site update, finally!

I have made a few much-needed site updates today!

First of all, I have made a new page about Arduino music, and linked it off of the projects page. It contains links to the code for my Arduino musical projects, as well as links to various pages that I have found helpful in exploring the subject.

Secondly, I have updated my presentations page. I added the slides for the talk about instilling a more welcoming culture in the hacker community that I gave at Notacon 7 this month, as well as the slides from the FDCC Virtual Machine talks that I gave at Pumping Station: One's Pecha Kucha Night and at Neighborcon NYC in December. Also, I added the slides for my upcoming talk about Arduino music that I am giving at Penguicon on Saturday, May 1.

If you're going to be at Penguicon this weekend, please come to my talks! I am giving a talk entitled From Microcontroller to Maestro: Music on the Arduino at 3:00pm on Saturday, May 1 in Private Dining Room I. At 4:00pm that same day, in the same room, I will be talking on a panel entitled What the Hack? Hackerspaces in Detroit and Beyond with Russ Wolfe and Nick Britsky of i3Detroit, as well as Mitch Altman of Noisebridge.

a long December...and only half-over!

It has been an eventful December so far.

On December 4, I presented at Pumping Station: One's Pecha Kucha Night. My talk was entitled Setting Up FDCC Testing Environments on Non-Windows Systems (Or: How Nicolle Lost Four Hours of Her Life for Want of a Nine-Kilobyte Text File). It drew from my rather frustrating experience trying to get the FDCC Windows XP virtual machine image running on my Linux box on VMWare, since the federal government releases it in Microsoft VirtualPC format.

On December 5 and 6, nine of us from PS:One went on a weekend road trip to Detroit to visit i3Detroit, the hackerspace in Detroit. It was a fantastic trip! There are a lot of creative and talented people at that space, and they've set up such a nice hackerspace in a few short months. I'm so proud of them, and I'm looking forward to the next time I can visit their space for a few days.

From December 11 through 14, I was in New York City for Neighborcon NYC. I have been to all three Neighborcons to date, and all three of them have been fantastic. It's a chance to get together with a group of hackers from all over the country in a far lower-key environment than most cons. Neighborcon NYC was held in a bar called Local 138, on the Lower East Side. Both days featured a lot of socializing and casual exchange of ideas, as well as talks later in the day. I gave the first formal talk of the conference, a slightly expanded version of my FDCC Virtual Machines talk.

This week, I have been focusing on getting as much done on projects at PS:One as possible, since I leave for 26c3 on December 25. However, in the last two days I have found out about two very exciting things on the horizon for early 2009.

Yesterday, I was informed that I was accepted for Shmoocon Labs, so I will be helping to set up and maintain the network at the conference! This will be my first time on any kind of network operation crew for a conference. I will learn a lot about setting up networks, maintaining them, and solving computer and network problems under pressure, and I can't wait to make the most of this opportunity.

Then, earlier tonight, I found out that my talk proposal for Notacon 2010 got accepted! My talk is entitled Hey, Don't Call That Guy A Noob: Toward A More Welcoming Hacker Community. I've noticed that in hackerspaces and other organizations, there's a lot of emphasis on trying to find new people to join, but very little time spent thinking about what to do once these new people have found their way to a space or a club meeting. The talk will discuss ways to make someone new to the hacker community feel welcome and valuable there. I am really excited--it will be my first time speaking at Notacon, and I'm looking forward to discussing a topic that I feel so strongly about.

Pecha Kucha night at PS:One!

On Friday, December 4, Pumping Station: One is hosting a Pecha Kucha Night. This event is open to the public--so whether you're a member of PS:One, have visited us in the past, or have never come to the space before, you're encouraged to come, and you're encouraged to speak!

What is Pecha Kucha? It is a night of short talks. Each speaker may talk for twenty seconds about each of twenty different slides, for a total of six minutes and forty seconds about their topic.

What topics are appropriate? Talk about a project you've done. Talk about a technology with which you have experience. Talk about something you've broken in an interesting way. Talk about something you've fixed in an interesting way. Talk about something funny that happened to you. Talk about something weird that happened to you.

Talk about anything.

The deadline for notifying Pumping Station: One of your talk topic is November 21. Send me an e-mail if you are interested.

The event will be at PS:One, 3354 N. Elston, at 7:30pm.

DEFCON talks are online!

The video and audio from all of the presentations at DEFCON 17 are now up on the DEFCON archive.

This means you can watch my talk, which centered on legal concerns that arise when you're starting a hackerspace. You can also watch all of the other talks...and I can as well, given that when I was actually at DEFCON, I spent a lot more time in the hallway track and the contest area than I did attending talks.

Scanlife's 2D barcode system

A friend of mine, Colin Keigher, recently did some interesting research into how Scanlife's proprietary EZCode 2D barcode system functions. He did a presentation of it at BazCamp Vancouver about his findings, and has also written a detailed blog entry explaining his findings.

It's fascinating to see the breakdown of what he found, and it's enough to make me want to check the format of any 2D barcode I'm trying to scan. I'm not quite sure how prevalent these codes are in the United States yet, but I know they're starting to show up in Canadian newspapers.

bus tracker!

Recently, the Chicago Transit Authority released its CTA Bus Tracker API. For those of you who don't live in Chicago, CTA Bus Tracker is just about the greatest thing ever. It allows you to look up online, in real time, when the next bus is coming to a stop. It was rolled out over the last few years, and within the last year or so, has been available for every bus. My only major complaint about it was that it was only available via the Bus Tracker website, so if you did not have a smartphone with a web browser, you were out of luck. But, there was very little I could do, since there wasn't an open API for accessing their Bus Tracker data.

Yesterday, I saw a few tweets about various Canadian public transit systems that had opened their APIs to varying degrees. Curious, I looked up whether CTA had done anything in the last few months to open up the Bus Tracker API. They had! Back in September, they posted it online. They require you to make an account on Bus Tracker and apply for a developer key, so I decided to go for it and see if they'd allow me to start using it.

...and, I got my developer key this afternoon!

This led to me spending the vast majority of the afternoon and early evening playing around. The Bus Tracker API itself is pretty straightforward, but I hadn't yet learned the Python commands for creating DOM objects and parsing XML. (In fact, I didn't even know what a DOM object was until this afternoon--I just assumed that there had to be an easier way to parse XML than parsing it with regular expressions or pattern matching within the strings.) At this point, I have gotten the hang of pulling the Bus Tracker XML data and parsing it, which means that I can start to do something useful.
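
As an added example (not code from the original post, and not the CTA's own API client), here is the DOM approach in Python with the standard library's xml.dom.minidom. The XML document is constructed for the example; the element names (bustime-response, prd, stpnm, rt, rtdir, prdtm) and the timestamp format are assumptions for illustration, not taken from the post. One thing the paragraph alone does not show: the parser decodes entities such as &amp; for you, which is exactly the sort of thing a regular expression over the raw text gets wrong.

```python
from xml.dom import minidom

# Constructed sample document for the example. The element names and the
# "YYYYMMDD HH:MM" timestamp format are assumed, not taken from the post.
SAMPLE_XML = """<?xml version="1.0"?>
<bustime-response>
  <prd>
    <stpnm>Belmont &amp; Sacramento</stpnm>
    <rt>77</rt>
    <rtdir>Eastbound</rtdir>
    <prdtm>20091118 17:42</prdtm>
  </prd>
  <prd>
    <stpnm>Belmont &amp; Sacramento</stpnm>
    <rt>77</rt>
    <rtdir>Eastbound</rtdir>
    <prdtm>20091118 17:55</prdtm>
  </prd>
  <error><msg>No service scheduled for route 11</msg></error>
</bustime-response>
"""


def text_of(element, tag):
    """Text content of the first child <tag> of element, or None if absent.

    Joins all text nodes so a value split around an entity reference
    (e.g. "Belmont &amp; Sacramento") still comes back as one string.
    """
    nodes = element.getElementsByTagName(tag)
    if not nodes:
        return None
    parts = [n.data for n in nodes[0].childNodes if n.nodeType == n.TEXT_NODE]
    return "".join(parts).strip()


def parse_predictions(xml_text):
    """Turn every <prd> element into a plain dict."""
    doc = minidom.parseString(xml_text)
    results = []
    for prd in doc.getElementsByTagName("prd"):
        results.append({
            "stop": text_of(prd, "stpnm"),
            "route": text_of(prd, "rt"),
            "direction": text_of(prd, "rtdir"),
            "time": text_of(prd, "prdtm"),
        })
    return results


def parse_errors(xml_text):
    """Collect the <error><msg> texts, which a regex approach tends to miss."""
    doc = minidom.parseString(xml_text)
    return [text_of(err, "msg") for err in doc.getElementsByTagName("error")]


def next_arrival(xml_text, route, direction):
    """Earliest predicted time for route/direction, or None if nothing matches.

    The assumed "YYYYMMDD HH:MM" format sorts correctly as a plain string.
    """
    times = [p["time"] for p in parse_predictions(xml_text)
             if p["route"] == route and p["direction"] == direction]
    return min(times) if times else None


if __name__ == "__main__":
    for p in parse_predictions(SAMPLE_XML):
        print(p)
    print("errors:", parse_errors(SAMPLE_XML))
    print("next 77 Eastbound:", next_arrival(SAMPLE_XML, "77", "Eastbound"))
```

In a real client the string passed to parseString would be the body fetched from the API with your developer key; everything after that point is the same.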

My thought is to do a Twitter interface. I enjoy working with the Twitter API, and back when I didn't have a smartphone (but could use Twitter by SMS), I wished there was a way I could text for bus times. A good Twitter interface for Bus Tracker would solve that problem.

Of course, the challenge is going to be crafting a "good" interface. The code is not going to be the difficult part. Finding a way to make a Twitter interface that is intuitive to use is going to be the difficult part, since there is so much information that Bus Tracker needs to give the user the times: bus route, direction, and stop. The difficulty will come because people will format their queries in different ways (for example, referring to the same stop as either Belmont and Sacramento or Sacramento and Belmont or Belmont/Sacramento or Belmont & Sacramento, et cetera), and it would be extremely obnoxious for the user to have to be all that picky about their formatting or street name order if they are rushing to find out when their bus is going to come.
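
As an added example (not code from the original post), here is one way to take the formatting burden off the user: reduce every spelling of an intersection to a canonical, order-independent key before looking it up, and pull the route and direction out of the same message. The separators, suffix list, direction words and the stop table are all assumptions constructed for the example, and the request format ("<route> <direction> <street> and <street>" in any order) is a hypothetical convention, not anything the post or the CTA defines.

```python
import re

# Separators people use between two street names (assumed list).
_SEPARATORS = re.compile(r"\s*(?:\band\b|\bat\b|&|/|@|\+)\s*", re.IGNORECASE)

# Street-type suffixes that are dropped so "Sacramento Ave" == "Sacramento".
_SUFFIXES = {"ave", "avenue", "st", "street", "rd", "road", "blvd", "boulevard"}

# Direction words and abbreviations, mapped to one canonical form (assumed).
_DIRECTIONS = {
    "n": "Northbound", "nb": "Northbound", "north": "Northbound", "northbound": "Northbound",
    "s": "Southbound", "sb": "Southbound", "south": "Southbound", "southbound": "Southbound",
    "e": "Eastbound", "eb": "Eastbound", "east": "Eastbound", "eastbound": "Eastbound",
    "w": "Westbound", "wb": "Westbound", "west": "Westbound", "westbound": "Westbound",
}

# Constructed stop table: canonical intersection key -> stop id (made-up ids).
STOPS = {
    "belmont|sacramento": "STOP-EXAMPLE-1",
    "belmont|kimball": "STOP-EXAMPLE-2",
}


def normalize_street(name):
    """Lower-case, strip punctuation and drop street-type suffixes."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def stop_key(query):
    """Order-independent key for an intersection, or None if it isn't one.

    "Belmont and Sacramento", "Sacramento/Belmont" and "Belmont & Sacramento Ave"
    all map to "belmont|sacramento".
    """
    parts = [p for p in _SEPARATORS.split(query.strip()) if p]
    if len(parts) != 2:
        return None
    streets = sorted(normalize_street(p) for p in parts)
    if not all(streets):
        return None
    return "|".join(streets)


def parse_request(text):
    """Pull route, direction and stop out of a free-form request.

    A purely numeric token is taken as the route, the first direction word as
    the direction, and whatever is left is treated as the intersection.
    """
    route, direction, rest = None, None, []
    for tok in text.split():
        t = tok.lower().strip(",.")
        if route is None and t.isdigit():
            route = t
        elif direction is None and t in _DIRECTIONS:
            direction = _DIRECTIONS[t]
        else:
            rest.append(tok)
    return {"route": route, "direction": direction, "stop": stop_key(" ".join(rest))}


def find_stop_id(query):
    """Look an intersection up in the (constructed) stop table."""
    return STOPS.get(stop_key(query))


if __name__ == "__main__":
    for q in ("77 eastbound Belmont and Sacramento", "Sacramento/Belmont, 77 EB",
              "Belmont & Sacramento Ave 77 e", "77 east Belmont"):
        print(repr(q), "->", parse_request(q))
```

When parse_request returns a stop of None, the bot can reply asking for two street names rather than silently answering the wrong question.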

upcoming conventions

As most readers of this little corner of the internet probably already know, today was the first day of the free-for-all that is Shmoocon ticket sales. Last year, I was insanely lucky, and managed to get three early bird tickets to the con--two on the first day, and one on the weird mid-December sale date that they had because the server had gone down on December 1. I'll admit it--I was tripped up, like several others on my Twitter feed, by the fact that the cart page said that the ticket sale was not online yet, although the link to the reservation page had been placed at the bottom of the page. That is something I would suggest they fix for the December sale date, and in future years--put the reservation link at the top of the page, not the bottom. I got frustrated the first time I saw a no-tickets-available page, but remembering the confusion and mixed messages from the website last year, I kept trying. Occasionally a ticket reservation page would pop up, although by the time I solved the captcha, it would tell me none were available.

Despite the initial frustration, this has a happy ending. I was not lucky enough to get an early bird, but did manage to get an Open Registration ticket. So, I'll be seeing you all at Shmoocon!

One side question about Shmoocon--has anyone who reads this done Shmoocon Labs before? I'm considering signing up for it.

That's not the only convention on the horizon, or even the one that's closest in time. I'm also planning on going to 26c3 in Berlin this December. I don't have my reservations yet, but that's only because I'm waiting for Hackers on a Plane plans to come out. Nick just confirmed on the HoaP 2.0 list that there's going to be a HoaP 3.0 to Berlin this December. I had such a great time on the trip to HAR that I want to do that again. I hope it comes out soon, though, so I can have the right dates and get decently cheap transportation to and from New York to meet up with the group. I know there's probably very little hope for that anyway, given that the trip is right between Christmas and New Year's, but it can't hurt to reserve it as soon as possible.

twitter data leak

This afternoon, I was reading my Twitter feed, and @n3tg33k retweeted a twitter.com address: twitter.com/server-status. Since I'm mentioning it on here, I'm sure you know it doesn't refer to a Twitter username @server-status, but rather is a link to a page that displays server status information for some of Twitter's servers. A few minutes after seeing that link on my feed, there was another retweet from @agent0x0, referencing twitter.com/balancer-manager--another page with server information that probably should not be publicly available.

Out of curiosity, I decided to poke around to see if I could find any more data leaks on there. My original tactic was rather haphazard: I found a list of standard Apache modules, and brute-forced some URLs based on them. However, I got a much better idea--since these were public-facing pages, maybe I should try a little Google hacking before I spent the rest of my day trying to read the minds of the webmasters at Twitter. Since both of the leaked pages I had heard about so far were web server status pages, I Googled "Apache/2.2.11" site:twitter.com and looked through the results.

A link to server-status showed up on the first page in the initial list. The link to balancer-manager didn't show up in the initial result set, although when I asked Google to show similar results, balancer-manager showed up as well as server-status. However, these were the only two Twitter data leak pages that showed up under that search; the rest of the approximately fifty hits were from Twitter users who tweeted about installing that version of Apache, or tweeted lines from Apache status pages for whatever reason. I double-checked by searching Google for the entire Server Version line (Apache/2.2.11 (Unix) PHP/5.1.6 mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5); this only returned the same two data leak hits as before. Of course, this is not to say these are the only two data leaks on Twitter.com. There may be more lurking, connected to things other than Apache/2.2.11, or not yet cached by Google. But, there are at least two that have been cached, as well as passed around the social media security geek corners of Twitter--and that's two too many.

What does this mean? It means that Twitter should change its settings so that these two pages are accessible by their server administrators, but not the public at large. It also means that if you are responsible for maintaining a website, you should make sure that all of the pages created by your web server that are meant for internal monitoring and maintenance are kept just that: internal. Otherwise, if someone malicious knew what they were looking for, they could find that information, scour it for any indication that your system had a known vulnerability, and exploit it. Defending against exploits is inevitable when running any computer system, of course, but there is no use in making it easier by keeping internal server monitoring and maintenance data exposed.
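
As an added example (not code from the original post, and not Twitter's configuration), here is a small Python audit that reads an Apache httpd.conf and reports any <Location> block whose handler is one of the internal ones (server-status, server-info, balancer-manager) but which is not restricted to administrators. Both configuration fragments are constructed: the first is the exposed pattern, the second is the corrected one using the Apache 2.2 Order/Deny/Allow directives that match the server version in the post (the 2.4-style Require forms are also recognised). The checker understands only the directive forms shown and treats anything it cannot recognise as unrestricted.

```python
import re

# Constructed httpd.conf fragment showing the exposed pattern: one block is
# explicitly open to everyone, the other has no access control at all.
EXPOSED_CONF = """
LoadModule status_module modules/mod_status.so
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Allow from all
</Location>
<Location /balancer-manager>
    SetHandler balancer-manager
</Location>
"""

# Constructed corrected fragment: deny by default, then allow only loopback
# and an (assumed) internal management range.
RESTRICTED_CONF = """
ExtendedStatus Off
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 10.0.0.0/8
</Location>
<Location /balancer-manager>
    SetHandler balancer-manager
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""

# Handlers that serve monitoring/maintenance pages meant for administrators.
INTERNAL_HANDLERS = {"server-status", "server-info", "balancer-manager"}

_LOCATION = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.S | re.I)


def _directives(body):
    """Non-empty, non-comment lines of a block, whitespace stripped."""
    lines = (line.strip() for line in body.splitlines())
    return [l for l in lines if l and not l.startswith("#")]


def is_restricted(body):
    """True if the block denies the public (Apache 2.2 or 2.4 directive forms).

    An explicit "Allow from all" / "Require all granted" wins as exposed;
    a block with no recognised access directive is treated as exposed too.
    """
    lines = [d.lower() for d in _directives(body)]
    if any(l.startswith("allow from all") or l == "require all granted" for l in lines):
        return False
    if any(l in ("deny from all", "require all denied") for l in lines):
        return True
    if any(l.startswith("require ip ") or l == "require local" for l in lines):
        return True
    return False


def find_exposed_handlers(conf):
    """URL paths whose internal handler is reachable without an access restriction."""
    exposed = []
    for match in _LOCATION.finditer(conf):
        path, body = match.group(1).strip(), match.group(2)
        handlers = [d.split(None, 1)[1].lower()
                    for d in _directives(body)
                    if d.lower().startswith("sethandler ")]
        if any(h in INTERNAL_HANDLERS for h in handlers) and not is_restricted(body):
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    print("exposed in first config:", find_exposed_handlers(EXPOSED_CONF))
    print("exposed in second config:", find_exposed_handlers(RESTRICTED_CONF))
```

Running the audit over the first fragment names both paths; over the second it finds nothing. After changing the configuration, the quick confirmation is to request the two paths from an address outside the allowed ranges and expect a 403, which is the response the post reports seeing once Twitter fixed it.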

Epilogue: It appears that Twitter has blocked access to these two pages. For a few minutes, I was getting a page that told me that they liked my enthusiasm, but I was rate-limited to prevent abuse and should try again in 60 minutes. This happened when I tried to access either of the aforementioned URLs. It happened not only from the computer I had been using for all of the poking around and reloading, but also from my smartphone, which I had not yet used to access either of the data leak URLs.

Within ten minutes after first seeing the rate limit pages, I was getting 403 Forbidden errors instead.

Tangential to the data leak weirdness, it's interesting to see a rate limit web page on Twitter. I've had plenty of experience and frustration dealing with rate limits on API calls, since I've written some rather API-call-intensive Twitter bots in the past. However, I've never seen any documentation about rate limits on Twitter's web interface--either a limit on the number of times a certain user or IP address can reload a Twitter web page, or on the number of times that users in general can access a page per hour.

Has anyone else who is reading this seen a web page that said they were rate-limited, or do you have any knowledge about any restrictions Twitter has on how many times a web page of theirs can be accessed? I would be interested to know.

playing with servers!

Over the last couple of weeks, I've been doing too much research and tinkering, and not enough documentation of it on here.

A web hosting company donated several servers to the space last month. We had a server or two before, but now we have enough to actually get a proper server rack going, and have services both internally as well as on the warzone. Members were allowed to grab one and start playing, if they wished, and I was not going to let such an opportunity pass me by.

My original intent was to use the server as a sandbox, but before I knew it I was actually contributing to the infrastructure of the space. I got Xen running on the bare metal, and one of the more experienced server administrators at the space suggested I get a Nagios server running to monitor our network. So, I spent some time delving through the documentation and deploying that, and I'm now responsible for it. I'm still tweaking it, making sure that it's monitoring the services that exist on each piece of equipment on our network. I've realised I really enjoy using Nagios. I've also set up a new DHCP server for the space's internal network, and will be helping to set up an LDAP/RADIUS authentication server.

As someone who is just trying to start out in this field, and has done a lot of reading about system administration, I find it exciting to have access to real servers, and real server administration tasks. These may be baby steps for the more experienced, but as someone who has never done anything but read about this stuff before, I'm invigorated that I can actually do any of this. I can do as much reading about it as I want, but I don't internalize it the same way unless I'm actually getting my hands dirty with trial, error, and deployment.

phishing in the Waves

It seems like the hottest thing on the internet right now is a Google Wave invite. The day that Google began to offer Wave invites, I felt like I was the only person on my Twitter feed who was not tweeting either about the fact that she had one, or the fact that she wanted one. Since then, I still see some tweets about it, but it has mainly calmed down on my feed.

However, Twitter is still abuzz with people passing links to supposedly free Wave invites around. It seems simple enough to the uninitiated: give some website your Twitter name and your email address, retweet the link to their website, and get your hands on one of thousands of invites. Sounds simple, right?

But...anyone can put up a site claiming that they have Wave invites, or anything else. It has all the marks of a scam: someone you don't know has harvested your email address, and they can send whatever spam they want to you. They've also matched your email address to your Twitter account...which makes it easier to crack your accounts, especially if the passwords to them are the same.

I was having a conversation about this with Hellekin on Twitter earlier today, and he suggested putting up a site that culled the tweets that passed around the spam links, and call the people out on the fact that it's probably a scam. I am not all that adept at putting up websites--however, I really do enjoy making Twitter bots, and started becoming very good friends with the Twitter Search API last week, while writing an IRC bot that (among other things) searches for tweets that reference my hackerspace. Thus, I took a little code from that IRC bot, took a little other code from the Kanye Bot, tweaked it a little bit, and made a bot that digs up tweets that are likely to be from people who have fallen for the scams. It lightheartedly tells them that their email address has now been taken by a scammer, and advises them that it may be good to change their password.

The bot is posting at @WavePwned. Right now, the way it's coded, it hits a few false positives, since the search terms are "google wave invite http:". So, in addition to hitting people who are tweeting links to spam sites about Google Wave invites, it also hits people who are linking to articles about Google Wave invites. However, it is almost impossible to craft something more specific and hit such a large amount of the people propagating these phishing links, since there are so many new links made with the same kind of spam, and the phrasing of the spam tweets changes so often.

Hopefully, this little bot will alert at least a few people to what a hoax all of these Google Wave invite sites are, and make them think a little more before giving some random website their information. The morals of the story: if it sounds too good to be true it probably is, and think before you give out your social networking or email address information.

(thanks, @hellekin, for the idea!)