22 December, 2003

failures to disclose and people who fear disclosure

i find myself wondering today why more large businesses aren't willing to admit they use open source software. when i worked at ACS it was always so hush-hush that we had this monstrous postgres database. furthermore, we were using linux.

i've said a few times that i don't really like linux. this is still true. however, i don't think it's right for companies to be using it as heavily as they are without giving some credit to the movement.
so i'm thinking maybe it would be nice if there were some anonymous submission archive where employees of said companies could contribute anonymous anecdotes about how such and such software was used.
 
seems to me that the gpl says if you distribute software with gpl components, you have to provide the source, and the same rights you were given under the gpl. but there's no component that says you have to be truthful about using it, and if you're not distributing the software, you aren't compelled to make it available. on the other hand, there's no body of researchers out there trying to determine whether anyone is using gpl software either. or is there?

this leads me to believe that a license with such a stipulation might not be such a bad thing. of course, licenses are one of the jihads among programmer folk, so i'm sure somebody has a counter-opinion.

19 December, 2003

minutiae

life at the aforementioned isp has been interesting. it's the first time i've ever been really "full time," versus being a contractor (for almost ten years even). the culture is very different.
 
i'm working with some very bright people, and i can tell this is going to be a challenge. thankfully, the people i'm working with are real nice, and i've known some of them for years online (on irc).

i've now got three cvs repositories i'm maintaining my code in between work, home, and home-public (e.g. shared). so much stuff to code, so little time.
 
been doing a lot of postgres stored procedure stuff. never really liked sql from an aesthetic standpoint, but i suppose if i were going to code in sql, i'd choose pl/sql. at least it has some control structures. :-/

my mother and sister coming out turned out to be more taxing than relaxing, that's kind of a shame.

been coding a lot in POE. i think Matt has it right when he says "there are two kinds of perl programs i write anymore: 4-5 line quick scripts, and POE scripts." I thought about this some yesterday, and I realized I see almost no point in coding in "regular" perl anymore. state machines just make so much sense. i think when people tell me i missed out on college, this is the stuff i would have liked to have done. mostly i've found academia to be stuffy and overly impressed with itself. but this kind of thing is fun. sometimes it's practically useful, but mostly I just like programming this way. we shall see in the spring what happens when i get back into school.

my friend Rod has encouraged me to publish a paper on self-organizing networks of natural language parsing sensors (e.g. botnets that you can "talk to" for monitoring), and has said he'll hook me up with a partner of his. i'm excited about this, but nervous. i've got a lot to say and no real coherent thoughts on it yet.

the navy, predictably, got completely pissed. i told them. months ago. "i am leaving if you don't put a job in front of me." so they show up on the last possible day, offer me $15k less than i'm making, and call it a job offer. riiiiiiiight. maybe in a decade or so when i need something relaxing.

starting to think raising kids might be a more rewarding activity than programming. we shall see. sandy seems supportive either way.

03 December, 2003

STOS report

The talk at STOS went very well. I've been invited back next year, and hope to be able to be there for San Francisco in, what, April? I'm also eying the DARPA Symposium in March. 
 
In the meantime, my slides from the talk are available on my personal webserver. These will be updated soonish; I found some bugs at the talk, and I made some quick typos. I'll also be putting up, with the slides, the collection of rules for pf, as mentioned in the talk.
 
The talk was an overview of basic crypto, protecting your data, firewalling, special routing, and generally just a primer on not being owned. People really liked it. I think it was helpful for them to see in real time how quickly you can be compromised. Anyways, the slides are large, and keynote sort of cocked up the export to PDF, but I think you'll get the general impression by going over them.

Let me know if you have questions or comments. I plan to can this talk and give it for people who want it.

On another note, I got to talk to Rob Daniel's wireless class (several of whom were in his honeypots class previously, whom I red teamed for their final) about the red teaming I conducted for them over the summer. That was a real treat. I was very careful to provide a lot of information for them. It was difficult to conduct an attack on a network with the intent to create specific "waypoints" that would be visible for purposes of grading on a test. Anyways, talking to them was great; I got to explain how everything worked and what they could and could not have done to stop it.

I really respect the people in there for being so polite, when I had spent a couple hours pounding on them. The original log is available on Professor Daniel's website.

Anyways, I'm excited. I also got to meet Robert Watson (I'm not name dropping, honest) who was able to provide some very helpful insight into how the OpenBSD bridge* devices work. Originally I thought it was a flaw in the BSD TCP stack. Robert tells me this is sort of the case, but only because when you start examining the stack in this detail it becomes sort of a metaphysical discussion. I agree with him. He also shed some light on why OpenBSD doesn't have SMP yet. There is good news. FreeBSD will have pf, smp, and run on Sparc64 as of 5.3 (indeed come out of the box with all three). Despite my really hating FreeBSD (well, it kind of boils down to the community and the installer and not so much the OS, I'll admit that), that sounds like a good enough reason for me to switch. Theo will get his wish.
 
So I'm going back for the Wireless Challenge tomorrow. We're going to try to connect about a quarter of DC with Yagis and omnis. So far we've done pretty well.

Starting work next week, but I'm having so much fun PLAYING!

23 November, 2003

Contracting downs and down-furthers

Well, with 400 hours left at the beginning of October, and work weeks averaging in the 50-75 hour range, I'm damn near out of hours. I think probably this is the last week BAE can continue to pay me. 

That's really alright with me, I'm going to be working for a large isp in Reston, Virginia. I start Dec 8.

A curious thing about this recent fit of interview-offer-ponder stuff. The Navy really sat around for months on my contract, when they could have renewed it. I eventually hit a point with them where I was so frustrated that, a couple of times, I really was trying to get myself out of the project by doing insanely stupid things (coming in to work deathly hung over -- for an 8 hour meeting!).

Once things reached that point, I more or less wandered off and started looking for other work. Then, when I've actually got an offer in my lap, they come back about how they really need me. I think they just figured that I'd take what they offered, even if it meant a paycut, just because I wasn't going to go looking. Well, I found another job, and I'm just shocked at how far these people are willing to go to keep me on the project. We went from a 15k paycut to a 15k pay raise in something like 36 hours.

Sadly, I think it's that kind of ... well, let's just call a spade a spade: dishonesty is why I'll be taking a bit of a break from DOD work. Personally, I find it very rewarding. I know many of the programmer types out there are a sorry liberal bunch, but I find it deeply rewarding to be able to work on projects that are in fact keeping us safe at night. The way these people run their projects, though. Yeeeeesh.

I don't know if I'll ever go back.
 
Speaking of going back, I think I'm going to try to go back to school in the spring, on a large isp in Reston, Virginia's dime. I'm even thinking learning Java could be neat. [ed: they fucked me over so very hard]

Lastly, I'm talking at STOS in December. Should be a lot of fun. Been researching the subject matter for a month or so, getting actual data, and preparing to pwn people as they watch. And that's not even the second half of the talk.
 
edit: removed employer identity references.