Wednesday, October 9, 2013

When a Ministry Leader Falls

I have been an Awana Commander for 4 years, and involved in Awana much longer. In that time I have learned to expect the unexpected. Cars that break down right before club. Flooding rains. Leaders facing depression / illness / lost jobs / family strife. The constant tension between sports and church activities. Our adversary does not like seeing God at work amongst youth, and so he tirelessly attacks those leading vibrant ministry.

Nothing could have prepared me for last week however. About 2 hours before church I learned that one of my leaders had been arrested for a series of armed bank robberies spanning 6 months. Wow. Talk about getting blindsided.

The first night was a flurry of activity such that I didn't really have time to digest what had happened. His role had to be filled on short notice – and naturally most of our standby “in a pinch” volunteers were out of town or otherwise occupied. I talked with a couple of key individuals that needed to know, but otherwise kept an eye on the news to determine when to address it publicly (I did not feel it was my place to “break the news,” so to speak). Church staff reviewed his background check to make sure we had not overlooked anything (if you run a children’s ministry, you do screen your volunteers for a criminal history, right?). I was too stunned and too numb to do more than simply get through the night.

A week has now passed. The initial shock has worn off. Many of the kids know what happened, and some of them are asking difficult questions. Questions such as, how can a Christian do such a thing? How can someone we trusted do this crime? How can I trust other leaders?

Throughout the Bible I read of God-fearing men and women that failed miserably at one point or another. Abraham twice said his wife was his sister, fearing a king would harm him to take her. Samson allowed his wife to compromise his Nazarite vow. David couldn't keep his hands off his soldier’s wife, and then had the man killed to cover it up. Peter denied knowing Christ mere hours after saying he would never deny Him. Romans 3:23 is pretty clear – all have sinned. Not most, not some, not just the “bad people” – all. Isaiah 53:6 says that we all have strayed from the Lord. Romans 6:23 leaves no room for doubt – the penalty for that sin is spiritual death (in other words, Hell). Not the penalty for murder, not the penalty for robbery, not the penalty for adultery, the penalty for sin. For all sin. Whether I take a piece of candy without permission, or I commit the most heinous crime imaginable, by God’s accounting the final consequence is the same. There may be significantly different consequences today (prison for one, a scolding for the other), but in both cases I will give an accounting before God in the end and if left to my own merit will face eternal judgment.

Thankfully I am not left to my own merit. When Christ died on the cross, He covered the sins of every believer. His sacrifice was enough to cover every sin – if I trust in Him for that salvation. Because of Christ, I don’t have to trust in my own self. I don’t put my trust in my pastor, or my friends, or my parents, or my teachers. I rely on them for guidance and teaching, and most of the time they will be honorable, but they are fallen sinners just like me. If my hope is in anyone besides Christ, I am bound to be disappointed eventually. That is the point I hope to teach the clubbers under my care: put your hope in Christ and in Christ alone. Only in Him will their trust never be broken.

As 2 Corinthians 9:15 says, “Thanks be to God for His indescribable gift.”

Wednesday, October 2, 2013

Online Safety For Kids - Courtesy of McAfee

Today I had the privilege of teaching about 150 4th grade students about online safety and security. McAfee has put together a good series of presentations [ed. note: link removed as the presentations are no longer available from Intel Security], tailored individually to elementary, middle school, and high school students. Those presentations combined with my own stories gave me lots of material to offer.

At the elementary level, the goal is to get kids thinking about the Internet as more than just a vague concept - to think of it as a street or city with many doors (web sites, apps). Some of the doors are generally safe - libraries, the mall, a restaurant. Other doors might be appropriate in certain settings but not in others (a college anatomy class might be suitable for an adult but not for a child; as one child brought up, a wanted fugitive's house might be an appropriate place for a sheriff but not for a child). Still other doors are distinctly dangerous (a drug dealer, a stranger's front door). Each of these has parallels in the online world.

Thursday, September 5, 2013

How Big a Risk are Geotagged Photos?

A friend showed me a video from a Missouri news station (from a newscast almost 3 years ago, mind you). In the video, the reporters discuss a "new threat" with "new technology." While the video engages in the usual FUD (fear, uncertainty, and doubt) to oversell the risk, there is a nugget of truth that bears repeating.

Smartphones, tablets, and many standalone digital cameras have a GPS built-in, and can "geo-tag" photos with the location at which they were taken. This can make it easy to group photos by location (as in, group all my photos from the Grand Canyon, or from Disney World, or from Jamaica ... assuming I had vacationed at any of these places). But it makes it equally easy for someone else to do the same.

Friday, August 9, 2013

Turning a NAS into a Halfway Decent Media Server

A while back, I bought a Seagate “FreeAgent GoFlex Home” network-attached storage (NAS) device - essentially a hard drive with a network port that does not need to be connected to a computer. I had two goals in mind: my digital music collection had outgrown the old PC I use for that purpose, and backups of my various home PCs were a haphazard mess. I could have spent several hundred dollars on a new computer to serve this purpose, but I thought I'd try something new and try my luck with a ~$150 NAS device.

Friday, July 26, 2013

A Note for Code Developers

Today's post is very simple: if you are going to write code, don't embed privileged usernames and passwords in the code. And if you must hard-code a password, for crying out loud, don't store the code with passwords on a public code repository!

https://github.com/search?p=1&q=mysqldump+-p&ref=searchresults&type=Code
Nearly 10,000 examples of code on GitHub with the MySQL database password written in cleartext in the code. Many of the code samples show a username of root ... might that also be the root account and password for the system itself?

Sure, many times an application needs to access a database and the end user doesn't need to have an account. But instead of coding the root password into the application, either use a limited account that only has read access, or better yet, handle account management on the server side. If the application runs in the context of a user with appropriate credentials, then there is never a need for the application to login, and thus no need to store usernames and passwords in the source code.
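Two sides of the advice above, as an added example that is not part of the original post: a small scanner that flags the two patterns the post describes (a password glued to `mysqldump -p`, and a password assigned as a string literal), run over a constructed snippet of source, and a loader that takes the database account from the environment and refuses to run with a baked-in default. The sample source, the `reporting_ro` account name and the `DB_*` variable names are assumptions for the example; the regexes are heuristics that produce candidates for review, not proof of a live credential.

```python
import os
import re

# Constructed sample source (not taken from GitHub or from the post) that imitates the
# pattern described: a password on the mysqldump command line, a root password in a
# variable, and one line that correctly reads the password from the environment.
SAMPLE_SOURCE = """\
import subprocess
DB_USER = "root"
DB_PASSWORD = "hunter2"
subprocess.call("mysqldump -u root -pS3cretPass mydb > backup.sql", shell=True)
db_password = os.environ["DB_PASSWORD"]
"""

CREDENTIAL_PATTERNS = [
    # mysql/mysqldump accept the password glued to -p. "-p " (prompt) and "-p$VAR" are
    # not literals, so they are excluded by the lookahead.
    ("mysql -p<literal>",
     re.compile(r"\bmysql(?:dump)?\b[^\n]*\s-p(?!\s|\$)(\S+)")),
    # A variable whose name contains password/passwd/secret assigned a quoted string.
    ("password literal",
     re.compile(r"(?i)\b\w*(?:passw(?:or)?d|secret)\w*\s*=\s*['\"]([^'\"]+)['\"]")),
]


def find_hardcoded_credentials(source: str):
    """Return (line_number, rule_name, literal) for every line matching a credential pattern."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, name, match.group(1)))
    return findings


def load_db_config(env=None):
    """Read the database account from the environment; never fall back to a built-in value.

    The account is assumed (for this example) to be a limited, read-only MySQL user that
    the DBA created for the application, not root.
    """
    env = os.environ if env is None else env
    try:
        return {
            "host": env.get("DB_HOST", "localhost"),
            "user": env["DB_USER"],
            "password": env["DB_PASSWORD"],
        }
    except KeyError as missing:
        # Failing loudly is the point: a missing credential must not silently become root/root.
        raise RuntimeError(f"database credential {missing} is not set in the environment") from None


if __name__ == "__main__":
    for lineno, rule, literal in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {literal!r}")
```

Running the file on the constructed sample reports lines 3 and 4 and stays quiet on line 5, which is the shape the post recommends: the source names the variable, the deployment supplies the value, and the account behind it has only the access the application needs.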

Tuesday, July 23, 2013

Disguised links

Previously I wrote about two new pen-test / social engineering tools (Pwnxy and Phishable). These tools simplify the "art" of deceiving an end user by presenting a legitimate-looking page (the page is in fact legitimate, but passed through a proxy that can change the content and intercept anything submitted - such as login credentials).

One comment from a reader was, can you tell if a link is safe by examining the URL? To some degree, yes, you can tell by the actual URL whether the link is safe or not. When you hover over a link, typically the actual URL is displayed on the browser's status bar at the bottom of the screen. If the URL is myrealbank.com, it may be safe; if the URL is myevilproxy.com?site=myrealbank.com, that's a dead giveaway. Shortened URLs (t.co, bit.ly, etc.) make this a bit more challenging, because the short URL masks a much longer string, and it's a bit inconvenient to check each long-form URL before following the link (though there are browser plug-ins that will expand the URL and show you the full link).
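The hover-and-inspect check above, written out as an added example (not code from the original post) so the rules are explicit. It parses the URL behind a link and reports why it should not be taken as a link to the site the user expects: the host actually contacted is not that site, the expected site appears in the query string (the proxy pattern in the post), the host is a shortener, or there is userinfo before an `@` so the visible name is not the host at all. The shortener list and the bank names are constructed for the example; the check goes slightly beyond the post's single case by treating any URL in the query string and any userinfo as reasons for suspicion.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# A deliberately short, constructed list of URL shorteners for this example.
SHORTENER_HOSTS = {"t.co", "bit.ly", "goo.gl", "tinyurl.com", "ow.ly"}


def inspect_link(url: str, expected_host: str) -> dict:
    """Examine the URL behind a link and list the reasons it should not be trusted as a
    link to expected_host. Returns {"host", "verdict" ("ok" | "suspicious"), "reasons"}.
    """
    expected_host = expected_host.lower()
    # A bare "bank.com/login" has no scheme; add one so urlsplit sees a host, not a path.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []

    # 1. The host actually contacted must be the expected site or one of its subdomains.
    if not (host == expected_host or host.endswith("." + expected_host)):
        reasons.append(f"host is {host!r}, not {expected_host!r}")

    # 2. Text before '@' is userinfo, not the host: "bank.com@other.com" goes to other.com.
    if parts.username is not None:
        reasons.append("userinfo before '@' disguises the real host")

    # 3. The expected site (or any URL) inside the query string is the proxy pattern
    #    from the post: myevilproxy.com?site=myrealbank.com.
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            value = unquote(value).lower()
            if expected_host in value or "://" in value:
                reasons.append(f"query string carries another site: {value!r}")

    # 4. A shortener hides the destination; expand it before deciding.
    if host in SHORTENER_HOSTS:
        reasons.append("shortened URL; expand it to see the real destination")

    # 5. A login page served without TLS can be read or altered in transit.
    if parts.scheme != "https":
        reasons.append("not https")

    return {"host": host, "verdict": "ok" if not reasons else "suspicious", "reasons": reasons}


if __name__ == "__main__":
    for link in ("https://www.myrealbank.com/login",
                 "myevilproxy.com?site=myrealbank.com",
                 "https://t.co/AbCd123"):
        print(link, "->", inspect_link(link, "myrealbank.com"))
```

The function only reasons about the string; it never fetches anything, so it is safe to run over every link in a mail before deciding which to click. A shortened link still needs expanding (rule 4 only says so), and a URL that passes every rule is "not obviously disguised", not "safe".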

Friday, July 12, 2013

Pwnxy and Phishable - awesome tools with scary abusability

Penetration testing answers the question "can someone penetrate your defenses" before a hacker does the same. In other words, when you put up a door on the Internet, someone somewhere is going to see if they can crawl in through an unlocked window instead of using the door as you intend. Pen testing searches for that window, or back door, or subterranean tunnel, with the intention of finding and closing vulnerable surfaces before an attacker does it for you.

One facet of penetration testing is to focus on the person rather than the system - if I can get a person to give up their keys to the front door (their username and password, for example), then there is no need to search for a weak back door or unlocked window. A common way to approach this is through phishing - often an email (or Facebook post) masquerading as communication from a trustworthy entity (say, a bank or a boss) asking for information, or directing the target to a web link.