[SecurityRatty] tag: recipe

Twisted Coronas

Sat, 02 Aug 2008 13:33:51 +0000

Okay it's Saturday, so let me share something completely nontechnical and fun.

What you need to make these cocktails:

Six pack of Corona Extra
Bottle of Bacardi Limon
Lime
Coctail stirrer (a chopstick works fine)

Pop a slice of lime into a Corona and hand to a friend. Have them drink the neck, then refill with Bacardi Limon (putting the lime in first seems to reduce fizzing). Stir and hand back to them so they can drink it down as it fizzes up a bit.

Mixing rum and beer may sound nasty, but this actually results in a very smooth, tasty drink. It's our favorite accompaniment when we are playing Rock Band.

We took this recipe and applied it to one of our other favorite beers as well: Honey Moon Summer Ale (also works with Blue Moon, or any other typically orange-flavored beer). Just use Barcardi O instead of Limon.

Enjoy!

Indiana State University professor's laptop is stolen

Thu, 17 Jul 2008 05:29:35 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Indiana State University

Contractor/Consultant/Branch:
None

Victims:
"students who took economics classes from 1997 through the spring semester 2008"

Number Affected:
"more than 2,500"

Types of Data:
"names, grades, e-mail addresses and student identification numbers"*

*Until 2003, student identification numbers were the equivalent of each student’s Social Security number.

Breach Description:
"A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen during the weekend, the university reported Tuesday."

Reference URL:
Indiana State University
Associated Press via WTHI Channel 10 News
Associated Press via Chicago Tribune

Report Credit:
Indiana State University

Response:
From the online sources cited above:

A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen during the weekend, the university reported Tuesday.
[Evan] What do you suppose the purpose of the "password-protected" mention is? I hope it is not meant to reassure anyone that the information is safe. For those of you that do not know, password-protection is easily bypassed and in the opinion of many information security professionals (this one included), does NOT provide adequate protection for confidential information.

While there is no evidence to suggest that password security was breached, the university is taking the precaution of notifying all affected students for whom it has current contact information.
[Evan] If someone were to breach the "password security", what evidence would the school see? None. There would be no evidence (except locally on the laptop) if the local password store had been compromised. The school no longer has possession of the laptop, so the school would have no evidence.

The laptop contained data for students who took economics classes from 1997 through the spring semester 2008, estimated at more than 2,500 individuals.

If you took an economics class during this time period, but did not receive a letter, please call the Registrar’s Office to verify that you were on the list, and to update your address so that we may send you a letter.
[Evan] Contact information for the Registrar's Office, click here.

The information includes names, grades, e-mail addresses and student identification numbers.

Beginning in 2003, use of social security numbers as student ID numbers was discontinued in favor of university-specific identification numbers.
[Evan] A sound security decision by the university would have been to follow up with a project to identify and remove Social Security numbers already held as student IDs. Maybe it was, but the information on this laptop was missed.

The theft occurred Saturday while the professor was traveling in southern Indiana

the professor was traveling with his family and briefly left the computer unattended
[Evan] A laptop can grow legs in a flash. A person doesn't need to leave a laptop unattended for very long for it to disappear.

The incident occurred on July 12, 2008 and was reported to university officials on July 14, 2008.

The incident was reported immediately to the appropriate law enforcement agency and early Monday to university officials.

The extent of the information contained on the computer was not determined until Monday night.

Faculty and staff are being reminded that university policy prohibits the storage of private, sensitive data on portable computers.
[Evan] Excellent policy provision. Policy does little if it is not communicated, enforced, audited against, and improved. Where was the failure in the breach? Was the policy not communicated to this professor, and thus he/she was not aware?

In addition, laptops provided to faculty are equipped with several security measures including encryption and a bio-metric fingerprint reader to prevent access by anyone other than the assigned user.
[Evan] An excellent standard (or procedure).

Approximately 500 ISU faculty members have laptop computers.

The university is reviewing its procedures to ensure compliance with existing policies, said Interim President C. Jack Maynard, the university’s provost and vice president for academic affairs

From the FAQs:

Q: What can someone do with a stolen SSN?
A: "With just a SSN there is little anyone can do in the way of setting up a false identity or securing credit. Generally an identity thief would need more information and documentation to set up false credit.
[Evan] A SSN needs to be held in strict confidentiality in today's financial, employment, health, and other systems. It is often used for identification and authentication. Once an identity thief has a SSN, the owner of that SSN is now a prime target because the thief has the most confidential piece of information (ingredient) in the identity theft recipe. The rest of the information is typically easier to come by, i.e. name, address, employer, etc. It is true that an SSN alone is not enough information to commit identity theft, but it is an EXCELLENT start.

Commentary:
We can assume that the school knows the risks involved in storing confidential information on a poorly protected laptop. Otherwise, they probably wouldn't have policy and procedure against it. The school's statements that are meant to minimize the risk, seemingly without fact, are disappointing.

Past Breaches:
Unknown

NISTS FISMA Pase IIWho Certifies Those who Certify the Certifiers?

Tue, 17 Jun 2008 17:22:09 +0000

Check out this slideshow and this workshop paper from 2006 on some ideas that NIST and a fairly large advisory panel have put together about certification of C&A service providers. I’ve heard about this for several years now, and it’s been fairly much on a hiatus since 2006, but it’s starting to get some eartime lately.

The interesting thing to me is the big question of certifying companies v/s individuals. I think the endgame will involve doing both because you certify companies for methodology and you certify people for skills.

This is the problem with certification and accreditation services as I see it today:

Security staffing shortage means lower priority: If you are an agency CISO and have 2 skilled people, where are you going to put them? Odds are, architecture, engineering, or some other high-payoff activity, meaning that C&A services are candidates for entry-level security staff.
Centralized v/s project-specific funding: Some agencies have a “stable” of C&A staff, if it’s done wrong, you end up with standardization and complete compliance but not real risk management. The opposite of this is where all the C&A activities are done on a per-project basis and huge repetition of effort ensues. Basic management technique is to blend the 2 approaches.
Crossover of personnel from “risk-avoidance” cultures: Taking people from compliance-centric roles such as legal and accounting and putting them into a risk-based culture is a sure recipe for failure, overspending, and frustration.
Accreditation is somewhat broken: Not a new concept–teaching business owners about IT security risk is always hard to do, even more so when they have to sign off on the risk.
C&A services are a commodity market: I covered this last week. This is pivotal, remember it for later.
Misinformation abounds: Because the NIST Risk Management Framework evolves so rapidly, what’s valid today is not the same that will be valid in 2 years.

So what we’re looking at with this blog post is how would a program to certify the C&A service providers look like. NIST has 3 viable options:

Use Existing Certs: Require basic certification levels for role descriptions. DoD 8570.1M follows this approach. Individual-level certification would be CAP, CISSP, CG.*, CISA, etc. The company-level certification would be something like ITIL or CMMI.
Second-Party Credentialing: The industry creates a new certification program to satisfy NIST’s need without any input from NIST. Part of this has already happened with some of the certifications like CAP.
NIST-Sponsored Certification: NIST becomes the “owner” of the certification and commissions organizations to test each other.

Now just like DoD 8570.1M, I’m torn on this issue. On one hand, it means that you’ll get a higher caliber of person performing services because they have to meet some kind of minimum standard. On the other hand, introducing scarcity means that there will be even less people available to do the job. But the big problem that I have is that if you introduce higher requirements on commodity services, you’re squeezing the market severely: costs as a customer go up for basic services, vendors get even less of a margin on services, more charlatans show up because you’ve tipped over into higher-priced boutique services, and mayhem ensues.

Guys, I’m not really a rocket scientist on this, but really after all this effort, it seems to me that the #1 problem that the Government has is a lack of skilled people. Yes, certifying people is a good thing because it helps weed out the dirtballs with a very rough sieve, but I get the feeling that maybe what we should be doing instead is trying to create more people with the skills we need. Alas, that’s a future blog post….

However, the last thing that I want to see happen is a meta-game of what’s going on with certifications right now–who certifies those who certify? I think it’s a vicious cycle of cross-certification that will end up with the entire Government security industry becoming one huge self-licking ice cream cone. =)

Bookmark to:

Loving customers frustrate security firms too

Fri, 13 Jun 2008 15:45:37 +0000

Roger Grimes has a good article up on his InfoWorld, Security Advisory blog entitled "Security firms frustrate loving customers". Roger details some specific examples of how security vendors just don't "show the love" to customers and prospective customers, with the result being lost business. Roger highlights three examples:

1. Making renewals a manual process with those annoying phone trees. I agree, when I hear the press 1 for this and press 2 for this, my blood starts to boil. There is no reason that this just can't be built into the product to renew over the web. Security or no, any software vendor not doing it this is just plain crazy.

2. Calling into a company with a sales inquiry and the sales guy never calls back. This one just kills me. When doing due diligence on potential acquisitions at a prior company I would call in or email with a sales inquiry and wait to see how long it would take for them to get back to me. It was a good indication of how well the sales organization and company functioned.

3. Killing the deal with one sided, overly legal and burdensome terms. Another one that I battle all the time. The CFO has to be able to recognize revenue so needs specific T&Cs. The lawyers want to protect the vendor against all eventualities and is doing his job. You want to make as few warranties and representations as possible to limit your liability. The result, the customer gets one sided, unfair document with fine print on maintenance pricing, renewals, SLAs, etc. Most customers don't even read the EULA. Take a lot at some of the ones with software you have bought. It may surprise you.

But in my best Fox News voice, lets be fair and balanced. So in that vein, let me give you 3 specific examples of how loving customers frustrate security firms:

1. The guys who picked the product leave and the new guy comes in and doesn't have a clue. This happens all the time, especially in the government. One guy or team buys the product for a specific reason and has all of the expertise. The new folks come in and even if they know your product is there, they don't know why or how to use it. They may feel they inherited this product and have their own favorite product in this category. They can't wait to replace you and either don't use the product at all or blame the problems of the world on it.

2. Buying the product and than "other priorities" delay implementation. A surefire recipe for shelfware. When I see this happening I tell our folks better to be a pain in the butt and force them to use the product they bought than to sit around watching the license expire on the shelf. The longer the product sits, the more it becomes a nice to have, rather than a must have, that drove the sale. Now sure, one can say that what does the vendor care, the customer paid. If he doesn't use it, less support costs. But you don't get renewals, you don't get upsells or referrals without customers using product.

3. Using the product in unintended ways. Another favorite heartburn of mine. Customers figure just because the application runs Linux underneath, why can"t I run (You Name It). We recently had a customer that was chewing up support hours like the dial at a gas pump today. It turns out the problems we all due to the all of the other software that he had put on the box, not to mention editing .conf files, database tables, etc. It is hard enough supporting the software we developed. It is a whole another story supporting software that you have written.

So Roger, yes the customer is always right and security vendors have to get their act together if they want to survive, let alone compete in these tough economic times. But customers certainly don't make the job any easier with some of the shenanigans they pull.

Technical glitch blamed in The Princeton Tower Club breach

Tue, 13 May 2008 05:20:10 +0000

Technorati Tag: Security Breach

Date Reported:
5/8/08

Organization:
The Princeton Tower Club

Contractor/Consultant/Branch:
None

Victims:
Former club members

Number Affected:
103

Types of Data:
"names and social security numbers"

Breach Description:
"Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning."

Reference URL:
The Daily Princetonian
United Press International
Asbury Park Press

Report Credit:
Rachel Dunn and Josephine Wolff, The Daily Princetonian

Response:
From the online sources cited above:

Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning.

The document was attached to an apparently unrelated e-mail that informed current members about a club event.

The spreadsheet was attached unintentionally because of "a technical glitch," Tower graduate board chair Greg Berzolla ’87 said
[Evan] Really? A technical glitch? These types of breaches are usually the result of human error.

"The [spreadsheet] file wasn’t even available on the hard drive [of the computer that sent the e-mail]," Berzolla said. "[The e-mail system] took an old e-mail and used it as a template [for Wednesday’s e-mail] as near as we can guess. It’s not a system very many people use or understand, that’s the problem."

"I cannot comment on [the glitch] because I don’t understand it," he said. "I didn’t figure it out, I think the club technical chair [did]. [Tower president] Stephanie [Burset ’09] tried to explain it to me, but I think she doesn’t really understand it either."
[Evan] At least he is honest.

Burset said in an e-mail that Pine, the e-mail system Tower currently uses, is "fairly antiquated, but our tech chairs have assured me that nothing like this can ever happen again," and added that "we plan on switching to a new client whom is more secure and easier to use."
[Evan] I am concerned by statements like "nothing like this can ever happen again". We still don't know why it happened in the first place.

The e-mail was sent by Tower officers from the tower@princeton.edu account to the roughly 200 current club members.

Tower officers sent another e-mail to the club yesterday asking members to delete the message from their mailboxes "out of respect for ’07."

Berzolla said he believes the risk of identity fraud is "extremely limited"

"It’s hard for any kind of fraud to occur that quickly," he said of the incident. "I feel confident that our club members are not going to use this information badly."
[Evan] It only takes one person. It should also be mentioned that one or more of the destination email accounts could be a shared account and that these emails were sent in clear text (subject to the possibility of interception).

"[The breach] would have had to have been intentional [for there to be legal repercussions]," Berzolla said.
[Evan] Do you have to demonstrate intent to argue negligence (The failure to use reasonable care)? I'm certainly not a lawyer, but I think that there are cases where victims have been awarded damages when there was not intent to harm on the part of the defendant. I don't really advocate lawsuits anyway, but I am just stating what seems obvious to me.

Tower will pay for an identity theft protection services for the affected individuals next year.

Berzolla hopes this measure will assuage any possible threat of legal action from former members against the club. "I don’t expect there to be any problems, but just in case," he said.

The social security numbers on the spreadsheet were collected as part of the process of signing in new members several years ago, Berzolla said. Tower no longer requires its members to submit their social security numbers, he added.
[Evan] It is a good practice to not collect information that isn't required to conduct business. The Tower Club would be well advised to go through the information they currently possess and purge the information they no longer need.

Victim Reaction:
"I had no idea this happened, and frankly, I’m baffled and a little pissed off," Valerie McConnell ’07 said

"Now that I know that the social security numbers weren’t sent out on purpose, I’m not pissed off," McConnell said. "I think my identity is ok. I can’t imagine anyone in the club trying to steal my identity (not that there’s a lot to steal right now anyway)."
[Evan] I think I would still be pissed off. Identity thieves are not all stupid. Many of them will hold on to the information for a year or more before using it or selling it.

"[The incident] is a mistake; it shouldn’t have happened," Beylin said in an e-mail. "However, with the number of times I’ve handed out my SSN this year while seeking financial services or apartment hunting, it’s really not my biggest source of concern for identity theft."
[Evan] This is a good point. Have you ever thought of all the times you have given out your Social Security number? All of your employers, schools, insurance companies, banks, mortgage companies, credit card companies, etc. have your number. The same number used for identification and authentication. A recipe for disaster?

Commentary:
The Tower Club does not handle personal information any worse than most other organizations. It seems like they just didn't know any better. It sometimes makes me nervous.

Past Breaches:
Unknown

Injecting IFRAMEs by Abusing Input Validation

Fri, 07 Mar 2008 12:53:50 +0000

More news coverage follows regarding the now fixed, injection of IFRAMEs at high page rank-ed sites owned by CNET Networks, in fact Symantec's Internet Threat Meter monitor for web activities rated it medium risk, and urged extra caution :

"On March 4, 2008, reports of an IFRAME attack coming from ZDNet Asia began to surface. Attackers appear to have abused the ZDNet search engine's cache by exploiting a script-injection issue, which is then being cached in Google. Clicking the affected link in Google will cause the browser to be redirected to a malicious site that attempts to install a rogue ActiveX control. On March 6, 2008, the research that discovered the initial attack published an update stating that a number of CNET sites including TV.com, News.com, and MySimon.com are also affected by a similar issue."

At 19:45 (EET) all of the sites have their input validation checks applied so loadable IFRAMEs can no longer load or be accepted at all, despite that the injected pages are still indexed by search engines. A malicious campaign targeting high profile sites that went online and got taken care of for some 48 hours, that's good.

How was the IFRAME injection possible at the first place? OWASP lists input validation as one of the top 10 injection flaws for 2007, which in a combination with a site's SEO practice of caching pages with the injected input in the form of a keyword and the IFRAME, is what we've been seeing during the week :

"Input validation refers to the process of validating all the input to an application before using it. Input validation is absolutely critical to application security, and most application risks involve tainted input at some level. Many applications do not plan input validation, and leave it up to the individual developers. This is a recipe for disaster, as different developers will certainly all choose a different approach, and many will simply leave it out in the pursuit of more interesting development."

And since I've already established the RBN connection, it would be perhaps the perfect moment to demonstrate the abuse of input validation by injecting the Russian Business Network's Wikipedia entry in exactly the same fashion the malicious IFRAMEs were allowed to be injected at the first place. The bottom line - even with the input validation flaw accepting and loading the IFRAME, this attack wouldn't have been successful if it wasn't executed in a combination with the sites' keywords caching function.

Third Parties Controlling Information

Wed, 27 Feb 2008 02:46:46 +0000

Wine Therapy is a web bulletin board for serious wine geeks. It's been active since 2000, and its database of back posts and comments is a wealth of information: tasting notes, restaurant recommendations, stories and so on. Late last year someone hacked the board software, got administrative privileges and deleted the database. There was no backup.

Of course the board's owner should have been making backups all along, but he has been very sick for the past year and wasn't able to. And the Internet Archive has been only somewhat helpful.

More and more, information we rely on -- either created by us or by others -- is out of our control. It's out there on the internet, on someone else's website and being cared for by someone else. We use those websites, sometimes daily, and don't even think about their reliability.

Bits and pieces of the web disappear all the time. It's called "link rot," and we're all used to it. A friend saved 65 links in 1999 when he planned a trip to Tuscany; only half of them still work today. In my own blog, essays and news articles and websites that I link to regularly disappear -- sometimes within a few days of my linking to them.

It may be because of a site's policies -- some newspapers only have a couple of weeks on their website -- or it may be more random: Position papers disappear off a politician's website after he changes his mind on an issue, corporate literature disappears from the company's website after an embarrassment, etc. The ultimate link rot is "site death," where entire websites disappear: Olympic and World Cup events after the games are over, political candidates' websites after the elections are over, corporate websites after the funding runs out and so on.

Mostly, we ignore the issue. Sometimes I save a copy of a good recipe I find, or an article relevant to my research, but mostly I trust that whatever I want will be there next time. Were I planning a trip to Tuscany, I would rather search for relevant articles today than rely on a nine-year-old list anyway. Most of the time, link rot and site death aren't really a problem.

This is changing in a Web 2.0 world, with websites that are less about information and more about community. We help build these sites, with our posts or our comments. We visit them regularly and get to know others who also visit regularly. They become part of our socialization on the internet and the loss of them affects us differently, as Greatest Journal users discovered in January when their site href="http://barry095.vox.com/library/post/greatest-journal-death.html">died.

Few, if any, of the people who made Wine Therapy their home kept backup copies of their own posts and comments. I'm sure they didn't even think of it. I don't think of it, when I post to the various boards and blogs and forums I frequent. Of course I know better, but I think of these forums as extensions of my own computer -- until they disappear.

As we rely on others to maintain our writings and our relationships, we lose control over their availability. Of course, we also lose control over their security, as MySpace users learned last month when a 17-GB file of half a million supposedly private photos was uploaded to a BitTorrent site.

In the early days of the web, I remember feeling giddy over the wealth of information out there and how easy it was to get to. "The internet is my hard drive," I told newbies. It's even more true today; I don't think I could write without so much information so easily accessible. But it's a pretty damned unreliable hard drive.

The internet is my hard drive, but only if my needs are immediate and my requirements can be satisfied inexactly. It was easy for me to search for information about the MySpace photo hack. And it will be easy to look up, and respond to, comments to this essay, both on Wired.com and on my own blog. Wired.com is a commercial venture, so there is advertising value in keeping everything accessible. My site is not at all commercial, but there is personal value in keeping everything accessible. By that analysis, all sites should be up on the internet forever, although that's certainly not true. What is true is that there's no way to predict what will disappear when.

Unfortunately, there's not much we can do about it. The security measures largely aren't in our hands. We can save copies of important web pages locally, and copies of anything important we post. The Internet Archive is remarkably valuable in saving bits and pieces of the internet. And recently, we've started seeing tools for archiving information and pages from social networking sites. But what's really important is the whole community, and we don't know which bits we want until they're no longer there.

And about Wine Therapy, I think it started in 2000. It might have been 2001. I can't check, because someone erased the archives.

This essay originally appeared on Wired.com.

Laptop stolen from Cross Country Staffing employee

Tue, 12 Feb 2008 09:27:55 +0000

Technorati Tag: Security Breach

Date Reported:
2/8/08

Organization:
Cross Country Staffing

Contractor/Consultant/Branch:
None

Victims:
Employees

Number Affected:
Unknown*

*According to the breach notification "Approximately 45 New Hampshire residents were affected by this incident"

Types of Data:
Names, Social Security numbers, and addresses.

Breach Description:
A laptop was stolen from the car of an employee working for Cross Country Staffing on February 1st, 2008. The laptop contained sensitive personal information belonging to employees of the company.

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

we write to inform you of an information security breach concerning our employees' personal data

On February 1, 2008, a laptop computer was stolen from a corporate employee's car.
[Evan] An unencrypted and unattended laptop containing personal information is a recipe for disaster

The computer contained confidential information about some Cross Country employees, including their names, Social Security numbers and addresses

The stolen computer was password protected, but not encrypted
[Evan] Ugh! There really isn't any excuse for not encrypting laptops that have confidential information on them.

Our corporate employee immediately reported the incident to the local police

We have no evidence that the information stored on the laptop has been accessed or misused
[Evan] The incident happened on February 1 and the letter to the New Hampshire Attorney General is dated February 8. I am not surprised that that there is no evidence that the information had been accessed as it has only been a week. Kudos to Cross Country Staffing for the quick response however.

we are notifying all affected individuals of the possible information security breach via written letter to each affected individual through first class mail, postage prepaid. Mailing will begin on February 8, 2008

We deeply regret this incident

We are reviewing our current policies and procedures with respect to such information and are committed to fully protecting all of the information that is entrusted to us
[Evan] How about not allowing confidential information on laptops and other mobile media or at the very least enforce encryption?

If you have any additional questions about this incident, please contact us tollfree at the following helpline number: 866-372-334

Commentary:
Cross Country Staffing did a fine job by informing affected employees within a week. There was no mention of what controls are in place to prevent a similar breach from occurring again, or what specifically they plan to change. If nothing changes, it will only be a matter of time before it happens again.

ENCRYPT confidential data at rest on mobile devices (with pre-boot authentication and secure key management).

Affected persons are being offered a complimentary 12-month credit monitoring product subscription for what its worth.

Other Cross Country Staffing brands (it is unknown if any are affected):

Past Breaches:
Unknown

Gourmet Recipe Manager

Wed, 30 Jan 2008 18:02:00 +0000

I managed to get this recipe manager installed last night. The instructions for Windows users are pretty old and out of date (the primary audience for this software is in the linux world). But I managed to get it installed and running nevertheless, and if you're reasonably technical, you should be able to do it as well. Once I got the app running for the first time, it immediately appeared to download a boatload of data, which I think was a database of nutritional information for ingredients as well as ingredient/category mappings, and probably other stuff that I've not figured out yet.

From the little I've seen of this app, it looks pretty impressive. I'll keep experimenting and post my findings here.

Here are some hopefully helpful hints if you want to give it a try along with me. I installed all of the items on the "Required Packages" list:

I already had Python 2.5 installed.
The Glade runtime environment was trivial to install.
PyGTK was a little more complicated. Since these instructions were written, it looks like the project was split into three parts, and I think you need all three (which are trivial to install). I installed the latest versions of each for Python 2.5. Once you get all three installed, add the bin/ directory from the GTK into your path and bring up a python command shell (just run python.exe to do this) then type 'import gtk' and if you don't get any errors, you're probably good.

PyCairo
PyGObject
PyGTK

PyWin32 install was trivial.
PIL was also trivial.
PyRTF is python sources, which you'll need to install. Copy the directory to a drive somewhere, then bring up a command shell and CD into the directory you just created. You should find a setup.py file there. Run 'python setup.py install' to install. This is what I'll call a "python install" from now on.
ReportLab also requires a "python install", so do the same thing.
PySqlite2 - the website is down as I write this, so I don't recall what type of install it requires, but I don't remember having trouble with it...
Metakit - this one I couldn't quite figure out how to install, but it appears to be an optional thing.

Once you've installed all of the prerequisites, it's easy to install Gourmet Recipe Manager. It's also a python install, and once you've run the setup.py script, you can launch the program as described in section 3 of the instructions.

Gourmet Recipe Manager

Wed, 30 Jan 2008 18:02:00 +0000

From the little I've seen of this app, it looks pretty impressive. I'll keep experimenting and post my findings here.

Here are some hopefully helpful hints if you want to give it a try along with me. I installed all of the items on the "Required Packages" list:

I already had Python 2.5 installed.
The Glade runtime environment was trivial to install.
PyGTK was a little more complicated. Since these instructions were written, it looks like the project was split into three parts, and I think you need all three (which are trivial to install). I installed the latest versions of each for Python 2.5. Once you get all three installed, add the bin/ directory from the GTK into your path and bring up a python command shell (just run python.exe to do this) then type 'import gtk' and if you don't get any errors, you're probably good.

PyCairo
PyGObject
PyGTK

PyWin32 install was trivial.
PIL was also trivial.
PyRTF is python sources, which you'll need to install. Copy the directory to a drive somewhere, then bring up a command shell and CD into the directory you just created. You should find a setup.py file there. Run 'python setup.py install' to install. This is what I'll call a "python install" from now on.
ReportLab also requires a "python install", so do the same thing.
PySqlite2 - the website is down as I write this, so I don't recall what type of install it requires, but I don't remember having trouble with it...
Metakit - this one I couldn't quite figure out how to install, but it appears to be an optional thing.