Welcome

Welcome to my digital home! There are lots of articles you might find helpful buried in this site on topics such as modifying an Alfa Romeo 159, rebuilding a Lotus 7 (Robin Hood 2B), not to mention a ton of stuff on technology in general. It's all here somewhere, so use the search function or navigate using the menu structure. If you want to talk, reach out via the contact function; I usually do answer!

Random Post Selection
InfoSec

So here we are again, a few months on, and just when so many were licking their wounds after the last infection, along comes another. Guess what, if you had your eyes shut my sympathy is not going to be that forthcoming! Malware has come a long way since its anarchistic pre-pubescent beginnings, and is now a fully fledged teenager, displaying all the fire, passion and unpredictability you would expect from one. Once upon a time, you could be sure your malware was simple in its intention, written by an unorganised person or persons, with the typical agenda of notoriety or malicious damage. Although bad, quite easy to deal with. Modern malware however is a whole new ball game. Written to order, with a menu of “features” available from stealing data to placing a sleeper inside the system, all with standard issue mass infection mechanisms, anti-malware detection programming, the latest in self-defence techniques and with the underlying drive of a typically well organised or at least very motivated . Yet despite this significant step change in what we are seeing as the , as a world of experts I am still not seeing a change in the controls, strategies or defence tactics of many organisations. This I find astounding. How anyone who is considered a responsible person in an organisation can sleep at night thinking that a firewall and a few layers of is going to cut it as the total form of protection is seriously misinformed. Equally, those companies out there peddling the silver bullets of the security world, the “ultimate anti-malware solution (TM)”, are doing nothing but compounding a problem that will continue to evolve and get more sophisticated. The simple fact is that ANY malware solution on the planet today from any vendor works on the same detection methods. They look for something they have seen before or something that looks like something they have seen before and block it. It's that simple.
And for that reason alone, you cannot rely on that alone as the only form of defence. Equally, the firewall and all that other perimeter based paraphernalia you invested in, don't get me wrong, all well and good, but it's not going to stop this stuff. Why? Web 2.0, Social Networking, Unified Communications, Chat, Mail, you name it. Any medium of communication that can facilitate the transfer of a file, and that includes just good old browsing of the web, will bring malware to your door, invited in so to speak, through all that perimeter protection, and straight to the desktop. The truth is, the only way to protect yourself against this stuff is to stop thinking it's “the good old days” and get with the times. The only way you're going to stand a chance of surviving one of these incidents is by thinking about the entire control landscape and how they interact with each other. A good model for this is Defence in Depth as that provides a very good method of visualising the controls at each layer of your environment and allows you to map attacks through the controls to see if they would be successful or not. This simple visualisation strategy can bring value beyond your wildest dreams, giving you the opportunity to stop, think and adjust what you're doing, justify investment, demonstrate control and rationalise spend. All very important concepts for the times. There is a world of products, vendors, control choices and equipment with pretty flashing LEDs on it. The only way to figure out which ones will help you is to understand what you have, what you need and why.
RH2B Build Diary

Another big issue with the hoody was the tune. It was all over the shop. Really rough and just a bit shit. This was an easy fix though, I just needed to add a 14point7 Spartan 2 Lambda to the Megasquirt ECU and get some help! Lambda ready to go in! The main issue with the current engine setup is the horrific ITBs (if you can actually call them that). They are difficult to balance and will eventually be replaced with a whole new setup I am building on a new engine. That said, they needed to work for this summer so I called up a guy called Shaun who runs MS2 Tuning and knew the car from its previous owner. Shaun is awesome. A really friendly guy that gave me, a total stranger, support and advice over the phone and then came over to help me do a basic setup tune on the car for beer money. You don't get much better than that in this game. After about 3 hours playing, diagnosing and fixing some earthing issues, we had the ITBs balanced, the AFR dialled in, and the engine was purring. This was exactly what I had hoped for and the potential I knew was in the car when I bought it. I do love an underdog!
RH2B Build Diary

So after installing my lovely new OMP race wheel it was apparent that all was not well with the steering column! In fact, this was an understatement as there was a good 1-2″ of play side to side on the column which was just not going to do. A quick investigation identified the issue. A 30+ year old bush that had given up the ghost! Sierra Steering Column bush from the donor car! Probably 83-90 so quite old now! After a bit of time on Google I established that this was a standard Sierra steering column bush, and also that Kit Spares held them in stock (probably should have started there 🙂 ). £20 including shipping and a couple of days later it was time to pull the column apart and figure out how this all hangs together. Fortunately, it's as easy as you would expect. The column is hung on the original mount points at the top and passes through a 3mm steel holder at the bottom, so all that was needed was to loosen the joiner in the engine bay, remove the bolts off the column top and slide the whole thing out. Once out, the old bush literally fell out into the footwell! Installing the new bush was a little more fiddly as it actually fitted snugly and needed some fettling with fairy liquid and some random . Once in, the column could be slid back into place and I could set about bolting the top half back in. When I removed the top half I was less than impressed with the mounting solution. What is becoming a trend with this vehicle is the original builder's approach to solving technical problems was, let's say, a bit garden shed; and I wanted to be a little more professional about it! So where the Sierra steering column mounts were 18mm open voids that clearly took a bush of some kind once upon a time, and instead had been friction mounted with an M10 and a large washer, I decided to pop along to my favourite hardware supplier, Stirling Nut and Bolt. This is heaven for fasteners of any kind.
They literally have everything you could ever want and at trade prices so you don't spend an arm and a leg! A quick tour of the warehouse and 15 minutes later I had 2 x M10.9×50 High tensile bolts, 2 x M10x50 washers, 20x 18mm M10 spacer washers and an assortment of other similar things to work with just in case. A whole £7 later…… (I'll let you stew on that), I was back home and assembling my newly acquired parts into an M10 spacer bolt arrangement that went, M10 Bolt, 50mm washer, 6 x 18mm spacer washers inside of the column mount, then the frame mount point, then a nylock high tensile nut. This solution made the column extremely rigid and removed flex at the lower end where the bush took up the remaining pivot movement and the column was firm, central and more aligned than its previous installation! Under side of steering column. Come the winter this is all coming apart again as part of the big rebuild, but for now, I have a safe, secure steering solution for this summer's fun!
InfoSec

So much has been said, good and bad, about GCHQ's recent release of a cipher to the community. Simply a publicity stunt or well designed honey-pot? No one will ever really know, but what you don't know is that this was an example of seeing a good idea and then totally cocking it up. Let me start by saying these are my own words and thoughts and in no way reflect the opinion of my employer, or those organisations I am associated with. A year or so ago, I got involved with the UK Cyber Security Challenge, which, as far as I am concerned is a good organisation, doing the right thing for the industry and those that want to be a part of it. I put a lot of my own personal time and resources into it for free, and make my employer give even more time, resources and money to the cause as well. Since I got involved with the UKCSC I have been providing them with simple on-line code breaking challenges, through my own devious thought processes and those of the many experts far better than me, that I have the pleasure of employing. We do these little challenges, typically on a quarterly basis, as well as to “support suitable and worthwhile endeavours”. One such endeavour happened recently, specifically, the London Conference on Cyberspace, hosted by the FCO. As was the usual manner for these things, I got a phone call from one of the UKCSC directors on a Friday evening asking if we could pull together a cipher for the event the following week. Of course, I said we would be able to and engaged the collective grey matter of a couple of my team. The caveat to this request was that the cipher needed to somehow include GCHQ, the FCO, the UKCSC and of course my own company's brand. As such, I devised a simple 2 stage approach that would allow me to sufficiently bring together the brands and get the exposure each organisation wanted. The cipher itself was a Union Jack (in keeping with the event) hosted on the FCO conference site, with a series of logos on the flag itself.
It was uploaded as a PNG file and had a binary string in the middle of the flag. The binary string easily translated to a goog.le shortlink that took you to a holding page on one of my sites that had each of the organisations' logos and a message saying thanks for playing. What was less obvious and in fact the real challenge, was that the flag actually had two binary strings embedded onto each other in such a way that if you played with the colours you would see a series of 0's that were in fact 1's and vice versa 🙂 This decoded to a different goog.le link that took you to a random page on a paste bin style site, where there was an ASCII art pumpkin with some cipher text in it. The cipher text required a key to decrypt, and the key was hidden as an HTML comment in the other page that you went to if you only found the first shortlink, so to complete the entire task you had to visit both short links, and pull it all together. It was a simple little cipher that around 100 or so people played and 3 people got right. I put the low turn out down to the last minute nature of the engagement and lack of major press coverage, but, it was still a lot of fun to pull together, and if you can't have fun in your work, what's the point? So, what does all this have to do with the GCHQ Cipher I hear you ask? Simple… When my team and I developed this cipher for the event I was liaising with the guys at GCHQ careers to ensure they were happy with what we had done and that we had hit the relevant targets for them. In short, they “absolutely loved the cipher” and “thought it was a brilliant idea”. …a few weeks later, they had their own. Now, don't get me wrong, I am aware I don't own the rights to developing cipher/code breaking challenges to identify talent in the community, but I have been doing it long enough to know that you have to get the “pitching” absolutely perfect to the targets.
By this I mean, there is no point in creating a cipher/challenge that would tax the most senior pen tester in the when you're using it to find talent to fill a job that pays £20K or so, in fact, this is the reason the ciphers we develop for the UKCSC are not that difficult. What these challenges do/should do is require the player to demonstrate some core requirements such as R&D/basic scripting/coding potentially, ability to think creatively etc, and then entice them in through layers of difficulty to a point where they are genuinely interested and engaged. This approach lets us target the college/university/entry to employment band of the industry and find the real talent in it to bring on board and then develop. So, in summary, GCHQ, nice try but don't give up your day jobs, and next time you want some help finding talent to help protect the nation, just ask, we are always happy to help.
General

Well, it's been a while, but after nearly a full year of ownership I thought I would share my thoughts…….. I bought a pair of rokit rp6g2 Limited Edition (Yellow) speakers nearly a year ago now and after a lot of use I can confirm they are truly an awesome sounding set of speakers. The honesty of the reproduction is not sacrificed to provide a “decent” sound from multiple digital sources. In fact, they sound just as good playing an MP3 encoded at 192Kbps as they do outputting a raw track from Ableton, yet do not lose the accuracy or required to pick out the levels and soundscape….. truly an accomplishment. The acoustics of your room are of course a variable…. I had them initially in a small room and that increased the low frequency response tenfold, vs now, when I have them in a much larger room, where the bass is sacrificed somewhat, but not to the extent that it's a problem I might add. If money was no object (and they are on my Christmas list), the icing on the cake for these speakers is clearly a 10S and the acclaimed ERGO system. The addition of these items would make the overall sound from this configuration truly something to be reckoned with.
LiveMixes

In celebration of my birthday I thought I would take a trip back to my roots and put out a big room trance mix for you all. Enjoy!

Track listing:

1. ALEX M.O.R.P.H. feat. Michael – Wanna Be (Album Extended Vocal Mix)
2. Cosmic Gate feat. Emma Hewitt – Not Enough Time (Extended Mix)
3. Dash Berlin feat. Emma Hewitt – Waiting (original Mix)
4. Fabio XB & Andrea Mazza – Light To Lies (Gareth Emery Mix)
5. John OCallaghan feat. Audrey Gallaher – Big Sky (Markus Schulz AX remix)
6. Rex Mundi feat. Susana – Nothing At All (Original Mix)
7. torcycle – As The Rush Comes (Daniel Kandi & Anton Firtich Divine Remix)
8. Myon & Shane 54 feat. Aruna – Helpless (Monster Mix)
9. Roger Shah & Tenishia feat. Lorilee – Im Not God (Roger Shah Mix)
10. Medina – You And I (Dash Berlin Mix)
11. Marco V – Unprepared (Extended Mix)

https://jabawoki.com/wp-content/mp3/Jabawoki_Uplifting_Trance_Vibes_10022011.mp3
Alfa 159

The final stage was putting all the wiring in place. I opted for 4 gauge cable from the battery up front and a 4 gauge earth in the rear, both connected back to brass 4 way distribution blocks so I could pull 8 gauge runs to amps and the line converter. This also left me the easy upgrade route for adding additional amps to run upgraded mids & tweeters in the cabin, but that's another project!!
InfoSec

This is a debate I regularly get into with my team. Personally, I think that yes, credentials can bring credibility with an audience, or with a prospective employer. Let's look at how this works: C|EH (Certified Ethical Hacker). Anyone who has been in that area of work for a number of years will state that the C|EH is rubbish, and, of course, they are right. Having done the qualification, I can vouch for the fact that it is a tools based approach to , with a heavy slant towards using Windows as your attacking platform (which is wrong for so many reasons). It does however, give you the basics, and teaches you about basic methodologies etc. …..So, you might ask, why do I say I am a C|EH, if I know it's pointless? Simple. To a purist hacker, it's a waste of time, but commercially it has value as it is recognised by clients and companies alike as the de facto standard for hacking. This difference in perception is a prime example of how a qualification can bring credibility with the audience you want. All of my team are C|EH, because, when I write a proposal for a client, I can say, all my team are “Certified Ethical Hackers”. They of course understand this and as a bonus, the first two words add a level of “comfort” to what sounds like a venture into the dark side! Now, let's look at another qualification (CISSP) “Certified Information Systems Security Professional”. This is about the best baseline security qualification in play today. It is very broad in its syllabus and well maintained through its CPE “Continual Professional Education” requirement. This qualification really does work on both sides of the fence. Clients like it and so do the professionals. What it doesn't do is guarantee that the holder of the qualification is a deep specialist in a given area, but what it does very well, is mandate a baseline of knowledge with real width in the subject of security.
Here are my views on how they pin together:

Some example credentials that mean something to your peers: GIAC's (any of them!), CITP, OSCP.

Some example credentials that mean something to your clients or employers: ITIL, PRINCE2, C|EH, CCNA.

Some example credentials that mean something to everyone: CISSP, CCNP.

This is not the most exhaustive list, but is a start. The underlying piece of advice here is, when you're picking a credential to study for and invest in, think how it will add value to you and your situation, and see if there is a better option available. Knowledge can be learned for free, credentials have to be bought!
InfoSec

Ok, it's been ages since I actually had Snort up and running, so long in fact that the last time I used it, ACID was still the best way to deal with the alerts! Well after a couple of days (well a couple of hours here and there at least) I have a fully functional set of Snort sensors in place on public and private segments of my networks, all feeding to a centralised database with “BASE” handling the analysis! Woohoo. Small victories are the best! I can definitely say it's come a long way. It was much easier to install, and only took a small amount of syntax debugging to figure out the configs. During my research / re-learning curve though it would seem that version 2.8 with the stream5 processor is not as good as version 2.4 with the flow processor at detecting portscans. This was certainly the consensus of the community, and after a bit of playing I can agree. However, I now have sfPortscan running with stream5 and it seems pretty accurate to me, so I am certainly happy with the results. BASE is also a welcome move onwards from what used to be a very clunky interface. It seems light and intuitive, with decent features. I think it could do with the addition of some basic graphs, rather than having to use the graph engine to define your graphs each time, but on the whole I think it is certainly a good alternative to spending a large amount of money on a commercial product. Certainly the ability to abstract the management interface, data storage and sensors from each other gives you a highly scalable model to use as a basis for a large scale deployment. Of course, if you don't fancy the pain of compiling code from scratch, or you're just damn lazy, check out EasyIDS for a complete “IDS in a box” that gives you everything I just said with none of the hassle! ….You just can't ignore the momentum that open source has gained 😉
InfoSec

Open post to see coverage: Insurance Times – March 2009 – Data Loss Issues
