Get FLACed!
May 26, 2008
I usually do not brag about personal possessions, but I bought some high-end headphones and, courtesy of some FLAC encoding later, I was re-enjoying some of my best tracks in a totally new way (like I've been hearing them from some crappy tapes and MP3s)…
Isn’t it great …
May 9, 2008
… when “leaked” exploit source code is
- Cleanly formatted, following a clean, proper coding style, proper variable naming conventions, the works
- Properly commented, including “THIS IS PROPRIETARY SOURCE CODE OF JIMBOB HACKING CREW”
- Accompanied by a comprehensive listing of members, often including email addresses etc.
- (last but not least), the word “PRIVATE” is repeated every 10 lines or so ….
More on the hypocrisy of Information Security to come … Perhaps making fun of the script kids and the fame seekers is an easy target. So, for the next “Isn’t it …” line of posts, we will be making fun of our friends, the IT security industry (to use a cliche, “modern age snake oil merchants”). And yes, it will be a “name and shame” game, so keep watching this space.
The Shock Rockers of the IT Security Industry
April 2, 2008
Shock Rock: borderline musical idiom. The performers usually play something relatively extreme compared to the mainstream of contemporary music. The main stimulus is visual, as shown in the various acts’ live performances (or “shows”). Usually, the music is not that good and most of these bands prove to be nothing more than a one-trick pony. Since the amount of shocking acts permitted in public by law is fixed, the genre is quite unpopular now, as most of what there is to be seen was already shown back in the 80s. “How is this related to the IT Security industry?”, the astute reader might remark.
Today I had the dubious pleasure of using a port scanner made by a known security company. I will give no names, but trust me, you have heard of this one and maybe bought a book or two from them. It is your typical win32 software, version X.Y, with X being much, much greater than 1 (therefore revised and improved with every iteration). Running a port scan against a firewalled VM, it reported filtered ports as open, while nmap was displaying them as closed or filtered. At first I thought that there was something wrong with my firewall configuration. Upon further investigation, it turned out that the tool was doing a simple connect() scan and reporting timed-out ports (-j DENY) as open.
Bruce Schneier, in his “Secrets and Lies” book, introduces the “snake oil” merchants. Unfortunately, even with a slightly more security-educated IT community, frauds like those described in the book can often be encountered in the field. Like our pals from [CENSORED]. Hey guys, is it too much to ask that your connect() port scanner (with a version greater than 1, mind you) at least expects the presence of a firewall someplace? I am sure that quite a lot of pimping goes into your books, I would not know. I bought one of your books back in 2001 or so and it was a terrible waste of money and time. To cut a long story short, you have a bunch of clueless posers with a good PR department charging the hell out of their clients and presenting themselves as authorities within the IT security industry. Unfortunately, the shock rock effect of their material, the overestimation of how “them pesky hackers are out there to get YOU“, will soon wear off and those morons will be exposed for the frauds they are.
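As an added example (not the vendor's scanner nor nmap's code), here is a small Python check of what a connect() result should map to: a completed handshake is open, a RST is closed, and a timeout, which is what a silently dropping firewall rule produces, is filtered rather than open. It verifies the open and closed cases against a loopback listener and uses constructed exceptions for the cases loopback cannot produce.

```python
import socket

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def classify_outcome(exc):
    """Map one connect() attempt to a state: exc is None on success, else the error."""
    if exc is None:
        return OPEN        # handshake completed: something accepted the SYN
    if isinstance(exc, socket.timeout):
        return FILTERED    # no reply at all: packets silently dropped (DROP-style rule)
    if isinstance(exc, ConnectionRefusedError):
        return CLOSED      # RST came back: host reachable, nothing listening
    # ICMP unreachable (REJECT-style rule) surfaces as some other OSError;
    # nmap files that under filtered as well
    return FILTERED


def classify_connect(host, port, timeout=2.0):
    """Attempt a full TCP connect and return open/closed/filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return classify_outcome(None)
    except OSError as exc:      # socket.timeout and ConnectionRefusedError are OSErrors
        return classify_outcome(exc)
    finally:
        s.close()


def start_listener():
    """Open a listening socket on a free loopback port (test fixture)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def loopback_outcomes():
    """Observed states for a listening and a non-listening loopback port."""
    srv, port = start_listener()
    try:
        listening = classify_connect("127.0.0.1", port)
    finally:
        srv.close()
    not_listening = classify_connect("127.0.0.1", port)   # nothing listens now -> RST
    return {"listening": listening, "not_listening": not_listening}


def simulated_outcomes():
    """States for outcomes loopback cannot produce, using constructed exceptions."""
    return {
        "timeout": classify_outcome(socket.timeout("timed out")),
        "refused": classify_outcome(ConnectionRefusedError("refused")),
        "unreachable": classify_outcome(OSError("No route to host")),
    }


if __name__ == "__main__":
    print(loopback_outcomes())
    print(simulated_outcomes())
```

A scanner that reports "open" for the timeout row has the bug described above: it confuses the absence of an answer with an accepting service.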
Optimizing Joomla Sites for Speed
December 5, 2007
As I have blogged before, I have the dubious honour to work as a web application developer/Linux administrator/general IT “Mr fix-it-all” guy at a Joomla based shop (hey, it pays the bills and it’s not like I will be here for long). This is essentially a mom-and-pop store with a tight budget, so one has to cut corners. In that light, the decision was to buy a Linux VPS (Virtual Private Server, for the uninitiated). As my projects are not connected with the Joomla development team, I have left them happily turning out one cookie-cutter page after another. Like many other techies, I am a content-over-style person, so I felt that the graphics-laden pages were, to say the least, atrocious. But hey! It's the customer’s wish, so they get their money’s worth in .swf animations, animated .pngs, the works.
It came as little surprise that the pages, when viewed not over our Gigabit LAN but over a run-of-the-mill DSL line, were slooooooooooooooooow. Guess who comes to the rescue. Since it is only logical that many other shops fail to hire web monkeys that adhere to web development best practices, I decided to share my experiences in trying to solve the problem (ok, I use the verb "solve" more in a “band-aid applied over multiple 7.62mm wounds” sense, but I am sure you knew that already).
- When using CSS and Javascript, keep them in external files as much as possible (always, for you and me). This way they get cached by the browser, and you save some precious user-experience time on every subsequent page.
- PNGcrush is your friend. I cannot stress this enough. Even if you get only a 10% reduction in file size for each .PNG, they quickly add up. Speaking from experience, I got reductions between 5% and 25% per file, which was well worth it.
- Since you are using a database to store your content, turn RAM caching on (if you can afford it). While memory hungry (total memory consumption of our server is 280Mb), it gives a tremendous boost. The MySQL documentation has an excellent section on how to do this, with some considerations and poor man’s benchmarks. I assume that your database has something similar (between you and me, while MySQL gets the job done and has tons of support, it certainly is not the pinnacle of technological achievement in the open source database field).
- If you are using Joomla (or Mambo or a similar CMS), try to keep the number of modules to a bare minimum. Each module, even if it is lightweight in actual size, is at least one HTTP request so that bogs the performance down.
So, if you have to face the all-too-common “clueless management with incompetent web designer” syndrome and teaching (enforcing would be a more appropriate term) web design best practices is out of the question, the (kinda obvious, to be honest) tips above might squeeze out an ounce of performance or two that can make a difference.
Ruby On Rails real strength
October 16, 2007
- Faster in development time than J2EE (the claim that a small RoR application can be the size of all XML documents required to work with J2EE is correct)
- Better than PHP (forces you to avoid bad development practices, a case that is seen all too many times)
- YAML
- Cool kid on the block
Other than that, if you are outside DHH’s frame of mind, good luck!
Web Application Frameworks to keep an eye on in the future
October 2, 2007
If you are doing small to medium scale web application development (btw, I do not want to imply that the frameworks here are unsuitable for large projects, but since I have no personal experience using them in a large project, I will not add a hearsay opinion), you really should keep an eye on these:
Which of them will survive (since there is a ton of Java frameworks, many claim that Ruby is a fad, and there are two frameworks for Python) will depend on many factors, not all of them related to technical excellence or ease of use.
I have the honour to work with #2 to make ends meet and #3 for personal projects. I like them both, but the common thread is that innovation is shared (i.e. they have many things in common). DRY anyone?
Yet another quick J2ME tip for newbies
September 24, 2007
While checking the logs I came across the search term “j2me png manipulation”. So, a few tips that you probably have heard before:
- The fewer, the merrier. If you can combine the images into a single file, you save JAR space.
- Indexed PNGs are your friend. You can do a lot with 256 colors (hell, I grew up on the Amiga 500 that had 32 colors for gaming). If you have a lot of black and white graphics, MAYBE you can save some space by combining them and using indexing while keeping your colored ones separate, but this is on a case by case basis.
- Try a few different PNG encoders. Their mileage may vary.
- Another bonus is that if you have few (or even better, one!) PNG files, you can encrypt them (most of the encryption I have seen is XOR, but ok, that will stop the casual thief), decrypt them in memory (which on most Nokia S40 phones is more than you have available for your filespace), and hope the garbage collector does its job (calling gc() does not guarantee execution and you might be a victim of memory fragmentation, but most of the time it works ok).
- Since reading from the JAR is slow and space is extremely limited anyway, the evident benefit of keeping your assets in a single file (like most PC/console games) is not a concern.
- If the API has extensions for mirroring, by all means use them. Once again, you trade off JAR space against RAM.
Since this turned out to be my most often quoted post, I decided to add a few more experiences about piracy that happened at my work place. I will not be giving any specific names, but it is still an interesting story. Ironically, I get a lot of traffic from people who are searching for DEFCON/Uplink warez (this is why I refused to post the magic offsets in the first place).
My current employer is in the process of designing and deploying a collaboration system for a small to medium sized media organization. The current process so far is an incoherent hell: 3 editions of MacOS (notice the lack of X), zillions of different versions of MS-Office and lots of paper. The paleolithic process so far:
- Dude writes story in a version of MS-Word and prints related pictures
- Article goes to chief editor (and assorted people) for authorization; if it gets authorized, editing takes place. After editing, dude rewrites article in MS-Word and sends it in MS-Word format to final editor
- Final editor converts it to ASCII, replacing lost Greek characters along the way
- In the meantime, original author reprints photos corrected in Photoshop and writes the title on the back
- DTP guy gets the pics and the ASCII text, formats it, adds the pre-rendered ads from the Advertising Dept
- All gets exported to .PDF and gets sent to the printing press (um, there are a couple more steps involved, but let’s assume that creation of the .PDF is the overall objective).
The major problems identified so far IMHO are the following (but not limited to):
- Lots of time lost. A casual estimate is that 4 out of 6 hours are lost. Factor in the average office worker’s lost efficiency and it gets even lower than that.
- No archiving facilities. So if guy #1 asks guy #2 where the picture he used last month is, good luck searching desk by desk.
- Why not homogenize formats? Why not assign roles?
- The whole process is error prone.
- Data cannot be mined and efficiently searched.
So my suggestion was to build some kind of web application so the fellas can at least standardize their process. My proposal was this: since the MS-Office document is used only as a temporary container, why not substitute it with a rich text form, like the one I am using right now (or, for that matter, like any person who has ever blogged somewhere after 2004)? I mean, hell, the text output before going to DTP is ASCII, for crying out loud!
- We cannot afford the training. Our personnel has to use what it is already using.
- Think about all the money you will be saving on MS-Office licenses.
- It is irrelevant, we are using pirated copies anyway(!)
Having that out of the way, we began discussing the choice of client and server software. The whole MacOSX software will be pirated. QuarkXPress 7 (and later) is straight out of the conversation “because we are not able to find a pirated version of it“, thus losing some of its more useful features. The CEO of the company also confided that “look man, Oracle is out of the question, we can use something that our clients can find pirated, perhaps use SQL-Server instead?” (in order to be fair, the shop I am currently working in is a fully licensed MS partner, so the piracy bit is not on our part. And, in case you were wondering, it took some convincing that there are quality databases for x86 other than Oracle and MS SQL Server).
After a bit of in-company fighting, the design decisions were the following:
- Ruby On Rails. This was a personal choice. I mean, I am the lead developer in the project, why not work with something I like? Ok, not the epitome of professionalism but, dig this, they really did not want J2EE with any assorted framework (they want to save some $$$ by not having to run a separate JBoss server) and I really do not like (read: don’t think it will look as nice as Ruby On Rails on my CV) PHP.
- Tentatively MySQL or PostgreSQL.
- The whole system will act as a file manager (if we are lucky, lots and lots of links to a file server; if we are not, a huge DB consisting of large BLOBs).
Not the best of designs (and perhaps I give a bit much of the game away), but please take a moment and reread the start of the article. The following questions can be raised:
- Since when does PIRATED software factor into the equation of software system design? What should count is the man-hours that can potentially be saved by a successful software project (i.e. a project that does the job it was assigned to do consistently enough, most of the time, all with narrow definitions of “enough” and “most of”).
- What happens if Greece takes a harder stance against piracy? What happens if someone tips the BSA? Are them guys in for a world of hurt or what?
- How can you explain the simplest of all benefits of Open Source, cost, when all software appears “free” to them? If they are unable to grasp this basic thing, how can you start to preach to them about the freedom of formats and no vendor lock-in?
- What is the point of using closed source software if you lose the benefit of support? Microsoft is taking the fight to pirates with the attack on Autopatcher and the WGA program. Since the client in question has had the same NT server since 1994, good luck keeping up with the patching (did I mention that some of the client machines have internet access?).
Linksys RV042 dual DSL aggregation in 5 easy steps
June 27, 2007
For this guide I will assume that you have a twin DSL connection and want to join them up using a Linksys RV042.
1) Put the modems in 1483 bridging mode
2) Using the web interface, connect to the RV042 device
3) Put the WAN interfaces on PPPoE and add the correct usernames/passwords (or any other data required by the ISP)
4) Turn ‘em on and let it rip (in other words, push the Connect button)
5) If you see that you can resolve names but do not get enough traffic through (i.e. large FTP listings, web pages with images and the works), set the MTU to 1480
Hope this helps someone out there.
Oracle sues SAP for hacking, data theft
March 25, 2007
, SecurityFocus 2007-03-22
Database and enterprise software firm Oracle filed a lawsuit on Thursday against German application maker SAP claiming that the European firm pilfered an enormous number of documents and software from Oracle’s customer-only support systems.
The lawsuit, filed after the close of SAP’s European business day, alleged that the German software maker and its subsidiaries used the usernames and passwords of former–and soon-to-be-former–Oracle customers to download more than 10,000 support documents between September 2006 and January 2007. In some cases, the activity appeared as a “systematic pattern of sweeping” Oracle’s database just days before a customer’s support contract was about to expire, downloading information for products that the customer did not have deployed.
Oracle traced the suspect activity to the Texas-based offices of customer support subsidiary SAP TN (formerly, TomorrowNow), which SAP purchased in January 2005. The company had provided support services for customers of PeopleSoft, an enterprise software maker that Oracle acquired earlier the same month. In its court filing, Oracle charged that SAP TN used the access to Oracle’s system to clone its support database and offer discounted services to former Oracle customers.
“In short, to try to ‘keep the pressure on Oracle,’ SAP has been engaged in a systematic program of unfair, unlawful, and deceptive business practices that continues to this day,” Oracle stated in the filing. “Through its legitimate and illegal business practices, SAP has taken Oracle’s Software and Support Materials and apparently used them to insinuate itself into Oracle’s customer base, and to attempt to convert these customers to SAP software applications.”
SAP was still analyzing the claims in the lawsuit and could not comment on the specific allegations, a company spokesperson stated in an e-mail to SecurityFocus.
“We have just been notified of the lawsuit, and have taken note of Oracle’s news release and what is on its Web site,” said spokesman Steve Bauer. “We are still reviewing the matter, and, until we have a chance to study the allegations, SAP will follow its standard policy of not commenting on pending litigation.”
Attacks on information systems for competitive intelligence have increasingly become a problem. In 2005, government and corporate information-security specialists detected a number of targeted attacks aimed at fooling knowledgeable employees. The number of attacks, many appearing to come from China, has only risen in the past 18 months.
Oracle and SAP have had a knock-down rivalry brewing ever since Oracle bought PeopleSoft and became a serious competitor to SAP, said Judith Hurwitz, president of analyst firm Hurwitz & Associates.
“Clearly these guys are going after each other pretty ferociously,” Hurwitz said. “For SAP to buy a company to undercut Oracle’s maintenance pricing … It clearly was to get access and knowledge of Oracle’s customer base, that is clearly why SAP bought them.”
Oracle’s lawsuit alleges that the purchase did not deliver enough. The 37-employee SAP TN focused mainly on sales and not on technical development, the filing claims. Instead, the company allegedly used the usernames and passwords of customers that the firm had lured away from Oracle to download a variety of technical materials.
“SAP employees used the log-in IDs of multiple customers, combined with phony user log-in information, to gain access to Oracle’s system under false pretexts,” Oracle stated in the filing. “Employing these techniques, SAP users effectively swept much of the contents of Oracle’s system onto SAP’s servers.”
In late 2006, Oracle noticed “huge, unexplained spikes” in the number of its customers that had kept searching for more information after receiving the initial results of a search. Moreover, the renewed search attempts occurred within seconds of each other, suggesting that the actions had been automated, not performed by a human.
“Oracle soon discovered that many of these ‘customers’ had taken massive quantities of Software and Support Materials beyond their license rights, over and over again,” the court filing states.
The conclusion caused Oracle to embark on an investigation into what was happening. The company allegedly found that the unauthorized access to its network originated from SAP’s computers, not from the customers whose credentials were used. Credentials assigned to electronics maker Honeywell, pharmaceutical giant Merck and industrial technology firm SPX were all used to access Oracle’s system, the software company stated.
Oracle’s lawsuit repeatedly points to wording in software and service license agreements that stipulate that the customer support material is proprietary and only for use by the firm’s customers.
The lawsuit makes eleven claims under the Computer Fraud and Abuse Act, economic espionage laws and regulations against unfair competition. The court filing does not specify what damages or penalties are sought by Oracle.
————————————————————————————————————————
First of all, I do not see how this is related to “hacking”. Using a client’s login details and creating a dummy user is not the epitome of the penetration testing art. Now, as far as I can tell, SAP is not a dirt-poor, cheap company operating from a ghetto basement using a stolen WiFi link. Being one of the largest software corporations, surely they can afford to buy an Oracle solution or two and then peruse the related documentation at will (or perhaps take it even further and reverse engineer the hell out of a competitor’s programs), hire and debrief a couple of Sr Engineers (human assets were always a crucial part of intelligence) and whatnot, being “sleazy” but staying well within the law. Using soon-to-be-former Oracle customer accounts and then downloading documentation directly onto their own servers? Come on, there are a ton of ways to anonymize traffic, and since they are committing “hacking” (the article’s wording, not mine, mind you), they must know that if they get caught red-handed there are many things at stake (including valuable corporate image). My assumption is that there is perhaps a rogue element within SAP, as from a senior managerial perspective this move is suicide. The fact that this appears to be a low-tech attack (once again, it is not like SAP cannot afford a highly technical yet amoral person) strengthens this notion further. Perhaps a couple of bored techies under the command of a middle-level manager at best? It just does not make sense. Anyway, this will be a subject that I will keep my eyes on.