My blog has moved!

Monday, February 28, 2005

T-Mobile Hack Used Known Hole

Wired reports that the method Nicolas Jacobsen used to gain access to T-Mobile accounts was through a known hole in their WebLogic server - for which BEA had a patch available.

This, however, didn't make Jacobsen a 'script kiddie': he ended up writing his own custom interface to their customer database.

Another good example of the need to keep those systems patched!

Firefox IDN update

Firefox has released version 1.0.1, which fixes the IDN spoofing issue, as well as about a dozen other security issues, and added some performance enhancements.

Right now it's a manual install, and sounds fairly tricky. You may want to stick with the fix I posted earlier for working around this problem until Firefox releases 1.0.1 via autoupdate - sometime around March 7th.

Saturday, February 26, 2005

Microsoft and Cisco aiming to bring more girls to IT

It caught my eye that there were two different articles about major IT companies aiming to bring girls into IT this week.

eSchool News reports on Cisco's efforts to make IT, and in particular their Tech Academy, more appealing to girls. One of the interesting points of the article is that research shows girls are more interested in learning about technology in the context of "broader social issues."

IT World Canada reports on Microsoft (Canada)'s participation in the Explore IT Conference, which aims at interesting 9th grade girls in IT. Lasha Dekker, vice-president of developer and platform evangelism for Microsoft Canada Co., was a keynote speaker and debunked myths such as the fear that their friends will think working in IT is a geeky thing to do, and that IT work is not very social.

It's great to hear that effort and progress is being made on this front. I've got a 6th grade daughter whose life ambition is to work at Pixar, and it would be great for her to not have a stigma attached to working in IT. As far as the geeky thing goes, though, I'm afraid she's out of luck - she just joined her school's D&D club and qualified for our regional spelling bee. The geekiness won't be going away anytime soon, and I suspect it just might be genetic.

P.S. - Steve Jobs, if you're reading this drop me a line - she might be a good candidate for grooming as replacement CEO in a couple of years!

Friday, February 25, 2005

Password Complexity

There must be something in the water cooler over at Information Week, because I think this week's Secret CIO column is right on the money, and I usually disagree with him, or skip the column because it's just whining about corporate politics.

He talks about the common sense that short password expiration times, combined with prohibiting re-use of a large number of previous passwords, just force people to write them down - with a net loss of security. It's perfect timing for me, as we're currently reviewing our own password policy, and this is perfect reinforcement for not making it too draconian.

Rational RFID reporting

Bob Evans from Information Week has the most sane reporting I've read to date on RFID. I'm not sure why most reporters feel the need to create a stir about this technology, but it's nice to hear a voice of reason.

'Easy bake' .ISOs to CD: Linux and Windows

A couple of posts ago, I talked about mounting .iso files as virtual CDs, but what if you want to burn that file to a CD in order to give it to a friend? (Only legal software like Linux distros, right?) I've been using two easy ways to do this for a while without having to load a mastering program like Nero.

Under Linux you can use a command similar to:
cdrecord -v speed=2 dev=0,6,0 -data file_name.iso

You can get the BUS, ID, AND LUN (the three numbers you must specify in the dev portion in the above code) with the command:
cdrecord -scanbus

Under Windows, I use a powertoy called ISORecorder by Alex Feinman that adds .iso burning (and creation) to the right-click contextual menu. There are two different versions on the site - make sure you're using the beta if you're running XP SP2! A great tool - thanks Alex!

Thursday, February 24, 2005

Sysinternals releases free rootkit detector

I've been a big fan of Sysinternals' freeware offerings for some time. They recently released a rootkit detector that they describe as: "RootkitRevealer is an advanced root kit detection utility. It runs on Windows NT4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender"

I definitely plan on using it to scan our master images before finalizing them - it's a great tool to add to your arsenal.

Wednesday, February 23, 2005

Paris Hilton Sidekick hack: breach, blunder or brilliant marketing?

There is a lot of discussion going on about the hacking of Paris Hilton's Sidekick. There seem to be four trains of thought:

  1. The bimbo gave out her password or used a weak one. Or was it socially engineered from her? At least, that's what T-mobile should be praying.

  2. This was part of Nicolas Jacobsen's original hack, just now coming out in the clear. Or perhaps it was the same person who hacked her blackberry last month?

  3. This is a new hack - the worst possible case for T-mobile.

  4. This is a publicity stunt or attempt at viral marketing - she is a spokesperson for T-mobile after all. And they are selling the Sidekick II for $100 off.....

What's your take? My guess is social engineering or an aftershock of a previous hack, but it will be interesting to see how it shakes down.

The final word is that it is an excellent warning that if you put your confidential data in the hands of a 3rd party, its safety is totally out of your hands.

Tuesday, February 22, 2005

Windows XP SP2 Registry Keys for Student PCs

Andrew White has posted another excellent article @ Novell Cool Solutions on registry hacks for administering student PCs. He calls them 'draconian', but I think they're very insightful.

Asterisk@Home follow-up

Just a quick update on Asterisk@Home.

1st - they have come out with two new versions since I've given it a go - I'm downloading v6 as we speak.

2nd - Install was no problem, I got it up and running with a very minimum of effort. I do not have any cards in my test machine, but it appears to be capable of detecting and installing most of them.

3rd - All management functions are available via the web - this can be a true "headless" box. I've uploaded pictures for:
the AMP (Asterisk management portal)
log view
built in web-editor for editing the .conf files

4th - I've been using X-Lite softphone software for testing - it works on Windows or OS X, and I've been very happy with it.

5th - Asterisk connections to FWD don't seem to work through NAT, so I'm either going to have to move this box to a public IP address or skip using FWD as a test connection.

Next steps: Actual SIP phones and getting the MultiVoip gateway talking to it.

Mounting .iso images: Windows, Linux & Netware

I've been playing with a lot of different software lately, and have started bemoaning how many times I've burnt a .iso file to a CD for one-time use. I was going to buy a couple of CD-RWs to be less wasteful, but then I wondered if it was possible to mount them as virtual cds. I came across some interesting ideas:

  1. Microsoft Virtual CD driver. Unsupported, undocumented. Worked like a charm for me. I'd love to see someone hack a powertoy around this to make right-click mounting of .isos easy.

  2. Daemon Tools also gives WinXP this ability, and is free for personal use.

  3. Nero (ver 5+) includes a utility called Nero DriveImage that will do this as well.

  4. Linux can mount .iso files natively:
    mount -t iso9660 -o loop /path/to/file.iso /mnt/virtualcd

  5. So can Netware (6.5SP2 or higher):
    NSS /MountImageVolume=volume_name:\path_to_iso_image

    To dismount the volume:
    NSS /RemoveImageVolume=volume_name:\path_to_iso_image
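Whether you burn an image with cdrecord (the earlier post) or loop-mount it as above, it is worth checking that the file really is an ISO 9660 image first, and mounting untrusted images with read-only, nodev, nosuid and noexec. This is an added example of mine, not from the original post; it assumes the mountpoint exists, that root is available for the real mount, and a hypothetical ISO_DRY_RUN=1 switch that prints the mount command instead of running it.

```shell
#!/bin/sh
# Added example: validate an ISO 9660 image before burning or loop-mounting it.
# Assumptions (mine): mountpoint exists, root for the real mount, and
# ISO_DRY_RUN=1 prints the mount command instead of executing it.

# ISO 9660 places its Primary Volume Descriptor at byte 32768: one type byte
# (0x01) followed by the five-byte identifier "CD001". Anything else is not
# an ISO 9660 image, however the file happens to be named.
is_iso9660() {
    f=$1
    # A file shorter than the descriptor cannot be a valid image.
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge 32774 ] || return 1
    magic=$(dd if="$f" bs=1 skip=32769 count=5 2>/dev/null | tr -d '\000')
    [ "$magic" = "CD001" ]
}

# Options a cautious admin wants on an image of unknown origin: loop device,
# read-only, and no device nodes, setuid binaries or executables honoured
# from inside the image.
iso_mount_opts() {
    printf '%s' "loop,ro,nodev,nosuid,noexec"
}

# Validate, then mount (or print the command when ISO_DRY_RUN=1).
mount_iso() {
    img=$1; dir=$2
    if ! is_iso9660 "$img"; then
        echo "refusing to mount $img: not an ISO 9660 image" >&2
        return 1
    fi
    if [ "${ISO_DRY_RUN:-0}" = "1" ]; then
        echo "mount -t iso9660 -o $(iso_mount_opts) $img $dir"
    else
        mount -t iso9660 -o "$(iso_mount_opts)" "$img" "$dir"
    fi
}

# Constructed sample inputs (not real distro images): a minimal file carrying
# the ISO 9660 signature at the right offset, and a same-sized file of zeros
# that must be rejected. Prints the directory that holds them.
make_samples() {
    tmp=${TMPDIR:-/tmp}/iso-demo.$$
    mkdir -p "$tmp"
    { head -c 32768 /dev/zero; printf '\001CD001'; } > "$tmp/good.iso"
    head -c 32774 /dev/zero > "$tmp/bogus.iso"
    echo "$tmp"
}

# Demo: show the decision for each sample without touching the real mount.
demo_dir=$(make_samples)
for f in "$demo_dir/good.iso" "$demo_dir/bogus.iso"; do
    ISO_DRY_RUN=1 mount_iso "$f" /mnt/virtualcd || true
done
rm -rf "$demo_dir"
```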

It's good stuff, and I hope you find it as useful as I did!

Monday, February 21, 2005

Why are cell carriers so afraid of data via bluetooth?

So, my 3rd Motorola T720 finally stopped charging, and I decided that even though this phone was free from Cingular, I needed something a little less flaky. I'd really like the ability to have my phone act as a data modem for my PDA (or replace my PDA) and laptop, letting me connect anywhere, anytime I need to digitally "thwack" a server into shape. I'm willing to pay the full $80/mo Cingular charges for this service, but don't want to use their PCMCIA card to do so, as my PDA won't take it, and my laptop usually has its single slot occupied.

A decent phone with bluetooth ought to fit the bill perfectly, right? No way! I've been through a couple of phones and NONE of them allow bluetooth data without some hacking. The BlackBerry 7290 comes with bluetooth, and even though the specs say it can act as a serial device, it's been totally disabled. Checking out the new Treo 650, I found that DUN (Dial Up Networking) via bluetooth AND the wifi driver have been disabled. Now, Shadowmite has ROMs & patches to overcome these weaknesses, but why are they necessary? If I'm willing to pay for the service, why deny me the opportunity of doing business with you? My (unlocked) Audiovox 5600 worked with bluetooth DUN no problem, but as it wasn't EDGE it was slower than dialup. I've got a Motorola V551 charging as I type, and I'm hoping to get it up and running, but have been told I may have to see if Cingular will "catch on" to the fact I'm using it as a data modem. I don't want to have to rely on workarounds and hacks to get this to work... If I'm going to be paying more than DSL/cable modem rates, I'd at least like the luxury of calling up tech support if it stops working (not that Cingular phone support has ever helped me out on the data end...)

When will tech companies wake up to the simple facts that:
1) When they try to cripple a technology, workarounds will appear - often before the product hits the market.
2) Not providing paying customers a service they are ready and willing to pay for is pure stupidity!
3) Forcing users to work around your arbitrary regulations and self-imposed limitations raises up a culture believing they are entitled to steal from you (MP3s anyone?)

I plan on writing a letter formally to Cingular asking them if they are able to supply combination phone/data equipment and service that meet my needs. I'm not hopeful, but we'll see what happens.

Sunday, February 20, 2005

Excellent Phone Tech Support Bulletin Board

I have searched a couple of times over the last few years for a discussion forum or other online help for supporting our Executone phone system. We've been doing self-support for about 3 years, and can handle most of the basics no problem. But when those weird/rare problems pop up, we're at the mercy of hourly support to handle them. A lot of these are easy fixes, if you've seen them before. At $100/hr, 2 hr minimum, and a $100 trip charge, it's at least $300 to have someone come out and do something stupid like scrape oxidation off the motherboard battery... So the online discussion forum from Sundance Communications is like finding a pot of gold. Thanks to them for being cool enough to bring these forums public and break the secret fellowship of phone service techs that seems to exist!

Saturday, February 19, 2005

Music - open source and/or free

My household has been rocking down to O-zone's "Dragostea Din Tei", and I've been thinking "I could have written this with one hand tied behind my back". No really, I could have - back in college I had a rockin' band with a lot of gear. But I really couldn't now, because ever since our first baby was born, the studio became a nursery and the gear was sold off due to lack of use or financial need. My keyboard is currently in the garage due to lack of space for it, and I haven't been very musical for a while. With this in mind, I was very excited about the two musical discoveries I ran across this week.

The first is the release of the 1.0 version of Rosegarden. Rosegarden is an open-source professional audio and MIDI sequencer, score editor, and general-purpose music composition and editing environment for Linux. It's been compared to Cubase in terms of features. The really cool thing is that Fervent Software has put Rosegarden together on a bootable CD, fully tweaked for music, called Studio to Go. Unfortunately it's £49.99 (just under $100 US) - so it's out of my league for hobbyist use, but for someone more serious about these tools, it's a great deal.

Now I don't have the time (or room) to set up a Linux box with Rosegarden at home, so I started browsing for other software to tinker with. Finale Notepad seems like it will fit the bill nicely. I've looked at it in the past, but with no support for guitar/bass tab, it didn't fit with what I've done in the past (back in college, I'd sneak into the music lab to get some time on the full version of Finale - which runs ~$600). The new version, Notepad 2005, adds tab, so it seems to fit the bill. It runs under OS X and Win XP, and runs fine on my PowerBook G4. It's much more basic than Rosegarden, but it's an easy way to tinker without needing to break the bank.

The Mac purist will probably recommend Garage Band by Apple. At $79 it's a decent buy, but I just missed it when I bought my Mac, and I've had a hard time ponying up for the updated iLife when I don't need any of the other components updated and just want to tinker.

Wednesday, February 16, 2005

honeypots & life expectancy

Honeynet has an interesting article online comparing the "life expectancy" of unpatched systems. Apparently, the mean time before compromise of Linux has gone from 3 days to 3 months, while Windows systems have gone from days to hours or even minutes before compromise. It's also interesting that they note the compromised systems were used for IRC bots and phishing scams.

'Easy' screen recording with VNC to SWF

VNC to SWF sounds like the open source equivalent of a rough version of RoboDemo.... It lets you record screen activity to a Shockwave file via VNC. I was unsuccessful in my attempts to get this running on my OS X box, but had some fun playing around with it in Debian. With the new addon to edit the generated swf file by splicing in mp3 sound or cutting/re-arranging scenes, it really does come close to the functionality of early RoboDemo releases - although with many more text command parameters and a lot less GUI. However, for the tech on a budget, free is always a nice price, and I can be willing to be a little kludgy at that price point!

Tuesday, February 15, 2005

Fix for Firefox IDN spoofing

I've stumbled across a fix for the IDN spoofing bug (it lets websites look like another site - i.e. a hacker site appears to be PayPal....) that uses Adblock, which I already use and am a big fan of.

I'd definitely recommend implementing this if you use Firefox.

Wednesday, February 09, 2005

Network storage made cheap and easy?

So I ran across the Linksys NSLU2 at ThinkGeek today. A perfectly simple device, it has an Ethernet port and 2 USB 2.0 ports. You can plug in USB drives (or a memory key) and make them available over the network. Tom's Hardware has a good review of it, where they mention it can also perform simple network backup functionality. While googling to see if it can talk to Windows only (it can talk to any SMB compatible client - users claimed no problems with OS X or Linux) I found that there is an open-source community building firmware for it (similar to other Linksys devices). The Unslung Linux-based firmware sounds amazing - I read about people running webservers, iTunes servers and much more on these humble boxes.

Tuesday, February 08, 2005

An interesting Cell to landline adapter

I've been shopping for a new phone, and one of my considerations (although low on the list) was getting one that would work with Cingular's Fast Forward Service. None of the phones I like work with the service, so I gave it up for dead. Until I ran across PhoneLabs' Dock 'n' Talk. Unlike Cingular's service, it doesn't save minutes by re-routing your calls, but it allows your cell phone to basically become an analog line to your phone service. Now, the cool thing about this is I mainly wanted to not have to 'mind' two different phones while at my desk.

Now I've seen devices like this before, but the cool thing about this one is it connects via cables or Bluetooth, so a whole heap of phones are compatible (over 400). The Bluetooth also means you don't need to replace cables or docks when switching phones. You can take incoming and make outgoing calls via it if desired. For a home user the free nights and weekends long distance could help defray the $140 cost quickly.

Sub $100 laptop for Education?

The BBC is reporting on the MIT Media Lab's attempt to produce a very inexpensive laptop, predominantly aimed at education in the 3rd world. It's being aimed at textbook replacement. They only envision selling it in very large lots (millions) to governments, so don't count on picking one up anytime soon.

Enterprise cell to landline adapter

After reading about PhoneLabs' Dock 'n' Talk in a Slashdot thread, I also came across Telular Corporation. They make enterprise versions of cell to landline converters that are designed to be integrated with a company's PBX. You could use their Least Cost Routing or other products to make calls to cell phones from your PBX using free cell-to-cell airtime. Another potential big savings in telephone costs.

Monday, February 07, 2005

Windows AMP on a USB

Interesting read - basically instructions on how to install Apache, MySQL and PHP on a thumb drive (USB memory key) so you can run it on different windows machines. It could come in very handy for testing or demos. I only wish they had a zip file of everything ready to go rather than making you download them all separately.

fwdOUT Phone Sharing Network

I stumbled across the new service from Jeff Pulver over the weekend. I'm not sure how I missed the Slashdot article on the story, but I'm glad I stumbled across it. The basic premise is that home Asterisk users 'donate' their outgoing dialtone to internet VoIP users in a Napster-style peer-to-peer way. You would get 10 call credits for every 1 call you allow to go out your lines. It could be interesting, but I could see it being a flop if, for example, I restricted my outbound calls to local only and not a lot of people wanted to call Cleveland - I could be stuck with not having the credits when I need them to call out. I do see the benefit for someone who uses Vonage or a similar VoIP service that has unlimited LD in the US.

There is also some concern about the legality of doing this. Aswath's weblog has an interesting article on it that's worth reading. I scanned my last local phone bill and didn't see anything in it stating that I couldn't share my line - but I wouldn't be surprised to see it added sometime in the near future.


Saturday, February 05, 2005

Mobile Personal Server

I just ran across startup Realm Systems' Mobile Personal Server. It's basically a cell phone sized server (400 MHz dual PowerPC processors, up to 64 MByte DRAM, up to 20 GByte hard disk space, up to one GByte Flash memory) that you plug into any USB equipped host computer (OS X, Windows or Linux) and it "hibernates" the host PC's operating system and takes over hardware components such as screen, graphics, keyboard and mouse.

It's definitely worth checking out - especially their 10 minute ad featuring John Lovitz and Gary Coleman.

Friday, February 04, 2005

eWeek review of Zultys MX250 Media Exchange

It took me a while to get to this one, but last week's eWeek has an interesting review of Zultys' MX250. I've been intrigued by their advertisements of inexpensive VoIP systems, and have read very positive reviews of their phones.

The downside seems to be very restrictive licensing. According to the article, the report detailing their licensing options is 25 pages long! Thanks, but no thanks - that type of micro-managed penny squeezing doesn't sit well with me.

The article also goes to show how the phones and per-phone license fees can really balloon the costs of an implementation. The Base MX250 is only $3,000 - and supports up to 250 users, but comes with no phones or licenses. After adding the phones and the licenses the total cost for 250 users is now over $44,000 - talk about sticker shock!


VoIP over VPN

This week's Network magazine is a veritable smorgasbord of VoIP info. This story is about the MCI and AT&T offerings for VoIP over private IP VPN services. An interesting read.

More VoIP Hype - "VoIP's Impossible Divide?"

Well, another article is out slamming VoIP - because our networks aren't "ready" for it. I started reading it expecting to find gems of hidden knowledge on VoIP implementation pitfalls, but instead found another naysayer who is holding VoIP to higher standards than POTS.

The main thrust of the story is that VoIP can't possibly be deployed yet, as the protocols used to provide data network redundancy take between 30 seconds (Spanning Tree) and 3 minutes (BGP) to converge. Now I don't know about you, but I don't have a heck of a lot of redundancy in my "traditional" telephony setup. All of my circuits run on cables out to the same pole and follow the same route to the telephone company CO. This situation leaves me one drunk-driver telephone pole crash away from some hefty downtime. I only recently retired some tie-lines between my facilities that had an uptime of about 80%. Furthermore, all of the analog cards on my current phone system only have one power supply to provide the essential 12V ring voltage for all 12 phones on that card. We've replaced five of them this year - and the screwdriver-requiring fix takes much longer than three minutes! VoIP has the potential to overcome all of these problems with better redundancy and failover.

It's time to stop listening to the naysayers and focus on the successes of VoIP rather than the shortcomings - we've been doing so with our 'old' phones for a long time.


Open source LMS - Moodle

Today I took a break from my Mambo and Asterisk work to attend a regional coordination meeting. Had some interesting discussions on a variety of topics - including one on Learning Management Systems (LMS). A variety of software was discussed, including Blackboard (which we currently use), Educator (used by Florida's virtual schools?), and Moodle. Moodle caught my interest, as it's open source and apparently fairly widely used. A fairly comprehensive list of LMSes is available here.

After a little poking around on their demo site, I'm very impressed with Moodle. There is a fairly extensive list of extensions and components, and it looks like it could be a decent blackboard.com replacement for me. That's good, as I hear our annual subscription for Blackboard will be increasing substantially.

Unfortunately, it doesn't look like anyone has successfully hooked Mambo and Moodle together with the same user base (or offered combined event calendars, etc.). Moodle supports LDAP auth, and now that there is a new LDAP hack for Mambo 4.5.1 it could be promising! I'll post any successes I have 'binding' the two together.

Thursday, February 03, 2005

Deploy VoIP With Care, Feds Warn

This week's Computerworld has an interesting article on VoIP security.

The article states: "NIST made nine recommendations for implementing VoIP in a secure manner. For example, the report calls for IT managers to build logically separate voice and data networks. Another recommendation is that "if practical," PC-based VoIP softphones shouldn't be used in deployments in which either security or data privacy is a priority."

Now, not to nitpick here, but are any of your "traditional" voice networks secure or hardened? How many locations have junction boxes on the outside of the building within easy reach? How is it easier to crack a WEP-encrypted cordless VoIP call than to pick up an unencrypted cordless phone? Our baby monitor used to pick up a couple of my neighbors' calls when we lived in apartments! Now that I think of it, all of my neighbors' phone lines ran through my basement in that same apartment.

I think it is excellent that someone's thinking about these issues. It's probably applicable for the FBI, but not for your average Joe reading Computerworld. I know my current phone system doesn't have nearly the security levels they talk about in the 99 page report. So let's keep it all in perspective, OK?

Wednesday, February 02, 2005

Live Asterisk CD

After browsing the list of Live Linux CDs this morning, I started wondering if there were live distros of Asterisk or sipX. After a little googling, I came up with the Asterisk Live! CD. It's put together by Andy Powell, the author of the original Getting Started With Asterisk guide.

So far, I've downloaded it and it boots in VMWare. For those of you who missed the root password like me, it's "EPPING". You can also view the README online.

I also plan on checking out Xorcom Rapid, a one disk install of Debian with Asterisk, or Asterisk@Home, which is said to have an easy web-based GUI. I'll post results when I have a chance to play with it. I've still got to pick up a phone and figure out how to get the gateways working - so don't hold your breath, though!

Mambo security patch available

From the MamboForge site:

Patches are available for Mambo Version 4.5.0-1.0.9 and Version 4.5.1a at http://mamboforge.net/frs/?group_id=5 to counter a vulnerability within Mambo. All administrators of Mambo sites are encouraged to upgrade at their earliest convenience.

New installations can use the 4.5.1b release, which incorporates these security fixes.
The Live CD List

Neat resource - lists a boatload of rescue CDs available. Lets you sort by purpose or size. I found a couple that are quite useful. KnoppMyth is a great way to get MythTV set up on a box, and the Trinity Rescue Kit has saved me from a couple of crashed hard drives and forgotten/corrupt Windows Administrator passwords.

Tuesday, February 01, 2005

This can't be my original idea

I had one of those 'eureka' ideas this morning and it goes something like this...

Background first: Out of the roughly 500 phones in place in my district, I'm replacing 2-3 a month. This doesn't surprise me as they're now hitting about 6 years of use, and all of the analog phones (2/3 of the 'fleet') were a discontinued model when we purchased them. I've been replacing them with Vodavi Starplus 2700 series phones, which seem to be nearly indestructible, and carry a 5 year warranty. Seeing how the speakerphone version runs me $30 (from Hello Direct) I haven't given it much thought.

I've been looking at VoIP phones, and the low end ones run $75-100. And I suddenly think, boy, if I could buy a phone that handled both analog and VoIP, I could start buying them now and save $30/phone down the road by not replacing bad phones now and again when we roll out VoIP. I'd end up saving over $9,000 (if I replaced 300 phones) and make the cost of our initial implementation seem $30,000 lower, as we'd spread some of the phone purchases out over a couple of years.

Well, I must be a genius, because 15 minutes of googling came up with nada, nothing, zilch. This can't be that hard to do - I see el-cheapo analog phones at the store in the $1-5 range all the time, so it wouldn't make the phone cost that much more. You could even use the same jack and have it auto-sense service or have a switch between analog and Ethernet. So I guess I've got the start to my first patent in my patent portfolio that will make me a gazillionaire.

Seriously, does anyone know of such a device? I honestly can't believe this is my original idea...