Anatiferous blog | Move every zig.

Howdy! This is my (William Reading's) webpage. At the moment, I only have this blog script and my gallery up, but I hope to get more stuff on this page at some point, or so I thought when I created this site years ago. Updates and shiny new copy to eventually go here. If you'd like to contact me to point out that I've done something to break XHTML/CSS standards or heaven forbid--look at my Vita--drop me a line at my e-mail address bill +spam @ [ELEPHANT] aggienerds.org. Simply remove "+spam", the spaces and the pachyderm along with its brackets and that address will reach me. I'm also available on Jabber/GChat/AIM/MSN with the same address above.

I decided that I wanted to try sous vide this weekend, and didn’t want to wait to order a PID controller in the mail. My thought was that I could use a microcontroller with a big relay wired up to the LCD traces for a kitchen thermometer and do the control myself.

I went to Fry’s and purchased a thermometer for $11, a remote controlled appliance switch for $11 and a 6 qt crock pot for $25.

Unfortunately, the LCD display on the thermometer I bought uses some kind of PWM on the pins to multiplex inputs, and that would probably take more than the afternoon to properly reverse engineer:

Fortunately, Gabe had an extra temperature sensor sitting around, so some one wire code later, and we got my arduino sampling temperatures. Right now, it uses a simple temperature range to decide when to turn on and off the crock pot, but there’s a handy PID control library for arduino that could probably be used to reduce the overshoot of the current approach (1ºC). Another thing that would be useful to do is to use the arduino ADC to sample the temperature from a thermocouple. There’s some code that does this here.

Since I didn’t have a glue gun on hand to properly isolate the sensor from the water path, it eventually started shorting and producing bad data. Putting it in a plastic bag was a pretty good workaround, but insulating air inside the bag caused the temperature readings to be off by as much as 1ºC, so the system was off by as much as 2ºC at any given time. Putting the exposed wire inside of a glue blob and then heat shrinking around that seems to have fixed the problem, but a thermocouple is probably going to be more accurate and would handle a wider range of temperatures.

The results were pretty tasty, though it looks like 14 hours is insufficient for beef chuck, which was still a little tough, but not too tough. It’s fine for other cuts of meat, such as a flat steak. I ended up pan searing the steaks after I took them out of the bags, but I think I might have not had a hot enough pan to flash sear it and ended up overcooking. Some people recommend that you use a butane torch (propane supposedly leaves more of an off taste) to get around this problem.

On the note of putting it in a bag, I ended up using a ziplock freezer bag and then dipped it in the water with the bag open to push out excess air, though I think a vacuum sealer would work better.

Lessons Learned:

• Crock pots tend to overshoot, but are probably safer if you’re building your own control system. Consider a rice cooker or other simple steamer that can be externally switched because those have less thermal inertia, and you don’t want another control system interfering with turning it on and off externally.
• A simple on/off with a cheap remote wall switch works surprisingly well. I was able to drive the remote control for the appliance relay with a digital high on the microcontroller.
• You don’t necessarily need PID control, but it probably would keep the temperature more stable. You can buy one on Amazon, though you’ll want to buy a thermocouple (probably type K) to go with it.
• You don’t necessarily need a crock pot. You could also use an immersion heater to warm the water.
• 132ºF is probably a good temperature for medium rare with sous vide with this system

I received this letter in the mail from the Association of Former Students (AFS) last month. It’s written by someone that says she’s given to the Century Club, and often sits at Fish Pond and thinks about the legacy of the university.

Of course, I’m not sure when she would have recently. The pond has been closed since at least March or so, and I have pictures of it being drilled into during May. The plan is to move it to Sbisa, since they want to expand the bus service in the area with the current fountain.

According to the letter, she’s a member of the Century Club. Now I don’t know about you, but I know that I didn’t go around making $100 donations to TAMU while I was a student. And I can say that I made more than most of the students on the campus. Am I really to believe that someone that’s a sophomore that is a student worker for the AFS is really going to be a member of the Century Club?

As of the last few years, it’s becoming more and more commonplace that news of a semi-urgent nature gets pushed out online quickly. In the case of Code Maroon, you can get a notification if Texas A&M University is going to be closed or if a building is on fire. These types of messages are pretty handy, but messages don’t get delivered to e-mail very quickly.

Most people sign up for text messages, but this doesn’t work for me because I exclusively use Google Voice for managing my text messages. What I’d like to do is get a quick notification on my phone whenever one of these things go out, so that I don’t bother to try to go somewhere that’s closed or the like.

So I’d really like to use something like Prowl to send out the notifications. The other thing is that Code Maroon isn’t necessarily the most effective at getting out the message that something of interest is happening on campus, since they presumably never want to send out a false alert. For the recent Zachry building fire, the student newspaper (The Battalion) reported that the building was on fire on their Twitter feed before Code Maroon.

My solution to this notification problem is to pull different campus RSS feeds, and sift out the interesting bits, and then push it out over Prowl to my iPhone. This cleanly solves the notification problem, fixes the expediency problem, and does a best effort job in throwing away things like test messages.

Link to the script here: RSS Notify v0.1

I happened to have a half broken Polycom CX200 lying around, and I discovered that it mostly works aside from the LED on the front. The other thing I noticed was that if I plug it in on linux, the hiddev driver captures it and pulseaudio hooks up the microphone and speakers. It occurred to me that this could be really handy for use with something like Ekiga as a softphone.

I unloaded the hiddev driver and did an lsusb -vvv, to find that the device actually uses a telephony hid page and a standard on/off hook data field:

Report Descriptor: (length is 151)
Item(Global): Usage Page, data= [ 0x0b ] 11
Telephony
Item(Local ): Usage, data= [ 0x01 ] 1
Phone
Item(Main ): Collection, data= [ 0x01 ] 1
Application
Item(Main ): Collection, data= [ 0x02 ] 2
Logical
Item(Global): Report ID, data= [ 0x01 ] 1
Item(Global): Logical Minimum, data= [ 0x00 ] 0
Item(Global): Logical Maximum, data= [ 0x01 ] 1
Item(Global): Report Count, data= [ 0x01 ] 1
Item(Global): Report Size, data= [ 0x01 ] 1
Item(Global): Usage Page, data= [ 0x08 ] 8
LEDs
Item(Local ): Usage, data= [ 0x17 ] 23
Off-Hook
Item(Main ): Output, data= [ 0x02 ] 2
Data Variable Absolute No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Global): Report Count, data= [ 0x07 ] 7
Item(Main ): Output, data= [ 0x03 ] 3
Constant Variable Absolute No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Main ): End Collection, data=none
Item(Main ): Collection, data= [ 0x02 ] 2
Logical
Item(Global): Report ID, data= [ 0x02 ] 2
Item(Global): Report Count, data= [ 0x01 ] 1
Item(Local ): Usage, data= [ 0x09 ] 9
Mute

(some bits snipped)

Fiddling with accessing the hiddev device note, I found that it was pretty easy to read off hid events coming off the device. The next part was to try to hook it up to Ekiga’s dbus interface. Unfortunately, Ekiga’s dbus interface has been a bit stale since the 3.0 release, so I had to patch it up to add the hangup/answer events that would be useful to wire up to the buttons. It’s a bit hacky because it uses the reuses the private data that the call window is holding onto for itself, but it’s a lot more convenient than going through the call manager.

I hooked up a dbus perl script that I wrote to test my dbus changes to the hiddev script and voila, my CX200 device works properly with ekiga on linux, at least as far as answering and hanging up go. Patch to Ekiga and perl script here.

A few weeks ago, some script kiddie from Romania hopped on my AppleTV that I’d converted to run Linux. My first hint that something was wrong was that the “-h” argument to ls stopped working properly. I’d been using this box as a fileserver with a USB drive attached to it for storage. I pulled the machine from the network, but didn’t get a chance to peek at what had happened until now.

First stop, auth.log:

Oct 31 15:51:59 appletv sshd[1629]: reverse mapping checking getaddrinfo for 79-117-141-201.rdsnet.ro [79.117.141.201] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 31 15:52:02 appletv sshd[1629]: Accepted password for bull from 79.117.141.201 port 50414 ssh2
Oct 31 15:52:02 appletv sshd[1629]: pam_unix(sshd:session): session opened for user bull by (uid=0)


Well, this is a pretty good sign that the box was rooted, let’s take a look in /home:


# ls -alh
drwxr-xr-x 7 root root 4.0k Oct 24 21:00 .
drwxr-xr-x 22 root root 4.0k Oct 11 2009 ..
drwxr-xr-x 51 1000 1000 4.0k Nov 2 16:21 bill
drwxr-xr-x 2 1002 1003 4.0k Oct 31 20:53 bull
drwxr-xr-x 2 1004 1005 4.0k Oct 24 21:20 cgi
drwxr-xr-x 2 1003 1004 4.0k Oct 17 21:10 enter
drwxr-xr-x 7 1001 1001 4.0k Feb 22 2010 gabesk


Looking through the directories, I see that cgi still has a .bash_history:

ls -a
./run 123.36
./ftp_scanner.c 123.36
clear
ls -a
cd ..
ls -a
su
clear
cd /var
ls -a
cd tmp
chmod +x
chmod * =x
chmod * -x
clear
ls -a
pwd
mkdir ” “
cd ” “
clear
ps -aux
ls -a
clear
ls
screen -r
clear
cat /proc/cpuinfo
ls -a
tar xzvfdedicate.tar
tar xzvf dedicate.tar
clear
ls -a
cd fb
ls -a
pico run
ls -a
pico pass
ls -a
pico pass
ls -a
screen
screen -wipe
cd var/tmp
bash -i
cd /var/tnp
cd /var/tmp
clear
ls -a
cd ” “
clear
cd fb
clear
ls -a
clear
ls -a
ps -aux
screen
ps -aux
ls -a
w
cd /var/tmp
cd ” “
cd fb
clear
ls -a
ps -aux
ls -a
screen -r
ls -a
./ftp_scanner 0-100
./ftp_scanner 192.168.0.0/24
./ftp_scanner -h 192.168.0.0/24
clear
./192.168.0.0/24
clear
ps -aux
ls -a
./ftp_scanner
pico run
./ftp_scanner
./ftp_scanner -h 123.36.0.0/16 -u users -p pass -t 6 -c 20 -o log -d -k -C
ls -a
cat log
pico o
ls -a
pico ftp_scanner
ls -a
pico 100-200
ls -a
./run 0-100
ps -aux
ls -a
./run 100-200
./run 200-255
ps -aux
cd /var/tmp
cd ” “
cdfb
ps -aux
cd fb
ls -a
screen -r
cd /var/tmp
ls -a
cd “”
cd .vox
cd /var/tmp
cd ” “
cd .vox
clear
cdfb
ps -aux
ls -a
cd fb
ls -a
screen-r
screen -r
clear
ls -a
pico log
ls -a
ps -aux
ls -a
w
cd /var/tmp
cd ” “
cd .vox
ps- aux
ls -a
cdfb
clear
ps -aux
ls -a
cd fb
screen -r
clear
ls -a
catlog
cat log
killall -9 -vq ftp_scanner
clear
ls -a
s -aux
ps -aux
w
cdb /var/tmp
cd ” “
ls -a
cd /var/tmp
cd ” “
ls -a
tar -xvf multiscan.tgz
rm -rf multiscan.tgz
cd .vox
ls -a
rm -rf vuln.txt
screen
cd /var/tmp
cd ” “
cd .vox
ls -a
cat vuln.txt
clear
cat vuln.txt
screen -r
cat buln.txt
cat vuln.txt
./start 201


There’s quite a few hints as to what happened in there, one of which is that there should be a directory of a space in /var/tmp:

# ls -al
drwxr-xr-x 4 1004 1005 4096 Oct 28 18:26
drwxrwxrwt 3 root root 4096 Oct 24 21:10 .
drwxr-xr-x 14 root root 4096 Jan 23 2010 ..


Well, isn’t that interesting.

# find .
.
./
./ /.vox
./ /.vox/ssh-scan
./ /.vox/start
./ /.vox/screen
./ /.vox/pscan2
./ /.vox/pass_file
./ /.vox/gen-pass.sh
./ /.vox/vuln.txt
./ /.vox/core
./ /.vox/common
./ /.vox/a
./ /fb
./ /fb/log
./ /fb/ftp_scanner
./ /fb/users
./ /fb/0-100
./ /fb/100-200
./ /fb/run
./ /fb/200-255
./ /fb/pass
./ /fb/o
./ /fb/ftp_scanner.c


In vuln.txt, I see a list of machines with poorly set passwords (anonymized and truncated):

root:root:201.9.x.x
root:admin:201.11.x.x
root:root:201.20.x.x
root:root:201.20.x.x
root:admin:201.20.x.x
root:admin:201.20.x.x
root:admin:201.20.x.x
root:root:201.20.x.x
root:root:201.20.x.x
root:root:201.25.x.x