The Ramblings of a Geek with A.D.D.

Paros Web Proxy

noreply@blogger.com (Chris) — Sun, 20 Nov 2011 23:24:00 +0000

As this semester wraps up at both universities I found myself rapidly trying to grade papers as well as complete my own projects. One of the projects I needed to complete was a network and web security course at DSU. I used nikto in a previous post to discuss the use of the software in vulnerability assessment.

I have used proxy software in the past, but never in the capacity of vulnerability assessment. Now the project was to break a PHP script and gain remote access. This actually turned out to be more simplistic than I anticipated, but what was surprising was how useful the paros proxy software was in accomplishing that particular goal.

The software is designed to allow you to see all the GET and POST messages, content, delivery of regular web traffic between your host and the remote server. It has two nifty features though; cookie storage and spider crawl. I used the spider functionality to grab the listing of html the did a directory grep for *.php to find my script call. This saved hours of time looking though the site and really let me get to the heart of the assignment.

Paros should be added to any suite of network vulnerability tools for use in pen testing. I highly recommend it.

My Apple Story

noreply@blogger.com (Chris) — Thu, 06 Oct 2011 13:26:00 +0000

To all of you in Cupertino and Austin and to the family of Steve, my heart and thoughts are with you.

The world is mourning the passing of Steve Jobs today, and so am I. Steve passed away yesterday after a long battle with cancer. For those of you who use apple products, the iPhone, iPad, iPod, Macs, this is a sad day. For those of us who spent time at Apple, it's almost a personal loss.

My first computer was a Commodore 64 with dual floppy (5.25) drives. It was soon and quickly replaced with the first Macintosh. I was in love. I bounced from the 128 to the 512k model in a year, then to the SE, SE/30, and ultimately to the LC I. My first personal computer at home was the LCII followed by a Performa 6116CD (my first PPC chip), 8150 WGS, beige G3/233, and finally Blue&white G3 with a G4 upgrade. Twenty years of history and memories defined by the Apple products I used at home and at work. I learned almost everything I know about computing (which is a lot, but not exhaustive) on the Macintosh Platform.

In 1995 I started a contract with Apple at a call center for the AAC (I still have my 1990s Apple Assistance coffee cup). I worked for Apple during the dark times. The times of licensing the OS, clones, Pippen, OS 7.5, and Gil Amelio. It was a hard time for Apple, there was a loss of focus on innovation, easy of use, and technology. Stock prices and market share were at an all time low and nay-sayers were constantly predicting the closure of Apple's doors. Yet there was always this spirit of hope. In the last few months of my tenure there, Apple bought NeXT, and it was announced that Steve would be returning as a consultant. I left that job to go work elsewhere. I received my hardware and software certifications during that time and was happy to see things beginning to change.

Then the most amazing thing happened, iMac. Ditch the beige boxes of yesterday and make the internet and home computing fun again for the everyday person. Apple stopped trying to compete with the PC market and made something fun and interesting again. iTunes and iPod were just around the corner bringing to the masses the wonders of mp3s. iPod was not the first mp3 player. I owned a Rio (which worked with iTunes at the time), but in my opinion, the iPod changed the world. Mobile devices were never so easy to use, so well integrated with the GUI and operating environment.

With the dissolving of the AIM alliance and the release of OSX, Macintosh computers exploded on the scene as well. Innovation and design was alive again at Apple.

I could go on about the innovation of the iPhone and iPad as well, but those are much less personal to me. I turned many people to the Mac platform. I've used it for 27 years now.

The world became a better place for the technology and innovation developed by the Steves (yes I hold Woz in the same regard). My only hope is that Apple continues to foster and nurture the abilities of other visionaries and innovators.

Thank you Steve, you will be missed. Rest now our friend.

Nikto2

noreply@blogger.com (Chris) — Mon, 26 Sep 2011 12:49:00 +0000

I have been working on a project for my information security class. It requires me to test and gather information on a server before attempting to penetrate it. I have managed to build a good list of information on the server, but I have not managed to penetrate it yet. Of course I'm trying to do this without the use of scripts or applications designed for this server's vulnerabilities, so I'm doing it the hard way, but honestly, did anyone expect anything less of me?

So I'm working though trying to find all the tools I can use to discover all the possible vulnerabilities and I remember nikto. For those who are not familiar with Nikto, it is a web server vulnerability tool, a very vertically aligned form of metasploit (which I wish had student licenses). Nikto 2 has come along way since the last time I looked at it and seems to be very stable. The thing I like most about Nikto is the mutation capability, being able to change what I need to accomplish my goal. This goes beyond just adding parameter tags, to being able to actively get content loaded on the server. It also has a export to metasploit function which enables this to be added to a pen tester's suite of tools. Nice.

Within a few minutes and a good nmap scan I was able to determine a mostly complete range of vulnerabilities on the project server. Of course the hard part is actually utilizing these vulnerabilities and exploiting them, but then again, that what I'm being graded on. Nikto 2 is working flawlessly on my ubuntu server, my Solaris VM, and my OSX laptop (10.7 Lion).

Slowloris and RDP

noreply@blogger.com (Chris) — Tue, 30 Aug 2011 11:57:00 +0000

I was reading up on one of the latest worms to be released this week. It uses RDP to initiate a session and then attempts a dictionary attack against windows based hosts. It would seem that this is one of the first attempts to utilize what is really thought of as a utility to initiate a penetration. If one were to be cleaver enough, RDP as a utility and terminal services could become a more prominent attack vector.

I remembered reading about a HTTP SYN flood utility in an IRC channel once a few months ago. Slowloris had been demonstrated at a defcon at one point (I'm not sure which one), but it made me wonder if there have been attempts to initiate half open sessions to terminal services in the past. It could be argued that since the TCP stack in slowloris actually initiates and completes a connection, many of the more common remote options could be targeted via DoS. Since most use the TCP stack and then hand off to another service, most of them could be real targets, especially ones which are not used in the main arena of remote connectivity, like TeamView or something similar.

Now I know that there are defenses against Slowloris, but it requires looking at the number of open connections and determining if that number is too many. This defense would need to be set against each type of remote connection across any number of ports for RDP, ARD, and VNC. Whitelists and constant monitoring would also have to be setup.

It also make me wonder if NetFlow can detect the number of simultaneous connections rather than leaving it to a script running on the host. I will look to see if snort has any specific signatures to determine a slowloris attack and if that sig can be tweaked to look at other services beyond HTTP. I also wonder if Metasploit has a similar vulnerability in the framework.

I guess it's time to go read more...

Regular Expressions

noreply@blogger.com (Chris) — Wed, 06 Jul 2011 11:30:00 +0000

I was setting up a sed script last week when I realized that I needed a regular expression. No big deal right, Google is your friend and I should just be able to find it quickly. I can never do things the easy way though.

I went on a search to improve my limited understanding of regex. I found it...a book. Sam's Teach Yourself Regular Expressions in 10 minutes. I'm not normally a fan of the Sams Teach Yourself line. First off with work, school, and classes finding extra time to read something "on the side" is more than problematic (just ask my growing collection of unread Asimov's Sci-Fi). Secondly, I have found in the past that the tutorials in the Sams books have been inadequate for what I was needing. I am pleasantly wrong about this book.

The examples are simple, to the point, and reasonably well explained with each lesson building on the last with good results. Being able to use this in command line with grep is solidifying my grep practice as well. I'm hitting one chapter each morning just after normal studies and before my sysadmin jobs starts. Completing a chapter and being able to use what I learned throughout the day is a pleasant feeling and quite rewarding.

Now I just need to see if they produce a vi book, I'm probably the last emacs holdout in North Texas and the pressure is mounting, the senior unix admin refuses to let me install emacs or nano on any of the solaris boxes.

If you want to beef up on regex, check out the book. I believe I got it from Amazon for about $11. I would also recommend getting a copy of the Added Bytes Cheat Cheets, which is an excellent resource for regex as well as many other programming topics. You can find Added Bytes here.

Summer Semester: Shift in Focus

noreply@blogger.com (Chris) — Mon, 30 May 2011 19:40:00 +0000

EC2...wow, just wow. As I sit here trying desperately to wade through the massive amount of material I must read and prep in 23 days, I sit in awe of how Amazon has implemented the EC2. You are probably wondering why I have sprung this topic without any sort of prelude or previous mention, well that's a funny story actually and it all revolves around being flexible.

So I registered for a seminar course this summer, INFS 890. I must take and pass six of these courses to meet the requirements for the DSc program. What I did not realize involves two things: 1. I have completed my core and 2. It's all specialization and dissertation work from here on out. INFS 890 prepares you for dissertation by allowing you to schedule time and resources for your dissertation topic. I now have a dissertation area, professor, and direction. So when discussing the needs of the course with the instructor I came to a choice, a fork in the road if you will, between network security and cloud security. Given the resources and position of my current work projects I chose cloud security, and to quote Indiana Jones, it would seem that I have chosen wisely.

I started playing with EC2 last week after reading the apology letter from Amazon regarding the recent outage. The way that the infrastructure is set up is amazing. I started creating my own instances and modifying other AMIs to meet my curiosity. Wow...30 seconds to VM creation. So many distributions and so inexpensive. Being able to set the instances in a good arrangement then setting that arrangement as a cloud formation. Wow. I loved being able to setup Ubuntu in just minutes. I doubt I will ever need a home machine to do OS testing and learning. I have been trying to get back into SuSE and instead of buying or re-purposing a machine to do this, I can now just launch a AMI, make the changes I need, and continue on my merry way.

This does leave some serious security questions though, and if the literature at this point is any indication, EC2 security is being left in the hands of the users. The literature on this is far from sparse (YAY), meaning it's a hot topic and there is no great silver bullet answer. I have seen some excellent ideas in the articles so far and I am starting to implement them myself in my own test cloud. Of course I do have to watch the cost, but that's why I applied to the AWS in Education program, perhaps with a little luck, Amazon will allow me to play and learn at a reduced cost.

Spring Update: So Far Behind!

noreply@blogger.com (Chris) — Thu, 24 Mar 2011 12:03:00 +0000

I managed to pull away from work and studies for two stimulating days and drive to San Antonio for the 1st annual ACM SIGSAC CODASPY conference. I learned quite a lot and managed to meet some fascinating academics and practitioners.

The conference itself was good and the papers were a great read. Dr. Sandhu made an excellent keynote presentation about the upcoming challenges in security, especially on application security in a mobile market. I also really enjoyed several of the discussions I had with the presenters. I was also extremely excited to know that my curiosity in certain fields, mainly security related to mobile and embedded devices, seems to be a expanding field. I even managed to meet the author of a textbook I plan on using at my local university in the next year to meet my teaching requirement.

I also walked away having met some fantastic people in the realm of practitioner security. I am now, more than ever, ready to take and pass my CISSP exam. I received a lot of great advice and encouragement from current CISSP holders and was taken up on my offer to assist in the working of the conference next year.

All in all - an awesome experience.

DSU Spring 2011 Semester

noreply@blogger.com (Chris) — Wed, 19 Jan 2011 16:41:00 +0000

Well I am registered for this semester and taking System analysis and design as well as Information technology Strategy and Policy. It looks like it is going to be a great semester although a very busy one. After this semester I will be in specialization coursework only (Yay for core completion)!

I am going to throw my spring project ideas out to my FB friends and see what comes up as a possible spring project. I will post here what the results of that will be.

Gawker Breach and Strong Passwords

noreply@blogger.com (Chris) — Mon, 27 Dec 2010 14:05:00 +0000

I used Lifehacker and Gizmodo, of course I was a member before the war between Nick/Adrian and 4Chan, before the dark times. What can we learn from this incident, well several things!

1. The first is that strong password security is a must.
It's not just a good idea that some person in a classroom somewhere mandates. It should be good policy for every person connected to the internet. I downloaded the files from gnosis, the group claiming responsibility for the Gawker breach. They has access to those systems for a long time (weeks if not months). Long enough to crack good, strong passwords. I was surprised to see how many people use children names, their own names, colleges, and the word "password" as their password.

People, these are not strong. No word easily found in any dictionary is "strong"!!!

I typically use strong passwords. Even after 48 hours of brute force against my own passwords which were in the list obtained from gnosis, I went through every site which I felt had security issues, and changed passwords ahead of my 90-120 day schedule. Yes, you should change your passwords at least every 90 days. This is no laughing matter. I spent most of the weekend changing my passwords.

This is my forumla for making strong passwords: Letters + Numbers + Capitals and for grins throw in a !@#$%& character or two. Make it more than 8 characters.

This is an example of a strong password: !iWng24Cea@39

Note the use of capitals, print characters (!@#$%&*), and numbers. The password is also longer than 8 characters.

DO NOT REUSE PASSWORDS ON MULTIPLE SITES, EACH SITE NEEDS A SPECIFIC PASSWORD. This is what ultimately lead to the massive amount of personal information on the gawker media employees to be leaked and posted.

2. Pay attention to emails and news regarding the sites we use on a daily or weekly basis.
Keeping apprised of a situation is no small feat, but we do this in so many ways already. You would certainly notice if the front door to your home was open all day long. I am not saying that everyone should learn intrusion detection, but be aware of the sites and services you use, and be aware of any issues they have.

3. Site designers, make password changing/entry friendly to strong passwords.
In the process of changing the passwords to sites this weekend, I noticed a disturbing trend. Many sites do not allow the storing of what I consider strong characters, mainly the !@#$%* characters. This is a serious issue to me. I realize that storing these types of characters is more difficult in the short term, but in the long term this adds the longevity of the cracking attempt. Do not limit me on password length either. Making a limit of 12 characters is silly and outdated. If I am capable of remembering a 32 character string then let me have 32 characters.

Sticking to these tips will help you in the long run maintain some measure of safety. Remember that security is not a matter of stopping someone cold, but making it as difficult as possible to breach the measures taken. No security is full proof, but do not make it easy for anyone to breach your data.

Fall Personal Project: Update 4 PHP/MySQL Install

noreply@blogger.com (Chris) — Fri, 05 Nov 2010 12:42:00 +0000

So we have discussed the need to watch the install order. I have found that when installing things which require LAMP, inevitably you will need to make a change to the database at some point.

Since BASE, the software which stores and provides segmented analysis of the snort traffic, uses a MySQL backend (you can use postgres), it is a good idea to install an interface to the database if you are unfamiliar with the command line. This is even more useful if you are like me and have forgotten almost everything about the open source database systems (although MySQL isn't really open anymore). I prefer the phpmyadmin GUI. Of course there is a specific order to getting things installed here too, if you want it to work programmatically.

Step 1: PHP5
The current PHP core is 5, so make sure that is fully installed first. A full install of PHP will usually cover the database dependencies for MySQL, postgres and Apache2. Here are useful commands:
sudo apt-get install php5
sudo apt-get install php5-mysql
sudo apt-get install libapache2-mod-php5

Once you have this install completed. Run the phpinfo.php script we discussed in the last post. Verify. I know I have said the instructions for this before, but 20 seconds of verification can save you time later.

Step 2: MySQL
The MySQL install is just as simple. Since you have already run the installer for the PHP libraries, this will just consist of the DBMS itself. The current version of MySQL DBMS is 5.1.x.
sudo apt-get install mysql-server

That's it. Seriously that is all it takes. Verify in the command line that the DBMS is working by typing mysql or sudo mysql depending on the user level. If you get "MYSQL>" it is working.

Step 3: phpmyadmin
The next step for easier DBMS manipulation is to install phpmyadmin located here: http://www.phpmyadmin.net. This will allow you to have a web front end to the DBMS and it makes the lives of visual people a lot nicer. Installing this uses (yes you guessed it) apt-get
sudo apt-get install phpmyadmin

I will not go into the configuration of it because this is well documented here on the Ubuntu Server Forums.

Follow that guide for the configuration and you will be ready to configure snort having your DB backend ready, your dependencies ready, and a front end to all of it. The next (and last installment) will cover the actual snort installation as well as the configuration guide and the resources I used to get it all working.

Fall Personal Project: Update 3

noreply@blogger.com (Chris) — Fri, 29 Oct 2010 13:09:00 +0000

As promised today's post will be about some of the things I learned during the installation of Snort on my Ubuntu box. The things I learned are more about the process of the setup more than anything else and the correct order in which to run the installs. You have to love dependencies right? Let's get started.

Acquired Knowledge Bit #1: Client install over Server install
The client install went a little better for me on the Zino for one reason only, I have to install a second NIC. On the Zino that is an issue because of it's form factor and the lack of a second ethernet port. I used the Cisco 300M USB to RJ45 adapter. This functions as a second NIC. Although all the documentation I read said that this would work hands down on the server install, I could only get it to work easily in the client install of ubuntu. This is not to say it will not work, just that I could not get it to work in a reasonable amount of time. On the client install the process was simple. I plugged it in, scanned for new hardware, and let the updater download and install the drivers. This was my primary reason for sticking with the client install over the server install. Installation on the Zino was nice, fast, and easy.

Acquired Knowledge Bit #2: LAMP, Package Manager, and apt-get
The nice thing about a server install for the ubuntu distro is that it comes ready to install LAMP. In fact it's a toggle option during package selection. For those of you who do not know LAMP is an acronym for Linux Apache MySQL PhP. The four basic packages which will accomplish most anything. On the client this is not an option but the installation of the necessary components can be run after the OS is running. If you want a decent install guide, there's an ~~app~~...un site for that...head over to www.lamphowto.com to get some guidance. Now here is what I learned in my post install LAMP, nothing works quite right unless you learn to love the apt-get command. Learn to use this over the package manager in the GUI. The command is faster, easier to script and chain, and leaves nothing to question. I found that the feedback from the terminal session was more informative than that of the GUI. Stick to apt-get install, you will be thankful.

Acquired Knowledge Bit #3: LAPM
LAMP should really be called LAPM. The order matters. I like to make sure things are working. Apache 2.0 first. Be sure to check the browser first to make sure the host is responding on that port and that you can see the default index.html page in your browser. PHP is second. This is critical in my opinion. Installing PHP next will allow you to make sure that it is working and that you can install the necessary tools you will need to maintain your MySQLDB, mainly phpmyadmin. Even if you are missing some dependencies, you will want to follow Apache with PHP. Next you will want to create the phpinfo.php page with the following code:

This will show you all the php configurations you have running. A great tool to use when trying to install LAMP (LAPM). Call this page (phpinfo.php or whatever you called it) in your browser. This will verify that Apache and PHP are talking and that you have PHP installed correctly.

MySQL deserves it's own time, so I will talk about that in the next installment as well as setting the snort.conf file and some of the pitfalls I learned there as well. So in the meantime have a great one!

Fall Personal Project: Update 2

noreply@blogger.com (Chris) — Fri, 22 Oct 2010 22:06:00 +0000

And working!....The Snort home project is a success. At least the setup and configuration of the project is a success. I have not tried to mess with the rules yet, but I will get there. I'm sidetracked at the moment by a layoff, contract work, classes, and job hunting. Honestly I'm surprised I got any of it done at all.

All said and done this is pretty sweet, and I would like to thank the guys at the snort forums and on the snort mailing list for all the help. I would also like to thank the guide writer for the in depth guide.

Here is a list of the equipment I used:

1. Dell Zino (aka Inspirion 400)

2. 1 Router (any type with a built in switch)

3. 1 unmanaged hub or a switch which you can set as a repeater (I used a Netgear DS108)

3. 1 Cisco USB to Ethernet dongle (USB 300M)

4. Ubuntu 10.4 or higher

5. UTP patch cables

6. 1 UPS for the networking equipment.

I will go through the configuration in an upcoming post, but needless to say it does work. There are some tricks I learned outside of the guide which will help along the way.

Here some photos of the setup all completed:

I have cleared the DB several times and started traffic over and it is working like a charm. The next post will cover the guide, software installs, and getting LAMP running.

Why I use SSID

noreply@blogger.com (Chris) — Wed, 15 Sep 2010 13:00:00 +0000

This is going to be a long one. It comes from a debate I had on irc a few days ago. I've heard this time and time again, to increase security, disable SSID broadcast. It's true, if you want to be absolute in your wifi network security, you should disable SSID broadcast. Now let me tell you why I don't.

I like things to work: Yes, in a nutshell this is my primary reason. I like it when I know my Wii can see my wifi network. I like it when my mother brings her iPod over and it works seamlessly. There is something to be said about technology doing what it was designed to do, making my life easier and improving the quality of it. I dislike having to stop what I am doing to troubleshoot a wifi connection, if the device can see the SSID, then I know the hardware is at least functioning somewhat properly. It saves time and effort, something geeks like to do.

How do I secure my wifi network? Simple steps will always work:

1. Change the default password on your router.
This should be the first thing you do. All it takes is determining the router type and someone can lookup the factory username and password. Once they get into your router, find your connected IP, turn off your SPI firewall, and lock you out, well, it's game over. Seriously speaking this keeps so much from happening. Usually you cannot change the default username, but make your password strong. Letters + Numbers + Capitals and for grins throw in a !@#$%& character or two. Make it more than 8 characters too.

2. Change the SSID broadcast name.
Do this as soon as you have changed the default password.

3. Set the radio encryption level to high.
It boils down to this, a wifi network still uses plain old fashioned radio waves for communication (which is why you have channels on your router). Just like regular radio waves they can be intercepted by anyone with the basic knowledge and equipment. Encryption of the radio signal is crucial! When you set the encryption of a router you are encrypting the radio transmission and reception, the information floating (waving) through the air is encrypted. This protects against interception. The current standard for high encryption is WPA2, go as high as you can. This will not stop a determined person, but it will make it extremely difficult, which is the basics of security.

4. Use MAC Filters.
Here is where I depart from the "standard". Each and every device which connects to a network uses a media access control address (MAC). Most modern routers allow a person to setup a list of MACs which will be allowed on the network. If the MAC isn't on the list, it is not allowed on. Now here is the problem with MACs, they can be spoofed, easily spoofed. Here is the counter argument. Most will not take the time to try and discover the connected MACs, they will move on to another target. Spoofing a MAC requires someone to take the time and effort to capture radio traffic, find the correct MAC, and spoof it. Remember if you have done the previous steps, this is just another road block in the way of a intruder. It is better to have it than to not have it. It should not be implemented on its own as a security plan, rather it should be implemented as a part of a security methodology.

5. Check your logs/activity.
So many people do not take the time to review their router. I do mine about once a month, but I take security very seriously. At least check it every few months. There are ways to set routers to email you when certain activity happens. Do so! Just like you check your windows and door by looking at them, do the same for your network.

Fall Personal Project: Update 1

noreply@blogger.com (Chris) — Mon, 13 Sep 2010 13:25:00 +0000

So the fall home NIDS project is going well. I have removed the old router and replaced it with a newer Netgear b/g/n router. I also took the opportunity to do some cable management.

There is one feature I wish manufacturers would add to the routers and that is to export the machine address ACL to a file. It would have been really nice. As it s I just copied the table from the html, but still, since I use MAC ACL filters, it would make things easier.

So the 10/100 hub is on the way, I will order my dell zino this week after I finish some papers which are due. I would really like to thank all the folks over at the snort forums for their assistance and guidance in this project. They really know what they are doing.

I spent some time this weekend looking up the literature in some major journals on snort usage. I'm almost positive that my final dissertation will somehow involve the use of snort, but I'm not sure how yet.

More updates as the equipment comes to me. I will post a topology diagram later on the next update once I make sure everything is running.

Fall Personal Project

noreply@blogger.com (Chris) — Tue, 07 Sep 2010 14:48:00 +0000

So this fall's personal project will be to install a personal IDS at my home, then try like crazy to penetrate it. Snort snort snort. After writing several papers on the software I have come to respect it even more.

I often check the basics of a site or of a home network setup by using the "shields up" but I know that my router kills the majority of the traffic which the service tests for in a vulnerability test. I am looking to setup a fully functioning DMZ with a snort based NIDS and then slam it until I can break it (without cheating of course). I have ordered a new router simply because I have been a little lapse on keeping my encryption as strong as I can and it's time to do so. I also reall like some of the new functions in netgear's newer routers which allows the creation of a DMZ out of the box.

Also, I will probably use Ubuntu and some sort of small form factor like a mac mini or a dell zino since I need power to be a consideration. I would love to keep it in the ubuntu family line though, I need to beef up my skills in administrating one since it has been almost a year since I set a box up with ubuntu.

We will see how it goes. I will post to a page here or keep it updated in the blog.

Weebly: Simple and Easy Sites

noreply@blogger.com (Chris) — Thu, 12 Aug 2010 13:28:00 +0000

As you can tell, my site has gone through yet another revision. The long and short of it is that I am reducing the number of servers I run entirely. I am shutting down my primary portal site and converting everything to Weebly accounts, both for my clients and myself.

What is Weebly? I'm so glad you asked. Weebly is ridiculously simple web hosting. Now if you want to run a php application or something in the .NET framework, Weebly is not for you. If you want a simple site, clean, efficient, and gets the job done with very little issues, Weebly is right up your alley.

What Weebly does is allow people, with very little coding experience, to create rich and easy to maintain content driven sites. It includes integration to the paypal shopping cart engine, easy to set meta tags for SEO purposes, and a module based layout similar to most CMS features, allowing more flexibility for those that want to do special things, like my twitter feed on the front page.

Easy part, it's free with a point and click interface. I highly recommend this for anyone wanting a quick and painless site.

Chrome Extension: Incredible Startpage

noreply@blogger.com (Chris) — Mon, 07 Jun 2010 13:33:00 +0000

I am finding that for search and daily tasks, Google Chrome is rapidly replacing Firefox as my default browser. I'm still amazed at how this transition has happened. I still use Firefox for download management, debugging, and the like, but my main browser now is Chrome.

This leaves some slight functionality issues with Chrome. All in all I have managed to find what I need to complete my tasks and make things seamless. Then I find this little jewel of an extension. The company is Visibo, the extension is the "Incredible Startpage". This little add-on grew rapidly on me. I find the native and default startpage on Chrome spacious to a fault. I cannot really reorder my list, and the thumbnails of web lages are unnecessary for me. The bookmarks bar is limited to the length of the window, so things are not as elegant as they could be in my humble opinion. Incredible Startpage fixes most of my issues.

First the bookmark frame, this allows me to keep a double column list of my most commonly used bookmarks on a new tab. This is nice. It keeps the fav icon as a reference and offers more than what the bookmarks bar offers in terms of space (I like a fixed width window).

The next is the columns for closed tabs and a longer bookmarks list, which I can use to add and remove bookmarks to my bookmark frame. Lovely!

The next cool feature is the post-it. This allows me to write in small things and then post them as an email or calendar item to Gmail or Google Calendar, both services I use extensively.

Add to this the fully customize CSS and background images which allow you to tailor your new tab page as you like, and I feel right at home (of course I've totally geeked it out with Dr. Who wall papers). By default the extension has an array of images, but you can also direct link to any image out on the net, the downside is no local image support, but that's fine by me.

All in all this is a great extension for my daily operations (email, web, search, school). I love the arrangement and layout as well as the personal touch. Great Job Visibo!

Wardriving (whitehat of course)

noreply@blogger.com (Chris) — Thu, 03 Jun 2010 13:00:00 +0000

Wednesday night, I thought I would kill two birds so to speak. I needed to pick up my lovely wife from the airport and at the same time, complete an assignment for my networking class regarding wardriving. Let me preface this by stating I know the difference between scanning for a network and connecting to it. I have done this many times in the past and I am not about to break the law now. So I fire up VIStumbler on my laptop, jump in my nifty car and drive 26.1 miles to DFW international airport. The results were more than interesting.

I found what I expected getting out of my neighborhood, lots of unsecured open wireless networks. On the drive to the highway I found plenty of businesses which would offer WiFi to their customers; McDonalds, Starbucks, Hyatt, even a KFC. Then I get some more than interesting hits; Bank of America, Wells Fargo, a local doctor's office. These were just a few of the businesses which I would think would at least encrypt their network. Leaving it open for access is one thing, it makes it easy for customers to connect, but traffic encryption should be a no quarter point of interest.

Having spent lots of time as a network and system admin, I would find it very unnerving to have an open and unsecured WiFi network for a doctor's office, bank, or any retail operation which accepts credit cards (and stores them locally). I understand that many businesses simply offer internet service to their customers, the local coffee shop for example. I have personally seen local businesses though, connect their POS system to their WiFi network. Here is where things can get tricky.

Here are some reasons why. For all those doctor's offices out there, HIPPA is no laughing matter. If the network inadvertently transmits HIPPA related patient information on an unsecured network and that transmission is intercepted...well good night Sally. This is a major issue. For businesses which accept credit cards, you must follow PCI-DSS standards for card data security set by VISA, MasterCard, Discover, and American Express (The PCI council). The fines you could receive for a breach could literally put the business down for the count.

Do not take WiFi security lightly. Set up encryption, use it, access points and wireless routers have it built in for a reason. Set up authentication when you can, again these access points come with this ability out of the box. For you data paranoid types (like me), use good encryption and authentication with a IDS setup on the inside of the network. None of this may stop a determined intruder, but it can slow them down and make them move on to a more viable target, which is what security is all about.

Google Bibliography?

noreply@blogger.com (Chris) — Tue, 04 May 2010 14:01:00 +0000

No, Google Bibliography is not a real product. I really wish it was though. I am currently starting to collect documents for my doctoral dissertation proposal and I keep running into the same issue over and over again, redundancy. I am absolutely fearful that my EndNote library is going to get squashed by any number of possible deaths. Call me paranoid, but when it comes to data, well...ok I guess I'm paranoid.

Large journal sources such as ACM already have a system for exporting to any number of citation storage packages, including the ever popular EndNote, here is the issue I have though, EndNote does a great job of keeping my references together, but does so in such an inelegant way. After 3 years of Gmail, 3 years of Google Docs, and access to a lot of these services on the fly via mobile, I came to rely on elegance of Google software, even more than that elegance, I rely on the cloud to store the most critical information as a backup device. The culmination of my academic career is more than "critical" to me.

What to do? I could just continue to use EndNote X3 which my university makes available to me for free. I then have the issue of storing my library, and all pdf articles associated with it in a central repository and "syncing" them. I use multiple computers for this process, so now I am almost tied to those little flash drives for my sync. Ug. I suppose I could "upload" my library files to Google Docs as a backup, but that again seems "inelegant". Why could I not have a solution where I can store, modify, read, relate, tag, and organize my citations in the cloud, as an integrated service with the apps I already rely on from Google?

What I want: I want a service which ties in to a document storage package like Google docs, can easily be updated like Google Bookmarks for Scholar searches, easily tagged (like all Google products). I want a Google citation database! In the cloud, massive storage, tags, easily searchable (search through the pdf uploads too), and linked to Google Talk for collaboration. I think this need fits right in the middle between Google Docs and Google Apps.

Please don't make me carry all my research and literature on a flash drive...please?

Goodbye Lala, You were good to me

noreply@blogger.com (Chris) — Fri, 30 Apr 2010 13:45:00 +0000

My Friend Tivo25 introduced me to lala.com a few months ago. I am always looking for new music and even spins on old music. Lala is great, it offers a queue for sampling music, social networking to find people with interests and get introduced to music and share it with other networks (facebook), and most of all a great way to easily and comfortably purchase music on a tier.

Chairman Steve at Apple thinks it's good too. Apple recently purchased Lala.com. Like myself, many users had hoped this site would become an extension of iTunes or simply just left alone.

Nope....it goes down May 31st. Thank you Apple, you cheeky B&^@6@!(&%#s. This is something I expected from the likes of Microsoft, not Apple. The iTunes store has many merits, and I am loyal fan, but social networking really leads to music discovery, something Apple has yet to grasp in it's push to appease the big labels, which I hope die in a fiery, brimstone laden, smelly, smoky ball of financial ruin. Sorry, lost it there for a second. Nothing stifles new music faster than shutting down avenues of discovery. Not everyone can go to SxSW every year and we rely on services like lala to produce new music for us.

Today, another avenue was roadblocked, and unfortunately it looks like music lovers on the web will ultimately suffer the consequences. Had it not been for lala and a local radio station (PBS funded 91.7 in Dallas-FortWorth), I would have never discovered St. Vincent, Passion Pit, Little Dragon, Aqualung, Fanfarlo, Efterklang, Shiney Toy Guns, or Ok Go. This leaves Pandora and perhaps last.fm. I will be showing my support for Pandora now with a paid subscription and will create an account on Last.fm probably this weekend.

Bye Lala, I hope to see you on the other side. :(

eCalc

noreply@blogger.com (Chris) — Thu, 25 Mar 2010 14:12:00 +0000

This last weekend I was working on some ANOV problems for my class. I found that I was having problems looking at my handheld calculator (only purchased for my proctored exams) and the standard calculator on windows was lacking a square root function.Now I know I can get around it by giving a power of .5 to whatever number to which I'm trying to find the root, but I find this silly. It's literally more work. This is why software was created.

This annoyance put me on a 30 minute chase on the web to find a software calculator which is not connection dependent. I wanted to find one which was available on the web for both windows and OS X. Someone read my mind.

I found eCalc. Web based, OS X dashboard ready, runs in windows. I found it nice, easy, and intuitive. This is great software! It does the following effortlessly:

Scientific Functions (Algebra, Trigonometry, Engineering)

RPN or Algebraic Operating Modes

Interactive Unit Converter

Linear and Root Equation Solver

Complex Number Math with Polar and Rectangular Formats

Drop-Down Stack with History

Interactive Decimal to Fraction Converter

Free Online Calculator

Windows Desktop Version (Win98,ME,NT4,2k,XP,Vista) (Also works in Win 7-64b)

Mac OS X Dashboard Version

Plus: A square root button...I'm so easily entertained.

$14.95. Done. Sold. My handheld crappy TI-blah-blah cost me $9 at target. I have to admit I do like well designed software and I have a tendency to purchase based on functionality and design and this calculator won my devotion on both fronts. There is even an iPhone app ready and available.

Benford's Law

noreply@blogger.com (Chris) — Wed, 24 Mar 2010 16:41:00 +0000

A friend of mine recently introduced me to Benford's law, also known as first digit law a few days ago. I had never heard of it until then, granted I'm not up on the majority of statistical probability laws, but I found it fascinating.

It made me wonder. I have a wonderful book, "Tables of Integrals and Other Mathematical Data" by Dwight Herbert (1961 ed). I used this book heavily in college and still hit it for reference every so often. Is there anything like it for statistical models specifically?

Thanks to Don for the Benford's Law intro too!

Google Buzz, bright idea but why?

noreply@blogger.com (Chris) — Wed, 10 Feb 2010 21:02:00 +0000

Maybe I'm just not getting it. Maybe I never will. I read the information, watched the video, and have been "buzzing" with my friend TiVO25 for nearly 20 min now. What does Buzz accomplish?

Let me share with you a few things it does do well first. The application does share and start conversations well. I can follow the conversation with absolute ease and the user interface is easy and clean. Everything is within Gmail so I'm not really having to learn anything new. Very intuitive and fast. The response time is quick and I'm not left wondering it buzz is working. There are features which I would expect to see like email this and reply commenting as well. Yep, that's about it.

Now here are the things I do not like. As Buzz is rolled out to people, they are automatically added to my followers. I never manually added anyone to my followers or to be followed, it was automatic. By default all conversations are public and are stored on the web along with a profile page. Here is mine as an example (http://ping.fm/veXvi). I never asked for the profile page, and all my conversations in buzz to be auto added to a page, which can now be crawled and added to the search cache. Oops when I added the other sites to Buzz it auto posted my last tweet and blog entry, thanks for asking first! I auto spammed my gmail friends with materials. There is a link in my mailbox side nav for buzz, so why am I also getting it in my mail inbox? My blackberry is having seizures trying to keep up with Gmail mobile because I'm having a buzz conversation? No thanks.

My biggest concern is that this only takes information from other sites, it doesn't send it out. It would have been better if this was like ping.fm (where I am writing this now as we speak). I want ease of use. It is easy for me to login to mail and send an update to all my syndicated sites (facebook, twitter, blogger, etc). What does it accomplish to have my buzz updated from these sites, where my friends, family, and followers already exist? Who is reading my buzz then? Is it to try and convert more people to Gmail? Why would I do that? Email is a personal choice. Do I believe Gmail is better? Yes! Am I going to say that buzz is a reason to migrate over to gmail as a mail platform? No.

All in all buzz looks great, works fast, and does what exactly? My already used, flexible, and well established services are not enhanced by this product, neither am I for that matter.

Program of Study

noreply@blogger.com (Chris) — Tue, 09 Feb 2010 15:21:00 +0000

Well after some reworking and decisions on my part I have decided on my program of study direction at DSU. I will be specializing in Information Assurance and Computer Security (yay!). Now to work through all the fun stuff.

Of course I will need to complete the smaller coursework which everyone has to take along the way, but at least I can start preparing my literature review now though. I am learning EndNote however I really wish there were a solution in the cloud for this. EndNote does a fantastic job and I love the fact that I can download trees of citations from the library and post them directly into the application, I just feel that there is a better way to accomplish this goal.

There is going to be a proposal defense sometime this week and I love sitting in on these. The proposal will be on "Virtual Teams: Towards Improving Work Effectiveness through Collaboration Process Structure Training”. This sounds so interesting. I wish Dawn all the best on the defense.

Christmas Break

noreply@blogger.com (Chris) — Mon, 14 Dec 2009 16:52:00 +0000

Wow what a semester. My first one at DSU has gone well and I learned quite a bit. For Xmas I get to sit and learn SQL reporting services in an attempt to save my company some money. I also get to relax a bit and catch up on fun things again, at least for a few weeks.

I am already registered for Spring, Management and Evaluation of Information Systems and Applied Statistics. More stats....sound like fun. Although I did learn a lot more than I anticipated in my project management class. I am quite surprised by how intuitive the Visual Studio Express editions were to use and work with.

In the meantime I'm gonna be resting at home playing my old fav. Fallout 2, catching up on my large pile of unread Asimov monthly, and watching Avatar.