One of the coolest booth prizes at RSA had to be from an appliance builder that was having a draw for a free prototype appliance ($2000 value). Thinking this would be an awesome win, I quickly filled out the form and placed it in the fish bowl. That was the last I heard of this until yesterday. I came into the office and had a voicemail from last week. It went something like this (close approximation):
Hi Tyler, it's Ed ******** calling from MBX Systems. I just wanted to let you know that we drew your name for the RSA drawing and it would be great if you could give us a call back to go over the details.
Now at this point I'm rather excited... I've got plans for this win. I'm thinking ComputerDefense.org appliance installed in a rack somewhere instead of a hosted page for this blog. I call back and end up having to leave a voicemail. After a brief game of phone tag, I finally get Ed on the phone. He does some standard sales guy talk and then asks how he can meet my needs, and since I just want my free system that I won, I ask how it works. At this point I'm informed that someone else won the free prototype... I've won a free eval! W00T! Stop the presses... a FREE eval! Needless to say the phone call quickly ended.
This was, to date, the sneakiest trick I've seen to get someone on the phone. At this point I may not be directly involved in appliance purchasing but I'm a big fan of the vendor space and who knows where I'll be in 1, 5 or even 10 years. I do, however, know who I won't be doing business with.
You know, if I'd won and their systems were half as good as their marketing material claims, I probably would have written up a blog post praising them... at the very least they would have gotten a positive mention just because I'd won it. Since I didn't win, they could have not contacted me at all, or gone with a standard sales call, and I wouldn't have had anything bad to say about them; at the very least I'd know the name should I ever be in the position to purchase appliances in the future. Instead they took this sleazy approach and now I'm always going to know who I'm not doing business with.
A recent SANS ISC diary entry mentions an interesting configuration point that I had been previously unaware of. It seems that AddType doesn't just enable the extension, it enables all files containing that string.
Example: AddType application/x-httpd-php .php
In the above example, both phpinfo.php and phpinfo.php.bak would be parsed as PHP. I found this to be rather interesting and started testing with a few servers I have handy.
It appears as though this isn't the case 100% of the time.
I tested 3 servers running Apache 1.3.34, 2.2.4 and 2.2.8. It was true on the server running Apache 1.3.34, however it wasn't true on the two Apache 2.2 systems.
I contacted the handlers at ISC to follow-up with them, however I haven't heard anything confirming one way or another. Has anyone else tested this on their servers?
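To make the difference between the two behaviours concrete, here is an added example (my own code, not from the ISC diary or from Apache) that models how a filename's extensions are matched against an AddType directive. The "any extension" model is the behaviour the diary describes (mod_mime treats every dot-separated component as an extension, so phpinfo.php.bak carries a .php extension); the "last extension" model is what an anchored FilesMatch "\.php$" rule would enforce. The audit function flags files that one model would hand to PHP and the other would not, which is the list a server admin would want to review. The sample filenames are constructed.

```python
import re

# The AddType line from the post and a constructed set of filenames an
# auditor might find in a web root.
ADD_TYPE_LINE = "AddType application/x-httpd-php .php"
SAMPLE_FILES = [
    "phpinfo.php",
    "phpinfo.php.bak",
    "index.html",
    "notes.php.txt",
    "php.ini",
    "readme.php5",
]


def parse_addtype(line):
    """Return (mime_type, [extensions]) from a single AddType directive."""
    parts = line.split()
    if len(parts) < 3 or parts[0].lower() != "addtype":
        raise ValueError("not an AddType directive: %r" % line)
    return parts[1], [e.lower().lstrip(".") for e in parts[2:]]


def extensions_of(filename):
    """Every dot-separated component after the first dot of the basename,
    which is how mod_mime sees a multi-extension filename."""
    base = filename.rsplit("/", 1)[-1]
    return [e.lower() for e in base.split(".")[1:]]


def matched_any_extension(filename, exts):
    """Model of the behaviour the ISC diary describes: the file is handled
    as PHP if ANY of its extensions is listed in AddType."""
    return any(e in exts for e in extensions_of(filename))


def matched_last_extension(filename, exts):
    """Stricter model: only the final extension counts, which is what an
    anchored FilesMatch rule such as "\\.php$" gives you."""
    ext = extensions_of(filename)
    return bool(ext) and ext[-1] in exts


def audit(files, addtype_line):
    """Return the filenames that the permissive model would execute as PHP
    but the anchored model would not: the backup/temp files to review."""
    _mime, exts = parse_addtype(addtype_line)
    return [
        f for f in files
        if matched_any_extension(f, exts) and not matched_last_extension(f, exts)
    ]


if __name__ == "__main__":
    for f in audit(SAMPLE_FILES, ADD_TYPE_LINE):
        print("would be parsed as PHP under multi-extension matching:", f)
```

Running it reports phpinfo.php.bak and notes.php.txt; php.ini and readme.php5 are not flagged because their only extension is not .php. Whether a given Apache build actually behaves like the permissive model is exactly the question the post leaves open, so treat the output as a list of files worth testing on your own server rather than a verdict.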
One of the patches released yesterday has a serious flaw, in that an already compromised host will not have the patch properly applied. I provided a full write-up on this yesterday on the nCircle blog and felt that the importance of the issue warranted posting a link here to increase awareness.
[Update: Due to Bandwidth concerns and the popularity of DVL, I've had to remove the public mirror. If you really require a direct download and can't get one... contact me and I'll share a private link. I just need to limit the number of downloads.]
DVL 1.5 is out, and I have mirrored it again.
There is also a call out for people to create training materials, so if you can, swing by the DVL forums and volunteer to make a video or two. However, I'm unsure of where to find the forums (there's no link on the main page and I'm not a user). Please share a link if you know how to get to them.
So I mentioned some of this to someone the other day and they were surprised by it (and a Blackberry user) so I thought I'd do up a quick post about it... some people may not realize how much information can be determined about you. Note, these are based on my observations.
Blackberry IM Status:
- Active -- User can be sent messages and will receive them immediately
- Contact is Unreachable (Icon: "(-" -- not quite sure on this one, but that's what it looks like)
- Out of cell range
- Phone is no longer active
- On a phone call
- Pending -- They haven't authorized you yet. (Icon: Green +)
- Unavailable -- Set by the user (Icon: Red X)
Blackberry IM Icon:
- Clock -- Waiting to Send
- Bulls Eye Circles -- Sending
- Checkmark -- Sent successfully
- D -- Delivered
- R -- Read
Now... you'd think that this limits what you know, but it really doesn't. Generally you'll know if one of your Blackberry IM contacts has had their phone deactivated and depending on where you live, you may also know when they are in or out of cell range (the exception may be if they turn their phone off).
Something that was recently pointed out to me is that GSM will continue to deliver messages while you're on the phone, while CDMA (which is what both the Blackberries in my house are) won't.
This means that you can further determine:
- Unreachable + Checkmark == Phone Off or CDMA on a Call
- Unreachable + D == GSM on a Call
I know, to most people this probably doesn't seem like much, but I figured it was worth sharing... if one person learns something new... mission accomplished.
Those of you that follow me on twitter may have noticed that yesterday I was posting quite a bit more frequently and most of the posts contained the word 'test'. I was playing around with twyt and decided to build a curses-based Twitter GUI. I've never done any curses programming before, so this was my way of learning the functionality. I implemented command-line support in a style I found more to my liking (even though twyt already has this) and then started building the curses GUI. If I go very far with this, I may eventually rewrite the API to fit in with the rest of my code, but for now I'll use twyt on the backend.
The code is very basic, but already it can do a few things:
- Display latest friends list updates.
- Display recent replies.
- Display recent sent and received DMs.
- Update your status.
- Send a DM.
Unfortunately the next update is most likely a week away, but when I get around to it, I plan on splitting the screen into multiple windows with your current status always displayed, along with a regularly updated friends list. Right now everything is jammed into a single window.
I do need to figure out how to get Twitter to display my client name (apparently I need to contact them for that) but so far, so good. Anyone wishing to take a look at my (very alpha) code, can check it out here.
For those of you wondering about the name... TwCuP kinda reminds me of 'hiccup', so I found it slightly amusing at ~4am when I was trying to come up with a name.
Eventually this will (hopefully) be a client that can be left idling in a screen session... that's my goal anyways.
I wanted to take a minute to mention a new project that Marcin and I have started that we're calling SSLFail.com. One of the primary purposes of the site is a gallery of images of sites with failed SSL due to invalid certs, bad domain names, etc. Browsers can add more and more protection against sites with poor SSL implementations, but until these big players on the web ensure they have valid SSL, users are going to continue to click through these error messages.
This isn't all the site will be though. Expect to see future discussions on our reasoning for the gallery, as well as tips and tricks and anything else.
We've already added two additional contributors: Jay Graver and Romain Gaucher.
I got my first smart phone about 2 years ago. It was the UTStarcom 6700, a rebranded HTC Apache. I used it for ~8 months and was a big fan of the phone but it had major battery issues, and even getting a replacement battery didn't seem to help. So I finally got fed up and took advantage of a Blackberry Pearl promotion. Since then, my HTC has sat, untouched. Recently I contemplated installing some sort of Linux on it, and using it as a PDA. It has a large touch screen, a slide out keyboard (that I find rather useable) and WiFi. Then I stumbled across this website, where someone is building Android for the Apache.
The project is still in alpha, and while it states that CDMA is working, the current release doesn't seem to have working CDMA (I eagerly await the next release). Anyways, I installed it and played with it, and I must say I'm rather impressed with Android. I'd imagine on a phone that's been engineered for it, it's probably amazing. Even on the Apache it looks and feels great. I imagine if I used an iPhone I'd see similar slide menus, but I have, so far, successfully stayed away from the iPhone.
Once this build gets further along, I think I'll be fairly happy with it. It's fast and looks great. I may even go find an extended battery and carry it instead of my Blackberry.
So, as I said yesterday, I'm a big fan of Microsoft Tags. There have been many times when I've been out and about and seen an ad or poster that I wanted more details on; snapping a picture of a small barcode is much easier than jotting down the details. However, as I played with creating my own barcodes last night I thought about the security implications of them.
Let's imagine it's a year from now and tags are wildly popular. They are on every concert poster on every light post on the street. They are on billboards, bus schedules and in stores (put a barcode on your box so shoppers can pull up additional product info). Everyone is snapping pics and storing information. It's fast, it's easy and it's convenient.
Now I come along, Mr. Malicious... I visit the Microsoft Tag website and create tags pointing to malicious sites. The site detects if you have a Blackberry, iPhone or Windows Mobile and serves up custom browser exploits. I print out hundreds of these tags and start going into stores and pasting them to products, or walking down the street and covering up the tags on the posters with the malicious tags.
There's no confirmation of the site you're visiting, no testing (that I'm aware of) to ensure the link in the tag isn't malicious. Where's the defense against this?
What if they contain a malicious vcard file that harvests your contacts, or turns your phone into a sms spamming device?
I realize that Microsoft Tag is still a beta product, but I'm wondering what thoughts Microsoft has had around tag security, if any. Before I become too attached, it would be nice to know that when the subway gets Tag support, I won't be killing my phone by snapping the tag to get updated route schedules.
I thought this was pretty cool
treguly@ns:~$ host -t txt foobar.wp.dg.cx
foobar.wp.dg.cx descriptive text "The term foobar is a common
placeholder name, also referred to as metasyntactic variable, used in
computer programming or computer-related documentation. In technology,
the word was probably originally propagated through system manuals by
Digital Equipmen" "t Corporation in 1960s and early 1970s. Another
possibility is that foobar evolved from electronics, as an inverted
foo... http://a.vu/w:Foobar"
Simply replace foobar with the search term of your choice.
The author's page describing this is available here:
https://dgl.cx/wikipedia-dns
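One detail worth noticing in the output above is the break at "Digital Equipmen" "t Corporation": a DNS TXT record is not one string but a sequence of character-strings of at most 255 bytes each (RFC 1035), and `host` prints each one quoted separately. Any tool that reads data out of TXT records, whether a Wikipedia lookup or a detection rule watching for TXT records used as a data channel, has to join the pieces before it can see the real content. The following is an added example (my own code, not from the post or from the wikipedia-dns author) that parses the quoted strings out of `host` output, joins them, and shows the reverse direction: chunking a payload into 255-byte strings and encoding/decoding the length-prefixed RDATA form. The host output is a constructed copy of what the post shows, wrapped the way the blog wraps it.

```python
import re

# Constructed copy of the `host -t txt foobar.wp.dg.cx` output from the post.
HOST_OUTPUT = '''foobar.wp.dg.cx descriptive text "The term foobar is a common
placeholder name, also referred to as metasyntactic variable, used in
computer programming or computer-related documentation. In technology,
the word was probably originally propagated through system manuals by
Digital Equipmen" "t Corporation in 1960s and early 1970s. Another
possibility is that foobar evolved from electronics, as an inverted
foo... http://a.vu/w:Foobar"'''

MAX_CHARACTER_STRING = 255  # RFC 1035 <character-string> limit


def txt_strings(host_output):
    """Extract each quoted character-string from `host` output.

    `host` prints the record on one line; the line wrapping here comes from
    the blog, so lines are re-joined with a space before parsing.
    """
    flat = " ".join(line.strip() for line in host_output.splitlines())
    return re.findall(r'"((?:[^"\\]|\\.)*)"', flat)


def join_txt(host_output):
    """The record's real content: the character-strings concatenated with
    no separator, which re-unites 'Equipmen' and 't Corporation'."""
    return "".join(txt_strings(host_output))


def split_txt(data, limit=MAX_CHARACTER_STRING):
    """Chunk a payload into character-strings of at most `limit` bytes."""
    if not 1 <= limit <= MAX_CHARACTER_STRING:
        raise ValueError("limit must be between 1 and 255")
    return [data[i:i + limit] for i in range(0, len(data), limit)]


def txt_rdata(data):
    """Wire-format RDATA for a TXT record: each chunk prefixed with a
    one-octet length."""
    return b"".join(bytes([len(chunk)]) + chunk for chunk in split_txt(data))


def parse_txt_rdata(rdata):
    """Inverse of txt_rdata: walk the length-prefixed chunks."""
    chunks, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("truncated character-string in TXT RDATA")
        chunks.append(rdata[i:i + n])
        i += n
    return chunks


if __name__ == "__main__":
    print(join_txt(HOST_OUTPUT))
    payload = b"x" * 300
    print([len(c) for c in split_txt(payload)])  # two chunks: 255 and 45 bytes
```

The parser only handles the quoted-string layout `host` prints; dig prints the same records in the same style, but a resolver library will normally hand you the list of chunks directly, in which case only the join and the RDATA helpers apply.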