CarolinaCon – Day 3
After Hacker Trivia last night, it was pretty hard to wind down and get to sleep. So 10am arrived quickly.
The Art of Software Destruction – Joshua Morin and Terron Williams
I missed this talk due to Daylight Saving Time… yeah, that’s it.
Apparently, the topic was fuzzing, or throwing unexpected data at a system’s inputs to see how it handles them.
Why Linux is Bad For Business – Wesley Shields
Wes tried to raise the hackles of the Linux users in the audience with his provocative title and his confrontational style. However, his point was driven home very well. Many companies flock to Linux when they want to build on a base of a community-supported project. However, there are other alternatives that might be a much better fit to their development and deployment plans. FreeBSD has a very business-friendly license, which does not require re-contribution of a company’s changes (which may be their special sauce).
Wes makes a very compelling argument. While I appreciate his conclusion, I disagree with one of his premises: that anyone who is building an appliance will probably be making their changes to the kernel, and not in user space. That was true for him, since he was building a “networking appliance”, and the best place for fast networking logic is in kernel space. However, I have also developed a Linux-based “appliance”. But our secret sauce was in the application, and not in the networking or driver layers. So for us, the underlying kernel and support packages were just commodities.
Nits aside, Wesley’s talk was more thought-provoking than just provoking. And your author will certainly consider FreeBSD on his next project that requires an open source base.
Sorry, Wes. If you were trying to come across as a jerk, you failed. Great talk!
The Evolution of Social Engineering – Chris Silvers and Dawn Perry
These guys have entirely too much fun at their jobs. They are security consultants who specialize in penetration testing in the physical realm. That is, they break into office buildings. Well, that’s not really true. People let them in — they con their way into office buildings.
Chris and Dawn shared lots of stories about the many jobs they have been on, explaining along the way the rules of engagement, how they are hired by management, what they are trying to prove, and how far they’ll go to exploit the helpfulness of others.
One hour was simply not enough for these guys!
Metasploit – Ryan Linn
Man, I should have taped this talk.
Ryan gave us a very fast-paced hands-on demonstration of Metasploit (as run from the Backtrack 4 Live CD), and the many ways that a target box can be probed and PWNED. He covered the msfconsole, meterpreter, automation of exploits, and generating malicious payloads.
This talk wins the “most informative” award from me. Very good stuff.
How the Droid Was Rooted – Michael Goffin
Michael shared his experience working with the team that rooted the Motorola Droid phone (hint for developers: putting the phrase “this could be exploited” in the comments of your open-source code sort of acts like a neon sign that says “HACKERS WELCOME”).
There was a lot of good technical content, explaining how the Droid software is packaged and upgraded. But just as interesting was his account of the team dynamics. When one member decided to take the entire team’s marbles and go home, it really did not slow them down, because they were using a distributed source code control system (Mercurial). That meant that every team member had a complete copy of the source code repository. Lesson learned.
At the end of this talk, I wondered how long it would be before you could buy smart phones directly from the carrier that had root access, straight out of the box (after all, I have root access to my PC’s and PDA’s). Having worked for a cellular phone manufacturer, I would guess that we may never see that day. So, give a big thanks to Michael and his team for their hard work!
Protecting Systems Through Log Management and System Integrity – David Burt
This talk was, by far, the worst of the show.
David did not seem to have a core message… instead, he had hastily thrown together 86 slides worth of screen shots and raw data about logging tools. On the stage, he struggled to speed-read his way through the slides, speeding up even more when he hit the 5 minute warning. 75 minutes into his one-hour talk, though, David’s message started to shine through. He knows a lot about logging — and he is available for consulting work.
Wrap-up
We wrapped up with some prize give-aways… youngest attendee, oldest attendee, drunkest attendee, winner of a rock-scissors-paper showdown, that guy who looks like some other famous guy, and anyone else who will take this junk.
And that’s it, the show is over.
Mad props to the CarolinaCon Group, organizers, sponsors and volunteers. I had a great time, and I learned a lot. And it looked like most of the other 176 attendees did as well.
Now let’s see how much trouble we can get into between now and CarolinaCon 7!
CarolinaCon – Day 2
The second day of CarolinaCon was packed from sunup to sundown — who am I kidding… hackers seldom rise before noon. The festivities started at 10am.
Hacking with the iPhone – snide
No, not hacking the iPhone… but using the iPhone as a hacking tool. This talk was a good slide into the morning, a chance to let the coffee sink in. It could probably be summarized with two main points:
- Since the iPhone OS is a distant cousin of BSD Unix, many open source (Linux) networking tools can easily be ported to run on it, so a jailbroken iPhone makes a decent platform for network sniffing and the like.
- A jailbroken iPhone provides a behind-the-scenes look at the user interface, and many things that are set on the main GUI can be changed by directly manipulating the underlying settings files.
Neither of these ideas is too surprising, and so this talk was nothing new. Still, for me, having never played with a jailbroken iPhone (honest), it was an eye-opening experience. Or maybe that was just the coffee kicking in.
We Don’t Need No Stinking Badges – Shawn Merdinger
Shawn has spent some time evaluating campus-oriented badge reader door locks from a company called S2 Security. He showed how they work, and how they are advertised to work — not necessarily the same thing. An interesting glimpse into the world of distributed security systems, with several take-home lessons about what not to do.
It’s a Feature, Not a Vulnerability – Deral Heiland
This is the third time that I have seen Deral present at CarolinaCon. In 2009, he showed us what a mistake it can be to “web-enable” your products, and in 2008, he showed us how he made friends at Symantec with “Format String Vulnerabilities 101”.
This time, he continued his endorsement of Symantec’s products by demonstrating how their AMS product conveniently allows very easy access to a machine’s resources. In fact, all it takes is a single packet to tell AMS to run any command on a target Windows box. That’s convenient! (PWNED)
Smart People, Stupid Emails – Margaret McDonald
Margaret came here all the way from Denver to tell us what we already knew… that otherwise intelligent people send the stupidest things in email. This was a lively discussion that we could all relate to… yet I have this sinking feeling that our inboxes will still be filled with garbage when we get back to work on Monday.
Mitigating Attacks with Existing Network Infrastructure – Omar Santos
Omar was cursed with the dreaded 3:00 time slot… just in time for the after-lunch sleepies. It did not help that his presentation was JAM-PACKED with very technical networking information. So, for the most part, I sort of zoned out during this very informative presentation.
I tried hard to stay awake by asking a question (about “bogons” — in this case, the newly-allocated and unfortunately-numbered 1.0.0.0/8 address space). But it did not help.
Omar plans to give this same talk at “Hack in the Box” in Dubai later this year. So if I start feeling regrets that I missed something, I guess I can always book a flight.
OMG, The World Has Come To An End! – Felonious Fish
Hackers are usually prepared for anything… or are they? FF led a discussion on survival, what is needed when the rest of our infrastructure is gone. We might have food and water and shelter, but when my iPhone battery dies, it’s game over!
You Spent All That Money and You Still Got Owned – Joe McCray
Joe’s talk was one of the highlights of the Con… even Stevie Wonder could see that it was awesome. Joe told us his secret to success — he goes into companies, totally pwns them in short order, tells them how they suck, and then they pay him.
Apparently, corporate America makes Joe’s job very easy by following the worst practices. And on the odd chance that they have their operational act together, he can always solicit a security slip-up by sending them a carefully-crafted email (pwn), or if that fails, by leaving a CD with a provocative title for some nosy employee to find (serious PWN).
What a life Joe leads — that “education” he got in prison has really paid off.
Locks: Past, Picking and Future – squ33k
The lovely and talented squ33k — 5th grade teacher by day, lock hacker by night — educated us on all things lock-related. With assistance from the TOOOL crew, she taught us how modern pin tumbler locks work, and how they can be picked. But being a full-time teacher, she made sure to frame her talk with some interesting background info on locks from as far back as 4000 years ago, and a glimpse into what locks may be like in the future.
I am so proud that our youngsters are learning their skills and attitudes from this woman. She’s a girl geek role model!
Hacker Trivia
What’s that? Al was spotted in the parking lot? Someone allowed him back into the country? I thought that call to the TSA would be enough to keep him detained in the airport until the Con was over. I guess not. HE’S BACK!
Once again, Al Strowger took the stage and led us in a game of Hacker Trivia. Loosely based on Jeopardy!, this game quizzed the inebriated audience on the topics of: Movie Quotes, x86 instructions, other (hacker) conferences, math, 2009 tech, and ccTLD’s. John “Math for 400” Davis took home first prize, an iTunes gift card. Many other contestants won spot-prizes: hacking books, some new geek toys, donated “vintage” equipment, Vic Vandal’s old CarolinaCon 3 t-shirt, and lots of cupcakes.
Good night everybody. Sleep well, we’ll see you at 10am tomorrow morning!
CarolinaCon – Day 1
It’s that time of year again… time for the annual CarolinaCon security conference. This year promises to be bigger and better than last year — it has expanded from 1.5 days to 2.5 days, and it has moved from the somewhat undistinguished Holiday Inn in Chapel Hill to the somewhat less undistinguished Holiday Inn in Raleigh.
Notably missing was the “Master” of masters of ceremonies, Al Strowger. But Vic Vandal and his cohorts seemed to have the show in order. Personally, I can’t imagine a Con without the provocative charms of Al. But we’ll see how they do.
As usual, the Con started with a short after-work session on Friday night. There were three presentations to get the crowd warmed up.
Cybercrime and the Law Enforcement Response – Thomas Holt, a.k.a. Professor Farnsworth
The good professor never disappoints, and he really had a challenge this time, to warm up an otherwise un-primed crowd. He dove right in, with the not-so-statistically-significant results of a survey of state and local law enforcement officers, asking about their experience with computer crime. It was not surprising to find that most LEO’s were not very well versed in the specifics of computer-based crime, but they had a pretty good appreciation for the concepts. Thank you, CSI. Many trends and prejudices were revealed, and Dr Holt and members of the audience supposed several reasons why these might be so.
The Search for the Ultimate Handcuff Key – Deviant Ollam
If the crowd was not warmed up before Deviant Ollam took the stage, they certainly were after. He and the TOOOL team showed how handcuffs work, and how they can be defeated, sometimes with simple items like a piece of notebook paper!
But just as important as the actual material they presented, was the chosen format of their presentation. In true CarolinaCon fashion, they began by mixing a pitcher of their beverage of choice… tonight’s choice was a “Stone Fence” (one part Apple Jack, three parts hard apple cider, and a splash of bitters). Every time something in their presentation went unexpectedly, they would take a drink — this rule was strictly enforced by the audience.
In case that was not interesting enough, each live demonstration of handcuff picking techniques was accompanied by background music from a famous X-rated movie from the 1970’s and 80’s. In many cases, an audience member was able to “name that movie” before the lock-picker had freed himself, thus winning a prize.
Now this is the CarolinaCon that I came to see.
Microcontrollers 101 – Nick Fury
Finally, Nick showed the audience how to think small… he introduced the AVR microprocessor and the “Arduino” board and tools. Then he showed a few demos of what a small board like that can do. Certainly a tool that many hackers can add to their toolbox.
–
With these three presentations, the Con begins. We’re looking forward to Day 2, which brings a full day of hacking. See you at 10am.
Snakes of a feather
This time last year, Audrey wrote a computer program in BASIC. Someone had loaned us an Apple II computer, and I showed her what computers were like when I was a kid. I wanted her to write a program, and her mother decided that printing a 10 x 10 multiplication table would be a suitable challenge. So Audrey rose to the task.
This year, I decided to repeat the lesson with Sydney. However, our two girls are very different in personality and interests, and so we had to choose a different approach.
Audrey was motivated by her interest in history, and in learning how Daddy became a nerd. Sydney was motivated by attaching a prize to the assignment — a “feather” on her Indian Princess vest. This would count as one of our father-daughter “crafts”.
I also decided that since I did not have the lead-in of the Apple II computer, I could use any language, and not just BASIC. I went out on a limb and chose Python.
Sydney followed along as we talked about variables and loops, but she was not nearly as engaged as Audrey had been. In her defense, I think the idea of line numbers in BASIC is a little easier for a kid to grasp than the indented blocks of Python. And although formatting the output is easier in Python, all of that punctuation was sure to blow a few fuses in that young mind.
In the end, however, she produced a nice multiplication table.
Here’s her program.
#!/usr/bin/python
# Python 2 syntax: a trailing comma on "print" stays on the same line and
# puts a single space before the next item.

import sys

# top line of numbers
print "     " ,    # five spaces, the width of the " nn |" row label below
x = 1
while x <= 10:
    print "%3d" % (x) ,
    x = x+1
print ""

# top line of dashes
print "     " ,
x = 1
while x <= 10:
    print "---" ,
    x = x+1
print ""

# ten rows
s = 1
while s <= 10:
    # each row is here
    print " %2d |" % (s) ,
    x = 1
    while x <= 10:
        print "%3d" % (x*s) ,
        x = x+1
    print ""
    s = s+1
print ""
And here’s what the output looks like:
        1   2   3   4   5   6   7   8   9  10
      --- --- --- --- --- --- --- --- --- ---
  1 |   1   2   3   4   5   6   7   8   9  10
  2 |   2   4   6   8  10  12  14  16  18  20
  3 |   3   6   9  12  15  18  21  24  27  30
  4 |   4   8  12  16  20  24  28  32  36  40
  5 |   5  10  15  20  25  30  35  40  45  50
  6 |   6  12  18  24  30  36  42  48  54  60
  7 |   7  14  21  28  35  42  49  56  63  70
  8 |   8  16  24  32  40  48  56  64  72  80
  9 |   9  18  27  36  45  54  63  72  81  90
 10 |  10  20  30  40  50  60  70  80  90 100
Two days later, Sydney got to show her program to the girls in her Indian Princess tribe. Needless to say, there were some raised eyebrows coming from some of the dads at that meeting.
2009, a year of trying “new things” online
At the beginning of 2009, I made a New Year’s resolution, of sorts, to try new things online throughout this year. Specifically, I wanted to crawl out of my curmudgeon cave and try new services like online banking — things that had worked “well enough” in my old way, but that might be really cool once I opened up to them. Now that 2009 is over, I would like to report on my findings.
Online Banking
The first area that I wanted to expand my horizons was online banking. This can be a leap of faith, since financial stuff is very important, and since I already had a pretty good system for making sure things got paid on time and for keeping track of finances.
I converted most of my monthly bills into “paperless” billing, and I opened a new bank account that offered a relatively high interest rate in return for being totally paperless. I abandoned my paper filing cabinet in favor of an encrypted thumb drive. I replaced the “bill box” at home with a set of email folders that let me know which bills were in the queue, and which ones had already been paid.
For the most part, this system has worked very well. But there were a few hiccups. For example, one credit card company does not send me an electronic statement if my credit card balance is zero. That makes it hard to tell whether I am paid in full, or if I might have forgotten to download a statement. Also, I do not get email reminders from our city (my last remaining paper bill) when my water/trash bill is due.
Some banks and billers make the process easy, while others stand in your way. For example, my utility (gas and power) bills are sent directly to my bank, where I can pay them. However, to get my credit card company to send their bills directly to my bank, I have to give my bank the login credentials for my credit card company. BUZZ — I don’t play that game. There needs to be some other kind of authorization… like the way that domain transfers are handled, making the request on one side and validating the request on the other side.
There are also some “work flow” glitches. When downloading statements, some banks and billers pop up a “save as” box with a sensible filename filled in, like “Statement-2009-11-05.pdf”. Other billers populate the filename box with something not-so-helpful, like “billdisplay.asp”. Most offer PDF files, but a couple just show you a web page, and it’s up to you to “print to PDF”. I also had to choose how I was going to distinguish between (1) downloaded-but-unpaid, (2) paid-but-not-reconciled, and (3) reconciled bills. Little details like this can make online bill-paying either easy or maddening. But after a month or two, I had developed a new routine that works pretty well.
The one thing I am still getting used to — I end up with a bunch of windows open on the computer: GnuCash, bank web site, biller web site, file browser looking at PDF files, PDF viewer, email client with bill reminders.
Gadgets
I had my eye on the iPhone for a while, and I decided that when my Verizon contract expired, I was going to get one. By chance, I started shopping right as the iPhone 3GS came out, so I snatched one up, and I completely love it. It’s a game changer. It’s the sort of “nerd-vana” always-on network device that I had been wishing Ericsson could develop when I worked there.
A month later, I bought the ultimate iPhone accessory: a Mac Mini. I was hoping to learn how to write applications for the iPhone and iPod Touch. The Apple development tools, of course, run on the Mac.
Social Networking
I have always been a little suspicious of companies like LinkedIn that offer services where you can “build your network” of friends online. It’s just creepy… I feel like I am just feeding the marketing machine.
However, in spite of this, in 2009 I decided to take off all of my clothes and jump into the social networking pool.
I started with Twitter, which immediately appealed to me, with its minimalist design and its non-mutual “following” model. Next came the supposedly-professional LinkedIn and its more frivolous (and “fun”) cousin, Facebook. I also experimented with location-based services such as FourSquare and Gowalla, but these did not immediately “stick” with me.
I think the tipping point for me was during our trip to Malaysia. I really enjoyed taking photos with my iPhone and then posting them to Facebook immediately.
Online Services
My paranoia against the gatherers of information extends to the cat-daddy of them all: Google. But this year, I decided that these guys really are offering cool services that I would like to participate in.
So I got a Google Voice phone number, and a Google Wave account.
In 2009, I never got around to posting to Flickr or Youtube, although I had planned to.
Programming Languages
I had been feeling a little stale in my work, so I decided to teach myself a new programming language. I spent a couple of days reading through intro slides to Python, and then I wrote a small program to keep track of a “to do” list. It does not sound like much, but I used this one program as an exercise to learn about model-view-controller architecture, “curses” programming (full-screen windows and boxes on a text-based console), and SQLite (a small embedded database library) as well as the Python language itself.
The staleness at work did not last long. I was asked to help out with a new web application project, so I had to become an instant expert in Javascript and PHP, as well as Zend (a web app framework) and dojo (a set of Javascript widgets that can be used on a web page). Along the way, I also picked up a fair amount of CSS (cascading style sheets, which dictate how a web page is supposed to be laid out on the screen).
Shortly after I bought the iPhone, I wanted to learn how to develop applications for it. So I joined the Apple Developer Program, and I studied Objective C and the Apple development tools (Xcode and Interface Builder) by watching the video courses from Stanford University. After a few weeks, I was ready to write and publish a simple iPhone app called “Tipster”.
New Media
One unintended consequence of getting an iPhone was that I now had a very capable video iPod. So I subscribed to a couple of audio podcasts, so I could have some music to chill to at work.
After a while, I discovered video podcasts as well. I am totally hooked, and I have a backlog of TED.com videos I want to watch.
For fun, Sydney and I produced an audio recording that we referred to as “a podcast”, even though it was delivered to her friends on CD’s. But over the holidays, I decided to learn how to publish a podcast by uploading our audio file to my web server, and then by adding a simple XML index file.
Productivity and Sharing
For years, I have carried a small lab notebook at work. It’s where I keep notes, such as what I did each day, tips and tricks, lab set-up, and administrative details. This year, I replaced my paper lab notebook with a Tiddlywiki, a small one-file wiki that I can carry on a thumb drive. It allows me to easily search for key words, share with others via a web server, and keep multiple copies… and it’s smaller and more durable than my paper notebook, too.
And finally, although I have been publishing the “Porter Family News” every month for ten years now, I decided to supplement it with a WordPress blog. This has been my place to give opinions and observations, and to share tips and tricks with the world.
Overall, I am very pleased with where 2009 has taken me. At times, I had to remind myself to keep an open mind. But I have encountered, and embraced, many changes this year.
When ‘sudo’ pauses…
On my Ubuntu 9.10 server at home, I had been having a hard-to-diagnose problem where the “sudo” command will pause for 20 seconds before getting on with its business.
What made this problem so hard to track down is that it would happen once, and then the log jam would be cleared for a while. I would usually see it the first time I issued a sudo command, but never again in that session. The next day, it would do it again.
Last night, I finally tracked the problem down.
What helped the most was the discovery that I could do “sudo -K” to make sudo “forget” my earlier authentication. When I re-tried to run a sudo command, it would prompt for a password and then delay 20 seconds… every time.
So now I had a way to test out theories. I just needed some theories to test.
I saw many reports on the internet about Fedora users seeing a similar issue. Their problem turned out to be in the /etc/hosts file — there were problems if “localhost” and “localhost.localdomain” and even the machine’s given hostname were not listed there. But this was not the case for me. My hosts file was fine.
Instead, I started tracing what happens when sudo is called (unfortunately, you can’t just “strace sudo somecommand”, because strace does not like to trace a setuid program).
I looked at PAM, the pluggable authentication modules. In the /etc/pam.d directory, there was a file called “sudo”. This did not have anything interesting in it. But it did include a couple of other files: “common-auth” and “common-account”. It turns out that the last line in the common-auth file was the culprit:
auth optional pam_ecryptfs.so unwrap
This line is supposed to decrypt the user’s home directory if it is encrypted, so it can read the files as part of sudo’s startup. But I don’t have any encrypted home directories. So for me, this is unnecessary.
Commenting out this line made the 20-second delay go away.
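As an added diagnostic (not code from the original post), this shell script walks the @include chain from a pam.d service file and lists every active line that loads pam_ecryptfs.so, counts wrapped home directories, and can time a fresh sudo after “sudo -K”. It assumes the Ubuntu pam.d layout and that ecryptfs marks a wrapped home as /home/.ecryptfs/<user>; the pam.d files it runs against by default are a constructed sample.

```shell
#!/bin/sh
# Added diagnostic for the sudo delay described above; this is not code from
# the original post. Assumptions: the Ubuntu layout of /etc/pam.d (a service
# file such as "sudo" pulling in the common-* files via "@include" lines) and
# ecryptfs marking a wrapped home directory as /home/.ecryptfs/<user>.

# pam_active_lines DIR FILE MODULE
# Walk the PAM service file DIR/FILE, following "@include" lines within DIR,
# and print every uncommented line that loads MODULE as "file: line".
# Positional parameters are used throughout so the recursion does not
# clobber the caller's state.
pam_active_lines() {
    [ -r "$1/$2" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*)
                ;;                      # blank or comment: ignore
            @include*)
                inc=$(printf '%s' "${line#@include}" | tr -d ' \t')
                pam_active_lines "$1" "$inc" "$3"
                ;;
            *"$3"*)
                printf '%s: %s\n' "$2" "$line"
                ;;
        esac
    done < "$1/$2"
}

# encrypted_homes
# Count home directories that ecryptfs has wrapped. If this prints 0, the
# "pam_ecryptfs.so unwrap" line has nothing to unwrap on this machine, which
# is the precondition for commenting it out as the post does.
encrypted_homes() {
    n=0
    for d in /home/.ecryptfs/*/; do
        [ -d "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# sudo_delay_seconds
# Reproduce the symptom: "sudo -K" drops the cached credentials so the next
# sudo runs the full auth stack again, then time that run. Interactive (it
# prompts for a password), so it is only called with --diagnose.
sudo_delay_seconds() {
    sudo -K
    start=$(date +%s)
    sudo true
    end=$(date +%s)
    echo $((end - start))
}

# make_sample_pamd
# Write a constructed copy of the relevant pam.d files to a temporary
# directory and print its path. Only the pam_ecryptfs line is quoted from the
# post; the rest is sample data for this example.
make_sample_pamd() {
    d=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' '@include common-auth' '@include common-account' > "$d/sudo"
    printf '%s\n' 'auth required pam_unix.so' \
                  '# auth optional pam_ecryptfs.so unwrap' \
                  'auth optional pam_ecryptfs.so unwrap' > "$d/common-auth"
    printf '%s\n' 'account required pam_unix.so' > "$d/common-account"
    echo "$d"
}

sample=$(make_sample_pamd)
echo "Active pam_ecryptfs lines reached from the sample sudo service:"
pam_active_lines "$sample" sudo pam_ecryptfs.so
rm -rf "$sample"
echo "Encrypted home directories on this host: $(encrypted_homes)"
if [ "${1:-}" = "--diagnose" ]; then
    echo "Active pam_ecryptfs lines reached from /etc/pam.d/sudo:"
    pam_active_lines /etc/pam.d sudo pam_ecryptfs.so
    echo "Seconds for a fresh sudo: $(sudo_delay_seconds)"
fi
```

Run it with --diagnose on the affected box to see the real chain and the measured delay; the commented-out copy in the sample shows that only active lines are reported.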
Plugging external commands into ‘gqview’
I have been taking digital photographs since 1998, and so one piece of software which I use quite a bit is my photo organizer. I use a tool called “gqview”. It’s a very nice browser that shows folders and thumbnails and a large image on the screen at the same time. And it does a good job showing slide shows.
One nice feature of gqview is that you can plug external programs into the ‘edit’ menu. When you install it (at least on Ubuntu systems), a few of the plug-ins are populated already:
- edit in GIMP (external package: gimp)
- edit in xpaint (external package: xpaint)
- rotate clockwise (external package: libjpeg-progs)
- rotate counter-clockwise (external package: libjpeg-progs)
I wanted to add a plug-in to shrink images by a certain percentage. I often find that I want to send a bunch of pictures to friends via email, and I really don’t want to send a 50 MB email, and I don’t want the pictures to be so big that the reader has to scroll to see them.
It’s pretty easy to add the plug-in. The actual shrinking can be handled easily with the ‘convert’ command, which is part of the excellent ‘imagemagick’ set of graphics tools. Plugging convert into gqview is as easy as this:
%vif convert %p -scale 25% %p_tmp ; then mv %p_tmp %p ; else rm %p_tmp ; fi
I didn’t make this up myself — I simply copied the “rotate” plug-ins and changed what I needed to. I am not sure what the %v is for, but it’s pretty clear that %p is the full path of the image file.
Now I can highlight a whole bunch of photos and shrink them all with a single command.
Surgical web page editing with “stylish”
Have you noticed that some web sites have ads that are somewhat… unpredictable? Facebook is a good example of this. The ads that appear on the right can sometimes contain trashy-looking content. I’d like to hide them, if I could.
I found a Firefox plugin that does a good job of slicing out selected bits of content. It’s called “stylish”.
Just install the plugin, and then set up a script that intercepts the stylesheet for a particular site and does a little on-the-fly modification. The script I use for Facebook looks like this:
@namespace url(http://www.w3.org/1999/xhtml);
@-moz-document domain("facebook.com") {
  .emu_ad, .UIStandardFrame_SidebarAds, #home_sponsor {
    display: none !important;
  }
}
I don’t claim to fully understand the script, but I do know that it looks for a specific block in the Facebook HTML and style sheet, and it sets the style for the sidebar ad box to “display: none”. That makes it disappear.
Three weeks in Malaysia
I had been stockpiling vacation days for the last year, partly at the request of my company’s management, since we were working on a very big project for a Tier 1 phone carrier. But as that project neared completion, I started making plans for time off. As it turns out, the only time that the girls would be out of school for any length of time was during their October “track out”, a three week break between quarters (their year-round schedule is basically nine weeks on, three weeks off, four times a year). So we decided to take the entire three weeks and visit our family in Malaysia.
Most folks don’t get to take a three week vacation all at once, and so what follows is an account of what we did, just to give an idea of what it was like. As you’ll see, there were a few bursts of activity, but for the most part, we did a lot of “just hanging around”.
All in all, we had a good time. But it seemed like a strange vacation, because we did not really “do much”.
GETTING THERE
We started off the trip at 4am (ugh). It was very dark, and before we had even left our own doorstep, Foong fell on the steps and hurt her ankle. The journey of 10,000+ miles almost began with a side trip to the emergency room. But she was OK. Her ankle swelled a little, but it was OK in a couple of days.
The plane trips were long, but we kept ourselves entertained. We flew American from Raleigh to New York and then Cathay Pacific to Hong Kong to Kuala Lumpur. That long leg from JFK to HKG was 15 hours, and I managed to watch five movies during the flight (Get Smart, The Bucket List, Angels and Demons, Night at the Museum 2, Star Trek XI).
We arrived in Kuala Lumpur at dusk. Foong’s sister drove us home (a little less than an hour), and we greeted everyone and then tried to wind down for bed.
I noticed that my iPhone did not work as a phone. It just said “No Access”.
Day 1 – Tuesday 9/29
Our first official meal in Malaysia was at the food court in my in-laws’ neighborhood. It’s a large open-air eating area with a dozen or more little stands along the edge, each selling something different: noodles, soup, drinks, fruit, stuffed buns. This layout is very common in Malaysia, whether it is in an open-air neighborhood setting, or inside of a shopping mall.
We stayed close to home that first day, exploring the shops in the neighborhood, picking up some essentials like milk, diet soft drinks (no luck), not-so-sugary cereal (no luck). The local stores looked a little more bare than the last time I saw them (in 2004).
I tinkered with their internet connection, an ADSL modem and a wireless router. It was set up in a most unusual way, the DSL modem acting as a bridge, the router acting as a switch, and the client PC doing the PPPoE authentication. Apparently, the local phone company recommended this set-up, and my brother-in-law was led to believe that it was “secure”. I proved that theory wrong by getting on the web using my iPhone, and then later by sniffing his network traffic, and showing him how his virus-infected laptop was sending out spam while we watched it.
Now might be a good time to mention that I was planning on attending a hacker’s conference in Kuala Lumpur in a few days.
Foong got a hair cut. Short hair feels good in the hot, humid weather.
Day 2 – Wednesday 9/30
Still adjusting to the time zones, I woke up at 4am. I found that the girls were also up. So we walked around the neighborhood, where we saw old ladies doing Tai Chi in an open lot.
I decided to reconfigure their ADSL modem and router. I set the router up to do the PPPoE, because no one should ever have to set that up on their PC (or iPhone). Then I set a wireless password. And then THE MOST IMPORTANT STEP… I wrote down how it was all set up, and I taped that paper to the router. Most people forget that step.
We had breakfast at a local cafe, typical of Malaysia, a shop with an open front, tile floors, plastic lawn-style tables and chairs, and a kitchen in the back. Then we went shopping at the local fresh market, a large two-story building with an open area where they sell fresh meats and fish (“fresh” means you can pick out a live chicken). There is also an area of small shops selling trinkets, handbags, watches, accessories, flowers, and toys. And finally, there is a food court, which is just like the one in our neighborhood. Same plastic lawn chairs, same assortment of food.
For lack of anything specific to do, we went shopping at Jaya Jusco, a shopping mall in “Seremban 2”, the new side of their town. This mall has a Starbucks… the first place outside of our house where I found an open wifi connection. At the large supermarket in that mall, we finally found some Diet Pepsi.
I was surprised to see a store devoted to selling “Instant-Dict” electronic dictionaries. I have a 1992 model Instant-Dict Chinese-English dictionary which I do not ever use, but I happen to keep my iPhone in the leather sleeve that it came in. It still has the logo on it. I showed it to the girl who was working in the shop — she was just slightly older than that leather sleeve — but she was underwhelmed. Malaysians are not known for small talk.
We walked to a hair salon near our house so the girls could get short hair cuts. US$5 each! (I already started the trip off with short hair, so now we were all prepared for the weather).
Day 3 – Thursday 10/1
Foong’s brother lives in the small town of Mentakab, a couple hours drive away, in the state of Pahang. There’s not much in Mentakab — it’s in the middle of nowhere. We decided to visit his family, even though he was currently on a business trip in China. Foong’s dad (the girls call him “Gong Gong”) drove. He drives fast. The plan was to stay one night.
On the way to Mentakab, we were pulled over in a police speed trap. In Malaysia, the police are not interested in giving you a speeding ticket… they’re looking for small bribes. It’s really sad. However, it seems that having a white boy in your back seat with a big camera hanging around his neck is a “get out of jail free” card.
When we got to Mentakab, we took a tour of my brother-in-law’s furniture factory.
Day 4 – Friday 10/2
I know I said that Mentakab was in the middle of nowhere, but if you drive another half hour further out into the middle of nowhere, you will find the Kuala Gandah National Elephant Conservation Centre and a petting zoo called “Deer Land”. What fun! So we piled the kids into the car and drove to the elephant preserve, only to find that it was not open in the morning. So we went to Deer Land, only to find that it is closed on Fridays. So we drove back to Mentakab, slightly bummed. On the way home, a mother monkey with a baby hanging on around her neck darted across the road, right in front of our car! That brief encounter was the only wildlife we’d see that day.
We went to downtown Mentakab: lunch at McDonald’s and then shopping at a chain store called — get this — “The Store”. It’s like K-mart.
Although we were supposed to go home on Friday, my sister-in-law invited us to stick around for a Moon Cake Festival party that she was hosting for her Lion’s Club chapter. It was a lively party, with traditional candle lanterns, a DJ, games, and lots of food. It was a little surreal to be surrounded by a hundred slightly drunk Chinese-speaking party-goers.
Day 5 – Saturday 10/3
We got up the next morning and drove back to Seremban.
AT&T sent us an email, saying that our phones did not work in Malaysia because they did not activate international roaming on our accounts, because we were “new” customers (we only had 80-some days of service — it takes 90 days to be considered “established”). They wanted us to FAX a copy of our drivers license and a recent utility bill to them so they could establish our long term creditworthiness. Let me get this straight — I am in MALAYSIA, and my phone does not work, and you want me to *fax* you a copy of my *gas bill*??? Against all odds, I happened to have my most recent gas bill in my pocket (thanks to online banking, PDF bills, and my encrypted 4 GB thumb drive). Dang, I felt like MacGyver! So we sent off the fax and waited.
Meanwhile, Foong’s sister and her son arrived from Shanghai.
Foong spent the rest of the night catching up with her sister, while the kids and I burned stuff in the yard. It started off innocently, lighting Mooncake Festival lanterns, but it does not take long to turn pretty lanterns into pyromania. Eventually, we put out the yard fires and played badminton instead.
Day 6 – Sunday 10/4
We met two of Foong’s high school classmates at McDonald’s for a McReunion breakfast. While we were out, we bought a prepaid SIM card to use for local calls (but not on the SIM-locked iPhone – we used a cheap hand-me-down GSM phone instead).
That afternoon, we crammed into the car and drove to Singapore, a three-hour trip. I spent my time reading Harry Potter and the Sorcerer’s Stone.
Once we got to Singapore, we split up. Foong’s sister stayed in her old neighborhood, Bukit Batok. We stayed with some Malaysian friends who used to live in Apex NC, but who now live in Bedok, a very nice neighborhood in Singapore. We stayed up until 1am, catching up with our hosts. They miss Bojangles.
Day 7 – Monday 10/5
The plan was to spend Monday at Sentosa, Singapore’s island resort.
It took half the day to get there, because of ticketing delays, the cable car being renovated, and being suckered into a complimentary lunch at an out-of-the-way restaurant. That free lunch cost us $30 — it turns out that the drinks were not free. Suckers.
While we waited for transportation, Audrey and I found a geocache hidden on a historic train car. With a “smiley” on the map, we could now say that we had really been to Singapore.
At Sentosa, we went to the aquarium (+), a “simulator” ride (–), a dolphin show (–), a chair lift (S$21!), and an observation tower (S$28!). Sure, it was activity-filled, but a wasted day that could have been spent exploring the city.
We met some old friends and a distant relative at Tiong Bahru for dinner — for me, it was just Chinese food in a mall.
Day 8 – Tuesday 10/6
Foong slept until 11:30. We were supposed to meet her sister at the “HDB flats” (government-owned high-rise apartments) for lunch. We panicked for being late, quickly packed up and left by 1pm. We had a late lunch in a typical HDB flat food court, very similar to all of the other food courts, with the same plastic lawn furniture.
Since we had practically blown our entire time in Singapore at Sentosa, we drove by our old house at Watten View so the kids could see it. And then we went by Thomson Medical Centre, where Audrey was born. Her delivery doctor was still there, but she was busy, so we could not say “Hi”.
We made the three-hour drive back to Seremban. The only eventful part of the trip was seeing wild monkeys at the highway rest area.
Day 9 – Wednesday 10/7
I had to wake up early to catch a commuter train into Kuala Lumpur for the “Hack In The Box” security conference.
The conference lasted two days, and I will cover it in a different post. It was basically a day in a super-refrigerated hotel. The speakers were very entertaining. But at the same time, it was lonely.
After the conference, I took the commuter train back to Seremban, and grabbed some supper at Kenny Rogers Restaurant, which is across the Frogger-like road from the train station.
Day 10 – Thursday 10/8
On the second day of Hack In The Box, I was a seasoned pro, as far as public transport goes. So rather than taking the train back to Seremban at the end of the day, we tried a more tricky maneuver. Momma and the kids spent the day at Sunway Lagoon, a mall with a water park. I took a train and a taxi to meet them at the mall, just in time to have dinner with some old high school friends.
We spent the night with one of Foong’s HS buddies in Subang Jaya, on the outskirts of Kuala Lumpur.
Day 11 – Friday 10/9
We woke up and had a dim sum breakfast with more HS friends. Then we went shopping in the KL Mall “Utama”. The two memorable things about Utama were: the huge ball pit playground, and the fact that the Burger King guys were wearing silly cowboy hats. Believe me, any Malaysian wearing a cowboy hat is going to look a little out of place.
We took a train back to Seremban.
That night, miracle of miracles, I watched the folks at NASA crash the LCROSS spacecraft into the surface of the moon (in an attempt to see if there was water in the impact and debris plume). What makes this so extraordinary is the fact that I watched it on NASA TV… over the internet… from Malaysia.
Day 12 – Saturday 10/10
We spent Saturday in Seremban. We went shopping at Giant, which is Malaysia’s answer to Target. Foong bought a lot of food to bring back to the US.
Day 13 – Sunday 10/11
On Sunday, we drove to KL to see our nephew Hong Bing at his boarding school. We were curious to see what it was like to live at a boarding school. I think he was happy to escape for an afternoon.
We took him to KLCC (the mall at the base of the Petronas Towers), where we ate at Pizza Hut. We could not tour the Petronas Towers that day… you have to make reservations in advance. So we went to the very large (and hot) park behind the building and found a geocache. [I remember taking my parents to the same park in 2001, and my most vivid memory from that trip is also about how hot it was.]
We returned Hong Bing to his school, and then went to the KL Tower (a space needle observation tower). We got our money’s worth at the KL Tower — Audrey could not make up her mind about which souvenir to buy, and so we waited, and waited. She ended up getting a necklace with a small pendant with her name written on a grain of rice.
At the bottom of the KL Tower, they had a lot of add-on attractions: pony rides, a small indoor animal exhibit, and a F1 simulator (well, a video game where you sit in a low seat that looks like a race car).
Day 14 – Monday 10/12
On Monday, we had to pick up Foong’s brother at the airport and take him back to his home town (which you may remember, is in the middle of nowhere). So we decided to kill some time until his plane arrived by driving through “Putrajaya” and “Cyberjaya”.
Putrajaya is Malaysia’s answer to the Washington DC Mall… it was built way outside of Kuala Lumpur to house the government offices, and each building is competing to look more grand than the rest, while retaining some hint of Muslim architecture. The whole place had a Disneyland-like artificiality to it.
Cyberjaya is Malaysia’s answer to Silicon Valley… or really, it’s more like Research Triangle Park in NC. It’s a concentrated area of high-tech offices, with nearby apartments and some shopping. Once again, a bit contrived, but it looked like a nice office park.
We picked up Chee Kin at “LCCT”, the Low-Cost Carrier Terminal, which is much more… basic… than the main international terminal KLIA. We drove to Mentakab and spent the evening at Chee Kin’s house.
Day 15 – Tuesday 10/13
Since we had missed the elephants and other animals two weeks ago, we gave it another try.
The Kuala Gandah National Elephant Conservation Centre did not disappoint. We petted the elephants, watched them bathe in the river, we helped feed them, and then we took a quick bareback ride! Just down the road was “Deer Land”, which was a fully-immersive petting zoo, with deer, ferrets, snakes, hedgehogs, birds, and a large bear!
We drove back to Seremban, and went shopping at Jaya Jusco in Seremban 2. I bought some glasses. As the shopping center was closing, due to some faulty pay-to-park equipment (and some bad advice from the attendants), we got stuck in the parking lot! So we snuck out the back exit.
Day 16 – Wednesday 10/14
Wednesday was a do-nothing day. We spent most of it packing to go home.
Day 17 – Thursday 10/15
It was time to leave Malaysia, and Foong’s family saw us off with a hearty dim sum breakfast. We had a little bit of time to kill, so Audrey and I walked through the neighborhood. We stumbled upon a newly-built Buddhist temple.
The rest of the day was spent in transit: driving to KLIA, flying to Hong Kong, taxi to Po Lam. On the plane, Sydney lost a tooth! That earned her 10 HKD from the Tooth Fairy.
We were excited to see Foong’s sister, and the girls were happy to see their cousin, Emily. We stayed in their three-bedroom, 700 sq ft apartment.
Day 18 – Friday 10/16
We spent Friday exploring downtown Hong Kong. There is so much to see. We went to the Central-Mid-Levels escalators, a half-mile of escalators that take you up the steep slopes of that area of the city. We took a ferry to Kowloon, and explored the tiny shops. The girls found one shop that had nothing but gumball-style vending machines! We wrapped it up at Temple street, which is a tacky tourist market. I was enjoying the show, but reality set in… we needed to take the long bus ride back to Po Lam, and then try to get some sleep before our early flight back home in the morning.
Day 19 – Saturday 10/17
Our long trip began very early in the morning. Just like on the way over, I watched five movies on the plane (Hancock, Eagle Eye, The Soloist, State of Play, Ice Age 2: Dawn of Dinosaurs).
Our transfer in NYC was uneventful, and from there, it was a short hop back home.
We had Sunday to recover. And then it was back to school and work.
—
And that is how I wasted three weeks in Malaysia.
Back to the Future
A few days ago, I learned a very important lesson about filesystems and snapshots. I learned that a complete copy is not always a Good Thing™.
I help manage a server for our local Linux Users Group. We have about 250 users on the system, and all of our system administration is done by volunteers.
A few months ago, I made a complete backup of our /home partition using the guidelines that have been told to me by Smart People™:
- make a snapshot volume of /home (called home-snap)
- make a new empty volume (called home-backup)
- use ‘dd’ to copy from home-snap to home-backup
- remove the home-snap snapshot volume
All was fine, until a few months later, when we decided to reboot.
When the machine rebooted, it mounted the WRONG copy of /home. It looked in /etc/fstab to see what to mount, read the UUID, and started looking for that filesystem among the logical volumes.
Here’s a list of the available filesystems and their UUID’s.
root@pilot:~# blkid
/dev/mapper/vg01-home: UUID="1a578e6f-772b-4892-86e3-1181aadda119" TYPE="ext3" SEC_TYPE="ext2"
/dev/mapper/vg01-home-backup: UUID="1a578e6f-772b-4892-86e3-1181aadda119" TYPE="ext3" SEC_TYPE="ext2"
/dev/mapper/vg01-swap: TYPE="swap" UUID="303f2743-da69-466b-a200-40a1a369fa1c"
/dev/mapper/vg01-u804: UUID="b5689a93-b7ad-4011-a0f9-ffaf2d68bf6f" TYPE="ext3"
/dev/sdb: UUID="Uh0TI1-pxD4-M1Pm-5kP3-zU1a-IRgm-bD0JAq" TYPE="lvm2pv"
/dev/sda: UUID="9oZhBo-3DPP-1eay-kgGM-fd06-yuJB-c2eCo7" TYPE="lvm2pv"
/dev/sdc1: UUID="5c15308e-a81b-4fd9-b2c2-7ef3fe39ce0b" SEC_TYPE="ext2" TYPE="ext3"
/dev/sdc2: TYPE="swap" UUID="08c55fa5-3379-4f6a-b798-4b8f3ead6790"
/dev/sdc3: UUID="5a544a7f-90ed-474c-b096-1b5929c83109" SEC_TYPE="ext2" TYPE="ext3"
root@pilot:~#
Notice anything goofy? Yes, the UUID for the home volume is the same as the UUID for the home-backup volume! Of course it is… I used ‘dd’ to copy the entire volume!
So our machine booted up, looked for a filesystem whose UUID was ‘1a578e6f-772b-4892-86e3-1181aadda119’ and it mounted it on /home. Unfortunately, it found the home-backup volume before it found the real home volume, and so our 250 users took a step back in time for the evening.
All of the files in our home directories looked like they did back in May.
On the surface, this does not seem like such a Bad Thing™. But over the course of the next few hours, users started receiving email, and logging IRC chats, and doing all of the other things that users do. These new emails and log files were written to home-backup instead of home, and so now we were starting to mix old and new files.
This is a lot like the movie “Back to the Future”, when Marty’s mom tries to kiss him. Except the characters involved here are not as good-looking.
The fix was quick and painless. I simply generated a new UUID for the home-backup volume, and then rebooted. The magic command is simply:
tune2fs -U random /dev/mapper/vg01-home-backup
But the cleanup would come later. If someone were interested in the emails or log files that were mistakenly written to the wrong volume (their “past life”), then they would need to look on that volume for “new” files. Pretty easy work.
find /mnt/home-backup/porter -mtime -7
This will show all files in my “backup” home directory that are less than a week old. Since the backup was made four months ago, I would expect all files in that directory to either be more than four months old, or just one day old. This command will show you the new files.
So I am revising the backup procedure as follows:
- make a snapshot volume of /home (called home-snap)
- make a new empty volume (called home-backup)
- use ‘dd’ to copy from home-snap to home-backup
- remove the home-snap snapshot volume
- change the UUID on home-backup ◄— new
In fact, now that we already have a base to work with, I might just use rsync to copy files instead of dd to copy the entire volume. This will leave the backup with its own UUID, and will avoid collisions like the one we saw.
iPhone VPN
One of the coolest features of the iPhone is the way it uses the best data network that it can find. If you’re at home or at work, or even at a coffee shop, it will use the local wifi network. But if you’re out of range of any suitable wifi networks, it will use AT&T’s “3G” (UMTS) network. And if it can’t find a UMTS network, it’ll fall back to EDGE. Phone companies call this hybrid approach “ABC”, or “always best connection”.
Now that I have an internet device in my pocket, I find myself using public (or otherwise open) wifi connections quite a bit. And this carries with it some unintended consequences. That is… everything I type and everything I read is transmitted in the clear, unencrypted.
I try to make a habit of encrypting my data traffic whenever possible. My mail server is set up to only allow SSL connections. So no matter where I check my mail from, I am forced to use an encrypted connection. Similarly, banks and commerce web sites usually force you to switch to HTTPS before you start entering information. But there are a lot of applications on the iPhone that do not use encryption at all.
You might ask yourself why bother to encrypt your Twitter connection, since what you type is going to be blasted out to the world anyway. But the point is…
If you encrypt everything, then nothing is left to chance.
So I decided to explore a VPN option on the iPhone. It supports three flavors of VPN: L2TP, PPTP and IPSec. I was disappointed (but not surprised) that “openvpn” was not an option, since I already use this excellent open source SSL-based VPN package.
So I decided to give PPTP a try.
Setting up the PPTP server
On my Ubuntu 8.04 LTS server, I installed a PPTP server called, appropriately enough, “pptpd”. Configuration was very easy. Most of the setup was done for me after I did the standard apt-get install pptpd. I simply needed to pick a private subnet that would be used for my VPN clients, and an IP address in that subnet to use for the server. I chose the 172.16.4.0/16 subnet and 172.16.4.1 for the server (these addresses are part of a private network address space, defined by RFC 1918, just like 192.168.x.x and 10.x.x.x addresses).
My /etc/pptpd.conf configuration file for the pptp daemon looks like this:
option /etc/ppp/pptpd-options
logwtmp
localip 172.16.4.1
remoteip 172.16.4.2-250
I also needed to tell the daemon to give out some DNS addresses when a client connects, so in the /etc/ppp/pptpd-options file, I added the two “ms-dns” lines below:
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 208.67.222.222 # resolver1.opendns.com
ms-dns 208.67.220.220 # resolver2.opendns.com
proxyarp
nodefaultroute
lock
nobsdcomp
Finally, I needed to add an entry to the /etc/ppp/chap-secrets file that would contain my password. Mine looks like this:
alan pptpd MyHardToGuessPassword *
At this point, the PPTP server was completely configured, so I restarted it with service pptpd restart.
Setting up the iPhone
On the iPhone, I needed to set up a VPN client. This is very easy. On the settings screen, go to general / network / VPN and “Add VPN Configuration…”. Then just fill in the blanks.
- choose “PPTP”
- enter a description
- your server’s IP address
- the username (from above)
- RSA SecurID=OFF
- the password (from above)
- encryption level = Auto
- “Send All Traffic” = ON
- Proxy = OFF
Click on “Save” and you will see a switch in the network tab and also in the main settings tab to turn the VPN on and off.
For now, I am leaving it off unless I am on a public network. I am not sure, but I think that keeping the VPN alive might use a lot of battery. So I do not use it unless I need it.
Networking
For me to get this VPN on the internet, I had to do two more things: punch a hole in my firewall for the PPTP traffic, and forward traffic from my VPN out to the rest of the world.
For my server, both of these tasks were handled by the same tool: shorewall.
I added a “masquerade” rule to /etc/shorewall/masq to NAT all of the traffic from 172.16.4.x out through my main network interface.
eth0 172.16.4.0/24 # OpenVPN and PPTP
And then I added two rules to /etc/shorewall/rules to allow the PPTP traffic in.
ACCEPT net fw tcp 1723 # PPTP
ACCEPT net fw gre # PPTP
When shorewall starts, it will generate the iptables rules that are used by the kernel to filter packets. If you’re using hand-written iptables rules, then you will need some rules that look something like this:
# accept "gre" protocol traffic (PPTP tunnel traffic)
iptables -A INPUT -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
# accept PPTP control traffic to TCP port 1723 on the server
# (my server IP is 11.22.33.44): clients connect TO port 1723 on the
# server, so inbound packets match --dport/-d and replies match --sport/-s
iptables -A INPUT -p tcp --dport 1723 -d 11.22.33.44 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1723 -s 11.22.33.44 -j ACCEPT
# masquerade/NAT the VPN clients' internet traffic out of interface eth0
# (same scope as the shorewall masq line: only 172.16.4.0/24)
iptables -t nat -A POSTROUTING -s 172.16.4.0/24 -o eth0 -j MASQUERADE
# if the FORWARD chain's policy is DROP, forwarding between the ppp
# interfaces and eth0 must be allowed there as well
# turn on packet forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
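The pool that pptpd hands out has to sit inside the subnet that the masq rule NATs, otherwise a client gets a tunnel but its traffic never leaves the server; note that the prose above gives the pool as 172.16.4.0/16 while the masq line says 172.16.4.0/24. The script below treats the masq line as the authority and checks the pptpd.conf addresses against it. It is an added example, not code from the post; the config fragments are the post’s, and the single “a.b.c.X-Y” remoteip form is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: check that localip and every
# address in pptpd's remoteip pool fall inside the subnet the shorewall masq
# line NATs. Pure POSIX sh; assumes the single "a.b.c.X-Y" remoteip form.

ip2int() {
    # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {
    # in_cidr ADDR NET/BITS: succeed when ADDR lies inside the block
    net=${2%/*}
    bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

masq_subnet() {
    # second column of the /etc/shorewall/masq line for interface $2 (default eth0)
    printf '%s\n' "$1" | awk -v ifc="${2:-eth0}" '$1 == ifc { print $2; exit }'
}

check_pptp_range() {
    # $1 = pptpd.conf text, $2 = NATed subnet in CIDR form. Prints one line per
    # address outside the subnet and returns 1 if there were any.
    localip=$(printf '%s\n' "$1" | awk '$1 == "localip" { print $2 }')
    remote=$(printf '%s\n' "$1" | awk '$1 == "remoteip" { print $2 }')
    prefix=${remote%.*}      # 172.16.4
    hosts=${remote##*.}      # 2-250
    rc=0
    for addr in "$localip" "$prefix.${hosts%-*}" "$prefix.${hosts#*-}"; do
        in_cidr "$addr" "$2" || { echo "$addr is outside $2"; rc=1; }
    done
    return $rc
}

# The two fragments from the post: /etc/pptpd.conf and the shorewall masq line.
PPTPD_CONF='option /etc/ppp/pptpd-options
logwtmp
localip 172.16.4.1
remoteip 172.16.4.2-250'
SHOREWALL_MASQ='eth0 172.16.4.0/24 # OpenVPN and PPTP'

# Constructed misconfiguration: the pool drifted into a neighbouring /24.
BAD_CONF='localip 172.16.4.1
remoteip 172.16.5.2-250'

if [ "${1:-}" = "demo" ]; then
    check_pptp_range "$PPTPD_CONF" "$(masq_subnet "$SHOREWALL_MASQ")" && echo "pool OK"
    check_pptp_range "$BAD_CONF" "$(masq_subnet "$SHOREWALL_MASQ")" || echo "pool mismatch"
fi
```

On a live server, feed it the real files instead: `check_pptp_range "$(cat /etc/pptpd.conf)" "$(masq_subnet "$(cat /etc/shorewall/masq)")"`.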
Conclusion
Now, when I am in a coffee shop, I can turn on the VPN easily by flipping the switch in the iPhone’s main settings screen. It will make a TCP connection to my server, negotiate a few things, and then send all further network traffic through an encrypted tunnel directly to my server, which relays it out to the internet.
You can test this by going to a web site like http://www.whatismyip.com/. If the VPN is working, it will show your server’s IP address. If not, it’ll show the coffee shop’s IP address.
Once I am using the VPN, anyone in the coffee shop who happens to be sniffing traffic on the wireless network will only see a single connection from my iPhone to my server, but the contents of this connection will be scrambled.
Custom ring tones for the iPhone
I spent five years working for Ericsson, devoting all of my professional energy towards making cellular phones better. I developed device drivers, application software, “middleware”, protocol stacks, and device prototypes. Not a day went by where I did not think about cellular phones in some way. It was not just a job, but a total gadget lifestyle.
Even in areas where I was not actively assigned to work, I still found ways to influence our products. Two particular examples come to mind.
In mid-2000, I was invited by our vice president (one of the two top managers in our NC office) to attend an all-day brainstorming session to discuss phones for kids and pre-teens: what it would mean for the kids, for the phone companies, for the parents, and for the content providers. I was a bit shocked when I entered the room — the attendee list was much smaller than I had expected, and I turned out to be the only software developer there. But the session went well, and I shared my (year 2000-era) thoughts on how Ericsson could never write even a small fraction of the applications that our customers would want, and so we would need to include some sort of API or virtual machine. At the time, Java looked promising. Fast forward to today, and see the success of Apple’s app store.
The second story, if you’ll indulge me (it is my blog, after all), is when I made friends with the King of Rings in Sweden. He was responsible for all ring tones that we delivered world-wide. I knew that he was also a Palm PDA user, so I showed him a Palm app that contained some really cool alert tones, and we discussed what made them really good alarm sounds: they did not blend in as background noise, they did not sound like voices or singing, they contained some pure tones of different pitches which would cut through the noise of everyday life. In short, they were alerts, not just sounds. That guy was very cool, and he had a very fun job.
It should be no surprise after hearing my Palm stories, that today I carry an iPhone. It’s everything the Palm aspired to be ten years ago, and a lot more than the Palm ever imagined. It should also not be a surprise that I would find it important to install some good non-music ring tones for my iPhone. I was pleased to find that it is pretty easy to put custom ring tones on this device without writing a check to Apple or to AT&T. I dig free, and I really dig open.
On iTunes (we’ll forget about open for a second), I subscribed to a podcast that publishes ring tones. The one that I picked was the MacMost iPhone Ring Tones podcast. Every so often, it dumps a pile of ring tones (m4r files) onto your iPhone.
Some of them were cool, some were trash, and others needed a little bit of work. For example, one of them was a woman’s voice that said “ring ring, ring ring, your iPhone is ringing”. I liked the first half, but I thought the last part was tacky. So I decided to edit that one.
On my Linux machine, I downloaded “X Convert File Audio” (xcfa) and “audacity”. I copied the ring tone from iTunes to my desktop. I changed the file extension from “m4r” to “m4a”, since they really are the same thing, but Apple uses the “r” to distinguish ring tones from regular music files. Then I ran xcfa to convert the file to a common “wav” format. The GUI is a little crude (and some of the text is in French), but it works well enough for a quick conversion. Audacity understands wav files, and so I was able to edit the “your iPhone is ringing” out of my sample, and I cut and pasted until I had a 30-second clip (which worked better than a shorter clip for some reason). Audacity has all of the features you’d want, so you could add echo or reverb or whatever you like. I saved my sound as a wav file, using a new name (and also filling in that new name in the “properties” dialog box that popped up). Then I ran xcfa again to convert the file back to “m4a” format, and renamed it back to “m4r”. Finally, I imported the file back into iTunes.
So that was pretty simple: (1) export from iTunes (2) m4r to m4a (3) m4a to wav (4) edit (5) wav to m4a (6) m4a to m4r (7) import into iTunes.
If you wanted to start with a sound or a song instead of an existing ring tone, you would simply convert it to “wav” format and then continue at step (4).
If you’ll excuse me, my iPhone just farted.