The Caffeinated Penguin

musings of a crackpot hacker

Survival, stupidity, and Windows Vista suckage

| December 22, 2006

Most of these are from slashdot, but for those folks who don't read slashdot…


Decent site on surviving in the woods:

http://www.wilderness-survival.net/


Idiot tries to hire hackers to change his college records:

http://www.networkworld.com/community/?q=node/9999

Except they post the whole content on their website (use this mirror, the other one is slow):

http://www.mirrordot.org/stories/f90a8b85bd79721d7914c7c51aeb99f0/index.html This is the original article:

http://politics.slashdot.org/politics/06/12/22/1550250.shtml


Windows Vista DRM imposes onerous requirements on… everyone:

http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt

And another thing

| December 19, 2005

Everyone is up in arms about the whole “presidential wiretap” thing. Here's my take on it:

What did people expect? Between the PATRIOT act, and, gee, I don't know, everything that's happened with the FBI and all the other intelligence agencies in the past 75 years?

Think about it – when you give governments the ability to do something, the only thing stopping them from doing it is their own restraint, which invariably erodes over time.

The only way to stop this from happening would be to stop the government from having the ability to wiretap, hence my use of crypto as often as possible. (Here's my PGP key for those who are interested).

“But, but, then the evil terrorists will attack us because we don't have surveillance”.

Yeah, and if we are constantly living in fear and having our whole lives monitored, then they already have.

More stuff, and promised pictures

| December 8, 2005

Links: Maxpedition makes some cool bags. Not sure if I'll get any, because Sportsman's Guide has a pile of cheap stuff (as always), but hey, seems like a decent company to plug.

The community seems interesting.

Other stuff: So, Liz doesn't seem to have a problem with the survivalist stuff. This is good. It means I don't have to feel guilty or hide anything from her, and she'll keep me in line if I get a little too nutty. For example: I realize that I don't NEED an East German AK-47 bayonet. This is not a survival thing, but merely a toy. I don't need a WWI trench knife either, it's just badass.

However, I realize that these things are silly. Bouncing ideas off of Liz, however, makes me realize that the ones that I think are good ideas might be silly.

I dug out my compass today. Why do I have one? Because everyone should. Why did I dig it out? Well, we're talking about going hiking in the woods. Noting the bearing which you head out makes it easier to get back.

We've also talked about maybe getting some lightweight aluminum snowshoes. I found some cheap ones for less than $75. Might do that. Not sure. We'll have to see.

no flash No flash. flash Flash.

Ketchup

| December 7, 2005

  • I’ve started listening to Rant Radio at work. It is interesting and amusing. I highly recommend it, though one should utilize headphones, because they tend to curse a lot.
  • I’ve started watching Patrolling with Sean Kennedy, which is sort of a “modern survivalist” sort of show. For example, the show I’m watching now is doing a segment on boots, what type of boots to buy, how to choose boots, etc. The previous episode has a section on pants. Anyway, I recommend it. The second season is torrents, which are pretty scalable, but the first season is straight download, so to save the nice mirror guy’s bandwidth, if anyone wants a copy of it, I can burn them a DVD of it (it’s about 2GB) if you drop by my house to pick it up.
  • I’ve modified my AK according to the instructions here, because it has a lot of trigger slap (the trigger comes back and hits your finger when the bolt cycles and it chambers the next round). Now, this was actually pretty easy. The downside to it is that if I screwed it up, the disconnector could fail to catch the hammer which could lead to a slam-fire (which happens when the round is fired before it is fully seated in the barrel) which could do such nasty things as destroy my rifle and kill me. Anyway, I don’t think that this will happen, otherwise I wouldn’t do it. However, I will start with single shots – the idea being that if the disconnector doesn’t catch the hammer, I would be happier if it falls on an empty chamber than on a live round, you know?
  • Anyway, I’ve taken a liking to paintball scenario games. Large games (300+ people), with lots of large scale maneuvering, recon, strategy, and all that stuff. The last one I went to featured lots of folks with very military looking rifles. Come to find out, there’s a whole subculture of people devoted to this stuff. So, I figured I’d try my hand at making a paintball version of my AK, without too much effort. Paintball gun and real gun So, the basic gun is a Tippmann A5, which has a quasi MP5 look to it. If you remove the foregrip, and add a stock (yeah, it’s sort of an MP5 style stock, but it’s the best I could get) and a BT AK-47 barrel. It points well, and looks the part. I thought about putting an empty magazine on it. I picked up a polymer Pro-Mag, but the mag wants to be where the pressure regulator is, and I couldn’t come up with a way to make it fit all nicely, I could get a bracket and mount it forward of the pressure regulator as many folks do, but that screws up the ergonomics of the rifle, because the mag is too far forward. It is actually lighter than the AK, but once you add tank and hopper, it ends up being a little heavier. Paintball gun with tank and hopper When you add the tank and hopper, it doesn’t spoil the lines too much.
  • I’ve been thinking that Liz and I should try to get out and hike more. I feel a lot less stressed with my job, and have started to become restless. I need to get some cargo bars for my car, so that I can borrow my parents’ kayaks and explore the little lakes and tributaries around northern RI. Probably wouldn’t be a bad idea to go hike around as well. Maybe I should pick up a cheap used GPS on eBay and do the geocaching thing? Or, maybe I should just take a compass and hike. I had a compass, I should probably find it. Heh, errant thought. Anyone want to join me? We can call it “Hike Club”. 😉
  • Liz was watching Oprah. This woman was on where she divorced her husband and he came back, stabbed her something like 50+ times, then strangled both the kids. Now, aside from how tragic this is, I can think of two anti-gun responses: (1) That’s horrible! We should ban knives! (2) It’s a good thing he didn’t have a gun, otherwise, she’d be dead, because she would have been shot! No one has actually said this, but neither would have surprised me. Oh, and stabbing people is basically as deadly as shooting them. Shooting them just has longer range, and doesn’t require a lot of physical strength.
  • Speaking of shooting, I managed to hurt myself shooting this weekend. I got a chance to fire a Smith and Wesson Model 500. This fires bullets that looks like this. Now, that’s a bullet that is 1/2 inch wide, in a casing over an inch long, full of powder. Anyway, it was so powerful, and I was holding it so tight, that I managed to pull the muscles on the back of my hand – you know the muscles that you use to make a tight fist. This has never happened to me before, and is a little disconcerting. But then again, that gun was basically a round almost as powerful as a rifle, with nothing to eat up the recoil (such as a bunch of moving parts which chamber the last round). Just a little nuts.
  • I bought new shoes this weekend. It was a “buy one, get one half price” deal, so I got some slippers too. I feel old, since they’re Dr. Scholl’s, which makes me think “orthopedic”. But, man are they comfortable. I need to buy socks, too. And underwear. I guess I’ll have to head to Target or something. I should probably clean and polish my boots, too. They look like crap.
  • We have 5 foot long animatronic deer on our lawn now. Liz wanted them, because she likes them. Each one has 300 little lights on it, and they move. I’ll try and grab pictures some evening. I had already taken my coat and shoes off, so I didn’t do it tonight.
  • Lobsters amuse me. What better thing to do than take a bunch of territorial arachnids and stack them in a tank. That must drive them nuts.
  • Elk meatloaf is yummy, especially when Liz makes it.

Copy protection bites MS in the ass

| October 7, 2005

Link

Nutshell version:

  • Sony caves to Fox and adds strong copy protection to Blu-Ray format. This protection is supposed to “stop piracy”, but basically the concern is that it will only play movies in an approved DVD player, and not in PC's.
  • Since MS's XBox 360 plans center around a standard DVD drive and streaming movies from a PC to the XBox, this potentially throws a huge monkey wrench in their plans.
  • Meanwhile, the PS3 will have a Blu-Ray drive, so it can work like a normal DVD player.

See little children, copy protection is BAD. You could do way more cool things if there wasn't any copy protection.

Oh, in a related story, Sony was telling people how to circumvent their own copy protection in order to be able to put the CD's on iPods. Link

Survival stuff

| September 2, 2005

Okay, maybe I've gone a but nutters, or maybe I'm just really thinking about this seriously for the first time in my life. I always kind of scoffed at my dad's doomsday preparations, but this Katrina thing has got me thinking – what if we had to evacuate? What if we have to live without electricity for a couple months?

Now, I could go nuts and buy a pile of MRE's, but realistically, they're expensive and only good for 3-10 years (depends on storage conditions). Might just be good to keep a decent pantry supply of food, which we eat before it goes bad and replenish. We already keep a pantry of canned goods for general cooking; buying some extra and sticking them in a rubbermaid tote and just making sure to eat and replace them before they go bad isn't that much of an expensive or inconvenient proposition.

Neither is picking up a couple 20 gal diesel fuel cans and keeping them filled. My car can go over 1500 miles on 40 gallons of diesel, and diesel never really goes bad.

Then it's just what else? Water, toilet paper, some fire starting gear, tent, sleeping bag, etc. Maybe a couple hundred dollars worth of stuff. Make sure it all fits in the car with 2 people, and we're good to be evacuated.

Basically, I'm looking at 2 scenarios: 1.) Evacuation scenario with at least 1 hour warning (such as evacuating New Orleans) 2.) Non-evacuation with simple loss of power for at least a week, with 4 weeks as a realistic maximim.

I'm NOT worried about terrorists (can't really prepare for that anyway), invasion by a foreign power, etc., though the stuff we do may be applicable to that situation.

Same thing if we lose power for multiple weeks because of a blizzard or whatnot.

I'm also not in a panic about this. My dad let me borrow a survival book written by an SAS guy, and I'm just thinking of reading up and laying out a reasonably comprehensive and affordable plan over the next six months.

The New Orleans situation also wakes me up to the savagery to which people can be driven by desperation. While I realized this on some level, I didn't quite realize it on a visceral level. Consequently, my .45 is leaving me feeling a little undergunned (handguns are that which you use to fight your way to your real gun). Right now, I have:

  • Kimber Pro BP II semi-auto pistol in 45 ACP (main defensive piece)
  • Walther P22 semi-auto pistol in .22 Long Rifle (light holdout piece)
  • Marlin single shot rifle in .22 Long Rifle
  • Ruger 10/22 semi-auto rifle in .22 Long Rifle.
  • Liz's lever action Marlin in .22 Long Rifle

Now, the first two are fine defensive combat arms, and the last three are fine plinking guns, but quite frankly, I'd like something a little more realistic. So, the sort gun list is now (in order of priority): Vepr K in 7.62x39mm Uberti Cattleman 2, Gunfighter edition in .45 Long Colt Henry Big Boy in .45 Long Colt

The rationale is simple:

  • I need a quality military rifle for long range engagements. That's what the Vepr brings me. AK reliability, and the stopping power of the fine 7.62×39 cartridge.
  • Now, the other two are “fun” guns, but still perfectly accurate, useful and deadly. I'll be getting a gunbelt and holster for the Cattleman, and likely a second holster for my Kimber (I have an “inside the waistband” concealed carry holster, but it doesn't hold spare mags). Now, it will look a little cliche'd with the “old west” motif, but a .45 Long Colt will put you down just as well know as it did 150 years ago, and the rifle will be damned accurate. So, this leaves us (Liz and I) each with a rifle and each with a pistol, all in hard calibers.

A longer list is likely to include a bolt action rifle in .308 (7.62x51mm), which will probably be a Kimber Montana. This is a long range hunting/sniping piece, that will be discarded if push comes to shove, though Liz might keep it over the Henry (her call). A shotgun (high quality pump or semi-auto) would likely round things out nicely.

A lot of the gun choices depend on what Liz wants. Ultimately, in a SHTF (Shit Hits The Fan) evacuation scenario, I want her to be comfortable with whatever she's firing. Since she's grown up with hunting rifles with bolt and lever actions, it makes sense to go to what you're comfortable with. Combat is a scary thing, and you don't want to have to think about how to shoot the gun; you want the muscle memory to take over. Personally, I know exactly how to shoot a .45 – I can do it in my sleep. Of course, I've put about 1000 rounds through mine already, so I'd better have an idea how it works. Plus, it's kind of hard to screw that gun up. The 1911 is a perfect design, John Browning was a genious, and you kids can take your fancy Glocks and shove 'em…. ;-).

Apple update

| April 9, 2005

Okay, so the Mac is almost done being set up. There are a couple things left, and I'll get to those later.

First, it looks like ps2pdf is broken under Ubuntu Hoary. I've filed a bug report. I'd appreciate if people can try it on their systems and see if it works or not.

Second, someone has found a legitimate OSX local root compromise. Basically, a trojaned app could run, wait until it sees a call to sudo go off, then executed something itself. Congratulations on finding a legit vulnerability in OSX, as well as every other Unix distro using this mechanism. It's not a new thing. This has always been the problem with sudo when set up to run things in a desktop context (when running from the terminal, it can be locked to the terminal).

Anyway, installed bits: DoubleCommand – Since I’m running the Mini off a PS/2 KVM with a PS/2 -> USB converter cable (the only such conversion I’ve ever found that actually works), and my keyboard is a standard 101 key PC keyboard (no Windows keys), I don’t have a command (open apple) key. This creates a decided problem. So, DoubleCommand lets me remap Alt to Command (which is actually in the same spot as Command is supposed to be). It also has the side benefit of changing it so that the Home/End keys work as they do on PC’s. Apple’s X11 – This was not included on my Mac Mini’s install DVD (at least, not that I could find), so I needed to download it. Gimp.app – This is one of the many Gimp packages for OSX. It requires X11, and works just fine with Apple’s. Mozilla Thunderbird – Because Mail.app behaves very strangely when dealing with IMAP+SSL. It’s supposed to be a lot better in 10.4. We’ll see. Mozilla FireFox – Note that this one was a little special. As explained in the article, the stock FireFox doesn’t use the right input handler API, which is why it doesn’t handle middle-click properly. The poster fixed the issue in his patched version of FireFox. Also note that this is only installed for compatibility with my other machines – since all my bookmarks are in FireFox’s HTML format, and Safari won’t import them, the only nice way to get access to the bookmarks is to install FireFox. Sure, I can open the bookmarks in Safari, but that’s just ugly. However, Safari is much faster on OSX and therefore remains my default browser. Hopefully, Apple will add an “import bookmarks” feature. Neo Office – This is a native port of OpenOffice, which doesn’t require X11. XJournal – LJ Client. Works nicely. Fink and Fink Commander – Apt-style packages for OSX. Haven’t done much with this yet, except installing Gnome and KDE and then removing them when I scrapped my 2 desktop idea because it was taking too long. Destop Manager was the one who told me about this. Anyway, it provides multiple desktops and cool switching effects. QuickTime Ogg Component – So I can play Ogg files in iTunes. Things I considered installing and didn’t, or tried and removed: iTerm – It was nice, but I didn’t see why this was so much better than Apple’s stock terminal. So, I removed it. DarwinPorts – I was actually going to install this to get XFce (see the XDarwin discussion, below). Then I saw that there wasn’t an installable package and that I was going to have to get it from CVS and that it was basically going to be more trouble than I cared for. XDarwin – Thanks to for this one. It’s actually REALLY good. You can executed as a full screen session and flip between (you’re supposed to be able to do this with Apple’s X11, but I haven’t tried). Anyway, I was originally going to try to have Cocoa and X desktops running in parallel and flip between them. The problem with this was that Fink didn’t have an XFce package. I did get KDE and Gnome running just fine (it was trivial to install), but as I worked on this problem, I started to care less and less, especially since my Linux desktop is just a KVM flip away. Problems fixed – I wanted to make an icon to mount the network shares on my core server. I finally figured out that a nice way to do this is to mount it by your favorite method, then right click and choose “Make Alias”, then drag the alias to the dock. But, it has to be on the part of the dock next to the trash, where you can drag documents and stuff. Of course, this led me to the document explaining the Top Nine Reasons the Apple Dock Still Sucks. Bear in mind that this guy was “Apple Employee #66, Apple’s first Interaction Designer and only Human Interface Evangelist”, so not just some random crank. (Well, maybe a crank, but not random). I think he’s right. Problems needing fixing – My local DNS is broken. My WRT54G serves out DNS names for itself and all machines in the house. The Linux and Windows machines have no problem with this. The macs seem to hate it for some reason. I don’t know why and have to look in to it, and just haven’t yet. Of course, it means that printing is broken until I do. – I need to figure out how to make an entry for the dock that launches a script. – I need to figure out how to make additional bins/drawers/folders/menus/etc. to contain less frequently used icons. You know, click drawer, click icon, drawer closes and app launches. Misc opinions and thoughts – The fact that you can’t shift+home or shift+end to select text in an input box in Safari really pisses me off. – Finder’s behavior in accessing FTP sites is annoying. I wanted to get a pile of stuff and ended up just doing it in a terminal because copy/paste wasn’t working. I could have drag & dropped it, but that would require opening 2 finder windows (one for the FTP site, and one to navigate to the desired target folder). Conclusions – This is not going to replace any of my Linux machines (they’re just too “set up exactly perfect” for what I want. – This does have a lot of really good applications that I want to use (which was why I bought it). Also, I haven’t made much progress on Linux/Mac video comparison (been busy), and since I want to actually get some video projects done, I think I’ll do them in iMovie and go back and do the comparison when I have a chance.

More on the Word rant, Biometrics and the new Napster ads

| March 8, 2005

Remember this link? Well, there was a point to it, which was that I fail to see how Word is used for document preparation. If you do any work of any length a variety of things go wrong with it (oh, and I found another one – the blinking cursor goes away after your document gets too long as well). So, let’s break it down. Pro:
  1. Quick learing curve
  2. Industry standard
Okay, so 2 is what I’m trying to figure out, and seems like a circular argument – Word is an industry standard because it’s an industry standard. As for the quick learning curve, I concede that Word is quick to learn. However, so is OpenOffice. Now, I’ve heard OpenOffice characterized as the little kid trying to stand up to Microsoft’s Office. Well, when it comes to the document portion of the suite, it seems good enough to me. After all, it can’t be much worse than Word. I guess what I’m led to after this experience is that Word is useful for quickly and easily writing up a letter to your grandmother, but (like most Microsoft products) is not really suited for real work (their “we see your vision” commercials notwithstanding). No wonder people using Word to write books break them up into chapters – it’s the only way to keep Word usable. Speaking of commercials, I saw two of them that bothered me:
  • The IBM Thinkpad commercial demonstrating their biometric security systems. This is a fine commercial demonstrating a bad system. Biometric security is BAD. The problem with using it for authentication (note that I’m not saying ID here. Biometric ID’s are fine. After all, they already are – there’s a Photograph on most ID’s, which is a form of biometric identification) is that if the system were to be compromised, you can’t change it except to migrate to another authentication mechanism. Authentication should be done in one of two ways – what you know or what you have. What you know are things like passwords, answers to secret questions, etc. What you have has a longstanding precedent: your house or car keys. These two methods are simple, they work, and, most importantly, they can be changed if compromised. Change your password, change your locks. Easy. The problem is that if biometrics are used for authentication purposes, then what happens if they are compromised? For example, say that you use a fingerprint reader. I hire a sexy operative to chat you up in a bar. I’m two seats down. She gets you away from the bar, I get your class. I lift the prints and make a false finger with your fingerprint. Congrats, I now have your authentication mechanism. If the whole system is predicated around it, then you need to change the system to something else, because you can’t change your fingerprint. Congratulations, you’re screwed. Now, if people want to use biometrics for identification, that’s fine. I’d have no problem with a retinal scan + password combination. After all, that’s just like username and password. A similar system would be a voiceprint + spoken password combination (although the possibility that you might be overheard concerns me). What is the best way? I’d like smartcards, except that people would have a tendancy to leave them in machines for convenience. Bear in mind, you can’t make an authentication system too complex, because you’ll end up causing people to take shortcuts to make life easy. For example, when you enforce a monthly password change policy and strictly enforce strong passwords, users forget the password and end up just writing it down, which compromises any security you think you have. A better idea is to do a yearly or 6 month change policy, with a strong password validation. That way, people have time to remember it.
  • Napster I’ve finally seen the new Napster ad. For those of you who haven’t they basically posit that it will take $10,000 to buy enough songs to fill up your iPod. However, you can fill up your other random music players with songs from Napster for just $15 a month. However, there is a little bit of fine print at the bottom of the last screen of the ad (where they show the napster logo), which says (I’m going from memory here), that: “subscription must be maintained in order to keep access to songs”. That’s right. Any music that you buy goes away if you stop the service. Nice, hunh? At least with iTunes, you own the song. Now, one might ask how this is technically possible? Well, WMA has DRM functionality built into it. They can revoke access to any DRM-ed stuff at the whim of the “content provider”. Nice to know that this is going to be included in Word documents, isn’t it? Stops those pesky whistleblowers from emailing, printing, or copying Word documents to “unauthorized devices”. Plus, if you do manage to get it out, your reporter’s copy of Word will refuse to open it. OpenOffice won’t help much, because it will be encrypted, and circumventing that encryption would violate the DMCA. Welcome to Korporate Amerika, citizen.

Debunking the "window of opportunity" security myth

| March 7, 2005

There have been a couple of articles that have come out in the past few months detailing how Windows is more secure than Linux. This is the most recent. The problem is that all of these studies stuffer from a fatal flaw in their common logic.

The logic is to use the method factors in the number of reported (aka publicly disclosed) vulnerabilities. More vulnerabilities, less secure. There is also discussion of the “days of risk”, which is a day when there is an open, unpatched vulnerability. There is one big problem (and a bunch of little ones) with this logic – Microsoft cheats. How? Well, Microsoft certified partners are required to report vulnerabilities in Microsoft software to Microsoft and only to Microsoft. If they report the vulnerability to anyone else, they lose their certified partner status. (This may apply to other levels of Microsoft affiliates and licensees; I'm not sure of the full scope of this stipulation). Consequently, a large number of vulnerabilities in Microsoft software are either fixed immediately after being publicly reported (because MS has the fix when they announce the bug), or are never disclosed to the public. After all, what better way to keep confidence in your product then to sweep things under the rug?

So, this lowers both the number of reported vulnerabilities (which, is the number of vulnerabilities reported by Microsoft, not to Microsoft. Linux vulnerabilities, on the other hand, are typically reported to the package maintaner, not the distribution vendor. Therefore, the vendor has no control over disclosure of vulnerabilities. In some cases, they hear about it when everyone else does, which may be quite a long time before the patch comes out, depending on the complexity of the problem. Additionally, the divisions in the security community about limited disclosure (disclose to the software vendor only), vs. full disclosure (disclose to the public at large) seems to fall along source code development methodology lines (closed vs. open source). Since the open source development model is inherently open, their bug reporting is equally open. The closed source model favors secrets, and the vulnerability disclosure often reflects this.

So, this increases the number of Linux vulnerabilities reported, and decreases the number of Windows vulnerabilities reported.

Don't forget that the “severity of vulnerabilities” issue doesn't hold much water either – after all, there is no consistent grading system for vulnerabilities, so one person's Moderate might be another person's Severe.

Finally, the Linux results are skewed in favor of more vulnerabilities merely because Linux distributions include more packages. Does Windows include an office suite by default? Nope. Multiple databases? Nope. Multiple desktop environments? Nope. High class backup software? Nope. Featureful CD mastering applications? Nope. Most Linux distros come with all of these, many as default options, and often with multiple versions of the same class of application (multiple word processing suites are not uncommon). The more applications, the more potential for vulnerabilities.

I'm baack!

| August 11, 2004

Edit: Fixed malformed html in the second link.

Hello all! Moving is basically complete, and I'm pretty much caught up on all my emails, so it was time to update my journal again.

Links:

Here is a link to a fine paper on vulnerabilities in Internet Explorer. In a nutshell, there have been vulnerabilities for almost a year that can let people take over your computer just by visiting a website.

This is an interesting discussion about the US and our place in the world. Unusually for me (or perhaps increasingly usually as I get older and less morally outraged), I'm taking a more laissez-faire attitude towards things. Have a read, and flame on.

Arthur all tuckered out Arthur all tuckered out Mikey gets the catnip Mikey found catnip in one of the bags, and proceeded to scatter it about the kitchen. Liz's bed Liz’s bed – the purple passion pit. Closets We have walk-in closets! Dining room A shot of the dining area. Living room A long shot of the living room. You can see the color very well against the far all. At the top (hard to see) is the light fixture we wired in. It’s kind of a squiggle with 3 halogen lights on it. My office My office. Not a bad view out the window, kind of cozy. View 1 This is the view I see when I wake up. View 2 This is our “water view”; a small pond in the back. This is a good shot – you can’t see the concrete manhole at the end.