Yvan Seth's Hole in the Internet

Happy retirement GSSP-C!

Tue, 03 Nov 2009 19:19:00 GMT

Some time ago I wrote about the GSSP-C exam. Being a certification non-believer I thought it would be interesting to have a poke at a certification. The one in question being the, at the time, new GSSP-C (GIAC Secure Software Programmer in C.) It seemed at least relevant to my work (mostly C/C++ back then) and my industry (the dirty world of infosec.) In general I was impressed by the practical resources and also by the message the people behind the exam (SANS) were trying to get across. Afterall… many software security issues are caused by bad programming, the GSSP-C seemed a worthy attempt to address this.

Here's the amusing thing, the GSSP-C has been quietly retired already. Or, perhaps, "become a victim of infanticide" would be more accurate?

As of 10/27/09, the GSSP-C Certification has been retired. This is a business
decision GIAC has made due to decreased demand for the certification, and the
need to focus our efforts and resources on higher performing certifications. 

While this does not invalidate the skill sets that you have or the GSSP-C
credential you've earned, we just cannot support the exam's maintenance moving
forward.

You are still free to use the GSSP-C logo on your personal correspondence
(signatures, business cards, etc)

It's short and to the point really: we were in the for the money, but the money ain't there. No surprise! I just love the language in the email text above, it illustrates so much of what's weird about the certification world. How on Earth could this "invalidate the skill sets that [I] have" anyway? The measure of a "high performing certification" is "more people take it" which translates to "makes us more money."

I'm enjoying the thought that this whole situation is a statement on the mindsets of different groups within the tech community. The GSSP-JAVA.) has not been retired as far as I can see.

The Java crowd are more into certifications (most of the Java population work for big old banks and similar institutions, there's also more of them of course)
The certification crowd are an insecure lot (haw haw haw!), they need their certifications to validate their "skills"
In the C world, especially amongst any C/Systems level programmers I've known, certifications are anathema. They're for "programmers in suits"!

I wasn't sure at the time of doing the certification (which I safely acquired by the way) whether or not it had any inherent value. I think that we can now say the answer is no – for the time and money involved the value for the majority is probably negative. For me, the value was in the experience of the certifications world and this retirement of the certification increases the value even. Then again, I just did it for a bit of a lark in the first place.

I'm reminded of a time just before the exam when I received an email from some SANS bigwig (as I imagine every GSSP-C victim did.) The email asked what we thought about this particular SANS campaign, and generally solicited feedback. I fed-back of course, questioning the validity of the certification route and its likely ineffectiveness at improving the world's C-coding standards. I never received a reply of any sort :) surprised? It would be been good to get one though. I was genuinely interested to know more about this. I wondered how they were going to take this to the sorts of programmers who really need it. I imagine those few of us who sat the exam while it existed were already quite security aware, we'd have to be to have even heard of the exam in the first place! In other words, we're the people least in need of sitting the exam. (I did learn a couple of interesting C gotchas in the process though!)

Will I ever touch a certification again? Certainly not out of my own time and pocket, and unlikely even if someone else is footing the bill and paying me for my time.

Backporting an Ubuntu/Debian Package - spatialite for Jaunty

Wed, 21 Oct 2009 22:03:00 GMT

There are a lot more "Debian", aka Ubuntu, users around the place these days. In general it seems many newer users have been spoilt by Ubuntu's regular release schedule. Back in the old days we sometimes waited years between Debian releases, if there was something you needed that wasn't in your antique but "stable" Debian you'd have to use backports, if you were lucky enough to find what you wanted there, backport a package for yourself (thanks to the Debian package build tools being mostly friendly), or just compile from source.

Perhaps self-backporting has become an anachrnism? Still, I find myself doing it from time to time. Right now I want spatialite because I'm playing with GeoDjango and don't want to mess with PostgreSQL or MySQL – I'm just fiddling. In general on the 'net you find people are just grabbing precompiled binary tarballs or, shudder, the game are self-compiling and doing a make install … won't somebody think about the package management system!

Still another approach is to just upgrade to "testing" (or is it "unstable" - I think "stable" Ubuntu is closer to what we might have called "testing" Debian back in the day.) But the koala isn't fully baked yet, so why risk that? Backporting the karmic package is safer, and probably quicker. (Yes, yes, I know there's only 10 more days of baking to go.)

Here's a recipe to help avoid unbaked koalas:

sudo -s
# Put the Karmic 'universe' deb-src line into your sources
echo "deb-src http://gb.archive.ubuntu.com/ubuntu/ karmic universe" > \
    /etc/apt/sources.list.d/karmic-universe.list
# Install a few pre-requsites 
# you may find you need more than this
# but you'll definitely need at least the following
apt-get install autotools-dev debhelper doxygen dpatch dpkg-dev fakeroot \
    libgeos-dev libsqlite3-dev quilt ruby ruby-dev sharutils swig
exit

# Get, compile, and install a newer libgeos
apt-get source libgeos-dev
cd geos-3.1.0
dpkg-buildpackage -rfakeroot
cd ..
sudo dpkg -i libgeos-3.1.0_3.1.0-1_i386.deb \
    libgeos-dev_3.1.0-1_i386.deb libgeos-c1_3.1.0-1_i386.deb

# Get, compile, and install libproj
apt-get source libproj-dev
cd proj-4.6.1
dpkg-buildpackage -rfakeroot
cd ..
sudo dpkg -i libproj0_4.6.1-5_i386.deb \
    libproj-dev_4.6.1-5_i386.deb  proj-data_4.6.1-5_i386.deb

# Get, compile, and install spatialite - see a pattern emerging?
apt-get source spatialite
cd spatialite-2.3.0
dpkg-buildpackage -rfakeroot
cd ..
sudo dpkg -i libspatialite2_2.3.0-1_i386.deb  spatialite-bin_2.3.0-1_i386.deb

The advantage of this approach is that your additional bleeding edge software is installed "properly". The package management system is aware of it, and when the koala is baked and you upgrade you'll be certain to get any important updates.

Of course, the sequence above makes it look like plain sailing. The reality of the process is that you start by adding the deb-src line, then you get the spatialite source, then you try to build it. The build fails with a long list of the packages it needs as build dependencies. You install each of the build dependencies as required, grabbing some from the "unstable" source repository when needed (as for libgeos and libproj above.) In this case it all came from universe, so my restrictive deb-src line was fine, but usually you'll find you need things from "main" or even "multiverse" as well. Be warned, if you start needing to upgrade things like your libc it is time to stop and either venture the dist-upgrade or resort to make install (or try hacking the Debian package source to lower a dependency version;)

This post is a little tongue-in-cheek in some ways. I wouldn't expect people, developers especially, to stick with "stable" religiously - nothing ventured nothing gained! But I decided to pollute the 'net with these thoughts after coming across some young developers who had never seen the apt-get source command, let alone built a Debian package (die-hard Ubuntu fans who're young enough that Ubuntu was the first "Debian" they installed.) No, don't risk the koala I shouted! It is not the right way! (Then I hobbled back up to my hermit hole while the young fellows pitied the poor old crazy man.)

I do think backporting is usually a better approach than risking a premature system upgrade though. That said, we live in a pretty bleeding-edge world these days. I myself use most of my direct dependencies from SVN trunks, stuff releases - they're old and dusty, and a lot of these newfangled frameworks/technologies/whathaveyou even recommend this.

Also, I'd be dishonest if I didn't mention that sometimes when trying to backport something from proper Debian/Ubuntu package sources you can end up chasing your tail for ages. Quickly leading to frustration, and giving up, followed by either a make install or a dist-upgrade … ah, technology.

For the interested, after doing the above the rest of the process to get my Django sqlite database primed for geospatial data was simply:

wget http://www.gaia-gis.it/spatialite/init_spatialite-2.3.sql.gz
gunzip init_spatialite-2.3.sql.gz
spatialite mydatabase.db  < init_spatialite-2.3.sql
./manage.py syncdb

Oh, you want the fancy Open Street Maps editor widget too do you?

apt-get source libogdi3.2
sudo apt-get install python-gdal gdal-bin libgdal1-1.5.0 libogdi3.2
cd ogdi-dfsg-3.2.0~beta2
dpkg-buildpackage -rfakeroot
cd ..
sudo dpkg -i libogdi3.2_3.2.0~beta2-4_i386.deb ogdi-bin_3.2.0~beta2-4_i386.deb
sudo apt-get install python-gdal
./manage.py shell
Python 2.6.2 (release26-maint, Apr 19 2009, 01:56:41) 
[GCC 4.3.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> from django.contrib.gis.gdal import SpatialReference
>>> from django.contrib.gis.utils import add_postgis_srs
>>> add_postgis_srs(SpatialReference(900913))
>>> from django.contrib.gis import gdal
>>> gdal.HAS_GDAL
True

w00t!

iDork

Sun, 17 Aug 2008 23:01:00 GMT

Well, it's happened… I'm an iDork. Got myself an iPhone today.

Basically it is far and away the best "smart" phone handset around for now. I played with the Diamond Touch, but wasn't impressed. I've been trying to hang out for an Android handset, but who knows when that'll happen? And what's up with that "leaked" video of the HTC offering, slide-out keyboard? Ick. Flimsy.

The iPhone, on the other hand, is a pretty solid unit. I doubt it can handle the sort of treatment my Moto F3 lives with (thrown forcefully down the stairs, no worries!) but it probably isn't going to break in my clumsy fingers. My Moto A1000, a very nice phone IMO, lasted me a couple of years before I managed to smash the screen. So I'll probably be right.

Speaking of the Moto A1000, that's a phone I have very fond memories of. In the end it was only the fact that my worn out battery lasted a mere 6 hours that made me stop using the thing. The reason I never switched to any other, more up to date, alternative is that I simply didn't think anything else was up to the A1000 standard. I've played with blackberries, Nokia's high-end phones, and countless HTC options, and, frankly, they were all just shit.

When I heard about the iPhone the one thing I knew is that it'd be sleek and probably have an above-par UI. But it was an Apple product. I have never owned an Apple product, not because I have anything against Apple really, more because they just don't do good geek gear. The iPod is nice an all, but doesn't excite me. Their laptops are pretty, but not quite my thing. No iPod? I use a JoS MP3/OGG player, it plays OGGs and is ruggardised. Perfect. No MacBook? I preferred the Thinkpads, my next laptop is likely an Asus Eee. Mac stuff isn't Yvan stuff. Until now.

Problems?

Huge delay between buck and bang, every other phone I've bought I've had working before I even left the shop.
I need an iTunes? For my phone? sigh 60MB download and install later… But it is far better than the usual utter garbage PC/sync software that comes with phones.
Whoa, three different screens full of multi-page click-wrap licences. Bloody yanks.
"upload your photos to the cloud" does it even know WTF it is talking about? This kind of language just rubs me the wrong way.

I know Apple are control freaks, but this is just a little silly. I can live with it though, I live in the UK after all. Big brother is part of the landscape.

It's a nice piece of hardware, after Q4 has rolled past I'll see if I regret it. (But then again, Kat also needs a new phone;)

I was impressed once I finally got it working at home. I entered the map application and asked it where I was, right away it homes in on me. And it was spot on. Nice. Will be interesting to play with the assisted-GPS in the field, see how it goes up against my Garmin.

It's also bloody nice to be able to browse the web and read email on my "phone" again, I really have been missing that old A1000.

Open Tech 2008

Mon, 14 Jul 2008 21:33:00 GMT

A couple of weekends back Kat and I went to the Open Tech 2008 one day conference in London. I had planned to write about some things I came across there in some depth, alas time is against me. It would be criminal for me to let it go completely unmentioned though.

There's something amazing about OpenTech: it costs just £5 to attend. For the breadth of coverage, interesting speakers, things learned, and inspiration gained over the day this is an extreme bargain.

Giving myself a few minutes to note down a few points still in the top of my head 10 days later:

There was an overwhelming theme of "public good" running through the conference. From the projects devoted to this, such as mysociety.org, through to entrepreneurs and icons pushing to inspire everyone to follow their various leads. This is a great change from the usual case of "this tech is cool because, well, it is" – I loved to hear that tech was cool for the ways is was actually helping everyday people.
Further contrast between the geeks and the suits (generalisations, I know.) A few weeks back I went to a serious business-tech conference hosted by the 451 group, this was also good stuff but coming at security from a completely different angle (security was just one of several topics covered.) The contrast is all the more interesting because there's a convergence. At the business conference we hear "security is difficult, we have to try harder, alas, some things may be impossible" at OpenTech we hear "security is impossible, but we can try harder and do better." There's far too much depth to this for me to go into right now, not that my own thoughts are in any good order. Suffice to say, studying the application of security from social and economic standpoints would be very interesting right now. There's a lot of material out there, and people(/businesses) are speaking more openly about security issues these days I think.
More on/around security. People get very confused about identity versus reputation, especially when technical definitions of authentication are worked into the mix. People, even a room full of geeks, know very little about the history of currency, and banking in general (a cultural weakness in the geek horde?) Cryptographers are regarded as some sort of higher being… maybe they are! (Aside: I've just read Simon Singh's Fermat's Last Theorem – it lives up to its reputation, and man those number theorists are an insane bunch!)
Ubiquitous networking has changed the world, maybe those of us who've lived through the changes sometimes don't appreciate how revolutionary the changes are (I have trouble seeing it sometimes, much older geeks seems to see it more clearly.) What's scary, is that the field is still young and haphazard, what further refinement will bring is difficult to imagine.
The above is amazing, now how to we deliver this to the rest of the world. Can it actually help solve the terrible problems most of the world has? I'd like to think so.

Of the sessions I attended these are memorable:

Most entertaining: The Web is Agreement, Paul Downy. A talk/rant around current trends centred on Paul's sketch of the same title. (The talk "Living on The Edge" from Danny O'Brien was also entertaining, and the only time I've seen a geek talk "flood" with what can only be called "groupies", it was strange.)
Most inspiring: Digital Money, David Birch. This guy's online presence seems to be a blog about digital money. In essence this was a short, angry rant about the fact that us geeks have not solved the problem of "digital money." At the core of the rant was the idea that functional digital cash will make the world a better place, breaking down unnecessary barriers in the world of money (think of sending aid/donations right to where they're needed, family members sending money home without the "Western Union" tax, etc.)
Most relevant (to me): Security Discussion with Ben Laurie and Friends. Four security/crypto geeks/experts talking about how much things are broken. Entertaining, enlightening, and (to some) challenging.
Most disappointing: Android and the Open Handset Alliance. It just wasn't techie enough, more a marketing spiel from a "developer advocate." I wa hoping for a crash "how stuff works" intro to Android.

On reflection… of the talks I saw there were a lot of "grumpy old(er) men."