Archive for June, 2009
Unable to create directory – parent directory writable? WordPress 2.7

I was having trouble uploading images on one of my WordPress 2.7 & 2.8 blogs. It gave me the following error:
Unable to create directory /home/username/server/wp-content/uploads/20XX/MM/ Is it parent directory writable by the server?

After a long search I found this solution on http://www.cyriac.me:

Step 1: Log into your admin panel

Step 2: Go to Settings>>Miscellaneous

You will see two options:

Store uploads in this folder
Full URL path to files

Most probably you will see

/home/.boogee/XXXXX/XXXXXXX/wp-content/uploads

in the first field.

Step 3: Edit that to just

wp-content/uploads

Some people were suggesting that you solve the problem by making the folder's permissions 777, meaning anyone on the server can do anything to that particular folder. As a security guy, I knew this was a bad idea (and it also did work for me 🙂 ). I kept searching and ran into that solution.

Worked like a charm! Thanks Cyriac for putting the solution on the blog.
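As an added example (not code from the original post or from cyriac.me), here is a small POSIX sh script that checks an uploads directory the way the post recommends: it flags the world-writable 777 state instead of applying it, and it computes the relative path for Step 3. The install root and directory paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from cyriac.me.
# Two helpers a WordPress admin can use instead of "chmod 777":
#   uploads_dir_status DIR            - prints: missing, world-writable, ok or not-writable
#   relative_upload_path ROOT ABSPATH - turns the absolute "Store uploads in this folder"
#                                       value into the relative form used in Step 3
# All paths below are assumed for illustration.

uploads_dir_status() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "missing"            # WordPress will try to create it under the parent
        return 1
    fi
    # Mode bit 002 = writable by "other": the 777 "fix" sets it and lets every
    # local user and every other vhost on a shared host drop files here.
    if find "$dir" -prune -perm -002 | grep -q .; then
        echo "world-writable"
        return 1
    fi
    # Writable by the user running this check (run it as the web server user,
    # e.g. via sudo -u, to get the answer that matters to WordPress).
    if [ -w "$dir" ]; then
        echo "ok"
        return 0
    fi
    echo "not-writable"           # fix with chown to the web server user, not chmod 777
    return 1
}

relative_upload_path() {
    root="${1%/}"                 # WordPress install root, without trailing slash
    abs="$2"                      # absolute path from Settings >> Miscellaneous
    printf '%s\n' "${abs#"$root"/}"
}

# Usage (assumed paths):
#   uploads_dir_status /home/username/server/wp-content/uploads
#   relative_upload_path /home/username/server /home/username/server/wp-content/uploads
```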

DIACAP Essentials + IA Control Validation Training (part 2): DIACAP/AFCAP Day1

DIACAP/AFCAP Day 1.
This is the second installment of the DIACAP Essentials journal.

On the first day of class we took a high-level look at the big picture of the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) and the Air Force Certification & Accreditation Program (AFCAP). It is a very valuable tool for a beginner.

Since I’ve gone through the entire process (with a legacy system) more than once, through all the growing pains of Air Force C&A from DITSCAP to DIACAP, I found that I knew about 90% of everything taught. I don’t mind having a refresher, though, and quite frankly I need the CPEs for my CISSP :).

There were a couple of golden nuggets that I was able to get out of some of the old timers. I learned some interesting things about how the Navy, Marines and Army do things.
The Navy (as weird as their dumb ass rank system.. yep, I said it.. it’s dumb) have like three systems: DITPR-DON, DA-DUMB and some other BS, the Marines have something called Exacta and the Army has APMS (Army Profile Management System). I also learned cool off-topic stuff like the history of eMASS.

I must admit I’m looking forward to day two.
Pros of day 1: Good solid start on basics, GREAT for beginners. SecureInfo gets mad props for having a great instructor, John M. (don’t know if he wants his full name published.. but he’s highly, highly knowledgeable and very positive).

Cons of day 1: Right off the bat I am noticing a huge hole in the training… a lack of in-depth teaching of EITDR, which is how the Air Force implements, manages and maintains the entire DIACAP/AFCAP process. I don’t really see how you can teach one without the other these days. I guess contractually SecureInfo cannot touch it, since some other company has the contract. But unfortunately, the folks that are new to this are going to suffer: if they go to this class without knowing EITDR they will know why but not how, and if they go to the EITDR class without knowing DIACAP they will know how but not why.

Jeff Moss + DHS = Super Security

“Godfather of Hackers” Jeff Moss, founder of the Black Hat and Defcon hacker and security conferences, was sworn in as one of the new members of the Department of Homeland Security’s Advisory Council (HSAC). And we think it’s a shrewd and thoughtful move. Obama seems to be getting serious about cyber security now by hiring “Dark Tangent.”

on Gizmodo

Jeff Moss is not only a celebrity in the world of hacking, he is also a powerbroker. He is a respected force to be reckoned with. I am not going to say that I think he is some sort of cyber mafia boss, but I will say that he could destroy just about anyone with a 100-word post on a forum. Getting “street cred” in the hacker world is something that must be truly earned, usually through technical expertise proven to hundreds or even thousands of your hacker peers: published technical papers, famous/infamous system infiltrations, the discovery of 0-day exploits that make major corporations take notice, or some combination of these.

Jeff has his finger on the pulse of the entire spectrum of hacking.

Jeff is now going to advise the president.

Now that is good judgment.

DIACAP Essentials + IA Control Validation Training (part 1)

UPDATE: 2014 – Risk Management Framework for DoD IT released.

I’ve been scheduled to go to DIACAP Essentials + IA Control Validation training. It is the same training that is given to validators at AFCA, so I guess it is pretty serious stuff. I was very reluctant to go until I realized that I actually really need the CPEs to maintain my CISSP.

Since I’ve been doing the DIACAP stuff for about 2 years now, I’m not certain there is any new information for me to learn.

DIACAP Essentials
The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) Essentials course blends lecture and hands-on exercises to introduce students to DIACAP policy (to include FISMA requirements of a comprehensive, repeatable, and auditable Information Security process).

IA Control Validation In-Depth – 3 Days
The IA Control Validation In-Depth course takes the student’s DIACAP education and turns the view from an implementor’s to a Validator’s perspective, and involves the students in the validation process for the IA Controls (DoDI 8500.2).

What I am hoping to get from the course is a better handle on the FISMA process.
I don’t feel like I really have a handle on what is supposed to happen with it.

Subject: GET BACK TO ME AT YOUR EARLIEST CONVINIENCE *scam*

OFFICE OF THE NATIONAL SECURITY ADVISE
TO THE PRESIDENT FEDERAL REPUBLIC OF NIGERIA
GET BACK TO ME AT YOUR EARLIEST CONVINIENCE

Dear Sir/Madam,

I am Lt. Gen. Peter Olu, National Security Adviser to the President Umar Musa Yar’ Adua Federal Republic of Nigeria. I decided to contact you because of the prevailing security report reaching my office and the intense nature of policy in Nigeria. This is to inform you about our plan to send your fund to you via cash delivery. This system will be easier for you and for us. We are going to send your contract part payment of US$4.1 Million to you via diplomatic courier service.

Note: The money is coming on two security proof boxes. The boxes are sealed with synthetic nylon seal and padded with machine. This fund was brought to us from America; it was meant for our Local AFEM market. But since the money was not used, I will use my position as the National Security Adviser to the President to send this fund to you.

The boxes are coming with a Diplomatic agent who will accompany the boxes to your house address in your country. All you need to do now is to send to me

Your full name
Your house address
Your age
Your marital statue
Your identity such as, international passport or driver license
Your contact phone and fax numbers,

The Diplomatic attached will travel with it. He will call you immediately he arrives your country’s airport. I hope you understand me.

I will let you know by the special grace of God when the boxes are airlifted.

Note: The diplomatic does not know the original contents of the boxes. What l declared to them as the contents is Sensitive Photographic Film Material. I did not declare money to them please. If they call you and ask you the contents please tell them the same thing Ok, i will let you know how far I have gone with the arrangement. I will secure the Diplomatic immunity clearance certificate that will be tagged on the boxes to make it stand as a diplomatic consignment.

This clearance will make it pass every custom checkpoint all over the world without hitch. Confirm the receipt of this message and send the requirements to me immediately you receive this message. If you need more information about this, I will give you the contact of the diplomatic agents for more information on how to carry out the plan.

Please I need urgent reply because the boxes are schedule to leave as soon as we hear from you. Reply me immediately you receive this message via my private E-mail :(generalpeterolu2029@yahoo.com.hk) Call me on my direct phone : (234-7026905160) or Fax: (234-8029402741)

Best Regards,

Lt. Gen. Peter Olu,
National Security Adviser to the President
Federal Republic of Nigeria

I always feel like GOOGLE is watching meeee

If Google were a woman I would make sweet passionate love to her. And she’d be a psycho-stalker.

I love Google, but it conflicts with my finely honed skill of not trusting. I use Google for just about everything, knowing they have a dangerous amount of information about me and everything else, readily available in a search-friendly little package.

Google showed up as the most conspicuous tracker on third-party sites. Google Analytics, a free product that allows online publishers to gather statistics about visitors to their sites, was used on 81 of the top 100 sites. Cookies from the advertising company DoubleClick, which is owned by Google, were present on 70 of those sites. When combining trackers from those two services, Google had a presence on 92 of the top 100 sites. Others weren’t far behind. Cookies from Atlas, Microsoft’s DoubleClick rival, appeared on 60 sites, and trackers from two other analytics companies, Quantcast and Omniture, showed up on 54 sites.

NY Times

I still love Google and I still believe, perhaps foolishly, that they are not evil. Even so, one day I think Google will turn evil, not unlike any empire that has become too powerful. The culture of the company will change in a generation and a new dynasty will reign, using personal information as a weapon rather than as a useful tool for better search. I hope I am very, very wrong.