Have Air Miles, Will Donate To Charity
I'm sure many of you collect some sort of rewards on a reward program, be it Aeroplan or Air Miles, or some other similar program. Myself, I'm an Air Miles person, and a lot of that has to do with the really good deal that I get for Safeway prescriptions.
But I digest 
While casually browsing the rewards catalog online, I was going through the gift cards and subscriptions. I happened to notice a new section for charities. Under there, you have redeem 170 Air Miles to donate $20 to one of three charities: Kids Help Phone, Special Olympics Canada, and the World Wildlife Fund. Unfortunately, Air Miles has yet to add any more charities, but I sincerely hope that they add more than those three. I've made a firm decision to redeem a donation for every item I redeem on there.
I've never seen this on a rewards site, and I think it's a great thing to do. Think about how many reward miles you have. When was the last time you redeemed them? Do you think you could spare a few to help a good cause? I hope the answer is yes. Some people don't donate to charities because they can't afford it. Now that you can use Air Miles, this should make things a little easier. Alternatively, redeem a gift certificate somewhere you would normally shop, and use the saved money to a charity of your choice. Either way, it's a free donation.
Just a little food for thought.
Ruby Documentation Sucks
Okay, this is going up a day late. My bad. I've been busy. Regardless, I have a rant which any programmer can sympathize with.
I've been recently programming a proxy in the Ruby programming language, which is known for its code elegance. When you know how to use it, it's a great language. The problem, however, comes when to learning about the API in the language. To put it bluntly, the documentation is crap. To be more specific, a good amount of it is incomplete, and those sections that are completed fail to follow a consistent fashion. To put things in perspective, there are 108 core libraries included in the Ruby documentation; over half of those libraries have incomplete documentation.
Now, this isn't that much of an issue if you know how to use the language; after all, there's no need to go to the documentation when you know the language. The problem comes when you are like me, learning how to use the language, and don't know what any of the constants for the sockets library do, which is a bit of a problem when you need to program a proxy. See where I'm going with this?
Maybe I'm complaining because I've been spoiled on PHP's phenomenal documentation, which is an amazing feat when it comes to documentation. All of the functions are properly laid out with plenty of cross-references, and tell you exactly what to expect for each and every function. The documentation is a work of art, I kid you not. Don't believe me? Try learning how to do something complex in PHP using the documentation only, then try to do the same in Ruby.
I have heard some people make the argument that Ruby is open source and relies on its members to do the documentation, hence the lack of it. While I understand this argument, it doesn't entirely make sense. Ruby has a large band of dedicated followers (think Jehovah's Witnesses-style) who should have filled in the 1.9 documentation by now. Thinking about it from another perspective, PHP is a free and open source language as well, and look at the detail in there compared to Ruby.
All I'm saying is that Ruby needs to step up its game a bit, otherwise it will have trouble competing for those people looking at learning a new language. If it wasn't for an amazing IBM document on Ruby socket programming, I would have moved on to another language by now.
Anyways, tune in this Friday for something different. I realize programming isn't everybody's cup of tea, so I'm hoping to branch off into something a little different for those of you who either find computers boring, or those of you that simply don't understand them. As always, I appreciate you reading, and I appreciate even more those of you who tell a friend about my blog 
.
iPhone 3.1 Firmware Issues?
Hey all, this post will be a shorter one. Not too much to talk about today, but I do have a bit of an insight into the new Apple iPhone firmware update.
After having my iPhone for the past month or so, I've found very few problems with it. In fact, I've never had a problem yet.
Well, that's not completely true. I've never had a problem until earlier this week, when the new firmware was released. After about 24 hours of running my phone, I noticed two significant changes. First of all, my battery life was dropping faster than a kid coming off of a caffeine high. Secondly, my phone took a whole 3 seconds (yes, three - I counted) to respond to the "slide to unlock" bar. Those were two things that I was not willing to put up with.
After doing some reading up on the subject, I noticed that I wasn't alone. Some people blamed the firmware, while others blamed the users. I blame both; clearly the issue wasn't universal. A hard reset (ie. not using the "slide to power off" slider) seemed to be a temporary fix, but I wanted something more permanent. It seemed the only way to fix this was to do a DFU factory restore. The only catch is that when your phone restarts, you have to create a new phone profile, and NOT restore an existing backup.
The process was relatively painless. I only lost a few photos and my text messages (I'd love to have a way of backing up text messages!), but aside from that I got all of my old data back after loading it on again. The reset seems to have done the trick; here's hoping it stays that way.
Finding the IIS FTP Vulnerability
On September 1st, Microsoft released a security advisory regarding an exploit that was discovered in their IIS FTP service, which you can find here. In short, the vulnerability allowed servers which allowed anonymous write access to be compromised.
Opening up my email, I notice the vulnerability in my inbox, and a message attached asking me to find all the servers in the government which might be vulnerable to this exploit. Now, as you can imagine, it's not like there's 50 servers in the government. This isn't a situation where you go to each server manually and check for the vulnerability. This worked out to be a perfect situation to use nmap.
Nmap, as I had mentioned last post, is a security scanner. It's powerful: really, REALLY powerful. There's so many command line switches that they have to use two characters for a lot of them, and they're case sensitive as well. To top it all off, it also provides scripting support. In layman's terms, you tell it to jump, and it asks you how high, how many flips it should do, what music should be playing in the background, and what the acrobat's costumes should look like. You get the picture.
Anyways, the task was put before me to determine which servers were vulnerable, and how many FTP services could simply be turned off. After acquiring a list of IP addresses of assets, I sorted the list, changed each IP to refer to the class C subnet (255.255.255.0 or /24), and remove duplicates. I then came up with a list of IPs which had an FTP service. Some had closed ports, and others were filtered. Some of them were also open. A few quick grep commands and I had narrowed down the list to open Windows boxes. Below, I have the nmap command that I used to find all the servers with FTP running on them. I'd be curious to see if anyone has come up with a similar command that might be useful for this same purpose, and where improvements can be made.
./nmap -T4 -PS21 -p21 -O --max-rtt-timeout 200 --initial-rtt-timeout 150 --min-hostgroup 100 -oG /tmp/WindowsFTP.grep -iL ../WindowsServers24
Upcoming Swing Events
For this Monday's blog post, I'd like to stray a little from my typical technology discussions and focus on something far from that: dance. Not just any kind of dance, though. I'd like to quickly discuss swing dancing.
This might seem like an odd topic for a geek to discuss. After all, I'm supposed to be glued to my computer, make obtuse references to nerdy shows and movies, and have a natural inability to talk to women. While all of the above may or may not be true (heh), I also found myself two years ago to have an interest in swing dancing, thanks to a friend who convinced me to go to the University of Manitoba Swing Dance Club (UMSwing) open house (thanks Jacklynn!). Although initially I didn't think I would enjoy it that much, I found myself addicted by the end of that open house, and walked out that night with a full membership. I'm still shocked that I'm even capable of dancing, but regardless, it's a great way to get some exercise, meet new people, and get out of the house.
Two years later, and I'm on the executive committee for UMSwing as their omnipotent web administrator. I've met a lot of great people through the club, and by being on the executive committee, I can hopefully give back to a club which has helped me a lot. One of the events that is happening in just over a week is this semester's open house, which I will be MCing. The club puts on one open house per semester, usually within the first few weeks. We pride ourselves on being able to teach anybody to dance, regardless of skill level. You don't need to bring a partner to dance with, and you don't need experience. We do some demos, teach you basic Jive, and do some social dancing. Oh yeah, and there's a bunch of prizes that we will give away.
- Multi-Purpose Room (MPR), 2nd Floor University Center, University of Manitoba
- September 16, 2009 @ 7:00pm - 11:00pm
- Free!
- Prizes!
- No experience required!
- No partner required!
So, if you have nothing to do that night, come out and enjoy yourself.
UMSwing's classes tend to be geared towards beginner swing dance. If you happen to have swing experience, HepCat Studio is a swing studio that is starting up today at 6:00pm. The first class today is free, and they will teach both beginner and intermediate swing dancing. You can find their website over at http://www.winnipegswing.com.
So, I will continue with random technological rants and whatnot next Friday. Methinks that my next post will probably discuss my upcoming server build and the parts involved. Although I had posted on it a while back, I've solidified my decisions for the next server incarnation. It will be awesome. Very, very awesome.
The First Week
Looking forward to going to work Is a feeling that I've never felt before this week. It's an odd feeling, and one I don't know if I will ever completely get used to. Of course, I'm sure the feeling will wear off after a while.
In the past week, I have gotten a number of experiences that I would not have gotten any other place. My first two days were spent trying to break into a web application on a VM. Although I managed to get access to a few things, I never really got that far.
Today presented a similar scenario. In a virtual network, there were a number of computers: some desktops and some servers. I had to gain access to some "fianancial information" hidden on a server, using exploits in the other machines to gain access. Although I needed a few hints here and there, I managed to get the sensitive information using a variety of tools, including two kernel exploits, sqlmap, Nmap, Metasploit, and RainbowCrack. It was a really fun experience, and I'm glad I got to take it for a test drive.
The icing on the cake for today, however, was using a decompiler to disassemble a fake program requiring activation and bypassing the registration. From the information gathered we made a keygen using 3 different methods. Doing so requires a bit of smarts and a lot of assembly knowledge, which is something I don't have a lot of. With some help though, I managed to crack the registration, which was an exhilerating experience.
These experiences are pretty much all thanks to Ron Bowes, one of the guys I'm working with. I'd call him an IT Professional (he's certainly skilled enough), but he might laugh at me for such a remark. The virtual network was all designed by him, and he walked me through the application hacking, showing me every step and how it was done. I certainly have no intentions of using any of that knowledge to break the registration information for any program for any reason other than my own personal development, but it was still a really amazing experience. He keeps a blog on his homepage (I'm mentioned in a recent post), and it's certainly an interesting read.
A final thing that I'm working on at work is a suitable replacement for Burb Suite, which is an application for attacking web applications. It's a really powerful program, but there's three main problems with it: it's closed source, you have to pay for it, and the Swing interface is god-awful ugly. Other free utilities lack in either power, the user interface, or both. So, upon approval from a supervisor, I might be helping to develop a free open source alternative which would be released into the public domain. We've decided to program the backend in Ruby, and so far it's going really smoothly. In just one day I almost have the proxy designed, and I'm looking forward to getting the backend completed.
All in all, work is great so far. Getting paid to do something you love is amazing.
I Am
- Brian
- Computer Science Student
- Swing Dancer
- Photographer
- Recreational Security Analyst
- brian [at] dj-bri-t [dot] net
- irc.freenode.net #dj-bri-t
Categories
- Development
- Everything Else
- Five Things
- Music
- Photography
- Podcasts
- Rants
- Reviews
- Security
- Technology
- Spectral Instruments 112 Megapixel Digital Camera http://t.co/tVmnlxrm
- I think I just dealt with the pointy end of a netsplit... #irc http://t.co/yS2CpEFC
- The Best Ways to De-Stink Your Stuff http://t.co/0VCirOs2
- Student Makes Real-Life Portal Turret - Slashdot http://t.co/dl1IVDIp
- Faith in humanity restored: "What is the nicest thing you've ever done that no one knows about?" [Reddit] http://t.co/k9FfMxc8
