Thursday, 12 May 2016

Testing Adventures

Building a verification toolkit ...

... without a software department - Part 1

Binary image verification

For larger companies and manufacturers who already invest heavily in R&D and software development, there is a low barrier to producing in-house binary image writing and verification tools. For new entrants into the industry, and for entities that do not produce their own software, the prospect of commissioning custom software can seem a daunting challenge. Many may not be aware, however, that the state of the art in cryptographic verification is right at our fingertips in an open source format which is itself verifiable and inspectable.

OpenSSL provides a plethora of hash-based verification methods and, with very few exceptions (and in combination with crc32), can be used to verify the binary images for almost all jurisdictions. If you are part of a regulatory body considering a new hash technique, ensuring it is available in OpenSSL means you'll always have an independent, verifiable reference implementation that manufacturers can easily verify their implementations against and that test labs can easily start using.

The following bash functions can be put into your bashrc file to allow very convenient verification of binaries:
 

Image Verification Functions

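# Each function overwrites its log file with a timestamp, then appends the digest line(s).
# "$@" is quoted so that file names containing spaces are passed through intact.
# hexkey: takes the HMAC key as hex digits (0000 here).
function hmac-sha1 () { date > hmac-sha1.txt; openssl dgst -sha1 -mac HMAC -macopt hexkey:0000 "$@" | tee -a hmac-sha1.txt; }

function sha1 () { date > sha1.txt; openssl dgst -sha1 "$@" | tee -a sha1.txt; }

function crc () { date > crc.txt; crc32 "$@" | tee -a crc.txt; }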


So now we can just run the commands (replacing <file-name> with the acquired image):
sha1 <file-name>
hmac-sha1 <file-name>
crc <file-name>

and we get the output files below, each containing a timestamp and the digest of the supplied file (the crc32 value is an error-detection checksum rather than a cryptographic digest):
sha1.txt
hmac-sha1.txt
crc.txt

 
This gives us timestamped logs of the digest values that allow us to verify binary images for the majority of jurisdictions around the world. Next in the series we'll look into tools for acquiring the binary images from a given device.
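A known-answer check and an expected-value comparison built on the same openssl dgst calls, as an added example that is not part of the original post. The function names digest_of, verify_image and self_check and the verify.log file name are assumptions; the sample files are constructed from the RFC 2202 HMAC-SHA1 test case 1 and the standard SHA-1 "abc" vector.

```shell
#!/bin/sh
# Added example, not the original author's code. Helper names and the
# log file name are assumptions made for illustration.
VERIFY_LOG="${VERIFY_LOG:-verify.log}"

# digest_of ALGO FILE [HEXKEY]
# Prints only the lowercase hex digest. ALGO is a digest name that
# openssl accepts (sha1, sha256, ...) or hmac-<digest> with a hex key.
# As in the functions above, the key is given on the command line, so
# it is visible to other local users through the process list.
digest_of() (
    algo=$1 file=$2 hexkey=${3:-}
    [ -r "$file" ] || { echo "cannot read: $file" >&2; exit 2; }
    case $algo in
        hmac-*)
            [ -n "$hexkey" ] || { echo "HMAC needs a hex key" >&2; exit 2; }
            out=$(openssl dgst "-${algo#hmac-}" -mac HMAC \
                  -macopt "hexkey:$hexkey" < "$file") || exit 2
            ;;
        *)
            out=$(openssl dgst "-$algo" < "$file") || exit 2
            ;;
    esac
    # The label before "= " differs between OpenSSL versions, so keep
    # only the last field, which is always the hex digest.
    printf '%s\n' "$out" | awk '{ print tolower($NF) }'
)

# verify_image ALGO FILE EXPECTED [HEXKEY]
# Exit status: 0 = digest matches, 1 = mismatch, 2 = could not compute.
# Every comparison is appended to $VERIFY_LOG with a UTC timestamp.
verify_image() (
    algo=$1 file=$2 expected=$3 hexkey=${4:-}
    actual=$(digest_of "$algo" "$file" "$hexkey") || exit 2
    # Accept expected values written in upper case or with separators.
    want=$(printf '%s' "$expected" | tr -d ' :\n' | tr 'A-F' 'a-f')
    if [ "$actual" = "$want" ]; then result=PASS; rc=0
    else result=FAIL; rc=1; fi
    printf '%s %s %s %s expected=%s actual=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$result" "$algo" "$file" \
        "$want" "$actual" >> "$VERIFY_LOG"
    echo "$result $algo $file"
    exit "$rc"
)

# self_check
# Known-answer test: confirms the local openssl reproduces published
# reference digests and that a one-byte change is reported as a FAIL.
self_check() (
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    VERIFY_LOG="$tmp/verify.log"
    printf 'Hi There' > "$tmp/kat1.bin"   # constructed sample (RFC 2202 case 1)
    printf 'abc' > "$tmp/kat2.bin"        # constructed sample (SHA-1 "abc")
    verify_image hmac-sha1 "$tmp/kat1.bin" \
        B617318655057264E28BC0B6FB378C8EF146BE00 \
        0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b > /dev/null || exit 1
    verify_image sha1 "$tmp/kat2.bin" \
        a9993e364706816aba3e25717850c26c9cd0d89d > /dev/null || exit 1
    printf 'abd' > "$tmp/kat2.bin"        # tamper with one byte
    rc=0
    verify_image sha1 "$tmp/kat2.bin" \
        a9993e364706816aba3e25717850c26c9cd0d89d > /dev/null || rc=$?
    [ "$rc" -eq 1 ]
)
```

Run self_check once on a new workstation, then call verify_image with the algorithm, the acquired image and the expected digest; the exit status distinguishes a mismatch (1) from a failure to compute the digest (2).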
 


Monday, 8 June 2015

The Rest of May

Open Knowledge Melbourne

OpenKnowledge were hosting GovHack on the 13th, which I figured I'd go to as I thought GovHack might be a good fit for Free Software Melbourne. Turns out it was a great fit, but by going to the O.K. event I got three times the bang with Alisha, Ruth & Rosie, the Melbourne, Geelong and Ballarat GovHack fellows. I never knew you could email a tree, but I did when they were done because apparently you can email the CBD trees ha! Anyhow it seems like a pretty interesting Hackathon and I keep hearing more and more from the Open Data movement recently, and transparency and access can only be a step in the right direction.



YOW Nights

There was also the YOW night in Melbourne on the 14th with Dave Thomas talking about the past, present and even future of memory and computing in general. He seems to be excited about the new memory models proposed by HP's "The Machine" thingy, however he was just as vague and enthusiastic. He also discussed a (possibly related) new programming model where reads are fast and writes are slow and uncertain, which also fits the pattern of a web-based architecture where reads can be cached close to the consumers, but writes have to follow the chain all the way back to the origin and the origin's disk/storage before a write is completed (probably without confirmation). For the future he recommended focusing on collections and queries, with this absolute gem: "think more ... write less code"

Do Right

On the 20th I took an interesting detour down the path of the Samurai at the Do Right meetup, who are a branch of the New Acropolis group. Looking into the group they seem to be well intentioned and "mostly harmless", but the ethos seems somewhat flaky and unstated and I think my time is better spent elsewhere.

Free Software Melbourne

The 21st was the Free Software Melbourne meetup with guests from GovHack and Russell Coker. We trialled our first live stream of the meetings, which was a particular success with a few regular members unable to attend in person but listening in from around Melbourne. Jordan Wilson-Otto and Alisha Ryans-Taylor from GovHack gave us a run down on the upcoming competition and outlined its goals in regard to Open Government and some of its history in Australia. After another frantic Gnews, Russell gave us an account of his journey with open source and in particular Debian and SELinux. I especially enjoyed the Debian SELinux demo box stories... If I'd been given an offer like that I'd do more than just try "rm -Rf /". I also found the amusing story about email client bugs another good reason to stick with server side email storage, where I can't mess it up :p. They were definitely some interesting topics this month, sparking discussions that continued over to dinner at Classic Curry.



OWASP Melbourne

The OWASP meetup was on the 22nd and Julian Berton gave a cool demo using the Xposed framework (there it is again) to bypass root and proxy checking on installed apps. To be honest I didn't know apps did that (although in the context it is quite understandable for this kind of app) and I might have had to learn this earlier if my bank did that (or change bank).



Data Science

Unfortunately I missed the Data Science meetup on the 26th and instead spent the evening wandering around Etihad Stadium wondering where I was; it even took me over half an hour to find my car again... I'm so geographically challenged.



Open Knowledge

Then on the 27th the Open Knowledge Foundation had a mapping meetup in preparation for the upcoming GovHack. Matthew Cengia took us through a tour of jq (JSON editor/viewer), CSV Kit (collection of CSV tools) and even slipped in a couple of command line skills (actually this might be hard not to do while demoing command line tools). Then Steve Bennett crammed a weekend workshop on TileMill into about an hour of slides and tutorials. Stowing data on proprietary clouds still gives me the creeps, so I'll probably skip that one if I can at GovHack, but we'll see what happens.



Engineering Machine Consciousness

The Engineering Machine Consciousness meet was a thought provoking night as always. It certainly will be an interesting time ahead with the rise of resources. Let me give that some context: James Newton-Thomas was discussing the idea that the economy (at least as we know it) is made up of three fundamental units: resources, capital and labour. Now even mainstream news is catching onto the fact that labour is about to be taken out of that equation with the rise of automated vehicles and factories. I also think the capital part of the equation is in doubt with the rise of home fabrication and the pending self-manufacturing era; this will lead to an economy based solely on the possession of resources... unless something else changes, and what are the chances of that.



RHoK Melbourne Winter Hackathon

On the weekend of the 30th I joined about 50 other hackers at the RHoK Winter Hackathon. This was just a great weekend, if only more hackathons could be this focused on positive projects and relaxed about the competitive side. All the projects were interesting and seemed to have a real need and purpose; it was also interesting tackling projects with such a firm direction rather than the usual hackathon "shot in the dark" kind of attitude.


Sunday, 7 June 2015

Meetups from May in Melbourne



What a busy month of May that was, kicking off on the 1st with the virtual reality meetup. A guy from @TSRCTCO discussed and demonstrated some interactive immersive applications... the Oculus display was amazingly reactive and quick to react to movement without blur or lag. I also got to have a play with the Google Project Tango which had a few cute demo apps and I can't wait till those kind of sensors are standard. It's such a shame Oculus just got bought by Facebook because that looked like being the most open VR platform out there, but I'm terrified that they probably will still be the most "open".

Links:

http://www.meetup.com/Melbourne-Virtual-Reality/events/221881543/
@TSRCTCO


Linux Users Victoria was on the 5th and Nathan Scott inspired me to have a fiddle around with PCP (Performance Co-Pilot) as remote historical logging could be a very handy tool someday. Check out acksyn.org for more PCP resources. Then Paul Fenwick reminded me (and us all) to keep an eye on our apps, lest they keep an eye on us. His recommendations include afwall+, xprivacy, all the guardian project apps including orbot and off-the-record, and he also talked up Serval which I've been meaning to have a play with again (but haven't).

Links:

http://www.meetup.com/Linux-Users-of-Victoria/events/222126397/
http://pcp.io/
https://play.google.com/store/apps/details?id=biz.bokhorst.xprivacy.installer/

The next day was the Melbourne JVM meeting celebrating 20 years of Java with an international guest (New Zealand counts doesn't it). There were a couple of quite synchronous news items with the Gradle 2.4 release and the BioWare Orbit release also making Free Software Melbourne's Gnews. Then Pablo Caif gave us a great demo of performing geospatial queries in Java using GeoTools, allowing for easy importing of geo data in various formats. It also allows easy plotting and overlays on screen and useful querying capabilities.

Then Sumit Khanna talked in depth about his experience with BigSense, a sensor network monitoring tool written mostly in Scala (with a splash of Jetty and Tomcat). It was quite an interesting project involving monitoring environmental impact and effects, in this case for storm water monitoring. One of the coolest things was simply the idea of repurposing old/cheap routers that run OpenWRT as microcontrollers for inputting sensor data through a one wire interface and returning data through wifi. I also checked out Sumit's open mike night on the 13th which was a cool night and I particularly liked being reminded of the "this too shall pass" story.


Tuesday, 4 December 2012

Git yourself a schooling in Git

CodeSchool:

I've recently gone through a couple of courses from CodeSchool and have found them to be quite entertaining. Unfortunately most courses are keyed towards web developers, but there were two courses on git that were totally worthwhile for any developer. My badges: http://www.codeschool.com/users/PuZZleDucK

1. "Try Git" was breathtaking, may I just start with a "wow", actually, make that a "oh, wow... are you for real". Fantastic use of technology here, the course is actually performed on a real live GitHub repo. The only drawbacks were that it ended too soon as it is a low level introductory course, and it felt a bit scripted, but once again it is an intro course. My repo has now expanded to incorporate experiments from the next class and may even become a program in its own right.

2. "Git Real" has a wonderfully cheesy intro to the videos, it is very thorough and if used right really forces you to learn the commands yourself. You view a 10ish minute video discussing git techniques, then you go through challenges. I must confess I did use "man git" on my local machine a couple of times to check the details of obscure commands, but I figure anywhere I can use "git" I can use "man git" too. The (very minor) drawbacks include not being able to use tab-completion and a couple of times I just wanted to get my bearings with commands like "git status" or "git branch", but I knew that if I typed in those commands the "marking system" would punish my self directed learning with a really good hint :D

Also there is a "freebie offer" at the moment called "Hall Pass" (which you will need if you want to do the "git Real" course) with free two day access:

Hall Pass: http://go.codeschool.com/LkD3Kg



Linux Users Victoria (December 04):


This month at LUV we had Martin Paulo speaking on OpenStack, who also happened to recommend The Innovator's Dilemma as a good read... Sounds interesting, about how innovative companies get fixated on their innovation and fall behind in "everything else". Unfortunately he also pushed one of my buttons claiming that the object storage engine can store objects of size zero (Btrfs also makes this outrageous and misleading claim), meta data has a cost dammit! Zero plus meta data equals cheating... Zero plus meta data is not zero.

We also heard from Chris Samuel from VLSCI talking about the Blue Gene/Q super computer in Melbourne called Avoca, including how it was the most powerful in the southern hemisphere... until a month ago, but I believe it is still the world's greenest super computer.

Edit: Adding peoples names :)

Monday, 26 November 2012

A device to give Gosling nightmares!

Making up for the long delay between my last two posts, here's another one mere hours after the last, and this time with code!
:D So, I've been reading about Duff's device and loop unrolling, and wanted to have a crack at it in Java... well of course there is absolutely no point implementing this in Java, and the results are just as I expected... the JVM can optimize a normal loop better than it can an unrolled loop :p ... I've even heard that every time a developer unwinds a loop in Java, James Gosling gets a headache... sorry James.

Still it was a good interesting exercise... I challenge you all to implement an unrolled loop in your language of choice! I'd love to see a lisp version, actually on second thoughts...

Anyhow, here it is:

//(c)me & GPL3:
public class DuffsDevice
{
  public static void main(String[] args)
  {
    int demoSize = 80;//woot... 0 works
    System.out.println("Normal loop: "  );
    long start = System.nanoTime();
    for(int i = 0; i < demoSize; i++)// one partial two full for demo
    {
      System.out.print(" Bit:" + i);
    }//normal loop
    System.out.println("\nNormal  end: " + (System.nanoTime()-start));

    final int winding = 5;//up to 6
    System.out.println("Duffs device in Java loop: ");
    start = System.nanoTime();
    for(int i = 0; i < demoSize; i = i)// one partial two full for demo
    {
      System.out.print("\n" );//System.out.println("size%winding:" + demoSize%winding + "  i:" + i  );
      switch( (i + winding <= demoSize) ? 0 : winding-(demoSize%winding) )
      {
        //case (winding-6): { System.out.print(" Bit:" + (i) +" -a" ); i++; }
        case (winding-5): { System.out.print(" Bit:" + (i) +" -b" ); i++; }
        case (winding-4): { System.out.print(" Bit:" + (i) +" -c" ); i++; }
        case (winding-3): { System.out.print(" Bit:" + (i) +" -d" ); i++; }
        case (winding-2): { System.out.print(" Bit:" + (i) +" -e" ); i++; }
        case (winding-1): { System.out.print(" Bit:" + (i) +" -f" ); i++; }
      }//switch
    }//Duffs device
    System.out.println("\nDuffs device in Java  end: " + (System.nanoTime()-start));
    //usually around 1803034 in the normal loop
    //usually around 2272790(winding 3) 2065498(winding 6) for unrolled loop... ymmv of course.
    //Duff was right... this is even pretty ugly in Java :p ... ugly, but fun :D
  }//main
}//class



Hope you enjoyed reading, I especially liked the embedded conditional statement as the switch control statement... writing that bit really got my heart racing haha

I got (sort of ... not really) Slashdotted!

Again it's been a while, but this time I was just sick... still that didn't stop a lot of things happening.
First off let's address the title of this post: I got Slashdotted, well sort of... 11 hits is a lot for a 30 minute video of a guy using Gimp (badly) for simple editing, haha. I entered the Slashdot 15th anniversary logo competition and came first! was picked for the first day of the month, haha... anyhow my logo was a little endian joke (dot slash) with an insensitive clod reference thrown in for good measure. I love the "insensitive clod" poll options, I so often pick them.

I also wrote an email to MrDr Heinz Max Kabutz (of Java Specialists newsletter)... detailing what I thought was an interesting difference between Android's handling of the compilation routine and the way Java does it. I was partially so interested in the topic as I was under the impression little to no pre-compilation was performed on Java code, so to learn about any Java pre-compilation was interesting, but to then realize that Android and Java both use different pre-compilation routines was somewhat more interesting. Heinz got back to me, but unfortunately didn't know about the Android compiler. This has left me with a lingering desire to learn more about precompilation in Java so look out for coverage of that in the future.

Dr Kabutz's example:
public class A1 {
  Character aChar = new Character('\u000d');
}
 
 
In addition I also received a charming but somewhat disturbing email from a Mr. Shaun P. who was concerned that because I had licensed code used in a tutorial as GPL anyone following that tutorial would be forced to licence anything they wrote using that technique as GPL. Besides the viral nature of the GPL being half the point of the whole licence, I would have thought someone's use of my code would have to be substantial and direct for me to claim it as a derivative work... simply using the same technique or a small chunk would simply not suffice. Remember, Linus does not even consider Bionic to be a derivative work. I also began creating solutions to the Project Euler problems in the form of Android applications. Check out Euler 1 and Euler 2 on the Play Store now. Euler 3 is in the works, but it's a steep learning curve between problems two and three.

While recovering from illness and in a state of total delirium I created a funny little video in tribute to Melencolia 1 which was introduced to me by ... from the Numberphile videos, absolutely worth checking out if you haven't yet.

And finally: What the hell is up with those BSD guys? I just can't fathom how patient and polite Richard Stallman is... the background to this is that BSD got removed from the FSF list of endorsed projects and Stallman vaguely implied that they promote proprietary software. Well, the BSD guys were tearing into Stallman in this forum demanding an apology or something. Anyhow I think Stallman comes off looking professional and (overly) polite, what do you all think out there?

Saturday, 15 September 2012

Ok, here it is at last, my XDA Developers "BASH Obsfucation Contest" entry, gee I hope Blogger doesn't chew up my formatting or escape chars... oh well here goes nothing... and let me know in the comments if you work it out :D

Here is the link to the XDA thread.
And another to the YouTube video.

Check out the script file here (the blog format exposes some of my Obsfucation... and also seems to chew up the odd character... doh, too tired to fix now).

 Spoiler alert... I tell you what it does at the end... now on with the code:


#! /bin/bash

#Init Yeuletide(sp?)
euletideness=0;                                                                                                                                                                                                                                                                                              xt="is";
merrynessindex=0;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            lw4e="l";

#Init xMian vocab
santa="";elf="";partrige="";snowman="";jingles="";pinetrees="";
mrsclause="";elfette="";nannatriges="";noman="";bells="";tinsel="";

#init xMas graphics
#Bauble:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         serr4="S"; # nothing to see here... move it along now
                            xt643="kes";
                          d="n";      n="d";
                       vgt=" ma";      vgr="k";
                   serr1="nt";          serr7="a ";
                 vgw="es ";                 serr8="a";
                lw9="h";         lw3="ppy";  lp23=" ..";
               lp223=".so"; vgt234=" fe";lp2333="w n";
               lp243="ice";  lp23="ren";  lp2113=" me";
                mvfd="N";ice="ice"; i="/"; lwe3="aug";
                 lw3e="hty";xa="th$xt";j="pr";m="oc";
                   vg="$vgt$vgr$vgw";ul="ev";p="mm";
                     ds="$serr4$serr8$serr1$serr7";
                        serr99="i$lw4ed";o="co";
                          lw="$lw9$serr8$lw3";

#Tree:
#######################################################################
#                                                                     #
#                             *                                       #
#                             |                                       #
#                            vg";                                     #
#                           vgt9";                                    #
#                          v8="lw9";                                  #
                         vgt58=" c$lw9";                              #
#                         3="$vgt"3r7";                               #
#                       iy223="$lw33=r7";                             #
#                     lp2223="$gt";lw=" r7";                          #
                   lp2223="$vgt";lw33=" $serr7";                      #
#                     313serr4ad"gt41=" rra";                         #
#                   lp2 3$serr4aj" vgt1="sr4a";                       #
#                lp13="$serr4ad"; vgt4321="err4a";                    #
#               2313="$serr4ad"; vgt4321=" $serr4a";                  #
               lp2313="$serr4ad"; vgt4321=" $serr4a";                 #
#                 p2323="$serr1;lp221;n2="$mvfdce";                   #
#               lp232$serr1a";l2213=".";n2=mvfd$ic";                  #
#             lp2323="$serr1ajh;221jhg"."j;n2fg="fd$ie"               #
             lp2323="$serr1a";lp2213=".";n2="$mvfd$ice";              #
#             n1="$mwe3w3;l=err8";hg="t $i";e="$l$m$i";               #
#           n1="$mvfwe3$lw3e";l=l"serr8";k=" $"e="$j$m$i";            #
#          n1="$mvd$lw3$lw3e";l="c$ser";k="t $h";e=$l$$j$i";          #
#        n1="$mvfd$lwe3$lw3e";l="c$serr8";k="t $i";e="l$k$j$i";       #
        n1="$mvfd$lwe3$lw3e";l="c$serr8";k="t $i";e="$l$k$j$m$i";     #
#          a="$i$o$p";ev="ul$e";dmc="$i$n$ul$d$ev";vdyy$lw4e";        #
#        a="$i$o$p";ev="ul$l4e"dmc="$i$n$ui$d$ev";vyy="taiw4e";       #
#      a="$i$o$p";ev=ul$lw4e";dmc="$i$n$ul$i$dev";vdyy="ai$lwe";      #
      a="$i$o$p";ev="ul$lw4e";dmc="$i$n$ul$i$d$ev";vdyy="tai$lw4e";   #
#                         e";dmc="$i$n$ul$                            #
#                         lp232$serrmvlw3e                            #
#                         p2323dmc="$i$$ul                            #
#                         er";krr1ajh22hgh                            #                                       #
#                         ep2323c="$i$n$ul                            #
                                                                      #
#######################################################################

#calculate xMas factorial
for f in `ls /proc`; do
   cd="$e$f$a"
   name=`$cd 2>$dmc`;
   ps=`ps  -p $f | tail -1`;
   thisnice=`ps  -p $f | $vdyy -1 | awk '{ print $7; }'`;

  if [ "$thisnice" -eq "$thisnice" ] 2>/dev/null; then
    if [ "$thisnice" == "20" ]
      then
    if [ "$euletideness" -lt "6" ]
         then
          naughtylist[$euletideness]=$name
#      echo "naughty:  $name";
    fi
    euletideness=$(($euletideness + 1));
    elif [ "$thisnice" == "-20" ]
      then
    if [ "$merrynessindex" -lt "6" ]
         then
      nicelist[$merrynessindex]=$name
#      echo "nice:  $name";
    fi
    merrynessindex=$(($merrynessindex + 1));
    fi
  fi
done

# Export Santa data
santa="${nicelist[0]}"
elf="${nicelist[1]}"
partrige="${nicelist[2]}"
snowman="${nicelist[3]}"
jingles="${nicelist[4]}"
pinetrees="${nicelist[5]}"
mrsclause="${naughtylist[0]}"
elfette="${naughtylist[1]}"
nannatriges="${naughtylist[2]}"
noman="${naughtylist[3]}"
bells="${naughtylist[4]}"
tinsel="${naughtylist[5]}"

# Calculate Santas Tax
if [ $(($merrynessindex-6)) -lt "0" ]
    then
      merrynessindex=6
fi

if [ $(($euletideness-6)) -lt "0" ]
    then
      euletideness=6
fi

# Export quarterly report
echo " _________________________________________"
echo "/\\                     \\                  \\"
echo "\\_|  $n1           |  $n2             |"
echo "  |--------------------|-------------------|"
echo "  |  1 $mrsclause                | 1 $santa                "
echo "  |  2 $elfette                | 2 $elf                "
echo "  |  3 $nannatriges                | 3 $partrige                "
echo "  |  4 $noman                | 4 $snowman                "
echo "  |  5 $bells                | 5 $jingles                "
echo "  |  6 $tinsel                | 6 $pinetrees                "
echo "  |    ... and $(($euletideness-6)) more  |  ... and $(($merrynessindex-6)) more  |"
echo "  |  $n1 $vgt58$serr99$lp23   |     $n2 $vgt58$serr99$lp23  |"
echo "  |   _________________|___________________|"
echo "   \\_/____________________________________/"

# Export execuitive summary
if [ "$euletideness" -lt "7" ]
    then
      echo "        ... $xa$vg$ds$lw."
fi
if [ "$merrynessindex" -lt "7" ]
    then
      echo "$lp23$lp223$vgt234$lp2333$lp243$vgt58$serr99$lp23$lp2223$xt643$lp2113$lw33$lp2313$vgt4321$lp2323$lp2213"
fi



Spoiler alert...



Spoiler alert..



Spoiler alert.


Spoiler:
   It scans the directories in /proc/### and gets the nice values... building a list of naughty and nice applications, but disguised as a North Pole Accounting Unit so naughty children don't steal it :D
