Certification resource: Professor Messer

Certification Students:

You never can get enough review and practice. CompTIA provides, of course, their certification objectives on their site http://www.comptia.org/, as well as some sample questions.

I have mentioned Proprofs.com to most of you; it’s a decent practice and community site at which you should spend some time.

Recently I learned of Professor Messer, at http://www.professormesser.com/. The focus there is on online video training, which is a very good complement to our time in class and your own study time. As I’ve discussed many times, optimal learning happens when you use multiple learning modalities. Give it a try and let me know what you think.

A Hacker Space in Albuquerque

New contributor VM (now there’s a good set of initials) let me know: there’s a “Hacker Space” here in Albuquerque called QueLab. Their website is at http://quelab.net/wordpress and in fact they recently ran a swap meet.

They’re talking about “hacking” in the classical sense: modding machinery, making it do things far beyond original specs, that kind of thing. So it’s not per se a “cracker” club, which is to say, their focus isn’t on penetration testing.

That said, it looks like a cool org, with lots of machinery that’s been donated. Could be fun!

Thanks VM.

Windows 7 God (or Satan) Mode

How about that: there’s a hidden master control panel in Windows 7 (surprise, surprise!) that you can access by creating a specially-named folder. Voila! That folder gives you “God Mode” access to all sorts of interesting things. Since I primarily work on a non-Windows platform, I’ll have to, ahem, access a Windows 7 machine to try it.

As one tipster tells me:

Hey Glenn,

Here’s the God Mode trick. Just make a new folder in windows and paste in this name:

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

Have fun!

Oh, yes. That’s sweet. So please, tell me more about undocumented means of accessing and modifying system configuration.

I did a quick AltaVista and found a CNet article with some details:

Understanding Windows 7’s ‘GodMode’

http://howto.cnet.com/8301-11310_39-10423985-285/understanding-windows-7s-godmode/

Just one thing: what do you want to bet this is disabled in a patch or service pack soon?

Webutation.net: Rating the web reputation of websites

You know quite well by now that some websites are places you shouldn’t go. But if you ask 100 users, 99 of them will shrug and say they don’t go anywhere unsafe.

Yes, ignorance is bliss.

But what tools do we have to judge our degree of trust in a website? Webutation.net is trying to give you one: http://www.webutation.net. They grade sites along several parameters: direct reviews, Google Safebrowsing (sounds like an oxymoron), virus reports, Web of Trust, and child safety or “G” rating.

Amusingly enough, they consider my site quite safe: http://www.webutation.net/go/review/gnorman.org. As always I leave you to make your own judgements.

Don’t piss off the IT guy

One of the hottest areas of security auditing is auditing the actions of IT administrators. Admit it: we have unparalleled access to everything. We dictate other people’s privileges. We enforce, if not outright make, the rules.

Which is why rogue IT admins are so dangerous. They can do everything from punking you, to destroying your company or paralyzing a city government. Check out this story at http://www.cracked.com/article_19528_5-true-stories-that-prove-you-shouldnt-piss-off-it-guy.html:

5 True Stories That Prove You Shouldn’t Piss Off The IT Guy

Networking: 10 things not to do when running network cable

If you’re not familiar with TechRepublic, you should be, for a very large number of reasons. Networking students, for instance, can really benefit from articles like this one that clarify some of the basics. If you’ve pulled cable for years, you probably take these things into account already. But if you’re new to the game, you should read “10 things you shouldn’t do when running network cable.” See the whole article here:

http://www.techrepublic.com/blog/10things/10-things-you-shouldnt-do-when-running-network-cable/2837?tag=nl.e101

Bonus points for advanced network techs: How many of these things can you name before reading the article?

You have the right to privacy, unless you are a Facebook user

I do very openly use Facebook, with a high degree of self-censorship of course. I came to the game late and leery, and still have grave doubts about Facebook. Are they really looking out for my best interests? Because we all should clearly understand that any corporation is bound by corporate law to maximize profit, regardless of the costs or benefits to users or the public. Do you, for instance, really believe that Bank of America has your best interests at heart? Because, although legally a corporation is a “person,” it has no heart. Nor can it be imprisoned for crime. Awfully convenient, isn’t it?

So, about cookies: these little bits of user information have long been suspected of a potential for evil. This has been mostly unjustified. However, you do have to be aware that Facebook can access Facebook.com cookies from any site that displays a Facebook button. Which makes for a magnificent way for Facebook, and its affiliates, to track you as you move from site to site. Maybe that doesn’t bother you.

Maybe it should.

See this story at http://extragoodshit.phlap.net/?p=148138:

Facebook tracks sites you visit even after logging off

NEW YORK: Facebook has reportedly admitted tracking which sites its users visit even after they log off, thanks to plug-ins and cookies.

Facebook, which has more than 800 million active users, also keeps close track of where millions of non-members of the social networking site go on the web, even after they visit a webpage for any reason only once, USA Today reported.

No problem, right? Except that Facebook has become a prominent target of attacks, like the recent porn-storm that swept some users’ pages:

http://www.computerworld.com/s/article/9221904/Facebook_users_reel_from_porn_spam_attack

But hey, you can always request your data from Facebook, and see exactly what they’re keeping, right? Well, no, not really. You used to be able to, but now you get much less, because they claim some data is their intellectual property:

http://www.zdnet.com/blog/facebook/facebook-releasing-your-personal-data-reveals-our-trade-secrets/4552

Apply trust analysis to this situation. Remember, any one answer can be grounds for complete non-trust.

Symmetry: Does Facebook allow you to gather data about its functions and processes? Actually, that would be a violation of your Terms of Service.

Transparency: If you’re providing complete data, will you or nill you, is Facebook required to do the same? Ha, ha ha ha!

Integrity: Meaning, do the rules of the game change mid-play? Only every time Facebook changes its Terms.

Consistency: Is Facebook consistently safe, secure and considerate in its practices? Good grief, how can you even ask?

I’ll leave you to ponder the remaining trust parameters. See this article on InfoSecIsland for a good, and simple, example of trust analysis:

https://www.infosecisland.com/blogview/14652-Broken-Trust-Part-1-Reflections-on-RSAs-SecurID.html

The one that finally wins out, however, is:

Value of Reward: Is what I get from Facebook worth what they’re gathering on me? So far, I keep deciding in the positive. It’s looking like a potential bargain with the Devil, though. Good thing I like those shared photos and stuff.

You have the right to privacy, except when you use Google

For those who don’t work in the industry, understand that Europe has some of the most rigid privacy laws in the world. It’s a downright certainty that there is going to be a huge inquiry into Google’s release of European citizens’ online information to US authorities. Google, of course, is caught between a rock and a hard place.

Clearly, it’s incumbent on all of us to understand with whom and what we’re dealing when we use Google in any of its myriad forms. I do not use Google metrics, Google email, Google Docs, Google AdSense or Google AdWords, precisely because of privacy concerns. Your mileage may vary; choose based on your own judgement.

Here’s the story from ZDNet: http://www.zdnet.com/blog/igeneration/google-admits-patriot-act-requests-handed-over-european-data-to-us-authorities/12191:

Google admits Patriot Act requests; Handed over European data to U.S. authorities

Google has become the latest company to admit the vulnerabilities of an insecure European cloud due to the USA PATRIOT Act….

Specifically, U.S. intelligence, according to one source, asked Google to hand over data stored in a European datacenter.

Admitting to complying with Patriot Act requests, it follows Microsoft’s admission earlier this year, proving that EU-based data is insecure and at risk from U.S. inspection, if local subsidiaries are linked to a U.S. based headquarters.

Google confirmed this to German media group WirtschaftsWoche.

You have the right to privacy, except when you’re on the phone

From http://www.philzimmermann.com/EN/testimony/index.html:

Testimony of Philip R. Zimmermann to the Subcommittee on Science, Technology, and Space of the US Senate Committee on Commerce, Science, and Transportation.

26 June 1996….

I’m the creator of PGP (Pretty Good Privacy), a public-key encryption software package for the protection of electronic mail. Since PGP was published domestically as freeware in June of 1991, it has spread organically all over the world, and has since become the de facto worldwide standard for encryption of E-mail, winning numerous industry awards along the way. For three years I was the target of a criminal investigation by the US Customs Service, who assumed that laws were broken when PGP spread outside the US. That investigation was closed without indictment in January 1996….

In 1991, Senate Bill 266 included a non-binding resolution, which if it had become real law, would have forced manufacturers of secure communications equipment to insert special “trap doors” in their products, so that the government could read anyone’s encrypted messages. Before that measure was defeated, I wrote and released Pretty Good Privacy. I did it because I wanted cryptography to be made available to the American public before it became illegal to use it. I gave it away for free so that it would achieve wide dispersal, to inoculate the body politic.

The 1994 Digital Telephony bill mandated that phone companies install remote wiretapping ports into their central office digital switches, creating a new technology infrastructure for “point-and-click” wiretapping, so that federal agents no longer have to go out and attach alligator clips to phone lines. Now they’ll be able to sit in their headquarters in Washington and listen in to your phone calls….

A year after the 1994 Digital Telephony bill passed, the FBI disclosed plans to require the phone companies to build into their infrastructure the capacity to simultaneously wiretap one percent of all phone calls in all major US cities. This would represent more than a thousandfold increase over previous levels in the number of phones that could be wiretapped. In previous years, there were only about 1000 court-ordered wiretaps in the US per year, at the federal, state, and local levels combined. It’s hard to see how the government could even employ enough judges to sign enough wiretap orders to wiretap 1% of all our phone calls, much less hire enough federal agents to sit and listen to all that traffic in real time. The only plausible way of processing that amount of traffic is a massive Orwellian application of automated voice recognition technology to sift through it all, searching for interesting keywords or searching for a particular speaker’s voice. If the government doesn’t find the target in the first 1% sample, the wiretaps can be shifted over to a different 1% until the target is found, or until everyone’s phone line has been checked for subversive traffic. The FBI says they need this capacity to plan for the future. This plan sparked such outrage that it was defeated in Congress, at least this time around, in 1995. But the mere fact that the FBI even asked for these broad powers is revealing of their agenda. And the defeat of this plan isn’t so reassuring when you consider that the 1994 Digital Telephony bill was also defeated the first time it was introduced, in 1993.

Sky God Ole Olson’s Hang Gliding Thrillogy

My other major interest in life, hang gliding, spills over from time to time onto this page. It is so much like security: the thrilling challenge, taking your heart in your teeth and leaping, occasionally the dismay of calamity.

Long-time hang-gliding legend John Quinn “Ole” Olson led the Fly Mexico tours for years, and has the stories to prove it. He’s collected them into three volumes of raw, no-bullshit, naked truth. A good deal of it is purely hilarious: misadventures with Euro-trash sky-scum, knuckleheads of every kind, and an, uh, object too large ever to flush like it should. There are plenty of tales, too, that we in the hang-gliding world call “There I was, thought I was gonna die” stories. Including one where Ole very nearly does.

Ole just got a nice review on NewBookJournal.com, which I quote below. If you’ve ever been curious about the flying that hippies invented, get a paper or digital copy of one of his books, and you’ll likely laugh so hard you’ll buy all three.

From http://newbookjournal.com/2011/11/the-wild-blue-yonder-series-by-john-quinn-olson/ :

Three tales from “The Wild Blue Yonder” series by John Quinn Olson — Recipes for Disaster, Living Dangerously and Taking Mexico Flying

Tales From The Wild Blue Yonder *TAKING MEXICO FLYING* by John Quinn Olson


Flier Recounts Foot-Launched Flight

After more than 30 years of flight, veteran hang glider and trike pilot John “Ole” Olson has published a trio of flying adventure books, Tales From the Wild Blue Yonder, which are now widely available as paperbacks and e-books.

John Quinn Olson, Port Huron High School Class of 1971, departed the flatlands in a big hurry after graduation, drawn by the lure of big mountains and high adventure. Nearly forty years later Mr. Olson has written three thrilling autobiographical novels—a Thrillogy—based on his experiences.

After a dozen years spent flinging himself off cliffs and mountains from Vermont to California on skis, one fine day Mr. Olson saw his first hang glider and realized in an instant that Mankind’s Most Ancient Dream—to fly with the birds—had come to pass.

Joining his winged friends with enthusiasm and alacrity, the young adventurer determined to fling himself from the heights. Only now he would go up instead of down—up into the Wild Blue Yonder on Dacron wings, rather than down to the valley below on fiberglass boards. More…