How to remotely crash Lotus Notes

Here is a fun little vulnerability that lets you remotely crash Lotus Notes on demand.

  1. Set your Sametime status to a REALLY, REALLY long value without any whitespace in it (this should work).
  2. Message the person whose Lotus Notes instance you would like to crash
  3. DONE!

Now this does not really crash Lotus Notes; rather, it puts Lotus Notes into an infinite loop, making it unusable until it is restarted.  My present theory is that Lotus Notes is trying to work out how to word-wrap the super long status and is looking for space characters to replace with newline characters.  As it cannot find any spaces to replace, it just keeps trying forever.  (But this is only my theory.)
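To make the theory concrete, here is an added model of the suspected word-wrap bug, written for this page and not taken from Lotus Notes (whose wrapping code is not public): a wrapper that only ever breaks on spaces makes no progress on a space-free status and spins, while a wrapper that hard-breaks over-long tokens always consumes input and must terminate. The step budget, the `WrapHang` exception and the `hangs` helper are assumptions added so the buggy version fails loudly instead of actually hanging.

```python
# Added example: a model of a word-wrap routine that loops forever on input
# with no whitespace, beside a version that guarantees progress.

MAX_STEPS = 10_000  # assumption: budget so the buggy wrapper raises instead of hanging


class WrapHang(Exception):
    """Stands in for the hang: the wrapper made no progress within MAX_STEPS."""


def naive_wrap(text: str, width: int) -> str:
    """Break lines by replacing the last space in each window with a newline.

    Bug: when the window contains no space, the loop retries from the same
    position, so a status longer than `width` with no spaces never finishes.
    """
    lines, start, steps = [], 0, 0
    while start < len(text):
        steps += 1
        if steps > MAX_STEPS:
            raise WrapHang("no progress: input has no space to break on")
        if len(text) - start <= width:
            lines.append(text[start:])
            break
        cut = text.rfind(" ", start, start + width + 1)
        if cut == -1:
            continue  # the bug: nothing advances `start`, so we spin here forever
        lines.append(text[start:cut])
        start = cut + 1
    return "\n".join(lines)


def safe_wrap(text: str, width: int) -> str:
    """Same idea, but a token longer than `width` is hard-broken mid-word.

    Every iteration consumes at least one character, so the loop terminates
    for any input, whitespace or not.
    """
    lines, start = [], 0
    while start < len(text):
        if len(text) - start <= width:
            lines.append(text[start:])
            break
        cut = text.rfind(" ", start, start + width + 1)
        if cut == -1:
            lines.append(text[start:start + width])  # hard break: guaranteed progress
            start += width
        else:
            lines.append(text[start:cut])
            start = cut + 1
    return "\n".join(lines)


def hangs(text: str, width: int) -> bool:
    """True if naive_wrap exhausts its step budget on this input."""
    try:
        naive_wrap(text, width)
    except WrapHang:
        return True
    return False


if __name__ == "__main__":
    status = "A" * 500            # constructed: a long status with no whitespace
    print("naive wrapper hangs:", hangs(status, 40))
    print(safe_wrap("hi " + "B" * 12 + " ok", 5))
```

The defensive rule is the general one for any loop driven by untrusted input: each iteration must provably advance the cursor, and the code path for "no break point found" needs its own progress step rather than a retry.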

Site Security

One of the major disadvantages of using a popular CMS like Joomla or WordPress is that the popularity of the platform also makes it a popular target for black hat hackers. Until recently I was using Joomla to manage all the content on my website, and during the five-plus years I ran it my site was hacked twice. The first time, the site was defaced by an attacker who used an SQL injection attack against the Joomla password reset page. This was far from a targeted attack against my site; rather, the attacker seems to have had a script that searched for any site running Joomla and attacked it. My site fell to this attack a mere 14 hours after Joomla published an update to close the hole. The second time my site was hacked it was also via a non-targeted attack. This time it was a worm which had been infecting WordPress and Joomla sites. I am not sure what vulnerability the worm used to get into my site, but once in, it injected code into every PHP file owned by the user account the site was running under. The following are things I learned from both attacks which help prevent a future attack and make cleaning one up easier:

Read the full post »
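One check that makes the second kind of cleanup tractable is a file-integrity baseline taken while the site is known good: after an incident, a diff against it lists exactly which PHP files were modified or dropped in. The following is an added example written for this page, not code from the original post or from Joomla; the scenario it runs (a tiny site, a worm that prepends a marker to every PHP file and adds one new file) is constructed inline, and the suffix list and the JSON baseline format are assumptions.

```python
# Added example: snapshot digests of every PHP file under a web root, then diff a
# later snapshot against that baseline to find injected or newly dropped files.
import hashlib
import json
import os
import tempfile

PHP_SUFFIXES = (".php", ".phtml", ".inc")  # assumption: what counts as server-side code


def hash_files(files):
    """files: {relative path: bytes}. Returns {relative path: sha256 hex digest}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def read_tree(root, suffixes=PHP_SUFFIXES):
    """Collect the content of every file under root whose name ends with a suffix."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


def diff_baseline(baseline, current):
    """Compare two digest maps. Added and modified entries are the cleanup list."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_baseline(path, digests):
    with open(path, "w") as fh:
        json.dump(digests, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a tiny site, simulate a worm, report the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        site = {  # constructed sample site; style.css is not PHP and is ignored
            "index.php": b"<?php echo 'home'; ?>\n",
            "admin/login.php": b"<?php require 'auth.php'; ?>\n",
            "style.css": b"body { color: red; }\n",
        }
        for rel, data in site.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # Baseline is stored outside the web root so a compromise cannot rewrite it.
        baseline_path = os.path.join(vault, "baseline.json")
        save_baseline(baseline_path, hash_files(read_tree(root)))

        # Simulated worm: prepend a marker to every PHP file and drop a new one.
        for rel, data in read_tree(root).items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(b"<?php /* injected marker */ ?>\n" + data)
        os.makedirs(os.path.join(root, "cache"), exist_ok=True)
        with open(os.path.join(root, "cache", "x.php"), "wb") as fh:
            fh.write(b"<?php /* dropped by worm */ ?>\n")

        return diff_baseline(load_baseline(baseline_path), hash_files(read_tree(root)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Regenerate the baseline only after a deliberate update, and keep it (and the script) somewhere the web server's user cannot write; a baseline the worm can edit is no baseline at all.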

New Site

I finally decided to put my old site to rest (mostly because it was defaced thanks to yet another security hole in Joomla), so please bear with me as I move all the content over.  I apologize in advance for any broken links.

Bruce Schneier Quotes

A couple of good quotes from a great article by Bruce Schneier.

“Security is a mindset, and looking for vulnerabilities nurtures that mindset. Deny practitioners this vital learning tool, and security suffers accordingly.”

“Anyone can design a security system that he cannot break. So when someone announces, “Here’s my security system, and I can’t break it,” your first reaction should be, “Who are you?” If he’s someone who has broken dozens of similar systems, his system is worth looking at. If he’s never broken anything, the chance is zero that it will be any good.”

http://www.schneier.com/blog/archives/2008/05/the_ethics_of_v.html

Ostrich Based Security

Security is one of those hot-button issues. Lots of companies like to pretend they are security conscious. One particularly troubling trend is the suppression of vulnerabilities discovered during development. It makes a nice story for a company to be able to say to potential users, "We have no known vulnerabilities." This statement is actually meaningless:

Cheating Linq

A couple of days ago I had a fun idea running through my head. What if one could take the standard LINQ function Concat() and have it "consume" its own output as the input which created that output, a paradoxical call if you will. This can be represented with the following F#-like pseudo-code:

Let y be 1…100
Let x be y.Concat(x)

Read the full post »
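The definition only makes sense under deferred evaluation: the right-hand x is never materialised, it is just an enumerator that, once y is exhausted, starts enumerating itself. The following is an added example, not code from the original post, that models the same trick in Python with a generator (the original idea is about LINQ and C#; the Python translation and the `take` helper are mine).

```python
# Added example: a lazy sequence defined in terms of itself, x = y.Concat(x),
# modelled with a generator that re-enters itself after yielding y.
import itertools


def self_concat(y):
    """Return an iterator equivalent to 'let x = y.Concat(x)'.

    Nothing runs until the first next(); each time y is exhausted the
    generator delegates to a fresh copy of itself, so the result is y repeated.
    """
    def x():
        yield from y      # the "Concat" left operand
        yield from x()    # the self-reference: consume our own definition
    return x()


def take(seq, n):
    """Pull the first n items of a possibly infinite iterator."""
    return list(itertools.islice(seq, n))


if __name__ == "__main__":
    y = range(1, 101)
    print(take(self_concat(y), 205))
```

Two caveats a practitioner would want. First, `y` must be re-iterable (a `range`, a list); a one-shot iterator is empty on the second lap, so the generator recurses immediately and dies with a RecursionError. Second, every lap nests one more delegating generator, so this is not a free `itertools.cycle`: the delegation depth grows with the number of laps and eventually hits the recursion limit. The self-consuming definition is a neat demonstration of laziness, not a replacement for an explicit cycle.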

Airborne Mouse

Airborne Mouse is an Android application designed to work with the Logitech Touch Mouse Server, letting you control your computer with your Android phone. Airborne Mouse is unique in that it allows users to install a single piece of software on their computer and control it with either an iPhone/iTouch/iPad or an Android phone.

Read the full post »

NotNull sounded good, but was not

A couple of weeks back I published Jmaxxz.Deet, a software library which brought to the C# language reference types that were guaranteed never to be null. While I maintain that null references are an indication of poor design and should be avoided at all cost, I am forced to admit that Jmaxxz.Deet is not the answer. Over the course of the week following its release I adopted it into all my code. I found that the syntactic complexity it added significantly reduced the readability of my code, which in turn added a certain cost to maintaining any code written using Deet.  In my estimation this cost is not worth the benefit of formally declaring the non-null state of reference types. The only way something like Deet becomes a reasonable solution is if it has first-class compiler support, or if a tool like PostSharp adds it in as a post-compile step so as not to pollute the code base with noisy declarations.

Jmaxxz.Deet 98.9% null proof

I am happy to introduce Jmaxxz Deet.  The Deet assembly contains a single struct, NotNull. This struct provides a mechanism to formally specify that a reference can NEVER be null. This ability is present in both Spec# and Sing#; however, those of us still using VB, C#, F# and the other traditional .NET languages have no mechanism to do so. NotNull brings this capability to all of those languages.

Read the full post »

Null is Evil

Most of this article was lost in the move to my new site :'( Google cache does not have it either.

using System;

public interface IPerson
{
   TimeSpan Age {get;}
   string FirstName {get;}
   string LastName {get;}
   IBuilding House {get;}   // nothing stops this from being null: a person with no house
}

// Empty placeholder so the surviving fragment compiles; the original definition was lost.
public interface IBuilding
{
}

public class Party
{
    private IPerson host;

    public Party(IPerson host)
    {
        this.host = host;
    }

    // Only the signature survived the move; the body is not recoverable.
    public void GetDirections(IPerson guest)
    {
        throw new NotImplementedException();
    }
}

public static class FamilyUtils
{
    public static bool LivesWith(this IPerson person, IPerson possibleCohabitant)
    {
         // Compares the two houses (the original compared a house to a person, which
         // can never be equal). If either House is null this throws
         // NullReferenceException, the hazard the post is about.
         return person.House.Equals(possibleCohabitant.House);
    }
}