A couple iPhone flaws released by a frustrated Aviv Raff illustrate that Apple has a ways to go to become a respectable security citizen (to their defense, so do most people and companies).

One flaw released takes advantage of the iPhone not displaying the middle sections of long URL links. This could lead to a rise in Rickrolling. The second flaw leverages the iPhone’s behavior of automatically downloading images in mail. Both of these issues are old, obvious use-cases.

Hey, when business wants to move forward, security/insecurity just isn’t a stopping power.

Last week I finished putting everything together for my 2008 gaming machine. It’s been about 6 years since my last gaming machine, so I was due for an upgrade. The parts list is saved on my wiki. Special props to NewEgg, my hardware supplier for many, many years. And I added PetrasTechShop.com as my water cooling parts supplier. Excellent service at both, and absolutely no bad parts this go-around! My source of most information comes from the HardForum.

Total cost is probably somewhere around $1100-1300 (not including monitors), with probably the largest chunk being all the water cooling parts. Six years ago, I saved a lot by putting the system together myself, but these days gaming boutiques and other computer outlets have pretty damn good pricing, and I likely didn’t save all that much off a comparably performing pre-built system. But few of them do water cooling at all without a premium cost. So to get silence with water, I did save a bundle.

The system is running on WinXP 32-bit right now. I know, I lose some performance, but I didn’t want to spend any huge time (getting everything to work and run) or money (a real, honest license [damn Microsoft]), until I hear more details on when Windows 7 will be out and how long Windows XP will be extended. If they start to overlap, I’m just going to skip Vista like I skipped ME. (DirectX 10 support/availability may make a difference when Starcraft II comes out.)

Everything works great. Wow sits at 60 fps no matter what I do (including fraps recording), and isn’t taxing the system at all. Temperatures stay barely above room temp, even after hours of gaming, so I’m very happy with the water cooling.

I ended up water cooling my GPU as well. When powering up system components the first time, I was terribly disappointed with the noise from my HD-3870 fan. With that gone, the system hums away unnoticed.

What would I do differently with my setup if I knew what I know now:

Bigger case. It took a lot of experimenting to get everything in a good position in the midtower case I got. I lucked out with the top fan (didn’t have to drill more holes to mount the top radiator), but I got screwed with the hard drive cage and other crap in the lower right corner of the case. I moved what I could, but the pump still is at a non-optimal angle. Also, I wouldn’t mind making a bigger hole on the top and mounting the radiator on the inside of the top of the case rather than the outside. Alas, not a huge deal.

Bought all the water cooling parts at once. Since this was my first time parting water cooling out, I did it in very small orders. I think 6 total! I would have planned a bit better too: gotten a flow indicator somewhere in the line, better fill setup (currently the only thing still in progress) so I don’t even have to open the case to add liquid (not that I will need to very often), and maybe a drain port if I ever upgrade stuff and need to remove parts. As it is, I’ll need to turn the case upside down and around to fully drain it.

It has been almost 2 years since I changed my job situation up. I was hoping, 2 years ago, to get into a networking or security job when I took up my current role as a Network Analyst. Instead, I found myself back in the hole of Windows web administration and developer support, among many other things some of which does include security. I’ve been slowly clawing my way out of that area, but now the more senior coworker that managed our company’s web environment with me has resigned, leaving me as the sole expert in this area on our team. I’ve definitely had happier days as I now try to catch up on what he managed while also my own stuff. I was hoping I would get out of here before he did so I could avoid this! 🙂

So that means I’m even more stuck in web administration (and various other things) for at least another 6 months here. It really does start to cause one to question one’s career direction or personal happiness just a wee little bit

On the bright side, I do have more things to look forward to here, such as a Foundstone vulnerability scanning box I have sitting in the corner and a web app firewall/load-balance solution on the way in the next few weeks. And I do have a project to upgrade our host-based firewall solution and assume full control over it. But oh how I wish I could leave the developer/web support behind!

I also received access to my Offensive Security coursework this weekend. The material includes a couple PDFs and a nearly 700MB rar of tutorial videos. I’ve yet to extract the movies, but I’m really excited they’re just a download and I don’t have to bother picking them from the server one by one. I also have my access to the virtual labs on their VPN. I’m anxious to start in on learning more about BackTrack 3!

Had an outage on my home cable network which may have been related to weekend reports of midwest AT&T issues (I use Qwest). The outage started Saturday evening and lasted until Sunday morning. The cable modem lost connection and reverted to its default internal IP (192.168.100.14).
A note to myself not to mess with the Internet On/Off button on the device. Since it didn’t behave like a switch (when you push it, it doesn’t sink in and stay in and then pop out with a second push), I didn’t think it would save state over a power cycle. Alas, 2 hours after physical connectivity returned, I finally hit the button and everything came back up.
On the bright side, my IP was not renewed. Pretty odd for that long of an outage.

Last night I finally moved my last (and main laptop) system up to Ubuntu 7.04 (Feisty). The install was painless. Started up the Update Manager, clicked the button to upgrade to 7.04, waited about 40 minutes where I also had to click Ok/Accept/Forward a couple times, and that was it.

I upgraded for a few reasons. First, some things I wanted to get working on my laptop were (supposedly) easily fixed in Feisty, but still overly complicated on Edgy, including using Silc/Tor with IRSSI and OpenVPN client management. Second, I believe in keeping software as updated as possible (within bleeding edge reasons, of course). You don’t want to ever be left behind with unsupported (or unloved!) software that has reduced functionality. It’s a lot like living in the past.

For any other WoW players out there, thought I’d throw down an update for no other reason than I want to. My focus has shifted to simply leveling up and a bit towards pvp; something that doesn’t require me to be a slave to other people 6 hours a night 6 days a week. This is fully just a distraction for me, now.

My Draenei Shaman is now level 61 on Kul’Tiras. He’s been Enhancement spec while leveling with a friend who plays a Hunter. I’ll respec him to Resto in a few levels, I think, and likely look into going pvp with him. I don’t anticipate ownage in pvp over any pure classes, but he should do ok once I get him some gear bought through pvp. A fun class, nonetheless.

My “main” is finally getting some love again and putting on some levels and pvp honor. My 64 affliction gnome warlock on Crushridge is having tons of fun in pvp, especially since his previous raiding gear is better than any but the top level 70 pvp gear so I can save up all my points. Likewise, at 64, I don’t shy away from level 70s. Being a warlock has always owned; it fits my playstyle, and I really can’t enjoy a class more. At level 61, I scored my first legit, 1on1 non-BG level 70 kill…another warlock no less! And about half the time, I am top 1 or 2 in overall damage in AB or WSG. Two more talent points and I’ll fully enjoy an instant cast aoe fear.

Lastly, I am also playing my level 60 priest on Crushridge as well. I happily spent his refunded (from last christmas!) talent points and made him a shadow priest (he was a backup dorf healer in raiding back in the day) to see what it is like. So far it has been fun, especially since I solo him in the Outlands. I doubt I’ll ever devote too much time to him, but he’s at least an option and fun.

The past weeks’ worth of business days I took some vacation time, not just from work, but also from reading security blogs for the most part. I also was able to look at my own time spent here (in between rediscovering WoW pvp), and decided to shift things up a bit (or so the plan goes).

I’m really…I want to say sick or tired, but those words are too strong. I guess I’m just really bored reading security industry or business commentary (with some exceptions for those people who do excel at writing) with almost zero technical content or anything beyond feel-good vagueness (or maybe vagary), otherwise known as best practices. A lot of this is common sense and while I understand other people have things to say (I do too!), I sometimes just find myself skimming fluffy posts that really leave me with absolutely nothing new.

Sometimes it is cathartic to vent (or as most people call it, “post commentary”), and I’ll likely still do so now and then, but I really see little need for it most of the time, at least on my site. I can vent just fine in person, on IRC, on IM, or in comments. And maybe Skype someday if I get back on it.

This is just me telling myself to stay technical and actionable, for now. 🙂 I used to post a lot more information about tools and things to do, and have gotten away from that in the past year. I can see a correlation between this shift and my personal and work lives, so I think I know the problems and the measures on how to fix them.

Of course, this itself is a rant, but it is one I have the compulsion to post for my own benefit.

A drunk employee knocks out the power for 365 Main. That’s awesome. I’ll just take this time to say if you ever see my work desk, that’s iced tea in that cup, not beer! I can also happily say that I am not an easily irritable or angry or berzerk-prone kind of guy at all, whether sober or drunk. If you’re a not-so-happy drunk, just keep that in mind if you’re on call or working the next day… In the immortal words of Socrates (and later expounded by Thoreau), “Know thyself.”

Thanks for the clarification, dre. Damn, I thought this felt too funny to be true. 🙂

I’ve been quiet this week and weekend for really one reason: took a stab at the CCNA test yesterday. I didn’t pass, but I didn’t expect to pass either. I was finding myself spinning my wheels more and more with my studying, especially since I’m not getting very much of a chance at work to get hands-on with the equipment we have. So I used the test period to get myself re-oriented on where I stand. I scored a 783 and needed 849 to pass. I was pretty happy as I felt I would do worse than that, even when taking the test. The bottom line, though, is that I get a chance to mix things up and refocus on what I stumbled on, what I didn’t expect, and what wasn’t tested that I did expect. Things look good, and I plan to retake the test in a couple weeks or so. Kinda like running a long race, passing the starting line and getting a look at the time to see whether I’m on pace or not and what I need to do to stay on pace to win out.

What I expected that didn’t happen: More detailed WAN questions on implementation commands and the minutae of such settings. Instead, I got two questions about what DLCIs do and how they relate to the local and remote routers, and one question about which WAN technology to choose given a situation. Heck, I even only got one OSPF question and one EIGRP question… Not much there with my luck of the draw.

What I didn’t expect: To not only be tested heavily on switch commands, but to actually stumble and not know those answers as quickly or accurately as I should. Definitely focusing on switches for a while, since I even have some at home! Ugh to having missed those! Switches, VTP, VLANs, STP.

Item #1: As much as I think SMTP is broken, spam filters make it even more so. I run my own home mail server for one of my domains, which means sometimes my mail gets dropped because I am using a DHCP/residential service. In other words, my ISP address space is blacklisted by some services. Lame. So then I try Hushmail or Gmail, which is also sometimes blocked. A pretty big WTF situation…

Item #2: You have a Yahoo and Gmail email account. Service is excellent and you nearly live by these email accounts. What one thing would make it better? Being able to replace @gmail.com with your domain, of course.

Conclusion: Enter Google Apps. I just got signed up for a beta service through Google Apps using the domain name terminal23.net. I went through all I needed to go through and about 25 minutes later, I have a couple working email addresses on this domain, and I can add new ones within seconds. Rock on! The interface is exactly like Gmail, although I could change the top logo if I wanted to, and I can stay logged into it and Gmail at the same time. Slick!

Feel free to check it out. It took maybe 2 weeks to get approved and an invite emailed out, but it is well worth the wait. This will make an excellent backup to my normal domain and home mail server.

“Nothing great was ever achieved without enthusiasm.” -Ralph Waldo Emerson

Yeah, I love quotes, and some of my favorite authors (the naturists, or maybe transcendentalists) are the most quotable. I’d not actually read this one before, but coming across it today reminds me about what I want out of work and career, and what lots of people want. An inspiration and a barometer.

Pardon me for a moment while I think out loud. If I got into a web application security job of some sort, how long would it take me to get to a personally acceptable level of competence (for me: a decent enough expert in the field)? Given a day job that lets me focus on that topic and my propensity for self-study, I think it would take me a year to become satisfactorily proficient. This can differ, however, based on how deeply I will need to know various programming languages when it comes to code reviews. My self-study would likely be designed around working and familiarizing myself with various codes by doing some personal projects here and there… Food for my brain.

I think this way because I am open to “awesome” job opportunities lately, and if something in this space opens up, I don’t want to spend a week trying to play introspective catch-up and miss the opp.

Sometimes you really just have to be able to laugh and enjoy yourself in this field. Often we can get frustrated (especially as we get more experienced!) when we do new things and they don’t work on the first or second try. Or maybe something you just don’t do all that often. Part of being jaded by users and management, I think…? Failure (i.e. troubleshooting!) becomes less tolerated.

Two things have been giving me grief all week, but thankfully I really enjoy my personal time when working on stuff. Put on some music or pop in a movie on a laptop nearby, grab a beer or tea and have some fun. (Just to inject more personality in here, I watched The Crow, one of my favorite movies ever.)

The first thing I’ve been working on is getting OpenVPN working on an Ubuntu Fiesty VM. None of the pre-fab tutorials online seem to be complete. I think every one leaves out some important steps or makes detrimental assumptions. Either way, the progress has been slow, but I’m getting there. I’m familiar with the client end, so that shouldn’t be a problem. It is just really getting the routing and bridging and junk figured out; getting the server stood up and performing.

The second happened last night. For my VM box I had bought a new DVD burner. Instead of letting this go to waste in the VM box, I swapped it with a DVD-ROM from my gaming rig a few weeks back. I had forgotten about this until yesterday, so on the way home I bought some DVD+R Lightscribe and DVD+R DL disks and vowed to get things working. I spent about 2 hours trying to get it recognized by Windows. Windows Device Manager showed an Asus CRW device. WTF? No, it’s Samsung! Firmware failed! Why the crap is this coming up as Asus?!?

It wasn’t until this morning as my alarm went off that I thought, “wait, I already have a drive in this computer and…oh god…it’s an Asus CD-RW drive. Ugh, I’m an idiot!” Yup, the drive, while powered, is probably just misjumpered or loose on the IDE cable or something else such that Windows or the BIOS were not really seeing it. I kept trying to get my Asus drive to turn into a Samsung burner. Poor bugger…kinda like treating a daughter like a son?

If you don’t watch Diggnation and you even remotely like my blog, watch it. Here’s some gems from this past week.

Top 15 quotes from Han Solo that you can use in daily life – omg I love it!
You know you’re in college when… – Too true…ahh memories!
10 reasons it doesn’t pay to be the computer guy – More memories…eek!

Sometimes life turns into a pinball machine for small stretches; shot up the lane and into play, rolling and bouncing around and not really able to do anything about it. That’s the story of my weekend and likely the rest of this week. I’m a pretty laid-back guy, but sometimes life’s little needs and emergencies require immediate attention. And no, none of my issues are hugely important. 🙂

My vmware box has just been cleared from the infirmary. Last week, fairly randomly, two things kept occurring that might have been related. Every few hours the kernal would throw some irq alerts to do with my video card. At other random intervals, the networking on the box would “lose itself.” Once I would get on the console and attempted to access the network, the system would realize that eth0 had timed out, bring it back up, and all was well for another random period. I added “irqpoll” to the startup parameters for reasons I cannot explain, and all was solid all weekend. So now the system is cleared and back to building vms. The IRQ alerts still come in, but so far I’ve seen no reason to pursue fixing those.

Tomorrow I have a major service appt for my car, but yesterday my battery decided it had had enough. It had corroded enough to affect the leads and died in the afternoon. Sunday afternoons are maybe the worst time to have a car issue since few shops are open. I waited until this morning to get a jump, drove it in to the shop, and got the battery replaced. Since this is the first time I’ve had it die on me, at least I got to see the effects on my car of a dead and/or weak battery: what things worked and what didn’t (beyond the obvious lack of action upon key-turn).

I also am hoping to ramp up more focused CCNA studying. I finished the book I have at the dealership this morning, albeit in between being distracted by Regis and other stupid morning television. I’m pretty happy with the knowledge I gained, and I just need to look into some more detailed things like making sure I can quickly calculate subnets (evil).

And this week one teammate of mine is off on a cruise which leaves me caring for all his duties for the next week+. A bit hectic and overwhelming, but things should be fine, albeit busy.