Tuesday, January 30, 2007

"To do a dull thing with style, now THAT'S what I call art" - Charles Bukowski

Recently I saw two things that I thought were worth passing on to everyone else. The first was the animation show whose trailer appears beneath. The second was a documentary on Charles Bukowski entitled Born Into This. The former was a hilarious and fascinating series of animated short films. If you've ever seen the Rejected cartoons short film then I highly recommend that you check it out, or at the very least search YouTube for the animated shorts and then go next year.



The Bukowski film was interesting. Before I saw it I can really say that I didn't know that much about the man aside from the tales of debauchery. Most notable of these was that he threw up at a reading of his poetry. I found the documentary both enlightening and entertaining. I really need to read his work.



Friday, January 26, 2007

Lack of Content

Lately, I've been swamped with work and generally exhausted so that the blog has had to take a short hiatus.



If you're coming to San Francisco for the RSA conference and you have my cell phone number or email, drop me a line so we can meet up. If you don't have that info and want to hang out, leave a comment.



When I do finally get a chance to write on the blog again, I hope to have articles on:




  • Restore my LFSR shellcode article to the blog and include some PoC

  • A quick article on the Animation show

  • Release of my goofy threat modeling tool

  • Software licensing

  • Notes from The Art of Software Security Assessment

  • Writing a fuzzer with dpkt and libdnet

  • Writing a fuzzer with Peach

  • Notes from OS X presentations and books



Mostly I'm putting the list out there so that I make sure to do it.

Monday, January 22, 2007

Tahoe was Fun

So this weekend I took a break from computers and went snowboarding in Tahoe. To put it bluntly, it was fantastic. Having grown up in the northeast I've become accustomed to so-so winters and decent skiing, but not fantastic. The snow here was excellent even though I'm told it's a horrible winter for out here. Man, I can't wait until they get some snow. :)

Friday, January 12, 2007

Book Review: The Art of Software Security Testing


Tonight I'm taking a page from the TaoSecurity blog and reviewing a book. I'm not Richard Bejtlich, so please be kind in your critique of my critique.



While traveling over the holidays I read The Art of Software Security Testing. This is a book I wish I'd had when I first started with security. It's a book that aims to help software testing people understand security testing. In particular, I enjoyed the tone and the way the authors divided the book into three parts.



The first part, consisting of the first five chapters, is an introduction to what it means to attack software. Specific attention is paid to why one needs to test security and the mindset one needs to play the adversary. The chapter on threat modeling and risk-based testing is one I wish were available as a sample-chapter PDF so that I could send it to a few people.




The second part of the book is about conducting actual attacks. Unlike other books I've read, the authors make sure to drive home the points and principles made in the first section of the book with the tools and techniques they demonstrate.



For example, the first chapter in this section, on network fault injection, uses nmap as its port-scanning example and then moves on within a page or two. This deserves commendation, as I don't think enough books on information security get this right. Take, for example, the Hacking Exposed books. They tend to focus on a point and then give you thirty tools that accomplish the same task. This annoys me because it feels like fluff, and I get the impression that readers come away with the notion that the tools are the important part. As an aside, this strikes me as a very bad thing for the security industry as a whole, but I'll save that for another post. The only chapter in this section that seems to suffer at all from this is chapter 9, which is basically all about WebScarab.



The only downside to the second section is that I wish I had some of the code they were using for the web apps. I like to follow along when I can, and it would be nice to try the attacks mentioned alongside the screenshots.



The third part, Analysis, consists of one chapter on determining exploitability. This was honestly the weakest part of the book, only because of its lack of depth, in my opinion. It did an excellent job as an intro but didn't get into some of the nuances; I vaguely remember something in their description of how the stack is used that didn't quite sit right with me, but I can't seem to find the passage. There are other books that cover this area in great depth, so even as the "weak" section it was pretty decent.



Other interesting things in the book that I noticed were:



  • All screenshots were taken in OS X.

  • The @Steak jokes were persistent throughout the book.

  • You could tell when some of the authors had written a section based on the command prompts shown.



Overall I'd say that it's quite an enjoyable book and one that I plan on giving to software engineering friends as an introduction. As to what I learned from this book, I'd say that I didn't really learn a whole lot more, but this book helped me reorganize a lot of information that I'd been using these past few years. Sometimes getting better context is better than learning new facts.


Tuesday, January 9, 2007

IPSC Rocks and That iPhone Looks Cool Too

Okay, so I'm sure that IPSC (IP Subnet Calculator for console) is old hat to many, but I discovered it this morning and man am I happy I did. It's nice not to have to either go to a web page or figure it out in your head.



Sample Output




[ markowsky@markowsky ( 8:15PM) ~ ]
$ ipsc 192.168.0.22/24
Network class: C
Network mask: 255.255.255.0
Network mask (hex): FFFFFF00
Network address: 192.168.0.0
Subnet bits: 0
Max subnets: 1
Full subnet mask: 255.255.255.0
Full subnet mask (hex): FFFFFF00
Host bits: 8
Addresses per subnet: 256
Bit map: nnnnnnnn.nnnnnnnn.nnnnnnnn.hhhhhhhh
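To show where those fields come from, here is a small Python reimplementation added as an example; it is my code, not part of ipsc or this post. It assumes a particular reading of the output above, namely that "Network mask" is the classful mask, "Full subnet mask" is the mask actually supplied, and the bit map marks subnet bits with s (only n and h appear in the /24 sample, so the s convention is an assumption). It also goes one step past the sample by handling subnetted class A/B addresses.

```python
import ipaddress

# Classful default prefix lengths (classes A, B, C); D and E have no host part.
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}


def classify(first_octet: int) -> str:
    """Return the classful network letter for the first octet of an IPv4 address."""
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    return "D" if first_octet < 240 else "E"


def subnet_report(cidr: str) -> dict:
    """Compute the fields ipsc prints for a host address in CIDR notation.
    Assumed reading of the ipsc output: 'Network mask' is the classful mask,
    'Full subnet mask' is the mask actually given, and the bit map uses
    n = classful network bits, s = subnet bits, h = host bits.
    """
    iface = ipaddress.ip_interface(cidr)      # keeps the host part, e.g. .22
    net = iface.network
    prefix = net.prefixlen
    cls = classify(iface.ip.packed[0])
    base = min(CLASS_PREFIX.get(cls, prefix), prefix)  # D/E or supernets: no split
    subnet_bits = prefix - base
    host_bits = 32 - prefix
    raw = "n" * base + "s" * subnet_bits + "h" * host_bits
    class_mask = ipaddress.ip_network(f"0.0.0.0/{base}").netmask
    return {
        "Network class": cls,
        "Network mask": str(class_mask),
        "Network mask (hex)": format(int(class_mask), "08X"),
        "Network address": str(net.network_address),
        "Subnet bits": subnet_bits,
        "Max subnets": 2 ** subnet_bits,
        "Full subnet mask": str(net.netmask),
        "Full subnet mask (hex)": format(int(net.netmask), "08X"),
        "Host bits": host_bits,
        "Addresses per subnet": 2 ** host_bits,
        "Bit map": ".".join(raw[i:i + 8] for i in range(0, 32, 8)),
    }


if __name__ == "__main__":
    for field, value in subnet_report("192.168.0.22/24").items():
        print(f"{field}: {value}")
```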



Also, apparently this page got mentioned at stumbleupon.com, which brought 188 visitors yesterday alone. If any of you are still here from yesterday, welcome.



In other news Apple released the iPhone. I'd want one if:



  • I knew what components were in it: processor, amount of memory, etc.



  • I don't want a phone that's underpowered or that has really crazy annoying DRM in it. Also I'd like to get a good gauge of the battery life, as I use my cellphone as my primary phone and am prone to go days without charging if possible. Additionally I don't want a phone that chokes while running apps and acting as a phone.


  • It wasn't tied to Cingular




  • T-Mobile has been really, really good to me. Plus the whole being able to roam on Cingular's network is nice. I don't want to have to pay $200 - $250 to break my plan with T-Mobile in addition to the $499 - $599 price tag for the phone. Together that just prices the phone out of my willingness to spend cash.



Saturday, January 6, 2007

Yet Another Fun Tool

So as you've probably noticed I'm becoming a graphviz weenie, meaning I'm trying to write programs that use it as much as possible. It's not the only form of visualization, but it's fun nonetheless, especially since pydot makes it so trivial. So on the commute into work the other day I was bored and looking at kdump output, which, if you've ever looked at it, tends to be a lot of data. A lot of it is useful; however, when you want to see calling relationships it can be a pain in the butt. See where I'm going yet?



I wrote a silly little script that takes the textual output of kdump and turns it into graphviz. I'm calling it ktrace-grapher.py. Like most things I seem to be releasing, the code is somewhat rough. Feel free to play with it or add features.



Sample output can be found here.



Things that need to be handled properly:





  • the exec family of functions

  • layout of multiple paths to functions

  • currently I ignore NAMI and GIO stuff
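To illustrate the kind of transformation described above, here is an added example of my own, not the ktrace-grapher.py script: it parses a few constructed kdump-style records (not a real trace), keeps only CALL records as process-to-syscall edges, skips NAMI and GIO records, treats a change of command name on the same pid as a successful exec, and emits DOT text directly instead of going through pydot. The record layout (pid, command, record type, detail) is assumed from kdump's usual output.

```python
import re
from collections import Counter
# Constructed kdump-style records for illustration, not a real capture.
SAMPLE_KDUMP = """\
 17513 sh       CALL  execve(0x7f7ffffc2a10,0x7f7ffffc2e60,0x7f7ffffc2e70)
 17513 sh       NAMI  "/bin/ls"
 17513 ls       RET   execve 0
 17513 ls       CALL  open(0x4e8e,0,0)
 17513 ls       RET   open -1 errno 2 No such file or directory
 17513 ls       CALL  write(0x1,0x7f7ffffc1000,0x7)
 17513 ls       GIO   fd 1 wrote 7 bytes
       "hello\\n"
 17513 ls       RET   write 7
 17513 ls       CALL  write(0x1,0x7f7ffffc1000,0x7)
 17513 ls       RET   write 7
"""

RECORD = re.compile(r"^\s*(\d+)\s+(\S+)\s+(CALL|RET|NAMI|GIO)\s+(.*)$")

def kdump_to_edges(text: str):
    """Map CALL records to (process, syscall) counts and detect execs.
    NAMI/GIO records and the raw GIO data lines are skipped; a change of
    command name on the same pid is treated as a successful exec."""
    calls = Counter()   # ("comm[pid]", syscall) -> number of calls
    execs = []          # (old "comm[pid]", new "comm[pid]")
    last_comm = {}      # pid -> most recently seen command name
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue    # GIO payload lines and anything unrecognised
        pid, comm, kind, detail = m.groups()
        prev = last_comm.get(pid)
        if prev is not None and prev != comm:
            execs.append((f"{prev}[{pid}]", f"{comm}[{pid}]"))
        last_comm[pid] = comm
        if kind == "CALL":
            syscall = detail.split("(", 1)[0]
            calls[(f"{comm}[{pid}]", syscall)] += 1
    return calls, execs

def to_dot(calls, execs) -> str:
    """Render the edges as a Graphviz digraph, call counts as edge labels."""
    lines = ["digraph kdump {"]
    for (proc, sc), n in sorted(calls.items()):
        lines.append(f'  "{proc}" -> "{sc}" [label="{n}"];')
    for old, new in execs:
        lines.append(f'  "{old}" -> "{new}" [label="exec", style=dashed];')
    return "\n".join(lines + ["}"])
```

Piping the output of `to_dot(*kdump_to_edges(open("trace.txt").read()))` into `dot -Tpng` gives the picture; repeated calls collapse into one labelled edge rather than many parallel ones.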