Site: The Daily WTF?
URL: http://www.thedailywtf.com/
Summary: An amusing stroll through some wondrously pessimized program code
For those not in the know, "WTF" is Internet shorthand for "What The ..." (I will leave "F" as an exercise for the reader). This site allows visitors to post program code from real-life production applications that, when looked at, makes one utter "WTF??" (either internally or aloud).
If you have not had any programming experience at all, you will likely not understand much of what is going on for most of the site's content. Languages making frequent appearances include Visual Basic, SQL, Java, JavaScript, and Perl, among others. Sometimes, the "WTF" in the code is so amazingly blatant and hits you in the face that you wonder what the developer must have been thinking, while other times it is so subtle that it only shows up after careful review.
The thing I like best about this site (in addition to making me feel better about my own meager coding skills) is the user comments section. Each entry (and there is usually at least one per day) will usually generate between 50-100 comments from readers... and I must say that the comments on this site are absolutely the most creative, well-formed, witty, and amusing out of every other single web site on the Internet. Even if you never read one line of the code, the comments will have you awed or in stitches (or both).
One item per day makes this site a quick read, but it is well worth the 5-10 minutes.
I don't speak Perl, however I do understand the notion of a "regexp" or "regular expression" (they are used in many programming languages). For those not in the know, a regexp is a way you can use various symbols to do text matching -- this can help you isolate particular strings or values in very long documents.
I just ran across this regexp used in a Perl module that validates email addresses according to the RFC standard:
http://www.ex-parrot.com/~pdw/Mail-RFC822-Address.html
Most regexps look like line noise, but this one takes the cake. I cannot fathom the number of man-hours it must have taken to compose and debug this one.
Stealing the Network: How to Own the Box
by Ryan Russell, et al.
Published by Syngress Publishing, Inc.
2003
Stealing the Network: How to Own the Box is a couple years old, and is the first in a series of books that provide information on computer and network security by combining fictional narratives with genuine techniques. It is not written as a "how-to" guide, which makes it an easier read for a non-geek, though there is enough real technical information contained in the short stories to give a sysadmin or security enthusiast something to go on.
The book is divided into ten chapters (and an appendix that non-geeks may take a pass on), each one of which gives a short story dealing with some aspect of security. While there are clear roles associated with the protagonist in each story -- some white hat, some black -- overall the book does a nice job of presenting the information in a useful way without imposing morals on the reader.
The stories give a wide variety of scenarios, which include:
- a general "break into a network" hack
- worm analysis
- hardware hacking
- printer security
- hacking without hacking (relying on the general laziness of users)
- wireless security
- social engineering
- forensics and post-incident analysis
The narratives are all more or less easy to follow (though a couple are somewhat long and dull), and help to illustrate good security by showing just how powerful poor security can be in the hands of an attacker. By riding shotgun on several different scenarios, you can spot the weak points and see where exactly vulnerabilities can be exploited. It shows that many networks, even those with SOME security in place, can often still be compromised relatively simply. Although it has been repeated to the point of being cliche, it is true that a chain is only as strong as its weakest link -- and many times, the weakest link is plain human laziness or ignorance.
This book is a quick read; I finished it in a little over a week. However, the effect it has had on me will be much longer-lasting. Although it is a bit dated by modern standards, there is enough real information to serve as a reminder that, while it is easy to talk about security on a web forum, true security is found only when you roll up your sleeves and get your hands dirty. It is not always enough to assume you are secure simply because you know a thing or two about firewalls and Windows Update. Security is a process, and it ends up being a process that is never truly finished.
I would like to close by sharing a quote from the book that, for some reason, has stuck with me:
"What’s funny is that I’ve never needed to resort to some fancy theoretical
exploit that security researchers talk about, because the script kiddy stuff
usually works just fine. I’ve seen administrators go to great lengths to prevent
man-in-the-middle attacks. But I’ve never actually used such an attack
myself, I don’t know anyone else who has used one, and I don’t know
anyone who was ever a victim of one."
I highly recommend this book to anyone with a real interest in the guts of security. The dead tree edition retails for around US$50, though you can probably find a cheaper one used, or if you don't mind reading electronic copy (or if you have a printer that can handle it), you can download the eBook here: http://abel.sk.tsukuba.ac.jp/~janos/pool/bookshelf/book/
Site: http://earth.google.com/
I just ran across Google Earth the other day. In short, it is a humdinger of a GIS application that combines aircraft/satellite imagery with a host of other data that you can overlay.
For example, I wanted to locate my home. I could zoom in on the houses in my street, and see my house and yard clearly (and it looked like a car parked out front). I went into the "Driving Directions" module, and entered my work address. Not only does it give you directions, but it plots the route out on the map for you. You can also add or remove street names, restaurants, hospitals, ZIP code and city boundaries, census data, railroads, and almost anything else you can think of.
I was most interested in my hometown (naturally), though they claim to offer a comparable level of detail for most cities in the world. If that is the case, then Google has once again hit the Grand Information Nail on the head... the possibilities of a tool like this are almost endless.
This blog has been added to the Pittsburgh Webloggers site.
The site's homepage is here: http://www.pghbloggers.org/