Archive for August, 2009

Yeigh.

August 25th, 2009 1 comment

I passed the CISSP exam.  Now I can stop making fun of it for a while.

Categories: Misc

My database backup cron job

August 12th, 2009 Comments off

Once upon a time, I wasn’t satisfied with WordPress’s backup feature for some reason.  I can’t remember why.  This was way back in 1.2 or something, and I’m sure it’s fixed now.  Nevertheless, I set up a system for database backups which I think works pretty well.  It runs as a cron job on my host, backs up the database, compresses the backup file, uuencodes it, and emails it to my Gmail account.  There I have a filter which directs such emails to the Trash.  This way I never have to actually deal with the backups, but they stay in the Trash for 30 days until automatic deletion – so I have backups of every day for a month.

So I thought I’d share.  My cron job is set to run at 3 AM every day.  It’s a string of semicolon-separated individual commands:

Read more…
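As an added example, not the post's own cron line (that is behind the link above), the dump, gzip, uuencode and mail pipeline the post describes, written in Python so each stage can be inspected and round-tripped offline. The database dump is a constructed sample, and `mysqldump` is assumed as the dump tool.

```python
import binascii
import gzip
from email.message import EmailMessage

# Constructed sample standing in for `mysqldump` output (mysqldump is assumed
# as the dump tool; the post does not name it).
SAMPLE_DUMP = b"-- constructed dump\nCREATE TABLE wp_posts (id INT);\nINSERT INTO wp_posts VALUES (1);\n"

# Shell shape of the same pipeline (assumed, not the post's own cron line):
#   0 3 * * * mysqldump wp | gzip | uuencode wp.sql.gz | mail -s backup me@example.com


def uuencode(data: bytes, name: str, mode: str = "644") -> str:
    """Encode like uuencode(1): 'begin' header, 45-byte input lines via
    binascii.b2a_uu, a backtick terminator line, then 'end'."""
    lines = [f"begin {mode} {name}"]
    for off in range(0, len(data), 45):
        chunk = binascii.b2a_uu(data[off:off + 45])
        lines.append(chunk.decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"


def uudecode(text: str) -> bytes:
    """Inverse of uuencode(), used to verify the backup can be restored."""
    out = bytearray()
    in_body = False
    for line in text.splitlines():
        if line.startswith("begin "):
            in_body = True
        elif line == "end":
            break
        elif in_body and line not in ("", "`"):
            out += binascii.a2b_uu(line)
    return bytes(out)


def build_backup_email(dump: bytes, sender: str, to: str, name: str) -> EmailMessage:
    """gzip the dump, uuencode it, and put it in a plain-text mail body; this is
    what `... | gzip | uuencode NAME | mail` hands to the mail system."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, f"db backup {name}"
    msg.set_content(uuencode(gzip.compress(dump, mtime=0), name))
    return msg


def extract_dump(msg: EmailMessage) -> bytes:
    """Recover the SQL from a backup mail: uudecode the body, then gunzip."""
    return gzip.decompress(uudecode(msg.get_content()))


if __name__ == "__main__":
    mail = build_backup_email(SAMPLE_DUMP, "cron@example.com", "me@example.com", "wp.sql.gz")
    print(mail)
    assert extract_dump(mail) == SAMPLE_DUMP
```

Running `extract_dump` on a saved message is also a quick way to confirm that a stored backup actually restores before it is ever needed.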

Categories: Misc

Dear plaintext-email password people,

August 11th, 2009 1 comment

A while back I wrote this on another blog.

An open letter to websites that require your registration, then email you your details, including the password, in plaintext.

Read more…

Categories: FAIL

Thithp

August 10th, 2009 Comments off

While I wade through my CISSP study guide and take practice exams, I can’t help but wonder how much useful information I would’ve learned in the past month if I had studied, say, rootkits.  Instead of bullshit.

These people are basically telling me that if I don’t know – off the top of my fucking head, mind you, even though the answer is always a four-second Google search away – details of the token ring standard, and what class of fire extinguisher belongs with what fire, then I can’t possibly be an Information Security Professional.

I just took a practice quiz for a Body Of Knowledge I haven’t started to study yet, just to see how I’d do.  It’s the Application Security section.  I figured it’s the one I’d know offhand more than any of the others, y’know?  Because, I actually work with applications.  And their security.

Nope.  The practice questions were all about Software Capability Maturity Models and Database Design Principles and which features of prototypes are (ISC)2’s favorite.  So I only got 50% of the questions right.  I guess I’m a Certified Information System Security Retard, because the test said so.

I can’t imagine how many people are making money hand over fist just to have their heads up their asses and come up with this.  It’s college all over again.

Categories: FAIL

Scapy crash on Vista / Windows 7

August 7th, 2009 Comments off

I love Scapy, a Python library that wraps around Pcap and various other things to let you do all kinds of cool network stuff.  I originally got into Scapy because I wanted to do packet forgery and injection in Windows.  It can also do sniffing, modification, and visualization.

Scapy is the sole reason I got started in Python.  For someone familiar with Python, it’s really easy to use; for everyone else, these examples should help.  Scapy requires a bit of setup on Windows, but it’s not too difficult – follow the setup guide here.  Unless you use Vista or Windows 7.

Until recently, Vista/Win7 users suffered some weird crashes in Scapy.  I found a related bug report on its Trac system and added some details to it.  Happily, the smart developer person fixed the bug (see the whole conversation here).  It was in the custom, patched version of pypcap, and he posted a link to a new one.

Update: The setup guide has a link to the correct version now, so everything should be just fine if you follow it.

Categories: Tools

Security experts FAIL

August 7th, 2009 Comments off

Update: I decided this post’s original title, “More journalism FAIL,” was unwarranted.  The fail in the story is more due to the “security experts” interviewed.

Yesterday’s fail just wasn’t stupid enough.  Today, Computerworld brings us a delicious banquet of stupid, each morsel more stupid than the last: “Security experts scramble to decipher Twitter attack.”  I don’t know whether to attribute the stupid to each individual interviewed in the story – maybe it’s not their fault; maybe they were asked really stupid leading questions.  All I can do is ruthlessly mock it.

Read more…

Categories: FAIL

Journalism FAIL

August 6th, 2009 Comments off

Caroline McCarthy, of CNET News, “a downtown Manhattanite happily addicted to social-media tools and restaurant blogs” whose “pre-CNET resume includes interning at an IT security firm and brewing cappuccinos,” wrote a story about this week’s DoS attacks on Facebook and Twitter.  A nice story, with a good timeline and interviews with some experts.  Nice until the end:

There has been no indication that a single party, or groups of hackers in tandem, was responsible for the Facebook and Twitter attacks, or whether there was any connection to the other DoS attacks on smaller sites earlier this week. But it’s probably not a coincidence that they all happen to coincide with the annual Defcon hacker convention.

This is not attributed to any of the experts interviewed, probably because they wouldn’t say something that stupid.  The linked story doesn’t make it any better, either – it’s just some random CNET story about the Defcon badges.

There were some attacks (not DoSes) that were explicitly related to Blackhat and Defcon – they targeted the sites of some prolific security researchers.  But these DoSes?  Against Consumerist, Twitter, and Facebook?  I don’t see any connection, except that the conferences are about hacking and the use of botnets for DoS may or may not involve some measure of hacking.

Either throw in some evidence to back up that idiotic suggestion, or throw it out.

Categories: FAIL

Mystery!

August 6th, 2009 2 comments

Studying for the CISSP exam makes me really bored, so here’s a whim I pursued.  I got a spam comment from the IP 93.185.199.117.  Allowing a system to post spam comments on my blog constitutes consent for me to do whatever I want to the system, so here’s what I did.  First stop: DShield.  There were no other reports of activity from this IP, but the Whois info contained this:

organisation:   ORG-Cjc5-RIPE
org-name:       Closed joint-stock company "AVIEL"
org-type:       LIR
address:        CJSC "AVIEL"
                Vadim Maksimovskiy
                2, Sovetskaya str
                140108 Ramenskoye
                Russian Federation

OMG THE RUSSIANS ARE HACKING ME!  The next logical step was to run Nmap on it.  I just did an Aggressive scan (service detection on the 1,000 most common ports and whatnot).  The results were a little odd:

Read more…

Categories: Malware

Screw Barnes and Noble

August 3rd, 2009 1 comment

They’re shit.  Use Amazon instead.

Updated with less obscenity and more details:

1) I get a B&N gift card.  It’s a nice gift.

2) I use it to order a copy of Malware Forensics: Investigating and Analyzing Malicious Code.  Since B&N prices are at least $10 more than, say, Amazon prices, I order through B&N from a different seller and save money.

3) The seller confirms my order, payment, and shipping information.  I throw away the card.

4) Three weeks pass.

5) I get a notification that my order actually is canceled, and I’m getting a refund.

6) I go to order the exact same thing, because I want the damn book.

7) Since I already threw away the card which now has the gift amount restored on it, I call customer service to have them clear it up.  They explain that I may either be mailed a new card, or I can place my order over the phone and refer back to the canceled order to have the card’s balance transferred to the new order.

8) I do the latter, because I want to get the book, not wait a few weeks and then get the book.

9) They explain I can’t order from other sellers by phone.  I have to order direct from B&N, where their price is the list price and their shipping is more expensive.

10) Result: I get the same amount of book, only more than a month later and for more money/gift card value.

Here’s what should have happened: back at Step 7, they should have said “We’re terribly sorry about that; we do our best to help our customers get along with other sellers smoothly.  Can I help you find another copy at a comparable price, and order it for you right now?”

I’ve had similar experiences with two other major sites that act as used/third-party marketplaces, Amazon and Half.com.  Both of them have processes in place to deal with fraud and mistakes.  And if a reseller confirms an order, then waits three weeks and fails to deliver, it reflects poorly on that reseller when other buyers consider buying from them.  I didn’t get a chance to review this customer experience or anything.

In summary, B&N gives me the lowest buying power and its service reps care the least of any major bookseller I’ve dealt with.  Screw them.  Go with Amazon.

P.S.  It was still a nice gift and I still appreciate it.  Ty, bro.

Categories: FAIL

Surely a misprint

August 2nd, 2009 Comments off

The assurance that the components are enforcing the abstract idea of the reference monitor is proved through testing and functionality.

— Shon Harris, All-In-One CISSP Exam Guide 4th Ed., p. 328

Nnnnnnnno, actually testing can’t possibly give that kind of assurance, and I’m not sure what “functionality” is supposed to mean here – it runs fine, so it must be working as expected?  The Third Commandment of the Reference Monitor, which had just been given in the text, is that it must be small enough to be completely verified.  That verification is the assurance.

Categories: Books, FAIL