Showing posts from 2007

OSX, Windows, and security

Posted today as a comment. Please read inline (Italics is for the comment, non-italics is for me).

You are correct that third-party applications are weak points. This applies equally if not more so to Mac OS X. I think there is use of more third-party apps under Mac OS X than typically by Windows XP/Vista users.

I'm not talking about 3rd party apps. I am talking about Open source apps that are integrated into the OS. Apache, MySQL, tcpdump, bind, etc. Neither OS supports the updating of a 3rd party app through their Software Update package. They SHOULD. I talked about this back here.

Windows is, in fact, much more open than Mac OS X. Mac OS X upon release looked nothing like FreeBSD 4, which it was based on. Note that FreeBSD 5 was almost done at the time Mac OS X was released and FreeBSD is now on version 7.

Windows is more open than OSX? OSX contains Open Source code, and Windows total code is closed. So right there, by default, you are wrong. OSX was BASED on FreeBSD. No …

Merry Christmas

I have no entries for today.  Today is a day for spending time with family and friends.
Sorry to all those that are forced to work today.  Hopefully your companies make it up to you.  
It was my daughter's first Christmas, so she is really enjoying herself today.
Merry Christmas all!

Fake Steve Jobs is out?

I read Fake Steve Jobs every day (actually, through the magic that is RSS, it's delivered to my inbox via Mail.app). Apparently here is some info that Apple has apparently contacted FSJ about his blog and asked him to shut it down, and is going to pay him to do so.

Which I find interesting. While this would be an excellent opportunity for the Real Steve Jobs to start a blog, which would have so many people reading it, it wouldn't even be funny.. but.. since that won't happen.

Apple has apparently threatened legal action if they don't take his offer. I kinda feel bad for the guy, since he basically started the blog as a joke, and now it's this huge thing which has thousands of readers. (I know that the blog has driven over 60,000 hits to my website just on my posting about his tie alone, as of this morning.)

Should he have to shut down the blog? Nah. But if he is getting paid to do it? Sure. Could be lucrative. I wouldn't tangle with big corporate lawyers.…

Forbes.com - LTC Wallington and Macintosh

This is an excerpt from an Email I wrote about Apple and Microsoft:

I agree I am biased, I like Apple's products. Granted there are
improvements to be made in several areas, however I thought I was
pretty neutral in that particular posting. Both os'es have flaws.
Period.

Diversity is good in the way it lowers the attack impact, (more
later) and I agree with your points about code red and slammer being
bandwidth hogs. But of course there was other stuff going on behind
the scenes of those "noisy" attacks that was not very public. Also
both of those attacks were not against Windows itself. But against
components of windows. (iis, mssql) let's use msrpc, dhcp attacks,
and the like for reference instead. We could compare the
vulnerabilities in the actual os and get a better set of numbers.

Btw-- osx isn't just for publishing anymore. This year is my 5th
year without windows as my desktop. And my third year without it
totally.

I applaud both msft and aapl's efforts to become mor…

Mac versus Windows vulnerability stats for 2007

byte_bucket over in the #pauldotcom IRC channel turned me onto this article, simply because I am a self-proclaimed Apple fanboy. Sounds good, I don't mind, I like it when people point me to articles. I read a lot of news during the day, but sometimes I don't get to see all the news articles. Anyway, George Ou writes on zdnet.com an article comparing the amount of vulnerabilities for XP, Vista, and OSX. At first glance we look at this column comparison and say "holy crap, osx had a hell of a lot more vulnerabilities than Vista or XP combined!"


True. Now, in my usual Microsoft punditry and OSX defender stance, let me point out the less obvious in these three operating systems.
1) OSX hasn't had to deal with a bunch of hackers before, now that it's being increasingly targeted, especially Quicktime, Apple is dealing with it.
2) XP and Vista are closed platforms. Apple, save for their internal binaries, is pretty much open. You can see how it all works.
3) and …

Getting free Ringtones out of your iTunes songs

So you know how Apple charges you like 99 cents for a ringtone?  Well, wouldn't it be great to put your own songs, either mp3's or iTunes purchased songs on your unhacked iPhone for free?  Welp, I just figured it out.
You are going to need basically two things. #1) Garageband version 4.1.1 (available via Software Update) #2) an mp3.  
(yes, that's it)
Okay, so, Garageband (GB) 4.1.1 allows you to make your own songs and turn them into Ringtones on your iPhone.  Nice feature huh?  
UPDATE:  You don't need Magic GB at all, just drag your iTunes media into the Garageband screen, set your loop, and export it as a Ringtone!  Thanks Apple.
So, go open Garageband.  Select Magic garageband from the splash open screen, you can select any genre you want, then click the audition button.  This will make up a track to a song by selecting instruments and what not, but that's not what we are here for is it?  okay.
After you have it open, click the button on the right of GB that says "…

Quicktime 7.3.1 Update is out.

I blogged about it back here, and here. Apple has finally put out an update for Quicktime 7.3.1.  Good thing too, cause the exploits are making the rounds.  Did you guys hear about the Second-Life Quicktime exploit?  I think we talked about that in PaulDotCom as well, I think I have blogged about almost everything we talked about in the podcast now... heh.

Reposted from the Apple website:

QuickTime 7.3.1
QuickTime
CVE-ID: CVE-2007-6166

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

Impact: Viewing a maliciously crafted RTSP movie may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in QuickTime's handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination b…

2007 Top 10 Developers in the category Action/Skill games - Vote now!

2007 Top 10 Developers in the category Action/Skill games - Walkthrough, comments and more Free Web Games at FreeGamesNews.com

Buddy of mine, whose name is Joel Esler, is an artist and flash game developer.  FreeGamesNews.com is having a contest of 10 different flash based games, and luckily, Joel is one of the 10 nominees!

So, do him a favor, go to the above link and vote for him.  The game is fun and challenging as well!

The Secret of the Time Machine-Assisted Hard Drive Swap

Gizmodo published this article this morning.  I thought it was brilliant.
There's never been a better time to void the warranty on your MacBook and upgrade to one of those sweet 2.5" WD Scorpio 320GB drives. That was what made me throw caution to the wind and attempt a Time Machine-assisted swap. The good news is, it works as billed. You get a bit-for-bit transfer to the virgin drive with minimal fuss. The bad news is, if you don't use a little trick we discovered today, you probably won't get it to work at all. I said "void the warranty" and I meant it. The process I went through today means it'll be harder for me to complain to Apple if things get weird, so be cautious! Given the experience I've had, I think HDDs will soon be given easy-access panels, like RAM has, because swapping a 2.5" SATA turns out to be straightforward, and the software, at least as far as Apple goes, is ready for novices. The key here is that there's no preparation needed…

Security 2.0 feedback

Warning, this is a long one. I was asked by a reader to consolidate all of the feedback I got from the Security 2.0 posts and put them into one post. Sure! No problem. However, I got a lot. No names though. If you want your name mentioned email me, and I'll edit the post to include your name (if you have a blog or something, and you want me to link to you, provide that info too). Let me just say exactly what I said on PaulDotCom, just because you don't understand the technology, isn't a reason to restrict it. You need to understand the technology, then make a risk assessment of what kind of impact it can have on your network.

To the commentary --

"iTunes is P2P by default on the local subnet, and possibly further with Wide Area Bonjour. ie. out of the box it will search for shared music, and it is one click for a user to share, no selection, their entire iTunes Library. In our University environment we have no shortage of bandwidth, and all protocols are permitt…

Fake Steve Jobs

If you came to my website yesterday and it was a bit slow, I apologize. It was kinda busy.

I wrote a little funny about Steve Jobs being at Al Gore's Nobel Peace Prize award ceremony yesterday. It was only significant because he wasn't wearing his trademark black turtleneck, jeans, and sneakers. He was wearing, what appears to be, a suit and tie. (Click on the link to see the picture).

Well, fake steve jobs picked this up and blogged it at fakesteve.blogspot.com.

Fake Steve Jobs, for those of you that don't know, is a blog run by, what turns out to be an editor (or writer) for Forbes.com. He presents a very funny and satirical view of the world, skewed by what he thinks Steve Jobs (the real one) would say about topics. It's a good blog, I encourage you to add it to your daily rss feed.

Anyway, FSJ picked up my blog post, and blogged about it himself. Simply saying "So big deal, I wore a tie, who cares? Apparently this guy does. He even ran a photo." Poin…

Safari wins for the first time today.

I took a look at my Google.com/analytics stats for joelesler.net today. Looks like Safari won for the first time today. So that either means that I am getting more popular with the OSX crowd, or it means that Apple is getting more prominent.

I am guessing the first.

Pastor: Cop told fourth wife he killed third wife

So, the pastor of the 4th wife of Drew Peterson told the news that Drew had confessed to her (then her to the pastor) that Mr. Peterson had killed his 3rd wife. Well, it really _is_ he said, she said in this example.  But, I think the moral of this story for women is:  Be cautious when marrying anyone with the last name of Peterson.  Seems you wind up "not-healthy".. Need I remind you, said 4th Wife is now missing?

Steve Jobs wore a tie.

Those of us that remember back in the pre-Steve-return-to-apple days have seen him in a Suit and Tie. But in recent years, I haven't seen him wear anything but a black mock turtleneck, jeans, and sneakers.  Original Article here.

So it's quite interesting to see him in a suit and tie.




If it were anyone else, it wouldn't be news.  This was to see Al Gore receive his Nobel Peace Prize.
Steve, you're the man.  Wear what you want big guy. UPDATE:  Found this picture of him in full dress.



MSFT convinces you to buy crap

MSFT apparently isn't getting the sales of Vista that it wishes it had. So it's written an article on how to convince your managers that you need to upgrade.
By and large I have to deal with tons of Windows users on a daily basis. I've met two, seriously, two that are on Vista. The rest are on XP.
Hate to say it MSFT, but XPSP2 is the new 98SE. It is stable. Leave it alone. Why dump more shit on top of an already big pile of shit? Oh, to try and compete, that's right. Anyway. (*rolls eyes*)
So let's hit the bold points on the list (click on blog post heading for link).
"Security is the message"
"...management may not be aware that the most compelling reason to migrate to a newer operating system, such as Windows Vista, is to take advantage of the latest security features..."
MSFT, absolutely nothing about Vista that I have seen so far makes it less of a target. I have seen a bunch of upgrades for Vista, even updates that came out for Vista b…

CompUSA is done.

Compusa is done.   This brings up several points.   I remember the fond days of CompUSA where you used to be able to go into the store and get random computer parts.  The problem is, there are SO many places to do this now, CompUSA never did anything to differentiate itself from the competition.  The only thing that CompUSA ever had that was different was the Mini-Apple Stores inside them.  Well, then Apple started their own stores, effectively killing the function of the Mini-Stores, so I am sure that didn't help.
Second, CompUSA's in general do not have the expertise that other stores do.  Now, in CompUSA's defense, they always tended to have more of a variety of products than the other guys, take keyboards for example.  CompUSA always had like 30 keyboards to pick from, while the other guys would not even have a third of that.  Especially not in a display where you could physically touch them and see how they felt underneath your fingers.
Apple must have seen this coming an…

Classic Vista Error

Saw this on Gizmodo.




Classic.

Certification Litmus Test

Click on image to make it bigger. Go ahead. Then hit the back button.

Back now? Okay. There's the thread for the discussion on the DShield list about the SANS change for certifications. Notice the ads on the right of the screen? THAT'S MY PROBLEM.  See how commercialized the CISSP is now?  Ads for bootcamps.  Even though the thread thoroughly discusses GIAC certs, you see no ads for GIAC testing centers or bootcamps in there.

What is to say that it won't become that?
My whole point in this discussion is to not let the GIAC certifications (no matter how much you don't or do respect certifications, I don't really care for them one way or the other, I have a couple) go to the dirt.  So many "CERTS" have gone downhill it's horrible.
I understand why this is taking place.  I just don't agree with it.  I understand that standards and that kind of thing are good.   The exams and the practical are hard. (I don't really care for the Silver GIAC cert.…

Daughter is fine

I have had a couple people ask me about the condition of my daughter, who had some minor surgery this week.
She is totally fine.  Little blood and pus still coming out of the ears, but it is MUCH less, and we are applying drops.
Thank you all for your concern!  I appreciate it.

Snort question from the Mailbag

I got this email today in the mailbag:

"i have configure and running snort for NIDS (network intrusion detecting system), when i make DDOS attack simulations the snort can be detect the attack and rise alert. in another side there is gateway who contain general firewall. my purpose is when snort rise alert this is can make gateway computer applied the firewall, would you like to give me solutions for that.
thanks you very much."

What I think this person is asking is, "How can I get Snort to automatically update my firewall based on its alerts?"
Well, there are several answers to the question, the most reliable answer being: "Buy a Sourcefire 3D system"  Not only do you get the ability to do that, but you get SO much more. The second answer to the question is, "Use SnortSAM".  SnortSAM is a project started (I believe) by Frank Knobbe.  
I've never used SnortSAM, so I can't say good or bad about it, but YMMV.

PaulDotCom Security Weekly

Referring back to my Podcast 101 story.
I was on PaulDotCom Security Weekly, the podcast last night as a Guest Host.   We had a good time talking about all the weekly security stories.
It was a good time, I communicated the whole time from my office in my house via Skype.  Can't complain about that.  It took about an hour and a half to do the whole thing, from setup to end of podcast.  All in all, a great time.  
Thanks go to Larry and Paul for having me on.

SANS proctorization part two

I just talked to someone from SANS.  Apparently the reason for the change is because GIAC has to be ANSI certified.
Why, you ask?
DOD Directive 8570.
DoD Directive 8570.1 was approved in December 2005 and requires DoD IA workers to obtain a commercial certification accredited under ISO/IEC standard 17024. ISACA's Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications, accredited by the American National Standards Institute (ANSI), are among only 13 certifications approved by the DoD.

Apparently SANS has to meet this mark by the end of 2007.
I still don't agree with it.  It sounds like SANS is really making it difficult for the non-.gov/.mil folks.  
In the interest of full disclosure though, I did get my cert while I was .mil.  However, now I am not.  It still sucks.

RSS Feed, now at full throttle

I moved the RSS feed back to full.  Now that I have a decent count.  
I appreciate all the people that clicked through, either on the short rss article, or on others, it gives me a better count.  I think the bandwidth that I have is sufficient since I removed the bigger video files and what not from the site.  We should be good now.

All SANS exams to be proctored?

What kind of crap is this?
"Effective December 1st, 2007, all new GIAC certification attempts and
re-certification attempts are required to be proctored. The price of a
GIAC certification attempt in conjunction with SANS training is $499,
the challenge price remains $899. The price of a recertification
attempt is $325."
This is why people like the SANS certification.  Not only is it hard, (the test and the courses speak for themselves), but you get to take them in the comfort of your own home, on your own computer, in your own web browser.  This is one of the huge selling points of the GIAC certifications, and one that I have personally pushed.  No one wants to go take time out of their week to go to a testing center!  People want to be at home, late at night with the lights turned off, (insert whatever analogy you want here), and take the exams where they have no distractions.  I really don't agree with this.
"If you started your GIAC Silver Certification attempt and re…