It’s been a long weekend. I had too many posts ready for Friday, so I moved Bookmark Friday to Bookmark Sunday. Sorry for the delay this week. Lots of bookmarks this week, especially for Martin, who was asking about them when I went out last night.
Despite being late, we’re going to start off with some Twitter users you should follow. Remember, all anyone had to do was follow me on Twitter and tweet the following:
@joetech I want that free link in your Bookmark Friday post : http://www.joetech.com/suggests/bmftw
Thanks to everyone who retweets my requests for Bookmark Fridays and sends me bookmark suggestions, too. Now on with the bookmarks for the week:
Credit card processing with the iPhone – This is one of those “why didn’t I develop that?” apps. It’s a simple idea that enables anyone with an iPhone to process credit cards anywhere.
Hummer H3 Hybrid = 100+MPG – It’s a little hard to swallow, right? Apparently, this hybrid H3 will make you think twice about Hummers being eco-horrible. They’re still too big for my taste, though.
Which Date Works? – This is another simple idea with elegant execution. Get everyone to hit the site, choose their available dates (for, say, a dinner party), and the site mashes it all together and spits out the best date for everyone.
TileStack – This is a platform where non-developers can create applications by stacking various components together instead of writing code. I’m actually working on something along the same thought process, just not as pretty or proprietary.
Nine Inch Nails iPhone app – Trent shows his geeky side again with a NIN iPhone app. It’s pretty cool, too. My screenshots are all here: http://www.flickr.com/photos/nodomain1/sets/72157616853639142/
Making of Doom – This is a pretty cool video inside ID Software while they’re getting Doom ready for release long, long ago, in… this galaxy.
Space Invaders coasters – Nice! I’m working on an idea similar to (but better than) this, too.
Catapult business card – This is one of the best business cards I’ve seen for an engineer. No need for a resume. Just hand your future employer this card and tell them how much to pay you.
Zippo laser projector – You know how I love lasers. This guy crammed a laser projector into an emptied-out Zippo.
LCD gift wrap – Write your own message on this LCD wrapping paper.
3D printing at home – We’re getting closer and closer to decent yet affordable home fabricating. In 5 years, I’ll bet you can buy a good 3D printer for under $300. With more and more people launching their own products with Ponoko and Etsy, it’ll be a welcome offering.
Yesterday, I wrote about getting paid to hack. Part of what I talked about was computer forensics. Earlier in the day, I was presented with an opportunity to practice my own IT security skills. Below, I’ll explain what happened to my client, how an employee of mine and I found the source of the problem and what we did to fix it.
Discovering a problem
A client called, complaining that the content management system we built for them was not working properly, so one of the developers took a look at the code and immediately alerted me to a problem. When he looked at the code, he discovered two extra lines at the end. The lines were similar to the following and existed at the bottom of every index.php file in the site:
My first thought was that someone hacked in and changed the files. What about the rest of the server? This is where you get that sick feeling in your stomach and hope it’s not as bad as it could be. I emailed my wife and told her I’d be unavailable via phone/email/etc. for the next few hours.
Finding the cause
Tracking down the source of a hack or code injection like this can often be tricky. How tricky it is depends on your individual skill set, past experiences, and the complexity of the problem itself. This one turned out to be easy, partially because I’ve done this before and know many of the places to look, but mostly because it wasn’t really a hack. Not locally, anyway. One of my developers and I sat down in my office and I started looking at the hacked files. Using the following command (from the client’s web root), I displayed a list of all files that were modified that day:
ls -laR |grep "Apr 24"
What it returned was a list of the index files I was already aware of. Good. I then ran the same command on other sites to be sure this was isolated, and it was. Next, I checked “last” to see who had been logging into my server:
last |grep [client username redacted] |grep Apr
Last shows all the recent logins from SSH, FTP, etc. Immediately, I noted a large number of FTP connections for the client site I was investigating, which looked suspicious. I headed to my FTP log files and grepped my “secure” log files for “Incorrect”:
grep Incorrect /var/log/secure*
Your system may use something other than “Incorrect” to indicate a bad login and your “secure” log file location may vary. This grep showed only a few bad attempts, which is fairly normal and not what I expected to see if the account had been brute-forced. I moved on to the FTP log file to see what transfers were made. You’ll need to find your own FTP log location if you don’t know where it is already.
grep "Apr 24" xferlog*
I did this mostly to confirm that I was on the right track, but it uncovered even more oddness. Here’s a bit of what I saw:
Fri Apr 24 11:17:32 2009 0 [ip redacted] 4289 /var/www/vhosts/[domain redacted]/httpdocs/index.php a _ o r [username redacted] ftp 0 * c
Fri Apr 24 11:17:38 2009 2 [ip redacted] 4402 /var/www/vhosts/[domain redacted]/httpdocs/index.php a _ i r [username redacted] ftp 0 * c
Fri Apr 24 11:17:51 2009 0 [ip redacted] 2836 /var/www/vhosts/[domain redacted]/httpdocs/admin/index.php a _ o r [username redacted] ftp 0 * c
Fri Apr 24 11:17:56 2009 0 [ip redacted] 2949 /var/www/vhosts/[domain redacted]/httpdocs/admin/index.php a _ i r [username redacted] ftp 0 * c
For each index file that had the iframe HTML added to the end, there was a download and then an upload five or six seconds later. The speed indicated that it was a script and the fact that it was all done via FTP indicated that if there was a compromised computer somewhere, it was remote and my server was safe.
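The download-then-re-upload pairing described above can be checked mechanically rather than by eye. As an added example (not code from the original post), this Python script parses xferlog records in the format shown and flags any file that the same host fetched and then pushed back within a short window, reporting how much the file grew; the IP address, paths and user name in the sample log are constructed placeholders.

```python
"""Flag download-then-re-upload pairs in an xferlog (added example)."""
from datetime import datetime

# Constructed sample log in xferlog format; host, paths and user are placeholders.
SAMPLE_XFERLOG = """\
Fri Apr 24 11:17:32 2009 0 203.0.113.9 4289 /httpdocs/index.php a _ o r client ftp 0 * c
Fri Apr 24 11:17:38 2009 2 203.0.113.9 4402 /httpdocs/index.php a _ i r client ftp 0 * c
Fri Apr 24 11:17:51 2009 0 203.0.113.9 2836 /httpdocs/admin/index.php a _ o r client ftp 0 * c
Fri Apr 24 11:17:56 2009 0 203.0.113.9 2949 /httpdocs/admin/index.php a _ i r client ftp 0 * c
Fri Apr 24 14:02:10 2009 1 203.0.113.9 81234 /httpdocs/docs/report.pdf a _ i r client ftp 0 * c
"""

def parse_xferlog_line(line):
    """Split one xferlog record into the fields this check needs.

    Field layout: f[0..4] timestamp, f[5] transfer time, f[6] remote host,
    f[7] bytes, f[8] filename, f[11] direction (o = download, i = upload),
    f[13] user name. Filenames containing spaces would need a stricter parser.
    """
    f = line.split()
    when = datetime.strptime(" ".join(f[0:5]), "%a %b %d %H:%M:%S %Y")
    return {"when": when, "host": f[6], "size": int(f[7]),
            "path": f[8], "dir": f[11], "user": f[13]}

def find_modify_pairs(log_text, window_seconds=60):
    """Return (path, host, seconds_between, size_delta) for every file that a
    host downloaded and then uploaded again within window_seconds."""
    recs = [parse_xferlog_line(l) for l in log_text.splitlines() if l.strip()]
    hits = []
    last_download = {}                      # (host, path) -> download record
    for r in recs:
        key = (r["host"], r["path"])
        if r["dir"] == "o":
            last_download[key] = r
        elif r["dir"] == "i" and key in last_download:
            d = last_download.pop(key)
            gap = (r["when"] - d["when"]).total_seconds()
            if 0 <= gap <= window_seconds:
                hits.append((r["path"], r["host"], gap, r["size"] - d["size"]))
    return hits

if __name__ == "__main__":
    for path, host, gap, delta in find_modify_pairs(SAMPLE_XFERLOG):
        print(f"{host} re-uploaded {path} after {gap:.0f}s, size change {delta:+d} bytes")
```

A consistent size increase across every flagged file, as in the sample, is the signature of the same payload being appended to each one; the lone afternoon upload with no preceding download is not reported.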
Cleaning it all up
In this case, cleanup was easy. First, I backed up all the log files for further review just in case I need them. Then I changed the client’s FTP password. Finally, I pulled the latest (clean) versions of the affected index.php files from our subversion repository and uploaded them back to the site.
Preventing future occurrences
I wanted to find out exactly how someone who should clearly not have the client’s FTP credentials wound up with them. My theory was that the client’s computer had been compromised. I headed to arin.net and used their handy IP whois tool to see who the one prominent IP address from the log files belonged to. It turned out to be a COX IP registered to Atlanta, GA. We called the client and asked them if they had anyone there. They did not. The FTP logs also showed recent uploads of documents that related to the client and looked to be legitimate, so we asked who uploaded them and conferenced him in. A couple of questions quickly revealed not only that the IP belonged to their local office computers, but that the computers there had been “acting funny, randomly rebooting, etc.” for the last day or so. We sent their computer guy out to take care of the problem, which turned out to be a trojan.
Conclusions
First of all, this was a very easy problem to diagnose and fix. I’ve been on the bad end of some serious hacks and this was by no means a bad one. For the client, however, the day proved much more frustrating. The expense incurred from having the IT guy come out and the thought that it could have been much worse (like their site replaced with something untoward), should be a lesson to be very careful about what you download, what you click, and the sites you visit. The best policy is to only open or run things from sites and people you trust, and even then, use caution.
One of the things I love most about computers is the ability to learn something new every day. The internet helps me do that from the comfort of my own home and gives me more options than I can shake a stick at for learning new things. You can even take classes online and not just the boring ones, either. This sponsored post is about some of the coolest IT Security classes you can take online. Learn to hack online and then make money doing it.
Ethical Hacking
There are a couple of different ways to think about what hacking means. To some people, it’s just seedy characters in seedy places trying to break into your computer and steal your identity. While there are people out there who do things like that, it’s not the true definition of a hacker. A hacker is someone who thinks outside the box to obtain information and learn new things that are normally unavailable via popular channels. That said, bad hackers are out there, but there is such a thing as Ethical Hacking. Since the EC-Council site does such a good job explaining ethical hacking, I’ll let them tell you in their own words:
The goal of the ethical hacker is to help the organization take preemptive measures against malicious attacks by attacking the system himself; all the while staying within legal limits.
It’s important to note that Ethical Hacking can be learned on your own, but it’s a slow road. Besides, a Certified Ethical Hacker is bound to have better odds of making more money. Friends of mine have done this as teams or solo projects and if you’re good, it pays well and is a lot of fun. Now, the pay is better than ever, even in our economy. According to a recent article on CIO.com, the pay for an ethical hacker is up 40%. One of my friends was flown to Japan to hack into a large company’s network and make a dramatic point about their security needs by walking into a security needs meeting in a highly secured part of the building using only his skills to gain access. “You should have seen their faces”, he told me with a big grin. Speaking for the other side, I manage several servers myself and I can tell you it’s a lot cheaper to pay someone to find all the holes than it is to clean up the mess that an unethical hacker can leave if you don’t.
Roles in IT Security
What if you don’t think hacking is for you? Hacking is rewarding, but there are other IT Security roles that can also be very rewarding and they all pay well. Some of these include proactive positions like Security Awareness, Security Fundamentals, Advanced Penetration Testing and Application Security as well as some more reactive roles like Disaster Recovery (be the hero), and Computer Forensics (see my post tomorrow for a great real-life example of this from what I dealt with today).
One thing many online classes seem to miss is that a lot of people benefit vastly from the interaction with an actual instructor that a classroom environment offers. These guys know that better learning comes from the ability to talk to a real live instructor and get detailed answers to unique and specific questions. They give you access to a real person to help you along as you go.
It’s really a good looking package and I just have to pound the point home… Ethical hacking and IT security is just plain rewarding financially as well as in every other way. If you’re thinking about a career in IT, you should look into this.
Trying out the projector
I know you want to see the projector first, so I’ll just jump right in. The 640×480 projector can focus with a projected image as small as just a few inches or it can project an image up to about the size of a 42 inch TV. The projection is bright, but still hard to see with the lights on, of course. Turning the projector on (as you can see in the video below) requires just holding down one of the little buttons on the left or right of the face of the phone. One is for internal projection while the other projects from an external video source. The external video source is handled by a small included cable for RCA in. In my testing, I simply plugged my Xbox into this cable and the cable into the phone to hook it up. Then I hit the external source projection button, chose between PAL and NTSC and was projecting video. I love this feature because you can easily hook it up to any device with RCA out cables, like a personal media player, for larger viewing. Imagine you’re at a party and a friend wants to show everyone a funny video but it’s on his small PMP. Just hook it up to your phone and everyone can watch… after they’re done reeling at the fact that your phone has a projector in it.
The alternative to an external video source is internal memory. When you press and hold that projection key, it just displays what the phone’s internal display would otherwise show. That’s good and bad, really. It’s good because you’re not limited to just projecting stored video files. I don’t see much of a reason to project anything else, but at least you have the option. It’s bad because in this mode, the video projects in the same orientation as the phone’s internal display. This means you have to turn the phone on its side to view the video upright and the phone’s design is such that it doesn’t sit flat on its side. It comes close, but doesn’t quite do it. The other problem with this is that you have to see the whole video player interface when you play an internal video file. It would be far better if they changed it to swap the orientation to landscape when a video file is played and fill the whole viewable area with the actual video.
To focus the video, there’s a little glider switch on the bottom of the phone. I thought this would have been better placed on a side and should have been a wheel just because it would make the task of focusing the picture that much easier. In my tests and playing, I found that I would focus past the point of a crisp picture in either direction a few times before landing on the crisp picture.
Other features
While you probably came to drool over the video projection functionality of this phone, I think I should still point out everything else it has to offer. First of all, like many of Chinavasion’s phones, it’s a touch screen and comes with a stylus. Along with the touch screen, it has a normal phone key pad as well as left and right side navigation buttons, the internal and external projection buttons, the call and end/power buttons, a home button, and surrounding the home button is a 4 way navigational rocker button. That’s all just on the face of the phone. The left side includes the standard volume rocker buttons and the right has two input connections. I scratched my head a bit about the multiple inputs, but there are certainly technical reasons for doing that. My guess is that it has a lot to do with the many things you can plug into this phone.
The user interface for this phone is strikingly familiar. It looks and works a lot like the iPhone. Actually, the interface looks almost exactly like the iPhone, from the layout right down to many of the icons. It doesn’t work as smoothly as the iPhone, but not much does, and really, they managed to pull over a couple of the nicer things into this phone. For example, unlocking or turning off the device with a swipe of the finger is still my favorite method.
You’ll find many of the standard applications, such as the web browser, calculator, note pad, camera, video, music player, etc. bundled into the phone’s software as well. One thing I’ve noticed with Chinavasion is that they tend to load their devices up with a lot of features and programs, which is a good thing.
What else comes with it?
Everything came in a white, plain box. This box included the phone, a user’s manual, a wall charger, a data cable/USB charger, a hands-free headset that also works as regular stereo headphones, two batteries, and a wall battery-only charger for the extra battery. Again, Chinavasion likes to make sure you’re covered, so they throw in everything they can think of. I can almost never get everything back in the box with their products.
Video and conclusions
These days, a phone is a phone is a phone. What I mean is that for making calls, the hardware doesn’t vary much. It’s the design and everything else that the manufacturer packs into the phone that makes it the device you must have. In this case, Chinavasion has done a good job adding in all the stuff you’d expect from a phone plus a little more. Then they threw on this projector, a feature that has been talked about before but one that I (and most of the planet) have never seen implemented in a consumer-released cell phone until now. The projector has a few areas for improvement, I think, but overall, they did a great job with the device. While it’s a little heavy, I must remind myself that the extra weight is worth the additional “wow” factor. This is another great phone for the money.