I want to go somewhere.

I don’t know where, I don’t know when - But I want to go somewhere. Preferably across seas. I’ve been tossing around the thought lately of just buying a plane ticket and leaving the next day for a week; no plans, no hotel reservations - Just go.

A friend showed me Google Flights (It’s like most other flight sites - but of course Google has an incredibly clean and simple UI) the other day and I’ve probably been hitting the site a few times every day now, just checking out random places that seem interesting: Taipei, New Zealand, Tokyo, Ghana, etc. As soon as I can find a good time to do so I’m jumping on the plane and taking off for a week or two.

When I moved to California, coming from Cincinnati, I made it a week long road trip when I could have pushed for just a few days instead. The experience was great - I was able to see new things in a whole different light than what’s available when you are traveling with others. I visited St. Louis, Oklahoma City, Flagstaff, Kingman, and the Grand Canyon. 


It was incredible, and a complete eye opener as to what is out there. There’s so much to see and I can only hope to catch a glimpse of what’s available while I can. There’s no better way to clear your mind.

I’m trying to keep an open mind on great new places to see - What are your suggestions?

Vulnerabilities

I just spent the last half hour or so digging through CVE-2013-0249. A more extensive write-up of what’s going on can be found here, but in short - it’s a bug in the libcurl library - which, for those of you who don’t know, is used in pretty much any application that downloads something from a remote server.

The vulnerability occurred when you would send a curl request against a POP3 server (Or get redirected to one unintentionally by not specifying to only follow HTTP(S) redirects) and that server would respond with a malicious payload that had too large of a string in the ‘realm’ parameter. The curl library declares the variable as a char array of 128 bytes, so sending any data over that amount would cause a buffer overflow, such as in the proof of concept that Volema wrote.
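To make the fixed-buffer problem concrete, here is an added example (my own code, not libcurl’s source or the fix from the patch) of how a server-controlled realm value should be pulled out of a SASL challenge line. The 128-byte destination buffer is the size mentioned above; the challenge strings are constructed samples rather than captured POP3 traffic, and the `realm="..."` attribute format is the DIGEST-MD5 style the post refers to.

```c
/* Added example, not libcurl's source: bounded extraction of the realm="..."
 * attribute from a SASL DIGEST-MD5 style challenge. The 128-byte destination
 * buffer is the size the post mentions; the challenge strings are constructed
 * samples, not captured POP3 traffic. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define REALM_MAX 128 /* fixed-size destination buffer, as in the post */

enum realm_status { REALM_OK = 0, REALM_MISSING = -1, REALM_TOO_LONG = -2 };

/* Copies the quoted realm value into out[outlen]. The unsafe idiom this
 * replaces is copying a server-chosen value into a fixed char array without
 * measuring it (strcpy, or sscanf with an unbounded %s): anything longer than
 * the array overruns it. Here the length is checked before a single byte is
 * written, and the terminating NUL is counted against the budget. */
int parse_realm(const char *challenge, char *out, size_t outlen)
{
    static const char key[] = "realm=\"";
    const char *start = strstr(challenge, key);
    if (start == NULL)
        return REALM_MISSING;
    start += sizeof key - 1;
    const char *end = strchr(start, '"');
    if (end == NULL)
        return REALM_MISSING; /* unterminated value: treat as absent */
    size_t len = (size_t)(end - start);
    if (len + 1 > outlen)
        return REALM_TOO_LONG; /* would not fit together with its NUL */
    memcpy(out, start, len);
    out[len] = '\0';
    return REALM_OK;
}

/* Builds a constructed challenge whose realm is realm_len 'A' characters and
 * parses it into a REALM_MAX buffer; returns the parser's status so the
 * boundary (127 fits, 128 does not) can be checked. */
int parse_realm_of_length(size_t realm_len)
{
    char challenge[600];
    char realm[REALM_MAX];
    static const char prefix[] = "realm=\"";
    static const char suffix[] = "\",nonce=\"abc\",qop=\"auth\"";
    if (realm_len > 512)
        realm_len = 512; /* keep the sample inside its own buffer */
    size_t n = sizeof prefix - 1;
    memcpy(challenge, prefix, n);
    memset(challenge + n, 'A', realm_len);
    n += realm_len;
    memcpy(challenge + n, suffix, sizeof suffix); /* includes the NUL */
    return parse_realm(challenge, realm, sizeof realm);
}

int main(void)
{
    char realm[REALM_MAX];
    /* constructed sample of a benign server challenge */
    const char *benign = "realm=\"mail.example.test\",nonce=\"abc\",qop=\"auth\"";
    if (parse_realm(benign, realm, sizeof realm) == REALM_OK)
        printf("accepted realm: %s\n", realm);
    printf("realm of 127 bytes -> %d, 128 bytes -> %d, 300 bytes -> %d\n",
           parse_realm_of_length(127), parse_realm_of_length(128),
           parse_realm_of_length(300));
    return 0;
}
```

The check worth noticing is `len + 1 > outlen`: a 127-character realm is the longest value a 128-byte array can hold once the NUL is counted, so a 128-character value is already rejected rather than written one byte past the end.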

Reading through the source for libcurl gave me an opportunity to read through code that wasn’t mine and see what exactly was going wrong that caused this to happen. My C skills are pretty subpar, but I did an alright job tracking it down - And after looking at the patch I was happy to find I was right on track for where the bug was located.

It’s good to “Stretch yourself in different directions” (James Paul Holloway) and put yourself out of your comfort zone. The other month I cloned the ubuntu-precise repo and poked around, and it was great to see how a few things were done - I’d like to continue doing that but rarely think to do so. Perhaps I could add something like this to my daily programming kata.

Why I hate PayPal

I’ve been wanting to get back into blogging - so what better way to do so than when you’re pissed about something, right?

%!@# PayPal. Seriously. I hate it.

And I’m not the only one, seriously - 30,100,000 results for such a vulgar statement? That’s saying something.

PayPal, you need to change. And you need to do it fast. Your fraud department is absolute bullshit, you don’t follow your own ToS, you don’t listen to your customers, you’re a monopoly, want me to keep going? Okay - You side with the wrong person, you steal money (Bullshit charges that you can’t refute), you hold money hostage, okay I’m worn out.

I’ve been operating VPSInfinity, LLC for around 2 years and am now closing down (Unrelated). I have used PayPal and only PayPal ever since then. I really had no other real alternatives; everyone has a PayPal and if you don’t offer it - well, there goes the majority of your customer base. I’ve lost, easily, $2-500 in chargebacks. I know, not a massive amount - But for the amount of money I was pulling in, it was a decent chunk of change; and still, the point is that PayPal completely screwed me over.

VPSInfinity rented Virtual Private Servers catered towards game macros. Everything was setup to be instantly activated upon receiving payment - WHMCS was the billing system I used, and SolusVM was the provisioning system I used. Invoices were matched to each server, which you had to register in the system to place an order to begin with, servers were automatically provisioned and emails automatically sent. My support channel was always open and I always responded to tickets in a timely manner, and of course had hundreds of previous orders that had gone through the same account - and even with all of this information thrown at PayPal, they still would instantly conclude that the “item was not delivered” when those were the disputes that arose.

Oh - and seriously PayPal, you need to follow your own damn ToS. Disputes are not allowed to be opened 45 days after payment. My servers are delivered instantly - and are on a month-to-month basis, so if someone charges back there’s no way I can, at the very least, terminate their server and sell the space to another customer - I’m just screwed at that point. I had a dispute come in last week like this; PayPal messaged me saying “This dispute has been deferred because it was not opened within 45 days of payment.” but what happened not a day later? “Recently, PayPal received a notification from a user regarding unauthorized access to his PayPal account. As a result, one of the payments credited to your PayPal account has been placed in a temporary hold while we investigate the claim.”

What.. What!? You just told me that you were deferring this crap. Which leads me to my next point.

What really irks me is when a dispute comes up with “Unauthorized payment”. Really.. Really? You’re punishing me, the seller - because some moron doesn’t know basic security protocol in how not to be phished or have a strong password? So they get their money back, and I lose mine? So who do I get to dispute? No one. Yup, I’m just out the money.

So what does PayPal need to do?

  1. Work with your customers. It’s a 1 message process for each party normally during a dispute. Buyer opens a dispute - Seller responds - PayPal decides. Message what you want to help prove who’s in the right here, especially when it’s a “virtual good” like hosting.
  2. Unauthorized access claims are bullshit. Sellers shouldn’t be punished. Case in point.
  3. Fees! This isn’t a big enough point to merit a paragraph in my rant, but you really need a flat fee - percentages take way too much out of my revenue!
  4. Man, I don’t know - You have so much to fix that I’m overwhelmed trying to come up with things to say. Seriously, listen to your customers - There’s enough rants about your company; however sadly, that’s what happens when you have a monopoly - you lose sight of your purpose and how to become better.

The Rise of Cloud Storage

Big news today in all things tech, and more specifically - the cloud storage arena. After years of rumors, Google Drive has finally been released; but what’s more interesting is just the other day Microsoft (re)released their cloud storage solution: SkyDrive.

Cloud storage and syncing is nothing new - DropBox, Box.net, SugarSync have been doing it for quite some time now. So what’s the big deal with Google and Microsoft jumping into the game? Hell, Apple has been in it for a while as well with iCloud - Steve Jobs even tried to buy out DropBox! Well the “big deal” is exactly that - these guys are big. Microsoft and Google have the potential to really bring cloud storage mainstream and have the rest of the internet jump on this opportunity - and that’s going to really change things.

All of these services have their ups and downs, and that’s exactly what we need - Companies to innovate and bring new features to the table to drive down prices and increase usability.

Personally, I’m an absolute huge fan of Dropbox; I don’t think I could live without it anymore. I have my desktop, netbook, and Android phone all synced up to the service. My pictures, documents, videos, projects, etc are all stored on the cloud and I’ve gotten it to the point where if any of my devices were destroyed, completely obliterated, I’d be alright (Except for the fact that I’d be out a computer/phone…). Currently I don’t pay for the service, but I have 15GB of free space available to me (Thank-you referral links and other bonuses) and I’m only using about half of it, but I’ve looked at Dropbox’s pricing and to be honest - it’s too much, even if I needed the space. Both Microsoft SkyDrive and Google Drive are really undercutting Dropbox’s prices and I’m curious as to what Drew Houston is planning to do about that.

Competition is always a good thing - at least from the consumer perspective. To be honest, that’s why I don’t bother participating in iOS vs Android debates anymore - both are pushing each other to become a better product and you should just pick the one that suits you best (And for me, that’s Android).

I’m really looking forward to see what all of these companies are going to push out. I think I’m going to stick with Dropbox regardless though, unless something really blows me out of the water. As much as I love Google, Dropbox is a perfectly viable alternative and switching over to GDrive doesn’t seem to benefit me right now - so I’d prefer to keep some sort of distance between the company, considering they already own every other part of my online life.

I would love to give some reviews on all of the Android apps, but right now Google won’t let me update - their app said they would “notify me” when it was ready.. and SkyDrive is making a bold (And stupid) move of not (currently) supporting Android - and well, iCloud is iOS only. So, not much I can review there.

What does everyone else use for the cloud storage solutions - and if you don’t have one, which would you choose?

Tightening up security - Part 2

If you haven’t already, check out my original post: “Tightening up Security”.

Over the past couple of weeks I’ve really been trying to ensure all my bases are covered (Or at least as covered as I can make them - unfortunately when the bad guys have the will, they have a way) regarding my computer security. My first post brought up network and data encryption, backups, monitoring software, and locking down your computer to thwart amateur physical attacks; but I left out a few things that I wanted to come back and touch on.

The first thing I want to talk about is 3rd party software:
After years of using computers, most people know what their default go-to software applications are for various computing scenarios. For instance they use Browser X for web browsing, Y reader for PDF files, and Z program for file compression. Unfortunately, as we get into our comfort zone - the bad guys are sneaking in the back door quietly while we’re kicking back and taking a nap. 

Time and time again it has been shown that the more popular a program is - the more likely it is to be targeted for exploits and malicious use. Just look at the Windows vs. OSX debates; yes, OSX is safer since it is Unix based - but it also has a much lower market share, so why should the bad guys bother with it when they can get 3x as many users by targeting an easier and larger user base? Now, just because a program is popular doesn’t automatically mean that it will be bad - but you can be sure that individuals are working to break it.

Anyhow, a few programs that I use as alternatives (Feel free to add to this by reblogging or replying to the question box below - Also keep in mind not all of these are security issues, some I just like to switch out for other reasons):

  • Internet Explorer - Chrome or Firefox (I use Chrome)
  • Adobe Acrobat Reader - Foxit Reader (Definitely should switch to this or another alternative PDF reader, Acrobat Reader is bad news)
  • WinRAR - 7-Zip
  • Windows Media Player - VLC Player
  • Microsoft Windows Office - OpenOffice or LibreOffice (Actually I still use MS Office since I get it for like $10 on campus, but definitely think these are worth mentioning)

The second item I would like to address is passwords:

Passwords are used for everything - and for good reason, they keep your information safe! But this is an example of a chain only being as strong as its weakest link, and guess what - that weakest link is you.

Absolutely everyone needs to follow good password protocol. But what does that mean? It means a lot of different things, I could lecture for hours on end just on very simple things - but I’ll try to knock a few out right here.
Length - For just a single password - this is probably the most important property in a good password. At DerbyCon last year one of the speakers was demonstrating how to crack every Windows password hash on a computer if an attacker had physical access; during this we watched as a more complex password (Something like b3nk3n0b1) was cracked insanely quickly while a longer, less complex password (Something like LolNoOneWillEverGuessThisPass) took incredibly long - if it was even cracked at all, I can’t remember - but the point is that length definitely matters, and if you throw in complexity as well - you’re golden.. which drives me into my next point.

Complexity - People, it’s so simple. Just add a few random symbols, spaces, and capital letters, and for the love of God, stop making your passwords dictionary words or well known facts about yourself. Just a short example here on how much of a difference this can make just by adding one abnormal symbol.

The password “mypassword” would take a desktop PC about 6 days to crack.
The password “mypassword1” would take a desktop PC about 16 years to crack.
The password “mypassword%” would take a desktop PC about 69 years to crack.

Source: www.howsecureismypassword.net

Please, please, please keep in mind that this is strictly for informational purposes related to brute forcing a password and this does not take into consideration smarter analyzing - so please do not use “mypassword%” because in reality it would be cracked very quickly when using various techniques if you were sincerely being targeted. The point I want to make here is that using symbols will drastically increase your security - so do it!
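The arithmetic behind both the length and complexity points, and behind the caveat just made, can be written down in a few lines. The following is an added example (my own code, not from the post or from the site cited above): it counts the candidates a naive brute-forcer must try for the sample passwords above, and then the far smaller count a wordlist-plus-one-appended-character search needs for “mypassword%”. The character-class sizes, the 10^9 guesses per second rate and the 10^6-word list size are assumptions chosen for illustration, so the years it prints will not match the figures quoted from the site.

```c
/* Added example, not from the post or the site it cites: a worst-case count of
 * the candidates a naive brute-forcer must try, and the much smaller count a
 * wordlist-plus-rule search needs for a dictionary word with one appended
 * character. The class sizes, the 10^9 guesses/second rate and the 10^6-word
 * list size are assumptions chosen for illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LOWER_COUNT   26
#define UPPER_COUNT   26
#define DIGIT_COUNT   10
#define SYMBOL_COUNT  33  /* printable ASCII punctuation plus space */
#define SECONDS_PER_YEAR (365.25 * 24.0 * 3600.0)

/* Alphabet a brute-forcer has to cover: the union of the character classes
 * present in the password (one symbol grows it by all SYMBOL_COUNT symbols). */
unsigned charset_size(const char *pw)
{
    int lo = 0, up = 0, di = 0, sy = 0;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (islower(*p))      lo = 1;
        else if (isupper(*p)) up = 1;
        else if (isdigit(*p)) di = 1;
        else                  sy = 1;
    }
    return lo * LOWER_COUNT + up * UPPER_COUNT + di * DIGIT_COUNT + sy * SYMBOL_COUNT;
}

/* Worst case for exhaustive search: charset^length. Computed in double because
 * a 29-character password overflows 64-bit integers. */
double bruteforce_keyspace(const char *pw)
{
    double space = 1.0, base = (double)charset_size(pw);
    for (size_t i = 0, n = strlen(pw); i < n; i++)
        space *= base;
    return space;
}

/* Years needed to exhaust keyspace at rate guesses per second. */
double years_at_rate(double keyspace, double rate)
{
    return keyspace / rate / SECONDS_PER_YEAR;
}

/* The "smarter analyzing" the post warns about: a word from a list of `words`
 * entries with one appended character falls within words * appended_charset
 * guesses, whatever the brute-force figure says. */
double wordlist_keyspace(double words, unsigned appended_charset)
{
    return words * appended_charset;
}

int main(void)
{
    const char *samples[] = { "mypassword", "mypassword1", "mypassword%",
                              "b3nk3n0b1", "LolNoOneWillEverGuessThisPass" };
    const double rate = 1e9; /* assumed guesses per second */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        double space = bruteforce_keyspace(samples[i]);
        printf("%-30s charset=%2u keyspace=%.3g years=%.3g\n", samples[i],
               charset_size(samples[i]), space, years_at_rate(space, rate));
    }
    /* mypassword% treated as "dictionary word + one symbol": 10^6 words * 33 symbols */
    double mangled = wordlist_keyspace(1e6, SYMBOL_COUNT);
    printf("wordlist+suffix for mypassword%%: %.3g guesses (%.3g years)\n",
           mangled, years_at_rate(mangled, rate));
    return 0;
}
```

Two things stand out when it runs: the 29-letter password, with no digits or symbols at all, has a keyspace many orders of magnitude beyond the 9-character mixed one, which is the length point; and the wordlist figure for “mypassword%” is tens of millions of guesses rather than the brute-force number, which is exactly why the quoted estimates must not be read as real-world resistance.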

Stop using the same password for everything - This is so, so important. Every time you sign up at a website or service and you use the same username/email/password that you always do - you’re digging yourself a deeper grave. It just takes one of these sites to be compromised and then an attacker has access to an entire database of username password combinations in which probably 1/3 - 1/2 of these will be working for many other sites as well. The more you do this as well, the less chance you have of even knowing some of your data was compromised - how often do you go on a website to never do so again? You could come back a year later and find out someone has been posing as you, or worse - using other services as well that you didn’t know about. Not. Fun. 

So you think you’ll have a harder time remembering all of your passwords if you stop using the same one? Set up a system for your passwords that allows them to change for each website - but in a way that you’ll easily be able to distinguish the passwords from each other, while someone looking at one still can’t guess what another password is. Maybe throw in the name of the site you’re on, or something like that. There’s a world of different combinations - and you best come up with one since this is an extremely pivotal point in password security.

Facebook/Twitter/G+/etc Single Sign-On - This one is pretty easy to do. If you’re using Facebook or some other network to register and log in to websites - never re-enter your password! The cookies are saved, and unless it’s a malicious (Or extremely poorly coded) site - which you don’t want to be a part of anyway - you should never input your sensitive information on that website. They should be making a direct call to XYZ, and if you’re already logged in (If not, go log in on XYZ’s own site and then refresh the page you’re trying to register/login to) it should just prompt you on whether you want to add the website or something like that - but it should never ask you to input your credentials unless they’re just trying to steal them.

Whew - *wipes brow*

That turned out to be a bit longer than I expected, but I’m glad I got to it - Actually this post has been sitting in my Tumblr tab for a day now since I got busy and wanted to make sure to come back to this. As I continue to go into lock-down mode to protect myself from the bad guys, if I come up with anything else I’ll be sure to write about it and hopefully others can work to protect themselves as well!

As always - if you’d like to, add what you do to increase your security by either reblogging or answering the question below!

What do you do to increase security?

Tightening up security

Lately I’ve been trying to be better about following good security protocol, even for things I may think don’t need as much of a lock down. With the increasing influence of the US government infringing on our privacy rights with ACTA, SOPA, and CISPA - it’s becoming more and more apparent that we really need to take matters into our own hands to ensure that our online anonymity is preserved and our rights not left on the curb.

There are many ways in which to protect your information and I’m trying to (eventually) pull out all the stops. A few things that I’ve added are below:

VPN (Virtual Private Network)

This is probably one of the best things someone can invest in; especially with all the recent crack down on internet traffic privacy. I’ve been meaning to look into getting one for quite some time, and finally am getting around to it. I read a bunch of reviews and noticed a trend among a lot of “popular” VPN services, and that was that they were keeping logs on all of your data! Now that’s a big no-no if the reason you’re getting a VPN is to preserve anonymity. After a bit of research I found a nice article by TorrentFreak that really helped me make a decision in who I would go with (Which I’ve decided on these guys, by the way). A VPN will also, and this is another huge benefit for me, encrypt all of your traffic so if you’re on a public wi-fi you don’t have to worry about having your data be snooped upon.

TrueCrypt (Data Encryption)

Now I’m sure we all have things on our computers that are sensitive, such as financial information, that we most definitely would not want prying eyes looking upon. My original reason for using TrueCrypt (Or just any encryption in general, it’s just that TrueCrypt is known for being excellent) is that I use DropBox for everything - and I mean everything - I could throw my netbook and my desktop out the window and still have all my data preserved. Now as far as I know, DropBox only encrypts their data in transit, and not actually on their hard drives - and I’ve heard a few horror stories of security issues in DropBox’s early days, so it definitely doesn’t hurt to be on the safe side; plus now my data is also encrypted against a physical theft or break-in.

BIOS Password

Having a password on your BIOS is just an extra layer of protection from physical theft. I bring my netbook with me just about everywhere, and while I keep any sensitive data in TrueCrypt drives - I still don’t like the thought of someone running through my stuff. This will prevent users from re-installing the operating system (Assuming they don’t physically take out the hard drive) as well as from booting up the machine to begin with. It’s not a perfect solution, but I think it would definitely help thwart those who are less tech savvy.

Prey (Or other monitoring software)

Prey is software that you can install on your machine that can do a little bit of extra snooping for you if your computer is stolen. You can check out their website for a full list of features, but in short it can: Take pictures of the thief, lock your computer, play sounds, monitor any changed files, etc.

Personally, I have a non-password-protected guest account on my netbook - and then my password-protected main account - in order to lure the thief into the guest account, which has limited privileges. (Yes, I know this is imperfect as well since a tech savvy person can always use a tool to crack the Windows password hash - but regardless, all my sensitive data is stored in TrueCrypt files).

Dropbox (Backup and syncing solution)

This one doesn’t really fall under security - but I think a proper backup routine is absolutely essential since you never know when shit will hit the fan. Read my notes above on TrueCrypt on my setup for this to ensure your data is secure. I live by Dropbox though, I have 3 flash drives on my key-chain and I don’t even use them (Okay, that’s a lie - my 8GB drive has 5/6 of the Star Wars Episodes on it and BT5 was on another, but I think that drive failed anyways - regardless, I don’t use it for working data like most people would). I keep all my pictures, documents, work, code, etc. all backed up onto Dropbox - As well as a folder simply for installation executables that I can’t live without on a new Windows installation, so if I ever reformat - boom, I have all the programs I could possibly want.

Well that’s all I’ve got - for now. What are you doing to help tighten up your own security?

Time to pull the trigger!

I’ve been saying for months now that I want to move out to California and join my good friend Zach LaGreca in the heart of technology, Silicon Valley. While I was previously waiting on a job offer, or something else to really make me feel comfortable in getting out there - I have come to realize that this is an excuse and if I want to do something, I have to do it!

For that reason, I’m flying out there at the beginning of next month to scope things out (Meaning hang with friends for an extended weekend, shh - I’m trying to sound professional) and then a month after that, once the school quarter is over, I’m packing up and driving across the country!

"But Thomas, what will you do for a job?" If you’ve followed my previous posts, I’ve been working on a few Android Applications - These have been to help me get comfortable with the Android SDK; so I plan to work with others and develop applications for clients on a professional level. I love the Android platform and I think this would be an awesome fit for me, especially since I won’t have to report to anyone else and can truly learn and work on what I want to better improve my abilities!

Wish me luck, world. Time for me to take you on.

Don’t be afraid to take a big step if one is indicated. You can’t cross a chasm in two small jumps.

Nerd Movies

The other day I was watching a comedy show with my Brother and the two comedians mentioned some obscure movies that I had never heard of; this got me thinking - what other great films have I missed out on? Now I’ll be honest, there are some movies that I’m somewhat ashamed to say I’ve never seen, or haven’t finished a series, like the Lord of the Rings films.

Browsing through forums and other sites (Cough, Reddit) it’s not an abnormal occasion that I don’t get a joke because I haven’t seen a movie. For that reason - I’ve decided to build up a good list of movies that every nerdy person (Or if you just like good movies) should see.

And we begin.

  • Star Wars Episodes (Order is personal preference)
  • Primer 
  • Matrix (Your choice if you want to watch the full Trilogy)
  • Lord of the Rings
  • Hackers
  • Spaceballs
  • Tron (New and Old)
  • Planet of the Apes
  • Short Circuit

That should last me at least a little while - what else would you add?

I was working in a 60,000 line file today - all I could think, lol.
