Saturday, January 23, 2016

How am I studying Japanese?

This is a question I get a lot. Actually, no. But if I did get that a lot this would be the answer. :D

I got the idea of writing this from this post on the Learn Japanese with Tae Kim Facebook group. I started learning this language when I was back in Brazil in May 2014. Almost two years now and I am still a beginner (even though I didn't really take this seriously back home).

I first started by subscribing to the www.japanesepod101.com website. The content is ok, the method isn't that great, but it was more than enough to get me started.

Now I am living in Japan and, even though I learn a lot from my daily life, I felt like I needed a system to make my learning progress more effective. I wanna be fluent in less than 1 year from now so I can enjoy the most of the experiences I am having here and I figured out that every time I decided to work like "2 hours of Japanese study every day" I got bored really quickly or just gave up altogether. Because you know, "I only have 10 minutes before going to bed... so it is not the 2 hours I set myself to do".

So, the system I came up with is to get myself into situations where I have to use Japanese. Whenever I receive a letter I try to read it (but usually I have a friend confirm the contents because I don't wanna get in trouble with the bank lol), I decided to avoid spending time with English speakers by not making new English speaker friends (I am not going to avoid my current friends, so I just try to meet Japanese people with no interest in English instead). I found out this system is making a huge difference on how fast I learn and how confident I am with using the little I know. So here it goes:


  1. Like most people here, I commute to work by train. When going to work I go through Anki flash cards. The collection of cards changes every now and then, but at the moment I am focusing on phrases taken from the Human Japanese app - I really want to buy the app now, btw - and kanji from the weirdly good Kanji Damage site. I usually study from 100 to 200 cards every day and always on my way to work. If I leave it for when I am coming back, tired, I know I will not study.
  2. I usually go to lunch by myself and try to get into situations where I need to get by with the little I know.
  3. I go out with my Japanese friends and get into some activities that are 100% in Japanese. I think I really understand about 10% of what is said, but I usually can get the gist of what is going on. And whenever I realize some word I don't know is being used over and over again I go to jisho.org using my phone to look it up. I am glad my Japanese friends are so patient and understanding with me.
  4. I listen to www.japanesepod101.com about 3 times a week. I usually do this before going to bed, while cooking or doing other boring tasks that keep my hands busy. And as soon as I can understand the conversation, even if I don't really know every single word by heart, I move on to the next lesson because I know they will keep reusing most of those words anyway.

After I adopted this system I started saying things I didn't really know the meaning of (meaning I never studied that before), but I say them in the right way, the right context, and meaning exactly what I wanted to express. THIS is what it means to speak a language. If you are translating what you wanna say from your language to your target language back and forth then you are doing it wrong.

And if you think that it doesn't work, the fact I can write this blog is enough proof that it does in fact work. I did basically the same with the English language after I got the verb to be covered and now I am fluent enough to work with native people in an environment where the understanding of English language is crucial.

This was a long post, but I really hope it helps you with some ideas and gets you motivated in your quest of learning whatever language you feel like learning now.

See you in the next post.. or not - we both know it will be like 2 years until my next post, and by then we don't even know if Google will still be keeping blogger up and running.

Living in Japan!

I know I won't keep my word if I say I will keep this blog updated. Life happens, and I tend to be really busy. So I am doing something different this time.

I am just going to write a small update on what is going on with my life.

But wait... wtf, English?! This was supposed to be a blog written in Portuguese language! What the fuck?!

Settle down, will ya?! So, as the title of the post says, I moved to Japan. This is a country far far away from Brazil (it takes about 30 long hours to get from São Paulo city to Tokyo) and in case you didn't know the language spoken here is 日本語. Exactly, if you don't know how to read what I just wrote then you get where I am going at.

More and more foreigners come to Japan each and every year. But Japanese (or ni.ho.n.go in something called romaji - actually you don't use the dots in romaji; I added this so you get the cadence of the language) is a very different language. And the writing system is based on the Chinese writing system, which uses Kanji (漢字). In case of the Japanese language they even added more... unh.... "complexity" with two new sets of characters (in fact this simplifies a lot our lives, because instead of having to learn 20000+ kanji you only need to learn about 1/10 of that to be fluent - or kinda fluent, I am not there yet so I don't really know).

So yeah, Japanese is different. And you can't really read once you get out of your airplane (so, even using a dictionary can be difficult). So what do you do? Well, you meet some foreigners that have been here longer than you! They come from everywhere, having different native languages. But they all tend to have something in common: English as a 2nd language.

So, here it goes. I am focusing now on writing in English about Japanese things until I really know enough Japanese to write in Japanese, if that ever happens.


This got already too long and I am not going to proofread this anytime soon, so I am going to just stop... and move on to the next post (I kinda feel inspired today lol)

Tuesday, September 3, 2013

Dusting Off

A year and tra-la-la (ok, a year and a half and tra-la-la) later, I decided to dust off my blog.

What happened? I graduated, I am working as a DevOp, I moved back to SP, I closed my company.... ah, things and more things.

I decided, with my boss's support, to go back to writing here - although I never really wrote properly. So here we go; a few rules I intend to follow.

  • write primarily in Portuguese (I will avoid using English, but every now and then there will be no way around it)
  • publish exclusively about technologies I have mastered to a certain level (tempting as it may be, I will avoid publishing about rumors)
  • create posts with some frequency

So... dust removed, what am I going to write about now?

Saturday, April 14, 2012

FreeBSD, it might as well be called Urutu

It's been ages since I last posted; I hate coming up with ideas for the blog. But there are times when an idea or story comes to me that I think is worth sharing.

Well, this week the power here at home fluctuated like f-u-c-k! No kidding, on the day it happened my machine rebooted about 30 times.

WELL, anyone who is already a PC user knows what to expect: corrupted file system, bad clusters hidden on the HD and things like that. Well... not if you use FreeBSD with ZFS.

None of those gigantic "transaction replayed" messages from other file systems. No lost files. No headache! Yes, zero headache.

This thing really is a war tank. \o/

Friday, January 20, 2012

Thank you AdaCore

My last post was about the attack method described at the 28c3 conference and how it affected AWS servers.

The folks at AdaCore quickly picked up this issue and on the same day they already had it fixed in their repository. Now they are making public releases with the fix.


It's amazing how quickly they fixed this. And they were really kind in keeping me up to date with the situation.

If you compare this response with the one of larger teams such as Tomcat and PHP I'd say it's a huge win to AdaCore and the Ada community in general.

Thanks AdaCore.



Tuesday, January 17, 2012

28c3: Effective Denial of Service attacks against web application platforms :: AWS round

Update:  as of 2011-01-19, AdaCore is aware of the situation and is already working on a fix to this problem.

Update 2:  as of 2011-01-19 (yes, the same day), the problem is fixed in the repository (revision 9f1405).

Update 3: AdaCore changed its name from ACT several years ago. Changed all references to that name accordingly. Sorry about that. :)

Update 4: as Pascal Obry informed in his comment on this post, the updated version is available to all AdaCore customers and the GPL version has been updated at Open-DO forge.

A few weeks ago, the following video was released:




Well, those guys did a great job not only studying this vulnerability but also spreading the news. Then the question arose: is Ada Web Server vulnerable to this sort of attack?

The short answer is: sadly yes. This post tries to explain how we have tested this issue.

Keep in mind that in only a few hours I managed to get this code working and managed to keep my server at 100% for over 3 minutes with only 46656 variables in my post request.

The compiler used was GNAT GPL 2011. The AWS version is 2.10.0. And the operating system is Sabayon Linux.

Introduction



It all started at the #ada IRC channel at freenode. As I am used to running AWS servers all around I was curious if my servers were vulnerable or not.

After some research on the web I realized there wasn't any official report on the issue and I couldn't find anything useful. So, I went to the chat room and started talking to jesselang.

He discovered that AWS uses the Ada.Strings.Hash function internally. As it isn't really complex I realized we were not safe.
This is the actual implementation of this function (which is actually inside the file s-strhas.adb in your GNAT distribution):

------------------------------------------------------------------------------
--                                                                          --
--                         GNAT COMPILER COMPONENTS                         --
--                                                                          --
--                    S Y S T E M . S T R I N G _ H A S H                   --
--                                                                          --
--                                 S p e c                                  --
--                                                                          --
--             Copyright (C) 2009, Free Software Foundation, Inc.           --
--                                                                          --
-- GNAT is free software;  you can  redistribute it  and/or modify it under --
-- terms of the  GNU General Public License as published  by the Free Soft- --
-- ware  Foundation;  either version 3,  or (at your option) any later ver- --
-- sion.  GNAT is distributed in the hope that it will be useful, but WITH- --
-- OUT ANY WARRANTY;  without even the  implied warranty of MERCHANTABILITY --
-- or FITNESS FOR A PARTICULAR PURPOSE.                                     --
--                                                                          --
--                                                                          --
--                                                                          --
--                                                                          --
--                                                                          --
-- You should have received a copy of the GNU General Public License and    --
-- a copy of the GCC Runtime Library Exception along with this program;     --
-- see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see    --
--                                                                          --
-- GNAT was originally developed  by the GNAT team at  New York University. --
-- Extensive contributions were provided by Ada Core Technologies Inc.      --
--                                                                          --
------------------------------------------------------------------------------

pragma Compiler_Unit;

package body System.String_Hash is

   --  Compute a hash value for a key. The approach here is follows the
   --  algorithm used in GNU Awk and the ndbm substitute SDBM by Ozan Yigit.

   ----------
   -- Hash --
   ----------

   function Hash (Key : Key_Type) return Hash_Type is

      pragma Compile_Time_Error
        (Hash_Type'Modulus /= 2 ** 32
          or else Hash_Type'First /= 0
          or else Hash_Type'Last /= 2 ** 32 - 1,
         "Hash_Type must be 32-bit modular with range 0 .. 2**32-1");

      function Shift_Left
        (Value  : Hash_Type;
         Amount : Natural) return Hash_Type;
      pragma Import (Intrinsic, Shift_Left);

      H : Hash_Type;

   begin
      H := 0;
      for J in Key'Range loop
         H := Char_Type'Pos (Key (J))
                + Shift_Left (H, 6) + Shift_Left (H, 16) - H;
      end loop;

      return H;
   end Hash;

end System.String_Hash;


Turns out this is a linear hash function. It should be easy to come up with a reverse algorithm, but ...

Generating Strings with Colliding Hash


Generating a code for this should be hard. I haven't got lazy right from the start; I spent like 20 minutes trying to crack this up but as I have no previous experience in doing such thing and binary arithmetic isn't really my thing I decided to go for the brute force approach. :)

So I generated a short string. Something arbitrary, such as "ccc" (that's actually what I used). And I implemented a dirty loop to generate substrings with 6 characters each with the same hash. Bingo! I found out 12 strings but I decided to use only 8 of them for they only had alphanumeric characters.

And here is the pretty thing: as this hash function is linear all I had to do is to combine all those strings. I came up with 46656 combinations in total - only because I didn't want big variable names in my post requests.
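The "combine" step above follows from an identity of this hash: the hash of A & B depends on A only through hash(A) and the length of B. The sketch below is an added example, not code from this post or from AdaCore: a Python port of the Hash loop that checks the identity at 32 bits, then uses a scaled-down 8-bit copy of the same recurrence and a toy chained table (both assumptions of the example, as are all function names) to compare insertion cost against a keyed BLAKE2b hash, which is a swapped-in mitigation and not the fix AdaCore shipped.

```python
import hashlib
import os
from itertools import product

M32 = 2 ** 32
MULT = 65599  # (h << 6) + (h << 16) - h == h * 65599


def gnat_hash(key: bytes, modulus: int = M32) -> int:
    """Python port of the loop in System.String_Hash.Hash shown above."""
    h = 0
    for c in key:
        h = (c + (h << 6) + (h << 16) - h) % modulus
    return h


def concat_hash(hash_a: int, b: bytes) -> int:
    """Hash of A & B from hash(A) alone: the content of A no longer matters."""
    return (hash_a * pow(MULT, len(b), M32) + gnat_hash(b)) % M32


def colliding_blocks(modulus=256, alphabet=b"abcdefghijklmnopqrstuvwxyz", want=4):
    """Exhaustive search over 2-letter blocks in the scaled-down (8-bit) model."""
    groups = {}
    for pair in product(alphabet, repeat=2):
        block = bytes(pair)
        groups.setdefault(gnat_hash(block, modulus), []).append(block)
    return max(groups.values(), key=len)[:want]


def compose(blocks, count):
    """Every concatenation of `count` equal-hash blocks; all share one hash."""
    return [b"".join(p) for p in product(blocks, repeat=count)]


def keyed_hash(key: bytes, secret: bytes) -> int:
    """Assumed mitigation: BLAKE2b keyed with a per-process random secret."""
    digest = hashlib.blake2b(key, digest_size=4, key=secret).digest()
    return int.from_bytes(digest, "big")


def insert_cost(keys, hash_fn, buckets=256):
    """Key comparisons a toy chained table makes while inserting distinct keys."""
    table, comparisons = {}, 0
    for k in keys:
        chain = table.setdefault(hash_fn(k) % buckets, [])
        comparisons += len(chain)  # a miss walks the whole chain
        chain.append(k)
    return comparisons


if __name__ == "__main__":
    keys = compose(colliding_blocks(), 3)  # 4**3 = 64 constructed names
    secret = os.urandom(16)                # chosen once per process
    weak = insert_cost(keys, lambda k: gnat_hash(k, 256))
    keyed = insert_cost(keys, lambda k: keyed_hash(k, secret))
    print(len(keys), "keys: unkeyed", weak, "comparisons, keyed", keyed)
```

With every key in one chain the cost is n(n-1)/2 comparisons; in this toy model the 46656 names mentioned above would need roughly 1.09 billion comparisons for a single request.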

Another thing I found out is that it seems to be quite more likely to have collisions in bigger strings. First I tested against "tt" and came up with only 4 usable collisions. Adding another character gave me twice as many. I haven't really tested this though.


The attack

I decided to use AWS.Client to implement my attack on AWS.Server. Ironic, isn't it?

The code is really simple. Using unbounded string as a buffer I generated a string containing all the post data I needed. And then I invoked the AWS.Client.Post function. The client code is quite fast (really, less than 1 second).

Now the server code. I just implemented a hello world. Simple as that. It's actually a slightly changed version of the code listed in Gem #29 AdaCore have published. The changes were just to check if I was calling AWS.Client right, before I did the not-so-tricky part of generating the post data. Of course.

The results


I ran both client and server on a computer with an AMD Athlon(tm) II X4 640 Processor and 4 GB of RAM. The client being small I see no problem. :)

As expected, the client kept my server using 100% of one core. It stayed that way until the process completion, which took well over 3 minutes.

Firing up 5 client instances managed to get a DoS.

The brute force, client and server codes have all been forwarded to jesselang's email address, who will kindly report back to Ada Core Technologies. With any luck we will be seeing a patch for this in the near future.


Conclusion


It was a really bad surprise finding any information about this issue online. I don't know if Ada Core has been working on it already or they have ignored it completely. Until there is a fix for this available, let's hope no one uses this to damage running systems.
 
Even more astonishing is that the development community (with the exception of perl community) assumed plain Hash tables are great for everything. I've avoided it in the past for security reasons myself. After seeing anyone using hash table I decided to use it a lot.... and now I've been using Hash table myself to represent json data and key/value pairs from configuration files. Time to review all my code. :)

Friday, November 4, 2011

FreeBSD :: Tips for Linux Users

I have been a Linux user since the days of Conectiva Linux (version 6, I think); I went on to use Mandrake 9, Slackware 7, and when I discovered Gentoo my life changed completely.

I can say that since the late 90s (I don't remember the exact year) I have been exclusively a Linux user, dabbling in Windows and more recently MacOS X only on isolated occasions for work.

During that time I ventured into FreeBSD several times but always gave up - quite quickly, in fact. But that was until I discovered ZFS and decided that I want it on my servers. Mastering FreeBSD became a mission and I learned the ropes.

This post is a collection of tips for experienced users of the Linux world. If you are a newbie you can pick up several tips too, but I am not going to keep explaining Linux things.

File System

By default FreeBSD uses UFS2. Go for it; forget ext3, reiserfs or anything else you are used to using. It does not support journaling, but instead implements another strategy that in the end guarantees the same kind of result.

I recommend starting with the partition layout recommended by the installer; analyze it and create an equivalent one, with a generous amount of free space to be used by ZFS later. First master the system and then use the advanced options, but do it in a planned way.

Ports

FreeBSD is based on the excellent ports (which, in fact, inspired Gentoo's portage). Ports is a collection of makefiles located in /usr/ports. A new user's first reaction is to locate the package inside the directory tree and fire off make install clean, for example:

# cd /usr/ports/net/mediatomb && make install clean

This works, but what you will notice is that the installation stops midway all the time to configure some dependency; let's face it, it is very annoying to spend hours in front of the computer waiting for the manager to download and install everything just to answer certain configuration prompts; a real pain! The process becomes much simpler using portinstall. The equivalent command helps a lot:

portinstall -c mediatomb

The -c option of portinstall causes all the configuration prompts to be presented at the beginning of the process. This speeds things up a lot and makes administering the system much more pleasant (and on this point I personally think it ends up beating Gentoo's USE flags, since you are forced to read the options at install time and the configuration is per package, not system-wide).

Although this allows absolute control over how each package behaves, each package is compiled from source; if you are on an old machine and don't have much patience to wait for everything to compile, it is not worth it. The alternative is to use binary packages.

Binary Packages

Binary packages with default configuration exist. There are many of them and they can be downloaded via ftp and then installed with pkg_add. But one thing that does not get the attention it deserves is this tool's -r option. With it, pkg_add behaves the way equo or apt-get behave by default. It downloads and installs all the dependencies accordingly. For example, to install KDE 4 with all its dependencies just call:

pkg_add -r kde4

Initscripts

Like every good Gentooer, I am very used to the excellent rc-update tool. Unfortunately it does not exist here, but something quite clever was devised: the /etc/rc.conf file. Basically, in this mediatomb example, just add the line:

mediatomb_enable="YES"

Other interesting options exist in this file; it is worth taking a look.

Kernel modules

Kernel modules can be loaded manually with the kldload tool. And for specific modules, such as ZFS, there are initscripts.

What else?

The first source of information should be the FreeBSD handbook, which can be found here. For the rest, use Google, and whenever you need it the ##freebsd IRC channel on the freenode.org server is full of helpful developers.