Wednesday, March 19, 2014

Hidden Toppings Pizza

I love cooking, almost as much as I love eating.  And very occasionally I will even come up with something new in the kitchen.  For example, this pizza.
Most pizzas are made in the exact same way.  Put down the dough, spread sauce on top of that, followed by cheese, then toppings.  This recipe came about because I got out of order when making a pizza and I put the toppings down right on top of the sauce before I put on the cheese.  And I decided that's not wrong.
Rolling in dough

Sanitize Everyth- no that's my other series

That's a joke from my Febrewary homebrewing series where the first step in homebrewing is to SANITIZE EVERYTHING!  We're just cooking here but you should at least wash your hands.
Getting sauced


Here I've used a commercially available premade crust and sauce but I add extra spices like crushed red pepper flakes to the sauce before I spread it around.  That distributes the flavor nicely across the pizza.  
Top of the pops

Top it off

Now I add the large solid toppings like the pepperoni slices, olives, onion, pineapple, etc.
All covered with cheese

Hide the pepperoni

Now I add my cheese on top of the toppings.  Two cups of pizza cheese mix does a good job covering everything up.


Follow the remainder of your recipe to cook the crust and melt the cheese.  The cheese itself forms a solid cap over the works like an Arctic ice floe.  And the best part is you can hide anything under the cheese.  Anchovies, sliced jalapeños, it's all fair game now.  

Friday, February 14, 2014

Hack Stack

Retail giant Target was hacked late last year in a blow to holiday shoppers across the country.  Security investigators found out that the intrusion started with an HVAC contractor.  A reasonable computer user, denied access to others' secure systems, could ask themselves what an outside company would be doing with access like this.  Let's talk a bit about how large corporate systems are set up and how an attack can cascade like this through a supply chain.

Inter, Intra, and Extra

Most large companies' computer networks are set up in multiple zones.  The Internet zone holds customer-facing systems like company webpages, online shopping, and contact information.  These systems should only deal with low-security matters like presenting product information or mailing addresses.  The Intranet zone is for internal use by employees.  A company's trouble ticketing system or employee computer-based training terminals are connected to this zone.  The Extranet is the most complicated zone to manage and secure.  This is where partner companies connect to your systems for more access than the Internet zone can provide, but without the employee-level access of an intranet user.

Extra, Extra, Extra

In Target's case, Fazio Mechanical Services had access credentials to Target's systems to support billing and work contracts when Fazio was hired to perform work on the HVAC systems at Target stores in the Mid-Atlantic region. 
And, no, as a user of Target's extranet, Fazio's credentials should not have enabled them to upload to or in any way make contact with any part of Target's point of sale terminals. 
Payment Card Industry (PCI) standards now come into play.  Companies which submit credit card payments are not required to build a separate network for payment and non-payment activities.  But outside users like contractors and vendors are required to use two-factor authentication to access a company's network. 
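
As an added illustration (not from the original post or from any Target documentation), the sketch below audits a zone-to-zone allow list for any chain of permitted flows leading from the extranet to a point-of-sale segment. The zone names `web`, `billing`, `ticketing` and `pos` and every rule in the list are constructed for the example.

```python
from collections import deque

# Constructed sample policy: each pair is an allowed flow (source zone, destination zone).
ALLOWED_FLOWS = [
    ("internet", "web"),
    ("extranet", "billing"),     # partners reach the billing / contract portal
    ("intranet", "billing"),
    ("intranet", "ticketing"),
    ("billing", "intranet"),     # overly broad: billing servers may open connections inward
    ("intranet", "pos"),         # store management pushes updates to the registers
]

def reachable(flows, start):
    """Map every zone reachable from `start` to the shortest chain of allowed flows."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in graph.get(zone, []):
            if nxt not in paths:          # first visit in a BFS is the shortest path
                paths[nxt] = paths[zone] + [nxt]
                queue.append(nxt)
    return paths

def audit(flows, source, protected):
    """Return the chain of zones linking `source` to `protected`, or None if isolated."""
    return reachable(flows, source).get(protected)

def without(flows, banned):
    """Return the policy with the given rules removed."""
    return [rule for rule in flows if rule not in banned]

if __name__ == "__main__":
    print("before:", audit(ALLOWED_FLOWS, "extranet", "pos"))
    fixed = without(ALLOWED_FLOWS, [("billing", "intranet")])
    print("after: ", audit(fixed, "extranet", "pos"))
```

No single rule grants the extranet access to the registers; the exposure only appears when the rules are followed transitively, which is why the audit walks the whole graph.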

Tuesday, February 11, 2014

The Day We Fight Back

Wednesday, February 5, 2014


So I was trolling my own blog, as every good blogger should, and I discovered a dead link. I'll give you a hint: the embedded video had been taken down by a copyright (copywrong) claim. Yes, some litigious asshole gave my blog a dead link. Fortunately, I found it and was able to get a valid link so the affected post was not affected. So, reader challenge because I secretly hate you, find the post that was edited to fix the broken link. And here's where I have to give grudging credit to Vevo. While they take down many linked videos they, at least, upload a legitimate video for bloggers to link to.

Saturday, February 1, 2014

Rack 'em Up

Let's kick off this year's Febrewary with a quick post about a new technique you can add to your brewing process called racking.
The concept is pretty simple.  After fermentation has run for a couple weeks and the yeast has settled, you move the product into another sterilized fermenter for an additional couple of weeks before bottling.  The point is to separate out the lees, the tired yeast, the fruit bits, and whatever other solid waste is left in the primary fermenter.  This improves the clarity a lot so it's a good technique to learn if you make wines and meads. 

You will need

Since you've been brewing for a year you should already have most of the things you will need to take up racking.  If you bought a starter kit like the one I linked to in Gathering Supplies you should only need to buy another fermenter and another threaded stopper and airlock to go with it.  Keep an eye out for "buy this, get an extra fermenter" deals.  They come out every so often from most of the brewer supply houses.

Sanitize... yeah, you know this step

Run up a batch of sanitizing solution and wash and sanitize your new fermenter, threaded stopper, and airlock, along with your auto-siphon and transfer hose.  If you're using a smaller fermenter, you could just sanitize a funnel instead of all the transfer gear and just pick it up and pour from one container to the other.  Use a coffee filter inside the funnel to catch the lees.  

Rack 'em, Stack 'em, Rinse and Repeat

Presumably, since the previous brewing stage was successful enough to add a racking stage, the location you keep your fermenter is good for yeast biology.  After you've got the brewing product into the new fermenter, install the airlock according to its instructions and place the new one where the old one was.  Then let it do its thing.  
Be sure to wash out the old fermenter.  That muck in the bottom is still perfect growth medium for all sorts of microbial mischief.  But hang on to it; lees are great green for your compost.  
You can rack again back into the original fermenter to further improve the clarity of your product.  Wait at least a week for things in the brew to settle down and remember to sanitize all your equipment before you transfer.

Adding this new technique into your brewing stages will give your product better clarity and a smoother texture you and your friends will enjoy.  Slainte! 

Trademarks are the property of their respective owners.  Products featured or linked here are used as examples only, without endorsement or commercial consideration.  Please drink responsibly. 

Friday, January 31, 2014


Everyone is well aware of retail runner-up Target and their recent hacking.  And this event couldn't have come at a worse time for them.  Their systems were compromised over Thanksgiving weekend, the traditional start of the holiday shopping season, and stayed pwned for several weeks.  Fortunately, they've plugged the holes and were able to continue on with their holiday sales season.
Meanwhile, banks around the country are taking steps to protect their customers' banking details.  Apparently, in light of lessons learned from major breaches like Heartland Payment Systems, many found it less expensive to just reissue thousands to millions of new cards to any customers who may or even might not be affected.  A major credit union here in Arizona is issuing new cards and numbers for 877 potentially compromised accounts.
While the stolen credit card information has already been put up for sale, Target insists that at least the PINs associated with debit cards were securely encrypted, specifically with Triple DES, or more properly, the Triple Data Encryption Algorithm, TDEA.
Triple DES is a block cipher, which means it encrypts blocks of data, 64 bits at a time, and does so in three passes, each with a different key based on the keying option used.  Data Encryption Standard (DES), with only a 56 bit key, is too weak to protect data against brute force attacks by modern hardware and has been removed as a standard.  Triple DES itself, by stacking up on the encryption with multiple keys, is considered secure enough against any practical attacks.  It has, however, been replaced in most applications with Advanced Encryption Standard (AES).
Target wasn't specific as to which keying option of Triple DES was being used, though they made it clear that they never had any of the keys.  Knowing which keying option was being employed could direct an attacker to a method of exploit.  Since Triple DES encrypts with key one, decrypts with key two, and then encrypts again with key three, the most secure option is that all three keys are different.  That usually isn't the way it's done in practice; typically the first and third key are the same.  Obviously, if there's only a single key being used three times, the decrypt step undoes the first encrypt and the whole thing simplifies to a single pass of DES.  That compatibility is, in fact, why Triple DES does encrypt-decrypt-encrypt instead of three passes of encrypt.
So what attacks are available?  Essentially a rainbow table attack.  We can only hope that the payment processor who held the keys held more than one.  Single key Triple DES is only DES and that could be broken in less than a day ten years ago.  That's a trivial brute force attack today.  Option two is the most commonly used method of implementing Triple DES and it's the one that encrypts with the first key, decrypts with a second key, then encrypts once more with the first key again.  The issue is that the plaintext being encrypted, all those PINs, is such a small domain.  PINs for debit cards are typically only four digits long.  At best, 32 bits or half a block.  Even worse, the Feistel algorithm that underpins DES and thus Triple DES operates on only a half block at a time.  The fluff and random bits that fill out the block might be irrelevant when decrypting stolen debit card PINs.  With such a limited domain, chosen plaintext and known plaintext attacks become available.  Insanely resource intensive, but available.
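
An added example (not from the original post) of the encrypt-decrypt-encrypt construction and the small PIN domain discussed above. It uses a toy 16-round Feistel cipher with a hash-based round function as a stand-in for DES, since the collapse with a single key holds for any block cipher; the keys and the PIN block padding layout are constructed assumptions.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def _f(half, key, rnd):
    # Toy round function, NOT the DES f-function: a keyed hash of the half block.
    data = key + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def _feistel(block, key, round_order):
    left, right = block >> 32, block & MASK32
    for rnd in round_order:
        left, right = right, left ^ _f(right, key, rnd)
    return (right << 32) | left   # final swap so decryption mirrors encryption

def encrypt(block, key):
    return _feistel(block, key, range(16))

def decrypt(block, key):
    return _feistel(block, key, reversed(range(16)))

def ede_encrypt(block, k1, k2, k3):
    # Encrypt with key one, decrypt with key two, encrypt with key three.
    return encrypt(decrypt(encrypt(block, k1), k2), k3)

def ede_decrypt(block, k1, k2, k3):
    return decrypt(encrypt(decrypt(block, k3), k2), k1)

def pin_block(pin):
    # Constructed layout: four PIN digits plus fixed 'F' filler, no per-card data.
    return int(pin + "F" * 12, 16)

K1, K2 = b"key-one", b"key-two"   # constructed sample keys

def single_key_collapses(block):
    # K1 = K2 = K3: the middle decrypt undoes the first encrypt.
    return ede_encrypt(block, K1, K1, K1) == encrypt(block, K1)

def two_key_round_trip(block):
    # First and third key the same, second key different.
    ct = ede_encrypt(block, K1, K2, K1)
    return ct != encrypt(block, K1) and ede_decrypt(ct, K1, K2, K1) == block

def distinct_pin_ciphertexts():
    # All four-digit PINs under one key set: only 10,000 ciphertexts can ever occur.
    return len({ede_encrypt(pin_block(f"{n:04d}"), K1, K2, K1) for n in range(10000)})

def same_ciphertext(pin_a, pin_b):
    # Deterministic encryption with fixed filler: equal PINs give equal ciphertexts.
    return ede_encrypt(pin_block(pin_a), K1, K2, K1) == ede_encrypt(pin_block(pin_b), K1, K2, K1)
```

With fixed filler, two cards sharing a PIN produce identical encrypted blocks, so what fills the rest of the block matters as much as the number of keys.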
As a shout-out, my cryptography professor at the University of Maryland, Lawrence C Washington, along with Wade Trappe, also a Maryland professor at the time, literally wrote the book on cryptography.  I have the first edition.  Maybe I should've gotten it signed by the authors; I hear signed first editions are valuable.  Anyway, it's good to be a terrapin.  Let's Go Maryland!  Rah!  Rah!  Ra-ra-rah!