Archive for November, 2006

Quote of the week: November 27th, 2006

Monday, November 27th, 2006

“I don’t have to take this abuse from you — I’ve got hundreds of people waiting to abuse me.” — Bill Murray, “Ghostbusters”

“Corpspeak”, corporate buzzwords, and communication

Thursday, November 23rd, 2006

You also have to have knowledge of what your talking about.

No way, I don’t believe it. My old boss had no clue what he was talking about and he become a manager of a department.

Just kidding about the “No way, I don’t believe it” part. 😉

You can’t be rambling to someone and expect them to understand you if you know nothing about what your talking about.

Again, my old boss did this a lot. It’s amazing how someone can talk for 30 minutes and really say nothing at all. Some call it “corpspeak”. Not exactly sure what “corpspeak” is yet? If you hear sentences like this, it’s corpspeak:

“They are leveraging their existing properties to create a destination and attract an already vibrant community and drive advertising space.”
Translation: We’re going to try to advertise where our competitors are advertising.

“As always, a customer base will pass the baton to a reconfigurable solution.”
Translation: The customer’s always right.

“We are all impressed to see that paradigm shifts will ramp up progress on drag and drop scenarios.”
Translation: Things change.

“The win-win systems sync up with content creation, however headcount readjustments provide multiprocessor support for each and every one of you.”
Translation: We got rid of half our staff and you get to pick up the slack for no extra pay.

“We feel that quality-assured objectives will enable the enterprise executive.”
Translation: You do all the work and the CEO might throw you a bone…maybe.

“A tangent touches base on a horizontal market, so our product market enhances excellence.
Translation: People like our stuff.

“The leadership positions establish an action item for the leading edge, and the team-building horizontal market attacks the problem of the neophyte.”
Translation: Managers will come up with hair-brained, ineffective ideas over a lunch discussion and will make everyone else follow through on it.

In order to obtain a paradigm shift, we took a close look at the value-added sanity check to understand what it means.
Translation: After management’s idea fell through, they’re looking at layoffs to make up for lost profit.

I tried to make this somewhat humorous, but in reality, you will hear a lot of this garbage come out of management’s mouth in a lot of corporate settings. I can only hope this trend of mouthing out buzzwords in order for people to sound like they know what they’re talking about (but really don’t) ends soon. In my opinion, it’s destroying effective communication.

Quote of the week: November 20th, 2006

Monday, November 20th, 2006

“Macintosh – we might not get everything right, but at least we knew the century was going to end.” — Douglas Adams, Author

“Productivity”

Sunday, November 19th, 2006

Most westerners, and Americans in particular, are sleep deprived as the norm trying to get in some semblence of a life between work. The majority of us have also become stimulant addicts in an attempt to make this easier, which in turn makes the stress of the day even more severe.

On top of all that, we live in a society where it’s increasingly difficult to stay abreast of the latest changes in science, society, and the world and where most of us lack the time to comfortably allocate study time for the sake of pure learning. There’s little time for quality family time, especially with those not in our own household. And there’s precious little time to work on independant and alturistic projects which in theory could be of benefit to soceity. And if one finds any of that objectionable, he’s instantly tagged as lazy.

The world is one messed up place sometimes. Hours at work do not equal productivity!

Quote of the week: November 13th, 2006

Monday, November 13th, 2006

“Imagine the disincentive to software development if after months of work another company could come along and copy your work and market it under its own name…without legal restraints to such copying, companies like Apple could not afford to advance the state of the art.” — Bill Gates, 1983 (New York Times, 25 Sep 1983, p. F2)

Introduction to Linux – a 244 page PDF

Saturday, November 11th, 2006

A very detailed introduction to Linux – good for newbies and experts alike. If you like reading or if you’re constantly told to RTFM, then this is for you.

Get it here.

Dear media outlets,

Wednesday, November 8th, 2006

I am a computer hacker. By this, I mean that I enjoy learning and exploring computer technology. I have a degree in computer science, and am involved in many not-for-profit computer-technology endeavors. I am not a criminal. I do not violate computer security, I do not write malicious software, and I do not intentionally cause harm to the computer systems that I have access to. Any computer system access that I have has been given to me through legitimate means. It has come to my attention that you have used the term ‘hacker’ to indicate a person who intentionally violates computer security systems.

The proper term for such a person is ‘cracker’ or ‘security breaker’, i.e. one that “cracks” computer security. By using the term ‘hacker’ in the way that your publication has done, you spread misinformation about me, and people like me. You are demeaning and destroying a culture that, above all, values learning, knowledge, and wisdom. Please stop insulting hackers by equating them with criminals. For more information, see here: http://www.catb.org/~esr/jargon/html/appendixc.html

Please issue a correction, and please make sure that a clear distinction is made in the future.

Quote of the week: November 6th, 2006

Monday, November 6th, 2006

The most terrible poverty is loneliness, and the feeling of being unloved. When we truly realize that we are all alone is when we need others the most and loneliness is never more cruel than when it is felt in close propinquity with someone who has ceased to communicate.

Social engineering affects everyone

Thursday, November 2nd, 2006

After reading this article, I have some thoughts. Unfortunately, even if you run Ubuntu (or any other Linux distro), you are still vulnerable – that’s the beauty of social engineering.

Sure, you might not fall for a renamed executable on a USB drive, but what if it’s taken a step farther?

Imagine you are walking into work early, and find an open folder on the floor, with some papers strewn around and a CD or DVD in with it. Imagine the paper is an application to put on a SIGGRAPH demonstration, and on the CD is a WINDOWS directory, a LINUX directory, a BSD directory and a SOLARIS directory and each directory has a file named SIGGRAPH_presentation.exe or there is a SIGGRAPH_presentation.jar, (eliminating the need for multiple OS versions), with a README about how to execute it. You figure, “What the heck – I love cool graphics.”

Now, while you are watching a cool graphics demo, it checks if you are logged in as root and, if you are, installs a nasty payload. If not, it could simply start emailing every file it finds in your home directory, or delete them, or encrypt them.

I don’t care what OS you are running, if you can be convinced to execute something, there will be some damage done. If you aren’t root the damage is limited, but there is still damage. The attack may have to involve more research on a person’s interests, or require more “found” hardware to convince someone, but it can be done. Maybe someone has to buy some hardware from ThinkGeek and make a fake installation disk, then leave the box, (with the modified disk), somewhere you will come across it.

Doesn’t even need root to steal passwords. There are a ton of config files and startup scripts in your home directory, which a trojan can attach itself to. It can load itself in your bash window, as a plugin in your mozilla, launch an extra program in your X, replace icons on your desktop, and god knows what else. One of those will catch on to something.

Take for example if it’s, say, Suse, I know that there’ll be some programs – e.g., Yast, every time you run the auto-updater – where the system will ask for the root password first. I can just replace the link with one to program that shows an identical dialogue.

Or, yeah, transmitting every file in your home directory is indeed another great way to get a ton of info. Source files that contain the URL, account and password to the productive database are the norm, rather than the exception. Or some cutesy script that goes through the firewall to download the latest nasa pic of the day or whatnot with wget, and in the process contains the user’s name and password to go through that proxy. (Let’s hope they used that password in more than one place.) Or there’ll always be one idiot who exported the productive database onto his local computer, or downloaded the server configs (including all database connections, with name and password) god knows what else they’ve copied there. There’ll often be one idiot who’s built some back door because he can’t be arsed to go through the IT department to have something reconfigured or to properly log in. I’ll love to know about that backdoor. There’ll be emails with forgotten passwords. There’ll be emails where people tell each other about those backdoors. “Oh, if you come from the intranet zone, you can bypass the stupid authenticating proxy completely. Just use http//prod.somebank.com/internalurl/some.jsp?secre t_user_login=admin.” There’ll often be text files or spreadsheets with all the URLs, names and passwords he uses – the geek equivalent of post-it notes.

Config files outside the home directory? Those can be fun too. For instance, everyone will have access to fstab. Maybe they’ll have the name and password for every single file share they use in there, or maybe it’ll be offloaded to some .smbpassword file, but there’s nothing that some trivial parsing can’t extract. Or just send it to me as it is, together with any readable file referenced in it. I’ll do the extraction by hand.

Log files? Now those can be a cornucopia of classified information. I’ve seen people even log each user’s name and password at each login through their clever UserRegistry or Single Sign On module or such. If someone copied a bunch of productive logs to their machine, or I can get the password to the machine where they are, I might be able to login and cause mayhem as 1000 of their customers. Or go to those customers’ profile pages and find out their personal data.

As I was saying, even if you aren’t root, the damage done can be catastrophic. The thinking that all that matters is that the OS survives, can sometimes miss the point. Yeah, some guy’s Linux installation survived perfectly. But then I got access to his company’s servers. Was it that much better? I’ll bet that as far as the company is concerned, they would have cared less if I just wiped out one workstation’s hard drive.

Also, an attack like this could be made virtually certain to work: Desperately ask the receptionist to let you in to the bank, just for 90 seconds, just to use the restroom, and drop a CD on the floor labeled “CONFIDENTIAL: Layoff List”. Extra points if you got a copy of the company phone directory and copied some or all of it onto the CD for the finder to browse while the autorun program chugs away.

In conclusion, being convinced you are immune to the dangers of social engineering is not a good way to avoid being social engineered. A healthy dose of paranoia can go far – and it’s only paranoia if there isn’t anyone out to get you.