Feed aggregator

The Illusion of Control in Web Design

A list Apart development site - Thu, 04/26/2018 - 09:02

We all want to build robust and engaging web experiences. We scrutinize every detail of an interaction. We spend hours getting the animation swing just right. We refactor our JavaScript to shave tiny fractions of a second off load times. We control absolutely everything we can, but the harsh reality is that we control less than we think.

Last week, two events reminded us, yet again, of how right Douglas Crockford was when he declared the web “the most hostile software engineering environment imaginable.” Both were serious enough to take down an entire site—actually hundreds of entire sites, as it turned out. And both were avoidable.

In understanding what we control (and what we don’t), we will build resilient, engaging products for our users.

What happened?

The first of these incidents involved the launch of Chrome 66. With that release, Google implemented a security patch with serious implications for folks who weren’t paying attention. You might recall that quite a few questionable SSL certificates issued by Symantec Corporation’s PKI began to surface early last year. Apparently, Symantec had subcontracted the creation of certificates without providing a whole lot of oversight. Long story short, the Chrome team decided the best course of action with respect to these potentially bogus (and security-threatening) SSL certificates was to set an “end of life” for accepting them as secure. They set Chrome 66 as the cutoff.

So, when Chrome 66 rolled out (an automatic, transparent update for pretty much everyone), suddenly any site running HTTPS on one of these certificates would no longer be considered secure. That’s a major problem if the certificate in question is for our primary domain, but it’s also a problem it’s for a CDN we’re using. You see, my server may be running on a valid SSL certificate, but if I have my assets—images, CSS, JavaScript—hosted on a CDN that is not secure, browsers will block those resources. It’s like CSS Naked Day all over again.

To be completely honest, I wasn’t really paying attention to this until Michael Spellacy looped me in on Twitter. Two hundred of his employer’s sites were instantly reduced to plain old semantic HTML. No CSS. No images. No JavaScript.

The second incident was actually quite similar in that it also involved SSL, and specifically the expiration of an SSL certificate being used by jQuery’s CDN. If a site relied on that CDN to serve an HTTPS-hosted version of jQuery, their users wouldn’t have received it. And if that site was dependent on jQuery to be usable … well, ouch!

For what it’s worth, this isn’t the first time incidents like these have occurred. Only a few short years ago, Sky Broadband’s parental filter dramatically miscategorized the jQuery CDN as a source of malware. With that designation in place, they spent the better part of a day blocking all requests for resources on that domain, affecting nearly all of their customers.

It can be easy to shrug off news like this. Surely we’d make smarter implementation decisions if we were in charge. We’d certainly have included a local copy of jQuery like the good Boilerplate tells us to. The thing is, even with that extra bit of protection in place, we’re falling for one of the most attractive fallacies when it comes to building for the web: that we have control.

Lost in transit?

There are some things we do control on the web, but they may be fewer than you think. As a solo dev or team lead, we have considerable control over the HTML, CSS, and JavaScript code that ultimately constructs our sites. Same goes for the tools we use and the hosting solutions we’ve chosen. Of course, that control lessens on large teams or when others are calling the shots, though in those situations we still have an awareness of the coding conventions, tooling, and hosting environment we’re working with. Once our carefully-crafted code leaves our servers, however, all bets are off.

First off, we don’t—at least in the vast majority of cases—control the network our code traverses to reach our users. Ideally our code takes an optimized path so that it reaches its destination quickly, yet any one of the servers along that path can read and manipulate the code. If you’ve heard of “man-in-the-middle” attacks, this is how they happen.

For example, certain providers have no qualms about injecting their own advertising into your pages. Gross, right? HTTPS is one way to stop this from happening (and to prevent servers from being able to snoop on our traffic), but some providers have even found a way around that. Sigh.

Lost in translation?

Assuming no one touches our code in transit, the next thing standing between our users and our code is the browser. These applications are the gateways to (and gatekeepers of) the experiences we build on the web. And, even though the last decade has seen browser vendors coalesce around web standards, there are still differences to consider. Those differences are yet another factor that will make or break the experience our users have.

While every browser vendor supports the idea and ongoing development of standards, they do so at their own pace and very much in relation to their business interests. They prioritize features that help them meet their own goals and can sometimes be reluctant or slow to implement new features. Occasionally, as happened with CSS Grid, everyone gets on board rather quickly, and we can see a new spec go from draft to implementation within a single calendar year. Others, like Service Worker, can take hold quickly in a handful of browsers but take longer to roll out in others. Still others, like Pointer Events, might get implemented widely, only to be undermined by one browser’s indifference.

All of this is to say that the browser landscape is much like the Great Plains of the American Midwest: from afar it looks very even, but walking through it we’re bound to stumble into a prairie dog burrow or two. And to successfully navigate the challenges posed by the browser environment, it pays to get familiar with where those burrows lie so we don’t lose our footing. Object detection … font stacks … media queries … feature detection … these tools (and more) help us ensure our work doesn’t fall over in less-than-ideal situations.

Beyond standards support, it’s important to recognize that some browsers include optimizations that can affect the delivery of your code. Opera Mini and Amazon’s Silk are examples of the class of browser often referred to as proxy browsers. Proxy browsers, as their name implies, position their own proxy servers in between our domains and the end user. They use these servers to do things like optimize images, simplify markup, and jettison unsupported JavaScript in the interest of slimming the download size of our pages. Proxy browsers can be a tremendous help for users paying for downloads by the bit, especially given our penchant for increasing web page sizes year upon year.

If we don’t consider how these browsers can affect our pages, our site may simply collapse and splay its feet in the air like a fainting goat. Consider this JavaScript taken from an example I threw up on Codepen:

document.body.innerHTML += '<p>Can I count to four?</p>'; for (let i=1; i<=4; i++) { document.body.innerHTML += '<p>' + i + '</p>'; } document.body.innerHTML += '<p>Success!</p>';

This code is designed to insert several paragraphs into the current document and, when executed, produces this:

Can I count to four? 1 2 3 4 Success!

Simple enough, right? Well, yes and no. You see, this code makes use of the let keyword, which was introduced in ECMAScript 2015 (a.k.a. ES6) to enable block-level variable scoping. It will work a treat in browsers that understand let. However, any browsers that don’t understand let will have no idea what to make of it and won’t execute any of the JavaScript—not even the parts they do understand—because they don’t know how to interpret the program. Users of Opera Mini, Internet Explorer 10, QQ, and Safari 9 would get nothing.

This is a relatively simplistic example, but it underscores the fragility of JavaScript. The UK’s GDS ran a study to determine how many of their users didn’t get JavaScript enhancements and discovered that 0.9% of their users who should have received them—in other words, their browser supported JavaScript and they had not turned it off—didn’t for some reason. Add in the 0.2% of users whose browsers did not support JavaScript or who had turned it off, and the total non-JavaScript constituency was 1.1%, or 1 in every 93 people who visit their site.

It’s worth keeping in mind that browsers must understand the entirety of our JavaScript before they can execute it. This may not be a big deal if we write all of our own JavaScript (though we all occasionally make mistakes), but it becomes a big deal when we include third-party code like JavaScript libraries, advertising code, or social media buttons. Errors in any of those codebases can cause problems for our users.

Browser plugins are another form of third-party code that can negatively affect our sites. And they’re ones we don’t often consider. Back in the early ’00s, I remember spending hours trying to diagnose a site issue reported by one of my clients, only to discover it only occurred when using a particular plugin. Anger and self-doubt were wreaking havoc on me as I failed time and time again to reproduce the error my client was experiencing. It took me traveling the two hours to her office and sitting down at her desk to discover the difference between her setup and mine: a third-party browser toolbar.

We don’t have the luxury of traveling to our users’ homes and offices to determine if and when a browser plugin is hobbling our creations. Instead, the best defense against the unknowns of the browsing environment is to always design our sites with a universally usable baseline.

Lost in interpretation?

Regardless of everything discussed so far, when our carefully crafted website finally reaches its destination, it has one more potential barrier to success: us. Specifically, our users. More broadly, people. Unless our product is created solely for the consumption of some other life form or machine, we’ve got to consider the ultimate loss of control when we cede it to someone else.

Over the course of my twenty years of building websites for customers, I’ve always had the plaintive voice of Clerks’ Randal Graves in the back of my head: “This job would be great if it wasn’t for the f—ing customers.” I’m not happy about that. It’s an arrogant position (surely), yet an easy one to lapse into.

People are so needy. Wouldn’t it be great if we could just focus on ourselves?

No, that wouldn’t be good at all.

When we design and build for people like us, we exclude everyone who isn’t like us. And that’s most people. I’m going to put on my business hat here—Fedora? Bowler? Top hat?—and say that artificially limiting our customer base is probably not in our company’s best interest. Not only will it limit our potential revenue growth, it could actually reduce our income if we become the target of a legal complaint by an excluded party.

Our efforts to build robust experiences on the web must account for the actual people that use them (or may want to use them). That means ensuring our sites work for people who experience motor impairments, vision impairments, hearing impairments, vestibular disorders, and other things we aggregate under the heading of “accessibility.” It also means ensuring our sites work well for users in a variety of contexts: on large screens, small screens, even in-between screens. Via mouse, keyboard, stylus, finger, and even voice. In dark, windowless offices, glass-walled conference rooms, and out in the midday sun. Over blazingly fast fiber and painfully slow cellular networks. Wherever people are, however they access the web, whatever special considerations need to be made to accommodate them … we should build our products to support them.

That may seem like a tall order, but consider this: removing access barriers for one group has a far-reaching ripple effect that benefits others. The roadside curb cut is an example we often cite. It was originally designed for wheelchair access, but stroller-pushing parents, children on bicycles, and even that UPS delivery person hauling a tower of Amazon boxes down Seventh Avenue all benefit from that rather simple consideration.

Maybe you’re more of a numbers person. If so, consider designing your interface such that it’s easier to use by someone who only has use of one arm. Every year, about 26,000 people in the U.S. permanently lose the use of an upper extremity. That’s a drop in the bucket compared to an overall population of nearly 326 million people. But that’s a permanent impairment. There are two other forms of impairment to consider: temporary and situational. Breaking your arm can mean you lose use of that hand—maybe your dominant one—for a few weeks. About 13 million Americans suffer an arm injury like this every year. Holding a baby is a situational impairment in that you can put it down and regain use of your arm, but the feasibility of that may depend greatly on the baby’s temperament and sleep schedule. About 8 million Americans welcome this kind of impairment—sweet and cute as it may be—into their home each year, and this particular impairment can last for over a year. All of this is to say that designing an interface that’s usable with one hand (or via voice) can help over 21 million more Americans (about 6% of the population) effectively use your service.

Finally, and in many ways coming full circle, there’s the copy we employ. Clear, well-written, and appropriate copy is the bedrock of great experiences on the web. When we draft copy, we should do so with a good sense of how our users talk to one another. That doesn’t mean we should pepper our legalese with slang, but it does mean we should author copy that is easily understood. It should be written at an appropriate reading level, devoid of unnecessary jargon and idioms, and approachable to both native and non-native speakers alike. Nestled in the gentle embrace of our (hopefully) semantic, server-rendered HTML, the copy we write is one of the only experiences of our sites we can pretty much guarantee our users will have.

Old advice, still relevant

Recognizing all of the ways our carefully-crafted experiences can be rendered unusable can be more than a little disheartening. No one likes to spend their time thinking about failure. So don’t. Don’t focus on all of the bad things you can’t control. Focus on what you can control.

Start simply. Code defensively. User-test the heck out of it. Recognize the chaos. Embrace it. And build resilient web experiences that will work no matter what the internet throws at them.

Categories: Technology

IBM Spectrum Scale Best Practices for Genomics Medicine Workloads

IBM Redbooks Site - Wed, 04/25/2018 - 09:30
Redpaper, published: Wed, 25 Apr 2018

Advancing the science of medicine by targeting a disease more precisely with treatment specific to each patient relies on access to that patient's genomics information and the ability to process massive amounts of genomics data quickly.

Categories: Technology

Quick access to your most important notes

iPhone J.D. - Tue, 04/24/2018 - 23:07

Apple's built-in Notes app on the iPhone and iPad is a powerful and well-designed app.  It works great as a quick place to jot down a note that you may only refer to once in the future, but it also works well as a place to store important information that you need to refer to from time to time.  For example, I have a note with the file numbers for all of the cases that I'm working on, a note of the items that I frequently pack when I take a trip (so that I can review the list and make sure I'm not forgetting anything whenever I prepare to travel), a note listing the team members on my daughter's soccer team, a note to keep track of the James Bond movies I'm watching with my kids (next on our list is Goldeneye from 1995), and many more.  Here are two tips which make it faster and easier to bring up specific notes that you want to access the most often.

Pinned Notes

In the Settings app, you can choose to sort notes by the date edited, date created, or title.  I have mine set to the date edited, which usually makes the most sense for me.  Chose whatever method you think will make it easiest for you to find your notes.

 

Sorting by date is often helpful for me, but there are some notes that I don't edit very often (so they are not near the top) but which I am most likely to want to view.  Apple has a solution for this called Pinned Notes.  When you are looking at your list of notes, if you swipe from left to right on a note, you will see a pin icon.  Keep dragging to the right to turn on the pin.  That will move the note to the very top of your list of Notes.

 

The same left-to-right swipe can be used to remove a pin.  Pinning notes is a useful way to keep your most important notes at the top of your list, regardless of the sort order that you selected in Settings.

Jump directly to a note

If you want to get a little more sophisticated, you can use one of the iPhone apps that have an automation feature to create a shortcut to jump to a specific note, no matter where it is in your list.  I briefly mentioned this tip on April 13, 2018 when I linked to an article by Federico Viticci of MacStories, and today I'm providing more details on how it works.  In this example, I'm using the Launch Center Pro app, a $4.99 app which I last reviewed back in 2012.  (The app has improved a lot since then, but that old post will still give you a general idea of what the app does.)

First, you need to get an iCloud URL for your specific note.  To get that, look at a note and tap the share button at the top right of the screen — the icon with a circle around a generic person with a plus sign.

The next screen says Add People.  Tap on the icon near the bottom that says Copy Link.  Then on the next screen, tap Copy Link at the top right, and then you can tap Cancel because you are not going to actually email that link to anyone.

 

Open the Launch Center Pro app, tap the pencil at the top right to enter Edit mode, and then tap the plus sign in any empty location and create a new Action.  In the next screen, type whatever title you want in the Name field, and then paste into the URL field the contents of your clipboard, which will be the iCloud.com URL for your specific note.  The default icon is the Safari icon, but feel free to change it to something more meaningful to you if you want.


That's it.  Now, whenever you want to access your specific note, you can open the Launch Center Pro app and tap the icon for your note.  That will cause the Notes app to open, and then your specific note will come up, no matter where it is located in your list of notes.

If you want an even faster way to launch your specific note, use Quick Actions.  In the Launch Center Pro app, tap the gear at the top left to open up the app settings.  Then tap Quick Actions and add the shortcut you just created to the QUICK ACTION WIDGET setting.  As long as it is in the first row of icons, in the future, you can 3D Touch on the Launch Center Pro icon on your home screen, and then select the icon for your note.  This will jump you directly to your note without even having to fully open the Launch Center Pro app.

The Notes app is a useful place to store tons of different notes.  With these two tips, you can directly access your most important notes quickly and easily.

Categories: iPhone Web Sites

IBM Spectrum Scale Functionality to Support GDPR Requirements

IBM Redbooks Site - Tue, 04/24/2018 - 09:30
Redpaper, published: Tue, 24 Apr 2018

The role of the IT solutions is to enforce the correct handling of personal data using processes developed by the establishment.

Categories: Technology

Networking Design for HPC and AI on IBM Power Systems

IBM Redbooks Site - Fri, 04/20/2018 - 09:30
Draft Redpaper, last updated: Fri, 20 Apr 2018

This publication provides information about networking design for IBM® High Performance Computing (HPC) and AI for Power Systems™.

Categories: Technology

In the news

iPhone J.D. - Thu, 04/19/2018 - 23:35

Earlier this week, I discussed the new GrayKey device which can supposedly unlock an iPhone even without the password, given enough time.  In an article for Motherboard, Lorenzo Franceschi-Bicchierai and Joseph Cox note that Apple has a feature in beta which frustrates GrayKey because a police officer must plug in an iPhone to the GrayKey device within one week of the iPhone last being unlocked.  Of course, it would be easier for law enforcement if they could just compel a suspect to unlock his iPhone.  In an article for The Volokh Conspiracy, USC Law Professor Orin Kerr discusses two recent opinions on this topic from federal magistrate judges.  Additionally, Former FBI Director James Comey has a new book out this week, in case you have been living under a rock and haven't heard yet.  Obviously, the parts concerning President Trump are getting the most attention, but Ben Lovejoy of 9to5Mac notes that the book also offers Comey's perspective on the FBI's efforts to force Apple to unlock iPhones.  iPhone security and privacy is a big issue that is going to remain in the news for a long time.  And now, the other news of note from the past week:

  • The Drafts app was updated to version 5 this week.  California attorney David Sparks is a big fan, and he explains why in this article and even includes some videos showing how to use the app.  Tim Nahumck of MacStories also wrote a comprehensive review of Drafts 5.  Given the enthusiasm that many have for this app, I downloaded it and I'm starting to try it out.  So far, I'm not really seeing how this app fits into my life, but I'll keep trying it and I haven't given up on it yet.
  • Cult of Mac has started a series of articles to recommend 50 essential iOS apps.  The first two apps recommended — Deliveries (my reviews:  1, 2) and Dark Sky Weather are excellent, so I look forward to the future installments in this series.
  • Andrew Orr of the Mac Observer offers some good advice for what to do if your iPhone is stolen.  Read the article now while you are calm and collected, and hopefully you will remember these steps should misfortune shine upon you.
  • In an article in Macworld, security expert Glenn Fleishman offers advice for how to recover your iCloud account if you have two-factor authentication turned on (which I recommend) and one of your authentication methods goes missing.  Read this article now while you are calm and collected ... you know the rest.
  • Andrew O'Hara of AppleInsider reviews the CordDock iPhone dock by ElevationLab, and he notes that it is different from most other docks.
  • Ed Hardy of Cult of Mac notes that the Dropbox app has been updated to work better on the iPad.
  • If you find yourself at a McDonald's today (or next Friday), you can pay with Apple Pay and get a free Medium order of fries.  Mitchel Broussard of MacRumors has the details; for example, you have to order using the McDonald's app.
  • To make up for eating at McDonald's today, on Sunday you can do a 30 minute workout with your Apple Watch and earn the Earth Day Challenge badge.  Once again, Mitchel Broussard of MacRumors has the details.  And then, after all of that working out, you can relax on Sunday night by doing what I will be doing:  watching the new season of Westworld on HBO, which Lee Hutchinson of Ars Technica writes about in this spoiler-free review of Season 2.
  • And finally, Serenity Caldwell of iMore prepared a review of the 2018 version of the 9.7" iPad.  But instead of preparing a written review like I would do, or preparing a traditional video review, she decided to show off what this iPad can do by filming the screen while she walked through various tasks.  She even created the soundtrack in Garage Band on the iPad, and managed to incorporate a few seconds of video of her as a young girl using a Mac.  Combine all of this work with the fact that she is a talented artist, and the final product is impressive.  Here is her video:

Categories: iPhone Web Sites

Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege

Google Project Zero - Wed, 04/18/2018 - 13:54
Posted by James Forshaw, Project Zero
Previously I presented a technique to exploit arbitrary directory creation vulnerabilities on Windows to give you read access to any file on the system. In the upcoming Spring Creators Update (RS4) the abuse of mount points to link to files as I exploited in the previous blog post has been remediated. This is an example of a long term security benefit from detailing how vulnerabilities might be exploited, giving a developer an incentive to find ways of mitigating the exploitation vector.
Keeping with that spirit in this blog post I’ll introduce a novel technique to exploit the more common case of arbitrary file writes on Windows 10. Perhaps once again Microsoft might be able to harden the OS to make it more difficult to exploit these types of vulnerabilities. I’ll demonstrate exploitation by describing in detail the recently fixed issue that Project Zero reported to Microsoft (issue 1428).
An arbitrary file write vulnerability is where a user can create or modify a file in a location they could not normally access. This might be due to a privileged service incorrectly sanitizing information passed by the user or due to a symbolic link planting attack where the user can write a link into a location which is subsequently used by the privileged service. The ideal vulnerability is one where the attacking user not only controls the location of the file being written but also the entire contents. This is the type of vulnerability we’ll consider in this blog post. A common way of exploiting arbitrary file writes is to perform DLL hijacking. When a Windows executable begins executing the initial loader in NTDLL will attempt to find all imported DLLs. The locations that the loader checks for imported DLLs are more complex than you’d expect but for our purposes can be summarized as follows:

  1. Check Known DLLs, which is a pre-cached list of DLLs which are known to the OS. If found, the DLL is mapped into memory from a pre-loaded section object.
  2. Check the application’s directory, for example if importing TEST.DLL and the application is in C:\APP then it will check C:\APP\TEST.DLL.
  3. Check the system locations, such as C:\WINDOWS\SYSTEM32 and C:\WINDOWS.
  4. If all else fails search the current environment PATH.

The aim of the DLL hijack is to find an executable which runs at a high privilege which will load a DLL from a location that the vulnerability allows us to write to. The hijack only succeeds if the DLL hasn’t already been found in a location checked earlier.
There are two problems which make DLL hijacking annoying:
  1. You typically need to create a new instance of a privileged process as the majority of DLL imports are resolved when the process is first executed.
  2. Most system binaries, executables and DLLs that will run as a privileged user will be installed into SYSTEM32.

The second problem means that in steps 2 and 3 the loader will always look for DLLs in SYSTEM32. Assuming that overwriting a DLL isn’t likely to be an option (at the least if the DLL is already loaded you can’t write to the file), that makes it harder to find a suitable DLL to hijack. A typical way around these problems is to pick an executable that is not located in SYSTEM32 and which can be easily activated, such as by loading a COM server or running a scheduled task.
Even if you find a suitable target executable to DLL hijack the implementation can be quite ugly. Sometimes you need to implement stub exports for the original DLL, otherwise the loading of the DLL will fail. In other cases the best place to run code is during DllMain, which introduces other problems such as running code inside the loader lock. What would be nice is a privileged service that will just load an arbitrary DLL for us, no hijacking, no needing to spawn the “correct” privileged process. The question is, does such a service exist?
It turns out yes one does, and the service itself has been abused at least twice previously, once by Lokihardt for a sandbox escape, and once by me for user to system EoP. This service goes by the name “Microsoft (R) Diagnostics Hub Standard Collector Service,” but we’ll call it DiagHub for short.
The DiagHub service was introduced in Windows 10, although there’s a service that performs a similar task called IE ETW Collector in Windows 7 and 8.1. The purpose of the service is to collect diagnostic information using Event Tracing for Windows (ETW) on behalf of sandboxed applications, specifically Edge and Internet Explorer. One of its interesting features is that it can be configured to load an arbitrary DLL from the SYSTEM32 directory, which is the exact feature that Lokihardt and I exploited to gain elevated privileges. All the functionality for the service is exposed over a registered DCOM object, so in order to load our DLL we’ll need to work out how to call methods on that DCOM object. At this point you can skip to the end but if you want to understand how I would go about finding how the DCOM object is implemented, the next section might be of interest.Reverse Engineering a DCOM ObjectLet’s go through the steps I would take to try and find what interfaces an unknown DCOM object supports and find the implementation so we can reverse engineer them. There are two approaches I will typically take, go straight for RE in IDA Pro or similar, or do some on-system inspection first to narrow down the areas we have to investigate. Here we’ll go for the second approach as it’s more informative. I can’t say how Lokihardt found his issue; I’m going to opt for magic.
For this approach we’ll need some tools, specifically my OleViewDotNet v1.4+ (OVDN) tool from github as well as an installation of WinDBG from the SDK. The first step is to find the registration information for the DCOM object and discover what interfaces are accessible. We know that the DCOM object is hosted in a service so once you’ve loaded OVDN go to the menu Registry ⇒ Local Services and the tool will load a list of registered system services which expose COM objects. If you now find the  “Microsoft (R) Diagnostics Hub Standard Collector Service” service (applying a filter here is helpful) you should find the entry in the list. If you open the service tree node you’ll see a child, “Diagnostics Hub Standard Collector Service,” which is the hosted DCOM object. If you open that tree node the tool will create the object, then query for all remotely accessible COM interfaces to give you a list of interfaces the object supports. I’ve shown this in the screenshot below:

While we’re here it’s useful to inspect what security is required to access the DCOM object. If you right click the class treenode you can select View Access Permissions or View Launch Permissions and you’ll get a window that shows the permissions. In this case it shows that this DCOM object will be accessible from IE Protected Mode as well as Edge’s AppContainer sandbox, including LPAC.

Of the list of interfaces shown we only really care about the standard interfaces. Sometimes there are interesting interfaces in the factory but in this case there aren’t. Of these standard interfaces there are two we care about, the IStandardCollectorAuthorizationService and IStandardCollectorService. Just to cheat slightly I already know that it’s the IStandardCollectorService service we’re interested in, but as the following process is going to be the same for each of the interfaces it doesn’t matter which one we pick first. If you right click the interface treenode and select Properties you can see a bit of information about the registered interface.

There’s not much more information that will help us here, other than we can see there are 8 methods on this interface. As with a lot of COM registration information, this value might be missing or erroneous, but in this case we’ll assume it’s correct. To understand what the methods are we’ll need to track down the implementation of IStandardCollectorService inside the COM server. This knowledge will allow us to target our RE efforts to the correct binary and the correct methods. Doing this for an in-process COM object is relatively easy as we can query for an object’s VTable pointer directly by dereferencing a few pointers. However, for out-of-process it’s more involved. This is because the actual in-process object you’d call is really a proxy for the remote object, as shown in the following diagram:

All is not lost, however; we can still find the the VTable of the OOP object by extracting the information stored about the object in the server process. Start by right clicking the “Diagnostics Hub Standard Collector Service” object tree node and select Create Instance. This will create a new instance of the COM object as shown below:

The instance gives you basic information such as the CLSID for the object which we’ll need later (in this case {42CBFAA7-A4A7-47BB-B422-BD10E9D02700}) as well as the list of supported interfaces. Now we need to ensure we have a connection to the interface we’re interested in. For that select the IStandardCollectorService interface in the lower list, then in the Operations menu at the bottom select Marshal ⇒ View Properties. If successful you’ll now see the following new view:

There’s a lot of information in this view but the two pieces of most interest are the Process ID of the hosting service and the Interface Pointer Identifier (IPID). In this case the Process ID should be obvious as the service is running in its own process, but this isn’t always the case—sometimes when you create a COM object you’ve no idea which process is actually hosting the COM server so this information is invaluable. The IPID is the unique identifier in the hosting process for the server end of the DCOM object; we can use the Process ID and the IPID in combination to find this server and from that find out the location of the actual VTable implementing the COM methods. It’s worth noting that the maximum Process ID size from the IPID is 16 bits; however, modern versions of Windows can have much larger PIDs so there’s a chance that you’ll have to find the process manually or restart the service multiple times until you get a suitable PID.
Now we’ll use a feature of OVDN which allows us to reach into the memory of the server process and find the IPID information. You can access information about all processes through the main menu Object ⇒ Processes but as we know which process we’re interested in just click the View button next to the Process ID in the marshal view. You do need to be running OVDN as an administrator otherwise you’ll not be able to open the service process. If you’ve not done so already the tool will ask you to configure symbol support as OVDN needs public symbols to find the correct locations in the COM DLLs to parse. You’ll want to use the version of DBGHELP.DLL which comes with WinDBG as that supports remote symbol servers. Configure the symbols similar to the following dialog:

If everything is correctly configured and you’re an administrator you should now see more details about the IPID, as shown below:

The two most useful pieces of information here are the Interface pointer, which is the location of the heap allocated object (in case you want to inspect its state), and the VTable pointer for the interface. The VTable address gives us information for where exactly the COM server implementation is located. As we can see here the VTable is located in a different module (DiagnosticsHub.StandardCollector.Runtime) from the main executable (DiagnosticsHub.StandardCollector.Server). We can verify the VTable address is correct by attaching to the service process using WinDBG and dumping the symbols at the VTable address. We also know from before we’re expecting 8 methods so we can take that into account by using the command:
dqs DiagnosticsHub_StandardCollector_Runtime+0x36C78 L8
Note that WinDBG converts periods in a module name to underscores. If successful you’ll see the something similar to the following screenshot:

Extracting out that information we now get the name of the methods (shown below) as well as the address in the binary. We could set breakpoints and see what gets called during normal operation, or take this information and start the RE process.
ATL::CComObject<StandardCollectorService>::QueryInterfaceATL::CComObjectCached<StandardCollectorService>::AddRefATL::CComObjectCached<StandardCollectorService>::ReleaseStandardCollectorService::CreateSessionStandardCollectorService::GetSessionStandardCollectorService::DestroySessionStandardCollectorService::DestroySessionAsyncStandardCollectorService::AddLifetimeMonitorProcessIdForSession
The list of methods looks correct: they start with the 3 standard methods for a COM object, which in this case are implemented by the ATL library. Following those methods are five implemented by the StandardCollectorService class. Being public symbols, this doesn’t tell us what parameters we expect to pass to the COM server. Due to C++ names containing some type information, IDA Pro might be able to extract that information for you, however that won’t necessarily tell you the format of any structures which might be passed to the function. Fortunately due to how COM proxies are implemented using the Network Data Representation (NDR) interpreter to perform marshalling, it’s possible to reverse the NDR bytecode back into a format we can understand. In this case go back to the original service information, right click the IStandardCollectorService treenode and select View Proxy Definition. This will get OVDN to parse the NDR proxy information and display a new view as shown below.

Viewing the proxy definition will also parse out any other interfaces which that proxy library implements. This is likely to be useful for further RE work. The decompiled proxy definition is shown in a C# like pseudo code but it should be easy to convert into working C# or C++ as necessary. Notice that the proxy definition doesn’t contain the names of the methods but we’ve already extracted those out. So applying a bit of cleanup and the method names we get a definition which looks like the following:
[uuid("0d8af6b7-efd5-4f6d-a834-314740ab8caa")]
struct IStandardCollectorService : IUnknown {
   HRESULT CreateSession(_In_ struct Struct_24* p0,
                         _In_ IStandardCollectorClientDelegate* p1,
                         _Out_ ICollectionSession** p2);
   HRESULT GetSession(_In_ GUID* p0, _Out_ ICollectionSession** p1);
   HRESULT DestroySession(_In_ GUID* p0);
   HRESULT DestroySessionAsync(_In_ GUID* p0);
   HRESULT AddLifetimeMonitorProcessIdForSession(_In_ GUID* p0, [In] int p1);
}
There’s one last piece missing; we don’t know the definition of the Struct_24 structure. It’s possible to extract this from the RE process but fortunately in this case we don’t have to. The NDR bytecode must know how to marshal this structure across so OVDN just extracts the structure definition out for us automatically: select the Structures tab and find Struct_24.

As you go through the RE process you can repeat this process as necessary until you understand how everything works. Now let’s get to actually exploiting the DiagHub service and demonstrating its use with a real world exploit.Example ExploitSo after our efforts of reverse engineering, we’ll discover that in order to to load a DLL from SYSTEM32 we need to do the following steps:
  1. Create a new Diagnostics Session using IStandardCollectorService::CreateSession.
  2. Call the ICollectionSession::AddAgent method on the new session, passing the name of the DLL to load (without any path information).

The simplified loading code for ICollectionSession::AddAgent is as follows:
void EtwCollectionSession::AddAgent(LPWCSTR dll_path,
                                   REFGUID guid) {
 WCHAR valid_path[MAX_PATH];
 if ( !GetValidAgentPath(dll_path, valid_path)) {
   return E_INVALID_AGENT_PATH;
 HMODULE mod = LoadLibraryExW(valid_path,
       nullptr, LOAD_WITH_ALTERED_SEARCH_PATH);
 dll_get_class_obj = GetProcAddress(hModule, "DllGetClassObject");
 return dll_get_class_obj(guid);
}
We can see that it checks that the agent path is valid and returns a full path (this is where the previous EoP bugs existed, insufficient checks). This path is loading using LoadLibraryEx, then the DLL is queried for the exported method DllGetClassObject which is then called. Therefore to easily get code execution all we need is to implement that method and drop the file into SYSTEM32. The implemented DllGetClassObject will be called outside the loader lock so we can do anything we want. The following code (error handling removed) will be sufficient to load a DLL called dummy.dll.
IStandardCollectorService* service;
CoCreateInstance(CLSID_CollectorService, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&service));

SessionConfiguration config = {};
config.version = 1;
config.monitor_pid = ::GetCurrentProcessId();
CoCreateGuid(&config.guid);
config.path = ::SysAllocString(L"C:\Dummy");
ICollectionSession* session;
service->CreateSession(&config, nullptr, &session);

GUID agent_guid;
CoCreateGuid(&agent_guid);
session->AddAgent(L"dummy.dll", agent_guid);
All we need now is the arbitrary file write so that we can drop a DLL into SYSTEM32, load it and elevate our privileges. For this I’ll demonstrate using a vulnerability I found in the SvcMoveFileInheritSecurity RPC method in the system Storage Service. This function caught my attention due to its use in an exploit for a vulnerability in ALPC discovered and presented by Clément Rouault & Thomas Imbert at PACSEC 2017. While this method was just a useful exploit primitive for the vulnerability I realized it has not one, but two actual vulnerabilities lurking in it (at least from a normal user privilege). The code prior to any fixes for SvcMoveFileInheritSecurity looked like the following:
void SvcMoveFileInheritSecurity(LPCWSTR lpExistingFileName,
                               LPCWSTR lpNewFileName,
                               DWORD dwFlags) {
 PACL pAcl;
 if (!RpcImpersonateClient()) {
   // Move file while impersonating.
   if (MoveFileEx(lpExistingFileName, lpNewFileName, dwFlags)) {
     RpcRevertToSelf();
     // Copy inherited DACL while not.
     InitializeAcl(&pAcl, 8, ACL_REVISION);
     DWORD status = SetNamedSecurityInfo(lpNewFileName, SE_FILE_OBJECT,
         UNPROTECTED_DACL_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
         nullptr, nullptr, &pAcl, nullptr);
       if (status != ERROR_SUCCESS)
         MoveFileEx(lpNewFileName, lpExistingFileName, dwFlags);
   }
   else {
     // Copy file instead...
     RpcRevertToSelf();
   }
 }
}
The purpose of this method seems to be to move a file then apply any inherited ACE’s to the DACL from the new directory location. This would be necessary as when a file is moved on the same volume, the old filename is unlinked and the file is linked to the new location. However, the new file will maintain the security assigned from its original location. Inherited ACEs are only applied when a new file is created in a directory, or as in this case, the ACEs are explicitly applied by calling a function such as SetNamedSecurityInfo.
To ensure this method doesn’t allow anyone to move an arbitrary file while running as the service’s user, which in this case is Local System, the RPC caller is impersonated. The trouble starts immediately after the first call to MoveFileEx, the impersonation is reverted and SetNamedSecurityInfo is called. If that call fails then the code calls MoveFileEx again to try and revert the original move operation. This is the first vulnerability; it’s possible that the original filename location now points somewhere else, such as through the abuse of symbolic links. It’s pretty easy to cause SetNamedSecurityInfo to fail, just add a Deny ACL for Local System to the file’s ACE for WRITE_DAC and it’ll return an error which causes the revert and you get an arbitrary file creation. This was reported as issue 1427.
This is not in fact the vulnerability we’ll be exploiting, as that would be too easy. Instead we’ll exploit a second vulnerability in the same code: the fact that we can get the service to call SetNamedSecurityInfo on any file we like while running as Local System. This can be achieved either by abusing the impersonated device map to redirect the local drive letter (such as C:) when doing the initial MoveFileEx, which then results in lpNewFileName pointing to an arbitrary location, or more interestingly abusing hard links. This was reported as issue 1428. We can exploit this using hard links as follows:

  1. Create a hard link to a target file in SYSTEM32 that we want to overwrite. We can do this as you don’t need to have write privileges to a file to create a hard link to it, at least outside of a sandbox.
  2. Create a new directory location that has an inheritable ACE for a group such as Everyone or Authenticated Users to allow for modification of any new file. You don’t even typically need to do this explicitly; for example, any new directory created in the root of the C: drive has an inherited ACE for Authenticated Users. Then a request can be made to the RPC service to move the hardlinked file to the new directory location. The move succeeds under impersonation as long as we have FILE_DELETE_CHILD access to the original location and FILE_ADD_FILE in the new location, which we can arrange.
  3. The service will now call SetNamedSecurityInfo on the moved hardlink file. SetNamedSecurityInfo will pick up the inherited ACEs from the new directory location and apply them to the hardlinked file. The reason the ACEs are applied to the hardlinked file is from the perspective of SetNamedSecurityInfo the hardlinked file is in the new location, even though the original target file we linked to was in SYSTEM32.

By exploiting this we can modify the security of any file that Local System can access for WRITE_DAC access. Therefore we can modify a file in SYSTEM32, then use the DiagHub service to load it. There is a slight problem, however. The majority of files in SYSTEM32 are actually owned by the TrustedInstaller group and so cannot be modified, even by Local System. We need to find a file we can write to which isn’t owned by TrustedInstaller. Also we’d want to pick a file that won’t cause the OS install to become corrupt. We don’t care about the file’s extension as AddAgent only checks that the file exists and loads it with LoadLibraryEx. There are a number of ways we can find a suitable file, such as using the SysInternals AccessChk utility, but to be 100% certain that the Storage Service’s token can modify the file we’ll use my NtObjectManager PowerShell module (specifically its Get-AccessibleFile cmdlet, which accepts a process to do the access check from). While the module was designed for checking accessible files from a sandbox, it also works to check for files accessible by privileged services. If you run the following script as an administrator with the module installed the $files variable will contain a list of files that the Storage Service has WRITE_DAC access to.
Import-Module NtObjectManager

Start-Service -Name "StorSvc"
Set-NtTokenPrivilege SeDebugPrivilege | Out-Null
$files = Use-NtObject($p = Get-NtProcess -ServiceName "StorSvc") {
   Get-AccessibleFile -Win32Path C:\Windows\system32 -Recurse `
    -MaxDepth 1 -FormatWin32Path -AccessRights WriteDac -CheckMode FilesOnly
}
Looking through the list of files I decided to pick on the file license.rtf, which contains a short license statement for Windows. The advantage of this file is it’s very likely to be not be critical to the operation of the system and so overwriting it shouldn’t cause the installation to become corrupted.
So putting it all together:
  1. Use the Storage Service vulnerability to change the security of the license.rtf file inside SYSTEM32.
  2. Copy a DLL, which implements DllGetClassObject over the license.rtf file.
  3. Use the DiagHub service to load our modified license file as a DLL, get code execution as Local System and do whatever we want.

If you’re interested in seeing a fully working example, I’ve uploaded a full exploit to the original issue on the tracker.Wrapping UpIn this blog post I’ve described a useful exploit primitive for Windows 10, which you can even use from some sandboxed environments such as Edge LPAC. Finding these sorts of primitives makes exploitation much simpler and less error-prone. Also I’ve given you a taste of how you can go about finding your own bugs in similar DCOM implementations.
Categories: Security

IBM z/OS Management Facility V2R3

IBM Redbooks Site - Wed, 04/18/2018 - 09:30
Redbook, published: Wed, 18 Apr 2018

This IBM® Redbooks® publication helps you install, configure, and use the IBM z/OS® Management Facility (z/OSMF).

Categories: Technology

Consider a longer iPhone passcode

iPhone J.D. - Wed, 04/18/2018 - 01:40

When Apple released iOS 9 in 2015, it changed the default length of the passcode needed to unlock the device from 4 to 6 digits for all devices with a Touch ID sensor.  This increased the odds of guessing a passcode from 1 in 10,000 to 1 in 1,000,000.  And while some folks groaned at having to remember two additional numbers, hopefully most attorneys using iPhones realized that if you are going to keep confidential and privileged information on an iPhone, you need to take reasonable steps to keep that device secure.

This week I saw a link by John Gruber of Daring Fireball to an article posted last month by Thomas Reed of the security firm Malwarebytes Labs.  The article describes a device called GrayKey, a small box with two lightning cables coming out of the front of it which can supposedly crack the passcode of an iOS device.  Apparently, the box is only sold to law enforcement.  If someone tries to hack your passcode on an iPhone itself, there is a delay after the wrong passcode is entered.  You have probably encountered this delay yourself at some point.  But it seems that GrayKey has a way around this and can quickly try multiple passcodes.  And according to an article by Lorenzo Franceschi-Bicchierai of Motherboard, the only thing slowing down the hack is the length of your passcode.  He quotes statistics from Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute.  Green says that a 4 digit passcode can be cracked in 13 minutes or less, a 6 digit passcode can be cracked in 22.2 hours or less, an 8 digit passcode can be cracked in 92.5 days or less, and a 10 digit passcode can be cracked in 9,259 days or less.

Obviously, then, you can improve the security of your passcode by using more digits.  You can also improve the security of your passcode by making the characters more complicated by using letters and/or symbols in addition to numbers.  Open the Settings app, go to Touch ID & Passcode or Face ID & Passcode (depending upon what device you are using), tap Change Passcode, and then on the next screen tap Passcode Options.  Here, you have the option to change to a custom numeric passcode (more than 6 digits) or a custom alphanumeric code (letters, symbols, and/or digits).

 
Using a longer passcode is less convenient.  First, it takes longer to enter the passcode, and the additional length increases the chance that you will make a mistake while typing.  If you use Touch ID or Face ID, that limits the number of times that you have to type the passcode, but you still need to type it from time to time.

Second, it is harder to remember a longer passcode, especially because the strongest passcodes are long and don't use words that are in a dictionary.  There are some tricks you can use to help you remember more secure passcodes.  For example, you can remove the vowels from words to create something that you can remember but which would be hard to guess.  "Drew Brees #9 Saints" becomes DrwBrs#9Snts, a 12-character passcode lacking words found in a dictionary, and which would take a ridiculously long time to crack using current technology.  Or you can use letters from the first words of a memorable line from a song or poem or other saying.  "The hills are alive with the Sound of Music" becomes ThaawtSoM, a nine-character passcode lacking dictionary words.

Hopefully, it won't be a problem for you that some police officers now have the ability to use a device like the GrayKey.  But what worries me is that if the police have it, perhaps certain bad actors have access to similar devices — criminals who might have a reason to try to access the confidential information that you have on your device about your clients.

Apple is constantly improving the security of its devices, and that's why I encourage all attorneys to update their iPhones and iPads when Apple comes out.  A GrayKey-type device that works today may not work after the next iOS update.  But Apple has been improving iPhone security ever since the first iPhone was released in 2007, and for over a decade now, clever folks have found new ways to circumvent security measures.

Do you need to change your six digit passcode to something stronger?  Well, that's up to you.  Hopefully, the chance that your device will ever be connected to something like GrayKey is extremely remote.  But for what its worth, I'm currently using 12-character passcodes on my iPhone and iPad.  After about a week, I got used to the longer passcodes.  And while I am entering the passcode, I think to myself "take that you evil hackers!" which, if nothing else, helps to fill up some of that extra time that it takes to type 12 characters instead of 6 numbers.

Categories: iPhone Web Sites

Working with External User Researchers: Part II

A list Apart development site - Tue, 04/17/2018 - 09:10

In the first installment of the Working with External User Researchers series, we explored the reasons why you might hire a user researcher on contract and helpful things to consider in choosing one. This time, we talk about getting the actual work done.

You’ve hired a user researcher for your project. Congrats! On paper, this person (or team of people) has everything you need and more. You might think the hardest part of your project is complete and that you can be more hands off at this point. But the real work hasn’t started yet. Hiring the researcher is just the beginning of your journey.

Let’s recap what we mean by an external user researcher. Hiring a contract external user researcher means that a person or team is brought on for the duration of a contract to conduct research.

This situation is most commonly found in:

  • organizations without researchers on staff;
  • organizations whose research staff is maxed out;
  • and organizations that need special expertise.

In other words, external user researchers exist to help you gain the insight from your users when hiring one full-time is not an option. Check out Part I to learn more about how to find external user researchers, the types of projects that will get you the most value for your money, writing a request for proposal, and finally, negotiating payment.

Working together Remember why you hired an external researcher

No project or work relationship is perfect. Before we delve into more specific guidelines on how to work well together, remember the reasons why you decided to hire an external researcher (and this specific one) for your project. Keeping them in mind as you work together will help you keep your priorities straight.

External researchers are great for bringing in a fresh, objective perspective

You could ask your full-time designer who also has research skills to wear the research hat. This isn’t uncommon. But a designer won’t have the same depth and breadth of expertise as a dedicated researcher. In addition, they will probably end up researching their own design work, which will make it very difficult for them to remain unbiased.

Product managers sometimes like to be proactive and conduct some form of guerrilla user research themselves, but this is an even riskier idea. They usually aren’t trained on how to ask non-leading questions, for example, so they tend to only hear feedback that validates their ideas.

It isn’t a secret—but it’s well worth remembering—that research participants tend to be more comfortable sharing critical feedback with someone who doesn’t work for the product that is being tested.

The real work begins

In our experience the most important work starts once a researcher is hired. Here are some key considerations in setting them and your own project team up for success.

Be smart about the initial brain dump

Do share background materials that provide important context and prevent redundant work from being done. It’s likely that some insight is already known on a topic that will be researched, so it’s important to share this knowledge with your researcher so they can focus on new areas of inquiry. Provide things such as report templates to ensure that the researcher presents their learnings in a way that’s consistent with your organization’s unique culture. While you’re at it, consider showing them where to find documentation or tutorials about your product, or specific industry jargon.

Make sure people know who they are

Conduct a project kick-off meeting with the external researcher and your internal stakeholders. Influence is often partially a factor of trust and relationships, and for this reason it’s sometimes easy for internal stakeholders to question or brush aside projects conducted by research consultants, especially if they disagree with research insights and recommendations. (Who is this person I don’t know trying to tell me what is best for my product?)

Conduct a kick-off meeting with the broader team

A great way to prevent this potential pushback is to conduct a project kick-off meeting with the external researcher and important internal stakeholders or consumers of the research. Such a meeting might include activities such as:

  • Team introductions.
  • A discussion about the research questions, including an exercise for prioritizing the questions. Especially with contracted-out projects, it’s common for project teams to be tempted to add more questions—question creep—which is why it’s important to have clear priorities from the start.
  • A summary of what’s out of scope for the research. This is another important task in setting firm boundaries around project priorities from the start so the project is completed on time and within budget.
  • A summary of any incoming hypotheses the project team might have—in other words, what they think the answers to the research questions are. This can be an especially impactful exercise to remind stakeholders how their initial thinking changed in response to study findings upon the study being completed.
  • A review of the project phases and timeline, and any threats that could get in the way of the project being completed on time.
  • A review of prior research and what’s already known, if available. This is important for both the external researcher and the most important internal consumers of the research, as it’s often the case that the broader project team might not be aware of prior research and why certain questions already answered aren’t being addressed in the project at hand.
Use a buddy system

Appoint an internal resource who can answer questions that will no doubt arise during the project. This might include questions on how to use an internal lab, questions about whom to invite to a critical meeting, or clarifying questions regarding project priorities. This is also another opportunity to build trust and rapport between your project team and external researcher.

Conducting the research

While an external researcher or agency can help plan and conduct a study for you, don’t expect them to be experts on your product and company culture. It’s like hiring an architect to build your house or a designer to furnish a room: you need to provide guidance early and often, or the end result may not be what you expected. Here are some things to consider to make the engagement more effective.

Be available

A good research contractor will ask lots of questions to make sure they’re understanding important details, such as your priorities and research questions, and to collect feedback on the study plan and research report. While it can sometimes feel more efficient to handle most of these types of questions over email, email can often result in misinterpretations. Sometimes it’s faster to speak to questions that require lots of detail and context rather than type a response. Consider establishing weekly remote or in-person status checks to discuss open questions and action items.

Be present

If moderated sessions are part of the research, plan on observing as many of these as possible. While you should expect the research agency to provide you with a final report, you should not expect them to know which insights are most impactful to your project. They don’t have the background from internal meetings, prior decisions, and discussions about future product directions that an internal stakeholder has. Many of the most insightful findings come from conversations that happen immediately after a session with a research participant. The research moderator and client contact can share their perspectives on what the participant just did and said during their session.

Be proactive

Before the researcher drafts their final report, set up a meeting between them and your internal stakeholders to brainstorm over the main research findings. This will help the researcher identify more insights and opportunities that reflect internal priorities and limitations. It also helps stakeholders build trust in the research findings.

In other words, it’s a waste of everyone’s time if a final report is delivered and basic questions arise from stakeholders that could have been addressed by involving them earlier. This is also a good opportunity to get feedback from stakeholders’ stakeholders, who may have a different (but just as important) influence on the project’s success.

Be reasonable

Don’t treat an external contractor like a PowerPoint jockey. Changing fonts and colors to your liking is fine, but only to a point. Your researcher should provide you with a polished report free from errors and in a professional format, but minute changes are not a constructive use of time and money. Focus more on decisions and recommendations than the aesthetics of the deliverables. You can prevent this kind of situation by providing any templates you want used in your initial brain dump, so the findings don’t have to be replicated in the “right” format for presenting.

When it’s all said and done

Just because the project has been completed and all the agreed deliverables have been received doesn’t mean you should close the door on any additional learning opportunities for both the client and researcher. At the end of the project, identify what worked, and find ways to increase buy-in for their recommendations.

Tell them what happened

Try to identify a check-in point in the future (such as two weeks or months) to let the researcher know what happened because of the research: what decisions were made, what problems were fixed, or other design changes. While you shouldn’t expect your researcher to be perpetually available, if you encounter problems with buy-in, they might be able to provide a quick recommendation.

Maintain a relationship

While it’s typical for vendors to treat their clients to dinner or drinks, don’t be afraid to invite your external researcher to your own happy hour or event with your staff. The success of your next project may rely on getting the right researcher, and you’ll want them to be excited to make themselves available to help you when you need them again.

Categories: Technology

Consolidation Planning Workbook Practical Migration from x86 to IBM LinuxOne

IBM Redbooks Site - Mon, 04/16/2018 - 09:30
Redpaper, published: Mon, 16 Apr 2018

IBM LinuxONE™ is a portfolio of hardware, software, and solutions for an enterprise-grade Linux environment.

Categories: Technology

Review: iPhone Field Guide by David Sparks -- great tips for getting the most out of your iPhone

iPhone J.D. - Sun, 04/15/2018 - 23:11

It's always nice when you have an opportunity to talk to someone who has great suggestions on a topic that you are interested in.  You are about to travel to Paris?  Here's someone who lived there for the past year and who has fabulous recommendations on all of the things that you should do and see.  You are looking for some great new TV shows to watch?  Here is someone who has excellent recommendations for binge-worthy shows on HBO, Showtime, Netflix, Amazon Prime, etc.  I have an interest in the iPhone (I know — big surprise to you, right?) so I always love talking to other folks about how they are using their iPhones.  With millions of apps in the App Store, and countless hardware accessories sold by Apple and third parties, I enjoy learning about the things that I haven't heard of before, or learning about how others are using apps or accessories in different ways. 

I first met California attorney David Sparks a number of years ago at an ABA TECHSHOW conference, but I have been following him for much longer than that through his MacSparky website and the Mac Power Users podcast he does with Florida attorney Katie Floyd.  David has deep knowledge of the iPhone and the iPad, and I always love talking to him about all things iOS for his perspective on how to get more out of these devices.  And because he often writes posts about these topics on his website, I find myself linking to an article on MacSparky almost every Friday when I write my In the news roundup.

Wouldn't it be great if you could ask that friend who knows about Paris, or TV shows, or the iPhone, to just write down everything that they know and share it with you?  That is the idea behind the latest electronic book by David Sparks called the iPhone Field Guide.  David has taken just about everything in his brain concerning how you can get more out of an iPhone and poured it into this book, which you can read on the iPad and the iPhone.  And because the iBooks system makes it possible to embed video into a page, this book also includes over two hours of videos in which David shows off how he uses his iPhone.  It's almost like David was sitting next to you and showing you his iPhone, saying "let me show you what this cool app can do."

David sent me a promotional code so that I could download a free copy to review it for iPhone J.D., and I enjoyed reading all 452 pages of it this past weekend.  This is a great book, and I highly recommend it to anyone who owns an iPhone and is interested in doing more with it — which should cover just about every person who reads iPhone J.D., except perhaps for the occasional Android owner who ends up here by accident.

The book contains 45 chapters and covers just about all of the topics that relate to using an iPhone.  (One notable exception — although David is an attorney, this book doesn't include recommendations of apps that are specific to lawyers or other types of professionals.)  Chapters include, just to pick a few examples, Photography, Calendar Apps, Security, Habit Trackers, Travel, Document Scanners, Mind Mapping, Outlining, Creating Video, and there is even a chapter on the Apple Watch because it is such a perfect iPhone companion.

For each topic, David gives you his recommendations.  This is not an in-depth guide on how to use every little part of every app, and thus there is no chapter that exhaustively goes through every sub-menu of the Settings app.  Instead, he picks a topic and tells you his top recommendations on that topic. 

As an example, here is a page from the chapter on Mind Mapping in which David recommends MindNode for folks just getting started.  As you can see, the page includes a description of the app, a two minute video in which David explains why this is his favorite app and shows off how the app works, and a link to download the app in the App Store.  This is page 308, but if you flip to page 309 where David finishes his discussion of the app, he includes a link to a series of videos he did for the developer of MindNode in which he spends about an hour explaining in detail how to use the app.

For another example, in the Creating Video chapter, David starts with a few pages giving you some general tips on shooting video with an iPhone.  Next, he discusses apps, limiting himself to his best recommendations.  He explains why the built-in Camera app is great for taking video because most features are automatic, but then explains why you should consider the FiLMic Pro app if you want manual controls for everything.  Then he discusses editing video, starting with an overview of Apple's free iMovie app, and then he recommends a single third-party app for more powerful editing called LumaFusion.  When describing that app, he states:  "I tried just about every video editing app available while doing research for this book, and LumaFusion stands about them all.  If you want more than the basic iPhone video editing tools, buy LumaFusion."

Those two sentences really sum up what this book is all about.  There are lots of websites that have posts with titles like "the best time management apps" but then when you read the article, it is just a list of ten apps in the category with virtually no explanation on why one is better than the other.  This book is the opposite of that.  If you were to bump into David and say that you were interested in topic X and what would he recommend for that, he would say something like what I quoted above — this first app is the one most folks would want to use for that task, and here is a second app which is the best one to get if you want something more powerful.

There is something in this book for everyone who uses an iPhone.  Even though I consider myself a power user and I know about a lot of different apps, I learned a bunch reading this book and I downloaded quite a few apps this past weekend while reading the book.  I also learned some new things.  For example, there is a chapter on Siri commands that is more comprehensive than anything that I have ever seen on the subject.  Many times as I was reading through that chapter, I stopped myself to say "can Siri really do that?" and then I tried the command and saw that it worked.

I think that the best way to read this book is on an iPad.  That's how the book is laid out.  But David also takes advantage of the way that iBooks works so that you can also enter a scrolling view on the iPhone, a view in which you can scroll through the text, pictures, and videos (much like you might scroll through a web page in Safari) and you can change the font size to whatever you prefer.  So if you want to start reading this book on the iPad, but then a read a chapter or two on your iPhone while you find yourself with a little down time, you can definitely do that.  Here is an example of how a page looks on my iPad Pro, and then how the same page looks on the iPhone both before and after I turn on scrolling view.

 

For a limited time during the introductory period of this new book, David is offering this book for $20.  At some point in the future, the price will go up.  The book is packed with useful information and recommendations, and perhaps thanks to his long career as a lawyer, David is a very good writer and this book is enjoyable to read.  I enthusiastically recommend the iPhone Field Guide to all iPhone J.D. readers.

Click here to get the iPhone Field Guide by David Sparks ($19.99): 

Categories: iPhone Web Sites

In the news

iPhone J.D. - Thu, 04/12/2018 - 23:56

Federici Viticci of MacStories has a good list of tips for getting work done on an iPad.  The first tip, creating a launcher for a specific note, works on the iPhone too, and it is very useful if you use the Notes app because this tip gives you a way to open a specific note, which I prefer to opening up the Notes app and then finding the note and then opening that note.  For example, I have a note containing the file numbers for my most frequent matters, and it is nice to have a quick way to launch that specific note when I need a file number.  To accomplish this tip, you need to use a launcher app such as Launch Center Pro.  I see that I haven't reviewed that app since 2012, but it has been updated many times since then and it remains on my first iPhone home screen because I use it every day.  And indeed, after a recent update to Launch Center Pro, you can now hold down the app icon and the pop-up menu can give you six Quick Actions instead of four, a neat trick that I haven't seen any other app do yet.  Click here to get Launch Center Pro ($4.99):    I'll admit that apps like Launch Center Pro and Workflows which can be configured to accomplish complicated tasks are not for everyone.  The apps let you be more productive, but they come with a learning curve.  However, if you consider yourself a power user of the iPhone and iPad, these types of apps are great.  And now, the news of note from the past week:

  • California attorney David Sparks discusses the new 2018 version of the 9.7" iPad.  He says that for most users, it is a fine choice
  • In the latest episode of the Apps in Law podcast, Brett Burney interviews South Carolina attorney Michael Polk to discuss Focus Keeper and HabitBull apps which he uses to stay n task throughout the day using the Pomodoro Technique.
  • Jason Snell of Six Colors reviews the new iPad.
  • Ryan Christoffel of MacStories explains that after a recent update to the Microsoft Word app, it now works better with the built-in Files app.
  • Mark Sullivan of Fast Company wrote an interesting story explaining how Apple now runs on 100% green energy, such as solar. 
  • Jonny Evans of Computerworld has a good list of useful iPhone tips.  Here's one that I didn't know that you could do:  "Hey Siri, call [contact] on speakerphone.”
  • Leif Johnson of Macworld wrote a good article on his favorite note-taking apps for the iPad and Apple Pencil.  I really like GoodNotes 4, which is one of his picks.  Johnson points out that one advantage of Notability is that it can record audio as you take notes.  For my law practice I don't consider that an avantage; I virtually never take notes in an environment in which it would be wise to create an audio recording (and for the times that I take note in court, I'm quite sure that an audio recording would be prohibited).  But it is nice to have quite a few strong apps in this field.
  • Glenn Fleishmann of Macworld reviews Apple's latest version of the Numbers app for iOS.  It has a few new features, including a much improved interface for importing data.
  • Michael Potuck explains how to clean AirPods and the AirPods charging case in an article for 9to5Mac.
  • If you use an iPhone X, because of its OLED screen, it uses less battery life to display black instead of other colors.  AppleInsider did a test and found that YouTube's new dark theme can save you battery life on an iPhone X.  I think that this mode would look even better on the OLED screen if it were a pure black theme instead of a dark grey.
  • And finally, this week Apple came out with a (PRODUCT)RED version of the iPhone 8.  It is otherwise identical to the iPhone 7 released last year, but the new color does look nice, and a portion of the proceeds go to support HIV/AIDS programs.  You can see some nice pictures of the new red iPhone on Apple's website, where Apple notes that it has raised over $160 million for (RED) over the past 11 years.  If you want to see a short video of what the new red iPhone 8 looks like, Rene Ritchie of iMore prepared this video for his Vector podcast:

Categories: iPhone Web Sites

IBM DS8880 and z/OS DFSMS: Transparent Cloud Tiering

IBM Redbooks Site - Thu, 04/12/2018 - 09:30
Redbook, published: Thu, 12 Apr 2018

This IBM® Redbooks® publication gives a broad understanding of storage clouds and the initial functionality that was introduced for mainframes to have Transparent Cloud Tiering.

Categories: Technology

Implementing IBM FlashSystem V9000 AE3

IBM Redbooks Site - Thu, 04/12/2018 - 09:30
Redbook, published: Thu, 12 Apr 2018

The success or failure of businesses often depends on how well organizations use their data assets for competitive advantage.

Categories: Technology

Enhancing the IBM Power Systems Platform with IBM Watson Services

IBM Redbooks Site - Thu, 04/12/2018 - 09:30
Redbook, published: Thu, 12 Apr 2018

This IBM® Redbooks® publication provides an introduction to the IBM POWER® processor architecture.

Categories: Technology

[Sponsor] iTimeKeep -- time entry built for attorneys

iPhone J.D. - Tue, 04/10/2018 - 21:47

Thank you to Bellefield Systems, the creator of iTimeKeep, for sponsoring iPhone J.D. this month.  iTimeKeep has been around for seven years, and I remember first seeing a demo of the app at ABA TECHSHOW many years ago.  The premise of the app is brilliant:  make time entry so simple and accessible that you can easily enter your time no matter when you are working, and thus you don't forget to record your time entries.  You may talk to a client over the weekend, spend time working on a brief at night after you put the kids to bed, or handle something in a courthouse because you happen to be there on another matter.  Forgetting to record a few 0.1 or 0.2 time entries may not seem like a big deal, but over weeks and months it can really add up.  This time that would have otherwise been lost is what Bellefield refers to as invisible time. With the iTimeKeep app on your iPhone — which is likely with you all the time — you can enter your time contemporaneously and before you forget about it.  As soon as you enter time, the app quickly talks to your firm's time management system so that the activity is officially recorded.  By using your iPhone to record your time entries at the time that you do the work, you don't have to worry about losing time that you forgot about as you try to reconstruct your activities at a later time.

iTimeKeep works with law firms of any size, integrating with several time and billing systems:  Aderant, Elite, Omega, PC Law, TimeMatters, and many, many more which are listed here.

I started using this app in my own law practice last year, and I posted a comprehensive review in August.  I have used this app on more occasions that I can remember to record my time when I am out of the office, time that I might have otherwise forgotten about.  Thus, the app has helped me to get paid for the work that I am actually doing, plus it ensures that my timesheets accurately reflect all of the work that I am doing for my clients.

 

iTimeKeep validates your time against client billing guidelines, so you don't have to worry about forgetting to add a needed issue or task code for a file, or entering time in 0.1 increments when the client requires 0.25 entries.  And you can use built-in timers to keep track of precisely how long you spend working on a task.

What surprised me about iTimeKeep is that it isn't just a tool for avoiding missed time entries.  It is also a fantastic tool for recording all of your time.  The time entry software that we use at my law firm has a web-based interface, and after using it for many years, I consider myself fairly efficient in entering my time.  But the iTimeKeep interface is so incredibly well-designed and fast to use that I often prefer using iTimeKeep over my time entry software.  And fortunately, it doesn't matter which one I use — time that I enter in iTimeKeep shows up on my firm system, and time that I enter in my firm's system shows up in iTimeKeep if I have to go back and edit an entry.

I cannot type on an iPhone as fast as I can type on a computer keyboard.  However, I can often enter time just as quickly using iTimeKeep on my iPhone.  Sometimes I use Siri dictation to speak a time entry, which is fast and easy.  Other times I use the iPhone's keyboard shortcut feature to speed up time entry.  (In the Settings app, go to General -> Keyboard -> Text Replacement.)  For example, if I type "tcw" on my iPhone, it automatically changes that to "Telephone conference with " so I just need to type the name and the "re" information.

But iTimeKeep is not just a product for your iPhone (and iPad and Apple Watch, and even Android).  You can also use iTimeKeep on your computer via a secure website interface.  Whether I am entering time in the office on my PC or at home on my Mac, I frequently use the desktop version of iTimeKeep to type my time entries in the clean and efficient interface.

No attorney enjoys time entry, but it is a necessary part of the practice of law for most of us.  With iTimeKeep, you significantly reduce the friction associated with entering your time, especially when you record it contemporaneous with performing the work for your client.  Thank you to Bellefield for sponsoring iPhone J.D. this month, and thank you for creating this perfect example of an iPhone app that greatly improves the practice of law for attorneys.

Don't waste anymore time.  Try iTimeKeep today.

Categories: iPhone Web Sites

IBM Z Functional Matrix

IBM Redbooks Site - Tue, 04/10/2018 - 09:30
Redpaper, published: Tue, 10 Apr 2018

This IBM® Redpaper™ publication provides a list of features and functions that are supported on IBM Z, including the IBM z14(z14) - Machine types 3906 and 3907, IBM z13TM(z13®), IBM z13s™(z13s), IBM zEnterprise® EC12 (zEC12), and IBM zEnterprise BC12 (zBC12).

Categories: Technology

IBM z14 Model ZR1 Technical Introduction

IBM Redbooks Site - Tue, 04/10/2018 - 09:30
Redbook, published: Tue, 10 Apr 2018

This IBM® Redbooks® publication introduces the latest member of the IBM Z platform, the IBM z14 Model ZR1 (Machine Type 3907).

Categories: Technology

IBM Z Connectivity Handbook

IBM Redbooks Site - Tue, 04/10/2018 - 09:30
Redbook, published: Tue, 10 Apr 2018

This IBM Redbooks publication describes the connectivity options that are available for use within and beyond the data center for the IBM Z family of mainframes, which includes these systems:

  • IBM z14®
  • IBM z14 Model ZR1
  • IBM z13®
  • IBM z13s™
  • IBM zEnterprise® EC12 (zEC12)
  • IBM zEnterprise BC12 (zBC12)
This book highlights the hardware and software components, functions, typical uses, coexistence, and relative merits of these connectivity features.
Categories: Technology

Pages

Subscribe to www.hdgonline.net aggregator