Terrence’s Blog

Square Enix and PlayOnline are the makers and facility that hose Final Fantasy Online.  And this is the saga of how horrible a company they are.

So, I picked up a Final Fantasy Dsik for $2 at Game Stop one day because I was bored and wanted to play something over the weekend.

Well, I tried the game, which required me to sign up for a trial.  So I did as I was instructed.

I played the game for about 30 minutes and stopped, it was probably the worst designed game I’ve ever played.  It was just horrible.

So, I forgot about it, and then I started looking at my banking statement and saw that I was being charge by the company.  So I find out who they are and call to cancel and this is how it goes.

1. There is no way to cancel the account online through their membership management pages.  This is to FORCE you to go through this ridiculous process so that the horrible game they’ve created won’t lose customers.

2. They told me they can not cancel any accounts on the 1st of the month.  I told them that I was requesting that they stop charging my card immediately or I would report them to my bank.

3. They told me I had to call back tomorrow or my account would not be canceled.

4. I called back the next day only to have to wait 30 minutes to be answered by some pion who made me answer 6!!! Questions about myself and my account.  I work in security and that’s just RIDICULOUS and it’s only a ploy to keep customers because if they can’t answer the questions they can’t cancel the account.

5. So finally they canceled my account only to tell me they were going to keep my credit card information in their systems.  I told them to immediately delete all of my information from their systems; which they are required to do.

So, months ago I request they cancel my account via their support page.  Well they refused to service my account in that manner and refused to contact me to rectify the situation.

Never signup for anything this company sells, it’s the worst scam out there.  If you like their games, please find alternatives; there are many.

I am reporting them to my Bank as not complying with my request to stop billing on my account for months.

Ok, I can completely understand the trials and tribulations with writing and publishing a work of fiction.  But seriously, I’m not going to pay $25.00 bucks for your new hard cover novel; no matter how much I’d really like to read it.

The way I see it is that you’re losing a customer and potentially my interest in your line of novels when you play this game.  I can go through a 500 page novel in about a day and a half, so if I break that down to 12 hours of reading, that’s like 2 bucks an hour.  Nope, just can’t justify that kind of investment.

Now I’m even finding it hard to pay the $7-8 for a novel.  It’s just out of control.

I suppose I can suegue into buying the Kindle… but dear lord, that’s like $350 and the books are still $5 a piece.  So I’d have to buy 175 books to pay for the damn thing.  I doubt I’ll make that committment.  I think I’ll wait until the price comes down significantly or until there is competition.  I use to read books on my old cell phone.  My new cell phone is crap now though, so I have to wait until I upgrade.

So… here’s the breakdown:

1. Buy Kindle

2. Upgrade Cell Phone

3. Stop Reading (I doubt that will fly.)

Really, the cell phone upgrade will pay for itself in the long run.  I get many many uses from one product instead of one use.

I will let you know how this pans out.

I just had a great meet and greet with the guys from Immunity Inc., makers of Canvas and other pen testing products.

I met with Alex and Dave (the owner) and they were really down to earth and fun folks to chat with.  We had an amazing meal at Ray’s In The City, which I later found out was a really great restaurant and highly rated.  I hadn’t heard of it before.

We purchased Canvas about a month ago and we’ve been happy.  There are definite cosmetic and reporting improvements, but the functionality is sound and it’s built on an extensible framework.  I’m excited to be working with the product and having the ability to reach out and “touch” the folks there.

If you haven’t heard of them check out their site: http://www.immunityinc.com (Makers of Canvas)

I’ve been thinking about this for a while now.  There are websites out there that have a lot of my PCI information in them.  I haven’t used many of these sites for years, but that information just sits there.

It should definitely be a requirement that if the PCI information has not been used for a given period of time you are required to purge it from your systems.

We might possibly make exceptions for financial institutions, but other than that I can see no reason to keep that information on hand.  The user can enter it again if need be.  It’s much safer this way.

I’m am as of 11am today a GIAC Certified Penetration Tester.

For those of you who don’t know what that is.  I am certified by one of the world’s premiere security training organizations to go into a company and assess their network and computer security by breaking into systems and validating vulnerability findings.

I then report my findings to the company so that they can then fix all of the findings.

Well, I was just driving in during a snow/ice storm from a little outside of Atlanta.  I live in the heart of Atlanta, but I’m about to move out to the burbs.  The interesting thing is that the snow/ice on the road out there (15miles from the city), was much worse than the snow and ice on the roads in the city.  I think it’s due to something a colleague termed the Heat Dome effect.  Where a city create a heat dome from the asphalt, lack of vegetation, cars, and many other factors that create a sort of heat dome.  I’ve always noticed that in the city I wouldn’t get hardly the amount of rain or storms as those that live outside of the city.

It’s something to keep in mind… heat pollution.

Dear sweet lord!

This is no easy task.  I’ve got the images over, but now I don’t have comments or anything else.  So I’m working on getting my plugins and comments back.  We’ll see how it goes.

1. Get Posts Over – Done
2. Get Images Over – Done
3. Get Comments Back – Working on it!
4. Get Categoirs Back – Working on it!
5. Get Plugins all back – Working on it!

I’m thinking a day or two.

I recently took a the SANS SEC560 Course and wanted to document all the links and tools that were mentioned or learned, that way they are all in one place for me… and as a consequence, you too.
BCWipe - Tool for wiping the disk, was mentioned as one of the best.

This next bit will write random data to the hard drive, then it will zero out all of the bits.

dd if=/dev/random of=/dev/hda
dd if=/dev/zero of=/dev/hda


fgdump - Describes as a better tool than pwdump. It will attempt to dump the SAM table of any computer that it’s execute on by various methods. It could cause damage to older computers though. I crashed the Win2k box a few times.

BiLE – A tool from Sensepost that will run through various discovery methods, searches, dns, reverse dns, etc. to find more resources to exploit.

NMAP – Of course this is the best scanner available and one of the most versatile. We used it not only for port scanning and OS detection, but for some vulnerability assessment. Using NMAP’s newly developed Scripting Engine, NMAP is able to do something interesting analysis.

TCPDUMP – We used tcpdump quite extensively. Jim Shewmaker discussed setting tcpdump to dump to files on a seperate HD and to rotate those files every 100MB or so and have a script that ran periodically to clean out the oldest files if the HD was at about 5-10% disk space left. I will develop something similar and post it because I think that’s great for a pen test.

HPING3 – Was mentioned as a packet crafting/sweep/traceroute tool. You can configure destination port, originator, etc. Pretty neat to see if you can break anything.

Layer Four Traceroute (LFT) – This tool will use arbitrary ports or common ports to try to get through network protection devices to see how many hops away an HTTP server, or other device is.

THC Hydra – A flexible password-guessing tool.

BiDiBLAH – A tool that tries to simplify the scanning/assessment process.

user2sid and sid2user – Used to identify through null smb sessions who the admin or other users are on the system.

MetaSploit – With this tool we actually built some executable to shovel a shell back to use. We also used the exploits, but that is fairly simple.

Notes:
Some folks and things mentioned:
- Tobias Klein
- Crack Proofing
- Greg Hoglan
- IDA Pro Book
- Disable all non-essential services on all boxes.

I will keep adding to this list as I find new sites, I’ll bump the post up as I do so.

Zero Day: http://blogs.zdnet.com/security/?feed=rss2
Cisco IntelliShield Risk Report: http://tools.cisco.com/security/center/cyberRiskReport_20.xml
Cisco IntelliShield Event Responses: http://tools.cisco.com/security/center/eventResponses_20.xml
Cisco IPS Update Bulletins: http://tools.cisco.com/security/center/activeUpdateBulletin_20.xml
Cisco Applied Mitigation Bulletins: http://tools.cisco.com/security/center/mitigationBulletinReport_20.xml
US-CERT Cyber Alert System: http://www.us-cert.gov/channels/cas.rdf
US-CERT Current Activity: http://www.us-cert.gov/current/index.atom
TaoSecurity: http://taosecurity.blogspot.com/feeds/posts/default?alt=rss

Well, I just completed training for the Certified Ethical Hacker cert. It was very slow the first two days, but it got increasingly more interesting as we progressed through the last 3 days of class. I learned how to chain applications so that execute in a particular order and how to hide things, etc.

The material wasn’t difficult, but this will be an additional certification that will help me in my career.

Also, I’m a bit nervous about a project I have at work. In good conscious I had to suggest a switch in antivirus providers. It is a good decision which they should do, but we’ll see what happens at work.

Anywho, I’m happy and my relationship is going quite well. Vu is great, he’s got the biggest heart that I’ve encountered. I think he’s doing what he thinks is right, I just worry about him, that’s my nature. I want everyone I know to be safe and happy.

Well, enough for now, time to hack some shiznit in my lab.