Primate Brow Flash

This weekend is like “Leaving Lost Vegas” except with dairy products.

The time has come for The All-Day Breakfast Party

Inspirational OWASP meeting last night. The speaker, Andrew van der Stock, threw out many terms and ideas that he expected the audience to be familiar with. I wrote down many of these for later lookup.

• extJS is a woefully insecure ajax framework. If someone is using extJS, their application is likely vulnerable to Cross Site Scripting. In the words of a lead developer of extJS, Jack Slocum:
  

  “It’s not the view layer’s job to do data security cleanup. In fact, doing so there could have a huge negative impact on performance of your application. That should be on an entirely different layer. I would recommend that when you do validation of data entered, you also do clean up to remove any insecure content.”

  Wow. Run from this. Don’t pause to collect your stuff. Just Run.

• Clickjacking. In Andrew’s view, Clickjacking is going to render the internet unusable once it gets better understood. As I understand it, an attacker can position an invisible button above an ordinary button on a web page you are viewing. So,you think you click on a “Submit” button in some forum, but you actually click a hovering invisible button that ends up linking to your bank account or email account. Kind of like when Sylvester’s tail gets painted like a tweety bird and he bites it. At this point, noscript addon for Firefox is the only defense against this. but:
  

  For the moment, the best defense against clickjacking attacks is to use Firefox with the NoScript add-on installed. Users running that combination will be safe, said Hansen, against “a very good chunk of the issues, 99.99 percent at this point.”

  In the next breath, however, he called the Firefox-NoScript solution a stop-gap fix suitable only for technical users. “If my Mom was using NoScript, I’d be taking all kinds of technical support calls,” he said. “It’s not the right solution.”

  Interestingly, the noscript site itself employs clickjacking for more positive ends. The spot where you click, “Install now” actually has an invisible overlay of the real firefox add-ons site that your browser already trusts. This allows a more seamless install of the software because your browser thinks it is getting it from mozilla. Based on this example, I can think of 3 ways to implement clickjacking

  1. You visit a nefarious site that has coded an invisible button over one of the visible buttons on the page
  2. You visit a benign site that has been compromised into creating one of these invisible buttons
  3. You visit a site vulnerable to XSS that is then used to create a clickjacking situation.

  In each of these, clickjacking seems to be a combination of two or more other attacks (XSS,CSRF)

• ESAPI. This is one I should really have known about. It is a set of interfaces by OWASP that provide foils for each of the major web application attack vectors. The initial release is for Java, but .NET and PHP versions are in the works.
• HoneyComb Project: This is an attempt to create a comprehensive storehouse of information about application security. It exists in wiki form as well as a giant word doc.
• Paypal Security Key. Andrew was impressed by the security devices that Paypal gives to their users for next to nothing. Leading the way in two-factor identification over the web, Paypal has “The Security Key, “a device that generates a temporary 6-digit security code every 30 seconds. Use it every time you log in for added security” If Paypal can do this so cheaply, then everyone should.
• Log4J no security logging level. I use Log4J all the time, but never questioned why it didn’t have a security logging feature. I found “How to add a security logging level to Log4J“, but I’m not sure if it meets all the needs that Andrew had in mind. I’m going to test this out.
• Volunteers: OWASP needs volunteers. It needs PHP experts to work on the PHP ESAPI. It needs technical editors to work on the OWASP Guide for developers. Testers, writers, and wikipedians. It needs volunteers to organize the HoneyComb project. It is a good way to learn more, get your name out there, and contribute to a valuable organization.

In the most recent vmware release, we have the ability to break individual windows out of the VM and integrate them into the host’s desktop. I recently erased my windows Vista and replaced it with Ubuntu. I’ve been happy as hell with that switch, but still need to test web pages on IE. So, I have a windows VMware image and because of Unity, I can just tell it to give me an IE window on my Linux desktop. I understand that VMWare Fusion on Macs has had this feature for a while now.

I drove off with a heavy metal travel mug full of fresh coffee. When I turned a corner, the top-heavy, shitball travel mug tipped over onto the floor and began gurgling coffee out. By the time I pulled over and picked it up, it was nearly empty. Naturally, I screamed “BULLSHIT!” and smashed the cup holder as hard as I could with the mug. This spread the remaining coffee evenly over everything in the car and atomized the cup holder. Pieces of it ricocheted around the car for 15 seconds.

I saw a fascinating documentary about Lon Cheney, AKA The Man Of A thousand Faces, last night. Never heard of the guy until now. He made movies featuring grotesques. In “The Unknown” Alonzo the armless knife thrower falls in love with the lady he throws knives at (Played by Joan Crawford). Conveniently, she is afraid of being touched. Then it turns out that he is actually hiding his arms because he is a wanted murderer and his arms would give him away because ahhhhh! double thumbs. So here the audience is thinking this guy has no thumbs when he really has 4! Anyway, when he is discovered, he decides his life would be better if he really had no arms and so he has them removed for real. And so he goes back to this girl but she got over her fear of being touched and she’s getting married to the circus strong man. D’oh! So, then, Alonzo’s face does this half-hour long dance of grief, despair, and insanity. And that is probably one of the tamer plots. Midgets posing as babies. Insane clowns. Madness! It opened up a whole new world.

One spot just left me chilled in “The Miracle Man” View this and tell me that it isn’t the creepiest thing you ever saw:

Pulse is an Eclipse package installer. It not only manages mirrors and dependencies for eclipse and its packages, but it allows you to save (and share) profiles. The potential for this includes setting up a profile intended for the developers at your company so they don’t have to mess about installing their needed eclipse plugins by hand, making it easier for you to migrate your eclipse install between systems.

Last week, the installation was very slick indeed and I thought a new era of ease had arrived. Unfortunately, their servers (pulse or eclipse project) are moving verrrrrrry slowly today. I hope they nip that in the bud, toot sweet!

Here is the letter I just mailed to Senator Coleman:

Dear Senator:

I do not trust the “bailout” and I don’t think you should approve any legislation that comes with the warning, “approve this immediately and don’t debate it”. I kind of feel like I’m being called by some boiler-room punks pumping a stock. I also don’t like the language in the bill that takes all power away from congress and the judiciary to prevent abuse.

I’m also perplexed why we are being so gentle with these bankers who insisted on secrecy all these months and then show up with their hats in their hands and explain that they need 700 Billion “right away”. If, IF, we do some deal with them, I would prefer they be tied to chairs with red rubber balls stuck in their mouths while we pick through their assets for the ones we like.

Also, regarding your statements last weekend that we could make 10 to 20 times our money on this deal. Well, define “could” and then explain, if we could make 10 or 20 times our money, why there isn’t a private company interested in snapping up these “bargains” at this time. Then, you could explain why, if these assets are there for the taking today, why they won’t still be there next week, next month and even next year. Why can’t we buy them slowly as we see fit?

Now, If I can poke so many obvious holes in this plan, surely you could get together with economic experts, throw the current draft in the garbage and come up with a better plan.

Just finishing The Day of Battle, the second book in the liberation trilogy. Just as astounding as the first one, this features careful research into battle plans and military controversies that still rage today.

I’d heard of Anzio and Cassino before, but never knew how brutal they were. These fronts resembled the stalemates and waste of life of World War I. The allied generals certainly lacked any tactics newer than 1917. They also repeatedly underestimated the Germans. Allied victories were largely due to total domination by air and sea and artillery might. Complete access to German communications through ULTRA intercepts helped as well. Even with all that, the Germans still beat our asses repeatedly… until they didn’t. Most galling is the high fiving and bicep kissing in Sicily while the bulk of the German force escaped to the toe of the Italian boot. No one seemed to think it was their problem. Soon after that, another huge German force escaped from Corsica.

Certain stories I had never heard before. An allied cargo ship carrying mustard gas on hand in case the Germans started a gas war. In the harbor of Bari, this cargo ship was bombed and spread mustard gas over the port. Civilians and soldiers alike began to die of mustard gas exposure but the allied command decided to keep the existence of mustard gas a secret, so steps that might have saved lives were never tried.

I had always believed that the Germans had been using the Monte Cassino Monastery as a fort and lookout tower and so the allies had to destroy it. The German commander had carefully left the monastery alone and there were only monks and civilians in there when we demolished it with blockbuster bombs and artillery. After the monastery was destroyed, the Germans did fortify it, digging in machine guns and artillery among the body parts of monks and civilians. So it goes.

After reading these two volumes, where Germans fought like banshees, I found myself wondering how they were motivated to fight like that when the war was clearly lost. Surely the author could have replaced a biographical paragraph about some of these feeble generals with some speculation about the German psyche?

This is a good instructional video demonstrating exactly how Sarah Palin’s yahoo email account got hacked:

http://www.irongeek.com/i.php?page=videos/how-sarah-palin-email-got-hacked

Everyone who uses a web based email should view it. As you will see, it is pretty easy to pull this off.

Speaking of virtualization, I’ll review the talk I went to this week on virtualization and security. It was disappointingly devoid of details and high level to the point of not being much use, but I did take a few ideas home. One is that the main advantage of virtual systems, the fact that you can screw them up and then roll back to a previous version, turns out to be a disadvantage from a security standpoint because when you roll back, you risk rolling back out of security patches. Is this a constant concern? No, but it is an extra management step. Also of concern is the fact that when you take a snapshot of the vm, you collect what is living in memory as well as what is on the disk. He went into a lot of vague stuff about how the organization going virtual needs to change security tests without explaining exactly how or even giving one threat or breach as an example. For technology talks, and presentations in general:

1. Consider not using slides. Slides suck. They are a prop to hide behind
2. If you feel the need to show slides, don’t read from them.
3. A few anecdotes can save even the driest presentation. If you don’t have one single story or example to throw out to support your talk, you probably shouldn’t be giving it.
4. A little audience participation can also save a dry presentation. He had some SWAG to give away and he could have done so by throwing the items to people who answered questions.

1. In VMWare player, why does my vmware console come in a tiny screen? Because you suck! At least that’s what I thought for many months. I am using a ubuntu server vmware appliance without a windowing system. It turns out that the tiny console window is a function of the screen resolution in the linux guest. This is set in a file in your guest’s boot loader (in my case grub) It lives in /boot/grub/menu.lst. If you add your settings to the boot command, you can manipulate the screen size of your guest console. Detailed instructions are here and they work: http://ubuntuforums.org/showthread.php?t=258484
2. What do I do when my vmware image can no longer connect to the internet? Turn that frown upside down!
   The VMware guest works for a while and then stops being able to connect and if you download another one it won’t be able to connect either? Yeah, I’ve been there. Check Out: http://yoopergeek.blogspot.com/2007/07/vmware-loosing-eth0-after-youve-copied.html. In some cases, when you fire up the VM and are asked, “did you copy this vm?” and you click “I copied it”, your network interface eth0 ends up attached to a non-existent MAC address. if you do ifconfig -a, you will see an entry for eth1 and it will be unusable. To clear this, erase the file that links eth0 to the wrong mac address. On my guest OS (ubuntu server) this file was /etc/udev/rules.d/70-persistent-net.rules. Reboot. Then smile.
3. Can I delete some of those huge vmdk files? Yeah. You can also poke your eyes out and still see just fine. Give it a try. Sorry. I know what you’re saying. You start out with one large vmdk file. Then they breed like Catholics. You figure you should be able to delete one of the older ones. These files are virtual disks and vmware needs them for reasons I’m not clear on. There is a tool to consolidate some of these virtual disks and shrink the space they need a bit. It is part of vmware workstation, of course. If you are using vmware player, I would leave these alone.
4. I wish I could cut and paste between guest and host. If wishes were horses, beggars would ride.
   VMWare tools enables this. VMWare Tools is included in VMWare workstation. If you are using VMWare Player, begin with a VM that has vmware tools installed.
5. What is vmware server? If you like the idea of seven people fighting over the same cursor, vmware server might be for you. VMWare Server provides a virtual environment for multiple remote users and potentially multiple remote operating systems. It helps if those several users log in as different people. You have a server where several VMs are installed. Your co-worker can log in to this server and do his work. You can log in and see it. Just like a real server. The VMware server product is a console interface where you can configure and use your various remote vmware instances.
6. In what cases do I need to buy vmware workstation? If your company will pay for it, then you need to buy it. It allows you to build a custom operating system and create a VMWare Appliance out of it. For general use, it brings certain usability and performance advantages, some of which are mentioned in #3 and #4.
7. My system clock in vmware never matches my host system clock.
   Dude! Its a VM! If the clock gets off, blow it away and start a new VM. That’s what they are for!
   In the notes, or readme file in the folder on the host system where the vmware files live, there is a note to the effect, “VMware Player has measured your CPU speed… and found out that you suck!” . There is an easy fix for this.

http://traffic.houstontranstar.org/layers/layers.aspx?mapname=galv_all&inc=true&cam=true#

Some empty streets in Galveston and Houson.

The anti-spore web site is good for a laugh.

Listen to this poor misguided girl talk about evolution after playing Spore.

It really makes me sad… I hope that somehow I can prevent more damage from being done.

You would think that as a member of the Episcopal Church, a smart man like Will Wright would not be capable of creating Spore. However, we must be reminded that the Episcopal Church is the only church in america that ordains homosexuals on a regular basis.

It makes sense that a perverted church would cause a man to make the creations he has in this game. It just may be that evolution is not the only thing to fear this game teaching your children.

I heard a rumor that Kim Jong Il is dead. Let us dance.

I can’t seem to get on a bike this season without getting a flat tire. The upside of this is that I’ve built up some opinions on patch and pump products that I can share.

I’ve found that more convenient “glueless” patches are unreliable. I won’t use them anymore. I’ve removed three flat tires this summer to find that the air is coming out from under the patch, which has been beat-up by the ordinary friction of tire against tube. Screw that!

More substantial patches, such as the Rema Tip Top, applied with glue, seem to hold. That is, None of the Tip Top patches applied this summer came loose. The 3speedblog recommends clamping the patch after application.

I made a resolution to always carry pump, patch kit, tire irons and a spare inner tube. I recently bought a Topeak Road Morph G pump. This is an excellent pump. I find “frame pumps” really frustrating because of all the effort it takes to hold them in position and not rip your god-damned valve out. After all that effort, you’ll be lucky to get your tire 75% inflated. This pump takes away the frustration by unfolding a foot to brace with, a flexible tube so you don’t need to protect your valve or maintain position near your valve, Finally, the handle folds out for easier gripping. It is nearly as easy to use as my floor pump. Most valuable, it gives me confidence that I won’t be stranded somewhere. And it won’t get whipped into the bushes or wrapped around a lamp post out of frustration, like a few of my frame pumps have.

Sheldon Brown has the same findings, plus loads of great advice on changing and preventing flats. He advises not to ride in the gutter, as I have been doing on busy Industrial Blvd., but to take my rightful piece of the lane. Seems good on paper, but those drivers might not see it the same way. They might not notice anything about my rightful piece of lane until they hose my spinal fluid off the grill of their Escalades.

We went to Bar Salut American last night with my family. After the waiter spoke his introduction, Frank asked, “why did he say ‘frog legs?’” and as an explanation we had to order some. Frank loved them. So did little Ted. I didn’t enjoy them so much. I’ll save all my praise for my steak sandwich. Man alive! I could eat a few more of those right now, with their rich melted cheese and tender, flavorful steak-bits. Their french fries are the best in town. I finished of Maureen’s cold fries after I was done with mine, they were so good.

I came home and did a late-night fix-a-thon. Without a book I’m engrossed in, I can finally do something constructive. I glued an IKEA dresser back together and took apart our broken DVD player and removed a fried capacitor with my soldering iron. This is the first time I’ve used one of those since I welded a bazooka into the arms of a lying down army man. According to this web site, all I need to do is go to radio shack and buy a new capacitor. I’m going to be bragging this around town if it works.

When I first moved from Visual Basic to web applications, I couldn’t really believe that everyone was trying to cram so much functionality into such a limited platform after coming so far in client server. I understood the benefits of web applications and so went along with the crowd, but I still dreamed of a browser for web applications to meet needs such as auto-complete combo boxes, offline functionality, stateful connections and modal windows. The web server needed to be made aware of client side controls and that whole top down rendering scheme needed to be replaced. A lot of that has come to pass through Ajax and other technologies and Google has led the way for a lot of it. Now, with their new browser we have another step down the road towards a web application client. I’ve been reading through the documentation and testing out the features. They say they have rebuilt the javascript engine from the ground up to optimize javascript with better garbage collection and pre-compilation to help deal with more complex Ajax. They say they have enclosed each tab in its own process so that a crash of one tab will not crash the entire browser.

This is all explained nicely in a comic book.

The much anticipated “offline” web application revolution hasn’t really arrived yet for me. It will be here when GMail is merged with Google Gears. Chrome is ready for that day with Gears already installed.

The interface enhancement I took to right away is the “Omni Box”, which combines the search box and the address box into one super combo box.

It is clearly built with a developer in mind with inspection features such as a “task manager” within the browser that shows what each tab and plug-in is up to as far as memory usage. I can’t find a Firefox plugin that will do this, probably because Firefox is one process. If a tab freezes your Firefox, you can open up Windows task manager and kill Firefox. If a tab freezes Chrome, you can open up Windows task manager and kill that tab only. I also like the “inspect element” feature that lets you view the properties of any html element. This one is obviously available in Firefox with certain add-ons.

See also: http://www.labnol.org/software/browsers/best-google-chrome-features/4388/

One missing convenience is a file…open menu item. you can type a file:///C:/test.txt type address into the address bar or navigate through your file system by typing file:///C:/ into your address bar, but that isn’t as easy as the file… open menu option I am used to.

Web sites are pissing all over themselves in their effort to complain about a clause in the Google terms of service, but Google has already issued a statement negating the controversial phrase, so I think the freakout is unwarranted, but might go on for some time.

One of my computers is infected by some malicious software that is making Kaspersky Antivirus scream bloody murder. The most obvious feature of this malware is disembodied voices coming from my computer. A lot of people in the anti-virus forums are reporting this today.

A central file seems to be C:/WINDOWS/System32/udxfytw.sys
I renamed this file to udxfytw.sys_old and that seems to have killed the infection…. for now. Process from rundll32.exe are also blocked for now. I’ve stopped using IE for now.

I went to Boone, Iowa with the Three Speed Blogger for a 24 hour mountain bike race this weekend. I was unprepared mentally and physically for this, but it still turned out to be fun. Though I refer to it as a race, at no moment during the event did I, in fact, race.

At the beginning of the first lap, I was seriously wondering if I was in one of those dreams the night before a big event where things go absurdly wrong, A 60-year-old hiker complete with walking stick and long white acid beard who passed me and offered encouragement compounded the surrealism. I would push my bike up a steep switchback only to get to the top and be to afraid to ride down the other side. There were hills where I couldn’t begin to guess where I might land if I tried to ride down. I might slip off the trail on that root or bang my pedal on that bank or miss the narrow space between the two trees. The final quarter of the course was much more reasonable and I was able to stay on my bike for nearly all of it.

My second (and final) lap was much better. Knowing what to expect, I was more confident I rode on many of the parts where I wasn’t comfortable on the first lap. The good part is that I’m stiff and sore in all the right places and have more confidence going over “technical” terrain. I find myself wanting to go back and try it again.

3-speed-blogger respected the course as very advanced and that allowed me to take my difficulties in stride. He was a great, learned person to pair up with for my first Mountain Bike race. My first lap went so long that after he had a two hour nap and I wasn’t back, he began to worry.