Digital Shokunin

I have an XPS 13 Developer edition laptop (aka Project Sputnick), after some updates to Ubuntu in recent months, it would randomly freeze. It became apparent it was the graphics card that was freezing as processes were still running even though the display image was frozen and the mouse nor any other input seemed to have no affect (if I left it on downloads would finish). This was very frustrating as I had bought an officially supported set of hardware for Ubuntu from Dell to eliminate these kind of hardware support headaches. Turns out the issue is a known issue with Intel 4400 graphics chipset and the old kernel. The solution was simple, get a more recent kernel, which means updating from the LTS 12.04 release of Ubuntu to a newer version. Since doing the update I’ve had only one freeze in almost a month.

I’ve been taking a Coursera crypto class, although I’m very behind, the theory has been informative. I was hoping to use what I learn to eventually get past where I’m stuck in the Matasano Crypto challenge.

Koding is a cool site that provides a web-based development environment that is perfect for budding programers and veteran programmers who want an easy to use sandbox environment to develop in. For free you get a VM that that comes pre-setup so that you can develop in several languages including Python, plus database backends ability to install more resources (you get full root access to your VM).

A lot of coders use it to stage or live demo a project, and of course the VM automatically shutsdown when you log off. You can expand the VM’s but that’s the point you start paying, or once your project needs some real resources, or you want to bring on additional team members, etc.

Oscar is a Python project utilizing the Raspberry Pi w/ UPC barcode reader to scan barcodes on items you keep stocked in your pantry or fridge, when scanned, ideally when you run out of an item just before throwing the packaging or container away, it will populate your grocery list with the item reminding you that you need to pick up more of that item on your next shopping trip. Since it’s written in Python, it could easily be adapted to run on almost any device with Linux on it and a USB port that is networked. I’ve been working on a fork of it for Python3/Arch and using the miniature UPC reader from Adafruit.

In my attempt to code more, I’ve been looking for a purpose or a problem to which I can apply what I’ve learned or use as a reason to acquire new knowledge. One of the things I’ve been working on a clone of a Mac OS X application an acquaintance of mine is writing. This has begun my foray into writing using the PyGObject API for GTK along with the Ubuntu GTK indicator API. The PyGTK library is deprecated (GTK 3 going forward), which is what most of the examples I’ve found online use where as there is less documentation and discussion for PyGObject. In keeping with using the latest I am writing it in Python 3.

Some of the lessons I’ve learned from the Matasano Crypto Challenge has already had unexpected practical application for a common issue I encounter at work. Sometimes, people forget things, don’t document things especially in dev environments (hopefully not so much in production), one of those things is passwords, passwords for database accounts, or for an account that has some authorization the application needs. If a dev forgets a password or can’t find where it was documented, it’s many times better to just recover the password, rather then reset the password, especially if the account is used by the application in local dev environments, etc.

I have been honing my Python skills on a couple of projects recently. One is the famous (or infamous) Python Challenge which has been interesting, but its not where I have spent the bulk of my time. The other is some work related scripting in jython for Websphere automating some tasks for developers (pausing and resuming activation specifications) in their test environment.

But was has challenged me the most and captured the majority of my attention is the Matasano Crypto Challenge. The nature of the challenge is they send you several tasks to complete successfully using the language of choice (in my case obviously, Python) and in the process you learn about encryption. More to the point you learn several basic weaknesses and common attacks used to crack encryption.

So I’ve been using some of my spare time to experiment with and learn how to use Metasploit. I’ve been familiar with Metasploit for a while now, so this isn’t really about learning something new so much as it is finally getting familiar with a tool that I’ve messed with only a little in the past. Part of this is because I have no programming projects to occupy myself with since I have a real problem finding an interesting problem or project that I can code a solution for. Metasploit is also something I feel I should know how to use, if I ever want to run a quick pentest against my own network, etc.

One of the components that I deal with in my work with WebSphere that seems nebulous to some conceptually, is the service integration bus and it’s corresponding message engine. Especially when you’re first beginning to learn about WebSphere and JMS. This concept is not unique to WebSphere and similar implementations can be found in JBoss, but my experience with it rests mostly with WebSphere.

A service integration bus lets applications exchange messages between each other within a cell. Think of it like a transport provider for messages within WebSphere that allows for asynchronous communication between applications. One application can place a message on a bus, and all other applications connected to the bus can retrieve the message and perform some work on them, or there is some mediation done before hand. You can have one application handle a web request and put a message on a bus where a cluster of applications that can handle the request will see it and one of them will grab the message and handle the work needed for the request. This is very useful for spreading the workload among a cluster of application servers while ensuring high availability.

I’ve been learning a little bit about security and penetration testing in my spare time. I have some friends who are professionals in the industry and I have an interest in it myself so when they mention a tool I like to take a look at what it does and learn a little bit about it.

Fierce is a domain scanning tool, what that means is it scans an organization’s domains for listed hosts. For example, a target company may have several non-contigious IP ranges or have branch sites or locations that aren’t using the same public IP’s as say their website or main office. By scanning their DNS records you might discover some hosts on IP’s that weren’t in the same scope as say their website or primary data center, and thus may be hosts that aren’t as vigilantly maintained. An organization’s IT department might have hosts or backdoors to access a branch location they setup for themselves that they setup a domain name for (ex:branch32-jumphost.company.com) that isn’t apparent by scanning a single IP address range.