
Wednesday, December 26

OSX, Windows, and security

Posted today as a comment. Please read inline (italics are for the comment, non-italics are for me).

You are correct that third-party applications are weak points. This applies equally if not more so to Mac OS X. I think there is use of more third-party apps under Mac OS X than typically by Windows XP/Vista users.

I'm not talking about 3rd party apps. I am talking about Open Source apps that are integrated into the OS. Apache, MySQL, tcpdump, BIND, etc. Neither OS supports the updating of a 3rd party app through their Software Update package. They SHOULD. I talked about this back here.

Windows is, in fact, much more open than Mac OS X. Mac OS X upon release looked nothing like FreeBSD 4, which it was based on. Note that FreeBSD 5 was almost done at the time Mac OS X was released and FreeBSD is now on version 7.

Windows is more open than OSX? OSX contains Open Source code, and Windows' total code is closed. So right there, by default, you are wrong. OSX was BASED on FreeBSD. No one says it is anymore. Far from it. Technically it could be argued that OSX is based on NeXTSTEP.

Microsoft provides symbol tables and wonderful debugging tools for its applications. Apple provides nothing in this area of comfort.

Apparently you have never looked at Xcode and all the debugging apps that are OSX based?

When Microsoft releases a specification, especially one based around security - thousands of intelligent code reviewers with the right kind of security backgrounds get to review it. Microsoft offers Blue Hat and other forums where the best and brightest in the security world get to give input into their process of building a secure operating system along with secure applications.

Yes, when Microsoft releases a SPECIFICATION, it is reviewed. Not CODE. Neither does Apple. Btw -- how did that OpenDoc xml specification do? Oh that's right, got rejected. Microsoft does offer Blue Hat and such, but the attendance is thin, is under NDA, and is secretive.

Apple throws rotten apples at vulnerability researchers.

Apple's product security team gives credit where credit is due. What do you want the product security team to do? Pay vulnerability researchers? MSFT doesn't do that either. That comment just makes no sense. Anyone that has actually worked with the Apple Product Security team (and yes, I have) knows they take the time to respond to an issue. Don't believe everything you read in the press.

Microsoft launched the Trustworthy Computing Initiative in 2002. Apple has never spent a dime or taken any "breaks" to check their code for security. Microsoft has been doing this for almost 6 years now and have applied it to all of their software. Security is baked into Microsoft applications.

WRONG. Apple does spend dimes on security, lots of them. Except they don't need a separate department (oh wait... they have one, it's called the Product Security team) to manage all the vulnerabilities.

For Apple, it's iced on as "features". You can just look at Matasano or anyone's assessment of the security features in Mac OS X LeoTard. It's abominable to think that Apple is doing a good job with regards to security.

I agree. Apple could do more. A lot more. I know they are taking steps to improve security especially in Quicktime. I can't talk anymore about that though.

I am anxious to see the mantra "replace Mom and Dad's computer with a Mac this Christmas" backfire this year.

That's what they said last year too.

Do you remember why people write viruses?

Lack of a home life? Or to make money?

They write viruses to teach stupid people lessons.

Yeah? Or they are doing it for fun and profit. I'll stick with my thoughts.

You are that stupid person. Apple fanboys will eat their words when something bad happens this year.

That's what they said last year, and the year before. I'm not stupid. I know it's a reality. Our time is coming. I take a few extra steps to secure my computer.

And Apple doesn't care. They will wash their hands of liability while their customers suffer. They aren't "doing anything to stop the problem".

Wrong. See above. I can't talk about it any further.

They aren't "solving the QuickTime vulnerability problem". This would mean implementing a software assurance program. This would mean implementing something such as the Microsoft Security Development Lifecycle. Apple has not done this.

It doesn't mean that, it just means that the Quicktime team needs to re-look at all their code and secure it. You don't need a program or another acronym to solve the problem. Apple just needs to fix their code, they are, again, see above. Can't talk about it any further.

Apple does not "test test test test and test". That's what Microsoft does. Apple does not test at all... they think that testing and debugging are the same thing! A "quality test program" means integrating Quality Risk Management.

Riiiight. So Apple never seeds developer releases to test stuff?

It is held strongly by the Enterprise and research community that Sourcefire is the worst security company in the history of security companies.

Really? Is that why Snort is the IDS to which all other IDS's are measured? Is that why we have products that other companies can't even fathom? Please, show me this "strongly" held opinion.

Why haven't they been bought yet?

Tried that once, remember the whole CHKP thing?

Why are they going out of business?

What? Who said we are going out of business? Last time I checked we IPO'ed? We're making money?

I would never start a company based on an open-source product that is doomed to fail because of its architecture. Network intrusion detection was dead on arrival, but you'd think the 1998 Ptacek/Newsham paper would have killed it for sure. What is wrong with Sourcefire to think that they could continue this on for 10 years?

You would never make any money either apparently. Also, um, what code do we have that counters the Ptacek/Newsham paper? Target-based fragmentation? We've even taken it a step further and countered with target-based stream reassembly?

Windows vulnerabilities cause less damage.

$ lost by Blaster < $ lost by Quicktime. Yeah, um, no? Let's check our facts here.

Most are under a risk management plan, where an Enterprise business or government agency has compensating controls. They also have backups. Mac OS X users never have backups. I have never met a single one that does backups.

Time Machine was invented to solve this problem. Works for me.

Most Mac OS X users are complete newbies, that's why they are using Apple in the first place. If they already knew Windows well - they would stay with it.

Yeah, all people want that bloatware and Vista that doesn't work with their hardware. However, I will agree that most OSX users are newbies. Welcome. I will also disagree and say that most security people I know use OSX.

In the event of an emergency, Mac OS X users cannot help themselves. They rely on Apple to fix their problems. They can just take their laptop or iPod back to the Apple store and a Genius can order their replacement.

I know, isn't that a novel idea?

Even if it's a simple matter such as a battery or hard drive - expect to wait 4 to 8 weeks while your new equipment arrives.

Or, um... they have a shitton of them in the store. I've gone to an Apple store for a battery problem. Walked out with a brand new battery. I've never walked into a Microsoft Store and done that... oh yeah, that's because....

This is what is known to me as "a lot more damage". It's no wonder that Enterprises and government agencies don't use Apple computers!

Hm... Didn't read the news this week did you? I know LtC Wallington, and I applaud his efforts.

Most Apple users don't care; they are used to crappy service and long wait times. They waited in line for their iPhone for 26 hours -- waiting for their replacement iPhone that doesn't have a faulty antenna or battery (or whatever) "isn't that big of a deal" -- even if it takes 6 weeks!

I only waited 4 hours. On release day. The people that waited 26 were just trying to make the news. They succeeded.

Most Apple products are purchased by Dad or on credit anyways -- so it's not like it's real money!

Where do you get this utterly pointless statistic?

Where did this conversation go anyway? You were wrong "ANONYMOUS".

Tuesday, December 25

Merry Christmas

I have no entries for today.  Today is a day for spending time with family and friends.

Sorry to all those who are forced to work today. Hopefully your companies make it up to you.

It was my daughter's first Christmas, so she is really enjoying herself today.

Merry Christmas all!

Sunday, December 23

Fake Steve Jobs is out -- is a joke!?

Take a look at this blog entry. FSJ speaks as if he has had a meeting with an Apple lawyer. However, he may be joking. Andy Kaufman style. If he is, it's genius.

If it's real, then, he was offered 500,000 dollars to stop writing on FSJ. Anyone have any thoughts about this?

BTW -- Make sure you read the comments if you do.

Fake Steve Jobs is out?

I read Fake Steve Jobs every day (actually, through the magic that is RSS, it's delivered to my inbox via Mail.app). Apparently there is some info that Apple has contacted FSJ about his blog and asked him to shut it down, and is going to pay him to do so.

Which I find interesting. While this would be an excellent opportunity for the Real Steve Jobs to start a blog, which would have so many people reading it, it wouldn't even be funny... but... since that won't happen.

Apple has apparently threatened legal action if they don't take his offer. I kinda feel bad for the guy, since he basically started the blog as a joke, and now it's this huge thing which has thousands of readers. (I know that the blog has driven over 60,000 hits to my website just on my posting about his tie alone, as of this morning.)

Should he have to shut down the blog? Nah. But if he is getting paid to do it? Sure. Could be lucrative. I wouldn't tangle with big corporate lawyers. I'd take my money and stfu.

Saturday, December 22

Forbes.com - LTC Wallington and Macintosh

This is an excerpt from an Email I wrote about Apple and Microsoft:

I agree I am biased, I like Apple's products. Granted there are improvements to be made in several areas, however I thought I was pretty neutral in that particular posting. Both OSes have flaws. Period.

Diversity is good in the way it lowers the attack impact (more later), and I agree with your points about Code Red and Slammer being bandwidth hogs. But of course there was other stuff going on behind the scenes of those "noisy" attacks that was not very public. Also, both of those attacks were not against Windows itself, but against components of Windows (IIS, MSSQL). Let's use MSRPC, DHCP attacks, and the like for reference instead. We could compare the vulnerabilities in the actual OS and get a better set of numbers.

Btw -- OSX isn't just for publishing anymore. This year is my 5th year without Windows as my desktop, and my third year without it totally.

I applaud both MSFT's and AAPL's efforts to become more secure and interface with the public. I have personal dealings with the product security teams for both companies, and I can assure you that security for the OSes is headed in the right direction. Most people do not have the opportunity to work with the Apple team, so they are not familiar with their goals. People also have to remember that patching for proactive security is a benefit, not a downfall.

I still stand by my point that diversity is good.

We'll see.

--
Joel Esler
Sent from the iRoad.

Wednesday, December 19

Mac versus Windows vulnerability stats for 2007

byte_bucket over in the #pauldotcom IRC channel turned me onto this article, simply because I am a self-proclaimed Apple fanboy. Sounds good, I don't mind, I like it when people point me to articles. I read a lot of news during the day, but sometimes I don't get to see all the news articles.

Anyway, George Ou writes on zdnet.com an article comparing the number of vulnerabilities for XP, Vista, and OSX. At first glance we look at this column comparison and say "holy crap, OSX had a hell of a lot more vulnerabilities than Vista or XP combined!"

True. Now, in my usual Microsoft punditry and OSX defender stance, let me point out the less obvious differences between these three operating systems.

1) OSX hasn't had to deal with a bunch of hackers before; now that it's being increasingly targeted, especially QuickTime, Apple is dealing with it.
2) XP and Vista are closed platforms. Apple, save for their internal binaries, is pretty much open. You can see how it all works.
3) And probably the most critical: OSX is built on, and contains, a TON of open source software. CUPS, Apache, PCRE, MySQL, the list goes on and on and on.

So not only does Apple have to patch their own stuff, but they have to wait for the open source community to patch, then get the community's patch, tie it into their products, test test test test and test, then release their own patch. Makes sense so far, right? OSX Server even contains software owned by my company, Sourcefire: OSX Server contains ClamAV.

Are there more vulnerabilities in OSX than there are in Windows? Yes. But you are comparing apples (no pun intended, okay, well, slightly) and oranges. Windows has 94% market share! Just one vulnerability for Windows has the potential to cause a lot more damage than 30 vulnerabilities for OSX.

Then you have to look at the security models of the two. In OSX, most everything runs in "userland". Whereas in Windows, applications and services run at a lot of different permission levels: system, admin, user, etc.

One thing I don't like about Leopard is the same thing I didn't like about Tiger. The firewall. There is no "DENY ALL". There is a "Deny all, um.. except stuff that will break OSX". Which is fine, as long as there aren't any vulnerabilities in things like mDNSResponder (port 5353). But there have been remote vulns in mDNSResponder! The other thing I don't like about the Leopard firewall? It's OFF by default. Granted, there is only one port open by default in OSX (5353), as opposed to Windows where there are at least 3.

So, yes, OSX has more vulnerabilities than Windows, but does it matter?

UPDATE: From the comments: iamnowonmai says "I would like to see a list of all the vulnerabilities in the third-party software that people commonly use on XP. Since Acrobat is not a part of the OS, it doesn't count? Or Word? Outlook? And at least the third-party software gets updated on a Mac. How many fools are out there still using Acrobat version 4?"

Brings up a good point. Windows doesn't have to patch all the "other" software that is on its system. Apple does. Apple includes a lot of software to make their user experience better and more seamless. Windows relies on 3rd party developers for this. Say what you will, but these are things you need to take into account when you read this article.

Friday, December 14

Getting free Ringtones out of your iTunes songs

So you know how Apple charges you like 99 cents for a ringtone? Well, wouldn't it be great to put your own songs, either MP3s or iTunes-purchased songs, on your unhacked iPhone for free? Welp, I just figured it out.

You are going to need basically two things.
#1) GarageBand version 4.1.1 (available via Software Update)
#2) an MP3.

(yes, that's it)

Okay, so, GarageBand (GB) 4.1.1 allows you to make your own songs and turn them into ringtones on your iPhone. Nice feature, huh?

UPDATE: You don't need Magic GB at all, just drag your iTunes media into the GarageBand screen, set your loop, and export it as a ringtone! Thanks Apple.

So, go open GarageBand. Select Magic GarageBand from the splash screen, you can select any genre you want, then click the Audition button. This will make up a track to a song by selecting instruments and whatnot, but that's not what we are here for, is it? Okay.

After you have it open, click the button on the right of GB that says "Create Project" (down at the bottom).

GB will take your Magic GB tune that you just "made" and turn it into a looped song with 5 tracks (by default).

Now, down at the bottom right (THE VERY BOTTOM RIGHT BUTTON) in GB, is your media button. After clicking this, you will get a drawer that will allow you to import music or videos or whatnot. This drawer will show all the music you have imported into iTunes. Take whatever song you want and drag it into the main loop screen.

So then you will see your 5 loops from Magic GB and your MP3 track. Now, make sure that your MP3 track is highlighted. (It should be by default, it'll be blue.) Tap the "s" key.

This will mute all other tracks in your project EXCEPT for your MP3.

Now, click your loop button (at the bottom, it looks like two arrows going in a circle). When you click it, you will see a yellow colored bar appear at the top of your GB project. This is the length of your loop. Move this loop and resize it to wherever in the song you want your ringtone to be. Very simple, just drag the yellow bar to the right or left, then resize it with the ends.

Now from your GB menu at the top of the screen click "Share", then click "Send Ringtone to iTunes". It will immediately export your looped portion (with the other loops still silenced) to iTunes and play it. You can then sync it with your iPhone for free.

No hacks. All you'll have to do is rename it once it gets to iTunes, because it will be named "Magic GarageBand Song" or something.

Select your Ringtone on your iPhone after you sync.  Done.


Thursday, December 13

Quicktime 7.3.1 Update is out.

I blogged about it back here, and here. Apple has finally put out an update for QuickTime, 7.3.1. Good thing too, 'cause the exploits are making the rounds. Did you guys hear about the Second Life QuickTime exploit? I think we talked about that in PaulDotCom as well; I think I have blogged about almost everything we talked about in the podcast now... heh.

Reposted from the Apple website:

QuickTime 7.3.1
  • QuickTime

CVE-ID: CVE-2007-6166

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

Impact: Viewing a maliciously crafted RTSP movie may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in QuickTime's handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination buffer is sized to contain the data.

  • QuickTime

CVE-ID: CVE-2007-4706

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

Impact: Viewing a maliciously crafted QTL file may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow exists in QuickTime's handling of QTL files. By enticing a user to view a maliciously crafted QTL file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

  • QuickTime

CVE-ID: CVE-2007-4707

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

Impact: Multiple vulnerabilities in QuickTime's Flash media handler

Description: Multiple vulnerabilities exist in QuickTime's Flash media handler, the most serious of which may lead to arbitrary code execution. With this update, the Flash media handler in QuickTime is disabled except for a limited number of existing QuickTime movies that are known to be safe. Credit to Tom Ferris of Adobe Secure Software Engineering Team (ASSET), Mike Price of McAfee Avert Labs, and security researchers Lionel d'Hauenens & Brian Mariani of Syseclabs for reporting this issue.
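The first entry above describes a buffer overflow in RTSP header handling that Apple fixed by making sure the destination buffer is sized to contain the data. The C below is an added illustration of that bug class and of the fix; it is not QuickTime's code and says nothing about how QuickTime actually parses RTSP. The struct, the 64-byte value buffer and the function names are assumptions, and the unchecked copy is shown next to the bounds-checked one.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class in CVE-2007-6166 (buffer overflow while
 * handling RTSP headers, fixed by sizing the destination buffer to the data).
 * NOT QuickTime's code: the struct, buffer sizes and function names are
 * assumptions made for this example. */

#define HEADER_VALUE_MAX 64          /* assumed fixed-size destination buffer */

struct rtsp_header {
    char name[32];
    char value[HEADER_VALUE_MAX];
};

/* Unsafe pattern: the header value is copied into the fixed buffer with no
 * check on the source length, so a value of HEADER_VALUE_MAX bytes or more
 * writes past the end of out->value. Kept only for contrast with the
 * hardened form below; nothing in this example calls it. */
void parse_rtsp_header_unsafe(const char *line, struct rtsp_header *out)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL) return;
    size_t name_len = (size_t)(colon - line);
    if (name_len >= sizeof out->name) name_len = sizeof out->name - 1;
    memcpy(out->name, line, name_len);
    out->name[name_len] = '\0';

    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t') v++;
    strcpy(out->value, v);                         /* unbounded copy */
    out->value[strcspn(out->value, "\r\n")] = '\0';
}

/* Hardened form: measure the value first and refuse the line if it would not
 * fit in the destination (including the NUL terminator). Returns 1 on
 * success, 0 for a malformed or oversized header. */
int parse_rtsp_header_safe(const char *line, struct rtsp_header *out)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL) return 0;

    size_t name_len = (size_t)(colon - line);
    if (name_len == 0 || name_len >= sizeof out->name) return 0;

    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t') v++;          /* skip optional whitespace */

    size_t value_len = strcspn(v, "\r\n");        /* value ends at CRLF */
    if (value_len >= sizeof out->value) return 0; /* would overflow: reject */

    memcpy(out->name, line, name_len);
    out->name[name_len] = '\0';
    memcpy(out->value, v, value_len);
    out->value[value_len] = '\0';
    return 1;
}

/* Constructed sample: a well-formed header line that fits. */
static const char SAMPLE_OK[] = "Content-Length: 1234\r\n";

/* Builds "Session: AAAA...\r\n" with value_len bytes of 'A' into buf. */
static void make_header(char *buf, size_t bufsize, size_t value_len)
{
    const char prefix[] = "Session: ";
    size_t p = sizeof prefix - 1;
    if (p + value_len + 3 > bufsize) value_len = bufsize - p - 3;
    memcpy(buf, prefix, p);
    memset(buf + p, 'A', value_len);
    memcpy(buf + p + value_len, "\r\n", 3);      /* copies the NUL too */
}

int sample_ok_parses(void)
{
    struct rtsp_header h;
    return parse_rtsp_header_safe(SAMPLE_OK, &h) == 1 &&
           strcmp(h.name, "Content-Length") == 0 && strcmp(h.value, "1234") == 0;
}

/* The largest value that still fits (HEADER_VALUE_MAX - 1 bytes) is accepted. */
int max_fit_is_accepted(void)
{
    char line[256];
    struct rtsp_header h;
    make_header(line, sizeof line, HEADER_VALUE_MAX - 1);
    return parse_rtsp_header_safe(line, &h) == 1 &&
           strlen(h.value) == HEADER_VALUE_MAX - 1;
}

/* One byte more is refused instead of overflowing the buffer. */
int oversized_is_rejected(void)
{
    char line[256];
    struct rtsp_header h;
    make_header(line, sizeof line, HEADER_VALUE_MAX);
    return parse_rtsp_header_safe(line, &h) == 0;
}

int main(void)
{
    printf("sample parses: %d\n", sample_ok_parses());
    printf("max fit accepted: %d\n", max_fit_is_accepted());
    printf("oversized rejected: %d\n", oversized_is_rejected());
    return 0;
}
```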

2007 Top 10 Developers in the category Action/Skill games - Vote now!

2007 Top 10 Developers in the category Action/Skill games - Walkthrough, comments and more Free Web Games at FreeGamesNews.com

Buddy of mine, whose name is Joel Esler, is an artist and Flash game developer. FreeGamesNews.com is having a contest of 10 different Flash-based games, and luckily, Joel is one of the 10 nominees!

So, do him a favor, go to the above link and vote for him.  The game is fun and challenging as well!

The Secret of the Time Machine-Assisted Hard Drive Swap

Gizmodo published this article this morning.  I thought it was brilliant.


There's never been a better time to void the warranty on your MacBook and upgrade to one of those sweet 2.5" WD Scorpio 320GB drives. That was what made me throw caution to the wind and attempt a Time Machine-assisted swap. The good news is, it works as billed. You get a bit-for-bit transfer to the virgin drive with minimal fuss. The bad news is, if you don't use a little trick we discovered today, you probably won't get it to work at all.

I said "void the warranty" and I meant it. The process I went through today means it'll be harder for me to complain to Apple if things get weird, so be cautious! Given the experience I've had, I think HDDs will soon be given easy-access panels, like RAM has, because swapping a 2.5" SATA turns out to be straightforward, and the software, at least as far as Apple goes, is ready for novices.

The key here is that there's no preparation needed for the new drive. As long as you've backed up your old drive to an external disk using Time Machine, you can prepare for the grand opening. I won't bore you with gory details, except to say that I found a good bit of guidance from this dude's blog.
The Process
Once you open up the system and swap out the drives, you can set the old drive aside, hopefully never to use it again. Assuming all went well, you restart the system and insert an OS X Leopard installation DVD. You won't need the OS installer on it, but you will need it to act as mediator between the Time Machine backup drive and the newly installed blank drive. Once it boots up (you may need to manually restart to get it to work right) follow these instructions CAREFULLY:

1. Choose your language.

2. At the main screen, choose Disk Utility from the Utilities pull-down menu.

3. Select the drive itself and click on Partition.

4. In the Partition menu, select 1 Partition and Options... where you choose GUID Partition Table. Click OK then Apply, then say "yes" to whatever warning comes up.

5. Once you have reformatted the drive, close the Disk Utility window.

6. Do Not Go Forward. Instead, when you see the main Welcome screen, click the Back button, which takes you to the language select page. It sounds silly but DO IT. This shakes the system into action.

7. Once you have reselected your language and are back on the Welcome screen, click Utilities and select Restore System From Backup...

8. The process should go smoothly from that point on. You simply select appropriate disks to copy your chosen backup data from your Time Machine drive to the new internal drive, as shown in the following sequence:

[Restore screenshots 1 through 5]

The Back Story
Originally I tried my swap without first clicking back to the language page, and the installer could not find my new hard drive. Disk Utility saw it and happily formatted it with the GUID partition, but even on the second pass, the installer wouldn't show it as a target option. All I got was this hollow emptiness:

[Screenshot: Searching for Disks]

I spoke with Jeerun Chan at Western Digital and asked him to try the same process, which yielded the same results. Then I tried it with another virginal hard drive, this time a 160GB SATA from Seagate. Between the two of us, we ran this test on three different configurations, with the same negative results.

The obvious but depressing solution was to just run the Leopard system installer, then use the migration tool to back up from my Time Machine drive. It's fairly smooth, and smart if you want a clean install on your new drive, but it's boring: it takes a few steps, and they're all obvious. I wanted a bit-for-bit dump from backup to new drive, fully automatic.

As I was installing Leopard on my second drive, the phone rang: it was Jeerun with the crazy back-button technique. I don't know how he thought to do it—I don't even think he knows, but the fact remains: when you have formatted your destination drive and are on the Welcome screen, click the back button and the process will work. If you don't click it, well, in our experience, it seems you will fail in your objective.

Obviously, this won't work if you don't regularly do a full system backup in Time Machine. If the omitted folders in your Time Machine options include system files, you won't be able to do this.

In truth, it might make sense to backup only personal files, especially since this process requires a Leopard install disk even to write the whole image back onto the new drive. Chen swears by SuperDuper, which is perhaps a better pro technique, one that doesn't require a system-install DVD. Still, I wanted to see if this major boast of Time Machine was all that it was cracked up to be. It is, and the end result will be tasty, as long as you don't forget that one little catch.

As with my last Time Machine HDD discovery, this one involves a little hocus pocus. While this method works, you may have your own trick, or a more scientific approach. If so, please share it in the comments below, and spare any fellow Mac users a frustrating afternoon.

Thanks to Jeerun and Heather at WD!

2007 Top 10 Developers in the category Action/Skill games - Vote now!

2007 Top 10 Developers in the category Action/Skill games - Walkthrough, comments and more Free Web Games at FreeGamesNews.com

Buddy of mine, whose name is Joel Esler, is an artist and flash game developer.  FreeGamesNews.com is having a contest of 10 different flash based games, and luckily, Joel is one of the 10 nominees!

So, do him a favor, go to the above link and vote for him.  The game is fun and challenging as well!

The Secret of the Time Machine-Assisted Hard Drive Swap

Gizmodo published this article this morning.  I thought it was brilliant.


There's never been a better time to void the warranty on your MacBook and upgrade to one of those sweet 2.5" WD Scorpio 320GB drives. That was what made me throw caution to the wind and attempt a Time Machine-assisted swap. The good news is, it works as billed. You get a bit-for-bit transfer to the virgin drive with minimal fuss. The bad news is, if you don't use a little trick we discovered today, you probably won't get it to work at all.

I said "void the warranty" and I meant it. The process I went through today means it'll be harder for me to complain to Apple if things get weird, so be cautious! Given the experience I've had, I think HDDs will soon be given easy-access panels, like RAM has, because swapping a 2.5" SATA turns out to be straightforward, and the software, at least as far as Apple goes, is ready for novices.

The key here is that there's no preparation needed for the new drive. As long as you've backed up your old drive to an external disk using Time Machine, you can prepare for the grand opening. I won't bore you with gory details, except to say that I found a good bit of guidance from this dude's blog.
The Process
Once you open up the system and swap out the drives, you can set the old drive aside, hopefully never to use it again. Assuming all went well, you restart the system and insert an OS X Leopard installation DVD. You won't need the OS installer on it, but you will need it to act as mediator between the Time Machine backup drive and the newly installed blank drive. Once it boots up (you may need to manually restart to get it to work right) follow these instructions CAREFULLY:

1. Choose your language.

2. At the main screen, choose Disk Utility from the Utilities pull-down menu.

3. Select the drive itself and click on Partition.

4. In the Partition menu, select 1 Partition and Options... where you choose GUID Partition Table. Click OK then Apply, then say "yes" to whatever warning comes up.

5. Once you have reformatted the drive, close the Disk Utility window.

6. Do Not Go Forward. Instead, when you see the main Welcome screen, click the Back button, which takes you to the language select page. It sounds silly but DO IT. This shakes the system into action.

7. Once you have reselected your language and are back on the Welcome screen, click Utilities and select Restore System From Backup...

8. The process should go smoothly from that point on. You simply select appropriate disks to copy your chosen backup data from your Time Machine drive to the new internal drive, as shown in the following sequence:
[Screenshots: Restore steps 1 through 5]

The Back Story
Originally I tried my swap without first clicking back to the language page, and the installer could not find my new hard drive. Disk Utility saw it and happily formatted it with the GUID partition, but even on the second pass, the installer wouldn't show it as a target option. All I got was this hollow emptiness:
I spoke with Jeerun Chan at Western Digital and asked him to try the same process, which yielded the same results. Then I tried it with another virginal hard drive, this time a 160GB SATA from Seagate. Between the two of us, we ran this test on three different configurations, with the same negative results.

The obvious but depressing solution was to just run the Leopard system installer, then use the migration tool to back up from my Time Machine drive. It's fairly smooth, and smart if you want a clean install on your new drive, but it's boring: it takes a few steps, and they're all obvious. I wanted a bit-for-bit dump from backup to new drive, fully automatic.

As I was installing Leopard on my second drive, the phone rang: it was Jeerun with the crazy back-button technique. I don't know how he thought to do it—I don't even think he knows, but the fact remains: when you have formatted your destination drive and are on the Welcome screen, click the back button and the process will work. If you don't click it, well, in our experience, it seems you will fail in your objective.

Obviously, this won't work if you don't regularly do a full system backup in Time Machine. If the omitted folders in your Time Machine options include system files, you won't be able to do this.

In truth, it might make sense to backup only personal files, especially since this process requires a Leopard install disk even to write the whole image back onto the new drive. Chen swears by SuperDuper, which is perhaps a better pro technique, one that doesn't require a system-install DVD. Still, I wanted to see if this major boast of Time Machine was all that it was cracked up to be. It is, and the end result will be tasty, as long as you don't forget that one little catch.

As with my last Time Machine HDD discovery, this one involves a little hocus pocus. While this method works, you may have your own trick, or a more scientific approach. If so, please share it in the comments below, and spare any fellow Mac users a frustrating afternoon.

Thanks to Jeerun and Heather at WD!

Wednesday, December 12

Security 2.0 feedback

Warning, this is a long one. I was asked by a reader to consolidate all of the feedback I got from the Security 2.0 posts and put them into one post. Sure! No problem. However, I got a lot. No names though. If you want your name mentioned, email me, and I'll edit the post to include your name (if you have a blog or something, and you want me to link to you, provide that info too). Let me just say exactly what I said on PaulDotCom: just because you don't understand the technology isn't a reason to restrict it. You need to understand the technology, then make a risk assessment of what kind of impact it can have on your network.

To the commentary --

"iTunes is P2P by default on the local subnet, and possibly further with Wide Area Bonjour. i.e. out of the box it will search for shared music, and it is one click for a user to share, no selection, their entire iTunes Library. In our University environment we have no shortage of bandwidth, and all protocols are permitted. iTunes is a useful teaching/learning tool. But the Authorities lean heavily on departmental IT admins to lean heavily on users to keep those Sharing buttons clicked OFF. The bogeyman is Copyright."

I disagree. iTunes, IMO, is not P2P. You can't trade music with it; you can, however, stream music from another person's iTunes list on the local network. But there isn't a way that you can trade music via this medium.

"I think one reason we have a restrictive policy set at work is because the default is 'fail'. That is, just because bittorrent is blocked here doesn't mean they've decided to block bittorrent; rather, it means that they haven't decided to open up bittorrent. Another similar reason is the security appliance -- rather than think about some security issues, we appear to simply go with whatever the Cisco box thinks is a reasonable thing to filter, including web pages. Many are blocked, many aren't, but no local thought has been put into most of it. It's a convenient excuse for management -- "justify why we as a business should allow IM" is easier for them than deciding whether or not IM is useful. This way, it actually costs someone's time to open up the hole, and therefore you need a business purpose to justify it. Does it "work"? To answer that I'd have to know what they're really trying to accomplish, and upper management is really trying to accomplish making the business make money -- more specifically? I don't know what they have in mind. Apparently, they don't think I need to know what they have in mind...or I could make a business case for them taking the time to tell me. :)"

Okay, so your organization isn't really against the use of these tools, but you have to have a legit reason to open it. Okay, I can understand that one. No problems there.

"The equipment I monitor is paid for with tax dollars. The public expects County employees to be processing their paperwork, not using tax money to download iTunes or play Internet Poker. By policy, County-related business purposes only."

This one obviously came from a county employee. I can also understand this one. This is more of a business restriction, not so much a "we are disallowing it because we don't understand the security of the technology".

"Web filtering: used to stop malware, legal liability from sexual harassment (a porn site on a monitor makes an employer liable for creating a "hostile working environment"). Also, filtering logs are used when an employee's productivity is lacking, and they seem to be on web sites instead of working. iTunes, et al.: Actually, all personal electronic devices were just banned at my company, because one person became annoyed when she tried to get the attention of an employee who was listening to their iPod. This is NOT a small company - it's a $2B multi-national manufacturing firm. This was NOT a security decision. IM: IM is banned because of SOX and IP concerns, along with past incidents of employees using IM and clearly losing productivity. Management does not consider spending any money (or time) for IM monitoring to be a priority."

Web filtering -- No porn because of harassment. Okay, I can understand that one. However, let's take a look at another side of that. One of the places where I have worked didn't allow us to go to porn sites. However, where I worked, we had to get exploits, and other random nastiness, to be able to write IDS signatures against them. Most of those sites have some explicit pictures on them. Because of the bureaucracy where I worked, getting a person "unblocked" was an act of God. Even though we had a legit reason. iTunes -- Now that's just stupid. IM -- Okay, that's a legit reason. Insider information. However, I'd rather allow people to do it, and monitor it, than to disallow it totally.

"I can tell you what my Draconian company does from a security standpoint. In terms of actual security, sure we have firewalls, A/V, spyware tools and the like, but that isn't what upper management cares about. Hell, they're the last people to run their spyware removal tools or not install unapproved software. No, they like using technology to either monitor us, or limit us in any way possible. According to the president of the company you need to be working every minute of the day and if you can't do something as if he were looking over your shoulder then you shouldn't do it at all (he has said this many times), namely it needs to be work related. All external email is blocked. Corporate email is not allowed for personal use. IM is not allowed, not for any of the reasons you mention, but rather to prevent us from chatting all day. Many websites are blocked. He randomly monitors throughout the day what we are doing via Network Lookout Pro, which shows all of our monitors tiled across his computer screen. If he sees something he doesn't like he zooms in to verify and then will take disciplinary action. He is old fashioned military and thinks you need to constantly keep "the troops" in check. As if allowing them to surf the web a bit or use personal email or IM will hamper their work. Granted excessive use could, but as long as they get their work done who cares!"

I discussed this on PaulDotCom as well. This is just insane! Apparently there is absolutely no reasonable expectation of privacy.

"A few examples why we filter web access: Webmail - we block webmail because we can't monitor it properly for exfiltration of PII. In the past we used to block it because we AV scanned email, but not web traffic. Besides, running your business out of your yahoo.com email address isn't fitting for an organization our size. Calendar sites - yes, we block google calendar. Why? Because some jackass was syncing his PDA to it and set it as public access. So a journalist was able to see that we had conference calls on the security issues in our SANs and what the conference participation code was. File storage sites - you don't want to know the number of spreadsheets holding customer data we found on these sites. Pr0n - people sue us if they work in a hostile work environment. Gambling - we do business in countries where they'll behead you for doing stuff like that, but more importantly, they'll take away our license to operate. I don't mind losing a few employees in a Turkish prison, but I can't give up all of that oil money. Why we filter IM: In a word, regulators. SEC really frowns on traders having unmonitored communications. That, and a week doesn't go by that there isn't an IM worm. Also, I have enough cases open with email harassment, I don't need IM cases as well. iTunes: We don't block this one yet, but I'm working on it. Mainly because I don't have an iPod and I'm jealous. Actually it's because we've been working really hard on information control, encrypting our laptops, adding USB controls. So I really don't want to encourage them to plug a hard drive into my laptops."

Okay. I received another email that said that they don't allow iTunes because the company is not going to pay to have your songs backed up to the local backup server. I had another one write in saying that the company was concerned about Copyright issues. Maybe someone from Apple can talk about this. I know there are Apple employees that read this blog.

"Let security people implement policy instead of people whose eyes roll when you talk about mitigating a risk and think that they should implement every security control possible "because it's there"."

Good thought.

"I would say that, having worked in DoD for the last 10+ years, many times sites/services are blocked for bandwidth conservation or to prevent timewasting by unit members. These include sites such as Pandora, MySpace, Blogspot.com and Itunes. I'm not sure how effective some of these blocks are. For instance, Pandora is blocked but there are dozens of other sites that are easy to find and access. MySpace and Blogspot.com and their ilk were blocked I believe because people spent WAY too much time updating their blogs rather than working. (I overheard conversations regarding how people would spend 6+ hours a day updating their MySpace) Also, I believe information was put on these sites that shouldn't be on the web. But again, is that the best way to moderate this? Blocking the sites addresses the first concern, but not the second as again there are dozens of other social networking/blogging sites to use. Your question about how effective all the regulations and policies are is another matter entirely. Like I said, I've worked in DoD for 10+ years, doing IA for most of that time. Have things gotten better over that time period? Yes and no. DoD is a LOT smarter about IA, but as we all know, it only takes one hole for the bad guys to get in while we have to defend every wall, door, window, nook and cranny. And DoD is not immune to similar demands that occur in the commercial world; namely that the General and/or his staff (CEO equivalents) want to do X and they want to do it now and this app is mission critical and IA doesn't have the power, and isn't included in the planning... you know the story and how hard it is to secure all that. Add to that how fast technology is moving and how hard it is to be REALLY sure that the neat new app you just installed doesn't have a security hole that allows remote access to your domain.
And then there are home grown apps and did your developers (contractors or government) really follow best practices (or did they even know about them)? And finally, how can you stop users? Even smart users (see the recent break-ins at the labs in Tennessee and Los Alamos which I believe were attained through spear phishing)? Like I said, it only takes one hole. DoD is a lot smarter, but then so are the bad guys and at the moment, they outnumber us. I don't believe they are smarter than us, but we have limitations they don't. So, the final question is: Is it harder for the bad guys to get into DoD networks with all the current regulations as compared to 5 or 10 years ago? I think so, but without an objective external verification, it's hard to say for sure."

Excellent post. I used to work for DoD too. I think the "fear" of something happening is greater than the emphasis on the actual something happening.

Thank you all for posting your thoughts. If this prompted some more ideas, please feel free to leave them in the comments. If you don't want to post under your name, please feel free to post anonymously.


Fake Steve Jobs

If you came to my website yesterday and it was a bit slow, I apologize. It was kinda busy.

I wrote a little funny about Steve Jobs being at Al Gore's Nobel Peace Prize award ceremony yesterday. It was only significant because he wasn't wearing his trademark black turtleneck, jeans, and sneakers. He was wearing what appears to be a suit and tie. (Click on the link to see the picture.)

Well, fake steve jobs picked this up and blogged it at fakesteve.blogspot.com.

Fake Steve Jobs, for those of you that don't know, is a blog run by what turns out to be an editor (or writer) for Forbes.com. He presents a very funny and satirical view of the world, skewed by what he thinks Steve Jobs (the real one) would say about topics. It's a good blog; I encourage you to add it to your daily RSS feed.

Anyway, FSJ picked up my blog post, and blogged about it himself. Simply saying "So big deal, I wore a tie, who cares? Apparently this guy does. He even ran a photo." Pointing people to my website.

Heh. As you can imagine, FSJ gets a LITTLE BIT more traffic than joelesler.net, and here came the traffic.

I noticed it at about 7 am. Lights on my switch were ON. Not blinking. They were just on. I maxed out my bandwidth in about a half hour, and it remained that way for about 4 hours. Nice.

At about 10:20 am, I had over 6000 people (open sessions) at the same time. The network held this rate for about an hour and a half (started slowing down at around noon). When I went to bed last night at around 10:00 pm, I was tracking about 5000 people (open sessions) at the same time.

Snort didn't drop a packet. Not one. It analyzed every single bit of it. (Go Snort!)

So, go FreeBSD (my webserver), Go Snort (2.8.0.1), 37,935 hits yesterday isn't bad.

Tuesday, December 11

Safari wins for the first time today.



I took a look at my Google.com/analytics stats for joelesler.net today. Looks like Safari won for the first time today. So that either means that I am getting more popular with the OSX crowd, or it means that Apple is getting more prominent.

I am guessing the first.

Pastor: Cop told fourth wife he killed third wife

So, the pastor of the 4th wife of Drew Peterson told the news that Drew had confessed to her (and then her to the pastor) that Mr. Peterson had killed his 3rd wife.
Well, it really _is_ he said, she said in this example.  But, I think the moral of this story for women is:  Be cautious when marrying anyone with the last name of Peterson.  Seems you wind up "not-healthy".
Need I remind you, said 4th Wife is now missing?

Steve Jobs wore a tie.

Those of us that remember back in the pre-Steve-return-to-apple days have seen him in a Suit and Tie. But in recent years, I haven't seen him wear anything but a black mock turtleneck, jeans, and sneakers.  Original Article here.

So it's quite interesting to see him in a suit and tie.




If it were anyone else, it wouldn't be news.  This was to see Al Gore receive his Nobel Peace Prize.

Steve, you're the man.  Wear what you want big guy.
UPDATE:  Found this picture of him in full dress.





Monday, December 10

PaulDotCom Security Weekly

Episode 91 is live!  Go have a listen.  I sound a bit clogged up (nasal), and nervous at the beginning, but after I get into it, it went well!

CompUSA is done.

Compusa is done.  
This brings up several points.   I remember the fond days of CompUSA where you used to be able to go into the store and get random computer parts.  The problem is, there are SO many places to do this now, CompUSA never did anything to differentiate itself from the competition.  The only thing that CompUSA ever had that was different was the Mini-Apple Stores inside them.  Well, then Apple started their own stores, effectively killing the function of the Mini-Stores, so I am sure that didn't help.

Second, CompUSA's in general do not have the expertise that other stores do.  Now, in CompUSA's defense, they always tended to have more of a variety of products than the other guys; take keyboards for example.  CompUSA always had like 30 keyboards to pick from, while the other guys would not even have a third of that.  Especially not in a display where you could physically touch them and see how they felt underneath your fingers.

Apple must have seen this coming, and that's why Apple started reselling their stuff through Best Buy as well.  I mean, everyone sells iPods, but not everyone sells the desktops and notebooks.  Best Buy does.  CompUSA does (or did).

The only thing that CompUSA really did that was over the competition is that they sold individual parts.  All kinds of Graphic Cards, power supplies, computer shells, and the like.  Best Buy doesn't break it down to this degree, however, most people that buy these individual parts can get them for a better deal online.

That's where CompUSA is getting their butt kicked.  People can order stuff online and have it shipped next day for free from some sites.

So, hasta la vista CompUSA.  You will be missed.  However, now that I am a mac guy, and I have an Apple Store that is closer to my house than your nearest store, I really don't care.

However, where am I going to take my certification tests?

Classic Vista Error

Saw this on Gizmodo.





Classic.

MSFT convinces you to buy crap

MSFT apparently isn't getting the sales of Vista that it wishes it had. So it's written an article on how to convince your managers that you need to upgrade.

By and large I have to deal with tons of Windows users on a daily basis. I've met two, seriously, two that are on Vista. The rest are on XP.

Hate to say it MSFT, but XPSP2 is the new 98SE. It is stable. Leave it alone. Why dump more shit on top of an already big pile of shit? Oh, to try and compete, that's right. Anyway. (*rolls eyes*)

So let's hit the bold points on the list (click on blog post heading for link).

"Security is the message"

"...management may not be aware that the most compelling reason to migrate to a newer operating system, such as Windows Vista, is to take advantage of the latest security features..."

MSFT, absolutely nothing about Vista that I have seen so far makes it less of a target. I have seen a bunch of upgrades for Vista, even updates that came out for Vista before it was even released!

"The challenges"
"Johnson said upgrades can be challenging for IT as well. It requires the team to be a lot more involved in the installation and testing of the individual machines, because users are typically not going to be the administrators. Users may also be resistant to this idea at first, because they can no longer download all those fun, quirky applications that may, inadvertently, make their machines vulnerable."

So, make like every other operating system, only execute things in the user space, get rid of the registry, and stop requiring "Administrator" access for every little thing!

"The hidden cost of vulnerability"

"What management may not realize, however, is that they are already paying a hefty hidden cost by having outdated systems in place, “because you are paying for an administrator’s time to deal with these issues,” Johnson said. The trick is to show management this in a way that translates into dollars saved."

Is that the trick? Nice word. "The trick." So we are now using the sysadmins of the networks to try and sell management on a piece of crap? Oh wait, did I say sell? I meant trick.

"Make a list"

"...itemize the work that they do in several categories: improved productivity, security breaches, recovering from problems..."

How do fancy graphics, Aqua Aero, and widgets gadgets make productivity higher? There are these fancy things in OSX, but they are just a nicety on top of an OS that makes things easier to operate, and you can get your work done. Vista has centered its whole idea around this graphical interface. Stop copying MSFT!

"Save me the money"

"So how do you convince management to buy new machines, or upgrade the RAM and get the latest OS, if what they are doing right now seems to work OK?"

Yes, MSFT, how do you do that?

"Proactive versus reactive"

"The best thing about the upgrades, once they are done, is that administrators will have more time to devote to preventing problems before they happen, Johnson said."

The only proactive thing I see about Vista is "Hey Boss, we need to upgrade to Vista, not for any other reason than, eventually... MSFT will stop supporting XP!!"

Not because it works better.

Friday, December 7

Certification Litmus Test



Click on image to make it bigger. Go ahead. Then hit the back button.

Back now? Okay. There's the thread for the discussion on the DShield list about the SANS change for certifications. Notice the ads on the right of the screen? THAT'S MY PROBLEM.  See how commercialized the CISSP is now?  Ads for bootcamps.  Even though the thread thoroughly discusses GIAC certs, you see no ads for GIAC testing centers or bootcamps in there.

What is to say that it won't become that?

My whole point in this discussion is to not let the GIAC certifications (no matter how much you don't or do respect certifications, I don't really care for them one way or the other, I have a couple) go to the dirt.  So many "CERTS" have gone downhill it's horrible.

I understand why this is taking place.  I just don't agree with it.  I understand that standards and that kind of thing are good.   The exams and the practical are hard. (I don't really care for the Silver GIAC cert.  I am a Gold kinda guy, I really like the practical.  That's why I like grading them.  If it were up to me, I'd reinstate the practical for everyone.)

Daughter is fine

I have had a couple people ask me about the condition of my daughter, who had some minor surgery this week.

She is totally fine.  Little blood and pus still coming out of the ears, but it is MUCH less, and we are applying drops.

Thank you all for your concern!  I appreciate it.

Snort question from the Mailbag

I got this email today in the mailbag:

"I have configured and am running Snort as a NIDS (network intrusion detection system). When I make DDoS attack simulations, Snort can detect the attack and raise an alert. On the other side there is a gateway which contains a general firewall. My purpose is that when Snort raises an alert, it can make the gateway computer apply the firewall. Would you like to give me solutions for that?
Thank you very much."


What I think this person is asking is, "How can I get Snort to automatically update my firewall based on its alerts?"

Well, there are several answers to the question, the most reliable answer being: "Buy a Sourcefire 3D system."  Not only do you get the ability to do that, but you get SO much more.
The second answer to the question is, "Use SnortSAM."  SnortSAM is a project started (I believe) by Frank Knobbe.

I've never used SnortSAM, so I can't say good or bad about it, but YMMV.
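To show what the alert-to-firewall glue actually has to do, here is an added example (mine, not SnortSAM or Sourcefire code) that parses Snort 2.x alert_fast lines, counts alerts per source, refuses to touch allowlisted networks, and renders pf or iptables block commands for review instead of running them. The alert lines, the SIDs (9000001/9000002) and the protected host 198.51.100.10 are all constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Snort 2.x alert_fast format (placeholder SIDs, constructed for this example):
#   12/07-10:15:01.000001  [**] [1:9000001:1] msg [**] [Classification: ...] [Priority: 2] {TCP} src:port -> dst:port
# ICMP alerts carry no ports, so the port groups are optional.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts: a burst from 203.0.113.5, one low-priority ICMP alert,
# a burst from an internal host, and one junk line the parser must skip.
SAMPLE_ALERTS = """\
12/07-10:15:01.000001  [**] [1:9000001:1] CONSTRUCTED flood test [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.5:40001 -> 198.51.100.10:80
12/07-10:15:01.000450  [**] [1:9000001:1] CONSTRUCTED flood test [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.5:40002 -> 198.51.100.10:80
12/07-10:15:01.000900  [**] [1:9000001:1] CONSTRUCTED flood test [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.5:40003 -> 198.51.100.10:80
12/07-10:15:02.000100  [**] [1:9000002:1] CONSTRUCTED icmp sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 198.51.100.10
12/07-10:15:03.000100  [**] [1:9000001:1] CONSTRUCTED flood test [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.0.0.5:50000 -> 198.51.100.10:80
12/07-10:15:03.000200  [**] [1:9000001:1] CONSTRUCTED flood test [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.0.0.5:50001 -> 198.51.100.10:80
12/07-10:15:03.000300  [**] [1:9000001:1] CONSTRUCTED flood test [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.0.0.5:50002 -> 198.51.100.10:80
this line is not a snort alert and must be skipped
"""

# Networks an auto-blocker must never touch, however loud the alerts: spoofed source
# addresses are the classic way to turn a reactive blocker into a self-inflicted outage.
# Internal ranges plus the protected host itself (198.51.100.10 is constructed).
DEFAULT_NEVER_BLOCK = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                       "127.0.0.0/8", "198.51.100.10/32")


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None for anything else."""
    m = FAST_RE.match(line.strip())
    if m is None:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    alert["sid"] = int(alert["sid"])
    return alert


def select_block_candidates(lines, threshold=3, max_priority=2,
                            never_block=DEFAULT_NEVER_BLOCK):
    """Return the sorted source IPs that raised at least `threshold` alerts of
    priority <= `max_priority` (Snort: 1 is most severe) outside the allowlist."""
    protected = [ip_network(n) for n in never_block]
    hits = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["prio"] > max_priority:
            continue
        try:
            src = ip_address(alert["src"])
        except ValueError:          # malformed address in an otherwise valid line
            continue
        if any(src in net for net in protected):
            continue
        hits[src] += 1
    return sorted(str(ip) for ip, count in hits.items() if count >= threshold)


def firewall_commands(sources, flavor="pf", table="snort_block"):
    """Render block commands for a human (or a reviewed job) to apply; nothing runs here."""
    if flavor == "pf":          # pf: add to a table that a block rule references
        return [f"pfctl -t {table} -T add {ip}" for ip in sources]
    if flavor == "iptables":    # Linux netfilter
        return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sources]
    raise ValueError(f"unknown firewall flavor: {flavor}")


if __name__ == "__main__":
    offenders = select_block_candidates(SAMPLE_ALERTS.splitlines())
    for cmd in firewall_commands(offenders):
        print(cmd)      # prints: pfctl -t snort_block -T add 203.0.113.5
```

Whatever applies the commands should also expire the entries (pf tables support `pfctl -t snort_block -T expire <seconds>`), or a single noisy afternoon leaves permanent holes in your own reachability.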

PaulDotCom Security Weekly

Referring back to my Podcast 101 story.

I was on PaulDotCom Security Weekly, the podcast last night as a Guest Host.   We had a good time talking about all the weekly security stories.

It was a good time, I communicated the whole time from my office in my house via Skype.  Can't complain about that.  It took about an hour and a half to do the whole thing, from setup to end of podcast.  All in all, a great time.  

Thanks go to Larry and Paul for having me on.

Certification Litmus Test



Click on image to make it bigger. Go ahead. Then hit the back button.

Back now? Okay. There's the thread for the discussion on the DShield list about the SANS change for certifications. Notice the ads on the right of the screen? THAT'S MY PROBLEM.  See how commercialized the CISSP is now?  Ads for bootcamps.  Even though the thread thoroughly discusses GIAC certs, you see no ads for GIAC testing centers or bootcamps in there.

What is to say that it won't become that?

My whole point in this discussion is to not let the GIAC certifications go to the dirt (no matter how much you do or don't respect certifications; I don't really care for them one way or the other, and I have a couple).  So many "CERTS" have gone downhill that it's horrible.

I understand why this is taking place.  I just don't agree with it.  I understand that standards and that kind of thing are good.   The exams and the practical are hard. (I don't really care for the Silver GIAC cert.  I am a Gold kinda guy, I really like the practical.  That's why I like grading them.  If it were up to me, I'd reinstate the practical for everyone.)

Daughter is fine

I have had a couple people ask me about the condition of my daughter, who had some minor surgery this week.

She is totally fine.  A little blood and pus is still coming out of the ears, but it is MUCH less, and we are applying drops.

Thank you all for your concern!  I appreciate it.

Thursday, December 6

SANS proctorization part two

I just talked to someone from SANS.  Apparently the reason for the change is that GIAC has to be ANSI certified.

Why you ask?

DOD Directive 8570.

DoD Directive 8570.1 was approved in December 2005 and requires DoD IA workers to obtain a commercial certification accredited under ISO/IEC standard 17024. ISACA's Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications, accredited by the American National Standards Institute (ANSI), are among only 13 certifications approved by the DoD.

Apparently SANS has to meet this mark by the end of 2007.

I still don't agree with it.  It sounds like SANS is really making it difficult for the non-.gov/.mil folks.  

In the interest of full disclosure though, I did get my cert while I was .mil.  However, now I am not.  It still sucks.

RSS Feed, now at full throttle

I moved the RSS feed back to full, now that I have a decent count.

I appreciate all the people that clicked through, either on the short RSS article or on others; it gives me a better count.  I think the bandwidth that I have is sufficient since I removed the bigger video files and whatnot from the site.  We should be good now.

All SANS exams to be proctored?

What kind of crap is this?

"Effective December 1st, 2007, all new GIAC certification attempts and
re-certification attempts are required to be proctored. The price of a
GIAC certification attempt in conjunction with SANS training is $499,
the challenge price remains $899. The price of a recertification
attempt is $325."

This is why people like the SANS certification.  Not only is it hard (the test and the courses speak for themselves), but you get to take it in the comfort of your own home, on your own computer, in your own web browser.  This is one of the huge selling points of the GIAC certifications, and one that I have personally pushed.  No one wants to take time out of their week to go to a testing center!  People want to be at home, late at night with the lights turned off (insert whatever analogy you want here), and take the exams where they have no distractions.  I really don't agree with this.

"If you started your GIAC Silver Certification attempt and received
access to your exams before December 1st, 2007 your certification
requirements will remain unchanged."

Good.  I took mine several years ago.  Does this mean that re-certs will have to go to a testing center?  Will we have access to Google and other materials in order to take our tests?

"GIAC has selected Kryterion as our partner to deliver proctored exams
through their network of host locations. Kryterion has nearly complete
coverage in the USA and many testing centers throughout the world. In
addition, Kryterion has been very responsive to adding GIAC proctored
testing centers in locations where we need them. The list of Kryterion
test center locations posted on the GIAC website,
http://www.giac.org/proctor/kryterion.php. If you will be taking a GIAC
proctored exam in the future and do not see a site near you, please fill
out the form provided with your location specifics, so that we can work
to get a site added near you:
http://www.giac.org/proctor/kryterion.php#form"

Okay, so looking at this site, the nearest one to me is in Wilmington, at a CompUSA.  What is that?  50 miles from my house?  One direction?  So not only do we have to pay for the course and the exam, but now I have to get off my ass and pay for the gas in my car to drive 100 miles to take a damn exam, which I used to take in my house!  Also, Kryterion has a lot of CompUSA locations.  Okay, that's interesting; however, if BGR's rumor is true, that might be short-lived.  Then I have to drive God knows how far?

"All GIAC certification attempts purchased after December 1st, 2007 will
be comprised of one single exam that covers all the certification
objectives. This new exam format is four or five hours in length,
depending on the specific certification."

Okay, so not only do I get to sit in CompUSA for 4 to 5 hours, but I have to take the exams all at once!  Not allowing for a nice break in between the TCP test and the class test like it used to be?  Bullshit.

"All GIAC certification attempts purchased after December 1st, 2007 are
open book format, but not open internet or open computer."

That sucks.  Really Really sucks.

"Candidates will be allowed to bring one back pack or briefcase of course books,
reference material, printed notes, printed spreadsheets, etc., but no
electronic devices such as extra computers, CD-ROM or USB flash drives."

Again, stupid, and it sucks.  But they didn't state the size of backpack or briefcase.  So if I can get my duffel bag on my back, is that okay?

Dear SANS,

This is the stupidest thing you have ever done.  Far stupider than the practical drop that you did (which you fixed with the Silver/Gold program).  I do not agree with it, and I think you will lose a very large majority of your certification base with this.  Why are you doing it?

"GIAC will soon be ANSI/ISO certified as a certification..."

What does that mean for me?  An extra cookie?  Does that get me hired, uh, less?  Does that give me more money in my bottom line if you get ISO certified?  No.  

Some of you are sitting there and saying "holy crap Joel, all you have to do is drive to a testing facility".  Yes.  That is the point.  You just lost the most motivating factor of your certification.  Me.  Being at home.  The world is moving to telecommuting and the ability to do anything from anywhere.  Hell, before now, I could have taken the SANS test on my iPhone!

Seems like SANS is going backwards.

Tuesday, December 4

Still a Quicktime ZeroDay out there!

WabiSabiLabi is reporting that the QuickTime vulnerability that I wrote about last week is NOT the one in their "for sale" repository.
Now, the way I look at this is that WabiSabiLabi is not doing the responsible thing and disclosing it to the vendor.  They are selling it, basically trying to blackmail or hold the vulnerability for ransom.

I'm not of the opinion that everything needs to be disclosed to the public, but it should at least be disclosed to the vendor.  If there is an exploit, and it's not being reported to the vendor, then it's irresponsible in my opinion.  

WabiSabiLabi says this is their philosophy: "Wabi-sabi nurtures all that is authentic by acknowledging three simple realities: nothing lasts, nothing is finished, and nothing is perfect."  

I can understand people trying to get paid for their research, but there is a certain line.  They should apply for a job at the vendor or something.  I don't know what the proper procedure is, but holding the vulnerability for ransom isn't fair.

If you are going to have a vulnerability, try to get the vendor to pay you for it.  Or keep it to your damn self.

If you are interested in paying into WabiSabi's coffers: 442.62 will get you a QuickTime exploit for Windows XP.

A small price to pay for Apple to ensure the security of its customers.