Bitland.Net Security Notes            Comments? email jwilkins-at-bitland*net
More information on the author at Jonathan Wilkins's home page
RSS feed available at http://www.bitland.net/index.rss
Archives: 2007, 2006, 2005, 2004, 2003, 2002, 2001, 2000


Wilkins Law of Modern Life  |  (2008/09/22 17:11)

Some of the renovations I've been doing around the house have led me to believe this: if what you're doing sucks and isn't in a field invented this decade, then someone has invented a better technique or a tool to make it easier. If the tool is really expensive or the technique is hard to learn there are 2 corollaries:
  • Corollary 1: If what you're doing is common, you can usually find someone with the appropriate tool or training to do it cheaply. If what you're doing is obscure, it'll cost you a lot.
  • Corollary 2: If it's obscure and you have any interest or limited funds, learning it or building your own equivalent of the tool is a good approach.
  • Corollary 3: Not having a clue how it's supposed to be done leads to novel solutions, some of which are better than any you'd be taught.
I refinished my kitchen floors. They were cement underneath linoleum. Initially I used a solvent to get rid of the bulk of the glue and then a sander to remove the rest. Then I discovered angle grinders, and an area that had taken an hour took me 5 minutes. Along the way, I also learned how to match cement colors, something that everyone I talked to said wasn't possible, but I've learned they probably meant not worth bothering with.

I've also been messing around with video. Building a good steadycam can be done for $30 (or a passable one for almost free) or you can dish out $800 for one made by Steadicam.

+digg  |  +del.icio.us   |    [Misc ]   |   Permanent link

What nations are for  |  (2008/08/04 14:07)

"The world is full of unimaginable horrors and humans being deprived from basic necessities and rights. The idea of a nation is to divide the world into blocks that are small enough that you could possibly do something about the terrible condition in which you and your fellow citizens exist."

Conducting interviews  |  (2007/11/16 13:50)

I haven't interviewed anyone in a long time, but I had a thought today. The next time I do one, I'm not going to ask any coding questions or logic problems. Instead I'm going to ask a series of questions like:
  • VI or emacs?
  • How do you prefer to arrange your source repository and what SCM do you prefer?
  • Python or Ruby or?
  • Favorite programming font?
  • Tabs vs spaces?
  • Braces on the end of the line or on a new line and how do you indent?
And follow those up with an open ended why? If they can give a decent answer, the content will probably be irrelevant, or something that you've already heard, but the more I talk to bad developers, the more I realize how little they care about the environment in which they program. In contrast, the more I talk to really good developers (and the closer I approach that status) the more I see how much attention they pay to the smallest things in their environment and how that increases their productivity. They care about the code they are writing and they do the maximum to make it easy to focus on that code. They have an opinion on the interminable debates such as vi vs emacs and bsd vs linux. It doesn't matter whether we agree on editor choice because as long as they had a reasonable answer to why, they're more likely to churn out decent code than the guy who can whiteboard a quicksort. (Though it's known as the One True Brace Style for a reason...)


Switching  |  (2007/06/17 16:45)

So I've made the switch, though not the one that most people in the security industry have made. Instead of going to Apple, I've gone to Ubuntu.

I used to use FreeBSD way back in the day, but switched to OpenBSD as my preferred Unix sometime in late 1996 or early 1997. I always had a PC running some version of Windows as well since there was always something I needed or (post vmware) that didn't quite work in a VM.

I made a couple of forays into the Linux world, but various things just didn't work properly. RedHat *almost* got it right, just before they abandoned desktop Linux and spun off the Fedora project. Mandrake got my hopes up for a little while and I had a file server using Loop AES that was a major improvement over my prior OpenBSD/cfs setup. But there was always some major issue with desktop Linux that made it unbearable for me. And while OpenBSD and FreeBSD were OK, they just didn't keep up with the apps I wanted. (For instance, OpenBSD gave up on VMWare ages ago and VMWare 3 is the latest they seem to support.)

I looked seriously at the Mac laptops, but the screen resolution and weight factors just didn't compare to PC laptops. The latest screens have some promise, but I've gotten pretty offended by Apple's treatment of the security community (Maynor et al) and their relationship with the RIAA/MPAA and their stance on DRM. (BTW, if you can get a DRM fix out in hours, you can do the same with security fixes...). But I digress ...

I've been running Ubuntu on my laptop (a Thinkpad X60 Tablet) and I can't say how much I like it. No major problems. VMWare 6 works beautifully. Disk crypto (in the form of Loop AES and TrueCrypt) are both happy. Video is solid. Drivers, including the one for my pre-N wireless card, work. The only thing that doesn't work is the pressure sensitivity for the pen interface in virtual machines, and that *does* work if I plug in a USB tablet instead of using the built in tablet, which isn't as good as the external Wacom tablet I use anyway...

Given my experience, I'm probably days away from killing my last physical Windows box and moving to Windows in VMs only.

OpenBSD will continue to be my server OS and run my mail/web servers, but I have to say that desktop wise, Ubuntu is my favorite.


GMail supports perl style regex  |  (2007/02/26 19:35)

I knew that Google's Code Search supported regex style searches, but I didn't realize that GMail did too.

Gmail supports a slightly different syntax than Code Search though. It's the perl syntax, so, if you're reading this, there's a good chance you're familiar with it. If not, you can read about perl regex syntax.

As an example, if I want to quickly check that nothing related to my upcoming talk has been thrown in the spam filter (which it had, argh), but I didn't want to hear about windows vista warez, I could do:
blackhat OR scarabmon in:spam -/windows vista.*download/
A quick search on google doesn't show anything useful in the first few entries so I'm posting this in hopes of letting people know.

PS: for a great intro to google's code search, check out Dug Song's Static Code Analysis Using Google Code Search

UPDATE: I was wrong about standard google search, it's just gmail


ScarabMon at BlackHat Europe  |  (2007/02/19 18:00)

I've been working on a new tool for automating web application penetration tests and I'll be presenting it at BlackHat Europe 2007.

You can check out the ScarabMon abstract.

I hope to have the web site up soon, but if you have questions, just email me (jwilkinsatbitlanddotnet). I'll also be looking for beta testers pretty soon.


FireBug - JavaScript Debugger Extension  |  (2006/11/21 12:14)

FireBug is a new Firefox extension that provides JavaScript debugging and a much improved DOM inspector.

The author (Joe Hewitt) has more detail on the FireBug home page.

There is also a video on FireBug from a talk he gave at Yahoo.

The console is also really handy for watching AJAX transactions and you can directly type javascript at it, just like python in interactive mode.
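If you'd rather not rely on the console's own network view, the same thing can be done from the console prompt by patching XMLHttpRequest so every AJAX request and response is logged. The following is an added example, not FireBug's code or anything from the original post: in a real browser console you would call instrumentXhr(XMLHttpRequest, console.log); the StubXhr class here is a constructed stand-in for the browser's XMLHttpRequest so the file also runs offline under Node.

```javascript
// Added example (not FireBug's code): patch an XMLHttpRequest-style class so
// every AJAX request and response is logged. In a browser console:
//   instrumentXhr(XMLHttpRequest, console.log);
// StubXhr below is a constructed stand-in so the file also runs under Node.

function instrumentXhr(XhrClass, log) {
  const proto = XhrClass.prototype;
  proto.__log = log;                                 // re-target the sink each call
  if (proto.__origOpen) return XhrClass;            // already instrumented: don't double-wrap
  proto.__origOpen = proto.open;
  proto.__origSend = proto.send;

  proto.open = function (method, url, ...rest) {
    this.__req = { method, url };                   // remembered until send()
    return proto.__origOpen.call(this, method, url, ...rest);
  };

  proto.send = function (body) {
    const req = this.__req || { method: '?', url: '?' };
    const bodyText = body == null ? '' : ` body=${String(body)}`;
    proto.__log(`>> ${req.method} ${req.url}${bodyText}`);
    // loadend fires on success, error and abort, so the response side is logged
    // exactly once; responseText is truncated to keep the console readable.
    this.addEventListener('loadend', () => {
      proto.__log(`<< ${this.status} ${req.method} ${req.url} ${String(this.responseText).slice(0, 200)}`);
    });
    return proto.__origSend.call(this, body);
  };
  return XhrClass;
}

// Constructed stand-in for the browser's XMLHttpRequest: answers synchronously
// with a canned JSON echo so the demo is deterministic and offline.
class StubXhr {
  constructor() { this.listeners = {}; this.status = 0; this.responseText = ''; }
  addEventListener(type, fn) { (this.listeners[type] = this.listeners[type] || []).push(fn); }
  open(method, url) { this.method = method; this.url = url; }
  send(body) {
    this.status = 200;
    this.responseText = JSON.stringify({ path: this.url, echo: body == null ? null : String(body) });
    for (const fn of this.listeners.loadend || []) fn.call(this);
  }
}

// Push a list of {method, url, body} requests through an instrumented class
// and return the log lines instead of printing them, so they can be checked.
function captureRequests(XhrClass, requests) {
  const lines = [];
  const X = instrumentXhr(XhrClass, (m) => lines.push(m));
  for (const { method, url, body } of requests) {
    const xhr = new X();
    xhr.open(method, url, true);
    xhr.send(body);
  }
  return lines;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(captureRequests(StubXhr, [
    { method: 'GET', url: '/api/session' },
    { method: 'POST', url: '/api/login', body: 'user=alice&pass=hunter2' },
  ]).join('\n'));
}
```

Patching the prototype rather than subclassing means the page's existing code picks up the logging without being touched, which is what you want when poking at someone else's application; the idempotence check matters because a console snippet tends to get pasted more than once.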

Update:
SecurityFocus just released an article on FireBug


Page load time digression  |  (2006/11/20 18:38)

This has almost nothing to do with security, though I suppose you could say it helps with DOS resistance, but is interesting nonetheless.

A couple of weeks ago, Slashdot featured a rather self serving article from Akamai that said that web surfers would only tolerate a 4 second load time for web pages.

Ignoring the fact that Akamai makes huge amounts of money on web site caching, the question of optimizing page load occupied me for a couple of hours since I thought I'd speed up page load time for my photography web site.

One good resource was Aaron Hopkins's page on speeding up page load time.

I also found a few good Firefox plugins, like LORI, which shows page load time in your Firefox status bar. It also turns out that the Tamper Data extension, which you may already use, has a really neat feature that graphs page loads. This feature isn't obvious, but Simon Willison has a page that describes it.

Also helpful was the WebSiteOptimization.com Web Page Analyzer.



Leaving Microsoft  |  (2006/01/14 10:57)

January 9th was my last day at Microsoft. I joined MSFT in March of 2002, which means that I was there for almost four years, which is also the longest I've ever stayed at one job. I'm sure that a lot of people who know me are probably surprised that they put up with me that long. From day one, the vast majority of my machines were running OpenBSD. I will say one thing. From the moment I got there (a little after the billg security email), people were willing to work on security and get issues resolved.

I'm joining a small security consulting company (Information Security Partners) effective the 23rd of the month.


100,000 host BotNet  |  (2005/10/10 09:00)

Apparently 3 Dutch hackers managed to build a botnet containing 100,000 machines and had been using it for DDOS attacks as well as to harvest financial info and site credentials (PayPal and eBay for example). The Register has the full story.

The interesting thing is that when you get to botnets of this size, the usual large company defense against DDOS attacks, excess capacity, may not be enough.

A 10,000 node botnet can do about 1-2 Gb/s of traffic, so a 100,000 node net should be able to deliver >10 Gb/s.


More alternative energy - Ocean Power  |  (2005/05/26 11:00)

Another from Wired. This time they're talking about some experimental Oceanic power possibilities. Basically, it appears that it's feasible to extract energy from the temperature differential between water near the ocean floor and water near the surface. It also has applications for cooling and water purification. It also can be used to accelerate crop growth.


Up to 72 Terawatts in wind power available  |  (2005/05/24 16:40)

Wired reports that a new study of 8000 sites worldwide finds that if one were to set up turbines at 13% of these locations, you would be able to generate 72 terawatts of power, which is more than 5 times the world's consumption in 2002.


Hamming's "You and Your Research" Talk  |  (2005/05/22 14:00)

Richard Hamming (a mathematician who worked at Bell Labs in the days of Feynman, Fermi, Teller and Shannon and who is responsible for many innovations in computer science and related fields such as the Hamming code and Hamming Distance) gave a talk in 1986 which centers on the question "Why do so few scientists make significant contributions and so many are forgotten in the long run". I think anyone working in any scientific or engineering field should read this transcript.


Technical Video Rental  |  (2005/05/22 10:45)

Always wanted to learn to weld? The Make Magazine Blog points to Technical Video Rental which you can think of as a NetFlix for all sorts of geeks. They have videos to teach everything from linguistics to HAM radio to gunsmithing.


Expect more frequent posts  |  (2005/05/17 10:15)

I started relying on Bloglines to store interesting articles from the various blogs I read, but it's been losing my saved articles lately. Complaints to the admins have generated nothing. Which means it's time to stop trusting other services with stuff I'd like to remember. This is a good thing as I've been feeling guilty about neglecting the blog anyway.


Evolved antennas rock  |  (2004/06/28 19:40)

NASA has a project going to Evolve Antenna Designs. Some of these defy conventional wisdom and come out looking very cool and performing significantly better than standard designs.


Assorted cool stuff from Kevin Kelly's Cool Tools blog  |  (2004/06/28 17:35)

Kevin Kelly runs a blog called Cool Tools that lists all sorts of cool stuff. Here's a brain dump of things that I thought were especially useful or just neat.




Neat chemical supplies  |  (2004/06/28 16:45)

SmallParts.com has tons of fittings for interesting projects (copper tubing, lead bricks and the like).
Even cooler is United Nuclear's Chemical section which has everything you need to make your own fireworks.


LinkSys USB to WiFi NAS  |  (2004/06/27 09:25)

LinkSys has just released a cool little device. The NSLU2 Network Storage Link converts any USB drive into Network Attached Storage over 802.11b. And it's available for as little as $75 if you shop around.


Bypassing lame web registrations  |  (2004/06/21 14:10)

One of the real annoyances to hit the net over the last few years is the preponderance of required registrations at various sites online. It appears that most sites are just doing it so that they can more accurately report the number of viewers to their advertisers. (See Hits or Misses @ the Christian Science Monitor.) In the old days, you could pretty much rely on cypherpunk[s]/cypherpunk[s] working everywhere, but these days that account's been deleted most places or the password changed. But now there's BugMeNot.com. You can go to this site and tell it the URL that's requiring a registration and it'll spit out a username/password pair. Also very useful is Mailinator.com which basically is a shared mail system. No passwords, no security, but it's perfect when you just need to confirm a throwaway account or get a reg key for a freeware application mailed to you.


Free Cisco manual  |  (2004/06/21 14:05)

According to this SP Times article, a fellow named Matt Basham has written an 800 page manual that covers a pile of Cisco technologies. He's giving the electronic version away for free. The book (titled "Learning by Doing: CISCO Certified Network Administrator 3.0") is available for free download at http://www.lulu.com/content/59202


LawMeme's Law School in a Nutshell (Law for Geeks)  |  (2004/03/07 00:15)

I saw this page while Lessig was arguing the Eldred case and was recently telling a friend what an amazing resource it was. Everyone who has any interest in the way law is impacting technology needs to read this. The author James Grimmelmann takes you through how a brief is structured so that you can understand what's really going on.
Law School In a Nutshell - Part 1
Law School In a Nutshell - Part 2
Law School In a Nutshell - Part 3



CD Shredders  |  (2003/11/13 18:15)

I recently bought what I thought was a CD shredder from Fry's Electronics and when I got it home I discovered that all it did was put divots all over the surface. Obviously this is pretty useless.
I was much more impressed when I saw Time Magazine's cool invention list which had a real CD shredder
When you happen to impulse buy, be sure to get one of the latter devices, not one of the former.


Blogging inspiration  |  (2003/05/02 21:00)

Cory Doctorow wrote an article for the O'Reilly network on blogging about a year ago. He discusses his blog as being an outboard brain and talks about why he thinks it's a more efficient way of dealing with the large amounts of information that we all have to manage these days.

Also, since he's a really great writer it's an excellent read.

Cory Doctorow's "My Blog, My Outboard Brain"

The upshot of this is that I've decided to move all of the links I've assembled at backflip.com over here in the hopes that they will be more useful.

I've got about 300, so not all will make the cut, and it will take some time but I think it's a sound plan.


Alive again  |  (2002/02/01 10:14)

I finally got around to finding some software to run this thing again. I had been using PHP-Nuke, but after frequent (seems like monthly) security flaws I got tired of patching all the time. So I wanted something totally simple and secure. I finally found Blosxom which doesn't need a DB, doesn't need PHP or anything except a cron job and perl. I can (and do) write my entries with cat.

