The Iron Lion

Related tags:

Reminder: Support Your Favorite Small Software Vendor Day

November 14, 2007 No Comments Tagged as: free-as-in-freedom software

I realized that tomorrow is probably payday for many of you, so I thought I would remind you that before you start spending that money, remember that the day of your next paycheck falls on Coding Horror's Support Your Favorite Small Software Vendor Day. Last year, I donated to the Enlightenment Window Manager which I use every day. Even thought you aren't limited to just open source projects to donate to (a prime example from the original post's comments is WinZip), I thought I would list off a few projects that I use every day that I will probably be donating to:

Mozilla Foundation

While I've been straying away from Firefox for everyday use, I still use it heavily in web development. I also use Thunderbird as my mail client on all of my systems, and my audio application of choice, Songbird, is based of the XUL API that came from Firefox. While the method of donation is buying things from The Mozilla Store, I will probably end up donating whatever I buy to someone who needs it. This way, I'm helping Mozilla and giving away free stuff!

Songbird

I love Songbird. I never really much cared for the bloat that was iTunes, plus, I just recently got an OS laying around that could run iTunes. However, Songbird's support for podcasts is awesome (even though there's not a single mention of the actual word "podcast"), and building on the extension capabilities of Firefox means the sky is the limit. Their easiest method of donating is, once again, a store so donate whatever you get from their as well. The least you can do is give a shirt to a kid and have him walk around as a travelling billboard.

Vim

I was sold on Vim about a year ago now. I use it as my main development platform. For ~$15 USD, you can become a registered Vim.org user, and for a little more, vote on some of the features you'd like to see implemented.

Free software comes at the cost of someone's time. Just make sure you find a way to say "Thank you" to those humble (if not semi-socialist) developers.

Muzzin' Software Fuzzin'

August 7, 2007 Tagged as: best-practices development fuzzing scheme software testing

You've heard of it. All the cool kids are doing it. If you're not doing it, you're living under a rock. C'mon, just try it. The girls will start noticing you if you do it. You'll start meeting all sorts of cool people, and get invited to all the 1337-est parties. No, I'm not talking about cigarettes. I'm talking about fuzzing.

Fuzzing is the process of providing random data (the "fuzz") to the input of a program. Anywhere that input is received into a program, a fuzzer would allow you to test the robustness of your platform. A network fuzzer would be able to construct a random packet of a given type and throw it to an open port. File fuzzers create random files to be opened in a given program. Hopefully, you get the idea. The concept here is not new, but it seems that there has been an increased buzz for fuzzing in the last few years.

This last weekend at Defcon 15, there was a presentation on a network fuzzer called Funk. Fuzzing for me has never been able to draw me to it the way others have clinged to it. Some of that probably has to do with my lack of interest in hardcore security. However, I was drawn to this fuzzer because it was written in Chicken Scheme. Scheme is a great little language from what I've experienced, but I was having a hard time seeing an actual use for the language. So as I sat in the talk, I checked out that code and took a gander. It was a cool idea, and I've already got a little bit of a contribution patch that I'm preparing to submit to the project.

At the BlackHat Briefings in Las Vegas last week, Mozilla released a Javascript fuzzer designed to help browser developers to "fuzz" their browsers to find security vulnerabilities before releasing their products. The media can spin it how they like, but I am glad to see them opening up their tools, and providing documentation on using them. I especially find it useful because Opera, a competing browser, has now used the tool to find at least four bugs in their browser and release a new build. Hooray for communities!

Let's face it, every piece of software has its bugs. However, in the use case that Mozilla is using their fuzzer (and many other companies use their fuzzers), the fuzzing is equal to some great tests. As a web developer by day, I quickly learned that input should ALWAYS be sterilized, no matter how much you "trust" the users of your platform. It's hard, however, for me to find attack vectors in my own software, mostly because I've designed it around one use case, i.e. the one given to me by the "higher-ups." In my mind, I would say "If only I had a tool that would give me some real world use cases," in hopes to cover both stupid users (creating good error reporting) and malicious users (sterilizing the data or failing silently). Creating a good fuzzing tool would fit this bill exactly.

I'm sold on fuzzing now

About Me

Allo! I'm Paul Hummer. This is where I blog about my life, which consists of everything from free software, robotics and hardware hacking, network security, and python, to web development, my various projects and ideas, my job as a software engineer, and all sorts of other shiny things I tend to find on the sidewalks of the internet.

If you're still curious about who I am and what makes me tick, feel free to check out my bio.

RecentPosts

PopularPosts

Contact me

TheIronLion.net and all contents copyright © 2007 by Paul Hummer unless otherwise noted. Content from this site is licensed under the Creative Commons License. Visual design and layout may be literally stolen from me without permission. Code snippets are released under public domain unless otherwise noted.

All opinions expressed here constitute my (Paul Hummer's) personal opinion, and do not necessarily represent the opinion of any other organization or person, including, but not limited to, my fellow employees, my employer, its clients or their agents.