Google has Public DNS available. http://code.google.com/speed/public-dns/index.html
Yawn. In other news, scientists around the world predict that the sun will come up tomorrow.
Usually Google does great things, but this time I'd say their efforts were next to useless. Or, maybe Google doesn't google, and they aren't aware of what is already available on the Internet as far as DNS service providers go?
I highly recommend OpenDNS for all of your DNS needs. They do filtering of bad sites (NSFW), anti-phishing and malware site protection, as well as blocking of time wasters. And much more, I can't do their service justice here! Here's the overview of OpenDNS services.
Compared to the Google DNS, I would pay for using OpenDNS. Google DNS – I'm still not sure I understand why you would bother to use their service. If you want secure DNS then run your own DNS server. It's not that hard to set up, really! Why would someone that attacks DNS go after individually run, low volume DNS servers? They would attack something bigger, and something worth their while.
Ok, now I will admit, Google Public DNS is hundreds of times better than the DNS services provided by some ISPs, namely Verizon. Verizon likes to 'help you', and instead of returning NXDOMAIN like DNS is supposed to for missing domains, it directs you to their catchall website. Google Public DNS currently reports NXDOMAIN, so you won't get useless screens of advertisements for what they think you wanted. So Google did get at least part of DNS service right. But how long before Google wants to also 'help you' by directing you to their own search page?
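One way to check whether a resolver answers honestly for missing domains, as an added example that is not code from this blog: it builds a query for a random name that cannot exist and classifies the reply by its RCODE and answer count. The function names, the `.invalid` default suffix and the sample replies are assumptions made for the illustration.

```python
import secrets
import socket
import struct

NOERROR, NXDOMAIN = 0, 3  # RCODE values from RFC 1035

def build_query(name, txid):
    """Encode a minimal DNS query for an A record (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(packet, txid):
    """Classify a reply to a query for a name that cannot exist."""
    if len(packet) < 12:
        return "inconclusive"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:   # wrong transaction, or not a response
        return "inconclusive"
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        return "honest"                     # what DNS is supposed to return
    if rcode == NOERROR and ancount > 0:
        return "rewritten"                  # answers invented for a missing name
    return "inconclusive"                   # SERVFAIL, REFUSED, empty NOERROR

def probe(resolver_ip, suffix="invalid", timeout=3.0):
    """Live check against one resolver; .invalid is a reserved TLD (RFC 6761)."""
    txid = secrets.randbits(16)
    name = secrets.token_hex(8) + "." + suffix
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        packet, _ = s.recvfrom(512)
    return classify_response(packet, txid)

def sample_reply(txid, rcode, ancount):
    """Constructed header-only reply (QR=1, RD=1, RA=1), not captured traffic."""
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
```

A resolver that rewrites only names under common TLDs can still report `honest` for `.invalid`, so repeat `probe()` with another `suffix` before trusting the result.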
It is always nice when I get a chance to sit down and read a book I bought over a year ago. Finally! I’ve been enjoying the book, and what I’ve enjoyed so far is the evolutionary process between attacks and web servers.
For example, Microsoft IIS was exploitable with long URLs. Microsoft fixes that, but attackers learn that they can just keep running the attacks, and eventually the server dies anyway when it runs out of disk space from logging all those long URLs. Microsoft fixes that by reducing the length of information stored in the logs. Attackers still continue to use long URLs, because their complete attempts won’t be logged. You’ll know someone tried something with IIS, but you won’t know exactly what. It is an interesting technology arms race.
The other thing that I’ve enjoyed so far about the book is the real stories about how systems have been audited, and how they find silly security flaws in the system. Example: Being able to view, edit, or become other accounts in the web application.
WebScarab is quite a useful tool to see what is going on between web browser and server. And the ability to save all of the complete conversations within a browsing session is fantastic. It is certainly going to be useful when I have to interface into websites that insist on using JavaScript for authentication and browsing.
I guess Microsoft is hoping that we will all forget how fast computers run Windows 2000 and XP, and just hope we will all upgrade to Vista or even the over-hyped Windows 7.
I've got a much better idea. How about a version of Windows just for business? You know, one that isn't bogged down with Digital Rights Management, because in business we're more interested in getting work done, rather than watching HD movies. And drop the high end graphics card requirements too. Really! You can do more with much less.
So do I really think that Microsoft is suddenly going to start producing products that businesses actually NEED? No!
That's why I highly recommend that you give CrossOver Office a try! Not only do you get Windows 2000 and XP support for your Windows applications, but you get great things called wine bottles.
Wine bottles allow you to have complete Windows applications isolated from each other. Easy to archive, easy to restore. One can be configured as Windows 2000, another Windows XP.
On the CodeWeavers website they have many listings of Windows applications along with the current status of how the application runs. Why give up your applications that work?
Windows 7 XP Mode Review — And here’s a review showing why you need CrossOver!
Yes, I did experience the Red Ring Of Death — How'd you guess?
After a little under 2 months of very light usage, my XBOX 360 died. I was impressed with Gamestop — despite being over their 30 day warranty, they switched it out!
So now I have another XBOX 360, and I'm finding it hard to really enjoy it now.
Is it going to die again while in the middle of Rock Band 2?
Will I have to send it off next time and wait forever for it to be fixed — hopefully for good?
Or will I turn to the WII and Playstation 2, that I've put hours and hours on already, the tried, true, and tested game consoles that don't let me down when I want to play? I do know most of the games there already by heart, but they don't have a family history of dying.
I see now why they dropped the prices on the XBOX 360, but who buys a game console and doesn't plan to play it to death?
While reading the SANS Internet Storm Center’s RSS feed, I found an interesting article on SQL Injections. http://isc.sans.org/diary.html?storyid=5416
The intriguing part was doing injections without the use of quotes or semicolons, which allowed me to do some injections of my own on a production server!
It really is very important to treat any data coming from the Internet as ‘tainted’, and sanitize it. If you think it can’t be ‘tainted’, download a copy of Opera. Visit the web page with Opera. Use View Source, and edit away! Change all the default values you expect to unsafe data. Click the Apply Changes button. Use your altered form to inject with.
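Why stripping quotes and semicolons is not sanitizing, as an added example that is not code from this blog or from the SANS diary: a form value that lands in a numeric context needs neither character to change the query, while server-side validation plus a bound parameter rejects it. The table, function names and tampered value are constructed for the illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def strip_quotes(value):
    """The weak filter: removes quotes and semicolons and nothing else."""
    return value.replace("'", "").replace('"', "").replace(";", "")

def lookup_weak(db, account_id):
    # Vulnerable on purpose: the value is concatenated into a numeric
    # context, so the filter above has nothing to remove.
    sql = "SELECT owner FROM accounts WHERE id = " + strip_quotes(account_id)
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, account_id):
    # Validate on the server: the browser's form constraints prove nothing.
    if not (account_id.isascii() and account_id.isdigit() and len(account_id) <= 18):
        raise ValueError("account id must be a decimal integer")
    # Bind the value as a parameter so it can never become SQL syntax.
    rows = db.execute("SELECT owner FROM accounts WHERE id = ?", (int(account_id),))
    return [row[0] for row in rows]

# Constructed form value, as edited in the browser: no quote, no semicolon.
TAMPERED = "1 OR 1=1"

def demo():
    db = make_db()
    leaked = sorted(lookup_weak(db, TAMPERED))   # every row comes back
    try:
        lookup_safe(db, TAMPERED)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected, lookup_safe(db, "2")

if __name__ == "__main__":
    print(demo())
```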
Notes from my experience:
Yet another painless WordPress upgrade.
I have abandoned my email address stevet@red-green.com thanks to spam. I do look forward to the day where there is no spam. Yes, indeed, that day is coming!
A more complete solution to distributed generation of rainbow tables can be found at Free Rainbow Tables. Once a rainbow table is completed by the project, it is freely available for download over torrent.
I found that, and many more interesting projects listed at distributed computing.