Category / work

new job blegh 2 May, 2007 at 10:43 am

I’m not entirely sure i’m diggin my new job …

primarily b/c i’ve got shit-all to do most days. hell, even sudoku and kakuro have gotten boring. they’re either easy, or way more complicated (5* ones) than I’m interested in putting the effort in for (4* i can do in about 10 minutes, 5* I usually have to do two or three times b/c I miss some bit and end up with two 8s in a row … i love how i can get all the squares, all the verticals, and have ONE wrong horizontal … wtf? shouldn’t this have an effect on something else???) I’ve taken to taking my netflix in and watching them on my laptop while I read blogs. but the handful i read either update sporadically, or simply not that much, so it really doesn’t take a lot of time :/

then there’s the fact that when I do have something to do, it’s tweaking some BAD FUCKING CODE. one task i found this week was going through and tweaking some code that queries a database, saves THE ENTIRE RESULT to an array in a file, then a second script that gets used regularly to READ THE ENTIRE ARRAY in and use like 1 value. that’s like 1 column of 1 result. it was done to “help” with database overhead, to keep it from overloading. apparently they didn’t realize that this is like 5 BILLION percent harder on the server, and that the database is DESIGNED for this shit. of course, this is probably a result of the morons who have 5 databases, and so run 7 or 8 mysql servers, each one with all the databases that were there when whatever was added, none of them in sync, and all of them shittily configured. but at least they know what they’re doing.

Oh, and that first script? it has 30 different SQL queries. 15 of them are identical except for the WHERE clause, then 10 more, then the last 5 are UNIONS that look like two of the previous queries munched together b/c they didn’t want to “complicate” the WHERE clause … *Sigh*

I kinda hate these scripts. i really want to gut the shit and start over everything i touch there, b/c it’s all just so BAD. oi. but i can’t, b/c that requires an official request, and since they work no one wants to request it.

and the DBA stuff I was hired to do? hell, most of my mysql access is stolen from the scripts I’ve worked on and i swipe the passwords so i can see what’s in the db that i’m accessing at least. can’t change anything.

*sigh* maybe if i get my mysql cert it’ll get better and i’ll be allowed to swipe some of the databases back internal like i was told was the original plan.

otherwise, I gotta start working on miscellaneous projects. like subversion and making vmware install to a user-dir instead of the root-dirs, and just have a run-as-root script for the root-necessary bits or stuff and whatever.

b/c the other option is looking for a new job again, and given that the last two times (02 and 06) the increase in income did absolutely nothing for the $$$ situation, i’m not sure it’s worth it. and if i do decide to in a year or so, i’ll have the cert, so maybe that’ll help ;)

working from home 16 February, 2007 at 2:05 pm

so, i stayed home wed/thurs this week b/c of the snow/ice/idiots. figured i don’t usually have much to do at the office, so i could not do it at home just as well, but i could play computer games and watch law and order dvd’s at the same time i didn’t do it ;)

except yesterday I, again, had real work to do from home :o this makes 3 out of 5 days i’ve worked at home and had work to do at the same time! it’s INCREDIBLE! (i’m not counting the days i was home b/c of the construction, although i think i had things to do at least one or two of those three, come to think of it)

apparently, unlike my old job, my new job actually has me WORKING when i WORK at HOME :o what a concept. I don’t get it ;)

oh, and my desk gets full when i have my windows laptop (for ssh to the office since their proxy/vpn-like client java tool thing only works in windows, wha?) and my mac laptop (b/c that’s what i use for me stuff). then there’s the gaming machine, but the keyboard’s in the tray and the monitor’s on a step up, so not really in the way. But the plate of tacos? yeah, that was coming up short on good places to put things :o

mind, I had some work to do this morning at the office, too. of course, i finished that hours ago, so now i’m marking time again. reading docs and such on security again. b/c it’s like an obsession ;)

2+2! 30 January, 2007 at 10:59 am

day 2!

and today i learned how to fill out my timesheet! i only have something like 20 possible billing codes, oi! dropped k at camp last night, b/c he didn’t have camp yesterday. took an hour in that process (picked up more of his meds and signed for training, but still), then decided to do dinner (another hour? cripes!) and groceries (AGAIN? AN HOUR???? wtf, do all my clocks move by hour segments???)

but i woke up on time (early, actually) today, whee go me! now i’m at work, with little to do. got another semi-voluntary project to play with though, so might be good

day 1 29 January, 2007 at 3:22 pm

so! today’s my first day at my new job

we’ll ignore the last 4 months, it gets confusing :o

this morning was my orientation telecon .. except the only other person being oriented left her packet on the commuter shuttle or something, so it got moved. so, instead, i read the packet (whee), picked out the coverages we want (SHOCKING! we want top all), and did my job some. b/c i can’t actually sign up for my benefits until i get another packet in the mail. *sigh*

we’re hoping it comes in the next day or two (7-10 business is the quote, unfortunately) b/c then i can sign right up. COBRA runs out wednesday night, and I’d like to not pay the february bill on that. b/c it’s EXPENSIVE! and while the new medical will supposedly be retroactively in place to today, she’s got a labwork or two and a pair of dr’s visits before the end of feb. that i KNOW of … so we’ll spend the $ on cobra so that she has coverage listed at the time. b/c i distrust “retroactive” yaknow?

hard at work 23 January, 2007 at 3:01 pm

project A we finished last week (good, b/c it was due last wednesday .. wonder if the people who set the deadline have looked at it at all …)

project B is on stall until we can find a way to POLITELY browbeat someone into letting us actually talk to the person with the answers. Person Z is our contact. Person Y asked a bunch of questions. Person X has the answers. Person Z never seems to get the meaning when we ask “can we talk to Person X to get the answers we need for Person Y” :/ so, we’re stalled indefinitely.

so, this week at the office I’m reading my Zend PHP Certification guide. I figure once I’m hired I’ll look into the policies on certs. If they’ll pay for them, I’ll probably go for the PHP, LPI level 2 and MySQL DBA certs. Of course, those last two are 2nd level, and each level has 2 tests, at 200$ a pop … i am SOOOO not paying for that myself :o

Otherwise, I’m making another hack at learning hindi. Why not! just b/c the last dozen times or whatever have failed miserably is no reason to think this one will too! this time I’m going with written. learn to mimic words, then learn to pronounce them. I’m going about it like your average 3-5 yr old learning to read/speak by reading aloud. Of course, hindi primers are all in Devanagari (the character set), and I have no basis for knowing what those mean (although I did find a site… uh, wonder where I put that URL … anyway, it goes through the alphabet and tells you how to pronounce the letters and some of the common letter-combos (like ie, ae, etc)). So I’m working with that, a big list of english words and their hindi versions in Devanagari, and trying to figure out how to say things.

I’m doing this by translating Dr Seuss ;) If Green Eggs and Ham, Cat in the Hat, and Horton Hears a Who are good enough to teach kids english, then they should be able to teach me some (relatively useless) hindi phrases. Once I have a base, maybe I can go from there.

I figure that I may put up the translations, assuming I can figure out if that’s allowed since Seuss is still under copyright so the fulltext isn’t online in english … otherwise, I may put up phrases or something.

And then I’m going to work on a “Hindi Primer for Americans” b/c we do NOT pronounce things like the brits. The second o in Library … wtf are you talking about? there’s NO o, let alone TWO!!! :)

Heck, if this works for me, maybe I’ll do Hebrew too. See if I can figure out how to sell my Language Mastery plan for fat cash. retire rich at the age of 25 and live high on the hog, just me and my buxom wench! And the puppy, obviously. duh!

oooh cheesy award! 17 January, 2007 at 1:51 pm

saturday I consulted for my old company to help the new guy figure out what madness I had been doing.  took ~3hrs, give or take a bit.  and it was almost all stuff he could have gotten if he’d looked hard enough and spent the time (except the database root passwords I’d forgotten to write down).  actually, a good deal of it I’d documented before and no one had given a damn so the docs had kinda slipped by the wayside.

got an email yesterday from said company, unrelated.  we had won the people’s voice webby and my ‘boss’ had ordered copies of the award statues for everyone on the team.  first he asked, and like ZERO people were interested in paying for an ugly assed statue.  then apparently he went and ordered them all anyway and used project funds.  for an award no one cared about having.  they came in after i left, but they’re engraved so it’s personalized.  now they want me to come in to get it, or give them my address (hello?  you should be sending me my W-2s!  try that address, yadig?) and they want my phone # “because we’ll probably have to send it UPS or something” … b/c, you know, UPS usually calls before dropping things off.  wtf?

worse, I don’t even WANT the damned thing.  I told them that before, but they’d already been ordered.  that’s how I found out they were engraved, b/c I tried to donate mine to the company to display in their awards case.  so now I have to give them more contact info (i’m good with you emailing me, thanks; I’m much better at saying “no, go away!” in email than in person/on the phone) or I have to go in and pick it up.  then I have to figure out how I want to dispose of it, b/c I DON’T WANT IT.  It’s a foot tall crappy looking spring-like thing made of aluminium or something.  but with a heavy base.  so it’s ugly, heavy, and useless.  also known as “clutter” which we’re trying to get rid of.  oi.

holiday bleah 29 December, 2006 at 12:25 pm

monday is new years day, we have the day off.  i’m an hourly employee, i have to make up that time, so 4x10hr days.

president ford died this week.  93, not bad considering apparently there were two assassination attempts during his brief presidency (2yrs or something i think).  because of this, president bush has declared a day of mourning (appropriate), a federal holiday.  on tuesday.

which means i have 3 days to do 40hrs.  i am SO not doing 13hr days :o  my boss’ boss (boss isn’t in this week, and bb sent the message around) suggests that the building will be open, so i could come in.  more likely i’ll work from home so i can at least get my 10 hours.  i’ve just never been clear on whether i COULD work my hourly on fed holidays.  b/c, yaknow, it’s a holiday and the office is basically shut down.  what am i working on?

of course, then there’s the question of what am i working on most of the time AT my desk, since i’m still in a very dry period here :/  oh well.  whatevah

ssh keys 7 December, 2006 at 4:15 pm

most of today, at the office, was spent digging through mysql code, to figure out where and how it authenticates, so i could know where to try putting in the ssh key code

then, once i think i identified the right places in the daemon and the client, it was into the ssh code :o  after much tracing and file changing etc, here’s how SSH handles a key exchange (given public/private RSA keys):

client connects to server, they negotiate their communication, then:

  • client identifies {A} as wanting to login, and chooses “no authentication, just let him in”
  • server tells him where to shove it and offers some auth options
  • client tries blah blah gets to key auth.
    • takes MD5 of the public key
    • hex-encodes the MD5
    • takes ssh communication ID+HEX and saves it as “msg”
    • uses the private key to cryptographically encode (sign) msg
    • sends msg and signature to server
  • server receives this mess:
    • server knows the ID and the public key, so it generates its own copy of MSG
    • compares MSG and msg, if they mismatch, bad auth attempt
    • if they match, and there’s a sig, it generates SIG of its own
    • if sig and SIG match, authenticated

my first inclination is the need for a nonce (one-time randomly generated string) to pass back and forth.  but to be useful, server would need to encode it with public key so client can private decode.  but since there can be multiple keys on a single account for different purposes (such as i’ve set up accounts with a key that launches an automatic process and then logs out vs key2 which lets me log in properly), there’s no telling which key should be used for the encryption of the nonce …

and technically there’s no danger in passing around the public key.  it is, after all, public.  and with the (tiny bit of) entropy coming from the SSH communication ID, the signature will change, although the MD5 does not.  in the end, it boils down to, effectively, encrypting a few bytes of information (the ID) as everything else is static across every authentication.  it adds noise, however, since decrypting a bunch of short numeric messages would be easier than a long message, even if you know what the message says (which you do; it’s sent unencrypted first … I wouldn’t've done that either, TBH)

anyway, setting up MySQL should be … interesting.  I’ll have to put the public key in the database (so it can verify against, for a user) or in like /var/mysql/keys/ … pub key is required to verify the sig.  i might use it to encrypt a nonce, since i don’t (AFAICT) have a comm ID like SSH set up for such a purpose.  at which time, i may not bother sending the pubkey around.  server sends pub(nonce), client decrypts and sends pri(nonce), server decrypts and verifies nonce …
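Here’s an added example (mine, not the ssh or mysql source and not the patch this post is about) that walks through the flow from the list above and the nonce idea in the last paragraph, in Go with the stdlib crypto/rsa: the server hands out a random per-connection session ID (playing the part of the SSH communication ID / nonce), the client signs it together with the user name with its private key, and the server rebuilds its own copy of the message and checks the signature against the public key it already has on file for that user. The user name “dba”, the key size and the in-memory map standing in for the key table are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// authRequest: what the client sends (constructed for this example, not the SSH wire format).
type authRequest struct {
	User      string
	SessionID []byte
	Sig       []byte
}

// newSessionID: the server's per-connection random value, standing in for the "communication ID" / nonce.
func newSessionID() ([]byte, error) {
	id := make([]byte, 32)
	_, err := rand.Read(id)
	return id, err
}

// msgToSign binds the claimed user to this session (the post's "msg").
func msgToSign(user string, sessionID []byte) []byte {
	h := sha256.New()
	h.Write(sessionID)
	h.Write([]byte(user))
	return h.Sum(nil)
}

// clientSign proves possession of the private key, which never leaves the client.
func clientSign(priv *rsa.PrivateKey, user string, sessionID []byte) (authRequest, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, msgToSign(user, sessionID))
	if err != nil {
		return authRequest{}, err
	}
	return authRequest{User: user, SessionID: sessionID, Sig: sig}, nil
}

// serverVerify rebuilds MSG from its own session ID and checks the sig with the user's stored public key.
func serverVerify(authorized map[string]*rsa.PublicKey, sessionID []byte, req authRequest) bool {
	pub, ok := authorized[req.User]
	if !ok {
		return false // unknown user: nothing to verify against
	}
	if subtle.ConstantTimeCompare(sessionID, req.SessionID) != 1 {
		return false // MSG != msg: stale or replayed request
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, msgToSign(req.User, sessionID), req.Sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key
	sid, _ := newSessionID()
	req, _ := clientSign(priv, "dba", sid)
	fmt.Println("accepted:", serverVerify(map[string]*rsa.PublicKey{"dba": &priv.PublicKey}, sid, req))
}
```

The same signature presented on a later connection fails the session-ID comparison, which is the whole job of the nonce.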

i’ll let you know how badly this fucks up ;)  and mysql can’t do SSL encrypted traffic unless client and server both have SSL certs, according to what I’ve read (i thought it could, so I may have found an old archive) … so i can fix that, or make this local-only (which makes more sense anyway)

ssl certs, ssh keys and agents, oh my 6 December, 2006 at 2:57 pm

i swear, i’m gonna make a new cat for security shit.  or programming shit.  or both, but they’d overlap a lot.  of course they overlap work most times, too.  go figure

anyway.  mysql5 (maybe 4) added the option for SSL Client Certificates to authenticate a user, instead of using passwords.  This is handy, if, for instance, you want to be able to log into a shitload of different databases without having to use a shitload of different passwords.  b/c using the same password a bunch of times would be bad.  except when it’s not (don’t get me started on security here; that’ll be another day i’m sure)

ssh uses keys.  which are generated from certs, in a way.  or are a part of a cert.  something like that.  definitely something.  the first s is the same in both.  and ssh uses a modified ssl (secure socket layer; just means the communication is encrypted, honestly; secure shell, means the shell itself is just a fucking shell.  the communication is encrypted however; go figure).  but ssh credentials are called “keys” and are, AFAICT, different from ssl “certs” (or certificates).  and ssh clients tend to have bundled an app called a “key agent” which monitors what keys you have, and then just presents the fuckers to the server when it asks, so it can say “oh, ok, yeah.  that guy, sure come in”.

which is what an SSL Client Cert would do for a mysql system.  (SSL usually refers to the server end.  HTTPS, server has a cert and gives it to the user saying “see, i’m me!  here’s my papers!”; client certs are the other direction.  you’ve verified the server (or you don’t give a shit) and now you’re presenting your papers “Ja.  I veesh to kom een.” and then the server says “ah, friedreich!” or throws you out a window onto a pile of luggage and says “no papers” to the other clients trying to connect so they all fish out their certs and wave them in the air)

so, my current (self-proffered) task at work?  i’m trying to find a way to use ssh keys (which we all have if we want to log into anything more than our desktop and we forward around with ssh-key-agent and the ssh client/server encrypted secure communications SOCKET LAYER) to let me into mysql servers.  either turning a key into a cert (if there really is a difference (and i’m sure there is, although it may just be the cruft that a cert has that a key doesn’t worry about)), pulling a cert from a key (which i don’t think is possible, since certs have more (See previous par-unethical comment)), or agenting a certificate (preferably through the ssh-key-agent, which wouldn’t make any sense, or through some other agent that can piggyback into the ssh channel (uh, hello, encrypted?) and forward around the cert)

b/c, see, the private cert (ie passport) stays on you at all times.  you can’t just stick it on the server and figure you can just grab it when you need it.  b/c then when someone else breaks into your locker, they’re you.  i mean, they need a password, but those are relatively meaningless, b/c most people tend to use their birthday (july01) or their mother’s maiden name (jones) or something equally stupid.  coupled with the fact that they’ll tell anyone who asks what it is or how to guess it.  people are idiots.

i wonder if a cert, encrypted with a key, is secure … b/c then the key is the one you’re forwarding all over … except you don’t actually forward the key, rather you forward some fingerprint of the key or something.  b/c forwarding the key around is STUPID since the whole point is to keep it secure and close …

white box black box 5 December, 2006 at 12:36 pm

so, there are two general mechanisms for testing:

blackbox is what most users are aware of.  You put stuff into the magic black box and answers come out.  you don’t care how it gets from A to B, as long as B is what it’s supposed to be

whitebox is the developer’s mechanism.  you put A in, then you follow it through the code/pipes/innards and verify that at each step it’s the B it’s supposed to be.  then at the end you get the answer.  it’s called “white box testing” because it’s the opposite of “black box”.  It’s also called “clear box” or “no box”; the idea being that black-box is big, black, and completely hides the internal workings.  whitebox lets you see the insides.
whitebox is basically used in debugging code.  because if you put in A and get Z, you know there was a problem, so you trace it through A B C F … and you know where to look to fix it.

right now i’m debugging an app we’re upgrading.  and i get to do it through blackbox debugging.  I put stuff in, and see what comes out.  I can’t fix anything, but I keep narrowing down where the problem is.  As I find a case that doesn’t work (A53), I then narrow it down further to find the minimum required “bad A” that triggers the problem.  it’s a real pain in my ass, and it sucks.

there’s a reason why no one uses black box debugging.  IT SUCKS!  *sigh*
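An added example (mine, not from the post) of the narrowing-down described above, in Go: a delta-debugging style `ddmin` that treats the app as a black box, only ever asking “does this smaller input still fail?”, and shrinks a failing input to the smallest piece that still trips it (dropping any one remaining byte makes the failure go away). The `triggersBug` predicate and the SQL-looking input are constructed stand-ins for the real app and for the post’s “A53”.

```go
package main

import "fmt"

// triggersBug is the black box. This stand-in is constructed for the example: it
// "fails" whenever the input has a '<' that is later followed by a '>'. In practice
// it would feed the input to the app being upgraded and report only pass/fail.
func triggersBug(in []byte) bool {
	seenOpen := false
	for _, c := range in {
		if c == '<' {
			seenOpen = true
		} else if c == '>' && seenOpen {
			return true
		}
	}
	return false
}

// ddmin shrinks a failing input until it is 1-minimal: dropping any single remaining
// byte makes the failure go away. It never looks inside the box; it only asks "does
// this smaller input still fail?" and keeps whatever still does.
func ddmin(in []byte, fails func([]byte) bool) []byte {
	n := 2 // number of chunks the input is split into
	for len(in) >= 2 {
		if n > len(in) {
			n = len(in)
		}
		reduced := false
		for i := 0; i < n; i++ {
			start, end := i*len(in)/n, (i+1)*len(in)/n
			// the complement: everything except chunk i
			comp := append(append([]byte{}, in[:start]...), in[end:]...)
			if fails(comp) {
				in = comp
				if n > 2 {
					n-- // one chunk gone, keep the others
				}
				reduced = true
				break
			}
		}
		if !reduced {
			if n >= len(in) {
				break // every remaining byte is needed
			}
			n *= 2 // try finer chunks
		}
	}
	return in
}

func main() {
	// constructed failing case standing in for the post's "A53"
	bad := []byte("SELECT name, <tag> FROM users WHERE id = 53")
	fmt.Printf("minimal trigger: %q\n", ddmin(bad, triggersBug))
}
```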