Archive for September, 2007

Adobe.com Vulnerability

I'm not going to talk about this, just a link to Ryan's post on the subject.

Categories: IT, Security

Customer Abuse

Greetings,

While this is a bit of a personal gripe, it really does apply to IT and on a broader scope... universally.

The player in this complaint is Rogers (a cable, phone (home / cell) and Internet provider in Canada).
The item is a Rogers PVR (I already have a generic one, but I want one that ties in with all the features of Digital Cable).

So I call up our "Local Rogers Rep" and the conversation goes like this:

Me: Hi, I'd like to add a PVR to my account.
Rep: It'll be $15 to trade in your receiver and $20 to add it extra.
Me: I'll add it. [For those keeping score I just increased my bill by $240 annually before tax]
Rep: Great, you can pick it up at a retail store.
Me: I want it delivered, if I wanted to pick it up, I would have just gone and got one.
Rep: Ok, we'll have it delivered... it's a $60 delivery fee.
Me: Excuse Me?
Rep: It's $60 to have it delivered?
Me: Never mind then, I'll pass on getting a PVR.

Now, I'm not cheap... just the opposite, I love to spend money, but if I'm giving a company an extra $240/year don't you think they could deliver the item for free? After all, I'm going to be a customer for more than a year, so they will just keep making more money and all they had to do was deliver a PVR to my door. There are Rogers trucks outside my building *ALL* the time. I'm sure if I go down there right now that I'd find one. This is a great example of squeezing your customers for every last dime you can get out of them. Given that I've been investigating Satellite for quite some time now, I do believe this is the perfect time to make the switch. I'll have to spend the afternoon calling around getting prices from Satellite providers. I'm also not the first person to have this complaint, I've heard the same thing from other people, which is why I find it to be such a travesty.

This is an important note for all the businesses out there... customers won't stand around and let you shake them by their ankles until the change stops falling out. This is customer abuse... plain and simple. As a loyal customer who takes advantage of everything Rogers has to offer, I would think that sending over a PVR (which would take a whole of 5 minutes, as I'm sure all the trucks keep a few handy) would be a great way of saying, thank you for being a customer. It really is that simple.

Rogers has slowly been losing my business... My home phone was with Rogers, they wanted to charge outrageous prices for VoIP so I made the switch to Vonage (much cheaper and better quality). I had a Rogers cell phone, it was 4 years old and I wanted a new one... I was told I'd have to pay full price for a new phone, I went to Telus and said that I had a Rogers phone... they took the Rogers phone, gave me a new phone and a year of free service (on a 3 year contract)... A couple months ago (my contract was almost up) I went into a store and said I wanted a new phone. They got me a great deal on a PocketPC phone without any hassle.

So far, I'd kept my Internet and Cable with Rogers because they provided great service... now I'm not so sure, they are doing the same thing they did with my home and cell phone... They think they are the only game in town and are abusing that power. It's time to stand up against customer abuse by big business.

Categories: Personal

Educational Hacking?

I was browsing my Bloglines the other day and I saw an interesting post title on the McAfee AVERT Labs blog. Federico Barbieri had written a short post entitled, "Educational Hacking? Is it really a good idea?" After reading the title, I expected a write-up on universities offering ethical hacking and malware authoring courses and I was quite excited to read what Federico had to say. Instead I found a post questioning the disclaimer that we see attached to most "questionable" software, "For Educational Use Only". This is still an interesting topic and I wanted to address it.

A few specific examples were addressed:

  1. "Hacking Kits" sold on auction sites (Dave Lewis recently mentioned this at LiquidMatrix.org)
  2. Sniffers designed for specific purposes (stealing passwords for example)
  3. Malware creation toolkits.

Now first, let me address that I don't believe "educational disclaimers" constitute "educational hacking". The original intention of these was to CYA, although I wonder if the disclaimers were ever tested in court. Essentially the person is saying, "This can be used for malicious purposes, but that wasn't my intent. I'm not responsible if you choose to use it that way." It's basically like seeing a gun with the disclaimer, "Not for use on Humans".

In the end, Federico decided not to debate the issue but instead to question the academic merit of the tools. One comment addressed the Malware creation toolkit pointing to personal AV testing. If your AV software can't detect basic viruses created with these toolkits available on purchase by anyone, do you really want to be using it? This isn't the only benefit to malware creation toolkits. The biggest benefit I can see is for those interested in AV analysis. You create the virus via point and click... picking specific vulnerabilities, actions and packing processes. Afterwards you run the virus and attempt to work backwards to the initial settings you chose. You watch its actions with a debugger and a sniffer. I would say this is definitely educational and there's a good chance many people in InfoSec did this sort of thing when they were first playing with security.

As for some of the other items offered, I believe that the single comment on the post had merit on this point as well. Know thy enemy. That is an educational purpose... is that the primary purpose? Perhaps not, but it is a secondary purpose now that the software has been released. I cut my teeth with a couple of networked computers and plenty of software that said "For Education Purposes Only"... it's why I'm in security today. So yes, I'd say that these tools do have educational value, even if their authors don't intend that when they release them.

In the end the disclaimer is there to add legitimacy to the software and (potentially) cover their ass. The truth is that this software is educational to those people without malicious intents. Would I call this educational hacking? Nope... Would I call it an interesting conversation? Definitely.

Categories: IT, Security

Interesting Typo (?) on the Apple Store

The new iPod Nano has caught my attention. Since I have a smartphone with wifi and everything else I don't find the iPod Touch overly appealing, but the 8GB Nano is looking very attractive right now (I currently have a 4GB Mini).

So I was over at The Apple Store (Canada) and I was looking at the comparison page for the various iPods. I was a little concerned by the numbers on the comparison chart [boxed in Red].

iPod Chart

So we've got more storage on the Nano if you store Songs but less if you store Pictures or Video? How does that make sense? At first the Songs portion made sense... the iPod Touch probably requires more space for software, but I don't get how the numbers are higher than the Nano, especially since they are both 8GB models. Thoughts?

Categories: Interesting Stuff

A virus on a computer… that must be Microsoft’s fault.

Wow... a 13 year old virus makes its way onto computers that happen to have a Microsoft OS pre-installed and suddenly it's an embarrassment to Microsoft that the virus was on there? It seems that a German laptop manufacturer shipped somewhere between 10,000 and 100,000 laptops with Stoned.Angelina, a virus first released in 1994. I first read about this on the McAfee Avert Labs blog, but mention of it is popping up everywhere (Virus Bulletin, The Register, Liquid Matrix).

I find a couple of things that have come out of this funny...

  1. The PR rep for Bullguard (the AV software installed on the machines) said, "that the 'unfortunate' issue could cause embarrassment for Microsoft and Bullguard but also pointed out that the anti-virus firm's development team had quickly provided a "tailor-made" Vista fix as soon as it learned of the problem." Why will this cause embarrassment for Microsoft? They decided not to ship Vista with AV, instead you purchase OneCare... these computers didn't have OneCare subscriptions... you also don't install Vista via boot disk... so how could anyone, in any way, shape or form, say this is an embarrassment for Microsoft?
  2. Additionally we have Joel Esler's blog post; Mr. Esler lists his work experience as Sourcefire, ISC Incident Handler and GIAC Gold Advisor. His post is fairly useless, stating "wtf ever that mean" (in regards to 'Windows Vista Home Premium') and asking "What happened to that MSFT anti-virus?". How am I supposed to take anything he's associated with seriously at this point, given that he's just come out as a Mac zealot and asked completely ridiculous questions?

While there's no real way to be 100% polite... I'll try to be as polite as possible... If you feel that in any way this is Microsoft's fault... turn off your computer and throw it out... You don't deserve to own it or use it... in fact the world is probably a safe place with you not using it.

As for the AV vendor not detecting the virus... I've actually had AV Vendors tell me that they pull old and out-dated virus signatures... The company's AV found it, it just couldn't remove it... This is at most, as Dave from Liquidmatrix put it, a mild embarrassment... so I'm not sure why everyone keeps writing about it and making a big deal about it.

Categories: IT

VMware Releases Open VM Tools

Chalk one up for VMware... One of the (minor) problems with VMware is that getting VMware Tools installed reliably in a VM can be a bit of a pain... some *nix distributions just don't play nice. VMware has responded to this problem by releasing an open source version of VMware Tools called Open VM Tools.

Functionality includes:

* File transfer between a host and guest
* Improved memory management and network performance under virtualization
* General mechanisms and protocols for communication between host and guests and from guest to guest

Categories: IT, Tools

Spreading FUD over Social Networking

Early today I posted a comment on ITSecurityExpert.co.uk... now that the day is almost over, my comment has still not been approved... so I have little choice but to raise my issues with that post in a post of my own.

The blog post in question, 'Facebook: Welcome to the World of Google Hacking', is one of the biggest pieces of FUD I've ever read... and I've seen a lot of FUD. It's one of those things that, when you hear it (especially from someone who labels themselves an IT Security Expert), you just sort of convulse in fear. It's taking a shot at something for no reason other than taking a shot... It's 'FUD-Spreading' in its purest form and it's a shame to see happen.

By now it's fairly common knowledge (to those that use Facebook anyways) that they are making a public version of the user profile. The public version will contain less information than a "non-Friend profile" on Facebook. For you non-Facebookers, a full profile can include contact information, pictures, messages, status updates, and a plethora of other information. You can also make a limited profile (picking the information you want to share) available to select users. Users that don't qualify for either of those can search for you by name / network and find: Profile Picture, Name, Network and occasionally Status Update. The Facebook Public Profile (indexed by search engines) will contain Profile Picture, Name. That's all...

Yet Dave Whitelegg (CISSP [yes that's included at the bottom of every blog post]) spent 5 paragraphs telling us how horrible this is... how Facebook is making all sorts of private information available, including date of birth. This is somehow a huge security risk... Heaven forbid anyone know my date of birth. Dave feels that it's bad because of how many places require Date of Birth to reset your password... Is this 1995? I can't even add additional channels to my cable package without providing my full name, the name on the account, mailing address, date of birth and a pin number. Most places these days have "Secret Questions" that allow you to customize the question (or at least select from a variety of questions) and the answer.... 'Date of Birth' verification has primarily gone the way of the Dodo.

Here's the way I see it. If someone wants to access my cable account or my cell phone account and already knows the account number, associated phone number and mailing address... they probably already know my date of birth. Even if they don't, who cares because SURPRISE SURPRISE Facebook will NOT be publishing that information... they've said that since they announced the public profiles and their "searchability". I don't doubt that some people will choose to make this information available but Facebook isn't doing it, that individual is making their own choice.

Now I realize that Dave openly admits to being anti-Social Networking but really... a 5 paragraph FUD post to bash a company that is actually concerned over user privacy? I'm sure that there are better websites that could be attacked, more useful information that could be shared.

Categories: IT

Very Cool Toys

Jesper has an interesting blog post up on some toys he found in Sweden.

It's an interesting idea, taking networking and putting it onto a railroad track... I don't know if I wish I was a kid again, or that I had kids... even though I can't use either of those as an excuse to buy the toys, I may order them just for the hell of it.

Categories: Personal

Mailing List Information Leakage

Have you ever posted to a mailing list? I'll admit I read a lot of mailing lists, but I seldom post to them... it's probably been quite some time since my last mailing list post, until today anyways. I posted to Bugtraq and was quite surprised at the number of return emails I received. While the total was quite small compared to the total Bugtraq subscribers, I received 29 responses that divulged information of various sorts.

Included in the responses were:

  • Scheduled Vacation Dates
  • Names / Email Addresses / Phone Numbers of other Company Employees
  • Internal Server Names / Addresses
  • Verification that the individual is no longer employed by the company
  • OU Related Information (CN and O)
  • Company "Registration Numbers"
  • IT Helpdesk email addresses
  • Alternate Contact Information
  • Type of Spam Filtering Software Used

Now, some of this stuff I could see possibly existing in valid 'Out Of Office' emails, but some of it I was surprised to see. You'd think that policy would dictate that mailing lists don't receive OOO responses or that some of the information just not be made available.
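As an added example (not part of the original post), here is a small Python scanner that flags the categories listed above in an auto-reply before it is allowed out to a list; the sample auto-reply, the hostname suffixes and the regexes are constructed for illustration, not taken from any of the 29 responses.

```python
import re

# Constructed sample auto-reply, modelled on the leak categories listed in the post.
SAMPLE_AUTOREPLY = """\
I am out of the office until 24 September 2007 with no access to email.
For urgent matters contact Jane Doe (jane.doe@example.com, +1 416 555 0199)
or the helpdesk at helpdesk@example.com.
John Smith is no longer with Example Corp.
Scanned by MailShield on mx01.corp.example.local (10.20.30.40).
CN=John Smith,OU=Sales,O=Example Corp
"""

# One regex per category; a match means the auto-reply would leak that category.
# The internal-host suffixes are an assumption; adjust them to your own naming.
LEAK_PATTERNS = {
    "vacation_dates": re.compile(
        r"\b(?:until|back on|return(?:ing)? on)\s+\d{1,2}\s+[A-Z][a-z]+(?:\s+\d{4})?", re.I),
    "email_addresses": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone_numbers": re.compile(r"\+?\d[\d ()-]{7,}\d"),          # no dots, so IPs don't match
    "internal_hosts": re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:local|internal|corp|lan)\b", re.I),
    "ip_addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "directory_names": re.compile(r"\b(?:CN|OU|O)=[^,\n]+"),      # CN / OU / O components
    "departed_employee": re.compile(r"no longer (?:works|employed|with)", re.I),
    "spam_filter": re.compile(r"scanned by\s+[\w-]+", re.I),
}


def scan_autoreply(text):
    """Return {category: [matched strings]} for every leak category found in text."""
    findings = {}
    for name, pattern in LEAK_PATTERNS.items():
        hits = [m.group(0).strip() for m in pattern.finditer(text)]
        if hits:
            findings[name] = hits
    return findings


def leaked_categories(text):
    """Sorted list of the categories an auto-reply would disclose to a mailing list."""
    return sorted(scan_autoreply(text))


if __name__ == "__main__":
    for category, hits in scan_autoreply(SAMPLE_AUTOREPLY).items():
        print(f"{category}: {hits}")
```

Run the same scan against outbound auto-replies at the mail gateway and drop or rewrite any that match, or at least any addressed to a known list address.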

Categories: IT, Security

Note for any Security Focus mailing list Readers

I attempted to reply to a thread on Bugtraq the other day from a Gmail account. When I hit reply, the new message was created with Rich Text Formatting enabled. I typed out my email and sent it off. It was bounced back to me with the message:

Hi. This is the qmail-send program at lists2.securityfocus.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

< bugtraq@lists2.securityfocus.com>:
ezmlm-reject: fatal: Sorry, I don't accept messages of MIME Content-Type 'multipart/alternative' (#5.2.3)

Since the message was sent 'reply-to-all', it was received by some people and quoted. I decided to attempt to reply again, so once again I selected 'reply-to-all', only this time I left Rich Text formatting and went to Plain Text. The message was sent without issue, so if you're a reader of any Security Focus mailing lists, ensure that you are in plain text mode if you are sending from a Gmail account.
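To show what actually changed between the two attempts, here is an added Python example (not from the original post or from Security Focus) that builds both a plain-text reply and the multipart/alternative form a rich-text client produces, then applies the same top-level Content-Type check the bounce describes. The addresses are constructed, and the rejected-type set assumes only the type named in the bounce above.

```python
from email.message import EmailMessage

# Only the Content-Type quoted in the ezmlm bounce is assumed to be rejected.
REJECTED_TYPES = {"multipart/alternative"}


def build_message(body_text, html_body=None):
    """Build a list reply; html_body mimics a rich-text client adding an HTML part."""
    msg = EmailMessage()
    msg["From"] = "poster@example.com"                 # constructed sender
    msg["To"] = "bugtraq@lists2.securityfocus.com"
    msg["Subject"] = "Re: sample thread"
    msg.set_content(body_text)                         # text/plain on its own
    if html_body is not None:
        # Adding an alternative wraps the text part: the top level becomes
        # multipart/alternative, which is what Gmail's rich-text mode sends.
        msg.add_alternative(html_body, subtype="html")
    return msg


def list_accepts(msg):
    """Mirror the ezmlm check from the bounce: decide on the top-level Content-Type."""
    return msg.get_content_type() not in REJECTED_TYPES


def to_plain_text(msg):
    """Recover the text/plain part so a rejected message can be resent as plain text."""
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return None                                    # nothing to fall back to
    return build_message(part.get_content())


if __name__ == "__main__":
    rich = build_message("Plain text reply.", "<p>Plain text reply.</p>")
    print(rich.get_content_type(), "accepted:", list_accepts(rich))
    fixed = to_plain_text(rich)
    print(fixed.get_content_type(), "accepted:", list_accepts(fixed))
```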

Categories: IT