Technology

The $300 GoTenna turns your smartphone into a CB radio

The $300 goTenna turns your smartphone into a CB radio and lets you send messages when you have no cell signal. This is promising tech, and it would be incredible in an emergency. The huge negative is that it only transmits to other goTennas. If it transmitted on FRS or GMRS frequencies it would be that much more appealing. Early adopters can get a pair for $150.00; after that it jumps to $300.00.

Check it out here

First independent FBI spec test on the G2 RIP round (there is no magic bullet)

The first video is his basic analysis of the physics of the round. The second video is against the state-of-the-art Federal HST. As you can guess, there was no barrier sawing observed.

gethead released

Friend and colleague Nathan LaFollette has released a new tool to analyse HTTP headers for security vulnerabilities. It is called gethead. Here is the info from the GitHub page:

gethead

HTTP Header Analysis Vulnerability Tool

View the project on GitHub: httphacker/gethead

gethead.py is a Python HTTP Header Analysis Vulnerability Tool. It identifies security vulnerabilities and the lack of protection in HTTP Headers.

Usage:

$ python gethead.py http://domain.com

Changelog

Version 0.1 – Initial Release 

  • Written in Python 2.7.5
  • Performs HTTP Header Analysis
  • Reports Header Vulnerabilities

 

Features in Development

Version 0.2 – Next Release (November 2013 Release) 

  • Support for git updates
  • Support for Python 3.3
  • Complete Header Analysis
  • Additional Logic for Severity Classifications
  • Rank Vulnerabilities by Severity
  • Export Findings with Description, Impact, Execution, Fix, and References
  • Export with multi-format options (XML, HTML, TXT)
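As an added illustration of the kind of check a header analysis tool like gethead performs, here is a small Python script added for this page (it is not gethead's code; the expected-header list, the severities and the sample response are this example's own assumptions). It parses a raw HTTP response head and reports missing hardening headers, a weak HSTS or X-Frame-Options value, version disclosure, and cookies set without Secure/HttpOnly:

```python
import re
from collections import defaultdict

# Hardening headers an HTTPS site should send, and what their absence exposes.
# This list and the severities are the example's choices, not gethead's.
EXPECTED = {
    "strict-transport-security": ("high", "no HSTS: TLS downgrade / SSL-strip exposure"),
    "content-security-policy": ("medium", "no CSP: XSS impact is unconstrained"),
    "x-frame-options": ("medium", "no X-Frame-Options: page can be framed (clickjacking)"),
    "x-content-type-options": ("low", "no X-Content-Type-Options: MIME sniffing allowed"),
}
# Headers that leak implementation details useful for fingerprinting.
DISCLOSURE = ("server", "x-powered-by", "x-aspnet-version")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def parse_response_head(raw):
    """Parse the head of an HTTP/1.x response into {lowercase name: [values]}.

    Values are kept as a list because headers such as Set-Cookie legitimately repeat.
    """
    lines = raw.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response head")
    headers = defaultdict(list)
    for line in lines[1:]:
        if line == "":
            break  # the blank line ends the header block; anything after is body
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def analyse(headers):
    """Return (severity, header, message) findings, highest severity first."""
    findings = []
    for name, (sev, msg) in EXPECTED.items():
        if name not in headers:
            findings.append((sev, name, msg))

    # HSTS is only useful with a max-age long enough to survive between visits.
    hsts = headers.get("strict-transport-security", [])
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < 15552000:  # under roughly 180 days
            findings.append(("low", "strict-transport-security", "HSTS max-age is missing or short"))

    # Only DENY and SAMEORIGIN are honoured consistently across browsers.
    xfo = headers.get("x-frame-options", [])
    if xfo and xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("medium", "x-frame-options", "non-standard value %r" % xfo[0]))

    # A product name alone is mild; a version string is a fingerprinting gift.
    for name in DISCLOSURE:
        for value in headers.get(name, []):
            if re.search(r"\d", value):
                findings.append(("info", name, "version disclosure: %s" % value))

    # Each cookie is checked separately: one hardened cookie does not excuse another.
    for cookie in headers.get("set-cookie", []):
        cname = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(("medium", "set-cookie", "cookie %s lacks Secure" % cname))
        if "httponly" not in attrs:
            findings.append(("medium", "set-cookie", "cookie %s lacks HttpOnly" % cname))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


# Constructed sample response head for the example; not captured from any real site.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Set-Cookie: theme=dark; path=/; Secure; HttpOnly\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for sev, name, msg in analyse(parse_response_head(SAMPLE)):
        print("[%s] %s: %s" % (sev.upper(), name, msg))
```

Feeding it a captured response head is as simple as pasting the raw bytes of the head into `SAMPLE`; the point of keeping parsing and analysis separate is that the checks can be run against any capture, not only live requests.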

 

Development Seed, operating out of their garage, may have been why the ACA site failed so badly

There is an article on the Washington Post outlining how the site got off the ground. You can check it out here.
Going by the article, it looks like the site was not properly tested. They also talk about all of the components of the site.

It sounds like service virtualization could have been a critical testing component.

I bet they were an agile shop <sarcasm>

Python for beginners

What do SQLMap, pypcap, uhooker, diStorm64, and powerfuzzer all have in common? They are written in Python, or expose Python bindings. So if you want to extend them, logically you are going to have to know some Python. Here is a great site to begin learning Python basics:

http://www.pythonforbeginners.com/python-overview-start-here/

Posts like this show everything that is wrong with modern developers

So this is a clip from an article on Ars Technica.

The entire article can be found here!

The short answer to this person's question is no, it is not okay to develop in production.

The reason I got out of the SDLC world was this kind of thinking. People claim they are Agile/RAD shops but have never implemented a methodology. Agile is a framework; Scrum is a methodology within the framework. You do not implement a framework without implementing a methodology to accompany it. There are other agile methodologies besides Scrum. Here is a short list:

  • Agile Modeling
  • Agile Unified Process (AUP)
  • Crystal Clear
  • Crystal Methods
  • Dynamic Systems Development Method (DSDM)
  • Extreme Programming (XP)
  • Feature Driven Development (FDD)
  • GSD
  • Kanban (development)
  • Lean software development
  • Velocity tracking

 

I do not care what methodology you use, or even what framework (waterfall/agile). You never touch production. I can't tell you how many times in my career I have been asked to debug a production software issue, only to find some rogue instance from a dev running on the box with a memory leak, SQL blocking/locking, thread locking/collisions, or some other issue that dorks up the server. In the world of virtual machines it is very tempting to develop on the prod box, because we can revert to a snapshot. But very few times have I seen a plan outlining a method for recovery. This is generally cowboy coding mentality. No matter what methodology you choose, you should dev locally and push to a duplicate box for your QA team to test before pushing to production. While we are at it, let's look at some steps you should be following no matter what framework/methodology you are using.

 

  1. Dev locally
  2. Unit test (NUnit/xUnit is unit testing, not functional testing)
  3. Commit to version control (CVS or similar)
  4. Push to testing (no, we do not test in production either)
  5. Properly functionally test the application (I would suggest something like HP's UFT (Unified Functional Testing), or if you're broke, Selenium)
  6. Track testing in a repository like HP ALM/QC or Rational ClearQuest
  7. Performance test the application (LoadRunner/Performance Center or NeoLoad)
  8. Security test the application (WebInspect or AppScan)
  9. Repeat steps 2-8 till the application is production ready
  10. Push to production
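To make the gate between step 9 and step 10 concrete, here is a small Python promotion check added for this page (it is not code from the original post or from any of the tools named above; the stage names, the result-record format and the sample data are this example's own assumptions). It refuses to ship an artifact to production unless every test stage passed against that exact artifact, the most recent run of each stage is the one that counts, and no stage ran against production:

```python
from datetime import datetime

# The test stages of steps 2-8 above, in the order they are run.
REQUIRED_STAGES = ("unit", "functional", "performance", "security")


class GateError(Exception):
    """Raised with a human-readable reason when promotion must be refused."""


def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def check_promotion(artifact, results):
    """Decide whether `artifact` (e.g. a build's commit hash) may go to production.

    `results` is a list of stage records shaped like (assumed format):
      {"stage": "unit", "artifact": "a1b2c3", "status": "pass",
       "target": "test", "finished": "2013-11-02T09:00:00"}
    Returns the stage records that justify the promotion, in stage order,
    or raises GateError explaining why the gate stays closed.
    """
    latest = {}
    for r in results:
        # Only evidence about this exact artifact counts. Tests of some other
        # build (say, a copy a dev hot-patched on the prod box) prove nothing.
        if r["artifact"] != artifact:
            continue
        if r["target"] == "production":
            raise GateError("%s stage ran against production; we do not test in production" % r["stage"])
        # Step 9 means stages get rerun; the most recent run is the truth.
        prev = latest.get(r["stage"])
        if prev is None or _ts(r["finished"]) > _ts(prev["finished"]):
            latest[r["stage"]] = r

    evidence = []
    for stage in REQUIRED_STAGES:
        r = latest.get(stage)
        if r is None:
            raise GateError("no %s result for artifact %s" % (stage, artifact))
        if r["status"] != "pass":
            raise GateError("%s stage %s for artifact %s" % (stage, r["status"], artifact))
        evidence.append(r)
    return evidence


# Constructed sample pipeline results for the example; not from any real system.
SAMPLE_RESULTS = [
    {"stage": "unit", "artifact": "a1b2c3", "status": "pass", "target": "ci", "finished": "2013-11-02T09:00:00"},
    {"stage": "functional", "artifact": "a1b2c3", "status": "pass", "target": "test", "finished": "2013-11-02T10:00:00"},
    {"stage": "performance", "artifact": "a1b2c3", "status": "pass", "target": "test", "finished": "2013-11-02T11:00:00"},
    {"stage": "security", "artifact": "a1b2c3", "status": "fail", "target": "test", "finished": "2013-11-02T12:00:00"},
    # security finding fixed in the same build config and the scan rerun
    {"stage": "security", "artifact": "a1b2c3", "status": "pass", "target": "test", "finished": "2013-11-02T14:00:00"},
    # a different build someone "tested" on the prod box: irrelevant to a1b2c3, fatal for deadbe
    {"stage": "functional", "artifact": "deadbe", "status": "pass", "target": "production", "finished": "2013-11-02T13:00:00"},
]

if __name__ == "__main__":
    for artifact in ("a1b2c3", "deadbe", "ffffff"):
        try:
            evidence = check_promotion(artifact, SAMPLE_RESULTS)
            print("%s: promote (%s)" % (artifact, ", ".join(r["stage"] for r in evidence)))
        except GateError as e:
            print("%s: refused: %s" % (artifact, e))
```

The design choice worth copying is binding every result to the artifact identity rather than to a branch or environment name: that is what guarantees the thing QA tested is the thing that ships, and it is exactly what a hand-patched instance on the prod box breaks.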

If you are not properly testing your application, then all you are doing is making your clients your testers. This never ends well.

 

If you would like to read a great series of blogs on agile testing, go here:

I don't always test my code, but when I do, I do it in production

 

Watch a Chinese hacker in real time!

Image provided by http://www.flickr.com/photos/brianklug/

Think you have great regex chops? Then give this a whirl.

This is from the MIT 2013 Mystery Hunt.

The puzzle is here

Hints are here

Interactive hint grid is here

evasi0n – iOS 6.x Jailbreak is live

Let the testing begin

http://evasi0n.com/

New Java Update

Oracle is pushing out an update with over 50 fixes in it. Go get it, and let's hope it does not introduce any more horrific issues.

photo by p!xeltree