Curiouser and Curiouser
I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

The Dark Knight
Topic: Miscellaneous 4:24 pm EDT, Jul 18, 2008

See this. See this right. freaking. now. The awesomeness is... awesome.


Construction and cats
Topic: Miscellaneous 10:28 am EDT, Jul 17, 2008

Today I'm having a fence installed. This process has taught me 2 things:

1- I have become a grumpy old man.
2- Cats are fascinated by concrete mixers. Like, unhealthily fascinated.


on the iPod
Topic: Miscellaneous 10:33 am EDT, Jul 14, 2008

Like a rock,
like a planet,
Like a fucking atom bomb,
I remain unperturbed by the joy and the madness
That I encounter everywhere I turn,

Bad Religion on an iPod is remarkably effective at getting your ass up the hills around Riverside park while jogging.



Impossible things
Topic: Miscellaneous 12:25 pm EDT, Jul 13, 2008

I am always doing things I can't do. That's how I get to do them.

--Pablo Picasso.


Alkaline Trio: Agony & Irony
Topic: Miscellaneous 11:59 am EDT, Jul  9, 2008

Well do you find you like to fall in love with people that you're never gonna meet?
It's easier then breaking up and crying in the street
Do you curse the happy couple?
Do you cringe at wedding bells?
Do you drink up all the punch while you wish 'em all to hell

Love Love, Kiss Kiss.... Blah blah blah
You're making me sick
I wish you'd just stop showing off
For the rest of us that no one wants to love.
It's hard enough trying to drink another winter all alone
Love Love, Kiss Kiss.... Blah blah blah

Alkaline Trio has a new album. I've mentioned them before, and while their sound has changed with recent albums like Crimson from the more punk sound of songs like Private Eye and Radio, I'm enjoying this new album so far.



Mystery
Topic: Technology 9:21 am EDT, Jul  9, 2008

In principio creavit Deus 2 bytes. Servers would also accept an answer if it had the correct 2 bytes even if it came in on a different port. You could win that race. So when this was discovered back then, the solution was to increase entropy by modifying the servers so the source port had to match. That's 2 more bytes of entropy, right? Problem solved.

[psst] Source port numbers are assigned from a pool. You don't have 4 bytes of entropy anymore. And the race is still winnable.

And this is why Dan is still very much the man. It's just annoying that co-workers keep telling me what was discovered is a mystery.
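As an added example (not part of this post, and not any resolver's code), here is a small Python script for the defensive side of the point above: measuring how much randomness a resolver's outgoing queries actually carry. A transaction ID is 16 bits, and a source port only adds entropy in proportion to the size of the pool it is drawn from, so a resolver that rotates through a handful of ports gains a couple of bits, not sixteen. The log format, addresses, ports and transaction IDs are all constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed sample of a resolver's outgoing queries (not real traffic):
# a resolver that always sends from one fixed source port.
FIXED_PORT_LOG = """\
query src=192.0.2.10:53 txid=0x1a2b
query src=192.0.2.10:53 txid=0x9c4d
query src=192.0.2.10:53 txid=0x03f1
query src=192.0.2.10:53 txid=0x7e88
"""

# Constructed sample: the same resolver drawing source ports from a
# pool of only four ports, which is the "[psst]" case in the post.
POOL_LOG = """\
query src=192.0.2.10:10241 txid=0x1a2b
query src=192.0.2.10:10242 txid=0x9c4d
query src=192.0.2.10:10243 txid=0x03f1
query src=192.0.2.10:10244 txid=0x7e88
query src=192.0.2.10:10241 txid=0x5510
query src=192.0.2.10:10242 txid=0xc3e2
query src=192.0.2.10:10243 txid=0x2f07
query src=192.0.2.10:10244 txid=0xb6a9
"""

# Matches the constructed "src=ip:port txid=0xNNNN" line format (an assumption).
QUERY_RE = re.compile(r"src=\d+\.\d+\.\d+\.\d+:(\d+)\s+txid=0x([0-9a-fA-F]+)")


def parse_queries(log_text):
    """Return a list of (source_port, txid) pairs parsed from the log lines."""
    pairs = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2), 16)))
    return pairs


def sample_entropy_bits(values):
    """Shannon entropy (bits) of the observed distribution of values.

    The estimate is bounded above by log2(len(values)), so a short sample
    can only demonstrate LOW entropy; it can never prove the source is good.
    """
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def guess_space(txid_bits=16, port_pool_size=1):
    """Number of (txid, port) combinations a forged reply would have to match."""
    return (1 << txid_bits) * port_pool_size


def expected_forgeries_to_hit(space):
    """Mean number of distinct guesses before the right one, guessing uniformly
    without repeats: (N + 1) / 2. This is the figure a fixed port leaves at
    about 32k, and a 4-port pool raises only four-fold."""
    return (space + 1) / 2


def assess(log_text):
    """Summarise how much entropy the observed queries carry."""
    pairs = parse_queries(log_text)
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    return {
        "queries": len(pairs),
        "distinct_ports": len(set(ports)),
        "port_bits": sample_entropy_bits(ports),
        "txid_bits": sample_entropy_bits(txids),
        "guess_space": guess_space(16, len(set(ports))),
    }


if __name__ == "__main__":
    for name, log in (("fixed port", FIXED_PORT_LOG), ("4-port pool", POOL_LOG)):
        r = assess(log)
        print(f"{name}: {r['distinct_ports']} port(s), "
              f"{r['port_bits']:.1f} port bits, guess space {r['guess_space']}, "
              f"expected forgeries {expected_forgeries_to_hit(r['guess_space']):.0f}")
```

Run against a capture of a real resolver's outbound queries, the same arithmetic tells you whether "source port randomization" is being done from the full ephemeral range or from a pool small enough that the port bits barely move the guess space.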


Venture Bros. Season 3
Topic: Miscellaneous 9:28 am EDT, Jul  7, 2008

The problem with TiVo is that you never see commercials. So I almost missed that The Venture Bros. returned for a 3rd season.

If you aren't watching this show you are a fool.

From last night's episode:

Dean: She's the Wereodile!
Dr Venture: I almost f@$&ed a wereodile?
Dean: Don't worry dad [grabs chair]... [smacks Dr Quymn] The power of Christ compels you!

and of course:

Henchman 24: Come on! They have one female servicing a large group of males. That implies a species that lays eggs.
Henchman 21: Oh my God, you're crazy! They're so obviously mammals!
Henchman 24: Please! She'd be in estrus 24/7 if she didn't lay eggs.
Henchman 21: Smurfs don't lay eggs! I won't tell you this again! Papa Smurf has a fucking beard! They're mammals!



Amazon MP3 Downloader
Topic: Technology 10:46 am EDT, Jun 27, 2008

I've been loving Amazon MP3 for a couple of months now. It's just so damn easy. I can find who I want and move it back and forth between Linux at home, my work laptop, and my iPod with ease.

The only thing that is annoying me is Amazon's MP3 Downloader. When you buy a song without the Downloader you just get an MP3. When you buy a song with the MP3 Downloader, it files the MP3 away nicely into a directory structure in "My Music" and automatically adds it to iTunes. Amazon is doing some kind of detection in the browser and serves you an AMX file for the Downloader instead of a raw MP3.

Only it seems that my browsers "forget" about the Downloader after every reboot. Amazon goes back to giving me MP3s. I'm not sure whether the browsers just no longer detect the program or whether the file association is lost or what. It's gotten so bad I just keep the install file on my desktop and do an uninstall/reinstall every time I need to shop.

Grrrr. I don't know anyone at Amazon, but if you are reading this, I love your service and please fix this issue.


Whoops!: Or we are paid to be researchers not QA professionals
Topic: Miscellaneous 5:27 pm EDT, Jun 26, 2008

Start at bottom for maximum effect...

update: patched

_____________________________________________
From: Hoffman, Billy
Sent: Thursday, June 26, 2008 5:27 PM
To: Wood, Matt (); Millar, Steve A
Subject: RE: uhhhh does Scrawlr really have a limit?

This is too great. I'm posting this to Memestreams.

Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software – Application Security Center
Direct: 770-343-7069

_____________________________________________
From: Wood, Matt ()
Sent: Thursday, June 26, 2008 5:27 PM
To: Wood, Matt (); Hoffman, Billy; Millar, Steve A
Subject: RE: uhhhh does Scrawlr really have a limit?

Stivo! You crazy! Change-set 27173. 6/21 @ 6:37pm in SimpleUrlCrawler.cs

I guess the build-box is building with the debug symbols in it?

So the crawl limit is 2.1 billion right now (2^31-1).

_____________________________________________
From: Wood, Matt ()
Sent: Thursday, June 26, 2008 5:19 PM
To: Hoffman, Billy; Millar, Steve A
Subject: RE: uhhhh does Scrawlr really have a limit?

Whoops! Here:

private int crawlLimit;

// Sets the per-scan page limit. Under #if DEBUG the value is replaced
// with int.MaxValue (2^31-1), so a debug build effectively has no limit.
private void buildCrawlLimit()
{
    crawlLimit = 1500;
#if DEBUG
    crawlLimit = int.MaxValue;
#endif
}

Pretty sure the Labs build box is pumping out debug builds...

_____________________________________________
From: Hoffman, Billy
Sent: Thursday, June 26, 2008 5:19 PM
To: Wood, Matt (); Millar, Steve A
Subject: RE: uhhhh does Scrawlr really have a limit?

... ... STFU! Are you telling me the limit most people are bitching about doesn't even exist? Haha, should we even patch that?

Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software – Application Security Center
Direct: 770-343-7069

_____________________________________________
From: Wood, Matt ()
Sent: Thursday, June 26, 2008 5:15 PM
To: Hoffman, Billy; Millar, Steve A
Subject: RE: uhhhh does Scrawlr really have a limit?

Haha… scrawlr may not have a limit…

I just set a break point in the function that checks it and it never gets called… apparently it got lost somehow…

_____________________________________________
From: Hoffman, Billy
Sent: Thursday, June 26, 2008 5:10 PM
To: Wood, Matt (); Millar, Steve A
Subject: RE: uhhhh does Scrawlr really have a limit?

Then explain this:
[Screen shot removed]

Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software – Application Security Center
Direct: 770-343-7069

-----Original Message-----
From: Wood, Matt ()
Sent: Thursday, June 26, 2008 5:07 PM
To: Hoffman, Billy; Millar, Steve A
Subject: RE: uhhhh does Scrawlr really have a limit?

Nah, just a lot of parameters. We will only crawl 1500 pages, but we will audit more.

-----Original Message-----
From: Hoffman, Billy
Sent: Thursday, June 26, 2008 5:09 PM
To: Wood, Matt (); Millar, Steve A
Subject: uhhhh does Scrawlr really have a limit?

Guys,

I noticed a Chinese site offering Scrawlr for download. It's classic ASP, so I decided to scan it with Scrawlr.

Site is: [Site Removed]

The only thing is, Scrawlr is saying it has visited 3879 pages so far and is still going. Perhaps a bug in our limiting?

Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software – Application Security Center
Direct: 770-343-7069
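The thread above describes two separate ways a crawl limit can disappear: a debug-only override that replaces it with int.MaxValue, and a check function that nothing ever calls. As an added illustration (in Python, not Scrawlr's code, whose C# fragment is quoted above), here is the anti-pattern beside a crawl loop that takes the limit as a required argument and tests it in the loop condition itself, so there is no separate check to forget and no build flag to switch it off. The in-memory site is constructed for the example.

```python
import sys
from collections import deque


def debug_overridden_limit(release_limit=1500):
    """Anti-pattern mirrored from the thread (for comparison only).

    A build-mode flag replaces the limit with an effectively infinite one,
    and nothing forces the crawl loop to call this function at all.
    __debug__ plays the role of #if DEBUG; it is True unless Python runs
    with -O, so the "release" value is the one that never applies.
    """
    limit = release_limit
    if __debug__:
        limit = sys.maxsize
    return limit


def constructed_site(n_pages=5000):
    """In-memory stand-in for a site (constructed, not real): page i links to
    pages 2i+1 and 2i+2 when they exist, so every page is reachable from
    /page/0 and there are far more pages than a 1500-page limit."""
    return {
        f"/page/{i}": [f"/page/{j}" for j in (2 * i + 1, 2 * i + 2) if j < n_pages]
        for i in range(n_pages)
    }


def crawl(site, seed, crawl_limit):
    """Breadth-first crawl that visits at most crawl_limit pages.

    The limit is a required, validated argument and is part of the loop
    condition, so it cannot be lost the way a separately-called check can.
    Returns the list of visited URLs in visit order.
    """
    if not isinstance(crawl_limit, int) or crawl_limit <= 0:
        raise ValueError("crawl_limit must be a positive integer")
    seen = {seed}
    queue = deque([seed])
    visited = []
    while queue and len(visited) < crawl_limit:
        url = queue.popleft()
        visited.append(url)  # stands in for fetching and auditing the page
        for link in site.get(url, []):
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return visited


if __name__ == "__main__":
    site = constructed_site()
    print(len(crawl(site, "/page/0", 1500)))  # 1500, not 3879 and counting
```

The regression test a practitioner would want is the one the thread was missing: crawl a site that is larger than the limit and assert that exactly the limit is visited, in the build configuration that actually ships.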


Matasano Chargen » And Now For A Few Words About HP’s “Scrawlr”
Topic: Miscellaneous 4:54 pm EDT, Jun 26, 2008

Matasano gives some love, which is nice.

Some of my favorite reads (there are others) have recently written about Scrawlr and some of what I have read has been critical. Critical enough? Depending on your level of pedantry with respect to webapp security and/or free software, probably not.

Stop that. Right now. Overlook the limitations of the tool that was released, realize that this is a closely targeted thing designed to help alleviate a specific problem. Go back and think a little harder about what is going on and why this is actually A Good Thing(tm).

[snip]

The scanner is built to look for things being indexed by search engines. If those sites are fixed, 99.999% of the problem should go away.

Trying to compare Scrawlr to a full blown SQL Injection scanning tool is like comparing a letter opener to a Swiss Army Knife. Sure, you can do other things with a letter opener (and some of you probably want to slit my throat for that simile. That's fine, use the knife) -- but its stated purpose is to open letters.

The feedback we've been getting from developers has been "Thanks for the tool, I didn't understand [other tool]/couldn't make it work." Not surprising. These are people 5 years behind the security curve, with only a passing understanding of SQL injection and still believing XSS is all alert boxes and cookie theft. Your average classic ASP dev can no more use Burp than my mom can use a methane digester. In both cases the fundamental concept of what the tool does is lost on the end user.

The feedback I've gotten from security folks is "why isn't this WI Lite. I'm sick of paying you guys $30k a year." Well, not exactly, but the subtext is there. :-)

Believe me, I really wish I could talk about the challenges of writing modern web crawlers. The fact I got to do it once was a bit of a fluke and was extremely limited in scope. So if I cannot even talk about it publicly, do you really think I would be allowed to manage a team to write a free one?


