Oscar is a Python project that uses a Raspberry Pi with a UPC barcode reader to scan barcodes on items you keep stocked in your pantry or fridge. Ideally you scan an item when you run out of it, just before throwing the packaging or container away, and Oscar adds the item to your grocery list as a reminder to pick up more on your next shopping trip. Since it is written in Python, it could easily be adapted to run on almost any networked Linux device with a USB port. I've been working on a fork of it for Python 3/Arch using the miniature UPC reader from Adafruit.
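The scan-to-list step described above, as an added example that is not Oscar's own code. Most USB barcode readers enumerate as a keyboard and "type" the digits followed by Enter, so each scan arrives as one line of text; the UPC-A check digit is what tells a real scan from a misread before anything reaches the list. The pantry catalogue and the list layout are constructed sample data, not the project's storage format.

```python
"""Added example, not Oscar's own code: the scan-to-grocery-list step.

A USB barcode reader usually enumerates as a keyboard and "types" the digits
followed by Enter, so each scan arrives as one line of text on stdin. The
pantry catalogue and list storage below are constructed sample data and an
assumed layout, not Oscar's real storage format.
"""
import sys
from typing import List, Optional

# Constructed sample catalogue: UPC-A code -> item name.
PANTRY = {
    "036000291452": "Wrigley's gum",
    "012345678905": "Sample soup",
}


def upc_a_check_digit(digits: str) -> int:
    """Check digit for the first 11 digits of a UPC-A code.

    Odd positions (1st, 3rd, ...) are weighted 3, even positions 1; the check
    digit brings the weighted sum up to a multiple of 10.
    """
    odd = sum(int(d) for d in digits[0:11:2])
    even = sum(int(d) for d in digits[1:11:2])
    return (10 - (3 * odd + even) % 10) % 10


def normalise_scan(raw: str) -> Optional[str]:
    """Return the 12-digit UPC-A string for a scan, or None if it is not one.

    Readers configured for EAN-13 emit UPC-A codes with a leading zero;
    strip it so both forms map to the same catalogue key. A wrong check digit
    means a misread or partial scan, which must not reach the list.
    """
    code = raw.strip()
    if len(code) == 13 and code.startswith("0"):
        code = code[1:]
    if len(code) != 12 or not code.isdigit():
        return None
    if upc_a_check_digit(code) != int(code[11]):
        return None
    return code


def add_scan_to_list(raw: str, grocery_list: List[str]) -> str:
    """Process one scan, appending the matching item to grocery_list.

    Returns a status string so the caller can log what happened.
    """
    upc = normalise_scan(raw)
    if upc is None:
        return "rejected: %r is not a valid UPC-A code" % raw.strip()
    item = PANTRY.get(upc)
    if item is None:
        return "unknown: %s is not in the pantry catalogue" % upc
    if item in grocery_list:
        return "already listed: %s" % item
    grocery_list.append(item)
    return "added: %s" % item


if __name__ == "__main__":
    # Each Enter-terminated scan from the reader is one line on stdin.
    grocery: List[str] = []
    for line in sys.stdin:
        print(add_scan_to_list(line, grocery))
    print("Grocery list:", grocery)
```

Run it with the reader's input piped in (or typed by hand) and each scan is validated, looked up and de-duplicated before it lands on the list; a reader that emits EAN-13 is handled by the leading-zero normalisation.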
Welcome
This site contains articles and posts I’ve written over the years on career and technical matters. You can also check out past presentations I’ve given at various hacker and cyber security conferences.
Python indicator applet
In my attempt to code more, I've been looking for a purpose or a problem to which I can apply what I've learned, or that I can use as a reason to acquire new knowledge. One of the things I've been working on is a clone of a Mac OS X application an acquaintance of mine is writing. This has begun my foray into writing with the PyGObject API for GTK along with the Ubuntu GTK indicator API. Most of the examples I've found online use the PyGTK library, which is deprecated (GTK 3 going forward), whereas there is less documentation and discussion for PyGObject. In keeping with using the latest, I am writing it in Python 3.
Reverse XOR'ing WebSphere Passwords
Some of the lessons I've learned from the Matasano Crypto Challenge have already had unexpected practical application for a common issue I encounter at work. Sometimes people forget things, or don't document them, especially in dev environments (hopefully not so much in production). One of those things is passwords: passwords for database accounts, or for an account that has some authorization the application needs. If a dev forgets a password or can't find where it was documented, it's often better to just recover the password rather than reset it, especially if the account is used by the application in local dev environments, etc.
Python for fun and profit
I have been honing my Python skills on a couple of projects recently. One is the famous (or infamous) Python Challenge, which has been interesting, but it's not where I have spent the bulk of my time. The other is some work-related scripting in Jython for WebSphere, automating some tasks for developers (pausing and resuming activation specifications) in their test environment.
But what has challenged me the most and captured the majority of my attention is the Matasano Crypto Challenge. The nature of the challenge is that they send you several tasks to complete successfully using the language of your choice (in my case, obviously, Python), and in the process you learn about encryption. More to the point, you learn several basic weaknesses and common attacks used to break encryption.
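The two posts above meet in one place: WebSphere's {xor} password obfuscation is exactly the single-byte XOR the Matasano challenge teaches you to break. The following is an added example, not the author's own recovery script. WebSphere writes passwords as the literal prefix {xor} followed by base64 of the plaintext XORed byte-by-byte with 0x5f (the character '_'); that is obfuscation, not encryption, so when the key is known you simply reverse it, and when it is not, the Matasano approach of trying all 256 keys and ranking the outputs by how text-like they are recovers it. The sample {xor} value and the plaintext used for the brute-force check are constructed for this example.

```python
"""Added example, not the author's own script, for both the WebSphere
password recovery above and the Matasano single-byte XOR exercise.

WebSphere's {xor} "encoding" is base64 of the plaintext XORed byte-by-byte
with 0x5f (the character '_'). It is obfuscation, not encryption, so the
same Matasano technique applies when the key is not known: try all 256 keys
and rank the results by how much they look like text.
"""
import base64
import string
from typing import List, Tuple

WAS_XOR_KEY = 0x5F  # the fixed key WebSphere uses for {xor} passwords

# Approximate English letter frequencies (percent), used only for ranking.
FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def xor_single(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def was_decode(encoded: str) -> str:
    """Recover the plaintext of a {xor}... value from a WebSphere config file."""
    if not encoded.startswith("{xor}"):
        raise ValueError("not a {xor}-encoded WebSphere password")
    raw = base64.b64decode(encoded[len("{xor}"):])
    return xor_single(raw, WAS_XOR_KEY).decode("latin-1")


def was_encode(password: str) -> str:
    """Produce the {xor}... form WebSphere writes, e.g. for seeding a dev config."""
    raw = xor_single(password.encode("latin-1"), WAS_XOR_KEY)
    return "{xor}" + base64.b64encode(raw).decode("ascii")


def text_score(candidate: bytes) -> float:
    """Higher is more English-like; non-printable bytes are penalised hard."""
    score = 0.0
    for b in candidate:
        c = chr(b)
        if c == " ":
            score += 13.0
        elif c in FREQ:
            score += FREQ[c]
        elif c in string.ascii_uppercase:
            score += FREQ[c.lower()] / 2   # passwords and prose are mostly lowercase
        elif c in string.digits:
            score += 1.0
        elif c not in string.printable:
            score -= 50.0
    return score


def rank_single_byte_keys(ciphertext: bytes, top: int = 5) -> List[Tuple[int, bytes]]:
    """Matasano-style recovery: score every key and return the best candidates."""
    scored = [(k, xor_single(ciphertext, k)) for k in range(256)]
    scored.sort(key=lambda kv: text_score(kv[1]), reverse=True)
    return scored[:top]


def recover_single_byte_key(ciphertext: bytes) -> int:
    return rank_single_byte_keys(ciphertext, top=1)[0][0]


if __name__ == "__main__":
    # Constructed sample: a value as it would appear in a WebSphere config.
    sample = "{xor}KD4sPjsyNjE="
    print(sample, "->", was_decode(sample))
    # Pretend we did not know the key: brute-force it from the ciphertext.
    ct = base64.b64decode(sample[len("{xor}"):])
    for key, plain in rank_single_byte_keys(ct, top=3):
        print("key 0x%02x -> %r" % (key, plain))
```

The frequency ranking is reliable on a sentence-length plaintext but can be close on an eight-character password, which is why the ranking function returns the top few candidates rather than only the winner: on short input, eyeball the list.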
Metasploitation
So I've been using some of my spare time to experiment with and learn how to use Metasploit. I've been familiar with Metasploit for a while now, so this isn't really about learning something new so much as finally getting familiar with a tool that I've only messed with a little in the past. Part of this is because I have no programming projects to occupy myself with, since I have a real problem finding an interesting problem or project that I can code a solution for. Metasploit is also something I feel I should know how to use if I ever want to run a quick pentest against my own network, etc.
Message engines & Service Integration Buses
One of the components I deal with in my work with WebSphere that seems conceptually nebulous to some is the service integration bus and its corresponding messaging engine, especially when you're first beginning to learn about WebSphere and JMS. The concept is not unique to WebSphere, and similar implementations can be found in JBoss, but my experience with it rests mostly with WebSphere.
A service integration bus lets applications within a cell exchange messages with each other. Think of it as a transport provider for messages within WebSphere that allows asynchronous communication between applications. One application can place a message on a bus, and other applications connected to the bus can retrieve the message and perform some work on it, possibly after a mediation has been applied to the message first. For example, one application can handle a web request and put a message on the bus, where a cluster of applications that can handle the request will see it; one of them grabs the message and does the work the request needs. This is very useful for spreading the workload among a cluster of application servers while ensuring high availability.
Fierce
I’ve been learning a little bit about security and penetration testing in my spare time. I have some friends who are professionals in the industry and I have an interest in it myself so when they mention a tool I like to take a look at what it does and learn a little bit about it.
Fierce is a domain scanning tool, which means it scans an organization's domains for listed hosts: it attempts zone transfers, brute-forces hostnames from a wordlist, and then does reverse lookups on the addresses around each hit. For example, a target company may have several non-contiguous IP ranges, or branch sites or locations that aren't using the same public IPs as, say, their website or main office. By scanning their DNS records you might discover some hosts on IPs that weren't in the same scope as their website or primary data center, and thus may be hosts that aren't as vigilantly maintained. An organization's IT department might have hosts or backdoors for accessing a branch location that they set up for themselves and gave a domain name (e.g. branch32-jumphost.company.com) that isn't apparent from scanning a single IP address range.
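The reverse-lookup sweep that produces those out-of-range finds, as an added example that is not Fierce's own code. Starting from addresses already resolved (zone transfer, dictionary brute force), it checks the PTR records of the neighbouring IPs; any neighbour whose reverse name is in the target's domain becomes a new centre, so a block of target hosts is walked out to its edges even when you only knew one address inside it. The PTR table, the TEST-NET-3 addresses and the example.com names are constructed for the demo, and the lookup function is injected so the sweep runs offline; the reverse_lookup helper is what you would pass for a live scan.

```python
"""Added example, not Fierce's own code: the reverse-lookup sweep that lets
a DNS scan find hosts outside the IP range you started from.

Start from names already resolved (zone transfer, dictionary brute force)
and look at the addresses either side of each hit. If a neighbour's PTR
record is in the target's domain, that address range belongs to the target
too, and the sweep widens from there. The lookup function is injected so
the sweep can run offline against the constructed PTR table below; pass
reverse_lookup for a live scan.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional, Set

# Constructed PTR data for the demo (TEST-NET-3 addresses, example.com names).
FAKE_PTR = {
    "203.0.113.10": "www.example.com",
    "203.0.113.11": "mail.example.com",
    "203.0.113.12": "dev.example.com",
    "203.0.113.15": "branch32-jumphost.example.com",
    "203.0.113.20": "vpn.example.com",
    "203.0.113.25": "other-tenant.example.net",   # same range, different owner
    "198.51.100.5": "unrelated.example.net",
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Live PTR lookup; returns None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except (socket.herror, socket.gaierror, OSError):
        return None


def in_domain(hostname: str, domain: str) -> bool:
    hostname, domain = hostname.lower().rstrip("."), domain.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def reverse_sweep(seed_ips: Iterable[str], domain: str,
                  lookup: Callable[[str], Optional[str]],
                  spread: int = 5, max_lookups: int = 2000) -> Dict[str, str]:
    """Map IP -> hostname for every address reachable by widening from the seeds.

    Each hit becomes a new centre, so a block of target hosts is walked to its
    edge even when the seeds were only one address inside it. max_lookups
    bounds the number of queries sent, which matters on a live target.
    """
    found: Dict[str, str] = {}
    checked: Set[ipaddress.IPv4Address] = set()
    queue = [ipaddress.ip_address(ip) for ip in seed_ips]
    while queue and len(checked) < max_lookups:
        centre = queue.pop()
        for offset in range(-spread, spread + 1):
            try:
                candidate = centre + offset
            except ValueError:          # stepped past 0.0.0.0 or 255.255.255.255
                continue
            if candidate in checked:
                continue
            checked.add(candidate)
            name = lookup(str(candidate))
            if name and in_domain(name, domain):
                found[str(candidate)] = name
                queue.append(candidate)   # widen the sweep around the new hit
    return found


if __name__ == "__main__":
    hits = reverse_sweep(["203.0.113.10"], "example.com", FAKE_PTR.get)
    for ip, name in sorted(hits.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(ip, name)
```

In the constructed data the jump host at .15 is only reached because .10 through .12 resolve into the target's domain and pull the window outward, and .25 is found but discarded because its PTR name belongs to a different owner sharing the range: the domain check, not the address proximity, is what keeps the sweep in scope.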
CarolinaCon 9
CarolinaCon 9 was this weekend in Raleigh, NC, which I attended on Saturday. I was also there as a representative of FALE to help host their lock pick village.
There were several talks given by FALE members; one, titled "Terminal Cornucopia" by treefort, was on how ineffective TSA security theater is at preventing weapons from making it onto an airplane. There was a demonstration of a club called "Murica" made with items purchased in the terminal behind the TSA security checkpoints, consisting of a copy of the Declaration of Independence with a pointy metal souvenir model of the Washington Monument protruding from it. I actually missed this one, but I saw and held the hefty "Murica" and can honestly say a violent individual could do some serious damage with it.
Java EE and Android
In the last year I've been picking up more and more Java, and I did this for two reasons.
The most personal one is that I wanted to learn how to write Android programs: first, because I own an Android phone; second, because the mobile platform is one where a small individual developer can write useful apps, and there obviously is demand and a future for such skills on the market as well.
PyDev and wsadmin unite
Those of us who use WebSphere Application Server as the J2EE application server in our environments have a very powerful tool for administering or automating tasks from the command line: wsadmin. wsadmin is a command line utility that lets you issue commands against a single server or a network deployment (multiple servers in a single administrative domain, or "cell"). If you are reading this you probably know all about it and its support for Jython (Python running on the JVM) as a language for issuing commands and running scripts to handle a variety of tasks.