Domain: patternizer.com
Stories and comments across the archive that link to patternizer.com.
Stories · 6
-
Canadian Ice Shelves Halve In Six Years
eldavojohn writes "The CBC reports on new research that shows thousand-year-old ice shelves (much different than sea ice) are breaking up and have been reduced by half in a region of Canada over the last six years. 'This summer alone saw the Serson ice shelf almost completely disappear and the Ward Hunt shelf split in half. The ice loss equals about three billion tonnes, or about 500 times the mass of the Great Pyramid of Giza.' More detailed pictures can be seen at The Conversation, with a quote from Professor Steven Sherwood, Co-Director of the University of NSW's Climate Change Research Centre: 'The real significance of this, in my view, is that this ice has reportedly been there for thousands of years. The same is true of glaciers that have recently disappeared in the Andes. These observations should dispel in one fell swoop any notion that recent global warming could be natural.'" -
Graphene and Quantum Hall Effect Could Help Redefine Metrics
eldavojohn writes "The National Physical Laboratory has published research in Nature that could lead to redefining two of our most commonly used metrics. There's been a lot of trouble stemming from defining an exact Kilogram as some lump of platinum-iridium sitting in a glass case somewhere, so the proposal was put forth to study the quantum hall effect with different materials. Enter the Nobel prize winning, super strong, silicon usurping graphene. NPL now says you can add quantum resistance metrology to the list of graphene's many conquests as they say the quantum hall effect in graphene is 'very robust and easy to measure.' With this at their disposal, the Kilogram may be redefined in terms of h, the Planck constant, and the Ampere may be redefined in terms of e, the electron charge (alias Elementary charge or the charge of a proton). You can find the full paper here." -
Book Review: Scalability Rules
eldavojohn writes "As a web developer in the 'Agile' era, I find myself making (or recognizing) more and more important decisions being made in developing for the web. Scalability Rules cemented and codified a lot of things I had suspected or picked up from blogs but failed to give much more thought to and had difficulty defending as a member of a team. A simple example is that I knew state is bad if unneeded but I couldn't quite define why. Scalability Rules provided this confidence as each of the fifty rules is broken down in a chapter that is divided into what, when, how, why and key takeaways. A strength of the book is that these rules cover all aspects of web development; but that became a double edged sword as I struggled through some rules meant for managers or technical operators." Read below for the rest of eldavojohn's review. Scalability Rules: 50 Principles for Scaling Web Sites author Martin L. Abbot and Michael T. Fisher pages 272 publisher Addison-Wesley Professional rating 8/10 reviewer eldavojohn ISBN 978-0321753885 summary 50 Principles for Scaling Web Sites You might recognize the authors as two of the three partners of AKF Partners which means that the book pushes a lot of their concepts like the AKF Cube. A bonus is that they have a very long list of clients and aren't afraid to remind the reader that they have consulted to hundreds of companies so when they say they see these rules solving problems frequently, there's weight to that. Also, they have two books but don't confuse Scalability Rules with The Art of Scalability as the latter focuses on people, processes and technology instead of the rules of scaling.
First off this book gives you a primer of rules for you to start with depending on whether you are mostly a manager, software developer or technical operations personnel. I'll concentrate on the specifics of the software developer chapter and summarize the others at the end of this review. Also note that aside from some SQL, I only saw PHP code in this book. Luckily there's only a handful of snippets presented and they are easy to follow. Additionally each chapter ends with solid references (usually online resources) to back up the claims listed in those sets of rules.
The first chapter is devoted to reducing the equation and focuses on removing needless complexity from your solution. You can find this chapter here if you want to see how the layout looks. They give a lot of solid reasons for this and also a lot of good examples like understanding what your users care about. Why build a prompt to export a blog post as a PDF if 99% of the users don't care about it? Next up they say the rule to design to scale means designing for 20x capacity, implementing for 3x capacity and deploying to 1.5x capacity. A strength of the book are the grids that illustrate what is low, medium or high cost and impact through the chapters. Every time they discuss options at different parts of the solution development process, the user is given a chart to understand why. The next rule stresses that you can usually identify 80% of your benefit achieved from 20% of the work (80-20 rule). Rule 4 is strangely specific and implores the reader to simply reduce DNS lookups. However — and this is the first of many — they remind the reader that this rule must be balanced with putting your system all on one server just to reduce DNS lookups. Such a strategy can result in that becoming a choke point. Rule 5 quite simply instructs the reader to use as few objects as possible in your webpage.
The final rule of chapter one is the first one I disagree with in the book. The rule says "Don't mix the vendor networking gear." And this goes against every fiber of my being. Why even have networking standards if you are not to mix the vendor networking gear? Looking to upgrade one component? Better stick to brand X no matter how crappy they have become. This results in being nickeled and dimed and vendor lockin. If scalability is your sole goal than perhaps this is sound instructions. But I cannot understand how anyone would indicate lockin to a vendor — especially in today's networking gear.
Chapter two is incredibly short but potent. It covers some basic database concepts like why ACID properties of databases make them difficult to split. This chapter is spot on and calls upon the AKF cube for dimensions of scalability. Three dimensions are: You can clone things, split different things and split similar things (like by country region). This cube reappears throughout the book and it should be noted that the book does a good job of giving examples of when each dimension is a good choice for scaling and when it is a bad choice compared to the other two. In my line of work, massive scaling solutions have implemented all three.
Skipping to the next developer chapter on not duplicating your work, the text ranged from the incredibly obvious "Don't double check your work" to relaxing temporal constraints. The chapter is short like chapter two and didn't offer me a whole lot. A third rule was again oddly specific in saying not to do redirects and even getting down into the very fine specifics of what HTTP codes are and how they affect your response times.
The next chapter for developers is chapter ten on avoiding or distributing state. Rule 40 actually came in useful at my job as it simply states "Strive for Statelessness." There was an easy solution to a problem in one of our projects that involved storing an object in the session to keep track of what was being displayed to the user. Having read the book, I instead made this web application nearly stateless (except user authentication and the like). Later on, as we started testing the application in multi-tabbed browsing and users began opening many search tabs and viewed several objects at once to compare them, I was glad that I had not gone down this path. Doesn't have much to do with scalability but I think all web developers should read this chapter as it really does pay to avoid state when possible.
As the rules grew closer to 50, they lost their potency. The authors did a good job of trying to put a bit of ranking in the appearance to these rules. The final developer chapter on asynchronous communication and message buses is probably the most specific and was the least useful for me. While all the rules in this chapter are true, they again border on the banal with examples like "Avoid Overcrowding Your Message Bus."
Having read this book cover to cover, it is a very short book with extremely succinct and organized summaries (the final chapter is a short review of each rule). The manager and operations chapters didn't really do a lot for me overall but would occasionally have very interesting chapters that opened up a lot of the logic behind content delivery services to me. Occasionally I would take slight issue with some rules but the most egregious rule I read was Rule 28 "Don't Rely on QA to Find Mistakes" and then the chapter opens with calling the title of this rule "ugly and slightly misleading and controversial." Because it is and could probably be replaced with another sentence from the chapter: "You can't test quality into your system." Why rely on sensational headlines when I'm already holding your book? I think this book would have been a solid 9/10 if not for this oddity in the large rule set.
I've given each of these rules a decent amount of thought and will keep them at the back of my mind as I write code in an agile environment. Mistakes made early on can be very costly in scaling terms. This book will definitely be kept around at work when I need a solid argument for those design decisions that might take more work but save in the future when it needs to scale.
You can purchase Scalability Rules: 50 Principles for Scaling Web Sites from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Purdue Researchers Demonstrate Low-Power, Fast FeTRAM Memory
eldavojohn writes "Researchers at Purdue University's Birck Nanotechnology Center have released news of a proof of concept new ferroelectric transistor random access memory or 'FeTRAM.' This new technology is nonvolatile and the researchers claim it could use up to 99% less energy than current flash memory. Unlike most FeRAM technology that uses a capacitor, FeTRAM provides nondestructive readout by storing information using a ferroelectric transistor instead. From the article: 'The new technology also is compatible with industry manufacturing processes for complementary metal oxide semiconductors, or CMOS, used to produce computer chips. It has the potential to replace conventional memory systems.' So if they get this into production, you might not have to worry about your laptop cooking your genitals. They've been published in ACS (paywalled) and the professor leading the research has many patents filed relating to transistor nanotechnology." -
Book Review: Metasploit The Penetration Tester's Guide
eldavojohn writes "The Metasploit Framework has come a long way and currently allows just about anyone to configure and execute exploits effortlessly. Metasploit: The Penetration Tester's Guide takes current documentation further and provides a valuable resource for people who are interested in security but don't have the time or money to take a training class on Metasploit. The highlights of the book rest on the examples provided to the reader as exercises in exploiting several older versions of operating systems like Windows XP and Ubuntu while at the same time avoiding triggering antivirus or detection. The only weak point of this book is that a couple chapters refer the reader to external texts (on stacks and registers) in order to meet requirements for crafting exploits. The book also gives the reader a brief warning on ethics as many of these exploits and techniques would most likely work on many sites and networks. If you're wondering how seemingly inexperienced groups like lulzsec constantly claim victims, this would be an excellent read." Keep reading for the rest of eldavojohn's review. Metasploit The Penetration Tester's Guide author David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni pages 300 publisher No Starch Press, Inc. rating 10/10 reviewer eldavojohn ISBN 978-1593272883 summary A thorough guide to penetration testing with the Metasploit Framework. In 2007, Metasploit was migrated from Perl to Ruby. The book opens with a brief history of the framework and mentions this but does not address any complaints of performance loss. Instead, the authors argues that this increased contributions and adoptions. As a result, all the code in this book (which the exception of some SQL payloads) is written in Ruby. If you don't know Ruby but you know many other languages, it's a fairly simple language to pick up.
The first chapter of this book clearly indicates that the objective is to empower white hat hackers and researchers. They lay down a predefined set of phases that one takes while pen testing a target. They are Pre-engagement Interactions, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post Exploitation and Reporting. Chapter two covers the terminology that is used across the Metasploit Framework so if you're unfamiliar with concepts like 'shellcode' or 'payload' this chapter will set you straight. It also mentions a UI for Metasploit called Armitrage but my personal tastes kept me using the minimal MSFConsole and MSFcli.
Chapter three begins to cover intelligence gathering and covers everything from the basic whois tool to writing your own custom scanner. The chapter does a great job of carefully explaining in detail the difference between passive and active scanning. The stealth TCP scan that nmap provides was a new thing for me and the chapter also details how Metasploit can use several database technologies to record and store the results of your scans to be used later on. The chapter shows how to use Metasploit to scan ports, server message blocks, MS SQL servers, SSH servers, FTP and simple network management protocol sweeping. Most of these techniques are a few quick commands in Metasploit's console and with Ruby mixins the chapter illustrates how to write your own scanner for use in Metasploit in about 20 lines of code. But all of this is just to get a grasp of what's up and running on the server.
Chapter four starts to get interesting with actual vulnerability scanning. Banner grabbing is an important technique in pen testing and the book suggests using NeXpose community edition (also a Rapid7 tool). This is covered in more detail in the appendix but NeXpose is a web GUI interface for scanning, storing and managing site scans. This provides great reporting features, it's intuitive and reduces everything to point-and-click for the user. But luckily this tool can also be run from the console (something I preferred). The chapter also covers another popular scanner called Nessus and shows to import the results to Metasploit for use. The chapter also includes noisy options like SMB login scanning or just looking for open VNC or X11 servers. Mentioned here first (but also frequently later in the book) is Back|Track for connecting to such targets. Something neat about this chapter is that if you don't care that your target knows you're attacking them, you can just move from these results collected with NeXpose, Nessus or OpenVAS and drop them into the 'autopwn' tool in Metasploit. It's three commands on the console and apparently works more often than it should.
Chapter five familiarizes the reader with the MSFConsole and its basic commands like showing all the exploits, payloads and targets available in the Metasploit Framework installed. These are constantly updated and maintained so they often change. With that information, the chapter proceeds to step the reader through an exploit in a Windows XP SP2 (MS08-067) and then a Samba exploit in Ubuntu 9.04.
Chapter six spices things up by introducing Meterpreter that extends the Metasploit Framework to serve a shell to the exploited system and from there perform additional attacks. The chapter shows how to brute force an MS SQL server and use the stored procedure xp_cmdshell to gain remote access. Meterpreter has a lot of neat features like keystroke logging, capturing screenshots and dumping password hashes (including the pass-the-hash technique). Simple commands in meterpreter can allow the user to easily and effortlessly accomplish many things: privilege escalation, token impersonation, pivoting to another system, process migration, killing antivirus software, system scraping, the list goes on. The chapter finishes by briefly mentioning an intriguing tool called Railgun that I wish they had spent more time on.
Chapter seven covers avoiding antivirus detection through tools like msfencode (to avoid your exploit being fingerprinted). Even better is encoding it many many times. If you know what antivirus your target uses, you can simply run the antivirus on your encoded exploit on your local machine to see if it's picked up. The chapter also covers the basics on continuing normal execution of a backdoored executable and packers that compress an executable for you with decompression code built in.
The book gets progressively more technical with chapter eight focusing on client side attacks. The chapter covers the NOP slide technique and also introduces the Immunity Debugger. It covers the Internet Explorer Aurora Exploit (MS10.002) as an end of chapter exercise for the reader to do. Chapter nine takes a quite look at Metasploit's auxiliary modules that allow the user to do many other things than just exploits. They run through the source of a mischievous Foursquare Location Poster that can make you appear to be everywhere on Foursquare. They also cover heap spraying attacks in web browsers — a topic that was particularly discomforting for me considering how long I often leave my browser open for.
Chapter ten was probably one of the more boring for me but a very important tool for pen testers. It shows how to turn the Metasploit Framework into a social exploitation tool that can be used to send templated e-mails to distribution lists. The intent of this, of course, is to get one user in a large company to click on a site that looks like their company's homepage and perhaps enter their credentials. By just selecting from lists of options, you can create java applet exploits that appear to be legitimately signed, clone a website like gmail and harvest credentials, tabnabbing, webjacking, man-left-in-the-middle and finally mixing those all together in a multipronged attack. The next chapter is just more exploits via Fast-Track (an open source Python based tool that builds on top of Metasploit).
Chapter twelve covers Karmetasploit, a Metasploit implementation of the wireless security tool Karma. The strategy of this exploit is to present your machine as a wireless access point. When a user connects, you can use karmetasploit to host fake webpages and grab their credentials or even gain shell access through a client side attack. Knowing how frequently people attach to anything in coffee shops and airports, this sort of attack could be particularly brutal and extremely easy to execute given Metasploit's simplicity for users.
The final chapters do an okay job of showing you how to first build your own module for Metasploit in chapter thirteen. Then in fourteen, the book looks at building your own exploit and goes into detail about fuzzing applications on your local machine and using the Immunity Debugger to look at what's happening given the fuzzed input. What follows is a lengthy discussion of the Structured Exception Handler (SEH) and the Next SEH (NSEH) and how you can manipulate registers and utilize JMPs to hit a NOP slide into your shellcode. This is one of the longest and most complicated chapters with probably the most technically intensive writing. I would like to see further editions of this book expand on things like this as it was important for me as a software developer to understand how these attacks are manufactured.
Chapter fifteen was similar to fourteen but showed how to port exploits to the metasploit framework. This chapter covers more so the general guidelines for writing exploits for the metasploit framework and doing it so that you leverage metasploit's flexibility. Chapter sixteen covers the scripting abilities of meterpreter and customizing that to execute further exploits once you have access to a target machine with meterpreter.
The final chapter brings the key steps together for a simulated penetration testing of a preconfigured system with web server (the book lists the Pirate Bay as a source of this torrent). As you work through this chapter, the phases of pen testing are exercised with all the aforementioned strategies employed.
This book was a real eye opener to read for a software developer. I haven't done formal pen testing aside from testing my own code so a lot of these advanced concepts were new to me. I enjoyed how the code was laid out with circled numbers marking code (instead of every line being numbered) that were referenced later in the text. I hope future editions of this book provide progressively more and more material as there's clearly a lot of sections that are condensed into a few paragraphs but could be expanded upon almost endlessly. I'm glad this sort of tool didn't exist during my younger more mischievous years as this book demonstrates that it could be used for gaining access to just about anything (depending on how much free time and skill you have).
You can purchase Metasploit: The Penetration Tester's Guide from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
China Calls For Even Firmer Internet Control
eldavojohn writes "Chinese state media has published a long article detailing why China needs to take even firmer stances on sites like Twitter and the internet as a whole, or risk backlash to the Communist Party from 'Internet opinion.' The commentary warned, 'Unless administration is vigorous, criminal forces, hostile forces, terrorist organizations and others could manipulate public sentiment by manufacturing bogus opinion on the Internet, damaging social stability and national security.' China seized upon the London riots recently to justify tighter internet censorship. The article, of course, ends with the conclusion that 'Clearly, in the future when developing and applying new Internet technologies, there must first be a thorough assessment, adopting even more prudent policies and enhancing foresight and forward thinking in administration.' While this provides China with their Emmanuel Goldstein and his Brotherhood, it should be noted that the People's Daily is often over the top."