mark :: blog
Had an interesting week wading through vulnerability details and the various advisories which never really seem to match the facts. Take one Linux vendor, for example, who got confused about the Oracle mod_dav vulnerability and, even though they were not affected by the vulnerability, released new Apache mod_dav packages. To add to the confusion, their newly released errata packages actually included a patch which introduced the vulnerability. So they started out not vulnerable, but then released a patch which was meant to remove the vulnerability and actually made them vulnerable. No wonder folks are confused. Wrote a bit of a rant about it in Apache Week this week.
Back to work on Monday, but this holiday I've managed to avoid doing real work by playing with the home automation system. I've now finished converting all the components to Jabber bots, written a control client, and got all the one-wire Dallas switches and sensors up and running. Some screenshots are available.
I hope Google extends the shopping idea to the UK; I've wasted too many days this holiday looking for stuff for the house - just trying to find the right table for our kitchen took two days - I just want to search for a round glass 90-110cm table plus four chairs for under 400 pounds and click on 'buy me'.
The months just fly by. I ended up spending a lot of time on the presentation and the final paper came in at about 40 pages. I'm pretty pleased with it, see my site for a PDF version. For some reason the paper was not included on the conference CD which really sucks considering I got it in before the deadline (and before some of the other papers that made it on to the CD). Anyway, it's on my site so take a look.
Just back from ApacheCon in Las Vegas; a little more budget than previous years, but all that matters is that the content is being delivered by experts, right? Hmmm, well, talking of which, I made a serious judgement error on the amount of material in my talk and ended up covering only 75% of what I put in the paper, which sucked. I'd spent a lot of time getting the presentation just right too, so it was a little devastating to find out I only had 30 minutes left with over half the material still to go.
We got some ASF keysigning going on, but the BOF was scheduled for 8am so some of the main ASF folks were not around to take part which was a shame.
We had a good time in Vegas, getting to see all the sights including the Star Trek Experience again, get out to Red Rock Canyon, and still have time to win about $40 on the slots.
Had a cold today so didn't get anything done on my presentation this evening; instead I did something that required little work and hacked more Perl for the home automation system. There are now four Jabber bots online. A common thread is that you can message them to get some status information, or send them instructions to act on; also, if you've got them listed in your roster they'll send you an update with their status every minute.
At the moment the UPS bot gives you interesting status reports and notifies you of emergencies. The ADSL bot tells you about the cable modem link signal strength and so on. The TiVo bot is rather cool: it tells you what it's currently watching and a few status indicators, and in return you can pop up a message on the screen or send a message to be viewed in the message centre. The final X10 bot lets you control X10 things in the house, just some lights at the moment. It doesn't yet report the status; that seems not to work.
I'm having problems getting Perl to deal with the parallel ports correctly, so I can't get the alarm, SMS or heating controls to work yet. Also these bots are complete hacks and return the information in pseudo-XML (a random made-up DTD), and I've not thought about messages vs groupchats vs iq oob for the data. Anyway, it's much fun being able to message the living room lights to turn to 30% brightness.
So I've been spending some time trying to work out what to do with the home automation components - they're a mess of C and Perl that have no real way of communicating with each other. I found this thing called xAP which is designed for home automation components to talk to each other, but it's based mainly on UDP broadcast datagrams - not something I'd trust to make sure things happened when my alarm was triggered. Plus some of the components already written are under a non-GPL, non-BSD license that prohibits commercial use, yuk.
Anyway, the idea was to look for something that would use standard components, where frameworks existed in Perl and C for me to write simple code, and to work on the principle of messaging - the UPS, for example, would respond to status requests and give you things like the temperature and voltage; with a heartbeat notification with the status included every minute; but with urgent alarms to anyone who registers an interest in getting them. What's the solution? Jabber! In about an hour I had a Jabber server running and a test Perl client doing just that; this thing will rock :)
Suddenly realised that in the next month I have to write and prepare for 5 different presentations. I'm talking at ApacheCon in November and want to make the talk extra special, so I'll take a couple of days off in the next week or two to make sure it has some interesting content. "Apache Security Secrets Revealed" although I've no intention of hiding behind a mask until the end :)
What a busy couple of days. It all started last month with a seemingly innocent DoS being reported to the Apache security team. jorton and I spent some time analysing it and found that although it wasn't exploitable on 32-bit platforms, it may well be exploitable on some 64-bit machines. Then started the coordination work with CERT.
Then, suddenly, the ISS team announced the same issue publicly, causing us to go into firefighting mode and release the advisory (which I'd fortunately already drafted and got positive feedback on), followed by seemingly hundreds of press calls, lots of additional analysis, and reading ISS say I was untrustworthy in some Chicago newspaper ;-)
Now for some sleep.
- Got interviewed for redhat.com
- I was initiated into the need to carry around more paper
- Had a few days of fun with Bryce and other US folks. Looking in the US for magazines on how to do interior US home design, although all I found was imported magazines showing how to make your US home look English. Grass, greener, etc.
- Went through far too many security points at airports and found that it's really important to make sure your laptop is charged when they want to inspect it
- Spent some time with the Mitre CVE people
Did an interesting interview last week for Red Hat about what I do and why I do it, with some very American questions like "Justify your existence". Anyway, that should be on the web site next week sometime and explains all about how I got involved with Apache and why I think buying a house is like coding software.
The cute Ericsson phone works over here in the USA and for the first time I've been able to hold working SMS conversations with the UK - saves me a buck or two.
Replaced my outdated paper log book with my todo list and notes with a system from Franklin Covey. Replaced it with even more paper - but according to the seminar this system will sort out my entire life and make me a better person.
Rest of my time has been dealing with various security advisories for Red Hat and investigating new issues. I'm off to see the Mitre CVE folks in a couple of days in Boston.
Tip of the month: When travelling, don't let your batteries completely run out, so that when you are asked to turn on your laptop at airport security there is at least enough power to light the 'your batteries are low' light.
Several hours later and I managed to find out the extended commands for the LW11G dimmer unit. I can't find these mentioned anywhere else on the web, so for future generations:
# Extended X10 control of LW11G dimmer
#
# Unlike other L*11* modules the LW11G
# seems to only respond to code 53. Set the data to
#
# 0 = immediate off
# 255 = immediate on
# 1-254 = slowly dim or brighten to that level, turns on if not already
Hi! I'm Mark Cox. This blog gives my thoughts and opinions on my security work, open source, Fedora, home automation, and other topics.