Tuesday, May 29

iPhone day

Yes, I did get the iPhone. It’s a funny funny story, and I’ll write it all down along with my review of the phone after it activates.

Since everyone is activating their iPhone right now, it’s taking a long time (according to the nice AT&T lady I am on the phone with).

The phone is a lot nicer than I thought: nice screen, and since I actually used an iPhone at the store, the keyboard is a lot better than I thought.

I just got off the phone with the AT&T rep, she said it may take up until 7 pm tomorrow to activate all the iPhones. Hopefully mine isn’t that deep in the queue.

More later, stay tuned.

Added Story -- Okay..

So, I got off work at the customer I was at and was going to head up to the Apple SoHo store. From where I was (World Trade Center) I had to walk up and catch the R/W subway lines at City Hall. About 2.5 blocks. Not a bad walk.

On the way there, I passed an AT&T store. Having researched all the AT&T locations listed on their site, knowing that AT&T said the closest site was on Wall St, I figured this one was ‘unmapped’. The line had about 35 people in it. Not too bad. So I jumped in.

We kept having to move the line, since the people waiting in line were blocking the ghetto ass stores around the location (on Broadway), and their managers kept coming out and hollering at the AT&T manager (PEOPLE, GET OVER IT, IT’S ONE DAY!), even calling the cops at one point.

So we kept having to move, which meant that we were being crammed in tighter and tighter spaces with more and more people. It wasn’t awful, just crowded.

2.5 hours.

6pm rolled around, and they started letting people in about 15 at a time. The first group went in (the first lady in line sold her place/phone for 1500 bucks, not too bad I guess, and another guy sold his place in line for 300). With about 10 people left to go in ahead of me (there were about 100 people behind me), they announced they were out of the 8 Gig model. So at this point I was kind of disappointed and figured I would buy a 4 Gig for eBay or something.

With 5 people left, they ran out. So they told us we could order one. Since we had heard that the wait outside the SoHo store was around the block, I ordered an 8 Gig phone and went back to my hotel.

I got back to the hotel, head hung low and feet sore from standing, and jumped online, only to be greeted by everyone’s pictures of their damn iPhones.

So I got frustrated, and got up and jumped on the subway and went to the SoHo store like I had originally intended to.

Got there. No line. Said to the ‘bouncer’ out front, ‘You guys have any phones?’ ‘Plenty,’ he said.

Went inside, and they had thousands. Literally tens of thousands of phones behind the counter. I should have taken a picture but my camera was dead.

If anyone has a picture of the inside of the Soho store on Friday, please email it to me.

So, I got my phone, and updated my “Apple Store Visits” page. Read here for iPhone review.

Friday, May 18

Icons are so 1995

Something else I noticed today: I was interested in how the new Finder desktop looks, in reference to the menu bar, the Dock, Stacks, etc., and I noticed something else.

There are no icons on the Desktop.

Now, Steve said that one of the reasons that our desktops are so cluttered is because, when we download something, it falls on our Desktop. (True). So they created a Stack to manage all the downloads.

And if you strip all the other stuff off the Desktop (your hard drive icon, your CD/DVD icon if you have something in the drive, your iDisk icon if you have one, your other hard drives, mounted shares, etc.), it can all be found in the new Finder, which can be launched from the leftmost button on the Dock.

Personally I like this. I don’t use my Desktop icons anyway; I actually shut them off and use my menu bar (at the top) and the Dock (at the bottom) like you are supposed to.

Which it looks like Apple is going to have you do in Leopard. Nice.

Tuesday, May 8

The Snort Book

Finally got my copies of my book today from the publisher. (Only took them a month!) There are a lot of comments I could make about the book, positive and negative, but overall it’s a great resource. In particular the preprocessors chapter (I know, I wrote it) has some good tuning steps and hints that you won’t find elsewhere.

Some chapters are better than others. Some chapters have errors in them (even mine! I mean, really, who begins a TCP conversation with a FIN, ACK? I swear, it was correct in the proof copy!)

I make mention of Stream5 in my chapter at one point, saying that we ‘took a peek at it’, even though I didn’t discuss it at all. At the time of writing Stream5 wasn’t out yet, so I couldn’t really put much in there about it since it was still in beta. I originally had some stuff in there about UDP session tracking being in Stream5, but I took it out. That’s why I “refer” back to it later.

I edited/rewrote another chapter in the book (which shall remain unknown for now), but none of my edits got into the book. When I asked the publisher why, it turns out the publisher for this particular book quit in the middle of the book’s publication, so a lot of edits didn’t get in there. Hm.. That sucks. Maybe they’ll do a second edition to add in that stuff.

I really like the book overall, and I really liked the writing experience; however next time, if asked to write a book, or if I write my own book, I’d like more control over it. Our editors did a GREAT job with the task that was set before them. I wrote my chapter on my laptop on flights and in hotels. I always got interesting looks when people would look over in a plane and see me just going to TOWN on the keyboard. (You know how some people just work on Excel spreadsheets and whatnot; it’s always interesting to see people going nuts on their keyboard.)

Go buy the book. You’ll learn a lot. I promise. If you read the book, a lot of the most common questions are answered. If that doesn’t work, then pop into #snort on irc.freenode.net and ask your question, or pop onto the snort-users mailing list. Chances are your question has not only been asked already, but we’ll get you the answer right away. See you online!

Addendum --

It was pointed out in a blog comment here that my title was neither “Director” nor did I “develop” an IDS at my last job (as listed in my bio). Both true. I’ll admit it. The commenter even went so far as to call me a LIAR (yes, all in caps). Let me correct/clarify, as I most definitely didn’t mean to ‘lie’.

There was no such thing as “Director” in my last job. My title was “Section Manager”. Originally the title I was given was “Section Lead”; however, in the politics that ensued after I was ‘promoted’ to the position, it was pointed out to me that “Lead” was reserved for Government employees. I was a contractor. When I sent my bio to a couple of people to proofread, I also sent it to the publisher because of a deadline we had to meet. When the people I sent it to for proofreading pointed out “Director”, I said, ‘ah yes’ and emailed the publisher with the correction. Why did I write it in there? In my present job, the equivalent title of the position would have been Director. No one knows what ‘Section Manager’ is. It’s not a real title. ‘Manager’ is a real title; ‘Section Manager’ is one of those made-up Government titles. What were my responsibilities? I attended a weekly ‘managers’ meeting and compiled a weekly report of what the guys who ‘worked’ for me did. First of all, the guys who worked for me were on a different contract, so I couldn’t tell them what to do anyway. You didn’t get into our section unless you didn’t need to be managed (you had to be self-sustaining). So the title really meant nothing. Second of all, no one had one boss. On one project, a friend named Jamey was the lead; for the section, I was the lead; but then my contract lead (Joe) was my boss and wrote my reviews, except he didn’t give me my jobs. Another person named Harry did that; his title was “Lead Contractor”, he was everyone’s boss, and everyone reported to him directly. Then on top of all that, our Government rep at the office was our boss as well, and she was over everyone. After I left, it just got worse, with one more layer of boss in the middle there somewhere. As I said, the title didn’t mean much.

That’s what causes people to get other jobs. Some of the best employees I know have left that place because of all the politics.


As to the second point -- developing an IDS. I did NOT develop an IDS. I DID develop a system of IDS tools that worked together (yes, of course, with some assistance from a couple of friends, mainly on the DB side) for passive OS fingerprinting, full traffic capture, and then, yes, the IDS, which was Snort. I developed how the tools worked together, and automated all the pieces and parts to keep them all up and running on the multiple sensors I had. When I was asked to help develop the system that is currently in place on a much, much larger scale at a sister office, I did. That system is still in place today exactly how I designed it (at the sister office).

The system I developed at my home office has been dismantled and pieced apart, and not all the pieces of it are running anymore, mainly because no one knew how it all worked after I left. Why? I am not sure. It was all documented. The best comparison I can make for the system I built is Sguil, except without the Tcl/Tk frontend.

Did I write ‘Director’? Yes. I sure did. To make myself look better and over-inflated, and to lie? No, that was not the intention. The intention was to convert my ‘made-up’ title into a commercial equivalent. When it was pointed out to me, I did make the correction, and the correction wasn’t published. (Add that to the list of things that didn’t get corrected.)

Now, the thing that concerns me is that only a few people knew the exact nature of my title while at the RCERT, and out of those people, only a couple would be rude enough to try and bust me out publicly. On my own blog, no less. All of those people, both the people I think it is and the rest of the people at the RCERT, have my email address and could have written me an email telling me the deal. Everyone has my email address. Hell, it’s on the front page of this blog.

I didn’t appreciate it; even though you were correct, it was rude.

Unresponsive Finder

Okay. A long time ago (if you read my old blog, you’ll know) my PowerBook froze up: accessing files in Finder was unresponsive, and searching with Spotlight was impossible (spinning beachball from hell). I figured out how to fix it then, and yesterday my PowerMac Dual G5 started doing the same exact thing and I was able to reproduce the fix, so here it is for your problem-solving pleasure:

As I stated, Finder and Spotlight become unresponsive. I have no idea what causes this, but I noticed it yesterday when I’d try to open a file or attach a file to an email: I’d click on the file in Finder’s ‘column’ view, and it would literally take about 20 minutes to get the details of the file in the next column (spinning beachball, machine and Finder completely frozen).

Open Terminal and type:
$ sudo mdutil -s /

mdutil is the utility that manages the Spotlight index for each volume (the -s flag reports the indexing status of the volume you name). You can even use mdutil to index network shares, which is quite handy. For more information on mdutil, either read the man page or type:
$ sudo mdutil -h

Anyway -- I got sidetracked there. If mdutil -s / takes a long time to run and complains that it can’t look up the index status of the “/” volume, then you are experiencing the same problem I was. For some reason OS X’s Spotlight index gets corrupted, and when that happens Finder, which leans on that metadata store, stalls along with it. So let’s fix it. Back in your terminal type:
$ sudo mdutil -i off /    # turns off indexing for the volume
$ sudo mdutil -E /        # erases the Spotlight index for the volume

If either of these errors out, you will have to do it manually: skip the next step and read further down.

Now reboot. When your computer comes back up, open a Terminal window and type:
$ sudo mdutil -i on /
$ top -o cpu

This brings up top sorted by CPU usage. If you see ‘mds’ and ‘mdimport’ among the top 3 or 4 processes, that’s good: OS X is rebuilding your Spotlight index. Let it finish, and hopefully everything returns to normal. If instead any of the commands errored out (“Can’t find index status”, “Can’t erase index” or similar), go to the manual fix below.

If none of that worked, let’s fix it manually.
Step 1: Open System Preferences -> Sharing. At the top you will see the name of your computer (yes, this is the HOSTNAME). Change it to anything you want. For some reason Finder is tied to the hostname of your computer, and in my experience changing the hostname is what makes the fix take.
Step 2: Back in your Terminal window, change to “/” ($ cd /).
Step 3: Erase your Spotlight index. (Sounds dangerous, doesn’t it? Don’t worry, it’ll be rebuilt.)
$ sudo rm -rf /.Spotlight-V100/
NOTICE THE DOT: it’s a hidden directory, so you’d have to add -a to your ‘ls’ to see it. Type the path exactly. This is rm -rf running as root, so a stray space, a missing dot or a wildcard would take out the wrong tree; run ‘ls -ld /.Spotlight-V100’ first to confirm the directory exists and that this is the path you are about to remove.

Now reboot. When your computer comes back up, your Spotlight index will be rebuilt (this may take a while; it took about 3 hours on my PowerMac, but it has 3 hard drives in it), and then everything should be good to go.

Remember, changing that hostname is the magic step. Don’t forget it.

If this helps you, please leave a comment and let me know. If you have any suggestions to add to this, please leave a comment and let me know.
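The steps above, wrapped as a checked shell script. This is an added example, not a script from the original post: it assumes a Mac with /usr/bin/mdutil and the /.Spotlight-V100 store layout the post describes, and every function name in it is made up for the example. Two things it adds over typing the commands by hand: the manual rm -rf fallback only runs against a path that is exactly a Spotlight store directory (never an empty variable or a nested path), and the “watch top” step becomes a check you can run from a script.

```shell
#!/bin/sh
# Added example: a checked version of the Spotlight rebuild described in the
# post. Not the post's own script. Assumes macOS with /usr/bin/mdutil and the
# /.Spotlight-V100 store layout the post describes; all function names here
# are made up for this example.

# Classify one `mdutil -s <volume>` response.
# Prints: enabled | disabled | error
classify_mdutil_status() {
    case "$1" in
        *"Indexing enabled"*)  echo enabled ;;
        *"Indexing disabled"*) echo disabled ;;
        *)                     echo error ;;
    esac
}

# Ask mdutil for the index state of a volume. If this call itself hangs for
# minutes, you are seeing the broken-store symptom the post describes.
spotlight_index_state() {
    vol=${1:-/}
    out=$(mdutil -s "$vol" 2>&1) || out="error: $out"
    classify_mdutil_status "$out"
}

# Accept only a path that is exactly a Spotlight store directory: the boot
# volume's /.Spotlight-V100 or /Volumes/<name>/.Spotlight-V100. Anything else
# (empty string, nested path, "..", a bare "/") is rejected, so the rm -rf in
# the manual fallback can never run as root against the wrong tree.
is_spotlight_store_path() {
    case "$1" in
        /.Spotlight-V100) return 0 ;;
        /Volumes/*/.Spotlight-V100)
            rest=${1#/Volumes/}
            rest=${rest%/.Spotlight-V100}
            case "$rest" in
                ""|*/*|.|..) return 1 ;;
                *)           return 0 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Disable indexing and erase the store; fall back to the manual rm only when
# mdutil -E fails, and only on a validated path. Reboot afterwards, as the
# post does, then re-enable indexing with `mdutil -i on <volume>`.
rebuild_spotlight_store() {
    vol=${1:-/}
    [ "$(id -u)" -eq 0 ] || { echo "run this as root (sudo)" >&2; return 2; }
    mdutil -i off "$vol" || echo "warning: mdutil -i off failed on $vol" >&2
    if ! mdutil -E "$vol"; then
        store="${vol%/}/.Spotlight-V100"
        if is_spotlight_store_path "$store" && [ -d "$store" ]; then
            rm -rf -- "$store"
        else
            echo "refusing to remove '$store'" >&2
            return 1
        fi
    fi
    echo "store erased on $vol; reboot, then run: sudo mdutil -i on $vol"
}

# Scriptable replacement for eyeballing `top -o cpu`: feed it the output of
# `ps -Ao pcpu=,comm=` on stdin and it prints the CPU% of the Spotlight
# workers, exiting 0 when any of them is at or above the threshold (the
# rebuild is running) and 1 otherwise.
spotlight_workers_busy() {
    threshold=${1:-5}
    awk -v t="$threshold" '
        { n = split($2, p, "/"); name = p[n] }
        name == "mds" || name == "mdimport" || name == "mds_stores" {
            printf "%-10s %5.1f%%\n", name, $1
            if ($1 + 0 >= t + 0) busy = 1
        }
        END { exit busy ? 0 : 1 }'
}

# Usage on the affected Mac (after `sudo -s`):
#   . ./spotlight_fix.sh
#   spotlight_index_state /            # enabled | disabled | error
#   rebuild_spotlight_store /          # then reboot
#   mdutil -i on / ; ps -Ao pcpu=,comm= | spotlight_workers_busy 5
```

The hostname step from the manual fix is left to the Sharing pane as the post describes; the script only covers the Terminal side. Source the file rather than executing it so the functions land in your shell, and keep the path guard even if you trim the rest: it is the difference between erasing a cache and erasing a volume.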