tag:blogger.com,1999:blog-73038324015464333992024-02-06T21:09:59.942-08:00ObiJan TechnologiesSecurity, Identity, software design and other musingsJonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.comBlogger50125tag:blogger.com,1999:blog-7303832401546433399.post-79355016826030534902022-09-14T12:20:00.001-07:002023-11-08T14:27:55.737-08:00Accidental Nostalgia Overdose: An old "Cheat Machine" review<p> On a random ego-surfing session, I found <a href="https://hillelstoler.wordpress.com/2008/04/13/cheat-machine/" target="_blank">this post that made me smile</a>:</p><p style="background-color: white; color: #444444; font-family: "Lucida Grande", Verdana, Arial, sans-serif; font-size: 12px; margin: 13px 0px; padding: 0px; text-align: justify;"></p><blockquote><p style="background-color: white; color: #444444; font-family: "Lucida Grande", Verdana, Arial, sans-serif; font-size: 12px; margin: 13px 0px; padding: 0px; text-align: justify;">hillelstoler.com is generally about my own work, but since I don’t like to disappoint my visitors (and since I liked it a lot once), here is Cheat Machine 2.20 by <i style="margin: 0px; padding: 0px;">a Forest Software</i>. 
To my knowledge this is the most recent DOS version, and the only one that is Freeware:</p><p style="background-color: white; color: #444444; font-family: "Lucida Grande", Verdana, Arial, sans-serif; font-size: 12px; margin: 13px 0px; padding: 0px; text-align: center;"><a href="http://sites.google.com/site/hillelstoler/Home/CheatMachine2.20.zip" style="color: #2277dd; margin: 0px; padding: 0px; text-decoration-line: none;"><span style="color: dodgerblue; margin: 0px; padding: 0px;">Download Cheat Machine – Don’t get mad, get even!</span></a></p><p style="background-color: white; color: #444444; font-family: "Lucida Grande", Verdana, Arial, sans-serif; font-size: 12px; margin: 13px 0px; padding: 0px; text-align: justify;"><img alt="Hit the keyboard with your head to continue …" class="aligncenter" height="273" scale="2" src="https://hillelstoler.files.wordpress.com/2008/04/cm.gif?w=430&h=273" srcset="https://hillelstoler.files.wordpress.com/2008/04/cm.gif?w=430&h=273&zoom=2 2x" style="border: none; clear: both; display: block; margin: 0px auto; max-width: 100%; padding: 4px;" title="Hit the keyboard with your head to continue …" width="430" /></p><p style="background-color: white; color: #444444; font-family: "Lucida Grande", Verdana, Arial, sans-serif; font-size: 8pt; line-height: 12.2667px; margin: 13px 0px; padding: 0px; text-align: center;"><strong style="margin: 0px; padding: 0px;">Note that you will need to set the date to 1998 or so in order for this software to run.</strong></p><blockquote style="background-attachment: initial; background-clip: initial; background-color: white; background-origin: initial; background-position: 10px 0px; background-repeat: no-repeat; background-size: initial; background: url("images/quote.png") 10px 0px no-repeat rgb(255, 255, 255); border: none; color: #333333; font-family: "Lucida Grande", Verdana, Arial, sans-serif; font-size: 12px; margin: 13px 0px; padding: 0px 20px 0px 50px; text-align: justify;"><p style="margin: 13px 
0px; padding: 0px;"><span style="margin: 0px; padding: 0px;">Cheat Machine is a handy collection of cheat codes, trainers and easter eggs for antique software. I was very inspired by this specific piece of software around the mid 90’s when I began to program for DOS (using Borland’s Turbo Pascal). I liked the obsession for details and the overall fun atmosphere. The people (or person?) who made this software took their work seriously while not taking themselves very seriously – this, in my opinion, is a great recipe for (software) creation.</span></p><span style="margin: 0px; padding: 0px;"><p style="margin: 13px 0px; padding: 0px;">In the end, this is just a small piece of software that has very limited functionality, but every bit is plated in gold. It was fun to use, and you could clearly see it was fun to make. Software team leaders will argue that such “gold plating” is not only unnecessary, but also puts the project at risk and wastes money and time in developing features that the customer did not pay for (while also making the software more complex and potentially buggy). Although I accept this to be generally true, I believe that in software manufacture, like in every other aspect of life, the key to success is the correct balance (which is never exactly halfway btw). You need to have something that will motivate your team and create that good vibe of excitement about the product. Let’s face it, not every project is very interesting to make, and spicing things up by adding some so called “gold plating” will not only make you proud of your work and give you the energy to successfully glide through the rest of the project, it might also give you a competitive edge because even if most people won’t notice your extra work someone somewhere probably will.</p></span><p style="margin: 13px 0px; padding: 0px;"><span style="margin: 0px; padding: 0px;">That said, never put a time limitation on your software (especially if it’s freeware!) 
claiming that a new version must surely be available, because nothing lasts forever and having to change the date on my computer every time I want to run your 10-year-old application is not very hot :) I could try to patch it, but the EXE is protected against just that!</span></p></blockquote></blockquote><p><br /></p><p>I love the fact that he called my unhealthy obsession with "perfect code" and with micro-managing development "gold plating", back in the days when I wasn't paid by the hour for solutions. </p><p>I disagree with him on the time limit. It was added very much on purpose, because the program was only valuable if it contained recent information. Without it, one would have to support every version ever released, and that is not doable. This was in the days before the internet, when you couldn't just hit an "Update" button and the software was magically up to date again. You had to log into a BBS and manually look for a new version and download it. This was something that a lot of users didn't really want to do unless they were forced to. </p><p><br /></p><p>For hardcore fans, I did a YouTube demo of an earlier version. </p><iframe frameborder="0" height="270" src="https://youtube.com/embed/AQK4WXDUCXs" style="background-image: url(https://i.ytimg.com/vi/AQK4WXDUCXs/hqdefault.jpg);" width="480"></iframe><br />Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-44326363960697707562019-10-31T15:10:00.000-07:002019-10-31T15:10:16.514-07:00Hall of shame: NetBenefits<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggbsWz216lYFhqUCyPWtbJttR6CwPJWNgvWtU_bd3VQ3rLn5oJE1og7cW8lE7w4aVouwuEpOiyLwPdWiUuxZrWj46GKzYibe8_e1PYZvOhcBAwHwnFYtKfDE5k-EtjlTyjVLJSj4FLju-K/s1600/Fidelity+NetBenefits+Password.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggbsWz216lYFhqUCyPWtbJttR6CwPJWNgvWtU_bd3VQ3rLn5oJE1og7cW8lE7w4aVouwuEpOiyLwPdWiUuxZrWj46GKzYibe8_e1PYZvOhcBAwHwnFYtKfDE5k-EtjlTyjVLJSj4FLju-K/s400/Fidelity+NetBenefits+Password.jpg" width="400" /></a></div>
This may be getting repetitive, so instead of explaining everything that is wrong with <i>this</i> picture, I would like to suggest a new rule:<br />
<br />
If a site imposes a tight maximum length on passwords, it usually means the password is not being stored as a salted hash (whose size does not depend on the length of the input), which usually means the development team did not pass "Security 101". <br />
<br />
I'll let you decide if that is a prediction of the quality of the rest of their offerings.Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-7048793312640020582015-01-21T16:29:00.005-08:002015-01-21T16:29:32.161-08:00Had enough credit card offers?<img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglP6Q8h6yhF6_1HG62qXVva7bZMpInTw5rWagAoVLG8FMp0zlZ4OHkQUgKzFvhhk0dC06sp3Dy9PcuCKNh6woqgw2K6u80w2kH1KhxuFAnsub-g7dSxNmEoixZ0xY7PUoFq_hon0_LyUyz/s640/Optout.jpg" height="344" width="640" /><br />
<br />
Are you getting too many credit card offers? Did you know there is an <a href="https://www.optoutprescreen.com/" target="_blank">official, national site where you can opt out</a> of getting these? I strongly recommend doing this, not just to save the environment and the hassle of dealing with junk mail, but also as a security precaution. These offers are easy to steal out of your mailbox, and the credit card companies will gladly send your "new card" to a "new address" without blinking.<br />
<br />
This is also a good idea for those who have issues with the temptation of credit. If you take the offers away, you take most of the temptation away. (People with college-age kids will understand all too well)<br />
<br />
All it takes is your name, address and Social Security number and you are good for 5 years. If you want it to be permanent, you are going to need to print out a form and lick a stamp (they make it harder on purpose). <br />
<br />
Official site is at: <a href="https://www.optoutprescreen.com/" rel="nofollow" target="_blank">OptOutPrescreen.com</a> Phone: 888-567-8688<br />
<br />
More information available on this at <a href="http://www.consumer.ftc.gov/articles/0262-stopping-unsolicited-mail-phone-calls-and-email" rel="nofollow" target="_blank">the FTC</a>. <br />
<br />
<br />Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-45525973773525022452014-01-19T12:16:00.000-08:002014-01-19T12:16:44.678-08:00I was singled out by RSA!<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRwNa3t-cGFrXsHrl2AZSsO8LPOhnVwNaE9nSW_GQFeTseKccI0b3lIdkjq3mbeTdp1mtYMzSt5b2gxEmEsqXN80ea_5uW0kh3h0G7hPk4PNA11WJanQ7tIiFbYlYPVH3V6xQ26LssVPKC/s1600/OnRSA.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRwNa3t-cGFrXsHrl2AZSsO8LPOhnVwNaE9nSW_GQFeTseKccI0b3lIdkjq3mbeTdp1mtYMzSt5b2gxEmEsqXN80ea_5uW0kh3h0G7hPk4PNA11WJanQ7tIiFbYlYPVH3V6xQ26LssVPKC/s1600/OnRSA.JPG" height="248" width="400" /></a>
At the 2013 RSA conference, I was running around killing time before <a href="https://ae.rsaconference.com/US13/connect/sessionDetail.ww?SESSION_ID=1493" target="_blank">my talk on building your own intelligence tool</a>, and thought it would be a fun training exercise to participate in their "I am RSA" ad campaign. What better way to get rid of any nerves than to have a dozen cameras and microphones pointed at you?<br />
<br />
I signed the release (I believe I got a sticker or a Starbucks card or something like that too) and I did not think anything of it until a friend pointed out that I was running on the homepage of the 2014 conference. They seem to be rotating a bunch of videos on there, and I was in the top spot last week. Looking at their list of uploaded videos, I noticed I seem to be the only person (as far as I can see) who is actually <i>named</i> on-screen in any of them. There are plenty of other people, but they seem to be used only for soundbites, whereas I was deemed worthy of almost a full minute. Where's my internet millions? <br />
<br />
Also: For some reason, it makes it seem like I have huge hands.
<iframe allowfullscreen="" frameborder="0" height="270" src="//www.youtube.com/embed/Ep34TXlhStY" width="480"></iframe>Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-91813241116542769532013-08-28T08:47:00.000-07:002013-08-28T08:47:11.811-07:00Dear Apple affiliate team, I hate you because....<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-1P8BhOcRFYWCsUq84h-0t4rKfY1d6dwKkPkfZnxwJ7Ln7SwqLhWhAKw3p-p2seglIWluU5vUQqIjHiQJ0RBchAy0HQdM4QjZhe_iSHTS0L4eE2Ah6k9cNeeutdk98qOQ6aW-zNmwsdlN/s1600/AppleReject.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-1P8BhOcRFYWCsUq84h-0t4rKfY1d6dwKkPkfZnxwJ7Ln7SwqLhWhAKw3p-p2seglIWluU5vUQqIjHiQJ0RBchAy0HQdM4QjZhe_iSHTS0L4eE2Ah6k9cNeeutdk98qOQ6aW-zNmwsdlN/s400/AppleReject.png" width="400" /></a></div>
Dear Apple affiliate team, I hate you because of one or more of the following reasons:<br />
<ul>
<li>The massacre in Rwanda</li>
<li>Leaving the toilet seat up</li>
<li>Sending rejection letters that are beyond useless</li>
<li>Turtlenecks</li>
<li>That scratch on my car door </li>
<li>Eating the last twinkie</li>
</ul>
I may also hate you if:<br />
<ul>
<li>You drank all the beer in the fridge without asking </li>
</ul>
Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-68904392492080095582012-12-21T15:52:00.002-08:002012-12-21T15:52:37.151-08:00Hall of Shame: Office 365When testing the brand-new Microsoft Office 365, I ran across this error:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWrGSlpf2-4wxZP47ZzEf6JklElmguPFmxNTy8eEjHK9hRBvrEUnoYX-P-mr3AFUMWRbojv2KP90QzqmdX-yTwpFbSOVr2quPuxm-Nyo2decoVWWsU_E8FmgggnhZw-H88AlD2nwHWop8x/s1600/Screen+Shot+2012-12-21+at+3.42.12+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="388" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWrGSlpf2-4wxZP47ZzEf6JklElmguPFmxNTy8eEjHK9hRBvrEUnoYX-P-mr3AFUMWRbojv2KP90QzqmdX-yTwpFbSOVr2quPuxm-Nyo2decoVWWsU_E8FmgggnhZw-H88AlD2nwHWop8x/s640/Screen+Shot+2012-12-21+at+3.42.12+PM.png" width="640" /></a></div>
All I can say: Why? Why would you restrict password length? This is a new product, so you cannot use the old "We need to be compatible with legacy accounts" on me here.<br />
<br />
There is no good reason to do this, especially if you are securely hashing my password: a salted hash comes out the same size whether the password is 8 characters or 80, so the storage layer never even sees the length. <br />
You <i>are</i> storing the password securely, right? Right?Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-44191313116092180192012-09-24T14:37:00.001-07:002012-09-24T16:18:56.225-07:00Hall of Shame: Virgin America<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7mQcasioIag274AqroHvloXfZ72129S-0FnELaC64E9EI_BJooNBbLwShEOTzivyqwHsE42zIO2yn95K0Cun0NPYyRYLkLG0oDcqAhK_Zd9YwSCkPCOPSRpbd0_8pAAFJJ6uk73BRY3iN/s1600/PastedGraphic-1-728692.png" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5791860591625236258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7mQcasioIag274AqroHvloXfZ72129S-0FnELaC64E9EI_BJooNBbLwShEOTzivyqwHsE42zIO2yn95K0Cun0NPYyRYLkLG0oDcqAhK_Zd9YwSCkPCOPSRpbd0_8pAAFJJ6uk73BRY3iN/s320/PastedGraphic-1-728692.png" /></a>While logging in with the correct password, I get the error message you see here. If you are like me, you are wondering by now...<br />
<div>
<ul class="MailOutline">
<li>What happened?</li>
<li>Who decided that I need to change my password? </li>
<li>Why is that date important?</li>
</ul>
<div>
<br /></div>
<div>
Anybody who has ever worked at a major corporation for more than a few months knows that<b> this</b> is not the way one makes users change their password.</div>
<div>
In the real world, a forced password change is triggered by the age of the user's current password, and <u>does not go through the password recovery process</u>. Normally, you get a simple form which asks for the old password and the new password twice, and you are on your way.</div>
<div>
<br /></div>
<div>
The fact that one needs to do password recovery via email most likely means: somehow, Virgin's password database got compromised to the point that they can no longer trust authentication with any password set before April 26th 2012. There is no other good explanation.</div>
<div>
<br /></div>
<div>
<br />
<div>
<div>
</div>
</div>
</div>
</div>
Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-23945141815311667592012-06-29T14:30:00.005-07:002012-06-29T14:30:54.369-07:00Packing up my "Second Life" store.<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipqSwFh9vLEqq7DP0k2x98yF7_NH-3XXyA_0Ku8cE0p3lOSayL61_Zj-AY7JC4ibdCh4GrJots7qsjQZNgaVHZhrywe5rrDv2qubxPdbMGUjR3-CobGcBYF5ccZrDsOdzot1nzK-Z8Ghrj/s1600/Picture%25201%5B1%5D.jpg_1300136911" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipqSwFh9vLEqq7DP0k2x98yF7_NH-3XXyA_0Ku8cE0p3lOSayL61_Zj-AY7JC4ibdCh4GrJots7qsjQZNgaVHZhrywe5rrDv2qubxPdbMGUjR3-CobGcBYF5ccZrDsOdzot1nzK-Z8Ghrj/s320/Picture%25201%5B1%5D.jpg_1300136911" width="320" /></a></div>
Yes, the moment has finally arrived. I started experimenting with the "<a href="http://secondlife.com/" target="_blank">Second Life</a>" platform in 2005 and became moderately successful in 2006, but since the 2007 boom,<a href="http://www.google.com/trends/?q=%22second+life%22&ctab=0&geo=all&date=all&sort=0" target="_blank"> interest and traffic have kept decreasing</a> at a steady rate.<br />
<br />
When my latest hosting bill came in, the profit number finally fell below zero and turned red.<br />
<br />
It's been a good run, but I have a first life to deal with. If anybody of the SL crowd is interested in any of the systems I have built in the past, drop me a line.Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-28887906833105276042012-01-16T13:03:00.000-08:002012-01-16T13:03:14.462-08:00Hall of shame: Western Digital<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGLkr4c1JjDWhf_RJZbKHqNkWzX0h771rNerV6onN6R593ef1_Lb81IUbE3GPhoVIyzk-X8PeBknqPcmMRUiwgRU5yXB8g3RBeUQJCAK0ym8I8O4vRhSRrkuwKF2M_sLae8-vfrU_TUCYM/s1600/Terra+%255BMY+BOOK%25C2%25AE+LIVE%25E2%2584%25A2%255D+-+Mozilla+Firefox+2012-01-16+125146.bmp.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="345" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGLkr4c1JjDWhf_RJZbKHqNkWzX0h771rNerV6onN6R593ef1_Lb81IUbE3GPhoVIyzk-X8PeBknqPcmMRUiwgRU5yXB8g3RBeUQJCAK0ym8I8O4vRhSRrkuwKF2M_sLae8-vfrU_TUCYM/s400/Terra+%255BMY+BOOK%25C2%25AE+LIVE%25E2%2584%25A2%255D+-+Mozilla+Firefox+2012-01-16+125146.bmp.jpg" width="400" /></a></div><div lpcachedvistime="1326747574" lpcachedvisval="1">When setting up my otherwise pretty nifty NAS, I stumbled on this error message when setting up the administrator password. This leads me to the usual questions:</div><div lpcachedvistime="1326747574" lpcachedvisval="1"><br />
</div><ol><li><div lpcachedvistime="1326747574" lpcachedvisval="1">Why limit to 16 characters? Are you storing this in plaintext, and is that the size you allocated for it?</div></li>
<li><div lpcachedvistime="1326747574" lpcachedvisval="1">Why disallow "double quotes"? Are you not trusting your own input validation and escaping routines?</div></li>
<li><div lpcachedvistime="1326747574" lpcachedvisval="1">What's up with the double errors? Does your system have a stutter?</div></li>
<li><div lpcachedvistime="1326747574" lpcachedvisval="1">Why not let me know <em>before</em> I enter my password, what the requirements of said password are?</div></li>
</ol><div lpcachedvistime="1326747574" lpcachedvisval="1"><br />
</div>
Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-80454309640264946472011-09-19T20:06:00.000-07:002011-09-19T20:06:47.645-07:00Hall of shame: Ticketmaster.com<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhNd7BMj44V07X6loaZZKId-b-cillX8lONggJzsyD9bv-UrTU5FIDgwW1ZvISh0OjheL2aYS0JK7XVz6dZBQmkJ2s4fl7cO1UH7sZE00Tg0Q4nJzQ8sKz0WK1KIScCw3FyFOufTx7o7Pm/s1600/Ticketmaster+-+Mozilla+Firefox+2011-07-24+190843.bmp.jpg"><img alt="" border="0" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhNd7BMj44V07X6loaZZKId-b-cillX8lONggJzsyD9bv-UrTU5FIDgwW1ZvISh0OjheL2aYS0JK7XVz6dZBQmkJ2s4fl7cO1UH7sZE00Tg0Q4nJzQ8sKz0WK1KIScCw3FyFOufTx7o7Pm/s640/Ticketmaster+-+Mozilla+Firefox+2011-07-24+190843.bmp.jpg" style="clear: both; float: right; margin: 0px 0px 10px 10px;" width="640" /></a>There are many reasons why I despise Ticketmaster, such as their ridiculous "because we can" fees, "convenience fee for using the website", "fee for printing your own tickets on your own paper, using your own printer, with various ads on it", etc. <br />
<br />
But this series is about security worst practices, so here goes another password FAIL. <br />
<br />
Extra points for having a timer that gives people 90 seconds to fill in the form, come up with a secure password, and read the T.O.S. and privacy policy (each a couple dozen pages).<br />
<div style="clear: both; text-align: right;"><a href="http://picasa.google.com/blogger/" target="ext"></a></div>Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0San Francisco, CA, USA37.7749295 -122.4194155000000137.7206295 -122.50881550000001 37.8292295 -122.33001550000002tag:blogger.com,1999:blog-7303832401546433399.post-18162781841265523032011-09-06T20:26:00.000-07:002011-09-06T20:26:13.954-07:00Hall of shame: Priceline.com<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiswMXbYAbYVoruYCDdZM5-CO4sjOmRbxIbCDYIKI0RXURBHagJEjhJWwLYYTB7sYurwNhjzoy-BdMWapOm_9hDXpZO6V2iQz6RgqQc36i6cpMNVC4bxPwQdPrvDUdj60o09cl7-ai9-c6Q/s1600/Priceline.com+-+Travel%252C+airline+tickets%252C+cheap+flights%252C+hotels%252C+hotel+rooms%252C+rental+cars%252C+car+rental+-+Mozilla+Firefox+2011-09-06+201810.bmp.jpg"><img alt="" border="0" height="377" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiswMXbYAbYVoruYCDdZM5-CO4sjOmRbxIbCDYIKI0RXURBHagJEjhJWwLYYTB7sYurwNhjzoy-BdMWapOm_9hDXpZO6V2iQz6RgqQc36i6cpMNVC4bxPwQdPrvDUdj60o09cl7-ai9-c6Q/s400/Priceline.com+-+Travel%252C+airline+tickets%252C+cheap+flights%252C+hotels%252C+hotel+rooms%252C+rental+cars%252C+car+rental+-+Mozilla+Firefox+2011-09-06+201810.bmp.jpg" style="clear: both; float: left; margin: 0px 10px 10px 0px;" width="400" /></a><br />
<div style="clear: both; text-align: left;">When creating an account, I'm asked for my "<em>preferred</em> internet password". <br />
Seriously? Sounds like marketing-speak for "Go ahead and reuse the password here that you use on Facebook and BofA. We don't mind!".<br />
<br />
Shame on you for encouraging bad behaviour!<br />
<br />
One extra point for "default opt-in"ing the user to the marketing spam. </div>Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-26775229967710992472011-08-04T15:00:00.000-07:002011-08-04T22:47:05.996-07:00Hall of shame: Mediafire<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi9NdxBtW4yCLdB8SdlDeMPq6LK9vCrGeAowEpBvI3ry-D7xrL_WyPMKRM5Z-adOLhhIr4MW38ViHEOwVEGEHldGN0_iojZafnJzl9Z5JshX39yY3ov7gqNLhJgW9fgaijMZ89_dZ1ZlgS/s1600/Free+File+Hosting+Made+Simple+-+MediaFire+-+Mozilla+Firefox+842011+25418+PM.bmp.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi9NdxBtW4yCLdB8SdlDeMPq6LK9vCrGeAowEpBvI3ry-D7xrL_WyPMKRM5Z-adOLhhIr4MW38ViHEOwVEGEHldGN0_iojZafnJzl9Z5JshX39yY3ov7gqNLhJgW9fgaijMZ89_dZ1ZlgS/s400/Free+File+Hosting+Made+Simple+-+MediaFire+-+Mozilla+Firefox+842011+25418+PM.bmp.jpg" style="clear: both; float: left; margin: 0px 10px 10px 0px;" /></a> Let's see:<br />
You have a nice "password strength" meter, but once one submits the form, it <b>repeats back the password in the clear</b>, complains that it's <b>too long</b>, and can't have any "special" characters. <br />
<br />
Why would that matter, since the password hash would be the same size regardless of the password's length? You <b><i>are</i></b> <a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function">securely hashing the passwords</a>, and not storing them in the database as plain text, right? <b>Right?</b><br />
Also, can you tell me exactly what the difference is between a special character and a non-special one? Is it "special" when it causes a <a href="http://en.wikipedia.org/wiki/SQL_injection">SQL Injection vulnerability</a> (which of course you would defend against by properly parameterizing or escaping database inputs) when storing the password in plain text (<strike>which of course you don't do</strike>)?<br />
<b> <br />
</b>BTW: I don't think I will be trusting you with access to my Facebook account just yet. Hope you don't mind.<br />
<br />
<u>Update:</u> <br />
I have proof that they store passwords "in the clear": the password check is case-insensitive!<br />
You can try this out yourself:<br />
If your password is "joshua", you can log in using "JOSHUA" or "JoSHuA". A hash of the exact bytes the user typed cannot behave that way, so the site is either comparing the raw password or lowercasing it before hashing, and either way it throws away entropy the user deliberately put in. <a href="http://www.besttechie.net/2010/07/22/strong-passwords/">Security 101</a> FAIL!<br />
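The point that the Office 365, Western Digital and Mediafire entries keep circling, shown in working code. This is an added example and not code from the original posts or from any of the vendors named: PBKDF2-SHA256 from the Python standard library stands in for whatever those sites actually use, and the iteration count, record format and sample passwords are assumptions for illustration. It shows three things at once: the stored record is the same size for a 6-character password and a 232-character one, so a maximum length buys the storage layer nothing; the hex-encoded record contains no quotes or other "special" characters, so the escaping worry disappears; and a login that accepts "JOSHUA" for "joshua" can only come from comparing the raw password or from folding case before hashing, never from hashing what the user typed.

```python
import hashlib
import hmac
import os

# Constructed sample inputs (not taken from the original posts): a short
# password and a very long one.
SHORT_PASSWORD = "joshua"
LONG_PASSWORD = "correct horse battery staple " * 8  # 232 characters

# Assumed parameters for the illustration. PBKDF2-SHA256 is the stdlib
# stand-in for a real password hash; raise ITERATIONS for production use.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16
HASH_BYTES = 32  # SHA-256 output size


def hash_password(password: str) -> str:
    """Return a stored record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    The record is the same length for any password, so a maximum password
    length gives the storage layer nothing. The hex encoding also contains
    no quotes or other "special" characters, so escaping is a non-issue.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=HASH_BYTES
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
        dklen=HASH_BYTES,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def hash_password_casefolded(password: str) -> str:
    """Anti-pattern: fold case before hashing.

    A site that accepts 'JOSHUA' for 'joshua' is doing this or comparing
    the raw password; both discard entropy the user typed.
    """
    return hash_password(password.lower())


def verify_password_casefolded(password: str, record: str) -> bool:
    """Verifier matching the anti-pattern above."""
    return verify_password(password.lower(), record)


def record_length(password: str) -> int:
    """Stored size of the record for a given password."""
    return len(hash_password(password))


def accepts_case_variants(verify, record: str) -> bool:
    """The Mediafire test: does every case variant of 'joshua' log in?"""
    return all(verify(v, record) for v in ("joshua", "JOSHUA", "JoSHuA"))


def record_is_quote_free(record: str) -> bool:
    """The record never contains characters a naive SQL escaper worries about."""
    return not any(c in record for c in "'\";\\")


if __name__ == "__main__":
    print("short password record length:", record_length(SHORT_PASSWORD))
    print("long  password record length:", record_length(LONG_PASSWORD))
    proper = hash_password(SHORT_PASSWORD)
    folded = hash_password_casefolded(SHORT_PASSWORD)
    print("proper hashing accepts case variants:",
          accepts_case_variants(verify_password, proper))
    print("case-folded hashing accepts case variants:",
          accepts_case_variants(verify_password_casefolded, folded))
```

Running the script prints two identical record lengths and then False followed by True: the correctly hashed record rejects "JOSHUA", the case-folded one accepts all three spellings, which is exactly the behaviour observed on the site.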
Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-41739286534775613882011-07-31T13:14:00.000-07:002011-07-31T13:14:20.726-07:00"Google Health" on its deathbedThe google giveth and the google taketh away:<br /><br /><a href="http://googleblog.blogspot.com/2011/06/update-on-google-health-and-google.html">Official Google Blog: An update on Google Health and Google PowerMeter</a>: <blockquote>"we’ve observed that Google Health is not having the broad impact that we hoped it would. There has been adoption among certain groups of users like tech-savvy patients and their caregivers, and more recently fitness and wellness enthusiasts. But we haven’t found a way to translate that limited usage into widespread adoption in the daily health routines of millions of people. That’s why we’ve made the difficult decision to discontinue the Google Health service. We’ll continue to operate the Google Health site as usual through January 1, 2012, and we’ll provide an ongoing way for people to download their health data for an additional year beyond that, through January 1, 2013."</blockquote><br />This means that my effort of codifying my health history, and keeping track of my workout regime and its effect, will still have a function: to remind me and other early adopters not to put too much trust in new projects, even from the biggest companies.<br /><br /><br />Now how's that G+ profile building coming along....Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-23766907604726167392011-07-28T22:26:00.000-07:002011-07-28T22:26:50.941-07:00New snooping bill: What could possibly go wrong?<a href="http://news.cnet.com/8301-31921_3-20084939-281/house-panel-approves-broadened-isp-snooping-bill/">House panel approves broadened ISP snooping bill </a>:<br />
<blockquote> "Internet providers would be forced to keep logs of their customers' activities for one year--in case police want to review them in the future--under legislation that a U.S. House of Representatives committee approved today.<br />
<br />
The 19 to 10 vote represents a victory for conservative Republicans, who made data retention their first major technology initiative after last fall's elections, and the Justice Department officials who have quietly lobbied for the sweeping new requirements, a development first reported by CNET.<br />
<br />
A last-minute rewrite of the bill expands the information that commercial Internet providers are required to store to include customers' names, addresses, phone numbers, credit card numbers, bank account numbers, and temporarily-assigned IP addresses, some committee members suggested. By a 7-16 vote, the panel rejected an amendment that would have clarified that only IP addresses must be stored."</blockquote>Let's think this through (hey, somebody has to!):<br />
<br />
<ul><li> This is billed as a "protecting children from pornography" act. Where is the official double-speak justification on this? What part of this could even theoretically protect any kid from pornography? Did the spin-doctor on duty call in sick?</li>
<li>This is going to be made available for "police investigating any crime and perhaps attorneys litigating civil disputes in divorce, insurance fraud, and other cases as well". Are we feeling secure yet?</li>
<li>Every other monitoring system of this sort has been <a href="http://tpmmuckraker.talkingpointsmemo.com/2009/12/revelation_8_million_gps_searches_on_sprint_by_law.php">abused on a systematic basis</a>. </li>
<li>Who is going to be paying for this? I see a $6.99/month "snooped data retention" fee coming to a statement near you soon! </li>
<li>The ISP is supposed to be capturing credit card numbers, bank account numbers and personal information, which raises questions such as:</li>
<ul><li>Who is going to be responsible for storing and safeguarding this information? </li>
<li>Can you imagine what kind of tasty target it would be for a criminal? How many credit card transactions are flowing through Comcast's network every day? </li>
<li>Are the ISPs going to be held to the same data confidentiality laws as everybody else?<br />
I see <a href="https://www.pcisecuritystandards.org/">PCI</a>, <a href="http://www.hhs.gov/ocr/privacy/">HIPAA</a> and a few others jump out as being applicable here. Who is going to audit these systems to ensure compliance?</li>
<li>(Luckily) nearly every website these days uses HTTPS for credit card transactions. How is an ISP supposed to capture this information on the wire?</li>
</ul></ul>There are so many things wrong with this idea, and they haven't even started implementing it yet.Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-82902451410883777102011-07-28T14:33:00.000-07:002011-08-01T17:27:58.444-07:00Seriously? A.k.a. "My adventures with "ePolicy Orchestrator"<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2568cDs7acQhDOTdYj77zAjezEcZBlP_X7pPErHpDwu6Ah6NYohBpcrbA3dR9u4IMGynA0M8vvlzSYO_8Pg-aqmvKEyEf1Y9sPrBx3Cgy0lWRxu1ZVSsKYKCeL1t9JcYrtdKs_sRSxKqk/s1600/Input+Capture+Window+7282011+20636+PM.bmp.jpg"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2568cDs7acQhDOTdYj77zAjezEcZBlP_X7pPErHpDwu6Ah6NYohBpcrbA3dR9u4IMGynA0M8vvlzSYO_8Pg-aqmvKEyEf1Y9sPrBx3Cgy0lWRxu1ZVSsKYKCeL1t9JcYrtdKs_sRSxKqk/s400/Input+Capture+Window+7282011+20636+PM.bmp.jpg" style="clear: both; float: left; margin: 0px 10px 10px 0px;" /></a> From the why-oh-why-do-you-hate-me department:<br />
<br />
Seriously? We have to break the official IT computer naming policy because your product refuses to be installed on a system that has a (perfectly legitimate) underscore in its name?<br />
<br />
I usually don't get frustrated with a product until <i>after</i> I install it.<br />
<div style="clear: both; text-align: LEFT;"><br />
It is only after I change the computer name that I get this error on my Windows 7 Professional installation:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV2eyo1FAc5WE0wIj7KdDCDtAMq2Y9pqlZ2b946if8IVQ2u83SMhmexc9X3YoTfCywq4JqaLwIT6jBXx33B8uAIU262WzOL9__kIH6yre90MgcNGAE0V4bZwDkjMFAkuD2PtNX59F5q_ui/s1600/Input+Capture+Window+7282011+22249+PM.bmp.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV2eyo1FAc5WE0wIj7KdDCDtAMq2Y9pqlZ2b946if8IVQ2u83SMhmexc9X3YoTfCywq4JqaLwIT6jBXx33B8uAIU262WzOL9__kIH6yre90MgcNGAE0V4bZwDkjMFAkuD2PtNX59F5q_ui/s320/Input+Capture+Window+7282011+22249+PM.bmp.jpg" width="320" /></a></div><br />
Of course, that document is not part of the installation, only the "product guide" is. <br />
<br />
<u>Update 1:</u><br />
I now have a super duper "Windows Server 2008 R2 - 64 bit" installation. Guess what I get when the installation starts? A new error!<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAuscaw-ZU1G5cVBYfG1zV-bL9Fp5IGh1HuHvI3kIrltCPQHVmEFtbAEcSXoeo2sA4OvFwh5aHYjiPTqpbn42J8Vk53VqZV-mSHGp46QCAl9llD6CpM_qzWfmD6tNIbeltDIZcLNJnSm_T/s1600/ws64-1+-+Remote+Desktop+812011+31900+PM.bmp.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAuscaw-ZU1G5cVBYfG1zV-bL9Fp5IGh1HuHvI3kIrltCPQHVmEFtbAEcSXoeo2sA4OvFwh5aHYjiPTqpbn42J8Vk53VqZV-mSHGp46QCAl9llD6CpM_qzWfmD6tNIbeltDIZcLNJnSm_T/s320/ws64-1+-+Remote+Desktop+812011+31900+PM.bmp.jpg" width="320" /></a></div>"8.3 naming convention"? Wait... Didn't you just <i>force</i> me to upgrade to "Windows super duper"? And then you complain that you don't have the <a href="http://en.wikipedia.org/wiki/8.3_filename">features from DOS in <i>1981</i></a>? And no, the "installation guide" doesn't mention anything about this.<br />
<u><br />
</u><br />
<u>Update 2:</u><br />
After some Googling, a registry change, installing MS SQL, configuring ports, and choosing various passwords (whose complexity requirements are kept a secret), the installer finally got running.<br />
<br />
And I was rewarded with....<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBT1QR-WRomdvYN-6kfvHEvKiwpR826LiAR0uAI5r5oPolnpStUXaPzKRXmg2ADsjGgh6P4y0iz4_cc4yyUE00cjucJsPeTAuPq-zprAnRc-PR2aR2noUKy17X9XKUf5Z0vtv9TC-akBwz/s1600/ws64-1+-+Remote+Desktop+812011+35320+PM.bmp.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBT1QR-WRomdvYN-6kfvHEvKiwpR826LiAR0uAI5r5oPolnpStUXaPzKRXmg2ADsjGgh6P4y0iz4_cc4yyUE00cjucJsPeTAuPq-zprAnRc-PR2aR2noUKy17X9XKUf5Z0vtv9TC-akBwz/s320/ws64-1+-+Remote+Desktop+812011+35320+PM.bmp.jpg" width="320" /></a></div></div><div style="clear: both; text-align: left;">At this point, only 1 comment makes sense:</div><div style="clear: both; text-align: left;"></div><div class="separator" style="clear: both; text-align: center;"><a href="http://t2.gstatic.com/images?q=tbn:ANd9GcSAyxJEUzuYYkNF7uP6bIfLU4-TYH-cn3WhVIYN_w-riUphy5q8EA" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="http://t2.gstatic.com/images?q=tbn:ANd9GcSAyxJEUzuYYkNF7uP6bIfLU4-TYH-cn3WhVIYN_w-riUphy5q8EA" width="200" /></a></div><div style="clear: both; text-align: left;"><u>Update 3:</u><br />
<br />
Wondering if I was running the latest version, I found out that:<br />
<br />
<ul><li>McAfee's beta portal is seriously broken</li>
<ul><li>it refuses my (stored) password </li>
<li>it doesn't really execute password resets (although it says it does)</li>
</ul><li>That doesn't really matter, since there is a an open FTP server from which one can download any beta software they ever released.</li>
<li>That also doesn't really matter, since I was already testing with the latest version, EPO 4.6 RC3.</li>
<li>The beta seems to expire really quickly, in this case: May 31, 2011 (it was released mid-March)</li>
</ul>So, staying in the spirit, I used an ancient "hack" technique from the 80s. It's called "setting the clock back".<br />
Result:<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvcBJmyKsi0hT92bwjoxXbZGqyZvh-CQLCWLCXNCI9rKR7_k4yavQdUw48aw7YDmPCFDRiGTNDcf-nTOBG9Mg2-DAc-4rWbf7FLAA4LDaB2rPQ5MCyGHXyWubsNh_DtHFk8zGTiyUOpj-t/s1600/Input+Capture+Window+812011+45558+PM.bmp.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvcBJmyKsi0hT92bwjoxXbZGqyZvh-CQLCWLCXNCI9rKR7_k4yavQdUw48aw7YDmPCFDRiGTNDcf-nTOBG9Mg2-DAc-4rWbf7FLAA4LDaB2rPQ5MCyGHXyWubsNh_DtHFk8zGTiyUOpj-t/s320/Input+Capture+Window+812011+45558+PM.bmp.jpg" width="320" /></a></div>30 minutes of installation dialogs later:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNWtk6AyUZUpMiFgN_Uu37iPDyPq4IQjAw5SojJs0f6Cfwkvrpf4axa2olRwUe6X4IJuTXi_In1Y_sT_A4rPJu86RKRuky5nNQg_u86wDGBDzLfFrvj5LdCSvNeVCt05Z2stGWkoXZB6jv/s1600/Fullscreen+capture+812011+52033+PM.bmp.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="492" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNWtk6AyUZUpMiFgN_Uu37iPDyPq4IQjAw5SojJs0f6Cfwkvrpf4axa2olRwUe6X4IJuTXi_In1Y_sT_A4rPJu86RKRuky5nNQg_u86wDGBDzLfFrvj5LdCSvNeVCt05Z2stGWkoXZB6jv/s640/Fullscreen+capture+812011+52033+PM.bmp.jpg" width="640" /></a></div><br />
Allow me to say:<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-a9uXKXdojWk/TaS2gBBwX1I/AAAAAAAAALw/Wraxd51wuqY/s320/Fuck_Yea.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="183" src="http://3.bp.blogspot.com/-a9uXKXdojWk/TaS2gBBwX1I/AAAAAAAAALw/Wraxd51wuqY/s200/Fuck_Yea.png" width="200" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeJb3rz2fVQmcmZx6_i0xoGeqpJgHVw33SNj1k7zphKWQaHluUqnO8wgkCBkh4fHMHpuNsac9_ykazQjLckx2kGNsiZ-OS5u2B0KgrlAb5smB6akkVb6Qbg9WcV4vlx0t6rAzaSy74e3k/s400/fuck_yeah_.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br />
</a></div><br />
<br />
<br />
</div>Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-1604736911286537622011-07-19T11:20:00.000-07:002011-07-19T11:20:03.735-07:00Pretty Good Ponderings?Yesterday, I finally got around to generating a new PGP/GPG key pair, and obsoleted 2 old ones. They were created in 1994 and 1998. I couldn't even generate a revocation for the oldest one, since the "IDEA" cipher is no longer supported.<br />
<br />
Let me rephrase that in context:<br />
<br />
<blockquote><i>I can mathematically prove that I was active in computer security before many of the attackers that I defend against, were born.</i></blockquote><i><br />
</i><br />
In other news:<br />
Jeez, I'm old. But in this industry, we call that "well-tested and peer-reviewed".<br />
<br />
P.S: For those who want the shiny new bits on their keyring, the magic incantation is:<br />
<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">gpg --recv-keys 0x788a1200b221877e</span><br />
<div><br />
</div>Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-76146301567680251722011-06-23T16:51:00.001-07:002011-06-23T16:51:08.760-07:00Yahoo & speed of innovation<p class="mobile-photo"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNRFJbbodb-YWkxlkMEupG3Kyg5JUsokvMMSWF-6PddD5ZzmOwFXFM-pi8nEfi5d3oB0nDBu78XwD1-iJOacScXoHhIrFBDclklniHPetBKKMaZBaK3n03MbDInghDEwahZRH_J9mWS0XV/s1600/YahooUpgrade-768760.png"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNRFJbbodb-YWkxlkMEupG3Kyg5JUsokvMMSWF-6PddD5ZzmOwFXFM-pi8nEfi5d3oB0nDBu78XwD1-iJOacScXoHhIrFBDclklniHPetBKKMaZBaK3n03MbDInghDEwahZRH_J9mWS0XV/s320/YahooUpgrade-768760.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5621567029523690642" /></a></p><div class=WordSection1><p class=MsoNormal>While on my quarterly check of “email address that I haven’t used this decade”, I noticed the congratulatory email from Yahoo.</p><p class=MsoNormal>After 13 years of spam-filled ugliness, they are going to upgrade their email interface.</p><p class=MsoNormal>I will get right on using them again! (Around 2019 or so)</p></div>Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-21311082549351059142011-03-06T14:34:00.000-08:002011-03-06T14:34:33.755-08:00Psychic computer supportCan you help me with my computer?<br />
<div style="text-align: right;">Is it no longer working? </div><div style="text-align: left;">Eh... yeah.. weirdest thing...</div><div style="text-align: right;">Did you let your kids use it?</div><div style="text-align: left;"> Yeah, little Billies computer was acting up...</div><div style="text-align: right;">And you let him use your login, instead of a "Guest" account?</div><div style="text-align: left;">Yeah, it was just for little while...</div><div style="text-align: right;">And that was a full-privilege administrator account?</div><div style="text-align: left;">Yeah, that's how the computer came...</div><div style="text-align: right;">And you left him alone like that?</div><div style="text-align: left;">Yeah, well, I had to go to work.</div><div style="text-align: right;">So the first thing he did was install "Limewire"?</div><div style="text-align: left;">Yes, how do you know?</div><div style="text-align: right;">So he thought he scored some free music, but nobody told him music files don't end in .mp3.exe ?</div><div style="text-align: left;">Eh... what's an EXE?</div><div style="text-align: right;">So he installed whatever the trojan of the week is, and now your computer won't connect to anything any more?</div><div style="text-align: left;">Yeah, exactly! How do you know? </div><div style="text-align: right;"><br />
</div><div style="text-align: right;"> </div><div style="text-align: right;"> </div>Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-88386918516440602872010-12-29T11:00:00.000-08:002010-12-30T13:27:22.975-08:00This is why we can't have nice and secure things...<div style="text-align: justify;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4NA31fpGIcMzBKtXaVfJccL5TWagLqL0R8EaH-jyAwqFnJ_xMGcKTKM_5e-MHDFcqKOkryVDggExgIPTlRJAnjxVyY7zqf7mu3wwtBzOSB12uqkl_N-UKhtpkh3duzSCkit_KNVGMh4hr/s1600/Shtyle.fm++Send+Gifts+-+Mozilla+Firefox+12292010+101151+AM.bmp.jpg"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4NA31fpGIcMzBKtXaVfJccL5TWagLqL0R8EaH-jyAwqFnJ_xMGcKTKM_5e-MHDFcqKOkryVDggExgIPTlRJAnjxVyY7zqf7mu3wwtBzOSB12uqkl_N-UKhtpkh3duzSCkit_KNVGMh4hr/s320/Shtyle.fm++Send+Gifts+-+Mozilla+Firefox+12292010+101151+AM.bmp.jpg" style="clear: both; float: left; margin: 0px 10px 10px 0px;" /></a> I recently received an invite for "shtyle.fm". If you never heard about it, you are in good company, as it can best be described as "Myspace's retarded cousin".</div><br />
<div style="text-align: justify;">So when I got the request from a family member to look at her pictures on there, I reluctantly started the sign-up process, making sure to only use throw-away info.... until this screen stopped me dead in my tracks. </div><br />
Some facts about this screen that may not seem obvious at first glance:<br />
<br />
<ul><li>It's a mandatory part of the sign up process</li>
<li>It promises a free virtual teddy bear! </li>
<li>It requires you to fill in the credentials of a <b>real </b>email account.</li>
<li>It <b>validates </b>the credentials, and throws an error if you give it fake information</li>
<li>The information is submitted and transmitted in the clear, over http, without any encryption (although the page seems to include an unused JavaScript implementation of RSA for some reason)</li>
<li>The page has (at least) an XSS vulnerability: Enter<i> "+alert(1)+"</i> in the email box (with quotes) and see what happens.</li>
<li>In case a connection is successfully made, the application will sift through your inbox for email addresses of your friends and send them personal invites<i> in your name</i>. </li>
</ul>Are we scared yet? No? Neither, it seems, are the thousands of happy users on that site.<br />
<br />
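As an added illustration (example code, not shtyle.fm's page and not from the original post), here is the injection pattern that a payload like <i>"+alert(1)+"</i> exploits, next to a hardened rendering of the same field. It assumes the sign-up page echoes the submitted e-mail address into an inline script as a JavaScript string literal, which is the one context where that payload breaks out of the quotes; the rendering functions, helpers and sample inputs below are all constructed for this example.

```javascript
// Added example (not code from shtyle.fm or from the original post).
// Assumption: the sign-up page echoes the submitted e-mail address into an
// inline <script> as a JavaScript string literal; that is the context in
// which a payload such as  "+alert(1)+"  closes the literal and runs code.

// Vulnerable: plain string concatenation into a JS string literal.
function renderVulnerable(email) {
  return '<script>var email = "' + email + '";</script>';
}

// Hardened: JSON.stringify escapes quotes and backslashes so the value can
// never close the literal; "<" is additionally escaped so a "</script>" in
// the value cannot terminate the script block early in the HTML parser.
function renderHardened(email) {
  const literal = JSON.stringify(String(email)).replace(/</g, '\\u003c');
  return '<script>var email = ' + literal + ';</script>';
}

// Pull the right-hand side of the assignment back out of the rendered HTML.
function extractRhs(html) {
  const m = /<script>var email = ([\s\S]*);<\/script>$/.exec(html);
  if (!m) throw new Error('unexpected script shape');
  return m[1];
}

// Execute the right-hand side with a stubbed alert() that records whether
// it was called. A call means the input became code instead of data.
// (Safe here: the only inputs are the constructed samples below.)
function payloadRuns(html) {
  let called = false;
  const stubAlert = () => { called = true; return ''; };
  const value = new Function('alert', 'return ' + extractRhs(html))(stubAlert);
  return { called, value };
}

// Count how many times the HTML parser would see the script block closed:
// anything other than one means the value escaped the block entirely.
function scriptCloserCount(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

// Constructed sample inputs: a benign address, the payload from the post,
// and a variant that tries to break out of the <script> element itself.
const SAMPLE_EMAIL = 'alice@example.com';
const XSS_PAYLOAD = '"+alert(1)+"';
const BREAKOUT_PAYLOAD = '</script><script>alert(1)</script>';

// Stand-alone demo: prints which rendering lets the payloads execute.
console.log('vulnerable, quote payload :', payloadRuns(renderVulnerable(XSS_PAYLOAD)).called);
console.log('hardened,   quote payload :', payloadRuns(renderHardened(XSS_PAYLOAD)).called);
console.log('vulnerable, breakout tags :', scriptCloserCount(renderVulnerable(BREAKOUT_PAYLOAD)));
console.log('hardened,   breakout tags :', scriptCloserCount(renderHardened(BREAKOUT_PAYLOAD)));
```

The hardened version fixes only the injection. The other problem the list above names, credentials posted over plain http, is independent of it: a page can be free of XSS and still hand every password to anyone on the path, so the transport has to be TLS regardless of how carefully the page escapes its output.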
<div style="text-align: justify;">The security professional in me gets the shills, but the social human in me appreciates the service provided here. It provides a different view on your friends and acquaintances:</div><br />
<div style="text-align: justify;">If you are somebody who gives up your credentials to anybody who asks, than that indicates how reliable you are. Don't count on borrowing my car keys. </div><div style="text-align: justify;">If you consciously sell out all your friends for the promise of a virtual teddy bear,... I think that says something about your moral value system.</div>Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-18069945015845545802010-09-23T13:48:00.000-07:002010-09-23T13:48:25.166-07:00Facebook Down!<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVPM3BMUhSBe0eZqTwV7OubwjrNP1bkiaQ9sPP_dpTScQA32pofad-r1hX5a_q4xMnA1j51dQVQe7cThS-jMNH6i6LT2NmPgWqxTlqGD05JmB9SF7AXxt4HgOliy2zw_R3-oA0x5jnvEjE/s1600/facebookdown.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVPM3BMUhSBe0eZqTwV7OubwjrNP1bkiaQ9sPP_dpTScQA32pofad-r1hX5a_q4xMnA1j51dQVQe7cThS-jMNH6i6LT2NmPgWqxTlqGD05JmB9SF7AXxt4HgOliy2zw_R3-oA0x5jnvEjE/s320/facebookdown.gif" width="320" /></a></div>Just a quick lunch-time check-in to facebook. And what do I see? It's down due to an internal misconfiguration.<br />
<br />
Just imagine how much it costs a minute for <a href="http://www.allfacebook.com/report-facebook-now-worth-35-billion-2010-03">a site valued at $35 billion</a> to be down.<br />
<br />
<br />
OMG got to post this on Facebook.... oh wait...Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-29416157785365449402010-09-21T19:20:00.001-07:002010-09-21T19:20:52.828-07:00Gym<p class="mobile-photo"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtaEyfXdz11CemmrEUvYrPQ0FxnAY9TtStzSZRj61pg4dPRILf3vdVGB9KY1mqAphHVejQBDtccti1jMb90BtHcDbvsSACev84nyYSFNmsWpRj8s-7no-JOiy1P57TGN7UGqJBY4iaiCM7/s1600/IMG_20100921_191712-752829.jpg"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtaEyfXdz11CemmrEUvYrPQ0FxnAY9TtStzSZRj61pg4dPRILf3vdVGB9KY1mqAphHVejQBDtccti1jMb90BtHcDbvsSACev84nyYSFNmsWpRj8s-7no-JOiy1P57TGN7UGqJBY4iaiCM7/s320/IMG_20100921_191712-752829.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5519557190900076002" /></a></p><p>Most important part of the workout : looking good!</p> Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-24490582094746836772010-07-31T09:14:00.001-07:002010-07-31T09:14:54.266-07:00Defcon 2010 badge<p class="mobile-photo"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTJjrisMKAVvysQp8T2po9omYFOqVjXsMPDEM8mgoIR4uQmh_QB7SUwfabvLBBFvoVafcI6pOm4jS9Xt04OpqpH38XWxMp5kydTVlpeMLH5WYJ_HiaIoO0Rn21Gi_gRtxxyuuN-1HAhxYU/s1600/IMG_20100731_090459-794267.jpg"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTJjrisMKAVvysQp8T2po9omYFOqVjXsMPDEM8mgoIR4uQmh_QB7SUwfabvLBBFvoVafcI6pOm4jS9Xt04OpqpH38XWxMp5kydTVlpeMLH5WYJ_HiaIoO0Rn21Gi_gRtxxyuuN-1HAhxYU/s320/IMG_20100731_090459-794267.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5500104600574956530" /></a></p><p>My colleague Ryan geeking out with the infamous "ninja badge".</p> <p>Look how happy he looks!<br></p> <p>Anybody want to place a bid? 
I can get it while he is asleep....</p> Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-8782013445060293182010-07-11T22:07:00.000-07:002010-07-11T22:07:26.398-07:00DHS Anti-terrorism technology examined<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBX3i_n3MD8w7tx6_l8K2bEPHAn5lkAvA9qTtvityAlDx_C-VgYVBvlXDo_SqovOOBsXP_xuPGgs5vzOJop3mviLex0JC_iaGyBruhbXAIZ05QXxkiCtzUhR5P9XZ8Px3BBhGIiIwl3T16/s1600/CardProtection.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBX3i_n3MD8w7tx6_l8K2bEPHAn5lkAvA9qTtvityAlDx_C-VgYVBvlXDo_SqovOOBsXP_xuPGgs5vzOJop3mviLex0JC_iaGyBruhbXAIZ05QXxkiCtzUhR5P9XZ8Px3BBhGIiIwl3T16/s320/CardProtection.JPG" /></a></div>Together with my (second) erroneous ID card, I got this cool envelope from the "Department of Homeland security".<br />
<br />
It mentions:<br />
<blockquote>"We recommend use of this envelope to protect your new card and to prevent wireless communication with it."</blockquote>And the same message in Spanish. Because, of course, every "alien" speaks Spanish.<br />
<br />
I have a few questions surrounding this:<br />
<br />
<ol><li> Why on earth is my card even <i>capable</i> of "<i>wireless communication</i>"? Do I really want my personal information to be read remotely? Who thought this was a good idea? The rest of the US bureaucracy is stuck in the stone age, but somebody thought that a contact-read card with an RSA-capable chip would not have been fancy enough. </li>
<li>Tinfoil. Seriously? Billions of dollars in funding, and the technology that keeps us safe from terrorists stealing our identity is the same stuff your parents packed your sandwiches in?</li>
</ol><br />
We're all gonna die.Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-14329652913112533222010-06-20T19:16:00.000-07:002010-06-20T19:16:56.726-07:00Your mandatory guide to being a profitable citizenThe article "<a href="http://articles.sfgate.com/2010-05-16/business/20900712_1_credit-score-credit-report-credit-card">Pitfalls of credit reports</a>" touches on many points that everybody has suspected for a while:<br /><br /><blockquote>"While this does punish profligate spending on credit, it also discourages full payment of debts. The FICO score increases if a cardholder keeps spending on credit, paying the minimum balance and taking as long as possible to pay off the full amount."<br /></blockquote><br />Translation:<br />It is your duty to maintain maximal profitability. You are to be in a constant state of debt, not so much that you can't repay it, but enough so you keep on paying until you die. <br /><br />Failure to comply will result in harsh punishments: Existing loans and mortgages will jump in cost. Getting a job will be a lot harder.<br /><br />Thank you for complying.<br /><br />Should you have any complaint, feel free to call the automated help system, where you can leave a message. It's extremely unlikely that a human will ever take the time to listen to it, and nearly impossible to get action taken on it.<br /><br /><blockquote>"There is, however, one way to ensure that a complaint is viewed in detail: According to the TransUnion employee handbook, politicians, legal workers, professional athletes and entertainment celebrities are to be given special treatment." </blockquote><br />Translation:<br />If you are important enough, we might listen to you. 
Or if we really think you may sue us.<br /><br />Personally, I think I am going to try telling them that I am a lawyer.Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0tag:blogger.com,1999:blog-7303832401546433399.post-30820557419411786012010-06-12T19:32:00.000-07:002010-06-12T19:32:57.704-07:00Apple needs a new porn filter!Not so long ago, <a href="http://www.electronista.com/articles/10/05/15/jobs.explains.views.in.heated.mail.exchange/">The Steve himself declared that all porn applications are banished</a> from the app store.<br />
You know, it's a moral "OMG THINK OF THE CHILDREN" thing. We wouldn't want Apple to be thought of as peddling porn!<br />
<br />
Then there is this:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv-fU3vtvX8zZEclSTRiCmJWTY7189tMi454RAtQ8eER3jhnWPhUNWboK1ZrGYz7sYWemg_hvPgMpS54pN3XKFuA25AU8yvwiepevXH4zP1roFLVxEhnl5pvNE9818hbSQ0JxdgHbo_mH4/s1600/playboyitunes.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="489" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv-fU3vtvX8zZEclSTRiCmJWTY7189tMi454RAtQ8eER3jhnWPhUNWboK1ZrGYz7sYWemg_hvPgMpS54pN3XKFuA25AU8yvwiepevXH4zP1roFLVxEhnl5pvNE9818hbSQ0JxdgHbo_mH4/s640/playboyitunes.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: justify;"><br />
</div><div class="separator" style="clear: both; text-align: justify;">Yes, good old playboy still has their app. There is no way this is by accident:</div><div class="separator" style="clear: both; text-align: justify;"></div><ul><li>Playboy is the "<a href="http://en.wikipedia.org/wiki/EICAR_test_file">eircar test</a>" of porn blocking. IT geeks type "www.playboy.com" in a browser whenever they want to test if the "nannyware" system that HR made them install, is actually working. what Coca-cola is to soda, Playboy is to porn.</li>
<li>It has a 7+ rating</li>
<li>It warns for "Frequent/Intense Sexual Content or Nudity". </li>
<li>There's "feed Africa"-sized cleavage on the main screenshot</li>
</ul><br />
Shame on you Steve. You tricked me. You told me that the appstore was safe! Now my innocence is lost forever.<br />
<br />
While on the subject, can anybody explain to me why looking at mammary glands on my iPhone is bad when those pixels are generated by an application, while they are perfectly OK when watched in full motion video:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXrbGPwYglx70BkBqbZ4HX2h1pSbMIH3lV6MuQtXWgnOJ1ZFUQHxlOS0zMeyIHsUpusl8KtNGsrfx-slfrNmAB3kOQCmejZRezawMhyphenhyphenqAgV5q6H9lzp8kGvvnO8UHQoI0JjSoTjDneFrkV/s1600/9weeksitunes.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="339" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXrbGPwYglx70BkBqbZ4HX2h1pSbMIH3lV6MuQtXWgnOJ1ZFUQHxlOS0zMeyIHsUpusl8KtNGsrfx-slfrNmAB3kOQCmejZRezawMhyphenhyphenqAgV5q6H9lzp8kGvvnO8UHQoI0JjSoTjDneFrkV/s640/9weeksitunes.jpg" width="640" /></a></div><br />
<br />
Anybody?Jonhttp://www.blogger.com/profile/10577171428192244922noreply@blogger.com0