Are Security Efforts Misplaced?

January 11th, 2011 3 comments

Warning... this is a bit of a disjointed rant!

I won't reveal the person's name, but recently I chuckled when reading a Facebook status update from someone I knew in high school. His comment was along the lines of, "My boss asked me to label our switches with their IPs, so I asked if we should post the configs along with the usernames and passwords on the internet. My boss has a wonderful concept of 'security'".

This person is a graduate of a post-secondary computer program. Probably not unlike the program that I graduated and now teach in. I want to know who, during his education, said "labels are insecure" and drove this idea into his head to the point that he would call out his boss on Facebook over it. I want to know who this professor is because I want to see them stripped of their right to teach.

However, if we ignore that someone is passing along incorrect information, this seems to be part of a larger issue. I noticed numerous comments on Facebook laughing at the status update, perhaps by people that know nothing about computers but, even worse, they might be people that work in IT. I have to ask myself as a security professional and as a security professor if all of my efforts are wasted. Do we really have people working for companies that feel proper security means not labelling equipment?

I then realized that this is likely part of a larger problem. We have people everywhere doing jobs that they aren't trained for and aren't prepared for. As we focus more and more on security, we are forcing developers, network admins and sys admins to focus on security, but we're never telling them what matters and what is involved in security. It's not unlike when I took my first job after I graduated and cried my first day. The previous sys admin had enabled WEP on their wifi ("for security") but had also put their Win 2K box acting as a DC and running Exchange 2K directly onto the internet. Not even a Linksys router in the way, just straight into the DSL modem.

So are we wasting our efforts? Is there any point in looking at security when there are so many SMBs that have a single IT person or an outside consultant who has no idea what to do? A lot of people dislike standards like PCI but maybe this first step, a simple checklist, is exactly what we need. Maybe instead of user awareness training, we need to start talking about IT grunt training, because how can we have the users trained if their likely trainers don't know what's going on?

If I were told it was a security risk to write IPs on switches, I'd really have to ask why someone is able to get access to the switches in the first place. That would be the real security risk... who cares about the IP if someone has physical access.

Categories: IT, Security

2011: Time to Blog Again

January 7th, 2011 1 comment

Lately I seem to have overextended myself. I had multiple blogs on the go and on top of my full-time day job, I was developing curriculum, teaching and doing some book editing. Given my unnatural TV watching habits, that meant other things had to suffer. One of my many resolutions this year was to fix that. I have plenty of things I want to write about at any given time, I just never do...and everything I do leads me to more things I want to write about. So it's time to start writing again. My goal was to publish 365 blog posts this year, but since this is my first one and it's the 7th, that doesn't seem likely. I will, however, do my best to start blogging again on a regular basis.

One thing that kept me ridiculously busy this past year was my server. I had decided that a Linux box at home wasn't sufficient a couple years ago and purchased a hosted server for way too much money each month. In the end the maintenance and upkeep were draining me and I finally decided to abandon it. Primarily because I grew lax on maintaining it and it was hacked. I decided it just wasn't something I needed to have any more and that there were better ways to accomplish my goals. So now I'm in the middle of transition as I restore back-ups I'd pulled off the server and get myself up and running with various new services.

One way that I'm handling my lack of access to that shell is by increasing my usage of SDF. I've been an ARPA member of SDF since 2003, but I decided to upgrade to MetaARPA membership and take advantage of some of the additional services (more on this in the future). On top of this, I signed up for Amazon Web Services. I created myself a Micro-Linux instance that falls within the free tier for now, but I plan on playing with AWS and exploring some of the possibilities with it in the future.

I seem to have most things back up and running that I had previously, however one missing piece is that SSLFail.com is still not back up. I am hoping to get that blog back up and running and open it up to be more user contributable...I'm just not sure how to do that yet. If you have any opinions, please let me know.

Categories: Site Related

Thank You Everyone!

August 4th, 2010 No comments

*UPDATE*
Just wanted to let everyone know that I managed to throw $40.00 towards HFC, it wasn't much but I had forgotten PayPal fees and exchange rate (which is close to par but still affects $2k). Thanks again everyone!

I just wanted to let everyone know that I've reached my goal to cover my bandwidth costs. I want to thank the individuals who donated, it was definitely appreciated. I also want to thank SecurityCompass for making a donation. Additionally, I need to extend a big thank you to my employer. This is my personal blog and when I started with nCircle I pointed out that I blogged here and wouldn't stop. Even though we have our corporate blog, they were happy to allow me to bounce back and forth between the two rather than push me to blog only on blog.nCircle.com. So even though this blog is all mine, nCircle stepped up and offered me an advertising contract, featuring their logo and link on my website and in exchange they offered up cash to cover the remainder (total less donations) of my hosting fees, and in the end I believe I'm coming out slightly ahead, so I'm hoping to pass some money towards HFC (more on that once my 1and1 bill is actually paid). So once again thank you to everyone. You'll now see nCircle's logo on the page, and in the near future (once my transfer volume is straightened out) DVL will return with a nCircle sponsored download page.


iPad Review: Taking Notes Part 2

July 31st, 2010 No comments

After my last review of Note applications, I was asked to review a few more apps, some by the author and others by friends who wanted to know if programs were worth buying (I guess they prefer I spend my money :) ).

As last time, I'm using the Pogo Sketch for all on screen activities and I'll use the same chart as last time:

  • P -- Pen Function
  • E -- Eraser Function
  • T -- Text (Keyboard) Function
  • U -- Undo Function
  • R -- Redo Function
  • C -- Colour Support

neuNotes (Free) -- PEURC

The author of neuNotes commented on my last post and suggested I look at the software. I'd have to say that if I wanted notebook style software (similar to PaperDesk and Penultimate) that this is by far the best free option. I've come to like Sundry Notes more and more lately but it's still got a lot of feature bloat, and Adobe Ideas is really more of a whiteboard, neuNotes finds a nice middle ground. I can draw in multiple colours and also select the transparency, which means I can use it as a highlighter. It allows for multiple notebooks with multiple pages and several transmission options (Mail Page as PDF, PNG, or JPG; Tweet Page; Mail All Pages as PDF).

The feel of the software isn't quite as refined as some of the other apps; the icons and colours made it feel a little juvenile, but that's a pretty minor sticking point. I've spent so much money on note taking apps that I'm not sure this one will make the cut in the end on my iPad, but if you haven't spent money on an app yet, this is probably a good starting point.

The transparency, multiple pages and email options were all high wins for me, while the lack of paper types (lined paper can be useful) and look of the software were the primary cons. As an added benefit, you can replace a page out of a notebook with an imported image and mark up the image, and you can name each page individually.


Note Taker HD ($4.99) -- PEURC

The biggest sticking point on this software has to be the price. It, along with Notes Plus, takes the cake as the most expensive piece of notebook software. From a features standpoint, they'd almost seem worth it (they have some of the nicer features) but there are some basics that are definitely lacking in both cases. Additionally the Note Taker HD UI takes some getting used to. While the colour and icons of neuNotes were bothersome for me, in this case it's the buttons themselves; they don't fit the typical iPad buttons that I've become accustomed to and the UI layout is a little wonky.

Where Note Taker HD is nice is in the edit modes. You can mark up an entire page, or you can switch edit modes and write in a small zoom box so that you can take notes like you would on paper (and the functionality works quite well). Another point that many people may like is that Note Taker HD is like a single notebook. You add pages, title pages and work with pages, just as if you had a real notebook that you carried around to scribble in. While this may not be quite as organized as multiple notebooks, the tagging and favourites features help to make up for that.

While I really like the zoomed writing features, I'd want the UI to feel a little more 'iPad-like' to make this a part of my daily use. Given that this app only supports lined paper, I'd say that it's really meant to be treated like a notebook that you carry around and scribble down random thoughts in, and in that case, for people that do that... this might just be the perfect app.


Notes Plus ($4.99) -- PETURC

While I'll likely keep a few of the other apps (Penultimate and Adobe Ideas) this may soon become my primary note taking tool. You have multiple notebooks with multiple pages; multiple pen, text and paper options; group select and move (try the erase tool out and drag instead of deleting). The software also contains zoom and write functionality like Note Taker HD. The UI also has a very professional look and feel that improves the overall user experience.

If I was to nitpick, it'd be that the only email option is PDF. I'd like to be able to email a specific page as an image (PNG or JPG preferably). I'd also like a real eraser, so that I could "tidy" my notes. The only option right now is to use the group select and delete the highlighted chunk of writing.

The ability to intermingle typing and hand writing is also a nice feature. While the cost is a little high, in this case it may almost be justifiable. I wouldn't recommend this software if you aren't serious about taking notes (then the cost isn't justified) but if you are, this is the option for you.


Ghostwriter Notes ($1.99) -- PEUC

This is pretty standard note taking software. You have the ability to select from a few pen colours/types and a couple of types of paper. The zoom functionality is the only way to enter input with this software, which means no drawing diagrams (unless you can do that while zoomed into a couple of lines). This software may actually be the closest representation to pen and paper and the pen strokes are quite nice (no blocky text with this app).

You're limited in what you can do with this software, but alongside Adobe Ideas or Penultimate you may end up with a nice pair of apps. There's a catch though... wait a version or two. Currently the software has some lag issues (not sure why): you end up with pen strokes that aren't acknowledged, which leaves you with half written characters, or the zoom window lags and you don't see what you've written until you're down a line or two. Either way it could be very annoying to use in a real-world situation and risk encountering this problem.


iBrainstorm (Free) -- PE

This is the last piece of software I'll look at; I've almost got more note taking software on my iPad than I do games (almost, but not quite :) ). This software is clearly a competitor to Adobe Ideas and perhaps the two belong in their own category but I'll lump them in here. The easiest way to sum this app up is to say that when I'm done the review, Adobe Ideas will be staying on the iPad.

iBrainstorm has a single screen, no clear page and no new page. If you want to start over you sit with the tiny eraser and wipe it all out. It also has buttons that seemingly do nothing, and occasionally the screen greys out for no reason. Those issues aside, it actually has a few cool features.

The first cool feature is the ability to insert a Sticky Note. The tool itself is all freehand, but you can add a Sticky Note, and type a note to go along with your drawing. The other cool aspect, which I couldn't test, is the ability to connect multiple devices to bring along group think functionality. I'll hopefully get a few people running this in the future and test it out and if it's amazing, I'll write more about it.


I’ve Become a Cyber Pan Handler

July 22nd, 2010 12 comments

**Update on this on another blog post -- fees have been paid in full; should anyone choose to donate at this point, I'll use it to pay future fees**

Every now and then I encounter websites that have donate buttons, especially if they provide a service. I've always wondered about this but figured "Hey, if people want to give money why not". I've decided today to become one of these "Cyber Pan Handlers".

For quite a while I've been hosting DamnVulnerableLinux without any problems. About 6 months ago, my transfer limit was exceeded due to DVL and I had to pay a bit extra. I decided that I would stop hosting DVL and it went to being only available via torrent. A couple of months later my hosting provider, 1and1, sent out an email stating that all hosting accounts had been upgraded to unlimited transfer, so I re-enabled my hosting of DVL. This month DVL appeared on Slashdot and what followed was a bill for a couple of thousand dollars. 1and1 is claiming that my account is a grandfathered account that no longer exists, and is therefore not eligible for the unlimited transfer. Yet they had still sent me the email and when I had checked at that time my account stated unlimited. I'm guessing that they made a mistake in their system when they initially implemented it and then silently fixed it. Either way, they are unwilling to honor the email they sent me and the DVL direct download has been removed. Should I come out of this, I will upgrade my account (which will increase my current monthly costs) and resume hosting DVL for download.

In the meantime, I'm going to ask for donations to help cover this large bill. During this push, there were over 30K downloads of DVL. I'm hoping that some of those downloaders (or anyone else) will realize the value they gained from the direct download and donate a few bucks to help cover costs. I just don't have the cash to cover it right now, and not only will the DVL direct download go away, a number of other things will as well:

  • ComputerDefense.org blog, hosted web pages, mailing lists, and email addresses
  • SSLFail.com blog, hosted web pages and email addresses
  • Hosted DNS
  • Shell Accounts
  • SecurityBloggers.net domain name and associated email forwards / url redirects
  • Hosted Domains

If you are someone affected by any of these services, maybe you want to donate too :)

As I said, once I manage to get this worked out, the DVL direct download will resume. Those who donate, I'm also willing to consider any requests you have for a shell account, dns hosting, email or whatever else. If any companies want to donate... Well, I'll add a banner with your logo to the top of CDO.org and SSLFail.com. Let's say for companies, every $20 buys you a month of banner :)

Anyways... that's it... figured I'd give this a try.... now for the lovely download button.

Thanks For Reading!
Tyler.

***UPDATE***
I've been asked what will happen if I get more money than the cost of the bill. If that happens, I'll gladly donate the rest to HFC.
Categories: Site Related

iPad Review: Taking Notes

June 5th, 2010 1 comment

One of the biggest reasons to get an iPad, in my opinion anyways, is that a tablet seems like the perfect note taking platform. So I was rather surprised when I first turned it on and encountered Notes, the built in software. If Apple's goal was notepad, then sure... mission accomplished, but I expected more from a company that does graphics and media so well. This led to the search for the perfect note taking tool and I've played with a few at this point, so I figured they were worth comparing. All on screen writing was done using the Pogo Sketch, an absolutely amazing stylus that I recommend for anyone using one of these tools.

There are a number of common features, so as I walk through these tools, next to their names I'm going to list a series of letters, the letters stand for:

  • P -- Pen Function
  • E -- Eraser Function
  • T -- Text (Keyboard) Function
  • U -- Undo Function
  • R -- Redo Function
  • C -- Colour Support

PaperDesk ($1.99) -- PETC

You will notice from the screenshots that this is PaperDesk Lite. While I paid for PaperDesk, a mix-up in the app store has led to all people who purchased PaperDesk having the Lite version for now. So it may have additional features that I can't comment on at this point.

One of the most interesting aspects of PaperDesk is the ability to do VGA out. When you select to create a new notebook you have the option of creating a Notebook or a VGA Output whiteboard. Since I haven't purchased the VGA Adapter yet, I can't comment on this functionality, but it is on my list of iPad add-ons that I want to buy.

After you've selected your notebook, you are presented with a page on which you can type or draw. Paper options are available and include Lined (White), Lined (Yellow), Graph and Blank. While you can draw anywhere on the page, text entry is limited to word processor style entry (top to bottom, from the left side of the page). You can't draw an item and then type a note next to it. It was also nice to see that colour and brush size selection were available.

Another handy feature of PaperDesk is the ability to record while taking notes. The recording quality (from a few feet away) is quite good and recordings are saved with timestamps so you can easily reference them. While the ability to clear all text or all drawings from a page is available, I was not able to find the option to clear recordings.

Another nice feature of PaperDesk, if you use it frequently, is the bookmark feature. You can bookmark a page, so that you can easily jump back to it. The annoying component of this is that, like recordings, it is handled via timestamp and you cannot specify a name, each bookmark is simply stored as a timestamp. If you were a student using this for lecture notes (which I think would be the primary purpose of this app), you may have a hard time jumping back to a specific topic.

The email functionality of PaperDesk sends a single page combining your text and drawings; however, it also extracts the text and sends it in the body of the email.


Penultimate ($2.99) -- PEUR

Penultimate is on the first page of my iPad apps and is the one that, so far, I've used the most. It gives you multiple notebooks and multiple paper types (Lined, Graph, Plain) much like PaperDesk but that's where the similarities stop. Penultimate doesn't allow for text input, has a single pen colour (black) and supports undo and redo. This means that there's not a lot to explain about Penultimate, it's a bare bones notepad that allows you to quickly diagram or jot down notes without features getting in the way.

So why is Penultimate on my main page, while the others are buried in the app list? Penultimate has the killer feature that every one of these tools needs to add in order to really compete. The feature? Wrist Protection. I can lay my hand on the touch screen and write as if it were a pad of paper with Penultimate and it knows to ignore my wrist/palm. This is the killer feature for notebook/whiteboard interfaces on the iPad.

My biggest complaint with Penultimate (which is ultimately an expected feature for most) is that my screen turns. I could simply enable the screen lock, but it isn't that I don't want the screen to turn, it's that I want it to turn differently. As you'll see in pictures 2 and 3 below, when the iPad is turned into landscape, the notebook remains the same size, leaving a portion of the screen to the right unused and requiring that I scroll to access the entire page.


Sundry Notes (Free) -- PETURC

Sundry Notes is probably the most feature packed of all the tools. In fact, if you're looking for drawing/whiteboarding it may be too jam-packed with features. Also note that while Sundry Notes is free, it does have two in-app upgrade options (based on Donations). A donation of $2 or more will allow you to change the background on the main screen and the covers of the notebooks, while a donation of $7 or more will remove the watermarks from exported PDFs.

Let's start with the basic components of Sundry Notes first and then move to the more complex stuff. The bottom of the screen contains a menu bar with a number of options (in portrait mode... in landscape, the menu is on the left). You can create text boxes (and place them anywhere on the screen), draw with the whiteboard feature, import pictures and record voice notes. Additionally you can bring up a calculator ("equation solver"), a list with many common symbols and surf the web (you can't enter an address directly, but you can search Google and click into pages). The web functionality is one of the more interesting features I've seen in any of this software. You can cut any portion of a website and bring it into your note as a picture that you can then draw on and mark up. The selection method is quite simple; however, I've found it hard to bring in the entire viewable area of a page.

Since you can place a textbox anywhere and start typing, Sundry Notes far exceeds the text input capabilities of PaperDesk, as well as surpassing the types of paper backgrounds available in either PaperDesk or Penultimate. The whiteboard has a colour selector and supports many shapes along with the pen and eraser. Sundry Notes interfaces with SundryNotes.com online (which I have not used) so you can upload your notes and view them online. You can also share your notes on Facebook, Twitter or Picasa or email them as a PDF. Notes can also be backed up to a computer as a PDF or Zip file.

With so many features, getting a handle on everything you can do with Sundry Notes will take some time, but I suspect that the benefits are substantial.


Adobe Ideas (Free) -- PEU

Adobe Ideas is designed as a whiteboarding tool. It supports single page whiteboards with no concept of a notebook. Once you're in a whiteboard, you have access to a pen and an eraser, beyond that all you can do is undo actions and adjust the size of the pen. I actually think this is a really smart design, it's extremely basic (pretty much the opposite of Sundry Notes) and allows you to get in and quickly jot down an idea without wasting time getting setup or fiddling with options.

There are two features that I think are worth talking about with Adobe Ideas, the first is the ability to import a photo to draw on, I think this is crucial. You bring in your initial concept and then you can easily mark it up. The second is Auto-smooth. Something that is unique to the Ideas product. Your images come up almost cartoonish with certain final brush strokes, but the end result is much nicer because your shapes have all been smoothed out for you. Ideas, like most of the products, also supports emailing the end result.


Draw for iPad (Free) -- PEURC

I don't think that Draw was ever intended to fit into this category; it's simply a drawing program for the iPad, but I think it's a nice addition. Like Adobe Ideas, Draw is a single page that you can draw and sketch on; however, it's even more basic than Ideas (which allows you to save individual whiteboards), as it only has a single page. Draw does support multiple colours, along with undo, redo and clear (a function lacking on many of these applications). It also supports a few more interesting features.

Like most programs, Draw will allow you to email your end result; you can also post it to Twitter. The icon for Bluetooth connections still eludes me (I only have one iPad) but my guess is that it allows multiple people to share a drawing board, and if so that makes it one of the better options available (since none of the other tools support multi-iPad collaboration). Like Ideas, you can also bring in a photo and draw on it.

Another addition (although maybe not of use to most people sitting here) is that Draw contains some pre-built pen/paper gameboards, primarily Dots and Tic-Tac-Toe. This may seem like an odd option for a productivity tool, but as an entertainment tool, it's pretty awesome. My wife and I actually sat the other night playing Dots on my iPad.

The final option worth mentioning (and you'll see this in one of the screen caps) is that Draw supports freehand or snap-to drawing. However, touching the pen down in snap-to mode doesn't mean you'll come out with a single straight line; it just eliminates the curves.


WritePad ($9.99) -- TUR

WritePad may not really fit in well with this review, since it is the only tool that doesn't have a drawing/whiteboarding capability, but I felt I should include it. WritePad allows you to write on the iPad and converts your handwriting to text with incredible accuracy. You can write until you fill the screen, wait a couple of seconds while it converts and then begin writing again. WritePad includes spellcheck and will auto-learn your handwriting the more you use it. You can even set up shorthand that it will convert for you. WritePad also allows for keyboard input if you don't want to make use of a stylus. The final interesting feature of WritePad is its built-in translation abilities. You can have it translate for you (I'm not sure if it's using Google Translate or another service) which may make it an interesting communication tool. Written work can be emailed from within the application.


While I'm not going into full write-ups on these, I felt there were additional items that deserved honourable mentions:
  • Dragon Dictation (Free) allows you to simply record voice notes that are transcribed to text. Your recording is uploaded to their servers for transcription so an Internet Connection is required. I've found that the speech-to-text isn't quite as good as Vlingo on my BlackBerry but if you speak slowly it is fairly accurate.
  • Bento ($4.99) is database software from FileMaker. While you most likely won't be taking notes inside a database, the forms you can build are quite nice and this may be the perfect application if you are doing structured, repetitive notes.
  • Evernote (Free) is popular across every platform and allows you to centrally store your notes on their servers. The Free package is a little light on storage space and monthly upload, so heavy users will need to pay for the service. The software allows you to jot down text-only notes that can be saved and accessed with Evernote on any supported platform. Additionally, text within images is made searchable within the Evernote application which is a nice added bonus of using this product to store content. Ideally the other tools on this page will one day let you sync to Evernote.

So that's it... my review of some of the more popular note taking devices available for the iPad. I recommend you keep Penultimate handy for jotting things down quickly without worrying about your wrist getting in the way. With a few improvements (named bookmarks for example), I think that PaperDesk will become a tool that no post-secondary student will live without. It is a nice melding of note taking, lecture recording and drawing. For those looking to save money (or for the most features) I think that the combination of Adobe Ideas and Sundry Notes gives you both power and flexibility. In the end, unless I hit my app limit, I don't think I'll be deleting any of these applications from my iPad.

iPad Review: Source Code Editors

May 22nd, 2010 1 comment

In playing with my iPad, I determined that editing code in vi via SSH just wasn't going to be possible (the on screen keyboard just doesn't work well for vi keyboard commands). That meant I had to look at AppStore alternatives. I came across two that advertised what I wanted to do; for i ($9.99) and Monkey Wrench ($6.99). Given that I'm used to Komodo IDE, which has a price tag of $245 I wasn't expecting much.

I decided to play with for i first and was impressed with a number of things. One of which was the addition of an extra row to the keyboard with most of the commonly used programming characters. This meant I wouldn't have to switch to numeric and then to symbols. It also included a tab key which was useful, since I work primarily with Python. I wrote out a few lines of code and was happy with the speed. I couldn't type as quickly as I can on a keyboard, but I was quicker than some people I've seen attempt to write Python. Syntax highlighting, a built in web server (for file sharing), and some settings were all nice to have, along with the exceptional language support.


After I wrote out my quick demo script, I switched over to Monkey Wrench to do a comparison. The first thing I noticed was that it didn't look quite as nice. I'm not sure what it was, but it looked outdated. What I did like about Monkey Wrench was the line numbering; however, it was mostly a viewer and it felt like code editing was added as an afterthought. I also didn't like that Monkey Wrench was written primarily for use with FTP and then local files were thrown in afterward. There was no need to select a language as I had in for i, I simply typed... syntax formatting need not apply right now (but it is listed as a planned future improvement). The keyboard, while it added extra characters, didn't have enough of them and coding was almost a pain (keys like = / ( and ) were missing).


for i Pros

  • Syntax Highlighting for numerous languages
  • Attractive Interface
  • Enhanced Keyboard
  • Wifi File Sharing

for i Cons

  • Lack of Line Numbering
  • No SFTP support
  • Copy/Paste support was extremely poor and inaccurate

Monkey Wrench Pros

  • Line Numbering

Monkey Wrench Cons

  • UI felt more like a viewer than an editor
  • Lacking certain enhanced keyboard functionality
  • No Syntax Highlighting
  • Had to enter typing mode
  • Wedged in a viewer and an editor instead of sharing the space for a single window.

In the end, I'll use for i for now but I'll keep both up-to-date and see what happens with them in the future. Either way, it's nice to see this type of app available... now if only Python was in the AppStore.

My “DoS” Attack

May 20th, 2010 No comments

I experienced a ‘brief’ period of downtime (~24 hours) the other day on a server that I have hosted with 1and1. When I contacted them to find out about the outage, I was informed that my IP had been blackholed due to a DoS attack. I was surprised to discover that they hadn’t contacted me when they’d taken this action and, if I didn’t access my server daily, I wonder how long they would have continued to blackhole the IP. I asked for proof that my server was under attack and they sent me a snippet of the log:

12:57:25.528325 IP 64.233.180.94.53615 > 74.208.78.XXX.53:  5038 A? www.securitybloggers.net. (42)
12:57:25.586218 IP 64.233.180.94.38886 > 74.208.78.XXX.53:  27266 A? www.securitybloggers.net. (42)
12:57:25.606691 IP 64.233.180.94.50898 > 74.208.78.XXX.53:  5454 AAAA? www.securitybloggers.net. (42)
12:57:25.653284 IP 64.233.180.94.32922 > 74.208.78.XXX.53:  16830 A? www.securitybloggers.net. (42)

That IP, for those of you running to look it up, resolves to ni-out-f94.1e100.net. It turns out that 1e100.net is a Google domain. So, if I believe my hosting provider, I was DoSed by Google. I emailed 1and1 to point out that it was a Google domain and simply DNS traffic, and shortly after that my server was back up… at least in theory. In the end I had to reboot my server before it would respond… but at least I got it up and running.
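The log snippet above is ordinary tcpdump output for DNS queries, and the distinction between a flood and a resolver doing its job comes down to who is asking, how often, and for what. The following script is an added example, not something 1and1 or the post's author supplied: it parses lines in that tcpdump format, groups them by source address, counts query types and names, and estimates a per-source query rate against a flood threshold. The four lines embedded here are the ones quoted in the post (with the masked `XXX` octet kept as-is); the `flood_qps` threshold and the helper names are my own assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: the four tcpdump lines quoted in the post, XXX kept as masked.
SAMPLE_LOG = """\
12:57:25.528325 IP 64.233.180.94.53615 > 74.208.78.XXX.53:  5038 A? www.securitybloggers.net. (42)
12:57:25.586218 IP 64.233.180.94.38886 > 74.208.78.XXX.53:  27266 A? www.securitybloggers.net. (42)
12:57:25.606691 IP 64.233.180.94.50898 > 74.208.78.XXX.53:  5454 AAAA? www.securitybloggers.net. (42)
12:57:25.653284 IP 64.233.180.94.32922 > 74.208.78.XXX.53:  16830 A? www.securitybloggers.net. (42)
"""

# One tcpdump DNS query line: time, src.port > dst.port, query id, qtype?, qname, (length).
# The optional "+" after the id is tcpdump's "recursion desired" flag.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+):\s+"
    r"(?P<qid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)


def parse_line(line):
    """Return a dict for one tcpdump DNS query line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    t = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
    # Seconds since midnight, precise enough to measure the burst window.
    rec["seconds"] = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
    return rec


def summarize(log_text, flood_qps=500.0):
    """Group queries by source address and estimate each source's query rate.

    flood_qps is an assumed threshold for "looks like a flood"; a real
    authoritative server's baseline would set it.
    """
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_src[rec["src"]].append(rec)

    summary = {}
    for src, recs in per_src.items():
        times = [r["seconds"] for r in recs]
        # Floor the window at one second so a handful of packets is not
        # extrapolated into an absurd per-second rate.
        window = max(max(times) - min(times), 1.0)
        qps = len(recs) / window
        summary[src] = {
            "queries": len(recs),
            "qtypes": Counter(r["qtype"] for r in recs),
            "names": sorted({r["qname"] for r in recs}),
            "qps": qps,
            "flood": qps >= flood_qps,
        }
    return summary


def describe(src, stats):
    """Human-readable verdict for one source, for the ticket you send back to the host."""
    verdict = "possible flood" if stats["flood"] else "ordinary lookup volume"
    names = ", ".join(stats["names"])
    return (f"{src}: {stats['queries']} queries, {stats['qps']:.1f} q/s "
            f"({verdict}); types {dict(stats['qtypes'])}; names {names}")


if __name__ == "__main__":
    for src, stats in summarize(SAMPLE_LOG).items():
        print(describe(src, stats))
```

On the quoted snippet this reports a single source asking A and AAAA questions for one name the server is authoritative for, at a rate of a few queries per second: exactly what a recursive resolver looks like when someone behind it visits the site, and nothing a provider should blackhole an address over without at least notifying the customer.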

Nothing exciting... just my latest pain.

Categories: Site Related

Twitter gets EV SSL but is the message correct?

May 18th, 2010 2 comments

This would normally go on SSLFail.com but due to a server outage, I decided to just post it here...

Tim Callan, SSL Evangelist for Verisign, has posted a brief comment that Twitter now enjoys the added cost... um... protection... of EV SSL. I decided to check this out, so I visited https://www.twitter.com and was greeted by my biggest internet pet peeve, a website where only the www or non-www version works properly.

https://www.twitter.com

I decided to remedy this and use https://twitter.com, however I still couldn't get any green demonstrating EV SSL

[Screenshot: Firefox mixed-content indicator on https://twitter.com]

Of course, this was probably just a Firefox problem... I'll use the new kid in town, Chrome...

[Screenshot: Chrome mixed-content indicator on https://twitter.com]

Hrm... now I'm confused; perhaps Firefox and Chrome both have some sort of problem, because I should be getting the glorious green that is EV SSL somewhere in my address bar. I figured I'd try Internet Explorer first, though, because I don't want to be accused of prematurely pointing out why Tim's comment is wrong and why EV SSL is useless.

[Screenshot: Internet Explorer mixed-content warning on https://twitter.com]

Again, mixed content errors... this time complete with the famous IE pop-up.
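Browsers withhold the EV indicator (and show the warnings above) when an HTTPS page pulls in any subresource over plain HTTP, so the green bar is only as good as the page's last `<script>` or `<img>` tag. The scanner below is an added example, not Twitter's markup or any browser's code: it walks an HTML document with the standard-library `html.parser`, resolves every subresource URL against the page URL, and reports the ones fetched over `http://`, separating active content (scripts, stylesheets, frames) from passive content (images, media). The sample page and the `example.net` hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute carrying the subresource URL. "Active" content can run code or
# restyle the page, so browsers treat it more severely than "passive" media.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample page; hostnames are placeholders, not real Twitter assets.
SAMPLE_PAGE_URL = "https://twitter.com/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://static.example.net/app.css">
<link rel="stylesheet" href="http://static.example.net/legacy.css">
<link rel="icon" href="http://static.example.net/favicon.ico">
<script src="//cdn.example.net/widget.js"></script>
<script src="http://cdn.example.net/track.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://images.example.net/avatar.png">
<a href="http://example.net/external">links are navigation, not subresources</a>
</body></html>
"""


class MixedContentScanner(HTMLParser):
    """Collects subresources that an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    # HTMLParser routes void elements such as <img> here as well.
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE_TAGS:
            attr, kind = ACTIVE_TAGS[tag], "active"
        elif tag in PASSIVE_TAGS:
            attr, kind = PASSIVE_TAGS[tag], "passive"
        else:
            return
        # Only stylesheet <link>s are render-blocking active content; icons,
        # prefetch hints and the like are skipped here to keep the example focused.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        url = attrs.get(attr)
        if not url:
            return
        # Relative and scheme-relative ("//host/x") URLs inherit https from the page.
        absolute = urljoin(self.page_url, url)
        if urlsplit(absolute).scheme == "http":
            self.findings.append({"tag": tag, "url": absolute, "kind": kind})


def scan(html, page_url):
    """Return the list of insecure subresources found in html served from page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def verdict(findings):
    """Summarise what a browser's indicator would reflect for these findings."""
    if not findings:
        return "secure"
    if any(f["kind"] == "active" for f in findings):
        return "mixed-active"
    return "mixed-passive"


if __name__ == "__main__":
    found = scan(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for f in found:
        print(f"{f['kind']:7} <{f['tag']}> {f['url']}")
    print("verdict:", verdict(found))
```

Run against a real page's HTML (fetched over HTTPS first), the same `scan` call tells you which tags to fix before expecting any lock or green bar; the scheme-relative `//cdn...` form and the site-relative `/images/...` form both come out clean because `urljoin` inherits the page's `https` scheme.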

Alas, all is not lost... EV SSL and the glorious green bar is available on Twitter. You simply need to provide your credentials on the page with the "broken SSL" and then, after login, you'll be presented with the wonderful green bar.

[Screenshot: EV green bar shown on Twitter after login]

Now maybe it's just me... but it seems that this is sending the wrong message to most users.

Categories: Uncategorized

My Experiences Jailbreaking the iPad

May 18th, 2010 2 comments

It's been a while since I posted here (I'll add another post with links to my recent postings) but maybe this one will irritate enough people to make up for it :)

--

Last weekend involved more playing with my iPad and, given that it’s my first Apple product since the original iPod mini, there are many things that I’d never played with. I decided that an interesting first step would be to figure out why it’s so popular to jailbreak iDevices. It only took me about 30 seconds on Google to come across Spirit and the process was incredibly painless. I downloaded the app, connected my iPad and clicked Jailbreak. In a matter of minutes I had a jailbroken iPad with Cydia installed (a GUI apt-get-like program similar to Synaptic on Ubuntu).

Given that I spend a lot of time with Python and I’m a big fan of Metasploit and Nmap, I decided that I’d start with those apps. It was pretty impressive, to just click and install (although I did have to modify msfconsole to get it to run on its own). If I was a pentester, I’d see some serious benefits to a jailbroken iPad. However, I’m not so I continued to dig around. I had to install openssh-server and SSH into my host (there’s no terminal software for the iPad like there is for the iPhone) but that was easy enough. Now it’s time to investigate.

My biggest complaints about the iPad are:

  1. Inability to play DRM wma files.
  2. Inability to multitask.
  3. No decent text editor.
  4. No way to have portable python.

#4 was solved immediately but wouldn’t be useful without a Bluetooth keyboard and that limits the portable aspect. #1 is wishful thinking; it’s just never going to happen. That leaves #2 and #3, so we’ll explore those in more detail.

The inability to multitask is a big one for me. I’d like to have a browser and a game and email and IM open… but Mr. Jobs doesn’t want me to have that freedom. Multitasking is supposed to be one of the big things that jailbreaking gives you… I’m afraid we’ve been misled. ProSwitcher was the first app I tried, and as soon as I installed it I experienced my first stability issue… Switchboard crashed when I tried to open an app. So next I tried Multifl0w and was disappointed when the repository failed and I couldn’t try it. That left Backgrounder, which, based on what I’d read online, was my best chance. It allowed me to background applications (a partial win); however, my chat still logged me off when the window was in the background, so ultimately it was another fail. I suppose that I could have gone with full console applications, installed screen and run a different console app in each window, but that feels like it’s defeating the purpose of having an iPad (besides, I’ll SSH into a shell account for that functionality).

A decent text editor is something else I was excited for. I’ve recently stumbled across a source code editor in the AppStore that might solve my problems but I couldn’t bring myself to spend $10 on it just yet. In the meantime the first thought I had was ‘finally… vi’. Vi IMproved was available and I quickly installed it. It was useful but, similar to python, wasn’t overly useful without a real keyboard (the lack of ‘:’ on the main keyboard made it especially painful to use).

So all my dream iPad situations faded away but I figured I should still check to see what else was in Cydia. I have to say, I was impressed… Impressed by the sheer amount of crap that existed. I couldn’t find any useful functionality. There was software that would make the annoying mosquito sound (that’s only heard by people under 30) and software that allowed you to “shake body parts” and even software that simulated Bluetooth functionality. It didn’t give you Bluetooth functionality… It just looked like it was doing something. No software to add DUN support so that I could tether with my Blackberry. No cool office suites or useful tools, just a whole lot of useless, mindless programs.

Needless to say, my jailbroken iPad lasted less than 2 hours; at that point I did a full restore of the original OS and I’m happy that I did it. In those two hours I had the iPad crash once and Springboard about a half dozen times. I found no useful software and couldn’t accomplish any of the tasks I wanted to.

Should Python ever make it into the AppStore, even with a price tag, I’ll happily pay for it but I’m going to stick with my iPad in its default configuration. Should I ever get into pentesting, I’d probably change my mind, but it just doesn’t seem useful for anyone else to even consider.

Categories: IT