adric: (writing)
Please *do* glorify some great hackers and not crime

Re: "Stop Glorifying Hackers"(sic) from the

M. McWhorter,

I'm sorry you had trouble safely sharing data with yourself online using free and inexpensive services. How much extra would you be willing to pay for safe versions of your online services?

Equally I am sorry you did not value the free (to you) advice of the professional at Earthlink who advised you to secure private data offline, as it was good advice given in good faith. You could pay a great deal to get worse advice.

The majority of your editorial seems to be aimed at journalists, whom you chastise for glorifying the exploits of online criminals. That's a valid complaint, though hardly specific to online crime. Many of the problems with modern journalism are related to the economics of publishing, including the dominance of "if it bleeds it leads" editorial decisions.

Instead I would caution your target audience and yourself about words: diction, connotation, and meaning. The words that you choose to use have meanings and even political significance that you would do well to pay more attention to.

Decrying the criminal activities of "hackers" in one sentence and then asking where all the "white hat hackers" are demonstrates your ignorance and does nothing to help anyone. The hackers are the good guys and your rhetoric isn't going to motivate them (us) to help you much.

Regards,
Adric Net
BBST, CISSP, GSEC, GCIH, GCIA, LPIC-1, ITILF, AS CS, AS Psy.

http://www.nytimes.com/2014/03/09/opinion/sunday/stop-glorifying-hackers.html

Originally on G+ here: https://plus.google.com/102299631906745519234/posts/9du7rqrSY81
adric: books icon (c) 2004 adric.net (Default)
Or sign # 875,675 that I should have gone to university at age 12 or not at all: further punishment for taking AP courses
 
Greetings,
 
I took AP courses and exams in high school in the twentieth century (1993-1995 CE) before your web site existed. Despite that universities continue to insist on AP score transcripts and I am trying to get some sent. I have registered a username on the College Board site but am unable to complete account verification because I do not know my student ID nor was there (as far as I recall) an email address entry on my score sheets.
 
I appreciate any help you can provide.
 
Very respectfully,
[adric]
adric: books icon (c) 2004 adric.net (Default)
I worked through the lab assignment's questions and now need to convert this into a list of risks for others to critique. This was so much fun to write I wanted to hang onto it anyway even as an intermediate product. My actual submission for class is below the cut.

1) The variable of lastname is input (optionally) in the wizard that runs on first program execution of OOo applications, modified in the Options dialogue of any OOo application, and used in every facet of the office suite.

2a) Undefined is a valid state for this variable, and any code path that uses the variable without checking for undef, or doing so incorrectly, will introduce errors in its functions. Additionally, too much data in this field would be dangerous to any of the code that uses it due to the likelihood of buffer overruns, and unexpected characters or encoding in this field could lead to format string errors or exceptions in library string-handling code. If you can get a non-character or non-string value into this field due to input validation failures then wholesale memory and stack corruption becomes a concern.

2b) Use of lastname as well as the companion variables first name and initials is widespread throughout the SUT applications. Beyond the dialogs which directly manipulate this value (new user wizard, Options) many other functions read this variable and incorporate it into interface displays (document properties) or include it in requests to other modules (printing). The name variables are included in various places in the document data saved to disk, automatically and intentionally, including the document properties. If change tracking is enabled a tag generated from name variables and dates is displayed next to each change made by a particular user and recorded with version information in the document files. Perhaps most excitingly the name variables are posted to Internet servers with registration information, allowing for the small possibility that an error related to this variable could affect not only systems that process the document but completely remote systems as well!

2bi) Lastname is used in (at least) many display functions in all parts of the SUT applications, change tracking functions, save/load functions, printing functions, macros, user preferences, data generating functions such as headers and footers, and online registration.

2bii) Values of lastname are displayed in numerous parts of the UI, in change-tracking feature's tags, inside saved documents (and temp/autosaved ones), and may be printed depending on settings for header/footer and cover pages.

2biii) Values of lastname are sent to the operating system as part of stored data about the user and document as well as to remote devices for printing (settings dependent) and to remote Internet servers with optional software registration. I'm unsure about how lastname values may be used in API calls and macros.

2biv) Values of lastname are sent to the operating system as part of stored data about the user (registry UserProfile.xcu) and document (meta.xml).

2bv) Values are read from the registry user profile files if available and may be input into the SUT via the first-run wizard or on demand with Options dialogs.

2c) Changes to the presence or boundedness (?) of last name during program operations could lead to corrupted data in memory, on disk, and displayed to users.

2cviii) Display of user data, document data or metadata could be impacted by incorrect information about the presence (undef), values (could change), or boundedness (wrong data type) of last name.

2cix) Boundary errors on lastname could influence other variable values in document metadata, document content, or application configuration leading to problems with these unrelated variables and functions. Gross misbehaviour on the part of lastname could completely corrupt XML program and document data structures rendering the document or preferences unreadable and thus broadly disrupting document or application functionality.

2cx) There are any number of cases where software errors could cause the value of lastname currently in memory and on disk (in the user registry or document) to become de-synched. This could lead to incorrect data being saved or printed. Some of these cases include local or remote file system errors, unaccounted-for 'races' with other OOo (or alien) processes running on either the SUT or the file storage device, or just faulty RAM.

2cxi) Lastname is optionally sent with registration information to remote Internet servers operated by the OOo project. A chained failure of input filtering or other unlikely occurrence could cause unexpected format, encoding, or sized lastname to be injected into the remote system and processed. It is not entirely far-fetched that this could lead to serious problems on the remote system(s) that receive and process the data such as a buffer overflow or SQL injection attack.

2cxii) Perhaps the most outlandish and unlikely risk is to the hardware of a printer that receives a document to print with malformed or corrupt lastname information in the cover page, headers, or document body. This could lead the printer to malfunction, develop sentience, or start making toast if enough failures chain together in just the right (wrong?) way.

Risks for OOo Last Name: a continuum of failure stretching towards disaster
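As an added illustration of risks 2a, 2c and 2cix (not part of the lab submission above, and not OpenOffice.org code): a bounded, type-checked normaliser for the lastname field, and the meta.xml initial-creator element written two ways, once by careless string pasting and once through an XML API, so the reader can see how an unescaped name corrupts the document. The length bound and the ODF namespace URIs are my assumptions.

```python
import unicodedata
import xml.etree.ElementTree as ET
from typing import Optional

# Assumed bound for the field; the lab text names no limit, so this is a chosen policy.
MAX_LASTNAME_LEN = 64

# ODF namespaces used by meta.xml (from memory of the ODF spec; treat as an assumption).
NS_OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
NS_META = "urn:oasis:names:tc:opendocument:xmlns:meta:1.0"
for prefix, uri in (("office", NS_OFFICE), ("meta", NS_META)):
    ET.register_namespace(prefix, uri)


class LastnameError(ValueError):
    """Raised when a lastname value violates the presence/type/bound policy."""


def normalize_lastname(value: Optional[object]) -> str:
    """Canonical, bounded lastname.
    Undefined (None) becomes "", non-string types are rejected rather than coerced,
    over-long values are rejected, and characters in Unicode categories C* (control,
    format, surrogate, private-use, unassigned) are rejected before they reach
    any string handling or serialisation code."""
    if value is None:
        return ""
    if not isinstance(value, str):
        raise LastnameError(f"lastname must be str, got {type(value).__name__}")
    text = unicodedata.normalize("NFC", value).strip()
    if len(text) > MAX_LASTNAME_LEN:
        raise LastnameError(f"lastname longer than {MAX_LASTNAME_LEN} characters")
    if any(unicodedata.category(ch).startswith("C") for ch in text):
        raise LastnameError("lastname contains control or non-printable characters")
    return text


def naive_meta_xml(lastname: str) -> str:
    """A careless save routine: the name is pasted straight into the markup (risk 2cix)."""
    return (f'<office:document-meta xmlns:office="{NS_OFFICE}" xmlns:meta="{NS_META}">'
            f'<office:meta><meta:initial-creator>{lastname}</meta:initial-creator>'
            '</office:meta></office:document-meta>')


def safe_meta_xml(lastname: str) -> str:
    """The same fragment built with an XML API, which escapes <, > and & for us."""
    root = ET.Element(f"{{{NS_OFFICE}}}document-meta")
    meta = ET.SubElement(root, f"{{{NS_OFFICE}}}meta")
    creator = ET.SubElement(meta, f"{{{NS_META}}}initial-creator")
    creator.text = normalize_lastname(lastname)
    return ET.tostring(root, encoding="unicode")


def read_initial_creator(xml_text: str) -> Optional[str]:
    """Parse meta.xml text; return the stored name, or None if the XML is unreadable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    node = root.find(f"{{{NS_OFFICE}}}meta/{{{NS_META}}}initial-creator")
    return (node.text or "") if node is not None else ""


if __name__ == "__main__":
    hostile = "Smith & <Sons>"
    print(read_initial_creator(naive_meta_xml(hostile)))   # None: document unreadable
    print(read_initial_creator(safe_meta_xml(hostile)))    # Smith & <Sons>
```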
adric: (Bug)
Comment left on threatpost story: Apple Trips Up Again on Security https://threatpost.com/en_us/blogs/apple-trips-again-security-110911#comment-117253

There's a pretty serious flaw in the argument presented in this article starting with the incorrect comparison between Apple's App Store policies and those of the Android Market: "The process is still light years ahead of what's in place for the Android Market, which has seen a number of malware-laced apps get through, as well as proof-of-concept apps submitted by security researchers."

This comparison is completely false because Android Market does not filter or screen applications for posting in the manner Apple purports to do. In fact this is a key difference between the two services in their business models. Both systems have seen malware distribution.

If as you assert "Reviewing the apps before approval is the right idea" and Apple was able to do this flawlessly ... nevermind, Charlie proved again that this is not the case and the argument falls apart.

Apple's handling of the two vulnerabilities involved here is poor and gives strength to the arguments of their detractors that the App Store approval process is a marketing feature and not a security feature.

adric: books icon (c) 2004 adric.net (Default)
If so please clue me in. I have a useless "An error has occurred" message in App Store, an Install button that no longer clicks, a code that has already been redeemed and cannot be reused, and no log messages about any of it.

This is really making a strong argument against the App Store model being useful for anything.

Posted to threads on /. and osnews.
adric: books icon (c) 2004 adric.net (Default)
In which I send mail to a total stranger via whois to tell them their site has likely been hit by a drive by exploit
Hi,

I came across your site while searching for OmniGraffle swimlane templates, and hit your post:
http://www.princeofswords.com/2006/08/20/adventures-in-my-macbook-omnigraffle-riva-world/.
While looking around I saw your post about TortoiseSVN and ScPlugin, reachable here:
http://www.princeofswords.com/2008/02/05/tortoisesvn-member/, but the link in your bottom menu points to:
http://www.princeofswords.com/2008/02/05/tortoisesvn-member/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%/

This is either a glitch in your site's scripts or an attempt to exploit some security misfeatures in the PHP scripting language (it looks a lot like some live exploit code I have dealt with previously; I suspect your site was attacked and may have been modified without your knowledge!). Either way you should take a look.

Sorry to bother you and I hope this helps. I didn't see any mail address listed on the site, so I used this address from Whois.

hth,
adric
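An added defender-side check (my code, not something from the mail or the site in question) for the kind of tampered link described above: it collects every anchor href from a page, undoes percent-encoding, and flags the markers of the PHP eval(base64_decode($_SERVER[...])) pattern. The sample menu is constructed; the second link is the one quoted in the mail.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Markers of the PHP eval(base64_decode(...)) backdoor pattern quoted in the mail.
# Matching is done on the decoded URL, so %7B / %5B encoding does not hide them.
INDICATORS = {
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "superglobal": re.compile(r"\$_(?:SERVER|GET|POST|REQUEST|COOKIE)\s*\[", re.I),
    "php_brace_interp": re.compile(r"\{\$\{|\$\{"),
}


def fully_decode(url: str, max_rounds: int = 5) -> str:
    """Undo percent-encoding repeatedly; payloads are often encoded more than once."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def link_indicators(url: str) -> list:
    """Names of the indicators found in the decoded URL (empty list for a clean link)."""
    decoded = fully_decode(url)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


class _LinkCollector(HTMLParser):
    """Gather href attributes of <a> tags; HTMLParser already unescapes entities."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def scan_html_for_injected_links(html_text: str) -> list:
    """Return (href, indicators) for every anchor carrying at least one marker."""
    parser = _LinkCollector()
    parser.feed(html_text)
    hits = []
    for href in parser.hrefs:
        found = link_indicators(href)
        if found:
            hits.append((href, found))
    return hits


# Constructed sample menu: one clean link plus the tampered one quoted in the mail.
SAMPLE_MENU = """
<ul id="menu">
 <li><a href="http://www.princeofswords.com/2008/02/05/tortoisesvn-member/">TortoiseSVN</a></li>
 <li><a href="http://www.princeofswords.com/2008/02/05/tortoisesvn-member/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%/">TortoiseSVN</a></li>
</ul>
"""

if __name__ == "__main__":
    for href, found in scan_html_for_injected_links(SAMPLE_MENU):
        print(found, href)
```

A hit means the page template or database content should be compared against a known-good copy; the pattern match alone does not say how the site was modified.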
adric: books icon (c) 2004 adric.net (Default)
So I'm attempting to investigate a file save bug report for class and not making much progress with that. I did trip over some behaviour that seems odd to me: OOo processes BMP to PNG silently and mercilessly when you add one to a presentation, and when you save it. This is odd because it does not do this to gif, png, or jpg. Gif, png, and jpg files came through the process fine, though they were renamed. I just checked a tif and it was also unaffected (renamed but checksums match).

Must be a feature?

shell transcript
adric: books icon (c) 2004 adric.net (Default)
Well, after finally crawling out of bed at 10 I have:

* read over the final exam study guide, (terrifying)
* read over the assignment guidelines (phase 1 is due at midnight tonight latest),
* read over a dozen OOo Impress bugs, (I need to comment on one)
* installed OOo on the Dell mini 12 (might be able to reproduce a crash bug on that platform!)
* bought two three** Social Distortion albums from Amazon MP3
* grazed on crackers, crisps and jerky
* finished a cup of citrusy green and brewing a cup of PGtips now.
* made a presentation of no worth in OOo Impress to get familiar with it.

I still have to:
* pick a bug report, and then both comment usefully on it and write about the report
* make intelligent sounding remarks on answers to previous exercise (others and my own, should have been done earlier in the week)

And this is just the first week of the crazy accelerated 4 week class. WTF was I thinking trying this again while working fulltime?

** So far: Mommy's Little Monster, Social Distortion, Prison Bound
adric: books icon (c) 2004 adric.net (Default)
After reading http://www.roughlydrafted.com/2009/10/12/microsofts-sidekickpink-problems-blamed-on-dogfooding-and-sabotage/ ... I'm partly willing to believe this is the answer, perhaps running in cron every month:
* * 2 * * /usr/gnu/bin/ruby -w /exports/home/user/apoc_check.rb
#!/usr/gnu/bin/ruby -w
## apoc_check : not a misnamed time check function, 
## but a preparation for the apocalypse

def unthinkable_has_happened?
  ## various checks to determine if world has ended, 
  ##  company has been sold to Microsoft,
  ##  stock price has dropped beyond a certain $
  ##  or your favourite unthinkable catastrophe has occurred
end

def destroy_all_data_irrevocably
  ## write pseudorandom data to the disk blocks 
  ##   that used to contain the master database control files,
  ##   indexes, backups, and other good stuff
  ## low level format the SAN, and any system drives, 
  ##   and replace the bootloader code
  ##   with something fun of your choosing. 
  ##   Remember, ASCII art is fun.
end

destroy_all_data_irrevocably if unthinkable_has_happened?
## eof
Although it probably wasn't written in Ruby or even in cron. I think my oversimplified example could represent an explanation, as suggested by Mr Dilger in the article linked at the top. Sadly that's not the most interesting thing in his writeup. I twittered this logic lesson quote to tease:

Asserting that it’s a ridiculous supposition is in no way disproving it.

and you'll just have to look at his piece to find out the topic or relevance and whether it has anything to do with meteorology.
eta: This one has some juicy hearsay including the name of a vendor: http://www.hiptop3.com/archives/what-caused-the-sidekick-fail/, but be warned the comments are almost unreadable.
adric: books icon (c) 2004 adric.net (Default)
Immediately remove premium channels from my account and refund erroneous charges. Please see my previous email on this subject in case there is any confusion about whether I ever wanted to pay for premium channels (hint: I did not). Note the change I made to my account package on the web last week, which inexplicably also did not remove unwanted premium channels which I had already erroneously been charged for.

Fix your web site so that customers can remove unwanted expensive programming without having to call you or use this form.

If I wanted to deal with this crap I would do business with the local cable monopoly.

Try harder.

ETA: response: June 13, 2009 11:54:13 PM EDT
unhelpful, if true
adric: books icon (c) 2004 adric.net (Default)
Finally found this trick:

  1. Start in a big language, like "Pretty Big".

  2. Execute e.g.: (current-directory "c:/program files/plt/") in the bottom pane.

  3. Then you switch to your lesson language (HtDP Beginning Student for me) and reload (Run).


Found here: http://www.cs.utexas.edu/users/novak/drscheme.html

This allowed me to create in.dat so DrScheme could read it, allowing me to finish Exercise 2.2.1 in How to Design Programs (HtDP). Still no idea where it was looking for the file before I set that to my Desktop, lame..
adric: books icon (c) 2004 adric.net (Default)
One of the reasons I probably have had so much trouble with some of the fundamentals of object-oriented programming is that it is so dualistic and most of my theology is not. Surely this is why it took so long for me to finally start to get class methods and instance methods.

The remainder of my difficulty with that I blame on Java, though Ms LeMay and Mr Horton tried very hard to work through it.

Along those lines, has anyone translated the Blonde Girl Book (Head First Design Patterns) into a less .... well into Python or Ruby, basically, although I'd take Smalltalk?


The random reboots that have been plaguing my G1 phonethingy recently were not alleviated by either newer JF firmware or Cupcake. Uninstalling various bits of unused software did not seem to have a reproducible effect. They do seem to have greatly reduced in occurrence when I leave the phone closed and play with the onscreen keyboard...

The Jetta exhibited odd non-debilitating software problems yesterday when I was trying to drive to an argument. We were completely unable to reproduce the behaviour after the mechanic touched it, but I did make sure the service rep saw it first.
adric: books icon (c) 2004 adric.net (Default)
The Moodle security advisory mail just came out. It gives registered Moodle admins a week's advance notice of the patches coming out next week. That's nice of them. Some excerpts follow, emphasis mine:

PLEASE DO NOT PUBLISH INFORMATION OF THESE ISSUES ON THE INTERNET! This mailing list goes out to nearly 50,000 people
adric: (Bug)
This may be the sweetest bug report I've recently crafted. The form I filled out is here.
Mr [Last],

Good afternoon. I don't recall requesting information about mail filtering services, but thank you none the less.
I was actually inquiring about career opportunities with your firm. Perhaps I filled out the wrong form?

Sorry to trouble you, then. Please let me know if you have any openings for Linux administrators or security
analysts.

Thank you,
[adric]

On Feb 24, 2009, at 1:35 PM, [First Last] wrote:

[adric],
Your FREE six months of expert Spam protection is on the way! Please reply with some times that you will be available for your initial phone call.

We'll call and set up a time to help you rid your inbox and those of your employees of all of that time consuming and objectionable spam.

I'm looking forward to speaking with you.

Thanks,
[First Last]
CEO
800-xxx-yyyy
adric: (bolts)
Please stop echoing your Twitter to your LiveJournal, everyone. Very few people's Twitter feeds are so interesting as to merit this, and they are all readily available from the failwhale herself so there is no need to copy them in here as well.

If you need technical assistance with this issue, please ask away and I'll try to help. There are other better ways to syndicate your Twitters, if that's what you need, including having a separate lj (community) for it.

Thanks for reading. Help put a stop to this noise today.

While we are here if any one has any technical questions about LJ backups, I'll try and field those too.
adric: (Bug)
from the American Medical Association, Allah's peace be upon them, in "cpt distribution license appln.doc".
4. Redistribution of CPT material alone is not permitted; licensed products must include additional code-level content (i.e., content that appears when codes are displayed). For example, in an electronic medical record, the added content would be the patient encounter information such as date, patient name, and diagnosis. List the additional code-level content that will be contained in the product.


So, basically, in these terms you have to include HIPAA protected patient data (PHI) in order to satisfy AMA's licensing. That's ... funny. I wonder if anyone has told Medicare about that, or if others have complied, if any of them have been busted. Yet.

For expats and foreigners, I'll note that HIPAA is a big ol' bundle of legislation passed by the US Congress in the late 1990s that set up guidelines for protecting the privacy and security of healthcare data in the US. It's mandatory, and violations are Federal crimes with big penalties for organizations and individuals. AMA is merely the largest lobbying organization in the USA and they hold the copyright over the procedure codes used by the entire US healthcare system.
adric: books icon (c) 2004 adric.net (Default)

Behold the note I left, and the door tag they stuck 6 inches from it. Note carefully the polite request to leave the package referenced and the signature. Glance at the checkbox for reason the package was not left: signature required.

Marvel that having confused their chatbot and reached a human named Marquesha I was told that "home delivery service" drivers do not make it back to station before it closes, and so they will reattempt delivery or I could come pick the parcel up tomorrow.

I am so annoyed I almost want to refuse it and make the vendor ship it back UPS or postal. Gah. At least they will either leave it on the stoop or let you come get it. The fact that the delivery location, my location, and FedEx are all well within 5 miles of each other is not making me less annoyed in any way.

adric: books icon (c) 2004 adric.net (Default)
>> So that means OpenLDAP on Debian is still not recommended if you don't compile your own OpenSSL and OpenLDAP.

Since they're committed to using GnuTLS, yes. Unfortunately for the Debian community, just because software is released under the GPL doesn't say anything about its quality.


More tasty tidbits in this thread, entitled GNUTLS considered harmful.

Meantime, if you run OpenLDAP, don't upgrade to lenny.

Page generated 18 August 2017 01:10 am
Powered by Dreamwidth Studios