The Critical Analysis

So even ING goes down sometimes

2011-09-06T11:38:00.000-05:00

Currently the login page redirects to
https://home.ingdirect.com/unavailable_content.html

Under the guise of maintenance....

This area is undergoing maintenance and currently unavailable.
We've got the guys with pocket protectors working to upgrade your web experience as we speak. We apologize for the inconvenience. Please try back later. Or, feel free to check out some of our most popular pages.

Oh well......

Fundamental Business Principals

2011-06-14T12:30:00.000-05:00

Buy items that appreciate in value; rent those that depreciate.
If its too good to be true, don't.
That which is free, costs.
A pressured decision will always rupture.
Fast. Cheap. Perfect.........Pick two.

Finding Duplicates in Excel

2011-06-07T08:57:00.000-05:00

One of my customers wanted to do the same type of summary in an Excel spreadsheet. We were both surprised that there was no function like this in Excel. But after a few Google searches I came up with a workaround that lets an Excel formula do the same thing as the Distinct Count summary function in Crystal:

=SUMPRODUCT((A1:A99<>"")/COUNTIF(A1:A99,A1:A99&""))

You replace the three sample ranges “A1: A99″ with whatever your data range is. I am not sure I could explain why it works, but it does.

Dropbox: Not recommended for business or secure financial or private medical organizations.

2011-04-13T12:36:00.000-05:00

Two disturbing issues have been found in the authentication and privacy of Dropbox.

The first from Derek Newton, Titled Dropbox authentication: insecure by design, reads as follows, quoted in its superb entirety

For the past several days I have been focused on understanding the inner workings of several of the popular file synchronization tools with the purpose of finding useful forensics-related artifacts that may be left on a system as a result of using these tools. Given the prevalence of Dropbox, I decided that it would be one of the first synchronization tools that I would analyze, and while working to better understand it I came across some interesting security related findings. The basis for this finding has actually been briefly discussed in a number of forum posts in Dropbox’s official forum (here and here), but it doesn’t quite seem that people understand the significance of the way Dropbox is handling authentication. So, I’m taking a brief break in my forensics-artifacts research, to try to shed some light about what appears to be going on from an authentication standpoint and the significant security implications that the present implementation of Dropbox brings to the table.

To fully understand the security implications, you need to understand how Dropbox works (for those of you that aren’t familiar with what Dropbox is – a brief feature primer can be found on their official website). Dropbox’s primary feature is the ability to sync files across systems and devices that you own, automatically. In order to support this syncing process, a client (the Dropbox client) is installed on a system that you wish to participate in this synchronization. At the end of the installation process the user is prompted to enter their Dropbox credentials (or create a new account) and then the Dropbox folder on your local system syncs up with the Dropbox “cloud.” The client runs constantly looking for new changes locally in your designated Dropbox folder and/or in the cloud and syncs as required; there are versions that support a number of operating systems (Windows, Mac, and Linux) as well as a number of portable devices (iOS, Android, etc). However, given my research is focusing on the use of Dropbox on a Windows system, the information I’ll be providing is Windows specific (but should be applicable on any platform).

Under Windows, Dropbox stores configuration data, file/directory listings, hashes, etc in a number of SQLite database files located in %APPDATA%\Dropbox. We’re going to focus on the primary database relating to the client configuration: config.db. Opening config.db with your favorite SQLite DB tool will show you that there is only one table contained in the database (config) with a number of rows, which the Dropbox client references to get its settings. I’m going to focus on the following rows of interest:

email: this is the account holder’s email address. Surprisingly, this does not appear to be used as part of the authentication process and can be changed to any value (formatted like an email address) without any ill-effects.
dropbox_path: defines where the root of Dropbox’s synchronized folder is on the system that the client is running on.
host_id: assigned to the system after initial authentication is performed, post-install. Does not appear to change over time.
After some testing (modification of data within the config table, etc) it became clear that the Dropbox client uses only the host_id to authenticate. Here’s the problem: the config.db file is completely portable and is *not* tied to the system in any way. This means that if you gain access to a person’s config.db file (or just the host_id), you gain complete access to the person’s Dropbox until such time that the person removes the host from the list of linked devices via the Dropbox web interface. Taking the config.db file, copying it onto another system (you may need to modify the dropbox_path, to a valid path), and then starting the Dropbox client immediately joins that system into the synchronization group without notifying the authorized user, prompting for credentials, or even getting added to the list of linked devices within your Dropbox account (even though the new system has a completely different name) – this appears to be by design. Additionally, the host_id is still valid even after the user changes their Dropbox password (thus a standard remediation step of changing credentials does not resolve this issue).

Of course, if an attacker has access to the config.db file (assuming that it wasn’t sent by the user as part of social engineering attack), the assumption is that the attacker most likely also has access to all of the files stored in your Dropbox, so what’s the big deal? Well, there are a few significant security implications that come to mind:

Relatively simple targeted malware could be designed with the specific purpose of exfiltrating the Dropbox config.db files to “interested” parties who then could use the host_id to retrieve files, infect files, etc.
If the attacker/malware is detected in the system post-compromise, normal remediation steps (malware removal, system re-image, credential rotation, etc) will not prevent continued access to the user’s Dropbox. The user would have to remember to purposefully remove the system from the list of authorized devices on the Dropbox website. This means that access could be maintained without continued access/compromise of a system.
Transmitting the host_id/config.db file is most likely much smaller than exfiltrating all data found within a Dropbox folder and thus most likely not set off any detective alarms. Review/theft/etc of the data contained within the Dropbox could be done at the attackers leisure from an external attacker-owned system.
So, given that Dropbox appears to utilize only the host_id for authentication by design, what can you do to protect yourself and/or your organization?

Don’t use Dropbox and/or allow your users to use Dropbox. This is the obvious remediating step, but is not always practical – I do think that Dropbox can be useful, if you take steps to protect your data…
Protect your data: use strong encryption to protect sensitive data stored in your Dropbox and protect your passphrase (do not store your passphrase in your Dropbox or on the same system/device).
Be diligent about removing old systems from your list of authorized systems within Dropbox. Also, monitor the “Last Activity” time listed on the My Computers list within Dropbox. If you see a system checking in that shouldn’t be, unlink it immediately.
Hopefully, Dropbox will recognize the need for additional security and add in protection mechanisms that will make it less trivial to gain long-term unauthorized access to a user’s Dropbox as well as provide better means to mitigate and detect an exposure. Until such time, I’m hoping that this writeup helps brings to light how the authentication method used my Dropbox may not be as secure as previously assumed and that, as always, it is important to take steps to protect your data from compromise.

And then we have a legal issue from slight paranoia, Titeled How Dropbox sacrifices user privacy for cost savings, reads as follows, again quoted in its entirety

Dropbox, the popular cloud based backup service deduplicates the files that its users have stored online. This means that if two different users store the same file in their respective accounts, Dropbox will only actually store a single copy of the file on its servers.

The service tells users that it "uses the same secure methods as banks and the military to send and store your data" and that "[a]ll files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password." However, the company does in fact have access to the unencrypted data (if it didn't, it wouldn't be able to detect duplicate data across different accounts).

This bandwidth and disk storage design tweak creates an easily observable side channel through which a single bit of data (whether any particular file is already stored by one or more users) can be observed.

If you value your privacy or are worried about what might happen if Dropbox were compelled by a court order to disclose which of its users have stored a particular file, you should encrypt your data yourself with a tool like truecrypt or switch to one of several cloud based backup services that encrypt data with a key only known to the user.

Introduction

For those of you who haven't heard of it, Dropbox is a popular cloud-based backup service that automatically synchronizes user data. It is really easy to use and the company even offers users 2GB of storage for free, with the option to pay for more space.

The problem is, offering free storage space to users can be quite expensive, at least once you gain millions of users. In what I suspect was a price-motivated design decision, Dropbox deduplicates the data uploaded by its users. What this means is that if two users backup the same file, Dropbox only stores a single copy of it. The file still appears in both users' accounts, but the company doesn't consume storage space nor upload bandwidth on a second copy of the file.

The company's CTO described the deduplication in a note posted in the "Bugs & Troubleshooting" section on the company's web forum last year:
Woah! How did that 750MB file upload so quickly?

Dropbox tries to be very smart about minimizing the amount of bandwidth used. If we detect that a file you're trying to upload has already been uploaded to Dropbox, we don't make you upload it again. Similarly, if you make a change to a file that's already on Dropbox, you'll only have to upload the pieces of the file that changed.

This works across all data on Dropbox, not just your own account. There are no security implications [emphasis added] - your data is still kept logically separated and not affected by changes that other users make to their data.
Ashkan Soltani was able to verify the deduplication for himself a couple weeks ago. It took just a few minutes with a packet sniffer. A new randomly generated 6.8MB file uploaded to dropbox lead to 7.4MB of network traffic, while a 6.4MB file that had been previously uploaded to a different dropbox account lead to just 16KB in network traffic.

Claims of security and privacy

There are long standing privacy and security concerns with storing data in the cloud, and so Dropbox has a helpful page on their website which attempts to address these:
Your files are actually safer while stored in your Dropbox than on your computer in some cases. We use the same secure methods as banks and the military to send and store your data.

Dropbox takes the security of your files and of our software very seriously. We use the best tools and engineering practices available to build our software, and we have smart people making sure that Dropbox remains secure. Your files are backed-up, stored securely, and password-protected.

Dropbox uses modern encryption methods to both transfer and store your data...

All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password

Reading through this document, it would be easy for anyone but a crypto expert to get the false impression that Dropbox does in fact protect the security and privacy of users' data. Many users and even the technology press will not realize that AES-256 is useless against many attacks if the encryption key isn't kept private.

What is missing from the firm's website is a statement regarding how the company is using encryption, and in particular, what kinds of keys are used and who has access to them.

Encryption and deduplication

Encryption and deduplication are two technologies that generally don't mix well. If the encryption is done correctly, it should not be possible to detect what files a user has stored (or even if they have stored the same file as someone else), and so deduplication will not be possible.

Dropbox is likely calculating hashes of users' files before they are transmitted to the company's servers. While it is not clear if the company is using a single encryption key for all of the files users' have stored with the service, or multiple encryption keys, it doesn't really matter (from a privacy and security standpoint), because Dropbox knows the keys. If the company didn't have access to the encryption keys, it wouldn't be able to detect duplicate files.

While the decision to deduplicate data has probably saved the company quite a bit of storage space and bandwidth, it has significant flaws which are particularly troubling given the statements made by the company on its security and privacy page.

Cloud backup providers do not need to design their products this way. Spideroak and Tarsnap are two competing services that encrypt their users' data with a key only known to that user. These companies have opted to put their users' privacy first, but the side effect is that they require more back-end storage space. If 20 users upload the same file, both companies upload and store 20 copies of that file (and in fact, they have no way of knowing if a user is uploading something that another user has backed up).

Why is this a problem?

As Ashkan Soltani was able to test in just a few minutes, it is possible to determine if any given file is already stored by one or more Dropbox users, simply by observing the amount of data transferred between your own computer and Dropbox's servers. If the file isn't already stored by Dropbox, the entire file will be uploaded. If Dropbox has the file already, just a few kb of communication will occur.

While this doesn't tell you which other users have uploaded this file, presumably Dropbox can figure it out. I doubt they'd do it if asked by a random user, but when presented with a court order, they could be forced to.

What this means, is that from the comfort of their desks, law enforcement agencies or copyright trolls can upload contraband files to Dropbox, watch the amount of bandwidth consumed, and then obtain a court order if the amount of data transferred is smaller than the size of the file.

Last year, the New York Attorney General announced that Facebook, MySpace and IsoHunt had agreed to start comparing every image uploaded by a user to an AG supplied database of more than 8000 hashes of child pornography. It is easy to imagine a similar database of hashes for pirated movies and songs, ebooks stripped of DRM, or leaked US government diplomatic cables.

Responsible Disclosure

On April 1, 2011, Marcia Hofmann at the Electronic Frontier Foundation contacted Dropbox to let them know about the flaw, and that a researcher would be publishing the information on April 12th. There are plenty of horror stories of security researchers getting threatened by companies, and so I hoped that by keeping my identity a secret, and having an EFF attorney notify the company about the flaw, that I would reduce my risk of trouble.

At 6:15PM west coast time on April 11th, an attorney from Fenwick & West retained by Dropbox left Marcia a voicemail message, in which he reveled that: "the company is updating their privacy policy and security overview that is on the website to add further detail."

Marcia spoke with the company's attorney this morning, and was told that the company will be updating its privacy policy and security overview to clarify that if Dropbox receives a warrant, it has the ability to remove its own encryption to provide data to law enforcement.

While I want to praise the company for being willing to clarify the security statements made on its website, I hope this will be a first step on this issue, and not the last.

It is unlikely that the millions of existing Dropbox users will stumble across the new privacy policy in their regular web browsing. As such, the company should send out an email to its users to let them know about this flaw, and advise them of the steps they can take if they are concerned about the privacy of their data.

I also urge the company to abandon its deduplication system design, and embrace strong encryption with a key only known to each user. Other online backup services have done it for some time. This is the only real way that data can be secure in the cloud.

You are encouraged to follow and contribute to the discussion at those locations above.

Email disclaimers are as useless as they look

2011-04-13T08:27:00.003-05:00

So over at economist they have a great writeup on those legal disclaimers you see in business like emails. No need for them really, so any more requests for Exchange disclaimers, or the like will first be directed to here, if you still want it, well, we will do. The customer is always right.

“IF THIS e-mail is received in error, notify the sender immediately.” “This e-mail does not create an attorney-client relationship.” “Any tax advice in this e-mail is not intended to be used for the purpose of avoiding penalties under the Internal Revenue Code.” Many firms—The Economist included—automatically append these sorts of disclaimers to every message sent from their e-mail servers, no matter how brief and trivial the message itself might be.

Very common, and annoying in long email exchanges.

E-mail disclaimers are one of the minor nuisances of modern office life, along with fire drills, annual appraisals and colleagues who keep sneezing loudly. Just think of all the extra waste paper generated when messages containing such waffle are printed. They are assumed to be a wise precaution. But they are mostly, legally speaking, pointless. Lawyers and experts on internet policy say no court case has ever turned on the presence or absence of such an automatic e-mail footer in America, the most litigious of rich countries.

Many disclaimers are, in effect, seeking to impose a contractual obligation unilaterally, and thus are probably unenforceable. This is clear in Europe, where a directive from the European Commission tells the courts to strike out any unreasonable contractual obligation on a consumer if he has not freely negotiated it. And a footer stating that nothing in the e-mail should be used to break the law would be of no protection to a lawyer or financial adviser sending a message that did suggest something illegal.

So why are the disclaimers there? Company lawyers often insist on them because they see others using them. As with Latin vocabulary and judges’ robes, once something has become a legal habit it has a tendency to stick. Might they at least remind people to behave sensibly? Michael Overly, a lawyer for Foley & Lardner in Los Angeles, thinks not: the proliferation of predictable yada-yada at the bottom of messages means that people have long since stopped paying any attention to it.

If you must, link to your company Terms of Service (TOS), make it a short link

How is that for file size?

2011-03-30T14:00:00.002-05:00

Thats like 274 TB!

My Google Reader stats

2010-12-12T17:08:00.003-05:00

I just happened to check my trends in Google reader.
WOW, what a waste of time...

FAKE: Blackberry messenger (PIN Chat) alerts, do not continue the madness.

2010-12-06T12:15:00.005-05:00

Several people have sent this to me, please don't. Blackberry will not send out messages like this.

This is the real broadcast from Blackberry© All rights reserved.
Broadcast this message to every single contact on your BBM© to reset your display picture, sorry for any inconvenience.
‎This message is to inform all of our users, that our servers have recently been really full, so we are asking for your help to fix this problem. We need our active users to re-send this message to everyone on your contact list in order to confirm our active users that use BlackBerry Messenger, if you do not send this message to all your BlackBerry Messenger contacts then your account will remain inactive with the consequence of losing all your contacts
Symbol will automatic update in your  ,when you broadcast this message. Your blackberry will be updated within 24 hours it will have a new lay out and a new color for chat.
‎Dear Blackberry users, We are going to do a update for bbm from 11pm till 5am this to day. You if you don't send this to all your contacts your update will be cancelled and you would not be alowed to chat with your contacts as you have the old version

Update: Snopes has more info here

VBS script to create shortcut to network location

2010-09-27T10:21:00.001-05:00

Set objShell=Wscript.CreateObject("Wscript.shell")
strDesktopFolder=objShell.SpecialFolders("Desktop") & _
"\"
Set objShortcut=objShell.CreateShortcut(strDesktopFolder & _
"Company Files.lnk")
objShortCut.TargetPath = "\\server\Folder"
objShortCut.Description = "Company Files Description"
objShortCut.Save

Whats wrong with this question?

2010-09-27T10:12:00.003-05:00

Took this test a short while ago, note the 2007 Copyright.
Anyway there is something very wrong with this question, can you figure out what it is?

Hosted CRM Comparison

2010-07-06T15:06:00.004-05:00

Part of a new product launch, I decided to embark on a journey. Hopefully my travels will save you time, since I wasted pleanty of mine.

So first I stated with SugarCRM. Its hailed as the gold standard almighty CRM. Sorry, It aint!
Its basically a fat Rolodex that all your company can use to keep track of contacts. I tested the community edition, the paid versions may have more. In any case it left a bad taste in my mouth, so much so I did not bother with the paid versions.

Moving along

vTiger: Touted as the alterntove to SugarCRM but "really free" It is actually almost identical, but has some of the advanced features I was looking for. But still it did not feel right, just clunky and not exactly user friendly.

Finally I buckled and tried MS Dynamics CRM. So first it is not free and not cheap, but wow. It just blew me away. Unreal. So ya I tried the free, but you get what you paid for.

If you are serious about your business you would go with the top, even if its not free, it will make more money for you.

Migrate old computer to new computer, with all users data

2010-06-08T21:07:00.011-05:00

So I have an old computer from a client, and need to collect all pictures and files, but not all the junk of the old computer. So utilizing 7z v9.14, (~~Still in beta as of now~~) and the command line I can maintain the folder structure and grab all those file in one swoop. This is something that I could not get xcopy to do, so I 7Z saved the day.

Anyway here is my command line

"C:\Program Files\7-Zip\7z" a -tzip "\\server\Files.zip" -r c:\*.pdf c:\*.jpg c:\*.doc c:\*.docx c:\*.xls c:\*.xlsx c:\*.mp3 c:\*.rax c:\*.mov c:\*.wma c:\*.ppt c:\*.pptx c:\*.mdb c:\*.accdb c:\*.gif c:\*.efx c:\*.pst c:\*.nk2 c:\*.rdp c:\*.wav c:\*.zip c:\*.avi c:\*.qbw c:\*.qbb c:\*.ost c:\*.one c:\*.odt c:\*.ods c:\*.odp c:\*.odb c:\*.odg c:\*.odf c:\*.wmv c:\*.tax c:\*.bkf

UPDATE 06/10/2011: Added new file extensions

Note that you can add any file types to suit your needs, my client only needed the above files. Modify as you see fit.

~~Or you can use Windows Easy Transfer. But there is no fun in that ;)~~ - Dead

If you spot an error or a better way, please comment!

Spotted driving down the highway

2009-12-02T20:46:00.004-05:00

The stool bus!

When I got home I noticed the other two slogans and this made my day!

"we're #1 in the #2 Business"
and
"Urine A-1 Hands, With us!"

Rescue CD 3.11

2009-09-25T12:16:00.001-05:00

F-Secure is awesome.
They just updated the Rescue CD, add some cool new tools.
YAY.

Looks like all of gmail and google apps is down as of right now

2009-09-01T14:48:00.006-05:00

Waaaaahhhhh, still down...........

Mandatory Ingenuity

2009-08-23T19:46:00.007-05:00

One of the perils of living in an older home is that some times the floor is slanted such that everything must be shored up. Kinda like living on a ship.
On a recent trip to a friend in such a home I snapped these two brilliant solutions. What happens when the book shelf fits, but not quite at the same elevation :)

ING Direct has a sense of humor

2009-07-29T12:56:00.003-05:00

"We gave our site a minor facelift. So if you notice anything different, don't freak out. You're in the right place."

Offline Defrag of Exchange 2000

2009-06-29T06:48:00.001-05:00

cd C:\Program Files\Exchsrvr\MDBDATA\
eseutil /d /p "c:\program files\exchsrvr\mdbdata\mailbox store.edb" /t"H:\tempdfg.edb"

Take your time, just 10 hours to go....

2009-06-05T11:47:00.003-05:00

Trend Micro Messaging Security agent Installation.

(Snagged at a client site)

Love it

2009-05-18T12:32:00.002-05:00

HP updating firmware

2009-04-02T10:44:00.003-05:00

Had a client call with a scanning issue on a HP all in one printer/scanner.
I figured I might as well update firmware. Download, double click, pick printer, and hit send firmware......progress bar slowly creeps along, me getting kinda nervous................hmmm............ bingo I get the smiley.
Cute.
Thanks HP

SugarExchange: Product Details

2009-03-23T15:41:00.000-05:00

SugarExchange: Product Details
This is a potential power add on that should work well if I do ever get Sugar CRM installed.
Right now I am having a hard time with
The session.save_path setting in your php configuration file (php.ini) is not set or is set to a folder which did not exist. You might need to set the save_path setting in php.ini or verify that the folder sets in save_path exist.

So, who is Gene Sperling?

2009-02-10T22:42:00.003-05:00

In the name of transparency the government has a shiny new web site about the "Stimulus" Package, scroll down to the Fact sheet. By Gene Sperling. He is the author of the new Financial Stability Plan Fact Sheet.
He might me this Gene Sperling. That's scary! Now he works for Obama, somehow.

Federal Bail Out Paralysis

2009-02-06T14:38:00.005-05:00

Of the two methods to help the economy, the federal infusion of capital is logically the best choice.

What better way to get things moving again than by have your best "Customer", the Fed, put in a big order (a bridge painted, and road fixed) to the company (you and me).

However.

In all government projects of this scale, there is fraud, corruption and the legendary government efficiency. That sets back the stimulation by %50. Now it ain't so pretty.

So a 800 Billion dollar project is now 400 Billion.

So then there is plan B

Tax cuts. While not a sure fire way of boosting the economy, its actuality the best option and most efficient per dollar.

Now about that paralysis; Doing neither is the worst. A struggling entity that may receive a load of cash in the future can now sit back and claim full stop we are doomed. There is no incentive to figure out the hardship, work it out. This then breeds victim-hood attitudes and further deteriorates our economy.

Thanks Obama.......but no thanks.

OpenDNS Updater is annoying again

2009-02-05T09:17:00.004-05:00

I love the service, but OpenDNS updater is truly annoying.
I may switch...........