Archive for the ‘General’ Category

Learn to secure your application with Google Jarlsberg

May 10th, 2010

I came across an interesting application today. Google has released an application named Jarlsberg that is deliberately full of security holes. The intent is to teach developers how these holes work so that they are in a position to defend against the same vulnerabilities in their own applications.

You can visit the app to learn more. The security flaws to be found are classified under the following categories:

  • Black box. You don't know the code.
  • White box. Requires you to see the code to understand how to break it.
  • Gray box. Some code will be made visible.

I also came across an instructor’s guide that has problems to be solved in the application, graded by their difficulty level.

What better way to learn an exploit than to perform it on a test system? Some of the exploits involve

Categories: General

How to open multiple SSH tunnels

March 13th, 2010

I use remote Linux services often, and exposing them as local services can be done securely using SSH. For example, you can access a Tomcat server or email server hosted at IP 1.2.3.4 by opening a secure SSH tunnel between your local machine and the target address, 1.2.3.4.

The OpenSSH tool can be used to perform SSH-related activities on your machine. Simply install it with yum, apt-get or YaST if it is not already available. Once you have it, use the following command to open multiple SSH tunnels to your services:

Open tunnel and execute commands:

ssh 1.2.3.4 -lmyUser -L 3098:1.2.3.4:21 -L 3099:1.2.3.4:80 -L 3100:1.2.3.4:443

The command is explained below:

1.2.3.4 – Your target IP

-l – The user to log in as

-L – A local tunnel to a remote port

3098 – The local port to use when establishing this tunnel
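An added example, not part of the original post: the same three forwards opened as a background tunnel that fails if a port cannot be bound, listens on loopback only, and can be checked and closed through a control socket. The host, user and ports are the post's sample values; the function names and the control-socket path are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Host, user and port pairs are the post's sample values;
# the control-socket path is an assumption made for this sketch.
TUNNEL_HOST="1.2.3.4"
TUNNEL_USER="myUser"
CTL_SOCKET="${HOME:-/tmp}/tunnel-${TUNNEL_HOST}.ctl"

# Turn "localport:remoteport" pairs into -L arguments. Each forward is bound
# to 127.0.0.1 explicitly so the listener is reachable only from this machine.
forward_args() {
    out=""
    for pair in "$@"; do
        case "$pair" in
            ""|*[!0-9:]*|*:*:*|:*|*:) echo "bad port pair: $pair" >&2; return 1 ;;
            *:*) ;;
            *) echo "bad port pair: $pair" >&2; return 1 ;;
        esac
        out="$out -L 127.0.0.1:${pair%%:*}:${TUNNEL_HOST}:${pair##*:}"
    done
    echo "${out# }"
}

open_tunnels() {
    args=$(forward_args "$@") || return 1
    # -N no remote command, -f background after authentication,
    # -M/-S control socket so the tunnels can be checked and closed later.
    # ExitOnForwardFailure makes ssh exit if any local port cannot be bound.
    # $args is intentionally unquoted so it splits into separate arguments.
    ssh -f -N -M -S "$CTL_SOCKET" -o ExitOnForwardFailure=yes \
        -l "$TUNNEL_USER" $args "$TUNNEL_HOST"
}

tunnels_up()    { ssh -S "$CTL_SOCKET" -O check "$TUNNEL_HOST"; }
close_tunnels() { ssh -S "$CTL_SOCKET" -O exit "$TUNNEL_HOST"; }

# Usage: open_tunnels 3098:21 3099:80 3100:443 && tunnels_up; ...; close_tunnels
```

With the tunnels up, the remote web server on port 80 is reached at 127.0.0.1:3099, and `close_tunnels` tears down all three forwards at once.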

Categories: General

How to turn off Google Buzz

February 11th, 2010

I logged into a Gmail inbox today, surprised to find ‘Google Buzz’ asking me if I wanted in. I clearly said ‘No’. Not yet another social network. pfft. So after I said ‘No’ there it was sitting comfortably on the navigation bar and telling me people were following me and I could follow them.

There is a small link at the bottom of your Gmail page that says ‘turn off buzz’. Click on that and you get disconnected from the social network. I wonder what Google plans for Orkut.

Categories: General

Oracle apologizes about kenai.com

February 8th, 2010

After project owners were asked to move out of kenai.com, Oracle now admits that it did a poor job of communicating its plans for the project. An updated post from Oracle says that the future of kenai.com projects is secure. Those projects will be migrated to java.net and continued as is. Here is an extract from the post:

We don’t believe it makes sense to continue investing in multiple hosted development sites that are basically doing the same thing. Our plan is to shut down kenai.com and focus our efforts on java.net as the hosted development community. We are in the process of migrating java.net to the kenai technology. This means that any project currently hosted on kenai.com will be able to continue as you are on java.net. We are still working out the technical details, but the goal is to make this migration as seamless as possible for the current kenai.com projects

Categories: General

Error: ORA-01418: specified index does not exist

February 5th, 2010

I ran into a weird little error while trying to tune the performance of a query in the Oracle database. A table had an index on a VARCHAR2 column. After a fair number of inserts were made, the population of this table grew to 1.5 million records. A query that did a join on the VARCHAR2 column was taking ages to get the results. Well, it was taking 900ms actually, but the SLA for the API call is way below that.

An “explain plan for QUERY” statement was run followed by a select from plan_details. It turns out the index is never used and a full table scan was used to get the data. Hence the problem.

Categories: General