Home

Hello x-wap-profile I Didn't Notice You There @ 2010-08-31 23:41:17.570601
Filed under: Code  Tech  Security  Python 
After reading about some of the stupid that some mobile companies do when proxying their mobile traffic I decided to look at what my phone gave up. Luckily I didn't find anything way out there in the headers but I did find out about a header I didn't know about: x-wap-profile.

Before I continue let me say that I didn't find anything new :-). This is simply my own 'oh wait, what is this?' moment when playing with my phone.

The contents of the header had a URL. In my case it was http://device.sprintpcs.com/HTC/APA9292KT/latest. To my sadness it is an XML document. XML is the overly chatty great grandmother of modern markups. It doesn't understand why why you don't understand it half the time. It also smells funny. Anyway, after a bit of python I could read the XML in a more human friendly form: YAML. Note, this is some ugly and inefficient code but it was written to nicely see the data .... 

#!/usr/bin/env python
"""
Terrible but works way to find out info about mobile clients.
"""
import re
import sys
import urllib
import yaml

from lxml import etree


rx = re.compile('\{.*\}')
no_tabs = re.compile("[\t\n]*")
no_li = re.compile('li ')

xml = etree.XML(urllib.urlopen(sys.argv[1]).read())

results = {}
prev_key = None

for ele in xml.iter():
    if type(ele.tag) is type(""):
        tag = rx.sub('', ele.tag)
        text = no_tabs.sub('', str(ele.text))
        if tag == "Bag":
            continue
        if tag == "li":
            try:
                results[prev_key].append(text)
            except:
                results[prev_key] = []
                results[prev_key].append(text)
        else:
            prev_key = tag
            results[tag] = text
print yaml.dump(results, default_flow_style=False)


The code simply snags the XML from the URL and then uses some ugly parsing/hacks to transform it. Here is the output from my phones header: 

$ python wtf.py http://device.sprintpcs.com/HTC/APA9292KT/latest
AcceptDownloadableSoftware: 'Yes'
AdvertisingCapable: N/A
AntiSpam: 'No'
AntiSpamVendor: N/A
AntiVirus: 'No'
AntiVirusVendor: N/A
AudioCodecsForDecoding:
- mp3
- aac
- aac+
- eaac+
- amr-nb
- amr-wb
- qcelp
- wma
- evrc
- midi
AudioCodecsForEncoding:
- AMR-NB
- QCELP
AudioInputEncoder:
- gzip
- deflate
AudioJack: 3.5mm
BitsPerPixel: '16'
BrowserName: Android Browser
BrowserPortalVersion: ''
BrowserVersion: Eclair 2.0
CPU: ARM11
CamcorderResolution: 1280x720
CamcorderZoomCapable: 'Yes'
CameraBuiltInFlash: 2x power LED
CameraHighestImageResolution: 3624x2488
CameraMegaPixels: 8M
CameraZoomCapable: 'Yes'
CcppAccept:
- application/vnd.oma.drm.rights+xml
- application/ogg
- application/smil
- application/vnd.oma.drm.message
- application/vnd.wap.mms-message
- application/vnd.wap.multipart.alternative
- application/vnd.wap.multipart.mixed
- application/vnd.wap.multipart.related
- application/vnd.wap.sic
- application/vnd.wap.xhtml+xml
- application/vnd.oma.dd+xml
- application/java-archive
- audio/aac
- audio/amr
- audio/imelody
- audio/mid
- audio/midi
- audio/mp3
- audio/mpeg3
- audio/mpeg
- audio/mpg
- audio/x-mpeg3
- audio/x-mpeg
- audio/x-mpg
- audio/x-mid
- audio/x-midi
- audio/x-mp3
- image/gif
- image/jpeg
- image/jpg
- image/png
- image/vnd.wap.wbmp
- video/mpeg4
- video/mp4
- text/plain
- text/html
CcppAccept-Charset:
- ISO-10646-UCS-2
- ISO-8859-1
- US-ASCII
- UTF-8
CcppAccept-Language: ''
ColorCapable: 'Yes'
CommerceCapable: N/A
ConnectionManagerVendor: N/A
ConnectionManagerVersion: N/A
DataNetworkTypes:
- IS2000
- EVDO
- WiMax
- WiFi
Description: ''
DeviceIdentifierType:
- MEID
DeviceType: Android Touch
DiagnosticsClientVendor: CIQ
DiagnosticsClientVersion: 3.2.18
DiagnosticsProtocolVersion: 3.2.18
DownStreamBufferSize: None
DownloadableBrowserApps:
- 'No'
DownloadableSoftwareSupport:
- application/java-archive
EmailCapable: 'Yes'
EmbeddedApplicationsCapable: 'Yes'
ExternalMemoryMaxSize: 32GB SDHC
ExternalMemorySlot: 'Yes'
FirmwareVersionWiMAXRadioModule: 4.6.2.1 build22766
FixedVoIPCapable: 'No'
FotaClientVendor: SmithMicro
FotaClientVersion: ''
FotaProtocolVersion: 1.5.1
FramesCapable: 'Yes'
GLMSClientVendor: ''
GLMSClientVersion: ''
GLMSProtocolVersion: ''
GPSChipsetModel: '8650'
GPSChipsetVendor: Qualcomm
GamingCapable: 'Yes'
HardwareVersion: '1.0'
IMVideoCallingCapable: 'No'
IOTAProtocolVersion: N/A
ImageCapable: 'Yes'
InputCharSet:
- US-ASCII
- UTF-8
- ISO-8859-1
- ISO-10646-UCS-2
IntelligentSearchCapable: 'Yes'
JVMVersion:
- N/A
JavaAppletEnabled: 'Yes'
JavaEnabled: 'No'
JavaPlatform:
- N/A
JavaScriptEnabled: 'Yes'
Keyboard: TouchKeypad
LBSCapable: 'Yes'
MI-UICapable: ''
MI-UIVersion: ''
ManufacturerWiMAXRadioModule: SEQUANS
MobileOriginatedSmsSupport: 'Yes'
MobileTVORVODCapable: 'Yes'
Model: '9292'
ModelWiMAXRadioModule: SQN1210
MultimediaEncoder: Qualcomm Qcamcorder
MultimediaEncoderDisplaySize:
- '800x480 '
- '640x480 '
- '320x240 '
- '176x144 '
- 128x96
MultimediaEncodingSupport: ''
MultimediaFileFormatForDecoder:
- MPEG4
- 3GP
- 3G2
- AAC
- AMR
- MID
- MP3
- WMA
- WMV
MultimediaFileFormatForEncoder:
- MPEG4
- 3GP
- 3G2
MultimediaMaximumBitRateForEncoding: 5000 kbps
MultimediaMaximumBitRateForPlayback: 5000 kps
MultimediaMaximumBitRateForStreaming: 1200 kbps
MultimediaMaximumFrameRateForEncoding: 24 fps
MultimediaMaximumFrameRateForPlayback: 30 fps
MultimediaMaximumFrameRateForStreaming: '30 fps                '
MultimediaPlaybackSupport: ''
MultimediaPlayer: 'Yes'
MultimediaStreamingSupport: ''
MultimediaVideoDisplaySize:
- '800x480 '
NavigationSupport:
- Touch Screen
NumberOfSoftKeys: '0'
OMADMCapable: 'Yes'
OMADMVendor: SmithMicro
OMADMVersion: '2.0'
OSName: Android
OSVendor: QUALCOMM
OSVersion: QSD8650/Eclair
OnDemandCapable: ''
OnDemandVersion: ''
OutputCharSet:
- US-ASCII
- UTF-8
- ISO-8859-1
- ISO-10646-UCS-2
PictureMailSupport: 'Yes'
PixelAspectRatio: 1x1
PreferenceForFrames: 'Yes'
PssVersion: 3GPP-R6
Push-Accept:
- text/plain
Push-Accept-AppID:
- None
- None
Push-Accept-Encoding:
- base64
Push-MsgSize: '4096'
RDF: ''
RadioCapable: 'yes'
ScreenSize: 480x800
ScreenSizeChar: 25x21
SecuritySupport:
- SSL-3.0
- TLS-1.0
Seq:
- en-us
- es-us
SoftwareNumber: 3.26.651.6
SoundOutputCapable: 'Yes'
SprintMcdVersion: 3.5.4
StandardFontProportional: 'Yes'
SupportedApplications:
- Album
- Browser
- Calculator
- Calendar
- Camcorder
- Camera
- Dialer
- FlashLite Plug-in for Browser
- Footprints
- HTC Sync
- Lock Screen
- Mail
- Messages
- Microsoft Exchange ActiveSync
- Music (integrate with Ringto Trimmer)
- OOBE
- PDF Viewer
- People
- Quickoffice
- Settings
- Social Network
- Stocks
- Windows Media Streaming Player
- Teeter
- Voice Recorder
- Weather
- World Clock
- Amazon MP3
- Sprint Navigation
- Remote Diagnostic
- Sprint TV
- NFL
- NASCAR
- Voice Dialer
- Visual Voicemail
SupportedBearers:
- IS2000/rel0
TablesCapable: 'Yes'
TextInputCapable: 'Yes'
TotalDeviceFlash: 1GB ROM
TotalDeviceMemory: 512MB RAM
UpStreamBufferSize: None
VOIPAnalogJacks: ZERO
Vendor: HTC
VideoCodecsForDecoding:
- MPEG4 simple profile
- H.263 Profile 0
- H.264 Baseline
- Motion-JPEG
VideoCodecsForEncoding:
- MPEG4
- H263
VideoMailSupport: 'Yes'
VoiceChatCapable: 'Yes'
VoiceInputCapable: 'Yes'
WapDeviceClass: C
WapVersion: '2.0'
WmlDeckSize: ''
WmlVersion:
- None
XhtmlModules:
- Mobule-based XHTML W3C Recommendation
XhtmlVersion: XHTML-Basic/1.0
component: ''
type: None


After seeing all this information a few things came to mind. The first was not all the data was correct. For instance the OS version is wrong, The second was that it seems like a lot more information than should be shared by simply browsing a site. When browsing with a desktop/laptop/netbook you give up some information. For instance, the machine I'm using right now reports up that I'm using Linux on an x86_64 machine with the Chromium browser. Obviously, the phone gives up a lot more information. It states that (by default) the device has no antispam or antivirus. It also states the kinds of networks which can be used, versions of hardware components, hardware specs and even default installed applications (many which can not be removed). I don't know about you but this is more info than I like to give to sites I'm simply browsing. What if a vulnerability is found in one of those default apps which can be triggered via the browser or through downloads? What if the browser itself is vulnerable if it can decode certain formats? What if someone hard codes debug credentials in a certain software/firmware version? etc... It seems like this is a near perfect source of information for tailoring smart drive by exploits with.

If you want to look at other profiles see google search.


 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:        


Introducing A New Villain @ 2010-08-22 15:34:51.126464
Filed under: Comedy 


Ice cream in the future is terrifying!!
 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:  


Hey Mitch, Why?! @ 2010-08-11 15:38:32.878489
Filed under: Security  Frustration 
This image was sent to me some time ago by a friend. I gimped out some parts to keep this Mitch fella from having a problem. This was found right next to a phone that was open for usage. My biggest question (other than WHY?!?) is could he really not remember usernames and passwords which are variations on his name?!


 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:    


The Business Is A Customer? ... Information Security? @ 2010-08-07 14:43:00.537043
Filed under: Philosophy  Tech 
Before I start let me give you this warning: I'm tired, cranky and need a nap. I also badly need a shower. Now enjoy my mad rambling ...

Many companies have implemented or are implementing the ITIL Framework within their organization. That usually is a good thing. If done right it brings a common, repeatable process that can be done and tracked for accuracy. Of course, this also can be done wrong which creates gates and bottlenecks, process for process sake, overhead, confusion and special cases in the name of pragmatism .. but I'm not going to talk about that here. I do want to talk about a common idea that seems to tie back with ITIL in many cases and that is IT is the vendor, the business is the customer.

When one thinks of the business/customer relationship usually one simple aspect of it comes to mind. That one aspect is that the customer gets what the customer wants (aka the customer is always right). If the customer is not happy they will go somewhere else. If the customer can get it cheaper elsewhere they will go elsewhere. Generally this is a good thing. It means that there is competition and the lowest price with the highest quality product or service will keep driving other vendors to match or find related services to enhance their products. But how does this actually fit with Information Security within IT and it's greater Business unit(s)?

The short answer is it does not :-) (surprise!). In some ways ITIL attempts to remedy (no pun intended) this with ITIL Security Management which holds true to the CIA triad and requires that InfoSec have documented policies that the company follows (among other things). ITIL Security Management can work, but what about the customer, do they want this?

Here is where things break down in my opinion. When it comes to purchasing a product or service in the real world the burden and effects are on the customer. For instance, if someone buys a chainsaw it will give them a warnings about how they should use it (and how not to use it). The customer can still cut his leg off, but that is the customers fault, the vendor is not responsible nor is hurt by the action (yes, there are exceptions where legal action is taken against a company who didn't provide a disclaimer or warning ...). Using a service example, if someone takes a taxi, opens the door in transit and falls out it's not the taxis fault ... the customer did the action and suffers the burden and effects of the action. It's easy to look at the examples and say they are simple and don't apply ... everyone knows not to fall out of a moving car or take a chainsaw to the leg. It's common sense not to hurt yourself! One could says the same thing about opening up that PDF from an unknown sender too yet business users do this all of the time. This is where the first issue comes into play: The Customer (aka the business) believes they know how to use the tools properly and safely. Of course some can, but a good many of them can not and fall in the camp of being lucky (or pwned and unlucky enough not to know). So how does a traditional vendor tell their customer they are acting risky? If it is a product vendor they will more than likely send a notice or a fix to the customer to let them know there is an issue. They can use the fix or continue using the problematic product at their own risk. If it is a service vendor then sadly the answer is they don't unless it also puts the vendor at risk. If it does put the vendor at risk the action is to usually cut service or, at the very least, cripple the service in such a way that the customer can not cause any harm to the vendor.I don't know about you but I can't see that conversation going well if it's IT as the vendor and the Business as the customer ... unless it's so painfully obvious that someones great grandfather could understand is an issue the customer will get their way. Even if one takes the product route of things, the customer still must use said fix but in the case of a company failure to use the fix can be disastrous to everyone, not just them.

The second issue is that of process. I'm going to use an ITIL implementation as an example but this can be for any process. Let's say that someone from a large printing companies InfoSec group has found an issue. To make things simple, let's say it's a public issue found in Adobe software (there have been tons of them in the last year or so). The company in question gets PDF's from reporters, advertisers, managers, spammers, etc.. This means the the member of InfoSec needs to put in a change request to get the software updated to a safe patched version. Problem is, this will take some time. In fact, it may never get done as the customer may complain they don't have time for petty upgrades ... they have "real" work to do. Putting aside that "real" work probably means 30-40% of their day surfing Facebook and Twitter, this is obviously a problem. The customer does not want to take the small inconvenience to protect themselves and the company. If this is something that IT can do without the need to involve the users then the change will likely be held up in process while it goes through multiple approval layers by people who don't really understand the issue at hand (either way meaning the fix will be delayed increasing the time of vulnerability), which brings us to the third issue.

The third issue is that of the education of those who make the decisions. A good manager understands what his people do on a day to day basis. They also understand the basics of how they do it and what the results mean. They understand more than just 'this is bad' or 'this is good'. In terms of Information Security, simple concepts like data exfiltration or why cross-site scripting is a problem are a must just like understanding basic economics is needed for a manager of a finance department. The problem lies in that as you go up, the understanding of basic concepts goes down. This is not because the people get dumber as you go up (well, hopefully not :-)) but because they have a larger amount of information they should understand. The natural response is to understand all of it in such a shallow manor that you essential understand none of it. By the time you hit those who are actually approving changes basic concepts may seem like abstract tech talk or, even worse, unintelligible alien language (run far away if this is the case ...). Add in that pressure from the customer and politics at this layer and things get tougher. How can any InfoSec engineer work in a situation like that and be productive? By the time the update is approved there is a good chance there is already one or more updates to the same piece of software that need to be applied. Get ready to go through the explanation process again even if it is the exact same issue.

There are more reasons I'm sure. I've been thinking about this for months trying to find a good way that it could actually work and I'm at a total loss. The only way I can see IT InfoSec and Business Units working in unison is if they work together and not in a vendor/customer or master/slave relationship. It seems I'm not the only one with this thought. For instance, Ivar Jacobson has written about breaking out of Business as the Customer mentality.

The next time the business as the customer asks for this:


and you catch them doing this:


... either cry and plan the funeral or smile and bring dead fish to throw in with them.


 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:    


Terrified of Qik @ 2010-06-29 22:00:18.554564
Filed under: Personal  Tech 
For those who don't know what qik is, it's a mobile application for taking videos and uploading them to the net as well as a "live" stream service from your phone for people to watch. I put live in quotes as, since one would expect, there is a delay depending on bandwidth, processing and other factors (it seems to be between 10-20 seconds usually). It's quite an interesting idea and seems to work decently well. For many phones this is a downloadable app but for us Evo users it is preloaded an, without hackery, can not be removed. Of course, this is par for course when it comes to bundled apps, but it's still no excuse as to why the practice is still done.

Anyway, I've noticed quite a few odd videos showing up online through qik. Now, a lot of these videos show up in the recent videso section and then disappear off the site 15-60 minutes later. Some you really can't tell WTF is going on (like in this). While others seem like accidental recordings. Take this video for instance. A few seconds of a steering wheel while you drive? Kind of odd. Or this and this ... odd as one usually tries to record something when they record. This is a guy telling someone else how to use it as he reads the instructions on his phone. How about this one which is in someones bag or purse. Then, just for fun, take Monk's sarcastic didn't mean to record video.

While some of the videos are just odd I tend to think a number of them were accidental. Why would you record 15 seconds of your phone moving around in your bag? Why record nothing but a few random words and no image? Why else would the videos have default names such as "A qik snippet of my life"? Have I convinced you at least some portion of these were accidental recordings? Good. We can move to the next step ...

Where do people use their smart phones? At the airport? Yes. Walking down a hall? Of course. At a restaurant? Sure ... but let's think of where else many people use their phones ... the bathroom. Now before you start running off stating that no one does that or you don't do that just think about it. Not much else to do but read or get that phone out and be productive! If you go into (almost) any decently sized company and hang out in the stalls you will end up hearing the beeping, keyboard/feedback clicks and alerts from smart phones (assuming you don't get kicked out for being creepy).

One more thing before we bring this all together. Having a forward facing and a rear facing camera is common on this new generation of phones. Both cameras tend to be at least webcam quality if not much better. For instance, the rear facing camera on my EVO is amazing while the forward facing one is in the better than average similar to iPhone range.

So here it is, why I'm terrified of Qik: With Qik and the ease of accidental recordings it is quite possible that one could record themselves in the bathroom and have it uploaded to the net for everyone to watch without the user realizing it for 15-60 minutes (which is my very unscientific estimate for how long it takes someone to tell someone else they posted a recording they don't think was meant to be posted). This is very close to the dream many people have when younger: going to school naked. Sure, in this case you are not naked, but everyone gets to see you in a bit of a compromising position. To make it worse, there is an automatic "good job" post that happens on some videos as if to encourage you to make more ... if you accidentally posted yourself in the bathroom and were told good job .... yeah.

So I leave you with the closest video to what I've described. No, this person is not in the bathroom but it kind of seems like how the video would end up looking:



EDIT
I lied ... this one is closer (but done on purpose) and kind of creepy:


 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:    


iPhone4 vs HTC Evo or She Doesn't Care @ 2010-06-29 09:59:43.261656
Filed under: Philosophy  Comedy  Tech 
Warning: Strong Language


 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:      


I Am No Longer F**kn' Up @ 2010-06-26 18:09:49.637923
Filed under: Linux  Tech 
After waiting what seemed like forever I was able to finally get an HTC EVO. Unless you wear iBlinders (seen below) you have heard of the HTC Evo. It wasn't very long ago that I found out I was "f**ckn' up" but not having one (see this). I am proud to say that is no longer the case!


iBlinders(R)(TM)(Patent No 1234567)


So here is the deal. About a week and a half ago I finally put myself on the Evo waiting list at the local Sprint store. I was told there was about 50 people in front of me. I went online to look to see if I could order direct from Sprint but they stopped taking orders until they could fulfill the current back orders (or so the graphic seemed to indicate). The only place I could find selling Evo's were Amazon and brick-and-mortar Sprint stores. Just to be safe I put in an order on Amazon -- it would take about 2 weeks to fulfill and I figured if one came through I should be able to cancel the other one.

Fast forward to today. I decided (on a whim ... I think) to drop in to the Sprint store and find out where I was on the waiting list. The friendly fellow behind the podium stated there was no more waiting list. Hmmm ... I thought about that for about 5 seconds and then responded saying that I never received a call over the last week and a half. He then informed me that if I could just hang out for a bit they could hook me up with one as 5 showed up not much sooner before I dropped in.

I stood awkwardly at the back of the store hoping that this would not turn out to be a mistake. I then saw a manager like fellow walk out of the back with an Evo box and take it to the guy who was behind the podium (now at a register helping a lady). I watched as he started to ring her up for an Evo when he called the manager back over and pointed at me.

Podium Guy: That guy over there is waiting on one too. He said he was on the waiting list but didn't get a call.
Manager: He is wrong. Everyone was called.
Podium Guy: Well, he didn't get a call.
Manager: Then he wasn't on the list

I started to get a bit frustrated. I was on the list ... or at least I was told I was on the list when I stopped in during my lunch break a week and a half ago. I stood there thinking that maybe I would have to fall back on my Amazon order and wait another 5 days before I would get my hands on the device.

The manager came back out from the bowels of the store (or maybe the left arm, it's hard to tell) and called me over. He asked me if I was waiting for an Evo and I told him that I was and that I stopped by a week and a half ago and got on the list but didn't get a call. His response was a friendly "If you were on the list, you got a call already and if you don't pick up then we take you off the list." I thought about arguing that point. I have a phone. It keeps track of who called me. They are Sprint. They can see who called me. I didn't get a call. I decided instead of getting upset I would give him a nugget of information so he knows I'm not trying to MBA (like BSing but being an elitist too) him out of a phone. I told him that I had come in a week and a half ago and was told there was about 50 people ahead of me on the list and that it was first come first serve. I also told him that the guy who took my reservation wrote my information down on a yellow legal pad and I'm not sure if that was the official list or a temporary one. I'm assuming something I said in there clicked with him because he told me not to go anywhere and he would go pull one of the last two out of the back for me ... and within minutes I was in process of getting my plan moved over for the new phone.

I've only spent about 30 minutes with the phone so far, but I am impressed. While the UI is not as polished as the Palm Pre, it is a very fast phone with a ton of options and abilities. It's also got some impressive hardware!! So far the only semi-negative experience I've had would be in getting the phone ... but then again I can't complain, I didn't get iPhone'd (or -- waiting hours if not days in attempts to get the hardware you preordered a month ago to work and then hopefully just work after that).
 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:    


Python RPM Specs Needing a Loving Home @ 2010-06-22 16:37:30.688423
Filed under: Linux  Code  Tech  Fedora  Python 
I found myself in need of some (currently) unpackaged python libraries and tools so I decided to do some quick packaging. If you are using these libraries (or want to) on a Fedora, RHEL or CentOS system and want to start packaging in Fedora then one of these could be an easy jumping in package. Note that they are not perfect so they still need a bit of love before getting them approved but it's (slightly) easier than starting from scratch!

django-picklefield.spec: provides an implementation of a pickled object field
python-amqplib.spec: Client library for AMQP
python-anyjson.spec: Wraps the best available JSON implementation available in a common interface
python-billiard.spec: Multiprocessing Pool Extensions
python-carrot.spec: AMQP Messaging Framework for Python
python-importlib.spec: Backport of importlib.import_module() from Python 2.7
python-celery.spec: task queue/job queue based on distributed message passing (requires all of the above)

 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:          


Why I Am Buying An HTC Evo @ 2010-06-16 16:55:05.879065
Filed under: Comedy  Tech 
The most obvious answer is that it looks great. A friend of mine (monk) got his late last week and just being around the device makes me want it more. Even with the awesome factor and gadget peer pressure there was still a slim possibility that I could pass on it and wait .... but then I watched a review the solidified it for me. The review is actually good but one specific section was what told me I need to buy it: 9m11s to 9m21s.



So let me break this down ,,,
"If you are a dude ..." Yes! I am a dude!
"... walking around ..." Yes! I do walk!
"... with a bunch of phones and electronics and all that ..." Yes! I carry phones and electronics!
"... and you got Sprint ..." Correct! I do have Sprint!
"... and you don't got this ..." Right! I do not have an HTC Evo!
"... your f*ckn' up ..." NO! I don't want to do that!!!!

Evo here I come!!

(Seriously though, the review is pretty good. Check it out)


 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:    


Changelog Format @ 2010-06-14 22:06:54.198506
Filed under: Code  Tech  Frustration  Fedora 
This has been bugging me fore a while. Many projects and products have a changelog. It's great! We can see in a file what changes have been made from release 1 to release 2. Wouldn't it be great to watch an upstream changelog file and use something like Buildbot that would trigger a build on a new release. Then my brain started working. It told me that humans are much better at parsing information provided in different textual formats or markups. Let me explain ....

Let's take a look at the victims project. Even though victims doesn't have a special changelog, we will follow the general scm changelog information. Victims has a changelog like so:

2010-05-20  Steve 'Ashcrow' Milner  

        * setup.py:
        added archivers module to the setup script
        [4cd8f0133b44] [tip]

2010-05-18  Steve 'Ashcrow' Milner  

        * README, src/victims/__init__.py, src/victims/archivers/__init__.py:
        rpm is now listed as a useable archive closing #8
        [e71ad437f9f4]


Based off this information we can easily create a parser! We care about the date, author/email, description and the release (tag). Through the magic of a little bit of regex the following works decent enough ... 

(\d{4}-\d{2}-\d{2})  (.*)  <(.*)>\n\n.*:\n[ ]*(.*)\n[ ]*(.*)


Now we can parse changelogs! Yay! Oh, but then our brain explodes in fear since this is not the only project out there. Surely everyone uses the same format! Let's use nmap as a second project example.

# Nmap Changelog ($Id: CHANGELOG 18109 2010-06-14 18:48:07Z drazen $); -*-text-*-

o [NSE] Added additional vulnerability checks to smb-check-vulns.nse. These checks
  are intrusive and have MS06-025, MS07-029 designations.
  
o [NSE] Added dns-cache-snoop.nse by Eugene Alexeev. This script does
  cache snooping by either sending non-recursive queries or by measuring
  response times.


Well that isn't so bad! With a little regex we could ... wait ... if I have to do this twice with two different projects am I going to need to do this many, many more times before I create Skynet^H^H^H^H^H^Han uber parser smart enough to figure out what accent, dialect, markup, etc.. a changelog may be in? It sure seems that way!

This is when another thought entered by brain (TWO IN ONE DAY!!!): Surely someone else has thought of this. There must be a commonly used format that shares this information for easy inclusion. As it turns out, I could only find one format for this and it doesn't exactly match. The project I'm talking about is doap. While the project does seem interesting, it seems to focus more so on information about a project and it's services and not so much about project releases and changes that have happened between those releases.

Long story long .... am I out of luck? Is there not a format in the works to deal with release information such as this in an open way? If there really isn't, is anyone interested in creating a format? It seems to me that this would be quite useful for package maintainers, system administrators and developers. Hit me up on identi.ca or twitter if you know or a format or want to chat about what one would look like.
 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:        


Apple Fan's Everywhere React To The New iPhone @ 2010-06-11 10:25:15.683228
Filed under: Comedy  Tech 

 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:    


Updated Mercurial Config @ 2010-06-03 20:02:01.496252
Filed under: Code  Tech 
I've really taken a liking to using Mercurial for version control. I figured it was about time to post my updated personal config (~/.hgrc)! 

[ui]
username = Steve 'Ashcrow' Milner 
editor = vim

[extensions]
hgext.convert =
hgext.graphlog =
hgext.gpg =
hgext.schemes =
hgext.patchbomb =
color =
mq =
bookmarks =
pager =
inotify =
rebase =

[pager]
pager = less -R

[diff]
git = True

[alias]
blame = annotate -uln

[smtp]
# removed ;-)

 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:    


Hello Guruplug You Jerk @ 2010-05-17 23:16:53.858363
Filed under: Linux  Tech  Frustration 
So you bought a Guruplug. You've waited and waited and now it's at your front door taunting you. You rip open the packaging and find a place in your networking closet to plug it in. Ethernet cord plugged in you plug the Guruplug in and watch your router logs. Nothing. Restart the plug and watch logs. Nothing. Change ethernet ports, reboot and watch logs. Nothing. Nothing. Nothing. ARRGGGG!

Don't fear -- here is some help. Before I start please note most of this information came from the forums at plugcomputer.org. Also note I am tired and cranky.

First, unplug the Guruplug and unplug the ethernet cord from the device. Before an ethernet connection will work you will need to ensure that your router/switch is 10/100 and not a gigabit router/switch. This may seem odd but many people have found plugging into gigabit devices (even those which can sense and fail downwards) causes the Guruplug to plainly not work. Go find an old router/switch and patch it in to your modern gigabit switch and then plug the guru plug in through there. While it shouldn't matter (at least I don't *think* it should matter) which ethernet jack you use note I have only tested it with the top one (the one closest to the logo and lights).

Lookie there! You see the Guruplug in your router logs now with an IP address. Great! ssh on over with the root user and the default password of nosoup4u (yeah -- really, that is it). Before you do anything else, STOP! Do you need the wifi device running? Anyone is able to join the network and use your connection! Even if you are going to be using the wifi in the Guruplug in your project you probably do not need it running at this point, so let's turn it off temporarily by running "uaputl sys_cfg_radio_ctl off". Use your desktop/laptop and check to make sure that you can no longer see the GuruPlug SSID (it may take a minute or two you to see). If you know you are not going to be using the Wifi for a while you can turn it off by editing /root/init_setup.sh and comment out everything from "rm -f /etc/wlanclient.mode" up to and including "/usr/bin/uaputl bss_start". The file should now look like this: 

# We always bootup in AP mode. Delete any stale files
#rm -f /etc/wlanclient.mode
#SSID=Plug2-uAP-`ifconfig eth0 | awk -F ":" '/HWaddr/ {print $6$7}'`
#
#insmod /root/uap8xxx.ko
#ifconfig uap0 192.168.1.1 up
#/usr/bin/uaputl sys_cfg_ssid $SSID
#/usr/bin/uaputl bss_start
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/udhcpd start
/etc/init.d/dnsmasq start
iptables -A INPUT -i uap0 -p tcp -m tcp --dport 80 -j ACCEPT

# Re-enable bluetooth. In the earlier case, it didn't find the firmware.
#rmmod libertas_sdio libertas btmrvl_sdio btmrvl bluetooth 2>/dev/null
rmmod btmrvl_sdio btmrvl
/etc/init.d/bluetooth start

modprobe btmrvl_sdio
hciconfig hci0 up
hciconfig hci0 piscan
/usr/bin/mute-agent &

# Set leds
echo 1 > `eval ls /sys/class/leds/*plug*\:green\:health/brightness`
echo 1 > `eval ls /sys/class/leds/*plug*\:green\:wmode/brightness`
Now let's get that root password changed! We don't want someone iPhoning us! All you need to do is run "passwd". You will be prompted for your new password two times. Now the root password is no longer nosoup4u, it is what you just set it to. Don't forget it.

As any good engineer you just tried to update the system (you are a good engineer aren't you?). The problem here is that, well, it didn't work. 

Err http://10.82.108.51 binary/ Release.gpg    
  Could not connect to 10.82.108.51:80 (10.82.108.51). - connect (110 Connection timed out)
Err http://10.82.108.51 binary/ Translation-en_US
  Could not connect to 10.82.108.51:80 (10.82.108.51). - connect (110 Connection timed out)
Ign http://10.82.108.51 binary/ Release        
Ign http://10.82.108.51 binary/ Packages/DiffIndex
Ign http://10.82.108.51 binary/ Packages       
Err http://10.82.108.51 binary/ Packages       
  Could not connect to 10.82.108.51:80 (10.82.108.51). - connect (110 Connection timed out)
W: Failed to fetch http://10.82.108.51/kedars/sheevaplug_wifi/builds/packages/binary/Release.gpg  
Could not connect to 10.82.108.51:80 (10.82.108.51). - connect (110 Connection timed out)

W: Failed to fetch http://10.82.108.51/kedars/sheevaplug_wifi/builds/packages/binary/en_US.gz 
 Could not connect to 10.82.108.51:80 (10.82.108.51). - connect (110 Connection timed out)

W: Failed to fetch http://10.82.108.51/kedars/sheevaplug_wifi/builds/packages/binary/Packages  
Could not connect to 10.82.108.51:80 (10.82.108.51). - connect (110 Connection timed out)

E: Some index files failed to download, they have been ignored, or old ones used instead.
E: dpkg was interrupted, you must manually run 'dpkg --configure -a' to correct the problem.
As the error states, go ahead and run "dpkg --configure -a". Then edit /etc/apt/sources.list and comment out the silly internal to the manufacturers network IP address so the file looks like this: 

deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb http://http.us.debian.org/debian stable main contrib non-free
deb http://security.debian.org lenny/updates main contrib non-free
deb http://www.backports.org/debian lenny-backports main contrib non-free
#deb http://10.82.108.51/kedars/sheevaplug_wifi/builds/packages/ binary/
Now run "apt-get update && apt-get upgrade" to get that system updated. This will take a bit of time. While that runs go learn about Mentally Ill Gangsters


OK, now we see all those stupid messages saying we are getting stuff from the future. That is cool and all but we don't need to hear about time traveling code over and over. Let's fix it using date. You will need to run date like so 'date -s "+Mon May 17 22:50:00 EST 2010"'. Now you will need to really set the timezone (assuming you are not in UTC). To do this replacing EST with your correct timzeone: "cd /etc/; mv localtime localtime.old; ln -s /usr/share/zoneinfo/EST localtime".

Now is the moment of truth. Reboot the plug by running "reboot". It will probably come back up with the same IP address (punch a tree in the face), but if you can't get to the plug check your routers logs to see if it got assigned another address. Everything should be great and you should be off to the races. YES DICE! Now I need sleep. I have no more caffeine powering my madness.
 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:      


victims demo @ 2010-05-09 00:39:40
Filed under: Code  Tech  Security 

 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:      


python-dulwich spec file @ 2010-04-16 20:39:42
Filed under: Linux  Tech  Fedora  Python 
I was looking at Anyvc when I couldn't seem to find a dulwich package in Fedora. I threw together a spec file so I could test out anyvc (it's pretty cool by the way). I don't intend to maintain a dulwich package since I use Mecurial most of the time these days. Nothing against Git, I still like it!

If you are interested and taking the spec and running with it as a maintainer you can find it here.
 digg it   seed it   del.icio.us   ma.gnolia
Comments: 0 Tags:        


 
A Django joint.
© 2007-2009 Steve 'Ashcrow' Milner | Studio7designs | Arbutus Photography