Monday, January 28, 2008

CIO Magazine: What Decade is This?

I ran acrosss an absurd article called You Used Perl to Write WHAT? on one of my Java feeds.
Perl is the granddaddy of the open-source scripting languages, with the 1.0 release seeing the light of day way back in 1987. By comparison, PHP wasn't released until 1994, and Python didn't have its 0.9 release until 1991—only the Unix shells themselves have an older pedigree.
While there are no doubt some pretty intense apps written in Perl, it's time has passed. There are some rare but unfortunate situations when writing shell scripts is justified (*UNIX startup scripts for one), there is no excuse for initiating any new Perl projects in the 21st century.

Perl is not a wise elder. Perl is on life support and it is time to remove the feeding tube or call in Dr. Kevorkian.

Saturday, January 26, 2008

What's is it with the seniors and the newer Compaq ILOs?



It's been a crazy/busy week (hence no blogs) and all I will say is that the newer lights out management boards in HP DL-145G3's and DL-380G5's are on "my list!" I'm watching you! You piece of $*%&#! Although most of it is Java hell, to be honest.

But enough of that, the South Carolina exit polls again showed how the over 60 crowd (traditional Democrats, yuck, probably folks that liked Mondale or Dukakis) tilt for Billary. On the one hand it sort of makes me queasy to hear the Billary on the attack, but its pretty funny how on several of the Air America radio shows I listen to in traffic (Stephanie Miller) or shuttling back in forth between various buildings (Ed Shultz) are going off on the Clintons.

If these Bush-haters are so down on the Clintons, it really does seem the Democratic Party is on edge of screwing themselves over again! Only a patronizing knucklehead like Kerry or a sighing windbag like Gore could lose to Bush. It is not just the genius of Rove, but lack of creative thinking on the damn parties.

Thursday, January 17, 2008

Eee PC for President!


Continuing on a theme I made it by the CDW showroom in Vernon Hills yesterday during lunch and stumbled across a black Asus Eee PC on display.

I spent about 15 minutes unsucesfully trying to find the X-Term (it is there through a key sequence I later found it) and trying out various apps (sans Internet one's because there weren't any open hotspots) are the highlights/impressions:
  • The OS was pretty responsive. OpenOffice 2.x loaded slightly faster than on my T-61
  • Keyboard is really small and difficult to type on initially, but one could get use to it
  • Feels cheap but not flimsy
  • Screen is decent
  • Speakers (and web cam) seemed surprisingly good
  • Startup/shutdown was was within a matter of seconds
  • It appeared to be Kwin + ICEWM
  • The trackpad button was really hard to click, took a surprising amount of effort

One downside was the offical ASUS web sites on the product are awful. I couldn't find any decent manuals but I did find the GPL source. Pretty much everthing requires flash but the EeeUser Wiki had lots of good stuff.

Pretty appealing as a portable Linux platform especially if you consider that the 2G versions are around the same price as an Ipod Touch.

Wednesday, January 16, 2008

"This" close to wiping XP from my T-61

Slow bootup time, flaky WPA with Linksys box at home, and (the last straw, this morning) problems with the Sprint Mobile Broadband connection manager, plus I need the partition. Yeah about time.

Tuesday, January 15, 2008

MacBook Air Wins Michigan!


I'm not sure who the creepy guy (who I sort of resemble If I'd get a haircut) standing next to Romney, but I bet he's not thinking about the the new MacBook Air he just pre-ordered.

Of course neither am I, since I believe in ultraportables that weigh nearly 5 pounds.

But of course they are seductive, although if they are really the same footprint as the MacBooks that is just too big, no matter how thin.

But watching the guided tour was a hell of lot more interesting than the way things have been going in the campaign for the last week and the prospect of a Hillary vs. Mitt matchup is so depressing I won't even go there.

The only comfort is the knowing that we get what we deserve.

Sunday, January 13, 2008

BinData for Ruby Fuzzers

Not that I'm into fuzzing binary protocols/file formats anymore. But if I still wasted my time on that sort of nonsense BinData looks useful enough for that sort of thang:


= BinData is a declarative way to read and write structured binary data.

This is a performance release. Execution speed has been doubled and memory usage has been decreased by about 25%.

== What is BinData?

Do you ever find yourself writing code like this?

io = File.open(...)
len = io.read(2).unpack("v")
name = io.read(len)
width, height = io.read(8).unpack("VV")
puts "Rectangle #{name} is #{width} x #{height}"

It's ugly, violates DRY and feels like you're writing Perl, not Ruby.

Here's how you'd write the above using BinData.

class Rectangle < BinData::Struct
. endian :little
. uint16 :len
. string :name, :read_length => :len
. uint32 :width
. uint32 :height
end

io = File.open(...)
r = Rectangle.read(io)
puts "Rectangle #{r.name} is #{r.width} x #{r.height}"

BinData supports signed/unsigned integers, strings, null terminated strings, arrays, choices and user defined structures.

Saturday, January 12, 2008

HBO's The Wire, Ubuntu DVD Playback, and the best low cost Linux PC for Kids



So the older PIII/Celeron-class boxes I've built for my son are too slow for bzflag so that I'm considering building/getting him a new PC. I'm not wild about it, but he's been using my highest end box at home (an Optiplex GX-620 Pentium D). A Mac Mini would be perfect, but they are just too damn expensive. The price difference between a comparably equipped Dell-n-Optiplex Desktop is probably $300-400. Not worth it.

I've priced out the following at $462: OptiPlex 330 Desktop Intel® Pentium® Dual Core Processor E2160 (1.80GHz, 1M, 800MHz FS, 1GB, 250GB SATA, 3 Year Warranty, Intel X3100, with DVD-ROM.

This is obviously overkill and I could probably skimp and cut $75-100, but since he actually won't be using it that much (although it will be in his room) I can use another VMWare server Box.

So it needs wireless, but since I've had marginal luck with with USB/PCI 802.11 cards under Linux, I'm leaning towards getting a Linksys bridge just so I don't have to mess with it.

He also needs to be able to play music and he's comfortable with the GNOME music tools.

The last considerations was DVD playback. I remember compiling xine, dvdcss and friends from source 5-6 years ago on my T-22 at Cisco but I haven't played a DVD on Linux since then.

Well Linux has come a long way since then and it was a snap on Gutsy was a simple as adding the mediubuntu repository and installing totem-xine. Oh and the other great thing about medibuntu is the dvdrip works great. Kids are hard on DVD's (meaning food and scratches) it only makes sense to rip them so they can watch them over and over.

Oh and you must watch The Wire (which is is supposedly Barack Obama's favorite show) and I do like Omar, as well.

Friday, January 11, 2008

Not SCADA, But Close Enough



While I previously bemoaned Hoff's comments on SCADA his post on train control system hacking is on target. And arguing whether something is SCADA is pointless potato/patato exercise unless you are Joe Weiss (or in the UK, where it does rhyme with patato.)

For me this issue is whether some non-physical-layer electronic attack (I consider jamming a physical-layer attack) against COTS components can effectively used to alter some physical system.

That could be a building control system, that could be rail control system, that could be IP video surveillance and card readers, that could be hacking a food manufacturer to stamp to incorrect expiration date on a bottle of beer.

It's all good. It's all in scope for the FUD game.

Thursday, January 10, 2008

Wow A Ruby Modbus Implementation

Since we know all the cool kids use Ruby (but the smart kids use Python) so cool kids that want to "play SCADA" can now use RModbus to bring down the power grid!

I didn't play around with this because I think the best Open Source Modbus implementation (for SCADA hacking) is Jamod which I previously with Jython but would now probably use JRuby since I'm no longer smart anymore.

Tuesday, January 08, 2008

At least "Mac is Back"

Even if Obama can come from behind (still stuck at 36-39 now, damnitt!) this is a victory for Hillary. But least Romney (and Huckabee and Rudy) were defeated tonight. After all I'm just one of those goofy conservative leaning Independents are smitten by Obama and line up much more ideologically and practically (particularly in terms of Iraq) with McCain. And a party that picked Gore and Kerry (just like a party that picked W) deserves what they get.

Some of these daily dish reader responses nail it:


It's times like this when I remember that political parties, not the American public, choose the nomines. The Democrats turned out for Hillary. If they want her, they can have her. Just please God, give me McCain as the alternative. Otherwise, I'm out.


and


As a lifelong Democrat, come February 6th, I am rerolling (as the kids with their fancy computer games like to say) Independent. This party would rather brawl with, and lose to, the Republicans out in the schoolyard than try to come together and achieve anything loftier than keeping Roe v. Wade as good law.

Someone get me a McCain '08 sticker ... These current Dems would have nominated Adlai Stevenson over Kennedy in 1960


Although I have no idea which party affiliation I filled out a year ago when I got my driver's license up here, but I'm guessing it wasn't Dem.

Wow exploitable MSFT TCP/IP Vulns! Is it 1998 or 2008?

While I'd expect this kind of shit from Cisco (don't ask me what that even means and it definitely has nothing to do with anyone from Finland or the fact I've drinking horribly strong Nordic beer lately) but I was shocked to see MS08-001. Very cool. Maybe I do remember looking at IGMPv3 back in the day and thinking what a mess, so maybe this isn't such a suprise. Nonetheless, seems very old school and maybe there is some attack surface below HTTP.
A denial of service vulnerability exists in TCP/IP due to the way that Windows Kernel processes fragmented router advertisement ICMP queries. ICMP Router Discovery Protocol (RDP) is not enabled by default and is required in order to exploit this vulnerability. However, on Windows 2003 Server and on Windows XP, RDP can be turned on by a setting in DHCP or by a setting in the registry. On Windows 2000, RDP can be turned on by a setting in the registry. An anonymous attacker could exploit the vulnerability by sending specially crafted ICMP packets to a computer over the network. An attacker who successfully exploited this vulnerability could cause the computer to stop responding and automatically restart.
and
A remote code execution vulnerability exists in the Windows kernel due to the way that the Windows kernel handles TCP/IP structures storing the state of IGMPv3 and MLDv2 queries. Supported editions of Microsoft Windows XP, Windows Server 2003, and Windows Vista all support IGMPv3. In addition to IGMPv3, Windows Vista supports MDLv2, which adds multicast support for IPv6 networks. An anonymous attacker could exploit the vulnerability by sending specially crafted IGMPv3 and MLDv2 packets to a computer over the network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Friday, January 04, 2008

Yuppie Elites for Obama!

Whether or not I'm a yuppie elite, count me in!
As Hillary Clinton looks to rebound in New Hampshire, it appears one part of her strategy will be to cast Barack Obama as the favorite of yuppie elites who aren't looking for experienced leadership so much as they are wanting to ride a trend or indulge a sentiment.
I would like to not feel ill when I hear the Commander in Chief (I was enlisted) on the radio the way I did during Clinton and Bush II. If that is indulging a sentiment, sue me.

I've always wanted to know if I'm a member of the cherished Middle Class politicians alway talk about and pander to? These Middle Class folks I keep hearing about, can they be software engineers or have ever cashed in stock options or worked for Bay Area companies?

I might have been a yuppie elite when I lived in laid back Central Austin neighborhood with lots of 40-something hippie-artistic types (oh the scent of Cannabis wafting across Burnet road), but up here in Skokie on a single income, struggling to pay for overpriced housing, expensive [public] pre-schools, with a few grand in unpaid mental health bills, where I'm afraid to even drive in these old-money North Shore neighborhoods in our brand new Honda minivan. Is that "Middle Class" enough? Maybe Hill is my gal? Forgot about manufacturing, will Edwards should fight to keep my high paying security job from being outsourced to an MSSP? No, I don't want a damn thing. I just want government (and the executive branch, because Congress is a lost cause) to have the appearance of being civil and competent. That's all I ask.

Thursday, January 03, 2008

Could be a long evening (NOT!)


So the Real Time Stats pretty cool, if maddening. God help the Democrats if "Mr. I'll fight for you" so we can have the best jobs. After all we deserve it because just because we are Americans, damnitt!

Update: An hour later, Obama up by 7% with Hillary in 3rd!!!!

And this is a decent explanation which jives with my experience with Obama: following the urging of Radio Paradise (back in June) I wrote to all my representatives about the increased royalities that Internet Radio stations were about to pay. I received a response in less than a day from Senator Obama (I assume a staffer, I hope!) 3 months later from Durban's office and whoever the Representative from Skokie/Evanston: Never.

Wednesday, January 02, 2008

21st Century Ethernet, False Prophets, and other Absurdities



Once again the SCADA Mailing list provides lots of heat but little light. The thread started out mysteriously enough with myrcurial's assertion that in '08 SCADA was just but too lame to bother hacking (on a related note check out Dale's recap of Ralph Langners view on CCC Hacking SCADA) degraded into the usual whining. Much like the Obama vs. Clinton, a lot of the argument falls out based on age and experience, with some of the more senior folks having some crazy ideas not based in reality. I swear I heard the dumbest Hillary supporter on All Things Considered this afternoon, you know the one that wanted Hillary right after Bill.

As much as I tried,there is nothing to say here except to ponder each of this and their ironic potential, especially when taken out of context:

"we have met the enemy and it is Ethernet."

More and more, thanks to very clever marketing departments, customers are ever more eager to convert their "old" industrial control networks to Ethernet. Perfectly adequate systems that are running isolated and safe.

Whuy? Well, Ethernet is just so cool, so 21st century. Web browser interface, etc... What could be cooler? Techs and engineers want to work with the latest technology, it improves the resume, makes one more marketable, right?

What results from this rush to Ethernet?

Well, for one thing, there is clearly a lack of decent IT talent to maintain that many critical SCADA systems (many existing personnel can barely understand serial networks - believe me, 25+ years in the business - I know.)

Ethernet invites connection to company LANs through firewalls.

Firewalls get penetrated due to the same lack of IT talent to maintain their robustness.

Joe Weiss speaks the truth. The you-know-what is going to hit the fan, it's just a question of time.