Hindsight is 2020 – When 2019 didn't happen

This is a post to myself really. One where I want to whinge once to get it out of my head and then stick the marker down for how we just skip over 2019 in my history so that it didn’t really happen. Not doing this for sympathy I am just looking to get it out of my head and really the focus is on the positives at the end. This post is an open diary entry I can come back to later.

Physical Health

Rewind to Christmas Eve 2018 and I was sat in an empty GP waiting room looking at the “get your flu vaccine here” posters, pondering whether it was unseemly to have a crack at that toy abacus while nobody was looking. Trying to keep my mind off speculating on the results to blood tests taken a few weeks before. I had never been asked to come in for test results previously so presumed it meant something.

I had gone in due to persistently low energy levels where I literally couldn’t stay awake beyond 2pm. The Dr had asked about my lifestyle and stopped at how old my kid was and chalked it up to lack of sleep. “Get more sleep” I was advised. Pretty challenging to achieve when a kid screams to see you every hour throughout the night. Any-who.. It felt like a fair cop as they say and so I had already resolved to sleep more by that point.

I shuffled in to meet probably the 9th different GP in a row to get told I had my first disease of old age. Gout! Nothing serious but they wanted to put me on a pill from that day until the day I die. To me that felt a bit premature since it seemed you could probably treat yourself with the usual alterations to your lifestyle: lose weight, drink less booze, and drink more water.

I walked out without the prescription resolved to make those simple changes first. From the day after boxing day onward I climbed that mountain of walking ten thousand steps a day. I maintained that for months. If anyone saw me for work during that period I was literally pacing in meetings and drinking water like it was going out of fashion. The results added up pretty quickly and I even celebrated needing an entirely new wardrobe because my trousers were all about to slough off in a most unseemly manner!

Then the bad luck kicked in as spring got into full swing. A run of weeks out of the game due to infections turned into months where I was unable to leave the house and I went stir crazy. During the hottest week of the year, you were probably outside having a lovely time. I was spiking a crazy fever and finding it impossible to stay hydrated.

All of this was unrelated to my diagnosis but it definitely triggered me to accept the medication at the next opportunity. I just did not want to be stuck in a bed any longer so that I could ultimately continue with the exercise and behaviour changes that had been working for the first few months of 2019. If gout kicks off you get 2 weeks in bed and in agony so going on the medication was supposed to reduce the risk of it. Sign me up I said!

I got put on the magic pill but the GP neglected to put me on an industrial strength anti-inflammatory and had not stated I needed to even take ibuprofen along with it. They said “take Ibuprofen for 2 weeks BEFORE starting the pill”.

I read up about my new medication and know that once you start it you do not stop for any reason other than a Dr saying so. It is the kind of thing that takes ages to build up into your system and comes with a shopping list of side effects until your body can cope with it.

By the time I presented to my 10th new GP in a row to ask about the side effects I had been stuck in bed for a further 10 days as a result of the medication triggering a monumental attack of gout. I could barely stand by the time I hobbled round the corner and the GP almost broke professional courtesy to go yell at the last guy I had spoken to for NOT prescribing an anti-inflammatory at the same time. I got the feeling if I was in the US they would assume a lawsuit for such a failure.

I said “don’t yell at him. But strongly remind them to not do that ever again and tell him it was an absolute living nightmare”. I believe that mistakes are learning opportunities and fortunately I came through it unscathed.

Holidays

In 2019 we had four holidays paid for and planned. We have not left the country in years but we booked a holiday a long time ago. Guess what? It was the week BREXIT was originally scheduled to happen. We booked before article 50 was dropped. Not wanting to be stuck in any chaos when an opportunity presented itself to cancel free of charge we took it. Then the deadline moved and we could have gone unimpeded. Oh how we regretted that since I think it was before the run of infections kicked in. How different 2019 might have been.

The next holiday was booked for a caravan park near Edinburgh. Guess what? A massive weather warning for travel came into force for the day we needed to drive there and was going to cover the entire period. It was unlikely that any of the events were going to be on due to the weather. So in a last minute call we didn’t bother leaving home. Why take children to a place with less to do than their own house to sit and listen to rain hitting the roof of a caravan? Logical, but no refunds possible.

We drove to Stonehaven in July. Everyone else in my family was sick for the duration. I was fine for once in the entire summer, but nobody else was. We were stuck in an airbnb seemingly designed to torment:

  • DVD player built into TV with a disk jammed inside. Pride and prejudice was likely the culprit if that helps make it worse somehow?
  • Freeview box capable of hundreds of channels but not CBBC or CBEEBIES.
  • An endless supply of massive flies just bumbling about inside the property at all times. Escort them outside and back in they came through some unknown means.

Devoid of ways to entertain sick kids it was perhaps not the relaxation I was hoping for :D.

In possibly the low point of the year I went outside with my acoustic guitar to sit in the garden and play. We don’t have a garden at home. The big selling point of Stonehaven was to have the outside space to play about in and maybe get some family over for a BBQ. I was determined to at least sit in the garden and play some songs. So when my nursing duties lulled I eagerly bowled outside.

I was in danger of having a moment of joy in 2019! I was on holiday. Nobody was yelling for attention. The sun was baking me outside and I had a guitar. One or two songs in a seagull shit all over me, all over the guitar, and it will never not smell like shitty fish again. Good game 2019 you absolute bastard!

Next up. The holiday we had out of obligation going to America to see the sister in law get married. Love the sister in law, she is a class act. But we knew this one was going to be an absolute nightmare with long haul flights, children, and the general procedure for 2019 being a bastard. Guess what? There was a BA strike… Oh absolutely guys. Yeah you can get there but you’ll be stuck in the USA. Want us to refund the entire thing?

Stuck in the endless cycles of telephoning them to sort us out we came pretty close to just taking the refund and making apologies. They found us an alternative route back which was going to be a bit worse than the original itinerary but YOLO let’s actually go on a holiday we have paid for this year.

The flights were awful. The sleep patterns for the kids were thoroughly wrecked. We return back with a sick child diagnosed with Croup by the NHS. “Croup”, a disease which sounds so Victorian you think it might come with a moist sponge base. It was no laughing matter and several days of recovery were required.

In summary all the holidays were an absolute nightmare and no relaxation was achieved.

Mental Health

I have had a few struggles with burnout during my career. It absolutely happens folks. I have been pretty good at spotting it happening and taking action so it hasn’t happened for several years. But due to a mix of physical health and hilariously bad attempts at relaxation 2019 was the year to finally break me again.

As summer flipped to winter and the clocks went back the youngest kid just stopped going to bed anywhere near bedtime. Consistently. Night after night after night after night. It went on and on and only just started to get better now over the Christmas holidays. Instead of going to bed for several hours at 8pm they would now not even entertain sleep until 11pm. Then only in hourly chunks before waking up for reassurance.

There is a reason sleep deprivation is part of interrogation techniques. You have no defences once you are routinely starved of sleep. Since November/December I was fluctuating pretty near collapse with the lack of sleep. We were hiring baby sitters just to get some sleep it was really that bad.

It has triggered a series of panic attacks which are just absolutely exhausting in themselves. If you have never experienced one then you are pretty lucky. I would not recommend them or wish one on even a mortal enemy.

It is like the moment when you survive a road traffic accident only you are probably just sitting on a train and everything is fine. A surge of adrenaline to allow you to take flight or fight some unknown crisis. Your heart rate goes right up, you feel a tightening in your chest where you start to think “ok well, I am dying now at least I lived a good life full of love and tried to help”.

The first couple of these happened several years ago but I took action then and they went away. Turns out I can look forward to these whenever I am overly stressed and unable to sleep for a protracted period of time too.

Imagine living in a state where you constantly think about your own mortality like it is going to end momentarily. But it isn’t. You have the heart of an Ox and it isn’t actually broken. That is where long chunks of December have been spent in my head. It is also true that I am now much much better at coping with them. I can alter the dialogue in my mind. Centre myself and recover from it. Still they are pretty exhausting.

As anticipated the Christmas hiatus has given me space from work and a bit of relaxation. I have been able to get some extra sleep, spend time with the wife, play with the kids etc. It has been the tonic I needed to start sorting things out.

What of 2020 then?

I know I need to attack the causes of stress in my life to improve on 2019. Post Christmas day I have already started re-implementing the new behaviours which I started back in January 2019:

  • Walking 10k steps every day – so far so good.
  • Going to bed way earlier than I used to – so far so good.
  • Getting actual respite on weekends – meaning childcare on Saturdays and Sundays so that alone time and time with the wife becomes possible.
  • Indulging hobbies which are away from the screen – now that I am walking again I am going to try the audiobook and podcasts malarky. I purchased a yamaha keyboard before Christmas and can now do you several songs playing the chords. Lots of fun doing that.
  • Stay hydrated – it is medically required now to drink tonnes of water!
  • Reduce the booze – I always feel better when I take whole months off anyway. Since kids came around I haven’t really been out raging it large anyway :D. But, reducing calories in at the same time as creating time to indulge possibly new or more varied activities AND winning more restful sleep into the bargain is a good idea.
  • Lose weight – what new yearsy list would be complete without that? I was doing really well for months last year. I haven’t even put on all the weight I lost so go me. Starting from a lower point anyway. Easy!

To future Cornerpirate. How did you do? Don’t let me down.

Network Adapter names in Windows for Hackers

Sometimes you will need to test from a Windows environment. To cite merely two examples:

  • if you have busted out of a Citrix locked down environment and are now installing tools; or
  • if the customer wants you to simulate a rogue internal user with one of their Workstations (I love doing this personally!).

These come up relatively regularly in my life but not day to day. The biggest one is really: you just want to do some work and your host OS is Windows!

In those situations you might miss the friendly and warm embrace of “eth0” and that ilk we have under Linux. If you want to install and run Responder or Wireshark or whatever you will need to know your interface names.

Solution

Rename your adapters to mean something to you! Not complicated. Windows allows you to do this via “Control Panel” -> “Network and Internet” -> “Network Connections”:

[Image: rename-adapters]

Pick a name that makes sense to you and be on your merry way. I renamed things to “Ethernet”, “Ethernet 2”, “WiFi” etc so I knew what they were. These names are then persisted within Wireshark when I tested it so it seemed like a good idea to me.

The rest of this post is just random thoughts on Adapter Creep and rants about ipconfig. If you want to stick around, that is your choice!

Adapter Creep: How we got here

The number of network adapters has been on the increase in the last decade. You may have:

  • Ethernet
  • WiFi
  • VPN Connections
  • Virtualised Interfaces (for VMWare, VirtualBox etc)

I personally find it a pain to read the output of “ipconfig” or sift through the drop downs in tools. This is another reason I decided to start renaming adapters.

Rant about “ipconfig”

The following in your command prompt will display the list of adapter names you currently have:


ipconfig | findstr "adapter"

The usage instructions for “ipconfig” do state that you have a “where” clause which can let you interact with specific interfaces:

[Image: ipconfig]

Based on attempting this myself many years ago, and on the various Stack Overflow and forum responses I just saw on trying to use that “where”, I am going to conclude that this doesn’t work well enough for anyone.

I had hoped that explicitly setting the name of the adapter would make this easier but somehow “*Ethernet*” does nothing as far as I can see.

Solutions are out there to get what you want with .bat files, or VBS etc. Fairly hacky ways to do basic networking tasks.

Netsh seemingly to the rescue

In reading the forum posts I did find a tip about using “netsh” instead of “ipconfig”. While this feels like a much, much bigger tool for the job, it is possible to properly query details of specific interfaces only. So sharing the syntax in case it helps:


netsh interface ip show address name="WiFi"

Where the address name is exactly the name of the adapter.
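
The same per-adapter lookup in PowerShell, as an added example that is not from the original post. It accepts wildcards such as “*Ethernet*” and assumes the NetAdapter and NetTCPIP cmdlets that ship with Windows 8 / Server 2012 and later; the function name Get-AdapterSummary and the adapter names shown are hypothetical.

```powershell
# Added example (not from the original post).
# Get-AdapterSummary is a hypothetical helper name.

function Get-AdapterSummary {
    param(
        # Adapter name or wildcard pattern, e.g. "WiFi" or "*Ethernet*"
        [string]$Name = '*'
    )

    # A literal name that does not exist raises an error, so suppress it
    # and report the miss ourselves.
    $adapters = Get-NetAdapter -Name $Name -ErrorAction SilentlyContinue
    if (-not $adapters) {
        Write-Warning "No adapter matches '$Name'"
        return
    }

    foreach ($a in $adapters) {
        # A disconnected adapter may have no IPv4 address bound, so an
        # empty result here is normal rather than a failure.
        $ipv4 = Get-NetIPAddress -InterfaceIndex $a.ifIndex `
                    -AddressFamily IPv4 -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Name        = $a.Name
            Index       = $a.ifIndex
            Status      = $a.Status
            Description = $a.InterfaceDescription
            MacAddress  = $a.MacAddress
            IPv4        = ($ipv4 | ForEach-Object {
                              "$($_.IPAddress)/$($_.PrefixLength)"
                          }) -join ', '
        }
    }
}

# One row per adapter
Get-AdapterSummary | Format-Table -AutoSize

# Only adapters whose name contains "Ethernet"
Get-AdapterSummary -Name '*Ethernet*' | Format-Table -AutoSize

# Renaming from an elevated prompt; both names are placeholders
# Rename-NetAdapter -Name 'Ethernet 3' -NewName 'Lab'
```

The Index column is the interface index, which some tools ask for instead of the friendly name.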

 

Jython and its java.nio.charset.UnsupportedCharsetException

 

I have been working on an Extender for Burp Suite (a local proxy which allows you to check for common problems and security weaknesses). While the proxy is written in Java it is common for the Extenders to be made in Python.

Jython is the glue that keeps Java and Python working. My Extender had the need to execute python so I redirected the Standard Out and Standard Error streams to a MessageConsole.

Redirecting Standard out and err

The code for doing this is shown below:

// Redirect standard out and err to the MessageConsole
MessageConsole console = new MessageConsole(this.output);
console.redirectOut();
console.redirectErr(Color.RED, null);

Note: I might not leave this as the final product because I have just found this reference:

http://www.jython.org/javadoc/org/python/util/PythonInterpreter.html

Which indicates that “setErr” and “setOut” might work better for me somehow. However, that is a side show.

With the above code if you click the “Execute” button you trigger an event handler with this code:

// Get the python code from the text area
String python = pythonTextArea.getText();

// Show user that something is happening
setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR));
PythonInterpreter interp = new PythonInterpreter();

// Run the user python in the Jython interpreter.
interp.exec(python);
// Close the interpreter
interp.close();

// Now our task is over show the user it is done.
setCursor(Cursor.getPredefinedCursor(Cursor.DEFAULT_CURSOR));

Pretty simple; get me the python code, start an interpreter, execute, and close the interpreter.

UnsupportedCharsetException: cp0

Using the above code you will see that you get our pesky “UnsupportedCharsetException” on first execution of Jython as shown below:

[Image: unsupportedCharsetException.png]

That makes for an unsightly error. It is not a blocker because as you can see the JOptionPane displayed its message after. But an error appearing to users is going to erode their trust in your software. Particularly since this happens once per execution. After it is displayed it seems Jython then selects an OK character set and plays happy from there.

Looking into it the exception is because the Java Virtual Machine has not been launched with an appropriate run-time parameter. According to the reference below:

https://wiki.python.org/jython/ConsoleChoices

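You should be able to fix the problem by launching your Java process like this (JVM options such as -D must come before -jar, otherwise they are passed to the program as arguments):

java -Dpython.console.encoding=UTF-8 -jar <yourexecutable>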

There are other Console Choices available. But this seems to be a way to prevent the error. This is also the accepted answer on bug trackers and forums across the Internet.

It seems possible to use a “jython registry” to apply this setting but that means shipping files with your tool or making users create them. It seemed messy when what I guess we really want is a way to set the character set somehow as a property of instantiating the “PythonInterpreter” object. That doesn’t appear to be in the API so we can only dream of that.

The Right Solution

The legend that is Paj working over at PortSwigger these days fired in this nugget:

Which effectively is the programmatic interface to interacting with run-time parameters. This solution works perfectly when I tested it. The code for this is below:


System.setProperty("python.console.encoding", "UTF-8");

// Redirect standard out and err to the pythonOutput textpane
MessageConsole console = new MessageConsole(this.output);
console.redirectOut();
console.redirectErr(Color.RED, null);

That got the job done right. If for some reason you are unable to use that, then I have maintained my hilariously hacky solution which somewhat did the same job.

The Hacky Solution

In the realm of writing Burp Extenders I am not able to really influence how users launch their instance of Burp (so that -D approach is not likely). Nor would I imagine PortSwigger (the vendor) taking the time to cater for this edge case by making everybody launch burp a new way! Quite rightly too.

This means I came up with a hacky solution which avoids the errors for users:

// Here comes the dirty, dirty hack!
PythonInterpreter interp = new PythonInterpreter();
interp.exec("a=1+2");
interp.close();
// Yup. Launch the interpreter and do nothing of significance
// Do it before setting up your STDOUT and STDERR redirects

// Redirect standard out and err to the pythonOutput textpane
MessageConsole console = new MessageConsole(this.output);
console.redirectOut();
console.redirectErr(Color.RED, null);

I am going to need a shower. This feels particularly dirty even for me.

Folks from Google. You are welcome!