dmac blog

Accepted Password Characters Standard Please???

Fri, 31 Mar 2006 23:44:43 -0600

I could be completely wrong, but to my knowledge there is not a Standard for accepted password characters. For those of you that have ever developed an authentication/account management system on the web, you know that deciding what password characters you are going to accept is somewhat of a pain. You want to protect against multiple types of injection attacks, yet still provide your users with as much flexibility as possible. Every type of user input on your site is one more gateway to a malicious hay day.

When developing your own system, the accepted password characters are up to you. You make the decision based on what type of security you want to provide your users. They choose the password that follows your guidelines and case dismissed. Here is the show stopper. What if the project you were developing actually managed passwords from other sites? Then you have to be able accept dang near every character there is yet still protect your users and yourself against injection attacks.

When other sites (Some Big Names) allow characters such as:

' " < > ? { } ....

You are now forced to allow your users the ability to enter these characters so that you can manage their actual passwords. Allowing these characters is like handing them a loaded gun and saying, "I trust you won't shoot me".

Using input sanitation techniques is out of the question. Your normal password is stored after being ran through a Hash Function (md5, sha1, sha256, etc). Your sanitation strips characters for protection and creates the hash. Repeating this process every time the user enters their password will result in the hashes matching and the user will authenticate. The user never knows that characters are actually being stripped. When using Symmetric Key Algorithms such as TDES and AES, your recovered clear text must match the users initial submitted clear text. See the problem??

There are ways around these problems and I use them quite regularly, however a strict password character standard could solve all our woes.

Bye Bye Bible Run

Sun, 19 Mar 2006 19:32:22 -0600

The Bible Run has officially been ended by yours truly. I gave it the old "rm -rf" for the geeks out there. I am as much to blame as everyone else. I honestly think that Sozo would have been the only one to stick with it (Great Job Bro). A straight through reading of the bible is probably not the best approach. I hope many of you are still reading the bible daily. It was fun while it lasted.

It has been a while

Wed, 08 Mar 2006 14:37:00 -0600

I figured I would make post and catch everyone up. As you probably already know I have not made a post in sometime. I have been pouring blood, sweat, and tears into an "Identity Protection Suite" I like to call DEFYGO. We are currently finishing up some of the latest features and we are getting ready to do some advanced testing. Basically, I am going to try to break it every way I can so that we can debug as much as possible. After about 10,000+ lines of Server/Client side code, it is nice to finally do some testing. Who knows, it might just be available for download in the near future. Expect a link!

Are you up for the CHALLENGE??

Sat, 28 Jan 2006 19:25:07 -0600

I am personally challenging all those who read my blog to join "The Bible Run". It is a little idea that I have come up with and want to share with all those that are interested. The question is, "Can You Handle It".

CLICK HERE FOR MORE

Are you in my class?

Fri, 13 Jan 2006 16:51:38 -0600

I just found out about 5 minutes ago that I am officially teaching "Network Systems Security I" online for the Telecommunications Systems Management program at Murray State University. The class number is TSM 352 and it is only taken by students who are specializing in InfoSec. This is an exciting opportunity and I plan teach more classes next semester.

Addition: I wanted to clarify that I am actually teaching this online.

It's Nice To Be Noticed

Sun, 08 Jan 2006 20:12:31 -0600

I was browsing the "Internets" when I came across the "Applied Computer Security Blog". It is a blog ran by the folks over at Find Protected. Two particular posts they made grabbed my attention. They are as follows:

Both of these posts referenced an article I wrote here on the blog titled "The Day When Security and Laziness Combine". You never know when people are actually reading the things you type.

You Almost Got Me Steve

Fri, 06 Jan 2006 16:10:01 -0600

For those of you that don't know Steve, you are really missing out. There is one unique thing about Steve. He loves to do webdev and has a way of talking you into diving into random projects. Recently, he tricked me into wanting to code my own blogging software. This can be really simple, but for those of you that know me, I have to go all out. So I spent a few hours laying out my tables and thinking about the features I wanted to add. I spent a little while thinking about the things that I like in both Movable Type and WordPress. After the brainstorming conceptual design phases I asked myself, "WHAT THE HECK AM I DOING. WHY AM I RE-INVENTING THE WHEEL".

I need a webdev project, but this is not the answer. Got anything else Steve??

Giving The House A Makeover

Tue, 27 Dec 2005 09:13:39 -0600

The wife and I both have this week off and have decided to give our house a bit of a makeover. The current agenda is as follows:

Spackle and sand a few rough spots on our walls to prepare for painting
Paint the Kitchen Sage Green
Paint the accent wall that connects to the vaulted ceiling in our living room maroon
Put up ClosetMaid Shelving in the Garage for more storage
Put up some additional ClosetMaid shelves in our closets
Paint the back bedroom (color not decided) and make it the Office (e-Liberty Headquarters)
Make the current office a smaller guest bedroom
Re-Paint the baseboards in most of the house
KILz a few spots on our ceilings
Put a better floor and a light in our attic storage

This is definitely a hefty work load, however I plan on finishing it this week. It really reminds me of the two years I spent working for McCallum's Custom Paint and Decorating. I was 12/13 years old at the time. Wish me luck and hopefully it will be ready to see at the next Monday night gathering.

Removing Friend Links

Mon, 26 Dec 2005 09:33:37 -0600

I have noticed recently that two links in my friends section, "BrownHosting" and "Brian's Blog", have been giving me errors. I am taking them down for now. Brian and Heath, if you get a site up going soon let me know and I will link you again.

My Christmas Rant

Fri, 23 Dec 2005 15:23:38 -0600

Lately I have come to the realization that I rarely use my blog as a ranting ground. After all, it is my blog and these actions are fully justified. So I dedicate this RANT to my cousin johno.

Ok, so in the last few days my wife had a very strange conversation in which she was told that many Church of Christ do not celebrate Christmas as Christ's birth. Instead they celebrate it as a time of giving, friends, family, and even Santa. These are all good reasons for the season, however I had never heard that they didn't celebrate Christ's birth. I was completely surprised.

The individual that supported this gave us a few reasons. I also did a little online research and from all of this I was able to come up with 3 common reasons why SOME (not all) COC's don't celebrate Christ's Birth on Christmas. They are as follows:

Christ was not born in the winter months, he was born in the spring. We know this, as we know when Jews were to pay taxes and Mary and Joseph were going to pay taxes at the time of Jesus’ birth.
Nowhere in the Bible are we asked, commanded or encouraged to celebrate Christ's birth.
December and the Solstice was a Pagan celebration and Catholics borrowed it to celebrate a special Mass or Christ-mas and as such is not a Christian activity. My church celebrates Christ's life everyday of the year, with no day being greater than another.

So the RANT starts here.

Christ was not born in the winter months, he was born in the spring. We know this, as we know when Jews were to pay taxes and Mary and Joseph were going to pay taxes at the time of Jesus’ birth.

HAHA, so apparently you are not allowed to celebrate anything unless it is historically accurate down to the day. Assuming this stipulation is a good reason, we need to go ahead and throw out about half of the other days we celebrate over the year. After all, we are not 100% sure of the exact time of the year of many of them so there is no need to celebrate them. Historical accuracy is the trump card. Oh yeah, lets not forget about the Sabbath that you still celebrate on Sunday. In case you have forgot, Sunday is the first day of the week and God rested on the 7th. Why are you not moving your services to Saturday?? I guess it was just easier to worship on Sunday with everybody else. But Christ's Birth??? I guess you will selectively put your foot down on that one. Moving on..

nowhere in the Bible are we asked, commanded or encouraged to celebrate Christ's birth.

This is my favorite of the 3 points. Have you asked, commanded or encouraged anyone to celebrate your birthday lately?? You better make sure you get those requests out or WE WILL NOT CELEBRATE IT THIS YEAR!!! After all, we are not going to go above or beyond the call of duty here. I am almost sure that if Christ wanted his birthday celebrated he would have taken time out while on the Cross to let us know....right?? I am going to have to throw the Bull Crap flag on this one. Is it even necessary for me to explain how ridiculous this sounds? As a human my purpose is to Glorify God. Occasionally, I like to take time to worship him and praise his name without being asked!! What glory lies in actions that are only to fulfill orders or requests??

Lastly..

December and the Solstice was a Pagan celebration and Catholics borrowed it to celebrate a special Mass or Christ-mas and as such is not a Christian activity. My church celebrates Christ's life everyday of the year, with no day being greater than another.

This is almost as good as the last one. So basically they are saying that Catholics decided to create a Christian celebration during a very popular Pagan celebration. Wow!! That sounds like a really bad idea. UMM NO! That sounds like a great idea and a great evangelism tool. Why do so many churches have activities on Halloween?? You think this might be for the same reason?

On top of this, you’re saying that Catholics "borrowed" it. I ask you, are you still celebrating Christmas? Oh yeah, that’s right you are. I guess you "borrowed" it from the Catholics to celebrate giving, friends, family and even Santa. You also improved it by removing that horrible tradition of celebrating Christ's birth. And all because you "celebrate Christ's life everyday of the year, with no day being greater than another." This is a decent policy I have to say. So in support of this belief they don't celebrate Easter either right?? Oh wait, They DO!!

I would not have made this post if they would show their true beliefs by not celebrating Christmas. Instead they choose to celebrate it by making it very clear that Christ's Birth is not the reason.

I wish you all a VERY MERRY CHRISTMAS from the bottom of my Christ's Birthday Celebrating Heart!! Jesus didn't ask for it, but he is sure going to get it. I guess we will call this Birthday Celebration a Surprise and maybe he will forgive us for not getting the day perfect. Afterall, he is in the forgiving business.

A Brief Update

Thu, 08 Dec 2005 23:59:38 -0600

As many of you have probably noticed, it has been a while since I have updated the blog. So I decided to drop in on it for a little while to implement a new style, xhtml validation once again, and this post. Over the past few months I have been a busy man to say the least.

Did a complete site redesign on e-Liberty.org. We are getting ready to bring it out of its dorment stage in the near future.
Co-Authored an Identity Protection Suite with Craig that will be available free on e-Liberty.org in the near future. It is aproximately 7000 lines of code (server side and client side combined).
Learned a great deal of PHP
Just finished my last homework assignment of my undergraduate life an hour ago.

I am sure there are a few more things that probably need to be mentioned, but my brain is currently mush.

Office Terminology Explained

Fri, 21 Oct 2005 16:02:20 -0600

Lately I have realized that the talk around the office would almost appear as if encrypted to the unstrained ear. I wanted to take a little time to explain some of the words.

Gross:
Dictionary: Offensive; disgusting
Office: used to describe a geek form of creativity

Disgusting:
Dictionary: To excite nausea or loathing in; sicken
Office: used to describe a geek form of unprecedented creativity

Boughetto:
Dictionary: N/A
Office: a mixture of boughy(French term for rich, fancy, etc) and ghetto(urban term for opposite of boughy) EX. Authenticating a user by passing credentials to a webpage and then searching for the text "You have successfully logged in" on an authentication page instead of checking it against an encrypted password file is boughetto.

Huge:
Dictionary: Of exceedingly great size, extent, or quantity
Office: Used to describe a major geek breakthrough. When used properly it is pronounced more like Hewge!

Hu Huuu:
Dictionary: ???
Office: Vocal Yelp to relay to others that a time of celebration is at hand in regards to a major geek breakthrough. This is performed by the individual experiencing the breakthrough screaming "Can I get A" and a co-worker is responsible for yelping "Hu HUUUU". Leaving someone hanging on a Hu HUUU is punishable by mandatory use of IE for a week (New Policy).

Nuts:
Dictionary: An indehiscent, hard-shelled, one-loculated, one-seeded fruit, such as an acorn or hazelnut
Office: Used to praise geek efforts, but it really means I don't have time to think about it right now NEXT!

Jim McPete(Totty I may have the spelling wrong):
Dictionary: Some Dude???
Office: A glorious use of the up yours signal. Ex. Man, you should give that jerk the Jim McPete!

I know I have to be leaving something out. Is there anything else guys??

I got a bone to pick!

Tue, 11 Oct 2005 09:43:02 -0600

As you all know, many Americans have experience disaster due to hurricane Katrina and Rita. I am very happy to see many people lending a helping hand. However, I am somewhat disappointed in the reaction I have seen in many Christians (or at least they call themselves one). I have heard them say that this is God's punishment on a sinful society or maybe it will teach them a lesson. My question is, maybe the hurricane victims are not the ones being tested here. Maybe God is testing Christians to see if they will get off their judgmental butts long enough to lend a helping hand in the name of the Lord. It's just a thought.

Disgruntled Minister

Nice Sign!

Fri, 30 Sep 2005 15:17:37 -0600

You know you like that!

Bypassing Firewall Restrictions using Shunnels (IRC)

Tue, 06 Sep 2005 08:15:44 -0600

I'm probably going to regret showing how simple it is to get around firewall restrictions, but here it is. This is also a learning experience for administrators. The first thing you have to remember is that it is "all about the traffic". A firewall blocks most traffic based on patterns. For demonstration purposes I am going to use IRC as an example due to it being blocked behind many firewalls.

First, you must realize that if you can Masquerade IRC to look like an accepted protocol then you GOT IT! This is how easy it is using a SSH tunnel AKA Shunnel.

Technology needed:

SSH Service to computer outside the firewalled network: Linux OpenSSH, Windows OpenSSH
Putty (SSH client): download here
One .BAT File (we will create this later)

Step 1: Acquire an SSH service outside the firewalled network. You can use the SSH service for you web hosting or you can install one on a home computer using OpenSSH. If you are going to setup one at home I recommend using OpenSSH for Windows due to its simplicity and ease of setup (those of you that have Linux boxes feel free to use OpenSSH for Linux). Below are instructions for installing OpenSSH on a Windows Box.

Installing OpenSSH on Windows:

Download the .zip file linked above and unzip it
Run setupssh.exe
Choose to install the client and the server
Now open command prompt and move to C:\Program Files\OpenSSH\bin
Once you are there type the following two commands separately: "mkgroup -l > ..\etc\group" then "mkpasswd -l > ..\etc\passwd"
Now that the install is finished you must start your server. Open the command prompt and type "net start opensshd". To stop the server type "net stop opensshd". You can also create a .bat file with the start command and link it to the Windows Startup Folder if you would like for your server to start automatically on windows boot.

At this point you should have a SSH connection outside the firewalled network. If you set this up at home without a static IP I recommend creating an account at DynDns.org. They will provide you with a free domain name and a client to update your current IP when changed.

Step 2: Download Putty to a Directory on your computer.

Step 3: Open up Notepad and type the following line:

Putty -D 1080 -P 22 -ssh your.domain.com

"your.domain.com" is the domain of the computer outside the firewalled network that you’re ssh is hosted on. It can also be the IP address. Save this file as IRCshunnel.bat in the same directory as Putty.

Step 4: Now you must configure your IRC client. We will be using mIRC for our IRC client. Click the option button or navigate to View-Options. Under "Connect" on the left sidebar click on "Firewall" and configure as follows:

Also, make sure that you fill in your information under "Connect". Example as follows:

You have now done everything necessary to begin your chat on IRC. Initiate the session as follows:

Click the IRCshunnel.bat
It will open Putty and prompt you for a username and pass for the SSH connection. Enter your username name and pass.
At this point you should have Putty open to a prompt on your ssh machine outside the firewalled network. Leave this open. DO NOT CLOSE IT!!! You can minimize it if you want to.
Lastly, Open mIRC and connect to your favorite server.

Don't be afraid to smile when you finally get to chat on IRC again. If you have any problems setting this up just leave me a comment and I will try to help you out.

Other Suggestions: If your firewall does not allow outgoing SSH or If you just want to show off, open the config file for you’re SSH server and edit it to listen on port 443 instead of 22. Then edit your batch file to the following:

Putty -D 1080 -P 443 -ssh your.domain.com

This will make your Shunnel appear as if it is a HTTPS connection which is allowed to pass on most all firewalls.

This Shunneling technique is not limited to IRC. It works with anything that allows a Sock4 or Socks5 configuration. You can create other .Bat files for Internet Explorer, Firefox, and other messaging clients. Configure their SOCKS proxy settings to point to server 127.0.0.1 and the port of your choice (make sure to edit the port in you .BAT file). You will then use the IP of your home computer when using these programs.