Monday, February 29, 2016

Apple V FBI

I've been reading articles regarding the dispute between Apple and the FBI regarding the FBI trying to force Apple to create an operating system to undermine the security of Apple's devices so that the FBI can acquire evidence in cases.

I stand with Apple.  The reason that I stand with Apple is that the Constitution of the United States was made to protect businesses from this sort of government interference.  If the government has their way, and is allowed to force one company to create something, no matter how well-meaning their intentions are, it sets a precedent for them to use to require companies to create the same thing, or even other things.  This is a government overreach.  I'm in favor of a government that has just enough power, not too much and not too little.

This also affects Apple's market share.  The government directly influences whether or not a business succeeds or fails.  I know that I, personally, would take issue with using a device if I knew that it was extremely easy to be hacked.  One of the reasons that I chose my current device was directly because of its security.  I can't imagine that I'm the only one who feels this way.  What about other countries who use Apple for the very reason that it's secure?  Apple has to say goodbye to those contracts.

Aside from the political reasons, from what I understand, the devices used in the government right now for government communications are Blackberries.  I would think that they'd want the best encrypted devices, which, it isn't difficult to argue, are probably iOS devices.  So what if Apple makes an OS capable of taking that encryption down?  Then you have a device that is useless, considering its intended design is to be secure.  All of those government officials who use any Apple device are vulnerable to attack.  All it takes is for one person, whether inside Apple or out, to exfiltrate that OS.  Then government officials and private citizens alike are vulnerable.  I can see headlines of officials resigning because someone got information that they shouldn't have even been able to access.

Wednesday, February 24, 2016

Security Researcher Gets Accused of Being a Hacker

I read some articles yesterday that detailed a dispute between a company and a security researcher.  The company claims that the security researcher hacked into their database.  The security researcher claims to be a white hat hacker, i.e., a person who hacks for good.  I'm attaching links below that describe the dispute.  I do not claim that any sites are secure/insecure, so instead of clicking on links, I suggest that you use your favorite search engine and look for them.

http://www.zdnet.com/article/uknowkids-child-tracker-firm-in-row-with-security-researcher/
http://www.theregister.co.uk/2016/02/24/child_tracker_firm_uknowkids_admits_breach/
https://threatpost.com/uknowkids-goes-on-attack-after-database-of-1700-kids-found-insecure/116427/

I've seen blog postings in support of the security researcher.  I don't personally know the security researcher.  I don't know if he was specifically hired to do a pen test; I don't think so, considering the organization's response to him tampering with their database.  I don't know if the organization's allegations of him refusing to delete documents are true.  My opinions are based on the information that I have at hand, which isn't a lot.

I think that both parties are at fault.

The organization is at fault because they disclosed the name of the individual before having any real proof that he tampered with their database.  They used IP Addresses to "prove" who he is.  IP Addresses can be spoofed.  I understand needing to warn your customers of the breach, but there is a proper way to handle it.  I don't know law, but I think that this may potentially open them up to a libel case depending on the laws of their government, state, and local government.  The security researcher could potentially lose his job and prove the damage that they caused him if he is innocent.

The security researcher was at fault because he could've only gone so far as to prove a vulnerability.  He did not need to copy parts of their database.  I don't know much about law, but I do remember reading SANS articles stating that laws could apply in the case of retrieving information from companies that you pen-test, laws like HIPAA.  HIPAA law probably doesn't apply in this case, but it makes me wonder what laws could apply in this case as far as protecting information?  The security researcher, in the act of retrieving this information, may have made himself responsible for protecting the information depending on the laws of his government, state, or local government.

Depending on his reasoning for hacking into the database, he may have also put his job at risk.  The 2nd IP is presumably the IP Address of his employer.  He's potentially causing them legal issues because company resources were used in his discovery of the organization's vulnerability.

In my opinion, the security researcher isn't a white hat hacker as he claims.  He's a grey hat.  The one thing that is important in this case is permission, and from what I understand, he didn't have permission.  He will be lucky if a civil or criminal case doesn't come out of this.  He did break laws.

I understand that security researchers have it difficult.  Many of them want to help people, and they risk getting in trouble for it.  I appreciate their desire to make people more safe by disclosing vulnerabilities to companies, but there is a correct way to do it.

Tuesday, February 23, 2016

Easy Solution to Kids That Have Trouble Typing Addresses

I made a custom homepage for my kids using html and images that I had gathered from their favorite websites a while back.  My daughter was too young to know how to spell things, but she wanted to play games on websites any time I let her.  Unfortunately, she wanted to be independent as well, which meant that she wanted to type the websites herself.  She didn't know how to spell most of them.  So, to save my sanity, I made a folder and put images of her favorite websites in it.  Then I created a homepage with the images in it.  Each image was a hotspot to one of her favorite websites.  She had no trouble navigating to her favorite websites.  The only issue:  I have each page opening in a new tab, which means that I can have quite a bit of music going at once.  She can close pages, but chooses not to close the pages most of the time. 

You don't need to know a lot of HTML or CSS to create a custom homepage.  Simply typing the syntax below into a Notepad document and saving it as an HTML file works.  (Make sure to change the "Save as Type" drop-down list that usually has ".txt" to "All Files", then type in "desiredfilename.html" in the "File name" textbox.)  I suggest creating a folder in your Documents folder called "KidHomePage" and putting all of the files in there.  Save the HTML file as "KidHomePage.html".  In Notepad, type the example below.  Replace the purple part (the address in href) with your desired website address.  Replace the red part (the file name in src) with the file name under which you saved your desired logo.  Replace the green part (the text in alt) with the name of the website in case the logo doesn't load for some reason.  Your kids may not be able to read it, but it's good practice.  They might surprise you and know what is supposed to go there.  If you add the logos one after another, they will appear next to each other.  If you want them on separate lines, add a <br> tag at the end, after the "</a>" tag.

<html>
<body>
<!-- Each line is one clickable logo: href = website address, src = logo file, alt = website name -->
<a href="http://www.example.com" target="_blank"><img src="example_img.jpg" height="50" width="50" alt="Example Website"></a>
<a href="http://www.example.com2" target="_blank"><img src="example_img2.jpg" height="50" width="50" alt="Example Website2"></a>
</body>
</html>

If you want to change your homepage to point to this custom-made homepage, you'll have to configure your browser to do so.  In Edge, you click on the ... menu on the top right-hand side of the screen.  Then you select Settings from the drop-down menu.  Under "Open With", click the radio button next to "A specific page or pages".  Then you type in the path of your file in the "Enter a web address" text box, then press Enter.  To point your browser to files on your local computer in Windows, you have to prepend the path with file:///.  Most of the time the path is something like "file:///C:/Users/Username/Documents/KidHomePage/KidHomePage.html".  (It's wherever you saved it when you created the file.  Make certain that the file is in the same folder as the logos, or the logo images won't load.)
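
A small generator for the homepage described above, as an added example that is not part of the original post: it writes the same links from a list, refuses addresses that are not http or https, escapes the text it places in the page, and adds rel="noopener noreferrer" to each link.  The function names and the sample list are assumptions made for the illustration.

```python
import html
from urllib.parse import quote, urlsplit

# Constructed sample entries: (website address, logo file name, website name).
SITES = [
    ("http://www.example.com", "example_img.jpg", "Example Website"),
    ("http://www.example.com2", "example_img2.jpg", "Example Website2"),
]


def tile(url, logo, name, size=50):
    """Build one clickable logo; refuse anything that is not a web address."""
    if urlsplit(url).scheme not in ("http", "https"):
        raise ValueError(f"not an http(s) address: {url!r}")
    if "/" in logo or "\\" in logo:
        # Logos live in the same folder as the page, so a path is a mistake.
        raise ValueError(f"logo must be a bare file name: {logo!r}")
    href, src, alt = (html.escape(v, quote=True) for v in (url, logo, name))
    # rel="noopener noreferrer" keeps the opened site from reaching back into
    # the homepage tab through window.opener.
    return (f'<a href="{href}" target="_blank" rel="noopener noreferrer">'
            f'<img src="{src}" height="{size}" width="{size}" alt="{alt}"></a>')


def build_page(sites, one_per_line=False):
    """Return the whole homepage; one_per_line puts <br> between the logos."""
    sep = "<br>\n" if one_per_line else "\n"
    body = sep.join(tile(*site) for site in sites)
    return f"<html>\n<body>\n{body}\n</body>\n</html>\n"


def homepage_url(windows_path):
    """Turn a Windows path into the file:/// address the browser expects."""
    return "file:///" + quote(windows_path.replace("\\", "/"), safe="/:")


if __name__ == "__main__":
    print(build_page(SITES))
    print(homepage_url(r"C:\Users\Username\Documents\KidHomePage\KidHomePage.html"))
```
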

Wednesday, February 10, 2016

Linux Foundation Training

I'm finding myself seemingly short of time of late.  I'm now employed.  My job isn't extremely time-consuming, but I do have the family life and wanting to learn.  I have to find a balance in those activities.

I purchased a Linux Foundation Training Course a few months ago as kind of a Christmas present to myself.  They had Black Friday pricing on this particular course.  I had no idea that training could have Black Friday pricing.  I can see why now because some posters claim that the training and certification that I'm doing are considered "trivial".  It's a start though.  As part of the pricing they sent me a Linux Foundation Certified Systems Administrator penguin t-shirt.  I hope to earn that title.

The course has a prerequisite course.  Fortunately the prerequisite is free.  The only problem that I have with the prerequisite is that it is so easy.  I'm almost tempted to skip it, but I'm afraid to because as I've said before, learning the basics is important.  I know everything that I've seen in the course so far.  Hopefully there will be some interesting thing that I have not learned, yet.

I did have a bit of a hiccup getting the paid Linux Foundation course to work.  The customer service was decent.  They were having technical difficulties across the board the exact day that I decided to try the course.  They had it fixed overnight though.  So far, I'd recommend the training to anyone interested in learning about Linux.