Lesotho 4×4 trip..

Posted by Ginger Ninja on May 11, 2012
Posted in: 4x4. Leave a Comment

Last weekend we had some commitments near Durban (wedding), and we decided a while back that we would return via the fabled Sani Pass through Lesotho. Once the wedding was done, we would travel from Eston through Howick and on to Underberg and then Himeville. We booked the night at St James Lodge in Lesotho, a mere 70km from Himeville in Kzn.

This 70km was something to behold…the 50km from the top of Sani Pass to the lodge took us the better part of 2.5hrs to drive. Yes the roads were that bad. The pass itself was not nearly as bad as we thought, and with some careful driving we had no problems but in Lesotho itself at some stage I could smell the heat of the oil in the transfer case as it worked overtime trying to send power to the correct wheels.

Once we got to the lodge, the pictures vs what actually greeted us were a bit different. Not quite the tranquil setting, with the local village supporting a soccer match. Luckily as the sun set it quietened down and we could enjoy the evening making a potjie and drinking some Old Brown Sherry.

The next morning we were up, packing and getting ready for some more nasty roads ahead. We were headed to the town of Butha-Buthe and the Caledonspoort border post. The route map we had told us it would take about 2.5hrs but the local caretaker of the lodge said more like 4 hours. With this in mind we set off for the border, road bumping and shaking us around in the Pajero.

We stopped at the diamond mine to look at the vast scale of the operation, and moved on to the highest mountain pass in Southern Africa, the Mahlasela Pass. From there the road got marginally better and eventually we got to the Moteng Pass. This magnificent piece of road needs to be experienced in a sports car, not a lumbering 4×4 with mud-terrain tyres loaded to the brim. We dropped down the pass from a altitude of 2800m down to 1700m and words can’t describe absolute beauty of it.

Once in Butha-Buthe we turned to the Caledon’s Poort border post, where within a few minutes we were through on both sides. From there it was off to Fouriesberg for petrol, food, and then the long trip home. Once its tank was full again, the Pajero was happy to run home, with the family asleep and Bruce Springsteen on the radio, with only the beat of the V6 as additional music in the background to keep me occupied.

It was a short visit to Lesotho. The trip showed me the beauty and isolation of this isolated country. The people who live in abject poverty, getting by with subsistence farming. Friendly people, most of them smiling and waving as you drive by with only two or three instances of begging encountered in our stay. I just wish we could have made the trip a few days longer, since I would have loved to visit Katse dam and some other areas. That said, it’s a beautiful country and I would encourage anyone to see it should the opportunity arise…

Is our industry really broken?

Posted by Ginger Ninja on April 12, 2012
Posted in: Infosec. 1 comment

It’s with interest that I read Haroon’s article “Infosec needs an injection of honesty“, since it echo’s quite a bit what’s been going on in the blogosphere and twittersphere lately. I disagree though, our industry doesn’t need as much an injection of honesty, as business needs an injection of honesty.

There, I’m disagreeing with Haroon (who I do think is one of the single smartest people I know). In some circles, to use an example, anti-virus vendors have almost been labelled worse than the child molester in the Santa suit handing out sweets outside a school. It’s true though, some of the vendors are terrible, but they should not take the brunt for the problem. Business should, and this is why.

In my previous employment I worked for a large retailer as a ISO for 11 years. We had a AV product, and the product was terrible. We went through the process of doing POC’s on new AV software, trialled it for weeks, even months, and when the time came to sign on the dotted line for the purchase order, we were simply told we are renewing the old licences.

The question then begs, who is to blame in such a situation? The bad AV vendor for making a bad product in the beginning? The good vendor for not selling his product well enough? Or the $CIO for not making the right decision? This situation repeated itself ad-infinitum during POC’s for products that would actually really secure the business, or in scenarios where business processes needed to change, or or or… Sure, you can blame the ISO for not being able to convince the CIO that the product needs changing, you can blame the project manager for not convincing the CIO that there is enough time and resources to make the change, or you can blame the business analyst for not convincing the CIO of the benefits of the change on the business. Ultimately, if all those people did their jobs, and the CIO still makes the decision not to change, it’s a business decision.

The company (which shall remain unnamed for this article) launched a loyalty card / program, with a huge infrastructure back-end etc, and the first time ‘security’ was made aware of the program was at the launch. When asking the enterprise architect if a pentest or other security initiatives had been done, the answer was “no, and before you do we need to fix one or two things”. Is this the infosec area’s fault, or is this the fault of business that wanted to launch a campaign in secret without considering the impact of over four million users details being leaked should there be a breach? How can security make the business aware, when it has been excluded from the process completely?

The point I’m trying to make is that, infosec as a industry might have some problems, but I don’t believe we’re to blame. Business is to blame for the situation it finds itself in. As a consultant (luckily not too green), I see many organisations where the problem isn’t a lack of will to secure the systems, the problems are political minefields where budgets and ego’s play a far bigger role in choosing bad designs and products. Business should not be allowed to choose products and services based on what happens on a gholf course. Hell, most info-sec guys I know don’t even know how to play gholf! Then again, no-one ever got fired for buying IBM or SAP.

Luckily at Performanta, we offer consulting, services and products that I will stand by. Our consultants actually have a clue, our services guys actually know what measurable metrics are, and our products are some of the best in the industry.

#evilMsc

Posted by Ginger Ninja on March 15, 2012
Posted in: Infosec, Msc. Leave a Comment

To quote the other party in our unsuccessful attempts at getting our mark for one module adjusted:

…while I have once again had my lack of faith in the performance standards of some academics confirmed, one has to chose one’s battles, and this, for me, is not it..anymore…

I know this, a UCT former lecturer with a M, a Harvard MBA and myself got it wrong.. Best practice is shit, sweeping statements, snide remarks and personal comments in assignments are what is needed to score high..

Oh dear, more #evilMsc help required

Posted by Ginger Ninja on March 4, 2012
Posted in: Infosec, Msc. Leave a Comment

So, to those who actually read this blog, I’m asking for a bit more help re my data gathering for #evilMsc.

Currently I’m grabbing around 200 URL’s a day from Google’s top trends. The output file changed due to changes Google made, but I was able to strip the offending text from the file using ‘sed‘ with the help of someone who knows more regex than me.

The problem I’m facing now is that I need to run the url’s through some repositories to test for malicious content. Search Engine Poisoning should kick in 24 to 48hrs after a trend like Whitney Houston’s death, hence I can ‘cron‘ what I want to run when fairly easily. At the moment ‘jsunpack’ is not picking up anything, and after a month of testing url’s this does not bode well for the thesis. No bad url’s means no data to write about..

My lack of Python skills rules out tying in with the https://www.virustotal.com/documentation/public-api/ API.

Ideally I would like to run all the urls I collect through http://www.urlvoid.com/ since URL Void ties in with 21 different databases including Phistank and Spamhaus. Alas they seem to have some sort of protection in place so I can’t use ‘curl‘. Anyone have any ideas how I can do this? Please?

Which brings me to the next problem.

http://onlinelinkscan.com/ does not seem to have any restrictions in place, but when I try a ‘ for d in $(cat 20120304.txt); do curl -d “link=http://$d/” http://onlinelinkscan.com/ > /research/suspicious/linkscan$(date +%Y%m%d).txt; done‘ it complains about user agent etc. Any way I can make this work. It’s 11:28pm and I’m tired so can’t think straight any  more.

Anyone have ideas on where I could send all the URL’s I collect to for analysis? Examples welcomed :)

Time to play (again)

Posted by Ginger Ninja on February 6, 2012
Posted in: 4x4. Leave a Comment

During our little outing at De Wildt 4×4, the bug bit quite badly, and we were scouring the Junkmail and Gumtree etc for a affordable 4×4. I didn’t want to spend nearly R300 000 or more on something like a Toyota Fortuner, Landrover etc, since I would have been too upset if something broke, or it got damaged.. but luck was with us and we found this little gem. A 1997 short wheel-base Mitsubishi Pajero 3litre V6 petrol with only 168 000km’s for R68 000. It had a bunch of extras, including IPF spotlights, Warn winch, rocksliders and a dual battery system. We bought it and went to play this weekend with some of the other 4×4 forum members.

It is a awesome little vehicle to play with, even if the juice cost is a bit rough. That 3L V6 motor is thirsty!

We found a few problems, mainly that the nose is a bit low and that I really needed rear diff-lock like I have in the bakkie, and not the central lock this one has. Some other changes can help like fitting a better set of shock absorbers and giving it a 40mm lift, to help the axle articulation, and fitting slightly bigger tyres. This will have to wait a bit, since it all does cost money.

Now, if you were to look at this picture, you would think “what in the world…how can anyone fsck up a vehicle like that? The simple truth is that the person doing that to the vehicle probably knows how to drive his vehicle better than you. These guys were also the ones that came to help me when I got the Pajero properly stuck. They hauled out a bag of goodies including properly rated shackles, used a vehicle with proper recovery points, and I learned a valuable trick (opening the bonnet to protect the windscreen and driver) in case of a cable snapping.

Also, the equipment on the vehicles is not cheap! A proper suspension setup is easily R12 000, tyres anything from R2000 upwards, and the list goes on. So, while you might call them ‘knuckledragging oafs without refinement”, I’m sure the day your car breaks down, or you have a puncture you will be quite glad when one of these oafs pulls over to help :) Me, I’m enjoying the knuckledragging scene, it’s a lot of fun and a great way to spend a day outside going something different!

(in-ep-toc’-ra-cy)

Posted by Ginger Ninja on January 24, 2012
Posted in: Uncategorized. Leave a Comment

Found this gem in a comments section on a news site, so can’t claim credit for producing it, but it’s still awesome!

(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers

The day I lost my keys

Posted by Ginger Ninja on January 16, 2012
Posted in: 4x4, General. Leave a Comment

When we moved from Cape Town up to Gauteng towards the end of last year, both me and the fiance realised it would not be easy, but we needed to try. In this spirit, we’ve been actively looking for different things to do on the weekends, trying to get out to actually enjoy a different area of the country. Much as we South Africans lament the current ruling political party governing it in to the ground, we stay here because it is genuinely one of the most beautiful countries in the world.

During the last few weeks I have been spending increased time working on the truck to get it ready for the camping trips we plan to take as the year goes on, ultimately preparing us for the trip to Botswana end of August. I’ve been lurking and posting once a while on a 4×4 forum called the http://www.4x4community.co.za in the hope of seeing how to do different things, from building packing systems to what tyres are good and bad.

This last weekend, there was a bit of a gathering out at De Wild 4×4 track, and we decided that we would go with. With only 4×2 and diff-lock, I was told the vehicle would be fine for the grading 1 to 3 obstacles. We met up with another member in Centurion, and went off to meet a Audi Q7 and its driver before going to the facility. Once we arrived it took about an hour for everyone to arrive, including a older Mercedes Benz ML who would be competing with his future father in law’s Fortuner 4×4..

Once the convoy set off we hit the first obstacle of the day, a axle twister that the ML just managed to do, but it broke a front bumper and popped out a spotlight. For the rest of the vehicles including my Colt Clubcab it was less of s struggle, though I did have the advantage of a very experienced co-driver showing me the lines (this after he did it effortlessly in a V8 Land Rover Discovery 2).

The ML going up the hill

We did another climb and then stopped for a stunning viewpoint, at which turn I asked my fiance if she would like a turn to drive. We then asked Philip (who turned out to be a 4×4 instructor) to drive with her, while I was a passenger in the aforementioned Discovery 2. Little did I know that at this point it would turn in to the day that I lost my keys…

The route takes you through several different types of obstacles, and some we could just not do with the 4×2, like the infamous ‘Gert se Klip’, but I managed to experience it as the passenger of the Discovery 2. Every obstacle that could be done was attempted by the future-wife in the Colt with her co-driver. He patiently walked her through every obstacle, showing her which lines to pick and then driving with her as she attempted it.

The Colt approaching a axle-twister.

The only obstacles she missed on recommendation of the instructor were the mudholes, due to potential damage it can cause to rubber seals, radiator etc.

Alex in a heavily modified 4.7L V8 Range Rover

In the meantime I saw in the passenger seat of the Discovery 2 with Althea in the back seat watching Pieter do the magic with his vehicle. He went through all the mud etc, seeing as he does all the work on his vehicle himself and thus isn’t too worried about damage.

Althea enjoying the idea of playing in the mud

There was a few places that I watched the truck go and thought ‘How is she going to get it out of there?’ but under the watchful eye of a competent instructor she managed fine and didn’t bump, scratch or damage the vehicle in any way (except it’s now dirty as hell again).

The missus being advised by her instructor on which line to take down the donga.

The same donga from the passenger seat of a Land Rover Discovery 2

Roaring out of another ditch.. Might need to wash it now :(

At the end of the day we reached the mud pit and spotted some drunk guys trying to ride up a embankment and doing nothing but damaging the vehicles and their ego’s. The one thing about the forum members, they were very strict about alcohol consumption on the route. No drinking and driving. Once everyone was back at the rest area and the vehicles parked it was fine to have a beer, but not on the course. Eventually I got my keys back as the day wound down, with future-wife smiling from ear to ear having had way too much fun with my car.

We got home around 3:30pm and promptly slept for 3 hours before attempting anything else for the evening. In the end we realised that the move to Gauteng is what we make of it. It’s taking the opportunities that present itself and using them :)

** Due to the theme I use, some pictures are cut off, click on them for the full pic.