ConceptNet (http://web.media.mit.edu/%7Ehugo/conceptnet/) is a common sense reasoning framework/database from the MIT Media lab. From their website "ConceptNet is a freely available commonsense knowledgebase and natural-language-processing toolkit which supports many practical textual-reasoning tasks over real-world documents right out-of-the-box". For a detailed explanation of the type of reasoning it supports and how it works check out either of the papers found on its home page (http://web.media.mit.edu/%7Ehugo/conceptnet/). Right now though, I'm going to run through some ways you could use it and hopefully you'll be able to think of many more.

To cut straight to the point, the development version of VoIPER is essentially at a stage where it is ready for testing against SIP servers. While I can test open source servers and what not myself, I would also like to test proprietary SIP compliant devices as I've had reports the current version has killed a number of hardphones and proprietary softphones. Anyone with access to Cisco, Avaya, Nortel etc. hardware or proprietary software, and would like to help out , can contact me at nnp [at symbol] unprotectedhex.com. Im interested in testing pretty much anything so phones, gateways, proxies etc are all fair game.

I've uploaded the latest version of VoIPER to sourceforge. Check out the site (http://voiper.sourceforge.net) for the release notes and change log. There aren't that many updates in this release as I've put most of the development effort into the dev branch. I've uploaded the work I've done on that to the Sourceforge SVN repository but I wouldn't recommend using it for the moment, as it is thoroughly untested and hilariously full of new stuff. Yes, thats right....stuff! More stuff than you can shake a strcpy() flavoured stick at in fact! I've also started using the wiki (http://voiper.wiki.sourceforge.net) on sourceforge to store tutorials and development info related to VoIPER. I might move that to Unprotectedhex.com though as 50% of the page display on Sourceforge appears to be taken up with menus and advertisments.

My talk on testing VoIP devices has been accepted for DEFCON so looks like I'll be on my way to Vegas in August. The title the talk is VoIPER: Smashing the VoIP stack while you sleep and the abstract can be found here. (http://defcon.org/html/defcon-16/dc-16-speakers.html#NNP) Should be fun! I've a number of updates planned for VoIPER between now and then, including the entirely rewrote protocol/transaction modules, a number of new SIP fuzzers and hopefully IAX/H.323 support. The next release will be v0.05 in a few days that has a couple of bug fixes and one or two other changes.

I have uploaded the first public release of VoIPER to sourceforge (http://sourceforge.net/projects/voiper/). Download it and check out the release notes (http://voiper.sourceforge.net) etc. for more info. The main focus of this release was getting a solid base on which to expand on in the future with a focus on ease of use and extensive testing. For the moment the fuzzer incorporates tests for - SIP INVITE (3 different test suites) - SIP ACK - SIP CANCEL - SIP request structure - SDP over SIPThis translates to well over 200,000 generated tests covering all SIP attributes specified in RFC 3261 for the given messages. Missing from this release is the protocol state tracking logic as I want to do some further testing of that before a public release.

So I got back from Oxford last night, after heading over for an interview for a Msc in Computer Science. I'd heard a number of stories of the type of questions that arise in interviews there so I was expecting to be asked to stand on my head, throw a brick through a window, explain the meaning of 42 and all the while knitting a fine woolen coat (possibly a slight exaggeration). In the end the questions were comparably mundane. Basically 15-20 minutes of 'Why Oxford?', 'Why the course?' etc and then two math problems which were as follows: 1) You have a M x N grid of squares. How many different rectangles can you create. Partial overlaps are allowed.2) Given an ordered sequence s, containing elements such that for the sequence x, y, z, x < y < z, give an efficient algorithm that calculates how many pairs of elements add up to t, some integer value. e.g.

What follows is a short (1600 words), and probably devisive, discussion of why I think many open source projects would be better served by a license other than the GNU GPL. (Cheers to Sully (http://ssully.blogspot.com) for fixing my rather appaling grammar and proof reading) It is also available in PDF (http://www.unprotectedhex.com/articles/gpl.pdf) and RTF (http://www.unprotectedhex.com/articles/gpl.rtf) fomats The GNU General Purpose License (GPL) is a tenet of the open source community, and considered by many to be the foundation of the open source movement. It facilitates the free and unhindered distribution and modification of software whilst protecting this software and its copyright owners from a multitude of potential abuses.

Just thought I'd mention I've finally come up with a release date for the first public version of VoIPER. On the 17th of this month I will upload it and any related documentation to the sourceforge project site (http://www.sourceforge.net/projects/voiper). Until then there is a demo video located here (http://www.unprotectedhex.com/tools/voiper/demo1.avi) [17 MB]As for vulnerability disclosures, most vulnerabilities will be kept private but the public code will not be altered in any way to prevent others discovering these same issues.Click 'Read more' to view some data on the empirical testing I performed using VoIPER

So while messing with some VoIP phone a few minutes ago I came across a piece of code that I'm hoping was put in purposefully for April fools day. The offending code was a C++ assert() which naturally enough killed the program when it was violated. What the bloody hell is the point of that? Eh? I mean what that tells me is that the developers acknowledged the possibility of this event occuring and instead of doing something productive like....uh.... returning one of the many error codes SIP provides for, they just said 'screw it' and lobbed in an assert(). What does that mean? Well it means a slightly more nefarious/bored person than me could sit around all day just disabling phones because of some muppet of a developer. Depressing.On a slightly more uplifting note, german folk dance metal isn't quite the obscenity of a musical genre as one might expect. Tanzwut and Saltatio Mortis being good examples.

So I stumbled onto the Internet this morning, bleary eyed and without my caffeine fix. This would prove to be a mistake. I'm not going to detail exactly how many hoax sites and news stories I was caught out by before my brain decided to turn up and give me a kicking so I'll just mention the more interesting ones I've come across so far.Metasploit.com - A new homepage with added evil which had me convinced they'd been hacked SecurityLab.ru - Used an XSS hole in the UN.org site to back up a fake story which is pretty cool (http://www.securitylab.ru/news/extra/349440.php) BBC.co.uk - Same story as the previous but this time the delivery is through an XSS hole in the BBC site I'm sure more will turn up as I stumble my gullible way across the Internet today.