Man! I have totally neglected this blog. I will try to start back up. I have a lot of projects that I have been working on and will start to post about them. Hopefully I can get back to this and add some good content. *fingers crossed*

This Feb. 14th I had off for Presidents Day (happened to also be Valentines Day). Luckily I have a wonderful wife and she let me run off to San Fransisco to attend B-Sides San Fransisco.

Unfortunately, on my way there the traffic on the bridge took longer than I had planned and I missed the first talk.

The next talk in track 2 was Selling Security Without Selling Your Soul given by Aaron Cohen. It was a good talk with some very humorous videos.

We then broke for lunch. Free pizza and beer!

The next talk that I saw was Security Domination via Hard Drive Isolation given by Gal Shpantzer. This was a very interesting talk about securing the communication between an offsite computer to an internal network. Gal mentioned various options a company has to connect from a home computer to an internal network. These are: VPN (horrible security), deploy strictly regulated company laptops (not cost effective), set up a safe virtual environment (still unsafe if the host pc is pwned), and boot directly to a custom OS on removable media (this is the method chosen for the talk). Gal spoke of the benefits of using a bootable usb as the media of choice. With a USB the OS, certificates, encryption, etc. can be updated (not so with a burned CD). With the usb encrypted it is safe if misplaced, as any finder of the usb key would not be able to use it without the encryption code. An employer has many options as to how secure they need the connection, how durable the usb key needs to be, how covert the drive needs to be, etc.
Though I do not need ultra secure access to my work network, I would like to implement some of the ideas of the talk. I need to start using a separate OS for logging into my bank account, home mortgage site, etc.

Post Attack: Working with Law Enforcement by Nick Selby was the next talk that I saw. This was a wonderful talk to sit in on, as I will explain. The beginning of the talk was spent discussing how the infosec community can help out law enforcement by speaking their language. LE does not understand digital theft. It needs to be proven that a law was broken. Once that is done their hand is forced to help. But what can they do?
LE does not have the capability to investigate a digital crime. The FBI do, but they cannot be bothered by small time theft. So where does that leave the organization? They can try to solve the problem internally if they have the staff, but that usually does not result in a conviction. A member of the audience actually mentioned that her company was breached and lost $40,000. They investigated internally and were able to find enough information to pursue a case against someone. Unfortunately for them the case is on it’s seventh year in trial and does not look like it will end soon.
This is where the talk became interesting for me. At the heart of the matter was that there is no one to turn to when a company is breached. The police do not have the resources and the FBI only take high profile cases.
Nick Selby proposed that there needs to be an organization formed to fill this gap. He wants to help organize a non-profit group of LE, detectives, infosec, etc. to give organizations a place to turn if they need help. He stressed the need for members to be “bilingual”: to be trained and knowledgeable in LE and information security. This would help bridge the gap between the two realms.
I always thought there was a tech department available to investigate computer crimes. Unfortunately, I was wrong.
I hope that Nick Selby can create the team necessary to help the organizations and people who need them.
Though I don’t have the necessary training in either field I will keep an eye on this and contribute in any way I can.

The fourth talk that I saw (fifth talk of the day) was How to Attack Windows Kernel given by Song Liu. The talk was interesting, albeit difficult to understand. Song Liu’s accent was difficult to get through, and the sound was a bit low. What I gathered from the talk was that Song Liu found an exploit in the Windows Kernel by manipulating the TCP/IP stack. By sending malformed TCP/IP headers he said that he was able to get windows to crash. This sounds very interesting and I would love to attempt to recreate the scenario. I probably don’t have the knowledge to do this but at the very least I am learning more about the TCP/IP stack while I try.

The last talk for me (there was one more but I had a long drive home ahead of me) was Cloud Security Realities by David Mortman. This was a fun talk to sit in on as it was more of a conversation, with everyone in the talk able to ask questions and bring up points. The talk varied in many directions but the main point was that a company needs to weigh the needs, costs, and security involved in adding a cloud service to their network. The “Cloud” Solution may not work the same for every situation or company. The service may need to be certified pci compliant in order to work in some cases, for example.
Another reason the talk was fun was that anyone with a good question or comment received a slice of bread that David Mortman’s father baked.

As I mentioned above, I left BSidesSF as the last talk started so that I could start the long ride home. All in all I had a wonderful time at B-Sides San Francisco. I feel that I learned a lot and I want to continue to dive deeper into the infosec community. I hope to get to know the other attendees and mingle more at the next conference.

If anyone is interested in mentoring an aspiring infosec member please contact me.

I recently ran apt-get dist-upgrade on my Debian testing box. Upon reboot I found that VLC would play videos squished about 30% horizontaly and shoved to the left.

There seems to be a problem with some libraries in the Multimedia repo. This thread gives the fix that worked for me http://www.mail-archive.com/debian-user@lists.debian.org/msg575710.html

Here are my steps:

nano /etc/apt/sources.list

Comment out all Multimedia repos

aptitude update
aptitude purge vlc
apt-cache policy libavcodec52

aptitude install libav{codec52,device52,filter0,format52,util49,postproc51}=version from above command ffmpeg=version from above command libswscale0=version from above command

aptitude install vlc

VLC is back to normal.ūüôā

I’ve been looking around this week for a command line mail client for my N810, but I didn’t want to install procmail, sendmail, etc. to get it going. I narrowed my search down to xmail and mutt. The best solution I found was setting up mutt to use your gmail with smtp. I also found a guide for porting mutt to the N810 ÔĽŅÔĽŅÔĽŅÔĽŅhere. The guide was for mutt-1.5.18, but the newest version is 1.5.20. So I decided to follow the guide for the newest version. I did have an issue after installing mutt and found that I needed to install ncurses-base.

sudo gainroot
apt-get install ncurses-base

I now have mutt running on my N810!

After playing with it awhile I found I was getting an error when I tried to run mutt in “interactive mode”. I received the error: “Interactive SMTP authentication not supported”

I did some searching and found there was a bug: ÔĽŅhttp://bugs.mutt.org/trac/ticket/3289

It says the bug is fixed by using a variable call, but I didn’t quite get it working. I decided to just go back to version 1.5.18 and it worked without any issues.

Now I need to work on my script. Here is all I have so far.

mutt -x -s test -i testfile -- myemail@gmail.com < /dev/null

Here is my .muttrc file that I slapped together from various websites:
Replace yourgmailusername with your gmail user name, yourgmailpassword with your gmail password, and yourname with your name.

set from = "yourgmailusername@gmail.com"
set realname = "yourname"
set imap_user = "yourgmailusername@gmail.com"
set imap_pass = "yourgmailpassword"
set folder = "imaps://imap.gmail.com:993"
set spoolfile = "+[Gmail]/Drafts"
set message_cachedir =~/.mutt/cache/bodies
set certificate_file =~/.mutt/certificates
set smtp_url = "smtp://yourgmailusername@smtp.gmail.com:587/"
set smtp_pass = "yourgmailpassword"
bind editor noop
macro index gi " =INBOX" "Go to inbox"
macro index ga " =[Gmail]/All Mail" "Go to all mail"
macro index gs " =[Gmail]/Sent Mail" "Go to Sent Mail"
macro index gd " =[Gmail]/Drafts" "Go to drafts"
set move = no #Stop asking to "move read messages to mbox"!
set imap_keepalive = 900

Geektool Identica geeklet

I’ve been playing around with Geektool on my work MacBook, and I think it is a really great tool. It add a prefPane to your System Preferences that allows you to place “widgets” (called Geeklets) on your desktop. The three options to choose from are files, pictures, or shell. As a bash geek, I’ve created all sorts of shell scripts all over my desktop. Here is one of my favorites.

View identica friends list in bash

I have a proxy at work and no proxy at home, so I have a ProxySet variable to check that so I can use the proxy settings in curl if I need to. This will only work on osx. I am working on a linux script for home, I’ll post that when it is done. If you don’t need to check your proxy or are going to use this on linux just edit the proxy stuff out and it should work.

Also you will need to change the http link that curl grabs. My user name is cghouly (follow me for updates) so you will need to change that to your username in the script.


ProxySet=`system_profiler SPNetworkDataType | grep "HTTP Proxy Enabled: Yes"`
if [ "$ProxySet" != "" ]
then
ProxyAddress=`system_profiler SPNetworkDataType | grep "HTTP Proxy Server" | awk '{print $4}' | head -1`
ProxyPort=`system_profiler SPNetworkDataType | grep "HTTP Proxy Port" | awk '{print $4}' | head -1`
curl -s -x "$ProxyAddress":"$ProxyPort" http://identi.ca/api/statuses/friends_timeline/cghouly.rss > /tmp/identica.rss
else
curl -s http://identi.ca/api/statuses/friends_timeline/cghouly.rss > /tmp/identica.rss
fi
grep "" /tmp/identica.rss | sed -e 's/<[^>]*>//g'

This is a simple script and I don’t claim to be the best at bash code, but it works for what I wanted. Let me know if it works for you.

I just recently re-flashed my Nokia N810. I re-installed qtwitter but had some issues. I realized that there were some problems with the original deb that I created. I have fixed the issue and created a new deb file. It should be updated soon. If you have installed the old deb file, uninstall qtwitter and install from the new deb.

Note: I did have one issue when I installed the program. Here is the error:

Process 9774: D-Bus library appears to be incorrectly set up; failed to read machine uuid: Failed to open "/var/lib/dbus/machine-id": No such file or directory
See the manual page for dbus-uuidgen to correct this issue.
D-Bus not built with -rdynamic so unable to print a backtrace
Aborted

If you get this error here is the fix:

dbus-uuidgen > /var/lib/dbus/machine-id

Restart the app and you should be good to go.

That’s it for now, Happy Hacking!

Finally, I have done it!

qTwitter has been ported over for Maemo. It has been compiled and tested on diablo on my N810. I do not know if it will work on older versions of Maemo.

Requirements

  • Qt4
  • QOAuth
  • QCA
  • QCA-OSSL plugin

Download

You can also go directly to qt-app.org to download the debs.

These are all straight ports of each source. I have not changed any of the source code.

Please let me know if there are any changes specific to maemo that you would like to see.

You can also post bugs or feature requests at:

http://ayoy.lighthouseapp.com/projects/27230-qtwitter/tickets?q=all

Many thanks to Dominik Kapusta for all his help, and for a great app. You can find qTwitter source code and packages for other operating systems at Qt-Apps.org.

Check out my earlier posts for more info here and here.

I have been learning a lot about my wonderful N810 as I have been working on getting qTwitter ported over to maemo.

I want to log my progress as I learn, and hopefully I can learn from my mistakes. Please feel free to comment and help me on my journey. This is the first time I have done anything like this so please be kind.

In my original post I mentioned that I used a guide to package all of the created files into one deb with

dpkg-deb -b qtwitter

This deb worked on my N810 but I want to share the deb and realized that I need to separate each package into its own deb file. qTwitter depends on QOAuth, QOAuth depends on QCA and QCA-OSSL plugin. That’s four separate packages, not the one that I created.

Back to the Scratchbox.

I had a few brainstorms and decided to package the debs according to the maemo guide.

Here are the commands I used:

export DEBFULLNAME="First Lastname"
dh_make -e email@address.com -c gpl --createorig
dpkg-buildpackage -rfakeroot

(I filled in italics with the appropriate information of course)

I did have some errors during the build and had to change the debian/rules file.

./configure
#./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info CFLAGS="$(CFLAGS)" LDFLAGS="-Wl,-z,defs"

Once that line was changed the deb was created, but I notice another problem. The debs were practically empty.

[sbox-DIABLO_ARMEL: ~/qtwitter/qtwitter-0.10.0] > dpkg --contents ../qtwitter_0.10.0-1_armel.deb
drwxr-xr-x root/root         0 2009-11-16 10:16:34 ./
drwxr-xr-x root/root         0 2009-11-16 10:16:28 ./usr/
drwxr-xr-x root/root         0 2009-11-16 10:16:26 ./usr/sbin/
drwxr-xr-x root/root         0 2009-11-16 10:16:25 ./usr/bin/
drwxr-xr-x root/root         0 2009-11-16 10:16:28 ./usr/share/
drwxr-xr-x root/root         0 2009-11-16 10:16:28 ./usr/share/doc/
drwxr-xr-x root/root         0 2009-11-16 10:16:32 ./usr/share/doc/qtwitter/
-rw-r--r-- root/root       193 2009-11-14 21:52:46 ./usr/share/doc/qtwitter/changelog.Debian.gz
-rw-r--r-- root/root      1549 2009-10-28 18:35:52 ./usr/share/doc/qtwitter/README
-rw-r--r-- root/root       177 2009-11-14 21:52:46 ./usr/share/doc/qtwitter/README.Debian
-rw-r--r-- root/root       356 2009-10-28 18:35:51 ./usr/share/doc/qtwitter/changelog.gz
-rw-r--r-- root/root      1331 2009-11-14 23:04:16 ./usr/share/doc/qtwitter/copyright

I noticed in debian/rules this line:

# Add here commands to install the package into debian/qtwitter.
$(MAKE) DESTDIR=$(CURDIR)/debian/qtwitter install

Even with the DESTDIR set, I realized that the files were not getting installed into that folder. This is the folder that the deb is created from and the reason that my debs are empty.

My Solution

I still had the build tree from the first deb that I created. I just separated them into folders representing the four packages and stored them in the folder qtwitter-build.

[sbox-DIABLO_ARMEL: ~/qtwitter/qtwitter-0.10.0] > ls ~/qtwitter-build/*
/home/maemo/qtwitter-build/qca-2.0.2:
debian  usr

/home/maemo/qtwitter-build/qca-ossl-2.0.0-beta3:
debian  usr

/home/maemo/qtwitter-build/qoauth-1.0:
debian  usr

/home/maemo/qtwitter-build/qtwitter-0.10.0:
debian  usr

I then added two commands to the debian/rules file under the $(MAKE) command:

rm -r /home/maemo/qtwitter/qtwitter-0.10.0/debian/qtwitter/usr
cp -r /home/maemo/qtwitter-build/qtwitter-0.10.0/usr /home/maemo/qtwitter/qtwitter-0.10.0/debian/qtwitter

This is a very ugly hack and I know there has to be a better way. Please let me know if you have a better solution.

Testing

I have tested the new deb packages on my N810 and the all install properly and qTwitter is still working. I will post the link to the debs when they are up.

I’ve been sick this week so I’ll keep this post short.

Hacking

Create a full MIDI Drumset with Guitar Hero and Rock Band Drums

I’ve always wanted to get an electronic drum set. Must be some deep desire to play in an industrial thrash band.

Create a font from your own handwriting

How cool is this?

Art

Flame Gate

If I saw this in the woods, I think I'd walk toward the light.

CARDBOARD a cardboard animation!

Music

Grooveshark

This is what I believe the future of music is going towards. Grooveshark is a site were you can look up artists and make playlists just as if they were locally stored on your computer. This is similar to the popular music sites such as Last.fm and Pandora, but with Grooveshare you pick each and every song that you want to hear. You don’t rely on the sites algorithm to choose a song that you might like. Last.fm and Pandora are great music discovery tools, but for just listening to music that I want to hear, Grooveshark in my new favorite site.

Stereo8

This is an internet radio station were you can vote on the songs that are played. Interesting concept, with sites like Digg and Reddit getting very popular, you would think that this would be a great idea. Personally I don’t see the point. There are plenty of music sites were I can pick the music I want to listen to. Why should I have to be at the mercy of what the masses choose. If I wanted that I would start listening to the crappy radio stations.

8 Best Ways to Share ‚ÄėMix Tapes‚Äô

Speaking of music, here is a Wired article that has a lot of information on music sites. I am still checking out the first few. Some are new to me and some I need to check out again. If you want to discover new music then check out the article.

Halloween Costume

The 8-Bit Low-Res Make-Up Is High-Res Clever

Halloween has come and gone this yea and the photos are up. This is definitely my favorite.

Low Resolution by Kindacarsick

Black Friday

It’s November and sooner that you’d like it will be Nov 27th: Black Friday. To help prepare, why not start looking through those sale ads now. Here are some links I’ve come across of leaked Black Friday Ads.

Kmart [pdf], Sears [pdf], Lowes, Old Navy [pdf], Harbor Freight [pdf], Toys R Us [pdf],

Office Max asked for there ad to be taken down, but there is a list of items and prices at Gizmodo.

via [bfads, TheBlackFriday.com, and Gizmodo]

Internet News

Internet Finally Getting Non-Latin Domain Names

The address bar at the top of your browser is filled with latin characters. Those who use the latin alphabet, we haven’t thought twice about this. But if you live in a country with a non-latin alphabet then you had to learn new characters to type in a web address. This is going to change soon, as ICANN (the group that decides on ip and addressing regulations) has decided to use native characters in the address.

If this doesn’t make sense, check out this video

Google Making search more musical

Google has partnered with MySpace (which just acquired iLike) and Lala to give you music results when you search for a song, band, or album title. The first results will have links to play the song. There will also be links to purchase the song/album directly through MySpace or Lala services. There will also be links to music discovery sites such as,  Pandora, imeem and Rhapsody.

I tried out the service on their demo site, before the release date, and it looked good. Though I am unable to get any of the same results on my searches today. The demo is down today, and I do not see the results in my regular google searches. I am not sure if I’m missing something or if the service isn’t fully released yet. ???

Google Onebox Demo Fail

Google Onebox Fail

MySpace Adds Full Music Video Archives, Deep Artist Analytics

MySpace as a social site seems to continue dying but they are doing some interesting things. Their purchase of iLike seems to have worked out for them (see above post).

I’ve always wanted a video music player so that I can have a video playlist. If that feature is there I may actually use MySpace.

Web Games

Steakhouse or Gay Bar

A local rock radio station plays this game. You just guess if the name of an establishment is for a Steakhouse or a Gay Bar. Sounds simple but it’s amazingly difficult.

Internet Baby

Woman to Stream Her Child’s Birth Live on the Web

You can find just about anything you want on the web. Now you can watch a live birth. A truly amazing event, but live streaming it? Really? I guess it was just a matter of time…

Actually, this isn’t the first time.

Internet TV

BBC Planning To Launch Global iPlayer VOD Service

I am so excited about this. I watch almost all my shows online now and about 1/3 of those shows are from the BBC. It’s always been a pain to find the shows or wrestle with proxies to watch them. I can’t wait to watch the new season of Dr. Who.

Automobile Accesories

AIDA is the love child of your GPS Device and EVE (from Wal-E).

via [Gizmodo]

Arm Accesories

UIST’09: Enabling Always-Available Input with Muscle-Computer Interfaces

Look Ma’ no hands!

Improved arm mounted flame thrower

Hadouken!