Taking The Red Pill: Thoughts On A Week of Professional Hacking Training
This week I really got to see just how deep the rabbit hole goes. Five long days sitting in a lab in Orlando with 20 professional hackers has opened my eyes to just how insecure the systems and connections we trust every day really are. The experience was nothing short of mind-bending. Passwords were pulled from the air at the touch of a button, CNN’s home page was defaced in front of my eyes, and tens of thousands of dollars could have easily gone “missing” from e-commerce websites at checkout - and these guys were loving every minute of it. The bigger and more complex the hack, the greater the bragging rights, and the capture-the-flag competitions in our little “closed loop” lab got pretty intense. I say this with a smile - I’m just as paranoid now as I am stricken with awe and admiration of people who have mastered this particular brand of technical hocus pocus.
Before last week, I was pretty green when it comes to black hat hacking - I’m grateful for having the opportunity to learn so much and meet the great group of guys that took part in the pilot training program. It’s funny, I hear horror stories from my clients all the time, but I’ve never really seen the true extent of what is possible by looking over the shoulder of someone waving the magic wand. This week was awesome because I actually got to get my hands dirty and try things in a closed network that I couldn’t even attempt in my own time without breaking the law. For that reason alone, this week was invaluable - it gave us all a chance to trade our white hats for black ones, if only for a few afternoons, and get to “know our enemy” on a much more intimate level. For those of you wondering, here’s a high level overview of what 50 hours of “Ethical Hacking” training covers:
- Abusing DNS
- Abusing SNMP
- Passive intelligence gathering (techniques for gathering info remotely, what types of info bad guys go after and how multi-pronged attacks are planned)
- Hacking TCP/IP
- Stealthy Network Recon Techniques
- Breaking Windows and Unix Passwords (terrifyingly easy, btw)
- Learning exploitation (using zero days, reverse engineering and gathering info on known exploits from the net)
- Exploiting Windows OS, Apps and Linux (ever seen someone hack into a machine by writing and executing code directly into windows media player? Jaw dropping stuff)
- Deep Target Penetration (how to go after info on the CEO’s laptop from outside the firewall, for example)
- Offensive Sniffing (you’d be shocked at how many passwords you can get with free tools just sitting in a hotel lobby)
- Covert Channels (think a firewall can stop everything? Wrong.)
- Covering Your Tracks (manipulating logs, using steganography to hide information in plain sight, matching traffic types and patterns, exploiting how intrusion detection systems work)
- Wireless insecurity (this module made me never want to connect to the net in public places again, but also taught me how to get free wireless at just about any Starbucks or public hotspot - very cool)
- Attacking Routers
- Hacking Web Apps (defacing web pages, e-shoplifting and SQL injection to exploit interfaces with web databases etc. - coolest thing was that we saw the instructor change the price and quantity of an expensive set of items in his shopping cart on a real e-commerce website using just a free Firefox extension.)
All of this is pretty scary stuff, really.
Overall, my memories of this week will be bittersweet. The good is that the experiences I had will significantly change the way I approach my work from now on, and will definitely improve the way I engage my clients. The bad is that… I can’t go back to not knowing what’s out there. I worry that the geek in me won’t get the same kind of “job-well-done” rush that I used to get when I’d finish a security assessment or an IT audit. A week ago, I thought we were really designing good full-body armor, but now it feels like I’m handing my clients some cheap fencing gear, patting them on the back and reassuring them that they should feel confident about going into battle. My heart sinks a little, you know? I know now that we just don’t have the budgets, the equipment or permission to be able to do what’s truly necessary to protect a company’s systems from the really dangerous attackers. That all may change as our industry evolves, but for now, the cold hard truth is that even an IT security expert with an unlimited budget, no restrictions and infinite time couldn’t get your risk to zero. It’s a scary world out there and my eyes are wide open. The only question now is, if Google can be your worst enemy, and novice hackers can download powerful tools for free, and attack an organization from virtual, anonymous “clouds” from anywhere in the world without much fear of getting caught, how do you really circle the wagons effectively? Or more importantly, how do you stop paranoia getting the best of you?
What Matters Most When Determining Popularity Across the Web? All Time Stats or Momentum?
Fraser, Alex, Adam, Pat and I are having an awesome debate today on the BlueBlog. Feel free to weigh in.
On context: http://tinyurl.com/6qqbnk and the “Beckett Rule”: http://tinyurl.com
The Mystery Box
J.J. Abrams is just plain awesome. Thanks to Alex for twittering this link.
Getting To Know You In 140 Characters Or Less
At first glance it might seem counterintuitive that microblogging could allow you to get to know someone more intimately than a regular blog. Closeness and familiarity in 140 characters or less? You might ask yourself: What could I possibly say in a series of text messages that would be meaningful enough for acquaintances to bother to keep reading? People everywhere are discovering that the answer is actually “a lot”.

A fundamental fact about microblogging platforms like Twitter is that the mobile devices we use and the speed we can post changes not only how we blog, but what we blog. Stuff that I’d never blog about makes it to Twitter, and I’m sure that’s true for most Twitter users. Even capping out at 140 characters per post, a stream of small posts about where you are, where you’re going, what you’re doing, eating, enjoying, reading, watching, feeling in near real time is actually far more personal and meaningful than reading a more lengthy article written by someone on the realities of, say, “microblogging.”
The recent rise and success of microblogging platforms like Twitter has shown us that people crave the personal, even in short snippets. Places you go, meals you enjoy, small comments and opinions on things you like as you’re experiencing them. These snippets of personal data matter in the blogging world. That they matter, coupled with the fact that microblogging allows us the speed and convenience to share this data with others conveniently, means that microblogging will only increase in popularity.
(Here’s my Twitter link for those curious folks interested in following me.)
The Rise Of The Liveblogging Phenomenon
It’s amazing how fast information travels nowadays. With rapid adoption rates of multi-function, browser-ready devices like the iPhone becoming a norm, people are blogging constantly - Liveblogging, a term that I’ve seen used on tech-centric blogs like TechCrunch and Read Write Web, describes the act of blogging an experience as it’s happening. I didn’t notice how common a phenomenon liveblogging was until going to ETech - during keynotes and presentations people would hold up their iPhones, take a picture of the slide and then quickly email it to themselves and (presumably) post it to their blogs, even before the next slide was up. Talk about rapid exchanges of information - imagine a TechCrunch blogger posting in real time to 753K RSS readers around the world. Recently, I’ve seen tons of “liveblogged” posts on tech blogs - yesterday’s post on CrunchGear titled Live from the CTIA Wireless 2008 Keynote is a perfect example of the Liveblogging phenomenon - you can even see people’s heads in the photos showing the slides. Of course, along with people photoblogging using their iPhones, they’ve also got their laptops open, Twittering and emailing at the same time. Doesn’t anyone just listen anymore? You can be damn sure that tons of new apps for the iPhone (and similar devices) are going to focus on streamlining these kinds of activities.
Here’s a video I found on YouTube that shows just how easy it is to Blog in real time on an iPhone. For those of you wondering, no I don’t have one, and yes, I do want one. Badly.
Analysing The Results Of The Gmail Custom Time April Fools Post
So yesterday was April fools day, one of my favorite days of the year. Suffice it to say that I was bored at work and feeling a bit mischievous. Although the bullpen I sit in is full of lively and fun-loving IT and forensic accountants, the morning went by without incident, which was pretty lame and disappointing (Everyone’s trying to close out their 3-31 projects, so I can’t blame them really). By noon I was dying to see something go down. And then I saw Gmail’s little “Custom Time” April fools spoof and decided to try and have a little bloggy fun on my own.
To be completely honest, I didn’t really know what to think of the Custom Time page that Google put up. It was definitely creative, but it seemed so obvious, and not that funny… would people even notice? Would they really believe it? Was it worth it to Google to actually pay a team of employees to brainstorm the idea, make a creative, and go through the process of getting engineers to add a little red link in the top right hand corner of Gmail for just a day? I asked a couple of guys at work what they thought and I got some quick validation - Creative, but also obvious, pointless and ignorable. A couple of guys even said they were really irritated at first. Interesting. Still, I wasn’t convinced that my IT audit buddies were a true representative sample of “all Gmail users.” I needed some hard data. After all, these guys spend all day analyzing data for potential fraud. So after I got back from lunch I decided it was worth a half-hour to see if I could push the lie and get a rise out of a few people. In retrospect it was a feeble attempt to have some fun, but I half expected some people to be legitimately pissed. Maybe non-Gmail users hadn’t heard about it or didn’t notice? Maybe people knew about the spoof, but thought it was lame… but maybe some people were infuriated? I was legit curious. All things considered, I started to wonder how April-fools-aware the average StumbleUpon user really was, and, given that it was April 1st, I posted a quick-and-dirty rant about Google being evil.
After hitting “publish” and asking a couple of friends to stumble the post, I waited. I half expected a bunch of comments that just called me out — Hey idiot, it’s April Fools! — Fraser gets 50 points for his reaction time and wit in that regard. But I was secretly dying to spark some heated debate about the sanctity of time with at least a few unsuspecting idiots, who, unaware that it was 04/01, might have felt threatened/outraged by Google’s little white lie. Despite a small spike in traffic to 113 unique visitors yesterday, I had no such luck in that regard. In fact, I only got one comment from a stumbler: “hahahah. That’s funny”. But the data I did get from Google Analytics was interesting enough, and confirmed that either (A) I am a bad liar, or (B) most stumblers agree with the IT Auditors. The truth is probably a mix of both ;-). As you can see, the high bounce rate and low average time spent on the post show pretty definitively that people didn’t care at all, and the lack of comments on the post confirms it, which, I think, begs a few questions. Did people even notice or care about the spoof yesterday? Did people think it was funny? The title of this morning’s TechCrunch post “Gmail April Fools Not Very Funny. On The Upside They Started A Wikipedia War” kind of says it all. And 753,000 RSS readers were delivered that slag post this morning. So why did Google devote any resources to the spoof at all if they ran the risk of pissing people off, and provoking bad PR on big blogs like TechCrunch? Thoughts anyone?
Gmail’s New “Custom Time” Feature Opens The Floodgates to Time Stamp Manipulation
You’ve probably seen novelty programs like TimeMachiner that allow you to send emails into the future. But what about being able to send emails into the past? Better yet, what about being able to send emails to a recipient marked as read into the past? Gmail’s new beta “custom time”, which was released yesterday, lets you do just that. Kiss your trust in time stamps goodbye.
At some point, we’ve all had or witnessed (some form of) the following argument:
Person A: Why didn’t you do X? Dude, I sent you an email about that a week ago….
Person B: No you didn’t. I check my email 40 times a day. I would never miss something like that.
Person A: Check your email. Trust me. It’s there…
From now on, if you’re “Person A” in this argument, it’s entirely possible that you’ll rush to your inbox expecting validation and instead be surprised and embarrassed to find a “read” message from “Person B”. Of course, you’ve never actually read the message before, but there’s no way to prove that you didn’t. What do you do then?
I’ve always found comfort in the sanctity of time stamps. I trust and count on them, so just reading about this beta set me on fire. In regular Google fashion, they’ve made the functionality super easy to use, which makes it all the more terrifying.
The only saving grace, really, is that Gmail says it’ll limit users to just 10 pre-dated emails per year, citing that Google researchers have concluded that “allowing each person more than ten pre-dated emails per year would cause people to lose faith in the accuracy of time.” Maybe it’s just me, but it would only take ONE pre-dated email showing up in my inbox to render me faithless.
If you haven’t seen the testimonials on the Custom Time Beta description page, I wholeheartedly encourage you to take a quick gander over there. I’ve captured my favorites in a screenshot. Dude, I thought Google’s motto was “Don’t Be Evil”?
What do you think? Please comment freely.
Praying for A Premium News Jackpot
Adii’s running a contest that WordPress theme designers can’t miss. Along with re-releasing upgrades of all the Premium News Themes this week (Live Wire, Original, NewsPress, Flash News & Gazette Edition) Adii’s made a new All-Inclusive Developer’s Package available. The package includes Developer’s Licenses for all 7 themes, allowing the owner to use any theme on as many websites as they wish. The package is available for purchase at $499.95, which is a fantastic deal for any aspiring designer (this aspiring designer definitely thinks so!).
So what’s Adii’s contest about? It’s pretty simple - you can win yourself a copy of the new All-Inclusive Developer’s Package by blogging about the contest. Right on. Being a hardcore Photoshop and WordPress junkie, I’ve always wanted to dive into WordPress theme design development. I so admire the functionality that Adii’s team has packed into the Premium News Theme designs, but being a self-taught coder, I’d have to go to great lengths to add all that functionality in myself. To start out on projects with one or two of Adii’s function-packed designs would be a dream - being able to leverage the care that’s been put in on the back end would really allow me to focus all my energy on tweaking the designs and turn the themes into something unique and different.
My personal favorite of the 7 is the Gazette Edition. I’ve had my eye on it for a while, and I’m pumped that Adii’s added the recent Live Wire-inspired upgrades. The rotating featured post section, along with the prime ad spots, makes it a perfect candidate for my next blog project redesigningtheworld.com, a blog focusing on rethinking design(s) we take for granted. I’ve been psyched about the project and I’ve been hunting for just the right theme, so winning this contest would make my year. It’s so important to launch a blog with a great, unique theme and Adii’s work continuously sets the bar for WP design. In this humble blogger’s opinion, his attention to details like the Premium News Theme’s admin panel (making populating ads, video, flickr streams etc a cut and paste job) does so much for people who want to focus on content, not code. Attention to those kinds of details makes him a trend-setting designer, and sets him apart from other Premium Theme designers like Brian Gardner and Michael Pollock. In any case, that’s my two cents. Until April 4th, I’ll be sitting on the edge of my seat.
Feasting With A Foodie
We all eat, but some of us enjoy it more than others. Sometimes a lot more. Eating with someone who truly appreciates not only food, but everything that goes into the experience of eating, can be a total joy.
Last night I went out to dinner with a “foodie” friend of mine, Kevin, a staff writer for LAist.com whose up and coming blog 50meals.com is a must read for food-lovers living in, or around, Los Angeles. I admit that I go out to eat sushi a lot when I’m on projects in L.A., but I had never been to Little Tokyo, so when Kevin, a seasoned pro, excitedly suggested Sushi Gen I was in. From beginning to end, the night was full of lively conversation about food, life and all the small things that make the whole experience of meals so great.
What I love about Kevin is that his energy and appreciation of all the meal’s details is infectious. He doesn’t just talk about food being “good” - Textures, aromas, colors and flavors all get an uncommon level of attention in the across-the-table banter. And, of course, sometimes no words are necessary - you can see it written all over his face when he takes a bite of something he’s really satisfied with. He totally lights up. (Kevin - how good was that melt-in-your mouth toro, or that black cod!?). All in all, the night reminded me of just how important it is to be around people who appreciate the small, simple things that make an experience joyful. Thanks to Kevin for such a memorable night in L.A.!
Think No One’s Listening? Think Again.
The power of the Internet totally fascinates me. Not 12 hours goes by after I publish a post reviewing The Adsense Code and the AUTHOR shows up on my blog. That’s kind of a mind f#@$. Thank god I really liked the book. lol. It just goes to show you that even though there are millions of blogs out there, word can get around quickly and people can find you in an instant.
