Monthly Archives: February 2012

Mac OS X Unix

Hello Cruel Perl

touch helloperl.pl

Open helloperl.pl and paste the following in there:

#!/usr/bin/perl
print "Hello Cruel Perl\n";

Then run it through the interpreter (no executable bit needed for this):

perl helloperl.pl

Or give the file executable permissions and run it directly, which is what the shebang line on the first line is for:

chmod +x helloperl.pl
./helloperl.pl

Mac OS X Server

Address Book Server "Groups"

I use the term “groups” loosely here. On my list of features still needed in Lion Server (a much smaller list since the advent of 10.7.3, by the way) is the fact that Address Book Server has no groups, resources or whatever you want to call a logical structure where a set of users keeps shared contacts, with access limited to only certain users. The Address Book client fully understands such constructs, given that it separates the GAL from a user’s own contacts and that users can themselves have groups of contacts. This area is a huge miss. The reason this annoys me is that you can do all of this with iCal Server, which uses roughly the same technology (Twisted, serving CalDAV rather than CardDAV). You can include LDAP contacts in an Address Book search, but that just gives users access to the users configured on the local server. Helpful if your user base is a walled garden. And don’t tell me that it kinda’ works the same in Exchange, because a contact is not a user in Exchange…

Anyway, one way to get a shared list of contacts is to create a user whose only purpose is to be the shared list. This user has a password, and that password ends up in the keychain of every user we install the account for, so treat it as shared knowledge rather than a secret. Furthermore, all of those users can delete contacts, and they will invariably delete a contact and blame the server. Given that servers don’t delete data on their own, the blame is poorly placed.

If you need granular permission control over shared contact lists, then Address Book Server is not for you. But if you just need a “group” or two that is wide open, permission-wise, to all users, then consider this strategy. First, let’s enable the Address Book service. Open the Server application on an Open Directory master, click on the Address Book entry in the Server application’s sidebar and click on the ON button (by the way, I could have just used this paragraph as an article on setting up Address Book Server).

Now that the service is started, click on Users, then click on New User.

At the New User screen, pick an arbitrary name that someone who gets access to this computer won’t think anything of, should they notice the account. Give it a long random password: every client you install the account on will hold that password, so the account should be able to do nothing of consequence beyond serving contacts.

Once the user is created, make sure it has access to the Address Book service: click on the account, select Edit Access to Services… from the cog wheel icon and verify that the Address Book service is enabled for the user (and that services it doesn’t need are not).

Now, let’s check out how this looks on a client. These accounts can be deployed easily through configuration profiles, but we like doing things the hard way, so open the nifty Mail, Contacts & Calendars System Preference pane and click on the Add Account… button. In the Choose an account type list, click on Add a CardDAV account, then click on the Create… button.

Provide the username and password recently created, as well as the name or IP of the server.

Now open Address Book. Click on the red bookmark icon and you’ll see your contact stash. Click on it and you can create, delete and otherwise do whatever you like here. If you create contacts and install this account on multiple machines, you’ll be able to edit or delete them from any of the stations the account is installed on.

You can install the accounts on iOS devices as well, using the Mail, Contacts & Calendars option in the Settings app.
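The profile route mentioned above, as an added example that is not code from the original post: a script that writes a .mobileconfig carrying the shared CardDAV account, and a check that tells you whether the file embeds the password in clear text. The payload type and key names (com.apple.carddav.account, CardDAVHostName, CardDAVPort, CardDAVUseSSL, CardDAVUsername, CardDAVPassword, CardDAVAccountDescription) follow Apple’s Configuration Profile Reference; the host name, account name, organization and identifier strings are made-up placeholders, and port 8843 is assumed to be the Address Book Server SSL port.

```python
"""Generate a .mobileconfig that installs the shared CardDAV account.

Added example, not code from the original post or from Apple. Payload keys
follow Apple's Configuration Profile Reference for CardDAV accounts; host,
user name, organization and identifiers below are placeholders.
"""
import plistlib
import uuid


def carddav_payload(host, username, password=None,
                    description="Shared Contacts", port=8843, use_ssl=True):
    """Build one CardDAV account payload.

    If password is None the key is left out and the user is prompted once;
    the profile on disk then carries no credential. If a password is given it
    is written in clear text into the profile, so treat the file like the
    password itself (deliver via MDM, do not leave it on a file share).
    """
    payload = {
        "PayloadType": "com.apple.carddav.account",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.carddav." + username,  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": description,
        "CardDAVAccountDescription": description,
        "CardDAVHostName": host,
        "CardDAVPort": port,            # 8843 assumed: Address Book Server SSL port
        "CardDAVUseSSL": use_ssl,
        "CardDAVUsername": username,
    }
    if password is not None:
        payload["CardDAVPassword"] = password
    return payload


def build_profile(host, username, password=None, organization="Example Org"):
    """Wrap the account payload in a top-level Configuration profile and
    return it serialised as XML plist bytes, ready to save as .mobileconfig."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sharedcontacts",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Shared Contacts (CardDAV)",
        "PayloadOrganization": organization,
        "PayloadScope": "User",
        "PayloadContent": [carddav_payload(host, username, password)],
    }
    return plistlib.dumps(profile)


def load_profile(data):
    """Parse profile bytes back into a dict, e.g. to audit a profile before
    deployment."""
    return plistlib.loads(data)


def embeds_password(data):
    """True if any CardDAV payload in the profile carries a clear-text password."""
    for payload in load_profile(data).get("PayloadContent", []):
        if (payload.get("PayloadType") == "com.apple.carddav.account"
                and "CardDAVPassword" in payload):
            return True
    return False


if __name__ == "__main__":
    # Placeholder host and account name; writes the profile without a password,
    # so each user is prompted for it on first use instead.
    with open("SharedContacts.mobileconfig", "wb") as fh:
        fh.write(build_profile("abserver.example.com", "sharedcontacts"))
```

Install the resulting file by double-clicking it or through Profile Manager; leaving the password out of the profile means the only copy of it lives in each user’s keychain, which is no worse than the manual setup above.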

Good luck. And may Billy Madison have mercy on your Address Book.

iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment

Podcasting in Lion Server

There have been a number of articles on using the Podcast Producer service in Snow Leopard and previous operating systems. The Podcast Producer service itself in Lion remains unchanged. It still needs shared storage (e.g. NFS, Xsan, etc.), Xgrid, Kerberos (for Xgrid) and, while seeming to sit atop a house of cards, is one of the coolest and most complex services in Mac OS X Server. But there have been a lot of environments where Podcast Producer seemed out of reach when it shouldn’t have been. If you have a single server, why do you need shared storage, a truly scalable grid computing cluster and all that complex workflow goodness at your fingertips? In Lion Server, you don’t. In fact, it’s easier than ever to get up and running, access podcasts from a web browser and even subscribe to podcasts in iTunes.

Setting Up the Podcast Service

Podcasting can now be one of the easiest services to use in Lion Server, provided your needs are as simple as the new Podcast service is to use. As with most services in Lion Server, you’ll want a working Open Directory master. You can still use Active Directory accounts, and the initial configuration of the Podcast service can enable an Open Directory master on your server for you; however, you should configure Open Directory before setting up the service (as I believe you should with all services) and populate it with all of the users who should be able to create and administer podcasts. Okay, okay, so Open Directory isn’t actually required. You can use local accounts. But don’t: it’s easy to set up Open Directory and it will be very helpful if you need to migrate to Podcast Producer some day!

Once Open Directory has been configured, open up the Podcast service by clicking on Podcast in the Server application’s sidebar. From here, you’ll see a whopping two settings. The first controls who can access the Podcast service. The options are:

  • Anyone: Used for a public podcasting server. Anyone who can reach the server can view podcasts without authenticating, so only use this for content that is meant to be public.
  • Authenticated Users: Used for a private podcasting server. Anyone with an account can access any podcasts on the server, by default.
  • Podcast Owners: Used for a really private podcasting server. Users can view their own podcasts only.

Setting Up The Podcast Service

The second option is who can administer the Podcast wiki. Here, use the plus sign to add each user who should be able to administer Podcasts. Once your admins are added, start the Wiki service as well, by clicking on Wiki in the Server sidebar and then clicking on the ON button, leaving the defaults untouched.

Enable the Wiki Service

You should also have the Web service enabled, so click on it in the Server sidebar and click on the ON button as well (again, leaving the settings as default for now).

Enable the Web Server

The Podcast service is now setup and you can move on to creating some podcasts and actual content.

Content Creation

Once you’ve enabled all three services, it’s time to create a Podcast and capture some content. To get started, open the Podcast Publisher application from /Applications/Utilities. From here, click on the Podcast Publisher menu and then click on Preferences. Here, you’ll be able to configure the connection to the server. Enter the address (IP address or hostname of the server), username (one of the administrative user names from earlier) and password that you want to use for podcasts.

Connecting to a Podcast Server

Once you’ve supplied your credentials, close the Preferences window. Then click on the New Podcast button to see what I call the pin board. Here, give your podcast a name. Each podcast has its own feed and can be subscribed to in iTunes. Each podcast is comprised of one or more episodes: the podcasts appear as pin boards and the episodes appear as though they were photos pinned to the board. Click on the Add a new episode… button (you can also choose New Movie Episode or New Audio Episode from the list by clicking the down arrow towards the bottom of the screen).

Creating a Podcast

At the Episode screen, you’ll see two buttons in the bottom left corner of the screen. Click on the film strip icon (the one on the left) to record video from a camera, or the screen recording icon (the one on the right) to capture the screen. Click on the button in the middle of the screen with a red dot to start recording.

Recording a Podcast Episode

After a 3 second countdown, the screen recording will begin. Don’t rush. Get ready, then start speaking into your microphone and record whatever video you choose. Pay attention to the volume level, trying to keep it even and towards the middle of the indicator. Click on the red button again when you’re finished capturing (I usually minimize the Podcast Publisher window and then bring it back up to stop the recording).

Stopping Podcast Episode Recordings

At the next screen, you can give the episode a title. Enter it, then use the yellow bar at the bottom to mark off any unwanted video at the front and back of the clip (as you drag the double lines you’ll scrub through the video). Use the TRIM button to remove the video you no longer need. You can also use the Play button to play the video and pause it to make sure you’re trimming at the right location(s).

Trimming Podcasts for Upload

Or if you’d like to start over, click on the Record button, which will bring up the Overwrite screen that basically tells you it’s going to ditch the clip you just created and start over.

Start Recording Over

Assuming you would like to save the Podcast, you can now share it or just click done to keep a local copy. Let’s click Done just to see what happens. You’ll now see a photo of your clip thumb-tacked to the pin board. Here, double-click on the board to see a list of all of your local episodes for that podcast.

Contextual Menus in Podcasts

When the list of episodes fills the Podcast Publisher screen, you get a new GUI-level feature: Control-click (or right-click) on an episode to Get Info or Delete. You can now delete episodes from the GUI. Hooray, as my daughter often says!

The Get Info screen also lets you change the title of an episode, add an author and provide a description. Click Show Advanced to see that you can also fake out the date you captured the episode, change the order that the episode will appear in iTunes (no more having to record in the exact opposite order you want episodes to appear in iTunes!) and even add an Advisory Label, which lets you indicate that your podcast is better geared for adults if that’s what you’re into.

Setting Podcast Metadata

At this point, the video is still local to your computer. Click back on the board and then double-click on the episode again and let’s send it to the server. Click on the Share button to bring up a menu of places you can send your video to. These include:

  • iTunes: Creates a QuickTime movie in your local iTunes library.
  • Mail: Creates a new email with a QuickTime movie as an attachment that uses the name of the episode followed by the .mov extension.
  • Desktop: Creates a QuickTime movie on the desktop (of the currently logged in user) with the name of the episode followed by the .mov extension.
  • Podcast Library: Send the video to a Podcast server (which is what we’ve been setting up in this example and so what you should click on here).
  • Remote Workflow: Send the video to a Podcast Producer server (keep in mind Podcast being different than the awesomeness that is Podcast Producer).

Exporting Podcast Episodes

Once you click on Podcast Library, the video clip is encoded, put in the right location and its entry in the Wiki created. You can then use the All Podcasts navigation towards the top of the screen to go back to the list of podcasts.

The longer episodes are, the longer they take to upload. Once done, you’ll then get an indication that the episode has been published. If it fails, make sure the account you’re using has access to write to the server. Click OK or use the Announce button to send a link to view your vicious rant to your friends/coworkers/stalkers.

Announcing Podcasts

If you’d like to create another episode, use the New Movie Episode or New Audio Episode buttons. Or to create a new podcast, click the New Podcast button. At the All Podcasts screen, use the left and right arrow keys or click through to the other podcast boards. As your library grows, you can also use the Spotlight field(s) in the lower right corner of the screen to find recorded content (although I haven’t been able to get Spotlight to work on my library just yet). You can also use the View menu to bring up the Media Browser. Here, you can drag previously captured video or audio onto a pin board (podcast) to import the media into that podcast’s library on your local computer and share it if you so choose. You can also trim content from previously captured video, pretty cool if you’re gonna’ be bringing in video from an iOS based device!

Accessing Podcasts

Now that we’ve captured some content, let’s look at how users and administrators will access it. From the server, you can access podcasts by pointing your favorite web browser at https://127.0.0.1/wiki/podcasts. From a client, replace 127.0.0.1 with the name or IP address of the server. Here, you’ll see a list of the podcasts available.

Viewing Podcasts In A Browser

Keep in mind that back when we set up the service, you defined who should be able to access your podcasts. If podcasts are shared to everyone then you should see them listed. Click on each to see a list of their episodes and click on the Play button to view an episode in a web browser.

Watching Podcasts

Click on the X in the upper left corner of the episode to close it. If you have to authenticate to see podcasts, you’ll need to authenticate now. You can also authenticate in order to delete podcasts or configure who can access each podcast. To authenticate, click on the lock icon in the grey toolbar that runs along the top of the screen.

When prompted, provide the appropriate user name and password. Once authenticated, if you are an administrative user, you can use the x beside any podcast or episode name to delete that podcast or episode. Clicking on a podcast also adds the Settings… button into the cog wheel menu.

Logging Into The Portal

The Settings screen enables you to configure who can access each podcast. Owners can create, edit and delete episodes, users with Read & Write access can create and edit episodes, and Read Only users can only view content. All logged in users includes anyone with an account on the server; All guests means anyone who can load the web page, authenticated or not, so anything granted to guests is effectively public to whoever can reach the server. Add users by typing their name in the provided field and clicking them when their name appears. Click on the Save button when you’ve configured who can access what.

Configuring Podcast Permissions

One of the coolest aspects of Podcast Producer and the Podcast service are that both can quickly provide access to users in iTunes. To subscribe a client in iTunes, click on the cog wheel icon and then click on the Subscribe in iTunes button. The Podcast will then be added into iTunes automatically and the first episode will begin to synchronize. When it’s done, double-click to watch (assuming your DNS is cool, given that the links are DNS-based).

Watching Podcasts in iTunes

The link works by sending a pcast:// URL to the client, for example pcast://127.0.0.1/podcastlibrary/collection/uuid/ followed by the uuid of the podcast you are viewing in the browser.

That’s It!

The new Podcast Library is pretty awesome in how accessible it is to almost anyone with a functioning server. It’s not for anyone who needs an Xgrid cluster to act as a render farm because they’re capturing so many podcasts. It’s also not for people needing custom workflows or the ability to capture podcasts from clients other than Macs (e.g. Windows or Linux). But what it is, is easy. If you’re sitting at home thinking you’d like to build a podcast so your friends can look at your new hair color, so your followers can see the Top 10 Screamo Videos of All Time you like to post, to teach a classroom various subjects, to capture corporate training videos or to show your parents videos of your children, the new Podcast library is simple, fast and can be highly impactful.

If you need more, then look to Podcast Producer. It can write to a variety of systems, has a full suite of command line management functions and in general is the grown up version of Podcast. Not that Podcast isn’t pretty cool in and of itself in the right circumstances. It’s like having your own little YouTube!

iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment MobileMe

Apple + BYOD Doesn't Just Mean iPad

Whenever someone mentions Apple and BYOD devices, this is what immediately springs to mind as what will invariably walk through the door requiring support:

Apple's Newton

Mac OS X Mac OS X Server personal

Baby Mountain Lions

“We’re too young and still under NDA, so please don’t talk about us publicly just yet!”

Mac OS X Mac OS X Server Mac Security Mass Deployment

Pentesting Mac OS X Server With Nessus 5

One of my favorite tools for penetration testing is Nessus from Tenable Network Security. Nessus 5 is the latest release in what is probably the most widely used family of vulnerability scanners. Nessus 5 does discovery, configuration auditing, profiling, patch-management checks and vulnerability analysis on a variety of platforms. Nessus itself runs on Linux, Windows or Mac OS X and can scan and track vulnerabilities for practically any platform, including Mac OS X.

To install Nessus, go to the Nessus site and click on the Download button, around the middle of the page. Agree to the download agreement and then choose the version that is right for you (Mac OS X in this case).

Download Nessus for Mac OS X

Once downloaded, open the Nessus dmg. Inside is the Nessus 5 package installer.

The Nessus Installer pkg

Open the installer and click through the defaults to perform a basic installation.

Installing Nessus

Once done, you’ll have the Nessus Server Manager and a Nessus Client.url file in a Nessus folder in the Applications directory.

The Nessus Applications

Open the Nessus Server Manager and authenticate as an administrator when prompted. When you downloaded the software you were prompted to register; enter the activation code you received in the registration field. Then click on Update plugins to make sure all of the Nessus plugins are at the latest version. Finally, click on Manage Users… to create your users.

Nessus Server Configuration

At the list of Nessus users, click on the plus sign and create a new user, most likely making the user an admin (I see few vulnerability scanning stations with non-administrative users, which would only be for viewing reports and such). Click Save to create the user and then close the List of users screen.

Create Nessus Users

If the Nessus server isn’t started, click on Start Nessus Server. Then open the Nessus Client.url file from the same Nessus folder the Server Manager lives in. At the Nessus login screen, provide the username and password for the Nessus user you just created.

Authenticate to Nessus

Once authenticated, you will be placed in the Scans screen. Before we configure any scans, we’re first going to create a Policy (which, for the most part, defines how a scan operates). To do so, click on Policies and then click on the Add button. There are four policy tabs (aligned on the left sidebar). In the General pane, you will configure the name for the Policy, “Mac Servers” in this example. Then check the boxes in the Scan section for Designate Hosts by their DNS Name, Log Scan Details to Server, Stop Host Scan on Disconnect and Avoid Sequential Scans. Then check the boxes in the Port Scanners section for TCP, SYN, SNMP, Netstat SSH and Ping Host. Leave the Port Scan Range set to default and the Performance options at their default values as well. These are useful once you’re done tinkering and want better performance out of the system, but we’re not really there just yet.

Nessus' General Policy Settings

Click on the Next button to define any credentials you’ll use during scans. Initially, I’d leave this blank, although you can provide SMB information for up to 4 accounts to see what kind of access users have. You can also define Kerberos, SSH and various cleartext credentials as well. We’re going to skip that for now and click Next to define the Plugins.

Giving Nessus Credentials To Your Boxen

At the Plugins screen, we’re initially going to leave all of the plugins on. The reason for this is that many of the Lion Server services are similar to those of the various Unix and Linux variants, and we can scan SMB with the Windows plugins. These can’t hurt; they might just waste a little time. Clicking on a Family and then a plugin will show you what each does. Clicking on the green light for each will disable it.

Choosing Nessus Plugins

Click on Preferences and define any preferences that you need. Amongst the plugin preferences I usually enable network printer scanning, CGI scanning, Enable experimental scripts, set my Report verbosity to Verbose, provide any certificates needed and then hit Submit to create the new Policy.

Defining Nessus Options

Next, let’s click back on Scans in the navigation bar on the screen. As you can see here, I’ve created a few template scans, but we’re going to create a new one by clicking on the Add button.

Adding A Nessus Template

Provide a name for the scan and then choose the Policy you just created. Set the Type to Run Now (since we’re just testing) and put the IP address of a target into the Scan Targets field. You can also import a large set of targets using the Browse button and a csv file, or use Schedule or Template rather than Run Now in the Type field to schedule scans or create a template scan. Click Launch to kick off the first scan.

Running a Manual Test Scan

Once started, click on the Reports button in the top nav bar to see the status of the scan.

Completed Nessus Scan

Once the scan is finished, click on it to see a list of vulnerabilities and open ports, sorted by severity. Here, double-click on the host.

Nessus Scan Results Overview

The Report screen then shows each service and the vulnerabilities found for that service. Click on one of the vulnerabilities to see what Nessus thinks is problematic with it.

Nessus' Service List

Now for the fun part. Most of the vulnerabilities listed will have CVEs attached (informational findings such as banner grabs won’t).

Nessus Vulnerability Listing

By default (that is, without credentials), Nessus is largely inferring vulnerabilities from service banners. If you look up the CVE at CVE Details or PacketStorm you’ll see that it was patched a few months ago by most vendors. Nessus can get this wrong on Mac OS X. The issue is that Apple forks the code for many open source projects and backports fixes without updating the version numbers in the banners, so a banner-based check can flag a CVE that Apple has already addressed in a security update. Confirming whether a finding still applies is tedious: check the service against Apple’s security update notes, or give Nessus SSH credentials in the policy so the Mac OS X local checks can look at installed package versions rather than banners. Either way it needs to be done per service, according to your internal security policies.

An easy way to test these vulnerabilities is to use Metasploit, a tool I’m long overdue to write an article on, and try to run the corresponding exploit against the host (only against hosts you are authorized to test, obviously). Apple does a pretty good job of addressing CVEs in its security updates, so don’t waste a lot of time trying things Apple has already patched. A really good tool for automatically attempting exploitation with msf from Nessus results is Carlos Perez’s auto exploit tool, available on GitHub.

Finally, Nessus is a great tool for scripting. One of the big differences that throws off many an experienced Nessus operator on the Mac is the location of the Nessus binaries: they are in /Library/Nessus/run/bin. In here you’ll find nasl, nessus, nessus-fetch, nessuscmd and so on. The command line control here is pretty awesome. Let’s run nessuscmd to scan a subnet (192.168.210.0/24):

sudo /Library/Nessus/run/bin/nessuscmd 192.168.210.0/24

There are tons of other options for nessuscmd, such as adding SSH keys, SMB logins, scanner options, using a remote Nessus server and so on. Or use the nessus binary to kick off scans using a Nessus config file. The server’s configuration (nessusd.conf) is stored in the /Library/Nessus/run/etc/nessus directory and is worth looking into.
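The CVE listing and the scripting angle above, as an added example that is not code from the original post or from Tenable: a parser for the .nessus (v2 XML) export that Nessus 5 produces, which groups findings per host and pulls out the CVE identifiers at or above a chosen severity, so the list of IDs to check against Apple’s security update notes comes out of a script rather than clicking through the report. The sample export embedded below is constructed by hand to mimic the NessusClientData_v2 / Report / ReportHost / ReportItem layout; the host name, plugin IDs, plugin names and CVE numbers in it are placeholders, not real findings against any machine.

```python
"""Summarise a Nessus v2 (.nessus) export per host and pull out the CVEs.

Added example, not code from the original post or from Tenable. SAMPLE_NESSUS
is constructed to mimic the .nessus v2 layout; its host, plugin IDs, plugin
names and CVE numbers are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Mac Servers">
    <ReportHost name="server.example.com">
      <HostProperties>
        <tag name="host-ip">192.168.210.10</tag>
        <tag name="operating-system">Mac OS X 10.7</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="10001" pluginName="Placeholder: SSH banner">
        <plugin_output>SSH version : SSH-2.0-OpenSSH_5.6</plugin_output>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
                  pluginID="10002" pluginName="Placeholder: OpenSSH version check">
        <risk_factor>Medium</risk_factor>
        <cve>CVE-0000-0002</cve>
        <cve>CVE-0000-0001</cve>
      </ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="10003" pluginName="Placeholder: web server version check">
        <risk_factor>High</risk_factor>
        <cve>CVE-0000-0003</cve>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text):
    """Return {host: [finding, ...]}; each finding is a dict with port,
    service, protocol, severity (0-4), plugin name and a sorted CVE list."""
    root = ET.fromstring(xml_text)
    findings = defaultdict(list)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings[host.get("name")].append({
                "port": int(item.get("port")),
                "service": item.get("svc_name"),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin": item.get("pluginName"),
                "cves": sorted(c.text for c in item.findall("cve")),
            })
    return dict(findings)


def cves_by_host(findings, min_severity=1):
    """Collapse findings to a sorted list of unique CVEs per host, keeping
    only findings at or above min_severity. On Mac OS X these are the IDs to
    check against Apple's security update notes: a banner-based plugin will
    report a CVE even where Apple backported the fix without bumping the
    version string."""
    out = {}
    for host, items in findings.items():
        cves = set()
        for f in items:
            if f["severity"] >= min_severity:
                cves.update(f["cves"])
        out[host] = sorted(cves)
    return out


def count_by_severity(findings):
    """Per-host count of findings keyed by severity name (only non-zero)."""
    out = {}
    for host, items in findings.items():
        counts = {}
        for f in items:
            name = SEVERITY_NAMES.get(f["severity"], str(f["severity"]))
            counts[name] = counts.get(name, 0) + 1
        out[host] = counts
    return out


if __name__ == "__main__":
    import sys
    # Pass a real export as the first argument; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NESSUS
    parsed = parse_nessus(text)
    for host, cves in cves_by_host(parsed).items():
        print(host, count_by_severity(parsed)[host], ", ".join(cves))
```

Export the scan from the Reports screen in the .nessus format and feed the file to the script; raising min_severity to 3 restricts the list to High and Critical findings, which is usually where the manual cross-check against Apple’s updates is worth the time.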

Mac OS X Mac OS X Server Mac Security Mass Deployment

Google Open Sources FileVault 2 Code (aka Cauliflower Vest)

In an email to the Mac Enterprise list, Ed Marczak of Google announced that Google is open sourcing their much heralded FileVault 2 code, once again proving how awesome the Mac team at Google really is:

I’m very happy to announce Cauliflower Vest: a new, open source
product that is an end-to-end Mac OS X FileVault 2 recovery key escrow
solution. In short, this brings missing features that allow you to
better manage FileVault 2 machines.

Cauliflower Vest allows you to:

– Forcefully enable FileVault 2 encryption.
– Automatically escrow recovery keys.
– Delegate secure access to recovery keys so that volumes may be
unlocked or reverted.

If you *just* want to have a command-line tool to enable FV2, that’s
in there, too.

For more information about Cauliflower Vest, please see the blog post
at http://google-opensource.blogspot.com/2012/02/cauliflower-vest-end-to-end-os-x.html,
and visit the Google Code page at
https://code.google.com/p/cauliflowervest

iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment

iOS Device Sales Outpace All Macs Ever (in 2011 alone)

In search of the American Dream? Apple has sold approximately 122 million Macs over the course of 28 years. They have sold 55 million iPads since those were released in April 2010 (in less than 2 years) and sold 156 million iOS Devices for 2011 alone, bringing the total of iOS devices to 316 million. The handset market is set to increase by around 33 percent and there’s really no telling where the tablet market is set to go over the course of the next few years.

What does all of this mean? It means that iOS is continuing to increase in visibility, that App Store sales will continue to rise and that integration into mainstream business will continue. The traffic for mobile device data is set to increase 8 times over the course of the next four years, Cisco and other companies are starting to jump into the mobility space with product offerings and Windows 8 is supposedly going to make a big splash on release.

The Apple App Store is about to hit 25,000,000,000 downloads. That’s a lot of zeros. And that’s a lot of Angry Birds, 99 cent fart jokes and useful business apps that are driving innovation. Mobility as a term is on every CIO’s mind and at the tip of their tongue. Giants such as IBM and HP are starting to jump into the MDM space that has previously been occupied by companies like JAMF Software and AirWatch.

I witnessed something similar to this twice before. The first was the final and complete domination of all things IT by Windows at the beginning of my career. Back when I was swapping out 32 floppies to install Windows 95, a vicious process that will make even the sanest person nasty with hallucinations, I had the chance to go to COMDEX a couple of times. The first year I went, it seemed like a lot of people interested in hacking things together. The second year, it was all corporate headhunters, looking to seize the IT revolution occurring inside their businesses by placing golden handcuffs on the best and the brightest in the industry. And of the companies presenting, well, they mostly got acquired by large companies with big names and their products diluted. A complete turnoff, this led me down the path of open source and security.

After COMDEX, I went to DefCon and Black Hat for a number of years. I used to love watching the random weirdness that these otherwise completely reclusive people would throw together. There were capture the flag events (that is, finding the flag on someone else’s box), people went out into the desert to shoot guns and of course, dumpster diving competitions. There still are all of these things actually. And DefCon itself has managed to very much stay true to that form. But the companies that used to have booths at Black Hat have now mostly been acquired by companies like IBM and HP. These corporate denizens only want to complete a portfolio or gain access to “synergistic” products. Mergers put great little companies with people that really care about their products as small parts of Symantec. And the top talent at those organizations usually leave once they realize they’re not in the least bit impactful and they move on to other companies. They’re replaced by people who’ve achieved the title of Vice President at a competitor, whether that person deserves it or not. In some cases they thrive, but in far more cases, the products flounder, end up getting renamed, repositioned and either sold off to another company for the brand recognition or simply fade into the distance.

In each of these there has been a moment. A moment where I said, you know, something substantial has changed here. There are a few things happening that make me leery about the Mac/iOS IT space, and a few things to look for.

  • The first is recruiters. Whenever a college football team wins a national title, their coaching staff is gutted. I’ve been noticing recruiters all over the place trying to pick up top Mac talent. But this isn’t the ACN here or there or the graphics department in a company, it’s corporate head hunters after IT or business unit talent. I spoke to at least 6 or 7 at Macworld/MacIT. The things to look out for here are strategy. Do they have one, do they want one, or do they just want to hire someone to make the CIO happy?
  • The second is the big boys. IBM and HP have both announced MDM products. Dell continues to make KACE and I have heard rumors from other large companies that they’re looking to get into the space as well. The thing to look for here is acquisition.
  • The third is consolidation. Many of the MDM vendors are privately held. A company like IBM, HP, Symantec, Dell, etc. can throw enough money at most of these companies to bring them into their fold. Once there, the companies would have an almost unlimited sales and marketing purse, but be careful: a drop in innovation and engineering effort often comes along with those slick sales efforts. I would also expect the people who really drove the products, you know, the ones who get the big paydays, to be the ones taking an extended vacation (wouldn’t you?). Today there are something like 21 products for MDM (I count RobotCloud and Casper as one). I anticipate the next two years will see a good number of those acquired. It’s easy to assume Symantec has an MDM provider on its shopping list, considering its keep-up-with-the-Joneses thing with McAfee, who has already jumped into the market. I would expect none of the MDM providers that run on Apple hardware only to be acquired (if you’re after a big payday, run on *nix or Windows). Look out for the disillusioned ones that don’t get the big payouts from these companies after putting in 100 hour weeks for years…
  • The fourth is more sales people. Anyone at Macworld this year would have noticed scantily clad lasses selling software to fix your iTunes. But when larger companies start getting involved in things such as this, I would expect slicker, more professional sales people, more booths (more money after all) and less nerds. The big problem here is a diluted message of technical excellence and a bigger messages of interconnectedness to other systems. Someone still needs to build the middleware though.
  • The next thing I expect to see is those recruiters go after people at mobile companies. The same way the bastards scavenged the carcass of every security company in the earlier part of the 2000s, and the same way that Auburn’s, Alabama’s and LSU’s assistant coaching staffs got hit after each of their recent national titles, I would fully expect top brass at all mobile companies to start trading places, or getting acquired by other companies. These will range from going to work for competitors, to going to work for resellers to going to work for other industries that want that level of innovation. The architect of Apple Retail now works where?
  • The consumerization of the technology is going to be driving many of the best and brightest into larger IT. This will mostly mean taking those Puppet, cfengine and custom Python hackeration skills to another platform. It’s regrettable, but I could easily see it happen to the top tier of people, as we’ve seen it happen a few times already. But sticking with the platform and finding the niches that allow for working with these devices is likely still a good way to go, or at least, staying close. Keep in mind, you’ll be the senior fellows of the platform if you’ve already been around for a few years…

But here’s the thing about all of this. It doesn’t have to be bad. If we all keep our eyes wide open about what’s going on around us, the continued influx of massive amounts of money isn’t going to be a bad thing. Basically, our opportunities will explode over the next few years. If we learn our lessons from the dot com era, from COMDEX, from the rise of info sec, then we’ll stay off the coke, not buy really fast cars and remain engaged. I hope not to look at this as I’ve looked at other revolutions in the past. While he wasn’t much of a computer geek, Hunter S. Thompson put it into words best:

And that, I think, was the handle—that sense of inevitable victory over the forces of Old and Evil. Not in any mean or military sense; we didn’t need that. Our energy would simply prevail. There was no point in fighting—on our side or theirs. We had all the momentum; we were riding the crest of a high and beautiful wave.…

So now, less than five years later, you can go up on a steep hill in Las Vegas and look West, and with the right kind of eyes you can almost see the high-water mark—that place where the wave finally broke and rolled back.

Top 25 Best Hacking and Computer Geek Movies

Hacking, phreaking, computing and gaming. There are a lot of movies that really hit on some of these topics. Everyone is going to have their favorites, but I wanted to share mine in case you had Presidents Day off and needed some nerdy fun to get you through the forced vacation!

1. Office Space is the story of Peter Gibbons, a computer programmer who spends all day doing mindless tasks. Thanks to a hypnotic suggestion, Peter decides not to go to work at the same time his company starts laying people off. When layoffs affect his two best friends, they conspire to plant a virus that will embezzle money from the company into their account. The movie sports the scene where they take the fax out and smash it with baseball bats, the traffic scene on the way to work, the scene where he gets asked to work on Saturday, the scene where he pictures his boss and his new girlfriend (Jennifer Aniston) and of course the stapler. It is a classic and would be very easy to end up watching again tonight, as I write this…

2. Sneakers is probably one of the best hacking/phreaking movies of all time. Sure, it’s a little dated, but they all are. It was pretty good for the day though, with no completely off-the-wall ideas about what is and is not possible. The guy from 30something is awesome (aka “Dick”) and Martin Brice (Robert Redford) does a great job. River Phoenix is awesome and Dan Aykroyd is just like every conspiracy theorist ever. “It’s Not About Who’s Got the Most Bullets, It’s About Who’s Got the Information”. Great lines, great writing, great cast and still holds up as a pretty good movie after all these years (20, since it was released in 1992).

3. War Games is about Ferris Bueller (or a nerdy whizz kid of a Ferris Bueller) who connects into a top secret military mainframe and ends up with complete control over the United States’ nuclear arsenal. He then has to find the physical mainframe and disable it. What’s so awesome is that it’s InfoSec 101: use a password, put multiple layers of security in place and don’t hook ICBMs up to unsecured systems. Really makes the Wozniak quote “never trust a computer you can’t throw out of a window” make sense. I’ve been waiting for years to hear “shall we play a game?” Just like when I consider having an argument with my wife, “the only winning move is not to play.”

4. Tron is a movie about Kevin Flynn, a video game designer that gets converted into a digital person by an evil software pirate named Master Control. Disney somehow manages to take Jeff Bridges and turn him into a 3D version of himself. Complete with geometrical landscapes that comprise cyberspace, games and there’s even a girl (the one place where Tron isn’t very lifelike).

5. Hackers is the story of a young boy who gets arrested by the Secret Service for writing a computer virus. He’s banned from using a computer until he turns 18. As a teenager, he moves to the big city to discover an awesome 2600-style underground of computer hackers. This one is complete with a teenage Angelina Jolie, skateboards, trench coats and modems. While it’s not completely realistic, it’s not utterly fantastical either (other than the hax0r kid getting the hot girl part). Imagine my disappointment when I got my first job with computers and Jolie wasn’t waiting for me…

6. Weird Science is a typical 80s flick about two unpopular teenage boys who “create” a woman via their computer. Their living and breathing creation is a gorgeous woman, Lisa (the name of the predecessor to the Macintosh), whose purpose is to boost their confidence level by putting them into situations which require Gary and Wyatt to act like men. On their road to becoming accepted, they encounter many hilarious obstacles, which gives the movie an overall sense of silliness.

7. Antitrust is a fictional account of computer programming extraordinaire Milo Hoffman. When Milo graduates from Stanford, he is recruited by Gary Winston, a character loosely based on Bill Gates. Winston is the CEO of a software company called NURV, on the brink of completing a global communications system called Synapse. Tragedy soon after strikes when Teddy Chin is murdered by a pair of Milo’s co-workers who made it look like a hate crime. Milo’s girlfriend Alice Poulson turns out to be helping Winston and there are even bad guys working for the company inside the Justice Department. Basically, the message of the movie is that if you like computers, you should trust no one and that nothing is as it seems. Luckily, in the real world, secrets can’t be kept for long (the more money you have the harder it seems to actually be to keep secrets). Which is why things like this don’t actually happen. But hey, at least we geeks get to feel important for a little while and this movie was actually well made. Having said that, Ryan Phillippe is mediocre. Which was actually good enough in this one to be acceptable.

8. The Matrix is a fantastical look at futuristic hacker/programmer Thomas Anderson, living an ordinary life in 1999. Until Morpheus leads him into the real world, which is actually 200 years later and taken over by evil machines. The computers have created a fake 20th-century life called the Matrix to keep the human slaves asleep. The machines get power from the humans. Anderson is constantly chased by Agents (the opposite of that shirt that reads “I could replace you with a very tiny shell script”). At one point, the agents start replicating (I’ve accidentally filled a drive up by looping through cp before too). Anderson gets a cool name “Neo” and gets to be played by Keanu Reeves. All’s well (albeit varying degrees of well) until he becomes one with the matrix after about 7 or 8 hours of watching the movie. Actually, movies. It’s a trilogy. But Trinity (Reeves’ love interest) does use Nmap to run sshnuke against SSHv1 CRC32. Not a bad exploit for a lady wearing all leather…

9. The Net is the story of Angela Bennett, a computer expert whose interconnectedness comes back to haunt her. Back when Sandra Bullock was young and beautiful, she played an analyst who was never far from a computer. A friend like many of my own, whom she’s only spoken to over the net, Dale Hessman, sent her a program with a weird glitch needing debugging. She finds an easter egg on the disk which turns her life into a nightmare. Her records are erased from existence and she is given a new identity, complete with a police record. The best line is “computers are your life aren’t they?” Mostly because I find it easy to identify with such a line…

Oh, and she uses a Mac!

10. The Girl With The Dragon Tattoo is the most recent movie on this list. And there is more than one. I won’t say to see one over the others, but do check out the hacker girl. The latest installment has the most awesome song from Trent Reznor in the soundtrack, which I could totally listen to while writing scripties (and have).

11. Takedown is probably the movie that cost the least on the list to make. It’s not a great movie, but worthy of cult status to many. But here’s the thing: hacking stuff is pretty boring to watch. Unless of course, it’s the 2 days a year you leave your basement to go sit in Las Vegas and hack stuff with real humans around you…

12. The Pirates of Silicon Valley is a documentary about the tycoons that took control of the personal computer market. It starts with their time in college and then covers the actions that built up global empires now known as Apple and Microsoft Inc. My favorite part of this is the way that they made Steve Ballmer out to be a complete idiot. The parts about Bill Gates, Steve Jobs, Wozniak and Paul Allen were pretty well known to me, even before I saw the movie. With Noah Wyle I kept thinking that at some point he was going to throw on his scrubs and start giving someone an ER-style heart surgery. Anthony Michael Hall plays an uninspired Bill Gates. The best part of his part is when he does Saturday Night Fever on roller skates and then falls down. When he became the wealthiest man in the world I wonder if he got skate-dance lessons.

13. Swordfish was just a bad movie. But every computer nerd is going to watch it and hopefully turn it into a drinking game of some sort. Let me get this straight: a guy is supposed to hack into some of the most complex systems in the world and was supposed to do so while having relations with a lady and having a gun pointed at his head. Oh, did I mention, he’s dead if he isn’t done in 60 seconds? There are some really good uses of real computer stuff on some of the screens at times. But, Travolta should still give up his SAG card.

14. Johnny Mnemonic is the story of a data courier, again Keanu Reeves, who accepts a payload too big to keep in his head for long, that he then must deliver before it kills him. Classic Reeves, a cheesy flick. Has Dolph Lundgren, so must be at least funny-bad. Ice-T and Henry Rollins make appearances too (the 1990s, baby).

15. Live Free or Die Hard is the latest (4th) installment of the Die Hard saga. In this one though, the Mac Guy helps Bruce Willis hack into stuff and blow stuff up. This gets to be on the list because Bruce Willis says: “Command Center, it’s a basement.” I thought maybe he was talking about my place…

16. Minority Report is on the list because the tech that guy has was awesome. Not as good as the tech that Iron Man has, but a bit more realistic in some places. I actually think that a few products were developed after engineers watched this movie personally, and I’d love to see the rest made possible. Might have been higher except for the cast.

17. D.A.R.Y.L. – After watching D.A.R.Y.L. I think I spent years thinking I was some sort of robot. Probably explains plenty. When I finally got around to reading Isaac Asimov’s Robot Series I guess I didn’t think I might be an android any longer. “It’s only human to make mistakes, but Daryl never does.” In this movie, a kid realizes he’s actually an artificial intelligence. He then gets chased down by the government, looking to reclaim their intellectual property. Classic ET-style the government are the bad guys kinda’ moments ensue.

18. Untraceable is a movie from 2008 where Diane Lane plays a fed trying to track down a serial killer who posts live video of killing victims on the Internet. It’s borderline B-movie, but it’s not too badly done. Any plot gaps or technical mistakes I let slide due to the fact that the movie is set in Portland and the fact that I’ve always enjoyed Diane Lane.

19. Tron: Legacy is the second installment of Tron, coming almost 30 years later. Flynn’s son joins him in a movie that is more like the Big Lebowski turned digital samurai than the original… I’m kinda’ sick of the rich brat concept. But at least he breaks into a data center and blows stuff up before getting sucked into the Matrix…

20. Eagle Eye is the story of Jerry and Rachel, two strangers thrown together by a phone call from a lady they have never met. She makes them and others perform a series of increasingly dangerous situations, using everyday technology to track and control their moves. Turns out she’s a computer. Shia LaBeouf is the star of this. How he got to be the star of this, Transformers and the replacement for the Indiana Jones movies is beyond me. He’s not a terrible actor, but he’s not worthy of such reverence from the nerd/action movie elite… This is not as awesome a nerd movie as it is a symbol of the future of nerdy movies. I guess this one is more about that thing people call Mobility than computing, but close enough…

21. Lawnmower Man should have just been one movie. The only one with Stephen King, this was the first VR movie I remember seeing. Pierce Brosnan is the not-really-bad guy, but the creator of the bad guy. This is like a digital Frankenstein flick.

22. Disclosure is another movie from the 1990s (1994) that shows Michael Douglas getting seduced by a woman. But this time, he ends up stopping before he closes the deal. So instead of boiling the family pet, he just gets sued for sexual harassment. Lots of computers and screen shots. And Demi Moore in a 90s power suit. Awesome stuff!

23. Virtuosity is about a virtual reality serial killer who’s actually more of a composite of serial killers. Weak plot, but Russell Crowe wasn’t a big star yet. It’s kind of like Demolition Man, but with the VR spin on it. Russell Crowe is totally psycho. And he wears a couple of awesome suits in the movie (I’m pretty sure one of them was in Cool World as well). 50 terabytes was a lot back then!

24. eXistenZ is another artificial reality movie, but Jennifer Jason Leigh is a video game designer. I thought that the BioPort concept was too much, especially for the time. The theme was already a bit done by then, but it was at least a weird new twist…

25. The Computer Wore Tennis Shoes had Kurt Russell. It was from the 60s. But the time spent on explaining all the computing was awesome! The best part about this movie is that glimpse you get of what computers were like before the advent of the personal computer. Thank you to the Altair, Apple and other machines that helped to get us into a new world order!

Finally, while this clip isn’t a movie, if you were curious what hacking stuff really looks like most of the time:

Honorable mention:

  • Every movie by Marvel Comics (except the Punisher movies – someday they’ll get that franchise right).
  • Catch Me If You Can because of the social engineering awesome it happens to be.
  • Independence Day because aliens apparently have Windows running on all their ships.
  • Jumpin’ Jack Flash because Whoopi Goldberg is actually a somewhat convincing engineer (or not).
  • Inspector Gadget because while it’s television, Penny has a laptop built into a book!
  • The Big Bang Theory because while it’s television, the Warcraft episode was awesome!
  • Mission Impossible gets a nod for having an upside down Apple logo (for the time).
  • The Italian Job gets a nod for the real inventor of Napster (I guess he can duke it out with Metallica next).
  • Revolution OS for being a documentary about Linux. I’d love to see more of this kind of thing in the years to come (there’s certainly enough money floating around in the computer world to make more of them happen).
  • Jurassic Park had some computing in it, but doesn’t really count.
  • The Thirteenth Floor doesn’t make the list because it wasn’t original enough in its look at virtual reality.
  • Code Hunter was terrible.
  • Enemy of the State didn’t make the list because I’m sick of movies making people into conspiracy theorists.
  • Max Headroom for being cool, new and unique at the time – and perfect for the era.
  • Netforce – Oh wait, no, that was a typo.
  • Ghost in the Shell – No wait, wasn’t doing animated here, was I…
  • Electric Dreams because of the soundtrack.
  • One Point O – Which might have gotten higher had the star not become a police officer in Law and Order.
  • Wargames 2 – If only I could go back in time and stop it from happening…
  • Real Genius – Why not…
  • GoldenEye – Two Words: Boris Grishenko
  • All of the Star Wars movies because of R2D2
  • All of the Star Trek movies because if you read this far down you watched those too…
  • Blade Runner because even nerds dream of electric sheep
  • And the final for honorable mention is the Transformers series, because Transformers are robots

Very much excluded from this list:

  • iRobot because if you need to ask why, you didn’t make it down this far…
  • All of the Punisher movies by virtue of disgrace
  • The Blade sequels, because while they did have hacking and computers later in the series, unless you’re Kate Beckinsale you don’t get to do movies about vampires
  • Gone in 60 Seconds had a hacker named Toby, but it also had Nicolas Cage
  • Ocean’s 13 had Roman but it also had Brad Pitt
  • Superman III had Gus, but then, it was total crap
  • XXX: State of the Union had another Toby (popular name for movie hackers) but then, it had Vin Diesel
  • Ace Ventura had a hacker named Woodstock, but I can’t in good conscience put it on any list whatsoever

Link Baiting 101

I almost called this article “Aliens Can Listen To Calls on Your iPhone” or “How To Hack Into Every iPhone Ever (Even When They’re Powered Off)”. But then I thought that maybe it would be a bit too much. I’ve been a little melodramatic at times, but that’s when I was younger and needed the rupees. But TechTarget isn’t young (although I don’t know if they need the rupees). I’d like to point out two recent articles of theirs:

I remember reading an article awhile back claiming that the first virus for the iPhone had hit. This was a pretty big site (not TechTarget btw), but they had jumped on Apple and jumped quick, for a lack of good security on the iOS platform. Why? Because Apple’s huge, popular and a frickin’ easy target. But every security researcher knows that if they can hack an iPad or an iPhone that they’re going to be famous. Still, only one has managed to do anything remotely close to cool and you had to download his app, which got him banned, for the “exploit” to work (the “exploit” was actually javascript taxies). Security researchers do most everything they do for fame. Therefore, if there were going to be serious flaws with iOS, they’d have come up by now.

Let’s look at these headlines versus the content of the articles. The first, Apple iOS Security Attacks A Matter Of When, Not If, IT Pros Say. The title isn’t actually that bad (although I don’t know that the IT Pros quoted are worthy of punditry). It’s the headers within the article that set me off a little. “A false sense of iOS security” was the first: Here they said that iOS users are going to run something if it comes out because there haven’t been any vulnerabilities to iOS. Counter argument would be that since a vulnerability *will* (or would) be on CNN, MSNBC, NPR, every web site, every magazine and possibly a PSA on flights, I think they’ll figure it out pretty quick… The next header, “Responding to iOS security attacks” goes on to explain that (to summarize) iOS virus protection blows. OK, we should develop more FUD-based apps to check for viruses in data that those apps would actually have no access to due to sandbox controls.

The next header, “Entry points for iOS security attacks” tells us that someone will exploit HTML5 or post an app with a Trojan or Logic Bomb on the App Store in order to destroy your iPhone as if it were a planet slated for demolition. Each app can only communicate with resources outside of that app using an API Apple allows, an API that doesn’t cause combustion of the phone. If the app goes through the App Store then that has to be a public, not private API. It is possible that someone could run a fuzzer against every possible variable exposed by every possible method and come up with a way to do something interesting, like cause the phone to reboot. But that kind of thing is going to be true of every platform and isn’t worthy of the pretense that it’s security consulting. I can dig on the possibility of that kind of vulnerability, but the author then indicates that Apple’s security is 7th worst in the IT industry with a 12% growth in vulnerabilities. Thus an insinuation that people are actually exploiting holes in iOS rather than Google monitoring iPhone user data a bit more than they should…

The second headline is much better though: How an iOS virus can infect the enterprise and what to do about it. Reading it, my first impression was that there was an iOS virus; you know, one written for iOS. But no, they’re talking about a virus that someone sends through your corporate Exchange server that is then copied to your Windows XP computer through the magical XP Virus Stream (like Photo Stream but more specific features for XP) and executes the virus that wipes your computer. I like it. I can dig that virus, but regrettably that virus doesn’t exist. And apparently no good anti-virus exists, according to the article. Why not? Because Apple has overly secured the OS and anti-virus has to be invoked manually.

Over-security is what makes iOS so great for phones. I’m one of those people that likes to hack stuff. And iOS isn’t for hacking around in unless you have jailbroken the device. That’s why my phone always works and I’m able to actually get stuff done on a consistent basis. There are certainly things Apple could do better. But iOS security is a hard one to point the finger at. I would like to see security researchers more warmly welcomed and for the Apple community to see those researchers as people who are building a stronger product rather than the enemy. I would like to see some technical features added or centralized control over features added.

It isn’t just Apple. It’s any company big enough to care about. The tech sites are mostly what I look at, and every time there’s something they think they can hop on with Google or any of the other big names in the tech industry they hop right on that to drive readers, whether well founded or not. Not all tech sites/magazines mind you, just some. And when the company is famous enough (Google, Apple, Microsoft) for mainstream media to care about, all the better…

At the end of the day though, the way to get action is to file a feature request with vendors, not to make up crazy headlines aimed at selling FUD as a means of getting someone to go to your website…