Damon Cortesi's blog

Musings of an entrepreneur.

OpenVPN++


I just installed OpenVPN the other day and I’m glad I finally got around to it.  I’ve been putting it off for quite some time now, but having somebody else set it up prodded me into doing so as well.  Turns out it’s insanely easy.  It comes with a set of scripts and basically you run those scripts to create your certs, drop the default config in place with a couple of changes and voila, you’ve got yourself an SSL VPN.  I used a few resources during setup and you can find them on my del.icio.us links.

I was not, however, able to get bridged mode to work but the ability to have access to my internal subversion repository from wherever I am is more than enough compensation. ;-)

Now to set up some configs to create that global file-sharing infrastructure between my friends and me that we’ve been planning on for the past few years. grin

I Want to Be a Blue Man


I had a brief moment just now where I wanted to be a Blue Man.  This was while I was miming the show while listening to one of their cd’s.  My hopes were quickly dashed, though, as I don’t meet the physical specifications.  You must be “this tall” to ride this ride. :-(  Maybe someday they’ll have a vertically challenged show.

What a Web App Scanner WON’T Catch!


There was mention recently on SecuriTeam about the lack of effectiveness of web application scanners. While they are effective for identifying the low-hanging fruit, I agree that as applications have advanced web application scanners have not kept up.

Web application scanners are now so bad that I won’t even use them if they’re free. At this point, I am officially divorced from automated application scanners. What I’ve been using, primarily, is Proxies and Firefox browser plugins. –Dmitry

Although I have not stopped using them completely (they’ll pick up the easily identifiable XSS and SQL injection), their effectiveness is definitely limited. So without further ado, let me drop a list I came up with in the past five minutes of:

What a web application scanner won’t find!

  • Malicious file uploads via standard file upload functionality - Malicious ASP or PHP file
  • Blind SQL injection that relies on other stateful variables (revision app that increments a number on the page on the server-side)
  • Authorization problems - This user _SHOULD NOT_ be able to access this customer record
  • Advanced forms of cross-site scripting - Special encoding - Attacks that require heavy manipulation for JS execution
  • Broken Authentication - Similar to authorization, it is difficult for a web application to tell whether a real user really needs access
  • Poor Encryption Mechanisms - One of the huge downfalls to any application is custom “encryption” that is poorly designed. Webapp Scanners won’t catch this
  • Parameter Manipulation - Oh, you meant $500 instead of $0.05?! No way an app scanner can catch this

So there you go, just a few of the things that your $20,000 web app scanner won’t be able to catch. There are more, but that was the list that came immediately to mind.
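Two items from the list above, parameter manipulation and authorization, come down to the same thing: the server returns 200 OK whether or not the request made business sense, so a scanner has nothing to flag. The added example below (written for this post, not code from the original or from any scanner) shows the trusting version of a checkout and a record lookup beside the server-side fix; the catalogue, record owners and prices are constructed stand-ins for a database.

```python
"""Added example: why a scanner cannot see price tampering or broken
authorization, and what the server-side fix looks like. CATALOG and
RECORDS are constructed in-memory stand-ins for a real database."""


# Constructed data: server-side price list and customer records with owners.
CATALOG = {"sku-1001": 500.00, "sku-1002": 19.99}
RECORDS = {"rec-7": {"owner": "alice"}, "rec-8": {"owner": "bob"}}


class Forbidden(Exception):
    """Raised when a request fails the object-level authorization check."""


def checkout_vulnerable(params: dict) -> float:
    """'Before': charges whatever price the client sent. The response is
    200 OK whether the form said 500 or 0.05, so nothing looks wrong."""
    return float(params["price"]) * int(params["qty"])


def checkout_fixed(params: dict) -> float:
    """'After': the price is looked up by SKU on the server. A client-sent
    'price' field is ignored; unknown SKUs and bad quantities are rejected."""
    sku = params["sku"]
    if sku not in CATALOG:
        raise ValueError(f"unknown sku {sku!r}")
    qty = int(params["qty"])
    if qty < 1:
        raise ValueError("qty must be >= 1")
    return round(CATALOG[sku] * qty, 2)


def get_record_vulnerable(session_user: str, record_id: str) -> dict:
    """'Before': any logged-in user can read any record by id. The scanner
    gets 200 OK either way; it has no idea who should own rec-8."""
    return RECORDS[record_id]


def is_owner(session_user: str, record_id: str) -> bool:
    """Object-level check: does the session user own this record?
    Missing and foreign records both answer False, so ids are not enumerable."""
    rec = RECORDS.get(record_id)
    return rec is not None and rec["owner"] == session_user


def get_record_fixed(session_user: str, record_id: str) -> dict:
    """'After': the lookup is gated on is_owner(), not just on being logged in."""
    if not is_owner(session_user, record_id):
        raise Forbidden(f"{session_user} may not access {record_id}")
    return RECORDS[record_id]
```

The contrast is the point: the vulnerable and fixed handlers return identical HTTP status codes, so the defect is only visible to someone who knows what the price or the owner should be.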

p.s. On a side note, OWASP (the Open Web Application Security Project) recently launched a new initiative called the OWASP Spring of Code 2007 (SpoC 007) which will sponsor (Open Source) Web Application Security projects with (at least) $110,000 USD.  Here’s your chance to make the tools better!

Culinary Genius

On a side note, mostly thanks to Whole Foods, I proclaim myself a culinary genius.  OK, perhaps I’m exaggerating but this dinner was so good!

Dinner!

To My Family

To my family.

To my family.  To those close and near. Thank you.  I consider myself to be one of the luckiest people in the world…and it is because of you.

SELECT ‘Damon’ FROM ‘PacWest’ WHERE ‘Mountain’ = ‘Whistler’

As noted, I met up recently with a bunch of people that were heading up to Whistler for a little ski/snowboard trip. Being that they were passing right through Seattle on their way up, there was no way I could pass up an open couch for some great snowboarding. I’d been to Whistler in the summer for some downhill Mountain Biking, but had yet to see it in all its powdery winter glory.

Needless to say, the fluffy white stuff was in abundance.  We arrived Sunday evening and after the ritual waxing of the boards made a (fairly) early night of it.  Then it was out the door by 8am the next morning to hit up Whistler mountain.  Weather conditions weren’t awesome (it was pretty foggy and snowing a little bit) but the great abundance of runs and powder more than made up for it.  My favorite part was when we dropped into one of the bowls.  It was awesome to shoot down the side of that sucker in such beautiful powder.  That was the point where I fell down at one point, got back up and thought to myself: ‘That didn’t hurt…I wonder if…’ and I proceeded to board down a little bit, then throw myself forward and flip off my hands back onto my board.  Despite the fact that I didn’t stay up, it was still awesome and I did it a few more times.  The last run of the day, despite the biting wind, uber-fog, and poor visibility was still a ton of fun and it took us 44 minutes to get back down the mountain.  A quick race back to the condo where I managed to be the first one in the hot tub.  We all (well…most of us hehe) crashed pretty early that night after a full day of boarding…but there was more to come. The next day we were off even earlier to hit up Blackcomb mountain.  I personally like Blackcomb better, as many people did and do.  I felt like I had a little more freedom and the terrain was very appealing.  I could go up to the top of the mountain and bomb through some chutes. Or I could go over to 7th Heaven and disappear into the woods in search of the fluffy white stuff.  Or I could hit the trails over by Crystal chair, which were more of your standard ski trails, but lots of options, lots of terrain, and again the ability to disappear into the woods.  I again hit up the top of the mountain for the last run of the day, which was just amazing.  It was right about then that I was catching my second wind and I was just having a great time carving it up.  As a couple of us were passing a lift to head down to the village, a couple of our crew called out.  The lift was stopped for some reason, so we raced over, hopped on and got in yet another run down the mountain.  And then it was back to the condo for some more relaxing hot tub action.

Then it was time for a little mardi gras action, and after that I unfortunately had to depart the crew to drive back to Seattle and get back to work.  I wish I could have stayed longer, but I know I’ll be back up again soon.  All-in-all, it was an awesome time.  I’m quite happy I moved out to this part of the country.  I’ll be posting a few pics soon.

Insane

Holy heck.

1. I am alive
2. Whistler was INSANE
3. I just got in from driving back
4. And I have to be at the office in an hour.
5. p.s. Whistler was INSANE!

EOF

Effen!

Seattle finally got Effen in their liquor stores! YES!  No more importing from Chicago. ;o)

Effen in Seattle!

I’m on TV!

I was on TV last night, after the Super Bowl on the local KIRO-TV here in Seattle. We did a little bit about Wireless security and it managed to come out pretty decent. You can find the associated story and video over on KIRO’s site - Protect Yourself Against Wi-Fi Hackers.

Interestingly enough, I’ve done this a few times before between April and November of 2002…nearly five years ago now! Regardless, the risks are the same for the most part as are the recommendations.

But check it out - we got billing over the Super Bowl on KIRO’s homepage yesterday!  …and yes, those are my hands. ;o)

KIRO-TV