Does Technology Solve Our Problems?

Real issues are not going to be solved by any of those known internet applications!

Currently it does not, but technology could solve our problems if two factors are considered:

  • Definition of ‘Problem’
  • Justifying practical ‘Application’

The former seems obvious, but it is actually the root cause of why technology is not able to solve our problems. Major aspects of technology are focused on ‘things’ that are neither a problem, nor an issue, nor even a basic consideration.

Is the Internet really justified to solve our problems? The answer is no, because first we are misleading ourselves with unreal problems and things that are more wanted than needed, and more a matter of convenience than a matter of reasonable living.

For example, transportation, social media, advertising… even fast communication are not real issues. Compare them to the other side of the same stories: fossil fuel, introversion and lack of communication. When you do not have transportation, focusing on Uber and Lyft is more insulting than funny. When people are getting more and more introverted, talking about your virtual friends is ridiculous. When delivery of an important message to the appropriate people is being distracted by many political and ethical issues, focusing so much on advertising is like ignoring the entire word ‘humanity’.

The Internet is not really justified to solve our problems

Real problems are not part of, or addressed by, Google, Facebook or Instagram. The real issues that all of us are facing are not going to be solved by Amazon, because shopping online is not the real deal that we want to focus on right before Christmas Eve. Cyber Monday should not be a concern and the first thing in the morning when you turn your radio on. Apple’s latest iPhone is not going to be even a tiny positive factor in any aspect of real life. And we are not going to die if PayPal decides to change its privacy policy, or Twitter decides to delete our tweet.

You see that definition does matter, because if the problem were really how to load Facebook pages faster, or how to have a video with more viewers on YouTube, then yes, all those internet trends and applications would frankly be working toward solving our issues. But the real deal is different, and that’s why most internet applications are going in the wrong direction.

Real problems are food, drinking water, population, education, diseases… but not how many restaurants have online vitrines, or how fast and conveniently you could order pizza online, or millions of recipes in a PDF… The problem is providing enough resources for a billion people lacking basic life resources.

Enough food for one in nine people on earth just to make sure that they can function. Fighting against global water and waste crisis. Eliminating the risk of malaria to half of the world’s population. Taking care of millions of people with at least one sort of dangerous addiction. You can name it. 

After you believe in the real problems of today’s humans on earth, you’ll see how far technology is from helping us solve those issues. Thousands of scientists all over the world are committed to solving our real issues, but that number is far smaller than the hundreds of millions of people focusing on unreal aspects of life.

Conquering space in search of what we call indispensable for life, H2O, while we do not have basic water treatment and a culture of consuming drinkable water, sounds very naive. Every day we make thousands of chemicals and medications for weight loss while a billion people do not have enough food to function. We develop all sorts of online applications, but it’s as if all of us are blind and deaf: we can’t see, we can’t hear what is going on before our eyes.

Technology is actually quite capable of resolving our real issues. Let’s define, review and digest today’s issues and force technology to handle them for us. Not as a cybersecurity professional or a programmer, but as a human, it is my career to help technology solve real human problems with practical, cheap solutions.

Tools vs. Techniques

Operations fail by focusing on the tool rather than the technique!

In the context of information technology, with all primary operations like system administration, patching and updating, backup and replication, malware protection… and all related sub-tasks, a focus on tools is an enemy of the process!

Defining, developing or choosing a technique in advance is crucial to an IT operation. Then find a tool to do whatever the technique dictates, not vice versa. Techniques are also backed and rationalized by objectives and policies, but that is out of scope of this article.

Techniques → Tools

That is the right flow chart: reaching for a device, gadget, program, software, application, script… or anything like that only after knowing the method or routine. In other words, we need to define the way we want to do something (process) and what is required (features), and only then go shopping or write code to handle it.

Many IT operations fail by doing this in the reverse direction: finding a tool just by searching the subject, and then refining the “forced” process based on what the tool dictates, not what we were expecting. Well, sometimes there is no expectation in the first place, which is a sign of an immature IT practice, but that is also beyond this short article.

Manage Numerous IT Projects With No Resource Constraints

IT resource management is crucial in chaotic environments where multiple projects collide… 

The most obvious challenge for IT managers is to make sure they meet deadlines and project deliverables in a timely manner. This is more tangible in environments where tons of big and small projects overlap on shared resources. That is a sign of resource constraint. By resource, I mean IT staff and personnel.

Regardless of why an IT team faces unexpected projects and ends up with a messy environment, or how important the IT manager’s job description and responsibilities are in the first place, let’s focus on how to address disorder in IT project management, and how to reach a smooth flow of projects mixed with daily IT tasks.

One of the simplest techniques to handle resource allocation is aligning the expected assignment(s) with the factual capacity of each resource: when and how a resource is free, and what to assign it and when. But there are many ways to do this. I prefer mapping the current state of resources (their main aspects or features), plus identifying projects and their specifications, and finally justifying these together via any simple tool.

Once you master this very basic and easy technique, no matter what your tool is, you will be able to manage IT projects even in a very disordered and out-of-control department. That is one of the reasons why I do not believe in the phrase “lack of resources”! The more we blame a shortage of human resources, the more we put ourselves in a situation that is irreversible: a situation where it does not matter how many staff you add to your team, you still will not be able to meet deadlines and, more importantly, have reasonable quality in your IT operations.

Back to the technique: list your resources and calculate their availability and capacity at a certain time. What are the factors in the equation? It really depends on your particular environment, but the universal factors are known to any project manager. Then list your projects and identify their specifications in detail. If you do not have time to do these basic steps, then you had better put more time and reputation into fixing a broken IT department, a dozen overdue deadlines and an unhappy C-suite. Allocation of resources is going to be straightforward if you complete the 1st and 2nd steps precisely.

There are a bunch of tools to execute such a simple idea, but some of them, like Microsoft Project, require a dedicated trained professional just to use the tool and set it up with the right information. That is too complicated and is not reasonable where the task of project management is not the goal. In other words, tools like MS Project are good for those who are project managers and do this for thousands of clients.

I developed a simple smart Excel spreadsheet to handle this crucial task of managing IT projects with real scenarios. As simple as 1-2-3. Based on the size of your staff and project, you might be eligible to use it free of charge.

Does JavaScript Pose A Security Risk?

JavaScript is a silent threat!

I am no longer able to imagine the current structure of the web without JavaScript. This is about online applications in the form of traditional websites; otherwise traditional web interfaces won’t be able to handle the applications, and the web would collapse without JS!

That does not mean I am a fan of JavaScript in terms of security, even though I am a JS coder myself, because even with all that sandboxing and the native security countermeasures, the way we use it today is risky. What level of risk, and what threat model? It depends on what type of internet user we are dealing with.

For a user with a limited internet browsing scope, whether a home user or a corporate user under restrictive and secure corporate policies, the risk is very low, assuming the user has a limited number of trusted sources to browse, so exposure is only to known code and applications.

The JavaScript threat is completely out of scope of general endpoint protection solutions

For a user who visits a wide range of random and unknown sites and applications, at home or in a corporation, the possibility of facing malicious JavaScript is very high. This comes either directly from malicious code such as browser extensions and add-ons, or indirectly from malicious ads and other types of metadata. Let’s list some of the common scenarios:

  • Malicious JavaScript in a browser extension records everything you do online
  • Malicious JavaScript in a hijacked ad redirects to any malicious destination
  • Malicious JavaScript within a page mimics signing in with a Google, Facebook, or Microsoft account and steals credentials
  • Malicious JavaScript renders the content and misleads the visitor

The possibilities are endless when it comes to creative malicious content. But again, how can you even think about not using the most reputable Net applications by disabling JavaScript?

The beauty of JS from a hacker’s POV is that it does not matter what type of protection you have, a basic anti-virus or the most sophisticated EDR; none are capable of handling many types of malicious JavaScript code. That means the threats are totally out of scope of general endpoint protection and all those solutions which the majority of technology currently relies on.

About SECURETARGET

Once Upon A Time . . .

SECURE TARGET was one of the first independent groups of professional freelancers in the field of IT security, founded in 1996 in the Islamic Republic of Iran, when even using the Internet in the country was a dream!

The freelance group was directed by its founder, Kaveh Mofidi, and initially named ‘Iran Security Consulting Group’. The first and the last mission of those cybersecurity entrepreneurs was delivering right and accurate knowledge of computer security toward a safe and secure cyberspace. That objective laid the foundation for disclosing security vulnerabilities through intensive research and active discovery. The result was the compilation of numerous hands-on training courses on ethical hacking under the motto “Security through hacking”, from internet portal security to system, application and network security and hacking essentials. This strategy was later replaced by a new approach, a non-disclosure or traditional “Security through obscurity” policy, when the group found that knowledge could easily end up in the hands of malicious users.

Members, with decades of experience in the principles of computer security and as a rare collection of IT professionals who worked hard and relied on constant learning to enhance the quality of service, finally departed from the group due to lack of financial support: the effect of an extremely depressed economy on top of technological sanctions on Iran, which forced the IT industry into struggling mode, particularly and severely “Security” as an IT luxury.

Microsoft Windows Huge Text Processing Instability

SECURE TARGET (Security Advisory October 17, 2004)

Topic: Microsoft Windows Huge Text Processing Instability
Discovery Date: October 14, 2004
Original Advisory
External Links: VULDB, Full-Disclosure, BugTraq, SICHERHEITSLüCKEN, Addict3d, Ls, Der Keiler, Seifried, NetSys, Mail Archive, SecLists, Neohapsis, Checksum, Network Security, Virus, DoddsNet, ReadList, Mega Security, Security Trap, Virovvch, DevArchives

Affected applications and platforms:
Notepad, NotePad2 and MetaPad (Seems like all Text Processing Apps) / Microsoft Windows (All Versions)

Introduction:
The limitation on opening large text files with “notepad” or similar products like NotePad2 (http://www.flos-freeware.ch) and MetaPad (http://liquidninja.com/metapad/) is not what matters; the point is the way these tiny text processing apps open and handle large text files (over 200MB).
Because of the way they handle huge text files, it is nearly possible for even a fast modern PC to become completely unstable. This instability may lead to process injection, because you cannot even kill the processes of these apps and they remain “up and running” even after you have logged off. So it is possible for an unprivileged user to simply hook into the remaining process of a privileged user, and this leads to information disclosure (simply reading the content of the memory before a large file is swapped, which happens time after time, depending on the file size), but it may even lead to running privileged tasks, depending on the app used for processing text.

Exploit:
Exploitation differs based on the application you choose for text processing: for the Windows default notepad.exe it will be something like a huge DoS, but for NotePad2.exe and MetaPad.exe process injection is possible (information disclosure and/or running privileged tasks).

Workaround:
The best way to work around this situation is simply not to open large text files in Windows, or to wait a long time for the task to complete.

Tested on:
Microsoft Windows XP SP1/SP2RC2/SP2 on Intel P4 2.4 with 1GB of RAM

Feedback:
Kaveh Mofidi [ Admin (at) SecureTarget [dot] net ]
Head of Secure Target Network

PerfectNav Crashes IE

Secure Target Network (Security Advisory February 25, 2004)

Topic: PerfectNav Crashes IE
Discovery Date: February 24, 2004
Original Advisory
External: Full-Disclosure, BugTraq, Security Tracker, xforce, SANS

Affected applications and platforms:
Microsoft Internet Explorer 6 Service Pack 1 and older versions

Introduction:
PerfectNav is designed to redirect your URL typing errors to PerfectNav’s web page. Bundled with the Free Ad Supported version of Kazaa Media Desktop 2.6. Likely to be found in software supplied by eUniverse sites, such as thunderdownloads.com, myfreecursors.com, cursorzone.com and mycoolscreen.com. Likely to slow performance of Internet Explorer. Can download and execute arbitrary code as directed by its controlling server, as an update feature.
All of us know about Hijackers/Browser Helper Objects; some of them may hijack your sessions, but do you care about your web browser crashing in a single blink?
When you use PerfectNav it is easy to crash your Internet Explorer (iexplore.exe) with any malformed URL, anything you like: ? /? …
Run “iexplore.exe ?” or type “?” in your IE address bar and you simply get the error message:
“An error has occurred in Internet Explorer. Internet Explorer will now close. If you continue to experience problems, please restart your computer.”

Exploit:
Is there anything easier to exploit than this bug? Just point any malformed URL at your target and it will crash her/his IE.

Workaround:
The easiest way to work around this vulnerability is just removing PerfectNav from your computer. For information that may help you prevent this problem from reoccurring, click on the link below.
http://www.pestpatrol.com/msperfectnavsupport.asp
If the problem persists, please contact eUniverse.com Inc. and alert them of the problem.
Note: To have PestPatrol automatically detect and remove PerfectNav and its components from your computer, you have to buy PestPatrol!

Tested on:
Internet Explorer 6 Service Pack 1 (6.0.2800.1106) on Windows XP Service Pack 1a

Feedback:
Kaveh Mofidi ( Admin (at) SecureTarget [dot] net)
Secure Target Network (Security Consulting/Training Group)

New IE Thread crashes by WU

Secure Target Network (Security Advisory December 31, 2003)

Topic: New IE Thread crashes by WU
Discovery Date: December 30, 2003
Original Advisory
External: Full-Disclosure

Affected applications and platforms:
Microsoft Internet Explorer 6 Service Pack 1

Introduction:
Any time you open Windows Update (WU / wupdmgr.exe) and go to “Scan for Updates”, it takes a couple of minutes (depending on your system and network performance) for the Microsoft scripting tasks to gather the fixing/patching data on your machine.
A security bug exists because, while WU is scanning your host, you cannot open any new IE window from some applications; opening the new window takes as long as WU needs to finish its scan, which means it hangs.
First, it is a security bug because it affects the availability of a component on a Windows box. Second, it happens when you open a new IE window in the two situations below:
1. Opening a new IE window by clicking on a hyperlink in OE.
2. Opening a new IE window by clicking on a hyperlink in IE.
Remember that to encounter this issue, you must not already have an IE thread opened from OE or IE.

Exploit:
This bug may not provide an opportunity to threaten a Windows machine with attacks and exposures, but it may cause a DoS anyway.

Workaround:
The easiest way to work around this vulnerability is to let WU finish its scan and then work with IE and OE as usual.

Tested on:
Internet Explorer 6 Service Pack 1 (6.0.2800.1106) and Outlook Express 6.00.2800.1123 on Windows XP Service Pack 1

Feedback:
Kaveh Mofidi ( Admin (at) SecureTarget [dot] net )
Secure Target Network (Security Consulting/Training Group)

Microsoft Outlook PST Exposure

Secure Target Network (Security Advisory August 31, 2003)

Topic: Microsoft Outlook PST Exposure
Discovery Date: August 28, 2003
Original Advisory
External: Zone-h, Security Tracker, openwall, Full-Disclosure
Affected applications and platforms:
All versions of Outlook on any Windows platform

Introduction:
Everyone works with .pst files, storing and managing his/her Outlook data transparently under Microsoft Outlook. A default folder holds these data files at:
%windrive%\Documents and Settings\User Profile\Local Settings\Application Data\Microsoft\outlook
And all of your data may be encrypted and maintained as outlook.pst (or archive.pst when you archive your old data).
When you add something to your Outlook items (appointments & meetings, tasks, notes, …), your data file probably increases in size, but when you delete some items (any size, a large or small piece of data), the data is lost from your eyes but usually is not erased from the .pst files.

Exploit:
As you can probably see, this may result in a wide range of exposure attacks; no escalation of privileges or any other system compromise directly happens. So anybody with physical access to your computer could read your Outlook items (any task, appointment and …) and any private information there.
By the way, this may lead to a worse situation when you restore a backed-up copy of these .pst files and try to recover your lost data, because there is something different in the backups: you didn’t copy a refreshed one.

Workaround:
The easiest way to work around this vulnerability is physical security countermeasures, but for your backups, try to “compact” items before backing up:
1. File → Folder → Properties of “your desired folder with data files” → General tab → Advanced → Compact Now
2. File → Data File Management → Settings → Compact Now

Tested on:
Outlook 2000 SP3 (9.0.0.6627) on Windows 2000 SP4
Outlook 2002 (10.2627.2625) on Windows XP Professional SP1

Feedback:
Kaveh Mofidi ( Admin (at) SecureTarget [dot] net )
SECURE TARGET, Cyber Security Research
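
A pre-backup check for the workaround above, as an added example that is not part of the original advisory: it reads a PST header and reports how much of the file is marked free, which is space that can still hold remnants of deleted items until Compact Now is run. The field offsets come from Microsoft's published [MS-PST] file format specification rather than from this page; the 5% threshold, the function names and the sample headers are assumptions constructed for illustration.

```python
import struct

# Offsets follow Microsoft's published [MS-PST] header layout (not from this page).
PST_MAGIC = b"!BDN"        # dwMagic at offset 0
ANSI_VERSIONS = (14, 15)   # wVer values for ANSI files
UNICODE_VERSION = 23       # wVer value for Unicode files
HEADER_LEN = 564           # enough to cover either header variant


def read_pst_free_space(header: bytes) -> dict:
    """Return the file size and free-space counter recorded in a PST header."""
    if len(header) < 208 or header[:4] != PST_MAGIC:
        raise ValueError("not a PST header")
    (w_ver,) = struct.unpack_from("<H", header, 10)
    if w_ver in ANSI_VERSIONS:
        # ROOT at 164: dwReserved, then 32-bit ibFileEof, ibAMapLast, cbAMapFree
        file_eof, _last, amap_free = struct.unpack_from("<III", header, 168)
        variant = "ansi"
    elif w_ver == UNICODE_VERSION:
        # ROOT at 180: dwReserved, then 64-bit ibFileEof, ibAMapLast, cbAMapFree
        file_eof, _last, amap_free = struct.unpack_from("<QQQ", header, 184)
        variant = "unicode"
    else:
        raise ValueError(f"unsupported wVer {w_ver}")
    ratio = amap_free / file_eof if file_eof else 0.0
    return {"variant": variant, "file_eof": file_eof,
            "free_bytes": amap_free, "free_ratio": ratio}


def should_compact(info: dict, max_free_ratio: float = 0.05) -> bool:
    """Hypothetical policy: compact before backup if free space exceeds the ratio."""
    return info["free_ratio"] > max_free_ratio


def check_pst_file(path: str, max_free_ratio: float = 0.05) -> bool:
    """Read only the header of a closed .pst file and apply the policy."""
    with open(path, "rb") as fh:
        info = read_pst_free_space(fh.read(HEADER_LEN))
    return should_compact(info, max_free_ratio)


def build_sample_header(unicode: bool, file_eof: int, amap_free: int) -> bytes:
    """Constructed header holding only the fields this check reads (not a valid PST)."""
    buf = bytearray(HEADER_LEN)
    buf[0:4] = PST_MAGIC
    buf[8:10] = b"SM"  # wMagicClient
    if unicode:
        struct.pack_into("<H", buf, 10, UNICODE_VERSION)
        struct.pack_into("<QQQ", buf, 184, file_eof, 0, amap_free)
    else:
        struct.pack_into("<H", buf, 10, ANSI_VERSIONS[0])
        struct.pack_into("<III", buf, 168, file_eof, 0, amap_free)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed samples: an ANSI file with 25% free space, a Unicode file with 1%.
    for hdr in (build_sample_header(False, 10_000_000, 2_500_000),
                build_sample_header(True, 1_000_000, 10_000)):
        info = read_pst_free_space(hdr)
        print(info, "compact first" if should_compact(info) else "ok to back up")
```

The free-space counter is a proxy: it shows that the file holds unreclaimed space, not which deleted items remain in it. Run the check against a closed copy of the file, since Outlook keeps an open .pst locked.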

