Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Category Archives: Strange

{Quick Post} URL shortcuts

I’ve had this little snippet hanging about for a while, and I’m almost sure 99% of people are already aware of this, but hey, that still means 1% aren’t. So here’s a quick quirk that I noticed a few years back in the way browsers process values entered into the location bar.

If you’re like most users, you type google.com to get to Google far more often than you type http://www.google.com… after all, if HTTP is the default and the remote site handles the redirect to the right place, it’s all good! Still, a bare name typed into the location bar isn’t treated as an HTTP URL straight away. Before trying that, your browser is going to check you didn’t mean something else, such as a file or shortcut of that name sitting on your desktop…

To test this, create a shortcut on your Windows desktop called yahoo.com and point the shortcut at http://www.google.com… or, if you’d rather write the file directly, just open an editor and enter the following:

[InternetShortcut]
URL=http://www.google.com/
IDList=

Now save that as yahoo.com.url on the desktop and open your favourite browser. Type yahoo.com into the location bar and see what happens!
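An added audit check (not code from the original post) for the quirk described above: it parses Windows .url shortcut files, and flags any whose file name reads like a hostname (yahoo.com) but whose URL= target lands on a different host. The three sample shortcut contents are constructed for the demo (the first one mirrors the yahoo.com.url file above), and the Desktop path used in the final loop is an assumption.

```python
"""Flag Windows .url shortcuts whose file name looks like a hostname but whose
target points at a different host (the yahoo.com.url -> google.com trick).

Added example, not code from the original post. Sample shortcut contents are
constructed for the demo; the Desktop path in scan_shortcuts() usage is an assumption.
"""
import configparser
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of an [InternetShortcut] file, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.replace("\r\n", "\n"))
    for section in cp.sections():
        if section.lower() == "internetshortcut":  # section name case varies in the wild
            return cp.get(section, "url", fallback=None)  # keys are lowercased by configparser
    return None


def looks_like_hostname(name: str) -> bool:
    """True for names a user might type into the location bar, e.g. 'yahoo.com'."""
    labels = name.lower().split(".")
    return len(labels) >= 2 and all(
        label and all(c.isalnum() or c == "-" for c in label) for label in labels
    )


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def shortcut_target_mismatch(filename: str, content: str) -> Optional[Tuple[str, str]]:
    """Return (typed_name, actual_host) when typing the shortcut's base name into the
    location bar would open this shortcut and land on a different host; else None."""
    if not filename.lower().endswith(".url"):
        return None
    typed = filename[:-4]
    if not looks_like_hostname(typed):
        return None
    target = parse_url_shortcut(content)
    if not target:
        return None
    host = (urlsplit(target).hostname or "").lower()
    if _strip_www(host) == _strip_www(typed.lower()):
        return None  # google.com.url -> http://www.google.com/ is what the user expects anyway
    return typed, host


def scan_shortcuts(directory: Path) -> List[Tuple[str, str, str]]:
    """Scan one directory (e.g. a user's Desktop) and return (file, typed_name, host) findings."""
    findings = []
    for path in directory.glob("*.url"):
        try:
            content = path.read_text(encoding="utf-8-sig", errors="replace")
        except OSError:
            continue
        hit = shortcut_target_mismatch(path.name, content)
        if hit:
            findings.append((path.name, hit[0], hit[1]))
    return findings


# Constructed samples: the post's yahoo.com.url, a benign google.com.url, and a non-hostname name.
SPOOF_SHORTCUT = "[InternetShortcut]\r\nURL=http://www.google.com/\r\nIDList=\r\n"
BENIGN_SHORTCUT = "[InternetShortcut]\nURL=http://www.google.com/\n"
NOTES_SHORTCUT = "[InternetShortcut]\nURL=http://intranet/notes\n"

if __name__ == "__main__":
    print(shortcut_target_mismatch("yahoo.com.url", SPOOF_SHORTCUT))    # ('yahoo.com', 'www.google.com')
    print(shortcut_target_mismatch("google.com.url", BENIGN_SHORTCUT))  # None
    print(shortcut_target_mismatch("Notes.url", NOTES_SHORTCUT))        # None
    # Assumed location; on Windows the user's desktop is normally %USERPROFILE%\Desktop
    for finding in scan_shortcuts(Path.home() / "Desktop"):
        print("suspicious shortcut:", finding)
```

Run it against any directory a user can write to and that the shell searches for typed names; a hit means typing that name into an affected browser opens the shortcut rather than resolving the domain.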

Conclusion:

As far as a security issue goes, I’m not sure you can class this as a problem. After all, if you already have the ability to write files on a system, then altering the hosts file (%SystemRoot%\System32\drivers\etc\hosts on Windows) would surely be more effective. The one difference is privilege: editing the hosts file needs administrator rights, while dropping a .url file on the desktop needs nothing more than the user’s own write access. So on restricted systems this might come in handy!

Note:

A few people have mentioned that this seems fixed in the latest Chrome and in IE 8. Tested at this end, and IE 7 is still “vulnerable” to this quirk. Nice to see browser vendors have started fixing this over the past year or so!

2012 Predictions

It’s only a month before 2011 is officially over and 2012 kicks off… so what better way to waste my time and yours than to write a stupid list of things that will probably never happen in 2012… or to go back and say why all the things I wrote last year didn’t happen! Yes, that’s right boys and girls, it’s the silly season, where smart people the world over start telling you what they think might possibly happen next year. From wild predictions about the rise of Linux on the desktop, to the coming of the IT apocalypse, and everything in between.

So, just to not get left out in the cold on this one, I’ve spent a good 20 to 30 seconds thinking up some points that are worth listing. Just to keep on point I’ve restricted myself to the top 3… don’t want to overload you with amazingness this late in the year after all ;)


Shit will happen

There’s nothing you can do to stop this… shit happens all the time. Chances are, shit will happen to you, your friends and your next door neighbours cat. You should learn to live with this, for your own good!

People will panic

OMGWTFBBQ another exploit in Adobe PDF reader… it’s the end of the world as we know it!!!!11111oneoneone

No, it’s not. Just relax, think for a second, and then uninstall that shit! (see point 1)

Life will go on

We’ve lived through MS08-067 (some of you still are, apparently), we’ve lived through the ILOVEYOU virus (and the movie it spawned), and we’ve lived through over a year of people thinking Rick Rolling is still an art form (it’s over… no, really!)

People get all stressed out about this shit (see point 1, and point 2). Relax, take a breath. Just remember, it could be worse! You could be at a Justin Bieber concert!

So, what does this mean for us in 2012… other than the phrase “same shit different day” obviously. Well if I were you, and I’m not, I’d take 2012 as the year you go back to basics. Your shiny new WAF/IPS/Firewall Mega box with flashy blue and orange lights is going to do less to protect your enterprise than changing default passwords and making sure your phpMyAdmin is patched and restricted to your management LAN IP range!

It’s not sexy… it’s not even fun… but it’s where we’ve been going wrong for the last X years. You build a tower of security on sand, it’s going to crumble… and you’re going to get sand in your crack! So build a solid foundation!

Have a good 2012, let's try and make it better than 2011 shall we!

Klout: Because we’re all special little snowflakes!

I’ve never really been interested in the whole “I’ve got more followers than you” stuff people on twitter sometimes get into. At least, not to some crazy level. Sure, I checked my follower list every now and then (mostly just to cull the spammers etc.) but that’s about as far as it went. Still, when I moved over to using Seesmic I couldn’t help but see these odd little >K symbols and finally, curiosity got the better of me.

What I found on Klout when I signed on was interesting, at least interesting enough for me to share with you guys…

Wow… look, aren’t I special. I’ve got a Klout of 61! Yes, I have no idea what 61 means, there’s no range here… 61 out of 62 is high… 61 out of 1000 not so much. Great start. So far you’ve reduced me to a number and asked me to share that with the world! I’m gonna go out on a limb here and say, no, I won’t be sharing that useless fact!

So… let’s see what other gems they have for me, shall we. Let’s start off with the profile and see what they can tell me that I don’t already know about myself. After all, they know things I don’t, I’m sure.

Ok, seriously, I get that 61 is a big thing for you, but I’ve still no idea what the scale is, so for me, it’s kinda like a big sign that says “Dunce”. What else do you have for me. Ok, I’m an influencer of 1K (I’m guessing that’s 1 thousand, although I doubt that highly… why would anybody listen to a chump like me for goodness sake!). Ok, now this makes more sense… apparently I’m influential about Information Security, hacking, and popcorn! This must be some sort of weird twisted version of me that likes to eat sweet (and/or salty) snacks and talk about them endlessly on social media! It’s a strange world… but wait a minute. It says I’m a specialist! At least it didn’t say thought leader (hint: check out my Eurotrash Security co-host @CraigBalding’s Klout page).

So what is a specialist, at least according to Klout? Ah, such nice words… I’m not a celebrity (thank fuck for that) but I’m still special… it’s like Klout is somehow there to reinforce people’s egos and make them feel less like the people they really are. Lots of tweeting about a single topic doesn’t make you a specialist… it makes you a loudmouth who doesn’t know when to shut up.

I disagree with your opinions here Mr Klout sir… so, some playing around in the DOM will fix this up quick proper I think! A little tweak here, a correction there….

There, that looks so much better than before. I wonder what other misguided ideas they have about me. Let’s take a little look in the score analysis. Ooooh look, pretty charts with lines on them. They go upwards, this must mean that something great is happening, right? Pity the history only goes back a month or so. Guess they don’t like large (i.e. realistic) data sets. Well, at least they give a scale on some of these things. Still, just a chart on its own doesn’t help much. Let’s see if I can compare a chart from me to a chart from somebody who really HAS some Klout… HD Moore for example. (sorry HD, first name that came to mind)

Wow… if there was ever a result that made you realize that these sort of sites were as useless as a chocolate teapot, it’s this one.

(Almost) no words come to mind to describe this… but I’ll try, as it is a blog after all.

If you think services like this offer you a realistic outlook on who YOU are, then you really need to rethink these misconceptions.

This whole “everybody is special” thing has been taken to the nth degree. Do you think Klout (or any other such service for that matter) is going to tell you that you suck! That you’re boring and nobody cares what you have to say! No… they’re going to tell you what you want to hear using stats, nice graphs and the virtual pat on the back to tell you that you’re great. You’ve unlocked the “Pat on the back” achievement.

None of this makes a difference. People don’t ignore other people whose Klout number is less than theirs, and I certainly don’t respect people with a high Klout number any more for it. Numbers can say anything you want them to say. They can also lie to you.

TL;DR – Stats like this are based on false logic, bad stats and a desire to make you feel “special” about yourself… be your own little special snowflake and ignore this kind of thing! Talk about what you want to talk about, don’t bow to the pressure to be something you’re not!

Maintenance Window!

I’m sorry, but the Catch22 (in)security blog is currently offline due to the ongoing maintenance window!

This post brought to you in association with #ExoticLiabilty
