Something New!

Something new, something different! BITCOIN! Follow the link and donate to the college fund. It's fun for us, and even a penny's worth of bitcoin would be cool. So far, we have five donations. I am studying devOps at Cabrillo College in Aptos, California. They don't know it's devOps yet, but gimme a year and I'll have them brainwashed to use all the tools I like. I'm going to start with Golang and Docker first! Gita is at UCSB doing math and other stuff. She's got her eye on crypto, which is where we came up with the college fund idea. We are wild women on the move! We also built some of our own coin for fun, scrypt-based. I think it's not ready for prime time. http://gita.saragen.com/sites/default/files/scholarship fund.pdf

I'm Gonna Wash Those Bits Right Outta My Hair

BitBake. Sounds like a simple thing -- pop some bits in the oven, bake at 350 until brown. Not so easy. Like, what the hell is it, and what does it have to do with baking? In my lazy world where nobody googles anything to find out if it is true or not, the bake is just an alphabetical sorting improvement on make, the handy-dandy utility we all know and love. And the bits? It's all bits, baby.

My adventure with BitBake began when I discovered there was a magic way to make a custom Linux distribution for my Raspberry Pi. Did I say magic? Yes! First you need to learn a little bit about OpenEmbedded. There are other paths to enlightenment, but this is the one I used.

OpenEmbedded is a build system -- a collaboration of embedded systems engineers to develop a virtual shopping mall for everything Linux. You have device X? You want your Linux to do Y? You can't build on device X because of memory, access, or speed limitations? (or pure laziness in my case) You want to pick and choose from kernel features, versions, commands, drivers, and filesystems, then cross-compile an image? You can. But wait, you haven't even bought your Beaglebone Black or your new toaster! No problem. The OpenEmbedded people will give you an emulator. Best of all, this runs on any flavor of Linux.

In 2010, The Yocto Project became a collaborative project of the Linux Foundation. Yocto draws from and builds on the OpenEmbedded system. As a Linux Foundation project, Yocto is independent of industry manipulation, and Linux proper becomes vested in the continued well-being of the project. Yocto is chartered with making an entire Linux build system work efficiently by standardizing on, creating, and reusing tools. The reference implementation created by The Yocto Project is called Poky, and some other day, I'll get into the details of cross-compiling and toolchain building.

So where does BitBake come in? Based on the Gentoo Linux Portage package management system, BitBake is a tool used to manage a build, or for that matter, any number of other tasks. It reads a .bb recipe file and does everything from fetching the files from a repository and satisfying dependencies, to compilation and creation of a ready-to-use image or package. That's any number of repository types including git, svn, or files, compilation including cross-compilation, and all the most common package types. It even knows the difference between cygwin and BSD. That's only scratching the surface. BitBake is written in Python, and knows what to do with Python code in a recipe file, .bb or .bbclass. Bottom line? BitBake is one badass piece of software.
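To make the recipe idea concrete, here is a minimal, made-up .bb recipe added for illustration; it is not from this post or from any Yocto or OpenEmbedded layer. The recipe name (hello-local_1.0.bb), the hello.c source file and the LICENSE handling are assumptions for the example. It builds one C file shipped next to the recipe, cross-compiles it with the toolchain BitBake sets up for the target MACHINE, and installs the result into the package staging area:

```bitbake
# hello-local_1.0.bb -- hypothetical recipe (added example, not from the post).
# File name gives PN = "hello-local" and PV = "1.0".
SUMMARY = "Tiny C program built from a source file shipped beside the recipe"
LICENSE = "MIT"
# BitBake will not build a recipe whose license text checksum does not match;
# this points at the stock MIT text shipped with OpenEmbedded-core.
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"

# Local sources: file:// URIs are looked up in a files/ (or hello-local/)
# directory next to the recipe. hello.c is assumed to exist there.
SRC_URI = "file://hello.c"

# For a remote source, pin what you fetch so the build is reproducible and a
# changed upstream is caught rather than silently compiled in:
#   SRC_URI = "git://example.invalid/hello.git;protocol=https;branch=main"
#   SRCREV  = "<full-commit-hash-placeholder>"
# or, for a tarball, SRC_URI[sha256sum] = "<sha256-placeholder>"

# file:// sources are unpacked straight into WORKDIR
S = "${WORKDIR}"

do_compile() {
    # CC, CFLAGS and LDFLAGS are provided by the cross toolchain for MACHINE
    ${CC} ${CFLAGS} ${LDFLAGS} hello.c -o hello
}

do_install() {
    # ${D} is the destination root that gets packaged; ${bindir} is /usr/bin
    install -d ${D}${bindir}
    install -m 0755 hello ${D}${bindir}/hello
}
```

With the recipe placed in a layer that is listed in bblayers.conf, `bitbake hello-local` from a configured build directory runs the fetch, unpack, compile, install and package tasks in order; `bitbake -c listtasks hello-local` shows the full task list BitBake derived for it.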

My short term plan is to use Yocto to build a distro for my Raspberry Pi. There are recipes out there already. My long term plan is to learn how to write a BitBake recipe, and get my personal distro building down to pushing a single button.

BadBIOS Holds a Mirror to Our Community

I heard an amazing security expert give a presentation at Toorcon a few weeks ago, and he prefaced his remarks by talking about how he has suffered with social anxiety and imposter syndrome throughout his career. It's become safe for hackers to talk about depression and social anxiety in the wake of some highly publicized suicides and attempted suicides, but this was the first time somebody had mentioned imposter syndrome. After all, if you question your own abilities publicly, perhaps that will lead others to question them as well. Not always good for business. This speaker is so highly admired that his skill will never be called into question. He offered his story as encouragement to others, like me, who might not feel confident stepping up to a task with a lot of visibility. He looked around the room and said something to the effect that we were the best and brightest.

But are we? I follow a lot of security people on Twitter, and when the badBIOS discussions began, I was amazed at how quickly facts were distorted then retweeted. I began to delve into some of the badBIOS research and criticisms, and I even wrote a little story about how the malware was being passed to my dog. I read a blurb about how different BIOSes can't just run the same random code, another about directionality, distance, and non-prevalence of high-frequency speaker broadcasts, and of course, a few people wrote that it would be highly unlikely that an uninfected microphone would pick up something malicious that it knew what to do with. There was some discussion as to the ability of a researcher to pick packets from the air, and some concern about documenting and failure to reproduce the various effects of the malware. And of course, nobody works on something like this for three years. While there has been a little intelligent discussion all along, most of what I've read is of the "me too" variety. Ten people retweet the latest news, and start a flurry of FUD that grows exponentially. Then the pendulum swings the other way, and there's a whole lot of finger-pointing and crazy-calling.

So I guess I'm left to wonder how a researcher who has proven himself brilliant again and again can feel like the imposter. If the badBIOS discussions have shown us anything, it's that there are a lot of real imposters out there, guys who are writing without thinking, who are replying without reading, who seem to have zero appreciation of how systems work. But they sure know how to have an opinion! Perhaps badBIOS is an experiment Dragos Ruiu created to test how viruses can infect the community.

I think I have a #badBIOS

When I was a kid, I used to burn custom firmware for fun. It's nice to be personally greeted by your BIOS when you give it the boot, and it's a-laugh-a-minute watching your mother get boot error messages about her cooking. Harmless, and all in good fun.

But, it's not so much fun when someone gets hurt, and that's what's been happening. It seems like all over the country (whichever country that might be) dogs are going nuts because of an epidemic of #badBIOS malware in the wild. What happened is that some clever person has figured out a way to infect machines with shriekware. That's right, one machine communicates with its victims by directing a high-pitched scream in their direction. All the oscillating parts of the computer and those transducer things shake like a crystal goblet at the opera. But they don't shatter, they do stuff. Dangerous stuff, like passing on the message to other machines, and in what I can only assume is an accident of syntax or semantics or something, dogs have become infected. I have such a dog, and his name is Gipper.

Now I'm not one to pretend to understand everything that happens in a BIOS, but one pleasant thing about them is that they are a nice finite size, and if you and a couple friends wanted to spend the day reading one, you could. If you had some tools, you could look for jumping-off points where a #badBIOS might decide to pick up or drop off its shriekware. What makes the job easy is that your BIOS has probably been sticking with some fundamental code for a while, and you can skip over blocks and piles of that stuff. So, it's doable.

As a computer scientist, I'll be the first person to tell you that polymorphism is a bad thing, and we need to stop any kind of #badBIOS code that does different things the samely, or the same things differently, because dogs are suffering from these high-pitched sounds that only they and microphones attached to infected systems can hear. Gipper seems to be suffering, and he's off his feed. He's been barking in Morse code for almost 48 hours, and since you no longer need to know Morse code to get a radio license, nobody can understand him. It appears that my Galaxy S4 has caught it, as has my Raspberry Pi. Gipper has been barking at the washing machine and the refrigerator, so I think some of my appliances have become infected as well.

I'm writing this because I've heard that some people are not taking the #badBIOS problem seriously, and I want to make sure that nobody thinks it's just one lone looney out there with a tin-foil hat. You people who know about how speakers can be sending this shriekware around to microphones and stuff, please take some time to read the firmware of all these infected systems. I really don't want to have to take Gipper to "Another Home".

Lightbeam. Ain't I connected, baby!

So I downloaded Lightbeam from Mozilla yesterday, and installed it as a plug-in for Firefox. It appears that there is no limit to the number of websites which want to know me, showing me little tidbits while sucking the life out of my cookies and configuration. I feel so popular. Imagine a sausage exploding, then run that video backwards. That's me in the middle, little grease splatters homing in on my every click. And now, that's me watching the watchers. Turn-around is fair play, as they say.

For some, Lightbeam will be trivial to set up, but I actually had a small learning experience. Lightbeam is launched from the add-on bar, and fills a window with its goodness. Took me a while to figure that out, since I never even knew there was an add-on bar. But true to Google, when I clicked view->toolbars, there it was. My toolbar opened quite unremarkably on the bottom of the window, and in the lower right corner, I found an icon that looked like a Mazda motor. I clicked it, and then the fun began.

A browser tab opened for Lightbeam, showing the lines, triangles, and circles modeling my connections and their connections. In other tabs, I visited my usual sites, and followed a number of links that I normally wouldn't follow, just to stir up the mix. Returning to the Lightbeam tab, I was amazed at the beauty of my connections. I dragged the model around the screen a bit just to see the little triangles representing third party sites flow with my cursor and swarm around their first party sites. I am like a god in this world, changing from graph to list, clicking check boxes and blocking third party sites en masse with reckless abandon, despite the big warning that I might be introducing unpleasantness into my browsing experience.

Lightbeam can phone home if you want it to. Mozilla will use the community-sourced data to understand relationships between first and third party sites. And fourth, and fifth, and sixth... I had a pretty good inkling that my visits to most websites were very, um, productive, because when I start a browser for the first time, I require the browser to ask me every time a third party wants to set a cookie. That's an all day job, but by the end of the day most of the big ad players have been blocked. So I change that setting, and while I still get a lot of third party cookies, I've made a dent. Unfortunately, the name of the third-party cookie game is: I'm Blocked, I Must Create a New Domain. That means I lather, rinse, repeat on the blocking every 3 weeks or so. It's possible that community-sourcing will eventually offer some better options in cookie choice. The websites most of us use depend on advertisement revenue, and all solutions must take that into account if the current model of free service provision is to be maintained. But what if, gasp, users paid to use sites, and advertising was phased out? It could happen.

Cookies come in all sorts of flavors. Some remind real service providers that you are logged in, have read message 128, or left to follow a link. There are cookies which sites need to set in order to use their cache or the cloud more effectively, and there are cookies that speed up page rendering and access in other ways. Cookies to remember your location, your language, your color and font preference. Many popular sites have site-api.com configurations, and it is difficult to know if those APIs are for advertising or actual visitor business. Lightbeam lets you block sites on the fly, so you know right away when all the pictures from site-img.com are necessary to render the page, because the site becomes immediately very texty. On the other hand, site-img.com might merely be waiting in the dark to show you A Weird Trick. I think that crowd-sourcing can help us understand what differences there are between sites that want to know all about us.

The Ford Foundation and the Natural Sciences and Engineering Research Council came up with the money for the development of Lightbeam, and the source code is available on GitHub* so tech types can have a closer look. In a perfect world, the forces for good would add some code that tags cookies as keepers, experience enhancing, or spam generators. The data visualization benefited from the creative touch of an Emily Carr University of Design team led by Associate Professor Amber Frid-Jimenez, and designers Sabrina Ng, Joakim Sundal and Heather Tsang. Thanks to everyone involved!

*Obligatory: "But Git is hard!"

Random Asset - a little bio

Hey, I have a Gita! blog now, everyone. I have to play with it a little, but so far, so good. You may remember me from my talk "Booter Shell Booty" that I did at Defcon XXI. I got a lot of awesome feedback, and given the circumstances of the con, that's more than I could have ever hoped for. Nice to see my pals, Reminy and Lizzz who hooked me up here.

A Review of The Circle, a Novel by Dave Eggers

Dave Eggers' The Circle is an easy read, and I enjoyed it quite a bit. The characters are a little shallow, and the settings not tremendously nuanced. On the other hand, Mae's desktop, The Circle's social networking, and the work environment perks were very well developed. Developed to the point that I was really enjoying my job there. I wanted to work overtime, but the book ended.

Like my fellow Circle newbie employees, I have occasionally been lax in my social duties. I haven't liked enough, and I've even forgotten to let Amazon inform my Facebook family that I've just purchased replacement Brita filters. I haven't been fair, I've withheld some geolocation information, and I haven't really been honest in sharing medical information. Even now, if I received a traffic citation, I might only tell a few dozen close friends.

Yesterday, in Real Life, I received a completely unsolicited and unwanted Keurig single-serving coffee maker. It was there on the front porch when I got home from work. It seems that maybe Keurig is drinking from the Twitter firehose, where I have mentioned coffee a few times. They found me, liked the demographic crumbles I've left, and decided I needed to be included in their #brewthelove campaign. Problem is, they have an incomplete picture of me. I am not a materialist. I am thrifty enough to know that K-Users pay 50-100 bucks a pound for their "coffee". And I know it doesn't taste like real coffee. I resent being cast in a Fifth Avenue lie, as does Mercer, a former BF of Mae who just wants to go off the social grid. But eventually he is subsumed (Like is that a word?) and finally consumed by extreme friending.

This is the struggle that Dave Eggers' character Kalden sees. We either lose our identity by casting it into every forum, or we lose our identity because there is nobody left to know us as we are. Kind of a sad tale.

So yeah the book has shortcomings, and I won't dwell on them, because the story was told, the message delivered, and Dave can work on something else. I mean Everyman is kind of boring, too. But people still read it. And if you don't read The Circle, sucks to be you.
