Damon Cortesi's blog

Musings of an entrepreneur.

Ttaf - Time to April Fooled


I’m coming up with a new “time to” acronym - ttaf, or Time to April Fooled: The amount of time before you get suckered in by an April Fool’s joke.  It was 46 minutes for me this year.

I was checking my RSS feeds when I saw a post titled Running Mac OS X on Virtual PC 2007. Even though I own both a MacBook Pro and a PowerBook, I was still excited to finally see the prospect of OS X running on a large virtualization platform. I read eagerly through the article, thinking “I hope Virtual Server is going to support it…” and “wow, this is too good to be true!”.  And then finally I hit the last line…

The above -experimental command line parameter will only work if the Host OS clock is set to 4-1-2007.

sigh

I’d been had…this is definitely an April Fool’s Day joke.  The MS Bloggers must think they’re pretty funny this year…there’s even some sort of announcement rumor going around. ;-)

In other news, I’ve decided to move to Australia…

Pasting URL’s Into Firefox Tip


One of the most useful Firefox tips I have come across is the ability to paste lines of text that include newlines into the address bar and have it automatically account for the new lines.  This has come in quite handy recently while perusing some of my apache logs.  It’s pretty simple too:

  1. Type about:config into the address bar
  2. Look for the preference name editor.singleLine.pasteNewlines, or just type paste into the filter
  3. Double-click that setting and change it from 1 to however many lines you think you’ll tend to paste in - I used 3

Now you can copy and paste multi-line URLs!

New Pix


Although I toss my favorite pictures up onto my Flickr page, I just added a bunch of pictures to my gallery on DCortesi.com.  I hadn’t done this in a while because I had to get rid of several thousand spam comments that had infested my gallery. Sigh. But I managed to do so, enabled a captcha to prevent those pesky bots, and now you can check out some of the good times in Seattle and see some pics of my backyard now that spring has rolled around.

Check out the pics and enjoy!

Housewarming and Lake Trifecta


After nearly five months (wow, it’s been that long?!) of living in Seattle, I finally had my housewarming last night. There was a great turnout and some of my best friends showed up for an evening of fun, pool, and Wii Sports.  It was an awesome time and I’m so glad people were able to enjoy my new home.  Thanks to everybody for a great night!  You can check out some of the pictures of my housewarming on Flickr.  I mostly just have pics of the aftermath as I was too busy being a little socialite to take too many pics. ;o)

In other news, I slept in Sunday morning after the festivities but still managed to have a productive day.  It was beautiful so I decided to go for a little bike ride, which ended up being me touring the three lakes in the area - Greenlake, Lake Union and Lake Washington.  I rode around Greenlake, passed by Lake Union and rode up the side of Lake Washington on the Burke-Gilman Trail.  All told, I think it was about 20 miles of riding.  I was pretty tired at the end of it, but nothing that a Dick’s Deluxe and a vanilla shake couldn’t take care of.

Finally, I spent the remaining daylight hours cleaning up all the leaves in the flower beds of my back yard.  What a relaxing way to end the day - I filled a garbage can full of leaves!  But my flower beds look much better.  I also came across a few things in the flower bed that the previous owners’ daughter must have lost at one point:

Nice garden - thanks for saving me!

What an awesome, amazing weekend.  Thanks again to all my friends - I am one lucky guy!

JavaScript GUID Generator


I like JavaScript…I really do. Despite what most people say about it, it can be quick, efficient and very effective in a pinch. In the past I’ve used it to automatically capture screenshots and even alert me when I got out of the online waiting room while trying to pick up some Cubbie tix. So without further ado, here’s a quick snippet I came across that you can paste in your location bar to create a GUID:

javascript:function S4(){return (((1+Math.random())*0x10000)|0).toString(16).substring(1)}(S4()+S4()+"-"+S4()+"-"+S4()+"-"+S4()+"-"+S4()+S4()+S4())

I must give credit where credit is due - I snagged this from a John Stockon made on the very same issue.

Since that string is kind of long, you can also just click here to try it out.

Visual Studio and Parallels Shared Folders


I’m a heavy user of Parallels on my MBP since I still do all sorts of Windowy things.  Recently I was doing a .NET source code review where the source was living on an encrypted partition on my mac that I had shared to my Parallels via their shared folders feature. As it was an old project, it had to be converted and although some of the projects converted fine, I received the following error with others:

Error converting project file. Invalid URI: The hostname could not be parsed.

It would specify this as a problem with the .csproj file so I assumed it was some parameter in there.  A little while later, I was trying to do something else with a command line tool and received a similar error.  Interesting, I thought, and then it hit me as the path to the file was staring at me from the command line.  I was using the UNC path for the file, and Parallels uses .psf for its hostname…which is not a valid hostname.  So obviously, Windows/Visual Studio was having trouble parsing this hostname!

Mapping the share to a drive letter and then opening the file from that drive solved the problem!

YASIT


aka Yet Another SQL Injection Tool… It seems like SQL Injection tools have been crawling out of the woodwork the past few months and there’s yet another new one that I came across just the other day called PRIAMOS. I haven’t played with it yet, but it seems to be focused largely on usability. Some of the other ones that have come across my radar recently are:

  • SQLBrute (Python)
  • SQLiX (Perl - OWASP Project!)
  • sqlmap (Python) - I really like the feel of this one, but haven’t had a chance to dig into it too much
  • Sqlninja (Perl) - Coolest name, in my opinion…

These are all up on my del.icio.us page as well. And of course, there’s my personal tool, Blink (Perl), but I unfortunately never unleashed that on the world.

Security Change and Configuration Management


I was thinking last night of all the organizations that I’ve reviewed and the procedures at each one for managing the security aspects of their infrastructure.  It has ranged from “Hey Timmy, will you go open up the firewall for FTP” to “Submit a change request for the modification of the firewall ruleset and it will get reviewed by the IT review committee at the end of the week for approval”.  While the former is easier and quicker, I’d rather have the latter if I were a large organization.  Firewalls and networks are obviously huge in large organizations, and ad-hoc changes can easily lead to a hole that might put the company at a level of risk that it might not be willing to accept.  Documentation and approval of security changes in a large organization are paramount to the maintenance of its security posture, particularly when it’s not just “the IT guy” making the changes, but several members of an IT organization.  Ultimately, those companies that put the time and effort into change and configuration management are much more aware of their security posture on an ongoing basis.  Those companies that do not have such a process in place are driving an ‘85 Buick Skylark in a NASCAR race.  They can keep going…but it’ll catch up to them pretty fast in the end.

So a plea to organizations that think change management is a waste of time: if you want to grow your business in a secure manner and maintain a well-thought-out security environment…consider implementing some change management.  Perhaps I’ll write some more on this process later, depending on whether there is any interest in it.

Proximity Payments


I was buying some coffee at Tully’s this morning (sorry… ;-)) and happened to fumble my Amex Blue card as I was handing it to the cashier. He picked it up and to my horror, peered at the RFID chip embedded into it and thought out loud “I bet this will work”. The world went into slow motion, my heart skipped a beat and I’m pretty sure my face turned white as he waved my card in front of the fancy schmancy ViVOtech VIVOpay contactless payment device. (Insert Flickr picture here at later date)

Knowing what I do about RFID payment card vulnerabilities, I was completely disheartened to hear the svelte beep of the reading station as the RFID chip in my credit card was activated for the first time…or was it? It’s absolutely possible for a malicious person to build a reader that would snag my (likely unencrypted…see RFID link above) credit card information without so much as a beep to alert me. RFID is becoming more and more a reality of daily life, particularly with respect to identity and payment information, and these systems have not incorporated security into their design.

So…how many RFID chips do you have in your wallet?