Google Wave Invite Nominations

This is what it looks like when you finally get to nominate folks to join Google Wave:

I've had Wave since October 8, and I am just now able to nominate folks.

Update: All the Wave invites I had are now spoken for. Thanks for all who participated!

Here's how it works. Leave a comment with your email address in base64 encoded format, and I'll invite you if you're among the first eight to do so. Your email address absolutely must be in base64 format or I'll just ignore you. If you don't know how to convert text to base64, you can do some research. Hint: ALL YOUR BASE64 ARE BELONG TO US. Consider this an extremely easy challenge. Keep in mind (as written above) that invites aren't actually mailed out instantly. In my case, it took about 8 days from nomination to Google Wave access. Be patient!

Example: my email address in Base64 is YXgwbkBoLWktci5uZXQ=

A blonde joke courtesy of Google.

Nothing against blondes, but this one reminds me of "write 'flip over' on both sides of a piece of paper"

Recursion. lolwut?



hat tip: Dangerboy

Tracking Rumors (a la the OpenSSH Exploit)

By now, I'm sure you've all heard the OpenSSH Exploit rumor.  The short and sweet points are:

• The rumored exploit doesn't work on the current version (5.2/5.2p1 as of writing)
• The rumored exploit does work against older versions (but we don't know how old or when it got fixed)
• It's not a bad idea to upgrade your OpenSSH (and derivative) services to OpenSSH 5.2.

What really concerns me are forks from OpenSSH that are likely to be ubiquitous in the enterprise. There are many, but the following two seem like A Pretty Big Deal to me:

• Red Hat Enterprise Linux ships with OpenSSH 4.x, but patches it in-house and releases these updates to RHEL users to fix certain bugs as they're fixed in the 5.x series. 
  
• Sun Solaris 10 ships with "SunSSH 1.1" which is basically a mash-up based on OpenSSH 3.5p1.

You see why I'm more than a little concerned, right?   Without having the exploit code to test with, we don't know if the exploit will work against these bastardizations of the OpenSSH code-base.

Without some solid proof, I'm not going to go to my boss and scream that the sky is falling. I just want to stay in touch with the OpenSSH / 0pwn0wn exploit drama. Google Alerts to the rescue!

Google Alerts allows you to get rapid-fire email or RSS feed updates when new items show up in Google's index for given search terms. You can use this for vanity searching and a host of other things... or, as I do, to keep an eye on breaking news for more obscure stuff.

With that, I set up alerts for OpenSSH (News and Blogs) and 0pen0wn (Comprehensive search) - If an exploit is released publicly, I want to know about it so that I can test it and make recommendations on how to fix it.

Also, it's not a bad idea to set up google alerts for other mission-critical products or services you rely on, if for nothing else, to keep your fingers on their pulse.

Web filter evasion part 1: RSS and You

View entire series: Web Filter Evasion

A lot of times, you kind of want access to your favorite content, even if it's just to read it, while at work or school. Some places with more draconian Internet access policies block pretty much everything "cool" and paint their restrictions with a very wide brush. In this series, we'll uncover a few ways around these restrictions.

In Part 1, I am going to cover one way of evading these restrictions that is not only one of the most straightforward and easy methods, but also the least likely to get you in trouble with your boss or your IT department: Online RSS readers.

About RSS
RSS was invented around the turn of the century, but started to gain widespread popularity in the wake of so-called "Web 2.0", when syndication, mash-ups, cross-platform publication and content management all coalesced together. While not every web site has an RSS feed, almost every blog, news site and social network has some kind of RSS integration going on. In this article, I'll focus on gaining access to content via RSS despite web filtering software's strangle-hold.

Local RSS Clients
Local RSS clients such as FeedReader or Mozilla Firefox Live Bookmarks usually contact the site directly, pulling a data feed down (RSS, Atom, XML, etc) to display the information in a lightweight, easy-to-read format. The problem with this is that the RSS feed usually has the blocked URL in it. For example, Digg's rss feeds are all on digg.com. If access to Digg is blocked, you can't get to the feeds, either.

Online Readers
Online RSS readers pull the feed from a central server, then just display the information to you directly over the web. For this example, I'll use Google Reader. That said, My Yahoo and MSN Live (among dozens of others) also offer the ability to integrate feeds on your page but it's not quite as robust as Google Reader. Using the example above, if you add Digg's RSS feeds to Google Reader, your web filter only sees you trying to access http://www.google.com/reader/ which is passing the contents of the RSS feeds to you - and most web filters let you get to Google. Again, if that doesn't work, there are dozens of ways to access RSS feeds with online readers.

Things to note
One flaw here is that embedded content from banned sites won't load and may be logged in your web filtering software. If your employer blocks Flickr, you can load someone's Flickr RSS feed into your reader and see their feed, but all of their images will fail to load. Same goes for blog posts with embedded YouTube videos if YouTube is blocked. You get the idea. Basically, this works best for RSS feeds where most of the content is text-based. News sites like CNN or Engadget. Social bookmarking sites like Digg, delicious and reddit. Blogspot, wordpress or livejournal blogs. Even twitter.

Justification
If you get busted (which is not likely if you play your cards right), you can always say that you use something like Google Reader to track updates to your favorite websites at home. If you can get to it from work, it must be okay, right? Make sure you're managing your time wisely, and keep the content you view at work "work safe" and non-offensive. Chances are that your boss won't mind. In fact, he might just think you're checking your personal email really quick, as RSS readers often look somewhat similar to web mail clients. Plausible deniability only works once, though. If you're asked to stop it, you should stop. If your written policy specifically bans all personal Internet browsing, you may also get the book thrown at you. HiR won't be held responsible for legal or employment problems.

How to do it:
First, sign up for a free Google account if you don't have one already.

Next, go to Google Reader and log in.

Add a subscription RSS feed. I'll add HiR Information Report to my Google Reader:





In part 2, I'll cover using out-of-band communication.

View entire series: Web Filter Evasion

Asmodian's Workbench

Whats on Asmodian's workbench?
============================================
Google mini
============================================
The Google-mini is an Internet search appliance. It is essentially a 1u Intel server with Googles search engine with a simple web based interface to specify what sites it should index. The mini lacks the capability to access anything but web or samba based resources. To this end they have a feature called a Onebox.

A Onebox module is an XML profile describing what to do if a certain set or format of keywords are encountered during a query. The definition then tells Google to access a certain collection or an external script which then is sent the query and any applicable authentication information and expects back an XML response. The response is pared with an XSLT style sheet and displayed with the search results.

The Onebox can search queries by key words, Perl regular expressions or on every search.
The example they made was an employee directory which searched by lastname and returned basic contact information in a formated box with a graphic.

Informative resources:
Google Inc. "One Box Guide". Accessed 2-18-2008
http://code.google.com/enterprise/documentation/oneboxguide.html
============================================
Pure-FTPd Follow up.
I am working on an adaptation of my previous article on Pure-FTP using Mysql as the user database and creating an automated user web space system, or adapting an existing one.

I am in a situation where I have user information sitting in LDAP (via Novell NDS) however I cannot implement my own schema so I must use a Mysql back end to store the user information.

So what I plan on doing is setting up the interface to poll LDAP for user info and import it into the authentication database.

============================================
iPOD Touch Hassle
It seems I am cursed to buy the one technological widget which is resistant to modification.
It appears that the new iPOD's purchased since December 2007 are resistant to Jail breaking.

Worst yet, information on this is buried amongst a deluge of you tube videos and un-readable Interweb BLAG's with a crap ton of advertisements so that searching for helpful information is an all night task. I'll tell you what doesn't work:

Upgrading to the 1.1.1 firmware via Itunes 7.5+ (Mac and PC)

Though it has been a learning experience:
The iPOD touch /iPhone uses a Arm processor some where around 500Mhz.

You can access the media folders on the iPOD via iPHUC. However on a standard iPOD this dumps you into a chrooted folder (/var/root/media)

The downgrade/jailbreak process goes like this 1.) Get the old firmware 2.) Put it into recovery mode(see above) 3.)Use iTunes to load the old firmware 4.)on your ipod goto the site with the giant tiff with the overflow info and payload. 5.) It will load the program installer.

Then theres some tricks to upgrade the iPOD back to the latest firmware while keeping the ability to load 3rd party software.

Like I said, this has not been working.

You can resurrect a "bricked" iPOD or iPhone by holding in the Sleep button and the home button then letting go of the sleep button when you see the apple logo. Then you should see the iTunes logo and the iPOD cable symbols. Attach it to iTunes and then restore the firmware. (This wipes out EVERYTHING).

I understand that if the boot loader is corrupted or overwritten with an incompatible version there is a way to reload it too but I haven't seen any articles with sufficient details on this.

Informative Resources:
ARM web page. "ARM Powered Products". Accessed 2-18-2008 http://www.arm.com/markets/mobile_solutions/armpp/18665.html

Johnstone, Jeremy. "Howto: Run custom apps on iPhone (Part #1)" Accessed 2-18-2008
http://www.jeremyjohnstone.com/blog/archives/2007/08/05/howto-run-custom-apps-on-iphone-part-1/
*This describes a utility called iPhuc and has little to do with the iPOD touch

ilounge.com. "white screen lockup", Accessed 2-18-2008
http://forums.ilounge.com/archive/index.php/t-209541.html
*This references a couple of Youtube videos on updating the firmware.

iPHUC Homepage, "iPHUC" Accessed 2-18-2008
http://code.google.com/p/iphuc/
*iPhuc gives you an interactive (albet chrooted) shell to your iPhone or iPOD.

True, Nathan. "ibrickr" Accessed 2-18-2008
http://cre.ations.net/creation/ibrickr
*The iBrickr application is very handy in even though it's meant for the iPhone.
============================================

Zend Framework and Google Spreadsheets

I've been tinkering with Zend Framework specifically for the purpose of dealing with Google Spreadsheets for the past couple of days. I know that most of my code is a complete bastardization of PHP. The examples I saw were using classes and objects. I'll be frank with you: I am not a developer, and I haven't taken the time to really wrap my brain around that stuff. The ZF Google Data tools return objects, and I worked my way through those enough to get the data out that I wanted, just in order to make this little project work.

I may build on this a little bit later, but for now I'd like to show you what I threw together, then how it works. Sorry, this is kind of big for a blog post so I put it in a scrolly iframe. Each little block of code has some documentation. It's worth reading my comments.



You can also download it here: Google Spreadsheets Explorer (php source, 4kB)

I don't actually have Zend Framework on any production servers right now, so I did a fresh install of PHP5 and Zend Framework on my OpenBSD virtual machine. If you want to test this yourself, you can easily get Zend Framework up and running easily if you have PHP 5.1.4 or newer running anywhere. Currently, PHP is up to 5.2.5.

When you first fire it up, there's no session, so it displays the login screen. You login with your google account information:

After logging in, a session is established. How this session information is stored varies from one PHP installation to the next. It might be in a client side cookie, a server side database, etc. Behind the scenes, the script is authenticating your stored session information to Google and creating the $client construct, which is what we'll use to bounce queries off of the mothership.

Once authenticated, its default action is to fetch a list of spreadsheets. This is an XML feed that Zend Framework essentially makes into an object. It contains one entry per spreadsheet. Spreadsheets are called by the key, which is a string unique to the creator of the spreadsheet, a period, then a string unique to the sheet itself. These are all properties of the "entry" within the feed object. I made a quick function that returns a basic array. Each element contains the URL to pull up the spreadsheet in my GS Explorer script, and the title of the spreadsheet. This gets displayed to the user.

function getsss($client) {
# Gets a list of spreadsheets; Returns an array.
 $spreadsheet = new Zend_Gdata_Spreadsheets($client);
 $feed = $spreadsheet->getSpreadsheetFeed();
 foreach ($feed->entry as $entry)
 {
     $id=split("/",$entry->id->text);
 $key=$id[5];
 $url="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']."?key=$key";
 $availss[$url]=$entry->title->text;
 }
return($availss);
}

Clicking on one of the spreadsheets will give you a list of the sheets (or pages) within it. The code for getting the list of sheets is very similar to the code for getting the list of spreadsheets, so you can reference the source if you're interested.

I threw something together that just rips through the sheet and pulls the cell data out, dumping them in order, left to right, top to bottom. I could clean it up a bit, but this demonstrates reaping data out of Google Spreadsheets. Obviously, you could automate this to pull data down.

Unfortunately, the GData API, while slick, can be a bit sluggish. You probably wouldn't want to run a production site using live data from Google Spreadsheets. I'll cover writing to GS at a later time. That could come in handy, as you could use a web front-end or scheduled PHP script to occasionally update the values of a spreadsheet.