Welcome - Jabawok Industries

Welcome to my digital home! There are lots of articles you might find helpful buried in this site on topics such as modifying an Alfa Romeo 159, rebuilding a Lotus 7 (Robin Hood 2B), not to mention a ton of stuff on technology in general. It’s all here somewhere, so use the search function or navigate using the menu structure. if you want to talk, reach out via the contact function, I usually do answer!

Random Post Selection

Why you dont need a firewall

InfoSecI have seen some comments of late about the PSN hack being due to Sony having no firewalls in place and out of date Apache instances. A brief amount of research defuncts this assertion, however, I was genuinely surprised at the level and voracity of the comments around it. Most of which related to people essentially “living and dieing” by their firewalls. This position is ludicrous to say the least, as a firewall is but one control, not the be all and end all of security, and in my own personal experience, sometimes, they are simply not up to the task and you need to think outside the box. So here is the problem…… You are designing/running a global gaming platform that is highly latency sensitive, your planning on having all the worlds gamers use your platform and push it to its limits. If you even drop one packet, you could frag someone in game and cause the most heinous flaming you have ever experienced resulting in lost customers for the company, but, it needs to be secure. What next? Believe it or not, I have personally been in this scenario during my time at EA. I had to design, build and deploy the EMEA Online Web & Game Platform, as well as co-develop the global gaming platforms for the wider business. What I can share with you is that firewalls, no matter how big/good/expensive they are suffer 2 problems…. 1) They are a bottle neck into your environment that when you scale up to millions of users, is a problem, and 2) they introduce latency by doing their job. So what are the options? Well on the one hand, you could design around the problem, spend a large amount of cash on the “biggest and best” firewalls money can buy, create smaller firewalled segments and multi-layer your network to cope with the limits of the firewalls perhaps? True, yes you could, but this additional complexity introduces more routing hops and more kit for the packets to flow through, which increases latency & degrades the overall experience for the players. Another option is to not use firewalls….. So what do you do, when you cant put a firewall in place? easy 🙂 All a firewall is doing is a) controlling the flow of IP using an Access Control List & b) looking at the packet for something malicious in it (please note, I am specifically talking about a basic statefull inspection firewall (L3) and not anything extra in the UTM (L7) space, as these add way too much latency to packets for gaming consideration). Given that the firewall is performing these two simple tasks, all you need to do is replicate them elsewhere. Firstly, all your existing network infrastructure can handle the ACL function, easier and faster, and given the packets are already going through this kit, it doesn’t add any latency to the path. Next, its all about understanding the attack and being vigilant….. Essentially, if your gonna break into a computer system, you need a few basic components: A Threat Agent (Bad guy with motivation, we will call him Fred) An Attack Vector (Something Bad he cooked up, like an SQL Injection) An Attack Surface (Your infrastructure, applications etc) A Vulnerability (Something you missed that matches Fred’s attack) So, if Fred needs all these things to line up before he can achieve success, its all about making sure that you minimise your attack surface, and keep it vulnerability free.This is going to mean that you design your environment to be simple and easy to manage, and that you have some solid, well executed vulnerability management programmes in place, typically including real time (or near real time) monitoring of services for vulnerabilities, and excellent patching programmes, fully automated. Essentially, you want one system to identify a vulnerability in one of your web services, and tell the other system to patch it. It is possible to do and works well, but your gonna have to clean up the odd system failure, so make sure your system is highly resilient (by definition of the type of environment, it would be anyway). Now, I appreciate that a 0Day is going to pwn you, but guess what, it still would even with the firewall, so don’t get all upset about it, just have your CSIRT ready to go and make sure it is well oiled! On that subject, this is one of the key controls you should have anyway, but wont. Your ability to respond to an issue, and appropriately deal with it is what people will observe. It doesn’t matter how good you are, how well you have designed something, at some point its all going to hit the fan. The other key control your going to need is monitoring, so you know when you need the CSIRT! You will need to implement full monitoring and alerting for the environment, from availability and security perspectives. You need to know everything, every device is doing at all times, because correlating this information can help you identify attacks in progress before they get anywhere near success. All your kit is already logging issues silently to itself, so your not going to add any extra burden on the environment, and typically, you would create a separate network to handle management traffic to keep it off your primary network anyway, so its not going to impact service delivery. Also, when your talking about the gaming industry, typically, aside from the usual raft of web services running, your talking about very specific, proprietary services running on random ports to facilitate multi player gaming, so your “Threat Agents” are a limited pool of elite gamers, who’s typical motivation is not to pwn your systems and steal your data, but is usually limited to 1) administrative control of the game so they can kick who they don’t like out, and b) the ability to alter scores and leader board positions! I would like to finish my brief rant/educational spout on a simple truth, firewalls don’t make you secure, they make you lazy.Related Images: [...]

Video Interview – UK CsC Cyber Camp 2012

InfoSecThis is a brief interview about my role and the assessment process designed for the challengers playing the UK Cyber Security Challenge while at the Cyber Camp 2012: Related Images: [...]

Open for Business?

InfoSecI recently was asked by Bloomberg to comment on the raft of Android malware recently discovered. During that interview I mentioned some concepts around the open vs closed models and wanted to expand on this thinking a little further. As you may know the Google Android platform has been open source since 2008, and as such has a healthy following of developers and an open list of problems that anyone can view and contribute fixes for. Contrary to this, Apple IOS has, and most likely always will be closed and the intellectual property of Apple, and therefore is managed by an army of developers working directly for Apple. Other than these two business models being the polar opposites of each other, the devices themselves do share some common ground, an example of which is they are both based on a *nix base and both allow anyone to develop an application for their platform. So which is better, open or closed? Both have equal merits and demerits, but for me the key one we need to consider is the security of the applications. Given a smartphone platform is ultimately a portable computer in your hand that you can transition a significant amount of daily communications to, in any corporate environment you need to be thinking about how you maintain the security of that device. For the purposes of this article I am going to discount all the other major security problems with both platforms and specifically look at the apps. To this end I want to create the abstraction between the platforms and the application environments as people seem to confuse these two and blur the lines, and forget that we aren’t talking “open-source” as both platforms are in fact “open-shop”. If your app store is 100% open, as we have seen with Android, anyone can release any app into it without any form of quality control or security audit. This, as we saw, resulted in a number of applications having more functions that the user subscribed to, and left the devices open to abuse from those individuals that would make money from negative actions. In a corporate environment this means that you have got to control what apps get put on the phone, and create a whitelist and policy enforcement system, which as we all know, we cause the end user to get upset as their freedom of choice is restricted. For the general consumer this means that they, at some stage, will likely end up getting literally robbed blind by their smartphone, because, in an open model, there is no one controlling what gets onto their device for them. The other end of the spectrum is of course where we are with Apple. Onerous quality assurance, technical and security checks and numerous caveats to adhere to, before your app even gets into the store. But this conversely reduces the risk to business and the consumer equally. In this model, Apple takes control and responsibility for securing the applications on their platform, and minimising the risk to the user. I of course, still would recommend in any corporate environment the use of policy enforcement and approved applications, but you’re at least starting for a better place, and don’t need to do a full source code review of every app your planning to use just to make sure it’s not a Trojan of some kind! So which model is right? To be honest, both have their merits and both have their flaws, but I still, personally, favour Apples approach, to err on the side of caution and ensure that the apps they release are 100% up to the task. Let’s face it, developers are known for cutting corners where they can to save a few lines of code, so someone cracking the whip on quality and security can’t be all bad now, can it. Related Images: [...]

RH2B – Bonnet Fix

RH2B Build DiaryThe bonnet on the hoody is metal, in two sections, and was bolted together on a centre flange. This left a seam that was filled with filler and then a vinyl stripe laid over the top. Now this would have been fine except for the fact that the builder then installed a long pneumatic ram (the type that opens a boot on a hatchback) to hold up the bonnet when you lift it. Great for convenience but done in such a way as to cause a long term issue. Essentially, as the weight of the bonnet and nose cone were pivoting on an M8 bolt attached to the centre flange (2 x 1mm steel), the flange had twisted, bent and caused the bonnet to deform above. This in turn caused the filler to crack and separate from the bonnet, which then caused the vinyl to crack leaving an unsightly jagged line down the centre of the bonnet. Bonnet damage after removing the vinyl and cracked filler. Rather than just filling it and applying another vinyl sticker to it, knowing it would just do the same again, I set about designing and printing a better solution to the mounting of the jack point to the bonnet and also reinforcing the flange with several additional M8 bolts! A few iterations in Fusion 360 and 3 test prints in PLA, I had a final design that met the profile of the bonnet, bolted through the flange, spread the load of the bonnet more evenly and provided a solid anchor point for the jack. Design iterations The final design is pretty cool. It spreads the load exactly as I wanted and prevents the centre of the bonnet where the filler is being pushed up. It has also added rigidity to the panel as a side effect. Finished mount Once the mount was installed all that was left to do was fill the resulting gap with a flexible filler that wont crack and fall out, sand it smooth(sh) and the re-apply the vinyl. What I learned from this experience is something I was already pretty cognizant of. I cannot do bodywork!!! I dont have the patience for it at all! Finished article. Its by no means perfect but will do for now! Related Images: [...]

Press Coverage – April 2009

InfoSecOpen post to see coverage: computing.co.uk – April 2009 – Malware computing.co.uk – April 2009 – Risk in the recession pcauthority.com.au – April 2009 – Microsoft computing.co.uk – April 2009 – Microsoft crn.com.au – April 2009 – Risk in the recession whatpc.co.uk – April 2009 – Security computing.co.uk – April 2009 – Malware Searchsecurity.co.uk – April 2009 – Conficker & Patching Related Images: [...]

Which MP3 Solution?

GeneralHere is the Dilema. Do you want performance, versitility or cheap? I go with performace, and let skill do the versitility bit. Here are some of the ones I have seen and a couple I have used: Stanton Final Scratch Not available these days unless its second hand, I had a Mk1 version, USB connectivity and the Software was only stable on a MAC, even then, a little tempremental! Serato SCRATCH Recentley borrowed one of these of a mate, and I have to say I was impressed, easy to use, stable, even on Vista! and quick response from the USB hardware. Native Instruments AUDIO8 DJ I am itchin to get hold of one of these, it looks pretty impressive and ticks all the boxes in terms of functionality, Firewire interface so it should be spot on for scratchin, and based on the latest version of Tractor FS, so again, proven technology. Related Images: [...]

Euphoric Hard House 16/02/2001

LiveMixesOldschool Hard House from the archives https://jabawoki.com/wp-content/mp3/Jabawoki_16022001_Euphoric_Hard_House.mp3 Podcast: Play in new window | Download Related Images: [...]

RH2B – Intake Fix

RH2B Build DiaryThe first job on the agenda for the Hoody was to fix some rather terrible intake trumpets! The independent Throttle Bodies that were installed onto the engine are, well, how do I say this….. a bit shit. While there is a long term plan around changing these I needed a better short term solution to a specific problem. The trumpets kept falling off! Reading the original build diary there is a sentence that reads “Modified Maplin Speaker trumpets as air intakes”. That should be enough to make you shudder, it did me! So first things first was to fire up Fusion 360 and get to work with the vernier calipers! After several iterations I found a design that worked. It has sufficient grip inside the intake to hold itself steady and a small ridge around the outside to stabilize itself. There was of course no where to bolt or secure an intake trumpet to as these ITB’s were once a dellorto carburetor and twice as long. (The builder literally cut them in half!) I had to design two types of intake as one of the 4 had to accommodate an air temperature sensor, but it was a simple enough modification once I had a good base design. 4 3d printed trumpets ready for installation. Several printed iterations, as well as some R&D into the right type of material to print the final versions in was necessary. In the end I opted for an engineering Grade Carbon Fiber infused Nylon composite from Novamid. This material boasted a very high heat deflection temperature, extreme strength and nearly zero shrinkage whcih was ideal for my situation. It wasn’t cheap stuff though! All in all the project took a while due to 1) me learning new skills in Fusion, 2) learning how to print composite materials and 3) modifying my printer to cope with the composites. That said, it was thoroughly enjoyable! Related Images: [...]

How to make an Xponent Great

GeneralThe Problem: Ok, so anyone who has worked with sound equipment before would have been greatly disappointed shortly after taking the M-Audio Xponent out of the box. Essentially, it’s a bit crap. The main bug-bears are the faders, often referred to as being made by “Fisher Price”.They are loose, and generally feel nothing like a proper mixer, so anyone used to using pro audio equipment is going to feel short changed (I know I did!). That said, once you get over them, and there are some tricks you can apply to make them feel less annoying, the other primary bug-bear is Torq. This software can only be described as an epic fail! I gave it a shot, I persevered with it for a long time, and have come to the conclusion that its beat detection engine was programmed using chaos theory. I have mixed on many different platforms, decks (belt and DD), CDJ’s (from first gen to modern) and midi software from TraktorScratch V1.0 through to the usual suspects of today. What all of these platforms allow you to do is beat match with little effort if you’ve got a good ear. Torq on the other hand, seems to want to fight this process and in my own experience, creates a clinical/harsh environment to align beats without getting nasty overlay (beat on beat cancelation). If you persevere I am sure you can personally compensate for this and actually become good at “mixing with Torq” but IMO I don’t think it appropriate to change my mixing style after 20 years just to accommodate crap software. This problem brings us to the solution I have discovered. I don’t take credit for pulling this together, many people better than me have toiled long and hard to make this work and have done some excellent work on the subject. All I wanted to do was have a rant, show you how easy it is to make the Xponent better and then credit those who did the work. The Solution: Native Instruments have invested a lot of time and energy into refining the Traktor product to what it is today. I have used different iterations of it since Scratch v1.0 (the first ever version) and it just keeps improving! The most recent version is Traktor Pro V1.x, I am using 1.2.4 and it is truly phenomenal. I won’t go into it in too much detail, but will say this much, its intuitive, just like it should be, has some amazing effects available out of the box and “just works perfectly” What more could you ask for? Of course, Despite the Xponent being a Midi Control Surface and a Sound Card, it’s been locked into Torq to proliferate the spread of the evil program, but, there is a way you can break out of this and turn your midi control surface back into a programmable 2-way midi surface like any other. It’s actually quite simple: While you switch the device on, press and hold the number 2 Queue button + the Lock Button on the left deck. It’s that simple, hold them till it’s all booted up, and to check its worked, press any button, if it lights up then fades away, it’s not worked and you need to power off and try again. If it does not light up, you’re in business and you have a midi control surface ready to use with any Digital DJ software you want! At this stage you have a couple of options, start mapping the buttons yourself or grab a map that has already been put together. Personally, I like to short-cut things, so I would grab a predesigned map. After a good look around and a few failed starts, I found a mapping from HolyCT based on the work of DJ Kad listed in the NI Forums. It is amazing! It has all the mappings you would want, full documentation and even a browser mode so you can use the jog wheels to browse your track lists without the keyboard and mouse! It makes use of the X/Y Pad and is IMO a very well put together map for the Xponent. Bringing the good features from the Xponent to a well written and user friendly piece of software like Traktor Pro, is a marriage made in heaven! I am truly blown away with the usability and playability of the combination, and it has convinced me to stick with my Xponent for the time being. It may not be the best controller in its class, but it has some cool features and once you get used to the faders, it’s not all bad! Related Images: [...]

Hard House Happiness 02/12/2000

LiveMixesOldschool Hard House from the archives https://dev.jabawoki.com/mp3/Jabawok_02122000_Hard_House.mp3 Podcast: Play in new window | Download Related Images: [...]