Wednesday, December 18, 2013

Why you should pause before signing up for the Circle

If you have a Facebook account you've probably been overwhelmed by invitations to join the new "Local Network" the circle. If you're thinking about signing up for it, I'd encourage you to


Cyber Security Exhaustion



Do you feel overwhelmed by cyber security?

Me too. Let me give you my brief personal background.

Tuesday, December 10, 2013

How do I patch the things good?



My team was recently asked to do an assessment of our company's patching strategy and to suggest improvements. Senior management's questions came down to, "How do we patch the things good?"

Thursday, December 5, 2013

That AIN'T REST

I don't have screen shots for this because it happened a while back and I've switched jobs, so I'll tell this tale in text.

While migrating articles out of a company wiki, I wrote a script to download them automatically using the wiki's REST API. Here's the general algorithm:

1. Start with article 0 and request a batch of 100 articles (maximum allowed)
2. Request the text for the first article returned
3. Request list of attachments for each article
4. Download each attachment
5. Repeat for the next article in the batch
6. Grab the next batch
7. Stop when the batch returned is less than 100

Since the API is labeled "RESTful" this should be fine, right? Each batch of 100 will always return the same 100 articles, so asking for them sequentially is fine, right?

Wrong. So very wrong. Putting the word "REST" next to the word "API" does not necessarily mean they gave you a REST API.

One article was failing, making my whole script bomb. Thinking I could pop in and exclude that specific article, I found its index number and excluded it. But the next day it failed again. I tried to figure out why and realized that the bad index was moving down the index once every 6 to 10 hours. Which means that the indexes were stateful. Which means it's not REST.

I get it. I honestly do. Not cleaning up indices makes for a painful system that can get bloated fast. But don't use the buzzword if you can't actually make it work.
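The failure mode above comes down to paging by position against a collection that changes between requests. As an added illustration (not the post's script and not the wiki's API), here is a tiny in-memory "wiki" whose articles disappear while a client is paging, with two clients walking it: one using the post's "offset N, batch of 100" loop, the other resuming from the last stable article id it received. The article count, ids and deletion pattern are constructed for the demo.

```python
"""Offset-based paging vs. key-based paging when the collection changes under you.

Constructed demo: a fake wiki loses one article between every two requests, the
way the post describes indexes shifting every few hours. The offset-based client
silently skips an article each time that happens; the id-based client does not,
because "everything after id X" means the same thing no matter what was deleted.
"""

from typing import Callable, Dict, List

BATCH = 100


class Wiki:
    """Stand-in for a wiki endpoint. Articles are keyed by a stable integer id."""

    def __init__(self, n_articles: int) -> None:
        self.articles: Dict[int, str] = {i: f"article-{i}" for i in range(1, n_articles + 1)}

    def by_offset(self, offset: int, limit: int = BATCH) -> List[int]:
        # Position-based: what "offset 100" refers to depends on what still exists.
        ordered = sorted(self.articles)
        return ordered[offset:offset + limit]

    def after_id(self, last_id: int, limit: int = BATCH) -> List[int]:
        # Key-based: the request is anchored to an article, not to a position.
        return [i for i in sorted(self.articles) if i > last_id][:limit]

    def delete(self, article_id: int) -> None:
        self.articles.pop(article_id, None)


def fetch_all_by_offset(wiki: Wiki, churn: Callable[[Wiki], None]) -> List[int]:
    """The post's loop: start at 0, take batches of 100, stop on a short batch.
    `churn` runs between batches to simulate the wiki changing under us."""
    seen: List[int] = []
    offset = 0
    while True:
        batch = wiki.by_offset(offset)
        seen.extend(batch)
        if len(batch) < BATCH:
            return seen
        offset += BATCH
        churn(wiki)


def fetch_all_after_id(wiki: Wiki, churn: Callable[[Wiki], None]) -> List[int]:
    """Same loop, but each request resumes from the last id actually received."""
    seen: List[int] = []
    last_id = 0
    while True:
        batch = wiki.after_id(last_id)
        seen.extend(batch)
        if len(batch) < BATCH:
            return seen
        last_id = batch[-1]
        churn(wiki)


def delete_lowest_article(wiki: Wiki) -> None:
    """Constructed churn: the lowest-numbered surviving article is removed, so
    every article behind it shifts down one position."""
    if wiki.articles:
        wiki.delete(min(wiki.articles))


def skipped_by_offset(n_articles: int = 350) -> int:
    """How many surviving articles the offset-based client never downloaded."""
    wiki = Wiki(n_articles)
    got = set(fetch_all_by_offset(wiki, delete_lowest_article))
    return len(set(wiki.articles) - got)


def skipped_by_id(n_articles: int = 350) -> int:
    """Same measurement for the id-based client."""
    wiki = Wiki(n_articles)
    got = set(fetch_all_after_id(wiki, delete_lowest_article))
    return len(set(wiki.articles) - got)


if __name__ == "__main__":
    print("offset paging skipped:", skipped_by_offset())  # 3 with the default churn
    print("id paging skipped:    ", skipped_by_id())      # 0
```

With 350 articles and one deletion between each pair of batches, the offset client misses articles 101, 202 and 303 without ever seeing an error; the id-based client misses nothing. That is the practical difference between an identifier that belongs to the resource and one that belongs to the server's current ordering.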

Tuesday, November 12, 2013

OWASP Top 10 For the Average Internet User: Broken Authentication/Session Management

Where can it happen?

This can happen anywhere you need a username and password to log in, or anywhere that you are uniquely identified among other internet users.

What is it?

When you log on to a website, that website needs a way to identify your internet traffic and keep you straight from all of the other people out there. Let's say that when you log on to Facebook, Facebook tells you to identify yourself as user 150 every time you go to a new page. As long as you send that number, Facebook knows to show you your friends, allow you to post new status updates, comment on pictures as yourself, etc.

But what if I (as an evil internet hacker) decided to browse Facebook and send them 150 as my identifier? Suddenly I become you! I can ask for my (your) chat history and see what girls you've talked to, I can post witty comments on your mother's pictures, I can unfriend your girlfriend! Mwwahaha!

Why should I care?

We really just covered this, but in case you don't care that I can unfriend your girlfriend on Facebook, what if I get the session token for your bank? Or your Fandango or PayPal account? Now your finances as well as your social life are at my mercy, which is very bad.

How can I protect myself?

Make sure that your websites log you in over a secure connection. This means that you should log in over SSL (look for HTTPS at the beginning of the URL). Not many companies provide it, but it doesn't hurt to ask your bank or credit union how they handle your internet security before agreeing to do business with them online. That being said, the larger the company, the more likely they are to put time and resources into ensuring your online security.
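For readers who want to see what the "user 150" problem looks like from the server's side, here is an added example (not code from the post or from any site it names) contrasting that scheme with the usual fix: a long random session token, the token-to-user mapping kept on the server, and the token sent in a cookie flagged so it only travels over HTTPS and cannot be read by scripts on the page. The usernames and token length are constructed for the demo.

```python
"""A guessable identifier versus a random session token, and the cookie flags that protect it.

Constructed demo. The post's scheme hands you the number 150 and trusts whoever
sends it back; SessionStore instead hands out 256 bits of randomness per login and
only recognises tokens it issued itself.
"""

import secrets
from typing import Dict, Optional

TOKEN_BYTES = 32  # 256 bits of randomness per session token


def guessable_identifier(user_number: int) -> str:
    """The post's scheme: the identifier *is* the user number, so anyone who
    knows (or guesses) the number can present it. Shown only for contrast."""
    return str(user_number)


class SessionStore:
    """Server-side table of issued tokens. The browser only ever sees the token,
    never the user number it maps to."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # token -> username

    def login(self, username: str) -> str:
        # secrets (not random) is the right module: it is meant for security tokens.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = username
        return token

    def whoami(self, token: Optional[str]) -> Optional[str]:
        """Who does this token belong to? Unknown or made-up tokens map to nobody."""
        if token is None:
            return None
        return self._sessions.get(token)

    def logout(self, token: str) -> None:
        # Forgetting the token server-side is what actually ends the session.
        self._sessions.pop(token, None)


def session_cookie(token: str) -> str:
    """Value for a Set-Cookie header. Secure keeps the token off plain HTTP;
    HttpOnly keeps it away from page scripts; SameSite=Lax limits cross-site sends."""
    return f"sid={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


def cookie_is_hardened(set_cookie: str) -> bool:
    """Check a Set-Cookie value for the two flags that matter most for a session token."""
    attrs = {part.strip().split("=")[0].lower() for part in set_cookie.split(";")[1:]}
    return {"secure", "httponly"} <= attrs


if __name__ == "__main__":
    store = SessionStore()
    token = store.login("alice")
    print("cookie:", session_cookie(token))
    print("token recognised:", store.whoami(token))          # alice
    print("guessed number recognised:", store.whoami("150"))  # None
```

The point of the contrast is that the server, not the browser, decides who a token belongs to; guessing someone else's session then means guessing a 256-bit value, not a small integer.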

Tuesday, November 5, 2013

OWASP Top 10 For the Average Internet User: Injection

Where can it happen?

This can happen anywhere that a website allows users to enter text (literally anywhere: comment boxes, Twitter updates, payment fields, username and password fields, etc.) or anywhere that a website accepts text from the internet.

What is it?

A computer program is really just a series of letters and symbols, put together by a person, that a computer understands as instructions and then executes. When a computer program (like a website and your browser) handles text that you type, the distinction between the text and the program is something the computer itself has to draw. Think of it like a chocolate bar in a wrapper. The wrapper contains the chocolate bar and you can tell the difference, so you know to eat one and not the other.

But what if someone made a wrapper that looked and smelled like chocolate? You'd probably wind up with a mouthful of paper.

Injection is someone making the text they type into your website look and smell like program code so that the computer will run that code.

Why should I care?

Usually the injected program is SQL or JavaScript. Both of these are very bad. JavaScript can make your browser do almost anything; the possibilities are limited only by the attacker's imagination and the time they have to search for JavaScript tricks on the internet. If the attacker can find enough information about the website, they can pull a lot of information out of it with SQL.

How do I protect myself?

Unfortunately this one is mostly on the people running the websites. The best thing you can do is to be careful which websites you visit. If someone sends you a link that doesn't look familiar, or you don't know why they're sending it to you, find out more from them first.

You can also search for the name of the website on Google. If you add "virus" or "malware" to the website's name, Google should return some helpful results telling you whether the website is known for suspicious activity.
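Since the fix for injection belongs to the people running the website, here is what that fix looks like in code. This is an added example, not code from the post: a small in-memory SQLite table with made-up users, and the same login lookup written two ways. The first pastes the typed text into the SQL string, so the "wrapper" and the "chocolate" become indistinguishable; the second hands the text to the database as a bound parameter, so it is treated as data no matter what it contains.

```python
"""Text that looks like program code: a concatenated SQL query beside its parameterized form.

Constructed demo using SQLite's in-memory database. The users and passwords are
made up; in real systems passwords are stored hashed, which is a separate topic.
"""

import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Build a throwaway table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """VULNERABLE: the typed text is spliced into the program text, so a quote
    character in the input changes the shape of the query itself."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """FIXED: the query text is fixed, and the driver binds the values in at
    execution time; nothing the user types can become part of the program."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def compare(name: str, password: str) -> dict:
    """Run both versions on the same input so the difference is visible side by side."""
    conn = make_db()
    return {
        "concatenated": lookup_concatenated(conn, name, password),
        "parameterized": lookup_parameterized(conn, name, password),
    }


if __name__ == "__main__":
    print(compare("alice", "correct-horse"))   # both find alice
    print(compare("alice", "wrong"))           # both find nobody
    # Text that reads like SQL: the concatenated version is fooled, the bound one is not.
    print(compare("alice", "' OR '1'='1"))
```

Running the last line shows the concatenated lookup returning a user even though no password matched, while the parameterized lookup returns nothing. That is the whole defence in one change: keep the program text constant and let the database driver handle the data.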

Monday, October 28, 2013

And now go write the perfect program....or you will die!

As a disclaimer, this post is mostly me reassuring myself that I shouldn't give up computer science completely and go live as a hermit somewhere.

Wednesday, October 23, 2013

I want an iPad! Part 2



In the previous post we established that tablets are in general a good idea for executive/VP/management-type jobs, so now the big question: Android, iOS, or Windows tablet?

Sunday, October 20, 2013

Miss Teen USA Hacked

My wife recently showed me an article about Miss Teen USA having her computer hacked. Let me start off by saying I know this is a delicate subject and I have a lot of sympathy for this lady as I know people who have gone

Monday, October 14, 2013

Tuesday, October 8, 2013

Security Theater: Checking a receipt

This isn't a technical post, just something I noticed when I was in a Sam's Club recently (if you don't know, it's basically Costco).



Wednesday, October 2, 2013

When a Script Becomes an Application (Sub: "What? It has to do that too?/You're still using that?/Come on guys, it's not that many lines!")

I've posted a couple times recently about a migration project between one wiki to another and work I've done to create a script to move the content. I'm going to give a spoiler here: Whenever you offer to automate a part of a project and prove you

Tuesday, September 24, 2013

Program all the things!

I'm going to walk you through a scenario that's played out over the past couple of months after I set up a Tomcat environment for a developer at our company. It's gonna be condensed and go fast, so

Tuesday, September 10, 2013

Dot on Dot off

We can all agree that the folks over at Google are web programming wizards, right? If you've ever even heard of Google Docs and what it does with JavaScript, you won't argue with me (not that you could anyway, this is a blog, not a conversation).

Now that we're all on the same page, let's poke fun at

Monday, September 2, 2013

Read the whole stacktrace/Be careful when using spring

As a disclaimer, I am critical of a lot of Spring frameworks. Don't get me wrong, they're often useful and can save a lot of time when they're used right. But it's really easy to shoot yourself in the foot (or the head) when using a lot of them. For this post, exhibit A will be Spring DI. I recently had a developer forward me the following exception:

Tuesday, August 20, 2013

Security Theater: Believing Screenshots



I heard a statement today that interested me greatly. I'll quote it directly for accuracy:

"Our auditors accept screenshots for proof of our licensing use, but not spreadsheets because spreadsheets can be manipulated."

Wednesday, August 14, 2013

Overflowing

Do you ever have trouble learning outside of work? I certainly do. In college, during the summers, I felt like I had tons of time and concentration to dedicate to personal projects and ideas. Now, when I try to pick up a technical book outside of work, my brain stalls. Half the time, when I try to pick up a technical book at work, my brain stalls. Here's my theory. Your brain is like this:


And the water is all of the topics you're expected to keep

Tuesday, August 6, 2013

Platonic Computer Science



Recently I encountered a file permissions issue. Long story short, I had a service that needed to run a .bat file, but because of a Windows quirk, it needed list access to the root of the drive the file was on. I called up my friends at our Information Security department and after getting transferred around a bit, I was informed that their policy was to not grant special access to the root of any

Monday, July 29, 2013

Knee-jerk Scripting

Some people become programmers because they like math, some because they like video games, but most because they are lazy. That's right, lazy. Picture this scenario (the names have been changed to protect the guilty).

Monday, July 22, 2013

Hold on....why did they let it do that?

When we work with computer systems, we rarely imagine the people who designed them. If we do, we only think of them in their work context, abstract entities that give us their product and answer our questions about it. We don't like to think about them being dumb, or having a sense of humor. I'm not sure which of those two to chalk this

Tuesday, July 16, 2013

I was told there would be support?

If you work in a technical position and use any sort of vendor product you have likely had to call them for help with their technology.

Here we run into a question: do you have engineers answer the questions more slowly or hire non technical people to answer more quickly.

Thursday, July 11, 2013

No Progress Bars in Hacking

I have played through the following scenario at least three times now.

Me: Hello Information Security, I need admin access to <server> for <amount of time> to complete <activity>. Would you be able to give it to me?

Info Sec: Thanks for the request. We'll get back to you.

Thursday, March 7, 2013

Perspectives: Purchasing Technology

As someone who works in enterprise IT, I can understand developers' frustration with purchased technology. As developers, however, we must learn (for the sake of our own jobs, if for no other reason) to understand the perspectives of those around us. Doing so will allow us to fully understand the roadmap behind business decisions, and provide the organization with synergy. Take an enterprise-class web server, for example. This tool could potentially be perceived in any of the following ways . . .

Purchasing