In my threat modeling and secure coding classes, as well as directly with my clients, I always stress the importance of introducing security as early as possibile in the software development lifecycle. In addition to raising awareness amongst the developers, doing so can help identify potential problems early in the development process as opposed to later when they will require more effort and more cost to fix properly. I recently experienced a real-world example of this that I wanted to share.

I’m working in a building downtown that uses proximity badges to secure offices on each floor. The elevator has a card reader as well, but it requires you to actually insert a different badge. This process is both cumbersome and unreliable. First because you are sliding a card into a fairly small slot and second because people need to jostle around the elevator so they can get directly in front of the slot in order to successfully use the card reader. In the morning rush, it’s not uncommon for your floor to have gone past before you get a chance to swipe your card.

So what do you think this results in?

You got it. In the morning rush one person gets on, slides their badge in and asks everybody which floor they’re going to.

So due to a poor design decision (low-efficiency access control device in a high-traffic area), that control is now effectively bypassed on a regular basis. Another layer of security does exist, but now you’re one step closer. Perhaps this is an acceptable risk to the original designers of this system given the security level of the building and the additional security, but unfortunately I don’t know to what extent they did consider this.

I’ll be making another post in the near future about how some of the design decisions on today’s sites are there to make users “feel” better about the security, rather than implementing effective measures themselves. Sounds familiar.

Thanks to the new Twitter Tracking, I came across a great blog called Sufficient Thrust that discusses various “life hacking” techniques. As somebody that’s always on the go but gets motivated at odd hours, the post about why I shouldn’t wake up early tomorrow peaked my interest. I frequently get motivated right around 11pm and keep kicking until 3am easily, so getting up early puts a pretty large shadow over my day.

Unfortunately, we do live in a 9-5 world and I often have clients where I need to be productive between those hours. So here are a few tips for forcing yourself to get work done. Note that everybody has different drivers, but these help me get through the day.

Don’t waste time
There’s all manner of things to distract you and when you’re not in the flow, you’ll take every opportunity to procrastinate. Try to ignore those distractions and focus on what you need to get done. If you don’t, you’ll find that 3 hours have passed and you haven’t accomplished a damn thing. Unfortunately, this post is a direct result of that procrastination…

Get yourself in the groove
I find that house music gets me in a very good groove. So when I need to be productive, I put on some giant headphones, crank the volume, and let the beat guide me to getting things done. There’s a podcast called Techtronic Sound that’s pretty good for this, but unfortunately there hasn’t been a new one in two months. Good tunes don’t always work, but it definitely helps drown out the other distractions in the office so I can focus on my work.

A little kick in the pants never hurt
I don’t like to do it, but a little caffeine can definitely help get you fired up when you have absolutely no desire whatsoever to be so. Mountain Dew and Caramel Macchiato’s are my poison of choice, but every once in a while I’ll put down a Rockstar.

Switch things up
Move to a different desk. Start writing notes using pen and paper. Go work in the Starbucks across the street. Anything to change up your routine to give you a little spark.

Be mean to people
People will try to disturb you. We can’t help it, we’re social creatures. But sometimes when you’re trying to get in the flow, you need to ignore, fend off, or otherwise try to prevent them from infringing on your flowness.

Set small, reachable goals and reward yourself
Give yourself small, easily attainable goals. Think increments of 1 hour. It’s good to get up and stretch anyway. Set a goal and a reward. For example: I can go get myself a coffee when I’m done writing these next 10 slides.

Ignore useless websites
There are more than enough useless websites out there to distract us each day. DO NOT GO TO THESE SITES. They suck your time and energy away quicker than you can blink!

Although definitely not foolproof, these are the things I try to do when I need to get in the flow.

Next article of Marina’s that you should read - The Secret to a Successful All-nighter

Hack on.

This is kind of depressing. The new jailbreak method for the most recent iPhone 1.1.1 firmware was publicly announced today…and it relies on a vulnerability within MobileSafari. What a bummer.

Update: I assumed the link posted above was the same as some others floating around, but it is not. The iPhone Dev Team’s jailbreak does not not use the MobileSafari vulnerability. Nevertheless, the below still applies.

When the original iPhone firmware was cracked, applications were loaded on using currently-existing functionality within the iPhone software. I was fine with that. Now, however, you have to actively exploit a vulnerability to gain access to the filesystem. I have a problem actively exploiting software on my phone to install SSH and Yahtzee. This is my phone, my main point of contact…not some handheld game console.

This is what I was expecting from Apple originally. The first iPhone jailbreak was way too easy and I was surprised that Apple would make such a major design decision when they probably had no doubt people would try to break this beautiful little piece of technology. Looks like my intuition was right.

I will follow with a heavy heart as others visit malicious websites in order to put custom apps on their iphones and ipods…ipwn is now even more appropriate, hehe. I for one, will probably just upgrade to 1.1.1 one of these days and say goodbye to those cute little ants crawling across my screen and freaking out people wishing to borrow my phone.

Come on, Apple, give the people what they want. You’re squandering the possibilities of an awesome platform. Here’s a quick tip for you: Web 2.0 partially came about because broadband became cheap and multiple behind-the-scenes calls to a web server were no longer an expensive operation. You can’t put Web 2.0 Apps on a phone that’s got a connection as slow as a turtle and unreliable as a Pacific Northwesterner. Nobody wants to relive the days of the baud-rate modems and spend 10 seconds waiting for a page to load just to use an application.

It was quite the marathon weekend, in more ways than one!

I flew into Chicago’s Midway airport at 1am Saturday morning. I was originally going to fly in at different time, but work situations changed and alas…there I was. So I hopped in my rental for the 4 hour drive to Toledo. Yea, I know - what was I thinking. I think it was worth it when I rolled up to the front desk at the hotel and the woman asked me “Checking out, sir?”. Uh, no…checking in, thanks. Just in time for breakfast? No thanks, just in time to pass out!

So that I did and woke up and went to the wedding, which was beautiful. And then there was a little downtime before the reception, which I was thankful for because I got to take a nap. Staying up working until 5am on Thursday and driving through the night on Friday finally caught up with me. Then we partied until the wee hours of the morning.

Sunday I headed back early to Chicago, only to be informed that the Chicago marathon was taking place. I tuned my radio into the AM station that was covering it just in time to hear the men’s photo finish (!!) and shortly thereafter, the women’s surprise finish. Unfortunately, the marathon was cut short due to the excessive heat in Chicago. I hung out with a few friends and then my cousin was generous enough to delay her trip back home to chill with me for a little while as well.

Then it was on a flight back home and I am about ready to crash, hard! It’s been quite the weekend.

On a nostalgic note, I was driving back from the reception and passed the hotel that I stayed at when I originally moved from Rochester to Chicago and stopped midway in Toledo - the Toledo Dreamplex. It looked like it was shut down and abandoned, but I can book a room next weekend through Expedia if I want to!

Let me just state up front that I’m not a huge fan of VMWare products these days. Sure, the technology is impressive and it’s very useful - but I’ve always run into odd quirks with their software. I suppose I like their desktop products better than their server products, though. Perhaps that’s because I had such a good experience with Microsoft Virtual Server and my ability to easily set up “virtual labs” through scripting…

In any case, I ran into an odd problem last night after some network downtime. I brought the network back up, but the VM’s still weren’t communicating over the second ethernet adapter, configured for bridging. Grepping through dmesg, I noticed the following errors:

e1000: eth1: e1000_watchdog: NIC Link is Up 1000 Mbps Full Duplex
e1000: eth1: e1000_watchdog: NIC Link is Down
e1000: eth1: e1000_watchdog: NIC Link is Up 1000 Mbps Full Duplex
e1000: eth1: e1000_watchdog: NIC Link is Down
e1000: eth1: e1000_reset: Hardware Error

…and then there were no more messages about eth1. Googling around a little bit indicated a possible solution would be reloading the kernel module, so…

rmmod e1000; modprobe e1000
ifconfig eth1 up

And then traffic started flowing again!

bridge-eth1: enabling the bridge
device eth1 entered promiscuous mode
audit(1191399073.815:34): dev=eth1 prom=256 old_prom=0 auid=4294967295
bridge-eth1: enabled promiscuous mode
bridge-eth1: up
e1000: eth1: e1000_watchdog: NIC Link is Up 1000 Mbps Full Duplex

Note that the “ifconfig eth1 up” is essential for the vmware bridge to realize the interface came back and it can start bridging info over it again. Unfortunately, it took me several minutes and the realization that I still wasn’t getting link lights after loading the module to realize this…

That’s my tech tip of the day, back to reporting!