Mono, Linux and MySQL. Getting everything working nicely.

So, you’re a Linux guy who wants to make cool stuff with the Mono version of the .Net framework and MySQL?  Cool story bro. Sadly, there’s no ‘out of the box’ support for MySQL with Mono. That said, it’s reasonably easy to get it working. This blog post will run you through installing the MySQL DLLs so you can start hacking away.

Prerequisites

  • A brain.
  • Hands.
  • 20 minutes
  • A MySQL Server.

Got those? Awesome.

So, first off open up a terminal and download MonoDevelop. This will also download any and all dependencies, including Mono itself. In Ubuntu, it’s sudo apt-get install monodevelop. Depending on what distro you are using, you may be using a different package manager and you’ll use a somewhat different command.

Now go here and download the latest version of the MySQL .Net connector. Make sure you select the Mono version and not the Microsoft Windows one. Once you’ve got that, you’ll probably want to unzip it. Navigate to the directory where you downloaded the zip file and run unzip <name of file>. You’ll now have two folders called “V2” and “V4”. These contain all the libraries you’re going to have to put into your GAC (Global Assembly Cache).

Now, unfortunately you’re going to have to rename each library. Seriously. Whoever uploaded them didn’t exactly realize that this sort of thing is case sensitive. So, go ahead and rename them to the correct naming convention.

mv mysql.data.cf.dll MySql.Data.Cf.dll

As you can see, you're changing "mysql" to "MySql", with every other dot-separated part of the filename that isn't ".dll" getting an uppercase first character. Make sense? Good.

Right, now copy everything from “V2” into /usr/lib/mono/2.0 and everything from “V4” into /usr/lib/mono/4.0. Done? Cool. You’re almost finished. Now you get to put it into your Global Assembly Cache. This is handled by a rather nice utility called gacutil which should have been installed when you downloaded MonoDevelop.

Syntax is fairly simple here. It’s just gacutil -i <filename>. Do that for each DLL, and you’re sorted. Seriously, there’s nothing more to do now. Promise. Now, reward yourself by making something cool with MySQL and C#.
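The rename, copy and gacutil steps above as one script. This is an added example, not from the original post; it assumes the V2 and V4 folders sit in the current directory, that the connector DLLs are the only .dll files in them, and that you have write access to /usr/lib/mono (the function names are my own).

```shell
#!/bin/sh
# Added example (not from the original post): renames the connector DLLs to the
# MySql.Data.* convention, copies them into the Mono lib dirs and registers each.

# fix_case mysql.data.cf.dll -> MySql.Data.Cf.dll. Rule from the post: "mysql"
# becomes "MySql", every other part gets an uppercase first letter, ".dll" stays.
fix_case() {
    name=$1
    base=${name%.dll}
    if [ "$base" = "$name" ]; then   # not a .dll: leave it untouched
        printf '%s\n' "$name"
        return 0
    fi
    out=""
    old_ifs=$IFS
    IFS=.
    for part in $base; do
        lower=$(printf '%s' "$part" | tr 'A-Z' 'a-z')
        if [ "$lower" = "mysql" ]; then
            fixed="MySql"
        else
            first=$(printf '%s' "$part" | cut -c1 | tr 'a-z' 'A-Z')
            rest=$(printf '%s' "$part" | cut -c2-)
            fixed="$first$rest"
        fi
        out="${out:+$out.}$fixed"
    done
    IFS=$old_ifs
    printf '%s.dll\n' "$out"
}

# install_dir SRC DEST: rename, copy and register every DLL found in SRC.
install_dir() {
    for f in "$1"/*.dll; do
        [ -e "$f" ] || continue
        old=$(basename "$f")
        new=$(fix_case "$old")
        [ "$new" = "$old" ] || mv "$1/$old" "$1/$new"
        cp "$1/$new" "$2/"
        gacutil -i "$2/$new"
    done
}

# Only touch the system when both unzipped folders are actually present.
if [ -d V2 ] && [ -d V4 ]; then
    install_dir V2 /usr/lib/mono/2.0
    install_dir V4 /usr/lib/mono/4.0
fi
```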

Breakerfaire Liverpool – 21/08/2012

The next Breakerfaire will be held at 7pm next Tuesday at DoesLiverpool. This is located on the fourth floor of the Gostins building on Hanover Street. There will be a talk followed by networking and socializing at a nearby pub.

We hope to see you there.

Why is my blog selling boner pills? – Ian Williams

A question that is asked far too much these days. Ian will be exploring the dark side of web applications and demonstrating the mistakes that are often made by developers when setting up web sites. Set from a beginner's perspective, Ian will show what tools are available to us to learn about common web application security problems and practice these offensive techniques against live sites, all without being sent to prison for hacking!
tl;dr Update your WordPress.
Ian Williams was an Information Security Analyst for RWE IT UK, the IT provider for RWE npower and one of the largest utilities in the UK, but is currently transitioning to work as a Pen Tester, Researcher and QSA at Xiphos Research Labs. Ian is rather new to the security field, having moved into it from a career in Wintel server support and software packaging and distribution. Always having been one to tinker with things, security has become a natural fit, with Ian obtaining the GIAC certifications GCIH, GAWN and GPEN in the 5 years since he started in the industry. Ian is a passionate supporter of the UK information security community and is working to pay back all of the support he has gained in the last 5 years by organising local security meetings such as OWASP and 2600 and speaking as a newcomer to the industry, in the hope it will encourage more of the IT tinkerers to come over to the dark side!
Ian Williams GCIH GAWN GPEN
OWASP Birmingham Board Member

Twitter         @fishermansenemy
Blog            http://fishermansenemy.com

Why You SHOULD Bother With Security Training, Why It Matters, and What We Can Do About It.

Dave Aitel of Immunity Inc stirred up a bit of controversy (to put it incredibly mildly) a week or so ago when he wrote a blog post for CSO Online called "Why you shouldn't train employees for security awareness". His post can be summed up as follows:

  • Security training is hard.
  • It’s not always effective.
  • Harden your infrastructure instead.

All valid points, and if you want to read a rebuttal, you're in luck. Here are three, by Boris Sverdlik (@jadedsecurity), Scot Terban (@krypt3ia) and Iftach Ian Amit (@iiamit). They're also all rather nice people and you should follow them on Twitter.

Now, let’s address the first two points:

  • Security Training is hard.

I'm not going to argue here. I was once in the position of having to write security awareness training manuals for an organization of 5000 people, the entirety of which were non-technical. It sucks. It's hard to get people to care about these sorts of things if they aren't predisposed to having a coronary whenever they see a suspicious log item in Splunk. It's not easy.

Another huge issue is the massive gulf of perspective when it comes to security issues. We see a social engineer; they see someone they can help and whose day they can brighten. We see an essential security update; they see an inconvenience which will disrupt their workflow. We see a laughably insecure password; they see one that's easy to remember. Until we address this massive dissonance in perspective, we're not going to get anywhere.

In the 90s, Will Smith was always banging on about how parents just don't understand. Well, in security, it's like that, except with everyone else. Scary, isn't it?

However, with that said, there’s something we can do about it… Read on for more information.

  • It's not always effective.

I'm not sure if I agree or disagree here. I honestly think it depends on the quality of the training material and who gives the training. I've seen some pretty terrible security training before. Trainers who chose to scare, rather than educate*. I've seen people leave seminars and training sessions scared of security breaches, but with no tangible tools or methodologies to prevent attacks. That is insanity. It's also counterproductive.

It’s also useful to remember that your training is only going to be as effective as it is fit for purpose. If your material is dry, boring and not relevant, people are going to immediately forget it. It won’t sink in, and people will continue using insecure practices.

That said, if your security training rocks, then yeah. I imagine it’ll be pretty effective. Barclays Bank have some great security awareness manuals where they try to teach people about infosec concepts through poetry, short stories, comedy and art. Now, isn’t that actually awesome? Seriously. It’s called ‘Consequences’ and you can read about it here. I have a copy, and I can vouch for how awesome it is.

So, here's a question for you: how can we make security training engaging, entertaining and effective? How can we make it sink in, so that we don't have to get our message across by clumsily relying on fear?

In recent years, we've had a revolution in how we teach. We're no longer confined to the old paradigm, which was limited to dull, drab textbooks that had to be memorized. We now know that there are better ways. We now know that people learn best vicariously, through storytelling**. We now know that gamification is a great way to teach, and to ensure that people remain motivated and committed to learning. Gamification has been used by companies like Duolingo and Codecademy to teach languages and software development. And you know what? It works.

So, why on earth aren’t we utilizing these techniques in all our training material? It makes absolutely no sense. So, let’s fix that.

I want to create a training manual that is entertaining. That is accessible. That is effective. That can be translated into any language and be deployed into any environment. And I want you to help me make it.

I've created a GitHub project. It's a clean slate. There's nothing there. You have absolute creative freedom. Want to write a short allegory about password security? Go nuts. Want to write a poem about flash drive encryption? Do it! Want to make a comic about social engineering? Sure! The aim is to have something that, once completed, can be compiled and shared freely, and deployed within organizations at no cost to them.

Got a question? Email me. Or tweet me. I’m not fussy.

* Incidentally, the clown I’m referring to described ‘PHP’ as a hacker tool used to steal personal information. I’m not even kidding.
** Want proof? Read the first chapter of Harry Potter. What’s the road that the Dursleys live on? What’s their son called? Who does Mr Dursley work for? I bet you got at least two of these right. Likewise, try reading the first chapter of the PostgreSQL reference manual. How much do you remember? Exactly.

Breakerfaire – Community Driven Security Event in Liverpool

Breakerfaire – Noun – Singular

  • A shameless pun on Makerfaire which will undoubtedly result in me being sent a cease and desist for blatant trademark infringement.
  • A community driven security conference in Liverpool, England, held monthly at DoesLiverpool.

So, yeah. I've decided to run a regular security meetup, and the chaps at DoesLiverpool have been foolish kind enough to host it. Now, you may be wondering why you should bother when you have OWASP Leeds and OWASP Birmingham within spitting distance*. Well, here are a good few reasons why.

  • DoesLiverpool is full of genuinely nice, smart people.
  • It’ll have some amazing talks from members of the community, as well as respected security professionals who are at the top of their game.
  • The venue is as central as you can possibly be, and within walking distance of some of the best bars, pubs, clubs and restaurants Liverpool has to offer.
  • The venue has lasers. Does OWASP have lasers? No. Enough said.
  • Talks will be about the entire spectrum of security, from secure development, to web application hacking to network security.
  • Dude. Lasers!

If you're convinced, the inaugural session is at 7pm on the 17th of July, and sessions will be held on the third Tuesday of each month. Any questions, just pop me an email or send me a tweet.

* Spitting distance provided that you are able to project saliva with the force of an artillery cannon.

Hercules Hilarity in Mainframe Land – Part 2 – Interview with a COBOL Developer

Timeless Prototype (clearly not his real name) is a smart guy. He's done development. He's done security. He's clocked up more years' experience coding than I have experience breathing. He's also someone I have a huge amount of respect for. So, needless to say, I was pretty enthusiastic when he said he'd sit down and tell me about his time developing on the same kind of machines that were responsible for the RBS stuff-up a few weeks back, and his thoughts on the whole saga.
