Monday 3 December 2007

It costs one quid..

As you may know in the UK, the cost of petrol is now over one pound per litre. Another bone of contention is the price of eggs. The price of a normal box of half a dozen eggs used to be 65 to 70p but to my horror I discovered they were now selling at 99p! I've noticed a similar excessive increase in price for mixed grapes and salmon at my local supermarket.
The egg price has been picked up in the digital spy forums and could this be the reason for the price increase?

Sunday 2 December 2007

London Perl Workshop

Yesterday, I attended the London Perl Workshop just to see what stuff is out there in the Perl world. There was some interesting stuff discussed. I should look into more of these details. I badly need a new (used) desktop with Linux. I'm still of the opinion things are better that way for Perl development. I bumped into a couple of acquaintances as well! One of the funny things that happened was someone brought in a cowbell and played it at the end of the workshop and made reference to more cowbell in a Saturday Night Live sketch, at which point I started playing the video loudly.

I also bought a couple of books, Intermediate Perl and Mastering Perl, for work.
But I will have a look at them first. ;)

Wooshy Changes

I've decided to change this blog a bit. I am going to make this a more general tidbits blog rather than a technical-only one. So anything can and will go here. I'll just say what I see. I've been thinking what that might entail.
  • Coding (Perl, Java...)
  • Security (Issues, vulnerabilities)
  • Social Networking (Facebook)
  • Computing (anything not mentioned above)
  • Sport/Gaming
  • Entertainment
  • Music
  • News
  • Travel/Food & Drink
  • Misc stuff
I've started to post a fair bit on a friend's techno blog at michaeldaw.org

Tuesday 27 November 2007

Perl Threads

One of the things when dealing with some Perl articles is that some of the code may be deprecated. The point is taken for threads. The old "Thread" package is mentioned in the code snippet. However, the perldoc.perl.org reference discourages its use...

For old code and interim backwards compatibility, the Thread module has been reworked to function as a frontend for both 5005threads and ithreads. Note that the compatibility is not complete: because the data sharing models are directly opposed, anything to do with data sharing has to be thought differently. With the ithreads you must explicitly share() variables between the threads. For new code the use of the Thread module is discouraged and the direct use of the threads and threads::shared modules is encouraged instead.

Furthermore, when coming to use the new "threads" package, the first thing I encountered when replacing the above script was "A thread exited while %d other threads were still running". I don't think the advised solution from perldoc.perl.org is all that helpful. It says:

A thread (not necessarily the main thread) exited while there were still other threads running. Usually it's a good idea to first collect the return values of the created threads by joining them, and only then exit from the main thread.

Which I followed... Except that using join in this case ran each thread one at a time. The above statement to me implies the problem lay with the other threads exiting. But when I tried to use sleep in the child threads, I still had the same issue, except naturally I had to wait for the same response. The solution is in fact to ensure the main thread doesn't exit before its child threads complete, as demonstrated in this forum.
An example on how to avoid this would have been useful.
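The pattern described above, as an added example that is not from the original post or the linked forum: start every thread first, then join them all, so the workers run concurrently and the main thread cannot exit ahead of them. It assumes a perl built with ithreads support; the `worker` sub and its delays are made up for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use threads;

# Hypothetical worker: pretend to do some work, then hand a value
# back to whoever joins this thread.
sub worker {
    my ($id, $delay) = @_;
    sleep $delay;
    return "worker $id finished after ${delay}s";
}

# Start ALL the threads before joining any of them. Calling join()
# straight after each create() blocks until that thread has finished,
# which is what makes the threads run one at a time.
my @threads;
for my $id (1 .. 3) {
    push @threads, threads->create(\&worker, $id, 4 - $id);
}

# Now collect every return value. The main thread stays in this loop
# until the slowest worker is done, so it cannot exit early and trigger
# "A thread exited while %d other threads were still running".
for my $thr (@threads) {
    my $result = $thr->join();
    printf "tid %d: %s\n", $thr->tid(), $result;
}

# In scalar context threads->list() counts the threads that are
# neither joined nor detached; it should be 0 before we exit.
my $left = threads->list();
print "threads left unjoined: $left\n";
```

The whole run takes about as long as the slowest worker (3 seconds here) rather than the sum of all the delays.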

Thursday 22 November 2007

Perl Networking

A couple of useful links here are at linuxjournal and perlfect.

Friday 12 October 2007

Facestalking

I picked up this thing about facestalking. You can view other people's pictures and see what they are up to. However, you do need to add friends for this. Or do you? It looks like you can view other people's profiles without friending them. If you go into 'privacy' and then 'poke, message and friend request', you can see who can see your profile.

I'd be very careful who you friend as this man found out the hard way.

So much so, it looks like some workplaces are barring them.

Thursday 11 October 2007

Poker and hacking

This hasn't come as a big surprise. Poker has gained a lot of positive media. Every other celebrity seemingly wants a piece of the action. Combine an interest in this with the Internet, and it's hardly surprising that online poker has taken off.

Poker hacking? Is that possible? I mean you aren't likely to slide an extra ace into your set, are you? But there are a number of hacks and tricks that can be made. There is a good reference for online poker hacks that is not filled with too much poker lingo. The variety of hacks includes the bog-standard phishing, collusion and poker bots. However, most of these are on the client side. The server side seems safe as a reputable site would use certificates and cryptography.

Tuesday 18 September 2007

Perl and Windows

I've decided that Perl isn't up to scratch when used on a Windows environment. The lack of support for catalyst for windows is something that crossed my mind in the past. But now I've discovered how crap activestate's ppm (perl package manager) really is. I could hardly find any packages with images (let alone the right one). On further googling, it appears for example, GD (one of the main perl graphics packages) is not available on the activestate repository for whatever reason. This is discussed here

Thursday 13 September 2007

Sans Event in London

This just in, there's a training event offered up by SANS in good old London town!

Thursday 23 August 2007

Email cleaning

I think everyone can relate to this but I've spent most of the evening going through old email from 3 or 4 email addresses. Ok, admittedly I did this whilst listening to music but as you can see time can easily evaporate with old emails.

Wednesday 22 August 2007

IT Conferences / Exhibitions

IT Conference

Today's keyword is: IT Conference

Whilst looking for random conferences, I spotted this article about a group of hackers who wandered into a conference and spoofed a wireless login page so that whoever connected downloaded some nice worms and viruses. That's funny. It always turns out to be an inside job, doesn't it.

Anyhow, let's have a look at some good development and security conferences that may be of interest:
You can always join a developer community or two:
You can always attempt to shape great minds and gatecrash the party at Webdevconf [Bristol - Sep 26, 2007]

The Black Market for code

I was randomly looking for information on captchas. Actually I was looking how to spell it properly seeing I iz fick and can't speek or speel! I stumbled on this project to bypass the myspace captcha. Looking at other projects on this site, you can find projects to enter data to create myspace profiles and to create duplicate copies of websites.

I remember a long time ago looking for projects to work on at possibly a freelance auction but found that people would work for peanuts. I think if you put yourself on a cheap project, a lot of things can go wrong. For example, you might not get paid. You don't know what your client is like, they could be anal and could give you a bad rating for no reason. Ratings add to the unnecessary pressure.

So if you are looking for a project or looking for a laugh in general, have a look at the following:
Of course you could mock up your own auction site!

Credit Card Numbers

I've noticed that there's been an improvement on the credit card verification. A lot of online vendors now require exact details of your credit card. Not only the credit card number and expiry date but also the CVV number. The paranoid amongst us would always think people have our credit card details. That may or may not be true. But these days, most reputable online sales are done through a third party banking organisation.

Anyhow back in the good old days, you could always use a valid credit card number to complete a transaction. Here is the anatomy of credit card numbers!

Tuesday 21 August 2007

Useful Java/Perl/Javascript/Linux links

I find it annoying that I keep forgetting to grab the links I've found for certain websites that are worth pointing out that I have spent my precious little time researching.

Anyways I've decided to take a big step back and re-evaluate what are the key things that I like, use and need to focus on.

1. Java has always been on my mind even though I've barely touched it in the longest while. It's been knocked for being slow and clunky but it does have its place in server-side computing. http://java.net appears to be a good resource on keeping tabs on Java as well as the omega site http://java.sun.com

2. Perl. Ever since I went to yapc::europe in 2006, I've known about the good effort they have been putting into CPAN and Perl 6.

3. Rapid Javascript Development. Client side stuff. A lot has changed since I originally did web development. There's so much you can do. The basic knowledge is still there but there should be lots of tools to develop a quick application with fancy moving graphics and fancy moving windows. Firebug and Mozilla seem to be a common thing that's cropped up in searches.

4. Linux. A lot of the above languages go hand in hand with Linux. In particular, Perl's catalyst package has little support for Windows. This has to be a basic building block for me.

Monday 6 August 2007

Data Mining

You know going back to when I did my masters, one of the subjects I did was data warehousing and data mining on large-scale data systems. Well as you know Google is the quintessential data warehouse. We can get anything we need from Google. Not unless you've managed to keep yourself away from the Internet. Data mining is a set of specific methods for obtaining specific data.
Data mining has improved and now it looks like you can data mine the Internet for specific information about people. The obvious pro is you can find out about people you've lost contact with. The obvious con is you can find out about people and use that information against them. Whether this is for an interview, research or just plain old stalking.

Have a look at paterva! This online tool does a search of many data sets including social networks (e.g. myspace, facebook) and the Internet to find out information about an entity. I say entity, more than likely it will be used and abused to find out more about people. But then again this could be my warped stalker mind.

Thursday 2 August 2007

Anti-spyware

Interesting thing, a friend of mine noticed. His home PC was running real slowly with Norton Internet Security 2007. He ran a different anti-spyware software (Spyware Doctor which has won a couple of awards) and this picked up no less than 134 bits of spyware that Norton Internet Security failed to pick up.

Norton don't detect spyware very well...

You should really run different anti-spyware packages against your PC as different packages pick up different things. However this should be in scan mode and not in monitor mode. More than one resident anti-spyware might make your machine choke, as discussed on Ask Leo

Monday 30 July 2007

Privilege Escalation on all Windows

Whilst looking for potential privilege escalation vulnerabilities, I found this gem regarding kernel exploitation:
Windows VDM Zero Page Race Condition Privilege Escalation (MS07-022; BID=23367; CVE-2007-1206)

Monday 23 July 2007

i can't right click and i can't see the source

I found an interesting site whilst looking for photos of myself. It's at http://www.myeventphoto.co.uk If you dig further in the site, you will find galleries where you would have to pay for photos. I think to myself I just want a little snapshot. But the site looks to have Javascript code to stop you viewing the source and right-clicking. It looks well locked down.

However, remember files may be stored in Internet temporary directories and sure enough I found a photo of myself in there. You could stop the prohibitive nature of the application by disabling Javascript!

Tuesday 17 July 2007

Facebook can be used against you

It was reported that the university authorities are using facebook to throw the book at students at Oxford University. The student union are urging students to tighten their security settings so that not many details can be viewed.

Have a look at: http://news.bbc.co.uk/1/hi/education/6902333.stm

Also in a news article, I saw these interesting facts:
* A survey of 600 British companies showed that 1 in 5 had logged on to Facebook and similar websites to vet potential workers.
* Five students were banned from a school trip in Toronto after disparaging remarks about teachers were found on Facebook.
* A US consultancy rejected an applicant after reading that his interests included "smokin' blunts with the homies"

To be fair, I've started using facebook to catch up on old friends. But trying to keep myself as anonymous as possible. If you can call it that. But I am beginning to find already, it's not what *you* put on facebook that could give information leakage. It's what other people put in their facebooks about you. e.g. photos, etc.
But as I say to myself. There's enough information out there about me to paint a picture. But nothing substantial.

Monday 16 July 2007

Java and flash patches

I'm falling behind guys because my social life gets in the way. I'll try my best to throw lil tidbits from now on in and show what is in this empty head of mine...

Interesting how vulnerabilities and patches were released for both Java and Flash on Friday the 13th. I'm still not superstitious!

Have a look at: The Register's take on those two patches.

Sunday 1 July 2007

Careful what you say...

I remember an old work colleague telling me, "Look I'm going to tell you something really important about work but I'll tell you later". The reason I found out later was that you never know who was on board that train from London. And you know he is right. When you are in public, you represent a number of things, yourself, your family, your religion, your country and your workplace. You have to be careful what you say. Admittedly, you are not likely to be famous and no-one is likely to care. But people will overhear and remember things like anger, swearing and anything illicit. I remember from a kid's story that the 'corn has ears' and can pass messages when the wind blows through the cornfields.

I am a firm believer in keeping a low profile and not drawing too much attention to oneself. You will always leak information about yourself but you can certainly control the amount you give. The less information you give, the less information people have to use against you and the chances of such things as ID theft happening become slimmer.

Similarly that's why I am not keen on social networks, I mean all the data going into the databases. For example check out: mobuzz on facebook and does what happens in the facebook stay in the facebook
Now I do have a myspace and a facebook but I am trying to leak as little information as possible. The only correct thing you should need is an email address. But again in a public arena, with data bound to be logged, you do still have to be careful what you announce. Hmmm is everything we say logged? I mean I was a bit mortified to realise all my gtalk discussions were logged within gmail. I mean all your most intimate conversations are logged, and if someone broke into this feature then that would cause all kinds of brown stuff to hit the fans. Can we trust yahoo or hotmail in the same vein?

Referring to the mobuzz video once more, amazon and ebay appear to store information about you and that's become more apparent with the fact that you cannot close your accounts with them....

So in summary, be careful what you reveal about yourself...
BE CAREFUL WHAT YOU SAY!!!

Saturday 2 June 2007

getopt revisited

Well, been tidying some scripts that will generate a list of mp3s and modify them as need be so that they are wooshy-friendly. As much as you should write modules, there's nothing like getting a quick 10-line script that uses a module.

Anyhow, Perl's Getopt modules have got a little complicated over time, i.e. there are 7 or 8 of them available and they can get confusing. Namely, you can mix up Getopt::Std and Getopt::Simple quite easily. The fact that Getopt::Simple is actually a wrapper for Getopt::Long makes it worse. So in actual fact Getopt::Simple is not all that simple at all.

I would use Getopt::Std if you want something quickly done with some options, albeit in the form of one dash / one letter. For something a bit more complicated, go for Getopt::Long. Forget the rest...

Links:

Google Keywords: perl, getopt, getopts

Sample Perl Code:
#!/usr/bin/perl
use strict;
use warnings;

# The Std version of Getopt allows for the processing of single
# character switches
use Getopt::Std;

# The hash %options is initialized and will store the switch as
# the key and the switch argument as the value
my %options = ();

# the "\" passes a reference to the %options hash
# "a" is treated like a flag while "b" needs an argument after
# the switch is called, indicated by the ":"
# getopts returns false on an unknown switch or a missing argument
getopts("ab:", \%options) or die "Usage: $0 [-a] [-b value]\n";

# "defined" is a perl function that will return a boolean depending
# on if the variable in question has been previously defined
if (defined $options{a}) {
    print "You have selected the option -a and its value is \"$options{a}\"\n";
}

# "defined" is used here as well: a plain truth test such as
# "if ($options{b})" would skip valid arguments like "-b 0"
if (defined $options{b}) {
    print "You have selected the option -b and its value is \"$options{b}\"\n";
}

Wednesday 30 May 2007

Google is your friend - You can find anything, well almost anything

As a friend once said to me, 'Google is your friend' and you can find anything.
Some searches are easy, some are hard and some are downright frustrating. Looking for something popular, e.g. perl, mysql or david hasselhoff, it's very easy as what you are looking for is usually at the top of the list and on the first page of Google.

Looking for something in particular and generally not as well known is a little harder as what you are looking for is unlikely to be at the top. Take 'Jo King' for example. There are probably more popular people and organisations with that name. Naturally, you would enter some additional points to identify your 'Jo King'. Even then you still have to be even more specific. That's the frustrating and time-consuming part.

Just as frustrating is when you can't find any details about the subject or the exact context.
e.g. you are searching for an example of how to do a perl build...

Conversely, I am trying to get my name out from the Google search engine as much as I can but unfortunately my name is tarnished and a few results pop up, albeit it's old stuff. A few months ago, I discovered my name and address listed on alexa due to the fact that a previous domain that I let expire still had my details even though it was bought out by someone else. It was a bit of a mission getting a contact to erase these details. I remember I had to change these details in two places as well.

Anyone who doesn't have their name found in Google is doing a great job. I have pay due to my ex. I can't find anything on her!

Anyways you can find a lot of stuff about companies. One thing I am getting good at is finding ip address ranges of companies just by name/location. The first thing to do is find a domain name. Most companies will have a site. The next thing to do is to do a whois on it. You will probably find the domain is hosted. However, it is likely that the company, if they are connected to the Internet, will have other services like mail services, proxies, etc. All these services should connect somewhere to the Internet and like I say, 'like Shakira's hips, the logs don't lie'.
Logs can be found by searching Google. So do a random search on the domain name found plus a keyword that would trigger log-files being found (e.g. log, vpn...)
Once you have a sub-domain, do a lookup and whois to get their range and see if they own it.

Buffalo - Buffer Overflow?

That's right, I want to talk about buffer overflows or if you say it too quickly... buffalos!
The oldest trick in the book. A program uses memory but anyone thinking unnatural thoughts could send something that is out of the scope of the allocated memory, hence the term, buffalo!
Buffalos can cause a plethora of problems such as:
  • programs hanging
  • denial of service on web servers, routers and firewalls
Useful Links:

Thursday 26 April 2007

Esri XSS

ESRI make and create maps and GIS systems. I have been looking at their website that uses their technology. Do a google search on "JavascriptFunction" and "Esri" and you will see that one of the parameters used with the java servlets is a callback named "JavascriptFunction". Usually, it is applied with the value "parent.MapFrame.processXML". But you can easily inject your choice of XSS. I fear this might cause a real problem for ESRI, though, as it could potentially take a little while to blat this problem out (looking from a developer point of view). I am trying to contact ESRI about it. Maybe I will release on bugtracker for a laugh! ;)
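One way a server can handle a callback-name parameter like "JavascriptFunction" safely, as an added example that is not ESRI's code or part of the original post: accept only dot-separated identifiers that are on an allowlist, and encode the payload before it goes into the script block. The sub names, the allowlist, the response shape and the sample requests are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Callback names the application really uses. The single entry is the value
# quoted in the post; the allowlist itself is an assumption of this example.
my %ALLOWED = map { $_ => 1 } qw(parent.MapFrame.processXML);

# Return the callback name if it is safe to write into a script block,
# or undef if the request should be rejected.
sub safe_callback {
    my ($value) = @_;
    return undef unless defined $value && length($value) <= 64;
    # Shape check: dot-separated identifiers only, so brackets, quotes,
    # semicolons and angle brackets can never reach the page.
    return undef
        unless $value =~ /\A[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*\z/;
    # Well-formed is not enough: the name must also be one we expect.
    return $ALLOWED{$value} ? $value : undef;
}

# Encode text for use inside a JavaScript string literal. Everything
# outside a small safe set becomes \uXXXX (BMP characters assumed).
sub js_string {
    my ($text) = @_;
    $text =~ s/([^A-Za-z0-9 ,._-])/sprintf('\\u%04x', ord($1))/ge;
    return $text;
}

# Build the response for one request as (status, body).
sub render {
    my ($callback_param, $xml) = @_;
    my $cb = safe_callback($callback_param);
    return (400, "invalid JavascriptFunction parameter\n") unless defined $cb;
    return (200, sprintf("<script>%s(\"%s\");</script>\n", $cb, js_string($xml)));
}

# Constructed sample requests, not captured traffic.
my @samples = (
    'parent.MapFrame.processXML',            # the expected value
    'alert(1)',                              # fails the shape check
    'parent.MapFrame.processXML</script>',   # fails the shape check
    'window.opener.location',                # well-formed, not allowlisted
);
for my $param (@samples) {
    my ($status, $body) = render($param, '<RESPONSE status="ok"/>');
    printf "%-38s -> %d %s", $param, $status, $body;
}
```

Only the first sample produces a 200 response; the payload's angle brackets and quotes come out as \u003c, \u003e and \u0022, so it cannot close the script element.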

Infosec

Well I went to Infosec on Wednesday (Apr 25), which is a more business-oriented internet security exhibition. It's good to know that there are exhibitions out there that are actually interesting and actually have some free goodies.

Anyhow, I got a lot out of this, particularly on SSL VPN systems. It looks like there are quite a plethora of solutions for this and endpoint security is something that simply isn't done that well from what I've seen from the big boys (Cisco and Checkpoint). I was impressed by Sonicwall, Wintegra and Zyxel. All of whom have some form of patch management, firewall/anti-virus and key logging checking. The cost of which may be lower than the big boys.

Sunday 15 April 2007

Let's get technical!!!

Greetings to one and all to my blog. I'll make no secret that I actually have another blog but this one is going to be more random technical musings. So enjoy...

Lately, I have been cooking up a perl module that I started on well over a year ago and then stopped until a month ago. It's an mp3 playlist generator. What it does is scan a given directory for files and print the mp3 (id3v2) tag in csv/xml format. A CSV can be imported and mp3 tags can be reset. I've updated the module to update mp3 tags, check for duplicates and missing files in the imported CSV files.
The bottom line is I want to regenerate my playlist but also update the mp3 tag information to something I like (i.e. usual facts/trivia in the comments field).

I am probably my own worst critic when it comes to anything but I find I am a bit slow in coding. Mainly because I have a horrible nerve in getting things done properly. How other coders manage to program software amazes me, you will always miss something. The Test::Harness Perl module helps loads. I couldn't believe how many small mistakes (not enough to cause problems in regular program execution) I had made when I tested out the module I wrote.

I probably should try and release it as a CPAN module but I suspect that it is a bit specific.
My next pet project is to integrate that module with databases.

The weird thing is right now, because I have recently changed roles at work and moved away from coding, I kind of miss it...