sean.blog

School is back in session, and I’m reading as fast as I can!  So much to get done, so little time. My classes at the moment include a bit of finance, a bit of marketing, some negotitations and a healthy dose of law.  All in all I’m happy with my class choices, though we’ll see how the school/life balance works out :).

Here at defcon and so far so good. Sadly the new badges are not available. Though the reg line took about 30 seconds last night. Today its 40 meters or so long. We will hopefully be able to trade our paper badges for the real thing today at 3:00.

Here would be a great link to a wired blog entry with details about the badge but apple doesn’t think us iPhone users need a copy and paste feature.

10:09 Track one is full, no standing room either. Too bad, I think a lot of folks wanted to see the badge talk.

10:21 Got into track 1. Talking about the 2000 $ sdk defcon got for us (to hack the badges). The IR interface on these badges is awsome. The badges contain some of the TV be gone code. The IR led on these have about a 3 foot range but a limited field of illumination. The IR data transfer (the core feature of the device) had a lot of potention. Looks like badge delays were partially due to Chinese customs and the olympics.

11:30ish We got the real badges! Pics up a bit later.

12:50 Now I’m in Track 4 “Security and anonymity vulnerabilities in Tor: past, present, and future,” so far it is very interesting.

• Some talk about mistakes in crypto implementation and attacks on Tor through history.
• Using HTML forms to submit data (attack) to local service ports, i.e. send mail through port 25 on your own box which would be running a mail server.
• Using browsing history, browser window size, language preference and cookies to identify users once they have turned off tor.
• Almost all plugins can be setup to ignore firefox proxies.
• Only safe way to switch between not-using and using Tor in Windows is reboot.
• A lot of options with using dedicate VMs to use Tor safely.
• Correlating Bandwidth/Latency to help identify start and end points in Tor.

1:15. Headed up to the hardware hacking village. Grabbed a miniusb connector for our badges. There were a limited number of soldering irons available and spirits were high.

1:30. At track 2 google gadget hacking talk. Interesting but a bit late.

1:55. At track 2 the attacking social networks talk.

• This talk is funny.  Nevermind, I was wrong.
• Linking to external content is a well known security issue.
• Filters and other restrictions aren’t enforced the same between POST and GET requests.
• CSRF :)
• A lot of talk about impersonating other people with fake profiles.  Interesting, but not super technical.
• App talks now.  Write a popular app, build a userbase, then write some evil feature for it.  Instant botnet.
• Myspace as a proxy. neat.  Relay.proxy has a lot of potential.
• This talk definitely lacked some technical meet.

3:01   Wondering around …..

I’m not a huge Pulse Audio fan, but removing it from Fedora 9 seems non-trivial.  So for those trying Skype, you may want to look at this workaround:

# padsp skype

Easy, eh?

A few months ago I did a small research project on Facebook.  I found the growth rate of the Facebook active user community particularly interesting.

Sources:
“Facebook by the Numbers.” Retrieved from http://www.fastcompany.com/magazine/115/open_features-hacker-dropout-ceo-facebook-numbers.html on Feb 24, 2008.
Kirkpatrick, David. Dec 5, 2007. “About Face(Book).” Retrieved from http://techland.blogs.fortune.cnn.com/2007/12/05/about-facebook/ on Feb 25, 2008.
Swartz, Jon. Sep 11, 2007. “Soon millions of Facebookers won’t be incognito.” Retrieved from http://www.usatoday.com/money/media/2007-09-11-facebook_N.htm on Feb 25, 2008.

Plus a few small articles I don’t have handy. But if anyone is interested I can find them again.

I just switched my laptop from Gentoo to Fedora 9.

I always liked portage, and continue to prefer it over any other package management system.  Unfortunately, network effect is a big factor in the usefulness of modern Operating Systems.  In the open source community, this is even more noticeable.  As more users flock to or, in the case of Gentoo, away from a Linux distribution, the quality of the software packages available for the distribution fluctuates.  In the case of Gentoo, this was very noticeable in the lack of package updates when major updates to specific applications were released.

What compounded this was the lack of interest in certain tools by the remaining development team.  For me, the greatest example was the lack of ebuilds (Gentoo software packages) for Miro and Twitter clients.  Though these applications provided relatively new functionality, video podcast playback and micro-blogging, their omssion hinted at a larger problem.  The current development team was not interested in including these applications in the distribution.  It left me wondering if the development team was larger, could Gentoo provide these newer applications in a more timely manner, when they were even included.

I considered creating the ebuilds I needed myself, but in the end realized that I wouldn’t be able to maintain more then a few ebuilds regularly.  These few packages wouldn’t be enough to make Gentoo appealing to me.

In the end its hard to say if what I saw was a significant problem.  It could be easily argued that the quality of a distribution is not in its breadth of its application library but in its stability and capabilities at specific tasks.  For me, the bleeding edge Gentoo I was drawn too is no longer there.  In its place is a slower to update distribution which still occasionally breaks functionality with updates.  I hope portage or the ideas behind it are passed on to other open source projects, I believe there is a lot of benifits to source code based distribution.

We parked and we walked. We found this:

Found in the lowest level of a parking garage at GMU.  Thanks to rber for taking most of these pics.