The Sad State of American Brick and Mortar
@ June 13, 2011, 7:25 p.m.
Filed under: Personal Tech Frustration
Over the last year I've been keeping a close eye on Android tablets. It hasn't been until this latest round of releases that I really got interested in making a purchase. It took Monk pointing me at the Asus eee Transformer to finally make a decision. After using Google to see if anyone in the area had stock and finding that no one had any listed I decided to wait for a little bit. After a short bit I was told that one of the local HH Greg's was getting a shipment in on a Monday.
"Great!", I thought, "I can run to the store this coming Monday and buy one!". But then something hit me, I should probably call and make sure that they will have a unit available. I gave the store a ring and to my surprise I was told they had two units in stock right then. One unit was the floor model, the other was a unopened unit. I rushed to my car and got over to the store as fast as I could during my lunch break. I went through the whole purchase process and was ready to get my tablet ... and that is where the disappointment began.
The manager couldn't find a new unit. He said that a shipment was coming Monday if I could wait they would give me a call when it came in. I figured that wasn't a bad wait. I had already paid for it and it was better than calling every hour Monday to try to get one of the units before other geeks did. The guy who did the sale was very apologetic about the mix up saying that he really should have checked the back first. I understood how it happened, but it was still frustrating! The guy I spoke to on the phone said there were two and did not physically check. The guy who then helped me when I walked in talked to the first guy, was told there were two and took him at his word. In any case, that was Friday and I spent the weekend looking forward to getting my new tablet Monday.
Monday came and by noon I was getting antsy. I decided to give the store a call and check up. A guy picked up and said he would look up the purchase. I'm not sure if he thought he put me on hold or not but I then heard him say something similar to the following to another employee some distance away: "Hey! I don't know how to do this. What am I supposed to hit?" I kind of chuckled a bit at that being that one of HH Gregg's selling points as a company is that they have 'the best trained associates in the business'. He then told me the truck didn't come in yet and try again later. I thought "OK, I jumped the gun. I'll wait for their call."
By 8pm I was getting antsy again. The store closes at 9pm and here I was without the tablet I purchased. I decided to give a second call. This time a young lady said that the tablet did not show up on the truck. They were expecting the tablets but they did not come. She offered to transfer me to the manager but I instead asked when the next shipment was to arrive. She said that it would be Thursday. I decided to wait till then.
Thursday came and while I was at work I decided to give a call to HH Gregg. Surely they got the unit that I purchased in store almost a week prior in by now! I gave the store a call and was told it still didn't show up. It was time for me to call the main corporate customer service line.
I spoke with a lady who did truly try to help resolve the problem. She looked in the warehouses in the area and other stores and found none in stock. It also didn't help that she was having 'computer issues' which didn't let her see all of the information. At the end of the call the best she was able to say was that by Monday the store should have some units since the past two shipments none came.
It's Monday! At noon I gave a call to the local store and was given the same response I'd been accustomed to: 'Sorry, it didn't come in on this shipment'. I called up the main customer service line of HH Gregg again. After about 5 minutes on hold a friendly guy did his best to help. He also searched warehouses and nearby stores to see if shipment had come through. He was able to find one unit but there was two issues: First, the unit was an open box item. Second, the unit was roughly 30 minutes away. As I thought about it the guy said he would give me till Wednesday to decide if I wanted that unit or if I wanted to wait for a sealed unit. I really do appreciate what he did to help but while sitting at my desk I started to think about it.
"Right now, the best they can do is offer me an open box tablet at full price after I make a 30 minute drive to pick it up myself. That is like buying an openbox item online but then deciding to drive to a UPS depot to pick up a shipment. Heck, I could have gotten the unit already if I would have ordered it online!"
Monday evening I started to look online to see if any online or local stores had any tablets in stock. If I could find one nearby I would go get it ASAP and tell HH Gregg to refund my money. Google Shopper told me that 2 stores locally had stock! Excellent! The first was Toys R Us so I decided to give them a call to confirm.
I went through the silly automated system to get to a person so they could answer my question. I told the lady who picked up I wanted to check to see if they had a tablet in stock. She asked me to hold and I waited for about a minute and a half to two minutes. I was then transfered to guy who asked why I was calling. I explained that I wanted to check to see if they had a tablet in stock. He asked me to hold and I waited another minute and a half to two minutes. A different lady picked up and the same thing happened again. And then it happened one last time where the lady said she was trying to get 'electronics' to pick up. This time when she transfered me I made it to electronics. Mind you this was roughly 6-8 minutes into a call to check if they had one item in stock. The guy in electronics listened and said he didn't think they had it in stock but would go check. I spent three minutes or so on hold before I was accidentally hung up on. At this point I decided to not call back as I didn't want to give them my money. What if the product was defective? If they could not figure out how to use phones how can they handle a return? I decided to try the other store which Google shopper said had the product: Walmart.
I called up the Walmart which Google said had stock and was greeted right away by a friendly lady. I told her why I was calling and she transfered me to electronics. Which rang about 25 times and then transfered me back to her. I told her again why I was calling and she transfered me back to electronics where it rang another 25 times before transferring back. This time when the lady picked up again she said (with some frustration) please hold. I then spent 3 minutes with nothing but dead air. I hung up and called back and told her I had just called and we were disconnected. She seemed frustrated (not at me) and transfered me again to electronics. This time someone picked up and they said that they don't carry such a product.
At this point I gave up. I figure that any American brick and mortar shop will give me the same terrible service. In all honesty none of them are worthy of the sale. I figure I'll think a little bit more on the open box item and then decide as to if I will get a refund and order from an online dealer and know that I'll get a sealed product or go ahead and take the gamble from the retail store. Oh, and if you are traveling from another country in to the US it may be a safer bet to wait till you get home to make electronics purchases ... it would be even more frustrating to not only have to wait for the product you paid for in store but then need to pay international shipping!
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
New Server @ March 12, 2011, 12:53 p.m.
Filed under: Personal Tech Scroll
If you are seeing this the blog has moved to a new server. Things will probably break a bit for a while and the blog ping services may see pings for old posts (sorry!).
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
Hello x-wap-profile I Didn't Notice You There @ Aug. 31, 2010, 11:41 p.m.
Filed under: Code Tech Security Python
After reading about some of the stupid that some mobile companies do when proxying their mobile traffic I decided to look at what my phone gave up. Luckily I didn't find anything way out there in the headers but I did find out about a header I didn't know about: x-wap-profile.
Before I continue let me say that I didn't find anything new :-). This is simply my own 'oh wait, what is this?' moment when playing with my phone.
The contents of the header had a URL. In my case it was http://device.sprintpcs.com/HTC/APA9292KT/latest. To my sadness it is an XML document. XML is the overly chatty great grandmother of modern markups. It doesn't understand why why you don't understand it half the time. It also smells funny. Anyway, after a bit of python I could read the XML in a more human friendly form: YAML. Note, this is some ugly and inefficient code but it was written to nicely see the data ....
The code simply snags the XML from the URL and then uses some ugly parsing/hacks to transform it. Here is the output from my phones header:
After seeing all this information a few things came to mind. The first was not all the data was correct. For instance the OS version is wrong, The second was that it seems like a lot more information than should be shared by simply browsing a site. When browsing with a desktop/laptop/netbook you give up some information. For instance, the machine I'm using right now reports up that I'm using Linux on an x86_64 machine with the Chromium browser. Obviously, the phone gives up a lot more information. It states that (by default) the device has no antispam or antivirus. It also states the kinds of networks which can be used, versions of hardware components, hardware specs and even default installed applications (many which can not be removed). I don't know about you but this is more info than I like to give to sites I'm simply browsing. What if a vulnerability is found in one of those default apps which can be triggered via the browser or through downloads? What if the browser itself is vulnerable if it can decode certain formats? What if someone hard codes debug credentials in a certain software/firmware version? etc... It seems like this is a near perfect source of information for tailoring smart drive by exploits with.
If you want to look at other profiles see google search.
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
The Business Is A Customer? ... Information Security? @ Aug. 7, 2010, 2:43 p.m.
Filed under: Philosophy Tech
Before I start let me give you this warning: I'm tired, cranky and need a nap. I also badly need a shower. Now enjoy my mad rambling ...
Many companies have implemented or are implementing the ITIL Framework within their organization. That usually is a good thing. If done right it brings a common, repeatable process that can be done and tracked for accuracy. Of course, this also can be done wrong which creates gates and bottlenecks, process for process sake, overhead, confusion and special cases in the name of pragmatism .. but I'm not going to talk about that here. I do want to talk about a common idea that seems to tie back with ITIL in many cases and that is IT is the vendor, the business is the customer.
When one thinks of the business/customer relationship usually one simple aspect of it comes to mind. That one aspect is that the customer gets what the customer wants (aka the customer is always right). If the customer is not happy they will go somewhere else. If the customer can get it cheaper elsewhere they will go elsewhere. Generally this is a good thing. It means that there is competition and the lowest price with the highest quality product or service will keep driving other vendors to match or find related services to enhance their products. But how does this actually fit with Information Security within IT and it's greater Business unit(s)?
The short answer is it does not :-) (surprise!). In some ways ITIL attempts to remedy (no pun intended) this with ITIL Security Management which holds true to the CIA triad and requires that InfoSec have documented policies that the company follows (among other things). ITIL Security Management can work, but what about the customer, do they want this?
Here is where things break down in my opinion. When it comes to purchasing a product or service in the real world the burden and effects are on the customer. For instance, if someone buys a chainsaw it will give them a warnings about how they should use it (and how not to use it). The customer can still cut his leg off, but that is the customers fault, the vendor is not responsible nor is hurt by the action (yes, there are exceptions where legal action is taken against a company who didn't provide a disclaimer or warning ...). Using a service example, if someone takes a taxi, opens the door in transit and falls out it's not the taxis fault ... the customer did the action and suffers the burden and effects of the action. It's easy to look at the examples and say they are simple and don't apply ... everyone knows not to fall out of a moving car or take a chainsaw to the leg. It's common sense not to hurt yourself! One could says the same thing about opening up that PDF from an unknown sender too yet business users do this all of the time. This is where the first issue comes into play: The Customer (aka the business) believes they know how to use the tools properly and safely. Of course some can, but a good many of them can not and fall in the camp of being lucky (or pwned and unlucky enough not to know). So how does a traditional vendor tell their customer they are acting risky? If it is a product vendor they will more than likely send a notice or a fix to the customer to let them know there is an issue. They can use the fix or continue using the problematic product at their own risk. If it is a service vendor then sadly the answer is they don't unless it also puts the vendor at risk. If it does put the vendor at risk the action is to usually cut service or, at the very least, cripple the service in such a way that the customer can not cause any harm to the vendor.I don't know about you but I can't see that conversation going well if it's IT as the vendor and the Business as the customer ... unless it's so painfully obvious that someones great grandfather could understand is an issue the customer will get their way. Even if one takes the product route of things, the customer still must use said fix but in the case of a company failure to use the fix can be disastrous to everyone, not just them.
The second issue is that of process. I'm going to use an ITIL implementation as an example but this can be for any process. Let's say that someone from a large printing companies InfoSec group has found an issue. To make things simple, let's say it's a public issue found in Adobe software (there have been tons of them in the last year or so). The company in question gets PDF's from reporters, advertisers, managers, spammers, etc.. This means the the member of InfoSec needs to put in a change request to get the software updated to a safe patched version. Problem is, this will take some time. In fact, it may never get done as the customer may complain they don't have time for petty upgrades ... they have "real" work to do. Putting aside that "real" work probably means 30-40% of their day surfing Facebook and Twitter, this is obviously a problem. The customer does not want to take the small inconvenience to protect themselves and the company. If this is something that IT can do without the need to involve the users then the change will likely be held up in process while it goes through multiple approval layers by people who don't really understand the issue at hand (either way meaning the fix will be delayed increasing the time of vulnerability), which brings us to the third issue.
The third issue is that of the education of those who make the decisions. A good manager understands what his people do on a day to day basis. They also understand the basics of how they do it and what the results mean. They understand more than just 'this is bad' or 'this is good'. In terms of Information Security, simple concepts like data exfiltration or why cross-site scripting is a problem are a must just like understanding basic economics is needed for a manager of a finance department. The problem lies in that as you go up, the understanding of basic concepts goes down. This is not because the people get dumber as you go up (well, hopefully not :-)) but because they have a larger amount of information they should understand. The natural response is to understand all of it in such a shallow manor that you essential understand none of it. By the time you hit those who are actually approving changes basic concepts may seem like abstract tech talk or, even worse, unintelligible alien language (run far away if this is the case ...). Add in that pressure from the customer and politics at this layer and things get tougher. How can any InfoSec engineer work in a situation like that and be productive? By the time the update is approved there is a good chance there is already one or more updates to the same piece of software that need to be applied. Get ready to go through the explanation process again even if it is the exact same issue.
There are more reasons I'm sure. I've been thinking about this for months trying to find a good way that it could actually work and I'm at a total loss. The only way I can see IT InfoSec and Business Units working in unison is if they work together and not in a vendor/customer or master/slave relationship. It seems I'm not the only one with this thought. For instance, Ivar Jacobson has written about breaking out of Business as the Customer mentality.
The next time the business as the customer asks for this:
and you catch them doing this:
... either cry and plan the funeral or smile and bring dead fish to throw in with them.
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
Terrified of Qik @ June 29, 2010, 10 p.m.
Filed under: Personal Tech
For those who don't know what qik is, it's a mobile application for taking videos and uploading them to the net as well as a "live" stream service from your phone for people to watch. I put live in quotes as, since one would expect, there is a delay depending on bandwidth, processing and other factors (it seems to be between 10-20 seconds usually). It's quite an interesting idea and seems to work decently well. For many phones this is a downloadable app but for us Evo users it is preloaded an, without hackery, can not be removed. Of course, this is par for course when it comes to bundled apps, but it's still no excuse as to why the practice is still done.
Anyway, I've noticed quite a few odd videos showing up online through qik. Now, a lot of these videos show up in the recent videso section and then disappear off the site 15-60 minutes later. Some you really can't tell WTF is going on (like in this). While others seem like accidental recordings. Take this video for instance. A few seconds of a steering wheel while you drive? Kind of odd. Or this and this ... odd as one usually tries to record something when they record. This is a guy telling someone else how to use it as he reads the instructions on his phone. How about this one which is in someones bag or purse. Then, just for fun, take Monk's sarcastic didn't mean to record video.
While some of the videos are just odd I tend to think a number of them were accidental. Why would you record 15 seconds of your phone moving around in your bag? Why record nothing but a few random words and no image? Why else would the videos have default names such as "A qik snippet of my life"? Have I convinced you at least some portion of these were accidental recordings? Good. We can move to the next step ...
Where do people use their smart phones? At the airport? Yes. Walking down a hall? Of course. At a restaurant? Sure ... but let's think of where else many people use their phones ... the bathroom. Now before you start running off stating that no one does that or you don't do that just think about it. Not much else to do but read or get that phone out and be productive! If you go into (almost) any decently sized company and hang out in the stalls you will end up hearing the beeping, keyboard/feedback clicks and alerts from smart phones (assuming you don't get kicked out for being creepy).
One more thing before we bring this all together. Having a forward facing and a rear facing camera is common on this new generation of phones. Both cameras tend to be at least webcam quality if not much better. For instance, the rear facing camera on my EVO is amazing while the forward facing one is in the better than average similar to iPhone range.
So here it is, why I'm terrified of Qik: With Qik and the ease of accidental recordings it is quite possible that one could record themselves in the bathroom and have it uploaded to the net for everyone to watch without the user realizing it for 15-60 minutes (which is my very unscientific estimate for how long it takes someone to tell someone else they posted a recording they don't think was meant to be posted). This is very close to the dream many people have when younger: going to school naked. Sure, in this case you are not naked, but everyone gets to see you in a bit of a compromising position. To make it worse, there is an automatic "good job" post that happens on some videos as if to encourage you to make more ... if you accidentally posted yourself in the bathroom and were told good job .... yeah.
So I leave you with the closest video to what I've described. No, this person is not in the bathroom but it kind of seems like how the video would end up looking:
EDIT
I lied ... this one is closer (but done on purpose) and kind of creepy:
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
Filed under: Personal Tech Frustration
Over the last year I've been keeping a close eye on Android tablets. It hasn't been until this latest round of releases that I really got interested in making a purchase. It took Monk pointing me at the Asus eee Transformer to finally make a decision. After using Google to see if anyone in the area had stock and finding that no one had any listed I decided to wait for a little bit. After a short bit I was told that one of the local HH Greg's was getting a shipment in on a Monday.
"Great!", I thought, "I can run to the store this coming Monday and buy one!". But then something hit me, I should probably call and make sure that they will have a unit available. I gave the store a ring and to my surprise I was told they had two units in stock right then. One unit was the floor model, the other was a unopened unit. I rushed to my car and got over to the store as fast as I could during my lunch break. I went through the whole purchase process and was ready to get my tablet ... and that is where the disappointment began.
The manager couldn't find a new unit. He said that a shipment was coming Monday if I could wait they would give me a call when it came in. I figured that wasn't a bad wait. I had already paid for it and it was better than calling every hour Monday to try to get one of the units before other geeks did. The guy who did the sale was very apologetic about the mix up saying that he really should have checked the back first. I understood how it happened, but it was still frustrating! The guy I spoke to on the phone said there were two and did not physically check. The guy who then helped me when I walked in talked to the first guy, was told there were two and took him at his word. In any case, that was Friday and I spent the weekend looking forward to getting my new tablet Monday.
Monday came and by noon I was getting antsy. I decided to give the store a call and check up. A guy picked up and said he would look up the purchase. I'm not sure if he thought he put me on hold or not but I then heard him say something similar to the following to another employee some distance away: "Hey! I don't know how to do this. What am I supposed to hit?" I kind of chuckled a bit at that being that one of HH Gregg's selling points as a company is that they have 'the best trained associates in the business'. He then told me the truck didn't come in yet and try again later. I thought "OK, I jumped the gun. I'll wait for their call."
By 8pm I was getting antsy again. The store closes at 9pm and here I was without the tablet I purchased. I decided to give a second call. This time a young lady said that the tablet did not show up on the truck. They were expecting the tablets but they did not come. She offered to transfer me to the manager but I instead asked when the next shipment was to arrive. She said that it would be Thursday. I decided to wait till then.
Thursday came and while I was at work I decided to give a call to HH Gregg. Surely they got the unit that I purchased in store almost a week prior in by now! I gave the store a call and was told it still didn't show up. It was time for me to call the main corporate customer service line.
I spoke with a lady who did truly try to help resolve the problem. She looked in the warehouses in the area and other stores and found none in stock. It also didn't help that she was having 'computer issues' which didn't let her see all of the information. At the end of the call the best she was able to say was that by Monday the store should have some units since the past two shipments none came.
It's Monday! At noon I gave a call to the local store and was given the same response I'd been accustomed to: 'Sorry, it didn't come in on this shipment'. I called up the main customer service line of HH Gregg again. After about 5 minutes on hold a friendly guy did his best to help. He also searched warehouses and nearby stores to see if shipment had come through. He was able to find one unit but there was two issues: First, the unit was an open box item. Second, the unit was roughly 30 minutes away. As I thought about it the guy said he would give me till Wednesday to decide if I wanted that unit or if I wanted to wait for a sealed unit. I really do appreciate what he did to help but while sitting at my desk I started to think about it.
"Right now, the best they can do is offer me an open box tablet at full price after I make a 30 minute drive to pick it up myself. That is like buying an openbox item online but then deciding to drive to a UPS depot to pick up a shipment. Heck, I could have gotten the unit already if I would have ordered it online!"
Monday evening I started to look online to see if any online or local stores had any tablets in stock. If I could find one nearby I would go get it ASAP and tell HH Gregg to refund my money. Google Shopper told me that 2 stores locally had stock! Excellent! The first was Toys R Us so I decided to give them a call to confirm.
I went through the silly automated system to get to a person so they could answer my question. I told the lady who picked up I wanted to check to see if they had a tablet in stock. She asked me to hold and I waited for about a minute and a half to two minutes. I was then transfered to guy who asked why I was calling. I explained that I wanted to check to see if they had a tablet in stock. He asked me to hold and I waited another minute and a half to two minutes. A different lady picked up and the same thing happened again. And then it happened one last time where the lady said she was trying to get 'electronics' to pick up. This time when she transfered me I made it to electronics. Mind you this was roughly 6-8 minutes into a call to check if they had one item in stock. The guy in electronics listened and said he didn't think they had it in stock but would go check. I spent three minutes or so on hold before I was accidentally hung up on. At this point I decided to not call back as I didn't want to give them my money. What if the product was defective? If they could not figure out how to use phones how can they handle a return? I decided to try the other store which Google shopper said had the product: Walmart.
I called up the Walmart which Google said had stock and was greeted right away by a friendly lady. I told her why I was calling and she transfered me to electronics. Which rang about 25 times and then transfered me back to her. I told her again why I was calling and she transfered me back to electronics where it rang another 25 times before transferring back. This time when the lady picked up again she said (with some frustration) please hold. I then spent 3 minutes with nothing but dead air. I hung up and called back and told her I had just called and we were disconnected. She seemed frustrated (not at me) and transfered me again to electronics. This time someone picked up and they said that they don't carry such a product.
At this point I gave up. I figure that any American brick and mortar shop will give me the same terrible service. In all honesty none of them are worthy of the sale. I figure I'll think a little bit more on the open box item and then decide as to if I will get a refund and order from an online dealer and know that I'll get a sealed product or go ahead and take the gamble from the retail store. Oh, and if you are traveling from another country in to the US it may be a safer bet to wait till you get home to make electronics purchases ... it would be even more frustrating to not only have to wait for the product you paid for in store but then need to pay international shipping!
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
New Server @ March 12, 2011, 12:53 p.m.
Filed under: Personal Tech Scroll
If you are seeing this the blog has moved to a new server. Things will probably break a bit for a while and the blog ping services may see pings for old posts (sorry!).
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
Hello x-wap-profile I Didn't Notice You There @ Aug. 31, 2010, 11:41 p.m.
Filed under: Code Tech Security Python
After reading about some of the stupid that some mobile companies do when proxying their mobile traffic I decided to look at what my phone gave up. Luckily I didn't find anything way out there in the headers but I did find out about a header I didn't know about: x-wap-profile.
Before I continue let me say that I didn't find anything new :-). This is simply my own 'oh wait, what is this?' moment when playing with my phone.
The contents of the header had a URL. In my case it was http://device.sprintpcs.com/HTC/APA9292KT/latest. To my sadness it is an XML document. XML is the overly chatty great grandmother of modern markups. It doesn't understand why why you don't understand it half the time. It also smells funny. Anyway, after a bit of python I could read the XML in a more human friendly form: YAML. Note, this is some ugly and inefficient code but it was written to nicely see the data ....
#!/usr/bin/env python
"""
Terrible but works way to find out info about mobile clients.
"""
import re
import sys
import urllib
import yaml
from lxml import etree
rx = re.compile('\{.*\}')
no_tabs = re.compile("[\t\n]*")
no_li = re.compile('li ')
xml = etree.XML(urllib.urlopen(sys.argv[1]).read())
results = {}
prev_key = None
for ele in xml.iter():
if type(ele.tag) is type(""):
tag = rx.sub('', ele.tag)
text = no_tabs.sub('', str(ele.text))
if tag == "Bag":
continue
if tag == "li":
try:
results[prev_key].append(text)
except:
results[prev_key] = []
results[prev_key].append(text)
else:
prev_key = tag
results[tag] = text
print yaml.dump(results, default_flow_style=False)
The code simply snags the XML from the URL and then uses some ugly parsing/hacks to transform it. Here is the output from my phones header:
$ python wtf.py http://device.sprintpcs.com/HTC/APA9292KT/latest AcceptDownloadableSoftware: 'Yes' AdvertisingCapable: N/A AntiSpam: 'No' AntiSpamVendor: N/A AntiVirus: 'No' AntiVirusVendor: N/A AudioCodecsForDecoding: - mp3 - aac - aac+ - eaac+ - amr-nb - amr-wb - qcelp - wma - evrc - midi AudioCodecsForEncoding: - AMR-NB - QCELP AudioInputEncoder: - gzip - deflate AudioJack: 3.5mm BitsPerPixel: '16' BrowserName: Android Browser BrowserPortalVersion: '' BrowserVersion: Eclair 2.0 CPU: ARM11 CamcorderResolution: 1280x720 CamcorderZoomCapable: 'Yes' CameraBuiltInFlash: 2x power LED CameraHighestImageResolution: 3624x2488 CameraMegaPixels: 8M CameraZoomCapable: 'Yes' CcppAccept: - application/vnd.oma.drm.rights+xml - application/ogg - application/smil - application/vnd.oma.drm.message - application/vnd.wap.mms-message - application/vnd.wap.multipart.alternative - application/vnd.wap.multipart.mixed - application/vnd.wap.multipart.related - application/vnd.wap.sic - application/vnd.wap.xhtml+xml - application/vnd.oma.dd+xml - application/java-archive - audio/aac - audio/amr - audio/imelody - audio/mid - audio/midi - audio/mp3 - audio/mpeg3 - audio/mpeg - audio/mpg - audio/x-mpeg3 - audio/x-mpeg - audio/x-mpg - audio/x-mid - audio/x-midi - audio/x-mp3 - image/gif - image/jpeg - image/jpg - image/png - image/vnd.wap.wbmp - video/mpeg4 - video/mp4 - text/plain - text/html CcppAccept-Charset: - ISO-10646-UCS-2 - ISO-8859-1 - US-ASCII - UTF-8 CcppAccept-Language: '' ColorCapable: 'Yes' CommerceCapable: N/A ConnectionManagerVendor: N/A ConnectionManagerVersion: N/A DataNetworkTypes: - IS2000 - EVDO - WiMax - WiFi Description: '' DeviceIdentifierType: - MEID DeviceType: Android Touch DiagnosticsClientVendor: CIQ DiagnosticsClientVersion: 3.2.18 DiagnosticsProtocolVersion: 3.2.18 DownStreamBufferSize: None DownloadableBrowserApps: - 'No' DownloadableSoftwareSupport: - application/java-archive EmailCapable: 'Yes' EmbeddedApplicationsCapable: 'Yes' ExternalMemoryMaxSize: 32GB SDHC ExternalMemorySlot: 'Yes' FirmwareVersionWiMAXRadioModule: 4.6.2.1 build22766 FixedVoIPCapable: 'No' FotaClientVendor: SmithMicro FotaClientVersion: '' FotaProtocolVersion: 1.5.1 FramesCapable: 'Yes' GLMSClientVendor: '' GLMSClientVersion: '' GLMSProtocolVersion: '' GPSChipsetModel: '8650' GPSChipsetVendor: Qualcomm GamingCapable: 'Yes' HardwareVersion: '1.0' IMVideoCallingCapable: 'No' IOTAProtocolVersion: N/A ImageCapable: 'Yes' InputCharSet: - US-ASCII - UTF-8 - ISO-8859-1 - ISO-10646-UCS-2 IntelligentSearchCapable: 'Yes' JVMVersion: - N/A JavaAppletEnabled: 'Yes' JavaEnabled: 'No' JavaPlatform: - N/A JavaScriptEnabled: 'Yes' Keyboard: TouchKeypad LBSCapable: 'Yes' MI-UICapable: '' MI-UIVersion: '' ManufacturerWiMAXRadioModule: SEQUANS MobileOriginatedSmsSupport: 'Yes' MobileTVORVODCapable: 'Yes' Model: '9292' ModelWiMAXRadioModule: SQN1210 MultimediaEncoder: Qualcomm Qcamcorder MultimediaEncoderDisplaySize: - '800x480 ' - '640x480 ' - '320x240 ' - '176x144 ' - 128x96 MultimediaEncodingSupport: '' MultimediaFileFormatForDecoder: - MPEG4 - 3GP - 3G2 - AAC - AMR - MID - MP3 - WMA - WMV MultimediaFileFormatForEncoder: - MPEG4 - 3GP - 3G2 MultimediaMaximumBitRateForEncoding: 5000 kbps MultimediaMaximumBitRateForPlayback: 5000 kps MultimediaMaximumBitRateForStreaming: 1200 kbps MultimediaMaximumFrameRateForEncoding: 24 fps MultimediaMaximumFrameRateForPlayback: 30 fps MultimediaMaximumFrameRateForStreaming: '30 fps ' MultimediaPlaybackSupport: '' MultimediaPlayer: 'Yes' MultimediaStreamingSupport: '' MultimediaVideoDisplaySize: - '800x480 ' NavigationSupport: - Touch Screen NumberOfSoftKeys: '0' OMADMCapable: 'Yes' OMADMVendor: SmithMicro OMADMVersion: '2.0' OSName: Android OSVendor: QUALCOMM OSVersion: QSD8650/Eclair OnDemandCapable: '' OnDemandVersion: '' OutputCharSet: - US-ASCII - UTF-8 - ISO-8859-1 - ISO-10646-UCS-2 PictureMailSupport: 'Yes' PixelAspectRatio: 1x1 PreferenceForFrames: 'Yes' PssVersion: 3GPP-R6 Push-Accept: - text/plain Push-Accept-AppID: - None - None Push-Accept-Encoding: - base64 Push-MsgSize: '4096' RDF: '' RadioCapable: 'yes' ScreenSize: 480x800 ScreenSizeChar: 25x21 SecuritySupport: - SSL-3.0 - TLS-1.0 Seq: - en-us - es-us SoftwareNumber: 3.26.651.6 SoundOutputCapable: 'Yes' SprintMcdVersion: 3.5.4 StandardFontProportional: 'Yes' SupportedApplications: - Album - Browser - Calculator - Calendar - Camcorder - Camera - Dialer - FlashLite Plug-in for Browser - Footprints - HTC Sync - Lock Screen - Mail - Messages - Microsoft Exchange ActiveSync - Music (integrate with Ringto Trimmer) - OOBE - PDF Viewer - People - Quickoffice - Settings - Social Network - Stocks - Windows Media Streaming Player - Teeter - Voice Recorder - Weather - World Clock - Amazon MP3 - Sprint Navigation - Remote Diagnostic - Sprint TV - NFL - NASCAR - Voice Dialer - Visual Voicemail SupportedBearers: - IS2000/rel0 TablesCapable: 'Yes' TextInputCapable: 'Yes' TotalDeviceFlash: 1GB ROM TotalDeviceMemory: 512MB RAM UpStreamBufferSize: None VOIPAnalogJacks: ZERO Vendor: HTC VideoCodecsForDecoding: - MPEG4 simple profile - H.263 Profile 0 - H.264 Baseline - Motion-JPEG VideoCodecsForEncoding: - MPEG4 - H263 VideoMailSupport: 'Yes' VoiceChatCapable: 'Yes' VoiceInputCapable: 'Yes' WapDeviceClass: C WapVersion: '2.0' WmlDeckSize: '' WmlVersion: - None XhtmlModules: - Mobule-based XHTML W3C Recommendation XhtmlVersion: XHTML-Basic/1.0 component: '' type: None
After seeing all this information a few things came to mind. The first was not all the data was correct. For instance the OS version is wrong, The second was that it seems like a lot more information than should be shared by simply browsing a site. When browsing with a desktop/laptop/netbook you give up some information. For instance, the machine I'm using right now reports up that I'm using Linux on an x86_64 machine with the Chromium browser. Obviously, the phone gives up a lot more information. It states that (by default) the device has no antispam or antivirus. It also states the kinds of networks which can be used, versions of hardware components, hardware specs and even default installed applications (many which can not be removed). I don't know about you but this is more info than I like to give to sites I'm simply browsing. What if a vulnerability is found in one of those default apps which can be triggered via the browser or through downloads? What if the browser itself is vulnerable if it can decode certain formats? What if someone hard codes debug credentials in a certain software/firmware version? etc... It seems like this is a near perfect source of information for tailoring smart drive by exploits with.
If you want to look at other profiles see google search.
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
The Business Is A Customer? ... Information Security? @ Aug. 7, 2010, 2:43 p.m.
Filed under: Philosophy Tech
Before I start let me give you this warning: I'm tired, cranky and need a nap. I also badly need a shower. Now enjoy my mad rambling ...
Many companies have implemented or are implementing the ITIL Framework within their organization. That usually is a good thing. If done right it brings a common, repeatable process that can be done and tracked for accuracy. Of course, this also can be done wrong which creates gates and bottlenecks, process for process sake, overhead, confusion and special cases in the name of pragmatism .. but I'm not going to talk about that here. I do want to talk about a common idea that seems to tie back with ITIL in many cases and that is IT is the vendor, the business is the customer.
When one thinks of the business/customer relationship usually one simple aspect of it comes to mind. That one aspect is that the customer gets what the customer wants (aka the customer is always right). If the customer is not happy they will go somewhere else. If the customer can get it cheaper elsewhere they will go elsewhere. Generally this is a good thing. It means that there is competition and the lowest price with the highest quality product or service will keep driving other vendors to match or find related services to enhance their products. But how does this actually fit with Information Security within IT and it's greater Business unit(s)?
The short answer is it does not :-) (surprise!). In some ways ITIL attempts to remedy (no pun intended) this with ITIL Security Management which holds true to the CIA triad and requires that InfoSec have documented policies that the company follows (among other things). ITIL Security Management can work, but what about the customer, do they want this?
Here is where things break down in my opinion. When it comes to purchasing a product or service in the real world the burden and effects are on the customer. For instance, if someone buys a chainsaw it will give them a warnings about how they should use it (and how not to use it). The customer can still cut his leg off, but that is the customers fault, the vendor is not responsible nor is hurt by the action (yes, there are exceptions where legal action is taken against a company who didn't provide a disclaimer or warning ...). Using a service example, if someone takes a taxi, opens the door in transit and falls out it's not the taxis fault ... the customer did the action and suffers the burden and effects of the action. It's easy to look at the examples and say they are simple and don't apply ... everyone knows not to fall out of a moving car or take a chainsaw to the leg. It's common sense not to hurt yourself! One could says the same thing about opening up that PDF from an unknown sender too yet business users do this all of the time. This is where the first issue comes into play: The Customer (aka the business) believes they know how to use the tools properly and safely. Of course some can, but a good many of them can not and fall in the camp of being lucky (or pwned and unlucky enough not to know). So how does a traditional vendor tell their customer they are acting risky? If it is a product vendor they will more than likely send a notice or a fix to the customer to let them know there is an issue. They can use the fix or continue using the problematic product at their own risk. If it is a service vendor then sadly the answer is they don't unless it also puts the vendor at risk. If it does put the vendor at risk the action is to usually cut service or, at the very least, cripple the service in such a way that the customer can not cause any harm to the vendor.I don't know about you but I can't see that conversation going well if it's IT as the vendor and the Business as the customer ... unless it's so painfully obvious that someones great grandfather could understand is an issue the customer will get their way. Even if one takes the product route of things, the customer still must use said fix but in the case of a company failure to use the fix can be disastrous to everyone, not just them.
The second issue is that of process. I'm going to use an ITIL implementation as an example but this can be for any process. Let's say that someone from a large printing companies InfoSec group has found an issue. To make things simple, let's say it's a public issue found in Adobe software (there have been tons of them in the last year or so). The company in question gets PDF's from reporters, advertisers, managers, spammers, etc.. This means the the member of InfoSec needs to put in a change request to get the software updated to a safe patched version. Problem is, this will take some time. In fact, it may never get done as the customer may complain they don't have time for petty upgrades ... they have "real" work to do. Putting aside that "real" work probably means 30-40% of their day surfing Facebook and Twitter, this is obviously a problem. The customer does not want to take the small inconvenience to protect themselves and the company. If this is something that IT can do without the need to involve the users then the change will likely be held up in process while it goes through multiple approval layers by people who don't really understand the issue at hand (either way meaning the fix will be delayed increasing the time of vulnerability), which brings us to the third issue.
The third issue is that of the education of those who make the decisions. A good manager understands what his people do on a day to day basis. They also understand the basics of how they do it and what the results mean. They understand more than just 'this is bad' or 'this is good'. In terms of Information Security, simple concepts like data exfiltration or why cross-site scripting is a problem are a must just like understanding basic economics is needed for a manager of a finance department. The problem lies in that as you go up, the understanding of basic concepts goes down. This is not because the people get dumber as you go up (well, hopefully not :-)) but because they have a larger amount of information they should understand. The natural response is to understand all of it in such a shallow manor that you essential understand none of it. By the time you hit those who are actually approving changes basic concepts may seem like abstract tech talk or, even worse, unintelligible alien language (run far away if this is the case ...). Add in that pressure from the customer and politics at this layer and things get tougher. How can any InfoSec engineer work in a situation like that and be productive? By the time the update is approved there is a good chance there is already one or more updates to the same piece of software that need to be applied. Get ready to go through the explanation process again even if it is the exact same issue.
There are more reasons I'm sure. I've been thinking about this for months trying to find a good way that it could actually work and I'm at a total loss. The only way I can see IT InfoSec and Business Units working in unison is if they work together and not in a vendor/customer or master/slave relationship. It seems I'm not the only one with this thought. For instance, Ivar Jacobson has written about breaking out of Business as the Customer mentality.
The next time the business as the customer asks for this:
and you catch them doing this:
... either cry and plan the funeral or smile and bring dead fish to throw in with them.
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
Terrified of Qik @ June 29, 2010, 10 p.m.
Filed under: Personal Tech
For those who don't know what qik is, it's a mobile application for taking videos and uploading them to the net as well as a "live" stream service from your phone for people to watch. I put live in quotes as, since one would expect, there is a delay depending on bandwidth, processing and other factors (it seems to be between 10-20 seconds usually). It's quite an interesting idea and seems to work decently well. For many phones this is a downloadable app but for us Evo users it is preloaded an, without hackery, can not be removed. Of course, this is par for course when it comes to bundled apps, but it's still no excuse as to why the practice is still done.
Anyway, I've noticed quite a few odd videos showing up online through qik. Now, a lot of these videos show up in the recent videso section and then disappear off the site 15-60 minutes later. Some you really can't tell WTF is going on (like in this). While others seem like accidental recordings. Take this video for instance. A few seconds of a steering wheel while you drive? Kind of odd. Or this and this ... odd as one usually tries to record something when they record. This is a guy telling someone else how to use it as he reads the instructions on his phone. How about this one which is in someones bag or purse. Then, just for fun, take Monk's sarcastic didn't mean to record video.
While some of the videos are just odd I tend to think a number of them were accidental. Why would you record 15 seconds of your phone moving around in your bag? Why record nothing but a few random words and no image? Why else would the videos have default names such as "A qik snippet of my life"? Have I convinced you at least some portion of these were accidental recordings? Good. We can move to the next step ...
Where do people use their smart phones? At the airport? Yes. Walking down a hall? Of course. At a restaurant? Sure ... but let's think of where else many people use their phones ... the bathroom. Now before you start running off stating that no one does that or you don't do that just think about it. Not much else to do but read or get that phone out and be productive! If you go into (almost) any decently sized company and hang out in the stalls you will end up hearing the beeping, keyboard/feedback clicks and alerts from smart phones (assuming you don't get kicked out for being creepy).
One more thing before we bring this all together. Having a forward facing and a rear facing camera is common on this new generation of phones. Both cameras tend to be at least webcam quality if not much better. For instance, the rear facing camera on my EVO is amazing while the forward facing one is in the better than average similar to iPhone range.
So here it is, why I'm terrified of Qik: With Qik and the ease of accidental recordings it is quite possible that one could record themselves in the bathroom and have it uploaded to the net for everyone to watch without the user realizing it for 15-60 minutes (which is my very unscientific estimate for how long it takes someone to tell someone else they posted a recording they don't think was meant to be posted). This is very close to the dream many people have when younger: going to school naked. Sure, in this case you are not naked, but everyone gets to see you in a bit of a compromising position. To make it worse, there is an automatic "good job" post that happens on some videos as if to encourage you to make more ... if you accidentally posted yourself in the bathroom and were told good job .... yeah.
So I leave you with the closest video to what I've described. No, this person is not in the bathroom but it kind of seems like how the video would end up looking:
EDIT
I lied ... this one is closer (but done on purpose) and kind of creepy:
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
