<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>

<channel>
	<title>innismir.net</title>
	<atom:link href="http://www.innismir.net/feed" rel="self" type="application/rss+xml" />
	<link>http://www.innismir.net</link>
	<description>Pointless, vapid ramblings of a surly information security engineer</description>
	<pubDate>Mon, 05 Jan 2009 18:24:25 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Twitter Phish: Non-Event or end of the &#8220;Good Ol&#8217; Days&#8221;?</title>
		<link>http://www.innismir.net/article/216</link>
		<comments>http://www.innismir.net/article/216#comments</comments>
		<pubDate>Mon, 05 Jan 2009 18:23:50 +0000</pubDate>
		<dc:creator>Innismir</dc:creator>
		
		<category><![CDATA[Information Security]]></category>

		<category><![CDATA[Social Web]]></category>

		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.innismir.net/?p=216</guid>
		<description><![CDATA[Like many other Twitter users this weekend, I got the following DM from someone I followed:
Hey, i found a website with your pic on it… LOL check it out here &#60;link&#62;
As soon as it arrived, my spidey sense went off:

Unsolicited? Check.
Vague message? Yup.
Wants me to click on a link? Indeed.

This  instantaneously causes me to think [...]]]></description>
			<content:encoded><![CDATA[<p>Like many other Twitter users this weekend, I got the following DM from someone I followed:<img class="alignright" title="Gone Phishin!" src="http://www.innismir.net/etc/twitter_phish.png" alt="" width="155" height="200" /></p>
<blockquote><p>Hey, i found a website with your pic on it… LOL check it out here &lt;link&gt;</p></blockquote>
<p>As soon as it arrived, my spidey sense went off:</p>
<ul>
<li>Unsolicited? Check.</li>
<li>Vague message? Yup.</li>
<li>Wants me to click on a link? Indeed.</li>
</ul>
<p>This instantaneously causes me to think &#8220;Bad link! Do not click!&#8221; and I quickly tweeted my concerns. Thankfully <a href="http://search.twitter.com/search?q=do+not+click+dm" target="_blank">many people did the same</a> which probably saved more than a few people from clicking the link. It did garner a <a href="http://blogs.zdnet.com/security/?p=2349" target="_blank">fair bit</a> of <a href="http://blogs.computerworld.com/twitter_phishing">attention</a> since this was the first-ever phish that came via DMs on Twitter and some people are <a href="http://www.notronwest.com/blog/2009/01/05/fox-news-twitter-account-hacked-or-someone-got-fired/" target="_blank">seeing strange activity</a> on <a href="http://www.flickr.com/photos/27895091@N08/3171351420/" target="_blank">certain accounts</a>, but for the most part it has faded back into the noise of a usual Monday morning on Twitter.</p>
<p>This was bad, and I feel it was the opening salvo in a major change in the way spammers operate on Twitter, but I think the worst may be yet to come. For those of you not on Twitter, the way spammers have been operating is by setting up an account, following a lot of people, then waiting for the unsuspecting users to follow back. Once they feel that enough people have started following them, they start spamming their links. Now, with the phishing attempts, they can cut out the middle man and start spamming your follower lists with their links. Ruh Roh Shaggy&#8230;</p>
<p>Now, let&#8217;s ratchet this up to the next level. Imagine if the phishing page had some kind of exploit embedded into it? Let&#8217;s say @britneyspears posts &#8220;Hey guys, check out my new track at (link)!&#8221; Thousands of devoted Britney Spears fans clamor to hear their idol&#8217;s <span style="text-decoration: line-through;">screeches</span> talents and are directed to a page telling them to log in with their twitter ID. That page exploits their browser and assigns them to a botnet. The few who think Twitter is trustworthy fork over their credentials, at which point a PHP script logs into their Twitter account and DMs all their friends the same link with a random headline.</p>
<p>Lather.<br />
Rinse.<br />
Repeat.</p>
<p>Congratulations! We now have the first Twitter worm! With Twitter&#8217;s somewhat notorious instability under high load, at what point would we see a Twitter DoS?</p>
<p>This Twitter phish was bad. However, I think the community dodged a bullet and we may not be so lucky next time. Many people think Twitter is a safe sandbox on the Internet and not the same as their e-mail or IM. The million dollar question is how can we teach people that Twitter can be a nasty place before &#8220;the big one&#8221; hits?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.innismir.net/article/216/feed</wfw:commentRss>
		</item>
		<item>
		<title>An afternoon at W1AEC</title>
		<link>http://www.innismir.net/article/212</link>
		<comments>http://www.innismir.net/article/212#comments</comments>
		<pubDate>Mon, 05 Jan 2009 05:04:37 +0000</pubDate>
		<dc:creator>Innismir</dc:creator>
		
		<category><![CDATA[Ham Radio]]></category>

		<category><![CDATA[SEMARA]]></category>

		<category><![CDATA[W1AEC]]></category>

		<guid isPermaLink="false">http://www.innismir.net/?p=212</guid>
		<description><![CDATA[I had the opportunity to go down to the SEMARA club this afternoon as it was open for Kids Day. I was much older than the target demographic, but I wanted to head down and learn how to operate the club station.  I met Bob, K1KVV, who opens the stations just in case someone wants [...]]]></description>
			<content:encoded><![CDATA[<p>I had the opportunity to go down to the SEMARA club this afternoon as it was open for Kids Day. I was much older than the target demographic, but I wanted to head down and learn how to operate the club station.  I met Bob, K1KVV, who opens the stations just in case someone wants to pop by and he showed me how to set them up, operate, and break them down. Since kids were nowhere to be found (The club doesn&#8217;t actually promote this beyond the mailing list), I was able to get behind the wheel and take the station for a spin.</p>
<p>In a word: Wow.</p>
<p>The station consists of a <a href="http://www.rigpix.com/kenwood/ts570s.htm" target="_blank">TS-570</a> and a recently-donated <a href="http://www.rigpix.com/kenwood/ts940s.htm" target="_blank">TS-940S</a> and a 40 through 6 yagi on top of an 80 foot tower. I operated almost exclusively on the 570, as that was controlled by Ham Radio Deluxe. I must say, I&#8217;ve heard the praise for HRD and I&#8217;ve been wondering what the hub-bub was all about. The interface and the integration is an incredible blend of the radio and the various tools on the Internet. The integration between the DX cluster is amazing. It really is point, click, QSO.</p>
<p>It was rather quiet for me as most of the activity on the band was focused on the RTTY contest that was this weekend, but soon after I sat down I saw ZR2CR spotted on the cluster and jumped in. I never knew how much a Yagi and tower helps, as I was able to work her on my 2nd try, something I would likely not be able to do at home. I then saw ZD8UW and decided to try my luck. I tuned over there and was curious when he was announcing that he was working split (Listening on one frequency and transmitting on another for you non-Hams). A quick Google showed that it was a DXpedition on Ascension Island in the South Atlantic. It took some time to figure out how to set the 570 into split, and I had a couple of false starts when I was transmitting in LSB but listening in USB, but after that was sorted out, I worked him after about 5-10 tries. I then popped over to 17 Meters and worked PJ2/N9JZ in the Netherlands Antilles.</p>
<p>I had been on the radio for a bit at this point, and Bob was curious about Ham Radio Deluxe so I handed the mic over to him. I showed him what I had learned and he was impressed, working 4A1DXXE, HK1NK, and a couple other stations in short order. He then tried to work an Australian station, but the band was closing up and we both had to leave.</p>
<p>Bob informed me that I can get a key to the station as I was a club member. Bob is fairly active trying to get interest going in operating the club station so I think he was happy that I was excited to use it. I must say, after using that tower and HRD, I&#8217;m very interested, as it&#8217;s a bit of a step up from my TS-120 and my tree-strung dipole. Plus, with winter here, trudging out into the snow to set up my antenna isn&#8217;t the most alluring thought in the world.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.innismir.net/article/212/feed</wfw:commentRss>
		</item>
		<item>
		<title>Unfollow me! Please!</title>
		<link>http://www.innismir.net/article/208</link>
		<comments>http://www.innismir.net/article/208#comments</comments>
		<pubDate>Mon, 29 Dec 2008 20:15:41 +0000</pubDate>
		<dc:creator>Innismir</dc:creator>
		
		<category><![CDATA[Ham Radio]]></category>

		<category><![CDATA[Personal]]></category>

		<category><![CDATA[Social Web]]></category>

		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.innismir.net/?p=208</guid>
		<description><![CDATA[Steve, K9ZW, has asked What’s the Worth of Twitter? 
I’m slowing my Twitter “Tweets” and following of Twitter based on a difficult to use Signal/Noise Ratio.
&#8230;
One very active Twittering Ham has a goal of posting 10,000 Tweet posts during the year.
If everyone of those Tweets takes but a second or two out of my attention, [...]]]></description>
			<content:encoded><![CDATA[<p>Steve, K9ZW, has asked <a href="http://k9zw.wordpress.com/2008/12/27/flitter-flitter-whats-the-worth-of-twitter/" target="_blank">What’s the Worth of Twitter? </a></p>
<blockquote><p>I’m slowing my Twitter “Tweets” and following of Twitter based on a difficult to use Signal/Noise Ratio.</p>
<p>&#8230;</p>
<p>One very active Twittering Ham has a goal of posting 10,000 Tweet posts during the year.</p>
<p>If everyone of those Tweets takes but a second or two out of my attention, that is asking me as a Twitter Follower to give up 5-6 hours of accumulated time.</p>
<p>It’s simply not going to happen.</p></blockquote>
<p>This was followed up by N0HR&#8217;s <a href="http://www.n0hr.com/hamradio_blog/2008/12/27/twitter-overload-poor-sn/" target="_blank">Twitter Overload</a> post:</p>
<blockquote><p>Steve notes that one ham has a goal of “tweeting” 10,000 times in a year. Yikes. What possible value could that have to anyone? I could see some value in group using Twitter to meet at the Dayton Hamvention - when you’re all trying to meet you’d know that Frank’s at Denny’s having breakfast, Chuck’s in the flea market and Stan is lugging a boat anchor to the car. That’s about it though.</p></blockquote>
<p>First off, let me state for the record that I am the said &#8220;active Twittering Ham&#8221;, but I do not have a &#8220;goal&#8221; of having 10000 tweets in a year. I did wonder if <a href="http://twitter.com/innismir/statuses/1073168966" target="_blank">I&#8217;ll hit that number</a> which is looking more and more likely now that I&#8217;m less than 50 shy of 9000, but I wouldn&#8217;t consider it a goal. Next off, I&#8217;m not pissed at Steve for unfollowing me at all. I did mention it in a tweet, but I am not saying that I am sad, angry, or disappointed in Steve.  I am very much in @mediaphyter&#8217;s corner <a href="http://mediaphyter.wordpress.com/2008/09/02/why-i-want-you-to-unfollow-me-on-twitter/" target="_blank">regarding following</a>:</p>
<blockquote><p>&#8230;let me make a list of what Twitter is not:</p>
<ol>
<li>A venue for a popularity contest</li>
<li>An obligatory mutual instant message system</li>
<li>A place where anyone has anything to prove</li>
</ol>
</blockquote>
<p>Exactly. Twitter is different things to different people. Suit your follow list to what you want to see. I&#8217;ll be the first to admit that I am a prolific tweeter. My sister never added me to her phone because she was overwhelmed by texts. I tweet about Ham Radio, InfoSec, the MBTA not working, and any other completely random thing that floats into my head. A lot of my friends are the same. However, I know that this does not suit everyone. I have no problems with someone unfollowing me because I tweet so much, if you&#8217;re not going to follow a smaller group of people, I&#8217;m going to quickly overwhelm your &#8220;stream&#8221; on your page, likely providing more signal with noise. There are ways to sift through volumes of tweets, but a lot of people have neither the time nor inclination to do so.  Don&#8217;t feel the need to follow anyone because &#8220;everyone else does it&#8221; or if they&#8217;re following you. Only follow the people that tweet topics that interest you and tweet at your pace. Also, look at the option of turning of</p>
<p>If you&#8217;re on Twitter, don&#8217;t think you&#8217;re going to hurt someone&#8217;s feelings by unfollowing them. I occasionally go through my lists and &#8220;purge&#8221; people that no longer interest me. If I no longer interest you, unfollow me! Please! If I follow you, I&#8217;ll still reply when you say something I want to comment on and it will still show up in your stream.</p>
<p>Steve, I&#8217;m still following you, as you&#8217;re one of the Hams whose tweets I always enjoy. I hope to see you around, and I look forward to you live-tweeting Dayton. <img src='http://www.innismir.net/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.innismir.net/article/208/feed</wfw:commentRss>
		</item>
		<item>
		<title>Wow&#8230; I bet you thought *YOUR* MTA was old&#8230;</title>
		<link>http://www.innismir.net/article/206</link>
		<comments>http://www.innismir.net/article/206#comments</comments>
		<pubDate>Thu, 18 Dec 2008 15:03:19 +0000</pubDate>
		<dc:creator>Innismir</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.innismir.net/?p=206</guid>
		<description><![CDATA[Since my e-mail addresses have been around in one form or another for 10+ years (There is a scary thought), I get my fair share of spoofed mail bounces. Normally it&#8217;s an annoyance, but occasionally I get some white elephant in my INBOX:

From: uucp &#60;uucp@inetgate.telecom.gomel.by&#62;
Message-Id: &#60;200811150241.mAF2fnrj009642@inetgate.telecom.gomel.by&#62;
To: (ME)
Subject: UUCP job killed
Message from UUCP on gml Sat [...]]]></description>
			<content:encoded><![CDATA[<p>Since my e-mail addresses have been around in one form or another for 10+ years (There is a scary thought), I get my fair share of spoofed mail bounces. Normally it&#8217;s an annoyance, but occasionally I get some white elephant in my INBOX:</p>
<blockquote>
<pre>From: uucp &lt;uucp@inetgate.telecom.gomel.by&gt;
Message-Id: &lt;200811150241.mAF2fnrj009642@inetgate.telecom.gomel.by&gt;
To: (ME)
Subject: UUCP job killed</pre>
<pre>Message from UUCP on gml Sat Nov 15 04:41:49 2008

UUCP job

zip.CK9GSD2AAFVV

for system

zip

requested by

daemon

has been killed.

======

Reason: Your mail message has been expired after 672 hours.

====

The job was queued at 2008-11-17 14:43:48.

It was

rmail oot@zip.belpak.gomel.by</pre>
</blockquote>
<p>UUCP? Really? I haven&#8217;t seen that in use since the mid-90s, when I first started with the crazy &#8220;Internet&#8221; thing. But I guess in Belarus it&#8217;s still in use. Wow&#8230;.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.innismir.net/article/206/feed</wfw:commentRss>
		</item>
		<item>
		<title>What&#8217;s the opposite of FUD?</title>
		<link>http://www.innismir.net/article/204</link>
		<comments>http://www.innismir.net/article/204#comments</comments>
		<pubDate>Wed, 17 Dec 2008 18:49:57 +0000</pubDate>
		<dc:creator>Innismir</dc:creator>
		
		<category><![CDATA[Information Security]]></category>

		<category><![CDATA[infosec]]></category>

		<category><![CDATA[MS08-078]]></category>

		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.innismir.net/?p=204</guid>
		<description><![CDATA[What&#8217;s the opposite of FUD? Unbridled optimism? Rosy colored glasses syndrome? Sheesh. This @ryanaraine posted this on Twitter this morning: Microsoft to issue out-of-cycle patch for the &#8216;unknown exploit&#8217;. This features such choice quotes as:
It&#8217;s the kind of development that could give &#8220;zero-day&#8221; a whole new meaning: a wave of alleged Internet Explorer exploits, the [...]]]></description>
			<content:encoded><![CDATA[<p>What&#8217;s the opposite of FUD? Unbridled optimism? Rosy colored glasses syndrome? Sheesh. This <a href="http://twitter.com/ryanaraine" target="_blank">@ryanaraine</a> <a href="http://twitter.com/ryanaraine/status/1062121328" target="_blank">posted this</a> on Twitter this morning: <a href="http://www.betanews.com/article/Microsoft_to_issue_outofcycle_patch_for_the_unknown_exploit/1229465202" target="_blank">Microsoft to issue out-of-cycle patch for the &#8216;unknown exploit&#8217;</a>. This features such choice quotes as:</p>
<blockquote><p>It&#8217;s the kind of development that could give &#8220;zero-day&#8221; a whole new meaning: a wave of alleged Internet Explorer exploits, the total number of experimentally validated cases of which apparently numbers zero.</p></blockquote>
<p>What in the <a href="http://en.wikipedia.org/wiki/ABC%27s_Wide_World_of_Sports#Miscellany" target="_blank">Wide Wide World of Sports</a> is &#8220;experimentally validated cases?&#8221; Did I miss something here? Is this some kind of new InfoSec standard that I was previously unaware of? How much verification do you want? Take your pick: <a href="http://isc.sans.org/diary.html?storyid=5458">ISC</a>, <a href="http://blog.trendmicro.com/microsoft-to-release-out-of-band-patch-for-ie-bug/" target="_blank">Trend Micro</a>, <a href="http://www.f-secure.com/weblog/archives/00001561.html">F-Secure</a>, <a href="http://blogs.zdnet.com/security/?p=2283">ZDNet</a>, or the <a href="http://voices.washingtonpost.com/securityfix/2008/12/microsoft_big_security_hole_in.html" target="_blank">Washington Post</a>. What else does he want, have the hole paint itself purple and dance naked on the table in front of him singing &#8220;zero day exploits are here again?&#8221;</p>
<p>This IS being actively exploited. I have a list of sites that are being used to host exploits sitting in my INBOX right now. If you use IE, you need to <a href="http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx" target="_blank">patch ASAP</a> or switch your web browser over to <a href="http://www.getfirefox.com">something else</a>. To suggest this may not be &#8220;actually valid&#8221; is irresponsible and is undermining the efforts of security people across the Internet.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.innismir.net/article/204/feed</wfw:commentRss>
		</item>
		<item>
		<title>My Condo Antenna</title>
		<link>http://www.innismir.net/article/197</link>
		<comments>http://www.innismir.net/article/197#comments</comments>
		<pubDate>Tue, 16 Dec 2008 18:39:45 +0000</pubDate>
		<dc:creator>Innismir</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.innismir.net/?p=197</guid>
		<description><![CDATA[This originally was going to be part of my last post, but it was long enough to be broken off into its own article. I know that KA3DRR has asked me a couple of times what my antenna setup was like. My antenna setup is very meager, when I first made my antenna I had [...]]]></description>
			<content:encoded><![CDATA[<p>This originally was going to be part of my <a href="http://www.innismir.net/article/195" target="_blank">last post</a>, but it was long enough to be broken off into its own article. I know that <a href="http://ka3drr.blogspot.com/" target="_blank">KA3DRR</a> has asked me a couple of times what my antenna setup was like. My antenna setup is very meager, <a href="http://www.innismir.net/article/28" target="_blank">when I first made my antenna</a> I had a good idea what I needed:</p>
<blockquote><p>I had a few requirements:</p></blockquote>
<blockquote>
<ol>
<li>It had to be cheap</li>
<li>It had to be easy to set up and break down</li>
<li>It had to be simple</li>
<li>It had to not require a tuner</li>
</ol>
</blockquote>
<p>Since then, times have changed a bit: I have a tuner now, and I wanted to operate more bands. However, the cheap, simple, and easy to set up and break down requirements stayed the same. My mounting situation has more or less stayed the same. I use a tree that is outside my office to hang my antenna up and then when I&#8217;m done I take it off. It&#8217;s not the best situation and the &#8220;half wavelength above the ground&#8221; rule is definitely flouted:</p>
<div class="wp-caption aligncenter" style="width: 370px"><a href="http://www.innismir.net/etc/dipole1_lg.jpg"><img title="Dipole Antenna Deployed #1" src="http://www.innismir.net/etc/dipole1_sm.jpg" alt="" width="360" height="270" /></a><p class="wp-caption-text">Click For Larger</p></div>
<p>You can see my radio room from the outside in shot. Also visible is my 2M on-the-ground-plane. This is permanently left outside and is connected to my IC-27H.</p>
<div class="wp-caption aligncenter" style="width: 370px"><a href="http://www.innismir.net/etc/dipole2_sm.jpg"><img title="Dipole Deployed #2" src="http://www.innismir.net/etc/dipole2_sm.jpg" alt="Again, click for Larger" width="360" height="270" /></a><p class="wp-caption-text">Again, click for Larger</p></div>
<p>With the original 20M elements and the 10M elements I added a few months ago, I think it looks like a giant spider when it&#8217;s hung in the tree. Thankfully it breaks down in about 5 minutes of work and rolls up into a nice manageable size. I use Velcro cable ties on the end to keep the elements wrapped up and neat.</p>
<div class="wp-caption aligncenter" style="width: 370px"><a href="http://www.innismir.net/etc/dipole3_lg.jpg"><img title="Dipole Rolled Up" src="http://www.innismir.net/etc/dipole3_sm.jpg" alt="Guess what? Click For Larger" width="360" height="270" /></a><p class="wp-caption-text">Guess what? Click For Larger</p></div>
<p>I love my antenna, as it&#8217;s the first &#8220;homebrew&#8221; project I ever did. It also works quite well, I&#8217;ve worked as far as the Ukraine on it with 100W. Sure, it&#8217;s a pain to shuffle out at night and take it down and I can&#8217;t wait until I get a house in which I can simply have an antenna that I can leave up all the time, but in my current situation, it gets the job done.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.innismir.net/article/197/feed</wfw:commentRss>
		</item>
		<item>
		<title>ARRL 10 Meter Contest</title>
		<link>http://www.innismir.net/article/195</link>
		<comments>http://www.innismir.net/article/195#comments</comments>
		<pubDate>Tue, 16 Dec 2008 15:47:10 +0000</pubDate>
		<dc:creator>Innismir</dc:creator>
		
		<category><![CDATA[Ham Radio]]></category>

		<category><![CDATA[10 meters]]></category>

		<category><![CDATA[contests]]></category>

		<category><![CDATA[hf]]></category>

		<guid isPermaLink="false">http://www.innismir.net/?p=195</guid>
		<description><![CDATA[It was the ARRL 10 Meter Contest this weekend. Normally contests are a non-starter for me, as I just really don&#8217;t &#8220;get&#8221; them, however, I thought it was a good opportunity to try my HTX-100 that has been languishing in my shack since I acquired it. Despite the weekend being filled with Christmas shopping and [...]]]></description>
			<content:encoded><![CDATA[<p>It was the ARRL <a href="http://www.arrl.org/contests/rules/2007/10-meters.htmla" target="_blank">10 Meter Contest</a> this weekend. Normally contests are a non-starter for me, as I just really don&#8217;t &#8220;get&#8221; them, however, I thought it was a good opportunity to try my <a href="http://www.rigpix.com/rs-realistic/realistic_htx100.htm" target="_blank">HTX-100</a> that has been languishing in my shack since I acquired it. Despite the weekend being filled with Christmas shopping and clearing out the soon-to-be nursery, I did manage to carve out a couple of hours to play radio.</p>
<p>I&#8217;ve been wanting to test out my HTX-100 since I received it. <a href="http://www.semara.org/" target="_blank">SEMARA</a> has a weekly 10M Ragchew net on Tuesdays and that was the first and only time I&#8217;ve talked to someone on it. The signal reports were good, but there is a slight difference in working someone across town, and working someone across the country. So, I strung up the dipole, popped up <a href="http://www.dxanywhere.com/" target="_blank">DXAnywhere</a> on the computer and scanned the bands. I wasn&#8217;t interested in scoring points, I just wanted to see if I was &#8220;getting out&#8221; and everything was working well. I tuned up and down and heard W4SVO calling CQ. I tried calling him a few times but he kept responding to other stations. Finally he came back to me with a 5 by 9, which he gave everyone but I digress. I continued tuning around and heard another Florida station, WD4IXD, calling CQ, so I got ready to work him.</p>
<p>Now, the HTX-100 has a high and low power setting. It puts out 25W on high power and if you pull out a knob, it puts out 5W. After thinking about it for a moment I decided to be adventurous. My other radio, a <a href="http://www.rigpix.com/kenwood/ts120s.htm" target="_blank">TS-120</a>, is 100W all the time unless you fiddle with the mic gain and then your max output is a bit of a guessing game. I worked W4SVO with relative ease and I wanted to have some fun. I pulled out the knob and flipped the radio into low power mode. It took slightly longer but after quite a few tries of losing out to other stations, I finally contacted him. I was pleased, it was my first HF QRP contact! I did the math out on the <a href="http://www.daftlogic.com/projects-google-maps-distance-calculator.htm">Google Maps Distance Calculator</a> and it came out to be 1099 miles! That&#8217;s 219.8 miles/watt. Not bad! I moved lower on the band and came across a 3rd Florida station, but the band seemed to swallow him up before I could get to him. I then unsuccessfully tried to work <a href="http://twitter.com/dskaggs" target="_blank">@dskaggs</a>, N4EA but the band seemed to be closed at that point, and it stayed that way until I packed it in around 7:30PM.</p>
<p>It was a good couple of hours and I&#8217;m glad to have my first 10 meter &#8220;DX&#8221; contact and my first QRP &#8220;DX&#8221; contact in the logbook. I need to sit down and QSL WD4IXD as I want to get the QSL for posterity. I also need to start looking at getting the HTX-100 into my car, as that was my original objective for it.</p>
<p>Oh, and I think my final score for the 10 meter contest was a whopping 4 points. Go me!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.innismir.net/article/195/feed</wfw:commentRss>
		</item>
		<item>
		<title>Penetration Testing - Not Quite Dead Yet</title>
		<link>http://www.innismir.net/article/191</link>
		<comments>http://www.innismir.net/article/191#comments</comments>
		<pubDate>Thu, 11 Dec 2008 16:46:47 +0000</pubDate>
		<dc:creator>Innismir</dc:creator>
		
		<category><![CDATA[Information Security]]></category>

		<category><![CDATA[penetration tests]]></category>

		<category><![CDATA[snake oil]]></category>

		<guid isPermaLink="false">http://www.innismir.net/?p=191</guid>
		<description><![CDATA[There has been some hub-bub lately about Fortify saying that &#8220;Penetration is Dead! .. Oh yeah, and by &#8216;Dead&#8217;, we mean, not dead, but just different.&#8221;  This was following a similar, but completely unrelated post by Jack Daniel stating that &#8220;Penetration testing is a farce and largely a waste of time and money.&#8221; While I [...]]]></description>
			<content:encoded><![CDATA[<p>There has been some hub-bub lately about Fortify saying that <a href="http://www.csoonline.com/article/468766/Penetration_Testing_Dead_in_" target="_blank">&#8220;Penetration is Dead!</a> .. Oh yeah, and by &#8216;Dead&#8217;, we mean, not dead, but just different.&#8221;  This was following a <a href="http://blog.uncommonsensesecurity.com/2008/12/fallacy-of-penetration-testing.html" target="_blank">similar, but completely unrelated post by Jack Daniel</a> stating that &#8220;Penetration testing is a farce and largely a waste of time and money.&#8221; While I am inclined to agree with Jack&#8217;s basic tenets regarding the two possible outcomes of penetration tests, and I do have a disdain for the term &#8220;ethical hacking&#8221;, I don&#8217;t think that the current model is going away, nor that it is useless.</p>
<p>There are two types of penetration testing that should exist: The kind of penetration test that is worked into the QA process, and the &#8220;How screwed are we?&#8221; audit-type penetration test. The former should be worked within the application development process, testing the codebase as the project moves forward and giving the application one last assessment before it moves into production. The latter is one where you have a no-holds-barred scan on your network. Both of these accomplish two similar, but different goals: Within the QA process, it gives you and the developers ideas on how secure a certain application is and if there are any show-stopping security bugs. As an audit, it gives you a better idea as to where the weak spots are on your network.</p>
<p>Both of these need to be accomplished by an independent party who does not hold an interest within the project. If you have an independent security team, they can usually handle the tests within the QA process. However, for audits, more often than not, it is a good idea to call in the consultants and let them go to town. Now, I loathe consultants and feel that they often aren&#8217;t worth half of what they charge, but, there needs to be an air of impartiality to upper management. Also, by not putting the security group in charge, it gives them equal time within the crosshairs, something that may be glossed over if they are the ones running it.</p>
<p>More often than not, companies don&#8217;t have an independent security team. This has given rise to numerous &#8220;penetration testing&#8221; companies that specialize in shining a flashlight into all of the dusty corners of your applications and network. This is great and fills a vacuum for a lot of small businesses who just have a &#8220;computer guy&#8221; who realizes that security is an issue, but does not have enough cycles to address it. However the major issue is, as Jack correctly points out, that we don&#8217;t have a common criteria to judge what kind of &#8220;penetration test&#8221; we&#8217;re getting. Are we getting some ninja dropped into our environment to wreak havoc for a week or are we having someone show up with Nessus, scan, and drop off a report later that day? Also, what happens afterward? Does a report get dropped off and the auditor washes their hands of it or will they assist within the remediation phase of the problem? Does the report even get read by upper management? If management and IT are relatively clueless about what a good &#8220;penetration test&#8221; is, the potential for abuse is very high. When dealing with security that is a very dangerous game to play.</p>
<p>I don&#8217;t have a solution to this, besides suggesting that outreach and education is key. The issue is who should be doing the outreach and do companies really want to be reached out to. There is no quick and easy solution to this, just like a &#8220;penetration test&#8221; is not a silver bullet for solving security issues.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.innismir.net/article/191/feed</wfw:commentRss>
		</item>
		<item>
		<title>Open Discussion, the Internet, and the Memory Hole</title>
		<link>http://www.innismir.net/article/180</link>
		<comments>http://www.innismir.net/article/180#comments</comments>
		<pubDate>Mon, 08 Dec 2008 03:20:54 +0000</pubDate>
		<dc:creator>Innismir</dc:creator>
		
		<category><![CDATA[Politics]]></category>

		<category><![CDATA[Social Web]]></category>

		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.innismir.net/?p=180</guid>
		<description><![CDATA[There has been a lot of drama over the ZOMG CW OPZ ROOL AND NO CODEZ DROOL Video. It started when Jeff, KE9V posted a message on Twitter linking to a weblog post at the Parma, OH Amateur Radio Club weblog. The post contained a video about the death of Morse code, and how anyone [...]]]></description>
			<content:encoded><![CDATA[<p>There has been a lot of drama over the <a href="http://www.innismir.net/article/182" target="_blank">ZOMG CW OPZ ROOL AND NO CODEZ DROOL Video</a>. It started when Jeff, KE9V posted a message on Twitter linking to a weblog post at the <a href="http://w8prc.blogspot.com/" target="_blank">Parma, OH Amateur Radio Club weblog</a>. The post contained a video about the death of Morse code, and how anyone who didn&#8217;t pass a Morse code test is dumbing down the hobby.</p>
<p>I, like any other red-blooded netizen, posted comments on the post and the YouTube page saying in no uncertain terms how I thought his thoughts bore a striking resemblance to a large pile of edible offal from the stomachs of various <span class="mw-redirect">domestic animals</span> (&#8220;a load of tripe&#8221;). I don&#8217;t think Morse is the cat&#8217;s meow, but I do know it (despite being one of the dumb no-code hams). The bile flowed from my fingertips and my circle of Hams on Twitter was abuzz at the video, most of the talk being negative.</p>
<p>Then it was gone&#8230;</p>
<p>Steve, K9ZW tweeted that he couldn&#8217;t get to the video via the weblog post. Sure enough, the video had been removed. I forwarded him the YouTube link, which he replied he also couldn&#8217;t get to. Looks like someone had second thoughts. Finally, the title and all the comments were deleted from the post and all further comments needed to be moderated. All that was left was a <a href="http://w8prc.blogspot.com/2008/12/death-of-morse-code.html" target="_blank">non-functional little nubbin of a post</a> that previously had about six people&#8217;s comments. I assumed that it was over and that the creator of the video retreated. I would have preferred some kind of discussion or an apology, but it&#8217;s his call.</p>
<p>Flash forward to Friday morning, where I see that the video has been reposted. I was glad I could now link to it to talk about it some more, but it did ruffle my feathers that the creator, <a href="http://www.youtube.com/user/rjkd732" target="_blank">rjkd732</a>, essentially tossed all the previous discussion down the memory hole. About ten people commented on the various postings and he has seen fit to flush it all down the tubes. I posted my comments regarding this and reposted my original comment regarding offal. This time, he did reply saying that he took down the video because (paraphrasing here) I was being rude and calling other people names.</p>
<p>He then took it down again&#8230;</p>
<p style="text-align: left;">Then this little gem showed up in my YouTube inbox:</p>
<blockquote>
<div id="messages.a1t-82fkbYUoWkvCpJ2OssvylXmNKeD9Bs7FG0Ibsys-body"><span> those who passed code ARE BETTER!  stick that in your pipe, whiner.</span></div>
</blockquote>
<div>Awesome. I replied in a kind, polite, articulate manner:</div>
<blockquote>
<div><span>Hahahaha!</span></div>
<p>Oh wait&#8230; You&#8217;re serious&#8230;</p>
<p>Let me laugh even louder&#8230;.</p>
<p>HAHAHAHAHAHAHA!!!!!!</p>
</blockquote>
<p>OK. So I&#8217;m not a saint. What?</p>
<p>The Internet is a great place for meeting people that say things that make your blood boil and make you pray for the ability to punch people via TCP/IP. I seem to have a silly habit of tilting at windmills and trying to engage them and talk. What annoys me is when people do the electronic equivalent of &#8220;taking their marbles and going home&#8221; by deleting threads and comments. Although he&#8217;s well within his rights to do these things, it sets off a giant flashing red light that says he&#8217;s not interested in hearing an alternate viewpoint.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.innismir.net/article/180/feed</wfw:commentRss>
		</item>
		<item>
		<title>Attitudes about Morse Code</title>
		<link>http://www.innismir.net/article/182</link>
		<comments>http://www.innismir.net/article/182#comments</comments>
		<pubDate>Fri, 05 Dec 2008 19:38:09 +0000</pubDate>
		<dc:creator>Innismir</dc:creator>
		
		<category><![CDATA[Ham Radio]]></category>

		<category><![CDATA[Personal]]></category>

		<category><![CDATA[cw]]></category>

		<category><![CDATA[tripe]]></category>

		<category><![CDATA[youtube]]></category>

		<guid isPermaLink="false">http://www.innismir.net/?p=182</guid>
		<description><![CDATA[Jeff, KE9V linked this little&#8230; uhmmm&#8230; gem on Twitter a few days ago:

Wow. Just Wow. Sorry kids, if you got your license or upgraded after December 2006, you&#8217;re not worthy to be here. Might as well turn your ticket in to your local FCC office. I&#8217;ll be joining you. Does anyone want all my equipment?
What [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><a href="http://ke9v.net/" target="_blank">Jeff, KE9V</a> linked this little&#8230; uhmmm&#8230; gem on Twitter a few days ago:</p>
<p style="text-align: center;"><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="344" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/DSY45--U9zc&amp;hl=en&amp;fs=1" /><embed type="application/x-shockwave-flash" width="425" height="344" src="http://www.youtube.com/v/DSY45--U9zc&amp;hl=en&amp;fs=1" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p style="text-align: left;">Wow. Just Wow. Sorry kids, if you got your license or upgraded after December 2006, you&#8217;re not worthy to be here. Might as well turn your ticket in to your local FCC office. I&#8217;ll be joining you. Does anyone want all my equipment?</p>
<p style="text-align: left;">What a load of tripe.</p>
<p style="text-align: left;">I know Morse code. I learned it after I upgraded to General last November. It&#8217;s a good skill to have. I have no problem with people extolling the virtues of CW operation. Operate it exclusively for all I care. I know more than a few Hams who love their CW and I have no problem with them. However, certain CW fans go a little over the top. Suggesting that I am dumbing down the hobby because I didn&#8217;t pass a Morse Code Test? Please.</p>
<p style="text-align: left;">Attitudes like these do nothing but hurt the hobby. YouTube videos, flames on forums, and rants on mailing lists have left many a newcomer to the hobby annoyed and insulted. What does this accomplish? It doesn&#8217;t advance the hobby, it certainly doesn&#8217;t advance CW&#8217;s reputation, and it turns off throngs of people from the hobby. But, it continues: We&#8217;re dumbing down the hobby; CW is the one true operating mode; FCC is allowing the riff raff in by lowering the bar; etc, etc, etc.</p>
<p style="text-align: left;">If you have opinions, add to the discussion. Don&#8217;t insult the other side wholesale.</p>
<p style="text-align: left;"><strong>UPDATE</strong>: Apparently <a href="http://www.youtube.com/user/rjkd732">rjkd732</a> has seen fit to remove the video, again. Thankfully, this time I mirrored it. I&#8217;ll repost it tomorrow.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.innismir.net/article/182/feed</wfw:commentRss>
		</item>
	</channel>
</rss>
