matt | June 6, 2013
It looks like September was my last blog post.
The problem with trying to keep up with blogging about things is that it proves difficult when one is actually doing things.
Firstly, I want to apologize for flooding various folks’ LJ friends page with an “all Matt, all the time” session. When I set up my new blog software, I imported my LJ posts with generic categories. In fits and spurts, I’ve been going through and recategorizing them. However, I still have something like 500 old posts to go through and fix up. Apparently, however, when I do that, it causes them to be ordered by modification date, not original posting date, in some peoples feeds. In the future, when I make those changes, I won’t go changing the LJ side of things, just the wordpress side.
In other news, after getting fed up with my venerable WRT54G routers running out of RAM and periodically rebooting, I bought A TP-Link WDR4300, selected because of its large amount of RAM and the fact that it runs OpenmWrt.
Finally, in case anyone ever doubted that my paranoia and predilection towards cryptofetishism was justified, they are watching. Not that this is new, of course – Carnivore, anyone?
Anyway, I will endeavor to publish more frequently – I’ve just been busy living life and all that jazz. Perhaps I shall install the WordPress app on my tablet, and that will make life easier.
matt | June 8, 2011
Skimmers and keypad overlays installed on ATMs, on the swipe cards to get in to the ATM area, and on fuel pumps.
matt | February 17, 2009
People can send an email and p0wn your Exchange server.
Meanwhile, an enterprising individual has found a way to compromise Linux boxen, and talks about how Linux users should stop being so haughty, because they're not invulnerable either.
Let's see.. remote server compromise from anyone sending an email to your server vs. an exploit where you have to trick a user into opening an email, saving the attachment, and then clicking on it.
I think I'll continue to be haughty, thanks.
(And with regards to that compromise, I'll just say that “you can't fix stupid”.)
matt | January 25, 2009
I know I harp on this a lot, and make broad, sweeping statements about “Windows is insecure as a side-effect of its design and it's really hard to make it secure without breaking stuff”.
Well, don't take my word for it, read what this guy, who used to write adware says.
Specifically, things like:
At the same time, we also made a virtual process executable. I’ve never heard of anybody else doing this before. Windows has this thing called Create Remote Thread. Basically, the semantics of Create Remote Thread are: You’re a process, I’m a different process. I call you and say “Hey! I have this bit of code. I’d really like it if you’d run this.” You’d say, “Sure,” because you’re a Windows process– you’re all hippie-like and free love. Windows processes, by the way, are insanely promiscuous. So! We would call a bunch of processes, hand them all a gob of code, and they would all run it. Each process would all know about two of the other ones. This allowed them to set up a ring … mutual support, right?
We also wrote a device driver and then a printer driver. When you write a device driver you get to do all sorts of crazy things, even crazier than the things you typically get to do in Windows.
Now, I'm not saying Unix (either System V or BSD, the latter which includes OSX) or Linux are perfect. However, the fact that all of these systems were designed from the get-go as multi-user, and a lot of time and effort has been paid to protect and isolate processes from each other, puts them ahead of Windows in this regard.
Remember, when Microsoft advertising talks about how great Windows is as a platform, and how it's easy to attach to and debug running processes and write multiprocess applications with easy interprocess communication, this should translate to: It allows one application to steal data from another!
(Processes talking to each other is fine, but the danger is when any process can talk to any other running process, without both processes expecting/wanting it. Another facet of this are various DLL injection techniques).
matt | January 18, 2009
- SSH to a machine via other machines. This is very useful when hitting machines through the one machine with port 22 forwarded to it. Sure, you can specify an alternate port, but this would allow you to set up convenient aliases ahead of time, which is nice.
Set up pam_ssh – login automatically unlocks your key (which is, likely
not a good idea).
matt | December 21, 2008
The pastor for the church running this gun turn in was on the news saying “each one of these guns turned in saved someone's life”.
Congratulations – you just called everyone who turned in a gun a murderer.
matt | August 9, 2008
Following various vulnerabilities recently in Firefox (which concerns me) and IE (which doesn't, but it might concern you) which allow for the stealing of all saved passwords from your browser, regardless of whether you've set a master password or not, I have decided that it is not safe to store passwords in your browser (and likely never was), because of the potential ability of things to steal them.
Further, there are applications for which one needs to save passwords but are not accessed through a browser. Quite frankly, I'm running out of brain space for all my passwords, and have started to re-use the same ones. This is not good.
Enter Keepassx, which is a *nix port of Keepass. The version in hardy is pretty old, so I've added this PPA to my sources.list which has an updated version. Further, I've managed to import all my saved passwords by exporting them using password exporter fed into a modified version of this script which I have reposted here.
Seems to be working well.
I need to go make pizza for supper now.
matt | May 3, 2008
I was issued a new Discover card. I call in to activate the new card and actually have to talk to a rep instead of using the automatic menu system.
This is annoying, and I mention it.
I was told that the reason I had to talk with a rep was because of the security issue.
What security issue?
Well, apparently, someone with whom I did business got hacked and my information may or may not have been leaked.
Hmmm.. Will they tell me who it is?
That should be illegal. They should be required by law to disclose potential security breaches of which they have been advised related to my account.
But, of course they don't want to. One, it would scare folks into not using their Credit Cards. Two, it would negatively affect the company which had the breach, and they don't want to be responsible for that.