Microsoft has a really nice HTML/DHTML reference compilation available on the MSDN... Generally the MSDN documentation walks you around in circles but in this case they seem to have done a really nice job...
New versions of AutoPatcher have been released...
Win 2K SP4
Win XP SP2
Win 2K3 SP1
I've used these CDs in the past and I'm a big fan of them... they are really nice for people that do Tech Support, even if it's just family and friends.. You don't need to wait and download updates and they provide plenty of extra little tools and utilities that you don't normally think about it...
Peace,
HT
So a new service has been announced, a third party addon for GoogleTalk called GTalk2VoIP, What is GTakl2VoIP??? Here's what their FAQ says..
GTalk2VoIP stands for "GoogleTalk To Voice-over-IP" gateway which offers a number of voice services to GoogleTalk users. The idea is not only to provide cheap outgoing calls from GoogleTalk to ordinary telephone numbers, but make them even cheaper and of a highest possible quality by organizing publicly open voice traffic exchange. Every VoIP service provider can participate in traffic exchange offering call termination service for different destinations. As each service provider gives its own communication rates, or the voice quality differs, it gives a bit freedom of choice for users (GoogleTalk users). Thus, we orginized a service providers ranking system which can be effected by users' votes and some automatically calculating voice quality factors.
They have free services (user to user, voicemail, etc) and they have paid services (connecting in to the PSTN (Public Switched Telephone Network). All you have to do to use this service is add a GoogleTalk User -- service@gtalk2voip.com -- and away you go.
I'm kind of curious about this service... obviously everything goes through them.... but who are they... can they be trusted? Where's the security in this... How do we know they aren't recording every conversation... You're actively sending your conversation to them so I doubt there's any expectation of privacy.. Maybe they're looking for online users who have phone sex and they have a second site setup to sell these conversations to the perverts of the world. Perhaps they're collecting credit card numbers (both the ones you use to pay them for their service and also any one you use over the phone to order items. Given all the government conspiracy theories of late regarding the internet, maybe this service was covertly launched by the government to eavesdrop on terrorists... or by the terrorists to circumvent standard wiretapping....
Then again, maybe the service is 100% safe... but I've got my doubts. The service is there for those willing to use it, but personally I'd wait until a bit more information comes out regarding these people and their intentions...
Peace,
HT
The second in my line of imported tutorials... This was originally posted here.
This tutorial will assume you have already read my first Python Tutorial (Python Introduction).
I'm not real sure yet what I'm going to cover, I figure I'll pick at these for a couple of days and post it at the end of the weekend. Unless I get really ambitious tonight.
Before I get into some examples, I'm going to include a few charts
| quote: |
| Source: Python Reference Manual - 2.4.1 String Literals
Escape Sequences \newline Ignored |
| quote: |
| Python Operators
+ addition |
Now for some examples..
Let's start with the while statement.
********************
Step-by-Step Process
********************
1. Open your favourite editor (Vi, Pico, Notepad, Wordpad, Textpad, DOS Edit).
2. Type
code:
from random import * answer = randint(1,25) guess = 0 counter = 0 print "Welcome to the Number Guessing Game" while guess != answer : guess = input("Please Guess a Number between 1 and 25: ") if guess < answer : print "To low." elif guess > answer : print "To high." counter = counter + 1 print "Congrats you guessed the correct number (",answer,") in",counter,"tries."
3. Save the script as numberguess.py
4. Open a command prompt and type python numberguess.py
5. You will see Welcome to the Number Guessing Game, followed by a new line which states Please Guess a Number between 1 and 25. I can't walk you though this, since it uses a random number but as you guess you will see To low. or To high. Until you guess the correct number, when it will then display Congrats you guessed the correct number (
This program incorporates a lot of firsts. We've made use of the Random module which allows us to call the command randint(bottom number, top number) to randomly generate an integer. We've created a few additional variables to store values and entered into a While Statement. This is also the first time we've looked at white space. Python makes use of white space quite frequently. As you notice there is no End while or End if statements, instead the tabs (white space) tell the interpreter where each statement ends.
The while statement follows the format while .
This next example will be relatively small as I just want to introduce the for statement and nothing else.
********************
Step-by-Step Process
********************
1. Open your favourite editor (Vi, Pico, Notepad, Wordpad, Textpad, DOS Edit).
2. Type
code:
print "This program will list the first 10 powers of a number." usednum = input("Enter the number to use: ") for x in range(10) : print usednum, "^", x, "=", usednum ** x
3. Save the script as powers.py
4. Open a command prompt and type python powers.py
5. You will see This program will list the first 10 powers of a number.. Followed by Enter the number to use: . For this example, enter the number 2 and press enter. You will then see.
2 ^ 0 = 1
2 ^ 1 = 2
2 ^ 2 = 4
2 ^ 3 = 8
2 ^ 4 = 16
2 ^ 5 = 32
2 ^ 6 = 64
2 ^ 7 = 128
2 ^ 8 = 256
2 ^ 9 = 512
This for statement uses and undeclared variable (which initializes to 0) and then cycles threw 10 times, leaving us with a last value of 9. Each time threw the cycle it prints the resulting power.
Many of you who have used C/C++ in the past have probably noticed a few similarities and this is because they exist. I have already shown you the print statement, but I will now show you another way to accomplish the same thing that is closer to the way C/C++ works.
********************
Step-by-Step Process
********************
1. Open your favourite editor (Vi, Pico, Notepad, Wordpad, Textpad, DOS Edit).
2. Type
code:
name = raw_input("What is your name: ") print "Your name is %s?" % name
3. Save the script as print.py
4. Open a command prompt and type python print.py
5. You will see a prompt which reads What is your name: . After Entering your name and pressing enter. You will see Your Name is
This is a great method for joining text and variables because it doesn't add a single space like the comma did in past print statements.
Peace,
HT
I've been thinking about it quite a bit lately, and I've decided to repost some of my older articles and tutorials written for ther sites.. Some of this stuff is rather basic... but it could prove useful for a number of peole out there...
This first article is a very simply python introduction that I wrote for the site AntiOnline.com. The original posting can be found here.
I'm going to pass on describing Python to you and instead let Webopedia do it for me.
| quote: |
| Source: Webopedia Term: PythonAn interpreted, object-oriented programming language developed by Guido van Rossum. The name comes from one of van Rossum's favorite television shows, Monty Python's Flying Circus. Python is very portable since Python interpreters are available for most operating system platforms. Although Python is copyrighted, the source code is open source, and unlike GNU software, it can be commercially re-sold. |
For those of you who do not have a Python interpreter, they are available on the net for download
Python.org Download Page
ActivePython from ActiveState
Now for the tutorial.
I'll try and make this as OS inspecific as possible. All these walk-throughs assume you have installed Python already.
Let's start with the most basic of programs. The obvious Hello World! Program.
********************
Step-by-Step Process
********************
1. Open your favourite editor (Vi, Pico, Notepad, Wordpad, Textpad, DOS Edit).
2. Type
code:
print "Hello World!"
3. Save the script as helloworld.py
4. Open a command prompt and type python helloworld.py
5. Voila! Hello World! is displayed on the screen.
This simply demonstrates the print command in Python. Now let's look at variables and user input.
********************
Step-by-Step Process
********************
1. Open your favourite editor (Vi, Pico, Notepad, Wordpad, Textpad, DOS Edit).
2. Type
code:
age = input("What is your age: ") print "So you are",age,"?"
3. Save the script as age.py
4. Open a command prompt and type python age.py
5. You will see an prompt which says What is your age:. Enter your age and press return. You will now see So you are 21 ?.
You will notice you do not have to declare variables in Python, simply reference them. In this example you also see how the input command is used. To input a value simply define a variable name for the value and then set it equal to the input command. The structure of the input command is
code:
input("Question to prompt with")
. You also see how to output more than one string of data, using the , to concatenate the strings. However use of the comma also automatically inserts a space. You MUST remember that input only works with numbers
Now we will attempt a simple text calculator with 4 commands (add, subtract, multiply and divide).
********************
Step-by-Step Process
********************
1. Open your favourite editor (Vi, Pico, Notepad, Wordpad, Textpad, DOS Edit).
2. Type
code:
calc = raw_input("Which function would you like to execute - [a]dd, [s]ubtract, [d]ivide, [m]ultiply: ") firstnum = input("Enter the first number: ") secondnum = input("Enter the second number: ") if calc == "a" : print firstnum,"+",secondnum,"=",firstnum+secondnum elif calc == "s" : print firstnum,"-",secondnum,"=",firstnum-secondnum elif calc == "d" : print firstnum,"/",secondnum,"=",firstnum/secondnum elif calc == "m" : print firstnum,"*",secondnum,"=",firstnum*secondnum else : print "Error: Unknown Function Entered"
3. Save the script as calc.py
4. Open a command prompt and type python calc.py
5. You will see a prompt which says Which function would you like to execute - [a]dd, [s]ubtract, [d]ivide, [m]ultiply: . For the sake of demonstration enter a and press enter. You will then see Enter the first number: . Enter 5 and press enter. Now Enter the second number: " appears. Enter 7 and hit enter. The screen will now display 5 + 7 = 12. Feel free to experiment with other functions and numbers now.
You have now been introduced to the command raw_input. It fuctions the same way as input but is used for alphanumeric entries. You are also introduced to basic mathematical functions in python (+,-,/,*) and if statements. The syntax for an if statement is
code:
if (statement) :elif (statement) :else :
One last example. We will attempt to incorporate a basic introduction to sockets into this example. *Crosses his fingers*
********************
Step-by-Step Process
********************
1. Open your favourite editor (Vi, Pico, Notepad, Wordpad, Textpad, DOS Edit).
2. Type
code:
from socket import * s= socket(AF_INET, SOCK_STREAM) yourip = raw_input("Enter your IP Address: ") yourport = input("Enter a Port Number to Listen on: ") s.bind((yourip, yourport)) s.listen(1) (incomingport, incomingaddress) = s.accept() print "Connection Attempt from", incomingaddress s.close
3. Save the script as server.py
4. Open a command prompt and type python server.py
5. You will see a prompt which reads Enter your IP Address: . Do as it says and press enter. You will then see a prompt which says Enter a Port Number to Listen on: . Answer the question and press enter. Telnet to the port you entered and wait a few seconds. Close the session and return to your python window. You will see the text Connection Attempt from .
In this example we played with sockets a little bit. The first task was to include the socket module. We did this using the statement
code:
from socket import *
. We then defined the type of socket (AF_INET, SOCK_STEAM) and created a variable for the socket to be attached to (s). We could then issue our commands based on the varible s. We bound the socket to the ip and port you had previously entered with the bind command and then started listening on that port. Upon a connection attempt we accepted the connection, printed the intruders IP to the screen and closed the socket.
Peace,
HT
It was never my intent to use this blog for posts of a personal nature... I had other sites which served that purpose... those sites still exist but the blogs are gone... so occasionally when my personally rants relate to IT in some way, you'll find them here...
This one is something that's very important to me... It involves one of my favourite websites - Guitar Tab Universe. This is a site where people listen to a song and then write out their interpretation of the music... The songs are never perfect... sometimes they sound better, sometimes they sound just as good and occasionally they sound worse than the original... but you can learn the song and if you play along with the song you learn the subtle nuances that tab and chords can't relate.
GTU is being legally attacked by the NMPA (National Music Publishers Association) and the MPA (Music Publishers Association) for copyright infringement. Having been on the edge of this realm in the past I know the basics of how copyright works... and I have the Internet at my fingertips.
I did some digging around and found this (Canadian Law):
18. (1) Subject to subsection (2), the maker of a sound recording has a copyright in the sound recording, consisting of the sole right to do the following in relation to the sound recording or any substantial part thereof:
(a) to publish it for the first time,
(b) to reproduce it in any material form, and
(c) to rent it out,
and to authorize any such acts.
As far as I'm concerned, that says I make money off it or create copies of it (There are exceptions to this -- Personal Use Clause). It doesn't say I can't produce my interpretation of it (which is all online guitar tabs are... a persons interpretation).
So this got me thinking... What about computer software... it's related. I listen to a song, I figure out how to play it (how the technical side of it works) and I reproduce it. With computer software, I run a program... sniff the generated traffic perhaps... maybe do some disassembly and generally interact with the program, the I write my own version of it. Office products come to mind here.. Corel WordPerfect, Microsoft Word and OpenOffice Writer... All three are different people's interpretations of the same idea... Does that mean one of the people who the original right to it and can call copyright infringement on everyone else? Then I thought of something...
A copyright doesn't protect an idea. The note by note music of a song can be protected, the word for word lyrics can be protected... the source code of a program can be protected... but the idea of the music... That note 1 should be a semi-tone lower than note 2, for example, or the idea that a typing program should exist where I can change the font, etc... cannot be protected... They are ideas that could be patented but they can't be copyrighted.
I fully support the distribution of guitar tabs and chords... I believe it falls under fair use, as it is teaching in a way (someone has learned the song and has written it out in order to teach it to me):
the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
I would also argue the fact that it's not an exact copy of the music but a derivative until I found this under Exclusive rights in Copyrighted Works:
(2) to prepare derivative works based upon the copyrighted work;
In the end, I really don't know who the law would side with but that exclusive right, paired with a legal win for the NMPA/MPA over Guitar Tab Universe scares me... could it possibly mean changes in the computer world as well? I don't know, but I'd sure like to.
I'm looking for anyone, legal background or not (because I definately don't have one), to give me their thoughts on this... I'll definately pass anything useful on to Guitar Tab Universe.
Ultimately this post is nothing more than random thoughts that came to me while writing and a vote of support for Guitar Tab Universe. As the last note of the post I'd like to point you towards MuSATO (Music Student and Teacher Organization). It is an organization that has been formed to fight for the rights of online students to learn music through shared guitar tabs.
Remember: They are just musicians that are reverse engineering the song. They're no different than the members of the security community that reverse engineer software.
Peace,
HT
So the advanced notification is out... It's looking like a light one this month.
There are only three security related updates in total. 2 of them are Windows-related but the highest rating is Important.... which in Microsoft-ese means:
A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.
So, worst case scenerio? A DoS...
There's also an Office update, severity rating Critical... which in Microsoft-ese means:
A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.
This is where I always get confused.... I'd love to see Microsoft define "user action". Last time I checked my office didn't open any listening ports. So now I have to at a very minimum download a file or check my email. That sounds like user action to me... but accepting that those are daily, accepted actions so common that they don't qualify as "user action", that still leaves othe questions. Most office exploits, except for those associated with outlook, require that you actually open and view the document. Wouldn't this also be user action? I move my mouse, I double click on a file... I acted did I not? Which would mean that, if checking your mail doesn't count as user action, the only possible Office product that could be vulnerable to a Critical level vulnerability would be Outlook. Now that would mean that this Patch Tuesday Microsoft is going to completely ignore the new Word 2000 0-Day. This doesn't seem overly likely... So I'm guessing that opening a file doesn't count as user action either.
So I'm ending today's post with a question. What is "user action" as defined by Microsoft?
Peace,
HT
So the news is a few days old but on August 31st the NIST released several new drafts.
They include:
All of these documents are accessible from the NIST Computer Security DRAFT Publications Website.
Those of you that are interested in following these publications can sign up for their mailing list to receive news regarding their release by send sending an email to listproc@nist.gov with the following test:
subscribe compsecpubs your first and last name
For example:
subscribe compsecpubs Computer Defense -- OR --
subscribe compsecpubs C Defense
Peace,
HT
Update: I attempted to register for their mailing list and it doesn't seem to work... If anyone has any luck or knows what I'm doing wrong, please let me know.
I feel I should put a bit of a disclaimer on this... I started out knowing exactly what I wanted to say... about 3/4 of the way through I was distracted. I'm also battling a nasty cold, so I'm not sure if, between the distraction and the cold, I made sense but hopefully you all understand what I want to say.
We wouldn't improve the "good things" in life if it wasn't for the "bad things"...
A lot of people would say that statement is true. They could probably pull up plenty of evidence to prove their point as well.
- People fought with wood (clubs) and rocks, until they learned they could combine the two and sharpen the rock to make spears. To counter this, people made smaller spears and attached rope to pliable wood and created the bow and arrow. To counter the club and spear in close combat as metal working was learned they created the sword... In long range fights they went from the catapult to the cannon. Then the single shot gun was introduced, then guns where you didn't have to reload, you just kept pulling the trigger. This wasn't fast enough so guns were developed that fired repeatedly just by holding the trigger down. I know.. this is a pretty crude history of weapons... but it's fairly accurate and most of the time these improvements were due to war (A "bad thing").
- Food storage is another great example... Originally you'd eat what you killed... Then as civilization set in farming began, food had to be stored... Meat was cured or salted, vegetables stored underground.. Iceboxes made it possible to store meat that wasn't cured or salted so you could have "fresh" meat for longer periods of time and then the fridge was introduced which allowed you to store all types of food... These improvements were to prevent the spoiling of food (A "bad thing").
Many people seem to think the same is true regarding computers. New versions of software are generally released for one of two reasons:
a) To introduce new functionality.
b) To fix flaws in a previous version.
I don't think anyone could argue that (a) is not driven by "bad things". It's driven by a human need to constantly improve, to increase productivity. It is (b) that introduces this belief that the bad drives the good. I disagree with this belief. I don't believe that malicious persons or actions drive the movement forward in security, I believe it's a need to explore... a curiosity.
I've heard the argument that people in IT have jobs because of viruses. I don't have my job because of a virus and I'm pretty sure the majority of you feel the same way. Generally it's people at places like Geek Squad and Nerds on Site that have jobs because of viruses, and in reality even saying their jobs exist because of viruses is incorrect... it would be more correct to say their jobs exist because of user stupidity. When I was working in in System Support and System Administration, viruses weren't our focal point, viruses added to our daily tasks... they increased our workload and forced us to put in overtime. We didn't have people on staff specifically to deal with viruses.
I've also heard the argument that viruses drive vendors to release patches. I don't agree with this... but to better prove my point I decided to head over to Symantec and take a look at their "latest viruses" list.
VirusBurst - Accompanies other Trojans.
Trojan.Schoeberl.D - Appears as .pdf.exe (takes advantage of user stupidity)
Downloader.Dowdec - No mention of how it "appears" on your machine.
W32.Mobler.A - A worm that copies itself to all writeable media on the computer (including usb drives, etc)
W32.Bacalid - A polymorphic PE file infector that can download and execute remote files.
Trojan.Mdropper.Q - Exploits a vulnerability in Word 2000
W32.Bacalid!inf - Detection for files infected with W32.Bacalid
W97M.Blackurs - A simple macro virus.
W32.Bustoy - A Worm that copies itself to removeable storage.
That's 9 virus threats... the most recent ones according to Symantec and only one of them is going to drive a patch release.. 1/9, not the greatest odds. That means more often than not patch releases are driven by something other than viruses.
My belief is that patches and updates are driven by a need to explore. Just like man explores space and the dark abyss of the ocean, we explore the lines of code and disassembly information. Take a look at the Microsoft advisories, most of the time the information is disclosed to them by researchers, not by malicious persons. You'll see H.D. Moore, TippingPoint, eEye, David Litchfield, etc. These people are not virus authors, they aren't malicious people... they are well respected in the security community and research because of an interest, a need to explore.
I think people that say IT Professionals only exist because of viruses are naive, they don't see what goes on in the background to keep them up and running, to ensure that an organization runs smoothly. It frustrates me even more to hear a person in IT proclaim this. It's an insult to themselves and to the rest of the IT community.
Do software vendors release patches only because of pressure from businesses to protect them from malicious individuals? Highly doubtful. Is it part of the reason? Most likely. However the majority of these malicious individuals are using exploits and would fall into what the media would dub "hackers" and "crackers". I think there's more to it than that though, there's pressure to patch from a productivity stand point. I don't want my Exchange server to crash because some misdirected traffic happened to provoke an unexpected action. That same human need to improve and increase productivity... to ensure we stay productive. Software is improved upon and bugs are fixed. Everything around us is improved upon over time, improved due to flaws or a need for a better system.
The automobile has seen a huge improvement in the last century or so. Mechanical and Structural flaws were fixed, improvements were made. We made it more convenient, more dependable, more affordable. Think of the movie October Sky, Homer Hickam and the Rocket Boys... they were kids playing with model rockets. Time and time again they fixed design flaws and made improvements until they did some pretty amazing things. It's human nature and human need.
Take the two examples I gave you at the start of this article. Weapons and Food Storage. Perhaps the arguments above would be given by the pessimists that believe human developments are driven by the "bad things"... I don't even believe that. Weapons were improved upon for hunting (a "good thing" as it provides a food source) and protection (another "good thing"). Food storage... well this was to prevent spoilage (which is a "bad thing") but for many, many years people got along just fine without a fridge (which hasn't even been around for 100 years yet)... The fridge, I believe, was just the next step in the constant need for human improvement.
Sure "bad things" can speed up research and development... that's been evident many times in history... but it can also slow down research and development... I'm pretty sure that during the world wars, when research made leaps and bounds in certain fields, that environmental friendliness wasn't a large concern.
I don't think that malicious persons, or virus releases drive patch development and release processes. Sure a specific flaw (WMF for example) may cause the cycle to speed up, but even without 0-day releases and viruses... I don't believe that patch releases would slow and halt.
It's an insult to vendors to say that they only release patches because of the malicious people and it's an insult to IT professionals to say they only have jobs because of malicious people. Sure some fields wouldn't be as prevalent but that would focus more on the security community than IT as a whole. It's like saying the military wouldn't exist if not for war, and the police wouldn't exist if not for criminals... Every field is driven by a need, otherwise the job would not exist. However that need doesn't always have to be the "bad thing". The military exists for our safety as do the police (a "good thing").
Believing in the "good thing" or the "bad thing" all depends on the spin you put on it. I believe vulnerabilities and flaws are found by security researchers because they have an interest in exploring and software is their "uncharted waters". I believe that Vulnerability and Risk Management solutions exist because companies want to ensure that private data is safe, whether or not someone is looking for it. This may be a naivete on my part but I believe it's closer to the truth than a belief in all things being driven by the bad.
Good and bad will both always exist... Malicious people will always exist. Pirates.. Slave Traders... War Lords... Organized Crime... Criminals... Hackers, Crackers and Virus Authors... Malicious individuals have lasted throughout time....I don't think that the bad drives the good any more than the good drives the bad... It's a competition of sorts, a constant struggle. I don't feel I'd be without a job if we suddenly eliminated all the hackers, crackers and virus authors and I'm sure there are plenty of police officers that feel they wouldn't be without a job if we suddenly eliminated all the criminals. This will never happen, so it's not something we have to worry about... but bad things don't drive good things and we'd still have improvement and "betterment" without the bad things happening.
Peace,
HT
So I'd like to thank everybody... My goal this month was 3000 unique views. ComputerDefense.org had almost 3600 unique views over the month. The real shock however was SpamMailBag.com, which only launched August 25th but still managed 1500+ unique views.
I've been sitting on CDTV for so long that I'm going to attempt to revive the idea this month. I'm also going to launch two new sites in the ComputerDefense family (which may end up just tying into this site): pythongod.com and securityne.ws.
My goal is to hit 5000 unique visitors by the end of September for ComputerDefense.org and a total of 7500 across all the CDO sites.
Thanks again.
Peace,
HT
www.ComputerDefense.org
www.SpamMailBag.com
