In my last Buildin’ the Blog article, I wrote about how I cleaned up my comments controller by moving all of the processing to the model. In this follow-up article, I’m going to write about how to access properties that aren’t part of your model object (aka table).

Take for example, a simple comments database table. It might look like this:

As you can see this is pretty straightforward, a single comment is comprised of a full_name, email_address, and the body. These attributes can easily be checked and processed in our comment model. Here comes the tricky part.

Take for instance my comment form below:

Name, email address, URL, and the body of the comment can all be mapped to database table fields. Unfortunately, Remember Me and Subscribe Via Email cannot and should not.

A beginner in Rails might write something like the following in their controller code:

if params[:subscribe]
#create a subscription record here
end

This code works but it leaves a lot of logic in the controller. The controller should be fairly lightweight, “I accept input from the user pass it to the model and then I pass it back to the browser/user.”

In order to get non-database bound fields to the model we use Ruby’s attr_accessor declaration (we could use attr_writer too to only write attributes and not read them).

For example:

class Comment < ActiveRecord::Base
  attr_accessor :subscribe
end

This allows me to create a form like the following:

  <% form_for @comment do |f| %>
  <%= f.text_field :full_name %>
  ...snip...
 <%= f.check_box :subscribe %>
 <%= f.submit %>

Once this is done, I can check what the value of the checkbox was set to in the model in a callback (let’s say either a before_save or an after_save):

  def before_save
    if self.subscribe == 1
      #create a subscription record here
    end
  end

It’s that simple. Now all of my logic can be done in the model.

With that out of the way, here is something to watch out for. Let’s say that you have a comments table that looks like this:

Obviously, the is_admin attribute should be set by the application and not by the user but unless you protect your model, the user can set any attribute he wants. Let’s say that you have a simple comments form with full_name, email_address, url, and body. The is_admin attribute is not displayed as a form field.

A malicious user could come by and change the form by adding the following or by submitting to the comment form using cURL. Here is an example:

  <input type="checkbox" name="comment[is_admin] checked="checked" />

By crafting this form and sending it, the user automatically becomes an admin!

One way to protect your application from this type of malicious activity is by protecting fields that should never be set by the user behind the attr_protected declaration. For example:

class Comment < ActiveRecord::Base
  attr_protected :is_admin
end

This will stop malicious users from trying to set attributes that should never be set by the user.

Computerworld is running yet another article on a company losing their backup tapes.

This case caught my eye immediately because it has happened in “my own backyard.” According to the article a set of disks and tapes was stolen from the car of a Providence employee while the car was at his home in Portland, Oregon.

A spokesman for Providence said that the data on the tapes was encrypted but the data on the disks was not. Walker, the spokesman, mentioned however that the data on the disks was is stored in a way that would make it difficult, if not impossible, for someone to access it, then make any sense out of it.“

This is another black eye for IT departments everywhere and a call to review their offsite tape policies.

If you are concerned that your information might be at risk, you should read the ”http://www.providence.org/oregon/hcs/newsrelease.htm">Providence press release and if necessary call their hotline number at 1-888-284-8997.

I installed Google’s Secure Access VPN client and I’ve made some observations.

I’m not sure if the setup program created it or if the the client
itself created it but there is a new network connection in the Network
Connections control panel. This seems to be your standard PPTP VPN
connector.

Opening the connector is see that the username is listed as 0633492659
(seems to be a randomly generated number by the client as the second
time I connected I was assigned this number: 2466407433)
and there is no password saved. I’m assuming that the Secure Access
Client fills in the password, but that’s just an assumption.

Looking at the properties, I see that the connector is connecting to
vpn.google.com, and there are several advanced security settings
specified. According to the connector, the server requires encryption
(disconnects if the server declines) and the following options are
checked under Allow these protocols:

• Challenge Handshake Authentication Protocol (CHAP)


• Microsoft CHAP (MS-CHAP)


• Microsoft CHAP Version 2 (MS-CHAP v2)

All of the other options are unchecked.

Once I opt to connect the Secure Access Client, it starts the VPN
connector and automatically connects me. The following information is
listed in the Details section of the VPN connector:

• Authentication: MS CHAP V2


• Encryption: MPPE 128


• Compression: (none)


• PPP multilink framing: Off


• Server IP address: 192.168.230.1


• Client IP address: 192.231.7
  

Doing a quick Ethereal packet capture from my laptop, it looks like the
Secure Client makes some SSL calls to vpn.google.com before connecting the VPN network connection; it probably does
this to get the username and the password to connect to the VPN.

This summer, I took a vacation to south Florida and in doing so, I
spent a significant time waiting in the airport. Most modern airports
have free wireless Internet access after the security check in points
and the airports that I’ve frequented (Portland, Phoenix, Houston, Ft.
Lauderdale) were no exception.

Most Wi-Fi networks in the airports follow a recurring motif; an open
AP (access point) that allows you to access the Internet. It’s really
convenient and easy to use but unfortunately, the problem with this is
that your communication to and from the Internet is not encrypted
whatsoever.

I don’t usually worry about this lack of encryption though. I have
access to a VPN server at work and at home so what I usually end up
doing is using the Wi-Fi at the airport then making a VPN connection to
my home network and then remote controlling and browsing, emailing, and
IM’ing from the remote controlled machine. Naturally, this is all
encrypted and I feel warm, safe, and fuzzy.

That safe feeling lasted until I couldn’t establish a VPN connection
from the Ft. Lauderdale airport. I instantly felt naked, as if my
thoughts were open to everyone and anyone. I still connected though but
I just used IM and didn’t read any of my email (corporate or home).

This got me thinking, there are probably a lot of business types out
there that use the free wireless at the airports, Starbucks, etc.
without thinking about the security of the information that they are
sending throughout the air. That thought, spawned another thought; I
envisioned a VPN service that people could use to encrypt their
wireless sessions to and from the Internet using OpenVPN. Since OpenVPN
is a TLS/SSL based VPN, it’s doubtful that someone would block the
outgoing port.

As luck (and laziness) would have it, I sat on the idea. Tonight
(morning) I opened up digg, and found this headline, “Google to offer
secure WiFi VPN.” Sound familiar? Yeah the premise is the same.
Luckily, I didn’t get into that game because Google would have crushed
me.

In order to use the service, you have to download a Windows application. Before you use it, familiarize yourself with the FAQ and the Privacy Policy.

One thing that always disturbed me about starting a service like that
was the potential to provide haxx0rs with “a free ride” to the
Internet. Think about it, now you can roll up to someone’s unsecured
wireless network in the ’burbs, start up your Google Secure Access and
start hacking away using an encrypted session.

A friend of mine recently decided to get Comcast’s high speed Internet
access in her home. I should probably redefine what I mean by
“decided”, since it wasn’t really much of a choice. Because she is too
far from her central telephone office (CO), she can’t get any form of
reliable DSL, so she “decided” to get Comcast’s service.

Right off the bat, it was a battle with Comcast as they said that they
wouldn’t be able to provision her service without her having a computer
on site. Normally, this is not a big deal, but her only computer (a
laptop) only has a wireless network card and not a wired network card.
In order to be able to provision the modem, they wanted to charge her
to setup a wireless network instead of having me setup all that up
later.

This is all really absurd. When I moved into my new apartment a few
years ago, I called Comcast and the tech came out to provision my
modem. I had nothing in my apartment besides myself, air and some
sunlight. I did not have my computer with me at the time and he was still able to provision it.

I called Comcast in behalf of my friend and they were dead set on
having a PC with a network card ready to roll at the time of
installation. When I told them my story about not having my PC, the
support representative explained that it was a new registration
procedure and that it was necessary. Instead of fighting with Comcast,
I decided to meet the Comcast installer at her house with my laptop.

The day of the install, the technician was scheduled to show up between
2 and 4 PM. We waited and waited and he finally showed up at 4:40 PM.
The guy shows up without a cable modem (although another installer did
bring a modem 10 minutes later) and tells us that the registration
system is down so he isn’t really able to provision the modem (register the modem to communicate on their network). I was
astounded, he shows up nearly an hour late without a cable modem and to
tell us what? “No Internet for you today, folks.” To his credit, he did
call my friend on her cell phone in the morning because apparently he
had some time to do the install then. To his disservice, he failed to
leave a message then, didn’t call us to tell us that he wasn’t showing
up on time because the registration system was down, showed up without
a cable modem, and had such a blase attitude that I thought he might
slip into a coma from boredom. An example of this? At one point she
asked him about the installation charge so that she could write a
check. When asked to confirm the amount, he responded, “Something like
that.” I told her to make the check out for 25 bucks and if he said
something, just tell him, “Well, you did say something like that.”

During the long wait for the installer, my friend told me that in her
experience, this type of poor customer service is a normal thing with
Comcast. I’ve heard others say the same thing about DSL, and telecom
providers (Qwest comes to mind). Are we so conditioned to poor service
from these types of companies that we think that this is normal?

I hate it when the little guy gets trampled by the “Big Corporation”.
Companies should step up to the plate and admit when things go wrong
and offer to make amends with their customers. I love to fight with
companies to see if they step up and do something, so after the
installer left, I called Comcast and complained about everything. I
managed to get her installation fee waived (as it should have been).

There were other problems with Comcast, but I’ll let my other post (soon to be written explain what those are).

Not too long ago my company was seeking an industry specific security certification. Some of it covered physical security but a lot of it covered infosec. Information Security is not a goal, it’s a process. During the process of certification, I ran across the book Inside Network Perimeter Security (Second Edition) by Stephen Northcutt (and other authors).

This book rocks. I wish I had this book before we started this process, I think it would have made it a lot easier. If you work with information security in any way you owe it to yourself to get this book and read it. Packet filtering, stateful firewalls, proxies, VPN, policies, IDS/IPS, it’s all in here.

When I own a home, I’m going install cameras inside and out so that I can see what’s going on when I’m not there. Call me paranoid or whatever, but after you’ve worked for a security company you know that audible alarms aren’t enough. With the advent of wireless cameras, I’ve been thinking about what it would take to setup a home camera security system. That’s where this article comes in. Apparently this guy (Joe Barr) installed a Home Camera Security System for his neighbor using wireless enabled cameras from D-Link and some open source software called ZoneMinder. It’s definitely a good read for those security buffs out there.

Now I’m just trying to find ouy why the author went through all the trouble to install this system and put in a steel reinforced door for his neighbor Susan. I guess he subscribes to the “love thy neighbor” theory.

UPDATE: Apparently if SQL Server considers you to be dbo on the msdb database the IF (ISNULL, 0) <> 1) function will return false. It was happening to my users, so instead of using the role that I created (db_ChangeDTSOwner) I used the domain group that the user was in using this notation: “domaindomain_group”.

So the code below would read “IF (ISNULL, 0) <> 1)”. If you do not have a domain, then I would make sure that the user(s) are not part of the dbo group and they remain part of the db_ChangeDTSOwner role in the msdb database.

The simple way to do this in SQL Server 2000 is to add the user or group to the System Administrators Server Role but that breaks one of the major security tenets out there; only give a user the tools to do their job and nothing more. So I had to find another alternative. Here is what I came up with:

1. Create a role in the msdb database called db_ChangeDTSOwner and add the users or groups that you want to this role.

Security, especially computer and network security, is something that most people don’t understand very well. In fact, I find that there are 2 camps of people when it comes to computer security. The first camp knows that security is necessary but in the overall scheme of things, it is just a hindrance. Something that network administrators/system administrators use to make their lives harder. I have found out that this group is the same one that yells the loudest once security is compromised or fails in some way. The other camp knows that security is necessary and works with the changes offering constructive criticsm where it is needed.


Security, much like other things, is a process not a goal. It’s not something that can be “achieved” and then never looked at again. It is something that continually needs time and attention. Hopefully, people will come to understand that computer security/network security is just as necessary as the locks on your doors and windows.