Tech Tracking #001 - New News, Mobile, Video, Security, Books, Training, Etc

Here are some new items I am tracking --

• MaximumPC has a good list of Microsoft Windows Phone 7 feature and tech stats
• Amazon’s cloud services continue to see improvements: new lower S3 storage pricing, increased HTTPS support, Mechanical Turk upgrades, etc.
• NVIDA has announced GeForce.com as their new home for latest drivers and other resources.
• If you use QuickBooks 2011, then you might want to check out a new book from O’Reilly.
• Zimbra Desktop 2.0 is out: open-source, multi-platform collaboration tool now with social media integration.
• ScotteVest has a new Expedition Jacket with 37 Pockets (it looks great for camping,  hunting & hiking)
• Mac OS X v10.6.5  Security Update 2010-007 has a lot of fixes include ~55 just for Adobe Flash
• computertechnician.net is a site run by a non-profit to list “different degree & school options as well as career, job & salary information”
• The Winter Quarter for UCLA Extension's Computer Science & Information Systems courses and certificate programs starts 1/5/2010
• SANS On Demand's 2011 Course Catalog has been announced (video, hands-on exercises, test prep, etc)
• Dynamism has announced availability of the Sony Vaio Y Series laptop & the Viewsonic Viewpad 7 tablet

Safer Browsing with Google Chrome - No JavaScript (Unless Authorized)

One of the lessons learned from attending DEFCON#18 was that as a FireFox user that running NoScript was a highly recommended tool. Many of the presenters who were talking about Internet browser vulnerabilities mentioned NoScript as a defensive tool to help mitigate the risks they were discussing in their presentations.

While I still use Firefox with NoScript a lot, I have also been using Google's Chrome browser more and more running on Mac, Windows & Ubuntu.  There is no NoScript version for Chrome but you can turn off by default JavaScript via:

1. Options (aka Preferences)
2. Under the Hood tab
3. Privacy > Content Settings ... button
4. JavaScript tab
5. Do not allow any site to run JavaScript
6. Close button

Once you have turned it off, there will be a 'no JavaScript icon' that will shows up in the Link Box on the far right-hand side of the box on the first site you hit with JavaScript:

  

You can now click on that icon and allow the specific sites you frequent and trust to be in a trusted list. And you'll need to reload the page to get the exception registered so that the page will display and function as the publisher expected.  Here is what Hulu.com says if you go there without JavaScript turned on:

IMHO, this is better than running JavaScript on every site you go to by default.  The best security practice is now to only allow JavaScript on sites you trust and know.  Not perfect but better than the alternative.

P.S. If you use Chrome's Incognito feature with JavaScript turned off then there appears to be no way to go turn on JavaScript for specific sites in Incognito mode except for those already in your approved list.

Learn Some Hacker Skills Online from SANS & Paul Asadoorian

Fellow FriendsInTech.com member Paul Asadoorian is presenting two upcoming SANS@Home courses:

• SEC553 Metasploit For Penetration Testers - Feb 23 & 25, 2009 from 7PM-10PM EST
• SEC517 Cutting-Edge Hacking Techniques - March 23 & 25, 2009 from 7PM-10PM EST

Metasploit is a fantastic tool for testing your network and applications.  Come learn about all of its new features! You can use  discount code "PaulDotCom" and save 20%!

TSA Travel Woes - Post A Comment To Their Blog

I just found out that the Transportation Security Administration (TSA) is now officially blogging (started Jan. 30, 2008) and is accepting comments on their blog posts.

The blog is called "Evolution of Security" and can be found at: http://www.tsa.dhs.gov/blog.

If you run into trouble or maybe have a great experience, then make sure you use this resource to give them some feedback.

Some New Cold War History Recommendations

I am a big history buff. I am particularly interested in stories about World War II and The Cold War. 

I came across a bunch of recently released Central Intelligence Agency (CIA) docs at the Federation of American Scientists (FAS.org):

• "The Secret War in Korea, June 1950 to June 1952," March 1964 [pdf]
  
• "Record of Paramilitary Action Against the Castro Government of Cuba, 17 March 1960 - May 1961," May 1961 [pdf]
• "The Evolution of Ground Paramilitary Activities at the Staff Level, October 1949-September 1955," November 1968 [pdf]
• "The Berlin Tunnel Operation, 1952-1956," 24 June 1968 [pdf]

They all have some pretty interesting information in them.  I am fascinated by considering what the redacted parts contain.

The Cold War has many different angles and perspectives. One of the other resources that is really interesting is from Tony Kahn over at WGBH's Morning Stories podcast.  Tony produced the following series called "BlackListed" (RSS):

In October 1947, the House Un-American Activities Committee opened its hearing into Communist influence in the movie business and promptly denounced 19 prominent directors, producers, screenwriters, and actors as enemies of the state. One of them was Hollywood screenwriter Gordon Kahn, whose films include All Quiet on the Western Front and The African Queen.
    
In this six-part personal history of the Hollywood Blacklist, Gordon Kahn's son, Morning Stories producer Tony Kahn, tells the story of his father's 15 years of persecution and the fear that followed him, his family, and thousands of other Americans for being accused of having the wrong political ideas.

I have currently listened to three of six podcasts, and I am really enjoying this very well produced audio program.  No matter what your political views this is is a podcast that should not be missed.

Windows Mobile 6 Tip - Specific Ports for IMAP, SMTP, Etc.

One of the main reasons for moving to the AT&T Tilt was for the 'faster' network options 3G/UMTS/HSDPA plus Windows Mobile 6 was suppose to address a port mapping bug I've had on the Cingular 8125.

Our IMAP/SMTP services at work use non-standard ports for SSL/TLS connections, and you could not apparently assign these to non-standard ports with previous versions of Windows Mobile or PocketPC without doing some registry hacks.

Now, with Window Mobile 6 you can successfully append the port you want to connect to to the machine you are connecting to.  If your SMTP service is listening on port "444" and you SMTP server is called "smtp.mycompany.net" then the setting in the Mail setup is "smtp.mycompany.net:444" (with out the " quotes).

This tip should help others that might run into a problem with Google's new GMAIL IMAP support.

P.S. It appears that the AT&T Tilt is also referenced by AT&T as the 8925.  The unit is made by HTC that has a family of very similar if not exact models that go by 'TyTn II' and 'Kaiser.'

Taking Something On Purpose By Being "Clever" Is Still Stealing

I just just reading through Bruce Schneier's latest newsletter published on September 15, 2007, and it had this article:

Getting Free Food at a Fast-Food Drive-In

It's easy.  Find a fast-food restaurant with two drive-through windows: one where you order and pay, and the other where you receive your food.  This won't work at the more-common U.S. configuration: a microphone where you order, and a single window where you both pay and receive your food.  The video demonstrates the attack at a McDonald's in -- I assume -- France.

Wait until there is someone behind you and someone in front of you. Don't order anything at the first window.  Tell the clerk that you forgot your money and didn't order anything.  Then drive to the second window, and take the food that the person behind you ordered.

It's a clever exploit.  Basically, it's a synchronization attack.  By exploiting the limited information flow between the two windows, you can insert yourself into the pay-receive queue.

It's relatively easy to fix.  The restaurant could give the customer a numbered token upon ordering and paying, which he would redeem at the next window for his food.  Or the second window could demand to see the receipt.  Or the two windows could talk to each other more, maybe by putting information about the car and driver into the computer.  But, of course, these security solutions reduce the system's optimization.

So if not a lot of people do this, the vulnerability will remain open.

http://www.youtube.com/watch?v=T1jgYPsvsrA

While it is a 'clever exploit, taking something purposely without paying for it is still stealing and stealing is illegal.

Privacy Thoughts - Google Vs. ISPs

There is a lot of good blogger analysis about Google's ability to drill down deep into the search world and possibly get  into trouble by not keeping personal privacy data private. 

Given Google's business model of matching people to ads, it is in their best interest to not blow this, and keep private data private.

However, there seems to be a small group of alarmists raising issue with Google's recent purchase of RSS service provider Feedburner.

I do have to disclose that I am a big fan and happy customer of Feedburner. Congrats to the team over there. 

Based on my above assertion that Google must, if they want to be successful, protect privacy, that this new found very rich data in Feedburner will get the same high-level of protection. 

Plus, I don't see any signs of Google behaving badly, and that can not be said about ISPs.

Wired recently published a piece that outlines one of my big privacy concern areas - the data ISPs can and will be collecting, and what they plan to do with it as it effects public disclosure (overt, covert, and stolen), and possible manipulation as it enters 'their' network and gets to your devices.

EVDO Router Refences Mentioned In Podcast

A recent Kevin Devin's In The Trenches podcast discussed the following email I sent in to him and George Starcher on the topic of EVDO wireless routers:

Here is some background if you want to chat about it (sorry I would send in some audio comments but I can't get any recording done today) ...  I have both the Junxion Box JB110b and the Kyocera KR1.  But I've been using the Junxion box for nearly a year but the Kyocera for only a couple of weeks.  I'll travel with the Kyocera this week and I'll have more to say about it later.

• JB110b:
  • supports EVDO and other services like from AT&T/Cingular
  • ruggedized case (ideal for industrial or field operations)
  • can route/load balance from broadband Ethernet (DSL, Cable, etc.)
  • WI-FI features seem advanced
  • network mgmt features available
  • one thing I don't like is the power brick
  • 2 Ethernet ports (but only one for client if you are route/load balancing)
  • ~$599
• KR1:
  • EVDO only (with support for select EVDO cellphones)
  • consumer looking router (I think is is actually OEM'd from D-Link
  • can not load balance or route
  • WI-FI features don't seem as robust
  • weight is less than the Junxion box
  • comes with a car power adapter and better designed power brick
  • 4 Ethernet client ports
  • ~$299

One of the more interesting thing for me is both units are using open source software as the operating system (OS) on the units and each has a pretty good web interface (not great but better than some).

On the topic of business continuity, I think the Junxion Box would be ideal for that.  It is an idea I am proposing internal at my work. and the

Related to this topic are to recent posts about new gear from Engadget and Gizmodo.

QuadPolar #002 - Hacking, Vinyl, Artwork, & Food

QuadPolar #002 ... links for you and me:

1. Crosley Radio Specials: radio and turntables with support for CDs and tapes. {Crosley@Amazon}
2. Military artwork by Charles Waterhouse
3. Hack-A-Day notes that Metasploit is now running on the Linksys WRTSL54GS.
4. 'Tech' Food Conference (25Jun06 via Wired)

Why?

1. I'm looking to move some vinyl to digital format, and I'd also like to listen to some vinyl directly from time to time, especially Frankie Valli and The 4 Seasons plus I still have a pretty good size catalog of 80's music on vinyl and tape.
2. This is interesting for a yet-to-be-announced new project.
3. Just plain technically cool.
4. Food and technology are independently interesting to me, together they seem even more interesting.