My Security Planet » Dominic White's .tHE pRODUCT

Dominic White's .tHE pRODUCT

Quality Vacation Club Bullies Blogger

Posted: November 18th, 2008, 2:48pm CST

Tags: Politics [edit]

Donn Edwards is being sued by QVC, the group who appear to be behind the less-than-honest "You've won a car" scheme I previously blogged about. Read his story, and press statement, and send in an affidavit, legal support or donations if you can.
SOA is a Concept, not a Goal

Posted: November 18th, 2008, 2:19pm CST

Tags: Geek [edit]

I like the idea of a Service Oriented Architecture; all of your applications reorganised as re-usable and generically consumable services ushering in a new capability to mash-up services across your organisation, aligned to business processes rather than application architectures. I just don't think it will happen.

If you build an architecture from the ground up, then possibly you can get a SOA going. Alternatively, if you have a fairly simple business, or one that relies on very few applications, you may get it going. For how long, I don't know. For the rest of the IT shops, I just don't believe it is something achievable. The systems have evolved, so that you end up with a mish-mash of mainframes, Oracle databases with heavy stored procedure reliance, homebrew applications built in some dead language, VB apps on top of SQL, Solaris scripts etc. Now, you could convert all of those to some form of standard (unlikely), or you could wrap them all in a pretty web service. Great, now what? The one guy who knows the dead language won't recode his app to use the new services. Nor will the vendor selling you the next technomasterpiece have made it flexible enough to consume your new webservices. Possible, someone may come up with a new homebrew app which uses your new SOA, but that's one out of many, and it likely won't consume all the services, so just wrapping necessary services in the first place is a better idea.

The concept is great though, and a strong IT architecture team who keep focussed and pushing for it over several years may be able to make some headway. This is very different from the 'implement SOA now' type consulting engagements (internal and external) promised. Additionally, as the pool of devs collectively forgets how to code in the old dead language, and starting building in web services by default, just because that's what they learned at school, some additional possibilities will be realised. However, this leaves me with the strong suspicion that SOA is a concept, not a goal.

I remember the promise of re-usable objects, and a great big store where we could all instantiate our standardised objects from. I remember Microsoft presenting on how this XML stuff would provide new ways of exchanging business data between companies. In a way, these things, happened, but they were incremental innovations that crept into the way we do things, rather than a rearchitecting. Even then, most of your legacy apps still don't do that sort of fancy stuff.

Alternatively, the above could be rephrased as; I'm tired of hearing about SOA, can we get a new architecture buzzword? (Not Virtualisation though)
iCommons is Dead, Long live The African Commons Project (TACP)

Posted: November 18th, 2008, 10:13am CST

Tags: Geek [edit]

iCommons as you know it is dead changed, and is being replaced with The African Commons Project. The whole team from iCommons has moved over to TACP, and unlike Theseus' Ship the name didn't move with it. The new website (if you can't follow hyperlinks) is http://africancommons.org/ and is already starting to fill up with interesting content.
Idle Poking leads to Spam and Pie on Face

Posted: November 14th, 2008, 6:45am CST

Tags: Security [edit]

In a moment of madness, I subscribed to an ad-for-money service. I don't know why, it was silly. After receiving several MMS adverts, I came to my senses and unsubscribed. However, the messages kept coming. What irritated me is that my MMS settings were broken and the MMS would keep being resent on a thrice daily basis starting at 'earlier in the morning than I usually wake up'. So, today, while in a paint-fume fuelled rage, I sent a mail to every abuse@ address of relevance, with the usual ECT act shpiel.In response, a fairly senior exec from the holding company phoned to apologise and personally sort out the problem. I was very impressed and happy that things would work out. A little while later, I received the following e-mail:

Hi Dominic,

As per our discussion earlier, we have complied with your request to opt you out of the [redacted] database. We investigated your case and the following report was generated by our technical team which has in turn revealed the nature of the problems you experienced, as mentioned we are very proactive with regards to SPAM complaints, and since we have never had a complaint of this nature before we were concerned that we had developed a bug in the system so to speak. As you will be able to see from the report below, we have identified the reasons for the problems, and as a result of the investigation it has in fact raised questions about your access to the system.

Report back: The subscriber tried a SQL inject on his record, this created an invalid user record field thus when trying to opt out the record updating failed because of this. Unfortunately the Opt out process could not be completed when then user record was supposed to be updated. Please refer to the user information below

[table details redacted to protect the innocent]

The "' or 1==1;--" in the firstname field is where the injection was used. This was done on 2008/08/21 04:48:31 PM

The nature of the SQL injection that was used was to try and gain access to alter information in the [redacted] database. With this in mind we could therefore from our own side open up a case against this contact. If he/she would have been successful in the attempt, the integrity of other Users could also have been in doubt. We have manually Opted the user out of the [redacted] Opt-In base and blacklisted the number for all [redacted] sites that we control.

I trust that this resolves your query, and confirms that we have opted you out of the service and any related [redacted] service. If you have any further queries please feel free to contact me directly.

Kind regards
[names redacted]

Pie-on-face.

I didn't know the string had cause any abnormal activity, and hence didn't mention it to them as I usually would when I find these things. I replied with a thanks, an apology, and a warning that they should get a security person to address their SQLi flaws before one of the automated SQLi's does it for them.

The more interesting question though is, have I really done anything wrong? I potentially entered my name as ' or 1==1--, nothing more, nothing less. I also had a legitimate intent to use the service. An innocent n00b could have done the same or similar by chance, although the chances are much less likely, and I would think that they wouldn't be in trouble. It would seem intent and foreknowledge comes into it. I possibly knew what could happen, and I possibly did it on purpose, where as a n00b wouldn't. But, if intent comes into it, the full scope needs to come in too, my knowledge would have allowed me to use a benign string that wouldn't damage anything on their systems, and I always report these things when I find them. Hence, my intent was most likely to make the intertubes a safer place. Right, so if your intent was good but you still do something bad, then potentially you should be punished. However, in this case, did I do anything bad? The only person adversely affected was myself (and with a minor irritation at that), and the provider gets to patch a hole before it was seriously 'sploited (hopefully). Also, I am a member of ' or 1==1--, which should allow me to type my affiliations name without fear or prejudice. What do you think?

P.S. The discussions in this post are hypothetical and of theoretical interest, they do not constitute an admission of guilt or a claim to have performed any actions mentioned.

:)
SA Telecoms Edge Toward a Free Market

Posted: November 1st, 2008, 5:08am CDT

Tags: Geek [edit]

I don't think the free market has all the solutions, but in the case of SA's current telecoms landscape, I think it would provide some clear advantages. Our ridiculously inept communications minister's appeal against the original Altech judgement was rejected on all counts with costs. Nice work Altech, and thank goodness for an independant judiciary.
"You've won a car" Scam - Carlswald

Posted: October 1st, 2008, 9:15am CDT

Tags: Play [edit]
I got a phone call from Divine today telling me I was one of 15 lucky people who had made it to the final draw for a Cheverolet Spark. This is part of an ongoing scam (or network marketing) run by a company that keeps changing it's name. They are currently EcoWorld and were previously Prestige Business Solutions, which use the scam to try and get you to buy a time share at the Quality Vacation Club.
Divine told me that Anna, the "events coordinator" would be phoning me tomorrow morning to give me the address. Does anyone have ideas for what I should say? I'm thinking of accusing her outright and getting a response. Ideally someone with lawyering skillz could tell me what charge to lay and get a case number?

Several other's have blogged about it:
- Jo'blog - Scammed?
- Insights and Rants - Prestige Business Solutions QVC Scam Alert
- SundayWorld - It's a trap! No bakkie, no trip to Mecca
- Numerous complaints on HelloPeter at:
They pointed me to the Our Winners scam site, which is part of the Quality Vacation Club scam (qvc.co.za and. A quick WHOIS shows the following registration which matches the address I am supposed to go to to collect my prize:

registrant: Shackel Validations
registrantpostaladdress: 28 Guildford rd, Carswald Midrand

So, even though the company changes, the address doesn't. If you blog about it please include the address to track their activity across company name changes.

Their phone numbers (likely temporary) are:

Divine - 0878052380
Anna - 0763758026

They also own the domains:
- qv.co.za
- qvc.co.za
- qvcweb.co.za
The QV and QVC domains are registered by PCWizards, and the QV domain hosts iTwizards site. It could be that Sean Behr of PCWizards / iTWizards is part of the scam. Although, they should be chided for hosting these scammers for such a long time either way.

When they phoned, I quickly worked out it was a scam, but decided to go along with it. Two funny bits were when he asked that I come with my wife or partner for the photos. In response, I suggested that I was single but had a boyfriend. He them uncomfortably asked that I try and find a woman. We left it at him "getting back to me" about supplying a model for the photo instead.

The other bit which tipped me off it was a scam was when he asked me to pronounce my surname, given that I have a very pronounceable surname, I asked what he had written down. He then admitted he didn't have my surname, just my firstname, so I lied and gave him a false surname. In retrospect I should have said my surname was "Robert'); DROP TABLE Students;--".
German Gov says Google is the Devil; SRWare performs exorcism

Posted: September 24th, 2008, 1:35pm CDT

Tags: Security [edit]
My tin foil, now covered in joyous spittle, reflects the news that I'm not crazy (and neither is the EFF or Tom). In reaction, SRWare provides Iron, which according to downloadsquad had none of the privacy invading evil zombies the German Federal Office for Information Security warned us about (you'll notice the warning is similar to mine, take *that* persistent GoogleUpdate process). If you really need another browser and aren't happy with the one, use Iron instead of Chrome at least.
I have since installed Iron, and done some checking with the source. It appears SRWare has made the following changes (this is based on the Babel translation of the page in German, so is fuzzy):
- They are using 525.19 of Webkit rather than Chrome's current 525.13.
- The unique clientID has been removed.
- The TimeStamp for Chrome's install date has been removed.
- Each keypress from the Suggest feature is no longer sent to Google.
- Google-hosted alternative error messages have been disabled.
- RLZ encoding of information to Google, such as where Chrome was downloaded and other configuration options has been removed.
- The persistent GoogleUpdater services has been disabled (this isn't removed when you uninstall Chrome).
- Something about the homepage and URL tracking has been removed.
Hat tip to cocooncrash for the link.
The Large Hadron Collider - Explained

Posted: September 21st, 2008, 10:33pm CDT

Tags: Geek [edit]

Hitchcock got all fed up with nobody getting this XKCD, so he wrote a human readable breakdown of the LHC (Large Hadron Collider). It's a good read, and certainly upped my dinner table conversation skills.
Privacy Enhancing Techniques

Posted: September 15th, 2008, 2:30pm CDT

Tags: Security [edit]
Ritasha Jethva, our Privacy & Data Protection competency lead added some nice tips to a publicity piece that made it otherwise more useful than it would have been. I'm republishing them here along with some other stuff I've found of late.
You may already be a victim of identity theft if:
- Items have appeared on your bank or credit-card statements that you do not recognise.
- You've applied for medical or other benefits but are told that you are already claiming.
- You've received bills, invoices or receipts addressed to you for goods or services you never purchased.
- You've been refused a credit card or loan, despite having a good credit history.
- A mobile-phone contract has been set up in your name without your consent.
- You have received letters from lawyers or financial institutions for debts that aren't yours.
- Mail expected from key organisations the likes of your bank have not arrived, or even if you are not receiving any mail correspondence at all.
The following tips will help you protect your identity and prevent criminals from committing fraud in your name:
- Turn off extra features in any technology that you aren't using.
- Always think before you click or press a button; personal awareness is key.
- Don't throw away entire bills, receipts, credit-or debit-card slips, bank statements or even unwanted post in your name. If you do need to destroy unwanted documentation, do so using a shredder if possible.
- Keep your personal documents in a safe place, such as a lockable drawer or cabinet.
- Be vigilant around what you publish about yourself, especially on internet sites.
- If your passport, ID book or drivers licence has been lost or stolen contact the issuing organisation immediately.
- Keep your passwords safe and never record or store them in a manner which leaves them open to theft, such as in your purse or wallet.
- Check statements as soon as they arrive. If any unfamiliar transactions are listed, contact the company concerned immediately.
- Never divulge personal information via email or sms' no matter how trustworthy the request may appear to be
Then, to add some stuff I've picked up (mostly from a technical level) that has worked well:
- Give out as little information as you need to, just because they ask for your phone number on the form, doesn't mean you need to give it. Apply your intelligence to when this is appropriate, you will always need to give some people some information. Yusuf, for example has lots of fun signing into 'front-fence security' with ridiculous names that should trigger any half conscious security guards spidey sense, such as "Osama bin Laden" (he has yet to be called on it).
- You can easily pulp lots of bills by putting them in a bucket or sink with hot water and a solvent (ammonia-based cleaners work well). It is much easier than ripping up each bill into tiny bits.
- My new favourite temporary e-mail service is Guerilla Mail, especially since TemporaryInbox and Mailinator rarely have mail successfully delivered to them (likely blocked thanks to spammers). Also, keep your eyes on stuff like Jangl for a telephonic equivalent. US users can use inumbr now.
- AdBlock Plus has always been a great way to block adverts which usually try and invade your privacy in new and exciting ways, including delivering malware. However, I've recently discovered the element hiding helper extension to AdBlock, which makes quickly nuking ads placed in-line (e.g. FaceBook's ad sidebar) quick, easy and permanent.
- NoScript is pretty much standard for members of the security community, but I particularly love that I can block third party JavaScript (e.g. Google Analytics) and it's interrogations, and one click can enable it if necessary and temporarily if so wished.
- Cookie blockers are also useful. I prefer CookieSafe which operates much the same as NoScript.
- Read your e-mail in plaintext, tracking <img>'s are regularly used. It will also stop you from writing irritating and/or poorly structured mail.
Political Compass 2008

Posted: September 10th, 2008, 8:07am CDT

Tags: Politics [edit]

I was interested to see if my political leanings (as described by the Political Compass test) had shifted since having left University, gotten a job, started paying taxes, converted to Catholicism and having grown older.

It is interesting to note that my results are very similar to what they were in 2004, and less libertarian and economically right wing than they were in 2006 . Me and Nelson Mandela are still home boys though.

Economic Left/Right: -7.38
Social Libertarian/Authoritarian: -3.13

Update: Updating my score has lead to most of #clug and # on furion.org (IRC) updating theirs and informing Spinach (a KNAB). cocooncrash wrote an awesome little python script to chart these automagically, the results of which can be seen here. It seems most South Africans are in the bottom left quadrant, and not a single one of us above the authoritarian line; possibly an interesting insight into geekdom.

My previous scores were:

2006

Economic Left/Right: -6.75
Social Libertarian/Authoritarian: -3.64

2004

Economic Left/Right: -7.25
Social Libertarian/Authoritarian: -3.08

← BindShell.Net SecurityFocus News →

My Security Planet » Dominic White's .tHE pRODUCT

Feeds

Dominic White's .tHE pRODUCT

Posted: November 18th, 2008, 2:48pm CST

Tags: Politics [edit]

Posted: November 18th, 2008, 2:19pm CST

Tags: Geek [edit]

Posted: November 18th, 2008, 10:13am CST

Tags: Geek [edit]

Posted: November 14th, 2008, 6:45am CST

Tags: Security [edit]

Posted: November 1st, 2008, 5:08am CDT

Tags: Geek [edit]

Posted: October 1st, 2008, 9:15am CDT

Tags: Play [edit]

Posted: September 24th, 2008, 1:35pm CDT

Tags: Security [edit]

Posted: September 21st, 2008, 10:33pm CDT

Tags: Geek [edit]

Posted: September 15th, 2008, 2:30pm CDT

Tags: Security [edit]

Posted: September 10th, 2008, 8:07am CDT

Tags: Politics [edit]