Weekly security week wrapup 23 and 24

It’s been two weeks since the weekly security wrapup, which makes ‘weekly’ a rather week term. Lots of excuses I could utter, but they’re all saying: “been busy”, which is another way of saying “I decided that other things were more important to do”. However, here we go again.

Cheap GPUs are breaking passwords faster

Obviously, they’re good at doing stupid things fast(er), and cracking passwords is about the stupidest task possible for a computer. However, for some of the strong stuff out there, like TrueCrypt, it does not really matter. TrueCrypt, for instance, has a rather slow initialization routine, which takes about 10ms on an average processor, which means you can check 100 passwords/sec. If a CUDA implementation were to increase that 1 million times (10^6), you could check 10^8 passwords per second. But if you have a 10 char password (upper/lower/digits), there are roughly 10^17 possibilities. Checking 10^8 passwords/s means it takes 10^17/10^8/2 ~= 10^8 seconds. Which is another way of saying 76 years. That’s longer than the average time it takes for a disk to disintegrate by itself, last time I checked. Still, using CUDA to speed things up is quite cool.

http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125
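The estimate above as an added, runnable sketch (not code from the linked article): it calibrates how many iterations of a slow key-derivation step cost about 10 ms on the local CPU, then works out average search time and the password length needed for a target lifetime. PBKDF2-HMAC-SHA512 is an assumed stand-in for the slow initialization routine, all function names are hypothetical, and the exact keyspace 62^10 is used instead of the rounded 10^17, so the figures differ from the rounded ones in the text.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def seconds_per_guess(iterations: int, rounds: int = 5) -> float:
    """Measure the cost of one password check on this CPU (best of `rounds`)."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        # Constructed password and salt; PBKDF2 is an assumed stand-in KDF.
        hashlib.pbkdf2_hmac("sha512", b"constructed-guess", b"constructed-salt", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def iterations_for_cost(target_seconds: float, probe: int = 20_000) -> int:
    """Scale a probe measurement to the iteration count costing `target_seconds`."""
    return max(1, round(probe * target_seconds / seconds_per_guess(probe)))


def expected_years(alphabet: int, length: int, guesses_per_sec: float) -> float:
    """Average exhaustive-search time: half the keyspace at the given rate."""
    return alphabet ** length / 2 / guesses_per_sec / SECONDS_PER_YEAR


def min_length(alphabet: int, guesses_per_sec: float, target_years: float) -> int:
    """Shortest random password whose average search time reaches `target_years`."""
    length = 1
    while expected_years(alphabet, length, guesses_per_sec) < target_years:
        length += 1
    return length


if __name__ == "__main__":
    base_rate = 1 / 0.010           # 10 ms per check -> 100 guesses/s (from the text)
    gpu_rate = base_rate * 10**6    # the text's hypothetical 10^6 speed-up
    print("iterations for ~10 ms per guess here:", iterations_for_cost(0.010))
    for n in (8, 10, 12):
        print(f"{n} chars: {expected_years(62, n, gpu_rate):.3g} years on average")
    print("length needed for 1000 years:", min_length(62, gpu_rate, 1000))
```

Each extra character multiplies the search time by 62, which is why length matters far more than any constant-factor hardware speed-up.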

Mac Reversing: Starter’s guide

I’ve found this article on (OSX) malware analysis for beginners. It talks you through the beginning of using IDA Pro and how to start analysing it. It’s excellent, but you need to keep paying attention, or you lose track quite easily.

http://jsz.github.com/reverse_engineering_mac_defender.html

Electric car trouble

And we’re not talking about the trouble you have driving your new electric Nissan Leaf and looking for a place to have lunch, dinner and a nap before your car is charged up. No, we’re talking about the car’s built-in firmware’s RSS reader telling all servers your current location, speed and whether you have the aircon on. That’s not funny.

http://www.theregister.co.uk/2011/06/13/nissan_leaf_privacy_invasion/

Wrapup for week 21

I’ve started to do something different. I’ll try and create a wrapup of the stuff on the security and/or forensics arena that got my attention. Some may be quite interesting, others may be more fleeting.

Chrome false start

Google has added a feature to Chrome which enables it to perform an SSL handshake in fewer messages, resulting in a quicker session setup for the end-user. The beautiful thing is that the only thing that needs adjustment is the browser, not the server. That’s very nice, and here is a writeup by @cyberwar on the implications that this effort will have for the adoption of SSL.

IPv6 failure coverup in chrome

If you have a network setup where IPv6 is somewhat broken, you are in trouble. ‘Somewhat broken’ in this case means: you have an IPv6 address, but no real IPv6 connection to the interwebs. What happens is that you ask the DNS for an address, and it hands you an AAAA and an A record back. You try the AAAA record, which will fail, but it may take some time for the browser to actually notice that the IPv6 connection will not do what it was intended to do; only after that will it try the A record for IPv4.

Chrome now has a feature called IPv4-fallback, which works like this: Chrome tries to use the AAAA record, but sets a really low timer (300ms) on that connection. If it doesn’t get an answer back from the server within that time, it will start an IPv4 connection for the A record as well. The first connection to complete, either the AAAA or the A, will be chosen to transfer the request and/or data. On a fast connection, this is quite an elegant way for the browser to solve the end-user’s broken network. Naturally, the end-user should fix his network, but with broken CPE that might not be that easy to do. Networkworld has an article on this, as well as on the upcoming IPv6 world day (8 June 2011).
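The fallback race described above, as an added simulation (not Chrome's code): connects are modelled with constructed latencies instead of real sockets, and `connect`, `race` and `chosen_family` are hypothetical names. It goes slightly beyond the text by also handling an IPv6 attempt that fails outright before the 300 ms timer, in which case the A record is tried immediately.

```python
import asyncio

FALLBACK_DELAY = 0.300  # the 300 ms timer from the text


async def connect(family, latency, ok=True):
    """Simulated connect (no sockets): finishes after `latency` seconds,
    then either succeeds or raises, like a handshake that finally times out."""
    await asyncio.sleep(latency)
    if not ok:
        raise OSError(f"{family} connect failed")
    return family


async def race(v6, v4, delay=FALLBACK_DELAY):
    """v6 and v4 are (latency, ok) tuples describing each simulated path."""
    pending = {asyncio.create_task(connect("AAAA", *v6))}
    timeout, v4_started = delay, False
    while pending:
        done, pending = await asyncio.wait(
            pending, timeout=timeout, return_when=asyncio.FIRST_COMPLETED)
        winners = [t.result() for t in done if t.exception() is None]
        if winners:
            for task in pending:
                task.cancel()          # abandon the slower attempt
            return winners[0]
        if not v4_started:
            # Timer expired, or IPv6 failed outright: bring in the A record.
            pending.add(asyncio.create_task(connect("A", *v4)))
            v4_started, timeout = True, None
    raise OSError("both address families failed")


def chosen_family(v6, v4, delay=FALLBACK_DELAY):
    """Synchronous wrapper: which record ends up carrying the request."""
    return asyncio.run(race(v6, v4, delay))


if __name__ == "__main__":
    # Constructed scenarios: (latency in seconds, connect succeeds?)
    print(chosen_family((0.02, True), (0.02, True)))    # healthy dual stack
    print(chosen_family((5.0, False), (0.05, True)))    # black-holed IPv6
    print(chosen_family((0.40, True), (0.50, True)))    # slow but working IPv6
```

In the black-holed case the user waits roughly the timer plus the IPv4 connect time, instead of the full connect timeout of the dead IPv6 path.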

Google prediction API

The Google Prediction API may be the prelude of an upcoming trend, where the algorithms and computing power from Google can be used for your own benefit. The example described in the article is done by Ford motor company, but when you start to think about it, there may be a lot more cases where it makes sense to use the Google machine learning algorithms to make the business more profitable by helping the end-user attain his goals more easily.

Roll your own Supercomputer for $1060/h

To finish this weekly wrap-up: how to roll your own supercomputer for $1060/h, which is quite cheap once you think about it. I cannot run computing power like this for this tariff (when also including downtime and idletime).

Randy Pausch

I’ve recently come across the last lecture by Randy Pausch. It’s very inspirational and it works to look at stuff from his perspective. Last week I ran into a brick wall trying to accomplish something which I really wanted.

At first I was really disappointed about things not working out the way I wanted, but one day later I remembered the following:

Brick walls are there for a reason. The brick walls are not there to keep us out. The brick walls are there to show how badly we want something. Because the brick walls are there to stop the people who don’t want something badly enough. They are there to keep out the other people.
– Randy Pausch ( 1960-2008 )

When I was considering this, I also remembered a remark by Zedd from the Sword of Truth Series: Don’t think about the problem, think about the solution.

So much for these small pieces of advice; although one is from a fictional character, if anything, they helped lift my spirit to a considerably higher level. Actually thinking about the solution is a lot more creative than wallowing in despair.

Blogging with OneNote

All of a sudden there is a small note inside the ‘right-click’-menu that says “Blog This”. Now, that sounds interesting. It may be the feature that I’ve been looking for some while. Currently I’m using the Microsoft Live Writer to create new postings to the blog, but if I can keep the number of dependencies down to get a working laptop, I’m all for it.

So, does it work, is the general question?

First we think of a new subject for a blogpost. In this case, it concerns creating blogposts. Of course, this is quite a stupid subject and a bit of a meta-blog in itself. But then again, sometimes you have to get stuff like that written out. It even gets worse. When you tell OneNote to ‘Blog this’ it copies everything into MS Word. How about an unexpected result. But, how to get to the rest? The ribbon tells there’s a ‘Publish’ button.

When you press it, it offers to enter the essential information for blogging, and then you’re off. And, surprise, surprise, it actually seems to work. Well, sort of. All the stuff you ordinarily expect, like adding tags, setting the categories, is not quite where you expect them. Actually, I haven’t been able to find them at all.

Further, the text becomes riddled with html tags, which makes the layout quite different from your average blogpost. That’s really not what you would expect from a blogging client.

Concluding, there is a very slim chance that Microsoft Word will become a very well received blog-writing-client. It’s quite dysfunctional in this respect. But, if all you have is the ‘trusted’ MS Word, it’s better than nothing.

Windows 7, continued

Well, so far I’ve been quite happy with Windows 7. It doesn’t crash on me, it’s just there. Even hibernation works like it should (which it never, ever did with any Linux version).

But, on the other hand, I’ve been forced (…) to do a complete reinstall because I could not upgrade Visual Studio Professional to SP1. Because it had a conflict somewhere in the Web devel with Office Home & Student. Because of that it totally abandoned upgrading to SP1.

Ok, then just uninstall office, do SP1, and reinstall Office and do Office SP2.

Nope. It would not, because it could not uninstall because of some half-successful, but not quite, install of SP1.

Ok, I’ll uninstall VS, and then upgrade Office to SP2. Oh wait, it could not uninstall VS, because of some half installed web devel thingy which could not complete.

That sucked.

But, I would not abandon my conversion from Linux to Windows in a mere week and a half. Usually it takes about two months before I get really fed up with everything and throw the towel in the ring.

No, I did a total reinstall of Windows 7, with Office (professional trial), VS Professional, OneNote (which, for some reason that totally eludes me, is included in Home & Student, but not in Professional. I guess OneNote is not professional enough to use), Kaspersky Internet Security (thanx for giving a voucher for a year free Kaspersky, great for tests like this) and TortoiseHG.

It took less than four hours, which is quite good. It didn’t take as many reboots as it used to. About four, if I remember correctly. Which is very nice. In the four hours I also BitLocked the 100GB drive in my laptop, so all in all, that wasn’t that bad an experience and I could get to work on it after four hours. An Ubuntu install takes less time, but before I can actually go to work, it takes about the same amount of time (getting window managers set up, install all the freaking packages I forgot, etc.). Hmm, that’s not very fair of me, because the Windows machine is not quite ready yet. I don’t have emacs. It always takes a while to get emacs working properly on any platform. But that’s for another day.

At the end of this day, I’m still a happy camper, while writing this post in Windows Live Writer. That is, if I’m successful at actually posting this.

In the mean time my verdict so far:

  • coolness: 7/10 (it looks ok, but aero gets old really fast)
  • crashes: 10/10 (none, so far)
  • reinstall: 1/10 (if I have to reinstall to get a setup working again, that’s bad. Really bad).
  • wonkyness: 7/10 (Win7 doesn’t really get in your face, which is good, but the jury’s still out on the actually liking of the Libraries. That feels, well, we’re still out on that one)

Maker’s schedule

I’ve read a very interesting article by Paul Graham about two different ways of scheduling: a manager’s schedule, which divides the day into hours, and a maker’s schedule, which breaks the day into ‘half days’. Having an appointment somewhere halfway through your ‘half day’ totally breaks your productivity. Having too many of these appointments is a 100% chance to ruin your entire week. That’s why a lot of people are starting to like to work between Christmas and New Year’s Day, for instance. Almost nobody is there to interrupt whatever you’re doing.

I know the feeling all too well and so far, haven’t seen it worded like this. Now, if I only can get my boss to understand this.

Getting things not quite done

Cleaning the mess on my desk has made me more aware, again, how much stuff one can accumulate in such a short time. Getting things done is quite difficult when you have the stuff on your desk. On the other hand, if you don’t have a proper inbox, that’s what you opted for. Hmm. Increasingly I find that the method I’m currently using is not really working out for me. One of the problems is too many inboxes, a fatal accident waiting to happen to the followers of the True Way. So far that accident is waiting to happen because I have a rather diverse work environment. There’s the computer at work, the laptop, the home computer, meetings, babysitting in the park, in the train or when visiting friends and relatives. Well, not that diverse, but diverse enough to end up with more than one inbox. One on the work computer, one on the home computer and one in a paper notebook I keep around. I like the paper notebook, because I have readable handwriting, you can scribble, and it has nice in-the-bright-sunlight-in-the-park properties and friends and relatives don’t really mind when you scribble something in your paper notebook thingy. Start using a laptop on that occasion and people are seriously upgrading your geek status. It would appear I’m not alone in this.

But paper notebooks have one main setback, you keep repeating yourself. Entering stuff from email into the paper notebook doesn’t feel like you’re accomplishing something. When you have two pages of to-dos and notes it looks quite neat. Start doing things and crossing things off (Feel good moment) it starts to look rather messy. So, after a while, you rewrite your list to get a good overview. But hey, I’m not in this world to rewrite my to-do list for the umpteenth time.

I thought about getting a nice iPhone 3GS, but that sort of appeals to my geekness more than to my I want to get stuff done-ness. Other than that, I have a hard time believing that it has the nice properties a paper notebook has.

Maybe the future will bring something like a Kindle which you can write onto and then organize it. Maybe I should get a scanner, that would at least save the rewriting. That’s two maybes that may rank a bit too high on the ‘wishful thinking scale’.

For the time being I see no other option than to muddle forward in this way.