Anyone who uses UNIX and UNIX-like operating systems knows that the true power of the OS is held in the command line.  Many people fear the wonderful world of the cli, but only those willing to embrace its power could ever hope to be a guru.  Command-Line Fu is a website that acts as a reference for some of the more esoteric things you can do from the *nix command line.  Most of them are very specific tasks that do certain things (like play an organ sound from the command line and convert PDFs into JPGs), but if one examines the command strings on that site and does some more research, they can very quickly become proficient with the command line environment in all *nix variants. 

It is clearly intended as a repository for useful command line functions rather than a tutorial.  In my opinion, this is far more useful than any tutorial could ever be.  This forces the UNIX way of learning things yourself.  Remember kids, man is your friend.

OK, I normally don't cover things like this but here's some simple fact for everyone.  The Gnu General Public License is bad for open source in industry.  Simply put, any derivative software based on software licensed under the GPL is required to release the source code of the final product.  Anyone who is familiar with corporate software production knows that this would be an uncomprehensible clusterfuck for any company producing software that would be required to be proprietary (yeah, it exists) with anything licensed under the GPL.  That software that was modified to create whatever software that company needed would be required to be open source as well.

The company I work for would love to use some GPL software for its needs, but simply can't because a: it would enable competitors to produce the exact same type of system with little effort and sell it cheaper, giving them a competitive edge and b: it could potentially enable a whole new generation of spammers to be born because it would enable anyone to make mass notifications to any number of people very quickly by using the software appropriately.

A year ago, I would have punched someone in the face for saying such nonsense, but upon further inspection... its true, unfortunately.  If free software is to be successful, it has to remove its restrictions on its use.  Yes, I do believe that all software should be open source and free.  The only problem with that is, it would only work if everyone was trustworthy.  It works quite well for most forms of software, but fails miserably with others.

While the GPL requires all derivative works to be open source as well, the LGPL and some other licenses do not have this restriction.  This does lend some flexibility to the open source movement, but the problem is that most people are unaware of this.  Developers of open source software may or may not be aware of the various laws involved with various licenses and/or the impact they may have on the propagation of their software in the industry with companies that may want to modify it for their needs.  Some clarification needs to be done regarding this.

Licensing and law is far beyond my scope of understanding.  I'm a technician and I don't have the time to learn all the intricacies of such and so are most other technicians, developers, etc., so this poses a big problem for us who wish to instate a new world order of free software.  As anyone who has worked in tech as long as I have knows, technology is driven by its adoption in industry.  That's why Microsoft products are so prevalent in today's world, they got started early and marketed correctly even though, they've shown weak with shitty products in recent history.  Most lawyers are unfamiliar with these laws and any lawsuits that are to be defended are normally defended by a lawyer uneducated and ignorant of the details of the various licenses that may be involved.  This grants an unfair advantage to the lawyers who represent the FSF, EFF, and various other enclaves of free software salvation.

Don't get me wrong, I love free software.  I am a proponent of the open source way of life.  I promote, educate, and use free software on a daily basis but the simple fact of the matter is, in its current state free software is unfriendly to the one market that could propel it into the mainstream, industry.  Sure, its fine for use as web, email, file, and directory servers.  The Linux kernel is safe in most situations, but alot of other free software is not.  Many libre projects can be modified and used in countless proprietary applications to make those applications better but is not economically or strategically feasible because any modifications would require the release of the modification's source, eliminating any benefit from using free software in the first place.  Sure, some of it can be licensed under a different, more business-friendly license, but at the end of the day it ends up being more expensive.

Come on GNU, cut industry some slack.  This is not a perfect society and it won't be for a long, long time.  Loosen your restrictions on the GPL and perhaps we CAN hope for a more open future while embracing the simple fact that some software isn't feasible to be release openly.  And yes, it does pain me to say such things.

BTW, if someone can prove me wrong about what I've ranted about here, please do.

There are umpteen billion books teaching linux these days.  Most of them are either written so that they can be understood by a 4 year old or are so scatterbrained that you'd think the author was epileptic and/or narcoleptic.  I have found one that actually gives great information without dumbing it down too much, yet staying comprehensive enough to represent the culture and mind set of the Linux community very well.

LINUX: Rute User's Tutorial and Exposition is written by Paul Sheer, an IT consultant and writer.  The book covers pretty much every aspect of administration of a Linux server (minus the secrets and tricks discovered by an experienced Linux admin) and follows a logical flow through the operating system's features.  Everything from hardware to regular expressions, shell scripting to custom kernel configuration to advanced security configuration.  This book is clearly meant to lead someone new to Linux through the process in a natural way, but also be useful as a reference for more experienced Linux admins.

This is by far the best book covering administration of a Linux system I've ever seen.  It teaches the fundamentals of Linux use in an easy to understand way without making it read like a children's book.  A highly recommended read for most people, and definitely worthy of a bookmark for everyone interested in Linux administration.

In my nightly internet travels, mainly guided by StumbleUpon (shout out), I found an interesting little collection of articles written by my buddy Steve Mallard.  Steve is an instructor and IT manager at a technology school in southern middle Tennessee and has over 40 years experience in the industry.  Most of his articles are more intended for beginner to intermediate IT audiences, but all are well written with concise information.  A good read for anyone interested in the subject matter, regardless of experience or skill level.

Steve Mallard @ BrightHub

In today's world of suspision and paranoia, it's sometimes beneficial to do some research about the people around you.  Pipl is a new service that makes this easier and free to boot.  Pipl compiles data from Google, MySpace, Plaxo, Picasa, state governments, and quite a selection of other more specialty websites.  All you have to do is enter the first name, last name, city, and state, and Pipl goes to work compiling a boatload of information on the information you provided.  It's not perfect, it still gets non-relevant information, but it does a pretty good job about sorting by relevance.

Services like this have been around for a long time, but they've always been either prohibitively expensive, of poor quality, or of questionable trust.  Granted, this is no guarantee of trust, there is no such thing.  Regardless, it can be a wealth of information and might well be worth consulting for hiring managers, law enforcement, or even job hunters wishing to find out more about an organization.  Its a new service, so should the response be good, the higher the chance for advancement and addition of features to the site.  I highly recommend it, though it probably wouldn't yeild as much information as the legit paid services (yes, there are some).

Pipl

That's right folks, the search behemoth has released a web browser!  Its fast, its sleek, and it does some pretty cool things.  The default start page is a replica of Opera's  Speed Dial interface,  which is nice. It has reinvented the way tabs work, moving the address bar below the tabs, meh, not too impressed with that one but ok.  It's at least different, and some people might really like it.  There are some pretty cool about: page easter eggs.  Its *very* fast, using the WebKit engine, pages load tremendously fast and it seems to be very good about rendering pages properly (unlike IE, yeah, sorry, still haven't fixed the crap that's broken with this page but hey, you could always use a better browser), 

Sounds pretty good, right?  The people that make everyone's favorite search engine is now out to provide a good, solid browser that will allow people to use the web in a new, innovative way.  Great!  Good job, Google.  We appreciate it.

By the way, there's already a denial of service for it.  Click here for a demonstration.  Here is the explanation.  Nothing big, it won't crash your computer, it won't upchuck any data, it just crashes the browser.  Happy browsing!

SQL Injection has been a method in the pen tester's toolkit for a long time now.  In the early days, it was very easy because very few people gave thought to security in their web applications but lately it's becoming more difficult.  As more and more people are becoming aware of the dangers of unprotected code, more and more ways of preventing SQL injection are being invented.  Of course, there are still plenty of holes, they just take a bit more technical knowhow to exploit.

Two whitepapers have been released recently describing more complex methods of performing SQL Injections.  The paper entitled Deep Blind SQL Injection by Ferruh Mavituna describes a very complex method of retrieving data from certain database servers, MS SQL and Oracle are named in the paper, though more may fall victim to the same type of attacks.  His method involves using time delay differences to speed up the process of Blind SQL Injection.  This method is much slower than the tried and true ' or 1=1 -- string but it can work in some environments where that method does not.

Discovery and Fuzzing for SQL injections with Web 2.0 Applications from Blueinfy AppSec Labs explores the more specialized world of enumerating databases used by Web 2.0 apps by evaluating the Javascript in the page and traffic to and from the HTTP server.  This method is more about Injecting Javascript and HTTP requests than direct SQL and can provide a new attack vector for web 2.0 applications.

These are both fun papers to read and provide methods you may not already be familiar with.  Good input.

Python is one of those languages that people either love or hate... wait, thats all programming languages.  Anyway, I found this wiki that has some snippets of some pretty useful things to do in Python.  Included are howtos on opening and writing to files, both ascii and binary, working with email, xml, web programming, SVN, linux shells, SQLite, and more.  Its a pretty handy thing to have around, just in case you ever start a project that requires you do something regarding one of these areas.  It may not teach you everything about working with whatever you're looking up but it'd give you a jumpoff point anyway.  Plus, its a wiki!  If you know of a useful snippet that isn't there, add it!

Alot of buzz has been spewed by Microsoft about how secure they made Vista.  With its "Address Space Layout Randomization", which randomly moves a program's stack and libraries in memory, and Data Execution Prevention, Vista was supposed to be the most secure operating system around.  While we all know this not to be true, Vista is just as insecure as anything else, only a few major security flaws have been discovered... until now.  This one's a doozy.

Mark Dowd of IBM's Internet Security Systems and Alexander Sotirov of VMWare have found a way to completely demolish the relevance of Vista's security features.  They have found a method to plant binaries anywhere in the filesystem, with any permissions, and execute them.  This, like most attacks these days, is found at the application layer and deals with how Internet Explorer deals with active scripting.  Few details have been released at this point, but it is said that the method is simple and reusable. 

Dowd and Sotirov were able to load data on the system wherever they wanted and with any permissions they specified via Java applets, and ActiveX and .Net objects, The ramifications of this find is predicted to change the way technologists think about computer and network security.  Evidently, this is not only limited to Internet Explorer, but other browsers as well (possibly IE derivatives like Maxthon, not sure about Firefox/Opera).  Security and IT personnell should keep their eyes on this story, I have a feeling this will have a long lasting impact on IT policy.

2600 Magazine is the oldest surviving hacker magazine and has spurned local chapters all over the US.  These chapters have monthly meetings and some of them even hold conferences.  The Nashville chapter is one of these.  Every year, the 615 chapter holds the Phreaknic conference in Nashville and the time is nearing for the 2008 conference.  Things are still getting setup and not much has been announced.  If you would like to speak at the conference, check out the Call for Papers page and submit your work for review.

The con will be October 24th and 25th at the Days Inn Stadium in Nashville.  Over 120 rooms have been reserved for the conference and a special rate has been cut for Phreaknic attendees.  Its $65 for a room for up to 4 adults.  The presentations will be broadcast over the hotel's CCTV system so if you're not able to get to the speaking floor for some reason (hangover), you can just lay in your room and watch.

Not only will there be speakers with interesting views on security, there are also some pretty cool contests and games.  Wifirace is a foxhunt with a mobile wifi target around Nashville that you must track down and compromise before your opponents.  Oh, and don't forget the G33k Shoot crew which will be bringing their arsenal of weaponry.

So if you're looking for a bitchin con to go to in the Southeastern US, come on down to Nashville, Tennessee at the end of October.  This conference should be a blast, and as an added bonus, you can meet me!