Sunday, September 7. 2008
Fuzzing is easy
I recently played around with the possibilities of fuzzing. It's a simple way to find bugs in applications.
What you do: you have some application that parses some kind of file format. You create lots (thousands) of files which contain small errors; the simplest approach is to just flip random bits. If the app crashes, you've found a bug, and it's quite likely a security-relevant one. This is especially crucial for apps like mail scanners (antivirus), but it works for pretty much every app that parses foreign input. It works especially well on uncommon file formats, because their code is often not well maintained.
My fuzzing tool of choice is zzuf.
I am impressed and a bit shocked by how easy it is to find crashers and potential overflows in common, security-relevant applications. My last discovery was a crasher in the chm parser of clamav.
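The recipe above (mutate a valid file by flipping random bits, feed it to the parser, treat anything that is not a clean parse or a clean rejection as a finding) as an added example. This is not zzuf and not the author's code: the target is a constructed toy record parser with a deliberately planted missing bounds check so the whole loop runs offline, and run_external() shows the same classification applied to a real command-line parser, where a negative exit status means the process died from a signal.

```python
"""Bit-flip mutation fuzzing (added example; constructed toy target, not zzuf)."""
import random
import struct
import subprocess
from typing import Callable, Dict, List


def flip_bits(data: bytes, ratio: float, seed: int) -> bytes:
    """Copy of `data` with about `ratio` of its bits flipped (at least one).

    `ratio` plays the role of zzuf's fuzzing ratio; `seed` makes each
    mutation reproducible so a crashing input can be regenerated later.
    """
    if not data:
        return data
    rng = random.Random(seed)
    buf = bytearray(data)
    nbits = len(buf) * 8
    for pos in rng.sample(range(nbits), max(1, int(nbits * ratio))):
        buf[pos >> 3] ^= 1 << (pos & 7)
    return bytes(buf)


def build_seed() -> bytes:
    """Constructed sample input: magic, u16 record count, then (u8 len, payload)*."""
    records = [b"ab", b"cde"]
    body = b"".join(bytes([len(r)]) + r for r in records)
    return b"RECS" + struct.pack("<H", len(records)) + body


def parse_records(data: bytes) -> List[bytes]:
    """Toy parser for the format above. Raises ValueError on corruption it
    notices; the unchecked index below is the planted bug."""
    if data[:4] != b"RECS":
        raise ValueError("bad magic")
    (count,) = struct.unpack("<H", data[4:6])
    off, out = 6, []
    for _ in range(count):
        length = data[off]  # BUG: `count` is trusted, so this reads past the end
        off += 1
        payload = data[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated record")
        out.append(payload)
        off += length
    return out


def classify(parser: Callable[[bytes], object], data: bytes) -> str:
    """'ok' / 'rejected' (parser caught the damage) / 'bug:<ExceptionType>'."""
    try:
        parser(data)
        return "ok"
    except ValueError:
        return "rejected"
    except Exception as exc:  # the in-process analogue of a crash
        return "bug:" + type(exc).__name__


def fuzz(parser: Callable[[bytes], object], seed_file: bytes,
         iterations: int = 300, ratio: float = 0.01) -> Dict[str, List[int]]:
    """Run `iterations` mutations; map each bug class to the seeds that hit it."""
    findings: Dict[str, List[int]] = {}
    for seed in range(iterations):
        verdict = classify(parser, flip_bits(seed_file, ratio, seed))
        if verdict.startswith("bug:"):
            findings.setdefault(verdict, []).append(seed)
    return findings


def run_external(cmd: List[str], payload: bytes, timeout: float = 5.0) -> str:
    """Same classification for an external parser reading the file from stdin.

    A negative return code means the process was killed by a signal
    (SIGSEGV, SIGABRT, ...), i.e. the crash the post is talking about.
    """
    try:
        proc = subprocess.run(cmd, input=payload, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"
    if proc.returncode < 0:
        return "crash:signal%d" % -proc.returncode
    return "ok" if proc.returncode == 0 else "rejected"


if __name__ == "__main__":
    seed_file = build_seed()
    for bug, seeds in fuzz(parse_records, seed_file).items():
        # any listed seed regenerates the offending file via flip_bits(seed_file, 0.01, seed)
        print(bug, "reproducible with seeds", seeds[:5])
```

The seed number is the whole reproducer: record it with every finding, because a crash you cannot regenerate cannot be triaged or reported. Flips that land in the record count field drive the parser past the end of the buffer (IndexError here, an out-of-bounds read in C), while flips in the length bytes are caught by the parser's own truncation check and come back as "rejected"; that split between "rejected" and "bug" is what tells you which inputs deserve a closer look.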
Friday, August 1. 2008
Linux short tip: Extract icons from exe files
Recently I was asked by a friend for a Linux tool to extract resources from Windows exe files, especially icons. Until then he had used a Windows tool in wine.
I said that this shouldn't be so hard and had already started writing my own parser (I got to the point where I could extract headers and content separately) when I found that there already is an appropriate tool called wrestool. It's part of the icoutils package.
wrestool -o . -x filename.exe
will extract all resources (icons, cursors etc.) to the current directory.
Sunday, July 6. 2008
ACID3 with webkit-gtk and midori
It seems that with the latest versions of webkit-gtk and midori a long-standing crasher bug got fixed, and the browser test ACID3 now runs.
I just bumped the webkit-gtk ebuild in Gentoo to the latest snapshot.
ACID3 is a test for the standards compliance of modern web browsers. I wrote about ACID2 some years ago.
Saturday, July 5. 2008
GPN7 and surveillance cameras in OpenStreetMap
It's the second day on the GPN7 (a local hacker event from the Chaos Computer Club Karlsruhe / Entropia).
Yesterday evening I hacked together a map based on OpenStreetMap showing surveillance cameras:
http://osm-cctv.hboeck.de/
As a basis, we could use some data provided by the Chaos Computer Club Cologne. I'm working on an importer to get that into the OpenStreetMap database; that will probably happen within the next few days.
All cameras tagged with man_made=surveillance in germany.osm are already imported into the overlay. I'll keep a wiki-page up-to-date at:
http://wiki.openstreetmap.org/index.php/User:Hanno/CCTV
Posted by Hanno Böck in Code, Computer culture, English, Politics at 15:01 | Comments (0) | Trackback (1)
Defined tags for this entry: c4, ccc, cctv, datenschutz, entropia, gpn, gpn7, openstreetmap, privacy, surveillance, überwachung, überwachungskameras
Wednesday, July 2. 2008
Routable OSM maps on Garmin with MapSource / WINE
There are two tools for Linux to put Garmin maps (which you can convert from OpenStreetMap data) on devices: sendmap (proprietary) and qlandkarte (free). Sadly, neither supports my device (Garmin Quest), so I had to find an alternative solution. This should also work with other Garmin devices.
After some playing around, I managed to get it running with MapSource on wine. I used wine 1.1.0 on Gentoo; if you have problems, be sure to get a recent wine version.
Steps to do:
- Download MapSource_6137.exe from the Garmin webpage.
- Use 7-Zip to unpack the exe to some directory: 7z x MapSource_6137.exe
- Install MAIN.msi: wine start MAIN.msi
- Install MapSource: wine Setup.exe
- Get one of the MapSource Installers from here and install it: wine Setup_OSM-Germany-2008-06-11.exe
- wine doesn't support USB, so you need the garmin_gps kernel module. If it's installed on your system, it should load automatically after attaching your device and switching it on.
- You should now have a device ttyUSB0, which you need to symlink as com1 for wine: ln -s /dev/ttyUSB0 ~/.wine/dosdevices/com1
- Run MapSource: wine ~/.wine/drive_c/MapSource/MapSource.exe
- Go to Settings -> Transfer, there you can select a serial port. Select COM1.
- Click the map selection tool from the buttons and select an area.
- Select Transfer -> Transfer to device. If everything went fine, it'll detect your garmin device attached to the serial port and you can start your upload.
Tuesday, June 17. 2008
Linux on a Wii
Today I played around a bit with the stuff done by the Wii homebrew/hacking community, which is far more advanced than I had expected.
I borrowed the game Twilight Princess from a friend. For those who don't know, using this game you can run homebrew software on the Wii without the need of a modchip.
The way this works is that first you install a modified savegame for Twilight Princess; afterwards you can install the Homebrew Channel. The Homebrew Channel will stay in the main Wii Menu and you'll be able to run various stuff from there. While looking around the various webpages covering the topic, I found that wiibrew.org is a good place to find documentation and links to the appropriate projects. So look there for the details.
The gc-linux project (originally porting Linux to the GameCube) has a simple Linux image available.
A warning: Nintendo released a new firmware that stops this method from working, so if you want to have fun, don't update your Wii. And the obvious warning: everything you do is at your own risk.
Update: Seems the Firmware update is no longer a problem.
Posted by Hanno Böck in Code, Computer culture, English, Gentoo, Linux at 23:52 | Comments (3) | Trackback (1)
Thursday, June 12. 2008
0.01 % of Xorg
Phoronix has just published an article about the development of Xorg, including statistics of contributors by distribution.
I'm listed there on the Gentoo part with 0.01 % contributions to Xorg. Yay!
Tuesday, June 10. 2008
OpenStreetMap on RTL
Today we met a team from the German television station RTL.
They made some recordings in Bad Cannstatt and in a forest near Murrhardt. It will probably be shown in the »Nachtjournal«; we don't know a date yet. Hopefully the recording will be available online as well.
Update: You can now download the Nachtjournal from 3rd July.
Posted by Hanno Böck in Computer culture, Copyright, English, Life at 20:28 | Comments (4) | Trackbacks (0)
Monday, May 26. 2008
OpenStreetMap in »Der Spiegel«
»Der Spiegel« is (cited from Wikipedia) Europe's biggest and most influential weekly magazine. In today's edition, there's a three page article about OpenStreetMap.
I wrote a while back that we met with two journalists and started mapping in the small village Kaisersbach.
Last week there was a report on WDR (television), so we're raising interest in the mainstream media.
Update: The article is now available online.
Posted by Hanno Böck in Computer culture, Copyright, English, Life at 13:34 | Comments (2) | Trackbacks (0)
Sunday, May 25. 2008
OpenStreetMap at the Open Source Expo in Karlsruhe
Today and tomorrow, we're presenting the OpenStreetMap-project at the Open Source Expo (or OpenExpo) in Karlsruhe.
I made some pictures, more will follow. Sadly, we didn't get a talk slot for OpenStreetMap.
Posted by Hanno Böck in Computer culture, Copyright, English, Life, Linux at 13:55 | Comments (0) | Trackbacks (0)
Friday, May 16. 2008
Tic Tac Toe over Jabber
One of the features missing from Jabber that most commercial instant messaging systems have is small games one can easily play over them. Until now, because just yesterday gajim got support for Tic Tac Toe over Jabber.
Which reminds me: Tic Tac Toe was one of the first »programming projects« I did; some day I'll have to dig out the sources and publish them. My next wish would be something like TetriNET over Jabber.
The gajim-svn ebuild is in my overlay at http://svn.hboeck.de/overlay/.
Posted by Hanno Böck in English, Gentoo, Linux, Retro Games at 00:45 | Comments (2) | Trackbacks (0)
Tuesday, April 29. 2008
Hash collisions in real world scenarios
I just read an article about the recent WordPress vulnerability (if you're running WordPress, please update to 2.5.1 NOW), and one point caught my attention: the attack uses MD5 collisions.
I wrote some articles about hash collisions a while back. Short introduction: a cryptographic hash function is a function into which you can put any data and get a unique, fixed-size value. »Unique« here means that it's very hard to find two different inputs that map to the same hash value. If you can do that, the function should be considered broken.
The MD5 function got broken some years back (2004), and it's more or less a question of time until the same happens to SHA1. There have been scientific results claiming that an attacker with enough money could easily build a supercomputer able to create collisions on SHA1. The evil thing is: due to the design of both functions, once you have one collision you can create many more easily.
Although those facts are well known, SHA1 is still widely used (just have a look at your SSL connections or at the way the PGP web of trust works), and MD5 isn't dead either. The fact that a well-known piece of software has issues depending on hash collisions should raise attention: pretty much all security considerations on cryptographic protocols rely on the collision resistance of hash functions.
NIST plans to define new hash functions by 2012; until then it's probably a safe choice to stick with SHA256 or SHA512.
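The "one collision gives you many more" property comes from the iterated (Merkle-Damgård) design that MD5 and SHA1 share: every block only ever sees the chaining state left by the blocks before it, so two equal-length messages whose chaining states collide keep colliding under any common suffix. The added example below is constructed teaching code, not MD5 or SHA1 and not from the post: a 16-bit chaining state, a deliberately weak compression step, and length padding at the end, so that a collision can be found by brute force and then extended for free.

```python
"""Toy Merkle-Damgard hash (added example, constructed; not MD5/SHA1)."""
import struct
from typing import Dict, List, Tuple

IV = 0x5A5A  # constructed initial chaining value


def compress(state: int, block: int) -> int:
    """Constructed 16-bit compression step; deliberately weak so that
    collisions are cheap enough to find by brute force in a demo."""
    x = (state ^ (block * 0x9E37)) & 0xFFFF
    x = ((x << 5) | (x >> 11)) & 0xFFFF       # rotate left by 5
    return (x * 0x6D2B + 0x1234) & 0xFFFF


def chain(msg: bytes) -> int:
    """Chaining state after all message bytes, before length padding."""
    state = IV
    for b in msg:
        state = compress(state, b)
    return state


def finalize(state: int, length: int) -> int:
    """MD strengthening: the message length goes through the same compression,
    as the real designs do. Only messages of equal length share this step."""
    for b in struct.pack("<I", length):
        state = compress(state, b)
    return state


def toy_hash(msg: bytes) -> int:
    return finalize(chain(msg), len(msg))


def find_collision(length: int = 4) -> Tuple[bytes, bytes]:
    """Brute-force two distinct `length`-byte messages with equal chaining state.

    With a 16-bit state the pigeonhole principle guarantees a hit within
    65537 candidates (the published MD5 attacks are far cleverer, but they
    deliver exactly this kind of same-length chaining-state collision).
    """
    seen: Dict[int, bytes] = {}
    for i in range(1 << (8 * length)):
        m = i.to_bytes(length, "little")
        s = chain(m)
        if s in seen:
            return seen[s], m
        seen[s] = m
    raise RuntimeError("unreachable for a 16-bit state and length >= 3")


def extend_collision(m1: bytes, m2: bytes, suffixes: List[bytes]) -> List[Tuple[bytes, bytes]]:
    """Turn one colliding pair into one colliding pair per suffix, at no cost:
    the suffix blocks start from the same chaining state on both sides."""
    pairs = [(m1 + s, m2 + s) for s in suffixes]
    assert all(toy_hash(a) == toy_hash(b) for a, b in pairs)
    return pairs


if __name__ == "__main__":
    m1, m2 = find_collision()
    print("collision:", m1.hex(), m2.hex(), "->", hex(toy_hash(m1)))
    for a, b in extend_collision(m1, m2, [b"", b"GET /", b"any suffix at all"]):
        print(a.hex(), b.hex(), "->", hex(toy_hash(a)))
```

The practical consequence is the one the post draws: a protocol that hashes attacker-influenced data with MD5 cannot assume that a single published collision pair is a curiosity, because the same pair wrapped in whatever prefix-free framing the protocol uses is a fresh collision. Swapping in SHA256 or SHA512 removes the known collisions, not the structural property, which is why the size of the state (256 or 512 bits instead of 128) matters.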
Posted by Hanno Böck in Code, Cryptography, English, Security at 21:44 | Comments (3) | Trackbacks (0)
Wednesday, April 23. 2008
Free software for your canon camera (CHDK)
I've owned this Canon IXUS 50 camera for more than two years now. It's a fine device, but it has a few missing features where I often asked myself whether they could be added with a new firmware.
That was until recently, when I read about the CHDK project: it's a kind of firmware enhancement for Canon cameras. It doesn't fully replace the real firmware, but adds additional stuff (I must say I don't fully understand what they do). And now they have an experimental port for the SD400, which is built into my cam.
The first big killer feature one will notice is that the cam now has a battery monitor, the most obvious missing feature of the original firmware.
One more thing I would always have liked for my cam is better video compression. The video quality is quite good, but the cam can only do MJPEG, which leads to big files and limits your maximum video length to about 20 minutes. It seems CHDK has a better-compressed video mode, but I'll have to dig deeper into it. Besides, I can now record raw images. So there's lots of cool stuff to play with.
Monday, April 21. 2008
gajim with otr encryption
In the instant messaging world, encryption is a bit of a problem. There is no single standard that all clients share; mostly two methods of encryption are out there: PGP over Jabber (as defined in the XMPP standard) and OTR.
Most clients only support either OTR (pidgin, adium) or PGP (gajim, psi); for a long time I was looking for a solution where both methods work. psi has OTR patches, but they didn't work when I tried them. kopete also has an OTR plugin, but I've not tested that yet.
Today I found that there is an OTR branch of gajim, which is my everyday client, so this would be great. As you can see in the picture, it seems to work on a connection with an ICQ user using pidgin.
I've created some ebuilds in my overlay (the code is stored in bazaar, I've copied the bzr eclass from the desktop effects overlay):
svn co https://svn.hboeck.de/overlay
ping with IDN
Today I asked myself if I can ping an IDN host.
My default ping (iputils on Linux) couldn't do it, but I found some patches out there, e.g. from Fedora. Thanks to SpanKY, we now also have IDN-enabled ping in Gentoo (he used a modified patch).
Posted by Hanno Böck in Computer culture, English, Gentoo, Linux at 01:26 | Comments (2) | Trackbacks (0)