Learn Some Hacker Skills Online from SANS & Paul Asadoorian

Fellow FriendsInTech.com member Paul Asadoorian is presenting two upcoming SANS@Home courses:

• SEC553 Metasploit For Penetration Testers - Feb 23 & 25, 2009 from 7PM-10PM EST
• SEC517 Cutting-Edge Hacking Techniques - March 23 & 25, 2009 from 7PM-10PM EST

Metasploit is a fantastic tool for testing your network and applications.  Come learn about all of its new features! You can use  discount code "PaulDotCom" and save 20%!

TSA Travel Woes - Post A Comment To Their Blog

I just found out that the Transportation Security Administration (TSA) is now officially blogging (started Jan. 30, 2008) and is accepting comments on their blog posts.

The blog is called "Evolution of Security" and can be found at: http://www.tsa.dhs.gov/blog.

If you run into trouble or maybe have a great experience, then make sure you use this resource to give them some feedback.

Some New Cold War History Recommendations

I am a big history buff. I am particularly interested in stories about World War II and The Cold War. 

I came across a bunch of recently released Central Intelligence Agency (CIA) docs at the Federation of American Scientists (FAS.org):

• "The Secret War in Korea, June 1950 to June 1952," March 1964 [pdf]
  
• "Record of Paramilitary Action Against the Castro Government of Cuba, 17 March 1960 - May 1961," May 1961 [pdf]
• "The Evolution of Ground Paramilitary Activities at the Staff Level, October 1949-September 1955," November 1968 [pdf]
• "The Berlin Tunnel Operation, 1952-1956," 24 June 1968 [pdf]

They all have some pretty interesting information in them.  I am fascinated by considering what the redacted parts contain.

The Cold War has many different angles and perspectives. One of the other resources that is really interesting is from Tony Kahn over at WGBH's Morning Stories podcast.  Tony produced the following series called "BlackListed" (RSS):

In October 1947, the House Un-American Activities Committee opened its hearing into Communist influence in the movie business and promptly denounced 19 prominent directors, producers, screenwriters, and actors as enemies of the state. One of them was Hollywood screenwriter Gordon Kahn, whose films include All Quiet on the Western Front and The African Queen.
    
In this six-part personal history of the Hollywood Blacklist, Gordon Kahn's son, Morning Stories producer Tony Kahn, tells the story of his father's 15 years of persecution and the fear that followed him, his family, and thousands of other Americans for being accused of having the wrong political ideas.

I have currently listened to three of six podcasts, and I am really enjoying this very well produced audio program.  No matter what your political views this is is a podcast that should not be missed.

Windows Mobile 6 Tip - Specific Ports for IMAP, SMTP, Etc.

One of the main reasons for moving to the AT&T Tilt was for the 'faster' network options 3G/UMTS/HSDPA plus Windows Mobile 6 was suppose to address a port mapping bug I've had on the Cingular 8125.

Our IMAP/SMTP services at work use non-standard ports for SSL/TLS connections, and you could not apparently assign these to non-standard ports with previous versions of Windows Mobile or PocketPC without doing some registry hacks.

Now, with Window Mobile 6 you can successfully append the port you want to connect to to the machine you are connecting to.  If your SMTP service is listening on port "444" and you SMTP server is called "smtp.mycompany.net" then the setting in the Mail setup is "smtp.mycompany.net:444" (with out the " quotes).

This tip should help others that might run into a problem with Google's new GMAIL IMAP support.

P.S. It appears that the AT&T Tilt is also referenced by AT&T as the 8925.  The unit is made by HTC that has a family of very similar if not exact models that go by 'TyTn II' and 'Kaiser.'

Taking Something On Purpose By Being "Clever" Is Still Stealing

I just just reading through Bruce Schneier's latest newsletter published on September 15, 2007, and it had this article:

Getting Free Food at a Fast-Food Drive-In

It's easy.  Find a fast-food restaurant with two drive-through windows: one where you order and pay, and the other where you receive your food.  This won't work at the more-common U.S. configuration: a microphone where you order, and a single window where you both pay and receive your food.  The video demonstrates the attack at a McDonald's in -- I assume -- France.

Wait until there is someone behind you and someone in front of you. Don't order anything at the first window.  Tell the clerk that you forgot your money and didn't order anything.  Then drive to the second window, and take the food that the person behind you ordered.

It's a clever exploit.  Basically, it's a synchronization attack.  By exploiting the limited information flow between the two windows, you can insert yourself into the pay-receive queue.

It's relatively easy to fix.  The restaurant could give the customer a numbered token upon ordering and paying, which he would redeem at the next window for his food.  Or the second window could demand to see the receipt.  Or the two windows could talk to each other more, maybe by putting information about the car and driver into the computer.  But, of course, these security solutions reduce the system's optimization.

So if not a lot of people do this, the vulnerability will remain open.

http://www.youtube.com/watch?v=T1jgYPsvsrA

While it is a 'clever exploit, taking something purposely without paying for it is still stealing and stealing is illegal.

Privacy Thoughts - Google Vs. ISPs

There is a lot of good blogger analysis about Google's ability to drill down deep into the search world and possibly get  into trouble by not keeping personal privacy data private. 

Given Google's business model of matching people to ads, it is in their best interest to not blow this, and keep private data private.

However, there seems to be a small group of alarmists raising issue with Google's recent purchase of RSS service provider Feedburner.

I do have to disclose that I am a big fan and happy customer of Feedburner. Congrats to the team over there. 

Based on my above assertion that Google must, if they want to be successful, protect privacy, that this new found very rich data in Feedburner will get the same high-level of protection. 

Plus, I don't see any signs of Google behaving badly, and that can not be said about ISPs.

Wired recently published a piece that outlines one of my big privacy concern areas - the data ISPs can and will be collecting, and what they plan to do with it as it effects public disclosure (overt, covert, and stolen), and possible manipulation as it enters 'their' network and gets to your devices.

EVDO Router Refences Mentioned In Podcast

A recent Kevin Devin's In The Trenches podcast discussed the following email I sent in to him and George Starcher on the topic of EVDO wireless routers:

Here is some background if you want to chat about it (sorry I would send in some audio comments but I can't get any recording done today) ...  I have both the Junxion Box JB110b and the Kyocera KR1.  But I've been using the Junxion box for nearly a year but the Kyocera for only a couple of weeks.  I'll travel with the Kyocera this week and I'll have more to say about it later.

• JB110b:
  • supports EVDO and other services like from AT&T/Cingular
  • ruggedized case (ideal for industrial or field operations)
  • can route/load balance from broadband Ethernet (DSL, Cable, etc.)
  • WI-FI features seem advanced
  • network mgmt features available
  • one thing I don't like is the power brick
  • 2 Ethernet ports (but only one for client if you are route/load balancing)
  • ~$599
• KR1:
  • EVDO only (with support for select EVDO cellphones)
  • consumer looking router (I think is is actually OEM'd from D-Link
  • can not load balance or route
  • WI-FI features don't seem as robust
  • weight is less than the Junxion box
  • comes with a car power adapter and better designed power brick
  • 4 Ethernet client ports
  • ~$299

One of the more interesting thing for me is both units are using open source software as the operating system (OS) on the units and each has a pretty good web interface (not great but better than some).

On the topic of business continuity, I think the Junxion Box would be ideal for that.  It is an idea I am proposing internal at my work. and the

Related to this topic are to recent posts about new gear from Engadget and Gizmodo.

QuadPolar #002 - Hacking, Vinyl, Artwork, & Food

QuadPolar #002 ... links for you and me:

1. Crosley Radio Specials: radio and turntables with support for CDs and tapes. {Crosley@Amazon}
2. Military artwork by Charles Waterhouse
3. Hack-A-Day notes that Metasploit is now running on the Linksys WRTSL54GS.
4. 'Tech' Food Conference (25Jun06 via Wired)

Why?

1. I'm looking to move some vinyl to digital format, and I'd also like to listen to some vinyl directly from time to time, especially Frankie Valli and The 4 Seasons plus I still have a pretty good size catalog of 80's music on vinyl and tape.
2. This is interesting for a yet-to-be-announced new project.
3. Just plain technically cool.
4. Food and technology are independently interesting to me, together they seem even more interesting.

Mini-Link Fest - New Media Focus?!?

I made a recent dent in reading through my RSS feeds, and I have the following items to check up on when I'm working through @Internet, and I thought I'd share them:

• Digg.com - "Al Pacino Podcast"
• Lockergnome - Picasa Easter Egg & Outlook Google Maps Plug-in
• Share OPML
• Bootable Movies
• Build Your Own Fortress Home
• Samsung's HL-S5679W LED-backlit 1080p DLP HDTV
• Eric Mack on how to embed a movie in a blog post
• TypePad supports Skypecast
• CBS Innertube
• UMPC devices are starting to hit the U.S. market
• Alan Cox (Red Hat) discusses computer security (IT Conversations podcast)
• Add a second monitor and get 30% better productivity?
• Open Street Maps in San Diego
• XML is a foundation for MindManager

VisAlert Software for Visualizing Snort Intrusion Detection Data

AFRL Technology Horizons for Feb. 2006 has an interesting pointer article to a tool called VisAlert that was developed by University of Utah's Center for the Represenation of Multidimensional Information for the Dept. of Defense.  The screen shots of the display are very interesting.