Thursday, December 23, 2010

At least someone reported on the real Wikileaks story

http://www.theregister.co.uk/2010/12/23/wikileaks_and_data_theft/

I read somewhere that it was likely the communication channels opened after 9/11 that enabled this security atrocity.  Kudos to "the media" though for overlooking this blatantly obvious and genuinely interesting story of security officers unconcerned with the well-being of either their own soldiers or Iraqi civilians (see this chat transcript for more).

The amazing thing is this lasted for months!  Wired published that article on June 10, 2010 and El Reg (I hope they don't mind me calling them that) has only JUST reported on it.  I don't know that I would call this a conspiracy but I have a hard time believing that this was just conveniently "missed."

Although perhaps I give them too much credit.  After all, this wasn't even reported on in such a security-conscious manner until 6+ months later, when someone gave a report sounding the China/cyberwarfare alarm.

Tuesday, December 14, 2010

Security, security, SECURITY!!!!!

The past couple of days I have received three very important emails.

The first email was a message from Gawker Media stating that my account might have been compromised, and it somewhat downplayed the risk.  Ironically, the risk it downplayed was the use of the same password across many/all sites (a very common practice), which was exactly the practice that led to penetration of the Gawker site and ultimately the release of all 1.3 million account details (including mine!  :(  ), passwords included.

The second was an email from LinkedIn stating that my account may have been compromised.  Sound familiar?  Well, I figured that someone had decrypted my password and was attempting to use it at another site (it must have failed, I figured, because I sometimes used slight variations).  So I began my trek to change my password on every site.  It's now a 15-character GRC-generated password consisting of ASCII characters (so '!@#$%^&*()' etc. are all possible values).

The third email was also from LinkedIn, clarifying the first LinkedIn email.  It seems they downloaded and scanned the database of Gawker accounts and checked each email address against their own user database.  When they found a match, they sent an email to every email account listed as associated with that user.

As much faith in my fellow programmers as the Gawker hack destroyed, LinkedIn has single-handedly restored.

Simply amazing.
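As an added example (not code from the original post, nor LinkedIn's own), here is the check described above in miniature: a leaked account dump is matched against a site's own user table by email address, and it goes one step further than the post by also testing whether the leaked password is the same one the user set here, so a reset can be forced where reuse is confirmed. Every record, name and hash below is constructed for the example.

```python
"""Added example, not code from the original post: LinkedIn's check in
miniature. A leaked account dump is matched against a site's own user
table by email address, and matched users are flagged for a password
reset. Every record, name and hash here is constructed for the example."""
import hashlib
import hmac

# Constructed stand-in for the leaked dump: "email,leaked-password" lines.
# Real dumps are messy, so the parser tolerates stray spaces, odd casing
# and lines that are not records at all.
LEAKED_DUMP = """\
Alice@Example.com,hunter2
bob@example.org,letmein
  carol@example.net  ,correct horse
not-a-record
"""


def _store(password: str, salt: str = "s4lt") -> tuple[str, str]:
    """Constructed password store format: (salt, sha256(salt + password)).
    A real site would use bcrypt/scrypt/argon2; sha256 keeps this short."""
    return salt, hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed stand-in for the site's own user table.
USERS = {
    "alice@example.com": _store("hunter2"),          # reused the leaked password
    "carol@example.net": _store("a-different-one"),  # same email, different password
    "dave@example.com": _store("unrelated"),         # not in the dump at all
}


def normalize_email(raw: str) -> str:
    """Lower-case and trim so 'Alice@Example.com ' matches 'alice@example.com'."""
    return raw.strip().lower()


def parse_dump(text: str) -> dict[str, str]:
    """Return {normalized_email: leaked_password}, skipping malformed lines."""
    records = {}
    for line in text.splitlines():
        if "," not in line:
            continue
        email, password = line.split(",", 1)
        records[normalize_email(email)] = password.strip()
    return records


def password_reused(email: str, leaked_password: str) -> bool:
    """True when the leaked cleartext also unlocks this site's stored hash."""
    salt, stored = USERS[email]
    _, candidate = _store(leaked_password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


def accounts_to_notify(dump_text: str) -> dict[str, str]:
    """Map each of our users found in the dump to an action: 'force_reset'
    when their leaked password works here too, otherwise 'warn' (email only)."""
    actions = {}
    for email, leaked_password in parse_dump(dump_text).items():
        if email in USERS:
            reused = password_reused(email, leaked_password)
            actions[email] = "force_reset" if reused else "warn"
    return actions


if __name__ == "__main__":
    for user, action in accounts_to_notify(LEAKED_DUMP).items():
        print(f"{user}: {action}")
```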

Saturday, December 4, 2010

Que funny!

Saw this while I was trying to find a way to lock down Mozilla for a public terminal.  I made this in response.

Sunday, November 28, 2010

Mitigating the Potential Effects of DNS Hijacking

This is a quick tip I noticed while installing a new Linux DHCP server.

In DNS hijacking, the resolution of a domain name comes down from a "poisoned" or hijacked server and directs users to an IP address used by the criminals to serve up malicious websites.  My idea is basically to hijack the criminals' IP space.  In the DHCP server, simply set up a "host" with your server's MAC and set the "fixed-address" field to your fully qualified domain name (FQDN).

Now, this won't actually work as things stand, but if you could convince the routing table (BGP) to announce the criminals' address as being in your autonomous system (AS), then you would have a pretty decent defense mechanism.  Unfortunately, I have not studied the Border Gateway Protocol (BGP) in any significant way.  We'll see if I can get around to that sometime.

Wednesday, October 13, 2010

Hey you! CHAP with the PPP! Stop right there!!

So.  I spent four hours today finding out that CHAP authentication on PPP checks the password against the CHAP password on the other router, not the global config nor the "enable", login or secret password.  The CHAP password.

Did everybody else already know this?  Probably, but I had to find out the hard way and now I know.  And so do you.
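As an added example (not code from the original post), here is a minimal model of the CHAP exchange PPP runs (RFC 1994), showing why the link only authenticates when the peer's response was built from the very secret the authenticator has configured for that peer's name, and why the enable or login password never enters into it. Router names, secrets and challenge values are constructed for the example.

```python
"""Added example, not code from the original post: a minimal model of the
CHAP exchange PPP runs (RFC 1994), showing why the link only authenticates
when the peer's response was built from the same secret the authenticator
has configured for that peer. Router names, secrets and challenge values
are constructed for the example."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Router:
    """The passwords a router might have configured. CHAP only ever uses the
    per-peer entry (IOS 'username <peer> password <secret>'); the enable
    secret is stored here purely to show that it plays no part."""

    def __init__(self, hostname: str, chap_users: dict[str, str], enable_secret: str):
        self.hostname = hostname
        self.chap_users = chap_users        # peer hostname -> shared CHAP secret
        self.enable_secret = enable_secret  # never consulted by CHAP

    # Authenticator side: send a fresh random challenge, then check the reply.
    def challenge(self) -> bytes:
        return os.urandom(16)  # must be unpredictable and never reused

    def verify(self, identifier: int, peer_name: str, response: bytes, challenge: bytes) -> bool:
        """Recompute the response with the secret configured for *this peer name*."""
        secret = self.chap_users.get(peer_name)
        if secret is None:
            return False  # no 'username <peer>' entry at all: CHAP Failure
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

    # Peer side: answer using the secret this router holds for the authenticator.
    def respond(self, identifier: int, authenticator_name: str, challenge: bytes) -> bytes:
        return chap_response(identifier, self.chap_users[authenticator_name], challenge)


def ppp_chap_handshake(authenticator: Router, peer: Router, identifier: int = 1) -> bool:
    """One Challenge / Response / Success-or-Failure round over the PPP link."""
    chal = authenticator.challenge()
    resp = peer.respond(identifier, authenticator.hostname, chal)
    return authenticator.verify(identifier, peer.hostname, resp, chal)


# Matching CHAP secrets on both ends: the link authenticates.
R1 = Router("R1", {"R2": "link-secret"}, enable_secret="r1-enable")
R2 = Router("R2", {"R1": "link-secret"}, enable_secret="r2-enable")

# A mismatch of the kind the post describes (constructed): R2's 'username R1'
# entry carries some other password (here its own enable password) instead of
# the shared CHAP secret, so the MD5 responses never match.
R2_WRONG = Router("R2", {"R1": "r2-enable"}, enable_secret="r2-enable")

if __name__ == "__main__":
    print("R1 <-> R2:      ", ppp_chap_handshake(R1, R2))        # True
    print("R1 <-> R2_WRONG:", ppp_chap_handshake(R1, R2_WRONG))  # False
```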

Tuesday, October 5, 2010

The World's Most Embarrassing Statistic

. . . but I'm not sure why.

Stolen from the shirt.woot reckoning on Oct. 5, 2010 ~10:20PM NWT (that's native Woot time aka CST).

Tuesday, September 28, 2010

Notes on a Scandalous Switch

Cisco 3750.  We've been mixing it up with different switches and routers and IOS versions and today I discovered something horrible.  A bug.  Actually it wasn't particularly nasty but it was pretty weird.

My 3750 was using a Gigabit port and a Fast Ethernet port for trunking, and everything else was on a VLAN between 1 and 9.  The trunks were passing traffic from VLANs 10, 20, 30, 40 and 50.  That's what was supposed to happen.  Unfortunately, until I set some of the free Ethernet ports into the corresponding VLANs from the trunk, it would not pass that traffic through the trunk.  Weird!!  The more you learn, eh?

Saturday, September 25, 2010

One of many reasons I love the internet

See the flags?  :)

I once discovered a college this way.  Downloading Hors de Prix (English title: Priceless), I spied myself an IP resolving to Middlebury College.  Some Googling presented me with a wonderful university serving US students studying foreign languages (and with a passionate physics professor to boot!).  Alas, they only accept a few students as transfers per year, when they accept any at all.

Anyway, I love the internet because of this.  Because I can watch a show made and distributed exclusively in the Pacific region without having to wait for someone to pick up international distribution rights.

Wonderful.  Internet, I <3 u.

Saturday, September 11, 2010

A Small Bank Note

Banks are interesting.  They exist in a surprisingly competitive market but offer horrible terms.

[Insert lengthy blog post on banks' conflicts of interest here]

After a bit of digging around the best banks I have found are Ally and ING Direct.  Ally for offering a small amount of interest checking, a few ATM fee refunds a month, and low overwithdrawal fees (not the same as "overdrawn" fees, Ally will charge you once per day only on days when transactions occur).  ING Direct for also offering a small amount of interest checking, free ATM withdrawals with certain partner networks, and overdraft at below market revolving interest rates.  Compare these with any other bank, especially big ones.

If you do even some cursory research you'll notice one thing if nothing else:  Ally excepting, the bigger the bank the worse the terms.  Conversely (inversely?) the smaller the bank the better the terms.  This is why I'm a member of ING/Sharebuilder, Ally, and a local credit union.

**Speaking of credit unions, a small shout out for great loan terms.  The interest rates on car loans at my CU are slightly better than comparable offers from anyone outside the automotive industry.  Sometimes new cars offer no interest for 60 months and you can't beat that!**

Monday, July 12, 2010

Two Reasons I Do Not Like Google Apps

Today I was trying to create a halfway decent looking and recent resume, using a previous one I had developed as a starting point.  It was made with the Office Word 2010 beta, so I decided to upload it to see how well Google Docs works at importing this pseudo-XML.  This is what it was supposed to look like (well, there was no box around my email).

Side note:  I am not a graphic artist and I don't like putting much effort into such things so yes, it is Spartan and possibly ugly.  Sorry if I offended your tastes.

Compare that with what Google imported:

You'll probably note that it's pretty decent but has some obvious issues.  Most obvious is the blue background image I had been using, which cannot be placed behind text in Docs.  Actually, that was my biggest frustration.  It wasn't just a problem with the import.  When I tried to move the image down just a little to see if I could finagle it into working, it jumped down and displayed the full image size.

Check this:

You'll notice I've made a few other minor changes (no, my name won't stay popped-eye-blood-vessel red(tm)) but my stupid image can't even be moved partially offscreen!  Clearly the engine is capable of supporting the function (as seen above) but it's not a feature of the editor.  WTF?

Now having read all this you might think I'm just a teenage h8r (that's supposed to be read "hater" by the way [btw]).  Not true!  I was impressed by Docs' quick response, import ability (it did keep the right formatting), Mac keyboard shortcut support, and focus.

This is what I really liked about the service.  It was an excellent WYSIWYG editor.  No, it was an incredible WYSIWYG editor.  Try it yourself.  Type in some text with complicated formatting and then insert an image.  Your options for how to insert it might be limited, but within those it keeps the formatting and placement of all your data in relation to whatever piece is being modified.

Exhibit 1:
Exhibit 2:

Clearly Google has made an effort to create a very user friendly editor.

Side note:  In switching my mom to Win7 I made her sacrifice Office 2003 without anything to replace it.  Eventually I was forced to install OpenOffice.  Within minutes she had decided that she hated OpenOffice and would probably never use it again (until I told her to).  [Blame auto-crap.]  She was ... relieved when I showed her Google Docs.

It's an admirable goal and makes a hell of a lot more sense than any other editor I've seen.  I like it.  Something I don't think I've said in months (about anything, even in real life!).  It's nice and I never knew I could have something this nice.

Now there are still some massive problems to work out before it should be "launched."  That's right, the page might not say it but this is a beta.

Remember when I said it was the most awesomest WYSIWYG editor everzzzzz?  Wellllll about that ...

This is what it looks like when you tell it to print.  Yes, really.

Work it out Google!  You have a potentially stupendous product on your hands with some glaring issues but all that really means is they have their work cut out for them.  To it, Google!

Sunday, July 11, 2010

Some interesting reading tonight.  Well, if you're into corporate ineptitude that is.  See, I just started some intensive readings on the Kin failure and I have come to one conclusion:  heads must roll.

See, to me, a head must roll when a person presents more risk to the company than he or she is worth.  A noted example of a head already rolled:  Robbie Bach.  Head of the Entertainment and Devices division for several years now, he recently retired.  According to his Wikipedia page (and confirmed by his MS bio page) "He led the division that is responsible for the Xbox, Xbox 360, Zune, Windows Games, Windows Mobile and the Microsoft TV platform."

Now, think about that.  The one possibly reasonably "successful" product still cost the company billions of dollars, not just to develop but in damage control from extremely unreliable hardware (we have 12 360s where I work and 5 are broken and out of warranty).  Nothing else has matched its commercial success, but I don't believe anyone since Kenneth Lay has earned so much money losing money (excluding banks).

But he's gone!  What does it matter now?
Well unfortunately not every poor decision can be laid at his feet (I actually might not blame the Xbox problem on him, I just don't have the information necessary for that choice).  I have heard several other major names mentioned, mostly from the Danger group now leaving or just departed Microsoft.  The list I have seen includes but is not limited to:

  • Robbie Bach
  • J Allard
  • Matt Bencke
  • Roz Ho

Let me take a moment to especially single out that last one.  Roz Ho has been mentioned over and over again for failure in various capacities.  I have heard that the Danger team was lied to about their role post-acquisition, and that Roz and Matt were responsible for deciding to acquire Danger and start the z(une)Phone project.  So just to be clear, a massively expensive team of highly talented and motivated developers (Danger) was bought solely to speed development of a mish-mash of a failing music player and a failing phone in an attempt to out-iPhone the iPhone.  All this was done just before Windows Phone 7 work commenced using a totally different, more capable base.  Roz was responsible.

As evidence of her incompetence as a leader, I'll let poster WilliamTruthTeller of the Ars Technica forums give you his opinion:
"Roz Ho was in charge of the entire PMX/Pink effort. This was her very first (and assume last) mobile effort. Previously she was in charge of the Mac office efforts at Microsoft. I have never met a less competent leader. She was shallow and completely self absorbed and will find any excuse to talk about herself. She made it clear to the entire team that she has a lot of money and loved to talk about it. She has houses in Redmond, the Los Altos Hills, a condo at Squaw Valley and an apartment in Chicago. She has more than 4 cars one of which is an Audi A10. We only knew these details because she was always talking about them. Nobody cared but she couldn't help it. The ultimate expression of her clueless pomposity was that during the heat of the development battle, when the project was struggling mightily with technical and personnel problems, she took three weeks off to hike to the top of Mount Kilimanjaro . . . Just so you understand how terrible these two were in their roles as leaders, both Roz and Matt were assigned executive coaches to review their communications because they didn't have the internal ability to detect when they might destroy morale through their clueless statements."
So morale was down.  Roz was responsible.

Management didn't know how to handle technical issues.  This is evident in the almost vaporware status of Windows Mobile Phone 7 and carries over also to Pink/KIN.  Another post:
"In the middle of this mission to save WM7, Roz shows up with some of the PMX folks and says they are going to need his support. They are using a different chip set and will need changes made in the core to support it. PMX not only needed changes in the core, but also needed WM personnel to act as engineering support to PMX. And Terry M. correctly said "No and hell no." . . . MX made its own mess and would have to pull itself out."
Roz was responsible.

Noticing a pattern here?  There are plenty of other examples of Roz and also others making gross managerial mistakes, but in my view none tops this.  The title reads, "Microsoft's Pink/Danger backup problem blamed on Roz Ho."  Trimming the fat, the article says that she was told by the SAN provider that there should not be a problem doing an in-place upgrade on existing equipment (realize that this is expensive equipment and takes 6 days to back up because of the volume).  She decided two days into the backup that money could be saved by not backing up.  Since there was only room for one backup and the last one had been deleted to make room for the one in progress, well...  headlines were made.  The biggest mobile data loss in history, and I can tell you from experience that the service hasn't been the same since (calendar and email syncing problems existed for me as a new customer in January.  I kept the phone for five days.).

So probably every manager in the department should be fired.  But that's unlikely.  Seeing someone as visible and with as deep a history at Microsoft as Roz leaving would be a good start.

Wednesday, June 30, 2010

Wait, where did I . . ? Oh, [insert expletives here]!!!!!

Washed your passport? Yep, I've been there. I even did it a week before I was supposed to leave. Surprisingly, finding information on how to deal with this situation is remarkably difficult, so just know that I can (probably) help you.

This information is from a trip I took in June 2009 to Germany and may have changed between my experience and your reading this, but for what it's worth, here's what happened to me. Current and relevant information should be available at the Dept. of State website, especially http://travel.state.gov/travel/tips/emergencies/emergencies_1197.html .
Also I used this blog post to model my own experience. Why go there? Well because it's prettier and has a better title.
Finally, I'll update my photos when I have a better camera available.
With that all out of the way...

Actually I lied earlier. I do that sometimes. I didn't just wash my passport. I also dried it. I figured finding out what to do would be easy; surely so many people had come before me that another had done the same and blogged about it, or the government had recognized it as a chronic problem, or at least there was some forum with answers to questions like the ones I had:
  • Is this a serious problem?
  • Do I need a replacement?
  • If I do, how much will this cost?
  • Would the mail be too slow?
  • OMG MY PLANE LEAVES TOMORROW WHAT DO I DO?
OK, well, I can't really answer that last one but you should keep reading! I still have some pertinent information for you and hopefully I'll get it out in a concise enough format that you can still make your flight.

This really is a serious problem. Here's a little primer to explain why:
  1. You get to the airport toting your bedraggled old passport in whatever imperfect condition it is in and approach the check-in desk.
  2. The attendant goes through the motions until she asks for your passport. You hand it over casually, hoping she doesn't notice and/or care how good/bad it looks. She glances at it, stares and hands it back.
  3. SURPRISE!!!!

I cannot answer what will happen for you at the end of this story because it's up to the "airlines" and therefore each person you hand the passport to who works for your airline. I have heard that they are liable to deny you, too. It really just depends. The concern is that once you get to country X (US, Deutschland, Nippon, w/e) customs will deny you entrance and the airline will have to send you back on their dime (or even if you paid, their space!). In any case it's not a happy situation. For most people that means you can get sent back at one of three places: check-in, boarding, or customs. Really unhelpful. If your passport looks at all damaged (mine wasn't even peeling on the covers!) they can deny you, so I would suggest getting thyself to the nearest Embassy/Consulate with your damaged passport and a small pile of local currency! For me it was (if I recall correctly) €65,00. They will charge you a bit extra on the passport application for "expedited" service to get an emergency issue / limited passport, but once you get back to the States you can get this replaced with a real passport at no additional cost. Total time from getting inside the embassy to leaving? 1 hour. And that was when they messed up my birthplace on the first try (yes, you should definitely check their work when they ask!).

Note about embassies: There is usually a long line outside. This is actually locals looking to travel to the US, and there is usually a separate line for the different services offered to US citizens (I believe it's US Citizen Services). If there are two lines that should mean you get priority :) Of course, always ask your friendly-but-stone-faced-kinda-scary-looking guard first before cutting!

To recap:

This is a serious issue. If you're bothering to Google things like "what constitutes a damaged passport" it's highly likely it needs to be replaced.

The cost might have changed since posting but in June '09 it was ~$100.

The mail depends on how long you have. Get thee to an embassy!!! And trust me, emailing and calling will NOT get you the fast response you want. You should GO, with or without an appointment.

Good luck! You're probably hosed and have to risk it unless your embassy is in the same city/farm as the airport. If it is, check what time it opens and GET OVER THERE! You can probably skip any lines and making a passport might take less than an hour.

How to get Windows 7 running with 160MB RAM, an 850MHz processor, and 8GB of hard drive space OR Why I love FOG

Ignoring the abuse of titular "or"s the world over, the first question you might ask is, why? The answer is coincidence (or fate or serendipity or just some really tight OS design). I was working on a proposal for work (currently so secret not even my boss knows about it) that involves FOG. WTF? No, not the obscuring pea soup you're probably used to mouth-breathing zombie-style between sips of that all-too-hot-but-not-quite-enough-to-overcome-your-scorched-tastebuds-and-wake-you-up cup o' Joe. I mean FOG Project (I think it's Free and Open-source Ghost). For those not "cool" enough to have a job where one of your many meaningful contributions is "ghosting" computers, let me explain:

When an administrator wants to deploy lots of computers (this number can vary) but wants his own software on them (read: not just the Dell crapware pre-installed but the corporate crapware. Or sometimes something worthwhile like a not-IE browser.) and also wants to be able to quickly update lots of computers and such, he basically makes a single computer have all the stuff he wants and copies it to all of the others that want that combination of software. But Windows is designed NOT to be copied. They want to thwart all the "lost sales" of piracy, so there are all sorts of ways to prevent that, and this is especially thorny in Windows XP. Anyway, special software exists to help administrators create "images" of computers for redistribution to other PCs. The longtime market leader is Norton Ghost, hence "ghosting" or imaging. Hopefully your eyes didn't just glaze over.

You've probably figured it out by now; it's not that complicated. I downloaded the FOG VMware image (shameless plug: it's great software if overpriced for students), configured it for my network, created an image using another VM (I wanted a clean install and small image for testing), and sent it on its merry way up a couple of non-existent Ethernet connections inside my VMware software. Importantly, it was Win7 and it had a few things installed like iTunes, Firefox, and Chrome among others. Now normally Windows 7 would not allow installation on anything less than 512MB (I think, might be 1GB though!) but I just deployed it using my little Knoppix-style PXE Linux environment and BAM! I'm ready to take half an hour to make and eat a sandwich (so that I can finish downloading the image, not because I have some kind of weird sensual sandwich eating fetish or anything). Come back, everything's booted up nicely and I don't even have mouse lag (mostly). Took some time but I managed to browse the web with Chrome and grabbed a screenshot of the machine specs as "proof."

So there you have it. Fresh install, pack it up with Sysprep, upload it to the FOG server, and download it to the final client which doesn't do any hardware checks apparently. Simple, right?

Le Raison D'Être

If only I spoke French. I can't. Sure I took it for 5 years and completed 4 years of coursework but understanding something, anything takes a lot more study than that. I was never fluent and I often translated things literally (ok that came out backwards. I also often struggle to communicate in English!). I never understood the full cultural context of everything, much less that I was acting as a part of it. I still feel the same way and not just about the French. I don't know what I'm doing here and I have no clue why you are visiting but if you're reading this know that I cannot know how my writing will affect you but this is the closest thing I have to improving the world. If it works out and I save your life or something that's great! If not, well . . .

C'est la vie.