Friday, March 12, 2010

Archive for the ‘Useless Shizz’ Category

Fun Friday Stuff

OK, so in the spirit of kicking back on the Friday, please to enjoy the picture of this self-proclaimed drone kicking up some rowdy festiveness on his banjolele.

Or, if you prefer something that makes you think instead, check out this video of pure awesomeness courtesy of Liz Safran’s Through the Looking Glass blog. The blog is worth a subscribe, by the way, if you don’t follow it already.

Blame the Victim? Blame Human Nature…

Emergent Chaos, because they’re awesome, posted this discussion the other day responding to Ars Technica calling most users idiots. In case you don’t feel like reading the background material on this, a bunch of scientists over at the Psychology department of North Carolina State tested the response behavior of a number of subjects when presented with “fake” dialog boxes such as might be presented by malware, trojans, or other unwanted software.

What they found was that users click on fake dialog boxes – no matter how outlandish they look or what warning signs that they include that the dialog box is dangerous (or suspicious). Now, from this evidence, Ars Technica concludes that the users in question are (in their words) “idiots”. Sigh. Emergent Chaos claims that it’s the developers who pop up useless dialogs that are the idiots. Hmmm… Closer to the truth maybe, but I think there’s a much different process going on here.

First of all, you can’t blame the users. You absolutely cannot. Not just because that would be “blaming the victim” (which is admittedly uncool), but also because they’d be hard-pressed to behave any other way than how the NC State folks found them to behave – in other words, they are just responding in a way that is consistent with human nature. It’s called “habituation” – in other words, the more dialog boxes that you show somebody, the more people just respond without analysis.

Which moves us to the developers. Do you blame developers for putting up dialog boxes? Well, I’m not sure about this one either. Developers usually learn pretty early on the principle of “when in doubt, ask the user.” All kinds of crazy shiz could happen in any snippet of code – how do we know what to do or how to try to recover? Throw up a dialog. So that’s already ingrained. But even if developers could write an app that didn’t put up any dialog boxes at all, don’t forget that Windows would still pop them up anyway without our knowledge or consent. In fact, that error box that the NC State guys used? NOT a developer-initiated dialog box – Windows puts it up “automagically” given a certain set of parameters. It’s the default behavior for a corrupted pointer: no intervention necessary on the part of the developer to make it happen. Somebody just trashed a pointer a mite early – it happens *all the time*, and it’s *crazy hard* to fix. Now, I’m not saying that developers don’t come up with all sorts of unnecessary dialog boxes (I see thousands of them every day), but I’d say a good 50 percent of error boxes are just Windows being Windows (or Macs being Macs, or Linux being Linux).

So, whose fault is it? Well… I’m not sure I know, but I’m not going to be first in line to point fingers… Maybe we can just agree that it’s a confluence of events and work on fixing the problem rather than assigning blame.

IRS security sucks on ice. Why are people surprised by this?

So, the IRS got audited and it turns out that their security sucks. I mean, it really sucks. The part about them having 2000 or so servers with security weaknesses is pretty much par for the course, but what really freaks me out are the additional 2000 or so (alright, 1811 – but close enough) unapproved internal web servers.

Wait. Unapproved? You mean like somebody just came in and dropped some arbitrary web server into the IRS infrastructure? Yep. Now, as you probably know, this happens in every organization. People set up software without permission, deploy apps under the radar, etc. They do all kinds of crazy shiz. But 1811 times? That’s more than I’ve ever seen – even at organizations that dwarf the IRS in size and that are run more or less like the wild west.

Now, this concerns me, don’t get me wrong. But are you really all that surprised?

Pete and Diana at the Western Wall.

How cool is that?

Atom Smasher does it again

Atom Smasher does it again. This time, it’s a do-it-yourself puzzle generator. Awesome, right?

Recreation

What’s cooler than X2: The Threat? Why, X3: Reunion of course! And what’s even cooler than that? Playing them both at the same time…

Coolness

What’s awesomer than Activision’s Vampire: Bloodlines RPG? Easy: Bloodlines with the Unofficial 2.2 Patch!

Live free or die, baby.

I saw today on the EmergentChaos del.icio.us feed that New Hampshire is resisting the national ID strategy. How much do I love living in New Hampshire?

Fun with Numbers and the Netcraft Toolbar

So, you know the site ranking value on the Netcraft toolbar? If you don’t – basically every page in the world has a rank according to NetCraft and that rank gets shown to you in the toolbar. I thought this was interesting – interesting enough to spend some time thinking about how accurate these numbers are or aren’t. I even did some research to find out – and, in the end, I came to the conclusion that they’re not very accurate.

Actually, random inaccuracy isn’t such a huge deal, but the Netcraft numbers are actually more “skewed” than “inaccurate.” In particular, it’s the methodology that skews the results. To see what I mean, consider the position of Netcraft in the pecking order (#7) – just a few entries above eBay. Don’t get me wrong, Netcraft’s statistics and the toolbar are cool and stuff, but more traffic than eBay? That’s suspicious, don’t you think? Unless you take into account that all the informational links on the toolbar go to Netcraft and the only population surveyed are those with the toolbar (Ah-Ha!) – in which case, it’s actually possible, since each click on a toolbar button (prominent on the browser window) counts as one “cha-ching” for the Netcraft site listing.

We can also tell that the Netcraft values are skewed in favor of Firefox usage patterns (different from IE usage patterns). This is because a statistically large portion of the population running the Netcraft toolbar is on Firefox – how can we tell that? The numbers tell us. Google is the top site for Netcraft (#1) and is the default homepage for Firefox; Alexa (the spyware people), who use a similar methodology for ranking sites but only run on IE, show Google at position 3. In Alexa (again, only IE) we would expect a high incidence of MSN, since it’s the default page for most incarnations of IE. It’s #2 on Alexa and #19 on Netcraft. What does that mean? Higher ratio of Firefox to IE…

VIA con Dios

Maybe you’ve heard about the VIA Strongbox challenge? Basically, VIA is offering a paltry sum to anybody who can break their product. So we’ve all heard that these contests are bogus, but what about this one? Let’s investigate to see if it is also rigged… So you know I’m not making this stuff up, I’m pulling the details from VIA’s own account of the proceedings:

In this particular challenge, VIA gave (initially) a time-limit of 1 hour for the “hacking” to take place. Since no details of the product and the architecture thereof were given to the challengers, breaking the product has to start with reverse engineering. As anybody who knows about reverse engineering knows, even setting up a debugger to start the analysis would take longer than an hour. As a result, VIA “graciously” extended the contest to last two days. I ask you: in the real world, will an attacker who has something to gain from attacking the product actually stop after two days and give up? Somehow, I doubt it.

Not to mention that the quality and quantity of the researchers was intentionally kept small. This was done in two ways: first, by having the contest only open to attendees of the Hack In The Box conference, the challengers were at a maximum a few thousand. Also, the minimal prize money (5k dollars) ensured that from the participants, only those with a desire to waste time would actually participate. So, at the end of the day, we have – what – 20 or so people trying to break it for two days? Guess what – that’s not gonna happen.

So the contest is rigged… who cares, right? After all, who listens to this stuff anyway? Apparently, the press does. A Google search for “VIA strongbox challenge” (no quotes) yields 13,900 hits. Press outlets like ComputerWorld are covering this thing like it’s legitimate news. In fact, ComputerWorld has no less than three stories on this particular event.

VIA made one hell of a coup – with absolutely no risk to themselves, they have gained a ton of media attention. Let’s just hope that security folks out there have the sense to shun VIA until/unless they stop the showmanship and start actually backing up their claims.
