Our good pals Rhett & Link have invited Wicked Awesome Films to be a YouTube Team Captain for their "YouTube-Hold-A-Singing-Note-The-Longest-Event". They call it "Supernote" which is caticher (I guess).

Here's our video. Watch it, then go to YouTube and make a video response to it. All you have to do is say, "This is my supernote..." and hold a musical note as long as you can!

Win and Rhett & Link just might make a song for you!

1. support several platforms. I want to test programming on the Wii and the PSP, so I need to be able to build for these targets, not just a windows game.
2. support several hosts. I want to be able to build on my windows machine, or on my linux machine, and if someone has a mac, then you suck, but i'd want to be able to build on a mac also.
3. use correct tools. I am no geek... well I take that back. I am not geek enough to work with Vi or Emacs, though. I am using Visual C++ at work, and the tools make it so much easier to develop. So I need the build system to be able to maintain solutions for these tools.
4. find sources by yourself. I am well organized, and when there is a C++ file on my hard drive, it's supposed to be built. And when it's in a folder named "physics", yeah, it's probably a part of the physics library. I want the tool to find the sources automatically.
5. I want to use several compilers. The reason behind that is that the XBox has only one compiler (the one from Microsoft) and the psp has only one compiler (GCC). So the build system needs to handle at least MSVC and GCC.
6. I am being picky here, but I want to be able to build several things at the same time with just one command. When I type "build" (or "make" or "do" or whatever) then I want it to build all the things that I wanted to build, like the static release version with MSVC for windows 64 and the PSP version using GCC. and please put everything in separate folders so I can find them easily.
7. I want it to build fast. Not that it should build faster than the compiler itself, but if I have to wait 35 minutes before seeing what the new font looks like, I might get old before there is a pixel on the screen.
8. I want the command I type to be 3 letters or less. I am going to build a lot, so I am going to type it a lot, so it'd better be a small comand.

The build systems that I know of are :

• make. It is a pentazillion years old, but after all it works. I used it a lot before, but the problem is that it's not fast at all. It spawns 5 processes per command you want to run, and finding dependencies take ages. Too slow.
• autoconf/automake. This one is a joke. If I had to say what's the best thing in the world, I would say "free software". If I had to punch someone in the face that would be the creator of autotools, for plaguing the free software community with this. It's insanely complex, and after 1 week you have forgotten what you had done. It is slow. It generates 197 files in the root directory, and of course you don'y know what any of them does. you have to type 153 commands to build. And the worse is that it's not even able to use Visual C++'s compiler. Actually, it hardly runs on windows.
• cmake. it's actually not building anything, it simply generates solutions or makefiles for other tools. I must say I id not try this one, i know that KDE use it for their big libs. It must be pretty good, but that's not the direction I chose.
• Scons. It's made of python. I hate python. I hate duck typing. I hate when you're hit by a stupid bug like "not enough arguments for the function blabla" when any compiler will tell you that immediately. No, python has to wait that you use the function. Their philosophy is "as long as you don't couch the bomb, it won't explode". Dang, don't let bombs happen!! This is the tool I chose. Yes I know, I am weird. Python is actually good for scripting, and being able to test things quickly is great. So I learnt to live with duck typing. I said I chose it, and then I un-chose it. For several reasons, the first one is that cross compilation doesn't work good. It is also a very complex tool, that ships with a gazillion of complex python files. And it is still slow.
• Waf. If I understood correctly, waf is made by a guy who worked on scons, he simply disagreed a bit with the other guys. Now he has made his own tool, which is very fast. It is also fairly small, the core python is only 10 files (and them some files for the tools). You don't have to install it. However, it doesn't support cross-compiling out of the box.

So finally, which one of these tools did I choose ? well, I used scons for a very long time, building on win32 for win32, trying not to read the code. I added a solution generator for Visual C++, so I mainly worked with Visual C++. After a while, it stopped building, I could just generate solutions. After a longer while, I was fed up with it.

I switched to waf, without even thinking much about it. I tested it and at first, nothing worked. I used version 1.4.2, and it was broken. I used verson 1.3.X and it was also broken somewhere else. I tested the latest beta version, and, yes, it was also broken. And there was no easy way of adding cross compilation.

After thinking very carefully about it for 10 seconds, I finally decided to use the Waf build system but develop my own kind of tools to auto detect Visual C++ and be able to do cross compilation. Then the good news started to appear; the build system is verypowerful, the problems came mainly from the support of C++ or C that comes with the default Waf library. After a week of bad python programming, the "new" waf is able to use any Visual C++ compiler installed on the machine (including the ones targetting Win64) and GCC. And I am about to put back the good old MSVC solution generator to make it full.

So the answer to the build system is : waf. I am using waf to build, and I am also using waf to generate projects for eyecandy tools like Visual C++. And the answer was even more obvious when I had switched entirely to waf : the only possibility was to make my own build system or rewrite a good part of another one. That's how I work.

s.a. OWASP – Testing for business logic flaws

Der Security-Spezialist Jeremiah Grossmann weist in einem Beitrag für die kommende „Black Hat Convention“ , einer IT-Security-Messe in Las Vegas, darauf hin, dass somit spezielle Hackertools für Angriffe auf Webanwendungen zunehmend durch den Browser als Allzweckwaffe ersetzt werden könnten. Zudem viele „Angriffe“ eigentlich nur aus einem neugierigen „Zupfen an der Tischdecke“ bestehen. Etwa indem man durch „Google Hacking“ nicht verlinkte aber doch vorhandene Webseiten, Administrationsoberflächen, private Webcams etc. aufstöbert.

Da mittlerweile viele Anbieter ihre Dienstleistungen ins Internet verlagern, sei es laut Grossman nun einfacher als früher, viele verwundbare Anwendungen zu finden. Dabei sei das Vorgehen nicht einmal unbedingt illegal. Der Angreifer würde in vielen Fällen nur gegen die Vertragsbedingungen des Anbieters verstoßen.

Sich vor solchen Angriffen zu schützen ist relativ schwer, da sie kein konkretes Angriffsmuster aufweisen. Normale Intrusion Prevention Systems (IPS) oder Web Application Firewalls (WAF) erkennen solche sich noch im normalen Nutzungsbereich befindlichen Interaktionen mit der Anwendung oft nicht.

s.a. Seven Business Logic Flaws That Put Your Website At Risk, Paper von Jeremiah Grossman

nothing else...

---

I had a job interview today, and as soon as the interview was over, I went shopping.
I didn't mean to do it of course, but the Fairweather beside it was having a sale! I just had to have a little peek. Besides, I made a pretty good impression during the interview - surely, she was going to give me the job, right? Of course.
So I went into Fairweather looking for a dress to wear this weekend for SassyGirl in the City Part 2. Actually, I already have a dress that I've decided to wear this weekend, but I had to keep an open mind. What if there was a better dress out there, just waiting for me to take it home with me? One musn't be prejudiced about these things after all.
I didn't find anything (Fairweather's clothes were never good enough for me anyways, I sniff), but as I was walking out of the store, I picked up a skirt off the sale rack and paid for it. What? I deserve a little indulgence, it's going to be my birthday soon! Besides, I'm sure I got that job.
As I was walking towards the bus stop, I noticed a small wine store. I don't have any more wine in my apartment, I suddenly recalled, and promptly walked in and bought a bottle of 2006 Muscat. How could I call myself a city girl without a constant stash of alcohol at home?
Then I checked the bus schedule and realized I still had another half hour. I'll just go into one more store, I thought. So I walked into another clothing store, wine bottle in hand and everything. I decided I would just find a pair of shoes to match the dress I had at home. I didn't see any shoes that matched the dress, but I did find a ridiculously cute pair of black stilettos. Come on, black is sexy, timeless, and functional! Who didn't need a good pair of black stilettos, right? Then I noticed a couple colourful tops and dresses on the wall and decided to try them on, too.
Two hours later, I had both salesladies at my beck and call and had tried on almost every top and dress the store owned. There were at least twenty discarded items outside my change room when I finally emerged victorious with a stunning strapless dress that was perfect for a night out on the town. It wasn't on sale, but I could always keep the tag on and return it if I didn't end up wearing it this weekend right? I congratulated myself on being so shrewd and told the cashier to ring it up. Just then, I noticed a very Victory-Ford-esque dress on the highest rack and had to try it on. So I did. And it was adorable. Even the lady in the change room beside mine said so.
"How much is that?" She asked. I showed her the price tag.
"You have to buy it. It looks like it was made for you."
"I know right?"
I look like Victory Ford, I thought to myself as I examined my reflection in the mirror. I didn't think it possible, but I do. I actually look like the fictional fashionista herself!

But I'd already found a dress that looked good on me. When was I going to wear this one? Ah, just buy both, wear one, and return whichever one you don't end up wearing! My shrewd inner accountant told me. Good thinking, I thought back, as I ran my fingers over the satin bow and smiled into the mirror.
So as the cashier rang up the purchases, I asked her what their return policy was. "You have two weeks for an exchange or store credit. The shoes are final sale."
Wait, what? Did I just hear her right? I can't get a refund?
But it was too late. She'd already swiped my credit card, and I was too embarrassed to ask her to put one of the dresses back after she'd helped me for two hours.
Surely, I got that job right? I thought to myself as I walked out of the store with $80 worth of purchases. I mentally calculated how much I'd spent after the interview. At least $120. Clearly, what WAF said did not resonate with me. She doesn't know what she's talking about, I do need shoes. I only own one pair of stilettos and they're totally not as cute as these ones. And it's not like I can just get pretty shoes and without any pretty clothes to go with them, right? I wouldn't want to romp around naked in stilettos, after all. Besides, even though they weren't on sale, they weren't expensive either. Where else am I going to find a dress like that for under $50? Plus, it makes me look like Victory Ford. No, they were worth it. And I can wear the other dress when we go to Montreal! I can't look like a poor student when I'm partying it up there, of course.
By the time I made it to the bus stop, I was feeling loads better. I must have gotten that job, I thought optimistically. God, or at least the God of Fashion, must have known I got the job and strategically placed those stores there for me to find.
So, God, I hope I got that job.

Help Browser Improvements
I'm very happy about Svens changes for the next stable version of GIMP (2.6). The help browser uses now webkit to render the manual and can even now load the manual from the net if the user have an internet connection. I think that'll make the access to our manual more easier for the most of GIMP users.

Manual switches to gettext
The user manual is written using DocBook/XML. The translation is seperated by 'lang' attributes. There is no reference language. Therefore the manual is written in various languages, seperated by 'lang' attributes.

We're currently working hard to figure out a possible migration strategy of the current manual to gettext. Our build system need to be customized to manage the translations hold in *.po files. There are currently two possible candidates for this:

• Publican
• WAF

Publican provides a lot of the functionality we need to update/manage the translations. So has a very specific purpose. It uses the automake/autotool build system, we're using as well. It is written by people at Red-Hat and can compile hundreds of manuals in the row. Ulf D. Ehlert and I elaborated a possible migration to publican and we figured a few pros and cons:

Pro:

• provides all the functionality needed to manage and build documentation using gettext

Contra:

• complete switch to Publican and be dependant from it
• feels like we won't need most of the functionality implemented to compile all (other manuals)

WAF though is a build system written in Python. It's ment to replace the currently widely automake/autotools toolchain, which is currently widely in use by a lot of open source projects.
Pro:

• It's easier to understand and can better handle the complex process of building and installing our manual. I find it sometimes very cumbersome to express what the autotools/automake should do using bash expressions. I find it much easier to do this in Python or any other high level language than bash (don't misunderstand me: bash is fine for batch processing).

Contra:

• WAF uses tools to provide configuring/building software. There seems to be no such tool available which provides the functionality to build our manual. We probably need to write our own tool. Not a problem though, but we need to do it and it will cost time.
• "Not compatible" to our GIMP/GNOME (modules) which use automake/autotools.

I will try to write a build script for our purpose using WAF and I also want to communicate more with the publican people. I think this will sort out our current "problems" choosing a system.

Well, could be, that I overlooked or misunderstood something elaborating those tools. I'm sorry if something is not correct, while I was checking.

Update: Ulf sent me already a patch based on autotools/automake, which uses a bit of the publican infrustructure. Think that points out the direction where we're heading now :)

Story:

The University of Massachusetts, Amherst is working on a robot that can learn to use unfamiliar objects. According to MIT’s Technology Review, UMass’s Robot, called the UMass Mobile Manipulator, or UMan, ‘sees’ an object with the help of a Web cam and then pushes it around to see how it moves, identifying and recording the objects’ parts and joints.

Doctoral student Dov Katz is working on the UMan along with computer science professor Oliver Brock, Katz told the review that the UMan learns similarly to how a baby does, moving around the world, picking things up and playing with them to see how they work. He didn’t say whether or not the UMan also tries to put everything in its mouth.

The researchers at UMass believe that enabling robots to adapt to unstructured environments will allow them to perform more “meaningful” work such as exploring new planets and helping around the house.

From the Blogosphere.

F-Secure has released their Security Threat Summary for the First Half of 2008.

(IN)SECURE Magazine issue 17 is available. Good stuff as always.

Continuing their week of War on WAF's (Web Application Firewall), ts/sci security talks about language specificity in WAFs.

Well, looky there, there's as a new Zero-day flaw in Internet Explorer. Who'd a thunk it? Caveat: It is for version 6.

From the Newsosphere.

Nothing today.

Have a good one folks.

Kevin

Technorati Tags: insecure, waf, ie

From the Blogosphere.

Marcin has posted a really interesting treatise at the ts/sci security blog about Web Application Firewalls. Some really good stuff to think about.

The Princess of Antiquity continues her series on Cryptography (Non-Technical) with a post titled Earlier Forms of Cyptography. Very well written and easy to understand with really good info.

Didier has given us another tool written in python, apc-pr-log, which uses the AirPcap adapter to log all probe requests with a SSID for easy viewing. Should be fun to play with.

From the Newsophere.

Whitehat Security has raised some VC cash. Congrats Jeremiah.

Sun has released version 8 of Identity Manager.

That's it for today. Have a good one.

Kevin

Technorati Tags: waf, cryptography, airpcap, iam

Well, I must say, I worked by butt off on this little parody. Originally edited for the MTV Movie Spoof Contest, we got a bit hosed over at Dailymotion. Congrats to the winner, but I really feel our piece is far better than the video they chose that depicts a mediocre sketch with a horrendous Matthew McConaughey impression, although it was shot pretty well. (Doesn't make it funny though).

The MTV contest or its affiliates contacted Wicked Awesome Films on three separate occasions asking us to submit to the contest. I would've never done it if it weren't for my lovely girlfriend Sarina, who is both funny and cute in this little sketch, starring as Juno's girlfriend, Pauline Bleeker.

At the end of the day, I think we have one of the better Wicked Awesome Films and I hope you all enjoy it. I really loved the original movie and I had fun making this parody with all my friends.

I've gotten A LOT of requests to make the ringtone for The Barack Obama Song available. So I did. Click the Phone Sherpa link below and you too can show your support for your favorite Democrat as he races towards the White House with this incredibly silly, catchy ringtone.

And if you want to download the MP3, click the Lulu link below. Thanks!

The Google Video Blog posted a piece today on How They Find Great Videos. While I haven't tried this yet, I think it's worth a shot. Help them help you!

I'm going to go through the process and if you read this and create web video, you do the same. Let me know how it goes. And here's a Nunchuck Heroes of mine for good measure:

There are 7 total videos and not a ton of views. Frankly, I'm sort of shocked that it was accepted to the program. What's funny is that my personal account, bobjenz, was rejected from the program (for now). I don't exactly remember submitting each but I think around the time that Wicked Awesome Films because a YT Content Partner, we advised told to roll all of our accounts into it. Whatever.

So, I'm not really sure what to do with NunchuckHeroes. It was all a goof last year and I certainly don't want to create 1,000 Nunchuck videos, do I? Perhaps I can all Nunchuck related shows. Stuff like, "THIS WEEK IN NUNCHUCKS" instead of This Week in Baseball. Or even a Nunchuck Song. Hey, I bet the Internet would love that!

and then a fact one for chiclets, which makes me giggle like a 12 year old.

and don't forget Junxacilin,.....(as on a short circuits in 2007)

yes I'm five. and I'll stop, but they amumse me and its 6:18 in the morning...I should go to bed.

I like the message of the article so much, that I'll just cite the according section:

[...] one of the following: web vulnerability scanning, penetration testing, deploying a web application firewall and log analysis does not adequately ensure "security." While each of these tasks excel in some areas and aid in the overall security of a website, they are each also ineffective in other areas. It is the overall coordination of these efforts that will provide organizations with, as Richard would say, a truly "defensible web application."

I do think that some of the activities mentioned above are more effective (and therefore important) than others, but generally, I couldn't agree more. Very well put Ryan Barnett, thanks!

Picture of scary spider in its web by Vanessa Pike-Russell

I really hate to be a spoilsports, but I'm afraid it's still a long time until we have such a thing as the Year of WAFs. I've never been a huge fan of such firewalls and for a reason. I'll use the following posting to tell you why I feel this way.

While I think that e.g. ModSecurity can increase the security by some, the dangers IMHO out-weight the gains. Here is my reasoning:

• Web Application Firewalls give companies a false sense of security. As opposed to normal network firewalls, where people know exactly that such devices keep traffic from going to certain ports, however let traffic to other ports pass, it is impossible to know the vulnerabilities that can or cannot be prevented with a WAF in front of an application. Many instances of SQL Injection or Cross-Site Scripting will be detected, but others will fall through the cracks. I'd rather know that I have lots of SQL Injections in my application than think it is secure when it in fact has a few exploitable flaws.
• Many critical vulnerability classes can not be detected and prevented at all. Flaws in the logic of an application, or Cross-Site-Request Forgery vulnerabilities (which get more interesting by the minute) can be exploited even with a WAF in front of the application. This, in connection with the false sense of security matter mentioned above can be a problem, even though I admit it is a weak argument not to use WAFs just because they don't protect against certain attacks.
• They increase the attack surface by adding a new layer. While ModSecurity seems to have a pretty clean vulnerability record, this does not hold true for other Web Application Firewalls. In any case, they do add a layer of complexity and therefore also bear the risk of introducing new vulnerabilities. In fact, I've seen WAFs that were more easily hacked than the application they was supposed to protect.
• False positives can cause the protected application to stop working. WAFs come with a huge number of default configurations. However many are not context sensitive and those who are can often be tricked. Take the word Union for example. It might either be used by an attacker exploiting an SQL Injection vulnerability, or by a valid user posting a comment about the European Union. Another example is a forum that allows certain HTML-tags for postings. The default configuration will break the complete forum functionality. Companies using WAFs to protect huge applications need to put a whole lot of work into testing if their web applications still work in boundary conditions after installment.

So, to sum it up, I think it is indeed possible to protect web applications from some attacks by WAFs. However it takes a lot of work to correctly configure the product and make it a fit to the application. More importantly, correctly configuring it requires to know the vulnerabilities to protect from. Once the vulnerabilities are known, it's almost always more effective to patch the code instead of putting a WAF in front of it (there are some cases where this might not be true, e.g. when only the binary code is available and the manufacture cannot be squeezed to fix the flaws).

My appeal is to please, please Web application developers: Start to write secure code. It's not that hard! Have a look at the Open Web Application Security Project (OWASP) Guide. It is a great starter into the world of secure development.

Picture of Lego-Firewall by ianlloyd

His introduction started with him dissing his own abilities to do anything good, including trying to print a photo out on an inkjet printer. After much wasted time and paper he concluded that

-- It turns out the procedure is simple. You tell the printer what sort of paper you’re using and how big it is. Then you give the information to the computer. Then you say whether you want “landscape” or “portrait”, then you choose the quality level you’re after, then you fix the red eyes, remove the blemishes, have a look at the preview and then, after just 55 minutes or so, out pops the finished product. Which is still crap. --

Exactly... read it here

Its the BIG BIG problem, bigger than anything else you could possible think of ......

I am of course referring to WAF.... the dreaded Wife Acceptance Factor.

I dont take credit for this acronym, I'm sure I heard it somewhere else on the net, but it's a major point when considering things for the home. Of course it doesn't just apply to the wife, it also applies to the kids, the parents and that non-geeky but vaguely stupid good friend of ours who likes to press buttons.

WAF is merely a handy name to use, a bit like hoover for vacuum cleaner. Its also a younger relative of another acronym KISS (keep it simple stupid) combined with that other saying that women use the world over - YNTST (You're Not thinking of Putting that Sh*t There are you?).

Lets face it, once past a certain age we all like to take a slight degree of pride in our living space. We like to decorate now and then, keep the place clean and have nice things to show off to the neighbours. Of course as men we pretend that we don't, but face facts guys, its true. Its the 'home is my castle' syndrome

This is why you see a load of men on Saturday mornings trudging round PC World and Dixons looking longingly at the latest combined wifi router/hair trimmer, and not actually buying it. We don't buy it because its not functionally cool, no. The reason we dont buy it is because we make a conscious decision that (unless its going in the garage) it will not pass the WAF, oh and also because we know it looks sh*t.

So, moving swiftly on I would like to put forward some (free) guidelines for the modern Electronics Manufacturer:

1. We are not all under-25 single geeks living in converted lofts, we have families (wives, children and elderly parents) and mortgages and bills to pay.
2. Referring to (1) I would also point out that when it comes to the global marketplace we are in the majority.
3. Referring to (2) it would therefore make sense to concentrate on selling to us, and not to the minority of geeks who like upgrading firmware every day. ( I speak from past experience of firmware-geekdom)
4. When you finally do grasp the intricacies of releasing a commercial product, please remember Its only a DVD player, WTF are those 1000 extra buttons on the remote control for?

I shall add to, and refine these guidelines in the coming weeks and months, please feel free to suggest your own.