Category Archives: Operating Systems

VirtualBox Install on Mac OS X

I thought that I’d give this a go – this is a very short run through of an install of VirtualBox on Mac OS X. Comments on production issues are very welcome, I’d like to improve these to the point of getting them useable !

Thanks !

 


How to Automate Twitter – a bit at least !


I’ve been trying to push up the readership of the blog here ( and get some people to stick around a bit, subscribe, follow on twitter etc. )  I’m not a Facebooker – I do have an account ( or two … ) but they contain nothing much of interest, they were created in order to investigate how FB worked, rather than anything else, so I’m not exactly the stereotypical user ! I make use of LinkedIn and Twitter as my online “social” tools and I’ve not graduated beyond that. The trouble is, I believe, in the transient nature of Twitter – I Tweet and it disappears off the bottom of the screen in seconds as others’ posts come in and push it down. I’ve watched for a while, and it seems that the “successful” Tweeters post their links frequently – keeping them in view for a longer period of time.

Now, I have to admit that I am lazy, but also geeky – I want to post a tweet advertising the blog frequently, but without user interaction. I’m sure that people will pop-up and tell me of things that automagically do this for me – HootSuite springs to mind – but having used it, it has already upset me with its scheduling system – the CSV upload is a pain, and, as of yet, I’ve not managed a single one without an error. Sooo, as I spent a while ago messing around with Twitter and Perl, I thought that the easiest way forward might just be to write my own.

For want of a better methodology, as I intend to post once a week, I want each entry alerted on immediately, and then in increasing intervals until the next post is due out ( 1 week hence ). I don’t want mid-term posts to reset the last week’s worth, but if it is relevant ( like I hope all posts are !) then I do want to publicise it for a full week as well. I’ve tried a couple of exponential increases, (2 * last period, 1.5 * last period ), but to be honest as I’m sure you can imagine, it gets up to over a day fairly quickly … (Google “exponential” if you want to know more !)  So I’m going to say day one is once every two hours, day two is once every three hours, day three once every four hours, day four is four times in the day, day five is three times a day, day six is twice, and just the once on the seventh day – heck, if God can take a rest, so can our program ! That gives us a total of 36 Tweets, weighted towards the start whilst the post is fresh and tailing off as the new post comes along.
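The schedule above, worked through in Python as an added example (it is not code from the original post). The function names are hypothetical, and spacing the tweets evenly within each day is an assumption.

```python
from datetime import datetime, timedelta

# Tweets per day for the week after a post goes live, as described above:
# every 2 h, every 3 h, every 4 h, then 4, 3, 2 and 1 tweets a day.
TWEETS_PER_DAY = [12, 8, 6, 4, 3, 2, 1]


def tweet_times(published):
    """Return every tweet time for one post, the first at publication.

    Assumption: tweets within a day are evenly spaced, so "four times
    in the day" becomes every six hours.
    """
    times = []
    for day, count in enumerate(TWEETS_PER_DAY):
        day_start = published + timedelta(days=day)
        gap = timedelta(hours=24) / count
        times.extend(day_start + i * gap for i in range(count))
    return times


def due_now(published, last_run, now):
    """Tweets that fell due since the previous run (e.g. a cron job)."""
    return [t for t in tweet_times(published) if last_run < t <= now]


if __name__ == "__main__":
    posted = datetime(2012, 7, 1, 9, 0)   # constructed publication time
    schedule = tweet_times(posted)
    print(len(schedule), "tweets; last at", schedule[-1])
```

Because each post carries its own publication time, a mid-term post gets its own full week without resetting the previous one.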

As always stated with my programming posts, I’m not a programmer, any similarity to programmers living or dead is entirely coincidental. I like programming in Perl, because, not only is “there more than one way to do it”, I can usually figure out at least one of those particular permutations – elegant as my solution may not be … [ if you want to see elegant programming – and the output of the man that I go to when I get stuck – have a look over here. Shamefully he wastes his time in the world of Microsoft, but we forgive him a lot 😉 ]

It turns out, much to my annoyance, that the authentication methods that I was using in “Hacking around with Twitter” are no longer valid. It seems that I now need to use OAuth1 … However, after several hours of buggering around with it I failed completely to get it to work. So back to the drawing board there …

Python anybody ?


I’ve been meaning to get cracking with Python for some time. I was a die hard Perl fan until the day I saw the graphs that came from matplotlib – I was taken by the quality and professionalism of them, and I immediately spent far more money than can be considered sensible on all sorts of Python books so that I too, could make maths and art become one and the same thing. It seems though that I have the same level of programming ability as a garden slug when it comes to moving languages, and the same sort of speed of movement. It took me three years (ish) at university to learn C [ and ML and Prolog – but let’s be honest, neither of those actually count as programming languages ] and it’s taken me countless years since to learn to threaten, coerce and cajole Perl to do my bidding at least 50% of the time.

This, then, is my forced introduction to Python – my baptism of fire ( although God only knows why, if I can’t do it in Perl I stand the least bit of chance in Python ! ). And, not only that, I’m going to push it out here for your ridicule and derision.

Another day, I’d like to walk through the Rackspace cloud with you, but that’s for another day – let us just say, that I quickly threw up a Fedora 15 (Lovelock) instance to play with, and was deeply relieved that Python appears to be a standard part of the distribution. For reference my development environment also consists of Komodo Edit, which is excellent, with supported syntax highlighting for both Perl and Python ( and HTML and C and C++ and … ) and which, when correctly configured, is quite happy using scp to remotely edit files and browse remote directories.

I understand that the Python equivalent of CPAN is PyPI – the Python Package Index – and, after installing the package, I’ve used that to install the Tweepy library. I’m not going to repeat the guidance on creating a new application in either (both!) of the blog links below – what I will say though is that you should remember to set your application settings to Read and Write – otherwise it won’t work 😉 [2]

I’ve split the examples out so that there is a config file that holds the various keys. Its format is as follows:

[consumer_keys]
CONSUMER_KEY = consumer_key_here
CONSUMER_SECRET = consumer_secret_here
[access_keys]
ACCESS_KEY = access_key_here
ACCESS_SECRET = access_secret_here

Obviously insert your own, hard earned keys in here – no inverted commas or anything, as they get parsed in a minute with ConfigParser. [ Basically, I couldn’t go through the rest of this worrying about accidentally publishing my keys every five minutes. ] I used the script provided in the example to do this, although it seems that you can generate these keys for your own Twitter account in the developer section of the site without going through the pain or the learning experience.

I’m getting worried how long this post is getting – especially after a discussion with a young man the other day who said that his dissertation was 5000 words only and I’ve written a 5th of that ! – so below is the remainder of the sample code for a command line client, this takes text after the command ( contained in ' ' ) and updates your status with it ( e.g. ./twitter.py 'It lives!' ):

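#!/usr/bin/env python
# Command-line client: ./twitter.py 'It lives!'

import sys
import tweepy

try:
    from configparser import ConfigParser  # Python 3
except ImportError:
    from ConfigParser import SafeConfigParser as ConfigParser  # Python 2

# The keys live in twitter.conf, never in the script itself
parser = ConfigParser()
parser.read('twitter.conf')

CONSUMER_KEY = parser.get('consumer_keys', 'CONSUMER_KEY')
CONSUMER_SECRET = parser.get('consumer_keys', 'CONSUMER_SECRET')
ACCESS_KEY = parser.get('access_keys', 'ACCESS_KEY')
ACCESS_SECRET = parser.get('access_keys', 'ACCESS_SECRET')

# Authenticate with OAuth, then post the first argument as the new status
auth = tweepy.OAuthHandler(CONSUMER_KEY, CONSUMER_SECRET)
auth.set_access_token(ACCESS_KEY, ACCESS_SECRET)
api = tweepy.API(auth)
api.update_status(sys.argv[1])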
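Keeping the keys in twitter.conf only protects them if the file itself is private and actually filled in. The loader below is an added example, not code from the original post: the function name `load_twitter_keys` is hypothetical, and it assumes a POSIX system and the section and option names of the config file shown above.

```python
import os
import stat
from configparser import ConfigParser

PLACEHOLDER_SUFFIX = "_here"   # the sample file's dummy values end like this

REQUIRED = (("consumer_keys", "CONSUMER_KEY"),
            ("consumer_keys", "CONSUMER_SECRET"),
            ("access_keys", "ACCESS_KEY"),
            ("access_keys", "ACCESS_SECRET"))


def load_twitter_keys(path="twitter.conf"):
    """Read the four OAuth values, refusing an exposed or unfilled file."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # Any group/other permission bit means other local users can get at it.
        raise PermissionError(
            "%s is accessible to group/other (mode %o); run: chmod 600 %s"
            % (path, stat.S_IMODE(mode), path))

    parser = ConfigParser()
    parser.read(path)
    keys = {}
    for section, option in REQUIRED:
        value = parser.get(section, option).strip()
        if not value or value.endswith(PLACEHOLDER_SUFFIX):
            raise ValueError("%s/%s still holds a placeholder" % (section, option))
        if value[0] in "'\"":
            raise ValueError("%s/%s is quoted; remove the inverted commas"
                             % (section, option))
        keys[option] = value
    return keys
```

The error messages name the file and the option but never echo a key value, so they are safe to send to a log.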

I’ll write a second post within the next week to update the remainder with a full program to automate the remainder of the posting process – I want to get it running asap to be honest, as I think I’m missing out !


1. With thanks to David Moreno’s blog post on the issue as my starting point on OAuth for Perl, and perhaps the first and last bit of it that I understood ! And Jeff Miller’s blog post for the Python equivalent.
2. Which may well be why I couldn’t get the darn Perl version to work, I realise now. However, a kick in the pants, is a kick in the pants for whatever reason it comes …


Elgato game capture HD – A quick review …

It’s been a bit of a perfect storm – the step up in blogging, my son’s birthday request and a review in The Times – all within a few weeks of each other – has led me to buy an Elgato game capture HD. I wasn’t convinced that, as a life necessity, the need to record a kill streak on MW3, or, more to the point my son knifing me in the back yet again was really that great a plan – but when I discovered that this device was happy to accept any HDMI input, it started to gain ground. For some time I’ve been using the HDMI output from my MacMini, and a couple of laptops ( as well as the PS3 ) as the standard video/audio connection rather than faffing around with other connections, usually with far less successful results, so, as I had been thinking about capturing some video tutorials for the “Introduction to PenTesting” series that I’m running on Forensic Focus the Elgato gcHD seemed to be quite an interesting fit to the problem.


Anyhoo … I wouldn’t go as far as to say that it’s hard to get hold of – Amazon is Amazon as always, however there isn’t exactly a crowd of people trying to sell you one of these, so perhaps it is rather a niche market. There was a rather long lead time predicted ( 2 to 4 weeks ) although this seems to have disappeared, and, mine didn’t take that long to arrive in any case. When it did get here, I must admit to being rather surprised at how small it is. I don’t know what had given me the impression that it would be more substantial, but it is maybe 3.5″ by 2″ by 1″ of rounded shiny black plastic. Feels substantial enough. What was a pleasant surprise was that it comes with all the required cables – a short HDMI, a PS3 special cable, a composite cable and a USB cable – everything that you need as it requires no additional power beyond that drawn from the ports.

Connection is easy enough, provided you read the manuals – the device won’t work with the PS3 HDMI out for example, only the special cable – which did cause a little head scratching ! However that’s not what I was interested in – and I’ll let my son write and post a gaming perspective guest review shortly – for me I couldn’t wait to try it with a PC HDMI connection. My quick test rig is a Sony Vaio running Windows 7 with an HDMI out and my MacBook Pro taking the USB feed. The software isn’t included in the package – but is only a quick download from the Elgato website. There are both Mac and Windows versions ( so I may try this the other way round before long – I have a Mac MiniDisplayPort to HDMI adaptor cable ) and it took no time at all to download and install. The software isn’t very “feature rich”, but it is straightforward and easy to use.

Basic Recording Screen for Elgato game capture HD on MacOS X

There are a number of built-in submission tools for the likes of YouTube, Facebook, Twitter but also for conversion to various “i” formats ( iPad, iPhone), e-mail, ProRes ( whatever that is … ) and just dumping them in your movies folder. I’ve not experimented with these yet, but I might have a go with the Twitter one at a later date. I think that the boy has ideas ( partially because I pointed them out to him when The Times article quoted a £60,000 a month profit of online games review sites ) of uploading some things onto YouTube, again, I’ll let him address the effectiveness of this in his review.

Basic Editing Screen for Elgato game capture HD on MacOS X

I wasn’t that impressed with the editing features of the app, which are, to say the least, basic. I’m a long term Mac user though, and thus am not afraid to nip into the App store and put down some hard earned cash on an “i” app – a quick “iMovie” purchase later ( less than £11 ) and I was able to import the .m4v file for some more capability in post-production as it were.

All in all I’m impressed, I’ll update this as time goes on and there are actually some videos created that I’ve uploaded and might – very might – actually contain some real content …

Until such time, check this one out – this is the Mac with HDMI out, feeding back into itself …


Five free ways to improve your security


We’re in recession, lest we forget – it isn’t like the press is going to let it slip from our minds – so money in a tight field is getting tighter. However, even for large businesses improving security need not cost the earth, or indeed anything at all ( apart from some time, and we must recall that time is equal to money ). To that end, I thought that I’d put down five very cost-effective and pragmatic ways to significantly improve your security.

1. Patching

Certainly at a desktop or server OS level, patches are mostly available for free. ( If you have devices, operating systems or applications that require a maintenance contract for patch updates – this isn’t quite for free, however let’s, for the time being assume that this cost is covered off already. ) Patching up to date ensures that, with the exception of those pesky “zero-day” problems, your system is protected against known vulnerabilities. I’ve been to many, many organisations where patching is so out of date the measure is years – that’s seriously wrong. The excuse is often – “our application is so unstable we can’t” – let us think carefully about this statement and consider, under these circumstances what we should do about it … if and only if this is true and there is nothing that you can do to get the application maintained – then can it remain as is – however the device or server should be isolated behind other mitigations. ( So much so that if I am scanning your network in a vulnerability or penetration test – I don’t want to be able to see the patch level. )

2. Review your Firewall Rules

When was the last time you reviewed your firewall rules ? You’ve added some recently I’m willing to bet, but have you purged old entries ? Do you have a process for deleting rules when they are no longer needed ? Each “allow” rule is a doorway into your network – if it isn’t needed, lock the door. Incidentally, at this time it is wise to pre-empt the next point, is there supporting documentation surrounding your firewall ruleset ? At a minimum, you need to know what the rule is for in English, ( e.g. “allow port 80 tcp to 123.234.123.234 from 123.235.0.0” doesn’t tell me anything, “http website access to the stock server from the warehouse subnet” does. ) And who owns it ( John Smith from Warehouse Control ). That way, a review involves going through the list calling Bob and asking him if he still needs that rule.
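A review like the one described above is easier to start from a list of the gaps. The following Python is an added example, not something from the original post: the CSV layout, the column names and the one-year review threshold are assumptions, and every rule except the one quoted in the text is constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed ruleset export; the column names are assumptions for this example.
RULES_CSV = """\
id,rule,description,owner,last_reviewed
1,allow port 80 tcp to 123.234.123.234 from 123.235.0.0,http website access to the stock server from the warehouse subnet,John Smith (Warehouse Control),2012-05-01
2,allow port 3389 tcp to 192.0.2.7 from any,,,2010-02-11
3,allow port 22 tcp to 192.0.2.9 from 198.51.100.0,ssh to the build host,,2012-06-20
4,deny any to any from any,default deny,Network Team,2009-01-01
"""


def allow_rules(csv_text):
    """Yield only the "allow" rows: each one is a doorway into the network."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["rule"].strip().lower().startswith("allow"):
            yield row


def review_findings(csv_text, today, max_age_days=365):
    """Return {rule id: [problems]} for allow rules that need attention."""
    findings = defaultdict(list)
    for row in allow_rules(csv_text):
        if not row["description"].strip():
            findings[row["id"]].append("no plain-English description")
        if not row["owner"].strip():
            findings[row["id"]].append("no owner to ask")
        age = (today - date.fromisoformat(row["last_reviewed"])).days
        if age > max_age_days:
            findings[row["id"]].append("not reviewed for %d days" % age)
    return dict(findings)


def call_list(csv_text):
    """Group owned allow rules by owner: the people to ring during a review."""
    by_owner = defaultdict(list)
    for row in allow_rules(csv_text):
        if row["owner"].strip():
            by_owner[row["owner"].strip()].append(row["description"].strip())
    return dict(by_owner)


if __name__ == "__main__":
    for rule_id, problems in review_findings(RULES_CSV, date(2012, 8, 1)).items():
        print("rule", rule_id, "->", "; ".join(problems))
```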

3. Documentation

Review your docs – dry run through processes and procedures – do they still work ? Update them if not. Are there any documents that are clearly missing ? Write them. Review your policies, you are of course doing this annually anyway aren’t you, but IT moves faster than on a yearly basis, and I’m pretty sure that a mid-term review wouldn’t do you any harm – issue errata if you don’t want to actively change the policy at this stage – but keep the changes to hand for the updates and it will save time later. Check that your supporting documentation is up-to-date and relevant – such as your firewall rules above – if it isn’t in English, make a translation – you might know what it means, however if you get hit by the proverbial bus ( or get an offer you can’t refuse ) – then your successor will need to figure it out – the more uncertainty there is in that time the higher the risks of an incident – if you want an incentive a public breach that might be blamed on you after you’ve left ( “My predecessor left such a mess it was impossible to manage” ) might haunt you for a long time. It never ceases to amaze me how small this industry actually is.

4. Cull dead accounts

Like old firewall rules, old, unused accounts are opportunities to an external attacker. Hopefully you have a policy in place for removing accounts when an employee leaves, but it is still well worth going through and auditing. Look for test accounts, administrator accounts, contractor or supplier accounts and system accounts that wouldn’t be identified by a leavers process, and may well not have the same lockout or expiry controls. At the same time, have a quick check to make sure that all accounts have the correct settings – there are many tools and code samples freely available on the net for walking AD or other directories to look for specific settings.
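The audit described above can be run over any account export. This Python is an added example rather than part of the original post: the CSV columns, the account names and the 90-day idle threshold are all constructed assumptions, and a real directory export would need mapping onto them.

```python
import csv
import io
from datetime import date

# Constructed directory export; column names and values are assumptions.
ACCOUNTS_CSV = """\
account,kind,enabled,last_logon,password_expires,lockout
asmith,staff,yes,2012-07-30,yes,yes
test01,test,yes,2011-03-02,no,no
svc_backup,system,yes,,no,yes
acme_support,supplier,yes,2012-01-15,yes,yes
jdoe,staff,no,2011-11-01,yes,yes
"""

# Kinds of account that a leavers process is unlikely to pick up.
OUTSIDE_LEAVERS_PROCESS = {"test", "administrator", "contractor",
                           "supplier", "system"}


def audit_accounts(csv_text, today, stale_days=90):
    """Return {account: [findings]} for enabled accounts worth a second look."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"] != "yes":
            continue   # already disabled
        findings = []
        if not row["last_logon"]:
            findings.append("never logged on")
        else:
            idle = (today - date.fromisoformat(row["last_logon"])).days
            if idle > stale_days:
                findings.append("idle %d days" % idle)
        if row["password_expires"] != "yes":
            findings.append("password never expires")
        if row["lockout"] != "yes":
            findings.append("no lockout")
        if findings and row["kind"] in OUTSIDE_LEAVERS_PROCESS:
            findings.append("not covered by leavers process")
        if findings:
            report[row["account"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_accounts(ACCOUNTS_CSV, date(2012, 8, 1)).items():
        print(name, "->", "; ".join(findings))
```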

5. Educate a bit

I’m not talking about a huge CBT on security here – that’s hardly free. However writing and sending an e-mail to all staff is. Give some thought to what your major concerns and issues are, write a positive statement of ways to manage these risks ( one per e-mail, send a few ) and get it out there. Creating awareness, putting ideas into the heads of staff and giving them details of whom to contact with concerns or questions is going to reap long-term benefits that you can only imagine now. This is probably the largest return on investment that you can imagine – proactive staff will head off problems you have yet to conceive, and, given a voice, they’ll give you ideas and suggestions that will not only improve security, but could well make your business more profitable overall.

These are just five simple suggestions – you could extrapolate a little I’m sure to find a few other things that won’t cost a thing, but will improve your security ( here’s a clue – if you start with the word “review” or “audit” and follow with things like “running services”, “configurations” or “file/folder/group permissions” you’ll probably come up with another few ). It’s an interesting time to be in Security – budgets are down, but threats are up – pro-active low-cost work could be the difference between success and failure – these things really should be part of a security routine anyway – but we are so often firefighting or implementing the next new thing that we don’t get much of a chance – this breathing space might actually be what the doctor ordered …
