The Inners of a Small Computer Security Firm

Posted on March 1, 2011 by Lloyd

From: Greg
To: Jussi
Subject: need to ssh into rootkit
im in europe and need to ssh into the server. can you drop open up
firewall and allow ssh through port 59022 or something vague?
and is our root password still 88j4bb3rw0cky88 or did we change to
88Scr3am3r88 ?
thanks

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
hi, do you have public ip? or should i just drop fw?
and it is w0cky - tho no remote root access allowed

From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
no i dont have the public ip with me at the moment because im ready
for a small meeting and im in a rush.
if anything just reset my password to changeme123 and give me public
ip and ill ssh in and reset my pw.

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
ok,
it should now accept from anywhere to 47152 as ssh. i am doing
testing so that it works for sure.
your password is changeme123

i am online so just shoot me if you need something.

in europe, but not in finland?  

_jussi

...

I stayed up much too late last night reading the fascinating Anonymous vs Aaron Bar, HGary, HBGary Federal, Greg Hoglund, rootkit.com well researched and written articles on Ars Technica, mostly by Nate Anderson. (Fascinating at least to a software developer, particularly web developer.)

Start with “How one man tracked down Anonymous—and paid a heavy price“, then read “Anonymous speaks: the inside story of the HBGary hack” by Peter Bright. If you still want more also read “Spy games: Inside the convoluted plot to bring down WikiLeaks“, “Black ops: how HBGary wrote backdoors for the government” and take a look at Joseph Bonneau’s “Measuring password re-use empirically“.

Some high (or lowlights depending on how you see it) technical elements include:

An email admin with an 8 letter all lower and number password used on many other sites.
Custom CMS on two sites with unsalted password hashes.
Custom CMS with non-complex SQL injection.
Classic computer system access social engineering.

This is negligence at any company with sensitive customer data, but at a computer security firm this is dereliction of duty.

There there is the unsubstantiated public accusations that could result in severe USA federal criminal charges for the accused, and down right criminal behavior by a white hat security firm.

Aaron Bar for all his arrogance, ego and unethical behavior still comes across to me as the fall guy for a whole (small) computer security firm that had failed to take care of its own security, and has lost its moral compass.

WordPress does one thing very well…

Posted on October 4, 2010 by Lloyd

…allow everyone to easily publish on the Web!

And to make that happen, WordPress must be an easy to develop and design web publishing environment.

Stop! This is comparing apples and oranges. [WordPress] is a honed, refined blogging product that does one thing very well, whereas Drupal is a flexible, extensible CMS plus a huge set of tools for building websites, web applications, and integrating with other tools.
By “jam – Senior Wr….”, “The time is right for Drupal products“

It’s frustrating that competitors are still trying to pigeon-hole WordPress. The satisfying irony is that I expect WordPress’s use for non-blog sites is growing faster than the competitors.

Sure, we have biases. We are biases towards familiarity, usability, and not stressing people — letting people be awesome!

A leading example of what you can do with WordPress 3.0 CMS features is what CBS, with the help of VOCE Communications, have already created for nearing 200 CBS Radio and CBS Local properties. Sites like:

There are countless other examples, but a few have been cataloged at wordpress.org/showcase/tag/cms/

New Project to Find Movable Type Community’s Melody

Posted on June 23, 2009 by Lloyd

Interesting development today in the blog publishing space with the announcement of Melody and the Open Melody Software Group.

Melody is a new WordPress competitor — bring it!

Based on Movable Type Open Source (MTOS), Byrne Reese writes “[the project's] focus initially is consciously not about features, but rather upon laying the groundwork through a well-documented set of processes by which future features and contributions can be made.” to live up to it’s tag line “Community Powered Publishing”.

The tag line seems to directly take aim at Movable Type for not being community powered, though in interview Byrne suggests that may be part of the overhead of Movable Type being an enterprise product.

From my position looking over the fence, I’m sympathetic to how the Movable Type community has suffered since “in 2008 [when] the hyper dedicated Movable Type product manager, Byrne Reese, was laid off from Six Apart”. Sure, the MT community isn’t just that one person, but he sure was a catalyst and one of the only open channels to the inners of Six Apart. Since then there doesn’t seem to have been anyone there for the developer community, or for me, as a member of another project, to collaborate with. Even Byrne’s own recent email to the MTOS-dev list asking “Who is the lead engineer of MTOS?” went unanswered. Here is that email:

“I hate to ask such a seemingly odd question, but I have recently had questions I wanted to address to the lead engineer of MTOS — offlist, but am honestly not sure who that might be right now. Who is the best person to address questions about governance and process to? Is there one?”

Mark Carey writes today on mt-hacks.com:

“Over two years ago, Six Apart, the creator of Movable Type open sourced the code for the core Movable Type application. While its was an exciting and bold move, the announcement and product naming choices were confusing to many — the differences between Movable Type Open Source and the Movable Type Commercial product and closed source add-ons sold by Six Apart weren’t easy to grasp, and some even disputed the newly open source nature of core application.”

Although Six Apart promised that they would continue “fighting for openness” when they announced “Open Source Movable Type ” at the end of 2007, Melody is now the hope for a Movable Type-based openly developed product. The Open Melody FAQs includes:

“The community created Melody out a shared passion for Movable Type and a shared desire to see it flourish as a platform. We felt that the best and quickest way to achieve that goal was to create a product in which the community was inherently entrusted with a greater degree of control over its direction, communication channels and roadmap, and rewarded with more transparency and a greater sense of belonging.”

Serdar Yegulalp writes “To see a new way for the same framework to be improved, and to allow for feedback and suggestions that stem from my own use, is deeply heartening”

I’m very interested to see how the source code flows. The greatest gift of open source isn’t the right to fork, but the ability to merge.

Wih founding members and leadership including the likes of Byrne, Tim Appnel, Jay Allen , and Jesse Gardner, Open Melody is off to an incredible start. ((By incorporating as a US non-profit there commitment is beyond doubt — if only in surviving the painful process that the WordPress Foundation has recently come out the other end of.)) The web site looks great, and they’ve chosen open and friendly development tools.

What is good for blogging and open source is good for WordPress, and Melody seems very good for both:

I’m eager to put my frustrations trying to collaborate with the often opaque Six Apart behind me, and collaborate through the Open Melody conduit.
I can’t wait to see a leaner, more modular open source MT based product emerges that is also more feature rich — further confirmation of WordPress’s own approaches, and more good open source products are great for open source.

If you love blogging or open source, then Melody needs our love, participate! (hence this post)

Drupal Camp Victoria next Weekend

Posted on August 27, 2008 by Lloyd

Drupal Camp Victoria is happening all day Friday and Saturday Sept 5th and 6th. It’s hosted by North Studio at their training center, 301-771 Vernon Ave (plaza just coming into Victoria, near Save-On-Foods, Walmart).

It’s a free event, and if your work is any way related to the web, you will be missing out if you don’t attend. Register now before the event is full.

Besides, we need to support the grass roots Victoria tech scene — stop the Vancouver tech drain

Dave Olson points out that it’s “strategically scheduled for the same weekend as The Great Canadian Beer Festival”. So it seems safe to expect a good turnout from Drucouver. I know Boris Mann will be in attendance, and participating.

I hope to at least make an appearance. I’ll be looking for opportunies for WordPress collaboration. But me making it there is based on the whim of my baby son — and I won’t have it any other way.

Movable Type Pro, Setting Social Networking Free, Vaporware, WordPress, BuddyPress

Posted on August 20, 2008 by Lloyd

Six Apart VP Anil’s response today on the official Six Apart blog to my Movable Type Pro Introduction video parody doesn’t surprise me, but where is the link love?

Continue reading →

Site Maps, SEO Alchemy?

Posted on March 16, 2008 by Lloyd

A site map seems like a really good idea, but if WordPress is on your team, you are already in great shape, and they offer no real benefit.

Continue reading →

Congratulations to the Drupal 6 team!

Posted on February 14, 2008 by Lloyd

Drupal 6.0 was released yesterday. DaveO of Raincity Studio writes, “I think these changes (while admittedly lacking in really exciting talking points for the non-geeks) reflect an increased focus on usability and offer ways to do more with less.”

Congratulations to the Drupal community!

A Fool’s Wisdom

A fool and his blog are soon parted.

Tag Archives: CMS

WordPress does one thing very well…

New Project to Find Movable Type Community’s Melody

Drupal Camp Victoria next Weekend

Site Maps, SEO Alchemy?

Congratulations to the Drupal 6 team!