Wednesday, 7 November 2007

I've moved...

I've recently moved my blog to a new location. The new address is:

http://blog.unauthorised.org.nz/

Things are a tad messy at the moment but that's the new look for 2008.

Monday, 29 October 2007

Forgotten password - It's a security risk!

The 'Forgotten password' function on websites is not a feature. It is a security risk!

The worst of all are the ones that are able to send your current password to your email account. Let's take a moment to consider what is required to accomplish this. The users' passwords must not have been hashed, as it would then be impossible to know what your password is. Therefore, the passwords must be stored in plain text on the server. In the event that the server is compromised, your password is directly accessible to the attacker. Even if the passwords are stored encrypted, they aren't much better off: the server has to hold the decryption key in order to send you the password, so whoever compromises the server gets both. If you're a software developer, always, always store password hashes and not the passwords themselves---unless you specifically need the password in its plain text form.
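The point above in working code, as an added example that is not part of the original post: an in-memory user store that keeps only a salt and a PBKDF2 hash, so a "send me my current password" mail is impossible by construction, and the only recovery path is a random, single-use, expiring reset token. The store, the iteration count and the token lifetime are this example's own choices.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # assumption: PBKDF2 work factor chosen for this demo
TOKEN_TTL = 15 * 60    # assumption: reset tokens expire after 15 minutes

# Constructed in-memory store; nothing here comes from a real site.
_USERS = {}    # username -> {"salt": bytes, "hash": bytes}
_RESETS = {}   # username -> {"token_hash": bytes, "expires": float}


def _derive(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the password itself is never written anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username, password):
    salt = os.urandom(16)
    _USERS[username] = {"salt": salt, "hash": _derive(password, salt)}


def verify(username, password):
    """Re-derive from the submitted password and compare in constant time."""
    rec = _USERS.get(username)
    if rec is None:
        _derive(password, b"\x00" * 16)   # same cost for unknown users
        return False
    return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])


def database_dump(username):
    """Everything a server compromise would expose for this user: salt + hash."""
    rec = _USERS[username]
    return rec["salt"] + rec["hash"]


def begin_reset(username, now=None):
    """Recovery that never needs the old password: a random token that is
    usable once and expires. Only its hash is stored, so a dump of _RESETS
    cannot be replayed either."""
    now = time.time() if now is None else now
    token = os.urandom(24).hex()
    _RESETS[username] = {
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + TOKEN_TTL,
    }
    return token   # this is what would be e-mailed; it is not the password


def complete_reset(username, token, new_password, now=None):
    now = time.time() if now is None else now
    pending = _RESETS.pop(username, None)   # one attempt per token, success or not
    if pending is None or now > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    register(username, new_password)        # replaces the hash; the old one is gone
    return True
```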

Sites that allow users to reset their password by answering a security question are also bad. The problem with this approach is that often the questions are so simple that your neighbours could probably figure out the answers. Take for example, 'What is your pet's name?' or 'What is your mother's maiden name?' Just think how many people actually know the answer to that question and could potentially hijack your account. Think Paris Hilton. While some sites allow users to disable the function by leaving the security questions empty, most sites make it mandatory. In this case, you can still "disable" the function by entering a long random text as the answer.

Security and usability don't mix. One additional way to recover or change your password is one additional way to hijack your account. Is it worth the risk just so it's easier to resolve forgotten password situations? I admit I've had to use the 'Forgotten password' function a few times before but it pays to be aware of the risk. Please check out my next blog post on password management tips. I wonder when that'll be.

Friday, 21 September 2007

Mozilla about:config

Need to edit your Mozilla browser preference settings? Try entering about:config in the location bar. You'll find settings that you didn't even know exist.

It's not flash, but it gets the job done. Saves you having to hunt through numerous screens, especially if you know what you're looking for.

For a reference of what the settings are, please visit:
MozillaZine About:config entries

It is by no means a complete reference but it is a good place to start.

Saturday, 21 July 2007

Google Video Player File

Ever come across a Google Video Player (.GVP) file? You're bound to sooner or later with the amount of digital video content on the net.

GVP is not a new video format. Rather, it's simply a plain text file that contains metadata about an actual video file. Take for instance, the following:

# download the free Google Video Player from http://video.google.com/
gvp_version:1.1
url:http://vp.video.google.com/videodownload?version=0&secureurl=ugAAAH_1H8Yu95EJtMuzFT6-X9Oaw1AQYKoyH9Pzbi0LnopJ2uFDOMIQ0ELLeWQe0SzIHN44NrpacmK3Q9OEswjpSJzC1RDc6DxZcL3NRLLcFESJLjErtD-iZXXYDenDBkGpvDXG7Xut9SFmBC8RUqGmLqosWMwS20c04qw55N_BTjeU9d0p93rbjGkOF0GLaNd_yhaN8cBFLkg8NPL82ikRp83CfS16JTeVIS3Ab4x9E_H6VnqIiy-5KSBN-0TGiyF9kQ&sigh=21pimKCTGJiC5qXu2nKy1F5YMTk&begin=0&len=3008680&docid=5464925144369700635
docid:5464925144369700635
duration:3008680
title:Discovery_Channel_-_The_History_Of_Hacking_Documentary.avi
description:the history of hacking

That is the content of an actual GVP file. As you can see, it specifies the url, title, description, and length of the video file. If you try to access the url from a browser or any download manager, you'll be able to save the actual video file to your computer.
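A small parser for the format shown above, added here as an example and not code from the original post or from Google. The sample is constructed in the same shape as the file above, with the long secureurl value shortened; note that the url line itself contains colons, so each line must be split on the first colon only. The cross-check that docid and duration agree with the url's own docid and len parameters is based on the sample, where they match.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the .gvp layout shown above ("ugAAAH" stands in for
# the much longer secureurl value).
SAMPLE_GVP = """# download the free Google Video Player from http://video.google.com/
gvp_version:1.1
url:http://vp.video.google.com/videodownload?version=0&secureurl=ugAAAH&sigh=21pi&begin=0&len=3008680&docid=5464925144369700635
docid:5464925144369700635
duration:3008680
title:Discovery_Channel_-_The_History_Of_Hacking_Documentary.avi
description:the history of hacking
"""


def parse_gvp(text):
    """Parse the key:value lines of a .gvp file into a dict.
    Lines starting with '#' are comments. Values may themselves contain ':'
    (the url does), so split on the first colon only."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed gvp line: {raw!r}")
        fields[key.strip()] = value.strip()
    return fields


def check_consistency(fields):
    """Compare the standalone fields with the url's query string; a mismatch
    means the file was edited or points at a different video than it claims."""
    problems = []
    parts = urlsplit(fields.get("url", ""))
    if parts.hostname is None:
        problems.append("url is not absolute")
    query = parse_qs(parts.query)
    for name, url_param in (("docid", "docid"), ("duration", "len")):
        if fields.get(name) != query.get(url_param, [None])[0]:
            problems.append(f"{name} differs from url {url_param}")
    return problems
```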

Saturday, 30 June 2007

503 Bad Sequence, polite people say HELO first

If you ever get an email that fails to send with a 503 error, it doesn't mean that you should add 'HELO Bob' to the start of your email and try resending it. The 503 error actually means that your mail server is not behaving properly or that something is wrong when trying to send your email. The latter part of the message is simply the other mail server trying to be cute.

For those of you that are not aware of how mail servers work, here is a brief explanation of how they communicate. Before your mail server can relay your email, it first has to introduce itself by saying HELO. For the more trendy servers, EHLO works too. If you're bored, scream NOOP, NOOP and the other server will merrily reply OK, OK. (Having said that, I don't guarantee that prolonged NOOPing will not upset the other server, prompting it to sever all connections with you.) If you're ever in need of assistance, just ask for HELP and you'll get an appropriate response.

That's the humorous world of digital communication for ya! If you seriously want to learn more about how mail servers communicate (or if you're looking for a cure for insomnia), then have a read through the following.

RFC2821 - Simple Mail Transfer Protocol
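The dialogue described above, modelled as an added example (not code from the original post, and not a real mail server): a toy server-side state machine that answers NOOP and HELP at any time, but returns 503 to MAIL, RCPT or DATA sent before HELO/EHLO. The hostname and the wording of the replies are this example's own.

```python
# Constructed model of the server side of an SMTP session; it never opens a
# socket and only tracks the command ordering the post talks about.
class SmtpSession:
    def __init__(self, hostname="mail.example.invalid"):
        self.hostname = hostname
        self.greeted = False       # HELO/EHLO seen yet?
        self.sender = None         # MAIL FROM accepted?
        self.recipients = []       # RCPT TO accepted so far
        self.transcript = []       # (client line, server reply) pairs

    def handle(self, line):
        """Process one client command and return the server's reply line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            self.sender, self.recipients = None, []      # greeting resets state
            reply = f"250 {self.hostname} Hello {arg or 'there'}"
        elif verb == "NOOP":
            reply = "250 OK"                              # allowed any time
        elif verb == "HELP":
            reply = "214 Commands: HELO EHLO MAIL RCPT DATA NOOP HELP QUIT"
        elif verb == "QUIT":
            reply = f"221 {self.hostname} closing connection"
        elif verb in ("MAIL", "RCPT", "DATA"):
            if not self.greeted:
                # the case in the title: a transaction command before HELO
                reply = "503 Bad sequence of commands, polite people say HELO first"
            elif verb == "MAIL":
                self.sender = arg
                reply = "250 OK"
            elif verb == "RCPT":
                if self.sender is None:
                    reply = "503 Bad sequence of commands, need MAIL first"
                else:
                    self.recipients.append(arg)
                    reply = "250 OK"
            elif self.recipients:
                reply = "354 End data with <CR><LF>.<CR><LF>"
            else:
                reply = "503 Bad sequence of commands, need RCPT first"
        else:
            reply = "500 Command not recognised"
        self.transcript.append((line.strip(), reply))
        return reply


def run_dialogue(lines):
    """Feed client lines in order and return the numeric reply codes."""
    session = SmtpSession()
    return [int(session.handle(line)[:3]) for line in lines]
```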
 

Thursday, 31 May 2007

Letters to God

Kids certainly do write the most interesting letters. Here is a bunch of Letters to God. Enjoy!

Tuesday, 29 May 2007

Always @ Work

I didn't realise that I was always @ work. Not until a friend of mine asked me if I was at work on a Saturday for no apparent reason---or so I thought. On the upside, my manager probably thought I was really dedicated.

Windows Live Messenger 8.1, which was released early this year, included a new feature---roaming Display Picture and Personal Message. This means that your display picture and personal message are stored on Windows Live server, and will always be the same regardless of which machine you're signing in from.

This sounds good as it means you only have to set your display picture once and it will be available everywhere else. However, I like my personal message to be different depending on which machine I'm signing in from. This allows me to have an '@ Work' message on my work pc, and a more personal message on my home pc without requiring me to constantly switch between the two. For a while, I thought those days were gone. Luckily, the feature can be turned off. The option can be found under File > Options... > General > Sign In. Uncheck Use the same display picture and personal message wherever I sign in and everything should be sweet again.

Thursday, 24 May 2007

prototype.js

Prototype is a JavaScript Framework that aims to ease the development of dynamic web applications.

Featuring a unique, easy-to-use toolkit for class-driven development and the nicest Ajax library around, Prototype is quickly becoming the codebase of choice for web application developers everywhere.

I was working on a web application at work when a colleague of mine introduced me to Prototype. Boy, is this great or what! Prototype version 1.5.0 is approximately 70KB in size. Quite reasonable considering the size of web pages nowadays.

I find the CSS selector functions, such as getElementsByClassName and getElementsBySelector, to be really useful. I used to think of CSS as an excellent way of separating a document's content from its presentation. Now I've learned that CSS classes can also be used as tags for the various elements in a page. This makes some tasks a whole heap simpler, especially with the CSS selector functions.

Prototype also has a nice Ajax library. It abstracts the browser specific implementations and provides a simple interface to code against. I'm looking forward to trying this out. I've been borrowing AJAX books from the library for the past few months but never seem to have the time to read them.

To learn more about Prototype, visit the official website at http://www.prototypejs.org/.


Tuesday, 15 May 2007

Microsoft Home Use Program

I've recently discovered through work that Microsoft offers a Home Use Program (HUP) for some of its software products. The HUP offers the employees of Microsoft Volume Licensing Software Assurance customers the opportunity to purchase a licensed copy of the Microsoft product for a flat price of $20. That's 20 NZD for New Zealand users, and covers the postage and handling fees.

I don't normally pay for software I use. However, considering it's only 20 NZD, I thought I might as well get one. I purchased a copy of Microsoft Office Enterprise 2007. I had always been meaning to give Office 2007 a try. It took Microsoft approximately two weeks to process the order and ship the DVD from Singapore.

As with most things Microsoft, there is a catch. The HUP license is intimately tied to your employment and your employer's Software Assurance coverage. The license ends:

  1. when your employer's coverage ends;
  2. upon termination of your employment;
  3. if you are no longer a user of the licensed software at work; or
  4. if you install and use any other version of the software under the HUP.

Even so, I still think it's worth it. At the very least, it saves me the hassle of finding a copy of Microsoft Office elsewhere.

If you work for an organisation that uses Microsoft products, it may be worthwhile checking with your IT department to see if you're eligible to participate in the HUP.

Friday, 20 April 2007

Security Alert: Windows Animated Cursor Flaw

This isn't the most timely security alert, but just in case you haven't already heard. Exploits for these vulnerabilities have been observed in the wild.

A flaw was discovered late last year in the way Windows handled animated cursor (.ANI) files. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

For more information, please see Microsoft Security Bulletin MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (925902).

If you have Windows automatic update enabled, then this patch should have already been applied. Otherwise, the patch for Windows XP SP2 is available from:
KB925902 - Updates for Windows XP

Now, chop chop! Go check that you do indeed have the update applied.

Command & Conquer 3: Tiberium Wars

It is the year 2047. The Third Tiberium War is upon us. The long twilight struggle between the allied nations of the Global Defense Initiative (GDI) and the shadowy superpower known as The Brotherhood of Nod has flared into a planet-wide firestorm. Both factions fight over Tiberium, an enigmatic green crystal of alien origin that is both the ultimate resource and the worst environmental disaster in history. The stakes couldn't be higher---whoever controls Tiberium decides the fate of humanity and the destiny of the planet Earth. But this violent global war between GDI and Nod is just the beginning. Humanity is about to discover that it is not alone in the universe... and that it is not the only race fighting for Tiberium.

Command & Conquer 3: Tiberium Wars is the second game I've purchased... ever. The first is Need For Speed Carbon. CNC3 was released at the end of March this year. It certainly has been a long time coming. I still remember the days when I used to play CNC2: Red Alert.

CNC3 is similar to CNC2. However, being set in the future, the military do have more advanced technologies. So far, the most impressive weapon that I've come across is the Ion Cannon---a weapon that fires supercharged ion beams from an orbital battle station. Apparently, by 2047, the human race would also have discovered alien civilisation. I don't particularly like this part of the storyline as I've always preferred CNC over WarCraft type of games because it only involved human civilisations. It just makes it that much easier to immerse yourself in the storyline, which some may argue is a bad thing.

The hardware requirement for CNC3 is quite typical for a recent strategy game. I don't own the flashest system and this is definitely pushing it to the limit. I'm running the game on the lowest quality settings possible. I can only wonder what the graphics would be like on the highest settings.

Thursday, 22 March 2007

Next-Blogging

Hey there. Yes, YOU! You've arrived here via the Next Blog link, haven't you? I've found myself next-blogging quite a bit lately too.

In case you're wondering, by next-blogging, I'm referring to blog surfing via the Next Blog link on the navigation bar at the top of the page. I'm still trying to figure out how exactly that link works. Next blog implies that there's an order to the list of blogs, but that's not how it works. In reality, it seems to take you to a random blog each time you follow the link. I said it seems because from my brief experience in next-blogging, I've managed to hit a number of random blogs more than once. Considering the number of blogs out there, the chances of that happening are impossibly small if the link is completely random.

Regardless, I still like the feature. You never know where it's gonna take you. It has taken me to some excellent blogs, a number of annoying ones that are full of ads, and a few nasty ones that should never be seen by... anyone really. There are some seriously disturbed bloggers out there.

If you've not tried next-blogging before, go on. It's right there at the top of the page. You know you want to. Just don't get addicted to it.

Saturday, 17 March 2007

World View: Cultural Creative

You scored as Cultural Creative.

Cultural Creatives are probably the newest group to enter this realm. You are a modern thinker who tends to shy away from organized religion but still feels as if there is something greater than ourselves. You are very spiritual, even if you are not religious. Life has a meaning outside of the rational.


Cultural Creative: 94%
Materialist: 94%
Existentialist: 75%
Modernist: 63%
Idealist: 56%
Postmodernist: 50%
Romanticist: 44%
Fundamentalist: 25%

What is Your World View?
created with QuizFarm.com

Saturday, 10 March 2007

Dynamic Text Files

Ever wanted to dynamically create downloadable text files on your website? It couldn't be any simpler using a web scripting language, such as ASP or PHP. All that is required is to modify the response header of a dynamic web page. The text file does not actually exist on the web server. Instead, it is created and sent directly to the web client.

The following ASP code sample demonstrates how this can be achieved:

Response.ContentType = "application/text"
Response.AddHeader "Content-Disposition", _
"attachment; filename=greetings.txt"

Response.Write "Welcome to Unauthorised Blog"

Response.End

Normally, the response header sent by a dynamic web page would be that of a standard HTML page. By specifying the application/text content type and adding the additional content disposition information, the web client now expects any subsequent data it receives to be the content of a greetings.txt file.

The same technique can be used to create any type of file, provided that you are able to create raw data for that particular file type.
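The same header trick as the ASP snippet, written as a WSGI application so it can be exercised without a web server. This is an added example, not code from the original post. It differs from the ASP in two ways that are this example's own choices: it uses the registered text/plain type instead of application/text, and, because a filename echoed from the request would otherwise end up inside a header, it strips quotes, CR/LF and path characters from a hypothetical "name" query parameter before using it.

```python
from urllib.parse import parse_qs

# Characters allowed to survive into the Content-Disposition filename.
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


def safe_filename(name, default="download.txt"):
    """Drop anything that could break out of the quoted header value (quotes,
    CR/LF, separators); strip leading dots; fall back if nothing is left."""
    cleaned = "".join(c for c in name if c in ALLOWED).lstrip(".")
    return cleaned or default


def greetings_app(environ, start_response):
    """Generate greetings.txt on the fly; no such file exists on disk."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    filename = safe_filename(params.get("name", ["greetings.txt"])[0])
    body = b"Welcome to Unauthorised Blog\r\n"
    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Content-Disposition", f'attachment; filename="{filename}"'),
        ("Content-Length", str(len(body))),
    ]
    start_response("200 OK", headers)
    return [body]


def call_app(app, query=""):
    """Drive a WSGI app with a synthetic GET; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/greetings", "QUERY_STRING": query}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
```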

Monday, 5 March 2007

HOWTO Secure a Wireless Network

A wireless network is an ideal solution if you have a laptop that is constantly moving around the house, or if you simply wish to eliminate the miles of cabling that run all over the place. However, if not properly configured, wireless networks are very susceptible to attacks. These networks are possibly the most popular source of free Internet for... ahem. You know who they are.

The following are a few simple steps that can be taken to vastly improve the security of your wireless networks:

  1. Change the default login on your network devices, especially the wireless access points, router, and the modem. The remaining steps are a pointless exercise if anyone could simply modify your settings and hijack your network.

  2. Enable wireless authentication and encryption. Use the strongest authentication method and encryption algorithm supported by your wireless access point and all the wireless clients on the network. Wi-Fi Protected Access 2 (WPA2) should be used where possible. Wired Equivalent Privacy (WEP) is easily cracked. WPA, not WPA2, has also been demonstrated to be vulnerable when weak encryption keys are used. If your only option is WEP or WPA, it is strongly recommended that the encryption key be changed regularly.

  3. Choose a strong encryption key. Use the longest encryption key length supported by your wireless access points and all the wireless clients on the network. It is best if you could generate a random hex key. Otherwise, make sure you choose a strong pass phrase. Weak keys can easily be cracked by brute force attacks.

  4. Disable SSID broadcast. The Service Set Identifier (SSID) is a name used to uniquely identify your wireless network, and must be specified when a client wishes to join the network. Usually, by default, the SSID is broadcast at regular intervals to announce the presence of the wireless network. This may simplify configuration of your wireless clients but is also an invitation for hackers. Disabling SSID broadcast makes it more difficult, but not entirely impossible, for an attacker to obtain this information.

  5. Rename the SSID. Following from the previous point, you should choose a unique SSID. Lists of default SSIDs are widely available. Additionally, a network with a default SSID suggests that it is poorly configured and is an appealing target for hackers.

  6. Enable MAC address filtering. A MAC address is a unique identifier for a network card. MAC address filtering ensures that only your wireless devices have access to your wireless network. However, this is not a foolproof measure as the MAC address can easily be spoofed.

  7. Disable remote administration, unless you absolutely know what you're doing. I'm sure you wouldn't want a hacker administering your network. Nuf said.

The steps detailed above are suggestions for improving your network security. Some of the features described may not be supported by your network devices, while others may be impractical for your network setup. If not supported, check to make sure that the manufacturer has not released new software or firmware upgrades. For those using Windows wireless client, the following Windows update may be required, if not already installed, to support WPA2:
KB893357 - Wi-Fi Protected Access (WPA2) Update

In the end, you may find the network slightly more tedious to setup but it will be much more secure.
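The seven steps above as a self-check, added here as an example and not code from the original post. It audits a constructed access-point configuration (the field names are this example's own, not any vendor's) and reports which step is still outstanding; the default-password and default-SSID lists are illustrative, and the 20-character passphrase floor is this example's assumption.

```python
import re

# Illustrative lists only; real default-credential lists are much longer.
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "1234", ""}
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}

# Constructed configurations in the shape a home router's admin page exposes.
WEAK_AP = {
    "admin_password": "admin",
    "security": "WEP",
    "key": "ABCDE",
    "ssid": "linksys",
    "ssid_broadcast": True,
    "mac_filter": False,
    "remote_admin": True,
}

HARDENED_AP = {
    "admin_password": "T7#vq9!Lm2zR8wXp",
    "security": "WPA2",
    # constructed 64-digit hex PSK (256 bits), the longest WPA2 key length
    "key": ("9f3a7c21e6b04d8f" "5a1c7e9b2d4f6a8c"
            "0e1b3d5f7a9c2e4b" "6d8f0a1c3e5b7d9f"),
    "ssid": "kea-nest-4417",
    "ssid_broadcast": False,
    "mac_filter": True,
    "remote_admin": False,
}


def audit(ap):
    """Return one finding per step from the list above that is not yet done."""
    findings = []
    if ap["admin_password"].lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append("1: default device login still in use")
    if ap["security"] != "WPA2":
        findings.append(f"2: {ap['security']} in use; WPA2 should be used where possible")
    key = ap["key"]
    is_hex_psk = re.fullmatch(r"[0-9A-Fa-f]{64}", key) is not None
    if not is_hex_psk and len(key) < 20:   # assumption: passphrase floor for this check
        findings.append("3: key is neither a 64-digit hex key nor a long passphrase")
    if ap["ssid_broadcast"]:
        findings.append("4: SSID broadcast enabled")
    if ap["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("5: default SSID in use")
    if not ap["mac_filter"]:
        findings.append("6: MAC address filtering disabled (spoofable; defence in depth only)")
    if ap["remote_admin"]:
        findings.append("7: remote administration enabled")
    return findings
```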

Thursday, 22 February 2007

Security Alert: Google Desktop XSS Flaw

A cross-site scripting (XSS) vulnerability has been found in the Google Desktop application. The flaw, first discovered in October 2006, enables an attacker to search for and steal data from a user's system.

Google released an updated version of the Google Desktop client that fixes the flaw earlier this month. If you use Google Desktop, make sure you are running the latest version, 5.0.701.30540. The latest version of Google Desktop can be downloaded from the Google Desktop site, http://desktop.google.com/.

For more details on the vulnerability, please see http://www.securityfocus.com/news/11443.

You have been warned.

Monday, 29 January 2007

Shit Shit

Warning: This blog post is rated R16. It contains coarse language and may offend some people. Parental guidance is recommended for younger readers.

No. You're not hearing double. That is what I meant to say. Shit shit is currently one of my favourite phrases. It's swearing with a hint of humour. If you've seen the movie Red Eye, you'll know what I mean.

I personally don't consider the word shit, or any other four letter words with special characters in them to be particularly offensive when used in an appropriate context. It is merely a way of expressing oneself. As a matter of fact, it is a vital part of social interaction.

In some cases, these words may actually convey additional information. Take for instance, the following example. You're on your way out of the office when one of your colleagues happens to come back in after having a ciggy. You ask, "What's the weather like?". He could say "It's very cold outside", which means just that. Alternatively, he could say "It's shit cold outside", which in effect means "It's very cold outside. I hate this weather. Are you sure you really want to go out? If so, I suggest you grab your jacket." I'm not suggesting that that's what you should say to your boss the next time he asks you what the weather's like, but I hope you get my point.

Unfortunately, not everyone shares the same view that I do. In the end, it all depends on the delivery, the context you use it in, and who your audience is.


Disclaimer: The information in this blog post is provided "AS IS". Unauthorised and wired4destruction are in no way responsible or liable for any injuries, or loss of jobs that may result from the use of any information on this blog.

Friday, 26 January 2007

Genesis

In the beginning, I was too lazy. After 26 days of procrastination, I decided that I should really post something. Anything really... just to get this blog started. Fingers crossed, this is not a sign of things to come. So, here is a wee bit about what this blog is all about, the motivations behind it, and where it is headed.

Well, this is a blog about ME! I'll blog just about anything that pops into my head. Anything from the mundane to the mind-blowing tech stuff. In a way, it's a place for me to gather my thoughts. With any luck, it will not be all crap and you'll find some of it useful, or at least interesting.

There are quite a few motivations for getting this blog up and going. Amongst which are:

  • everyone should have something that says "Hey, I'm here on the net";
  • a chance for you to learn more about me;
  • a New Year Resolution for 2007;
  • something to help unclutter all the crap going through my mind; and
  • a way to experience what the blogging craze is all about.

At the mo, I don't have a clear picture of where this blog will end up. The idea is to make this an interactive blog where your comments and suggestions will help determine what gets blogged next. So, I would really appreciate any feedback you have to offer.

Until next time, safe blogging.