WorkPapers Release, Some Great OS X Applications

First things first! WorkPapers Web Edition is now available at https://workpapers.pro. The site still has a few rough edges, but the project has progressed enough to invite blog readers, registered users of the desktop software, and others for a taste of the best work flow software on the ‘net. Register here to get into the provisioning system. At this time all provisioning is manual in order to evaluate load requirements and have a bit more security control over site access. We’ll automate the process in the near future (actually it’s already coded, but not enabled) after we have determined the appropriate load balancing schema and scaling strategy.
During the last phase of this project, over the past couple days while coding the front-end web site, I ran into a couple of OS X applications that literally blew my mind. After downloading, I scratched my head wondering why I had not heard of these apps before.
First, Pixelmator is the most rocking Photoshop replacement you can buy. If you want to do graphics manipulation every once in a while, want the power of Photoshop, but do not want to re-finance the house to get something done, this is for you. A mere US$59 gets you a graphics application that opens and saves Photoshop format, handles layer manipulation, and is perfect for web graphics.
Next, CSSEdit is the key to working with CSS without having to memorize all those style sheet selectors. Over the past couple months, I spent hours looking up various selectors online. With CSSEdit, the code-sense will keep you from endless trips to w3schools or other reference sites.
Finally, while at MacRabbit to purchase CSSEdit, right at the purchase page they try to hawk Espresso – their HTML IDE – onto you for an additional cost. Well, I bought them both and am not looking back. Espresso and CSSEdit both offer real time preview, combined with code-sense, in a nice Cocoa OS X interface.

Accent Zip Password Recovery – A Career-Saver

The fine folks over at passwordrecoverytools.com sent a request for an evaluation about four months ago, and as I was ensconced in a plethora of security work and programming, I never had a chance to test the tool for a good writeup. That was, until I decided to go on vacation last week and a client sent a password protected zip file without forwarding the password! That same client has decided that since I am on vacation, that my emails are not worth responding to! Hmmm…. Hahhhh! (small bellows of smoke roll out from the ears)
Well, the password was recovered in all of ten minutes. Five minutes to boot up Parallels (only have my Mac here) and install Accent Zip Password Recovery, and another five minutes to figure out the program.
Overall, the program works fast and, as interfaces go, is fairly intuitive. I am definitely going to give this tool another run when I find a client relying on WinZip passwords for file transfer. Also, there are many other password recovery tools at the same site for MS Office (including individual licenses for Excel and Word), MS Access, and MS Money – all a good tool chest for a security auditor who wants to prove a point about the reliability of these built-in password mechanisms. Although I did not have to use it, the advanced dictionary features of this software make it even more useful for security testing. As a security testing professional, I consider that any password tool does not pass muster without custom dictionary capability.

WorkPapers Release Around The Corner

After much anticipation from the WorkPapers user community, I am proud to announce that invitations for WorkPapers trials and testing will go out throughout the following week. After watching some fireworks tonight (from Honolulu, Hawaii), I will set up the first pre-production release, which will be released as invitationware. Those who actively participate in this phase over the next couple of weeks will receive a free one year subscription to the service. Please notice the ‘actively participate’ qualifier. That means posting to the user forum with bugs (since there will still be a few), suggesting improvements, commenting on your own work application of the service, and answering others’ questions.
The initial release will include IMAP mail connectivity and allow users to link emails to their working papers. WorkPapers will also feature a ticked-reviewed-complete workflow with user access in three levels – manager, editor, and reviewer. All pretty much the same as the original desktop software complete with a tree interface tied to multiple text editors. Here are a couple (big) screen shots. There are still some style and placement tasks outstanding that we will work on before uploading.

Procedures Tab in WorkPapers

One of the big programming challenges in this release was the addition of email connectivity. As auditors, attorneys, or researchers that need a good working papers solution, our professional lives revolve around email. This release was held back about six weeks due to many intricate email challenges. In fact, email, Google Contacts connectivity, some Exchange 2007/2010 Outlook Web Access (OWA) connectivity, and schedule integration with Google Calendar and OWA are already coded under the hood and will be released gradually after testing. This initial release is a ‘shaved’ version of solid, tested code.

WorkPapers Review Notes Screen

Also, in good WorkPapers fashion, the user will not be tied into using the workflow tabs that we have programmed into the interface. The tabs across the top of the text boxes are fully customizable by individual project. All other solutions try to lock us into their so-called best practice workflow, which is fine if all you have to do is one kind of audit, review, or research.

WorkPapers Email Screen

These screen shots show only a small portion of WorkPapers functional ability. Not only can you link emails to procedures and evidence, but users with proper access can send procedure/task details via email. This makes it very convenient for a manager to ‘push’ tasks and prioritize work as necessary.

This is just a small taste of what is to come…. In the next couple of days I will submit another blog post directing everybody to a web site where they can register for an invitation to use WorkPapers.

Oh, and yes, I am a user too. I have been using the software for the past three months on the production server and have found it very useful in juggling the many tasks related to multiple project management at work and task management for development of WorkPapers itself.

Whew!! Coming Up For Air

Posted on 18 May 2010 In: Internet, Java, Tech, WWW, Web, programming

Hi All. Crawled out of the dark coding dungeon for some fresh air over the next couple days. Then back into web site touch-ups, alotta photoshop, and some rounding out the rough edges, then deployment. Last night uploaded a milestone version of the web version of WorkPapers to the repository. This version pretty much does all of the base functions – tying together workstep and results editors to the tree view, attachments, project tracking, and the first step of Google Apps integration.
Okay, okay, I know you all have no idea on what I am describing… thinking out loud. But when you see the application in a couple weeks, you’ll know. I’ve taken legacy versions of WorkPapers and kept those functions, while adding optional GTD, social media, and application sharing features.
For those of you who have not figured out the hosting web site yet, I will be disclosing that information with an open invite in the next couple days… or weeks, depending on how quick I get things done. For most reasonable purposes, announcements for the invitationware release (with adverts) will go out by the weekend. Paid release announcements will go out in mid-June. Previous purchasers of WorkPapers software will get a one year subscription to the service free of charge and an invitationware invite to become an early adopter.
I must say, web application programming is much more tedious with many more variables than desktop programming. This iteration of the software will ultimately be both – the web application and the application desktop tool. I wanted to stay completely away from a desktop version initially, but after spending a couple months of development, realize a couple things:
1) I want to give users a way to work offline and synch with online contents – added value for higher paying customers.
2) No matter how ‘rich’ and ‘sexy’ you create a web application, depending on the widgets used and target functionality, one web browser is always better than something else.
The solution to both of these challenges is to roll my own web browser that links with some desktop services like email, calendar, and contacts, while presenting the WorkPapers web application in the most visually pleasing, high performance environment possible.
Stay tuned…. will be blogging a lot more in the near future.

New WorkPapers Release Coming

Posted on 14 Apr 2010 In: Internet, Japan, Java, WWW, Web, programming

Hi All! It’s been a while, but since then I have been hard at work programming on a couple of projects in a couple of languages. Over the past couple of weeks, since mentioning WorkPapers in a blog posting, several users have replied via email calling, requesting, and some demanding a new release. Well, it’ll be out in a few weeks. This next release will enhance the previous version’s synchronize, file exchange, and export features – with a few long-awaited reporting upgrades. A subsequent release will include WorkPapers Web Edition with client software synchronization and/or a pure filthy rich online experience. This mix of web and client programming is really challenging, but I like the work since it ensconces the mind for hours and keeps me from going out and getting in trouble.
Speaking of trouble, climbing season has come back around…. I climbed Mt. Kumotoriyama last weekend and it was coooold! The trees were still frozen, but that’s what one can expect at just about 7,000 feet.

WorkPapers Web Edition


Here is a quick glimpse of WorkPapers Web Edition…. the screen icons/buttons will change slightly before release to make it prettier. Trial sign-ups will start in about a week, so let me know if you’d like to try. The release will be an extended (safer) beta release like GMail or other robust web apps, since users will also have the ability to synchronize their data offline to stay safe during the beta final design period – but beta will also be an extended free period with discounts for beta adopters. Join the fun!!!

MySQL Setup On OS X 10.5x – The Missing Procedures

This posting is basically to document the procedure for setup, so others do not have to go through the ordeal that I went through. I am not sure why more explicit instructions are not available, since when I Googled for the run-time errors that were produced as a result of using the MySQL DMG package, there were a myriad of comment postings and forum postings but very few solutions.

First, download the DMG package and the tar file (both) from MySQL download site. DO NOT INSTALL THE DMG INSTALL PACKAGE. Unpack the tarball and move to /usr/local/yourMySQLVersionFolder (<-substitute with your MySQL unpacked folder name.). Create a symbolic link to MySQL in /usr/local —> sudo ln -s yourMySQLVersionFolder mysql.
A mysql user account is in OS X by default, so move into the mysql folder
–> sudo chown mysql . 
–> sudo chgrp mysql .
Move into the scripts folder and look for a script called mysql_install_db and open in vi, emacs, or your favorite editor and change the line,
localhostname='/bin/hostname' to localhostname='localhost'.
If you skip the procedures above, or just go ahead and use the install package provided by MySQL, everything will seem to work just fine after installation. You will develop and program your heart out, feel like the master of your destiny, then once you reboot, MySQL will not let you login to change anything. The error you will most likely see is:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
Over and over again, no matter what you do…..
That’s not all…. if you have completed the steps above, you may still get an error that says mysql cannot access /tmp, or something like that. At this point, do the following:
–> cd /usr/local/mysql
–> sudo mkdir tmp
–> sudo chown _mysql:wheel tmp
–> sudo chmod 755 tmp
Then pull up the editor of your choice to edit (or create in my case) /etc/my.cnf to include the following:
[mysqld]
tmpdir=/usr/local/mysql/tmp

At this point, all should work. Now go to the DMG package file and double click on the preferences pane icon, and when prompted whether you want to include it in System Preferences, press the yes button. Then unmount the DMG package and trash it. You’re done.
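Before rebooting, it is worth confirming that every step above actually stuck, since the symptoms only show up after a restart. The following is an added example (not from the original post, and not a MySQL tool): it checks the tmp directory ownership and mode, the tmpdir setting under [mysqld] in the option file, and whether mysql_install_db still derives the host name from /bin/hostname. The defaults follow the post (/usr/local/mysql, _mysql, /etc/my.cnf); all three are parameters, and demo() exercises the check on a constructed throw-away copy of the layout.

```python
import configparser
import os
import pwd
import stat
import tempfile


def check_mysql_layout(base="/usr/local/mysql", owner="_mysql", cnf="/etc/my.cnf"):
    """Return a list of problems; an empty list means every step is in place."""
    problems = []
    tmp = os.path.join(base, "tmp")

    # Step: sudo mkdir tmp; sudo chown _mysql:wheel tmp; sudo chmod 755 tmp
    try:
        st = os.stat(tmp)
    except FileNotFoundError:
        problems.append(f"missing directory {tmp}")
    else:
        try:
            actual = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            actual = str(st.st_uid)  # uid with no passwd entry
        if actual != owner:
            problems.append(f"{tmp} owned by {actual}, expected {owner}")
        if stat.S_IMODE(st.st_mode) != 0o755:
            problems.append(f"{tmp} mode {stat.S_IMODE(st.st_mode):o}, expected 755")

    # Step: /etc/my.cnf carries [mysqld] with tmpdir=/usr/local/mysql/tmp
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                       strict=False)
    try:
        if not parser.read(cnf):
            problems.append(f"cannot read {cnf}")
        elif parser.get("mysqld", "tmpdir", fallback=None) != tmp:
            problems.append(f"{cnf} does not set tmpdir={tmp} under [mysqld]")
    except configparser.Error as exc:
        problems.append(f"cannot parse {cnf}: {exc}")

    # Step: scripts/mysql_install_db edited so localhostname='localhost'
    script = os.path.join(base, "scripts", "mysql_install_db")
    try:
        with open(script, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    except OSError:
        problems.append(f"cannot read {script}")
    else:
        if any(l.lstrip().startswith("localhostname=") and "/bin/hostname" in l
               for l in lines):
            problems.append(f"{script} still sets localhostname from /bin/hostname")
    return problems


def demo():
    """Run the check twice on a throw-away copy of the layout (a constructed
    fixture owned by whoever runs this); returns (good_result, bad_result)."""
    me = pwd.getpwuid(os.getuid()).pw_name
    with tempfile.TemporaryDirectory() as root:
        tmp = os.path.join(root, "tmp")
        os.makedirs(tmp)
        os.chmod(tmp, 0o755)
        os.makedirs(os.path.join(root, "scripts"))
        cnf = os.path.join(root, "my.cnf")
        script = os.path.join(root, "scripts", "mysql_install_db")
        with open(cnf, "w") as fh:
            fh.write(f"[mysqld]\ntmpdir={tmp}\n")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\nlocalhostname='localhost'\n")
        good = check_mysql_layout(root, me, cnf)
        with open(script, "w") as fh:  # the unedited line the post warns about
            fh.write("#!/bin/sh\nlocalhostname='/bin/hostname'\n")
        bad = check_mysql_layout(root, me, cnf)
    return good, bad
```

On the real box, run check_mysql_layout() with sudo so the option file and script are readable, and fix anything it lists before rebooting.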
The frustrating thing about this little adventure was the plethora of install instruction blog sites: every one of the comment areas was filled with requests about the error above, and everybody had a different solution FOR THE SAME OS!! Hope this saves some time for somebody out there in internet land. If so, please comment. Also, for more morsels of wisdom, please refer to this site and this site, which is where I managed to gather the proper procedures.

WorkPapers Software, Java, Google Web Toolkit, and DMCA

Hi All!! Still alive and kicking. Been a couple of weeks since the last posting but I have been hard at work putting together another platform iteration of WorkPapers software. So far, I have created the audit working papers management software solution in Cocoa and RealBasic, so this time around I thought I would try one more iteration in Java and Ajax. For more information about WorkPapers, please see the projects page on this web site. This will give a cross-platform solution that will sync with a web-based Ajax interface… sexy! So now that I am in advanced stages of this programming iteration, I thought I would shop around for yet another domain name to host the software on. One of the domain names I searched revealed an imposter that states the product is still in development! Whoever decided to use the name must have thought of it, then said, ‘Yeah, that’s an awesome name!’ and proceeded to use it without searching or anything. I have not submitted links for it in three or four years as I have a user following, and still get number four or five on Google. What were they thinking? I know what I’m thinking… stop using my name or get ready to offer a serious cut!
I have used the ‘WorkPapers’ name for software since 2003, so whoever is out there trying to use my name will have a hard time collecting money for it free-and-clear because I have all intention of protecting the name…. that’s where DMCA fits into the title. Been learning a bit about that and also that it applies to trademarks too! Also, learned that a copyright and trademark right can be very well enforced even if they are not registered, and furthermore, even if somebody manages to register the trademark after you have used a name. I really hope all is settled amicably.

Along with my job as a security practitioner, I have been looking into developing domain analysis tools (especially AD) with Java and came by this link that outlines all the resources from Sun Oracle that outline how to use the JNDI framework for AD analysis. Good stuff for the hands-on types!
Enjoy…. 73s.

The Next Wave – Preventive Security and Statisticians

Over the past couple of weeks I have concluded that enough (bad) breath has been spent ranting about how system and security auditors really are missing the mark. However, one cannot reasonably just point a finger in one direction – it takes two to tango, so it is now time to point out what CIOs and administrators of secure environments should start to consider in order to prevent incidents. And along the way add a rant or two about how the average CIO (too) is an administrative paper-pushing policy guru that does not really have real systems administration experience – most come from a consulting background, have not had to own a system for more than a year, and some have never even had hands-on experience. Even more amazing, and I see this all the time when we go to propose on PCI projects, is the number of CIOs that really do not know their network architecture. Just as a CPA is now required on the board of every corporation as a result of SOX, a CIO with a minimum certification should be required for enterprises greater than a certain size.

Okay, okay, will hold back on ranting before covering some of the things that are really informative…

First, this article from Network World goes into some detail about how “the hackers” (from China) managed to get into source code repositories and transfer code over Google’s own WAN to sites in China, then successfully transferred the code via local connections. Does anybody besides me think that … hmmm. Let’s go first-person: If I were in charge of security at Google – basically a software company – wouldn’t one of my biggest priorities be to make sure the source code management systems were secure? Or, a better idea would be to split security into domains – internet security for the services offered, development security for source protection, test validation, and release control, then internal security that focuses on internal threats, training, and awareness. Well, it’s not just Google. A couple of other companies were hit as well – Intel, which should have already learned these lessons, and Symantec, which is in the security business. These companies being this vulnerable and getting taken for loads of source code, or having existing source code changed, should be a bigger shock than the fact that the Chinese government may be backing the whole incident. Where does this take us? Back to the preventive security argument. Preventive security measures would have prevented all (okay, at least most) of this mess point-for-point.

First, training and awareness would have prevented Google employees that were not using Chrome or Firefox from starting Internet Exploder and getting phished in the first place. In this day and age, the targeted attacks use a variety of methods, but the one sure-fire method of late is spear phishing, which is outlined in detail here and here. Our employees and I have been the targets of a couple of these attacks recently. Some of these emails are so well crafted that shivers go up your spine – they know where you work, your functional department, work email, and other details. This is a major upgrade to traditional phishing in the sense that the language is very fluent, official English and, unless you are careful, it can be convincing. In my case, the attacker knew that I could read Japanese and sent a rather fluent Japanese message with a fluent English follow-up a day later. This level of awareness needs to be taught, reminded, posted on corporate internal banners in break rooms, and made a part of a current and ongoing awareness program.

Second, periodic measurement of certain environment variables would probably have picked up on the code transfer across the Google WAN. Generally, IT and security management fails to manage their environments with appropriate measurement. In fact, most are tied up in, and pride themselves on, their ‘management’ and people skills, so they don’t think they should be part of the measurement process. The value of knowing the statistics within your environment cannot be overstated; better still, knowing what to measure, why to measure, how to measure, and documenting all of the above, combined with proper analysis, is one of the best preventive security advances in recent history. In other words, security metrics may have saved the day here. A couple of good security metrics for a security manager in charge of source code are:
1) number of check-ins and check-outs to a CVS system
2) number of check-outs without an associated check-in – the number of outstanding check-outs
3) number of check-outs to foreign (or branch) locations
While none of the above addresses a specific security vulnerability the way virus definition update metrics do, they do assert a risk disposition for source code control. If you are one of those who are afraid of measurement and statistics, start out slow: go to the security metrics link above, then visit the Carnegie Mellon University open and free courses in the Open Learning Initiative. There is a good starter statistics course in there that you could finish in about one to two weeks with less than an hour a day.
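To make the three metrics concrete, here is an added example (not from the original post) that computes them from a check-in/check-out audit log. The log format, user names and site names are constructed for the example; the home-site set is an assumption, and a real CVS or SVN history would need its own format parsed into the same tuples.

```python
from collections import Counter

# Constructed sample audit log (not real data): timestamp user action module site=...
SAMPLE_LOG = """\
2010-01-11T08:02:11 alice checkout webapp/core site=HQ
2010-01-11T08:05:40 bob checkout webapp/core site=HQ
2010-01-11T17:30:02 alice checkin webapp/core site=HQ
2010-01-12T02:14:55 carol checkout auth/sso site=BRANCH-APAC
2010-01-12T02:15:10 carol checkout payments/gateway site=BRANCH-APAC
2010-01-12T09:41:00 bob checkin webapp/core site=HQ
2010-01-13T03:02:47 carol checkout crypto/keystore site=BRANCH-APAC
2010-01-13T10:00:00 dave checkout webapp/ui site=HQ
"""

# Assumption: these are the "home" locations; any other site counts as
# foreign/branch for metric 3.
HOME_SITES = {"HQ"}


def parse_log(text):
    """Turn log lines into (timestamp, user, action, module, site) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, module, site = line.split()
        events.append((ts, user, action, module, site.split("=", 1)[1]))
    return events


def source_control_metrics(events, home_sites=HOME_SITES):
    """Return the post's three metrics plus outstanding check-outs per site.

    Events must be in time order: a check-out stays outstanding until the same
    user checks the same module back in.
    """
    checkins = sum(1 for e in events if e[2] == "checkin")
    checkouts = [e for e in events if e[2] == "checkout"]

    open_checkouts = {}  # (user, module) -> site the check-out was served to
    for _ts, user, action, module, site in events:
        if action == "checkout":
            open_checkouts[(user, module)] = site
        elif action == "checkin":
            open_checkouts.pop((user, module), None)

    return {
        "checkins": checkins,                                   # metric 1
        "checkouts": len(checkouts),                            # metric 1
        "outstanding": len(open_checkouts),                     # metric 2
        "foreign_checkouts": sum(1 for e in checkouts           # metric 3
                                 if e[4] not in home_sites),
        "outstanding_by_site": dict(Counter(open_checkouts.values())),
    }


if __name__ == "__main__":
    for name, value in source_control_metrics(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {value}")
```

Run daily and trended, the outstanding-by-site breakdown is the number that would have stood out in the incident described above: a branch location holding most of the open check-outs.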
Third, and the most glaring in this whole incident is source encryption and control. In most source code control systems for secure environments, a developer cannot just go to a repository and download a couple gigs of code without some type of higher level authorization. This is so amateur from a security and secure coding perspective that it really begs to be hacked.

Secure Coding: Principles and Practices

Fourth and last, but not least, is whether any of this code was actually deployed with back doors – release control and code review. This is one of the biggest, if not the biggest, flaws in modern software development. We must have somebody who actually knows, reads, and understands chunks of code holding the authorization power to release code into environments. I can safely say that over 80% of the banks operating in Japan (including the foreign multi-nationals) have some schmuck named Handa-san with a CISA certification and a title called Information Risk Manager (IRM) who is in charge of signing off on all test results and code releases. That so-called IRM in most cases has never written a computer program nor could begin to decipher a chunk of code from just about any framework in any language. But he signs his name away and when authorities and auditors ask if there is a sign-off, they get the right answer.
Enough ranting……. Hope you enjoyed or found some insight from the sharing or links. On a personal note….
Lately I have been joining a techie group of Japanese for a Sunday night radio show on Radio Tsukuba. Tsukuba University is the MIT equivalent here in Japan, so the audience and participants are as eccentric. The broadcasts are in Japanese and the recordings are here. The team there has also asked if I can do a three to five minute sideline on technical English or useful English pointers for ham radio operators – which is what I’ll start working on in a few minutes… stay tuned. And comment! Retort! Or express yourself in a non-spam fashion otherwise in the comments!

Increasing Attacks Against Grid Systems

Posted on 24 Feb 2010 In: Security, Tech

This article over in Dark Reading brings up an issue that power companies apparently have been denying for a long time. However, those of you who get the weekly SANS newsletter may have seen the sideline from Alan Paller: “The data that will be discussed at the SCADA Security Summit (http://www.sans.org/scada-security-summit-2010/) will make it much harder for EEI to claim it isn’t happening.” The power companies’ spokespersons seem to be in complete denial, but reports are showing over 120 attacks have been carried out against such systems.

Saltzer and Schroeder

This is a great article about Saltzer & Schroeder, two 1970s computer security researchers who published this paper. The principles in this paper are the most cited in computer security and many apply to secure coding. While many have heard of Saltzer and Schroeder or their basic computer security principles, few actually take the time to read their work.

Enjoy!
