How to rescue orcs and spaceships

Hello, my name is Scott, and I'm a gamer. Sometimes it keeps me up way too late at night, but I care about my pretend space ships and the billions of Interstellar Kredits I've earned with them, and I'd be pissed if something happened to them.

A bit nerdy I realize, even for an information security blog, but it's true. There's no way to deny it, I do enjoy my online games. The fact is though I'm far from alone. Millions of people have been getting into one of the many massive multiplayer online games, from World of Warcraft to Second Life, from Lord of the Rings to EVE Online. Millions of people have invested incredible (some would probably say insane) numbers of hours to their wizards, pod pilots, hobbits, and a variety of other characters, constituting a huge investment of both time and money ($15 dollars a month adds up). This has become my motivation as I decided to get my GIAC Certified Incident Handler Gold certification as the focus of my practical.

I've been fascinated by the numerous security exploits in various online games. From EVE Online's database hack to Charlie Miller & Dino Dai Zovi's Second Life exploit it's interesting the unique factors that go into handling attacks in multiplayer online games. On one hand it's very much like a real economy, characters have assets, experience; money of some kind, and yet very much different (you can't exactly roll back a week of financial transactions in the real world).

As a result I've chosen to make my practical for getting my GCIH Gold certificate a study on Incident Handling in online games focused on case studies of actual handling by various game operations teams. Here's my abstract:

While generalized incident handling practices are essential to any system or network they do not always meet the needs of specialized systems. These systems have needs that go above and beyond the usual, and must be handled with unique attention to specific hosts, their functions, interactions, and overall system architecture. However in these specialized systems with similar functions there may be a way to generalize even the specialized requirements.

As massive multiplayer online gaming (MMORPG) continue to grow, through games like World of Warcraft, Second Life, and EVE Online, the amount of money being funneled into them grows as well. Where the money goes so do the criminals and as such online games are increasingly coming to light as targets for malicious attackers. Whether attacking for financial gain or to simply gain the upper hand in gameplay more and more vulnerabilities are being discovered and and exploited in online games.

MMORPGs are unique environments; worlds with their own economies and populations, players with their own experiences and assets, all of which are unique and important to the users who have invested hours upon hours into their virtual personas. This combination and complexity leads to creating vibrant and unique environments that make these games interesting to play, but also create a nightmare tradeoffs in the event that an incident handler must respond to in the event of a compromise.

This leads to a need for unique handling of incidents and thus a unique set of processes to be followed. This does not supersede the generalized handling guidelines, nor could it be completed comprehensive, but there can be a generalized incident handling guidelines for online games, a superset of generalized incident handling guidelines, such as those taught in the SANS 504 course.

To this end I would like to research and develop such a set of specialized handling guidelines, based on the proven general handling techniques from SANS, for consideration of incident handlers working on massive multiplayer online games. These will focus on the unique challenges and options available to handlers in online games, and will be based in large part from case studies of how such incidents have already been handled in current online games. Additionally it will include a survey of major online games, trying to gain as much insight as possible into how they currently structure their handling, in order to add as much real world experience into this effort as possible.

Even though it results in writing a paper and being uber-whitehat I'm kind of excited about writing this paper. Looking at attacking/defending online games is just beginning to get attention. That is somewhat surprising in itself since the online gaming industry is already doing billions in dollars yearly and continues growing. Nothing is quite as much fun as breaking new ground.

So now for you, my readers, I have a request: What are your thoughts and insights, on my abstract for my paper and on the topic in general. I'm very eager to hear what you have to say. Feel free to leave comments, send email (scott.roberts[at]vulnerableminds[dot]com), send a carrier pidgion, I'm interested to hear what you have to say.

Introducing Pulse

Well if you've been doing DNS zone transfers on VulnerableMinds.com then you know, but for the rest of you Pulse has been a mystery. Begun as Project Tango Pulse was meant to do one thing; give you a summarized, quick, complete look at the status of the information security threat landscape. It's a simple concept, but a lacking resource on the Internet.

Pulse came out of my own needs as a threat analyst. Work leaves me with no shortage of projects, research, emails, meetings, and yet the imperative need to have a complete view of what vulnerabilities, exploits, and malcode affecting all platforms. RSS feeds were a good start, but I quickly found myself reading dozens of feeds a day, many filled with useless information. Many I was able to replace or weed out, making it easy to get general news and the opinions, but I still needed more. I still needed information about threats, vulnerabilities and the code to exploit them, but struggled with so many feeds, and I still spent a huge amount of time reading unimportant information.

To this end I decided I needed a tool of my own, something to bring together all these feeds that bring into one place and yet eliminate the chaff, the low threat, the endless mailing list responses; the unnecessary.

The result is Pulse.

Now Pulse is a huge part of my daily workflow. I start my day with it, along with SANS Internet Storm Center and Arbor Networks Atlas portal. I feel that this combination gives me all the information I need to know to be on the "pulse" of the infosec threat landscape. 

I'll quit waxing philosophical about the why's and hows. It's straightforward, but I feel like it meets a need that isn't easily being filled by other services available on the Internet. So take a look, use it, enjoy, and feel free to send me feedback. Pulse isn't done, it's not finished, it's just beginning. To find out more:

• Introduction to Pulse - Presentation
  
• Project Tango Specification - Document

Took long enough...

No, I'm not talking about how long it's been since our last blog post, I'm talking about the iPhone.

I can't say I'm really surprised, except that maybe it took so long, but the iPhone hacking teams have announced a major remote exploit for the iPhone/iTouch. A file parsing exploit, the way we many of us expected it would happen, this is remotely exploitable via a malicious .tiff file. It appears that this was created to make it possible to remotely unlock iPhones (a dubious prospect at best).

For all the interest that the information security community had in the iPhone before it came out I've been shocked at how little has come out of our community. It's shocking how the majority of the "exploit" activity on the iPhone has been the traditional hackers, those who just seek to expand functionality. These "hacks" have been created to compensate for the lacking API, not those attempting to compromise this information rich device. Maybe good is stronger than awesome.

More info here and the actual malicious tiff here.

Another iPhone Security Perspective

Alright, I promise, last iPhone post, at least from me.

The fine folks over at Symantec's Security Response group are apparently taking a look at the iPhone from a "Wouldn't it be fun to land malicious code on this" perspective and seem to have more confidence than I did initially (See: iPhone sounds atlot like iPwn), and with good reason. It would seem that Apple hasn't been as caviler with their AJAX/iPhone integration as early reports suggested. For now that seems like good reason, but as the iPhone gets opened up further and further, either by Apple or by intrepid hackers, that may change.

So give the Symantec article a read, and enjoy your iPhone. We'll be coming for it soon...

iPh0n3: And so it begins...

From TUAW:

"iPhone enthusiasts over at the #iphone-talk and #iphone-mac channels on irc.osx86.hu have developed iPhoneInterface, a new Windows and Mac tool that allows you to manipulate the iPhone's state, launch services, and interact with the iPhone filesystem. With it, you'll be able to scan the iPhone file structure, create and remove folders, start iPhone services, and more."

I don't think anyone is really surprised that this happened I know many people who believe that Apple actually encourages this type of behavior, evidenced by the easy of cracking into the AppleTV and the numerous enhancements that followed. I don't know if I quite fall into that camp, but I do think it's inevitable that any closed system that gains interest from so many technically inclined people will not stay closed for long. I don't know if that's really a statement about security, or just common sense.

Protection/hackiblity philosophy aside I'm excited to see where this goes as I get ready to throw down my own $600 to Apple/AT&T. Take the already impressive iPhone, throw in a healthy helping of the great features you get in regular OS X, and add in some of the features found in other high end phones, and you really have a be all device. Truth be told I'd actually be reluctant to use such hacks on my main phone, but my real hope is that this kind of thing encourages Apple to open up the iPhone, add the features people have been asking for, and make it a lil hacking pad that I can also get email and make calls on.

That being said I think SSH and the ability to browse the filesystem are a must, but how about a Python interpreter or something? Flash maybe? A Safari view source option? TextMate for iPhone? Are you listening Apple? I want to be able to play next year's CTF qualifier on the Metro.

iPhone sounds alot like iPwn

So as a fairly enthusiastic Apple fan I've been getting asked often how excited I am for the iPhone ("Very"), am I going to get one ("prolly sometime in July"), and if I think it will be that great ("I do"). With someone of a basic technology background this is usually followed by some question about applications, SDKs, and if I think Apple will open it up ("I do") to third party development.

My overall take on it? I've had a number of smartphones and aside from making calls I mostly just used the browser. As for other applications after a few that I tried for experimenting I found I rarely used others, just sticking to the basic software that was included, and even that little enough.

As for the iPhone I truly believe that the killer app will be Safari itself, if it's all that Steve has tried to demonstrate it, may or may not, be cracked up to be. I'm not really sure what applications the developers who are attacking Apple for not providing an SDK think they'll create. In the years of Palm/Windows Mobile/Symbian/Blackberry smart phones I've yet to see an app that overwhelms the function of a phone to make calls, text message, and maybe, if you're lucky, get email or browse the web. All of these are functions the iPhone will do out of the box. Even on my MacBook many of the most important things I do, blogging, reading RSS feeds, getting security news, are all things done in the web browser alone. What app are Apple devs just dying for the chance to make?

Now that multi paragraph rant is not to suggest I'm peachy about the whole thing. This is a security blog after all. By not creating an SDK for creating true applications or widgets, and instead relying on Javascript/Ajax (as though you can have one without the other) you lead to a new problem, web pages can have amazing integration with your personal phone. Let me rephrase that: Advanced applications, running from remote servers, with both instructions and data, that's been shown already to have concerning security issues, will be able to run on your iPhone, and have, in some way, access to your address book, iTunes, and the ability to make phone calls. How was this a good idea?

One of the few inherent security mechanisms built into web browsers is that they, to some extent, exist in a sandbox. Most of the time Javascript can't access the OS file system, it can't control applications other than the browser, it can't access system resources, and all those are only most of the time. There are plenty of side effects to current web technology that make a security researcher pull their hair out, and that's all in the sandbox. Billy Hoffman's Shmoocon presentation discussed many of these, from keylogging to his own technique for web scanning using just Javascript and his particular brand of maniacal thought.

It would seem, based on current information, Apple is deliberately adding such features creating a potential security nightmare, deliberately adding the ability for web applications to circumvent the sandbox. So what will happened? XSS attacks that rewrite your Addressbook? A hidden iframe that calls 911 for you? Who knows really, but when "webapps" can access system functions it's hard to imagine it staying innocent. Now it's very possible, and I'm in fact hopeful, that Apple has considered these things and put protections into place, but even so it is easy to suppose that this would be a thin veil of separation, and the possibility for misuse could easily be close to the surface.

For a company like Apple, who so often touts their security record (no I will not digress into a discussion of Safari now (but yeah, wow, 2 code execution vulnerabilities in a day?)), to not aggressively market that aspect makes me wonder how much consideration that aspect of design received. All of this is obviously speculating the worst, but as Apple has messaged little to nothing about the security features of the iPhone, leaving everyone to evaluate what they see. And based on what we see of the iPhone's design what else are security researchers to assume?

Or maybe I'm the only one who is worried about all this.... well, there's also Billy.

Time for a Tango

Well I've had a number of people curious about Project Tango. It's been going for a little over a week now, much of the initial work has been completed, and now I'm in the process of tuning some of the back end pieces for finalization and release.

So at this point I'm asking for some help, and in the process am going to give away a few things about the project, so here ya go:

• Are you a security professional who's an information junkie? Shoot me an email and let me know what you look for in getting your fix. What sites you read, what information you want, what information you don't want, and if you'd be interested in the Tango Beta.
  
• Are you a security professional using RSS to feed your information needs, whether addict level or more of a recreational RSS user? Shoot me an email, pet peeves, wants, information you don't or can't get via RSS, and if you'd be interested in the Tango Beta.
• Are you just really curious about what Project Tango is and want to make a compelling case to get in on the beta? Shoot me an email.
  

All email can be sent to tango.beta@vulnerableminds.com and we'll set you up for an early look at Project Tango.

It's the beginning of the rest of the world...

From Errata Security:

"The badass guys at Matasano, namely Dino, just pocketed a cool 10k and a Macbook in the CanSecWest challenge to own a Mac. Tom is right, brace your self for the flood of Mac faithfully posts about why this doesn’t count. I can hear John Gruber tapping away and silent sobbing in the distance."

Yep, guess what, Dino from Matasano Chargren popped a brand new, fully patched MacBook Pro with an 0-day exploit for Apples implimentation of Java exploited through Safari (which is rumored to be vulnerable in Firefox too). Congrats to Dino, and to the rest of the OS X community: Breathe.

Now I'm a big Mac fan. I adore the things. My Mac is the best tool out there for the work I do. As a general computer user and as a security researcher it provides the platform to code, create presentations, work with multiple operating systems, communicate with others, and all the other things I do with a computer. And you know what, I do believe I have to deal with fewer actual instances of malicious code.

Now that is not me saying this doesn't count. It does and everyone needs to acknowledge it. That's not me saying that my Mac is inherently more secure, it is not. Vulnerabilities are errors in how applications are designed and/or implemented. Since Steve J, for all his brilliance, still has people designing and coding the Mac OS, its drivers, its applications, and its hardware that means there will be flaws, mistakes. Just like Windows (NT, XP, or Vista) OS X will experience flaws that can be used maliciously to execute code, corrupt files, and all manner of other things. That's not a new thing since Dino owned that Mac at CanSecWest, that's the way it's always been, and the way it will continue to be.

I take the same stance on this that I've always taken on OS X vulnerabilities. I'm not getting worked up, I'm not changing my habits, I'm not gonna sell my Macbook and get a Thinkpad to put Ubuntu on (though I may keep my Macbook and get a Thinkpad, this one if you're generous, to put Ubuntu on). I'm going to advocate the following things to Mac users:

1. If you're running a Mac, recognize that you don't exist in a bubble of security that can't be popped.
   
2. Be cognizant of what we realized in step 1, and try to learn some good computer use habits.
   
3. Inhale.
4. Exhale.
5. Repeat steps 3 and 4.

Now I have a different set of steps I'm going to advocate to Apple:

1. Get fired up. This was your warning shot, one across the bow. Heed it.
   
2. Double the number of people you're looking to fill the new security jobs available at Apple. Consider tripling it.
   
3. Take a page from Microsoft and become more transparent. Microsoft's security program has an impressive infrastructure for communicating warnings, details, preemptive fixes, and basically how Microsoft is handling things internally to make people safer. Apple has largely kept security information under the radar, releasing patches without saying much more. Time to end that.
4. Another thing to take from Microsoft: build security in from the ground up. The Secure Develoment Lifecycle isn't perfect, but it's a start. Better yet Microsoft has been open about how and what they're doing to secure their software as they build it. Not a bad idea for Apple to develop a program like that, either by creating one, or disclosing the one that they have.
5. Repeat step 5 from the users list.

It's time for everyone, users from John Gruber to my grandmother, and vendors from the Microsoft Mac Business Unit to Apple themselves, to stop believing Macs are inherently secure and start realizing that they are simply, like any other computer, securable.

Followup: Now after discussing this post with a few of the other Minds and like minded folk it may have seemed that I'm suggesting Microsoft has figured security out completely and Apple just needs to copy what Microsoft is doing. I'm not suggesting Microsoft has the answer to creating the ideal operating system security program, just that they're closer than Apple is right now. Microsoft has made many admirable steps (as the nCircle folks seem to agree with me on) and Microsoft should be applauded for doing so. As they say, you eat an elephant one bite at a time. Microsoft seems to be getting that and as for Apple, well, I'm going start working on my own recipe for elephant, but don't wait for me.

Javascript Internal Vulnerability Scanner Source Code

This code was demoed at Shmoocon '07 during the Javascript Malware for a Grey Goo Tomorrow presentation. The code was given to us by our newest mind Mike, and first analyzed by Steve Davis. It allows for client side internal vulnerability scanning through Javascript. It is currently missing a frontend to run it. First one with a front end wins :)

UPDATE 3/25: Source code removed at request of Jikto creator

For the ISI's out there...

That's Information Security Insomniacs, clever I know.

Well it's late and I've been doing Shmoocon prep work all day. I didn't want to call it a night before I posted something interesting.

While no one would confuse me for a big Microsoft fan there are some things I think they've managed to do very well. Necessity being the mother of invention Microsoft has now developed one of, if not the most, expansive computer security programs in the world. I can't speak for anyone else, but I'm always curious what goes on behind closed doors like that, and in this video documentary of the his team Stephen Toulouse really gives you a run of the farm at Microsoft Security Response. Definitely worth a watch.

A vulnerability to be proud of...

*I make this post without any sarcasm, back handedness, or cynacism.*

I would like to congratulate all the members of the OpenBSD team for their second remote vulnerability in 10 years. Really, it's an accomplishment. This may seem like an ironic thing to say, congratulations that a vulnerability has been discovered, PoC code published, and finally patches issued, but really, in my mind it highlights the amazing efforts of the OpenBSD team.

Ten years is a lifetime for a computer system. Ten years ago most people were running Microsoft Windows 95. Since then OpenBSD has had a grand total of 2 remote vulnerabilities. I'm not even going to fathom a guess at the number of Windows vulnerabilities that have been seen since then, but if you've been involved in security long then it won't take long to conjure up memories of the many, many remote Windows vulnerabilities since then.

In a day when Month of [Insert Technology Here] Bugs are occurring for every technology under the sun I think the OpenBSD team should be proud of themselves for the amazing job of proactive software security that they've done. Bugs will happen, vulnerabilities will be discovered, patches will have to be issued. It's a fact of life in any major development project that such things can't all be avoided, but it's great to see someone is actually doing proactive software security well. The OpenBSD team is setting an example that few, if any, are ready to follow. So I hope the OpenBSD folks celebrated this St. Patty's Day, and here's to another 5 years.

Quick Note

Ivan Krstic is scary smart. That is all.

I Dvorak

The grand experiment has begun. After Steve's wonderful diatribe on his good experience with Dvorak, reading the Dvorak zine (comic book style), and after hearing the same for months from al3x, I've jumped in and taken the Dvorak plunge. Friday afternoon, sitting around Murky, I pulled out my trusty little pocket knife/bottle opener and proceeded to painstakingly scrape all the relevant letters off my iBooks keyboard.

Now I don't do well with tedious things, but taking the time to scrap each little letter off all those keys was good preparation for my first few minutes of typing. I'm not going to pretend it wasn't frustrating, because it is. Everything you've been taught, everything you've trained on, all different.

Slowly though thinks got better. I visited the Dvorak zine website and found a lot of great resources that helped me through the initial stages. First I popped onto their Downloads page and downloaded the Dvorak wallpaper, which makes for a very handy reference, especially when combined with Expose.

Now it's two weeks later.....

I'm an undisciplined slob. The wallpaper is still up, my keys are letterless, but I'm still typing QWERTY. This weekend I take another crack, hopefully getting in the practice I wasn't able to get in last time. I still need to be functional at work. Hopefully my practice this weekend will help, but with so much to do it's not really the best time to start typing like a dyslexic 3rd grader. Maybe there never is a good time though.

Any tips from anyone?

Snort 3: Preview

Lately I've had an increasing interest in Snort, everyones favorite open source Intrusion Detection System. While my last project with it ended up being less than effective it has led to the possibility of a much more interesting project, so I count it a blessing in disguise.

I've been using Snort quite a bit since starting my new job but since this last project I've been studying it on a new level. Running two installations was a start, sometimes even running a third, since HenWen is easy and pretty. Last Monday I attended my first meeting of the new Northern Virgina Snort Users Group (no link sadly), a nice collection of professionals very willing to share their knowledge about Snort.

But this is where Snort is now. For those of your curious about the future here it is. A good read if you're interested in the future of IDS as it looks like Snort is going to push the envelope of what's expected from Intrusion Detection.

Frameworks - The Way of the Future

I've finally done something I've been promising to do more lately. I've been programming more. SCARP, yes it needs a new name and no I'm not telling you what it is, has been my project of late and it's great getting back on the wagon. In spite of what I said in a previous post (Does this sound Scripted?: My Love/Hate Relationship) I've been back to learning Ruby. The draw of getting involved again with the Metasploit Project and the evangelism of my friend al3x has convinced me, and it's fully worth it. Ruby, once I got away from Why's Guide, has been a joy. My current project has been good, and it's already leading to a larger project that should be quite interesting.

One of the things that makes Ruby most interesting is Rails; defined by it's inventors as:

"...an open source web framework that's optimized for programmer happiness and sustainable productivity."

A nice application by the folks at 37 Signals, Rails will make my next project possible and I look forward to working with it.

In addition I'm also looking forward to renewing my involvement with the Metasploit Project, which moves to Ruby for version 3.0. Metasploit is defined as:

"...an advanced open-source platform for developing, testing, and using exploit code. This project initially started off as a portable network game and has evolved into a powerful tool for penetration testing, exploit development, and vulnerability research."

Now before you start thinking that this post is going to be about me espousing my love of Ruby you should know I'm not there yet, though on the way. No, what sparked this post was coming across the Backframe Project. Not familiar? Neither was I. Backframe is:

"...an experiment to create a full featured attack console for exploiting web browsers, web users and remote applications. Those who are familiar with XSS Proxy or even BEEF might already be familiar with the core principles of the project.
...
The result of these core principles is an easy to use and understand web-client-oriented attack framework that keep the data, the presentation layer, and the underlying logic apart. This design is known as "the separation of concerns model". This is highly effective practice which allows to easily extend upon the core elements."

What struck me is the fact that frameworks, like Rails, Metasploit, and Backframe, are becoming the new elements of object oriented programming. Since the beginning of OOP there have been classes, even libraries, but now so many modern projects are moving well beyond that, complete applications, complex, intricately designed, with no other use than to facilitate the creation of other applications. The full featured APIs that are coming out of web projects from people like Google and sites like Remember The Milk are close relatives, but they are interfaces, where frameworks are going above and beyond.

What's my conclusion? I don't really know, I'm waiting to see. All I know is that projects like Rails and Metasploit are turning their respective industries on their heads. Rails has made Web 2.0 applications something that aren't just created by the likes of Google, but by some kid sitting in a coffeeshop on a MBP sucking down americanos wearing a goofy Puma sweater. Metasploit took cutting edge exploits, made them easy to develop, and even easier to fire, drastically changing the threat landscape for people like yours truly.

So check out Rails, Metasploit, and Backframe. They're all interesting projects with nice frameworky goodness. I'm not sure if frameworks will be the way of the future, but frameworks have largely become 2006's contribution to the idea of object oriented programming. I'm eager to see what 2007 may offer. And keep your eyes peeled, more fun is on the way.

Might have been better as a Haiku

Dave Aitel, someone who I've disagreed with on a number of occasions but ultimately recognize as one of the best of the offensive end of infosec, put up an interesting little post in his list "Daily Dave". It was almost poetic really, and since many people don't really keep up with Daily Dave (seriously, who likes mailing lists anymore?) I figured I'd repost it here and maybe add a thought or two:

Date: Sat, 2 Dec 2006 21:04:32 -0500

Give up all your Solaris RPC remotes. All your Tru64 tricks, all your
Microsoft client-sides. The bug classes no one has seen yet, forgotten. The
kernel trojans you use daily, gone. All your shells. The ISPs, the wacky
personal servers of the developers everyone else reveres. Your
ex-girlfriend's laptop. Every exploit and click-script. Lose everything you
know.

Give it all up, and never look back. If you are a Unix hacker, switch to
Microsoft. If Win32, install Linux and never call a Windows API ever again.

Now try again.

-dave

I for one couldn't agree more. As security professionals it's easy to get locked into our tools, especially operating systems. It's natural. We're creatures of habit as human beings, and this is only exacerbated with our work in the security world. We spend our lives looking at and for anomalies, the new things, the cutting edge. I think many of us get very habitual about things because we're trying to give ourselves the slightest bit of consistency as a framework in the constant search of the anomalous.

Still, Dave's point has nearly infinite merit. Every bit of time spent with new tools, new systems, new malware, new operating systems, all of it is increased knowledge, gained familiarity, the chance to discover something new. Sometimes it's done to learn something specific, more often we don't even know when it will come in handy. Being comfortable with your tools is good, but being comfortable with a more diverse set of tools is even better.

I'm the first to admit I've become fairly comfortable, even though I'm fairly diverse. My personal laptop, called Kaylee, is running OSX. My desktop, called Book, is running my Linux distro of choice, Ubuntu. Beyond that I use Windows here and there, but I'm still far from as familiar as I'd like to be, especially as I attempt to better learn the offensive end of infosec. I could also stand to spend some time digging around some of the other big operating systems out there, most notably Solaris.

Maybe it'll be like getting a new piece of furniture, not so familiar, but functional, and maybe more in style.That being said everyone has that old, beat up, junky couch they just can't throw out, I guess there just has to be a place for both.

3rd World Fragging

The OLPC Project, one of my current fascinations, although more from the information security perspective, has finally become a complete and valid computing device, at least in some peoples eyes. That's right folks, the OLPC is now running Doom.



It's sad, but this is getting to be a benchmark of hardware maturity. Especially in this case it's not like these things could have other uses, or like there aren't other, dare I say more worthy pieces of the project that could be worked on. And yet, someone took more than a little time to make this all run correctly.

If I'm honest with myself I guess I'm just amazed it took this long.

Does this sound Scripted?: My Love/Hate Relationship

Let me just be up front so my bias is evident:

• I hate Perl. Hate it. Like I hate liver and onions .
• Ruby is nice, but a bit too esoteric for me. I want to learn it, I just never get through it.
• Python I'm getting to know, and it's not so bad so far.

Every relationship I've ever been in goes through a few phases. According to this Wikipedia article on relationships the phases are: Contact, Involvement, Intimacy, and Deterioration. This may be odd to say, but I have a relationship with many scripting languages, but most notably the three above. Many people I know have been curious about possibly, or are already in the process of, starting relationships with these languages, as a good friend I just want to give my two cents, how these given relationships were or are going for me.

Perl:

• Contact: As I began delving into Linux starting my senior year of high school Perl was part of my introduction, as well as the first scripting language I got interested in. In the beginning I thought of it as the sustaining language, great for automating and creating apps rapidly.
• Involvement: Most of my involvement phase, getting to know the language, was through the very very good Learning Perl book from O'Reilly, which really sets the standard to me of how a programming guide should be. We slowly and thoughtfully got to know each other, with many sample programs throughout the way, but nicely separated, to allow us to really see how well we knew each other.
• Intimacy: Perl and I were actually fairly intimate for a long time, but I was never really happy in the relationship. Perl was easy to get to know, and I knew it well, so it was quick to be my choice for small projects where another language was specified. Perl helped me develop a number of small but functional applications, and was the language of the Metasploit Project, a security project I contributed to on a couple occasions.
  
• Deterioration: It was actually down hill the whole way with Perl. After getting through involvement I never really enjoyed Intimacy with Perl. It was ugly, it was difficult to work with, and it was often very confusing to look at, even Perl I'd created myself. Perl also felt very behind the times, and even newer versions seemed to add few things to keep Perl looking modern and attractive.
  
• Conclusion: Perl may be attractive to some, but this really seems to be a first impression thing. Perl remains slow, behind the times, and frankly the more you get to know it, ugly. Perhaps this is simply it's unique beauty since I know many people who love Perl for it's "flexible syntax" and many many ways to accomplish the exact same result, though in my mind it just makes Perl difficult and confusing. O and every other language on earth can do Regex's, really, not that unique.
  

Ruby:

• Contact: My initial contact with Ruby, like my contact with many cutting edge web technologies, came from the ever edge cutting al3x. This crazy lil language from Japan, I was told, was totally Object Oriented (and I do <3>
• Involvement: Here is where Ruby got tricky for me. Ruby and I had a hard time getting to know each other. My guide was Why's Poignant Guide to Ruby, an amusing tome (and tome really is an appropriate word in this case) that completely failed to allow me to really get to know Ruby well enough for Intimacy to bloom. So much time was spent just learning each others ins and outs, obscure datatypes, little tricks, as taught by cartoon foxes (really, I kid you not), that reaching a time of Intimacy, actually coding some Ruby, never arrived, and more than once I gave up before getting to that point.
• Intimacy: Never reached, and while it seems like many others have enjoyed it I never go the chance. I blame the lack of practical examples during the Involvement phase.
  
• Deterioration: D.O.A. really.
  
• Conclusion: Ruby is a great language, there's no doubt about it, and for many it has lead to the creation of a lot of awesome applications. We just never had it though. It seems like a great thing for a lot of people, just look at those crazy fellows (and ladies I'm sure) at 37 Signals and all their rockin' stuff. I'd recommend it, but we just didn't have the knack.
  

Python:

• Contact: Python was always "the other scripting language" to me. I knew very little about it actually, and I'm just now really starting to become familiar. It's been the language of choice of many, but never one I got into especially. Lately though with my lacking affection for Perl and inability to get to know Ruby, Python has becoming increasingly attractive.
  
• Involvement: Well our involvement is just getting started, but so far it's been going well. Python and I have been getting to know each other over Dive Into Python, which seems to be a very nice guide to this fairly simple to understand language. It's got the OOPiness of Ruby, and being a whitespace aware language it's fairly good about keeping a consistent and easy to read style. I'm really enjoying it so far.
• Intimacy: Haven't quite gotten there yet, but I have a feeling we'll be there soon, and I think it'll be pretty amazing. Not to get too kinky, but al3x might be involved too. I'll be sure to post updates and maybe even pictures (wow, let it be said I have taken personification to a disturbing end).
  
• Deterioration: Well I'm not gonna say we'll be together forever, but the end is not yet in sight, but I'll be sure to post updates.
  
• Conclusion: It's yet to be seen, but I have high hopes. I'll still hold off my judgment until we make it out of the Honeymoon Phase.

But hey, as far as relationship options, these aren't too bad. I could be stuck with some fat, bloated, slow possibility like C# or Java.