Limitations of SNMPv3/USM When Combined With EngineID Discovery

SNMPv3/USM, unfortunately, does suffer from some elements of man-in-the-middle attacks. But these are poorly understood and certainly not well documented (if at all). This document attempts to describe the weakness inherent in the SNMPv3/USM protocol.

Background and Conventions

Although this document coves some of the necessary background, it’s still expected that the reader already understands how SNMPv3 with its User Based Security Model (USM) works. The details of the SNMPv3 protocol and the USM-subprotocol aren’t discussed in this write-up.

It’s also expected that the reader is familiar with the USM concept of “discovery”, which can be summarized at a high level as this: a manager is allowed to send a “probe” message to an agent and the agent should return a “report” message that says “I’m using securityEngineID 1234″. An important element of this discovery request and response process is that it’s fundamentally unauthenticated. There is no proof that the agent responding actually is the right agent. The belief is that because future requests and responses are authenticated and use a key only known to the agent the manager wants to communicate with that the unauthenticated discovery request isn’t a big deal. But, in fact, it is and it does open the door for certain types of man-in-the-middle attacks.

USM contains a key-localization process provides the ability for the administrator to provide only a master password or a master key and the management software can transform that key through a series of one-way hashes into a key which is unique to each agent that the packets are destined for. Though this does prevent keys stolen from one agent from being used to break into another, it doesn’t help in the problem described below as will be shown. It won’t matter if the key localization process is used or not; they could have been randomly generated for each remote agent.

For documentation simplicity I’m only showing the use of one key in this document. But in SNMPv3/USM there are actually two: one for authentication and one for encryption. For purposes of the discussion, however, we can treat the keys as a “pair” and any time one is affected then so is the other.

SNMPv3 also has the notion of a contextEngineID, which is not discussed in this document as it is not relevant. Only USM’s specific securityEngineID is relevant to this discussion.

Typical Real-World SNMPv3/USM Start-Up Sequence

Pictures are always easier to understand, so let’s pretend we have the following network setup. Agent B will be colored red in these pictures since in the examples below we’ll consider it to be a machine which has been taken over by an attacker.

Typically a management station starts talking to an agent for the first time over SNMPv3/USM it will send an an securityEngineID request. And, of course, the agent sends back a response with its own securityEngineID:

At this point, the management station can start sending authenticated and encrypted traffic to the agent by using the authentication and encryption key assigned to the given securityName for the remote agent. Each agent has its own unique key pair that the manager uses to communicate with it and internally the manager has a table (the usmUserTable) of all the users and keys for the agent it wants to talk to.

The Attack

The problem with this situation is that the manager uses two values in order to look up the key for a given communication.

  1. It uses the securityName value it was given by some dialog box or command line option. In these diagrams this value is “userJoe”.
  2. The securityEngineID that it potentially learned from the discovery process.

But Discovery Results Aren’t Authenticated

Assume in the diagrams that Agent B has been compromised and it’s keys are now known to the attacker. Normally traffic sent from the manager to Agent A should be authenticated and encrypted with Agent A’s keys. This means that Agent B shouldn’t be able to see or respond to requests sent to Agent A because it doesn’t know the right keys.

But, if an attacker has compromised a device that is able to see traffic destined for more than just itself (e.g. when connect to a hub or truly in the middle of the path) then there is a problem if it can also spoof traffic. All it has to do is spoof responses to other addresses with its own securityEngineID for any securityEngineID probe that comes it can see. It will have to do this faster, of course, than the real agent can respond (but that can frequently be easily helped by launching DOS attacks). The end result is that the manager will get back a packet in response to it’s securityEngineID probe with a packet that looks like it was from Agent A but internally has a securityEngineID for Agent B.

Now, the manager thinks it has the right securityEngineID for Agent A, but in fact has the wrong securityEngineID for it (i.e. it has “engineIDB”). It uses this securityEngineID (“engineIDB”) in combination with the operator-provided securityName (“userJoe”) as indexes into it’s user/key table to figure out which key to use for protecting traffic. This look-up succeeds in finding a key, but has in fact found the wrong key for the agent it wants to talk to (Agent A). Instead, it finds Agent B’s key and starts its communications using KeyB.

Agent A will actually drop any requests that fail authentication (possibly sending a notification; but more on that later). But Agent B no longer even has to beat Agent A’s response back to the manager so there won’t be a race any longer and Agent B has successfully captured the entire communication stream until the manager looses its knowledge of Agent A’s securityEngineID again.

What Power Does This Leave Agent B With?

This only buys Agent B two things:

  1. The power to receive and decrypt traffic that was intended for Agent A. Typically GET and GETNEXT requests from a manager shouldn’t have anything but OIDs in them (though from an analysis point of view it might contain information about what functionality Agent A is supposed to have). SET requests, however, might have more interesting information encoded into the values that might be worth “stealing”.
  2. The power to spoof Agent A and return fictitious data from it. Agent B can now adequately pretend to be Agent A and thus can return bogus data as well as pretend to have acted as if SET requests had really been processed. This lets untold number of bad things happen, including convincing a management station that a device is fine when it really isn’t, under-reporting bandwidth usage, etc…

Protecting Yourself From The Attack

There are only a few choices when considering what to do about this attack:

  1. Understand the weakness and be OK with it. Just don’t be ignorant of it.
    • Understand that:
      • Management data sent from the management station can be stolen.
      • An agent can be “spoofed”. A management application may think it’s talking to agent A which has possibly:
        • Accepted and acted upon SET data.
        • Has returned real and true values that you can trust to be from that agent.
    • Protect yourself as best as possible:
      • Leaving your management applications long-running so they memorize securityEngineIDs can be helpful (though if the attacker succeeds at any point, you’ll believe he’s the right agent for a longer period of time so it’s still a trade off).
      • Doing a “leap of faith” type approach and believing the first securityEngineID and expecting it “from then on” (even if the management station is shut down; though I don’t know of software that stores securityEngineIDs in persistent storage.).
  2. Don’t use the securityEngineID discovery process and pre-populate the management database with the real expected securityEngineIDs extracted from their consoles. Unfortunately, this doesn’t scale well. And thus I don’t know of a single person who actually manages their network this way.
  3. Use different securityNames on every agent. Unfortunately, this doesn’t scale well either. I don’t know of a single person that manages their network this way either.
  4. Use another form of SNMPv3 security, such as SNMP/SSH transport or the upcoming SNMP/(D)TLS transport. These forms of SNMPv3 don’t suffer from this weakness but have only recently been defined by the IETF and aren’t widely implemented and deployed.
  5. Only run management commands over a protected physically separate and entirely switched network. Fortunately, this is frequently common practice. Though it doesn’t necessarily eliminate the threat depending on which network components have been broken into, it should help reduce the threat significantly.

Questions and Answers

Does This Attack Work If Not Man-In-The-Middle?

The short answer is “no”.

The longer answer is that if the attacker can’t see the traffic, then they’d have to be able to guess the manager’s messageID and time the securityEngineID response appropriately.

But even if they could do that, it doesn’t help much unless they can see the traffic since they won’t see what they can now decrypt and respond to. The attacker can’t easily respond to what they can’t see (without an unreasonable amount of guessing of packet contents and timing).

The best an attacker can hope to accomplish would be a denial of service attacker because the manager would fail to communicate with Agent A while the securityEngineID mismatched.

What About Authentication Failed Notifications?

If all the agents are configured to send out SNMPv2-MIB::authenticationFailure notifications then in theory the manager would receive a notification every time agent A received a packet that wasn’t authenticated with the proper key (keyA).

This is true and maybe helpful if authentication-failure notifications have been turned on. But the evil Agent B entity may find it possible to spoof securityEngineID query responses from the management’s notification receiver to stop INFORM notifications from being encrypted with the right authentication key thus causing the notification receiver to drop the notifications. TRAP notifications are sent using the local (correct) engineID so this attack won’t work on them.

Comments (1)

August 31, 2009 · Filed under Computers

My Friend’s Older Conversation With AT&T

I recently posted my both funny and depressing text message conversation with AT&T as a result of their spamming me (which, by the way, I still haven’t managed to turn off mostly because I gave up).

A friend of mine (WY0X) gave me permission to post his recap of his on-the-phone conversations with AT&T about a similar, but even worse, problem:

Be really careful with those. I recently had to deal with a scam on Karen’s phone. Apparently AT&T has made it super-easy for 3rd party “providers” to send you a text message, and if you reply AT ALL, that’s all AT&T can see in their system. The 3rd party company then uses the convenient “upload an XML file full of phone numbers and any arbitrary price we desire to extract from said phone users” file to AT&T for AT&T to handle the billing. When you call to contest this $19.99 monthly “subscription” that shows up on your AT&T cell phone bill, they say, “Well, we see you exchanged text messages with the company in our system. You must have accepted an offer from them.” Only after an hour of explaining that my wife was NOT that stupid and NEVER replied to any message that said “will you sign up?”… did they offer to refund the charges and set up “Parental Controls” (HA!) on both of our accounts so NO 3rd party could ever bill anything on them. I highly recommend to all on AT&T.

So seriously, some company could send you this message “Hey, what you doing tonight?” from a number you don’t recognize, and you could send back, “Who is this?” and AT&T would see that as “proof” that you had a business relationship with them. When I pointed this out to an AT&T supervisor they said, “I suppose that could happen — we are getting a ot of complaints right now. However I’ve refunded the fees this month.” … Okay lady, how do I stop it FOREVER, and why are you making it easier for unknown third parties to bill me, your customer, than it is for me to opt-out of such shenanigans? Oh by the way, I will be reporting this to our State Attorney General since it’s generally considered bad business to bill for another party whom you can’t prove has a business relationship of any kind with your customer. You yourselves say you can’t see the text messages for privacy reasons… so how do you know EVERY one of the bills you’re sending out isn’t a scam such as I described?

She was like a deer in headlights, and started reading from the script again. After about four attempts I said, “What would you say if this were my 12 year old’s phone?” “Oh, we have Parental Controls for that!” Well, there ya go lady… fire me up some “Parental Controls” on both lines, please… my wife’s and mine. “But you won’t be able to order any other services!” “That’s absolutely correct, and I can’t see us ever NEEDING those other services either, but my wife did enjoy a few of the Trivia questions she received once a month from these idiots.” That was pretty much the end of the conversation at that point. 30-45 minutes of my life wasted, stopping my cell carrier for billing me for other people’s scam businesses.

AT&T *did* do the “right thing” and refund it, but there were clueless about why I was upset about it. I finally got down to asking everyone I talked to there: “Please prove I have a business relationship with XYZ third party company, which allows you to bill me for their services.” They were dumbfounded. There was nothing on their (so called) customer service scripts to handle someone asking such a “tough” question.

I love the fact I have intelligent friends. I hate the fact I have less-than-intelligent companies.

Comments (3)

August 20, 2009 · Filed under Thoughts

Stuck In Stockholm

Recently my wife and I went to Stockholm, Sweden. We were there, accidentally, for 2 weeks in total. For the first 2 days we wandered around and tried to battle jet-lag through a healthy regiment of walking in the sunlight with frequent stops to consume cappuccinos. Following that, I had a week long convention while Dawn did whatever suited her at the time.


 Our first major outing was to the island of Gamla Stan, which is one of the oldest parts of Stockholm. It’s narrow streets are filled with stores, restaurants and brightly colored walls. It’s an extremely relaxing area of the city to walk around that is devoid of cars and full of things to feed your eyes. There are, especially in the summer, a huge number of tourists so the streets are crowded but it’s worth it. The Stockholm guidebooks we looked at mentioned pick pockets but we felt much safer in Stockholm than many other large European cities.

During my working-week we did get to spend an evening at the wonderful Vasa museum. This museum is dedicated to a huge wooden war ship which sank in 1628 and was recovered in 1961. It’s a wonderfully done museum dedicated to a ship that is stunning to walk around. Though it does feel odd to visit a museum entirely dedicated to a ship that failed so dramatically: it sunk only a few minutes into its maiden voyage. The museum is on the “must see” list if you ever plan to visit Stockholm.

After these first few wonderful days of touring the city we were emailed by our currently preferred credit card company (thank goodness for conference internet access!) that we needed to contact their fraud department ASAP and they had deactivated our card. After calling, we learned that they suspected something was wrong. They asked us if we had purchased plane tickets recently. Certainly, we assured them, we had. Also, did we purchase anything from overstock.com on July 24th. Well it so happens that was the day we were travelling (and travelling and travelling), so we certainly hadn’t. They immediately cancelled our cards and promised to send new ones to our hotel and they “should hopefully get there by Saturday”. This was a good thing as we were set to check out on Sunday.

We had a wonderful last day in Stockholm on Saturday visiting some of the museums that we hadn’t seen yet. The Nordic and historical museums are well worth visiting in Stockholm. The historical museum in particular goes into great depth about the fascinating Viking history in wonderful detail. That evening we returned to the hotel and were told by the front desk that, sorry, but we hadn’t received a package. Oh uh, we thought. Now what. Our only choice was to stay longer and wait for it. So much for our “last day”. Fortunately, they had enough room that we could stay until Monday if we liked while we were waiting “our package” (we of course didn’t admit we were waiting for cards to pay them with). So much for our plans to see the south of Sweden.


 So we spent another wonderful “last day” on Sunday visiting Skansen, which is an outdoor museum of Swedish historical architecture and culture. In a large open space on the top of a hill in an island with a beautiful view of the water around Stockholm, they brought in houses and buildings from around Sweden from various time periods and let visitors walk around and through them. It is an absolutely fascinating area that we spent over 10 hours in before giving up and realizing we couldn’t see every possible structure (but we still felt good about getting to 90% of them or so).

The next day, Monday, we slept in after our 10+ hour walk. Around 11:00 (an hour before checkout time) we checked with the front desk and they informed us “no package; yes you can stay until tomorrow”. Then we brain stormed. What now? Well, we hadn’t yet taken a boat cruise through the city, so… let’s do that. We opted, after pouring over brochures, to forget the simple cruise around the city and go all out for our “3rd last day”. We signed up for an all day boat cruise for the day after that would take us through some of the neighbouring islands. And yes, we could stay until Wednesday since the all-day Tuesday trip would ruin our chances of checking out on Tuesday. And yes, they could add the boat trip tickets to our hotel room bill. Excellent, I thought while slyly trying to glance through the kitchen doors to see how many dishes we’d be able to wash in order to pay the upcoming larger and larger bill without a credit card.

The boat cruise was fantastic. Just off the coast of Stockholm are 30,000 archipelago (small islands for those of you with a vocabulary similar to mine). The boat cruise took us around and through a gazillion of them and dropped us of for an hour on three of them. Each were different, the final including a cute village with brightly colored houses. All red. My favorite of the three islands, though, was the most remote, desolate, rocky island. I could have spent a full day on that small island walking across the barren terrain through the fog.

Upon arriving back at the hotel that evening we, of course, found no package waiting for us at the front desk. We called the bank again and they apologized profusely and explained that they couldn’t even find a tracking number for the package they had sent. They were deeply concerned about this and would look into it.

Now, I don’t want to say anything particularly negative or positive about the bank in question. It’s probably not even worth naming them. On the plus side, they were extremely courteous (of course) on the phone. But, on the down side they did fail to get us new cards within even 5 days. They’re on par for the typical banks in the U.S. of America.

We learned one important lesson during the trip: always carry two credit cards. Of course we always knew you should do this, but now we really understood why. I think this is the first trip we hadn’t taken two and naturally it was the first one where we needed two. At least we had an ATM card (which is also supposed to work as a visa but never seems to act that way consistently). Next time we’ll certainly take a back up. We’ve learned.

If there is one thing I’ve learned from travelling: you need to roll with the punches. Almost no trip goes perfectly (oh the stories I could tell about just airports!). When travelling, if you spend all your time just fighting the good fight, you’ll have a lousy vacation.

In the end the bank informed us that we could ask the front desk to charge the bill to our old credit card and it would fail. Then we could call the bank and they would authorize the next charge of that amount and it would succeed the second time. Now, when you go to the front desk of a hotel that you’ve just spent two expensive weeks at and tell them to “try this card but it’ll probably fail” you should have a camera ready to capture their expression. It’ll be priceless. But the process did work as expected and I’ll now quote the receptionist after the second charge succeeded: “Yessssss!” (while throwing a fist in the air).

All in all, Stockholm is a wonderful city to visit. There is more to see and do than you can fit into even two weeks, as it turned out. And if you have to get stuck in a city, it’s a good one to pick to be stuck in. My wife summed up Stockholm wonderfully: it isn’t Paris, but it’s definitely right underneath it as good places to visit.

Leave a Comment

August 16, 2009 · Filed under Travel

Today’s Conversation With AT&T

So, AT&T has gotten in the recent habit of spamming you with “tips”. “tips” are really “spam” when they’re trying to get you to do things that will eventually make them money (ie, by using more of their services).

Here’s the “tip” I got today:

AT&T:
AT&T Free Tip: Get weather, movie or restaurant
tips from Google on your phone.
Text HELP to 466453 to get started.
To end Tips send no to 4436

Easy, enough, I thought.

Me:
No

And a few seconds later, I got the response back:

AT&T:
Sorry, we did not understand
your response.  Reply ONLY the
word "YES" to activate the 4
channel/$6 Mobile TV plan

HUH???

Ok, I thought. Maybe it’s because my phone auto-capitalized the word “No”

Me:
no

And a few seconds later, I got the response back:

AT&T:
Sorry, we did not understand
your response.  Reply ONLY the
word "YES" to activate the 4
channel/$6 Mobile TV plan

NOOOOOOOOOOOOOOOOO

sigh…

[UPDATE 2009/08/20: Read the follow-on story from a friend describing his conversation with AT&T]

Comments (6)

August 12, 2009 · Filed under Thoughts

Just For The Good Of It

There are many times in my life where I’ve thought “I wish I had the time to make that part of the world OK again”. But invariably time and money always gets in the way of my goals for world improvement. (ok, and frequently politics).  (ok, and frequently over commitment to too many things that need to be made better).  Sometimes I wish I could just get paid to “do the right thing” of my choosing. Here’s a salary. Go forth and do good.

http://www.thegentlemensfund.com/nominate_form.asp

The problem is that little in the world works that way. Capitalism is founded on the belief that both sides of a transaction must prosper economically for the transaction to be beneficial. But when one side of the transaction is “the good of mankind” it turns out that the entity doesn’t have any cash to spend. And unfortunately the world works on cash (or at least my mortgage seems to think so).  Many times an idea may be good in theory but there is no way of having it “turn a financial profit” even if world would be better off with its instantiation.

Even if there was a “for world good” entity with funding to spend at will there is an inherent problem of trust of the common man. Even if only 10% of the world embezzled or drank their money away with nothing positive to show for it (and I only wish the percentage was that low) the average sponsor would be pretty distrustful of all the applicants.

So in the mean time, most of my grand ideas for world good (ranging all over the map from improved communication systems to improved emergency response solutions) will have to remain in my head until someone comes along willing to just pay people to “go forth and do good”.

What would you do, given unlimited funding “to just do good”?

Comments (1)

August 11, 2009 · Filed under Thoughts

What’s the Difference Between Facebook and Twitter?

Many of my friends and family have been confused over the differences between Facebook and Twitter. (Most of the confused use one and simply don’t know what the other is). There has also been a lot of speculation on the net about how Facebook has been slowly trying to take on twitters surge in popularity through their adoption of Twitter-like-qualities.

This write-up documents some of the important differences between the systems so that you can decide which is best for you and how you should think about using each one.

First the Similarities

The core part of both Facebook and Twitter surround “status messages” that you and your friends post to stay in touch with each other. Messages like “just got back drom the new star trek movie” will frequently start an online discussion between those you know about how successful the new film was as a “reboot” of the old series. More boring messages like “I just woke up” will only stir up the electronic version of crickets and will provoke little conversation.

On to the differences…

Openness

Facebook was designed as a web-browser based service: you log into their site through your web-browser to see status updates from your friends mixed with their advertisements.

Twitter has, since it’s early days, provided a programming interface (API) to it’s service. This interface let’s programmers write applications that check for new tweets, submit your own status messages, etc, all without actually visiting Twitter’s web page. The result is that there are many many applications and ways to interact with Twitter content besides just navigating to the twitter web page. The most popular ones tend to be the ones that sit on your desktop or in your toolbar and notify you when new tweets arrive.

Openness of the Data

By default, Facebook hides all your data so only friends (and approved game applications) can see your status updates and personal information.

Twitter is the opposite though, for both good and bad. It defaults to posting your messages publicly for the world to search through.

This, by far, is the biggest in usage differences. If you end up using both systems, just think before you post who your audience is. But more importantly, I like it this way. There are many updates that I post to both systems because I either don’t care or actually want them heard widely. The announcement for this blog posting, for example, I’ll submit to both services. I also tend to post smaller and more frequent comments to just Twitter. And much more personal comments to just Facebook.

Update Frequency

Because of the open API and extensive external application support, Twitter is more in your face 24/7 and integrates into your day rather well. The result is kind of a constant connection feeling with lots of friends, services and celebrities. The ability to tweet quickly in seconds is always present because somewhere on your screen you already have an open box waiting for you to type in your latest pontification. There are even application plugins that monitor what you’re doing and provide a tweet on your behalf (such as every time your music player switches songs). Many early tweeters make the mistake of tweeting way too much and let you know all about their third bite of a taco bell buritto you probably don’t care about. (They also quickly lose their followers). The better twitterers post only interesting thoughts and activities.

Facebook on the other hand is designed for less frequent status updates and less frequent review of your friend’s updates. Most users log into the site a few times a day, respond to the discussions, update their status (maybe) and play a game or two. It’s designed to be a “visit when I have time site” and is not designed to let you know that your BFF just put on her left sock.

But the instant notification ability of Twitter is what makes it far superior for service broadcasts. Many important services today have twitter feeds for major events (eg, the White House, the RedCross, CNN Breaking News or even Earthquakes that occur near San Francisco) so that you can be instantly informed about events happening at a given instant.

Twitter has also always had the ability to send and receive cell phone text messages. You can have the service text you when your favorite friends update their status and likewise you can update yours by sending a text too. Many smartphones have Facebook applications or web browsers, but twitters SMS tie-in is, again, designed to make you feel continuously connected (no matter how old your phone is).

Status Update Size

Twitter messages have a size limit of 140 characters, which isn’t much (note how easily it fits into a 160 character SMS message? Surely their choice of size was deliberate!). Twitterers learn to abbreviate and be witty in a very small space.

Facebook, however, lets users write multiple paragraphs about their current thoughts. This works much better for ideas you just can’t convey in a short burst. Twitter is referred to as micro-blogging, and Facebook is in between Twitter and a full-size, long-winded blog like this one.

Data vs Presentation

Another major difference between Facebook and Twitter is the presentation. Twitter is all about the content and the data. It doesn’t concentrate on presenting it in fancy graphics on their site (though many desktop applications actually look much better than the Twitter home page). Twitter just wants to bring you data fast and it excels at doing just that.

Facebook, on the other hand, is a complete package. It’s like the “Hotel California” as it wants you to never leave. It’s entrance hall is splendidly decorated with fancy graphics, profiles, pretty colored reply boxes, etc. Every link from Facebook tends to take you to another Facebook wrapped external page or application so you’re always encouraged to return to Facebook immediately. But, their web interface is a beautiful blend of simplicity and function (apple would be proud).

Twitter is also just status messages only with no extra features, while Facebook is constantly tempting you to take a new quiz or play a new game. Facebook’s interactive and highly-addictive multi-player games are wonderful distractions and suck up hours of your time. Twitter almost seems dull after having spent an hour trolling around Facebook’s site.

So which should you use?

You’ve probably guessed my answer by now: Both!! I have both a Facebook and a Twitter account and use them both daily. I love them equally, but for very different reasons. Facebook is a collection of conversations with friends and family. But Twitter has actually helped me make new friends through it’s openness.

The truth is, they’re very different beasts that serve fairly different purposes. Regardless of what Facebook does to become more Twitter-like it may not matter if the users don’t want or use the Twitter-like changes (I for one like the differences). If Facebook adopts many of the Twitter attributes of openness it will mean losing out on an important aspect of Facebook: your status updates go to your friends and family and people you trust.

So I suggest you try them both and hopefully you’ll even use them both. They’re free, after all. What do you have to lose (but time)?

Comments (1)

July 9, 2009 · Filed under Computers

My Wife’s Solution to Random Farmers Dropping By

These days if you play FarmTown and you visit “The Marketplace” in order to sell some goods, get hired, or whatever you’re likely to find occasionally that random people follow you back home to your farm when you leave. This seems a bit odd to many people. I mean, if you go to your local grocery store and some random person followed you back to your house you’d probably call the police right? In fact, this is the whole reason we have these things called “locks” on our front doors. To prevent everyone, including friends, from randomly entering our house. Farmtown, however, doesn’t have locks. (Fortunately there isn’t much they can do in your farm so it’s not really a huge concern)

Why people are doing this in facebook too I’m not sure. I suspect that they’re looking for a job (ie, they want to work in your fields for cash) and they’re hoping you’ll hire them.

My Wife’s Solution

So, my wife had a smart idea: never hire them. In fact, make sure you can’t. She does this by clicking on them and then clicking “ignore”. By doing this you add them to the list of folks that are functionally “banned” from your view of the game. The result is that no matter how much they beg you for a job in the marketplace in the future, you’ll never see them and will never hire them. Plus they immediately disappear from your farm as well.

I thought this was a great idea to solve the annoying-farmers problem.

Comments (6)

July 3, 2009 · Filed under Computers

How I Cheated at FarmTown Today

Cheat??? Why??? Well, after posting my previous blog entry about FarmTown cheating I noticed a huge number of Google and other search engine hits by people looking for “how can I cheat at FarmTown”, etc. Apparently I’m not alone in the desire to overcome FarmTown boredom.

There is a huge amount of wonderful pages devoted to farmtown data, but not as much about advice about how to play efficiently. For those just looking for how much stuff costs, what level you get it at, etc, I recommend
Uncle Joe’s Farm Town Addicts Site

Today’s Progress

While working diligently away on my farm today and jumping from level 19 or 20 (I forget) to level 24 I:

  • Ate a wonderful father’s day breakfast with my family that was prepared by my wife
  • Filled up the car with gas
  • Packed the car
  • Went shopping
  • Played a game of pool
  • Read to my daughter

Motivation

Well, simply put I wanted to be level 27 so I could buy rivers. I didn’t get all the way there today, but I made a good leap forward. The problem with farmtown is that after the first 15 levels or so it gets very boring when it comes to the farming aspect itself. Not the building pretty pathways and stuff aspect, but the aspect of cultivating a huge set of crops just to try and get more experience points.

This, in my opinion, is a fault of FarmTown’s. They should, after a certain level, make it easier to clear and plant a field full of crops with one “select a rectangle” type motion. It’s cute when you first start to plant each square, but boy does it get boring by the time you get up there in levels. And because levels get harder and harder to achieve the level reward is less and less (aside from the financial increase, which is constant).

FarmTown isn’t the only game with this problem. It dates back to any large “build an empire” type games including empire (the old ascii text game for those that remember it) to warcraft and to the latest in the line: FarmTown. Maintaining a huge set of maintenance tasks gets dull and dry.

But… I really wanted to be level 27. I just didn’t want to spend the time.

Enter The Cheat

Ok, it’s not a “real” cheat. It’s well known, as I’ve discussed previously that you can turn FarmTown cash into FarmTown experience points. The cheapest way to do this is by adding hay bails to your farm. At the end cost of roughly 1 experience point per 10 FarmTown coins spent the hay bails are the best return.

But, it’s boring putting out a gazillion hay bails too, so why is that any better? It provides you increased speed at yet more boring work.

Or does it. I handled this by recording mouse clicks with a mouse event recorder and then playing them back. I’d buy a hay bail and then sell it. And then tell my computer to repeat the process over and over for me while I went and did something else.

Sure, occasionally it would mess up and start trying to place a bail on another, but in general it worked and I got a lot of house-hold chores done instead! Yay! I’m level 24 now!

So if you want the amount of coins you have divided by 10 in experience points, you might give this approach a shot. I don’t have software to recommend to you (see below for my linux notes) but I’m sure if you search for some for your OS of choice you’ll find something. I know stuff exists for windows, and I suspect for OSX as well.

Advice for FarmTown Developers

Don’t get mad at the people that want to cheat. Fix the issue within the game. I’ve noticed that a lot of my friends simply stop playing near level 28 or so because it’s just boring after that. You’ll loose customers unless you can fix the boring aspect of the higher levels. Add something else for them to do instead that captures their interest again.

Final Linux Geek Note

Turns out that all the linux event recording software is dated and doesn’t work. There is some playback software though. I wrote a quick script to wrap around xte from xautomation to record and then replay what I needed.

Comments (13)

June 21, 2009 · Filed under Computers

A Day in the Life of a Parent


What’s the real cost of parenting? How much time do I spend managing the lives of those I’m responsible for?

For a long time I wondered “where does my day go?” I mean, I know that I spend a lot of time working and a lot of time parenting and a lot of time cleaning, but it still seems to slip away from me with seemingly little to show in the way of filled in checkboxes on my growing list of personal goals. So I decided to check how much time I spend parenting.

Thus, today (2009/06/18) I decided to write down all the little things I do as a responsible parent to see how much time it adds up to. Now mind you, I probably missed a few little things here and there and I am estimating much of the time sync, but I suspect it’s fairly accurate (at least within a 5-10% error rate).

Why did I pick today? Well, for a few reasons. One, I’m acting as a single parent today which I figured would make me look even more like a super-parent. Ok, I probably shouldn’t have admitted that. Also, it was a day I was going to try and get as much work in as I could as well (fortunately, I work from home). It was a beautiful summer day where there was no transportation requirements (adding trips to and from school is a huge time sink) and it was a day where I didn’t do many other house-hold tasks that would have been an even bigger time sink (laundry, vaccuuming, deep cleaning, napping, …). IE, the only two goals I had for the day were parenting and working. In that order.

Now mind you, I try to be a decent parent. There are two extreme views of parenting: let them fend for themselves (they know where the cereal is darn it, why are they bugging me) and complete micro-management (no, move that sock to the left side of your drawer). I try to balance nicely in the middle and be responsible but encouraging self-sufficiency when possible. I made them breakfast and ate with them to interact before I started working (more) and they made their own lunch while I made mine to teach independence.

The Tally

I thought one computer typed set of notes (when it was in front of me) and one piece of note paper would be enough. I underestimated that a bit.

Time Spent Parenting Today
Time Seconds Description
7:02 20 Good Morning conversation to first awake child walking by.
7:44 780 Make Breakfast (cereal and oatmeal)
8:02 45 Poured a glass of milk
8:35 180 Applied mosquito repellent liberally to children’s skin
(Oddly, I don’t consider it acceptable for them to touch the stuff even though I put it on thickly)
8:39 30 Explained how to be a more kind older sister
(Hint: don’t yell as much)
9:20 60 Answered questions about going outside, eating crackers, etc…
9:30 60 Son: “What are you using that computer for daddy?” (noticing me typing so quickly)
Dad: “sending email for work”.
10:17 60 Took pictures of my cute kids playing in a stream.
10:23 30 Answered questions about snack choices
10:32 15 Daughter: “What was the hand movement to the a-ram-sam-sam song again?”
Dad: [:shows movements he learned during her pre-school class ages ago:]
10:34 60 Reapplyed bug spray now that a sweatshirt had been taken off and the arms were exposed
10:56 20 Walked outside
Yelled “stop throwing sticks at each other.”
Walked back inside
11:26 20 Walked outside and shouted “stop shouting.”
12:03 60 Dad: “Want to pack a picnic and go on a hike for lunch?”
Daughter: “Yes, but check out the cool rocks I found!”
12:14 300 Directed and participated in the lunch making process
12:22 30 Tied a yellow string in daughter’s hair at her request because her normal hair tie appears to be missing
13:05 60 Applied more mosquito repellent for the afternoon outdoor shift.
13:10 60 Son: “I just wanted to tell you I’m going to put on shorts so you need to put more insect repellent no me.”
Dad: [:reaches for bottle:]
14:46 10 Dad: “Don’t forget to wipe your feet on the rug please”
14:49 30 Daughter: “Dad, can I grab something out of the car?”
“Yes” and [: handed off keys :]
14:50 10 [: Put keys back in pocket :]
14:50 10 Son: “Can I have some graham crackers dad?”
14:54 20 Son: “Dad, how can I get this dirt off my arm?”
Dad: “It’s probably sap and that’s why it’s so hard to clean off. Rub really hard and Good Luck.”
14:55 30 A longer discussion ensued about how I’m wrong and it’s not sap. Oh, and my son proceeded to inform me that hand lotion and soap mixed together make really good soap.
15:21 60 Instructed children to pick up their dirty clothes and then supervised with a threatening look when they failed to follow instructions.
16:19 30 Admonished kids who fell down the stairs that they need to be more careful
16:20 60 Tasking assignment and instructions: “Please water Mommy’s bulbs using these containers”
16:29 180 Patched up kid who ran chest first into out-stretched window frame. Apparently the 16:19 lesson didn’t stick.
16:43 30 Dad: “Did you water both sets of flowers?”
Children: “No. Where’s the others?”
16:55 60 They’re yelling loudly again. Oh, and climbing on that stack of wood isn’t safe. No, swinging from that very thin branch isn’t either. I don’t care if it’s “bendy” it’s still not safe.
17:30 60 Advised about the two minute dinner time warning and answered various questions fired back at me
17:35 1320 Made the promised pancake dinner. Since I don’t like pancakes all of this prep time I’m charging to them (but a promise is a promise, so I made them). I had eggs, which I made later.
17:40 0 (In the midst of the above)
Son: “I can’t get all this sap off.”
Dad: “Holy cow, what were you playing with?”
Son: “Sap”
Dad: [: Grumbles :]
18:13 600 I did the dishes. It actually took me 15 minutes not 10, but 1/3rd of them were mine.
18:36 10 Checked up on teeth brushing status.
18:37 600 Read to son: “Oh the things you can think” by Dr. Suess
19:24 660 Tucked son into bed
19:24 180 Dealt with the ‘Spilled water on Pajamas’ catastrophe
19:39 120 Dealt with the ‘Spider catastrophe’.
Unfortunately it was a catastrophe even though I meant to harmlessly catch and release him
19:57 2100 Read to daughter: Harry Potter
(boy that was a long scene that I couldn’t stop in the middle of)
21:21 180 Tucked older child in and replenishing the night time water supply.

The Results

How much time did I spend being a parent? It turns out to add up quickly:

Seconds: 8250
Minutes: 137.5
Hours: 2.29 (rounding up slightly, but I deserve it)

Now, before you jump in there and say I’m an uptight parent who just spent the day yelling at his kids, I have one important distinction to make about the results: That’s just the time I spent being a responsible parent. These are just the things I felt I “had to do” and there was no choice in the matter. That summary does not include the hour lunch I spent eating with my kids on a rock by a river and watching a butterfly land on my kids outstretched hands (which was really really cool). It doesn’t count the 30 minutes I spent playing sequence with them, or the game of pool I played with my daughter. I only counted the get-through-the-day time. Not the “Quality Family Time” time.

Conclusion

When I was a kid I learned that every essay should have a good introductory paragraph, and solid body and a conclusion. My conclusion from all this is that it takes a lot of time to be a parent. When I signed on to the job I knew it was a commitment that couldn’t be broken and a responsibility I would hold for life. But I’m not sure I truly understood the time sink. In the end, it’s still worth it, of course (the hugs and the laughter alone are worth it). But now I at least understand why I don’t get much accomplished in the other aspects of my life.

It’s my bed time now. Tomorrow it all begins again. Technically I’m being risky posting these totals before midnight.

Leave a Comment

June 18, 2009 · Filed under Parenting

How to win (sort of) at Facebook’s FarmTown

[Update: make sure to read my follow on article as well: How I Cheated at FarmTown Today]

Any game, is of course, accompanied by a number of different ways you can attack the problem of “how do I get a high score as quickly as possible”.

Facebook’s FarmTown game is highly addictive to many people and some of my friends have spent endless hours carefully laying out rice fields for harvest two days later.

Status in FarmTown

There are really only two things worth achieving in FarmTown: Money and Levels/Experience Points. Money is earned by planting and harvesting crops (or better yet, having someone else harvest your crops for you). And, if you harvest someone else’s crops then you get some extra cash too (it’s a good deal for both sides). The fastest way to get cash is to go hang out in the market place and beg people for jobs harvesting their fields.

But experience points you only get by either plowing, planting crops, visiting friends farms, or building infrastructure. Now, you can only visit your friends for experience points roughly twice a day. And there is only so much space on your farm so after you’ve filled you soil with crops and farming infrastructure (virtual barns, paths, scarecrows and hay bails) you have to sit back and wait until the crops are ready.

Or do you…

[Update: as people have pointed out in the comments and as I discuss in How I Cheated at FarmTown Today using hay bails for converting cash to experience points is more efficient]

Many people have figured out that planting grapes earns quick experience points because in 4 hours their ready again. Yes, they’re not worth much but they do turn around quickly. Thus if you’re shooting for straight XP then grapes seem like the right way to go.

But there is a better way:

  1. Plow your whole field per normal (20 coins per square and it’s worth 1 XP)
  2. Plant grapes in your whole field (also 20 coins per square and it’s worth 2 XP)
  3. Buldoze them over immediately (gasp!!!)
  4. Go back to step #1

(and for you slashdot readers add in “Profit!” somewhere)

See… If you’re willing to spend the cash (40 coins) and the time (something you’ll admittedly never get back) then you can earn 3 XP points per square. Quickly. Keep repeating till your out of cash. You’ve probably just levelled up quite a bit.

When you run out of cash, go to the market place and beg people for a job to get more cash. I bet following this formual you could go from level 1 to level 20 in a day without breaking a sweat on anything other than your index finger.

Begging for jobs

Having done a bit of job begging, here’s my advice: be smart, be witty, be silly. You’re much more likely to get a stranger to hire you than if you just keep chanting “hire me”. When I’ve simply made funny jokes about wanting to get hired I’ve gotten jobs much faster than the others around me that were closer to “annoying”.

After all is said and done

Go outside into the real world and mow the real lawn. You probably need it at this point.

Comments (29)

June 12, 2009 · Filed under Computers

« Older Posts
Newer Posts »