TKO - Built for disaster

Screw you bapple!

noreply@blogger.com (tko) — Fri, 02 Sep 2011 20:18:00 +0000

Yes.. it took me a while. Several hours. I just cannot understand why Apple is allowed to call their sync for 'sync'... It is not even near to sync. It is "copy stuff from your computer assigned to your phone gadget"... Sucks. Sync for me is: check both sides - if anything is different, change according to configuration established earlier, unless changed thru some kind of configuration aid... Oh my... I will kill someone soon...

iPhone, iPad, i Mac and I

noreply@blogger.com (tko) — Fri, 02 Sep 2011 19:28:00 +0000

I just can't see it. Oh well... I actually can, but hey.

You all know I have been blessed with i-whatevers since I got a new job. I even got a preview of iPhones with my my last position as I wrote a company baseline for iPhones. And yes, I can relate to the user friendliness with these gadgets.

So being a hardcore Unix dude I have gotten a lot of questions and comments about going into this user friendly space called Apple and I have always said yeah yeah... but wait a minute... yeah! Because Mr. Jobs has been right all the way, all the time. And now he has resigned... I have thought about that too but later.

I do NOT like Steve Jobs to dictate how I am supposed to use my phone. I do NOT accept that he is censoring applications I can install on my phone. That is just disgusting, and comparable with any dictatorship. So there! I'll bite my thumb to you any day!

But wait... I don't recall me being root on my Nokia 3310 or Ericsson whatever...

Oh. They were phones, not PC-gadgets. This is true. I can accept my iPhone as a gadget and a social connections, but as a phone it really sucks. Nokia beats the phone part with hands tied behind the neck. And I know there are chips that make your voice SOOO much better. And worse, they are in the phones. This is just politics...

I will come back to my Apple thoughts...

So I quit my job - and started a new

noreply@blogger.com (tko) — Mon, 29 Aug 2011 16:15:00 +0000

It was about time. I was closing to eight years in the same company. Starting as a Unix SysAdm and when I left I was in charge of Operational Security. Day2day means dealing with practical questions and be prepared for the worst with my GCIH in my backpack as a safe net. Needless to say I was very proud of my job, and (I hope) skilled. I have done security related work since late 1980's with computers and there has always been something new to learn, experience and look forward upon. But then came the big wave.

That big wave came, not as a shockwave, but as a slowly growing tidal wave and it swept all engagement and will away. The epicenter of that tsunami was politics. I had grown and roots were stuck. I was stuck. I felt like a Jeep in muddy waters where grey water started pressing its way into the Jeep and all I could do was sit there and watch. I wasn't even in the driver's seat. And it just kept coming in.

I told my boss a year ago that this couldn't go on. I need someone else to help me out. I cannot do this all by myself. We have thousands of servers and you rely on me? That is just ridiculous. What if I break my neck in a motorcycle accident? Or want a holiday?

Talking to deaf ears... No response. I had been promised a colleague for two years, my patience was running on fumes. So I planted a few seeds at companies I knew I liked and specialized in security, and had the same values, and customers that understand what they are buying and not just going by some kind of security hype rumors. I also told these companies that I'm not going to join them and sit down at the office and wait for assignments. I am there to work and I want them to have assignments ready with companies that can appreciate my work, as opposed to my former employer.

It took the better part of a year. But it's done. I quit my job in favor for a place where I feel my knowledge is appreciated and have a few assignments to choose from. On the other hand my former boss realized (too late) that my work was pretty important so he had to hire me as a consultant to fill the gap between me leaving and my replacement to start. I have no problems what so ever to stay on. My workmates are still fun, skilled and a joy to work with. What I can tell you though, my former boss is paying a lot for this... like three times my former salary. Good on him!

Who's to blame?

noreply@blogger.com (tko) — Wed, 03 Aug 2011 21:01:00 +0000

OK... let's lay out the facts: User has a company policy using IE8. Same company has an internal web site using Microsoft web server and MS-SQL backend. This is all fine, as I see it, since it would all fit together as all components are delivered from the same source. And here comes the ridiculous part: It's a clash. In order to display a page it can take up to 20 minutes, yes MINUTES, before you can start working.

My opinion is that if it takes more than 5 seconds before a web page is completely downloaded and displayed there is something wrong with some part of the design. If it is the web design, or the the engine itself, or the backend DB is unimportant, what happens is the user gets out of focus and uninterested, if not straight out frustrated. And if this is a site where you need to attend a lot at times there will be annoyance to say the least.

So, let's call the IT helpdesk, which happens to be in another country where these things are a bit cheaper than Europe. Person on the other end is very helpful and offers to help out in various ways, which in the end fucks IE8 up totally, and you get the comment: "Oh dear, something is really wrong, you need to call someone to help you out". And, well... I actually thought I was doing just that... So the next suggestion is to call the local support (who should be in by now, I start working early) since they are closer to you, have access to your computer, and so are prone to better solve your problem (and so I wonder what we are paying these other guys anything at all, since they got access to my computer too).

Computer guys - where are you? Let's just say the TV show "IT Crowd" is not far from ours, only "IT Crowd" seems to be based on ours, and the TV version has taken out the worst parts.

And the answer is: You need to downgrade to IE7. It is an IE problem.

And the IT department says: You need to use IE8 in order for getting support.

Same guys. None of them refuse to even reflect upon the fact that it takes up to 20 MINUTES to refresh the page?

OK. These are not the programmers of the web page scripts (which call the DB) but the same company.

I could go on and on and on about this. I have been helping out in audits and problem solving in numerous cases and it almost always (I could say 95% of times but I have no hard facts to present) boils down to:

- Talk to one another
- Don't be so bloody proud
- Ask questions
- Listen to the answers
- Don't be afraid to look outside your comfort zone
- Lessons to learned from helps you in the future
- Knowledge needs to be forwarded

All of this will get you through the day on an easier basis and make your life easier. I have not yet gotten the answer of the problem described above. But my opinion is that it is not an IE8 problem (since IE8 and IE[1-7] translates HTML differently). I've tried the code on Firefox 5.0.1 and it works as expected. Programmers need to understand that browsers, and browser versions, translate code in different ways, and so, if company policy is IE7 or 8, or both, their code has to work for both version, or at least the latest version, otherwise they have done wrong.

If this would have been on the Internet, other rules would apply. But the overall rule would be... Keep It Simple Stupid.

Test ---->

noreply@blogger.com (tko) — Wed, 01 Jun 2011 11:18:00 +0000

noreply@blogger.com (tko) — Mon, 25 Oct 2010 13:53:00 +0000

Intel buys McAfee - help me out here!

noreply@blogger.com (tko) — Fri, 20 Aug 2010 05:52:00 +0000

OK... I don't know what to think about this. Exactly where does Intel position McAfee in their portfolio? I guess I will see a ton of posts on this in days to follow. But right now I have not got a clue...
Update 2010-08-24: Thank you, arstechnica, coming to my rescue and bringing some sense into the acquisition. Quote: "The company thinks that they can do security better than a software vendor alone could, and they believe this because they know that security is about systems—not just hardware or software, but services, practices, policies, and user experiences and expectations."
By keeping McAfee as a branded subsidiary they probably feel they will have an edge owning the whole chain up to the customer. But what happens if AV becomes the weakest link in the chain, if McAfee loses momentum and some other AV manufacturers run much faster? Are the customers bound to stick to McAfee/Intel products because they are so closely knitted together?

Oh happy day! Is he on drugs, or what?

noreply@blogger.com (tko) — Tue, 03 Aug 2010 11:41:00 +0000

Lately there has been debate and discussions on Wikileaks and the controversy of publishing information on US Force's behavior in Afghanistan. The leak has been pointed out as Bradley Manning, a US Army Intelligence Analyst. Now new informations has come out saying Adrian Lamo, who turned in Manning, is a member of the highly secretive organization called Project Vigilant. How credible they are, I can't answer, but it seems they have been given a huge mandate to work "behind the scenes" and the leaders of this pack are Homeland Security, NSA, DOJ etc seniors... Makes you scared, huh? But I when I was directed to this interview on BBC, which includes commentary from the beforementioned hacker Adrian Lamo, my heart truly skipped a few beats. What if all the voluntary guys and gals are like him? What do they get fed? I can't think their fringe benefits can be healthy...

Tightening the thumbscrews

noreply@blogger.com (tko) — Thu, 01 Jul 2010 12:36:00 +0000

VISA set a deadline for smaller companies for PCI compliance to yesterday in the US. Bigger dragons have until September 30th to comply. It is not an easy task to comply to the 230 (approximately) requirements in the PCI-DSS. Not for your local news dealer at the corner, nor for the huge department store downtown.

What if the energetic guy selling cigarettes and magazines since 40 years for your dad and you actually cannot understand or is not capable (moneywise or otherwise) of complying? Weird stuff in that self assessment document, strange words... Does this mean a lot of these smaller shops will disappear? Will there be any more local stores thanks to this? It is a sad thought. I love to get my papers and bread from a local dealer.

On the other hand what if they won't comply? The story tells that small businesses are a bigger target than the larger ones in hacking. Logical, since the smaller ones are probably not as aware of patching or updating, or firewalls or viruses or whatnot. Whereas the bigger companies have specialists for these kind of gadgets.

It is a Catch 22. And not a pleasant one.

Why do you do it?

noreply@blogger.com (tko) — Mon, 28 Jun 2010 13:47:00 +0000

I was just thinking about why people are so stubborn. When I went, for the first time, to Amsterdam as a teenager my dad said fine, go there, but don't go near the Red Light district, you'll be robbed. So I went down to Amsterdam, and coming out from the central station I walked down the street looking for a cheap place to stay. I found a youth hostel called Bobby's (which I later discovered was quite legendary), checked in, left my back pack behind the reception and asked for the directions to the Red Light District. So much for the good advice from my dad.

I didn't get robbed, but I soon discovered that there were ladies sitting in the windows, offering the time of my life for a special price. As I was window shopping a number of guys (always guys) came up to me offering the time of my life with a little help from different substances. Well, I wasn't there for either of those, even if a few of the guys really insisted that I needed what they had to offer and wouldn't take a no for an answer, I really had to tell them NO! Instead, on the outskirts of the (in)famous district I found the next whisky bar, of which I became a regular patron for a few weeks, until I found Black & White on Leidseplein, and later also The Last Waterhole, which offered live music every night.

With that in mind, I have become dad. I tell people over and over again that if they click on dubious links and whatnot on the web they will be infected, and even robbed, exactly what could have happened to me in Amsterdam. Whatever my advice, they go there, and they click, and they complain their computers start running slowly, weird stuff appears, and behavior is strange. Well... YEAH!?!?

To be fair, I have to say, how can they know and learn stuff if they don't go where man should not go? Experience will teach, only it comes with a cost. I could have lost money and health there, even my life if I had been cocky. On the Internet Super Highways you might lose money, but you don't usually have to hold on for your dear life if something goes wrong. So go there, learn something from your mistakes, but don't whine.

Makes me sad

noreply@blogger.com (tko) — Fri, 18 Jun 2010 08:59:00 +0000

I found this photo article and it made me sad. I like to think that we, in the western world, have a sane view on most things humanitarian. I know, there are many things and laws and issues we need to change or learn from, but all in all I believe we have pretty fine rulesets to live by. Americans have some hilarious bylaws that we all laugh about, so does a lot of European countries. I have close relations to Australians and sometimes I have to catch my breath when some of their laws become known to me. But still, I get worried when a whole country is degraded and shot back to medieval ages because of religion and beliefs. I can not understand how this can be good for mankind, or the citizens of Afghanistan. I just can't...

New design

noreply@blogger.com (tko) — Fri, 11 Jun 2010 14:15:00 +0000

Most of you will notice (not that there are so many reading this blog) that the design has changed to a slicker, more sophisticated, design. Thought I would see how I like this, and what blogger new design "engine" has to offer. Just need time to play around with it.

Captain Reach 364 sees the light

noreply@blogger.com (tko) — Fri, 11 Jun 2010 12:43:00 +0000

Found a very good blog today. Written by Reach 364, captain and C-17 pilot in the USAF, and he shows great insight when looking at his own cyberworld and gaining understanding on how it works. He also writes about his findings in a very good way so laymen at all levels can follow. It will be very interesting to follow this guy's path to greater knowledge of the darker side. Also the comments are giving away great links to resources if you want to dive and learn more of computer security.

Ubuntu to cease Sparc port?

noreply@blogger.com (tko) — Tue, 08 Jun 2010 12:06:00 +0000

I don't know what to think about this mail sent out on Ubuntu development list. I have been living in Sparc-land for well over 10 years, mainly running SunOS on servers, hundreds of them. Whatever I think of the development in days gone by I have grown attached to them, kind of a love-hate-affair we have. I run Ubuntu on several PC's on Intel platforms, both stationary and laptops, and I am fairly happy about them. I don't do heavy development anymore so performance is not the main issue, functionality is. All in all I'm pleased with the environment when it's tweaked to please my eye and behavior.
What worries me more than anything else is that this might be one outcome of the Oracle acquisition of Sun Microsystems. That Larry Ellison decides he wants to keep things close to him and change the fairly open atmosphere Sun started to market in the latter days. Not only Ubuntu will suffer from this, more importantly OpenSolaris will. If OpenSolaris dies Solaris will probably see a future very much like that of Oracle databases, with patches coming out maybe five years after security issues has been discovered. If Oracle says it is not an issue, then no patches will appear. Period. What's next, MySQL going the same way? That would be a more understandable reasoning since MySQL is a competitor to Oracle in-house, even though no-one at Oracle ever would admit that.
It just worries me a bit...

SecDay at cern.ch

noreply@blogger.com (tko) — Mon, 07 Jun 2010 11:56:00 +0000

I believe this is something worth watching. CERN is launching a series of webcasts with experts giving their thoughts and tips on how to secure your computers. They call it CERN Security Day and takes place 10th of June 2010. Due to the location of CERN (border of Switzerland and France) some of the speeches given are in French, but as I understand it these will be subtitled in English at some stage. The full program for the event is to be found here. Note: Times are Zürich local time.

Interview with Steven Levy

noreply@blogger.com (tko) — Fri, 04 Jun 2010 13:42:00 +0000

25 years has passed since Hackers was published. Based on true stories he made a significant impact on tech savvy kids, as did the movie. O'Reilly has an interview with the author where he's reflecting on what it all was about and how things ahve come where they are. O'Reilly also published a revised version of the book.

Lies, damned lies and statistics

noreply@blogger.com (tko) — Fri, 04 Jun 2010 09:45:00 +0000

Every once in a blue moon someone comes up with indisputable statistics and presents them in pie-charts leaving very little to the imagination. Here's all you need to know to know that you're not alone doing these every day chores et al.

Linux powahh!

noreply@blogger.com (tko) — Tue, 01 Jun 2010 06:33:00 +0000

I've been using Linux since the olden golden days of before 1.0. In the beginning Slackware came on 1.44 floppies and the stack grew on me from approximately 12 of those to over a hundred... tedious work to load all those upon installation. Today it's a bit different with information super highway connections from home and a gazillion of different distros to choose from. My flavor for the day is Ubuntu, mostly because it just works and I like to think I have more interesting stuff to do than fiddle around with libs and compilers more than I do at work. Long gone are the days with building up a 386 from bits and pieces. Today Linux is used for more demanding stuff, like being in top 500 of supercomputers... actually 91% of the top 500 runs on Linux of some kind.

No cold drinks? Chill...

noreply@blogger.com (tko) — Wed, 19 May 2010 14:19:00 +0000

Yeah, I know. To go rock'n'roll you need drinks. And if they aren't already in the fridge you need some help. Enter the Rapid Blitz Chiller, and after approximately two minutes you're good to go with your first cold choice of beverage. Although, someone pointed me at a free version of rapid cooler courtesy of Mythbusters, which is made of a bucket filled with water + ice + salt. Took them five minutes to reach cold beer (38F/3C). Cold enuff :-)

PCI turns rock'n'roll

noreply@blogger.com (tko) — Wed, 19 May 2010 10:21:00 +0000

Who said PCI wasn't fun? Join this fast and furious magical country carpet ride for a quick lesson in PCI-DSS, presented by the PCI Council!
PCI Data Security Standards Rock

Security program to install?

noreply@blogger.com (tko) — Mon, 10 May 2010 11:02:00 +0000

I get a lot of questions from people who want to know what the best security program to install, and which one is the best. And then they get frustrated when they learn that I can't answer their question. There is only one answer, you can't. Yeah, my credibility as "the security guy" just was lowered to a place near zero, if not six feet under.

Once again I must revert to the long answer which is, there is no program designed to do that alone. It is you, as a human being, that protects your data best. Your computer is just a thingie that contains your data. You probably don't give a rats ass if your computer is hacked, or compromised in other ways. What you really are concerned about is your data. People just don't realize this. So that's the pre-requisite. To move along from there you need to protect your data through this computer's perimeters.

Let's just face it first, you will never get it 100% secure. In order to do that you need to put a weight on it and sink it into a very deep sea. But I will assume you want to do something useful with it, which is why you bought it in the first place. Don't aim for the 100% do the next best thing, make it reasonably safe. If you follow the next few steps you will get it approximately 95% safe, give or take a few points.

1. Install a firewall. It's probably there in your ADSL-bridge/modem already. Enable it. The minimum protection should be: let all the traffic out, let none in (unless initialized from the inside). If you are really clever you might want to open it for http/s or/and ssh. But now you've opened it, see to it that these applications listening to the ports open are patched, and all the mechanisms behind them: ASP/PHP/CGI-whatever and sshd.

2. Patch it, let's say once a month. This means not only the operating system, but all the software you decided to install. Office packs, browsers, little gadgets, office extensions, add-ons, designer programs. and all mechanisms/translators and what-not.

3. Subscribe to vulnerability mailing lists. If nothing else you will be on level with what is happening and thus you may be a little more conscious about your own data and protections of it. Start with Bugtraq and lists that deals with your installed fleet of software.

Three steps, and you can sleep better at night. You can of course turn on paranoia mode but then you're dealing with slightly more technical issues and that's a completely different story, told elsewhere on the web.

Sacred house

noreply@blogger.com (tko) — Mon, 10 May 2010 04:43:00 +0000

How about this for an alternative style of living? Knowing the British quality of building and their lack of knowledge on how insulations work, or that it even exists, makes me wonder what kind of a number the heating bill carries... Nonetheless it is an astonishing conversion, and I wish I was as handy. A couple of friends from days gone by re-modeled a smaller country side chapel into a two apartments twenty years ago and I wanted that too, but this brings things up to a totally new level.

CERIASly dumb computer security

noreply@blogger.com (tko) — Thu, 06 May 2010 12:16:00 +0000

Just happened to stumble upon (not via the StumbleUpon service) this series of videos from Purdue campus with Dr. Charles P. Pfleeger where he goes through a few ideas in computer security history that in hindsight could have been thought through maybe once or twice before making reality of them. I like the analogy where he states that in many projects the security guy is involved in a late stage, when everything is almost marketed, shrink wrapped and sold, to bring his little bag of security miracle dust and sprinkle it over the product in order to make it safe... Haven't we all seen that happen!?

Through to the other side...

noreply@blogger.com (tko) — Fri, 30 Apr 2010 08:04:00 +0000

Upgrading this computer to Ubuntu 10.04. Don't know how that will end. The last upgrade gave a whole new collection of grey hair and I learned a few new cursing words along the way. Didn't lose anything except patience during those days of agony and fear. This time the Ubuntu guys promised me nothing could go wrong... oh wait... didn't they do that the last time too? Reports to follow.

Update: OK. Took its time alright... and scared the crap out of me upon reboot. The GDM came up OK, 25 sec boot time, but then it was all black, just a cursor. Console revealed a lot of GdkPixBuf errors... but nothing that should be causing X the hiccups. So I logged out. Logged in failsafe. All is fine. Nothing in the error log. Weird. So login again normally. And yes. All seems to be fine. Good thing. Only thing that was annoying: the minimize, maximize and close button were on the left hand side. Not working for me. So changed them back to where they "should" be:

Alt-F2
gconf-editor
apps>metacity>general
button_layout = :minimize,maximize,close

Nothing else to report really. It just works - knock on wood.

Weekend reading

noreply@blogger.com (tko) — Fri, 23 Apr 2010 13:04:00 +0000

Yeah... blame porn for the recession
McAfee SuperDAT Remediation Tool
Hackers and social networking: A love story
Richard Clarke's Cyberwar at Wired