I'm a hacker working in marketing and advertising, and this is some of my perspective on the world.
Monday, December 10, 2012
I did some video editing for a client. They provided me with several videos shot on location without the use of a tripod. We went through and found all of the cuts we were looking for and edited the video to make something really cool and authentic looking. After adding all of the proper titles and fly-ins to the video I rendered the video down so it could be uploaded to YouTube. YouTube will not accept a 40 GB raw file.
So I get a call today saying "The type in the video is going all over the place." I quickly opened all of the videos I provided the client to check, and they all appeared as expected. So I go onto YouTube and something crazy is happening with the video. I know all about JPEG and MPEG compression and what that does when you start increasing the compression level, but this was altogether different and wildly amusing (yet scary). The type was crawling across the screen and climbing into areas where I was sure there was no type. I looked at the formats I used to make sure I hadn't selected some hybrid in After Effects that used vector layers by chance (they're always upgrading things) and found no issue with the raster-only formats I was using.
YouTube has some excellent features and this one is supremely impressive. My client, upon uploading the video, decided to select the option to "Stabilize Video" in the video editor section of the YouTube Video Manager for their channel. The video shakiness was remastered to make the video look completely stable (like a professional videographer shot the footage). If you watched the off-camera areas in the shots they appeared a little strange, having been cloned from shots where they existed prior and post. The type however was everywhere, so it made it look like a bad editing job. I mean really bad. It was super distracting. Luckily there's a way to tell YouTube to revert to the original video (you have to dig for it in the video editor settings). Upon selecting "revert to original," after some time the original non-corrected/non-stabilized video *should* be in place. If this doesn't work you can always delete the video and re-upload the original.
Leave it to Google / YouTube and their new features and upgrades to really ramp up your learning curve. Luckily this time however the crisis was averted.
Friday, December 7, 2012
'Project Mayhem' Hacks Accounting Software - A Rebuttal
The more I read Dark Reading, the more I'm starting to notice certain aspects of the new market for hackers. In a recent post on the site - 'Project Mayhem' Hacks Accounting Software, No exploit required for defrauding Microsoft and other accounting systems, researchers at Black Hat Abu Dhabi reveal - they go into detail about an elaborate scheme to create a fake billing transaction in a database.
In my comment about this possible "threat" I mention:
Microsoft should probably use SSL between the client machines and the database and lock down the database so only clients with the appropriate credentials (IP addresses, SSL keys, and login credentials) would be allowed to make database queries and injections. They might also look at splitting up the database logins, so you have one login for queries and one login for inserts. The tables per client should be named according to the actual company so they're not standardized within Microsoft Dynamics Great Plains across the board. Also the database itself needs to be encrypted (I'm not familiar with the Great Plains system myself) so it couldn't be updated somewhere else and replaced (after the end of business). (One of the things that used to be sort of a standard practice in the 90s was make a copy, hack it offsite, then return it to the system at a later date... so there is no trail.) They might also limit access to the terminal that is authorized to only being allowed to make transactions during business hours (like banker's hours for the machine itself).
There are probably hundreds of ways to secure this particular issue. Also from an IT standpoint you would require that all communications to the accounting database come from an accounting computer on the network subnet.
It sounds more like a fail on the Information Technology or Information Systems department's part (or something they wouldn't consider as a possibility).
The problem is more of a human issue. The IT department thinks to themselves that the company only hires qualified people who don't have bad backgrounds. The admins are busy (probably under staffed or better yet outsourced) so they either aren't familiar with the system themselves, don't need to be familiar with the system, or don't have the time to think about all of the possible injections. The idea someone could gain access to the network, have a machine with the necessary tools to actually perform an attack, not have that attack be logged, and do this consistently is a little far-fetched?
Stepping back I see that it makes a great story, but it's just a company trying to get creative with ways of saying "There is no need for our services, but we can prove to you that you need us because we can show you a world of possibilities that are highly improbable, but capable given an enormous amount of funding, interest, and time in the realm of distant possibility."
Another thing, is the people who would have this skill set, the ability to pull off the job, and the ability to collectively network with other individuals and collaborate on something this illegal probably would only ever do this just to say it could be done as a proof of concept. It's unlikely these highly skilled professionals would be unemployed and outspoken enough to say to their other unemployed colleague, "I have a way we could make some money." A little too Hollywood for the real world.
I have a larger thought brewing about these particular "issues" and if given enough time will probably write more about it here and possibly in some sort of thesis... unfortunately it's back to my day job for now. Just think, if I had gone to college someone might actually take me seriously.
Until later.
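For readers who want to see what two of the controls in the comment above look like in practice (one login for queries and a separate one for inserts, and a write-capable account that is only accepted from the accounting workstations during business hours), here is an added T-SQL example. It is not from the post, from Dark Reading, or from Microsoft; it assumes a SQL Server backend (which Dynamics GP uses), and the database name GPCompanyDB, the logins gp_reader and gp_writer, the 08:00 to 18:00 window and the two IP addresses are placeholders chosen for illustration.

```sql
-- Added example, not the post's or Microsoft's code. Assumes SQL Server;
-- GPCompanyDB, gp_reader, gp_writer, the hours and the IPs are placeholders.
USE master;
GO

-- 1. Split the shared account into a read-only login and an insert-only login.
CREATE LOGIN gp_reader WITH PASSWORD = '<reader-strong-password>', CHECK_POLICY = ON;
CREATE LOGIN gp_writer WITH PASSWORD = '<writer-strong-password>', CHECK_POLICY = ON;
GO

USE GPCompanyDB;   -- placeholder company database
GO
CREATE USER gp_reader FOR LOGIN gp_reader;
CREATE USER gp_writer FOR LOGIN gp_writer;

-- Reader: SELECT only, across the database.
ALTER ROLE db_datareader ADD MEMBER gp_reader;

-- Writer: INSERT only. With UPDATE and DELETE denied, a forged transaction
-- cannot be quietly edited or erased afterwards; it can only be reversed by
-- another row, which leaves a trail.
GRANT INSERT ON SCHEMA::dbo TO gp_writer;
DENY UPDATE, DELETE ON SCHEMA::dbo TO gp_writer;
GO

-- 2. "Banker's hours" for the write login: refuse gp_writer outside 08:00-18:00
--    server time, on weekends, or from any host other than the accounting PCs.
USE master;
GO
CREATE TRIGGER trg_gp_writer_window
ON ALL SERVER WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
    -- ClientHost is the connecting IP ("<local machine>" for local sessions).
    DECLARE @client nvarchar(128) =
        EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(128)');
    DECLARE @hour int = DATEPART(HOUR, GETDATE());

    IF ORIGINAL_LOGIN() = N'gp_writer'
       AND (   @hour < 8 OR @hour >= 18                          -- outside business hours
            OR DATEPART(WEEKDAY, GETDATE()) IN (1, 7)             -- weekend (assumes DATEFIRST = 7)
            OR @client NOT IN (N'10.20.30.41', N'10.20.30.42'))   -- placeholder accounting PCs
        ROLLBACK;  -- the connection is refused and the failed logon lands in the SQL error log
END;
GO
```

Two caveats a practitioner would want. A logon trigger runs for every connection, so keep the ORIGINAL_LOGIN() filter narrow and keep the dedicated admin connection (sqlcmd -A) available to drop the trigger if it misfires and locks people out. The transport half of the comment (SSL between client and database) is a server setting rather than SQL: enable Force Encryption on the server's network protocol and connect with Encrypt=Yes and TrustServerCertificate=No so the client actually validates the certificate instead of accepting any one presented.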
Labels:
Dark Reading,
Great Plains,
Hack,
Hackers,
Hacking,
Hacks,
IT Security,
Microsoft Dynamics,
Network Administration,
Network Security,
Project Mayhem,
Rebuttal,
SQL Injection,
SSL
Thursday, December 6, 2012
Beware of Bad Holiday Scheming
Okay, so I've had my eye on an iPad Mini since they came out. Smaller device, new form factor, I just want to check them out, and could use one for testing purposes. So I've noticed that on the Apple website when you try to make a purchase during the holidays around Black Friday that the really cool *new* items aren't on sale at all. They're at their regular prices.
So a couple of years ago I found a couple of ways around this. I've bought a few refurbished items from the Apple site at a considerable discount over the regular priced items. The idea of a second-hand, handheld device like an iPad, anything with a keyboard, and even Smart Phones skeeves me out, but luckily when Apple refurbishes an iPad or iPod they actually replace all of the pieces that you would touch with new parts (meaning you're not going to get a scratched touch-screen). This is cool because I can't bring myself to pay full-price for something I don't feel is worth it, and I'm sorry Apple, they're cool devices, but you're paying substandard wages to the people who make them, and they're imported so I shall not reward you. So that's one way to beat Apple at their own game (they still make the money, but not as much from me).
Another way is to check out Best Buy because when they have a Black Friday sale they DO put the Apple items on sale with the other items. This is great for things that aren't yet available as a refurbished item on the Apple store and for things like Apple's horrible excuse for a non-laptop, the Macbook Air (more about that at some other time), that WOULD be nasty to get as a refurbished item if they don't replace the keyboard. Having worked as a network administrator I can truly say YUCK!
So this brings me to the reasoning for this write-up today. Working in advertising and marketing for much of my career (my day job) I've developed a quick eye for bad math and tricks of the trade. Today I received an email that says "Save $25 on your Next Purchase when you use Store Pickup for an Order of $250 or More" at Best Buy. Here's the image from their email:
Seems like a good deal. I can save $25 on that not-yet-refurbished iPad Mini, which amounts to a little less than local sales tax, but it's a savings of sorts... right?
Wrong again.
Apparently the people at Best Buy don't understand the meaning of the word "NEXT."
According to their site:
"Here's how it works
- Place an order of $250 or more on BestBuy.com on Wednesday, December 5 through Saturday, December 8.
- During checkout, choose Store Pickup and select your store.
- The savings code will be e-mailed to you FOUR TO SEVEN DAYS AFTER your order has been picked up in store.
- Redeem your savings code in store or online on YOUR NEXT PURCHASE.
- Note: not all products are available for Store Pickup."
So yes, you're not saving anything AT ALL on your actual NEXT purchase because you have to make a purchase of $250 or more NOW before they take their sweet time to send you your savings code. Then you get a coupon or discount code (I would hope in the form of a $25 gift card but probably not) only AFTER you've made your purchase for the full price. I guess this is what happens when you don't have a marketing budget.
Hey Best Buy give me a call if you need any help understanding English or possibly want to hire someone who isn't out to trick people.
Until later keep an eye out for trickery.