Bio
Russell Mickler, Principal Consultant, has over 14 years of professional experience leading and managing IT organizations.
Contact Information
- Mickler & Associates
- Vancouver, WA
- Voice: 360.601.0818
- Fax: 360.397.0468
An Interesting Statistic
Written on October 28, 2005
Leave a Comment
|
According to InformationWeek (Oct. 24, 2005, pg. 24), only 8% of the 500 largest public companies have an IT executive on their boards. They classified an IT executive as a CIO or former CIO.
The largest Indian companies, on the other hand, are most likely to have IT execs on their board – 42% of the Economic Times 25 companies do.
Things that make ya go… hmmm.
R
www.micklerandassociates.com
A Conversation on Due Care
Written on October 8, 2005
Leave a Comment
|
Taken from a discussion this week between myself and a student:
Student:
The risk of having no controls or auditing going on is that you are a potential victim to virtually every kind of system attack.
This can be compared to the relatively few people who keep their doors unlocked. Even in a small town this is not a good idea. Someone will eventually break in – it is just a matter of time.
Add to this the potential security holes that frequently occur in complex systems, and you have a recipe for disaster.
This situation is definitely NOT “due care.”
Russell Mickler:
This is true. But let me ask you this. Let’s say Grannie Gertrude uses a computer to store recipes and book club information and somebody exploits a vulnerability in the o/s to steal Grannie Gertrude’s PPI (Personal Private Information).
Who is at fault: Grannie, or, the o/s OEM? At what point should we draw a line between personal responsibility and accountability for defective manufacturing?
Unfortunately, our legal system has yet to really answer this question or effectively challenge EULA disclaimers. I believe software manufacturers _should_ be held liable for defects and that if defects contribute to mass exploit – think Blaster Worm for a minute – then the losses experienced by a firm because of the OEM’s negligence should be compensated for. This, in turn, would lead crappy software manufacturers to leave the industry because of the cost of securing software prior to release, and, consumers get better quality of products. (Nobody wants to do this because of the negative effect it would have, surely, on the software industry, but still…)
As consumers, are we all _required_ to become security experts because of the defects released by a company, or, should we demand higher forms of accountability from OEM’s? Who is the real victim here? I say the consumer in general, not just Grannie Gertrude (grin).
Discussion About Cracking 4-Char Passwords
Written on October 6, 2005
Leave a Comment
|
This was from one of my students this week…
“In my opinion, 4 character passwords are very weak. I could create a password generator in C to brute force a 4 character password using all 95 possible characters (33 special, 10 digit and 52 mixed char) and crack any 4 character password in less than 2 days using a single desktop computer.”
Two days!
“This is worst case scenario and with some tweaking (i.e. parallel processes all working a subset of the problem, a more powerful system like a dual Xeon, starting with a a small dictionary attack, etc) I could seriously shorten that time to a few hours at most.Using all 95 possible ASCII characters (which most users will not) there are only 81,450,625 possible 4 character combinations. Not using special characters reduces this by more than a factor of 5 (around 14.7 million combos). We won’t even talk about if someone uses a PIN style password (all digits).Here are some password crack tools you can use to test passwords if you have the ability and permission to. I haven’t really looked at these in a long time. Some might not even run on Windows:> – Anger> – Cain & Abel> – Crack> – Hydra> – John The Ripper> – LCP> – LM Crack> – L0phtCrack 4> – PWdump3> – RainbowCrack> – THC KeyFinder> – Venom> – YaHa”
Found it very interesting…
R
www.micklerandassociates.com
Text Hacking the City
Written on October 6, 2005
Leave a Comment
|
This was passed to me today by a student -
Interesting Article:Text Hackers Could Jam Cellphones, a Paper Says:
Bypassing Windows Authorization
Written on October 6, 2005
Leave a Comment
|
This was hacked about four months ago – it may not continue to work, but it allows a bypass of official Windows validation for content downloads from Microsoft’s Updates sites…
Bypass Windows Authorization
As reported by Boing Boing: http://www.boingboing.net/2005/07/28/microsoft_genuine_ad.html
Microsoft “Genuine Advantage” cracked in 24h: window.g_sDisableWGACheck=’all’ AV sez, “This week, Microsoft started requiring users to verifiy their serial number before using Windows Update. This effort to force users to either buy XP or tell them where you got the illegal copy is called ‘Genuine Advantage.’ It was cracked within 24 hours.” Before pressing ‘Custom’ or ‘Express’ buttons paste this text to the address bar and press enter:
javascript:void(window.g_sDisableWGACheck=’all’)
It turns off the trigger for the key check.
R
www.micklerandassociates.com
GREP the CIA Factbook
Written on October 6, 2005
Leave a Comment
|
GREP is one of those awesome command-line utilities that never made it officially into Windows. GREP is a utility that performs complex search-and-replace operations on files and is most commonly found on UNIX environments.
This is a cool script that will allow you to GREP the CIA Factbook for data extracts -
http://douweosinga.com/projects/ciagrep
From the author:
“This project is just a quick python script that parses the CIA world factbook, searches for a specific property, like population, and prints this property for all countries in the database. Type: grepCia.py capital and you’ll get a list of countries and capitals. It works for almost all properties speficied in the CIA datase. The program makes a good start for any CIA data harvesting hacks.”
Don’t have a UNIX box or shell? No problem! The following location will allow you to dload a program to convert Python script to Windows executables:
So you can download both of these and convert the script into an executable for Windows. An excellent tool for research…
Disabling the Mixed Content Message
Written on October 3, 2005
Leave a Comment
|
Internet Explorer displays some awefully annoying messages at times that are just click-throughs for the user. Here’s one that’s quite common: the Display Mixed Content options.
When accessing a secure site (SSL layer, HTTPS) and insecure content is preparing to be downloaded – say, pictures for example, or Flash objects – then you’re prompted by default:
“Security Information This page contains both secure and nonsecure items. Do you want to display the nonsecure items?”
I find this message really annoying; it appears even after I have added the target site into my trusted sites list. Here’s how to disable it:
In IE, go to Tools…Internet Options…Security tab, click the Internet Zone to select, click Custom button, scroll down to the Misc. section and set “Display mixed content” to Enable or Disable. You currently have it set as Prompt.