Tims Blog

My Verizon modem stopped being auto-recognized in Ubuntu right when I needed it the most. I didn’t know that I could have just done an eject /dev/sr1 and it would have started working.

After I got back to my office, I surfed around a bit and it looks like the ID_SERIAL changed or something.

It used to be

Novatel_Mass_Storage_091097473130000-0:0

For whatever reason, now it is

Novatel_Wireless_Inc._Novatel_Wireless_CDMA_091097473130000

Whatever. So I changed the udev rule in /etc/udev/rules.d/70-persistent-cd.rules

btw, I found out what the available udev variables were by using the udev tools, see below.

tarupp@tonelico:~$ udevadm monitor

then plug in your device and a bunch of crap will pop up. The first entry was the relevant one

tarupp@tonelico:~$ udevadm info –query property –path=/devices/pci0000:00/0000:00:1d.0/usb2/2-1

UDEV_LOG=3
DEVPATH=/devices/pci0000:00/0000:00:1d.0/usb2/2-1
MAJOR=189
MINOR=137
DEVNAME=/dev/bus/usb/002/010
DEVTYPE=usb_device
DRIVER=usb
DEVICE=/proc/bus/usb/002/010
PRODUCT=1410/5030/0
TYPE=0/0/0
BUSNUM=002
DEVNUM=010
SUBSYSTEM=usb
ID_VENDOR=Novatel_Wireless_Inc.
ID_VENDOR_ENC=Novatel\x20Wireless\x20Inc.
ID_VENDOR_ID=1410
ID_MODEL=Novatel_Wireless_CDMA
ID_MODEL_ENC=Novatel\x20Wireless\x20CDMA\x20
ID_MODEL_ID=5030
ID_REVISION=0000
ID_SERIAL=Novatel_Wireless_Inc._Novatel_Wireless_CDMA_091097473130000
ID_SERIAL_SHORT=091097473130000
ID_BUS=usb
ID_USB_INTERFACES=:080650:
DEVLINKS=/dev/char/189:137

You may need to restart udev if you modify that text file

sudo service udev restart

• karls mortgage calculator
• car-part.com
• ammap

I took the following picture while surfing around the web. It’s so appropriate for all the mess that’s going on at work

Easy? Tell that to the facility folks in my building.

This weekend we’re having a get-together at my dad’s house with some aunts, uncles, and cousins. It’ll be pretty cool. Also, I got my new couch that I ordered this last November. It is much better than the hand-me-down loveseat my dad gave me.

• the arithmetic of active management
• elasticsearch
• not so humble pie
• akismet api
• adservers
• automotive front-end alignments
• ipv4 heatmap software

These last couple of days I have been squashing the various bugs that I’ve come across in the browsershot tool that I’ve developed for savory. Well, today I made it go live and aside from some quirks with HTTP timeouts, we have liftoff!

What a pleasant victory to end the week with

Unbeknown to me, the other day I started receiving a bunch of these emails from twitter reporting that some of the URLs I have posted in my savory tweets pointed to malware domains.

My first reaction was panic; I turned off the twitter posting functionality.

But then I got another thought in my head.

The emails from twitter don’t suggest whether or not they are marking my account for possible blacklisting; they’re only removing the tweet.

savory has the ability to read emails…see where I’m going with this?

So I decided to give savory the ability to use twitter’s own service to enhance my service : ) It works like this.

1. I tweet the URL in my post to twitter.
2. I save the bit.ly URL in a “bitly” key in savory
3. I create a procmail filter for mail from twitter that resembles their message
4. If and when I receive an email from twitter, I call the savory API to retrieve the doc that has the bitly key with the value sent in the twitter email
5. I add another key to the document, “twitter_detect”, with a value of “yes” that signifies whether this URL was detected by twitter

Beware, evil genius in the making.

Since savory stores so many unique points of data about each URL, the next logical step for most curious people is to know how can that data be visualized better.

savory includes a chart module in it’s admin area that includes a couple different views of the URL data.

The first graph here shows the geographical distribution of the URLs in savory and where they come from.

The next graph here shows the URL insert activity, by hour, over the last day

The last graph here shows the URL insert distribution by day of the week and hour of that day

Of course the sky’s the limit here. We have copious amounts of data to mine so it all just comes down to your imagination now

You could go on and on and on collecting data about any particular URL. The amount of contextual data relevant to these things is near limitless, especially when they are involved in malware distribution or other hosting nastiness.

Savory includes somewhere around 100 or so different bits of information for each URL it records. More information is added when new, reputable, data sources are found on the net. savory’s design makes it easy to extend the list of information about any particular URL, so as more new sources of context are uncovered, they are easily added to new or existing URLs.

So what does savory currently know?

I picked out a recent URL that was reported as having been defaced recently. Here’s what savory will show you when you view the general information about the URL.

Remember that almost all of this information is retrieved automatically. There is very little user-interaction with savory aside from just seeing “what’s there”

The first tab here shows the URL in question and the value of the <title> tag at the time it was submitted (or if no title was found, a copy of the URL)

In addition to that are a list of notes and tags. Notes can be added by automated processes or human processes to log actions or info about the URL. Tags can be used to allow future narrowing of search results, or the building of various forms of metrics or statistics.

From here we can move on to the “meat and potatoes” of the URI context; the document.

The document contains the majority of the URL information and it can be big, so I’ll show it in pieces. First, the “document details”. This information is specific to the document itself, not to the URL which the document is associated with.

Each document has a unique ID; the Document ID. This is a UUID that can be used to directly pull the full document details out of savory. This ID is used in the context of the backend document database. Savory also uses a relational database which includes a “savory ID”. These two IDs are different, but stored in both databases so that tools that use one database can also access the other database if they need to.

Each time savory updates the details of a URL’s document, it creates a revision of the document. Using the drop down menu, admins can view the context of the URL as it has changed over time and new fields have been added, removed, or changed. It should be noted that the database can, and is, compressed periodically. The end result of this is that old revisions are lost. This is not a particularly big concern for us though because at this time we are not as concerned with document history as we are with what is current.

Moving on down the page we get to the URI context

So here is what savory knows. This document has 72 fields of context (we’ll see more in a second).

You can see some fields that may be particularly useful to you as a human, but we also include information that is more useful to robots, scripts, or other automated tools.

Moving on, here is more context.

Among other things, savory GeoIP maps the IP address of the URL in question, so you can map the location of the URL.

Another automated process that savory runs is page sourcing. Often we’re interested to know what sort of badware is actually hosted at the URL in question. Sometimes it’s a script, other time’s it’s an exe, or a malformed webpage, you get the idea.

We use resources that we get from page sourcing to re-inforce our training and awareness programs at work. We’ve found admins to be much more interested in seeing the actual crap that is used to infect their machines than to just be told about it.

Part of the page sourcing is hashing of the content, show in the next couple pics

Alright, I can here you asking yourself “isn’t that a little excessive? Do you really need that many hashes?”

You’d be surprised how often we come across a new tool that finds some new weird way of doing things. Most of the time you’ll see MD5 or some form of SHA used by these tools but then you’ll find a tool that doesn’t. We include all the hashes we can for the URL to ensure that we don’t have to worry about the next new-fangled hash that people start using.

Finally, a little bit more information after the hashes.

You get the idea.

savory includes one more stub of information on the document page. I will grant you that it is probably useless information. However, it makes for stimulating discussions between upper management during their multiple hour long meetings. So in that case, we refer to the following data as “printing money”; completely irrelevant to the Techs, only cared for by the Suits.

Management like pictures of things, especially ones that look alien like the above QR code. When you take a bunch of these and put them on a single page, people begin to ask questions and your applications get more air-time among the population. QR codes are almost entirely useless in the context of this application. But we did it to scratch an itch (ok I was just wasting time and having fun with technology I admit it)

But it does make for an interesting conversation starter.

• project sikuli
• iconfinder
• lenmus
• hacking the core of php
• phc
• roadsend php
• apache mod mime magic
• lounge

Tags are used in a number of different contexts on the internet today. For example, social bookmarking websites, image gallery websites, blogs, etc.

Tagging provides savory users with a way to ask savory to return a given list of URLs that meet a semi specific list of requirements. The number of tags a URL can have associated with it is arbitrary. In practice, there are often a lot of tags

savory gives you two primary views into your tag data; table and cloud.

In my own opinion, the table view is more functional. The cloud view can often look very messy due to how many tags exist in the database.

In the table view, savory lists all the tags. Each set of tags has a header. In the image above, the header is “1″. This means that all the tags in this group begin with the number “1″. Each tag is a hyperlink that will take you to the URL searching page, filtered by URLs that are tagged with the selected tag. Next to each hyperlink is a count of the number of URLs that have that particular tag applied to them.

Only ~50 tags are displayed for each block. If you want to view all the tags for a given block, there is a “show all” link at the bottom right of the block

Clicking this link will display a modal dialog window which you can scroll through to find a listing of all the tags for that particular header.

The tag cloud view is a very busy view. It functions in nearly the same way as the table view though. The tags are clickable but there are no URL counts next to them. Instead, the size of the tag word denotes how many URLs are associated with it. The more URLs tagged with that tag, the bigger the word.

Finally, on the tag page, you have the ability to filter tags by strings found in those tags. This is essential for searching because too many tags make your eyes glaze over. savory can filter out the cruft for you if you have a general idea of what you’re looking for.

That wraps up savory’s view into tags and how you can use them to gauge the usage of the system. More articles to come that describe yet more features of savory that make it awesome.

savory’s primary view into the URL database is the URL module. Here’s a snapshot of what a portion of it looks like

From this view you can move back and forth through the url list. Some pieces of information about each URL are also displayed to the end user. In the above screenshot you can see

• Snapshot of the webpage at the time it was recorded by savory
• URL of the malware
• Account which inserted the malware into savory (the bold text after “via”)
• The time that the url was inserted
• The tags that are associated with the URL. These include tags specified by the source doing the insert as well as auto-tagging functionality built into savory
• A summary list of tags. The list is interpreted as all tags on the current page you’re viewing and the number of urls that have that tag.

Some other tidbits that you can see are the links next to each tag in the tag summary.

By clicking the “+” sign, you append that tag to your search criteria, narrowing the list of URLs returned by savory. By clicking on the name of the tag, you clear out your current search criteria and start with just that one tag

As you narrow the tag criteria, the interface changes as shown below.

Selected tags are highlighted and moved to the end of the line. You’ll also notice that the number of urls savory returned is substantially less (only a single URL).

Note though that the tag summary to the right has not changed much. What the tag summary is telling you is that there are 5 URLs tagged “ssdfsdf…”, 5169 URLs tagged “unknown_html”, etc.

These numbers will likely exceed the total number of URLs in savory because multiple tags can be applied to any given URL. This summary is meant to be a gauge to the admin of how general or specific a specific tag is in relation to the system as a whole.

Today I added UI components to savory for taking or re-taking screenshots.

When savory is buzzing along doing its thing, the maintainers of the system shouldn’t be concerned with taking screenshots of the malware URLs. When things break though, or when the maintainers wish to retake screenshots, they need to have a component in the UI to do so.

As of this writing, it looks like this

Well, that’s what you see when the screenshot has not been taken yet, or was tried and failed.

If you click the big camera in the middle of the screen, you can ask savory to re-take a snapshot of the webpage. This will open up a modal window in your browser with a progress indicator. When the snapshot process completes (and if it’s successful) you’ll be presented with your new screenshot.

You can then tell savory to save the new screenshot back to it’s database for future use.