114MB





trinux# PATH=$JAVA:/java/bin
trinux# java -version
java version "1.5.0_11"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode, sharing)

So 114MB appears to be the minimum RAM footprint for J2SE5, at least with everything else I have running in the Trinux build. Since 64MB is the default max for the initramfs I had to create another ramdisk for the JRE.

trinux# mount
rootfs on / type rootfs (rw)
none on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw)
/dev/ram0 on /java type ramfs (rw)

BTW, if ramfs is in /proc/filesystems you can create ramdisks with

mount -t ramfs /dev/ram0 /mount

I can't remember if I managed to run any Java apps (I remember looking at Kaffe) under Trinux, but tonight I managed to get the Java Modbus/TCP Simulator I wrote for the Digital Bond Scada Honeynet running. I didn't actually see if it works, but netstat shows the socket open, so I guess it works.

trinux# pwd
/java
trinux# du . | sort -rn | head
80684 .
79132 ./lib
28080 ./lib/i386
16592 ./lib/i386/client
7268 ./lib/i386/server
1764 ./lib/zi
1156 ./bin
1120 ./lib/ext
544 ./lib/oblique-fonts
516 ./lib/zi/America

35 of the 80 megs are the runtime (rt.jar) which theoretically could be stripped, but not sure it is worth the effort.

Why the sudden issue in Java on UbuntuTrinux?

Well, I've been looking at some of the P2P APIs out there such as JXTA, P2PS, and Pastry.

If anyone knows of any C P2P APIs (and no, I'm not talking about filesharing stuff, I'm looking for APIs that handle routing, registration, rendezvous, and all that stuff) that are comparable, let me know. The only thing remotely interesting I dug up is pitsaw but I haven't got it running, although it did build, which is more than I can say for the C JXTA implementation.

Friday, May 11, 2007

Vulnerability Anxiety

My mind is fried from my noisy but under-stimulated children and the plague of perpetual morning (and afternoon and night) sickness. And, no, not mine.

Or perhaps Gadi Evron's NANOG alert on Broadband Router vulnerabilities has pushed me over the edge, but I think Bejtlich might be on to something with his whole focus on the threat, impractical or not. Or perhaps it is just more intellectually honest than folks in security [consulting|product] companies going on and on ad nauseam about end of the world vulnerabilities of the day/month/year so that the morons at e-week will reprint their "marketing" as news.

Sure, I did it too. It is fun. Pick the latest product, protocol, technology, and find holes in it. Easy. Make the world safer. Hell, save it while you are at it. I did inside Cisco with product teams. Find the bugs before the bad guys do. I tried to do it with the thick-headed SCADA community. Don't get me wrong (when I used to work for a vendor, and was still bitter about having wasted lots of time and energy on product security initiatives that went absolutely nowhere and being part of a small, understaffed, non-revenue-generating group buried deep within the bowels of a security business unit) I used to be sympathetic to Alan Paller/Bruce Schneier-style vendor-bashing (meaning if only Microsoft, Cisco, Oracle, etc. would do x,y,z then we'd all be fine.) But not anymore. Now I find it tiresome, almost as tiresome as the new scary fuzzer of the week. And I am glad that I'm in a job where I don't do too much "awareness raising" of this sort (or writing fuzzers, for that matter.) Whistle blowing, bell ringing, inviting the wolf in the door, dressed as Grandma. Whatever you want to call it.

But it reminds me of one of the handful of occasions (most which were quite amusing and absurd in hindsight) where work I touched received at least a blink of attention at the senior executive level (meaning, to folks that reported directly to Chambers).

I was working on a high visibility prezo that was going to be given to some govt big shots. This is pre-DHS days, but it involved a former Clinton administration appointee that would go on to release a tell-all book critical of the Bush administration in the summer of 04. A year ago I would actually stand behind him going through security at Reagan one morning, chuckling while TSA took extra long to go through his bags. (Another HINT: this guy talked about "Digital Pearl Harbors" a lot)

To get back to the point, the critique from the exec on my slides was short and sweet. I still have a printout:
[this] reads like a laundry list of anxieties regarding the future of networking and its vulnerabilities..
Of course I thought this was nonsense at the time. Like all the execs, he just didn't get it.

But what does this mean to me now? It means, sure, you can (and should!) do all that product/application security goodness. But every new technology (Web 2.0, Vista, VoIP, IPS, NAC whatever) is going to be broken as hell (or at least appear so, because all it takes is one hole, right?) when it first hits the streets.

Not only has the endless vulnerability drum-beat gotten old, I'm not sure of the point anymore. The terrain that must be defended is endless and particularly difficult for vendors (such as Cisco) that do much of their product development via acquisition. Although it is no cake walk for those that do everything in house. And just like the real wars, it is difficult to know the scorecard, since most of the time we only know about those that "get through" and there is only one interpretation of publicly available information: that we are losing.

Wednesday, May 09, 2007

All that is wrong with presidential politics

This CNN story on the $150 check by Ann Romney to Planned Parenthood. Who cares? And abortion is one of those "high school debate topics" that gets way too much attention every four years. However, fellow Texan (I still have my license plates until July, that counts!) Ron Paul's Youtube Concatenation is sort of interesting. But, then again, I like candidates that have no chance. Bonus points for those that have a crazy gleam in their eyes like McCain did in 2000, but alas no more. The great thing is my vote won't count next year here any more than my vote counted in Texas in 2004. Not a bit o' difference.

Tuesday, May 08, 2007

Drupal/PHP You Win for the night

Last three hours battling Drupal on Dapper (PHP 5.1) and the dreaded Access Denied Error after you created your admin. I swear I had this working a month ago.

This doesn't work
root@karlov:/var/www# dpkg -l | grep php
ii libapache2-mod-php5 5.1.2-1ubuntu3.7 server-side, HTML-embedded scripting languag
ii php5-common 5.1.2-1ubuntu3.7 Common files for packages built from the php
ii php5-gd 5.1.2-1ubuntu3.7 GD module for php5
ii php5-mysql 5.1.2-1ubuntu3.7 MySQL module for php5
ii php5-mysqli 5.1.2-1ubuntu3.7 MySQL Improved module for php5
root@karlov:/var/www#

This still did!
root@ubuntu:/var/www# dpkg -l | grep php
ii libapache2-mod-php5 5.1.2-1ubuntu3.6 server-side, HTML-embedded scripting languag
ii php5-common 5.1.2-1ubuntu3.6 Common files for packages built from the php
ii php5-gd 5.1.2-1ubuntu3.6 GD module for php5
ii php5-mysql 5.1.2-1ubuntu3.6 MySQL module for php5
ii php5-mysqli 5.1.2-1ubuntu3.6


Nah, the security update didn't break something...

Damn you PHP, damn you!

Sunday, May 06, 2007

We're Two Weeks out from UbuntuTrinux 0.1 (or how I defeated Unix98 ptys)

So the big new feature in the latest (050607) ubuntutrinux snapshot release is a working SSH2 server (courtesy of Dropbear.) Like Busybox, it has added a lot of features since I last built it back in 2003. There is now a small SSH client (ssh is symlinked to dbclient) and it includes some version of scp from OpenSSH. So scp (at least to Trinux boxes) works as well.

As the title suggests, we're getting close to an initial (0.1) release. I'm this close to finalizing the feature list. If you followed the link you see that goal for the 0.2 release is finishing the .yaml configuration file and 0.3 an IOS-like shell using the Ruby Cmd module. But back to Dropbear...

For others that might want to include it (or get the Busybox telnetd server working) in a small distro, the key (but not terribly difficult) technical hurdle to overcome is to ensure the kernel has Unix98 pseudoterminal support and that the device files are present. I had the former, but not the latter.

Basically you need kernel support, the "multiplexer device" (/dev/ptmx), and a /dev/pts directory as you can see below:

trinux# ls -al /dev/ptmx
crw-rw-rw- 1 root root 5, 2 May 7 12:02 /dev/ptmx
trinux# ls -al /dev/pt
/dev/ptmx /dev/pts/
trinux# ls -al /dev/pts
drwxr-xr-x 2 root root 0 May 7 12:01 .
drwxr-xr-x 3 root root 0 May 7 12:01 ..
crw--w--w- 1 root root 136, 0 May 7 12:02 0
trinux# cat /proc/config.gz | gunzip | grep PTY
CONFIG_UNIX98_PTYS=y
CONFIG_LEGACY_PTYS=y
CONFIG_LEGACY_PTY_COUNT=256

The device files with the major number of 136 are created dynamically for each pair. The Linux Text Terminal Howto has good info on this. The kernel config file in /proc is nice, huh. I wonder if the BSDs have something like that. I doubt it.

And the dropbear logs show that I have a little more work to do but it works:


May 7 12:01:50 trinux authpriv.warn dropbear[1099]: Failed reading '/etc/dropbear/dropbear_rsa_host_key', disabling RSA
May 7 12:01:50 trinux authpriv.info dropbear[1100]: Running in background
May 7 12:02:08 trinux authpriv.info dropbear[1105]: Child connection from 10.0.2.2:51769
May 7 12:02:14 trinux authpriv.notice dropbear[1105]: password auth succeeded for 'root' from 10.0.2.2:51769
May 7 12:02:14 trinux authpriv.err dropbear[1106]: open /dev/tty failed - could not set controlling tty: No such file or directory
May 7 12:02:14 trinux authpriv.warn dropbear[1106]: lastlog_perform_login: Couldn't stat /var/log/lastlog: No such file or directory
May 7 12:02:14 trinux authpriv.warn dropbear[1106]: lastlog_openseek: /var/log/lastlog is not a file or directory!
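
The prerequisites described in this post, and the gaps the log above still shows (/dev/tty, /var/log/lastlog), can be checked against a staged root filesystem before it is packed. This is an added example, not UbuntuTrinux code: the PtyAudit module, its messages, the sample tree and the assumption of a static /dev inside the image are constructed here, and the host-key check assumes keys are meant to be generated at boot rather than shipped in the image.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example: audit a staged root filesystem (e.g. an unpacked initramfs)
# for what the post and the Dropbear log above show a login needs.
module PtyAudit
  # Device numbers: /dev/ptmx 5,2 is from the ls output above; /dev/tty 5,0
  # is the standard Linux assignment (the log shows Dropbear failing to open it).
  CHAR_DEVICES = { 'dev/ptmx' => [5, 2], 'dev/tty' => [5, 0] }.freeze

  # Constructed sample of the kernel config lines quoted in the post.
  SAMPLE_CONFIG = <<~CFG.freeze
    CONFIG_UNIX98_PTYS=y
    CONFIG_LEGACY_PTYS=y
    CONFIG_LEGACY_PTY_COUNT=256
  CFG

  def self.unix98_ptys?(config_text)
    config_text.each_line.any? { |line| line.strip == 'CONFIG_UNIX98_PTYS=y' }
  end

  # Returns nil when the node is correct, otherwise a description of the problem.
  def self.check_char_device(root, rel, major, minor)
    path = File.join(root, rel)
    return "#{rel}: missing" unless File.exist?(path)

    st = File.stat(path)
    return "#{rel}: not a character device" unless st.chardev?
    return nil if [st.rdev_major, st.rdev_minor] == [major, minor]

    "#{rel}: device numbers #{st.rdev_major},#{st.rdev_minor}, expected #{major},#{minor}"
  end

  # Returns a list of problems; an empty list means the tree passes.
  def self.audit(root, config_text)
    problems = []
    problems << 'kernel: CONFIG_UNIX98_PTYS is not enabled' unless unix98_ptys?(config_text)
    CHAR_DEVICES.each do |rel, (major, minor)|
      problems << check_char_device(root, rel, major, minor)
    end
    problems << 'dev/pts: mount point directory missing' unless File.directory?(File.join(root, 'dev/pts'))
    problems << 'var/log/lastlog: missing' unless File.file?(File.join(root, 'var/log/lastlog'))
    # Assumption: host keys are generated at boot, so a key file inside the
    # image would be shared by every machine booted from it.
    Dir.glob('etc/dropbear/*_host_key', base: root).sort.each do |key|
      problems << "#{key}: host key baked into image"
    end
    problems.compact
  end

  # Builds a constructed, deliberately incomplete tree and audits it.
  def self.demo
    Dir.mktmpdir do |root|
      FileUtils.mkdir_p(File.join(root, 'dev/pts'))
      FileUtils.touch(File.join(root, 'dev/ptmx')) # regular file, not a device node
      FileUtils.mkdir_p(File.join(root, 'etc/dropbear'))
      FileUtils.touch(File.join(root, 'etc/dropbear/dropbear_rsa_host_key'))
      audit(root, SAMPLE_CONFIG)
    end
  end
end

puts PtyAudit.demo if __FILE__ == $PROGRAM_NAME
```
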

Friday, May 04, 2007

My failed attempt at "instant ruby enlightenment"




I like Microsoft API documentation. Or at least I liked the .NET 1.1 stuff I was using in C# several years ago so much that even if I was working with Mono I would have VM (or VNC) open with the help viewer. It was definitely better than Sun Java documentation (had more examples) both of which are miles ahead of the worthless crap that ships with Ruby. Or at least the Rubies on my boxes. Unfortunately, I was never able to get any of the Linux .chm tools working to be able to read them natively. But I don't do much with C# anymore.

So in my quest to will myself into using and liking to use Ruby, I figured I'd give fxri a try. Actually I was using it on Windows (because it was built in to the Win32 install) and because I get no love from ri and I hate the web docs and I always forget to open up the dated copy of Ruby in a Nutshell I bought back in '01.

As you can see from the not-so-pretty picture (I had a darwinports version of libpng installed so why didn't the .png's render?) I did actually get fxri to build on OSX (PPC). First I tried using the libfox from ports and the fx-ruby and fxri stuff from GEMs.

No dice. Don't even bother. Here is how I did it (since I found only one tutorial last night on the topic, and it was much more involved, and I lost it this afternoon)

Pull down the latest version (now it is 1.6.26) of the Fox toolkit and do the configure; make; make install dance (remembering to use the appropriate prefix). On my Powerbook G4 it took like 40 minutes. Of course you have to have necessary darwin stuff and X libraries, etc.

Pull down FXRuby-1.6.11 and follow the procedure exactly:

Typical installation procedure is:
$ ruby install.rb config
$ ruby install.rb setup
# ruby install.rb install (may require root privilege)

Make sure you can do a require 'fox16' from irb. Maybe there are some demos or tests. I didn't bother.

Pull down fxri-0.3.6.tar.gz (warning it is one of those impolite tarballs that doesn't create a directory) and run the .rb and it mostly works. But it was ultimately unsatisfying. It was not the

I doubt this is fxri's fault, because the APIs I want to look up don't show up. I still don't know why docs I would expect to show up with ri/fxri don't make it. Is this a Mac thing? Is this a darwinports issue? They did on Windows. I know gems won't show up in the docs but stuff like CSV which are in the standard library just isn't there? On Windows there were over 7800 different entries that showed up in the left column. On my Powerbook I only have about 2800. What is up with that?

Given that so many Ruby fanboys use Macs, I'm surprised there isn't a native Cocoa API viewer. I know there is a Gnome viewer because I saw someone complaining the GEMs they installed didn't show up.

More application security cliches from Schneier

Sometimes back in CIAG, lowly Grade 10 Engineers had to fill in for executives at the various security forums that seemed to breed like rabbits after 9/11 as the private sector (in particular the IT vendor community) tried to prove it was taking security seriously--to stave off government regulation. (Not that there should have been any concern, since the private sector owns the Bush administration or is the Bush administration). Often, other worker-bee types, who also were filling in for their boss's boss's boss's boss (perhaps one too many?) from thinktank-type, overhead organizations that really didn't do much and weren't accountable for anything, were there. We would exchange knowing glances or eye-rolls.

I remember one at the Intel campus in Santa Clara where a bunch of CTO-types sat around trying to solve "BGP Security" or "DNS Security" in one fell swoop. Then there was a memorable workshop at Rand in Santa Monica. Everyone's favorite CSO from Oracle was there. And Michael Vatis (after he left government circles) was somehow involved in directing the sessions. I remember arguing with him about something unimportant, possibly Common Criteria. Everyone was hyperventilating about "source code scanners" the way I heard various senior managers (who were trying hard to be directors) talk about the importance of "teaching secure coding" in the undergraduate curriculum.

All of these are not bad ideas. And 95% of these folks were far smarter than I was. My point is that the level of discourse at these forums was shallow and simplistic, because they were too far removed from the problem space -- kind of like Schneier's latest observation on the state of software security. (On the plus side, they usually had decent catered food at these meetings and you got to stay in nice hotels and visit places where the weather was usually better than Texas.)

If you've made it this far, I have nothing constructive (or substantive) to say on whether or not a "security industry is needed" (it exists and isn't going anywhere) but check GNUCITIZEN or Taosecurity, especially the latter for some worthwhile commentary.

Thursday, May 03, 2007

Ruby (off Rails) Podcasts?

Although NPR was surprisingly non-depressing today (wowie-woooie, Condi is talking with the Syrians and neither side lectured each other) I was looking for some Ruby podcasts to listen to on the commute home which seems to be averaging about an hour lately. Something where I don't have to listen to Rails fanboys like the drivel on the OReilly Ruby blogs. Or something a little more advanced that won't induce traffic accidents like Rubyology. Something like .NET Rocks except without all the VB. Since tomorrow is WFH friday (enough Services vs. Solutions and TCO-talk for one week, need to actually get some work done), maybe I'll give Ruby Roundup a listen on Monday.

Or maybe this mysterious Thomas character can help me?

Tuesday, May 01, 2007

Which is easier? A pure ruby netflow parser or flow-tools bindings that don't suck?

So I pared down one of the examples in vflow (ruby bindings to flow-tools)

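#!/usr/bin/ruby
# Pared-down vflow example: dump every flow record in a flow-tools file.

require 'Vflow'
require 'socket'

# Path to the flow-tools capture, taken from the command line.
TESTFILE = ARGV[0] or abort "usage: #{$0} <flow-tools file>"

# Print the addresses, ports, protocol and ToS of one flow record.
def dumpvflowrec(r)
  puts "=============="
  print "srcaddr #{IPSocket.getaddress(r.srcaddr)} -> "
  puts "dstaddr #{IPSocket.getaddress(r.dstaddr)}"
  puts "srcport #{r.srcport} dstport #{r.dstport}"
  puts "prot #{r.prot} tos #{r.tos}"
end

x = Vflow.new
x.open(TESTFILE)

# Walk the records, printing a running count after each one.
count = 0
x.each do |r|
  dumpvflowrec(r)
  count += 1
  puts count
end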

I guess I found the bug the author mentions on the website.


franz-g4:/tmp mdfranz$ ruby vftest.rb ft-v05.2007-04-30.064501-0500
==============
srcaddr 202.97.238.199 -> dstaddr 24.136.7.235


SNIP


==============
srcaddr 24.136.7.235 -> dstaddr 64.233.163.19
srcport 58911 dstport 443
prot 6 tos 0
197
==============
srcaddr 207.172.3.8 -> dstaddr 24.136.7.235
srcport 53 dstport 57738
prot 17 tos 0
198


ruby(674) malloc: *** Deallocation of a pointer not malloced: 0x320110;
This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug

Of course not like I could do any better, I know better than to touch anything in C.

What are the odds the Python flowtools will be more robust?

Pretty good, I reckon.
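
For the pure-Ruby side of the question in this post's title, here is an added example (not from vflow or flow-tools) that parses one raw NetFlow v5 export datagram and rejects any input whose length disagrees with its own header. It assumes the standard v5 wire layout (24-byte header, 48-byte records) as received over UDP, not the flow-tools on-disk format of the ft-v05 file above; the NetflowV5 module, its field names and the sample datagram are constructed here.

```ruby
# Added example: pure-Ruby parser for one raw NetFlow v5 export datagram.
# Layout assumed: 24-byte header followed by `flow_count` 48-byte records.
module NetflowV5
  HEADER_LEN  = 24
  RECORD_LEN  = 48
  MAX_RECORDS = 30 # a v5 exporter puts at most 30 records in one datagram
  HEADER_FMT  = 'nnNNNNCCn'.freeze
  RECORD_FMT  = 'NNNnnNNNNnnCCCCnnCCn'.freeze

  class ParseError < StandardError; end

  Header = Struct.new(:version, :flow_count, :sys_uptime, :unix_secs,
                      :unix_nsecs, :flow_sequence, :engine_type, :engine_id,
                      :sampling)
  Record = Struct.new(:srcaddr, :dstaddr, :nexthop, :input, :output,
                      :packets, :octets, :first_ms, :last_ms,
                      :srcport, :dstport, :tcp_flags, :prot, :tos,
                      :src_as, :dst_as, :src_mask, :dst_mask)

  # 32-bit integer -> dotted quad, and back (the latter builds the sample).
  def self.ip(n)
    [n].pack('N').unpack('C4').join('.')
  end

  def self.ip_to_i(s)
    s.split('.').map(&:to_i).pack('C4').unpack('N').first
  end

  # Returns [Header, [Record, ...]]. Raises ParseError when the buffer does
  # not match the sizes it declares, so a lying count field is rejected
  # instead of being trusted.
  def self.parse(data)
    data = data.b
    raise ParseError, 'shorter than a v5 header' if data.bytesize < HEADER_LEN

    header = Header.new(*data.unpack(HEADER_FMT))
    raise ParseError, "version #{header.version}, expected 5" unless header.version == 5
    unless (1..MAX_RECORDS).cover?(header.flow_count)
      raise ParseError, "record count #{header.flow_count} out of range"
    end

    expected = HEADER_LEN + header.flow_count * RECORD_LEN
    unless data.bytesize == expected
      raise ParseError, "length #{data.bytesize}, header implies #{expected}"
    end

    records = Array.new(header.flow_count) do |i|
      f = data.byteslice(HEADER_LEN + i * RECORD_LEN, RECORD_LEN).unpack(RECORD_FMT)
      # f[11] and f[19] are padding bytes and are dropped.
      Record.new(ip(f[0]), ip(f[1]), ip(f[2]), *f[3..10], *f[12..18])
    end
    [header, records]
  end

  # Same fields the vflow script above prints, on one line.
  def self.describe(r)
    "srcaddr #{r.srcaddr} -> dstaddr #{r.dstaddr} " \
      "srcport #{r.srcport} dstport #{r.dstport} prot #{r.prot} tos #{r.tos}"
  end

  # Constructed sample: two flows using documentation addresses.
  def self.sample_datagram
    flows = [['192.0.2.10', '198.51.100.19', 58_911, 443, 6],
             ['203.0.113.8', '192.0.2.10', 53, 57_738, 17]]
    header = [5, flows.size, 1000, 1_177_933_501, 0, 197, 0, 0, 0].pack(HEADER_FMT)
    body = flows.map do |src, dst, sport, dport, prot|
      [ip_to_i(src), ip_to_i(dst), 0, 1, 2, 10, 1200, 100, 900,
       sport, dport, 0, 0x18, prot, 0, 0, 0, 24, 24, 0].pack(RECORD_FMT)
    end
    (header + body.join).b
  end
end

if __FILE__ == $PROGRAM_NAME
  _header, records = NetflowV5.parse(NetflowV5.sample_datagram)
  records.each { |r| puts NetflowV5.describe(r) }
end
```
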

Chain vs. Independent Coffeeshops (and Austin vs. Skokie) Epiphany

For the year plus I was at Digital Bond, I spent a lot of time working in small independent coffee shops close to Burnet Road. Pacha (not so much), Genuine Joe (quite a lot), and Russells (when I really needed to code, because they had no Wifi) and the place in the strip mall right close to 183 in between the Chilis and the Benihana whose name I can't remember (quite a lot, sometimes at the south location on Guadalupe).

It is probably more something about the true sense of community here in humble Skokie (with its authentic diversity, not the fake Whole Foods diversity, and no your tattoos don't make you any less white) compared to the segregated, self-congratulatory hippie-yuppie-vibe of Central Austin that a Panera bread (of all places, yes, I've got in the bad habit of stopping for coffee before I get on the Edens to make the trek up to Lincolnshire) can be such a warmer place to work. It is probably also because the median age is not 25.

Yesterday the young African man working behind the counter saw my Cisco corporate polo and asked about "Cisco Network Engineer" jobs in America and this morning, the always energetic manager (with some Eastern European accent, but not Russian) who greets most customers by first name, after swiping my debit card, asked if she should call me Matthew or David.

I guess I'm a regular now.