Archive for January, 2012

Jan 26 2012

Standing Desk 2.0

Published by under General

If you follow the blog, you may remember several months ago that I built myself a standing desk out of some cheap lumber and plywood I had in the garage.  It took an afternoon to build and was a proof of concept as to whether or not I’d actually like working at a standing desk.  The funny part of the project was that it took me longer to draw it up in Google SketchUp than it did to actually put the desk together itself.  After several weeks of working on the desk I decided I really liked it and wanted a more permanent version of the desk that I could feel was an actual piece of furniture and not just something that looked like an escapee from the lumber pile.

The first week or two that I had the desk, there was some definite back and foot pain as I transitioned from sitting 12-14 hours a day to standing for the same amount of time. But it was very apparent after I’d made the adjustment that a standing desk was the right decision for me.  I felt better at the end of the day and there’s a certain mental energy that comes from standing and walking around the office that I never had while sitting.  It’s hard to describe, but standing seems to put me in a slightly different state of mind than sitting does.  And, along with walking 2-3 miles a day, I’ve lost nearly 10 pounds since the beginning of the year, though I attribute that more to the walking than the desk. Oh, and there was one problem which was created by playing MineCraft for about 6 hours straight over the Thanksgiving weekend, but I don’t blame the desk for that.

There were a few things about the desk I wanted to change after working on it for two months.  The first was the top shelf; the original shelf was six inches shorter than the desktop on each side and while it fit two monitors fine, I wanted to add a third so I can put my work laptop on it as well.  Making it the same width as the desktop was the perfect solution, all three monitors fit perfectly on the shelf.  I can check work email, personal email and twitter with just a glance.  I also wanted the bottom shelf to be lower, since the space underneath it was wasted and I hoped to add another shelf.  Finally, I wanted it edged, sanded and finished so it actually looks like a piece of furniture.

All of this is why I asked my father in law to help me build version 2.0 when he came down for Christmas week.  He’s not a professional carpenter, but he does woodworking for fun like I do computers and security for fun.  Except he’s been doing the woodworking since before I was born and experience counts for a lot.  We went shopping for wood, picked up some decent 2×4’s and 4×4’s, cabinet grade plywood and a really big can of stain/polyurethane mix for me to put a finish on with.  At which point I gave him my plans from the original, the changes I wanted to the design and got out of his way.  He came back with an offer to add a pair of drawers to the design, something I wanted, but didn’t have the skills to make myself.

When I made version 1.0, it took a Saturday afternoon; when my FiL made version 2.0, it took five days to complete the desk and another week for me to put two coats of stain/poly on the supports and 4+ coats on all the other parts of the desk.  I got slightly carried away and put six thin coast on the front of the drawers.  And because the desktop is two pieces of 3/4″ plywood together, it took calling my younger brother in order to manhandle the desk into the office.  But once everything was in place, it was worth every bit of the effort we’d put into it!

So there you have it, my experience in building a standing desk.  I’d say it was worth it, but maybe I’ll write more on it in a year or so.  I have a lab stool to sit in when my feet start to hurt, but I only use that about 15 minutes a day, maybe a little more if I decide to play any games on my PC at the end of the day.  I get a little confused once in a while when the mouse doesn’t work, until I realize I’m using the wrong mouse and have to take a step to left or right.  I also had to put a piece of stained wood under one of my monitors, since they’re not the same height.  And version 1.0 wasn’t dismantled, it was moved into the garage where it will spend the rest of it’s life as a workstation for playing with arduinos, Lego Mindstorm and occasional light soldering.  And maybe a little locksport as well.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Jan 25 2012

Kill pcAnywhere right now!

If you haven’t already heard, the code base for Symantec’s pcAnywhere was stolen in 2006, and bad guys are now using that code against the installed base of users in the wild.  This sort of compromise really isn’t anything that new or different.  But what is different is that Symantec is now telling users to flat out disable pcAnywhere until a fix is released.  Which is a good, smart move, but a better move would be to remove pcAnywhere and never, ever start it up again!

I remember the first time I used pcAnywhere; I was working my first helpdesk job and they let me finish part of my shift from home when I was doing mail server work, I could start up the scripts on the server, drive home and finish my work from there.  Being pcAnywhere, every couple of times I’d also have to drive back to work because the program would crash, but hey, an 80% success rate wasn’t too bad at the time.

Fast forward a decade (and more) to when I’m a QSA and pcAnywhere is still out there, and in all too many cases, it’s actually the same version I was using, or nearly the same vintage.  But it’s not me using it to manage a OS/2 Warp mail server (yes, OS/2 Warp), it’s being used to manage Point of Sales (POS) systems all across the US.  You see, mom and pop stores with POS systems don’t have a clue on how to set up a computer, so they find a nice, local service provider who will set up the POS for them, trouble shoot it when they have problems and just generally manage the system for a price.

Herein lies the problem.  If you’re a small, local service provider who makes their living servicing these folks, you have to be able to work quickly and cheaply with clients in a large are if you’re going to make a living.  You need to be able to get on their systems quickly to troubleshot problems and get them back online.  So of course you use a remote desktop client like pcAnywhere and you’re going to leave it directly exposed to the Internet since that’s the easiest way to make sure it’s always available and you don’t have to do a lot of troubleshooting of network equipment.  And you probably use the same password on all your clients, since you don’t want to have to rely on having the right password written down somewhere when the client calls screaming that they’re system is down.  After all, no one would scan for open pcAnywhere servers, nor would they guess the user name is ‘admin’ and the passphrase is “Let me in!” (at least it has complexity).  And you don’t worry about changing passwords when an employee leaves or updating to the latest patch levels.  In other words, a security nightmare.

In 2009, when I worked for Trustwave, one of the things that annual security report dug into was some of the repercussions of this type of remote management of POS systems.  And no surprise, one of the things they discovered was that remote desktop applications like pcAnywhere were one of the leading causes of small business compromises, especially compromises that involved either small chains or a group of geographically close stores.  An attacker would scan for the remote desktop client and then brute force the password and spread out to the other clients of the service provider.  Soon you’d have a whole segment of the local merchant community who’d been compromised and didn’t know how or why it’d happened.  And things have not gotten better since then.

I doubt things will change, I doubt most of the people who actually use pcAnywhere as a tool are going to even notice or read Symantec’s posting.  It’s the only way that the current business model works, not just in the merchant community, but in many other small business communities as well.  The service provider model requires remote tools, otherwise the travel time to and from locations kills any chance of making a profit.  Which means the folks who want compromise systems and steal credit cards are going to continue to have access to the remote desktop solutions. 

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Jan 24 2012

Network Security Podcast, Episode 265

Published by under Government,Podcast

Unless you were hiding under a rock the last few weeks you’ve probably heard about the Stop Online Piracy Act (SOPA), Protect IP Act (PIPA) and their even more evil brother Anti-counterfiting Trade Agreement (ACTA).  Many sites went dark last week, including Securosis, in protest and SOPA/PIPA were at least stalemated for the moment, if not entirely defeated.  And since it’s a big story, we decided to discuss it at great length, probably saying many things that have been said by much smarter people than us.  At least we hope it’s the smart people we’re agreeing with.

Zach was unavailable tonight, so we had to pull in two special guests in order to replace him.  First off, Rich’s partner in crime at Securosis, Adrian Lane, joins us.  Second, we’re joined by Liquid Matrix author and friend of the show, Jamie Arlen, aka @myrcurial.  Jamie brings a little bit of an outsider’s viewpoint to the conversation as he’s not native to the Phoenix area and comes to us from north of the border.

No real show notes tonight, if you’re intersted in learning more about SOPA/PIPA/ACTA, do a little Googling.  Or just go to the Electronic Frontier Foundations web site.

Network Security Podcast, Episode 265, January 24, 2012

Time:  55:00

Tonight’s music:  Signs are Signs by The Midnight Hour


[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Jan 20 2012

SOPA was only an opening salvo

I generally try to stay out of the political arena on the blog, mostly because politics is such a contentious topic in and of itself.  And I’ve been staying away from SOPA in particular because there’s been so much coverage that one more voice added to the choir wouldn’t have done anything.  The music and movie companies once again tried to introduce legislature that made pirating content a crime and gave the entertainment industry incredible power to police the internet and block any site they felt *might* link to copyrighted content.  But we, the Internet, rose up in unison as major sites blacked themselves out in protest and support for the legislation is suddenly falling away as if the Stop Online Piracy Act might be toxic.  Yay Us, we won and the bad entertainment industry was put in it’s place.  War’s over and we can all go back to our daily lives.  At least that’s what it seems like in a nutshell to me.

But it’s not over, not by a long shot.  In an oddly coincidental case of good timing, yesterday the US Government took down the site Megaupload, a hugely popular file sharing site.  Since this event probably took months of planning to set up, the timing probably was mostly accidental, though I wouldn’t be surprised to find out the date got accelerated a little in response to this week’s Internet blackout.  And in response to that, the group Anonymous started a DDoS campaign¹ against the likes of the White House, the FBI, DoJ, MPAA, RIAA and a number of other sites using the LOIC tool.  There are quite likely one or two other groups using some of the noise created by Anonymous in order to perform some slightly quieter attacks under cover.  And according to my count, the move is now back to the Government, probably coming in the form of a kinder, gentler form of SOPA or additional site take downs.

The movie and music distribution engines only see the Internet as a method for taking money out of their pockets.  The technorati see the Internet as a boon and the current distribution model used by the entertainment industry as antiquated and only serving the big studios, not the artists.  There’s a certain amount of truth to both arguments, though I find myself far more in line with the thought that the entertainment industry has refuse to adapt as technology and societal norms have changed, so they have to pay the price.  This is a lesson Kodak is learning the hard way.  Now the real battle of finding out if we make the technology and society bow to laws that are counter to how we want to act or if we change the laws to be more in line with how people want to act in the first place.

The ethics of file-sharing aren’t really important to the folks backing legislation like SOPA, they’re defending a business model and nothing more.  Therefore, they have to continue to push for this legislature in one form or another in order to gather more power to bolster a dying business model.  They have no choice, other than completely reworking the way they do business, which is more risky than doing battle in the court systems.  While the Internet may have risen up and smashed down the SOPA legislation today, it’s the long haul of trying to get the power clauses passed into law that the lawyers excel at.  Expect to see several more forms of this Act come up for  consideration and votes, later this year.

The interesting part will be see how the dynamics between the creation of laws and the Internet change over the coming year.  Between blackouts in protest and DDoS in protest, it’s clear that a lot of attention can be drawn to an issue very quickly.  But can it be sustained and will these forms of protest have any long term affect?  Part of what led to the uproar against SOPA was the technical infeasibility (or possibly stupidity) of the act; what would happen if the backers of SOPA created something that was more reasonable and technically possible to combat piracy? Will the resistance fade if something more palatable comes along?  I somehow doubt it, but more I doubt I’ll have a chance to find out, since a compromise like that isn’t even something I believe the entertainment industry could even conceive of.  It’s more likely we’ll continue to have a chance to see the evolution of the Internet as a political force.

So the back and forth between content distributors and pirates will continue, with the ball now in the government’s court.  There could be more take downs like, the folks who supplied the thralls for LOIC could find FBI agents at their doorsteps, or there might be a lull while newer legislation is created.  But the reality is that what we’ve seen in the last few weeks is just an early set of skirmishes on the battlefield.  What the next step in the escalation is remains to be seen, on both sides.
¹I know where that graphic came from! 

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Jan 10 2012

Network Security Podcast, Episode 264

Published by under Podcast

As Zach prepares for his jaunt down to Miami Beach,
Rich waxes paranoid about his newfangled Microsoft-powered car — and
the prospect of Martin remotely hacking throttling the engine.  It’s
hard to imagine a few of Rich’s ‘friends’ won’t try hard to get their
hands on his new remote and the system port on his car.

(Also, check out our nomination in the Social Security Bloggers Awards — and vote if you’re eligible to do so!)

Network Security Podcast, Episode 264, January 10, 2012
Time: 37:31

Show Notes:

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

Comments Off on Network Security Podcast, Episode 264

Jan 09 2012

Open tabs 01/09/12

Still feels a little funny to be putting the ’12’ in the year column, doesn’t it?  I’m sure the feeling will go away by March or April.  And it’s getting started as an interesting year already, with Symantec’s source code and courts approving warrantless GPS monitoring.  I bet neither of those were captured in the “Top 11 Predictions for 2012” so many pundits and bloggers put out at the end of the year.

Personally, I’m starting the new year with a ton of writing to do.  Despite my best efforts, I didn’t blog as much as I would have liked to in the last few months, but I know that has to change.  I have to start writing for the Akamai blog, I’ve got information for the Security Bloggers Meetup to post and I get several offers a month to write for other publications.  Then there’s the internal projects that are in motion, at least one of which is requiring me to think in new and interesting ways in order to get concepts on a page properly.  Plus I’ve got lots of interesting toys at work to play with; what questions would you be looking for answers for if you had access to the logs for a significant portion of the Internet?  That’s actually a serious question I have to blog about some day soon.  I’d like to hear what people want to see in a report.

And speaking of the Security Bloggers Meetup, I was nominated for two Social Security Awards last week.  Rich Mogull, Zach Lanier and I were nominated for the work we do on the Network Security Blog and I was nominated for Best Post for my “Curing the Credit Card Cancer” post.  Rich and I both sit on the committee that puts together the Security Bloggers Meetup, though neither of us works on the Social Security Awards, so before this year, we’d ruled that everyone on the committee was not eligible to be nominated.  Alan Shimel changed the rule this year; he felt that since we had nothing to do with the SSA’s, it was unfair to exclude us.  So, go vote for us. I’d love a chance to beat PauldotCom and the other contenders for Best Security Podcast.  I’ve read the other blog posts, I don’t have much of a chance for the Single Best Post. 

Open Tabs 01/09/12

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

Comments Off on Open tabs 01/09/12

Jan 03 2012

Network Security Podcast, Episode 263

Published by under Podcast

It’s our first show of the New Year… wherein Rich describes server upgrades good and bad, being a victim in a data breach, and we discuss the rest of the latest news. We have to say, it’s a weird start to the year.

Network Security Podcast, Episode 263, January 3, 2012
Time: 36:45

Show Notes:

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

Comments Off on Network Security Podcast, Episode 263