Wednesday, December 22, 2010

Fix Your Code

Something a little fun to add to your day.  Think of the melody to the American Christmas song “Jingle Bells” as you read the lyrics below.  Credit goes to a friend for the overall inspiration and partial lyrics of the chorus.  As an otherwise original adaptation, I do like the way it turned out.  Geek humor.  Enjoy.

“Fix Your Code”
Sung to the tune “Jingle Bells”

Scanning through the code
Using all the tools today
O'er the fields we go
Tracing flows all the way
Bad coding practice brings
Dashboard colors bright
What fun it is to laugh and sing
A scanning song tonight

Oh, fix your code, fix your code
Fix your code today
Oh what fun the assessors have
In the team doing SCA
Oh, fix your code, fix your code
Fix your code today
Oh, no WAF can ever provide
A one fix to open SIAs

Checking all the vulns
Finding needles in the hay
O'er the source we go
Rating findings 'long the way
Bad coding practice brings
Dashboard colors bright
What fun it is to laugh and sing
A scanning song tonight

Oh, fix your code, fix your code
Fix your code today
Oh what fun the assessors have
In an ethical hack today
Oh, fix your code, fix your code
Fix your code today
Oh, no WAF can ever provide
A guarantee for your SLA

Monday, December 13, 2010

Keep Your Eyes Open

Often after a Windows cleanup or conversion to Linux the question comes up - "Is my PC secure/safe now?"  What is usually meant is "Am I safe to surf the web now?"  There is a distinction.  The short answer is no.

A relatively short and excellent example of why, written in layman's terms, was posted by Jeremiah Grossman.   Note that (at the time of this writing) visiting this site will put a harmless link in your Google history by way of demonstration, if you're logged in.

No operating system (Linux, OS X, Windows), fully patched and loaded down with watchdog applications like antivirus, anti-spyware, ad blockers, firewalls, etc., will protect you from browser-based exploits.  No browser (Firefox, Safari, IE) or combination of plugins (NoScript, AdBlock) will make surfing totally secure either.  Content filtering and reputation-based services (OpenDNS, SiteAdvisor) don't close the door.  Browser-based exploits rely on vulnerabilities in the web sites you visit.

There are valid analogies between owning a computer and owning a car, such as both requiring maintenance.  The key is that where and how you drive can make a real difference in how safe you and your assets are.  Knowing which website to trust is very difficult, even for security professionals.  How do you make the selection - company size, market share, revenue?  Remember the exploit above - it was on Google - which ranks pretty high in each of those categories.

There is no easy single answer.  I've listed some suggestions previously for safe PC usage.  Secured operating systems, browsers and addons can help.  They just don't make things completely safe, so you can't close your eyes while driving (or while web surfing).

Saturday, December 11, 2010

A Big Savings

Everyone thinks their dog is the best in some way.  I recognize that when I say that we thought our Yorkie-Poodle mix was too.  Last October, after thirteen plus years of companionship, we had ample opportunity to reflect on that when she passed on.

We knew we'd get another one.  It was only a question of when.  There were a couple of months of contacting shelters, rescue operations and private breeders.  That odyssey itself is enough material for another post, particularly the rescue operations that required more paperwork to just talk to us than I've signed buying some cars.

The question was finally answered when my wife visited the Petland Arboretum location.  The frustration of the previous months and the irresistible nature of holding anything small, warm and furry won out.   A full AKC Yorkie, now named "Oscar" resides with us.

This many months later, while organizing some files, I ended up handling the receipt for Oscar.  These little dogs are in demand.  We learned that from the private breeders.  We really learned that at Petland.  Such is a free market economy.  Nobody forced us to buy him, but he was well over our original target amount.  What struck me fresh today was at the bottom of the receipt:

"You Have Saved:  $13.10".  Hmmm.  What exactly was the cost comparison here?  This wasn't a commodity purchase.  No mass market comparison shopping is possible on individual dogs that I know of.  Possibly on the "free" stuff that was thrown in as part of the package?  So what is the amount - an automatically added random number designed to induce customer loyalty?  If it wasn't for the seemingly random and inconsistent pricing on the dogs we've seen there since while buying supplies, it probably wouldn't have struck me this way.

Oscar is a good dog, although a bit of a rascal since he is still a puppy.  All in all I'd have liked to have paid less, but we did get what we paid for.  Most importantly, my wife loves the little dog, so I guess it was a big savings.

Friday, December 10, 2010

Eating My Own Dog Food

I've written about "needs based computing" before as part of the decision process in buy vs clean in the Cleaning an Infected PC post.  This last week I had an opportunity to eat my own dog food when the integrated video failed on our home desktop.

This desktop is over six years old.  The power supply failed first a few years ago, which I replaced.  Then the integrated NIC failed a year later, which I disabled and added a 3Com PCI card to restore.  Lately the power supply has been running warm and I'd started to think that the over 52K hours that this machine has been in service had taken its toll.  When the video failed I was sure of it.

So what were the family computing needs?  Had they changed?  Increased?  Not really.  Basic web surfing, document creation, money and photo management, podcasts and music.  Pretty pedestrian stuff that the old 3.0 GHz system handled well.  Given the chance, I'd like to swap the desktop for a laptop, but this isn't the time to spend the significant money it would require to get comparable laptop performance.

Therefore, I decided to find a used system compatible with the known good components from my current system.  While there was some risk of transferring age related problems to the next machine, the immediate value equation seemed balanced.

So I began checking Craigslist and the local computer shops for systems with comparable performance and compatible hardware to my current system.  The memory would be the biggest concern, and the detailed specs at MemoryStock really helped speed the identification process.  The third leg of the stool was ensuring that the new target system was hardware compatible with my OS of choice - Linux Mint.  The Linux HCL is the definitive single source, plus Googling never hurts.

In the end, I purchased a Dell mid tower system from a local computer shop (Best Tek Support) and added in the working parts from the old machine.  Besides offering a 30 day warranty, they were incredibly flexible in configuring and pricing the system with only what I needed in it.

There's probably a "never say never" lesson for me in here too.  I stated when I bought the last desktop new that I'd never build another custom system, piece by piece.  This came close, but I had a little fun with it too.  It has every kitchen-sink media component I own installed (3.5" floppy, 250MB Zip, 6-in-1 media reader, CD-RW/DVD-RW, IDE, SATA and more USB ports than I can count).

All in all a good value.  So far, we're enjoying it.  It meets our needs.