Hacking is Bullshit

I love hacking.  I love vulnerability research.  I love software exploitation.  I love finding creative ways to subvert control of an application or system to make it do something it wasn't intended to do.

But this is research, and like any research, lots of things never pan out.  It's weird because it involves hours, often hundreds or even thousands of hours, of frustration paid off by successes that last only moments.  And the cycle repeats.

In order to develop an exploit we spend countless hours dissecting hardware and software looking for an oversight or misstep on the part of the developer.  We follow dead end paths, only to realize they're dead ends days or weeks in.  We often spend even more time wrestling with tools, trying to get them to work the way they should or to work together properly.  When there isn't a tool already available we spend hours developing one that will help answer an esoteric question or shine light in a dark crevice.

When nothing's going right and at the height of frustration, I'm known to mutter "hacking is bullshit" and walk out of the room.  My colleague, Craig, and I have now taken to calling arbitrary things "bullshit."  Usually hacking, but often computers, programming, people, or D-Link routers.

Yet, we are driven to hack.  We are driven to further the study of vulnerability research, to keep moving the ball down the field.  The exchange of hours of frustration for minutes of victory is worth it.  It's worth it because the next time we solve a similar problem, it takes a few hours rather than hundreds. It's worth it because the victory is amazing.  It's worth it because the euphoria is like nothing else.

It's worth it, but let's be clear: hacking is bullshit.

I wanted to capture the irony of the frustration-to-victory inequity of hacking, so I made a T-shirt on Zazzle called "Hacking is Bullshit."

Here are some pictures:

I made it for myself, but if you'd like one of your own, here's a link that sends me a little kickback for beer.

Cheers and keep up the hacking.  It's worth it.

Tweet

DLink DIR-815 UPnP Command Injection

With all the excitement regarding UPnP vulnerabilities lately, I though I'd write up this one I found a few weeks back.  I had kind of forgotten about it.  But it's pretty straight forward, and kind of fun, so here it is.

In Tactical Network Solutions' Intro to Embedded Device Exploitation class, we use the D-Link DIR-815 for the practical exercises since there are tons of great 0-days for the students to find.  The last time we taught the class, I thought I'd try my hand at finding a new one. Twenty minutes in, voila! Command injection in a single multicast packet!

The DIR-815 has a single binary executable, /htdocs/cgibin, that is responsible for handling most, if not all, HTTP requests.  I found a symlink to cgibin called 'ssdpcgi':

zach@endor: dir-815-reva1/v1.00/squashfs-root/htdocs (0) $ ls -l upnp/ssdpcgi
lrwxrwxrwx 1 zach wheel 14 Jan  9 13:43 upnp/ssdpcgi -> /htdocs/cgibin

If we disassemble cgibin and look at ssdpcgi_main(), we see it executing a shell script called "/etc/scripts/upnp/M-SEARCH.sh".

A shell script gets excecuted with the contents of the ST field as an argument.

So let's look at M-SEARCH.sh:



The contents of the M-SEARCH packet get turned into shell arguments.  If we can get one of the arguments to be a string inside backticks, the string gets executed by system()'s 'sh -c' and its output gets handed to M-SEARCH.sh as arguments.

So what if we send an M-SEARCH packet with the ST: field containing the string `reboot`?

M-SEARCH * HTTP/1.1
HOST:239.255.255.250:1900
ST:uuid:`reboot`
MX:2
MAN:"ssdp:discover"

If we send that packet to the 239.255.255.250 multicast address, on UDP port 1900, our D-Link router reboots! Nice!

But rebooting routers is bullshit.  Root or it didn't happen, right?  Okay, no problem.  D-Link routers generally come with a telnet server onboard, so lets use the command injection to fire it up:

Getting root via command injection on the D-Link DIR-815 wireless router

Ownage in a single multicast packet.  Not bad for 20 minutes of strings analysis and a few lines of Python.


Here's some proof-of-concept python code to try out.

Tweet

UPDATED: Responsible (non)Disclosure

Update: I received a personal communication from Mr. Flemming.  He makes the case that what I believed to be a subtextual threat was not intended.  Not necessarily speaking for TNS, I am inclined to take him at his word and that my initial read of the situation may have been unduly skeptical.  I hope to post additional updates as things develop.  I'm leaving the original text of this post intact, though, as it provides meaningful context for the situation that is unfolding.

Original Post:
So here's something awesome.  And by "awesome" I mean "kinda shitty."

Back in August, having seen me on Hak5 talking about hacking Netgear WiFi routers at Black Hat, someone contacted me through my company's website asking if I'd be willing to help out with some hobbyist WiFi router hacking.  (As an aside, the company that I work for is Tactical Network Solutions.  We're a boutique computer security firm in the US, specializing in vulnerability research and advanced exploitation of network infrastructure and related embedded systems.)  The person, whom I'll call Will, told me he and others are trying to root their ISP-provided modem/routers so they can customize them and even use them with other ISPs.  Essentially they're wanting to jailbreak them.

I responded to Will that if he would ship me some actual hardware, I'd take a look in my free time, but no promises.  I wrote this off as something that happens when you get a few seconds in the Internet's spotlight, and figured I wouldn't hear from Will again.  To my surprise, Will shipped me a couple of routers to hack on, so I signed on to their forum and got caught up on their research to date.

I spent about six weeks, part time, poking at the router's firmware.  Expecting to find the sort of low hanging fruit we typically find in embedded gear, I thought this would be an easy win.  I was wrong.  I ended up taking an onion-like approach, investigating various aspects of the device in multiple passes gaining a deeper understanding with each pass.  I finally found an application that I could successfully crash, controlling the CPU's instruction pointer.  This was promising.  I was confident I could develop an exploit that would yield a root shell, and bring us closer to jailbreaking the device.

I posted an update about the crash to the forum.  What happened next was unexpected.  A couple of days later, I received an email directly from the ISP's retail head of security.  Mind you, this ISP operates communications infrastructure and sells services on multiple continents. This gentleman, whom I'll call "Mr. Flemming," reports to the corporation's board and CEO.  My research had caught the attention of this vendor in no small way.

Mr. Flemming expressed concern that the vulnerability I had discovered would impact their customers' security and asked me not to disclose it publicly.  Rather, I should share the details of the crash with his technical team so they could fix it.  Reasonable, right?

At this point, I should point out that at TNS, we've never before been contacted by a vendor regarding our research.  I know readers will attribute various motives to this vendor for wanting to prevent this bug's public disclosure.  I'll just say this is a large company whose motivations are complex.  I'm sure many possible motives are factors in their decision process.

"Well, this is interesting," I said to our managing partners.  They agreed.  While Mr. Flemming's message was amicable in tone, the subtext was clear: "We've been watching you. We know who you are.  Mr. McGee, you wouldn't like us when we're angry."  One of the partners promptly responded to Mr. Flemming's request, via email.  The conversation spanned a couple of weeks and several messages.  It went something like the following:

Us: We'll provide you with priority access to our research for no charge, with the following terms:
    -We plan to release a proof-of-concept exploit after 30 days
    -We want to publish papers and present our research at conferences such as Black Hat.

Them: We want 90 days before public disclosure, and we want veto power over anything you want to publish.

(At this point we looked at each other and said: "Wait...what?  We're offering our research to them for no charge, and they're not happy with the terms?")

Us: How about if you reimburse us for our time--we're not trying to profit--and we'll work with you on a longer release window.  We reserve the right to publish our findings, though.

Them: We don't pay for research we don't commission.  Sorry.  Also we'd really like you to let us review in advance (i.e., veto?) anything you plan to publish.

So that's where we stand.  It's frustrating.  While vulnerability research is still a nascent field where the legal ramifications are untested, this doesn't seem like a completely original problem.  I know we're not the only ones forging this path.

Tweet

Specifying Preferred Load Addresses for ELF Shared Libraries

[NOTE: This was going to be a post about how to relocate a shared library that is loaded using LD_PRELOAD such that a program's linked libraries get loaded at their normal addresses.  Sadly, the trick I thought would do that didn't actually work for me.  The library got relocated, but the other libraries weren't restored to their natural base addresses.  That said, it still is interesting and worth writing up.]

I'm currently developing a buffer overflow exploit for an application that runs on an embedded device.  I don't have console access to the live device--in fact the main goal for this exploit is to get an interactive shell so that I can do more analysis.  Since I don't have console access, I have to debug the application and the exploit entirely in the QEMU emulator.

I have to use several ROP gadgets in my exploit, so I need to test and develop with the libraries containing the gadgets loaded at their normal addresses.  Hence, I'm using QEMU full system emulation running Debian MIPS. QEMU binary emulation won't load the application's libraries in the right location.

There's a hitch, however.  The emulated system doesn't provide the same hardware that the target device has, so I have to convince the target application it has the right environment.  One of the many tricks required is to intercept NVRAM queries and provide the right answers.  In order to do this, I wrote an NVRAM faker library and LD_PRELOAD it when I run the target application.

Did I say there's a hitch? Actually there are a bunch of hitches.  Another problem is that when you LD_PRELOAD a library, it gets loaded before the application's other libraries.  As a result, the load addresses are all off from where they would normally be.  Since the whole point here is to run the application with the libraries loaded at the proper addresses, this won't work.

Here's a look at the application's memory layout without LD_PRELOAD:

Above, you see libc (specifically libc's text segment) loaded at 0x2aaf9000.

If we run the program, using LD_PRELOAD to load the nvram library:
export LD_PRELOAD=/mylib/libnvram-faker.so,
the load addresses change.

Here's another look at the program's memory maps, this time with libnvram-faker.so preloaded:

Here, you can see libnvram-faker.so mapped right after the dynamic loader itself, at 0x2aabe000.  This has shifted everything down, and libc is now loaded at 0x2ab3a000.

However, the linker, GNU ld, has an option to specify a preferred address for the text segment.  If we give GCC the option, '-Wl,-Ttext-segment=', it will pass that option on to the linker.

There are a couple of things to note about the address you specify.  First, the address needs to be a multiple of the maximum page size, generally 4K, or 0x1000.  Second, this address is going to be an offset from where the dynamic linker would normally load your library.  Since that is generally right after the linker's load address, you can subtract that address from your desired address, rounding up to the nearest page, to get the offset.

0x2abee000 - 0x2aabe000 = 0x13000

So we tell gcc: -Wl,Ttext-segment=0x13000.

Now with the new version of the library loaded, let's look at the memory map for our application:

We see libnvram-faker now located at higher addresses than all the other libraries: at 0x2abee000.  So specifying a preferred load address for the text segment had the desired effect.  Sadly (for my specific issue) this didn't result in the other libraries being restored to their original base addresses.

This is, of course, if your linker knows about the Ttext-segment linker script.  I found that some older versions of GNU ld did not.  You may be constrained to an older toolchain in order to be compatible with your target system.  To quote the (in)famous Cormen algorithms text: "this problem is left as an exercise for the reader."

Tweet

Parsing Email and Fixing Timestamps in Python

I decided to POP out all my Yahoo mail into my Google Apps account so I could stop paying for Yahoo's "premium" service (WTF, it's 2012, and POP is a paid feature--and there's no IMAP?).  I have fetchmail then download all of my messages which get post-processed by procmail and re-served by dovecot.  Since a bunch of really old messages were just downloaded by fetchmail, they appeared to be "new" from dovecot's perspective.  This is because the name of the message files stored in the Maildir format used by dovecot starts with a number representing when the messages were downloaded.  So years-old messages that were just downloaded will have a very recent timestamp encoded in their filenames.

The file names look like this:

1339506150.22834_0.hoth:2,Sb
1339506889.22952_0.hoth:2,Sb
1339507621.23058_0.hoth:2,Sb
1339509572.27344_0.hoth:2,Sb
1339510487.386_0.hoth:2,Sb

To fix this, I wrote a little python program to parse out the dates the messages were originally received, and rename the message files.  It also updates the file system's atime and mtime timestamps.  Since several new "Received" headers were attached to the message when Google POPed the messages from Yahoo, and then when fetchmail downloaded them from Google, I needed to figure out which ones to disregard.  I decided to compare the date the message was originally sent to each of the Received: dates, and use the most recent Received: header that was no more than 24 hours after the message was sent.

I made a backup of ~/Maildir/cur/ first.
You can loop over the message files like this:

$ for file in $(ls -1); do ~/bin/timestamp.py $file; done

I'm not really sure what the implications are for dovecot while mucking around in ~/Maildir, so I stopped that, and also fetchmail while doing it.

Here's the script.  Use at your own risk:

Tweet

Long-form Reading 2011

Here are some long-form articles I've enjoyed this year.

The Hazards of Nerd Supremacy: The Case of Wikileaks (theatlantic.com)

The Octopus Conspiracy: One Woman's Search for Her Father's Killer (wired.com)

Confessions of a Prep School College Counselor (theatlantic.com)

The Great Rubber Robbery: How Julius Fromm's Condom Empire Fell to the Nazis (berlinbooks.org)

Bursting the Bubble (about David Vetter, the "Bubble Boy", houstonpress.com)

The Stutterer: How He Makes His Voice Heard (slate.com)

The Day The Movies Died (gq.com)

Man vs. Machine on Wall Street: How Computers Beat the Market (theatlantic.com)

Authorities in Awe of Drug Runner's Jungle Build, Kevlar-Coated Supersubs (wired.com)

Kiki Kannibal: The Girl Who Played With Fire (rollingstone.com)

The Battle for Tora Bora (tnr.com)

The Humility Imperative: CEOs Keep Your Arrogance in Check (inc.com)

How to Land Your Kid in Therapy (theatlantic.com)

How One Man Hacked His Way Into the Slot-Machine Industry (wired.com)

Cyber Weapons: The New Arms Race (businessweek.com)

Don't Be Evil (on google's narrowly conceived, yet handicapping motto, tnr.com)

A Few Too Many: Is there any hope for the hung over? (newyorker.com)

The Man With the $16 House (dallasobserver.com)

The Wrestler in Real Life (on Ric Flair's long decline, grantland.com)

Enter the Cyber-dragon (on how China is operating with impunity on America's defense and commercial computer networks, vanityfair.com)

Apple's Supply Chain Secret? Hoard Lasers (business week.com)

50 Years of Stupid Grammar Advice (thechronicle.com)

The Rise and Fall of the Columbia House Record Club -- and How We learned to Steal Music (thephoenix.com)

How a Financial Pro Lost His House (nytimes.com)

When Did the GOP Lose Touch With Reality? (nymag.com)

What is Sony Now? (businessweek.com)

The Pest Who Shames Companies Into Fixing Security Flaws (wired.com)

Thanks to Marco Arment's excellent Instapaper  service and iOS app for helping find and keep track of excellent reading material on the web.

Tweet

Reading List 2011

I was using up all of my accumulated credits on Audible.com just now, and realized I've listened to several great audiobooks over the last year. Here's a list of what I've listened to in 2011, along with a link to the book on Audible.com. I recommend them all.

Judas Unchained, Peter F. Hamilton, Part 2 of the Commonwealth Saga (link)
The Gun, C. J. Chivers (link)
The Windup Girl, Paolo Bacigalupi (link)
Snow Crash, Neal Stephenson (link)
Embassytown, China Mieville (link)
Pattern Recognition, William Gibson (link)
Spook Country, William Gibson (link)
Zero History, William Gibson (link)

I'm pretty excited about my reading list for 2012 (and likely beyond--I had 12 credits to use), which I will share soon.

Tweet

Multi-page Javascript Bookmarklet

[Disclaimer: I don't know crap about javascript, other than what I pieced together from the 'tubes.]
I read something somewhere (I don't remember where) about having a bookmarklet that automatically opens your favorite sites, each in their own tab, when you click on it. I wanted to set up my own, but the article didn't explain how to do it (just suggested it as an idea). It's actually pretty easy.  Below is commented code:

javascript:(function(){
  /* save a reference to the current window */
  oldWin=window;
  
  /*
   * Replace the current window's or tab's website with this one.
   * If you just want additional windows (or tabs) opened
   * skip this.
   */
  location.href='https://mail.google.com';
  
  /* Each additional window/tab you want opened */
  window.open('https://voice.google.com');
  window.open('http://www.accuweather.com');
   
  /* restore focus to the original tab, since each
   * new window gets focus
   */
  oldWin.focus();
})();

Paste this entire javascript fragment in as the address for your bookmark. It may be easier to bookmark an arbitrary page, then edit that bookmark's title and address.

Tweet

On the Mac App Store and Sandbox Restrictions

Update: My friend, Chad, creator of Pear Note, has an interesting perspective that is much more in-depth than what I have written. While I don't agree with his conclusion, he is a successful full-time Mac developer where I have no Mac development experience. Also Chad has more SELinux background that I do.

There has been a lot of gnashing of teeth lately over Apple's forthcoming Sandbox restrictions on software sold through the Mac App Store. In the near future, applications sold through the Mac App Store will be confined by very restrictive security policies. These security policies will make it impossible for applications to do many of the things we are accustomed to applications being able to do, such as interact with other applications. Some have described this change, pejoratively, as the "iOS-ification" of the Mac. I think these people miss some important points.

I used to work at a company where most of my time involved developing either SELinux security policies (a technical mechanism that the operating system uses to restrict applications' behavior) or applications designed to be confined by SELinux policies. Unfortunately, although SELinux is extremely powerful, it isn't used to confine most Linux desktop applications. It exposes users to problems that are beyond their ability (or desire) to troubleshoot and fix. Having spent time working with under-appreciated access control mechanisms, I am really excited to see Sandboxes coming into the mainstream on an operating system known for its ease of use. This is a Good Thing for users.

SELinux is similar in some ways to Mac OS X's (and iOS's) Sandbox mechanism. These mechanisms enforce a system-wide security policy that cannot be overridden through traditional user-based file ownership and permissions. For example, an application executed by you shouldn't be allowed to change or delete all of your data (without asking you first) simply because you own the data. An unconfined application could be tricked into doing just that.

Apple has implemented a trusted process model in OS X Lion to handle risky behaviors. An application confined by a Sandbox profile might not be allowed to write its data to your hard disk. Instead, it has to send its data to a Lion-provided process whose job it is to write the data. That trusted process is only allowed to access data on the hard disk. It is not allowed to receive connections from other computers on the Internet. An attacker on the Internet would have to compromise not only your application, but also the trusted process in order to gain access to your data on your hard disk. Think of a building that requires entry through one door followed by another, and no single person has both keys. You have to co-opt both key holders to gain access.

Many things that applications normally do on their own will now have to be proxied through a trusted interface provided by Lion. Some things, such as adding cover art to iTunes albums, become impossible where no sanctioned interface is provided. In the near term, applications in the Mac App Store will become simpler and less capable because of this. I suspect that over time, though, Apple will provide more robust set of mechanisms that applications will be able to use to do more things. This way, applications will be able to do more on behalf of the user without introducing significant risk.

I like knowing that applications I install through the Mac App Store will be confined by a security mechanism that mitigates mistakes made by the developer. I'm happy with it as long as I can obtain applications from outside the App Store when I'm willing to assume more risk. You have choices. If you want an application that not only won't but can't eat your data (or syphon it off to the Russian mafia) get it from the Mac App Store. If you want an application that has more features--and more risk--buy it elsewhere from Chad's website.

Tweet

Fake Reviews on Amazon?

We all know there are shady marketing/image promotion firms that do things like post fake reviews on Amazon.com and others. However, I've never actually seen a review that I was certain was a fake. That is, before today.

Yesterday I bought a no-name 21 bottle thermo-electric wine cooler from Tuesday Morning. I wanted a feel for whether I got a good deal, so I did some post-purchase comparison shopping on Amazon.com. I couldn't find my exact model there. Again, I'm certain it's a no-name, made-in-china, rebranded by a distributor type affair. I did find a couple of models on Amazon that are extremely similar to my own. So much so that I would not be surprised if they are actually the same unit with minor cosmetic revisions.

As I was reading the customer reviews, they were mostly pretty terrible, complaining of failures within 18 months of purchase. Most also complained that there wasn't a place locally to get the appliance serviced. Unsurprising. Oh, well. Live and learn, I guess :-(.

However, what was interesting to me was that for each of the two items, I found one review that was uncharacteristically positive. Even less likely, both reviews were impossibly similar, following a template, highlighting the same positive features, and using similar wording.

I'm not going to link to the Amazon product listing because I don't want to help boost those items' page ranking, but I have pasted in the product name as found on Amazon, as well as the full review in each case.

From the "NewAir AW-210ED NewAir Thermoelectric Wine Cooler With Dual Temperature Zones"

A four star review:

I ordered this as a present for my wife, and read a lot of reviews. There were so many negative product reviews for wine coolers, I really didn't know which one was actually the truth. I didn't know what to buy or who to believe.

This fridge is really quiet. In an empty room without any other appliances on, you can't hear it.

It's beautiful. It's aesthetically pleasing and fits in well into our dining room. She loves the sleek black finish, we get lots of compliments on it. It gets a lot of attention believe it or not. Some people are really impressed by it. My friends think NewAir should of made room for cans of Bud Light, but I disagree. The unit stores my $[...]bottles of Opus One. It is definitely a higher end unit meant to store wine collections not beer for UFC fights. Same high quality as Cuisinart models we've seen at Bloomingdales, but bigger which means more room for WINE! I would definitely choose this unit over a built in unit. This model requires some room for venting like most refrigerators, which makes sense. We had a built in wine cooler in our last house and it was nothing but problems. When they had to fix because the compressor went I had to contact a laundry list of people because the manufacturer went out of business. Then the guy who came to fix it decided it was ok to damage our granite bar top to access the built in wine cooler.

No assembly except putting on the handle. Let's face it not many of us spoiled Southern Californians are handy.

he temperature holds steady and does not reset when exposed to sunlight, or when the room is warm. It's really easy to read the temp setting, really easy to set, and it works like a dream. The LED lighting is awesome. Also, you can feel the difference in temperature between the 2 zones.

Dollar for dollar, this was competitively priced. I really liked my experience with Air & Water. They were great. And, we're SO happy with it.

I know you will be too.

And from the EdgeStar 21 Bottle Dual Zone Wine Cooler

A five star review:

I ordered this as a present, and read a lot of reviews. There are so many negative product reviews for wine fridges, I really didn't know what to buy. So, let me put your fears to rest:

1) This fridge is really quiet. In an empty room with no AC on, you can't hear it.

2) It's beautiful. Really nice stainless finish, we get lots of compliments on it. On par with Cuisinart models we've seen at Macy's, but bigger.

3) No assembly except putting on the handle. Hallelujah!!!

4) Consistent temperature - the temp holds steady and does not reset when exposed to sunlight, or when the room is warm. It's really easy to read the temp setting, really easy to set, and it works like a dream. You can feel the difference in temperature between the 2 zones.

Dollar for dollar, this was competitively priced. I really liked my interaction with Compact Appliance. They were great. And, we're SO happy with it.

Hope you will be too.

Here are the points addressed by each review, in the same order:

• The unit is quiet, and in a quiet room, you can't hear it
• The unit is beautiful
• Requires little to no assembly
• Keeps a consistent temperature
• Competitively priced
• Interaction with the manufacturer/distributor was great (WTF? you bought it from Amazon.com)
• We're so happy and "hope you will be too."

It's kind of amazing how blatant these reviews are. I guess the most Amazon can do is close each user's account. Since the reviewers are disposable, the PR firm just hires more, or even creates new accounts under new names.

Tweet

Remarks on Apple, Flash and the "I Hate Apple" People

I've want to put down in words a few loosely related thoughts on controversy regarding Apple's policy of not allowing Adobe Flash Player on its mobile devices, and on the I Hate Apple crowd in general.

First, the "I'm anti-apple" people. I hear this mantra repeated frequently by friends and colleagues and also by noisy people on the Internet. I tend to rail against this sort of thinking, and as a result, come off as an Apple apologist to people who know me. I'll clarify: there are plenty of legitimate reasons to be angry with Apple. This vitriol, however, just seems irrational. Apple, as a company, has a lot of surface area and characterizing them in such broad strokes is problematic. They do things that are frustrating, but they also do things that are great. Most people who revel in waving their Apple-hating flag struggle to articulate just why they they hate them so much. It usually goes something like "grumble grumble, closed, proprietary, grumble grumble, App Store, grumble, no flash on the iPhone." The argument usually doesn't hold together well, and often these people will even admit that they just can't quite put their finger on what they hate so much about Apple. Look, we all are frustrated with Apple's App Store policies, even veteran iPhone and Mac developers. Even John Gruber, often accused of being an apologist is frustrated:
Serious App Store Doubts
Excerpts From the Diary of an App Store Reviewer
The App Store’s Exclusionary Policies

Further, if we're going to jump on the Apple-hating bandwagon, which is very in vogue nowadays, there are a lot of big-company-hating bandwagons we're going to have to jump on and start bitching about and boycotting. That's tiring. I don't have enough hours in the day to hate every company that needs hating. Sigh. Pick your battles.

Moving on to Apple's prohibition of Adobe Flash Player. It's not that complicated. Flash on the iPhone specifically, and cross-platform development frameworks in general, have the effect of diluting all platforms, including the iPhone, down to the lowest common set of platform features. No company should want their mobile device to be reduced to a state of generic similarity to their competitors' devices. Apple is perfectly justified, in my opinion, in wanting to keep this sort of shovel-ware out of the App Store.
This week Apple CEO Steve Jobs penned an open letter regarding his company's position on Adobe Flash Player on the iPhone OS:
Thoughts on Flash
I won't dissect the letter; it's been covered. But I agree with everything in it.

In response, this blustery counterpoint was posted on Linux-Magazine.com:
Apple's Steve Jobs is spreading FUD on Flash

This author's post actually makes me angry. It makes me angry because he is so bigoted against Apple, that he actually comes to Adobe's defense, conveniently forgetting that they've been dragging down the Linux desktop experience for years.

I self-identify as both a a Mac user and a Linux user. For years I was a full-time Linux user. I was the most obnoxious of Linux bigots, so I have that perspective. I have unhappy memories of flash on Linux. Since flash video became prevalent on the Internet, Adobe flash player has been the bane of Linux users' existence. Its performance on Linux has always been abysmal. I remember times when my laptop's fans would spin up to full speed, and the battery would start draining, and it would start scorching my lap. I would have to go hunt down whatever Firefox tab had a flash-based banner ad that was eating my CPU for lunch.

Adobe was slow to update it to the latest release, taking a year or more after it was released on Windows to release a new version for Linux. Also, Adobe still hasn't released a 64-bit version of the Flash Player for Linux or the Mac. Yeah. Seriously. It's 2010. Although major Linux distributions have gotten a lot better at making flash installation easy, you used to have to do weird 32-bit library wrapping voodoo to get Adobe Flash Player to work with 64-bit Linux and Firefox.

Because the Adobe Flash Player is closed and proprietary, Linux distributions couldn't ship with it installed. Users would always have to jump through hoops such as configuring third-party package repositories in order to install it.

Yes, as the author points out, flash is an open specification, so anyone technically can implement it. But to date, there haven't been any open flash players that are worth a damn. Open implementations such as Gnash are turds. They are several versions of the flash specification out of date, their performance is abysmal, and getting them configured and working is black magic. So let's leave flash's "openness" aside, because that's a red herring.

What is material is that much of the Internet depends on your browser being able to play flash. This is just as bad as the Internet of a few years ago requiring Internet Explorer, and being broken on every other browser. An Internet dependent on Adobe Flash Player is bad for Linux users. An Internet that has embraced HTML5, CSS, and Javascript is good for Linux users. Get off your Apple-hating high horse and acknowledge the fact that the two of you are on the same side.

Tweet

Ubuntu Netbook Remix in VMware

I needed to install Ubuntu Netbook Remix (UNR) in a VMware Virtual Machine so that I could try to reproduce a bug. It was kind of an asspain. Problem is, UNR is made to be installed from a USB flash drive, and VMware can't boot from USB devices. There isn't a DVD or CD ISO image for UNR 9.04 available. It turns out that you can make a DVD image from the UNR .img.

I found the following guide on the Ubuntu forums (see below for a link). It should work from most linux distros:

Make a directory to hold the contents of the UNR DVD image:

$ mkdir unr

Make a mount point to mount the UNR .img file:

$ mkdir realunr

Mount the UNR .img as a loop device:

$ sudo mount -o loop -t vfat ubuntu-9.04-netbook-remix-i386.img realunr/

Copy all the contents from the UNR image to your unr/ directory. Note that realunr/.diskimage is critical:

$ rsync -a realunr/ unr/

Rename syslinux to isolinux:

unr$ mv syslinux isolinux
unr$ mv isolinux/syslinux.cfg isolinux/isolinux.cfg

Generate a DVD image from the contens of unr with the following incantation:

mkisofs -o ubuntu-9.04-netbook-remix-i386.iso -r -J -l \
-V "Ubuntu-Netbook-Remix 9.04 i386" -b isolinux/isolinux.bin \
-c isolinux/boot.cat -no-emul-boot -boot-load-size 4 \
-boot-info-table unr/

mkisofs will generate a DVD image that you can either boot a VM from or burn to a DVD.

Guide on ubuntuforums.org

Tweet

Jailbroken iPhone, Cydia Apps, Upgrading iPhone to 3.0.1

I've been running my iPhone jailbroken for a couple of weeks. At first I felt dirty about having callously cast aside many of the legitimate security mechanisms in the iPhone, such as sandboxing of 3rd party apps. Utlimately, I have given into my baser instincts and am sticking with it.

Today I upgraded my iPhone to 3.0.1. There isn't an official jailbreak for 3.0.1 yet, but the 3.0 jailbreak works. The problem in general with upgrading a jailbroken phone is that there's no real way to back up all of your unauthorized customizations. You've basically had your way with the underlying Unix OS. Not everything you install from Cydia is a self-contained app. There are system modifications like installing OpenSSH and system utilities. Anyway, what it comes down to is that you need to reinstall all of your Cydia packages after upgrading and re-jailbreaking.

Here's how the process went for me:
In iTunes:
-do a backup
-choose to restore, which will also update. Don't choose upgrade.

After this is done, leave itunes, and follow the normal jailbreak process
-Run redsn0w
-Point redsn0w at your 3.0 iPhone OS ipsw file.

Once redsn0w is done, you're jailbroken again and running (mostly) 3.0.1. You still need to reinstall your Cydia packages. I found some of my customizations returned once I had reinstalled the Cydia packages, but not all.

On the topic of Cydia packages, here's a list of packages that I installed and really like:

• BigBoss Recommended; This gets you a bunch of command line utilities that you'd expect to be on most unix systems. It actually is a metapackage that brings a ton of other packages with it.
• MobileTerminal; A terminal application (not an SSH client)
• MusicControls; A paid app that lets you background and control many music applications like Slacker and Pandora
• OpenSSH; client and server. Be sure to reset passwords for root and mobile. Also disable root logins. Disable sshd from running automatically.
  
• SBSettings; let's you tweak many hidden settings, replacing BossPrefs. Also required for disabling autostarting of the sshd service
• Safari Download Manager; A paid app. Lets you download and save files, even ones that Safari doesn't know how to handle. Great for downloading files and getting them off you phone.
• iFile; A paid app that lets you browse the entire filesystem and open files. Also has a built-in web server that will serve up files to your laptop. Useful when you have no Internet, but need to download a file.
• SysInfoPlus; Shows you lots of technical information about your iPhone. Mostly just neat.
• Status Notifier; shows various status indicators like new mail icon in the iPhones status bar at the top of the screen
• BlackDarkness theme; This is a complete system theme that replaces lots of things, including many icons. I think it's kind of neat. Brings winterboard with it.

That's about it. The BigBoss blog is recommending that you stand pat until there's a redsn0w update. Supposedly it's going to make things a bit easier. It's not clear in what way. At the very least, they point out that for now, you'll still end up with a 3.0 kernel. Hmmm. :-/

http://thebigboss.org/2009/07/31/iphone-v301-released/

Tweet

GEICO Music

I hate to admit it, but GEICO commercials have a pretty good track record for featuring good pop music. Whether it's 3 Doors Down, Royksopp, or The Sounds, the songs in GEICO's ads are usually pretty good.

The latest that I like is "Somebody's Watching Me" by Mysto & Pizzi. This song is featured in the ridiculous "Kash" commercials. You can download it for free. While you're there, check out the "making of" video. It's surprisingly entertaining.

I don't like the commercials, and I'm not about to switch insurance providers, but, in general, if you hear a song in a GEICO spot, you can probably add it to your library with no regrets.

Tweet

Spotlight does Math

I just discovered that Leopard's Spotlight does math. Try it. Bring up spotlight with ⌘+space. Then start typing something like
7pi*8.3 or
sqrt(2)
and the answer is the first search result.

This isn't quite a powerful as the Google calculator. It doesn't appear to do base conversion, and it doesn't let you copy the result for pasting into an application, but it seems handy nonetheless.

Tweet

Mac OS X handy bash aliases

Here are a few handy aliases that I keep in my .bashrc in OS X:

alias cppwd='eval "echo `pwd` | tr -d \\\\n | pbcopy"'

This copies my current working directory to the OS X pasteboard so I can Cmd+V it into another terminal. Often I want several terminals open in the same directory at once.

alias burn='drutil burn -noverify'

This one lets me type

burn mydisc.iso

to burn an ISO disc image to CD or DVD without having to open Disk Utility.
And a variation:

alias vburn='drutil burn'

This does the same as the other but also does the disc verification step.

Tweet

A Gun for the Time Hole

An ordinary AK-47 Kalashnikov automatic rifle would not be allowed through the time hole. One made of bacon, however, is an ideal candidate for the time-traveling freedom fighter.

Tweet

FiOS at Work

Finally.

Tweet

Handling HTTP Redirection in Ruby

I have a Ruby project where I'm dumping a bunch of bookmarks from delicious.com, then fetching each bookmarked page for analysis.

One of the problems I encountered early on is that the some of the web pages bookmarked would redirect to some other location. Simply checking for HTTP response code 200 was insufficient. I needed to check for redirection as well.

A quick Google search for "ruby follow http redirect" yields lots of results. Unfortunately, they're all very similar, and not quite right. In general, the examples you come across (even the one in the official Ruby documentation) don't handle the case when the redirected location is path relative to the original location. So you end up doing a get on a URL that looks like "../../redirected/location/index.html," which clearly won't work.

It turns out that detecting relative redirection is fairly straightforward:

 until( found || attempts>=@@MAX_ATTEMPTS)
     attempts+=1
     http=Net::HTTP.new(url.host,url.port)
     http.open_timeout = 10
     http.read_timeout = 10
     path=url.path
     path="/" if path==""

     req=Net::HTTP::Get.new(path,{'User-Agent'=>@@AGENT})
     if url.instance_of? URI::HTTPS
       http.use_ssl=true
       http.verify_mode = OpenSSL::SSL::VERIFY_NONE
     end
     resp=http.request(req)
     if resp.code=="200"
       break
     end
     if (resp.header['location']!=nil)
       newurl=URI.parse(resp.header['location'])
       if(newurl.relative?)
           puts "url was relative"
           newurl=url+resp.header['location']
       end
       url=newurl

     else
       found=true #resp was 404, etc
     end #end if location
   end #until

The trick here is to ask the redirected url object if it is relative. If it is, then add the redirected path onto the old url object. the URI class overrides the '+' operator (what is this, C++?) so that you can concatenate the new path onto the old URL, by doing:
newurl=url+resp.header['location']

Tweet

Mounting LVM Disks in Ubuntu

I always thought LVM (Linux's Logical Volume Manager) was kind of neat for the flexibility it gives you in adding and removing disks and resizing volumes such. However, in practice, I find it's usually more trouble than it's worth. It adds a layer of complexity between me and my data.

Often I need to mount a disk configured with LVM on another Linux machine or in an Ubuntu live CD environment. Out of the box the logical volumes aren't recognized, so I can't mount them.

It's fairly easy to add LVM support and mount the volumes though.

You install the lvm2 package, load the device mapper kernel module, and then activate any lvm volume groups on your disk.

$ sudo apt-get install lvm2
$ sudo modprobe dm-mod
$ sudo vgchange -a y
(assuming your disk with logical volumes is already connected)
$ sudo mount /dev/mapper/<logical volume name> /mnt

And that's all there is to it.

If you want to deactivate the volume groups (recommended before unplugging a USB disk with logical volumes):
$ sudo vgchange -a n
Warning: the above command will deactivate all volume groups, so check the vgchange manpage first, if that's not what you want.

Tweet