Thursday, January 17, 2013

New Year's Inventory

Now that we've all failed our New Year's Resolutions, we should focus on something genuinely productive. I don't do New Year's Resolutions. Culturally we rarely seem to set them in earnest so I find them to be of little use.

Instead, do a New Year's Inventory. Look at different aspects of your life and assess where you really stand. Do you do well at these things or do you do poorly? Is your performance so low that you should be striving to improve or so high that you should be mentoring?

Consider the following:

  • Family
    • Are my family members adequately cared for?
    • Am I a positive influence on their lives?
    • Do I distribute my attention appropriately?
    • Are there strained relationships I should be mending?
  • Friends
    • Do my friends add value to my life?
    • Are they trustworthy in intention, word, and deed?
    • Do I provide the support they deserve?
    • Am I a positive force in their lives?
  • Career
    • Am I performing at the level I should be?
    • Am I doing what I can to improve my career?
    • Can I be doing more to derive more satisfaction/less stress from my job?
    • Do I cultivate the respect of my boss/peers/subordinates?
  • Finances
    • Am I meeting my financial obligations?
    • Am I confident about the next few months' finances?
      • Next year?
      • Next decade?
    • Am I prepared for a few months of no income?
    • Have I prepared to provide for those who depend on me in my absence?
  • Health
    • Am I eating well? How do I know?
    • Am I active enough?
    • Am I getting sufficient rest?
    • Am I taking steps to prevent illness and disease?
    • Am I managing stress and negative emotions well?

All of those are off the top of my head. You should add the categories and questions that are relevant to you. The first year you do it, it is informative. Doing it every year tells you what you're doing with your life.

It's critical to be honest with yourself, not just about your shortcomings but also about your strengths. Identifying where you should improve is the purpose of the exercise but if you don't identify your strengths it's difficult to feel empowered in tackling the other challenges.

Thursday, December 20, 2012

Searching For a Therapist Will Leave You Needing a Therapist


Finding a therapist or psychiatrist is a miserable process. Both have specialization criteria that disqualify them as a good fit. To find candidates you can search Google, but Google doesn't have a sane place to get the information from so it can't give helpful answers: Garbage In, Garbage Out.

Google will invariably refer you to the Psychology Today referral site. Their search/selection criteria are spotty at best. It's a magazine after all and I can't help but be skeptical about their listings.

We've never had a Primary Care Provider that could refer us directly, nor have we had a health care network that would give referrals. They direct us to our insurance provider's "Find a Doctor" site.

I've tried to use this functionality through Blue Shield and Blue Cross respectively. I don't know their commercial relationship but their "Find a Doctor" search has been the same. You find a general field for a doctor and they give you a list with name, gender, address, and phone number. The "Accepting new patients" filter seems to have no bearing on whether or not the doctor is accepting new patients. You can click on one doctor's listing to get details, but that loses your place in the search and you have to start over.

I finally gave up trying to get recommendations. I started going down the list and just calling. Of course they never answer the phone; they're probably in session and can't. So you're left to leave messages and hope they call you back. I called about 25 offices and left in the neighborhood of a dozen messages. Several I was able to skip leaving a message because their voicemail indicated that they weren't accepting new patients. I got 3 quick responses noting they weren't accepting new patients, and I appreciate knowing right away I can cross them off the list. One I eliminated because the voicemail greeting indicated that they worked in pediatrics.

Overall, I most appreciated those 2-3 offices I called where a human being was able to quickly tell me that they weren't a good candidate. Second were those whose voicemail let me know they weren't a good candidate. Third were those that returned my call quickly; one was via text message, which was great.

I'm struggling to understand why this is so difficult. The insurance provider seems like the best place to get this information together. They can't seem to eliminate ineligible providers. I'm wondering if it's because they don't actually know about their providers (which would seem pretty reprehensible) or they just don't know how to organize this data. As it stands, their service is little more than a private phonebook. Hell, yellow pages listings would probably have been more helpful.

Friday, December 14, 2012

How do you treat an injured Soul?


(Expanded on from a Google+ post)

This is becoming trite. As the story unfolds in Connecticut we're going to learn that the shooter showed signs of mental illness that went unaddressed.

The reason they went unaddressed is because culturally we have two views on mental health: you are normal or you are crazy. If you seem to fall in between your choices are to try to seem normal, or risk being looked on with shame and lose all your credibility. Worse still, it's a reasonable fear that you might risk being hospitalized against your will if you're determined to be a threat to yourself or others.

Socially, we consider consulting your doctor about physical health problems a sign of good judgement. It's not uncommon for friends and family to come to the aid of someone with a sprained ankle with useful advice. "Put ice on it to reduce the swelling." "Wrap it with a bandage for support." "Take it easy for a while and let me help you." Most importantly, "If it doesn't improve, we'll go to the doctor."

In contrast, consulting a behavioral doctor carries a risk as mentioned above. If we admit we're "crazy", we risk embarrassing our loved ones, being considered incompetent by our peers, and harming what's already a troubled ego.

We don't accept mental and emotional problems as "normal" and thus we don't have normal modes of support. We don't know how to help each other with these problems the way we do a sprained ankle. They go untreated, often until the problem has grown so significant that even the appearance of normal function has fallen out of reach.

The tragedy we've seen in Connecticut is clearly the culmination of mental illness, yet we all suffer smaller, more subtle problems. At best our problems won't grow more severe; they'll merely keep us from success and happiness.

We need to:

  • change our views about mental and emotional health;
  • accept that mental and emotional health problems are normal;
  • acknowledge that we all suffer from mental and emotional health problems that we cannot always bear alone;
  • learn about common mental health issues the way we've learned about common injuries;
  • accept that we may need to accept the help of strangers;
  • look upon people that need help with compassion.

Stop looking away. Face your own problems and the problems of your loved ones. With different attitudes we can not only avert the rare tragedy, we can all be more happy, successful, and empowered.


Tuesday, December 11, 2012

Baked Pasta with Meatballs



  • 2qt Pyrex baking dish (mine's square)
  • .5 lb short pasta (I used small Rotini this time)
  • 1.5 jar sauce (I used Newman's Own Marinara)
  • .5 - 1lb frozen Italian-style hors d'oeuvre meatballs. I used Safeway brand.
  • 8oz Shredded Mozzarella-Provolone
  • .5-1 cup grated Parmesan
  • 8oz Ricotta
  • Spices
  • Gusto

  • Boil water for pasta
  • Put frozen meatballs in sauce pan. Add a cup or so of marinara. Cover, simmer on low. Stir occasionally
  • Get a big bowl. Dump in your ricotta, Parmesan, 1/2 of your shredded cheese
  • Add spices to the bowl. I did garlic powder, some oregano powder, onion powder, Mrs. Dash, and pepper like I meant it.
  • Put about 2 cups of sauce in a microwave safe dish, make hot. Ensure you cover it because it will splatter
  • Dump the warm sauce into your mixing bowl and mix it up. The result will be this grainy pink goop.
  • Line the bottom of your baking dish with some sauce.
  • Spread about 1/2 of remaining shredded cheese over sauce in baking dish
  • Preheat your oven to 400
  • Once the pasta's done boiling, drain, drop it in your mixing bowl and mix with the pink goop.
  • Dump the sauce pan with sauce and meatballs into the pasta and pink goop. Mix that up too.
  • Carefully put all that stuff in the baking dish. It will probably barely fit
  • If you have sauce left, pour it over top
  • Spread remaining shredded cheese over this. You gotta have lots of cheese on top.
  • Assuming your oven is ready, stick a baking sheet or some tin foil on a lower shelf, then the baking dish on the middle shelf. The baking sheet is there in case it drips.
  • Don't play Borderlands 2. You'll forget about this awesome stuff in the oven. Instead, check out tmbo for 25 minutes.
  • When the time's up, the cheese should be a congealed skin of awesome on top with some crusty brown spots. This is how you know it's done and why you need lots of cheese on top.
  • Take it out of the oven and let it sit for 5 minutes or so. It's still cooking inside.
  • Don't forget to turn off the oven.


Enjoy. This is a delicious but heavy meal. Better break out the red wine.

Thursday, March 1, 2012

Movie Quality, Piracy, and the Cinema Experience

Movie theaters are way too expensive. Ticket prices, concessions, the whole nine. I deal with the cost of concessions by not buying them. I deal with the cost of tickets by being very picky about which movies I'll see in the theater.

I used to download movies on bit torrent a lot. Despite being able to download movies for free, eat my own food, sit in the comfort of my couch, and pause it when I wanted, I would still go to the theater a couple times a month.

I stopped torrenting movies when Netflix came into my life. A lot of people say that piracy is really a content-delivery problem and there's definitely some truth there. As Netflix's streamable library has grown, torrents have gotten further from my mind. To be clear, I would rather pay for access to Netflix than torrent movies for free.

Netflix fills several roles for me:
  • Killing time: I will not buy a movie ticket for this
  • Television shows: I can't buy a movie ticket for this, nor would I
  • Movies I missed in the theater
  • Movies long out of the theater
  • Movies I don't think are worth seeing in the theater

If Netflix disappeared with no replacement I still wouldn't go to the theater for any of the above reasons. What does bring me into the theater? A good movie on a big screen with great sound. If the reviews for a movie are mixed I'll usually wait to watch it via Netflix. A key point to emphasize is that "new release" is not something that brings me to the theater.

I'm optimistic that theaters are starting to get that last point. Locally, "Titanic" and "Star Wars Episode I (in what's-the-fucking-point 3D)" have made trips back through the theaters. Say what you want about the films, if you're going to see them at all, the big screen is the way. We need lots more of this with cheaper ticket prices.

Dear Hollywood,

You don't have to lose money by making another shitty romantic comedy or Resident Evil movie. You can show us movies we've already seen and if you pick good ones we'll pay to see them. We will pay to come to theaters to see movies we already own. You can even draw people in by showing director's cuts and the like. Bring the older movies in a series back into theaters before the next sequel comes out. Put "The Godfather", the Indiana Jones movies, "Blade Runner", or "Airplane!" in theaters and I'll see them all in a week.

What's critical is that you stop making terrible movies. Instead, give us consumers real reasons to come to the theater and make the theater experience something meaningful. Given the digital projection systems it seems unlikely to me that distribution is a significant hurdle to this. If bandwidth is a concern for getting the extremely high resolution movies out to theaters perhaps you can utilize something bandwidth-efficient for the distributor... like bit torrent.

Friday, November 11, 2011

Xoom LTE Upgrade

I bought a Motorola Xoom Android tablet the day it came out and from the beginning there was the promise that it would be upgraded for free to 4G LTE. Last week I got the notice that I could upgrade. Here's how it went:

  • I signed up on Nov 2nd and quickly got a shipment tracking email from Motorola.
  • Nov 3rd I received a pre-labeled FedEx box with instructions and packing materials.
  • Nov 7th I got around to shipping it out.
  • Nov 10th I received the upgraded tablet.

The turnaround time for this was pretty staggering. I'm guessing they recognize that a lot of people depend on these things and wouldn't be happy having to be without theirs for long.

The instructions with the returned tablet said I would have to turn it on and when I got logged in I would get a prompt for turning on 4G LTE after a few minutes. Somehow I had cancelled the prompt when it appeared. I found the settings (clearly indicated in the instructions had I cared to look) and then it was a waiting game.

The instructions said it might take a few hours for OTA registration to complete. I was occasionally checking the network connectivity indicator in the lower right to say "4G" instead of "3G". After three hours nothing happened so I went to reboot the device to try again. When it booted back up it immediately said "4G". It worked!

I haven't really played with the 4G much yet as I'm pretty much in WiFi range all the time during my week. I did turn WiFi off for a few and pulled up maps just to see if it was fast. Man those map tiles loaded fast. I even got a free OEM standard dock (power and audio connectivity, no speakers, USB, or HDMI) as a "while supplies last" deal. In theory they could have upgraded my Android Market to a newer version but my tablet was encrypted so I had to do it myself. I'm more comfortable with the encryption and an extra upgrade step.

Overall, Motorola did a fantastic job with this. The instructions they provided were clear and described exactly what would happen with the upgrade process. I was pretty floored by how fast I got my upgraded device back. If you bought a 3G Xoom from Verizon you should definitely take advantage of this.

Thursday, October 6, 2011

On Google+

I'm trying out this Google+ thing.

I have a Facebook that I maintain for people to find me. Every time I log in my mind recoils in horror.

I previously used tumblr for blogging and really liked the asymmetrical sharing model. Hopefully Google+ incorporated the good bits of everything.

Friday, July 1, 2011

Go Language Compile/Link/Launch Script

I've started playing around with the Go language and I think it's pretty neat. I have a security-related project I'm working on to help me learn the language that I'll share soon after it's finished.

I found myself slightly annoyed when I would compile, link, and launch my program while editing it. It was fast but the command line was long:

    bin/6g whatever.go && bin/6l -o whatever whatever.6 && ./whatever -arg1 blah -arg2

To make things a little easier when switching between source files I wrote a simple script:

    #!/bin/bash
    # gogogo.sh <program_name> [<args>]
    # Compile, link, and run a Go program; quoting keeps arguments with spaces intact.

    progname="${1:?usage: gogogo.sh <program_name> [<args>]}"
    shift
    bin/6g "${progname}.go" && bin/6l -o "${progname}" "${progname}.6" && "./${progname}" "$@"

Now just run:

    ./gogogo.sh whatever -arg1 blah -arg2

There's probably a smarter way using gomake or something similar but I haven't dug it up yet.

Thursday, February 17, 2011

evilbitchanger

I've been learning scapy, which is an awesome tool. I have a colleague who is doing some research and had a need for a tool that could modify IP packets in arbitrary ways either from a pcap file or on packets in real time. The prototype sets the IP evil bit, recalculates the checksum and forwards the new packet.

Web page here.

Code hosted here.
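
What the prototype described above does to each packet, as an added example in plain Python rather than scapy; it is not the evilbitchanger code. It assumes the "evil bit" is the reserved high-order flag bit of the IPv4 header (RFC 3514), and the function names and sample packet are constructed for illustration.

```python
import struct

EVIL_BIT = 0x8000  # reserved high bit of the 16-bit flags/fragment-offset field


def ipv4_checksum(header: bytes) -> int:
    """One's-complement of the one's-complement sum of the 16-bit header words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def header_length(packet: bytes) -> int:
    """Validate the version/IHL byte and return the header length in bytes."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    return ihl * 4


def has_evil_bit(packet: bytes) -> bool:
    """Receiver-side check: is the reserved flag bit set?"""
    header_length(packet)
    return bool(struct.unpack_from("!H", packet, 6)[0] & EVIL_BIT)


def checksum_ok(packet: bytes) -> bool:
    """A header carrying a correct checksum sums to 0xFFFF, so this yields 0."""
    return ipv4_checksum(packet[:header_length(packet)]) == 0


def set_evil_bit(packet: bytes) -> bytes:
    """Return a copy of the packet with the evil bit set and a fresh checksum."""
    hlen = header_length(packet)
    header = bytearray(packet[:hlen])
    (flags_frag,) = struct.unpack_from("!H", header, 6)
    struct.pack_into("!H", header, 6, flags_frag | EVIL_BIT)
    struct.pack_into("!H", header, 10, 0)   # checksum is computed with this field zeroed
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + packet[hlen:]


def build_sample() -> bytes:
    """Constructed packet: 192.0.2.1 -> 198.51.100.7, TCP, DF set, 4 payload bytes."""
    header = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 24, 0x1234, 0x4000, 64, 6, 0,
        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])))
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + b"data"


if __name__ == "__main__":
    before = build_sample()
    after = set_evil_bit(before)
    print(has_evil_bit(before), has_evil_bit(after), checksum_ok(after))
```

Changing the flag without recomputing the checksum leaves a header that a receiver or router will discard, which is why the checksum step is part of the tool's description.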

Tuesday, February 8, 2011

Management vs Leadership

Management Skills != Leadership Skills

IMO:

People management: concerned with the career growth, compensation, work satisfaction, etc of your reports. In a sense, this is a local extension of HR. Not a technical role. Must be well-versed in the issues related to employee effectiveness.

Project/Product/Program Management: concerned with planning, development, execution, and maintenance of products, services, etc. Should be technically competent but somewhat isolated from implementation.

Leadership: Inspires a team and fosters a culture optimized toward producing the desired result. Leadership skills are independent of other skills but complement them. Sometimes the action indicated by good leadership is contradicted by good management.

People managers deal in carrots, project managers deal in sticks, leaders deal in aspiration.

Monday, January 31, 2011

Remakes

There's been a trend over the last couple years where old movies are remade and handed to us as something new.

When IPv6 becomes commonplace, the same thing is going to happen with network vulnerabilities.

Thursday, January 6, 2011

Altism

Altism -noun:

The mental deficiency wherein one believes that something is superior because it is uncommon.

Tuesday, November 16, 2010

Move Complete

My blog move has been completed! In the future I'll write up notes about the process and share the python code I used to do the migration.

Tuesday, November 2, 2010

Adobe Anagram

Anyone else notice that Adobe is an anagram for “B O-dae”?

Thursday, October 28, 2010

Adobe: Productive Media Tools

Adobe should incorporate some of the security buzz into their marketing:




Adobe media tools increase productivity, giving you 0-day turnaround.




The SEO opportunities are endless.

Tuesday, October 26, 2010

Advanced Evasion Techniques: A Long-Winded Explanation of the Threat

Recently a company called Stonesoft launched a website called http://www.antievasion.com/ with videos warning us about the threat of Advanced Evasion Techniques that can float right through your network security and attack systems you thought were protected. The videos on their site are worth watching, if for no other reason than that they approach self-parody.


Their concern lies mostly in Intrusion Detection/Prevention System (IDS/IPS) software and appliances. These devices observe traffic passing through looking for behavior indicative of an attack in a fashion conceptually similar to antivirus/antimalware. IDS systems merely “observe and report” while IPS systems intervene, trying to cut connections or otherwise stop the attack. The limitation of these types of systems is that they’re primarily signature-based; they are looking for a specific set of indicators to determine that something is an attack. They cannot say with certainty that anything is safe.


Compare this to police mugshots. You can use them to identify known bad guys but you can’t use them to identify unknown bad guys or bad guys with convincing disguises. Modern IDS/IPS (and antivirus) are smarter. They’re better at recognizing fake beards, hats, and changes of clothes. These kinds of attack disguises have often been referred to as “IDS/IPS evasion techniques” and they’re almost as old as IDS/IPS technology itself. As is always the case on the Internet, the good guys cause the bad guys to evolve and vice versa. IDS/IPS technology gets better, IDS/IPS evasion techniques get better.


These “disguises” involve changing the properties of the transmission in ways that are still valid (enough) but violate the IDS/IPS product’s assumptions about how the data should be transmitted. For example, some IDS/IPS products can only look at one packet at a time. If you break the attack transmission into small enough pieces, the IDS/IPS won’t be able to see the signature. For IDS/IPS products that are a little smarter, transmitting the pieces in the wrong order might fool them. There are lots of permutations at various levels.
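
The two disguises in the paragraph above (small pieces, then pieces out of order) run against three toy sensors, as an added example that is not from the original post or from any IDS/IPS product. The signature string, sequence numbers, request and function names are all constructed; segments are modelled as (sequence number, payload) pairs.

```python
SIGNATURE = b"KNOWN-BAD-PATTERN"   # constructed stand-in for an attack signature
ISN = 1000                         # constructed initial sequence number
REQUEST = b"GET /?q=" + SIGNATURE + b" HTTP/1.0\r\n\r\n"


def per_packet_match(segments):
    """Sensor that inspects each segment's payload in isolation."""
    return any(SIGNATURE in payload for _seq, payload in segments)


def arrival_order_match(segments):
    """Sensor that buffers payloads but assumes they arrive in order."""
    return SIGNATURE in b"".join(payload for _seq, payload in segments)


def reassemble(segments, isn=ISN):
    """Rebuild the stream by sequence number, the way the receiving host does.

    Duplicates (retransmissions) are ignored and output stops at the first
    gap, because bytes past a gap have not reached the application yet.
    Sequence-number wraparound is not handled in this sketch.
    """
    by_offset = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            by_offset.setdefault(seq - isn + i, byte)
    stream = bytearray()
    while len(stream) in by_offset:
        stream.append(by_offset[len(stream)])
    return bytes(stream)


def reassembled_match(segments):
    """Sensor that normalizes the stream before applying the signature."""
    return SIGNATURE in reassemble(segments)


def split(data, size, isn=ISN):
    """Cut data into (sequence number, payload) segments of at most size bytes."""
    return [(isn + i, data[i:i + size]) for i in range(0, len(data), size)]


def evaluate():
    """Run all three sensors over three constructed deliveries of REQUEST."""
    small = split(REQUEST, 4)
    deliveries = {
        "one segment": [(ISN, REQUEST)],
        "4-byte segments": small,
        "4-byte segments, reordered": small[1::2] + small[0::2],
    }
    sensors = (per_packet_match, arrival_order_match, reassembled_match)
    return {name: tuple(s(segs) for s in sensors)
            for name, segs in deliveries.items()}


if __name__ == "__main__":
    for name, (single, ordered, rebuilt) in evaluate().items():
        print(f"{name:28} per-packet={single} in-order={ordered} reassembled={rebuilt}")
```

Only the sensor that reconstructs the stream the way the end host does keeps matching across all three deliveries, which is the assumption mismatch the paragraph describes.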


To build an analogy, IDS/IPS systems are like TSA personnel. They scan through your luggage looking for things that might be dangerous. They can’t possibly know every possible threat and disguising a threat, like hiding it in your underpants, can potentially get through the screening process (in all fairness, the underwear bomber didn’t go through TSA screeners; he might have got caught, but that demonstrates a point about security: you attack through a channel with weaker defenses).


TSA screeners could be incredibly effective against a known threat. If we knew attackers were going to carry a weapon onboard a plane in a red stuffed unicorn, TSA personnel would have a clear thing to search for. If the weapon were moved to something else, maybe it would be found, maybe not. In the same vein, when a new vulnerability is discovered, providing a good signature for your IPS could provide adequate detection until a patch becomes available. That is, unless an attacker decides to put a moustache on it.


So what are Advanced Evasion Techniques? Simply put they are IDS/IPS evasion techniques that are applied at more levels of the network stack. Where previous techniques might manipulate the transmission at the IP and TCP/UDP levels, advanced techniques might also manipulate the application layer. It’s an evolution on the attackers’ part that many vendors didn’t anticipate but it’s not really breaking new ground.


What does this mean to your network? Hopefully, nothing. The conditions for a successful attack are that a service has to be exploitable and the attacker has to get the attack past the IPS and… it has to get past the firewall. The inability of your IPS to stop an attack is moot if the target is not vulnerable or if there is no path from attacker to target. If either of those cases holds you can be pretty confident. The “The Principles of AntiEvasion” video seems to presume that your IPS is the only thing protecting your unpatched services. If you’re relying on your IPS in that fashion then you probably are at risk. If your firewall is configured sanely and your patches and configuration are solid, that video is mostly just FUD.


To tie this up I’ll return to the “human screener” analogy. An IPS is like a person looking at people entering and leaving a building, trying to guess at motive. The building itself is like a firewall: it limits points of entry with walls and locked doors. Relying on your IPS to protect you is like forgoing walls and trying to guard a valuable resource in the middle of an open field with only a handful of guards.

Tuesday, October 5, 2010

On Saturday we adopted our second cat: Sam. Please forgive the mediocre photo. I was thoroughly impressed by the Silicon Valley humane society. Their facilities were excellent and I felt that the staff were genuinely interested in helping us find the right cat. If you’re thinking of adopting and you’re in the area I definitely recommend them: http://hssv.org/

Friday, October 1, 2010

Tuesday, September 7, 2010

Nikon D90

I got my first DSLR and I’m having a blast with it. On my third day with the camera I managed to get some awesome shots:







I think they’re awesome, at least. I’m having fun with it.