great migrations

For a large set of reasons, I have decided to move my blog site from the confines of WordPress to a different hosting solution; thus, https://veggiespam.wordpress.com becomes http://veggiespam.com. WordPress.com has a great advantage: a preexisting userbase, and by moving the site to a different host, I am giving that up. Since I get few comments on my public and private posts, it will make life easier just to not allow users on this site; I don’t want to self-manage posts and users. Pluses and minuses, but this move has to be done.

The old website and user commentary will remain at https://veggiespam.wordpress.com and there could be a future occasion where I cross-post to the old site so as to enable commentary. But, that will be rare. I copied existing comments to this site.

However, the old http://veggiespam.com site contained tons and tons of private information, about ¼ TB according to my provider. So, I had to ensure that all data can still be accessed by those that need it while not getting overwritten or preempted by the WordPress index.php processor. Thankfully, WordPress now supports this; the starting set of instructions is the Codex page Giving WordPress Its Own Directory, section “Pre-existing subdirectory”.

  1. Reconfigure the website to “use both http://www.veggiespam.com/ and http://veggiespam.com/ ” instead of forcing www. I guess I’ll go begrudgingly into the non-www named server era.
  2. Follow the directions 1-3 from the URL above.
  3. At step 4, be careful to not wipe the existing root-level .htaccess with the WordPress .htaccess file. WordPress really should caution people on that…
  4. Follow the directions 5-7.
  5. Go back to Settings and change the “site url setting to http://veggiespam.com/blog/ ” (note, if you go there directly, you’ll get page not found, but that’s fine).
  6. Configure the site for: “Remove WWW: Make http://www.veggiespam.com/ redirect to http://veggiespam.com/ “.
  7. Profit.

If you forget step 1 and just do step 5 first, then you’ll just get into a redirect loop. Doh.

Let’s hope a future auto-update to WordPress doesn’t wipe all of this out.

&crosses-fingers;

how to track down your ex(if) – talk given 26 feb 2015

How To Track Down Your Ex(if)

Adding JPEG Exif detection to your penetration regimen and learning how to practice Safe (s)Exif

Abstract:  We unintentionally distribute GPS data with every photograph, including indoor pictures. This talk will describe a real-world scenario involving a remote education site where teachers & students exposed their confidential home addresses via profile pictures. Two new ZAP & Burp plug-ins will be released to automate GPS data discovery during normal security assessments. In addition, suggestions for websites to protect their users and to remove the GPS data will also be provided.
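To make the abstract concrete, here is an added example (not code from the talk or from the released ZAP/Burp plug-ins) of what such a check does: walk a JPEG’s marker segments, find the Exif APP1 segment, follow IFD0’s GPSInfo pointer (tag 0x8825) into the GPS sub-IFD, and convert the degree/minute/second RATIONALs into decimal coordinates; the same walk also strips the Exif segment, which is the fix a site should apply before it publishes a profile picture. The parser is hand-rolled so the snippet runs offline; the sample JPEG is constructed inline by build_exif_jpeg (assumed helper, not a real photo) and its coordinates are made-up values.

```python
"""Detect and strip GPS coordinates carried in a JPEG's Exif APP1 segment."""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP1 = 0xE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825                      # IFD0 tag pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types


def _segments(data):
    """Walk JPEG marker segments up to SOS/EOI; yield (marker, start, end, payload)."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI / SOS: metadata segments are over
            break
        length = struct.unpack_from(">H", data, pos + 2)[0]
        end = pos + 2 + length
        yield marker, pos, end, data[pos + 4:end]
        pos = end


def _read_ifd(tiff, offset, e):
    """Parse one IFD into {tag: (type, count, value_bytes)}, resolving out-of-line values."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, base)
        size = TYPE_SIZES.get(typ, 1) * count
        if size <= 4:                          # small values are stored inside the entry
            value = tiff[base + 8:base + 8 + size]
        else:                                  # larger ones are pointed to
            (ptr,) = struct.unpack_from(e + "I", tiff, base + 8)
            value = tiff[ptr:ptr + size]
        if len(value) != size:
            raise ValueError("truncated IFD value (malformed Exif)")
        entries[tag] = (typ, count, value)
    return entries


def _dms_to_decimal(value, ref, e):
    """Three RATIONALs (deg, min, sec) plus an N/S/E/W reference -> signed decimal degrees."""
    deg, mn, sec = (n / d if d else 0.0 for n, d in struct.iter_unpack(e + "II", value))
    dec = deg + mn / 60 + sec / 3600
    return -dec if ref in ("S", "W") else dec


def find_gps(data):
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS Exif, else None."""
    for marker, _, _, payload in _segments(data):
        if marker != APP1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        e = {b"MM": ">", b"II": "<"}.get(tiff[:2])   # TIFF byte order
        if e is None:
            continue
        (ifd0_off,) = struct.unpack_from(e + "I", tiff, 4)
        ifd0 = _read_ifd(tiff, ifd0_off, e)
        if GPS_IFD_POINTER not in ifd0:
            continue
        (gps_off,) = struct.unpack_from(e + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _read_ifd(tiff, gps_off, e)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            continue                               # GPS IFD present but no coordinates
        lat_ref = gps[GPS_LAT_REF][2].rstrip(b"\x00").decode("ascii")
        lon_ref = gps[GPS_LON_REF][2].rstrip(b"\x00").decode("ascii")
        return (_dms_to_decimal(gps[GPS_LAT][2], lat_ref, e),
                _dms_to_decimal(gps[GPS_LON][2], lon_ref, e))
    return None


def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment removed (GPS goes with it)."""
    out, last_end = bytearray(SOI), 2
    for marker, start, end, payload in _segments(data):
        if not (marker == APP1 and payload.startswith(EXIF_HEADER)):
            out += data[start:end]
        last_end = end
    return bytes(out + data[last_end:])        # SOS, image data and EOI are kept as-is


def build_exif_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: SOI + Exif APP1 (big-endian TIFF, IFD0 -> GPS IFD) + EOI.
    Not a decodable picture; only the marker and IFD layout matter here."""
    e = ">"
    entry = lambda tag, typ, count, v4: struct.pack(e + "HHI", tag, typ, count) + v4
    rat = lambda vals: b"".join(struct.pack(e + "II", n, d) for n, d in vals)
    ifd0_off, gps_off = 8, 8 + 2 + 12 + 4                    # IFD0 holds one entry
    data_off = gps_off + 2 + 4 * 12 + 4                      # GPS IFD holds four
    ifd0 = struct.pack(e + "H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack(e + "I", gps_off)) + b"\0" * 4
    gps = (struct.pack(e + "H", 4)
           + entry(GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\0" * 3)
           + entry(GPS_LAT, 5, 3, struct.pack(e + "I", data_off))
           + entry(GPS_LON_REF, 2, 2, lon_ref.encode() + b"\0" * 3)
           + entry(GPS_LON, 5, 3, struct.pack(e + "I", data_off + 24))
           + b"\0" * 4)
    tiff = b"MM\x00\x2a" + struct.pack(e + "I", ifd0_off) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
    payload = EXIF_HEADER + tiff
    return SOI + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + EOI


if __name__ == "__main__":
    sample = build_exif_jpeg(((40, 1), (42, 1), (4608, 100)), "N",
                             ((74, 1), (0, 1), (2160, 100)), "W")
    print("before strip:", find_gps(sample))   # made-up coordinates from the builder
    print("after strip: ", find_gps(strip_exif(sample)))
```

Only the Exif APP1 segment is dropped; JFIF, ICC and the image data itself pass through untouched, which is the behaviour a site wants when sanitizing uploads. A passive proxy plug-in of the kind the talk describes would run find_gps over every image/jpeg response and flag non-None results.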


I gave this presentation about information security and privacy around images to the Organization of Web Application Security Professionals for the New Jersey chapter at the February 26 colloquium.  I also released two pieces of software: plug-ins for ZAP and Burp.  As promised, here are the slides, silent video, and links to the source code.

Thanks to the sixty-five of you who attended my talk.  And thanks to the few of you who e-gifted me a coffee.  If you haven’t done that and wish to keep me caffeinated, do the gifting at starbucks.com/shop/card/egift using the email owasp <åt> veggiespam <døt> com.  You can also send questions about the talk there too.

I will present more on this topic at a future date.  Comments via email, the twitters @veggiespam, or in this blog are appreciated.  Thanks.

-j

net neutrality & isp religion

If you haven’t heard, 15 July 2014 is the last day to submit comments to the FCC about Net Neutrality. You can read what people have said on this page and submit your own comments over here on 14-28.

Basically, the cable companies argue that they need to get rid of Net Neutrality so they may offer better products to their customers as the “all bits are created equal” clause of net neutrality prevents this. My wonderful ISP Cablevision is making record profits according to their SEC filings and the speed of my Internet service is slower than when I first subscribed. Plus, every 13 months, my bill goes up 10% in price. I’m wondering what extras and goodies I get for my slower and pricier bandwidth? What sorts of research did they do with all of those record profits to create new services? What is next?

Nothing. They don’t give a shit about you or me. They are a monopoly. They will not research new products as they don’t need to. I have no other options for high speed Internet; my ISP does not care about me. Killing Net Neutrality will simply give them another means to extort money from me to get back what I have now.

But, enough of that cruft. Let’s talk about Antonin Scalia. Basically, he said that it is acceptable for a corporation to have a religion and that they can choose to foist their reproductive opinions upon their employees. Ok… Well, Wheaton College is taking it a step further: they refuse to fill out the two page / five question form that would exempt them from the requirement to offer reproductive insurance, as even talking about the issue is considered an affront to their religion (see this). So now, a company can refuse to even acknowledge the discussion. Ok…

What if an ISP decided to find a religion that refused this reproductive discussion? What if Cablevision, mostly owned and controlled by a single family (who I believe are Catholic), decided to forbid people from connecting to websites that discuss contraception? †  Scalia said it is okay for a company to not even acknowledge it, and if Net Neutrality is killed, it makes it doubly okay to refuse the traffic. Joy.

But, this is America, land of competition! I can choose a new ISP. Except, I can’t, there is a monopoly in my town. And moving elsewhere doesn’t work either – every town has a monopoly. Plus, the #1 and #2 ISPs in America are trying to merge (see 14-57). I wonder if their religion will require them to merge.

Keep the net open. If you don’t speak now, they won’t let you speak later. Keep Net Neutrality.

† Note, I’m not saying the Dolans would do this, but it won’t be illegal if they did.

isc^2 2013 nomination results

I would like to express my thanks for each and every one of you who gave me a nomination for the ISC^2 Board of Directors.  Unfortunately, I did not get enough endorsements to meet the ISC^2 minimum, but let’s look at what did happen:

  • I am not a blogger by any stretch
  • I have zero publications in the security field
  • I have only given one public security presentation
  • My twitterverse following is in the teens (@veggiespam)
  • I have no zero-day disclosures that publicly announce my name
  • … Ergo, I’m basically a nobody in the Infosec world.

My run for ISC^2 consisted of:

  • One tweet
  • The ISC^2 delayed e-blast
  • A blog post
  • One email to my coworkers (of which almost none have ISC^2 certs)
  • And a scorched-Earth campaign platform
  • … So, it was a campaign of extreme change with little promotion.

And the results:  50 endorsements.  That’s 10% of the way to the ballot with minimal publicity by some anonymous guy with a destructive plan for the CISSP.  If people are that dissatisfied with the ISC^2 and the CISSP to give me a shot at the BofD, then there is something seriously wrong.

The other people running for the board need to take notice of the problems.  Why do so many established computer security professionals want to do away with the CISSP?  Why do people think the certification is a joke?  Why do they think the organization is a scam to keep a small synod of people employed with the dues?  What of the budget; where does the $25M go?  Why are the candidates segregated and the board-endorsed ones given a ten day head start on the e-blast campaign?  We need answers.

Once the final set of candidates is announced, I’ll provide a list of those who I endorse.  There are some that also want accountability and change.

Again, thank you for your support

-jay ball, GSNA, CRISC, CISSP

isc^2 board of directors 2013

At the encouragement of many friends, I have decided to throw my hat in the ring and become a member of the ISC^2 Board of Directors, an organization for computer security professionals, who sponsor the CISSP (Certified Information Systems Security Professional) certification.  The first step is to get 500 confirmed ISC^2 members to nominate me.

The approved ISC^2 process states you must send me an email to my address – isc2board@veggiespam.com – from the email address you use to log into the isc2.org website.  This email must contain your ISC^2 membership number and your name.  I would appreciate it if you used tabs in the email’s body:

     I would like to nominate Jay Ball for the ISC^2 Board of
     Directors.  My ID, email, and name are:

     isc2number    registered isc2 email    your name

Your ISC^2 membership number can be found by mousing-over “Members Only” header, clicking “My Profile”, and then clicking “View Profile”.  Find the line “Contact Number/ Certification Number” to obtain your ISC^2 number.  All nominations are due to me by 11:00 AM New York City time on Tuesday 17 September 2013 after which I’ll compile into a spreadsheet (ergo, tabs) and send to ISC^2.  [Note: on Windows, use numpad ALT+009 to insert a tab in web-based emailers. thx Paul]

My Platform

As a member of the ISC^2 board of directors, I will work to:

  1. Discontinue the CISSP Certification.  It is dead. It is a joke in the Infosec community.  It cannot be saved.  Bury it and create a new one.
  2. Publish the detailed budget and financials for members to see for all years since the ISC^2’s founding.  With 88672 CISSPs @ $85/yr, where does our $7.5 million go?
  3. Donate part of the hoarded funds to other security organizations or worthy open source projects.

About The CISSP

I’ve held my CISSP for seven years, dutifully paying my $85 and filling out the CPE form every year.  I’ve been a penetration tester, SAS70/ISAE3402 guru, system security architect, risk analyst, and lead security auditor with side training in forensics, firewalls, network security, secure coding, and system administration while working for boutique security companies and for internal security at a Big 4 accounting firm; I’ve seen much of the Infosec world.  However, each time I go through the annual renewal process, I try to remember how the CISSP relates to any of my daily Infosec jobs and I come to the same conclusion every year: the CISSP is a meaningless thing.

Like many people in the industry, my employer required me to earn and keep my CISSP certification as a condition of employment.  We asked “why” and were told that company leadership needs to tell our clients the Infosec department is CISSP-certified; basically the CISSP is a marketing buzzword.  We never used the CISSP as a means for job candidate filtering, in fact, we hired more people without CISSP than with; so it didn’t help with recruiting efforts.  Sometimes vendor personnel had CISSP certifications, but that was usually non-technical sales people; so we wondered if working for five years at a security vendor is good enough.

Maybe the ISC^2 website can give me more information on what the CISSP is about; but it looks more like a sales website where I buy books, exams, and attend training conferences.  I would go to my local ISC^2 chapter meeting, but my “small town” of New York City started a chapter under a year ago and appears to have not had a meeting since.

Funding

You’d think there would be a link to the budget in the members-only section of the website, but I don’t see one.  You’d think a 501(c)6 not-for-profit would spend more money on educational programs (24%) instead of administration and sales (61%) (2012, page 28), but they don’t.  We can be thankful that much was published; who knows what it was in 2011 (page 22).   And with a $7 million profit between 2010 and 2011 and $25 million in the bank, what’s going on?  If we really have that much money, why are we hoarding it?  [Update: FY11 tax return says about $400k for the executive director, but what is the whole budget?  thx Thistle]

Who Am I?

I’ve been doing Infosec for 10 years in many capacities. I have a SANS GIAC GSNA, ISACA CRISC, and the ISC^2 CISSP along with traditional BS and MS degrees.  I volunteer for OWASP, participate in ISACA, and am a member of various computer & security meet-ups.  I’ve been to Black Hat, Defcon, HOPE, and other random conferences.  I’ve taught Infosec to newbie pen testers and to people in the boardroom. I’ve found security issues in software and hardware in your data center and got the vendors to fix it.

In other words, I’m just like you and I’m sick of paying $85 for nothing.  I appreciate your nominations for the ISC^2 Board of Directors.  If you have questions, drop me an email; otherwise, please nominate me to appear on the ballot.

-jay ball, GSNA, CRISC, CISSP

[Updated 2013-08-21 19:17 – added tax return]

Watch iPad movies from SD Cards

Note: updated 2013-01-07 per suggestions from h0lleyb.

Scenario: long trip, ADHD viewing practices, filled iPad to capacity, no wifi/cell.  Whether whiny husband or child, here’s how to add movies to your iPad at 40,000 feet.

The trick is to use SD memory cards for offline storage of the movies and transfer them to the iPad when needed.  As a bonus, by using SD cards, you can delete the movies and recycle the cards to record your photos.  No Jailbreaking required.  No special iPad software is required. This technique builds on what others have done with a few new twists.

Two major steps are required, the preparation of the SD cards and the instructions while you are on vacation.  First, how to prepare the SD cards.

Requirements

You will need specific hardware and software to do this:

  • Apple Camera Connection Kit (CCK) or similar adapter.  The official Apple one can be bought from Amazon or Apple; alternatively, you can get generic versions such as http://amzn.to/SWKtNg .  If you have the newer iPad with the Lightning connector, use one of these from Apple or find something with more than a 1-star rating on Amazon or NewEgg.
  • SD card, such as http://amzn.to/TMxz6J or http://amzn.to/QQU9dQ
    — 32 GB should be more than enough.
  • Handbrake or another tool to convert a DVD into an mp4 file.
  • Computer with an SD card slot or an SD card adapter.
  • iPad with some free space.

Prepare SD Cards

We must first prepare before the trip.

Movie Conversions

First, use the software of your choice to convert the movies into an mp4 video file; I suggest Handbrake. Basically, launch Handbrake, put the DVD in the drive, choose the source location, set the destination location, choose the conversion optimization (e.g., iPad), and click start. I generally use the movie name as the filename and affix “_ipad” to the name.  You can find the Handbrake manual here.

Movie Titles (optional)

Because the iPad does not show you the filename of the movie, you won’t know which movies are stored on the SD card. So, we have to trick the iPad into telling us the name. Older cameras create movies using two files, the movie file and a still-frame jpeg. With this knowledge, we can create a picture of the title of the movie and then pair it with the movie; this gives us a visual cue for the movie.

TextPad & screen shot

For the still frame, it is best to simply use the title of the movie so it can easily be seen on the iPad.  On the Mac, one way to create the still frame is to open Textpad, type the name of the movie in big & colorful letters, and take a screen shot (Cmd-Shift-4). Rename the screenshot to the same name as the movie file. If your screen shots are in a different format, like png, open the image in Preview, do File → Export, and save as jpg with the same name. Be sure to include a margin in the image as the iPad will crop to some degree in the icon preview mode.  If using Windows, it is probably easier to load up MS Paint and create the jpeg image manually.

[Image: title card generated from the ImageMagick parameters below]

You can also use ImageMagick to generate the images from the command line. The snippet below produces a decent image at a 4×3 aspect ratio.

convert -background grey60 -fill blue \
-font Times-Roman -gravity center \
-size 760x560 \
caption:"The Wizard of Oz" \
-mattecolor gray40 -frame 20x20+6+6 \
Wizard_of_Oz.jpg

I’ve created a special website where you can type movie titles and get the images using the ImageMagick parameters above. Just Save-As the image after generated.

Copy to SD Card

Insert the SD card into the computer.

  1. Create a folder called DCIM at the top level of the SD card if it doesn’t exist.
  2. Copy the movies and the images into the DCIM folder.
  3. Rename the movie and the image to PICT0001.mov and PICT0001.jpg.  You will probably get a warning message when changing the m4v file into a mov file, but it is safe to ignore it.  If you have multiple movies, increment the numbers: PICT0002, PICT0003, etc.
  4. Properly eject the SD card.
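Steps 1 through 3 are easy to get wrong by hand once there are more than a couple of movies (a .jpg that doesn’t match its movie, or a number reused from a previous trip), so here is an added example script, not part of the original post, that does the pairing and numbering. It assumes each movie sits next to a title card with the same stem and a .jpg extension (e.g. Wizard_of_Oz_ipad.m4v and Wizard_of_Oz_ipad.jpg) and that the SD card is already mounted at the path you pass as the second argument; it continues numbering after whatever PICTnnnn files are already in DCIM.

```python
"""Stage movie/title-card pairs into a camera-style DCIM/PICTnnnn layout on an SD card."""
import re
import shutil
from pathlib import Path

MOVIE_EXTS = (".m4v", ".mp4", ".mov")
PICT_RE = re.compile(r"^PICT(\d{4})\.(mov|jpg)$", re.IGNORECASE)


def next_index(dcim):
    """Continue numbering after the highest PICTnnnn already on the card (1 if empty)."""
    used = [int(m.group(1)) for p in Path(dcim).iterdir() if (m := PICT_RE.match(p.name))]
    return max(used, default=0) + 1


def stage_movies(src_dir, card_root):
    """Copy each movie plus its same-named .jpg title card into DCIM/PICTnnnn.{mov,jpg}.

    Returns {original stem: PICTnnnn}. Every movie is checked for a title card before
    anything is copied, so the card never ends up with a movie the iPad cannot label."""
    src, dcim = Path(src_dir), Path(card_root) / "DCIM"
    dcim.mkdir(parents=True, exist_ok=True)            # step 1: DCIM at the top level
    movies = sorted(p for p in src.iterdir() if p.suffix.lower() in MOVIE_EXTS)
    for movie in movies:
        if not movie.with_suffix(".jpg").exists():
            raise FileNotFoundError(f"no title card for {movie.name}")
    n = next_index(dcim)
    mapping = {}
    for movie in movies:                               # steps 2 and 3: copy and rename
        stem = f"PICT{n:04d}"
        shutil.copy2(movie, dcim / f"{stem}.mov")      # .m4v -> .mov is just a rename
        shutil.copy2(movie.with_suffix(".jpg"), dcim / f"{stem}.jpg")
        mapping[movie.stem] = stem
        n += 1
    return mapping


if __name__ == "__main__":
    import sys
    # usage: python stage_movies.py <folder of converted movies> <mounted SD card>
    for title, name in stage_movies(sys.argv[1], sys.argv[2]).items():
        print(f"{name}: {title}")
```

The returned mapping is worth printing or saving, since once the files are on the card the only record of which PICT number is which movie is the title-card image itself.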

[Image: SD card file system] After you’ve added the movies, your SD card should look something like this.

Be sure to verify that everything works before you leave on your trip by testing the transfer to iPad, described below.

Transfer to iPad

During your trip, you’ll need to copy the files onto the iPad to watch the movies.  You need to make sure there is enough free space on the iPad to hold at least a single movie.

  1. Insert the Apple Camera Connection Kit into your iPad.
  2. Place your SD card into the CCK.
  3. The iPad could take a few seconds, but should auto-launch the Photos application and take you to the “Camera” tab. You should see a screen similar to this one.  Otherwise, you may have to manually launch the “Photos” application. [Image: SD card import]
  4. Select each movie you wish to copy onto the iPad by touching it (a check mark appears). Then, click Import followed by Import Selected.
  5. It will take a minute, but the videos will eventually get copied into the iPad.
  6. The iPad will ask if you wish to delete the movies after import; say “Keep”.
  7. When you are done, remove the CCK.

After loading, your iPad photos page will now contain the new videos. Unfortunately, once on the iPad, the name of the movie will disappear, as can be seen in the screen shot, hence the advice to delete after watching. To watch the movie, load it by clicking on it. Then, click the play button in the upper left of the screen.

When you are done with movies, they can be deleted from the iPad.  If you use iPhoto, it is best to delete the movies before you sync the iPad.  If you wish to watch the same movie again, simply re-import it into the iPad.

Other Ideas

Instead of using an SD card, it is possible to use a USB stick along with an iPad ↔ USB adapter; however, not all USB sticks are created equal.  Higher capacity sticks and those with lights draw more power from the iPad, and iOS shuts down the stick if it uses too much.  You will have to experiment or use the googles to figure out the best sticks.

Why does changing m4v into mov work?  For Quicktime, mov was the original file extension and still means “generic Quicktime file.”  The m4v is a very specific version of Quicktime movie.  Most cameras generate mov files when capturing video, so we simply take advantage of that fact.

Can you use other files, like those bought from iTunes?  Good question, I’ve never tried.

What about using the JACKET_P image; that would make an awesome title jpg?  If you want to convert it, go for it.  But, since the title is so tiny in thumbnail mode, it probably isn’t worth it. Make your suggestion for an enhancement to the authors of Handbrake.

internet destroying laws

There are a few bills going through Congress right now and I encourage you to write your congress-critter to voice your opposition. They are:

  • H.R.3261 – Stop Online Piracy Act
  • S.968 – Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011
  • H.R.1981 – Protecting Children From Internet Pornographers Act of 2011

The SOPA and PROTECT-IP bills are very similar. Both would force your ISP to filter your Internet traffic and not allow you to go to “bad” sites. The problem is, if a site is even accused of hosting illegal music files, your ISP must prevent you from going to the site. No guilt of violation is required. In addition, the mechanism used to enforce this literally breaks the Internet and leaves you open to attack from viruses, malware, and outside attackers since you are no longer allowed to use DNS-SEC for protection. Nice. I sent similar letters to both NJ senators and to my NJ House rep, but this is the version for Bob Menendez, my NJ senator actually co-sponsoring the bill:

I am writing to you regarding your sponsorship of S.968 “Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011.” This is a horrible bill and I would like to see you withdraw your sponsorship of it.

On your own web page, from which I am sending this letter, you have links for me to become your Facebook friend, for me to watch your speeches and opinions on Youtube, and a Twitter feed so I may keep up with you. Each one of those three companies has come out very publicly against this bill. In fact, with the bill’s “assume guilty, take down site, then call lawyer” mantra, there is a very real chance that one of your endorsed sites will go offline for something that another person does. There is no safe-harbor provision as with the DMCA.

More troubling is the fact this will break the new Internet-protection mechanism called “DNS-SEC.” DNS interception and poisoning is a very real Internet attack, basically, the attackers give your machine their IP address instead of the real IP address during a DNS lookup. Malware, viruses, and compromised upstream computers use DNS attacks to fool your computer into going to the wrong place. Your computer may think it is speaking with Facebook.com, but it is really talking to the attacker’s machine. This works because your machine will not know the difference. The attacker can forward all of your traffic to the real Facebook while keeping a copy for themselves. Imagine if they did this using a bank … or any .mil site. DNS-SEC is currently being rolled out on the Internet to prevent this attack. It would encrypt the traffic so that only the root servers or trusted servers could respond to the DNS lookup query. But PROTECT-IP requires all upstream providers to filter DNS, ergo intercept and read it. So, you cannot use DNS-SEC to protect yourself.

Please, withdraw your support for this bill. It goes too far.

Though I didn’t point it out, the bill would also make unlicensed incidental background music illegal in an online video. So, if there is a radio playing when you upload video from a party, you would be guilty of a crime. For someone like Justin Bieber, the latest singing sensation who was discovered because he sang a song on Youtube, he would be guilty of violating the law, fined, and perhaps thrown in prison for 5 years — see www.freebieber.org.

The other bill is ostensibly said to protect children from predators. It would require your ISP to record most of your Internet traffic just in case. Sounds kinda big brother to me. Plus, as a side effect, it will kill free Internet in coffee shops and parks. If you were a small coffee shop, you’d have to start checking the IDs of your customers, write down their information, match their web surfing to their machine, and log all of this data for a period of time. Would a Ma & Pa coffee shop do that? Imagine a park ranger in a city park walking over to people to check IDs. Won’t happen, so they’ll simply kill the free Internet. My letter to Albio Sires of NJ-13.

I wrote to you a few months ago about H.R. 1981, ‘the Protecting Children from Internet Pornographers Act of 2011′ and my thoughts about how the bill goes too far and will accomplish nothing. I’ve thought further and discovered another unintended consequence of the bill: it will kill free Internet access.

While on a vacation, I enjoyed free Internet at many small, family owned coffee shops in MA, NYC, and NJ. If this bill becomes law, those small businesses would need to start tracking all of the people who use their wireless connections. They’d have to check IDs, write down the information, record all traffic as mandated by law, ensure they’re not mixing each patrons’ data, and log it for some time. Or, they’d need to subscribe to some service that performs these checks at added cost. For a small business, would this be worth it?

Starbucks and McDonalds also offer free Internet today and may be able automate the ID checks to some degree. These big stores could have the user enter a valid credit card number to match to a name and allow the user to continue – they need not bill the person, only use the credit card as an ID card.

What happens if my credit card is stolen and used at Starbucks for ‘bad?’ What happens if a waiter at another place simply writes down my credit card number and only uses it to perform this ‘authorization check’ at Starbucks? To be absolutely certain, the big stores still need to manually validate IDs – which takes the time away from an employee. Do they now need ‘bouncers’ for Internet checks? It might be easier for them to simply discontinue Internet or to begin charging for it.

If a small shop did not do these tasks and one of their patrons went to an illegal site, would the owner of the store now be accused of viewing child pornography? Eventually, the charges would probably get dropped, but only after the owner was arrested, called a pervert in the media, sold the shop, and burned through their savings to pay for a lawyer.

Or, they just might stop offering free Internet. If this bill comes to a vote, please say no.

I encourage everyone to stand up for your rights and to prevent big brother from getting closer to reality.

Hurricane Monday

So, I’m slow.  I’m finally getting around to the last bit of pictures from Hurricane Irene, only a few months late.  Lots more pictures located here: veggiespam.com/foto/Hurricane-Irene-Monday/ for your viewing pleasure. There are basement pictures, street aftermath, even a guest appearance from our controversy-free mayor. The last one was slightly sarcastic if you didn’t notice.

We had 1.23 meters of water in the basement and it cost $300 to hire some guy on the street with some old rust bucket of a pump to help excise the liquid.  Our maintenance company, who gives us preferred rates, wanted $2000. One of our fellow building owners had some appropriate, but not family friendly comments over the situation.  After 6 hours of listening to the racket and clatter far into the night, how much water was removed?  Building width 7.6m times length 30.5m times water depth of 1.23m = 285 cubic meters = about 1/9 of Olympic swimming pool (i.e. 79,300 gallons).

We’re dry now… until global warming raises the ocean level more.  Maybe I should sell before that day comes.

evening splashing

I’ve added a few videos, like one of the fire truck making waves in my new door-front babbling brook, all of which can be found on my photo site.  My upstairs neighbors went for a walk; here is Elif with something in her shoe (water perhaps?).

How bad is/was the flooding?  Well, the image to the right (click on it for full size) shows the height of the Hudson River around 10:15 at The Battery (see map) on the tip of Manhattan near my house, from the US Gov Weather Site (site is constantly updated).

Here are a bunch of pictures from a local website; I’ve picked out four nice ones:

  • Click here to see a great picture 1.5 blocks from my house looking down towards me.  The guy in the far distance in the middle of the road is standing in the intersection at my house.
  • Here is an image one block over and one down from my house.
  • Not quite sure where this picture was taken, but row row your boat.
  • And finally, the ferry terminal, this is the land side of it, not the water side.

The wind has started again, seemingly more constant than before the storm hit.  And the sun actually shone its shiny face, if but only for a few minutes. Nevertheless, some streets are still impassable, like mine.

The flooding, wind, rain, and such have knocked out the Internet for a bit.  And since I have a VoIP-based telephone, that gets knocked out every so often too.  Plus, the cell service went down to one bar (OMG!) at one point.  But power has been fine, no flickers even.

I leave you with a comic: http://theoatmeal.com/comics/weather

morning breath

I just heard the fog horn of a large ship.  I certainly hope it remains at least two blocks away.  Its wake may take out a few buildings.  I also heard a building fire alarm but couldn’t tell from which direction it came.  I’m just surprised I only heard one.

The flooding is hitting the front of the building, but not the side where the entrance to my apartment is.  They evacuated the city’s evacuation center last night, so I went to bed expecting a meter of water.  But, woke up with both power and Internet, though only one bar of signal on my cell phone.

The eye of the storm was calm, but now the rains have started again.  The map on the storm shows the extent with the eye centered around us – From Maine, to Washington, to Buffalo.  And now, the storm surge has started again.

Some pix: http://www.veggiespam.com/foto/Hurricane-Irene-Sunday-0900/ — click for full size.
