July

A couple of photos from last month. I’ll upload more soon.


 

Haircut

There’s nothing like cleaning yourself up — this time, a haircut — on the heels of change and good news.

I remember the day I outgrew the standard Asian bowl cut and started getting my hair short or spiked — September 11, 2002. I remember when I started to move beyond my punk/goth, baggy cargo pants style and wear jeans for the first time since childhood — Late December, 2004. Wore contacts for a time, starting in early 2008. Moved to the plastic, black-rimmed glasses style in January 2009. Bought my first pair of High-Top Chuck Taylors last year. And so on.

These seemingly insignificant minor details, etched into my memory by the context of those dates and timeframes. Eras and short phases of my life, (very very) vaguely denoted by a (sometimes misplaced) sense of conscious outward change.

I think most everybody does this — whether or not they admit or realize it.

No, there weren’t any actual style changes for me this time — but it’s a haircut nonetheless. And it’s nice to avoid growing the mop-topped near-mullet that my head likes to sprout when unchecked.

The Acceleration of Addictiveness

An awesome read about technological progress and it's advancement of addictive tasks/things, but I couldn't help but notice this quote as well:

One sense of “normal” is statistically normal: what everyone else does. The other is the sense we mean when we talk about the normal operating range of a piece of machinery: what works best.

These two senses are already quite far apart. Already someone trying to live well would seem eccentrically abstemious in most of the US. That phenomenon is only going to become more pronounced. You can probably take it as a rule of thumb from now on that if people don't think you're weird, you're living badly.

Welcome to America.

Five Years

Or, “A Few Career-Related Thoughts Related to My Impending Graduation”

Are you where you thought you’d be at the beginning of this year? A year ago? Five years ago? Are you who you thought you’d be?


Five years ago, my life went kind of like this:

MIT rejection letter

I was an ambitious (and somewhat delusional) straight-A student. I didn’t get into the schools I wanted. My faith in “the system” was upended. (Which, in itself, is worthy of it’s own long discussion some other time.) Dreams were broken. Plans were changed and tossed out.

Instead of following through with any of my original backup schools, I applied to the University of Missouri, to follow my friends. As a kid I’d lived in Columbia (before moving to St. Louis) and I guess in another little delusion of mine, I thought I’d come back to bring things full circle, so to speak. I’d spent years of my childhood wanting it.

(Funny side story about that: During my short photojournalism stint, I profiled and interviewed an award-winning professor who turned out to be the father of a childhood friend of mine, from the days I still lived in Columbia. Full circle, indeed.)

At the time, I was accused of merely settling for the “easy out.” But I’d be lying if I said it wasn’t the right choice — it didn’t make a lot of sense back then, but in hindsight the decision has panned out way better than I could have expected.


Around the end of my freshman year, sick of the computer science curriculum, I toyed with the idea of getting a journalism degree instead. On a whim, I went over to the student newspaper, the Maneater, and started taking photo assignments.

And while that didn’t quite pan out — I’ve since come back to tech and decided on a degree in Information Technology — the gut decision to get involved in the media industry has completely driven my career since then. (Oh, but my reporting/photographing days sure were something.)

Due to a couple folks working the ’Eater site my freshman year, I got acquainted with Python & Django early — an early draft of the new themaneater.com was written in Django 0.91, or pre-“magic removal”. (Not to mention the “Maneater lineage” everyone adored — co-creator Adrian Holovaty had been online editor of the paper, years ago.) I’d like to say I got into it, but I had trouble understanding any of it until a couple years later, when we buckled down and finally took the time to get a new site out the door. (Having started over twice, from scratch.)

But we finally got it done in Django, just as it was starting to become the “hip” thing. And after that launch, one thing led to another, and well… What started as a random major change (to journalism) turned back into a programming gig; what started as tinkering with Django over the course of a few months turned into a nice little career niche.

I’m lucky as hell for having been in the right place in the right time.


Sophomore year, I found my way out of my awkward, shy shell and worked as a barback for a couple semesters. Picked up another part-time job as a programmer at a great local startup. I was working hard and it didn’t feel like work — I honestly loved every minute of it.

I failed out of school on account of really terrible grades. By that, I mean impossibly terrible, are you actually trying to fail grades. After the initial shock, I took it in stride. I appealed and back in immediately, without having to take the requisite one semester off. I took responsibility for the mistake and learned to juggle a bit better. But also: I learned what it felt like to really pour myself into something I loved doing — the difference between a a job and an awesome job.

It may have set me back well over a year, but in hindsight, that year was one of the most fulfilling times of my life.


A quick aside: This article — “Many gifted children fail academically” — and the relevant Hacker News thread posted a couple days ago really hit home. Couldn’t help but get a wry smile when I read this comment:

…MIT alum here, but there's nothing all that singularly unique about MIT in my book. I'm glad I was able to go, but I also realize (claim?) that most people who would be successful at MIT will be successful wherever they go, and that MIT is likely a rounding error in their success. MIT doesn't turn lead applicants into gold graduates.


Today, I take my last final exams. (I really wanted to say “my final finals.”)

Barring any unforeseen circumstances, I graduate on Friday. Pomp and Circumstance and all that — I will finally be done with my “formal education.” (And while I loved and learned plenty from it: good riddance, since high school I’ve always liked my way better.)

I’m so prone to hyperbole when I talk about the near-future, but to tell you the truth, I’m not really sure where I’m going. I’ve committed to going back to Spokane for the summer. (The joke I keep hearing goes, “it just wouldn’t be a Mike Tigas summer without Spokane.”) But after that? Who knows. And you know? It’s somewhat refreshing to have that clean-ish slate ahead of me. I’d put off the thought of “tomorrow” for so long that it’s simultaneously amazing and overwhelming to think about now. No more school. This is it. What am I going to do now? I’ve got my degree — what am I fighting for now?

My impending graduation and departure from Columbia feels like a breakup to me. I’ve mostly passed the sad, reminiscing phase for now, but now that I’m looking ahead I’m stuck in that now what? phase. Starting over fresh is, once again, amazing and overwhelming to think about.

(I feel like that talk would start with something like: Columbia, we’ve had great times together, but I don’t think it’s working out — not now, at least. I’ve had this on-and-off thing with Spokane for a while. And don’t get me started on how long I’ve been pining for New York. I’d love to see you again someday but, for now, maybe we should see other people places? Don’t worry, I’m not crawling back to St. Louis. At least, not right now.)

My biggest takeaway from the past few years: trust my gut instinct more often. As someone with an awful tendency to overthink things, my (at the time, half-brained and random) decisions to go to this school and get involved with journalism here are probably the most significant good choices I’ve made over the past few years.

Another takeaway: and don’t be afraid to fail. I’ve always been a supporter of the better to have loved and lost than never to have loved at all mantra. (The professional corollary would likely fall along the lines of: “better to do something you love and fail” than not.) Crippling fear of failure in the past meant I’d often never give some things a chance, but I think I’ve gotten better at it over the past couple years.

I don’t know where I see myself in two months, much less a year or five years or ten. But so what? I trust myself enough to believe that I’ll find a way make things work out. I mean, the past five years worked out well enough on the fly.

Again, I’ve been lucky as hell; right place, right time.

I can’t wait for the next thing, whatever that may be.

How-to: Easy wireless eavesdropping with a Mac

Simple question: is unsecured wireless an actual, real-world problem?

Simple answer: YES. HELL YES.

Not a single coffee shop I frequent has any sort of wireless security. While I understand the consequences of that, I know that others don’t. Plenty of poeple take unprotected, public wireless for granted. Some don’t understand the risks and others believe that wireless eavesdropping is beyond the technical reach of just any ol’ person. That’s simply not true.

It’s dangerously easy for anyone to do — and today, I’m going to show you how someone can start eavesdropping on an unprotected wireless network in mere minutes. I’m going to show you just how easy it is. And then I’ll talk about what you can do about it.


Super important disclaimer text: If you’re not doing this on your own wireless network, get permission first. Otherwise, you may be breaking the law. I will not be held liable for what you do, based on whatever you learn from here. If you don’t agree with that, stop reading.


This is Mac-oriented, for simplicity’s sake: OS X comes with a lot of things that make this way too easy and that’s the point I’d like to get across. (This is completely doable on other systems, however.[1])

This guide is for tech-savvy folks who’ve used the command-line before. (A previous draft was more general-purpose, but far longer than I was comfortable publishing.)

Tools

Mac OS X comes with a version of tcpdump, which is a common command-line tool for “dumping” (aka “sniffing”; saving) the packets that zip across a network.

To actually analyze and get interesting information out of the mass of information in a packet dump — download Wireshark. I’m using the Development Release (1.3.4), but Stable should work fine as well. Install that to your Applications folder by dragging it over.

Using tcpdump

My usual use case looks something like the following. (I’ll explain all of the bits below.)

sudo tcpdump \
    -i $WIFICARD \
    -I \
    -n \
    -w $OUTPUT_FILE \
    not ether host $ETHER_ADDR \
    and not host $IP_ADDR \
    and not "(wlan[0:1] & 0xfc) == 0x40" \
    and not "(wlan[0:1] & 0xfc) == 0x50" \
    and not "(wlan[0:1] & 0xfc) == 0x80" \
    and not "(wlan[0:1] & 0xfc) == 0xa4" \
    and not "(wlan[0:1] & 0xfc) == 0xc4" \
    and not "(wlan[0:1] & 0xfc) == 0xd4"
 
  • -i sets the network card you’ll be using ($WIFICARD is your wireless card — en1, for example, is usually the identifier for Airport cards in Mac laptops)
  • -I puts your network card in “monitor mode,” where it listens in on all packets on the network, not just the ones addressed to you.
  • -n disables name resolution, since we don’t need it for our packet dump
  • -w sets the output packet dump file ($OUTPUT_FILE could be something like ~/Desktop/capture.pcap)
  • The last few options filter down our dataset:
    • Don’t save data between our computer and the access point, since we’re interested in eavesdropping other people ($ETHER_ADDR and $IP_ADDR would be your MAC and IP addresses on the local network, respectively)
    • Don’t save miscellaneous packets like wireless beacon packets and pings. There are a lot of them, and they don’t hold any useful data.

Tip: you can run airport -I to see what your $WIFICARD is. From there, you can get the others by running ifconfig $WIFICARD — look the values next to “ether” and “inet.”

An example:

sudo tcpdump -i en1 -I -n -w ~/Desktop/dump.pcap not ether host 00:26:bb:0b:1e:01 and not host 192.168.1.100 and not "(wlan[0:1] & 0xfc) == 0x40" and not "(wlan[0:1] & 0xfc) == 0x50" and not "(wlan[0:1] & 0xfc) == 0x80" and not "(wlan[0:1] & 0xfc) == 0xa4" and not "(wlan[0:1] & 0xfc) == 0xc4" and not "(wlan[0:1] & 0xfc) == 0xd4"

Alternatively, I’ve wrapped up that command in a script that (should) automatically figure out your IP and MAC addresses, then start a packet dump that saves to your desktop.

You can view the script here and download it from here.

Since the tcpdump command within the script is being run via sudo, it’ll ask for your password — tcpdump needs to be run as an administrator to switch the wireless card over to “monitor mode.” (Aside: check out the code before running it. Never ever let run anything with sudo on the command-line unless you’re absolutely sure it’s safe.)

Assuming you’ve downloaded it to your Downloads folder, creating a packet dump is as simple as:

cd ~/Downloads
chmod +x sniff.sh
./sniff.sh

If the script is working, you’ll notice the dump file appear on the desktop and grow as you capture packets. You are now eavesdropping on other people’s connections on the given wireless network. At any point, you can finish up and close the script by pressing control-c.

Making sense of the data

Open up Wireshark.

Go to File->Open and go open up that .pcap file that you’ve created.

You should now have a huge list of packets. For our intents and purposes, we really don’t care about a lot of packet types, so paste the following into the “Filter” box and click on “Apply”. (Note that since Wireshark is an X11-based application, pasting is done with control-v, rather than ⌘-v.)

(http or smtp or imap or pop or aim or jabber or aim_chat or aim_buddylist) and not (tcp.analysis.retransmission or tcp.analysis.lost_segment or not http.response.code)

You should now have a packet dump that looks sort of like the following. (Click for a larger view.)

You can now dig around and browse all of the data that went through the wireless network: Web pages, SMTP/IMAP/POP e-mail, AIM conversations, Jabber (Google Talk, Facebook Chat) conversations — provided they’re unencrypted. (Side note: AIM and Google Talk now default to using SSL encryption. Most e-mail hosts do, too.)

The “packet data” panel (the second or third one — bottom one in my example image) allows you to drill down the layers of protocols-within-protocols in every packet. Play around with it!

The following filters might also be nice to experiment with:

  • aim.messageblock.message — will only show IM messages over the AIM network.
  • http.request.uri contains "profile.php" — will only snow Web pages with "profile.php" in the link (i.e., Facebook)
  • http.request.uri contains "login"
  • http.request.uri contains "mail"
  • http contains "username" — will only show requests that have the string "username" anywhere within the URL or content. (Surprise: this includes submissions to unencrypted login forms, if there are any.)

But wait! There’s more!

Wireshark can automatically parse out intercepted files and save them to your hard drive. This means you don’t even need to make sense of the raw protocols to get “tangible” results.

Go to File->Export->Objects->HTTP. Click on “Save All.” Type in a name for this folder and hit “OK” — ignore the “Some files could not be saved” error.

Open up that folder and you’ll see nearly every file transmitted over the network while you were capturing packets:

To drive the point home

Scared yet? You should be.

Unsecured public wireless networks are a huge risk to those who don’t understand just how “open” they are.

I’ve just shown you how little time and effort an eavesdropping attack takes. In mere minutes of idle time (about 10 in my example dump), anyone has the ability to collect a treasure trove of information on the people using a wireless network around them.

Digital eavesdropping and identity theft don’t have to be targeted crimes against specific people. Digital thieves can cast wide nets and hope they drag something valuable in.

What you can do

If your school or company has a VPN, log into it whenever you connect to an open wireless network. (Provided your connection doesn’t need extra authentication like Cisco Clean Access, even non-computer devices like the iPhone support VPN.) Connecting through a VPN encrypts data between you and the VPN — only after your information makes it to your VPN’s internet connection does it become unencrypted (and from there, it goes to the internet normally).

Alternatively, if you’re savvy enough to have SSH access to a Web server, you can use it as a secure proxy tunnel in practically the same way. If you understood what I just said, you can probably wing it.

If you don’t have access to the above, you can’t really do that much. Ideally, you should ask your local business to enable WPA on their network and either post the password or have customers ask for it. (My nearby Rocket Market operated their wireless like this, back when I lived up in Spokane.)

Most importantly: tread lightly. Never do anything “confidential” on an unprotected wireless network. And whenever you do go out, only log into sites and services that use SSL. (Facebook, Twitter, Gmail, and many other major sites always send your username & password via HTTPS. Gmail can be read over HTTPS, as can most other e-mail services. iChat can be set to “Require SSL” under your account’s server settings.)

Cautiousness is a virtue, online. Be careful and always be prepared for the worst. Think before you log in. Don’t use the same password everywhere. (I used to keep a rotation of about four passwords before switching to all random passwords and 1Password as a password manager.) Don’t take the Internet for granted.

Oh yeah, and don’t ever try anything I’ve mentioned here, unless you have permission. §


[1] Wireshark does work on all platforms and also performs the sniffing aspects on Windows/Linux — if your drivers allow it. With a little bit of effort, you can figure that out. You can still make do with my Wireshark analysis instructions once you have a packet dump.