
Category Archives: Software

Dear $VENDOR,

2012 is nigh upon us and with the new year, I am throwing down a challenge to each and every IT vendor out there. 2011 was a brutal year of incidents, breaches, outages and FUD and the last thing anyone needs is a repeat performance. Instead, please take this list back to the development teams, product managers, marketing department and sales team and do your best to be part of the solution this year, not another problem.

  • Do not ship any product with insecure protocols used for administrative/programmatic access even available in the configuration options

    Router/firewall vendors: remove telnet completely from the configuration options. All vendors: Only make your web interfaces & APIs available via TLS/SSL (even if that means shipping with default, self-signed certificates). Where you must leave a choice (e.g. legacy support), present the default configs with only secure options for new installations and slap enough warning dialogs to annoy organizations’ IT workers into Doing The Right Thing™.

  • Default to integrating with centralized identity & access management systems

    I understand the need for one “failsafe” account to get into the application prior to full integration, but you should be ashamed of yourself if you ship a product that uses local accounts & groups and has no robust means of integrating with SiteMinder, Active Directory, LDAP or other centralized systems. Every organization needs to be able to control all access as centrally as possible, and you are doing us all a disservice by not providing this functionality.

  • Have multi-factor support for administrative access

    Lack of control of admin-level access is one of top findings in audit reports. There are a multitude of multi-factor authentication systems out there, many at little-to-no-cost. Giving organizations the means to stave off hackers and auditors in one stroke will score you major points, especially at contract re-up time.

  • Provide robust & open reporting out-of-the-box

    You all claim to provide good reporting and you all lie. All of you. Capture every action and event and make it easy to get to that data, even if it means providing access to the back-end database (read-only, of course). The ability to tie reporting sources together is one key weapon in our arsenal as we try to defend our organizations from malicious individuals (both internal and external). Giving us the ability to slice & dice what is happening in your systems (using any tool we want) is a crucial component in this defensive strategy.

  • Don’t use “cyber” or “APT” in any of your literature this year

    I’ll give you a pass if more than 75% of your revenue comes from the U.S. government, as you have to sell your wares to them with those keywords in your proposals or you’ll never get in the door. But when selling to the rest of us, forget buzzwords and give us practical solutions to help in ailing areas such as signature-based anti-malware or managing a ton of boxes in a private cloud effectively. We don’t need FUD; we need to be fed a healthy diet of cost-effective, easy-to-manage, enterprise-capable wares.

  • Align your licensing structure to fit “the cloud”

    Many of us are having to become contract, legal and finance experts just to be able to figure out how to make your products cost-effective in public and private clouds. I guarantee you that no matter how inbred you may be within an organization, you will be easily supplanted by the first competitor who makes it easy to transition from your tool and has an easy way to manage licenses in modern dynamic computing environments.

Those are just a few points, but it will be difficult for most of you to tackle even one of them. However, if even one of you does manage to check even one item off that list, you stand to help make Christmas a little more merry and a little more bright this time next year*.

*Apocalypse notwithstanding.

Spent some time today updating the missing bits of the OS X version of the Dropbox cloner I uploaded last night. You can just grab the executable or grab the whole project from the github repository.

The app can now back up/restore the local config, clone Dropbox configs to a URL/file and also impersonate a captured Dropbox config.

Use it all at your own risk. As stated in the original post, all comments, bugs, additions, fixes etc. are welcome either here or at github.

One of my most popular blog posts — 24,000 reads — in the old, co-mingled site was a short snippet on how to strip HTML tags from a block of content in Objective-C. It’s been used by many-an-iOS developer (which was the original intent).

An intrepid reader & user (“Brian” – no other attribution available) found a memory leak that really rears its ugly head when parsing large content blocks. The updated code is below (with the original post text) and also in the comments on the old site. If Brian reads this, please post full attribution info in the comments or to @hrbrmstr so I can give you proper credit.

I needed to strip the tags from some HTML that was embedded in an XML feed so I could display a short summary from the full content in a UITableView. Rather than go through the effort of parsing HTML on the iPhone (as I already parsed the XML file) I built this simple method from some half-finished snippets I found. It has worked in all of the cases I have needed, but your mileage may vary. It is at least a working method (which cannot be said about most of the other examples). It works both in iOS (iPhone/iPad) and in plain-old OS X code, too.

- (NSString *) stripTags:(NSString *)str {

    // Autoreleased accumulator: nothing to release when the method returns
    NSMutableString *html = [NSMutableString stringWithCapacity:[str length]];

    NSScanner *scanner = [NSScanner scannerWithString:str];
    NSString *tempText = nil;

    while (![scanner isAtEnd]) {

        // Copy everything up to the next '<' into the output
        [scanner scanUpToString:@"<" intoString:&tempText];

        if (tempText != nil)
            [html appendString:tempText];

        // Skip the tag body up to the closing '>' ...
        [scanner scanUpToString:@">" intoString:NULL];

        // ... and step past the '>' itself
        if (![scanner isAtEnd])
            [scanner setScanLocation:[scanner scanLocation] + 1];

        tempText = nil;
    }

    return html;
}
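The scanning loop above ported to Python so its behaviour on awkward input can be checked offline. This is an added example, not code from the original post; the test strings are constructed, `summary_for_html` is a hypothetical helper, and NSScanner's charactersToBeSkipped setting is not modelled, so the port keeps every non-tag character verbatim.

```python
import html

def strip_tags(text: str) -> str:
    """Port of the NSScanner loop: copy text up to each '<', skip to the
    next '>' and step past it. As in the Objective-C method, text after an
    unterminated '<' is dropped and HTML entities are left untouched."""
    out = []
    i, n = 0, len(text)
    while i < n:
        lt = text.find("<", i)
        if lt == -1:                # no more tags: copy the rest
            out.append(text[i:])
            break
        out.append(text[i:lt])      # text before the tag
        gt = text.find(">", lt)
        if gt == -1:                # unterminated tag: scanner hits end of input
            break
        i = gt + 1                  # step past '>'
    return "".join(out)

def summary_for_html(text: str) -> str:
    """Stripping is not sanitizing: if the summary is ever rendered as HTML
    again (a web view rather than a UITableView cell), whatever survived the
    scan must still be escaped."""
    return html.escape(strip_tags(text), quote=True)

# Constructed inputs showing where the scanner approach is enough and where
# it is not (comments, '>' inside attributes, unterminated tags, entities).
CASES = {
    "<p>Hello <b>World</b></p>": "Hello World",
    "before <unterminated": "before ",                 # trailing text lost
    "a<!-- <b> -->c": "a -->c",                        # comments are not tags
    '<a title="x>y">link</a>': 'y">link',              # '>' inside an attribute
    "1 &lt; 2 &amp;&amp; 3": "1 &lt; 2 &amp;&amp; 3",  # entities stay encoded
}

if __name__ == "__main__":
    for src, expected in CASES.items():
        got = strip_tags(src)
        print(f"{src!r:30} -> {got!r} {'ok' if got == expected else 'MISMATCH'}")
```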

I’m putting together a computer & online safety presentation for an upcoming talk at a senior center in Portsmouth (NH) and came across Support Details in my information hunting trek. This site makes it dirt simple to get basic information from whomever you are providing remote support to (a task I’m sure many of us have to do on occasion). I suspect it could also be handy to a developer who wants to double-check client settings. If you’ve ever tried asking someone what their IP address is or even what browser they are using, you know how helpful it might be if you could find out simple information quickly and painlessly.

Support Details collects data on the following system/browser elements:

  • Operating System
  • Screen Resolution
  • Web Browser
  • Browser Size
  • IP Address
  • Color Depth
  • Javascript
  • Flash Version
  • Cookies
  • User Agent

Support Details | Tech Support Management

Both Windows and OS X provide internal utilities to do full screen sharing – and more – for remote assistance if you’re on that same platform. There are third-party services such as GoToAssist and Copilot that enable remote support across platforms. While Support Details does not even come close to either type of interaction, it does provide basic data to help you triage where to go next…and it’s free.

If you’re preparing to install Windows 7 or Windows Server 2008 R2 Service Pack 1, now would be a good time to give Microsoft’s Attack Surface Analyzer a spin. ASA takes a baseline snapshot of your system state and then lets you take another snapshot after any configuration change or product installation and displays the changes to a number of key elements of the Windows attack surface, including analysis of changed or newly added files, registry keys, services, ActiveX Controls, listening ports, access control lists and other parameters.

Ideally, you’d take your baseline after a fresh install of your workstation or server from known, good media/images and after your own base configuration changes.

This would also be a good thing to do when building your base VM images so you can then validate their state as you duplicate and modify VDIs.

The installation of a Service Pack is a pretty radical change to your environment. If you run ASA prior to the SP install you can see if there are any significant changes to your system’s security profile after the bundle of patches and hotfixes are put down. You could also use the SP1 event to baseline post-install, provided you’ve done as thorough of a malware & rootkit sweep as can be done (you still cannot truly trust the results).

It may take some discipline to run ASA regularly on your personal systems every time you update software or drivers. IT shops should have an easier time scripting ASA during system deployments as well as application code updates. In either scenario, this free tool from Microsoft should help make you a more informed user and also aid you in building and maintaining more secure systems.

See also: MSDN SDLC blog post on the new Attack Surface Analyzer
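The baseline-then-compare workflow ASA automates, scripted by hand for two of the elements it tracks (listening TCP ports from `netstat -ano` output and service start modes). This is an added example, not ASA itself or code from the original post; the netstat text and service tables are constructed sample data, and `NewAgentSvc` is a placeholder name.

```python
import re

# LISTENING lines of Windows `netstat -ano` output look like:
#   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def listening_ports(netstat_text: str) -> dict[str, int]:
    """Map local address:port -> owning PID for every listening TCP socket."""
    ports = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports[m.group(1)] = int(m.group(2))
    return ports

def snapshot(netstat_text: str, services: dict[str, str]) -> dict:
    """Flatten ports and services into one {element: value} snapshot."""
    snap = {f"tcp:{addr}": pid for addr, pid in listening_ports(netstat_text).items()}
    snap.update({f"svc:{name}": mode for name, mode in services.items()})
    return snap

def diff_surface(baseline: dict, after: dict) -> dict[str, dict]:
    """What appeared, disappeared or changed value between two snapshots."""
    added = {k: after[k] for k in after.keys() - baseline.keys()}
    removed = {k: baseline[k] for k in baseline.keys() - after.keys()}
    changed = {k: (baseline[k], after[k])
               for k in baseline.keys() & after.keys() if baseline[k] != after[k]}
    return {"added": added, "removed": removed, "changed": changed}

# Constructed sample data: a fresh-install baseline and a post-install state.
BASELINE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:49152         10.0.0.9:443           ESTABLISHED     2100
"""
AFTER_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3456
  TCP    [::]:8080              [::]:0                 LISTENING       3456
"""
BASELINE_SERVICES = {"RpcSs": "Auto", "TrustedInstaller": "Manual"}
AFTER_SERVICES = {"RpcSs": "Auto", "TrustedInstaller": "Auto", "NewAgentSvc": "Auto"}

def demo() -> dict:
    """Diff the constructed baseline against the constructed post-install state."""
    return diff_surface(snapshot(BASELINE_NETSTAT, BASELINE_SERVICES),
                        snapshot(AFTER_NETSTAT, AFTER_SERVICES))
```

On a real system the two text blocks would be the saved output of `netstat -ano` taken before and after the install, so the added ports and changed service start modes are exactly the lines to investigate.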

Security

  • VSR uses some high-ish profile attacks from 2010 to provide fodder for the VAR community :: Security Risk: Top Hacker Attacks of 2010. I include it as the examples they provide should make it easier for folks doing presentations where they need to show real-life attacks (without sifting through the individual entries at the various data breach web site databases). [Vertical Systems Reseller]

Windows

  • Windows 7/2008 SP1 looms large. OEMs, VLCs & MSDN/TechNet subscribers get it on February 16th and the rest of the masses can give it a go on February 22nd. It looks like it has a decidedly enterprise-y focus, but one can hope it continues Microsoft on the path to robust desktop & server experiences :: Announcing The Availability of Windows 7 and Windows Server R2 SP1 [Microsoft]
  • Autoruns – the ability to automatically perform tasks when certain devices are made available to Windows systems (e.g. USB sticks) – are a boon to malware writers. While Microsoft has somewhat mitigated the threat they pose in more modern versions of their operating systems, it can be tricky to make older systems safe. With the latest round of Patch Tuesday updates, they included a way to disable Autoruns in older systems. W00t! Microsoft Update Offers an Easier Way to Turn off Autoruns [PC World]
  • Succinct and informative article by Chris Sanders on how to determine if your system is being actively compromised. Chock full of screen shots and examples of what to look for. While not exactly aimed at the general Windows community, it does provide a solid introduction to core tools that technically-inclined users should make room for in their toolboxes :: http://www.windowsecurity.com/articles/Determining-You-Actively-Being-Compromised.html [WindowsSecurity.com]

Programming

  • Pageforest helps you ship complete web applications without having to write any server-side code. You can build your application using HTML[5], CSS & javascript and the Pageforest service provides application hosting, user authentication & data storage. You only use client-side javascript and are free to include jQuery, Prototype or any other frameworks that you need to include in your app. Hosting is currently free and the site includes a full IDE to help you get started coding :: A Pure JavaScript Web Application Platform [pageforest.com]

UPDATE [2011-02-05] Added VirtuaWin to the list thanks to a tip by @ken5m1th.

I’ve been setting up a relatively new 64-bit Windows 7 Ultimate machine and decided to see if the virtual desktops landscape had changed much in the recent past. It’s amazing that with all of the feature duplication between OS X, *nix (esp Ubuntu) and more modern Windows systems that the ability to create, manage and use more than one desktop is not yet a built-in feature that one can just enable.

Poking around, I saw a few contenders, including:

Given that this is a built-in (i.e. I don’t have to pay extra for it) feature on two of my other operating systems, I immediately excluded the ones I’d have to pay for, even though a couple of them looked pretty snazzy.

I started with Finestra since I’ve used it in the past (under its old name) and was greeted with numerous “shortcut key conflict” errors and some .NET soft app crashes when working with the taskbar icon. It did its job, but it also made Xshell completely lose its window when I quit the switcher.

I decided to give Microsoft’s offering a go next, as you’d think that they could use some of their seekrits to make for a very rich desktop switching experience. Unfortunately, it felt more like an app that I might have written (no polish, kinda clunky but functional). A big plus is that it did not require going through a slow install process. Download->run->try->quit. I wish more software for the Windows platform was like that.

The last one I tried and have stayed with is WindowsPager. I was immediately impressed that it had a 64-bit compiled version and also that it did not require an arduous installation process.

WindowsPager lets you move individual windows from one desktop to another with a right-click in the title bar and presents a spiffy and functional mini-desktop view in the taskbar:

There are also many more ways to move around and place objects on individual desktops (you can see all the features in WindowsPager’s documentation).

For the time being, I’m sticking with WindowsPager and am happy to have added functionality that really should have been there in the first place.

(Haven’t given VirtuaWin a go yet, but it looks like it might be a decent contender.)