I was woken up by a message from Planet Fitness this morning, informing me that the contract I though had expired in Aug 2009 had happily been renewed each month and I now owed them a large sum of money. I was not informed of any of this, and have not attended a Planet Fitness gym since 2009. While the guy on the line agreed this was pretty dodgy, "It's in your contract," he says without having a copy of my contract. So, now I'm waiting to see this contract while they look for it. In the meantime, I was cheerily informed that if I rejoin the gym, then will write the debt off, or if I pay half I will get 6months "free" and the rest written off. Better yet, while the system says I owe Rxx.xx, the consultant through the use of his calculator assures me I actually owe Rxx.xx * 1.5. Nice to know their billing systems are as dodgy as their customer service.

Paul Rubin had a piece in the Wall Street Journal describing 10 fallacies of Web Privacy. This is my response, and the start of my blogs official "privacy" category.

The ZaCon II CFP is nearing it's closure date (tomorrow!), and this is an overt reminder to all of you thinking about submitting to do it. ZaCon is a great place to either give your first infosec presentation or deliver a tech-heavy presentation to a receptive crowd. All you need do is submit a short abstract to abstracts@zacon.org.za and if your submission is accepted, prepare and deliver a presentation. You don't even need to write a paper. If that isn't lowering the barrier to entry enough, then you're just lazy :)

If my submission is accepted (heavy bribery underway), then I'm hoping to set up an infosec BP-style debate, and will be approaching some of you "I'm smart but never share that outside the office" types to get involved, and hopefully have some fun.

You can read more of my thoughts on ZaCon here. Also, at some indeterminate point in the future, some ramblings about ZaCon will appear in episode 18 of Let's Talk Geek.

This is a cross-post from my other blogging home at SensePost.

Last week we presented an invited talk at the ISSA conference on the topic of online privacy (embedded below, click through to SlideShare for the original PDF.)

The talk is an introductory overview of Privacy from a Security perspective and was prompted by discussions between security & privacy people along the line of "Isn't Privacy just directed Security? Privacy is to private info what PCI is to card info?" It was further prompted by discussion with Joe the Plumber along the lines of "Privacy is dead!"

The talk, is unfortunately best delivered as a talk, and not as standalone slides, so here's some commentary:

Scroogle is no longer working for the second time this year (I archived the announcement at the end of this entry). The author claims Google deliberately killed the simple interface they were using. I've e-mailed to point out that Google Custom search works fine, but relying on Scroogle isn't going to cut it anymore. The obvious solution is to use GoogleSharing. However, not all devices support it due to the requirement of a Firefox plugin; my phone for example. After meeting Moxie I discussed the idea of including a search interface with the GoogleSharing server. The idea would be that <googlesharing server>:<port>/search would provide a plain HTTP interface to search through the server.

ifconfig -u|grep -v inet6|grep -v media| grep -v lladdr|grep -v ether|grep -v status|sed "s/flags=.*//"|sed "s/^.*inet \(.*\) netmask.*$/\1/"|sed "s/^\([elfv]\)/#\1/"|tr -d '\n'|tr '#' '\n' && echo

I just want a simple display of the interfaces on my system and their IPs. I was in a rush and came up with that disgusting line. On the one hand it demonstrates the power of Unix, on the other hand it demonstrates the problems with it. So, dear interwebs, please provide me with (in order of preference):

1. A better way of doing it (I'm thinking sysctl, [I'm on a Mac])
2. The right command line magic to get better greppable output from ifconfig
   
3. An optimised command line, specifically:
1. How can you combine the multiple "grep -v" commands?
2. How can I combine the sed & tr commands?

Failing that, here's a command you too can use to give you a fragile list of interfaces and their ipv4 addresses. I've embedded it on my desktop with GeekTool (OSX). It makes the FW logs also embedded on my desktop make more sense :)

UPDATE: I love you my fellow Geeks. The winning solution is from Craig Balding via twitter, who put us all to shame with the ridiculously simple piece of cli kung-fu that is:

ifconfig|awk '/mtu/ {nic=$1} /inet / {print nic " " $2}'

This has been reposted from it's original at my new second blogging home at SensePost.

In my previous role working as a security manager for a large retailer, I developed some password tools for various purposes, primarily to help non-security people with some of the basics. I licensed them under the GPL, and I think it's about time they saw the light of day.

There are a couple of tools, which I will explain below. They're all written in JavaScript, primarily because it is cross-platform, but can be centrally hosted. They all work in Firefox and Internet Explorer, although the automatic copy to clipboard functionality of the service desk tool is IE only.

The intention is for the tools to be placed into your organisation's intranet somewhere. I found they came in much use, allowing me to reference a specific tool and setting rather than esoteric password theory in documents. For example, security standards documents would say "Service account passwords should either be generated by the password generator set to the service account setting, or be rated as "very strong" by the password strength checker", which is far more practical than quoting a list of password rules.

Being centrally hosted also allows updates to be made immediately in the case of a policy change, new common password addition, or bug. This also allowed web logs to provide an audit trail of who was using the tools. Particularly useful in the case of monitoring service desk activity e.g. If the service desk records 100 password resets, and the tool only saw 10 hits, you know something's up.

If you're a tactile learner, you can grab them here.

For years I've had a tinfoil dilemma. I know that companies trying to own the internet love dropping cookies, and then using those cookies to track you around the tubes. It started with the advertisers like DoubleClick who would drop their cookie, then rely on their distribution of banner ads. Every time your browser hit a page with one of their banner ads, it would send it's cookie along and help them track you around the internet.

Verizon's Wade Baker (with assistance from Dave Kennedy, who I will refer interchangeably to as with Wade, Dave or Verizon) published a post claiming that vulnerability/security researchers are given too much leeway, and are closer to criminals than good guys. He suggests they should rather be called "narcissistic vulnerability pimps" (NVPs) in future. Dan Goodin got some clarification when writing his piece for The Register which expands on some of Verizon's motivations and justifications.

While I think I identify with part of his frustrations, he's wrong. Mostly due to an overconfidence in how vendors optimise for "shareholder value", but also because while scrabbling to paint vuln researchers as bad guys, he forgot about the actual bad guys.

Julius Malema has exploded into political prominence by making himself hard to ignore. Inheriting a platform that drew attention to the accidental outrages he tripped into, he quickly learned to stoke outrage and roar back at any responses he provoked. For the media, trying to gauge the state of the nation’s health from moment to moment, this makes him a much more attractive candidate than the business-as-usual official announcements of the ruling party proper. But Malema’s sound and fury signify little, and his disproportionate voice in South Africa’s public conversation is only hurting our ability to speak to one another, and to speak sense when we do. We think it’s time to ignore Julius, and invite you to join us.

For the week of 7-14 April 2010, we undertake to talk about this country, its challenges, its promise, its news, and to ignore Julius while doing so. Join us in this initiative. If you blog, join the roll. If you Tweet, add the hashtag #ignoreJulius to your daily output.

However you communicate, take a week off from Julius.

Over the last few years I've come to notice a few entrenched ideas that, large consulting companies in particular, seem to be unable to deviate from. These ideas specifically relate to how to get the most out of your technical, particularly security, staff, but I'm sure they apply in other contexts too. I'm certainly no expert and these are just my observations, and while I did notice a steady stream of clever people leaving my $previous_employer, including myself (not clever, just leaving) I had some time to muse on the reasons. I'd love to hear comments from people who have/are running their own tech companies.

Today my blog turned six, and I tweeted that fact with the following:

My blog http://singe.za.net/ turned 6 today. The fact that I'm tweeting this rather than blogging it is probably significant.

While blogging remains more a more satisfying and useful means of exploring a thought, twitter let's you skip the work and move onto the conversation (sometimes) a bit sooner, but without any decent record of that conversation occurring (twitter's searchable memory is too short). I'm certainly going to continue blogging, but I don't see my throughput increasing much. Luckily, subscribing to an RSS feed is only a cost if there are too many updates ;).

That being said, I think there's been some fun stuff on the blog in the last year, my favourite posts have been:

• Using Maltego to Data Mine Twitter
• Conficker Claims it's first Human Life
• My first guest post - Efficient extraction of data using binary search and ordering information
• Deloitte -> SensePost for a personal milestone (there was another personal milestone, my marriage, but that wasn't much of a blog entry).