December 25, 2002

Merry Christmas Everyone

I wish I could say I had the same talents as Darren when it comes to taking pictures at the holidays, but I am afraid I cannot. However, I would like to leave you with some pictures I took on the digital camera this early morning.

These pictures don't do justice to those beautiful glass balls, but the thought is still there. Hope you are having a great Christmas day.

December 20, 2002


OH MY GAWD! Went and saw Lord of the Rings: The Two Towers last night with Alan and the crew. OH MY GAWD. I loved the first movie in the series. Didn't think I could like anything more. Until last night. What an amazing 3 hours (hold that to the 15 minutes of advertising for stupid Zoom-Zoom Mazda cars.. someone needs to drop kick that kid). The battle scenes are just amazing. The rendering of the trees and the schizoid formerly known as Gollum are to die for. I expected it to look corny, but they really pulled it off. I won't say anything more, just in case you haven't seen it yet. (Quit reading this blog and get your arse down to a theater if that's the case)

This morning the school put on a "family breakfast" that was pretty good. Nice to get together and have breakfast with a few families we know from school. Not being a pancake man myself without strawberries, I still was able to survive.

Working on cleaning up a Transparent Proxy Redirector. I am sick of having to use an IP for my mail/web server behind the firewall due to NAT issues. Hopefully by the end of the day I will have the plugin finished. Was a bitch to get that figured out on how to write it to the firewall correctly. I have it now, and should get it merged into beta pretty quick. I think other people would love this as well. (I know Alan and Wim will for sure)

Can you believe Xmas is almost on us? How sickening is that. *sigh* I just thought we finished Halloween. Man time flies when you aren't the one getting all the presents. ;-)

December 18, 2002

Two Towers is OUT!

TODAY IS THE DAY! Two Towers is released. I am so excited... and SO SAD. Why am I sad? Because I cannot go. :(

Alan and I were going to go see the matinee today, but my mother-in-law is in the hospital, and yours truly needs to stay with the family, driving them to the hospital and generally being a nice guy for support. The movie will still be there tomorrow... but I was SO looking forward to seeing it on opening day. :( And yes, my mother-in-law will be ok... she isn't on her death bed... which makes this even more sad.

That's ok though. I'll live. But please NO SPOILERS on yer blogs if you go in the next day or two.

Monday night Alan, Wim and I got together to chew the fat about automated functional and security testing. Evening started off a bit bumpy as I was so looking forward to having sushi, only to find the sushi restaurant closed on Mondays. Curse you Japanese Sushi Chef! We settled for Boston Pizza, and then had a good time exploring all the different aspects of it. One conclusion we came to was testing is rarely fun and is really a chore, which is why none of us ever do it. I still don't believe the approach to Extreme Programming is clear on how to do tests before writing code, but I will probably always struggle with that one. I would rather write tests that can insert into the master sources to test, rather than writing little programs to test the function. That doesn't make much sense. Let me restate that. If I have a function called writeXMLConfig(); I don't want to have to strip that code into a simple application so I can run it, and then run my test against it. Let's assume the test simply checks the validity of the XML file that is written out. If I decide I want to change something in the master sources, I have to ALSO remember to change it in the little test app. Too easy to forget/screw up. Now, that was never the intent of Extreme Programming, as unit testing should have a harness around every function WITHIN the code. But that isn't always practical. Many functions cannot be automated as they are triggered from UI events, or external functions we may not have control over. Makes it EXTREMELY difficult to test.

Wim sent up some interesting links to the automated testing though. They can be found here on his Wiki. I have been looking at the C/C++ test suite over at Parasoft and trying to see if that makes any sense to use. I get scared when they purposely don't tell you how much it costs on the web site. *shudder*

On that note, I need to go upstairs and see that everyone is alright. Hopefully Jenn's mom will be out of the hospital today and that should relieve some tension around here. No one likes having a family member in the hospital.. it's just nuts. TTYL

December 14, 2002

Security Testing

You know, unless you want to spend tens of thousands of dollars, there is very little out there for tools that perform fault injection for security testing, or even functional testing for that matter. In the new year I am going to be spending some time writing some generic security tests that can be used to do a gamut of different things. I am going to also open a free site so other developers can use and exchange their tests to hopefully help us all write better quality code with security in mind. A few tests I hope to write include:

  • Dangerous Function Scanner - Scan an entire master sources tree looking for dangerous functions and API calls that should not be used, or at least used with care. Examples would be strcpy vs. strncpy, using SetSecurityDescriptorDacl( ..., ..., NULL, ... ) incorrectly [shouldn't use a NULL DACL] etc.

  • Rogue TCP/IP Client/Server - Simple socket client and server to purposely stress-test network clients and servers by attacking and tainting the data stream in malicious ways.

  • Script-Injector - To test against cross-site scripting and invalid script injection code in web forms and services. Especially useful for those PHP and ASP boneheads of the world that don't properly validate user data.

  • XML Tainter - XML is starting to become a de facto standard for data manipulation, especially in newer TCP/IP protocol communication paradigms. Did you know though that there are limits in the size of the tag, as well as the characters that can be used? May as well create a test to maliciously create payloads of XML data and see how the data abstraction layer in an application can handle the information. On the flip side... I am routinely seeing misuse of XML where tags are EXPECTED in the file, but don't actually exist. Non-existent tags are just as bad as malicious ones if not handled correctly.

  • Sizeof op checker - Wanna know the classic way to overflow a windows application? Find one that uses both multibyte and wide characters and uses the sizeof() operator to calculate dynamic memory allocation. Routinely developers screw that up and allocate enough room for a string, only to find it is multibyte and needs double the amount of room. The result? A memcpy/strcpy etc can overflow and allow you to go to town. Microsoft's printer spool is a perfect example of an app that had this issue for a VERY long time.

  • SQL Misuse - Scan code to see if it exposes privileged SQL information such as username/password to connect, or functions that could easily be stored procedures rather than raw code. Topped off with SQL injection checks and SQL builder issues, this test should hopefully stomp out a lot of issues surrounding database access with SQL.
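As an added example of the first and fifth items in the list above (this is not the author's Perl tool, which is not on this page), here is a small Python scanner that walks C/C++ source looking for unbounded string calls, a NULL DACL passed as the third argument of SetSecurityDescriptorDacl, and a wchar_t buffer whose malloc size never multiplies by sizeof(wchar_t). The C snippet it scans is constructed for the example, and the rule names, SAMPLE_SOURCE, scan_source and scan_tree are my own names.

```python
import os
import re

# Constructed C snippet used as scanner input for this example (not from the page).
SAMPLE_SOURCE = """\
#include <windows.h>
#include <string.h>

void copy_name(char *dst, const char *src) {
    strcpy(dst, src);                       /* unbounded copy */
}

BOOL open_dacl(PSECURITY_DESCRIPTOR sd) {
    return SetSecurityDescriptorDacl(sd, TRUE, NULL, FALSE);  /* everyone gets full access */
}

wchar_t *widen(const char *src) {
    size_t n = strlen(src) + 1;
    wchar_t *out = (wchar_t *)malloc(n);    /* n is a byte count, buffer holds 2-byte units */
    wchar_t *ok = (wchar_t *)malloc(n * sizeof(wchar_t));
    MultiByteToWideChar(CP_ACP, 0, src, -1, out, (int)n);
    free(ok);
    return out;
}

void ok_copy(char *dst, size_t cap, const char *src) {
    strncpy(dst, src, cap - 1);
    dst[cap - 1] = '\\0';
}
"""

# Unbounded C string functions and the bounded call to prefer instead.
DANGEROUS_CALLS = {
    "strcpy": "strncpy/strlcpy with an explicit destination size",
    "strcat": "strncat/strlcat with an explicit destination size",
    "sprintf": "snprintf",
    "gets": "fgets",
}

CALL_RE = re.compile(r"\b(" + "|".join(DANGEROUS_CALLS) + r")\s*\(")
DACL_RE = re.compile(r"\bSetSecurityDescriptorDacl\s*\(([^)]*)\)")
# A wchar_t pointer initialised from malloc(); group 1 is the size expression.
WIDE_ALLOC_RE = re.compile(r"\bwchar_t\s*\*\s*\w+\s*=.*?\bmalloc\s*\(([^;]*)\)")


def strip_comments(line):
    """Drop single-line C/C++ comments so words inside them do not trigger rules."""
    line = re.sub(r"/\*.*?\*/", "", line)
    return re.sub(r"//.*", "", line)


def scan_source(text):
    """Return (line_number, rule, message) for each finding in a C/C++ source string."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = strip_comments(raw)
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            findings.append((lineno, "dangerous-call",
                             "%s(): prefer %s" % (name, DANGEROUS_CALLS[name])))
        m = DACL_RE.search(line)
        if m:
            args = [a.strip() for a in m.group(1).split(",")]
            if len(args) >= 3 and args[2] == "NULL":
                findings.append((lineno, "null-dacl",
                                 "NULL DACL grants everyone full access; build an explicit ACL"))
        m = WIDE_ALLOC_RE.search(line)
        if m and "sizeof" not in m.group(1):
            findings.append((lineno, "wide-alloc-size",
                             "wchar_t buffer sized without sizeof(wchar_t): %s" % m.group(1).strip()))
    return findings


def scan_tree(root, exts=(".c", ".cc", ".cpp", ".h", ".hpp")):
    """Walk a source tree and return {path: findings} for every file with findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    for lineno, rule, msg in scan_source(SAMPLE_SOURCE):
        print("line %d [%s] %s" % (lineno, rule, msg))
```

Run stand-alone it reports three findings in the constructed snippet (the strcpy on line 5, the NULL DACL on line 9 and the under-sized wchar_t allocation on line 14) and stays quiet on the strncpy and the correctly sized allocation. The rules are deliberately line-local regexes, which is what makes them cheap enough to run on every build; a real build step would call scan_tree on the source root and fail the build when the report is non-empty.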

There are others, but I see those ones being of immediate use to many of us. If you have any other ideas of good security tests that should be written, please let me know. I will be writing all my security tests in Perl, which runs natively in Unix environments and in Windows environments (with Cygwin), which means you can easily add these into your make files or build environment scripts for your daily builds.
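The XML Tainter item above cuts both ways: the same loader that has to survive oversized or malformed tags also has to cope with tags that simply are not there. As an added example, not from the page and not the author's Perl tool, the Python below loads a small <config> document with explicit limits on tag length, text length and nesting, refuses documents that lack the tags the application expects, and runs a handful of constructed tainted documents through the loader to confirm each one is rejected with a clean ConfigError rather than an uncaught exception. The tag names, the limits and the sample documents are my own assumptions.

```python
import xml.etree.ElementTree as ET


class ConfigError(Exception):
    """Raised for any config document the loader refuses to accept."""


# Tags the application expects; a document missing one is rejected, not silently defaulted.
REQUIRED_TAGS = ("host", "port")
MAX_TAG_LEN = 64        # hypothetical per-application limit on element name length
MAX_TEXT_LEN = 256      # hypothetical limit on element text length
MAX_DEPTH = 8           # hypothetical nesting limit


def _walk(elem, depth=1):
    """Yield (element, depth) for the element and everything below it."""
    yield elem, depth
    for child in elem:
        yield from _walk(child, depth + 1)


def load_config(xml_text):
    """Parse a <config> document into a dict, rejecting malformed or out-of-bounds input."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ConfigError("not well-formed: %s" % exc)
    if root.tag != "config":
        raise ConfigError("unexpected root element <%s>" % root.tag)
    for elem, depth in _walk(root):
        if depth > MAX_DEPTH:
            raise ConfigError("nesting deeper than %d" % MAX_DEPTH)
        if len(elem.tag) > MAX_TAG_LEN:
            raise ConfigError("tag name longer than %d" % MAX_TAG_LEN)
        if elem.text and len(elem.text) > MAX_TEXT_LEN:
            raise ConfigError("text in <%s> longer than %d" % (elem.tag, MAX_TEXT_LEN))
    config = {}
    for tag in REQUIRED_TAGS:
        elem = root.find(tag)
        if elem is None or not (elem.text or "").strip():
            raise ConfigError("missing required <%s>" % tag)
        config[tag] = elem.text.strip()
    try:
        config["port"] = int(config["port"])
    except ValueError:
        raise ConfigError("port is not an integer")
    if not 1 <= config["port"] <= 65535:
        raise ConfigError("port out of range")
    return config


def rejects(doc):
    """True if the loader refuses the document with ConfigError (anything else propagates)."""
    try:
        load_config(doc)
    except ConfigError:
        return True
    return False


# Constructed test documents: one good, the rest tainted in the way the key names.
GOOD = "<config><host>mail.example.test</host><port>25</port></config>"
TAINTED = {
    "missing-port": "<config><host>mail.example.test</host></config>",
    "empty-host": "<config><host></host><port>25</port></config>",
    "long-tag": "<config><%s>x</%s><host>h</host><port>25</port></config>" % ("a" * 300, "a" * 300),
    "bad-name-char": "<config><ho st>h</ho st><port>25</port></config>",
    "unterminated": "<config><host>mail.example.test</host><port>25",
    "deep-nesting": "<config>" + "<a>" * 20 + "</a>" * 20 + "<host>h</host><port>25</port></config>",
    "port-overflow": "<config><host>h</host><port>99999</port></config>",
}


def run_harness():
    """Feed every tainted document to the loader; return the names it rejected cleanly."""
    # Any exception other than ConfigError escapes here on purpose: that is exactly
    # the unhandled case this harness exists to expose.
    return [name for name, doc in TAINTED.items() if rejects(doc)]


if __name__ == "__main__":
    print(load_config(GOOD))
    print("rejected:", run_harness())
```

The limits here are on structure, not on entity expansion; a harness that also feeds entity-expansion payloads would want a parser hardened for that, such as defusedxml, rather than the bare xml.etree module.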

December 12, 2002

Christmas Concert

My daughter's Christmas concert was cute. It had a lot of different religions tied in, ranging from Jewish celebration to a Mexican pinata dance. The Jamaican Noel was just weird. Anyways, was good to get out, and I seem to be over the worst of the cold.

Can't wait for LOTR. With bated breath I sit imagining a hobbit's tale that awaits me. If it's anything like the first movie, they will do justice to the books and really give a rewarding theatrical experience. It is hard to stay away from the "spoilers" that are starting to leak. Of course, having read the book I know how it turns out. But hey, Titanic had good parts (except the acting) that I didn't expect, even though I knew how it ended. :)

Was burning a few cds today and found an old MP3 cd I burned about 4 years ago. Oh my $DEITY have my tastes changed. I know some songs were there for Arc's benefit (such as his favorite Spice Girls songs :) ), but when I found Mar's "Pump up the Volume" and Prodigy's "Voodoo People" I began to remember some of the old music that I liked. Really interesting to see that the format/info of the mp3 back then kinda sucked compared to the conventions of today. There is no way I could sort and compile this into my existing collection without tainting my existing categories/naming conventions.

I would write more but Shaw seems to be having huge network issues as about every 3 or 4 minutes my ssh session is dying and nothing resolves. Then again.. not much more to say just right now. Should be heading to bed anyways. TTYL.

December 10, 2002


I hate being sick. *sniffle*. My daughter gave me her bad cold, and it's pretty much drained me. Yesterday I had to spend the day tending to my daughter, only to get sick myself. *sigh*

It is weird to just sit on the couch and lay around instead of working. I don't know how people could do this on a regular basis. I mean, a vacation is kewl, but people that just lie around and watch Springer all day must be going nuts.

3rd Watch last night ROCKED. It has so many twists and turns, with a moral dilemma here and weird police action on the border of illegal acts there.... you wanted more... just like a kid in the candy store. As always expected, Bosco has moved more to the dark side covering up and lying so he could nail his perp. He misjudges the kid... how does he know he isn't misjudging the gang leader (besides the fact he's an arsehole). The law is the law... stretching it like that will walk you deeper to the dark side.

My head is starting to feel woozy. I think I will put the laptop down and lay down for a bit. I have to get better enough to go to my daughter's xmas concert tonight, or she will be devastated. L8r.

December 07, 2002

Ho ho ho

Went to the Mission Santa Parade last night. Weather was great, and made the event much better than last year... since we were soaked and miserable with the rain last time. I don't mind parades, but I wish the damn rigs would refrain from using their horns so much. I get quite a headache from the noise.

Been thinking more and more about security tests. The entire process of providing that within the build environment, and applying the test to each build. Some others in the security industry have been interested as well, and I think I might end up starting a free web site to collect this sort of information, and let others get free access to generic security tests they could apply to their environments. Be it Java, C/C++ or even some web services in ASP or the likes, these could be very beneficial tests. Ranging from user validation tainting in fields, to rogue servers to stress-test socket implementation, this could be a nice site for all of us to use.

Been getting to spend more time talking with Michael Howard over at Microsoft in the Secure Windows Initiative and we got into the philosophies of least privilege and the top 10 security tips he always flogs on the Microsoft campus, and how that relates to education in the workplace. The "Developer Boot camp" they did was riddled with common things people take for granted daily. If you haven't read his article on the top 10 tips you should do that now.

We have people coming over tonight, so I need to run to the store and pick up some snacks etc. Eating better makes it extremely difficult to entertain in the snack department, when you don't HAVE any party snacks in the house. I am a salsa and baked nacho chip kinda guy. Kinda boring. As such, I'm outta here to go get some meats and cheeses to add to the veggie plate. TTYL.

December 04, 2002

Well written paper

I just finished reading a well written paper on 10 interactive security design principles as it relates to user interaction within a secure application. I originally got the link as a topic on /. about Secure Interactive Design and found it quite interesting. As usual, id10ts in the /. community have no clue what they are talking about and are quick to judge and make erroneous statements without even spending the time to read the whole paper. But what can you expect from many of the posters there. Don't get me wrong, I love many of the slashdot crowd, but geeks without knowledge are dangerous beasts. *sigh*

Anyways, it's well worth the read. You may or may not agree with all principles, but the paper is written in a logical way in how UI design needs to apply more security engineering principles in a more constructive light. I don't fully agree with it as I think too much emphasis is on the user's role in the system when truly the model of security needs to take precedence on how user authoritative access controls can be applied. As an example, you cannot apply the Bell-LaPadula security model to a user to start with, as the classification of any given object's security within a system determines access control, and not the other way around. In the end it comes to the same point as brought within the paper, but addressed slightly differently in how it is applied practically. Even so, I enjoyed reading the paper. Very well done.

December 03, 2002

Congrats Zim!

Congrats Zim. I hear you got PGP out the door today. Now that I owe you the beer you have to come up and collect. :P Actually, I am looking forward to that buddy. Been a long time. Of course, my head isn't sure if it can have another friendly debate on crypto issues of the world. Maybe Gene can come up with ya and we can have some real fun talking about *** ******.

So Muckhead took my advice and put up a blog. Of course, now he will need to keep up with it and update it on a regular basis :) Then again, blog month wasn't as easy as I thought it would be as I have been so busy. Guess time will tell if I can keep up with it on a semi-regular basis myself.

This weekend looks like it's gonna fall through. A few families were supposed to go up to Manning Park to snowshoe. With literally no snow up there, that ain't going to happen. :( Not sure what we are going to do now. Maybe a hike in the cold or something. I wonder if there are any places up there for camp fires.

The count down to The Two Towers is driving me nuts. I can't wait to see the new movie. I think I might take the afternoon off and slip out opening day and catch a matinee in Mission. Of course, every other geek will probably do the same thing and it will be packed. I hope not.

I am on the 20th campaign in Age of Mythology. I would be much further but I haven't had much time to play it except late at night. It's getting progressively harder, but at the same time interesting, as they have neat little missions to accomplish that make the game play kinda fun.

On the note of no time, I need to get back to work. Lunch is over. TTYL.

December 01, 2002

Curse you Noma

Now I know why Noma makes so much money as a company. Their damn icicle lights can't last more than a season. *grumble .. grumble*

So I got up and was outside prepping the lights to hang as I do every first weekend of December. Of course, the icicles SEEMED fine when I plugged them in on the ground. Of course, after several hours on the ladder, and putting the lights in series... some strands just would not work. Out of the 9 strands... 1 is fully hooped and two have only half the lights working. In an effort to get this done I went to Canadian Tire to swap out the bad strands. Of course Noma decided that this year, the cord color would be WHITE instead of green. In other words, I would have to replace EVERYTHING or look goofy with some cords white, and some green. *sigh*

I will make some calls this week and see if I can find a store that has green cord icicles. Hopefully I can find some. While I was wrestling with that, my wife and daughter made the inside of the house festive. Beautiful tree again this year. We have a lovely gold bead, red ball with white lights Christmas tree. I love that. Very classy, extremely sophisticated, and not tacky. I really dislike flashy color light trees which would make an epileptic go nuts. Add to that tacky ornaments and you got the, in my opinion, most ugly tree ever. Maybe it's kewl when yer 3, but after that it's just ugly. Of course, most people disagree with me. But that's ok.

