Category: Personal

Um… personal?

TrueCrypt Open Audit

Phase 2 is done.  Read it here.  The findings summary is basically:

During the engagement, CS [Cryptography Services] identified four (4) issues, and none led to a complete bypass of confidentiality in common usage scenarios. The standard workflow of creating a volume and making use of it was reviewed, and no significant flaws were found that would impact it.

The most severe finding relates to the use of the Windows API to generate random numbers for master encryption key material among other things. While CS believes these calls will succeed in all normal scenarios, at least one unusual scenario would cause the calls to fail and rely on poor sources of entropy; it is unclear in what additional situations they may fail.

Additionally, CS identified that volume header decryption relies on improper integrity checks to detect tampering, and that the method of mixing the entropy of keyfiles was not cryptographically sound. Finally, CS identified several included AES implementations that may be vulnerable to cache-timing attacks. The most straightforward way to exploit this would be using native code, potentially delivered through NaCl in Chrome; however, the simplest method of exploitation through that attack vector was recently closed off.

So basically, unless you’re concerned about the Windows API generation of the encryption key, the last version of TC prior to the developer bailout remains an effective encryption solution.  And TCNext is out there, though they’ve got no new version as yet (7.1 is available there).

Auto Repair and The Web

One of my clients (and friends) hit me up the other day, out of the blue, asking about the value of domain names. He’d been contacted by a squatter sitting on a name relevant to his business.  He called and spoke to the squatter and ultimately agreed to purchase the rights to the name.  Immediately after the call Mr. Squatter began snarfing up any and all other domain names similar to the one he’d just sold and started mailing my friend about them.  His emails sounded technical and official:  “I managed to procure XXXXXXX.com domain name and would like to offer it to you for $150.”

I explained to my client friend that “procure” sounds fancy, but all this dude did was snatch up some domains available out there in the wild for between $8 and $15 apiece, which took him all of 3 minutes and anyone can do, and now he’s marking them up 1000%.

Domain squatting like this is a strange business to be in.  Really all a squatter is doing is making a living taking advantage of the ignorance of non-technical people.  I imagine that successful squatters fancy themselves clever.  Beats accepting the truth, which is that they’re sleazy.  I associate squatters with shitty auto mechanics and shitty home contractors.  We all know a story about a mechanic or a contractor that told someone something completely untrue to use their ignorance to try to rip them off.

My own story is this:  as a kid I owned a Datsun 310gx manual (which I dearly wish I still had, but I totaled it).  It was having trouble getting into 2nd gear so I took it to a mechanic who told me that the transmission needed replacing and it was gonna cost me somewhere around $450.  That didn’t sound right based upon my driving experience, and I didn’t have the money regardless, so I took my car back.  A friend recommended a different mechanic, who within 10 minutes diagnosed my problem and said “You need a clutch adjustment.”  Less than a half hour later my car was ready and I think I paid the guy $25 for the fix.

Domain squatters make their money being that first mechanic. And just like that first mechanic does to the second, they make all of us people trying to make an honest living on tech look bad.

Cisco VPN Command Line

I work remote, and use the Cisco VPN client to connect to the network.  There’s a timeout set on our concentrator that gives me the boot every day.  It’s a minor annoyance to be sure, but still.  It’s no fun being deep in thought on a server only to be unceremoniously kicked from the network.

So I’ve been fiddling with the command line interface of the client, to see if I can cobble together a script I can schedule to log me out and back in on my time frame rather than that of the concentrator.  Here’s what I’ve come up with so far.

"%programfiles(x86)%\Cisco Systems\VPN Client\vpnclient.exe" disconnect

@echo y | "%programfiles(x86)%\Cisco Systems\VPN Client\vpnclient.exe" connect %1 user %2 pwd %3 nocertpwd stdin

The first line disconnects the current connection (if already disconnected, the script continues gracefully).  The second line needs 3 arguments fed to it in this order: profile, username and password.  The @echo y | portion exists because the concentrator I connect to has a disclaimer splash that requires a Y response to bypass in order to fully establish the connection.

Thus far my only problem is I’ve not found a way to suppress the client GUI window that appears when the disconnect occurs.

What’s Art?

I made this to submit as a possible logo for an event.  Ultimately I’m pretty meh with how it came out, but making it started me thinking about art.  Thanks to technology my generation in particular has seen quite a change in the creation, and potentially the definition, of art. Bearing that in mind, is this creation of mine art?  Is it even my creation?  The owl began as a photo I did not take, as did the moon.  The background originates from an image I did not create.  The text is in a font I did not create.  They’re all found items that I digitally manipulated – some dramatically – to suit my purposes.  So is this art?  Is it just theft?

The music on The Beastie Boys’ 1989 release Paul’s Boutique, ranked 156 on Rolling Stone magazine’s greatest 500 albums of all time, consists almost entirely of samples.  It’s an album that, thanks to changes in laws, would be impossible to make today.  The cost of securing the rights to all the samples would be enormous.  Here’s just a partial list of samples featured on the album.

Is Paul’s Boutique art?  Is it just theft?  And, if Paul’s Boutique isn’t art, then what of Warhol?  Shepard Fairey?  Banksy?  Where is the line drawn?

PS:  Three things.  

1. The word “art” doesn’t mean “good.” There’s bad art. Obviously that’s mostly (entirely?) subjective. So simply not liking something doesn’t make it not-art.

2. Obviously I’m not putting anything referenced above on equal footing. They’re all examples of projects created from existing media or artists known for works created from existing media.

3. It’s my personal opinion that, for the most part, art is the product of exercising creativity. To that end, every time a person picks up a guitar and plays something they came up with, it’s art. Even if they never play it again, and no one ever heard it other than them, for that moment there was art afoot. I believe a carpenter can be an artist. A cook can be an artist. I do not like the line some people try to draw between “art” and “craft.” I understand that crocheting something from a pattern is different from crocheting something of your own inspiration, but too many critics use the former activity to label the medium of crochet not-art. You can make art out of anything, dammit. And art doesn’t have to be paid for or displayed to be art. Art doesn’t have to be shared at all. The pictures my son draws, pulled from his own mind, that he discards once he’s done with them… they’re art. Rare art at that.

Perl MP3 ID3 Tags

I keep my mp3s in directories, separated by genre/artist – album.  I like to keep my tags clean and uniform (and I use Tag&Rename for that), but sometimes I let my collection get away from me a bit.  When that happens I bust out Perl because, well, I guess because it’s familiar.  I’ve written scripts to do simple things like remove non-media files recursively from directory structures and alter file and/or folder names (say, change underscores to spaces or remove common unwanted verbiage).  Because these scripts are for me, there’s never really any error handling or debugging.  They’re quick one-offs, written for no one but myself.  They’re rarely (never) written as efficiently as they could be.  They’re not like my production code, which I’m meticulous about.  These are sloppy little tools, written as quickly as possible, made to solve immediate irritations.  Here’s an example:

use strict;
use warnings;
use File::Find::Rule;
use MP3::Tag;
use List::MoreUtils qw(uniq);

# Find the first track of each album: files whose names start with 1 or 01
# followed by a space, underscore or hyphen.
my @mp3_files = File::Find::Rule
    ->file
    ->name('1 *', '01 *', '1_*', '01_*', '1-*', '01-*')
    ->in('\\\\server\\music\\mall');

my @tags;
foreach (@mp3_files)
{
    my $mp3 = MP3::Tag->new($_) or next;
    $mp3->get_tags();
    # Only files carrying an ID3v1 tag are recorded; anything else is skipped.
    if (exists $mp3->{ID3v1})
    {
        my $taggit = $mp3->{ID3v1}->artist . "\t" . $mp3->{ID3v1}->album . "\t" . $mp3->{ID3v1}->genre;
        push(@tags, $taggit);
        print "Filename: $_\n";
        print "Artist: " . $mp3->{ID3v1}->artist . "\t";
        print "Title: " . $mp3->{ID3v1}->title . "\t";
        print "Album: " . $mp3->{ID3v1}->album . "\t";
        print "Genre: " . $mp3->{ID3v1}->genre . "\n";
    }
    $mp3->close();
}

# Collapse duplicate artist/album/genre lines, keeping first-seen order.
my @sortedtags = uniq(@tags);

open (my $output, '>', 'tags.txt') or die "Cannot write tags.txt: $!";
foreach my $tag (@sortedtags)
{
    print $output $tag . "\n";
}
close ($output);

This one finds all the files in the \\server\music\all\ path beginning with 1 or 01 (or 1_ or 01_ or 1- or… you get the picture), dumps their ID3v1 Artist, Album and Genre tags into an array, winnows that array down to unique values, and dumps that to a text file.  Why?  Because sometimes I’m unsure what genre I’ve labeled an artist/album (and let’s be fair here.  Are the Night Birds Punk or Rock?  The Ramones?  And is Thom Yorke Rock or Electronic?  Hmm?  If Tom Petty’s Damn The Torpedoes is Classic Rock, then is Hypnotic Eye as well?) and rather than have to open the directory and look at the tag on one of the songs, I wanted a way to just dump it to a file to refer to later.

Why is it listing the Filename, Artist, Title, Album etc in the CMD as it runs?  Because I’m a dork and like to watch things run in command lines.

Why didn’t I write some fancy regex to handle the file name match, or better yet write something that would just pull the data from a single file per subdirectory?  Because there’s a tipping point.  If you spend more time writing and testing your script than it would take doing manually whatever you’re writing your script to automate, you’re not being effectively lazy.

I’ve definitely been guilty of taking more time to write a script than what it would take to just do the task, but in those instances it’s because I’m enjoying writing and testing and learning.  Sometimes I don’t want to write and test and learn.  I want to kick some sloppy shit off in a CMD prompt and let it run in the background while I pick my nose and watch redlettermedia.  I don’t care how long it takes, so long as I’m not the one doing it anymore.  Somewhere there are probably nerds who are very unhappy with me for that statement.  Too bad.
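The ID3v1 tag the script reads through MP3::Tag is a fixed-layout 128-byte trailer at the end of the file. The following is an added example, not code from the post, written in Python rather than Perl: it parses that layout directly (including the ID3v1.1 track-number quirk and the untagged-file case the script's exists check guards against) and reproduces the unique artist/album/genre listing on constructed sample files; the genre table is a constructed subset.

```python
import struct

# Subset of the ID3v1 genre table covering the genres this post mentions (constructed
# subset; the real table has 80 standard entries plus Winamp extensions).
GENRES = {1: "Classic Rock", 17: "Rock", 43: "Punk", 52: "Electronic"}

def build_id3v1(title, artist, album, year, genre, track=None):
    """Construct a 128-byte ID3v1 trailer (ID3v1.1 layout when a track is given)."""
    def field(s, n):
        return s.encode("latin-1")[:n].ljust(n, b"\x00")
    comment = field("", 30)
    if track is not None:  # v1.1: comment byte 28 is zero, byte 29 holds the track
        comment = comment[:28] + b"\x00" + bytes([track])
    return (b"TAG" + field(title, 30) + field(artist, 30) + field(album, 30)
            + field(year, 4) + comment + bytes([genre]))

def parse_id3v1(data):
    """Return the ID3v1 fields from a file's last 128 bytes, or None if no tag exists."""
    if len(data) < 128 or data[-128:-125] != b"TAG":
        return None
    title, artist, album, year, comment, genre = struct.unpack("<3x30s30s30s4s30sB", data[-128:])
    def text(b):  # fields are NUL- or space-padded, never length-prefixed
        return b.split(b"\x00", 1)[0].decode("latin-1").rstrip()
    track = None
    if comment[28] == 0 and comment[29] != 0:
        track, comment = comment[29], comment[:28]
    return {"title": text(title), "artist": text(artist), "album": text(album),
            "year": text(year), "comment": text(comment), "track": track,
            "genre": GENRES.get(genre, "Unknown(%d)" % genre)}

def unique_tag_lines(files):
    """Same output as the Perl script: one artist/album/genre line per distinct triple."""
    lines = []
    for data in files:
        tag = parse_id3v1(data)
        if tag is None:  # untagged file: the Perl 'exists $mp3->{ID3v1}' test fails
            continue
        line = "\t".join((tag["artist"], tag["album"], tag["genre"]))
        if line not in lines:
            lines.append(line)
    return lines

# Constructed sample "files": a little filler stands in for the audio frames.
SAMPLE_FILES = [
    b"\xff\xfb" * 16 + build_id3v1("Track 1", "Ramones", "Ramones", "1976", 43, track=1),
    b"\xff\xfb" * 16 + build_id3v1("Track 2", "Ramones", "Ramones", "1976", 43, track=2),
    b"\xff\xfb" * 16 + build_id3v1("Track 1", "Tom Petty", "Damn The Torpedoes", "1979", 1),
    b"\xff\xfb" * 16,  # no trailer at all
]
```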

Wireless instability

I upgraded to a (hand-me-down) Dell Latitude E6530 not long ago.  I loaded it with Windows 8.1 (and Classic Shell, because one must).  I kept having wireless trouble – dropping off of networks.  It wasn’t isolated to my home.  What I believe I’ve determined is that, in a nutshell, Windows’ handling of 802.11n networks kind of sucks.  I disabled N and since then have been rock solid.

Navigate to your network adapters, right click on the wireless and choose Properties.  Beneath the adapter description choose Configure:


Choose the Advanced tab, then locate 802.11n Mode.  Switch the Value to Disabled and OK your way out of all.


The Origin of Gwar


The things I’ve held onto over the years.  Here’s what I think is the 2nd edition of Gwar’s handmade origin comic.  Looks like it’s from 1988.  I’m sure I got it from one of their shows at Atlanta’s Metroplex back then.  Download it here.


Wherein the Young IT Guy becomes the Old IT Guy

I had installed and configured a trial of a web analytics package for my day job and had the server put through the wringer.  Among the issues found was a redirect buried deep in the code to cornify.com, “…the #1 unicorn and rainbow service worldwide, spreading sparkly happiness around the world.”  I added it to my list of concerns for the product’s developers and shipped it to them.  They responded that the cornify link was an “Easter Egg” put there by one of the coders and wasn’t a security concern.

My immediate thought was this:  What if cornify becomes something else?  What if it stops being the #1 unicorn and rainbow service worldwide?  What if someone buys the name, or hijacks it, and it instead leads to an unsavory site?  How will you explain to your paying customers that you’re rushing out an update to the web app they’ve paid you handsomely for, and that their administrators need to burn their time updating it ASAP, because a redirect you added on a whim now points to something lawsuit-inducing?  Less dramatically, and more likely, why would you want to deal with that inevitable customer who gave you thousands of dollars for your product and doesn’t have a sense of humor?  The one who thinks it’s completely unprofessional and a poor reflection on them that your product did what you think is a lighthearted redirect?  Is being clever (and let’s be fair – it’s not all that clever) worth that risk?

And that’s when I realized I’d stopped being the Young IT Guy and I’d become the Old IT Guy.