<?xml version="1.0" encoding="iso-8859-1"?>
<?xml-stylesheet type="text/xsl" href="./include/xsl/rss.xsl" ?>
<rss version="2.0">
<channel>
<title>Thoughts of Bryan Geraghty</title>
<link>http://binrock.net/ghost/thought.php</link>
<description>Personal indulgence</description>
<language>en-us</language>
<copyright>Copyright (c) 2002-2005 Bryan Geraghty. All Rights Reserved.</copyright>
<lastBuildDate>2009-01-09 05:54:07</lastBuildDate>
<ttl>60</ttl>
	<item>
		<title>I knew this was coming...</title>
		<link>http://binrock.net/ghost/response.php?fk_Thought_ID=52</link>
		<guid isPermaLink="true">http://binrock.net/ghost/response.php?Thought_ID=52</guid>
		<description>&lt;a href=&quot;http://news.com.com/8301-10784_3-6144833-7.html&quot;&gt;Security researchers to target Apple in January&lt;/a&gt;<br/><br/>While I don't agree with exposing end-users to unnecessary risk, Apple has just been begging for it.</description>
		<pubDate>Jan 05, 2007</pubDate>
	</item>
	<item>
		<title>Firefox and Mac OS Security</title>
		<link>http://binrock.net/ghost/response.php?fk_Thought_ID=51</link>
		<guid isPermaLink="true">http://binrock.net/ghost/response.php?Thought_ID=51</guid>
		<description>This is a followup to the &lt;a href=&quot;http://ghost.binrock.net/response.php?fk_Thought_ID=50&quot;&gt;letter&lt;/a&gt; that I sent to the &lt;a href=&quot;https://isc.sans.org/&quot;&gt;Internet Storm Center&lt;/a&gt;.<br/><br/>For the past year or so we've all been hearing how Mozilla's Firefox is &quot;more secure&quot; than Microsoft's Internet Explorer and how Mac OS X is &quot;more secure&quot; than Microsoft Windows. The worst part of it all is that I personally know people who believe that these ideas are true!<br/><br/>I'm not going to get involved in the argument over which is a better choice. But to choose one over the other based on higher security is not wise. As I stated in my letter, the main benefit you will get is less exposure to the &quot;bad guys&quot;, which is merely an extension of the principle of &quot;security through obscurity&quot;. It has proven to provide minimal security if any at all.<br/><br/>The real problem here is that there is a false sense of security that is spreading. This is more dangerous than no security at all because users *feel* safe and let their guard down. I'm not going to go into the details of programming and explain why it would be nearly impossible to create completely secure software. I just think that the idea of security should not be used as a marketing ploy.<br/><br/>I'm no fool and I know that I'm not the first person to notice this problem but I think that we need to be doing more to curb it. Maybe if enough people rant about it, it will become common knowledge. This is about educating our users.<br/><br/>Most of us have seen the &lt;a href=&quot;http://www.veoh.com/videoDetails.html?v=e94526zMtd8BGM&quot;&gt;Mac Commercials&lt;/a&gt; and I'll admit that they're mildly amusing. I won't say that what they claim is untrue because they are very cleverly worded. But the fact is that most people who see those commercials won't be able to recognize the technicalities. 
I only say this because, as aforementioned, I have a couple of friends who have adamantly stated, &quot;I've never gotten a virus and Macs are faster!&quot;. Anyone who is trained in basic security and computer architecture will recognize that these users are *not* well trained. But knowing that people truly believe these fallacies means that we, as an industry, should be doing something about it.<br/><br/>Perhaps there should be stricter standards that advertising should follow. I understand that the commercials may not be technically saying anything false but it is a problem when a false idea is propagated, especially in regards to security.</description>
		<pubDate>Oct 03, 2006</pubDate>
	</item>
	<item>
		<title>My letter to isc.sans.org</title>
		<link>http://binrock.net/ghost/response.php?fk_Thought_ID=50</link>
		<guid isPermaLink="true">http://binrock.net/ghost/response.php?Thought_ID=50</guid>
		<description>One of my daily tasks at work is monitoring the &lt;a href=&quot;https://isc.sans.org/&quot;&gt;Internet Storm Center&lt;/a&gt; for alerts. While reading &lt;a href=&quot;https://isc.sans.org/diary.html?storyid=1756&quot;&gt;today's post&lt;/a&gt; regarding a possible Firefox security flaw, I was inspired to write in with my feelings on the matter:<br/><br/>While reading this post and coming across the section on how Mac and Firefox users react to security vulnerabilities, I finally snapped. Don't get me wrong, I'm a Firefox user myself. But choosing to use it because it provides higher security is just plain wrong. Everyone in the security industry knows (or should know) that part of the equation in a vulnerability is exposure. It's more than likely that the main reason Firefox and Mac users have not seen more serious vulnerabilities is the sheer number of Microsoft users compared to them. It's a simple matter of logic from the threat developers' point of view. They want to develop something that will give them maximum impact. Right now, that target is Microsoft. Producing fault-tolerant code plays an essential part in good security but even the best programmers make mistakes. I've been programming professionally for 7+ years and I still make plenty of mistakes (shh, don't tell anyone).<br/><br/>My point in writing this is to say that we need to do something to resolve this false sense of security as it's more dangerous than no security at all. I think anyone connected to a network should have a healthy level of paranoia. It'll keep the money in your bank where it belongs!</description>
		<pubDate>Oct 03, 2006</pubDate>
	</item>
	<item>
		<title>First impression of Windows XP64</title>
		<link>http://binrock.net/ghost/response.php?fk_Thought_ID=48</link>
		<guid isPermaLink="true">http://binrock.net/ghost/response.php?Thought_ID=48</guid>
		<description>My main daily tasks at work have me dealing with large SQL Server databases and each day seems to bring me larger datasets to fish through. As such, I decided it was time to step into the dual 64 bit Xeon world.<br/><br/>The verdict: Unless you're ready to upgrade all of your software to the newest and greatest versions, don't bother yet.<br/><br/>My latest desktop at work is a Dell Precision 490 with 2 64 bit 3.2 GHz Dual Core processors, 2 GB of RAM, etc. I knew off the bat that with only 2 GB of RAM I wouldn't be utilizing the main benefit of 64 bit processors (native support of &gt; 4GB of RAM) but I figured I could get used to how 64 bit operating systems handle things. Boy was I in for some trouble.<br/><br/>At first everything was great. With Windows XP Pro 64, Office 2003, and Roxio preloaded I didn't have much to really test out the dual processors. I knew that MSSQL Server 2000 doesn't have 64 bit support and I didn't want to install the developer test copy of 2005 because I use the 2000 tools all day long and I presume, knowing Microsoft, that they can't reside peacefully on the same machine.<br/><br/>So, I installed Photoshop CS. (No, I haven't shelled out the $150+ for the upgrade to CS2) After installing, the first thing that pops up is, &quot;Could not load multi-processor support because it does not work with this version of Photoshop&quot;. Great. Not only will I see no benefit of the 64 bit memory space, I can't even enjoy the multi-processor goodness! This was the first moment that I seriously considered reverting back to 32 Bit Windows. But what a waste of 64 bit architecture that would be. All this aside, Photoshop runs great.<br/><br/>Along with the new architecture, I ordered a keyboard with a smart card reader built into it. I'm testing for my CISSP certification soon and I figured it wouldn't hurt to have some first-hand knowledge of how they work. 
The software installed fine but lo and behold, when I log into Windows, the software doesn't prompt for my card. I spent a couple of hours trying to find a fix and gave up - I have more important things to focus on at work. Strike two!<br/><br/>The last annoying thing that plagues this installation is that none of my right-click context modifications seem to work. GRR!!! &quot;Edit with Vim&quot; and Ultimate Zip's &quot;Compress&quot; are two functions that I use all the time.<br/><br/>The good news is that everything else seems to work fine. I even installed RSA's SecurID server on this machine and it's working without a hitch. Occasionally, I'll forget and have to re-download a program in 64 bit form but that's just something you have to get used to.<br/><br/>All-in-all, things work pretty well. It's no worse than the incompatibilities that arose for people switching from Windows 98 to NT 5.x. For practical purposes, I wouldn't suggest this move quite yet. I say wait until 64 bit support becomes a standard and all of the kinks have been worked out.</description>
		<pubDate>Aug 31, 2006</pubDate>
	</item>
	<item>
		<title>MySQL 5 Scripting Limitations</title>
		<link>http://binrock.net/ghost/response.php?fk_Thought_ID=46</link>
		<guid isPermaLink="true">http://binrock.net/ghost/response.php?Thought_ID=46</guid>
		<description>The other day, I had an email exchange with a good friend of mine about MySQL 5 scripting that stemmed into a discussion about the use of logic in databases. As a database admin, I feel that I have the experience to back up some of my views on the subject and that this is a good topic that newcomers to the database world may find useful.<br/><br/>MySQL 4 and below did not support scripting at all. There was no support for stored procedures, triggers, functions, or views. The press for MySQL 5 has been claiming that all of these things would be added to the engine for quite some time. To be honest, the lack of this functionality was my biggest issue with the engine. So I was pretty excited about the release of the new version. I'm a big supporter of the open-source community because I believe that it will produce genuinely superior products. The fact that everyone is welcome to inspect the code and suggest changes (if not even contribute some code) makes for the best QA department out there. So I've been hoping that this release would come up to par with products like Microsoft SQL Server and Oracle.<br/><br/>When I did the November upgrade for this site, I decided to build an upgrade facility into the code. When the code is uploaded to the server, it validates the backend. If the backend version does not match what the code expects, it gives you the option of automatically upgrading rather than giving you a bunch of errors or choking.<br/><br/>When I was working on the procedure, I ran into an issue and asked my friend if he had done any conditional scripting in MySQL:<br/><br/>IF a &lt; b THEN<br/>  EXECUTE SOME CODE<br/>END IF;<br/><br/>In his reply, he said that he hadn't. He also said he believes that logic should be kept separate from the database structure. 
This is where I gave him a few scenarios where he agreed that it would be useful:<br/><br/> - In a database upgrade, you may want to check for some pre-existing conditions<br/> - If you have an audit table, you can set up a trigger to handle tracking of the old data. That way, if you have multiple front-end interfaces, you only have to maintain the code in one place<br/><br/>The problem I ran into is that MySQL will only process conditional statements if the code is within a stored procedure or function. You can't simply put the code above into a text file and tell the MySQL client to execute it. My solution was simple. Create a procedure with the code in it, execute the procedure, and then delete the procedure when it completes. It all worked great until I moved it to our production environment.<br/><br/>The production server is set up in binary logging mode for replication. MySQL replication is a really simple process where each command is put into a log and executed on the slave server. The main problem here is that the slave execution is run by the database admin account rather than the user who originally issued it. This is why MySQL has built-in protection for this exact situation. The only way around it is to grant super-user privileges to the account that needs to create a stored procedure. You see my issue? I don't feel comfortable with a program running on the server (whether I wrote it or not) that has super-user privileges on the master and slave databases. You never know when it may be hijacked. When that happens, you want it to be as restricted as possible.<br/><br/>Back to square one. My frontend program does all of the error-checking in advance before running the upgrade script. Overall, I'm impressed with the progress that the MySQL project has made but this is an issue that needs to be resolved if they truly ever intend to compete with the bigger, industry standard engines.
<br/><br/>If anyone has found a solution to this issue, please drop me a line and I'll revise.</description>
		<pubDate>Nov 14, 2005</pubDate>
	</item>
	<item>
		<title>It helps to read the full text</title>
		<link>http://binrock.net/ghost/response.php?fk_Thought_ID=45</link>
		<guid isPermaLink="true">http://binrock.net/ghost/response.php?Thought_ID=45</guid>
		<description>For the past year or so, I have turned into a standards fiend. When I implement anything into a site that I'm working on, I make sure that it would comply with most of the popular &lt;acronym title=&quot;World Wide Web Consortium&quot;&gt;W3C&lt;/acronym&gt; standards. If I can't come up with an implementation that will be standards-compliant, I discard the idea.<br/><br/>A few weeks ago, I had a post on this site that challenged the developers of Firefox. (A popular web browser) The Firefox development team pride themselves on the fact that their software is standards-compliant and I thought I had found an instance where it was not. The post had to do with the handling of floating &lt;acronym title=&quot;Cascading Style Sheets&quot;&gt;CSS&lt;/acronym&gt; elements. When I discovered that I was wrong, I deleted the post. In hindsight, I wish I had kept it.<br/><br/>After a few days of aggravation, I was determined to come up with an implementation that would do what I wanted it to. So I pulled up the &lt;a href=&quot;http://www.w3.org/TR/CSS21&quot;&gt;CSS 2.1 standards definition&lt;/a&gt; and started reading. The particular section I was focusing on was &lt;a href=&quot;http://www.w3.org/TR/CSS21/visuren.html#floats&quot;&gt;9.5 Floats&lt;/a&gt;. A few minutes of reading made me realize that I was wrong. Firefox was doing exactly what it was supposed to. In my original accusation I had merely looked at the picture and read the first few lines; what a moron I was.<br/><br/>Today, I was prepared to make another post about some of the problems in the &lt;a href=&quot;http://www.w3.org/TR/WCAG10&quot;&gt;WAI standards definition&lt;/a&gt; but decided to do my research and read the &lt;em&gt;whole&lt;/em&gt; document first.<br/><br/>My original complaint was that the standard required an &lt;q&gt;accesskey&lt;/q&gt; attribute for any form element. 
(The accesskey attribute is used to assign a shortcut to an element) I gathered this assumption by running a &lt;a href=&quot;http://www.contentquality.com/fulloptions.asp?rptmode=2&quot;&gt;WAI validator&lt;/a&gt; against my site and addressing the errors and warnings it gave me. Some of the sites I have developed contain &lt;em&gt;hundreds&lt;/em&gt; of input fields on one screen and there are only 26 letters in the alphabet! When I was reading the entire document, I came across the section regarding accesskey. It says:<br/><br/>&lt;cite&gt;<br/>Provide keyboard shortcuts to important links (including those in client-side image maps), form controls, and groups of form controls. For example, in HTML, specify shortcuts via the &lt;q&gt;accesskey&lt;/q&gt; attribute.<br/>&lt;/cite&gt;<br/><br/>Provide keyboard shortcuts to form &lt;em&gt;controls&lt;/em&gt;! It's not required on every form element. It all makes so much more sense.<br/><br/>The verdict: know what you're talking about before you go passing accusations that something is wrong or needs improvement. It's true, reading through an entire W3C document can be likened to shaving with a cheese grater but in the end, you'll know what you're talking about.<br/><br/>Peace. boo...</description>
		<pubDate>Nov 03, 2005</pubDate>
	</item>
	<item>
		<title>Entertainment for the Blind</title>
		<link>http://binrock.net/ghost/response.php?fk_Thought_ID=42</link>
		<guid isPermaLink="true">http://binrock.net/ghost/response.php?Thought_ID=42</guid>
		<description>I don't remember how I came across this article but it takes me back to my days as a pre-teen. Days of watching Hackers and Sneakers; fantasizing about the power they possessed.<br/><br/>The article, ‘Secrets of the Little Blue Box’ (&lt;a href=&quot;http://www.webcrunchers.com/crunch/esq-art.html&quot;&gt;Source&lt;/a&gt;), was written by a guy doing interviews of phone phreaks and explaining some of the methods of their trade. Reading about the construction of long-distance tone generators (a.k.a. Blue Boxes) reminded me of a collection of programs I used to have that would generate these tones. As a kid, I did little with them. I didn’t have the money or access to the equipment I would need to make them work, so I never investigated it much further. Eventually they were all deleted or wiped out by hard drive failures. <br/><br/>Today, a quick search on Google revealed… nothing! Apparently, blue box programs aren’t as prevalent as they used to be. I even visited some of my main sources of utilities to no avail. I did run into a site that laid out schematics and a parts list that you would need to build something similar. After contemplating for a while, it seemed archaic. You would use dip-switches to tell the device what tones to generate. If you’re trying to generate the tones for a phone switching system, you’d have to know those switches pretty well and be able to switch them pretty quickly. I figured that there would have to be a better way. <br/><br/>A few months ago I was looking for a good audio editor for a good price or even free. Through much installing, testing, and uninstalling of demos and freeware, I ended up with a few that I liked. One of them happens to be free, supports multiple tracks, &lt;strong&gt;and&lt;/strong&gt; it has a built-in tone generator. The name of this wonderful software is Audacity (&lt;a href=&quot;http://audacity.sourceforge.net/&quot;&gt;Audacity Website&lt;/a&gt;). 
On top of all of the features mentioned above, it also has the best screen layout I’ve ever seen in an audio editor. It has nice, big buttons, quick input selection, and input monitoring.<br/><br/>After a glance at a guide to the 2600-based phone system frequencies I ended up with the tones that you would use to control a long distance switching system. Awesome! Back to square one. I have tones but no way to get them to a pay phone. Then it dawned on me, ‘I do have a way’. I realized that I could record a sample of each of the 16 tones, put them on my portable MP3 player, and set up play-lists to send a series of commands. Setting up a miniature speaker that plugged into the headphone jack of the MP3 player to play into the phone receiver would be fairly simple (much easier than building an entire blue box). The thought occurred to me that the player may not have enough power to drive a speaker loud enough for the phone to recognize but that could be easily remedied by a portable headphone amp. You have the simplicity of the old tape recorder method with the flexibility and quality of a specialized electronic model.<br/><br/>The only problem with this whole scheme is that most phone companies don't use the 2600 system anymore. Maybe that's why you can't get blue boxes anymore; they don't work!<br/><br/>Hehe, oh well, it was fun reading anyway.</description>
		<pubDate>Mar 10, 2005</pubDate>
	</item>
</channel>
</rss>
