Sat, 31 Dec 2005

Here's another good source of basic info on wireless: Microsoft's How 802.11 Wireless Works. Please ignore the part that talks about Zero Conf because, as with any auto-config technology, it has some safety issues. joat: 13:00:00 31 Dec 2005

Fri, 30 Dec 2005

The Full Disclosure Mailing List is discussing Richard Smith's suggestion on how to draw the attention of the NSA. A few thoughts:
- Now why would you want to do that?
- I seem to remember that your IP is commonly included in the headers of traffic originating from the large webmail services.
- Why become a "person of interest" just so's you can be funny for two seconds?
It's not that funny of a joke. joat: 13:30:00 30 Dec 2005

Interlink Networks has a paper on "Wireless Detection and Tracking" that talks about some of the low level stuff, including packet analysis and what amounts to "heat maps". Some of it is a bit dated (WPA, WEP) but it's interesting nonetheless. joat: 13:00:00 30 Dec 2005

Wed, 28 Dec 2005

Please note that the comment-related functions are offline while the system is tweaked. Be nice; those that are working on the system are not being paid to do it. joat: 23:10:31 28 Dec 2005

Bruce Perens is working with Prentice Hall to produce a series of books by various authors called the Open Source Series. A nifty additional feature is that the book becomes available online, for free, a few months after it hits the shelves. joat: 21:30:00 28 Dec 2005

Tue, 27 Dec 2005

While Sean has been tweaking the server, I've been digging around in the odd corners of the site. It seems that, in the 2 or so years the wiki has been up, roughly 96 accounts have been added to the wiki in an attempt to spam/hack it. The wiki adds the account, logs the time and IP and promptly refuses any attempt to change it. (heh) joat: 21:30:00 27 Dec 2005

Mon, 26 Dec 2005

Okay, I'm having too much fun. Worked last night and this morning to get the Digium TDM400P card and the Asterisk software installed and running. In the process, I also figured out where my problem was in installing the IVTV software. (It had to do with the build version in the Makefile for the kernel.) So far, I think I've burned up all the spouse points that I earned earlier in the year. I've added a cheap 900MHz handset to act as the console phone and have driven my wife nuts with the phone (and the laptop) ringing. More stuff to add to The List of Unfinished Projects:
- figure out how to stream live audio to the phone
- "adapt" the NSLU2 (saving up for a USB2 HD)
- learn more about the ivtv modules and MythTV
- get ready for next semester's classes
- get ready for ShmooCon (19 shopping days left!!)
Add that to the stuff already on the list and I'll be busy for at least 6 months. joat: 17:00:00 26 Dec 2005

Sun, 25 Dec 2005

Stand still and watch. You'll see the leading edge of the crack pass by you very quickly. What am I referring to? How about the fracturing of the Internet? InfoWorld has an article about a Dutch company (UnifiedRoot) standing up their own DNS infrastructure, with the intent to run it in parallel to the ICANN managed namespace. Call me a sadistic pessimist but this topic is going to be "interesting" (Chinese curse version) to watch and has a high entertainment potential. This sort of thing has been tried before and has taken some intriguing turns. (Hint: the proposed managers of the .XXX domain are the same people that used to sell you the domain under ALTERNIC, for less money.) You'll need popcorn and some soda for this one folks! (I predict a lot of nasty politics, both external and internal.)

Update: Still think I'm kidding? How about this: the site recommends that DNS owners replace their hints file with one from UR. A quick look at the file reveals none of the normal DNS root servers are included. Yep, that's right, rather than the cooperation the web site touts, they want you to trust them implicitly. This should get interesting quickly. joat: 13:30:00 25 Dec 2005

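A check for the hints-file point above, as an added example (Python; this is not code from the blog and not anything from UnifiedRoot): parse a root hints file in the usual zone-file syntax and report which of the thirteen ICANN root server names (a.root-servers.net through m.root-servers.net) it lists, which names are foreign, whether any listed server is missing its glue address, and whether the file would replace the ICANN root outright. Both hints files in the block are constructed for the example: the alt-root server names and 203.0.113.x addresses are hypothetical, and 198.41.0.4 is a.root-servers.net's IPv4 address.

```python
"""Added example (not the blog's code, not UnifiedRoot's): audit a root hints file."""

# The thirteen ICANN root server names.
ICANN_ROOTS = frozenset(f"{letter}.root-servers.net" for letter in "abcdefghijklm")

# Constructed excerpt in the layout of a named.root hints file (B deliberately
# has no glue line, to show that check).  198.41.0.4 is a.root-servers.net.
OFFICIAL_STYLE_HINTS = """\
; constructed sample for the example
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
"""

# Constructed: a hints file that lists only a hypothetical alternate root.
ALT_ROOT_HINTS = """\
; constructed sample for the example; names and addresses are hypothetical
.                        3600000  IN  NS    ns1.alt-root.example.
ns1.alt-root.example.    3600000  IN  A     203.0.113.10
.                        3600000  IN  NS    ns2.alt-root.example.
ns2.alt-root.example.    3600000  IN  A     203.0.113.11
"""


def parse_hints(text):
    """Return (set of root NS names, {name: set of glue addresses})."""
    ns_names, glue = set(), {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop comments
        if len(fields) < 3:
            continue
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():              # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":        # optional class
            rest = rest[1:]
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), rest[1]
        if owner == "." and rtype == "NS":
            ns_names.add(rdata.rstrip(".").lower())
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner.rstrip(".").lower(), set()).add(rdata)
    return ns_names, glue


def audit_hints(text):
    """Summarise how a hints file relates to the ICANN root."""
    ns_names, glue = parse_hints(text)
    return {
        "icann_roots_present": sorted(ns_names & ICANN_ROOTS),
        "icann_roots_missing": sorted(ICANN_ROOTS - ns_names),
        "foreign_roots": sorted(ns_names - ICANN_ROOTS),
        "ns_without_glue": sorted(n for n in ns_names if n not in glue),
        # True when the file lists servers but none of them is an ICANN root:
        # a resolver primed with it never asks the real root for anything.
        "replaces_icann_root": bool(ns_names) and not (ns_names & ICANN_ROOTS),
    }


if __name__ == "__main__":
    for label, hints in (("official-style", OFFICIAL_STYLE_HINTS), ("alt-root", ALT_ROOT_HINTS)):
        print(label, audit_hints(hints))
```

`replaces_icann_root` being true is exactly the "trust them implicitly" case: every lookup the resolver makes starts at servers the alternate operator controls, so they can answer (or fail to answer) for any name in the ICANN namespace as well as their own.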

Please stand by. The powers-that-be (again, mostly Sean) are working to get the system back up and running. Some of the custom code (mine) has to wait on final system tweaks before I attack it. joat: 04:10:22 25 Dec 2005

Fri, 23 Dec 2005

The site will be offline today. I'll backfill this day's post(s) later. joat: 17:00:00 23 Dec 2005

Thu, 22 Dec 2005

While we're on the subject of DNS tools, dnstop may be a useful tool if you manage a network. It's a bit simple but will keep track of which host is doing how many DNS lookups. For home networks, it's a bit useless as it needs to listen to a gateway feed. You may find it interesting in any case. joat: 21:30:00 22 Dec 2005

Wed, 21 Dec 2005

dnstracer is an interesting tool. It traces information from DNS back to its source. It does this by using non-recursive queries. In other words, if you tell it to trace "shmoocon.org", it'll return the following interesting data:
Tracing to shmoocon.org[a] via 68.10.16.25, maximum of 3 retries
68.10.16.25 (68.10.16.25)
|\___ TLD3.ULTRADNS.org [org] (199.7.66.1)
| |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) Got authoritative answer
| \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) Got authoritative answer
|\___ TLD2.ULTRADNS.NET [org] (204.74.113.1)
| |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
| \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)
|\___ TLD1.ULTRADNS.NET [org] (204.74.112.1)
| |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
| \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)
|\___ TLD1.ULTRADNS.NET [org] (2001:0502:d399:0000:0000:0000:0000:0001) send_data/sendto: Network is unreachable
* send_data/sendto: Network is unreachable
* send_data/sendto: Network is unreachable
*
|\___ TLD6.ULTRADNS.CO.UK [org] (198.133.199.11)
| |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
| \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)
|\___ TLD5.ULTRADNS.INFO [org] (192.100.59.11)
| |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
| \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)
\___ TLD4.ULTRADNS.org [org] (199.7.67.1)
|\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
\___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)
While it shows that there may be a problem with TLD1 (this is likely to be a problem with the tool's ability to handle IPv6 data rather than the server), you can see that the tool queries all of the DNS servers that are known to have the data. (68.10.16.25 is the IP of a DNS server local to me.) This tool also has the ability to detect lame DNS servers (those that are supposed to know the answer but don't) (think misconfigured or damaged secondaries). If anyone is really proficient with this tool, please contact me. I'd like to know if it is useful in detecting record poisoning. joat: 21:30:00 21 Dec 2005

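The mechanics behind that trace, as an added example that is neither the blog's code nor dnstracer's: a non-recursive query is one with the RD (recursion desired) bit cleared, so each server answers only from its own data, and dnstracer's "Got authoritative answer" versus "(cached)" is the AA (authoritative answer) bit in the reply. The block builds such a query, parses a reply, and applies the check the post is asking about: send the same non-recursive query to every nameserver listed for the zone, flag any that answer without AA (lame), and flag disagreement between the authoritative answers, which is what a stale or tampered secondary looks like. The replies are constructed by `make_reply()` for the example (nothing goes on the wire) and the server labels `ns0`, `ns-stale` and `ns-lame` are hypothetical. Two caveats: this compares the authoritative servers with each other, so poisoning of a recursive resolver's cache only shows up if you also compare the resolver's own answer (an RD=1 query to it) against that set; and the `sendto: Network is unreachable` lines in the trace above are the local kernel reporting that it has no route to that IPv6 address, so that server was never actually asked.

```python
"""Added example (not the blog's code, nor dnstracer's): RD-cleared queries,
the AA bit, and a lame/disagreement check over a set of replies."""
import struct


def _encode_name(qname):
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, recursion_desired=False):
    """DNS query packet (qtype 1 = A).  RD is bit 8 of the flags word; dnstracer clears it."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + _encode_name(qname) + struct.pack("!HH", qtype, 1)


def make_reply(query, ip, authoritative):
    """Constructed reply standing in for a real server: one A record, AA optional."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if authoritative else 0)           # QR, [AA]
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # Answer owner name is a compression pointer (0xC00C) back to the question.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata
    return header + query[12:] + answer


def _read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                                # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Header flags plus the A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                                 # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "aa": bool(flags & 0x0400), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": answers}


def check_authoritative_set(replies):
    """replies: {server label: raw reply to the same RD=0 query}.
    No AA bit means the server is lame for the zone; authoritative servers
    that disagree on the A rrset point at a stale or tampered copy."""
    lame, rrsets = [], {}
    for server, raw in replies.items():
        parsed = parse_response(raw)
        if not parsed["aa"]:
            lame.append(server)
            continue
        rrsets[server] = frozenset(ip for _, ip, _ in parsed["answers"])
    return {"lame": sorted(lame),
            "conflict": len(set(rrsets.values())) > 1,
            "rrsets": rrsets}


if __name__ == "__main__":
    q = build_query("shmoocon.org")                              # RD cleared
    replies = {"ns0": make_reply(q, "192.0.2.10", True),        # hypothetical servers
               "ns1": make_reply(q, "192.0.2.10", True),
               "ns-stale": make_reply(q, "198.51.100.7", True),
               "ns-lame": make_reply(q, "192.0.2.10", False)}
    print(check_authoritative_set(replies))
```

To run this against real servers, send `build_query(...)` over UDP port 53 to each nameserver's address and feed the raw datagrams to `check_authoritative_set()`; the parsing and the check do not change.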
Tue, 20 Dec 2005

If PJ (at Groklaw) ever gets around to writing a book on the SCO v. The World cases and I fail to notice it, will y'all let me know? If she can sort out the mess, I'd enjoy reading about it. In any case, more hand-waving and finger-waggling is slated for 22 Dec. Anyone know how much it is to buy just one stock (currently at $4.01) and have it framed? joat: 13:00:00 20 Dec 2005

Mon, 19 Dec 2005

The Worm Blog has some initial comments on the Dasher worm. There's also some comment about Dasher.C. joat: 21:30:00 19 Dec 2005

Sun, 18 Dec 2005

Offensive Computing may be a site to keep an eye on. Their stated purpose is to improve computer/network security via analysis of malware. joat: 21:30:00 18 Dec 2005

Sat, 17 Dec 2005

"The powers that be" (Sean mostly) have stated that the server swap will occur this week. While the wiki shouldn't be affected as I already maintain it on the new server, there may be some glitches in the rest of the site. Please excuse any vagaries. joat: 21:35:00 17 Dec 2005

Just spent the last hour removing spam from the queue for the blog. I feel another spam hunt coming on. Every single one of the incest and bestiality ads pointed at web servers in the continental U.S. joat: 21:30:00 17 Dec 2005

I've just altered my Bloglines subscriptions to remove the Geek Style feed. Visiting that site causes pop-up advertisements (even in a Linux-based Firefox install). I don't know about anyone else but I feel that I read are either geek-related or personal. With Geek Style, it's the usual low-grade crap in the pop-ups. Example: The usual "Your system is infected with spyware. Click here to scan for it." message. (Hint: I'm not running Windows on this laptop.) Babak, if you read this, I think the ads are getting into your blog via your webstats4u logo/link. Read this post at JNode and the following excerpts from the WebStats4U Terms of Service:
- WMS entitles users to access to a variety of on-line and interactive on-line services (the "Products and Services"). Some of the Products and Services are supported by advertising, enabling WMS to provide them to you at no cost. When you use these free services, you agree to allow WMS to display advertising, including third party advertising, through the Products and Services.
- With the installation of WebStats4U on the site it is accepted that WMS has the right to place advertisements on the site in any format or through any channel, including but not limited to e-mail, layer ads, pops, banners and other usual formats without any forewarning and it is furthermore accepted that WMS takes no responsibility for the advertising content and that WMS shall not be liable for any losses incurred regarding this advertising.
I find anything more obtrusive than Google Ads to be offensive. Google Ads are passive and easily ignored. I'll probably resubscribe at a future date but only after the WebStats4U thingy goes away. joat: 21:30:00 17 Dec 2005

Fri, 16 Dec 2005
Thu, 15 Dec 2005

Is there any way we can strip a Doctorate from someone absolutely clueless? Dr. Carrigan believes that the Internet is wide open to infection from alien (as in off-world) computer viruses. I have problems with a number of his anthropomorphised assumptions:
- Where'd they get the 8086-series chips? Dr. Carrigan seems to assume that silicon and the various doping elements are as plentiful there as they are here.
- Are they running Microsoft Windows? If so, how are they getting their updates? I assume they'd be easy to track on Patch Tuesday. Also, I believe Bill would like a word with them about licensing. Actually, taking into account the speed of light, it means that Windows was in use decades (if not centuries or millennia) before its availability here on Earth. We may need to talk to Bill about his patents and licensing practices.
- Infection by off-planet source would happen in one of two ways: either intentionally or accidentally. If intentional, it means they know we're here and network infection is likely to be the least of our problems. (Somebody call Tom Cruise!!) If unintentional, we need to prompt the anti-virus industry that they need to start including sub-routines to counteract alien worms and viruses.
- If there is a risk of infection from extraterrestrial sources, what risk do we pose to the galactic community with the problems that we have in our networks? Could that be why no one has contacted us yet? (All claims by the UFO community aside.)
In any case, I hereby nominate Dr. Carrigan to be the recipient of a Reynolds Wrap hat. Shiny side out, dude! Update: the above is a bit dated and lived in my slush pile for a bit but is still amusing. joat: 21:30:00 15 Dec 2005

Wed, 14 Dec 2005

This will be a hint to tell how old I am (at a minimum): I'm excited about discovering the TMBG podcast feed. To those that are Britney's age or younger (or those who've never heard of Login Whitehurst), TMBG is short for "They Might Be Giants". Where else can you hear a band sing in the style of Yes, Rocky Horror, the Beatles, and Leon Redbone? Then again, try getting through the day with Birdhouse in Your Soul and Happy Noodle doing battle in your head. joat: 13:00:00 14 Dec 2005

Tue, 13 Dec 2005

Here is an analysis of MP3.com's Beam-It protocol which is used to verify that a user actually owns the CD they want to stream. Something I never really understood: why employ a lower quality stream when you already have the CD? joat: 13:00:00 13 Dec 2005

Mon, 12 Dec 2005

Took a power hit this weekend. Lost a stereo and my home network has been acting funny ever since. I thought that I'd lost the router that acts as my IPv4/IPv6 gateway because it'd only work for a few minutes at a time. Turns out that I was wrong. I'd forgotten about the print server I had picked up a few months ago (my wife is the only one that uses it). I'm not sure if it's permanently damaged yet but the network came back when I unplugged it. In any case, I'm relieved and my wife is pissed. (Keep in mind there's only one print server and two spare AP's.) I'm in trouble! joat: 21:35:00 12 Dec 2005

Sun, 11 Dec 2005

Not that it's new but I received one from a friendly Mytob worm that I hadn't seen yet. It was from veeby@fbi.gov and said "Here are your bank documents." So, if your IP is 202.177.156.97 (India), please take a look at your system. It's infected. joat: 13:00:00 11 Dec 2005

Sat, 10 Dec 2005

I'm searching for stuff to listen to for an upcoming trip to DC. If anyone has any sources for non-music content, please forward 'em. Hint: stuff from recent cons and the usual podcasts, I already have. joat: 14:14:37 10 Dec 2005

Fri, 09 Dec 2005

It's old news (2 days) now but 802.16e has been ratified. It's important to wireless because it provides extensions to 802.16 that improve mobility (hand-offs between cells) and streaming media. Between this, podcasting and BPL (at least the noise generated by it), we may see some damage to the AM radio business. joat: 21:30:00 9 Dec 2005

Thu, 08 Dec 2005

No post today, I'm taking the evening off to attend "finals", also known as the class party at the Biergarden in Portsmouth. They have a highly addictive form of potato soup that has beef chunks and spaetzle in it and I'm planning on at least two bowls. joat: 21:30:00 8 Dec 2005

Wed, 07 Dec 2005
Tue, 06 Dec 2005
Mon, 05 Dec 2005

I'm a bit nervous when the term Information Warfare is used in relation to a website, as the Information Warfare Mailing List suffers from bouts of tangential politics, but the IWS appears to be a good site to read. It has a lot of good documents for communications security and InfoSec basics. joat: 21:30:00 5 Dec 2005

Sun, 04 Dec 2005

It's a bit trivial, but knowing more about your root servers is a good thing to know. joat: 21:30:00 4 Dec 2005

Sat, 03 Dec 2005

Linux.com has a "CLI Series" piece on netcat. This is yet another good-to-know tool in the netadmin/sysadmin/power user toolkit, especially for the beginner. joat: 13:07:05 3 Dec 2005

Fri, 02 Dec 2005

Can RSS hijacking really be that much of a threat? If it is, I'll modify previous statements about RSS being a viable vector for malicious code. It still wouldn't be a good vector for the spread of malicious code but it might be a usable vector for the introduction of malicious code. joat: 21:30:00 2 Dec 2005

Thu, 01 Dec 2005

My entire exercise in getting CounterPath's (XTEN) X-Lite softphone to run under Wine (as logged in the wiki) has been rendered a moot point. I've discovered that they also have versions for Mac and Linux via their download site. Note: this isn't a new development. Chalk it up to my not noticing. joat: 21:30:00 1 Dec 2005

Wed, 30 Nov 2005
Tue, 29 Nov 2005

I've re-org'd the Asterisk page and have added a bit of work to the "sip.conf" setting descriptions. Think of it as yet another of my (ongoing) unfinished projects. Hopefully it'll help someone. Let me know if it does? joat: 21:30:00 29 Nov 2005

Mon, 28 Nov 2005

joat: 13:00:00 28 Nov 2005

Sun, 27 Nov 2005

While we're on the clueless security rant, here's one that I heard on the radio tonight. A syndicated personality, known as "Troubleshooter Tom Martino", has a consumer-centered talk show. As I was driving back from the grocery store this evening, Mr. Martino was ranting that iPods are susceptible to viruses via podcasting and stating that "we need anti-virus software for our iPods". Would someone in Denver please ring up Tom and tell him the problems with his logic? Stuff like:
- iPods are not x86 or Windows-based. Ask him to name one ARM or MIPS based virus that's capable of self-replication.
- Podcasts are normally delivered from static, one-way sources. For a podcast to become infected, it (theoretically) would require malicious action on the part of the podcast author. There's no two-way data feeds involved.
- RSS feeds are not like e-mail. They don't mysteriously show up on your iTunes list. You have to subscribe to them. In other words, there's a certain amount of reputation and trust involved with podcast sources.
In short, there are too many things missing from the environment that would support malicious code. "It ain't gonna happen." Instead, Mr. Martino should be ranting about virus scanners for our cars. There are models out there that run versions of MS Windows. joat: 23:00:00 27 Nov 2005

I fear that I may have angered some fellow CISSP's. If I haven't said it before, I like to argue. I'm even willing to take positions that I don't necessarily believe in. However, this isn't one of those cases. In a recent discussion, I took the stance that "risk = threat X vulnerability X asset replacement cost" is not a good formula for sound business decisions. I will admit to having "poked fun" at their belief that the above is a "security formula". It isn't. It's a business formula, used to decide how much money is safe to throw at a department with no ROI. I took the stance that the formula is usually a rationalization used to support a business decision that's already been made. That the formula comes from a "recognized" organization of security "professionals", makes it that much more of a problem. My argument follows... Let's get "threat" and "vulnerability" out of the way. Both are binary in nature or, at least, that was the original intent. You either have the vulnerability or you don't. If you have the vulnerability, it's either exposed or it isn't. The formula becomes "risk = (1 or 0) X (1 or 0) X asset replacement cost". You can state that "threat" and "vulnerability" are quantitative values ("1" or "0") unless you attempt to put a "degree" on it. If the terms "degree" or "percentage" are applied to either value, that value becomes subjective and I no longer have to argue the point. Unfortunately, you'll usually hear "degree of exposure" or threat described as a percentage (i.e., "how much of a threat is it?"). The real trouble lies within "asset replacement cost". It's an oversimplification and a subjective value hiding behind a number. (i.e., it isn't quantitative!) Don't think so? Try this:
- The basic "asset replacement cost" works best with a standalone system. If it's connected to any other asset, networked or not, the value quickly becomes a WAG (nice version: Wild Assumed Guess) (not-so-nice: drop "um" from the middle word and add a hyphen between the first two words).
- The basic "asset replacement cost" works best with a dedicated system. In other words, it's not used for anything else. If the system is used for any additional function, "asset value" gets complicated and other systems may be dragged into the equation. If the equation is artificially limited to the system under discussion, the value loses its integrity.
- "Asset replacement cost" is only valid when applied to hardware or programs. It fails horribly when applied to data. Normal business types will attempt to say that data replacement cost is nil ("we have a backup, don't we?"). I've yet to see any organization, outside of federal, that will attempt to actually recover "lost" data. Oh, and a law suit does not meet the definition of "recovery". At best, an organization might take into account penalties for lack of due care and/or due diligence.
The end result is that the formula usually ends up being "risk = estimate X guess X stubbornly narrow error", losing its security "value" entirely and becoming a rationalization for a business action that might not improve security at all. In any case, I enjoyed the argument, though it would have been better demonstrated if a white-board was involved. I also won't deny that I enjoyed tormenting two people who actually needed it. Many people who obtain certifications often "stop" once they get them. If a person stops thinking about (and practicing) security, the certification becomes little more than a badge to hang on the wall. Thoughts? joat: 17:00:00 27 Nov 2005

Sat, 26 Nov 2005

What comes out of the "First Responder Standard" should be interesting to watch. Various groups have attempted this. The main stumbling block is the lack of a common infrastructure (e.g., radio frequencies, communications protocols, etc.). joat: 21:30:00 26 Nov 2005

Fri, 25 Nov 2005

I highly recommend O'Reilly's book, "Switching to VoIP" by Ted Wallingford. If you're messing around with Asterisk, it's a good book to have. While there's not a whole lot on setting up Asterisk, it is a good reference for theory and troubleshooting. joat: 21:30:00 25 Nov 2005

Thu, 24 Nov 2005

Happy Birthday to son Jonathan! Happy Bird-Day to everyone! joat: 21:30:00 24 Nov 2005

Microsoft's Office 12 product looks like it's going to be a pretty slick product. After a "first look", I like it. However, I could have gone without the marketing approach that the Redmond Dog & Pony Show used. They seem to have taken a page from the Presidential Race strategy guide, where you say little about what you can do and verbally deride all of your competitors. The part that struck me as a bit odd was about interoperability, a point which they stress repeatedly when talking about the Office 12 product. It's taken me almost a month, but I think that I've finally figured out what they meant by the term: they're not talking about platform interoperability, they're talking about interoperability between Office 12 products! [*sarcasm on*] Now there's something new. [*sarcasm off*] Just call me "slow" this month. Microsoft almost "gets it". They've said that they're going to allow others to "use" their document format via a free license. The only restriction appears to be "with attribution to Microsoft". What "attribution" means may be a sticky point in the future. I need to find a copy of the EULA and license agreements they're using.

Update: Is this a case of schizophrenia? How can something be patented and open source at the same time? Seems that the open source format has been submitted for patent in certain countries... This will be interesting to watch as it unfolds. joat: 15:17:40 24 Nov 2005

Wed, 23 Nov 2005
Tue, 22 Nov 2005

It happened almost a week ago but... Brian Carrier has posted a new issue of "The Sleuth Kit Informer", a newsletter he writes in conjunction with the Sleuth Kit. This issue talks about the new license for the Sleuth Kit and about changes to the ils tool. joat: 13:00:00 22 Nov 2005

Mon, 21 Nov 2005
Sun, 20 Nov 2005

Monoculture is a recognized problem when discussing malicious code. It's what amplifies the effects of malicious code to the point where it can have devastating effects. Here is another paper from last year's WORM, this one describing a method called synthetic diversity as a method for combating malicious code. It's an interesting read but I disagree with most of it for a number of reasons:
- Synthetic diversity within a program can only go so far. While the techniques may reduce the number of attack points within a program, it won't remove them entirely. Add millions of users to that situation and diversity within a program that does the same function, time after time, becomes a bit shallow.
- As always, adding complexity isn't a good response to lessen vulnerabilities. The KISS principle is better.
- Diversity can only be provided via a small number of methods. It wouldn't take long for the "bad guys" to adapt. Even if more methods were developed, it would lead to an already familiar type of arms race.
Anyone care to argue for or against? joat: 13:00:00 20 Nov 2005

Sat, 19 Nov 2005
Fri, 18 Nov 2005

I hereby declare the novelty of podcasting as officially dead and that the technology is now mainstream. While searching for additional content to listen to during this week's commutes, I noticed that the "usual suspects" also have their own podcasts. The "usual suspects" include the panorama of pseudo-science, fake grass-roots sock puppet, conspiracy theorist, and hate types. The good news is that I did find some new security and tech-related casts to listen to (for a list, see my Bloglines subscriptions link at the top of this page). joat: 13:30:00 18 Nov 2005

Here is a collection of notes that relate to network operations. joat: 13:00:00 18 Nov 2005

Thu, 17 Nov 2005

AWK is one of those "things" that you very quickly (you wouldn't believe how quickly) forget if you don't use it continuously. It's also a very powerful tool to have. Here is a tutorial for it. joat: 13:00:00 17 Nov 2005

Wed, 16 Nov 2005

I've loved Zyxel modems for many years. However, they've lost points with me for thinking that undocumented or hidden equates to secure. What's that old line about repeating history? [*sigh*] joat: 22:30:00 16 Nov 2005

O'Reilly has a quick tutorial for GraphViz. This is valuable if you draw a lot of flow charts or relationship drawings. joat: 13:00:00 16 Nov 2005

Tue, 15 Nov 2005

It's a bit dated but SANS has a good piece on DNS poisoning. It describes some of the issues and lists a few mitigations. joat: 13:00:00 15 Nov 2005

Mon, 14 Nov 2005

Too much time on your hands? Why not entertain yourself by watching the headers of the sites that you visit and see what sort of extra cruft is included? joat: 13:00:00 14 Nov 2005

Sun, 13 Nov 2005

Everyone should steer clear of the "Nothing joke". The joke has been stretched so far that when it does fail, Nothing will be funny. Nothing is sacred. According to the theory of relativity: Nothing travels faster than light, Nothing existed before the Big Bang and Nothing can have negative mass. In the real world, Nothing is perfectly symmetrical and, for most of the time, Nothing changes. When you're sick: Nothing tastes good, Nothing is interesting and Nothing really matters. Then again, Nothing is better than sleep to help you get better. A lot of parents end up sending their kids to college to learn Nothing. Many of those students think that Nothing is harder to learn than Calculus. If those students learn Nothing, their parents tell them that they're good for Nothing. That's about it for the puns. (I'm hiding Nothing.) Please contribute Nothing to further the joke. SCO: you started this! joat: 16:00:00 13 Nov 2005

Hmm... I may be in trouble here: It's roughly six weeks until Christmas and roughly nine weeks until ShmooCon. I have more shopping done for the latter than for the former. (If you're married, ignore the rest of this. You already know the futility of the thought(s).) How can it be my fault though? She still hasn't filled out her wish list! joat: 13:30:00 13 Nov 2005

Some of it is vendor-centered but this site has a lot of good hardware info. joat: 13:00:00 13 Nov 2005

Sat, 12 Nov 2005

I've disabled the blogroll provided by Blogrolling.com as issues with their server(s) were preventing this page from loading. If things don't clear up soon, I'll probably move to a static list. joat: 21:30:00 12 Nov 2005

OpenRCE has a pointer to a quick binary analysis of Skype. Short but very interesting. joat: 13:00:00 12 Nov 2005

Fri, 11 Nov 2005

Let's see if I can re-explain it (without shouting) for those that still think that I'm anti-MS: it's the marketing aspect that I like to poke fun at, not the tech. Example: the ongoing OpenDocument bickering. The marketing department would like you to think that Massachusetts is going to require Linux and OpenOffice. I doubt anyone who reads this blog is confused but just in case, THEY'RE NOT THE SAME!! (sorry) OpenDocument is a document format, not a program. MS Office could save files in OpenDocument format with no more difficulty than saving in .RTF or .TXT formats. If MS doesn't adopt the format, we'll probably see it as a third party plug-in. So what's the controversy? Why the smoke and mirrors from Redmond? How about the "free flow of data in and out"? With the OpenDocument format, MS no longer owns any part of your documents, rather than the current proprietary format where they own the font, the metadata format, and the file storage format. MS's risk in adopting the OpenDocument format? Loss of user "lock in" (many companies initially adopt MS Office because it's considered the "industry standard"), loss of font "lock in" (many fonts are proprietary to MS Office), loss of feature "lock in" (a common format is just that: common, and people will come to prefer interoperability over proprietary features)(will anyone miss fighting Word's auto-formatter?). I've had to explain this issue multiple times this week. Hopefully those in the State Government can recognize the difference. Unfortunately, it's entirely possible that one or more of those people can be hired to influence the rest. Update: Here's yet another view and reason for "the stink". joat: 14:30:22 11 Nov 2005

Thu, 10 Nov 2005

Here's an in-depth analysis of BitTorrent. joat: 21:30:00 10 Nov 2005

Wed, 09 Nov 2005

Not a whole lot of time to post this week. Was playing with the logs offline. Odd thing: out of the 800 or so Google referrals in the last month, over half of them were queries about dsniff. Okay, what are y'all up to? joat: 21:30:00 9 Nov 2005

Tue, 08 Nov 2005

If not, stop reading this and get out there. I don't know about the other 49 states but Virginia has lived through a very nasty election campaign for Governor. Nothing but negative ads during prime time. I swear, if the independent had bought one commercial last night and did one "clean" commercial, he'd probably be Governor Elect tomorrow. joat: 17:30:00 8 Nov 2005

Mon, 07 Nov 2005

I'm looking for a technical reference that explains just how the message ID for an e-mail passing through an Exchange box is created. Is it entirely random or is at least part of it "readable" in a manner similar to those generated by Sendmail? joat: 13:00:00 7 Nov 2005

Sun, 06 Nov 2005

Jim's Pond has a set of Einstein quotes that I'm enamoured of:
- Any intelligent fool can make things bigger and more complex... It takes a touch of genius - and a lot of courage to move in the opposite direction.
- Anyone who has never made a mistake has never tried anything new.
- Problems cannot be solved by the same level of thinking that created them.
joat: 13:00:00 6 Nov 2005

Sat, 05 Nov 2005

This is getting really, really old. All along, I've had to put up with stupid-big levels of ARP storms. For the last 2 months, I've had to live with periodic outages (6-7 times per day). I'm not the only one. Three other Cox users at the local user group meeting are also noticing it. And it must be wider spread than I thought as Leo Laporte is having to answer questions about it. Hey Cox! WTF? joat: 19:17:50 5 Nov 2005

Fri, 04 Nov 2005
|
|
Because Arthur asked, I'm adding my scripts for tracking Windows systems
to the wiki. The scripts are short and sweet, describing them is a bit
involved. Keep tabs on my work here.
joat: 21:30:00 4 Nov 2005

Thu, 03 Nov 2005
Cool. The VoIP Threat Taxonomy document is on the streets. I contributed by providing a little bit of content and a whole lot of argument. (My name is on page 6!) Those that know me want the subtitle "Loudly & At-Length: Yet More Evidence That Tim (err.. joat) Likes to Argue" (heh)
joat: 22:30:00 3 Nov 2005

Wed, 02 Nov 2005
[*sigh*] How many times must we see this happen? Sony should be ashamed of themselves. Sorry, it's probably already blogged to death, but I couldn't resist. Is there any sort of EULA embedded in the packaging or can we sue Sony for doing what two people were sent to jail for last month?
joat: 22:30:00 2 Nov 2005

Tue, 01 Nov 2005
InfoSec Writers has part
two on their article about cookies. (Part 1 was blogged last Saturday.)
joat: 13:00:00 1 Nov 2005

Iron Geek has an article about finding rogue shares within your network. The idea is aimed more at the corporate network rather than the home network. IG used Windows-based tools but you can gain similar capabilities with *nix-based tools. With a bit of Perl, you can tie MySQL to nbtscan, nmblookup, and smbclient to get (and maintain) a pretty good picture of your network. With a bit more Perl coding, you can watch for unauthorized systems being plugged into your network and, depending on the OS employed, you can even grab MAC addresses remotely (yes, from outside of the local network segment). I still have some of the scripts lying around here. If anyone wants 'em, let me know. The majority of them are just wrappers for the tools named above; most of 'em aren't pretty.
joat: 13:00:00 1 Nov 2005

Mon, 31 Oct 2005

Sun, 30 Oct 2005
HackerPort is a project intended to design a USB I/O interface. Something to keep an eye on.
joat: 13:00:00 30 Oct 2005

Sat, 29 Oct 2005
joat: 14:00:00 29 Oct 2005

Fri, 28 Oct 2005
Tripped across this
listing of free operating systems while checking up on BeOS. Count
how many you've heard of. I've heard of 16 of them and used 6.
joat: 12:00:00 28 Oct 2005

David Bianco, a friend and former SANS mentor of mine, has announced the formation of the Hampton Roads Snort Users Group. The first meeting is slated for 7 p.m., Dec. 1st at the Williamsburg Regional Library, 515 Scotland Street, in Williamsburg, VA. The speaker will be Jason Brvenik from Sourcefire. Please read the announcement (link is above) for more info.
joat: 12:00:00 28 Oct 2005

Thu, 27 Oct 2005
The Register has an article which describes Microsoft's plan to dump SSLv2 for TLSv1 in IE7. While their intentions are good, it's the following that piques my funny bone: "As part of Microsoft's "secure by default" design philosophy, IE7 will block encrypted web sessions to sites with problematic (untrusted, revoked or expired) digital certificates." Along with their increase in security, I hope Redmond has increased their attention to detail. Anyone remember certain lapses in ownership of certain domains in the recent past? There are only so many honest people, like Steve Cox or Michael Chaney, out there. There are a lot more dishonest people out there looking to create mischief or earn a quick buck. My offer to Mr. Gates (to host cron'd reminders for domain renewal) still stands if he wants it. (heh)
joat: 12:00:00 27 Oct 2005

Wed, 26 Oct 2005
Just spent a half-hour or so playing around with the X-Lite soft phone, getting it to run under Wine. The good news is that it works. The bad news is you may be limited to running it under KDE. It works under AfterStep but sometimes the menus don't pop up properly and it attempts to use a couple of "hooks" in AfterStep that aren't there. It works under KDE but KDE isn't exactly my favorite WM. In any case, notes are in the Wiki.
joat: 12:00:00 26 Oct 2005

Tue, 25 Oct 2005
Here's a Ballmer quote (about Vista): "Most people will trust it from day one on their home computer..." I reserve the option to make further comment at a later date.
joat: 12:00:00 25 Oct 2005

Mon, 24 Oct 2005
Whitedust has an article which discusses the maintenance of your network's security by being familiar with what "normal" is. Just about the only point in the article that I disagree with is in the opening sentence: "While not absolutely required, it is ideal to have working knowledge of how an Ethernet network operates from a low-level perspective." I strongly disagree with this. It is imperative that you be familiar with your network to be able to operate it securely.
joat: 12:00:00 24 Oct 2005

Sun, 23 Oct 2005
A friend was recently concerned about the high number of inbound port 22 (SSH) connections he was getting. Another TWUUG'er suggested using iptables to slow down the brute force attacks (it uses the "recent" module). I've added the config to the wiki.
joat: 12:00:00 23 Oct 2005

Sat, 22 Oct 2005
I was looking for info on 802.11i and came across this site. I'm sorry but, regardless of the quality of the information available via the site, I won't use sites like that. (Notice that actual content on the site takes up less than a third of the page. The rest is Google Ads.)
joat: 14:07:16 22 Oct 2005

Here's a site that discusses the effectiveness of various Captcha schemes.
joat: 12:30:00 22 Oct 2005

Fri, 21 Oct 2005
Bloglines has made some small-but-important modifications to their site. One includes mapping navigation keys to the page, so that you can navigate through articles or folders without having to use the mouse. The new feature I appreciate the most is the change to the new message count. It's now a combination display of new messages and keep-as-new messages. Example: (2:5). It's a small thing but saves me a lot of time while navigating their site.
joat: 12:00:00 21 Oct 2005

Thu, 20 Oct 2005
Well, the lack of controls on the USB interface is finally being exploited. The BlackDog product runs Linux on a USB device and pops up windows on Windows (no reboots needed). The device can even (supposedly) access any network that the host computer has access to. If you "do" security, this should scare the crap out of you. The video of the demo and the FAQ are interesting.
joat: 22:53:46 20 Oct 2005

Adding memory to my old junker improved things so well that my wife
broke her long standing rule (of me not touching her computer) and had
me do the same for hers. Between that and the new USB printer server
(both of which I got out of clearance bins at local stores), I've gained
mega-spouse points! (heh)
joat: 20:30:00 20 Oct 2005

Wed, 19 Oct 2005
The comments function should be fixed, for now. The disk is still short on space so it may pop up again.
joat: 12:30:00 19 Oct 2005

I checked today and I still have a lot of extra gas in my spleen so I guess I'll vent again... What bright mind decided that the time to install updates is during the shutdown process? We use XP as the host systems for VMs at school. The class ran a little late and we were asked to help by shutting down and removing the hard drives. Nothing like noticing "Installing 1 of 9" in response to your clicking on "Shutdown". Grr...
joat: 12:00:00 19 Oct 2005

Tue, 18 Oct 2005
The Worm Radar site might be
valuable during the next major outbreak.
joat: 12:00:00 18 Oct 2005

Mon, 17 Oct 2005
For those not paying close attention, the Shmoo Group has chosen some of the topics for the Spring Con.
joat: 21:45:00 17 Oct 2005

I panicked, earlier, when I checked this morning's post and saw that each of the enumerated items all started with "1.". Chalking it up to too-many-hours-typing-into-a-Wiki, I'd intended to fix it from class this evening. Now that I have a non-IE browser pointing at it, I realize that I hadn't hosed the post. Rather, it was IE's lack of standards compliance (it didn't recognize the <ol> tag properly) that caused the crappy looking entry. Heads up MS, that's standard HTML that your browser isn't recognizing! Embrace-and-extend? [*snicker*] Someone remind me to grab screen shots tomorrow! Update: Here they are... The one on the left is Firefox. The one on the right is IE. 'Nuff said?
joat: 21:40:00 17 Oct 2005

Consider this as another of my you-need-to-know-what-normal-is rants. About five years ago, a couple of us (at a previous job) wrote a script to process DNS log files to watch for systems suddenly performing massive amounts of DNS lookups. In other words, watching for infected systems. Someone recently wrote a paper on this same topic and has received a bit of notoriety for it. There's no black art to it. It's pretty easy to kluge together.
- First be sure that your internal DNS server can handle a heavier load. I recommend running a dedicated server using BSDi (even an older version) because the load that BIND puts on BSDi is barely noticeable.
- Turn on querylog. It'll generate log entries like:
Oct 15 09:18:37 desk named[13556]: client 127.0.0.1#33023: query: www.google.com IN A +
Oct 15 09:18:56 desk named[13556]: client 192.168.2.5#1301: query: www.cisco.com IN A +
- Obviously, Perl is perfect to extract data from these log entries. Write a script to parse each line and insert the data from the line into a MySQL or Postgres database.
- Then use Perl, PHP, Ruby, or [insert your favorite language here] to extract the data in different "views", such as total-queries-by-client, total-queries-by-network-per-minute (or hour or day), total-individual-queries-per-minute-by-target, etc.
- To go along with these data "views", it's usually helpful to graph the generated metrics for simple crayon-understanding graphics. To be useful, you'll want graphs for the last hour, the last day, the last week and the last month, along with a user-configurable graph generation script, so that you (or someone else) can make quick interpretations and make comparisons to previously collected data.
- Finally, you'll want a script to periodically clean up the log file, either archiving it or deleting it. Running querylog full-time will generate massive log files. It may also be a good idea to write scripts to aggregate the data in the database server, keeping only generic statistical totals for data past a certain age.
Collecting/analyzing metrics such as these is well within the talents of the average network admin (and is usually free). I'm amazed that companies are willing to shell out big $$$ for something as simple as this. If you have anything to do with network administration, this is something that you should be able to do. If you "own" a network, this is something that you want at least one of your network admin or security types to do. (Think of it as being able to gather and analyze data for troubleshooting.)
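As an added example (not joat's script, nor the paper he mentions), here is the parse-and-view step in Python: it parses querylog lines of the shape shown above, builds the per-client-per-minute and distinct-targets views, and flags clients above a threshold. The sample log lines and the threshold of 10 queries per minute are constructed for the demo; a real threshold comes from your own baseline.

```python
"""Spot hosts making unusually many DNS lookups from BIND querylog lines."""
import re
from collections import Counter, defaultdict

# Matches querylog lines of the shape shown in the post:
#   Oct 15 09:18:56 desk named[13556]: client 192.168.2.5#1301: query: www.cisco.com IN A +
# BIND pads single-digit days with a space, hence " +" after the month.
QUERYLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) named\[(?P<pid>\d+)\]: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)


def parse_line(line):
    """Return the fields of one querylog line as a dict, or None for non-query lines."""
    m = QUERYLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Bucket key with the seconds dropped, e.g. "Oct 15 09:18"
    rec["minute"] = f"{rec['mon']} {rec['day']} {rec['time'][:5]}"
    return rec


def queries_per_client_per_minute(lines):
    """The total-queries-by-client view, bucketed per minute: {(ip, minute): count}."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["ip"], rec["minute"])] += 1
    return counts


def distinct_targets_per_client(lines):
    """How many different names each client asked for; infected hosts tend to fan out."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            targets[rec["ip"]].add(rec["name"].lower().rstrip("."))
    return {ip: len(names) for ip, names in targets.items()}


def flag_noisy_clients(lines, per_minute_threshold):
    """Return [(ip, minute, count)] for every client/minute bucket above the threshold.

    The threshold is a site-specific assumption: derive it from your own
    "normal" baseline (the last-hour/last-day views), not from this constant.
    """
    counts = queries_per_client_per_minute(lines)
    return sorted(
        (ip, minute, n)
        for (ip, minute), n in counts.items()
        if n > per_minute_threshold
    )


# Constructed sample log: the two lines from the post, a normal second query,
# a line that isn't a query at all, and one client (192.168.2.77) fanning out
# to twelve different names inside a single minute, the pattern to look for.
SAMPLE_LOG = [
    "Oct 15 09:18:37 desk named[13556]: client 127.0.0.1#33023: query: www.google.com IN A +",
    "Oct 15 09:18:56 desk named[13556]: client 192.168.2.5#1301: query: www.cisco.com IN A +",
    "Oct 15 09:19:02 desk named[13556]: client 192.168.2.5#1302: query: www.cisco.com IN AAAA +",
    "Oct 15 09:19:05 desk named[13556]: zone example.net/IN: loaded serial 2005101501",
] + [
    f"Oct 15 09:19:{10 + i:02d} desk named[13556]: client 192.168.2.77#{2000 + i}: "
    f"query: host{i}.example.net IN A +"
    for i in range(12)
]

if __name__ == "__main__":
    for ip, minute, n in flag_noisy_clients(SAMPLE_LOG, per_minute_threshold=10):
        print(f"{minute}: {ip} made {n} queries")
```

Feeding real querylog output through the same functions (and writing the parsed records to the database instead of keeping them in memory) is the only change needed for the full-time setup the rant describes.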
joat: 12:00:00 17 Oct 2005

Sun, 16 Oct 2005
Click here for
the zipped version of "Asterisk: The Future of Telephony", published
under the Creative Commons license by O'Reilly. Thanks to Asterisk Docs
for pointing it out.
joat: 12:00:00 16 Oct 2005

One more thought about hash collisions: before you throw out the baby
with the bath water, a quick way to improve the integrity of your
checksums is to use both MD5 and SHA-1. While the chance of a
collision with both algorithms is still theoretically possible, it's an
astronomical possibility.
joat: 12:00:00 16 Oct 2005

Sat, 15 Oct 2005
This is supposedly from the author of the recent MySpace worm, with a link to the technical explanation and code. It's interesting in the same way the WoW virtual blood plague was.
joat: 21:40:00 15 Oct 2005

Arachnid has a quick piece on the recent Zotob worm.
joat: 21:00:00 15 Oct 2005

Linux.com has an article discussing a benign use for p0f: gathering information about what's running the sites that you're visiting. The data that you gather might be completely useless, or you might find a use for it, or it might provide a bit of entertainment. I think the major benefit is that you gain experience when you perform experiments such as this.
joat: 20:30:00 15 Oct 2005

Fri, 14 Oct 2005
Dana Epp has some comments about Nessus's movement towards closed source. While I cannot justify my feelings in the same manner that Dana can, I did contribute to the project (a couple of measly signatures) and feel just as betrayed as I did with NFR and the CDDB. For each of these projects, I contributed data to support an open community and the owner decided to profit by moving the project away from the user community supporting it.
joat: 20:30:00 14 Oct 2005

Thu, 13 Oct 2005
Infosec Writers has an
article that explains the basic
theory of salted (seeded) hashes, including SHA-1 and MD5.
joat: 20:30:00 13 Oct 2005

Wed, 12 Oct 2005
In cleaning up the orphaned pages in the wiki on the new server, I got to looking at the page stats. What's odd is the #1 entry:
- Glossary (5550 views)
- Main Page (3078 views)
- Anonymous Proxies (2067 views)
- Asterisk (1735 views)
- Looking Up UPC Codes (1228 views)
- Looking Up Vehicle ID Numbers (VINs) (1094 views)
- Perl - MSN IM Sniffer (1092 views)
- IPv6 on the WRT54G via OpenWRT (864 views)
- The Firewall Toolkit (FWTK) (818 views)
- IPod Stuff (807 views)
Could it be caused by the inclusion of sexual fetish descriptions in the glossary? If so, then y'all are some sick puppies. (heh)
joat: 20:45:00 12 Oct 2005

Don't you just love catching yourself doing something stupid? I managed to troubleshoot my IPv6 routing issue in about 10 seconds once I started to look at it. (Thanks to Wes for prompting me to do it.) The fix is to not add the following to /etc/init.d/rcS. Rather, create a file called /etc/init.d/S99tunnel and put it there:
#!/bin/sh
#/bin/mkdir -p /var/log/
# sync the clock first; backgrounded so the rest of the script isn't held up
ntpclient -h pool.ntp.org -l -s &
# set up the IPv6 tunnel
# pull the current IPv4 address of the WAN interface (vlan1) out of "ip addr" output
MYIPADDR=`ip addr show vlan1|grep "inet "|cut -d\/ -f 1|cut -d \ -f 6- `
echo $MYIPADDR > /etc/myipaddr
#MYSCND=`cat /etc/myipaddr`
#echo $MYSCND > /etc/my2ipaddr
echo $MYIPADDR
# IPv6-in-IPv4 (sit) tunnel to the tunnel broker endpoint, using our WAN address as the local end
ip tunnel add he.net mode sit remote 64.71.128.82 local $MYIPADDR ttl 255
ip link set he.net up
ip addr add 2001:470:1F00:FFFF::657/127 dev he.net
# all IPv6 traffic goes out through the tunnel
ip route add ::/0 dev he.net
ip -f inet6 addr
# routed /64 on the LAN side, enable forwarding, then advertise the prefix to the LAN
ip -6 addr add 2001:470:1F00:911::1/64 dev eth1
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
radvd
# give things time to settle, then restart dnsmasq bound to the LAN interface
sleep 15
killall dnsmasq
dnsmasq -i eth1
joat: 20:30:00 12 Oct 2005

Tue, 11 Oct 2005
I think I have my next toy targeted: the Linksys NSLU2 (Network Storage Link of USB-2). The local TWUUG'ers have pointed out the existence of custom firmware. Hey Santa: hint, hint!
joat: 12:00:00 11 Oct 2005

Mon, 10 Oct 2005
There are some interesting projects over on Crazy Hacks. There's also evidence that somebody has way too much time on their hands: why in the world would you want to write Perl programs in Latin?
joat: 12:00:00 10 Oct 2005

Sun, 09 Oct 2005
|
Until such time that the site moves to the new server (or the old one
gets its issues fixed), comments are going to be a dicey thing to use.
Anything left in comments over the last two weeks has not been saved. I
apologize for any inconvenience. If there's a comment that you want to
add to the site, it might be easier to email me directly
(joat@guess.where).
joat: 20:30:00 9 Oct 2005

Looks intriguing. Anyone know if it conflicts with similar protection schemes running at the same time?
joat: 12:00:00 9 Oct 2005

Sat, 08 Oct 2005
The link to the Nepenthes database (yesterday's post) led through Aachen University's malware database. I have high hopes for this.
joat: 20:30:00 8 Oct 2005

Fri, 07 Oct 2005
While following a link in Antlab, I came across the malicious code visualization published by the Nepenthes people.
joat: 20:30:00 7 Oct 2005

Thu, 06 Oct 2005
Heads up! 802.11e (aka QoS for Wireless) is on the streets.
joat: 12:00:00 6 Oct 2005

Wed, 05 Oct 2005
Trivia question: When do 2000 1k (or less) blog entries eat up more disk space than 30 100K pictures? The-powers-that-be say that the new server is waiting on some hardware. In the meantime, this one continues to wobble. I'll attempt to trim the site at the same time I'm posting but, with the current configuration, there's a limit. The good news is that the site is mirrored here if the inode problem surfaces again. The bad news is that the mirror may be taken offline periodically to have "stuff" added to it.
joat: 07:39:16 5 Oct 2005

Tue, 04 Oct 2005
joat: 12:00:00 4 Oct 2005

Mon, 03 Oct 2005
Here's NIST's guide for PDA forensics.
joat: 12:00:00 3 Oct 2005

Sun, 02 Oct 2005
Another rambling post... I've been reading various presentations and papers from recent conferences. Couple that with my recent knighting as a CISSP (yeah, last year I couldn't spell CISSP, now I is one) (don't ask me to say anything nice about it) and I have a schizophrenic thought: there's a difference between a business's view of security and a practitioner's view of security.

The business view of security is, and always will be, a money-based decision. Various certifications teach that risk involves a hole (the vulnerability), the likelihood that it'll be exploited (the threat) and the expected cost of reparations in the event that the vulnerability is exploited. Various pseudo-mathematical formulas have been generated to justify what is usually an already-made decision. Purists will be offended that I've said that but, in reality, most businesses operate somewhere to the left of the ideals taught by various certification organizations. In other words, most small businesses still don't (and won't) comply with SarbOx, GLB, HIPAA and/or FISMA. They either cannot afford to comply or they would just like to maintain their profit margins. (Maybe it was a formal business decision: risk of getting caught = not maintaining protections or records X likelihood of discovery X possible fines?)

One thing that has irked me ever since someone tried to convince me of the correctness of tying asset cost to the risk formula: the missing business costs. Think of it this way: you have a web server. You've made the "business decision" that a specific level of risk is acceptable and that you can tolerate four incidents per year before your business suffers excessive damages. (Remember, the cost of the protections must be less than the recovery costs.) What's missing? How about people? If I'm your system administrator, I'll probably enjoy the overtime pay. The first time. If it's a recurring event, it's going to affect my personal life and I'm going to want a raise plus better overtime pay to counter-balance the loss of my personal life. That or I'm likely to be going to job interviews during my off-time. (Hint: Using "flex time" to keep me on a 40-hour per week timetable adds insult to injury.) If I'm your customer, it's likely that my business depends on your business. I'm likely to leave after the first incident, especially if it's spectacular enough. If I'm your investor, I'm not going to like that my profits go to your system administrators' overtime or that your customer base is shrinking. I think you'll find that your stock price drops at an "interesting" rate.

On the flip side, the practitioner's view is usually just as narrow. System and network administrators often get so caught up in "fighting the threat" that they spend inordinate amounts of time "doing security" and allowing operations to suffer. They might spend so much time "locking things down" that the network becomes rigid and inflexible, unable to quickly adapt to sudden changes in business requirements. There's also a common belief that the operations/security budget is too small, regardless of its size.

It's this dichotomy in security "views" that perpetuates the resentment between business (AKA "the suits") and operations (AKA "the nerds"). Unfortunately, I don't have a fix for this. I'm just noting that the condition exists. Apologies for the incomplete rambling. I'm still trying to flesh out this argument elsewhere for future "at length" use. The argument currently is skewed as I "came up" from the sysadmin side of the house. Comments/thoughts?
joat: 12:00:00 2 Oct 2005

Sat, 01 Oct 2005
|
Heads up! Today is the last day to get your $75 ShmooCon tickets (got mine last night). Tomorrow they're $150 each.
joat: 12:00:00 1 Oct 2005

Fri, 30 Sep 2005
The following from PCPhoneLine
are going onto my wish list: Anyone know of any reason why I shouldn't? I didn't add the VPT1000 to the list because it's a corded (USB) phone, something I'm not looking for at this time.
joat: 12:00:00 30 Sep 2005

Thu, 29 Sep 2005
You may find it useful (I don't): Rob (NetSec) has an Excel spreadsheet of well-known trojan ports. I don't like it because it's just a spreadsheet of ports and names; it contains no extra data.
joat: 12:00:00 29 Sep 2005

Wed, 28 Sep 2005

Tue, 27 Sep 2005
Unix Review has an article about extending Nagios, a good tool for monitoring metrics and various statuses within your network.
joat: 12:00:00 27 Sep 2005

Mon, 26 Sep 2005
Could it be that Touchstone Pics "gets" it? I've just watched the DVD
for Hitchhiker's Guide and the previews were a menu option, not a
required series of bits that you passed through on the way to the movie.
Heck, after watching the movie, I went back and watched the two previews
that interested me.
joat: 12:00:00 26 Sep 2005

Sun, 25 Sep 2005
... or, at least, get
e-mail from them. Why am I not surprised?
joat: 12:00:00 25 Sep 2005

Sat, 24 Sep 2005
(from adminfoo) Microsoft has a listing of registry keys. It's a bit blind for third party software but is a good resource for Microsoft keys.
joat: 20:30:00 24 Sep 2005

Fri, 23 Sep 2005
It's interesting and frustrating when you're doing research (in this
case, for the Kismet::Client wiki entry) and search engine searches
return your own work-in-progress. Arg! (heh) I've finished sorting
out the Kismet tags and I'm trying to fill out the descriptions of each.
joat: 20:30:00 23 Sep 2005

Thu, 22 Sep 2005
A classmate recently used my iPod and an iPod microphone to record a
class that I could not attend. Needless to say, the audio was extremely
poor. I've managed to clean up the audio by running it through a few of
the filters in Audacity but I'm still not that happy with it. I was
able to find this list
of tools available for Linux but it's obvious that I have no clue about
where to start. Anyone have any good how-to's or a list of recommended
books? It appears that this is going to become more and more important
for me as the topic of recording lectures has come up quite often
lately.
joat: 12:00:00 22 Sep 2005

Wed, 21 Sep 2005
NIST:
NIST is planning on hosting a Hash Function Workshop to solicit public input on how best to respond to the issues arising from Wang, Yin, and Yu's paper on SHA-1 collisions.
joat: 12:00:00 21 Sep 2005

Tue, 20 Sep 2005

Mon, 19 Sep 2005
Well the spaceship failed to appear on time and rescue me. I'm faced
with having to experience yet another Talk-Like-A-Pirate Day
(today). Arrr! p.s., Anyone know if you-know-who dressed-the-part
again?
joat: 12:30:00 19 Sep 2005

Are some people entirely too paranoid? I find the idea that eavesdroppers can figure out what you're typing after 15 minutes of eavesdropping, while technically possible, just a bit over the top. Things like this, while feasible in the lab, tend to be impractical in real life. In any case, for you tin-foil hat people, here's a list of countermeasures so the black helicopters don't get you:
- Never use the same computer for more than 15 minutes
- Never use that computer in the same location
- Construct a "glove box", with sound dampening material, to contain the keyboard (helps block those evil shoulder surfers too!)
- Intersperse a significant amount of random letters in your text and then go back and remove them with the mouse
- Purposely misspell your "Letters to the Editor" to throw off the statistical analysis (it won't change the Editor's opinion of you any)
Can anyone else think of any? (heh)
joat: 12:00:00 19 Sep 2005

(This is a repeat but...) Rob and I are going to have to talk about this tonight. Very few of us should be concerned about password (or other text) capture via audio analysis. <sarcasm>That is, unless you're worried about who's listening via the microphone that you're absolutely sure is in the smoke detector, along with the radioactive source the government put there to slowly kill you.</sarcasm>
joat: 12:00:00 19 Sep 2005

Sun, 18 Sep 2005
joat: 12:00:00 18 Sep 2005

The joatWiki has been moved to the new server. Although the
host name may be transitional, that is where the data is located. I
will start deleting information on the old server shortly.
joat: 12:00:00 18 Sep 2005

Sat, 17 Sep 2005
From the too-much-time-on-their-hands category: You can view the animated text version of Star Wars by telnet'ing to towel.blinkenlights.nl. It appears to be full-length but I didn't have the time to watch it all the way through (got as far as Luke meets Obi-Wan). Is the story line that bad without the special effects? Oh, it's safe to ignore the IPv6 comments. It'll still play.
joat: 12:00:00 17 Sep 2005

Fri, 16 Sep 2005
...you hear (or find yourself saying) this or
"Put the hammer down and let go of the cat!" or "That's not what that's
for!" and you don't even bother to look up.
joat: 21:30:00 16 Sep 2005

Thu, 15 Sep 2005
joat: 12:00:00 15 Sep 2005

Wed, 14 Sep 2005
Still more fun with Kismet::Client in the Wiki. Experiments in determining the Perl-accessible variables in Kismet.
joat: 12:30:00 14 Sep 2005

As a counter-weight to Marcus Ranum (yesterday's post), here's an example of what Marcus was talking about... Uh, could someone take a handful of clues and slap David Coursey with them? I was just pointed to DC's June article where he promotes what amounts to censorship, though he claims it's not. Originally, I wrote a long, rambling vent about how ignorant DC is. Thanks to the recent outage, I've reconsidered my thoughts and have slightly more PC recommendations: David, go take a civics class (to find out how government works) and then take a criminal justice class (to find out how law & law enforcement work). For any law students reading this, here's a quiz: what were the errors in his article? (5 points each) Answers later.
joat: 12:00:00 14 Sep 2005

Tue, 13 Sep 2005
Marcus Ranum has an interesting article on "The Six Dumbest Ideas in Computer Security". I agree with "Default Permit", "Penetrate and Patch" and "Action is Better Than Inaction". I could do without the Sun Tzu reference, regardless of what he did or did not say. That reference gives the impression that your management isn't to be trusted. (See "user" reference below.) I had to read all of "Enumerating Badness" before agreeing with it. It's AKA "log file reduction". I slightly disagree with his position in "Hacking is Cool", only for the factor that the only available alternative (currently) amounts to "ignorance is bliss". I have issue with his "Educating Users" section as it comes across as "don't trust your users" and the need to "protect people from themselves". However, I'm not saying that I disagree with him. I just don't like how he stated the issue. "The Minor Dumbs" are mostly spot-on, though the root of the problem (IMO) is the security vendors that promote those ideas in the first place. Every single "minor dumb" originates in the marketing fluff that management reads on a regular basis.
joat: 12:00:00 13 Sep 2005

Mon, 12 Sep 2005
My apologies. I ran afoul of an experiment with group quotas. The powers-that-be have fixed the issues (thanks Count!). Update: I've reposted the missing posts. Anyone who'd left comments between 9 Sep and 12 Sep, please repost them.
joat: 21:30:00 12 Sep 2005

Sun, 11 Sep 2005
I've put some more work into the "Kismet & Perl" wiki page. (Still more to come.) Take a look at it here.
joat: 12:00:00 11 Sep 2005

Sat, 10 Sep 2005
The blog may be a bit dodgy this month for a couple of reasons:
- I plan on adding memory to the cantankerous antique of a machine that I call my desktop system
- the powers-that-be at 757 have said that the current system has a very nasty wobble and that we should migrate to another server
Please bear with me/them. Update: OMG! I should have added that memory years ago. It probably would have saved me the cost of the two hard drives that I wore out (from almost incessant page swapping). I actually like Windows boot-up speed for once (it's that noticeable)! Update II: In performing clean-up for the move, I've taken a lot of older non-joat content offline, such as the files from last year's ShmooCon. If something's listed-but-offline, ask.
joat: 12:00:00 10 Sep 2005

Fri, 09 Sep 2005
joat: 12:00:00 9 Sep 2005

Thu, 08 Sep 2005
It's basic but it's good to know: TCPWrappers. If you have a *nix system, you should be using this in conjunction with some sort of packet filtering software (IPTables, BPF, IPFS, IPFW, etc.), even if it's an internal system.
joat: 12:00:00 8 Sep 2005

Wed, 07 Sep 2005
If you administer a system/site for anyone, even for family members,
it's a good idea to be familiar with the topics described in David
Loundy's E-Law4.
joat: 12:00:00 7 Sep 2005

Tue, 06 Sep 2005
ComputerWorld published a valuable article almost a year ago that will probably be applicable for a very long time: Nine questions to ask when evaluating a security threat. Things to keep in mind when asking yourself these questions: the underlying assumptions are not static and other "forces" may change the questions. To be able to answer the questions effectively, you need to have intimate knowledge of your infrastructure (well-maintained documentation) and you need to know what "normal" traffic looks like (well-monitored metrics).
joat: 12:00:00 6 Sep 2005

Mon, 05 Sep 2005
I managed to find some of my original notes on using Perl with Kismet. There were a lot of errors so I'm redoing all of the work while I'm adding it into the Wiki. Take a look (here) at what I've got so far.
joat: 21:00:00 5 Sep 2005

Bluetooth spam is coming into existence. Bruce Schneier has talked about some of it. My thought is that this will lead to physical vandalism of a number of vending machines, due to the short transmission ranges involved. In other words, rabid "no spam" types may assault the local soda machine because they receive unwanted "Drink Pepsi" ads every time they walk by it. This could lead to some interesting developments. I can see just about every type of spam (porn and "your system is insecure" included) being transmitted in public places.
joat: 12:00:00 5 Sep 2005

Sun, 04 Sep 2005

Sat, 03 Sep 2005
Pete Lindstrom hit it right on the funny bone. Mebbe he should have included a comment about [the author's agenda to change something] or how the author released the worm because he/she [verbs|has a secret verb] for [person|place|thing]?
joat: 12:00:00 3 Sep 2005

Fri, 02 Sep 2005
Nothing much to talk about today. I'm just getting back up to speed
after taking a certification test two weeks ago. Except for a few
posts, you've been reading from my backlog. The test was so rough that
it put me "off my feed" for the better part of two weeks. Tonight is
the first time that I've typed (non-work-related) for more than 5
minutes. The test was horribly convoluted, the questions poorly
worded, and overly rationalized. I got the feeling that they were
testing more for the ability to pick the question apart rather than for
problem solving or knowledge. And, yes, I did pass. Just don't ask me
to say anything nice about the course or the certification. I don't
feel that anyone, having passed the exam, has accomplished anything.
It's ironic that the certification is promoted as one of the leading
accomplishments in the field. The course and test bank strongly need
accreditation by an external entity. Note: this is not the
certification that I talked about last weekend.
joat: 21:30:00 2 Sep 2005

Thu, 01 Sep 2005

Anyone know of a short-haul star freighter in the area that can get me off of the planet by the evening of September 18th? Why? Because September 19th is "Talk Like A Pirate Day"! Something I can't avoid even by staying in bed that day. Hmm... Mebbe if I use a hammer on the only house phone?
joat: 12:00:00 1 Sep 2005

Wed, 31 Aug 2005

The Kutztown incident is a very good example of "what not to do". Let's
see if I can explain this and why I think that even attempting to impose "community service" might be a bad idea.
The basic situation: the school attempted to press felony charges
against school children for repeatedly bypassing security functions
installed by the school.
The problems:
- Attempting to become the parent
- Assuming all students are the same
- Lack of due care and due diligence
- Other problems
Attempting to become the parent
The parents cannot be held responsible for the actions of their
children because it is the school that acted as "the parent" in this
situation by putting an adult "tool" into the hands of a minor. Use of
an adult tool, be it car, gun, or communications device requires a
specific level of adult judgement. This is something that most minors
do not have and it is also something that is not easily replaced by
software, especially software purchased via a least-bidder contract.
The responsible adult(s) in this situation are still the school board
and the teachers (those that gave the adult tools to the minors). Most
parents do not understand computer technology/security or the related
federal laws. Thus, the school became (and remains) the responsible
party by being the knowledgeable "enabler" by putting an adult "tool"
into the hands of minors and then not providing constant adult
supervision.
Although the parents probably signed a permission slip, it's probable
that they didn't understand the implications of that permission. I'm
willing to bet even a poor lawyer could break the supposed contract in
that permission slip.
Assuming that all students are the same
Regardless of the "we're all equal" tripe that is force-fed in most
schools today, students differ. They have different/differing IQ's,
religions, respect for authority, and upbringings. Occasionally (ahem)
you'll have a student that is smart enough and motivated (peer pressure
in high school usually will override ethics and authority) to take
advantage of an opportunity. Peer recognition will usually cause this
"seized opportunity" to be shared. Believing that the installed
protections were adequate enough to (to use a noun as a verb)
countermeasure all students' abilities and motivations makes the
school eligible for the InfoSec Darwin Awards, if such a thing ever
exists. To maintain "security", your minimum protections must be
sufficient to counter the most talented and badly motivated user, not
the "average" user. 'Nuff said?
Lack of due care and due diligence
AKA "poor judgement". The school displayed poor judgement (lack of
due care) by putting an adult "tool" into the hands of a minor and then
neglecting to provide adequate supervision when the minor
exercised that tool. Even though the school may have believed that it
had practiced "due care" by installing various protections, it obviously
didn't practice "due diligence".
"Due care" equates to taking the necessary precautions to prevent an
incident (an instantiation of a risk). Obviously, the level of security
was not sufficient to prevent an incident. That the incident was as
severe as it was and that it involved so many students is an indication
that there was a difference between perceived and actually required
protections.
"Due diligence" is the practice of enforcing those precautions
(countermeasures) and being able to prove their consistent enforcement
over time (auditing, record keeping, etc.). What occurred didn't happen
overnight. Who was reading the firewall/router logs? IM traffic is
easy to detect. The school should have noticed when the first student
started experimenting with his laptop.
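As an added illustration of the due-diligence point (this is not code from the original post): a small log review that picks the well-known IM client ports out of firewall log lines and reports which internal hosts were talking to IM services on more than one day. The iptables-style log format, the sample lines and the port-to-service table are my assumptions.

```python
"""Find instant-messaging traffic in firewall logs and show which hosts
kept at it across days. Added example; log lines are constructed."""
import re
from collections import defaultdict

# Well-known IM client ports of the period (assumption: the firewall logs
# outbound connection attempts; this is a first-pass check, not a signature).
IM_PORTS = {
    5190: "AIM/ICQ",
    1863: "MSN Messenger",
    5050: "Yahoo Messenger",
    5222: "XMPP/Jabber",
}

# iptables LOG-style line: timestamp ... SRC= DST= ... PROTO= ... DPT=
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) .*?"
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log (not real traffic): two days, four internal hosts.
SAMPLE_LOG = """\
Aug 29 08:12:01 fw kernel: OUT=eth0 SRC=10.20.3.41 DST=198.51.100.7 PROTO=TCP SPT=33120 DPT=80 SYN
Aug 29 08:12:09 fw kernel: OUT=eth0 SRC=10.20.3.41 DST=198.51.100.20 PROTO=TCP SPT=33121 DPT=5190 SYN
Aug 29 08:15:44 fw kernel: OUT=eth0 SRC=10.20.3.41 DST=198.51.100.20 PROTO=TCP SPT=33129 DPT=5190 SYN
Aug 29 09:01:12 fw kernel: OUT=eth0 SRC=10.20.3.77 DST=198.51.100.33 PROTO=TCP SPT=40011 DPT=1863 SYN
Aug 29 09:02:00 fw kernel: OUT=eth0 SRC=10.20.3.77 DST=198.51.100.7 PROTO=TCP SPT=40012 DPT=443 SYN
Aug 30 08:10:03 fw kernel: OUT=eth0 SRC=10.20.3.41 DST=198.51.100.20 PROTO=TCP SPT=33301 DPT=5190 SYN
Aug 30 10:44:51 fw kernel: OUT=eth0 SRC=10.20.3.90 DST=198.51.100.50 PROTO=UDP SPT=5353 DPT=53
Aug 30 11:02:17 fw kernel: OUT=eth0 SRC=10.20.3.12 DST=198.51.100.61 PROTO=TCP SPT=51000 DPT=5050 SYN
"""


def parse_im_flows(log_text):
    """Return one record per logged flow whose destination port is an IM port."""
    flows = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall LOG line
        dpt = int(m.group("dpt"))
        if dpt not in IM_PORTS:
            continue  # ordinary traffic (web, DNS, ...)
        flows.append({
            "day": m.group("ts")[:6],   # "Aug 29"
            "src": m.group("src"),
            "dst": m.group("dst"),
            "service": IM_PORTS[dpt],
        })
    return flows


def summarize_by_host(flows):
    """Per internal source: services used, distinct days seen, flow count."""
    summary = defaultdict(lambda: {"services": set(), "days": set(), "flows": 0})
    for f in flows:
        entry = summary[f["src"]]
        entry["services"].add(f["service"])
        entry["days"].add(f["day"])
        entry["flows"] += 1
    return dict(summary)


def persistent_hosts(summary, min_days=2):
    """Hosts with IM traffic on at least `min_days` distinct days: the
    pattern that a routine log review would have surfaced early."""
    return sorted(src for src, e in summary.items() if len(e["days"]) >= min_days)


if __name__ == "__main__":
    summary = summarize_by_host(parse_im_flows(SAMPLE_LOG))
    for src, e in sorted(summary.items()):
        print(src, sorted(e["services"]), sorted(e["days"]), e["flows"])
    print("seen on multiple days:", persistent_hosts(summary))
```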
"Due care" and "due diligence" also require adjustment of
countermeasures when they reveal an inadequacy. The article indicates that
the situation continued to exist, even after detentions, suspensions and
"other punishments" (what the heck does that mean?). This means
that the school only attempted to correct the situation by external
measures (getting the parents involved). The school obviously failed to
increase required physical, logical and administrative countermeasures.
"Adequate supervision" involves the phrases "consistent (and
constant) supervision" and "adult-quality judgement". Believing that
adult judgement can be replaced with software, especially when "physical
security" is negated by allowing student custody of the laptops, is a
serious mis-judgement.
Use of desktop machines in a formal classroom setting implies a
certain level of integrity provided by constant physical security and
near-constant physical presence of authority. This "advantage" was lost
by issuing portable systems and allowing them to be taken out of the
"secure environment". Even if possession of the laptops were restricted
to the school, you can't assume that the 50 year-old part-time teacher
would be able to recognize improper or illegal activity in study hall.
Other problems
Err... How about overreacting? The "zero tolerance" policy often
quoted by public school officials is often a rationalization to vacate a
school's responsibility/judgement or to hide their own
complicity-due-to-negligence in a situation. In this case, all three
might be involved.
Some of the security "tools" installed by the school may have been
illegal. While it is permissible for a parent to invisibly monitor their
child's online activity, serious questions should be asked when a school
installs the ability to monitor students' activities on an individual
basis. In other words, generic monitoring (watching proxy or router
logs for suspicious activity) is generally permissible with prior
notice. However, employing "a remote monitoring function that let
administrators see what students were viewing on their screens,"
without just cause (and usually a search warrant), is likely to be a
felony in itself. Remember, we are not talking about parent-child or
employer/employee relationships.
Parent-child relationships/responsibilities have created unique legal
conditions which are not easily transferred to institution-child
relationships/responsibilities. In this case, the school can probably
be slapped with a "contributing to the delinquency of a minor" charge
for not providing adequate supervision after facilitating (providing the
tools of) the crime.
That the tools of the crime were provided by the school, that the
object(s) of the crime was also school property, and that the
perpetrators of the crime were school charges has created a very sticky
situation for the school. The school exacerbated the situation by
attempting to charge the students with felonies, thereby drawing the
attention of national media.
Closing comments:
- this "experiment" obviously has failed
- attempting to "save face", as the article puts it, via imposed community service, risks yet more embarrassment
- since this is a public school which accepts federal money and keeps digital records on its students, do you think FISMA or GLB applies?
joat: 12:00:00 31 Aug 2005

Tue, 30 Aug 2005

I've attempted to talk about the following, off-and-on, for the last few
years. Here's yet another attempt... I'm likely to be completely off
the mark with this but the DNS control argument may become a moot point
(or an even bigger issue) with the adoption of IPv6. The U.S. keeps
control of DNS space solely by the pseudo-rules-of-thumb known as
"possession is nine-tenths of the law" and "majority rule". In other
words, control is maintained solely by inertia and continued support of
majority rule. IPv6 changes the playing field because of the differing
rates of adoption of the technology. A visit to the current 6bone will
show that the ratio of English to non-English sites is much different
than version 4 IP space. There is a slight risk that current
infrastructure managers might attempt to use "majority rule" to start
their own address infrastructure. I say slight as such an action would
require cooperation on a massive scale by parties who normally are very
contentious, politically different and motivated by normally-opposing
agendas (profit, control, ideologies, etc.). I believe the situation
to be quite binary. As long as the forces remain below a certain level,
ICANN is likely to retain "control" (a poor term for it) of the DNS
system. This is the most likely outcome. However, if the level of
contention goes above a certain point, or if opposing forces change the
turn-over point in the equation by cooperating with each other, we might
see a very fractious DNS system. Fortunately, if this occurs, the
condition won't last long (in geological time) as systems do not
normally support unstable conditions for long. Remember:
- chaos requires complete lack of control
- oscillation requires a very specific form of control (feedback) and a permanently unstable condition
Neither of these conditions is tolerated long by
financial or political institutions. Unfortunately for us users, the
corrective controls used by either of these institutions are not
normally that subtle. This should be quite interesting to watch.
Also, there are probably quite a few "business opportunities" in the
above if you're in the right place at the right time with the right
tools. Thoughts?
joat: 12:00:00 30 Aug 2005

Mon, 29 Aug 2005

I've been having a lot of trouble with my BlogRoll of late. Anyone
visiting the site may have noticed (I'm not understating) extremely long
load times. In other words, the page stalls while loading the Infosec
blogroll. Does anyone have any suggestions for alternate services?
I'd like to keep the same basic information-presentation but, barring
that, I'm willing to try out just about anything.
joat: 12:00:00 29 Aug 2005

Sun, 28 Aug 2005

If you're going to ToorCon, I recommend Squidly1's talk on alternate
uses for the PSP. Ask her about using her PSP to find the hidden AP
at SANS.
joat: 12:00:00 28 Aug 2005

I'll echo Richard's recommendation about the NSA's IAM and IEM certifications: if you "do" assessments, the certs are a very-nice-to-have.
joat: 12:00:00 28 Aug 2005

Sat, 27 Aug 2005

(heh) This time the fire
is over on Dana's blog. Remind me to put "responsible disclosure" on
the list of things never to talk about again?
joat: 21:30:00 27 Aug 2005

This is almost a year old but is interesting (for me) in that it references some old work of mine concerning the OpenFuck exploit. Found during some vanity surfing.
joat: 12:00:00 27 Aug 2005

Fri, 26 Aug 2005

SANS has a paper
discussing a man-in-the-middle attack on DNS.
joat: 12:00:00 26 Aug 2005

Thu, 25 Aug 2005

joat: 20:30:00 25 Aug 2005

Wed, 24 Aug 2005
Tue, 23 Aug 2005

You'd think the name "joatblog" would be pretty darn unique, wouldn't you? Another thing that I found out via vanity surfing is that some porn jerks (FG4/DF4) are "borrowing" key names, using them as hostnames within their domain and are hosting porn sites behind them. For those that want to know more, substitute "joatblog" for "MYBLOG" in the following string (keep the underscores) and go search Google for that phrase: "cyberspace_MYBLOG_hopefully". If this blog were part of a business, I'd have a legal action available. As it is, I can only (legally) remain pissed.
joat: 12:00:00 23 Aug 2005

Mon, 22 Aug 2005

It struck me as a bit odd that part of the homework (tonight was the
first class) was to search for forms used in collecting digital evidence
(use of the term "computer forensics" has been formally "frowned
upon"). After a 15-minute Google search, it's amazing. Everybody,
including their mother and her Bingo friends, has some form of computer
forensics (sorry Rob) book or course. Very few of those sites, other
than law enforcement, provide any tools or support. The assignment is
actually to find a number of processes used to support the creation and
maintenance of the chain of custody, and discuss them. This could get
interesting.
joat: 21:30:00 22 Aug 2005

Sun, 21 Aug 2005

The Penguin Sleuth Kit
(PSK) is a Knoppix-based Linux distro with tools not only for computer
forensics but quite a few network troubleshooting and monitoring tools.
Note: Users of this kit should also read the disclaimers on the site
if the use is intended for legal/LEO purposes.
joat: 12:00:00 21 Aug 2005

Sat, 20 Aug 2005

For those that missed it (a few days ago), LURHQ has an analysis of the Myfip worm.
joat: 12:00:00 20 Aug 2005

Fri, 19 Aug 2005

Here is a SANS paper which discusses simple traffic analysis using Ethereal.
joat: 12:00:00 19 Aug 2005

Thu, 18 Aug 2005

I may be reading more into it than I should be but here's more drama over the .xxx situation. I can't help but think that the finger pointing up the hill is meant more to point at someone else's dirty laundry than their (ICANN) own.
joat: 20:30:00 18 Aug 2005

Wed, 17 Aug 2005

From class today: "Firewalls cannot block stupidity." - Dennis Lee
joat: 16:40:02 17 Aug 2005

Just a topic that was brought up earlier this week. Standardization of equipment and software across an enterprise allows that organization to operate more smoothly and (usually) more securely. However, many organizations forget that this is a "horizontal" rule but NOT a "vertical" rule. For example, all workstations should use the same make/model computer with the same version/patch level OS and configuration. However, you should not be using the same hardware/software/configuration on your servers and perimeter equipment. You'd be amazed at the number of people that don't "get" this.
joat: 12:00:00 17 Aug 2005

Tue, 16 Aug 2005

Here is more of the ongoing issues involved with the .xxx domain. The author seems to be a bit naive in that he is surprised that objections exist. Not only are the porn site owners objecting (most sites are transient in nature and they don't want to pay $70 per domain per year), various government offices are also objecting.
joat: 22:29:06 16 Aug 2005

Mon, 15 Aug 2005

The media has once again created controversy by overstating a court decision (this one). The court case was lost not due to the use of MD5; it was lost due to RTA's inability to "find an expert" to prove the pictures were not tampered with after they had been taken. This means one or more of the following conditions occurred:
- they actually couldn't find anyone (although it's unlikely)
- they couldn't find anyone that could explain MD5 in simple terms that would indicate the likelihood that the traffic infraction actually occurred. Hint: think DNA evidence. You will always hear "probabilities" discussed when lawyers discuss DNA. Yes, there are collisions in MD5 number space. The probability of forgery goes down very fast if that "collision" has the same MD5 hash, looks like a picture of the intersection in question, with the defendant's car passing through it, with the defendant's license plate in view, with the camera's timestamp (and other) data embedded in the picture.
- the prosecution was unable to display the chain of evidence, in the form of being unable to prove when the MD5 hash was generated. The hash being embedded in the picture may actually cause a problem because it means that the picture was changed after it was taken, by the camera itself. However, this is a procedural problem, not a technical one, and would translate into the prosecution not being able to find anyone willing to take an oath to assert/support the accuracy of the data.
I doubt that MD5 hashing of traffic pictures will cease. Rather, I believe that how they're presented in court will change.
joat: 18:06:22 15 Aug 2005

Sun, 14 Aug 2005

I'm on the road again this week, in the DC area, Vienna specifically.
joat: 14:00:00 14 Aug 2005

Don't know where Rob got it but NetSec has a pointer to a very
good paper on the Enigma machine.
joat: 12:00:00 14 Aug 2005

Sat, 13 Aug 2005

I've changed the format of the wiki slightly and have moved quite a few
items from my house wiki. I have quite a bit of clean up to do so
please bear with me.
joat: 14:00:00 13 Aug 2005

joat: 12:00:00 13 Aug 2005

Fri, 12 Aug 2005

Tony Finch points to this one.
"Where are all the 3-button mice?" rings a bell with me. The only reason
you don't hear incessant whining from me is my secret (okay, now it's no
longer a secret) cache of Logitech 3-button mice. I bought ten of those
suckers when I heard Logitech was discontinuing the line. Also, I have
to thank Hurd for donating a Sun Crossbow (3-button USB) to the
collection, thereby prolonging the cannibalism and jury-rigged repairs of
those first ten mice. I wear 'em out fast.
joat: 12:30:00 12 Aug 2005

InfoSec Writers has a paper which has a pretty good overview of most of the issues involved with using Wi-Fi technologies.
joat: 12:00:00 12 Aug 2005

Thu, 11 Aug 2005

Richard Bejtlich has a post about a court case that a friend (Dave!) will probably find interesting. It's about a court case that the prosecution lost because they didn't understand current theory about MD5 collisions. In other words, they couldn't prove that a picture hadn't been tampered with after it had been taken. In the same post, Richard points out a project by Harlan Carvey, who visits here now and then: the Forensic Server Project. His book also has a supporting site: http://www.windows-ir.com. I highly recommend visiting all three.
joat: 20:30:00 11 Aug 2005

I'm pissed at Michael Lynn throwing a tanker truck of gasoline on the
"responsible disclosure" pyre. It leads to overly politically correct
announcements such as this. Little is
gained from this type of announcement other than eEye getting a bit of
"street cred". Announcements like that damage Microsoft's business by
making organizations leery of server safety without giving them an idea
of what to do to protect themselves. Personally, I favor full
disclosure but if we cannot live with that, I'd rather not hear about
the vulnerability until such time that the vendor can comfortably talk
about it. Many of the same arguments for "responsible disclosure" (I
really dislike using that term), can be made for "responsible
non-disclosure". Maybe the only way we can get back to the middle is to
push the pendulum further away from center?
joat: 12:00:00 11 Aug 2005

Wed, 10 Aug 2005

SANS has a paper on
port-knocking which provides a bit more detail.
joat: 12:00:00 10 Aug 2005

Tue, 09 Aug 2005

Here's a paper discussing the evolution of malicious agents (spyware and the like).
joat: 12:00:00 9 Aug 2005

Mon, 08 Aug 2005

I guess my spammer decided to sell this URL to some n00b spammers 'cause
I've got a ton of poker spam and Chinese porn spam in the comments
queue. Oh well, the peace and quiet was nice while it lasted.
joat: 21:30:00 8 Aug 2005

InfoSec Writers has a paper which discusses the latency added by using high-end encryption in VPNs.
joat: 12:00:00 8 Aug 2005

Sun, 07 Aug 2005

I've seen some interesting new tools in the past few days:
- Nepenthes - a honeypot tool
- fwknop - using portknocking as an additional security feature
Update: I managed to fat-finger the URL for Nepenthes. Thanks goes to Gaetano Zappulla for correcting it. He also suggests taking a look at kojoney, an SSH honeypot written in Python using the Twisted Conch libraries.
joat: 12:00:00 7 Aug 2005

We already knew that CWS was bad. Now this: It looks like the FBI is involved now. If your machine has ever been infected with CWS, consider any valuable information on it as compromised (i.e., at a minimum, change your passwords).
joat: 12:00:00 7 Aug 2005

Sat, 06 Aug 2005

For those that use it, a new version of WinPCAP was announced yesterday.
joat: 19:30:00 6 Aug 2005

Fri, 05 Aug 2005

RUXCON (1-2 Oct) has a list of
pending presentations. Looks like it'll be interesting.
joat: 20:30:00 5 Aug 2005

Thu, 04 Aug 2005

The Network Security and Architecture Lab (thought this was going to be about the other NSA, didn't you?) has a post about the Georgia Tech Honeynet Report which has some interesting screenshots of a homemade visualization tool. I often get quite frustrated with these topics as very few people are willing to share their visualization tools. Interesting screenshots though.
joat: 12:00:00 4 Aug 2005

Wed, 03 Aug 2005

This fall's class centers on computer (and possibly network?) forensics
so expect a good number of forensic-related posts. Rob is also
attempting to provoke me into teaching an IPv6 class.
joat: 12:30:00 3 Aug 2005

Brian Warshawsky has a piece on the Ten Commandments of System
Administration. He posted the tenth one, of which I'm a firm believer,
on June 27. I wrote a SANS paper for log reduction based on this
commandment. Entertaining and rules-to-live-by at the same time.
joat: 12:00:00 3 Aug 2005

Tue, 02 Aug 2005

If you dig a little at Henning Schulzrinne's (Professor and Chair,
Columbia's Dept. of Computer Science) Internet Technical
Resources page, you come across some valuable listings of
network tools.
joat: 12:00:00 2 Aug 2005

Mon, 01 Aug 2005

Gergely Erdelyi has written a number of papers. He has the following available here:
- Cleaning up the Mess - Time to redefine disinfection?
- Chasing Ghosts? - Return of the Stealth Malware
- Hide 'n Seek - Anatomy of Stealth Malware
- Digital Genome Mapping - Advanced Binary Malware Analysis
joat: 12:00:00 1 Aug 2005

Finally got around to compiling the list of podcasts that people listen
to. See it here (in the
Wiki). If you want to add to the list, e-mail 'em to me.
joat: 12:00:00 1 Aug 2005

Sun, 31 Jul 2005

Wi-Fi Toys has a post
about the new unamplified Wi-Fi distance record being set.
joat: 15:45:00 31 Jul 2005

Short version: I think that Cisco is overreacting and is being a bully.
Long version follows... Cisco has a press release about the
permanent injunction against M. Lynn. Most of it reads like the usual
PC fluff. However, I take exception to the following: Cisco's
actions with Mr. Lynn and Black Hat were not based on the fact that a
flaw was identified, rather that they chose to address the issue outside
of established industry practices and procedures for responsible
disclosure. Based on available information, I feel that those
words are entirely bullshit and ask that someone (at Cisco hopefully)
point me to those "established industry practices and
procedures" (the phrase implies that they're written down
somewhere). Supposedly Cisco patched the flaw last April, which means
that it was known (or made known) to them before that. If "established
industry procedures" indicates the "Full Disclosure Policy" that was
drafted by Rain Forest
Puppy, then M.L. was well outside of the 5-day waiting period. Or
even the 30-day standard that Microsoft pushed for when that company
last trotted out
responsible disclosure. Or how about eEye's RDP where specific
information is withheld until the patch is released? Coincidentally,
eEye's reported process is similar to those of the OIS (Organization for
Internet Safety) (read their PDF for the actual written practices
and procedures) in that specific information is withheld until the patch
is released. So which "established industry practice and procedure"
did M. Lynn violate? Or did Cisco just not like someone airing their
dirty laundry? Just so that there's no confusion about my
"overreacting" opinion, I used that term in referring to the injunction
requirement put forth by Cisco, where M. Lynn never speak at Blackhat or
Defcon again, on any topic. I'd understand if the requirement was
limited to this specific vulnerability. In my opinion, anything extra
is malicious and over-the-top. Neither side has acted with logical
consideration to their actions, both are trying to appear to be "the
victim", and all involved should "get over it".
joat: 12:00:00 31 Jul 2005

Sat, 30 Jul 2005

Errr... I missed the announcement of this one too: ShmooCon 2006. Current price $75.
For those that don't know: the price goes up as it gets closer to con
time.
joat: 16:00:00 30 Jul 2005

Read this
(from the Register). My first thought: this will add a whole new side
to the phrase "when hackers attack". My second thought: Johnny Long is
going to need a new category on his site.
joat: 12:00:00 30 Jul 2005

Fri, 29 Jul 2005

Tom's
Networking has a good piece going on the Cisco flop-and-twitch. I
consider the whole incident to be yet another go-round in the religious
war called "responsible disclosure". You've heard the arguments from
both sides. You'll hear 'em again. My personal view (at least of this
incident) is that this isn't something that M. Lynn "invented", it's
something that he heard of elsewhere which caused him to do a bit of
research. Some of "the bad guys" already have the info. It's nice to
know that some of "the good guys" now also have it. However, M. Lynn is
probably going to suffer in multiple ways and this incident has a strong
possibility to set a very nasty precedent. Watch for the legal pendulum
to swing very quickly to one side or the other.
joat: 12:00:00 29 Jul 2005

Thu, 28 Jul 2005

Maximillian Dornseif has posted links to the BlackHat Hands-on Honeypot
class, that he and Thorsten Holz presented, here.
joat: 21:30:00 28 Jul 2005

Just in case you don't have it, here's the schedule for the presentations at BH. (Yeah, I know. This is fluff, but it won't survive the transition to the other box.)
joat: 12:00:00 28 Jul 2005

The blog will be offline for a few days while the server gods pick up
all of the 757 bloggers by their ears and move 'em to the new box.
joat: 01:42:08 28 Jul 2005

Wed, 27 Jul 2005

I'm tired of hearing every tech journalist pontificating about how the
flavor of the hour could be used as a channel for worms/viruses/hacking.
Here's a good example. Yes, RSS could be a vector for malware but it's not a likely one. It's not like we constantly wander the Internet in search of new feeds. For the majority of people, their feed sources remain constant. Barring a web server compromise at one of those sites or the author doing something really boneheaded, there isn't much risk of worms or spyware sneaking in via the RSS feed. Of course, if the author embeds crap like advertising in his/her feed, then it's another story.
joat: 12:00:00 27 Jul 2005

Tue, 26 Jul 2005

If you subscribe to Richard's feed at TaoSecurity, do him a favor and
move your subscription to http://feeds.feedburner.com/Taosecurity, especially if you've seen the "site owner reaching his/her limit" warning.
joat: 21:30:00 26 Jul 2005

Personally, I think that, while there's probably a legitimate argument
in there somewhere, this
fight is extremely silly. Someone is pissed off that someone else
wants to push television over IP. I think it's silly because I "get my
IP" over the same pipe that I get my TV. The fight is actually an
industry trying to "protect" their income stream and resisting the
economic force created by technological innovation. The situation is
not one that is easily resolved either. "Convergence" involves the
television, telephone, cell phone, wireless ISP, and even the power
companies. Future involvement will probably include the entertainment
industries, various hardware manufacturers and various
governments. With the move to wireless and IPv6, expect those
industries to spend more and more money on legal support and
advertisements. The industry or industries that come out on top will
probably be the one that offers the most to the customer for the cost.
(This usually translates to the company with the deepest pockets.) The
problem in the logic in the article is that Verizon and SBC assume that
consumers will want their IP-over-TV from a local "central office".
What they're currently missing is fledgling Internet-based TV shows that
already exist and even have an existing distribution infrastructure
(BitTorrent). However, I'm skeptical enough that I expect at least one
attempt to Napsterize BitTorrent. So call me a
pessimist.
joat: 12:00:00 26 Jul 2005

Mon, 25 Jul 2005

Alex Perry has an interesting use for Linux. He built his own probe to
use as an eddy-current detector.
joat: 12:00:00 25 Jul 2005

Sun, 24 Jul 2005
Sat, 23 Jul 2005

Please excuse the look of the blog while I monkey with the templates
(time for a change).
joat: 14:30:00 23 Jul 2005

Fri, 22 Jul 2005

joat: 21:30:00 22 Jul 2005

Thu, 21 Jul 2005

I must be on someone's list again (yet another spammer that can
Google-hack?) because the garbage is showing up in the comments queue
again. This one appears to be using someone else's box on a Verizon DSL
connection.
joat: 21:30:00 21 Jul 2005

Apologies for the pause in posting. The last two weeks have been very
busy. The good news is that I've backfilled the missing days. The bad
news is that the breaks in posting will probably occur again in the
coming month. I've got a new cert coming up and I have to requalify on
an old one.
joat: 12:10:00 21 Jul 2005

I wonder if the recent foobar was the reason why I couldn't get Galleon to work properly. I'll have to try it again this weekend.
joat: 12:00:00 21 Jul 2005

Wed, 20 Jul 2005

This is just silly! Try scrolling
into the highest resolution.
joat: 12:00:00 20 Jul 2005

Tue, 19 Jul 2005
Mon, 18 Jul 2005

IBM is offering an SDK development toolkit
containing DB2, Lotus, Rational, Tivoli and Websphere in the hopes that
you develop something for the community. Note: Windows or Linux
versions.
joat: 12:00:00 18 Jul 2005

Sun, 17 Jul 2005

I'm a bit behind on my work so here's a quick bit of entertainment for you "conspiracy theorists": take a look at the backgrounds of the people that make up the managing board for the .XXX domain and answer the following questions:
- Who's worked with each other at a previous company?
- Who's worked at other registrars and what did they do?
- Who managed a .XXX domain in a previous light?
- How does the old registrar feel about this?
- Who left under "undisclosed" reasons?
- Who's also participated in ICANN?
joat: 22:30:00 17 Jul 2005

I managed to make some headway into getting Galleon up and running. My
notes are posted here. I've got it to the point where the software runs but my TiVO still doesn't "see" it. Also, it doesn't use the same ports as my previous install of JavaHMO did. Anyone have any ideas?
joat: 12:00:00 17 Jul 2005

It's a commercial product but it's interesting and you can print your
own: here's the paper version of the Enigma machine.
joat: 12:00:00 17 Jul 2005

Sat, 16 Jul 2005

Has anyone successfully installed Galleon (not the browser) under Linux or any other *nix? I have a working version of the older JavaHMO but cannot get the newer Galleon installed properly. Howto needed!
joat: 21:30:00 16 Jul 2005

I found Joe Gregorio's article
during a lecture that I wasn't paying attention to (I was playing with
del.icio.us instead). The article
talks about a method for securing RSS feeds with encryption rather than
password protecting the site. I like the idea but I believe that Joe
did not take it far enough. The idea that should be on the end of his
train of thought is "public key encryption".
joat: 16:00:00 16 Jul 2005

Fri, 15 Jul 2005

If anyone asks you to list the problems in IPv4 that still need to be
fixed for IPv6, you can say "ICMP". That link discusses
Fernando Gont's proposed changes to the protocol to protect against
long-known attacks (mostly DoS) with ICMP.
joat: 12:00:00 15 Jul 2005

Thu, 14 Jul 2005

Here's a long discussion on Smurfing, a denial of service attack that has lived much longer than it should have.
joat: 12:00:00 14 Jul 2005

Wed, 13 Jul 2005

More torrent users are needed so Mappinghacks.com users can get the free geodata
quicker!
joat: 12:00:00 13 Jul 2005

Tue, 12 Jul 2005

Here's another
analysis of the Witty worm.
joat: 12:00:00 12 Jul 2005

Mon, 11 Jul 2005

Corporations don't only worry about attacks from the outside. Here's a paper entitled "Analysis and Detection of Malicious Insiders", with 14 authors?
joat: 12:00:00 11 Jul 2005

Sun, 10 Jul 2005

Perl.com has a good piece on Bloom
filters, something I learned just this past week. In a nutshell,
Bloom filters are useful in dealing with gawd-awfully-large databases.
A Bloom filter will quickly tell you, accurately, if what you're looking
for is not in the database or, less accurately, if what you're
looking for might be in the database. Shorter version: it's a
way to avoid having to search massive databases for every query that a
user throws at a program.
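As an added illustration (my own code, not from the Perl.com piece), here is a small Bloom filter in Python run over a constructed blocklist; it shows the two answers the filter gives, a definite "no" and a "maybe" that is occasionally wrong at a rate the sizing formula predicts. The SHA-256 double-hashing scheme is this example's choice, not something the article prescribes.

```python
import hashlib
import math


class BloomFilter:
    """Set-membership sketch: answers "definitely not" or "maybe".

    Added example; the SHA-256 double-hashing scheme is this example's
    choice, not anything the Perl.com piece prescribes.
    """

    def __init__(self, capacity, error_rate=0.01):
        # Standard sizing: m bits and k hashes for n items at target rate p.
        self.m = max(8, math.ceil(-capacity * math.log(error_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0

    def _positions(self, item):
        # Derive k bit positions from one digest (Kirsch-Mitzenmacher):
        # index_i = h1 + i * h2 mod m, with h2 forced odd.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def might_contain(self, item):
        # Every bit set -> "maybe"; any bit clear -> "definitely not".
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def expected_false_positive_rate(self):
        # (1 - e^(-kn/m))^k for the n items inserted so far.
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


def demo(capacity=1000, probes=10000, error_rate=0.01):
    # Constructed sample data, not real hosts: a blocklist of "known bad"
    # names and a disjoint set of clean names to probe with.
    known = [f"bad-host-{i}.example" for i in range(capacity)]
    clean = [f"clean-host-{i}.example" for i in range(probes)]
    bf = BloomFilter(capacity, error_rate)
    for name in known:
        bf.add(name)
    # Members are always "maybe": a Bloom filter never gives a false negative,
    # so a "no" answer lets the caller skip the expensive lookup safely.
    false_negatives = sum(1 for name in known if not bf.might_contain(name))
    # Non-members are usually "no" but sometimes "maybe": the false positives
    # that force a real lookup in the backing database.
    false_positives = sum(1 for name in clean if bf.might_contain(name))
    return {
        "bits": bf.m,
        "hashes": bf.k,
        "false_negatives": false_negatives,
        "measured_fp_rate": false_positives / probes,
        "expected_fp_rate": bf.expected_false_positive_rate(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```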
joat: 12:00:00 10 Jul 2005

Sat, 09 Jul 2005

It appears that Google Earth
downloads are available
again. So many people went absolutely nuts with this free toy, when
they first released it, that they had to block downloads of the software.
I'm willing to bet that the total man-hours of productivity lost to
Google Earth rivals opening day of one of the Star Wars films. Of
course, people have gotten organized so that they can
spend even more time sight-seeing vicariously. Some are even excited
enough about it that they'll post Flickr photos about where they haven't been. What's that? A faux-moblog (fo-mo-blog)? (heh)
joat: 14:30:00 9 Jul 2005

I'm not in here but a
neighbor, a block or so over, is. Are you?
joat: 14:00:00 9 Jul 2005

The BBC is experimenting with podcasting.
joat: 13:45:00 9 Jul 2005

Here are some of the
papers from the 2005 ReCon.
joat: 12:00:00 9 Jul 2005

Fri, 08 Jul 2005

Dig around in here (Core Security's Open Brainstormings). I'm willing to bet you find something interesting to read.
joat: 12:00:00 8 Jul 2005

Thu, 07 Jul 2005

You might find Jonathan Westhues's
circuit board grinder and/or his proximity card stuff interesting.
joat: 12:00:00 7 Jul 2005

Wed, 06 Jul 2005

Yet more reason to tie down your wireless networks, read your logs, and
periodically test your own site(s): stuff like this gets taught at conferences. It's a presentation on "doing evil" involving wireless, search engines, and various tools (not necessarily together) entitled "Wizard searching: reversing the commercial web for fun and knowledge".
joat: 12:00:00 6 Jul 2005

I hereby donate my "Bonehead" sign (remember the one that I promised to
wear all weekend) to the asshole that's DoS'ing my service provider.
joat: 02:00:00 6 Jul 2005

Tue, 05 Jul 2005

Weirdness for my own benefit, embedding someone else's RSS feed in your
wiki page:
joat: 12:00:00 5 Jul 2005

Mon, 04 Jul 2005

I still haven't seen the new Star Wars movie so I don't know who the
Emperor actually is. After seeing this, could it be Tom Cruise? Thanks to Ben Saunders via FurryGoat.
joat: 12:30:00 4 Jul 2005

All the more reason to move away from WEP and start using WPA2 and 802.11i. It's a paper from Recon 2005 which discusses the current state of wireless injection attacks.
joat: 12:00:00 4 Jul 2005

Sun, 03 Jul 2005

The following needs a bit of polish but you'll get the idea: Me disagreeing with Paul Vixie?!? I guess so. There are justifiable reasons for implementing private DNS domains, the main one being "community". Or should I say "different community" or "private community". There are those that like the idea of not having to play by the rules imposed on them by others. Paul Vixie makes a good point against his own argument when he says "So what? Everybody wants something. I want a pony. Get over it." I bet your initial response is to think: "Geez! What an asshole!" To be fair, he said that just to make a point. (I hope.) But it's one of the major reasons that people set up their own communities and practices. An example of this: fanatical "don't top post" crusaders have caused mail list/forum splits more than once. Otherwise, there would be one Perl list (with Tom in it), one security site (with Richard in it), one political forum (dissenters will be shot!), one operating system (you'd not be able to add functions either), and one movie list (we'll tell you what you'll watch). Yes, another is "money", but you don't have to play if you don't want to. In fact, those schemes are doomed to fail, either due to lack of participation or by actions of the-powers-that-be. (A local here managed the ".biz" domain two years before the powers that be declared the ".biz" domain to be theirs. She even went before Congress over the issue. The result: the "official" domain was assigned to an "official" registrar and the ensuing "switch" caused a lot of confusion, not to mention emotional responses.)

I also take issue with the "coherency" and the "there can only be one" arguments. Coherency has never been a basic assumption in the design of the DNS system. "Trust", yes. "Coherency", no. The "There can only be one" argument is fine for those sitting at the top. For those of us near the bottom, there are good reasons to modify "the rules". For 50K+ users and a small IT budget, filtering of porn, UCE or malicious code can only be performed via DNS poisoning (declaring your server as authoritative for those domains your users shouldn't be going to) (or blocking spyware/malicious code sources). There also may be a need to set up private communities. Corporations can (and do) practice "security by obscurity" by setting up private DNS roots and attaching vhosts to them. While "security by obscurity" by itself is not a good thing, as an added layer in "defense in depth", it increases overall security. (Think a vhost attached to a private domain where the default page responds with a 404 error. In other words, you have to know about the pseudo root page to join the community. With added configuration, you have to be part of the community to "see" the page.)

A non-corporate example of modifying DNS service for a private community is the UCE-fighting community's blacklists. As an example, a response to a lookup on "40.30.20.10.relays.mail-abuse.org" means that it's listed as a problem source. While this service is run within the ".org" domain, it could just as easily be run under the ".bob" domain. As long as people know how to configure their DNS services to include ".bob", the service would be just as employable. This technique is also used to distribute public encryption keys, host databases (think phone or address books), keep track of hardware/software/books, and just about anything else a private community might need. It's only when that community tries to "go global" that they run up against the "you can't have it, get over it" crowd. Paul's response is not necessarily a "bad thing" either. It creates an environment for innovation. Invention is not done by "fat & happy". It's usually performed by someone hungry, curious, frustrated, seriously bored or even paranoid. So Paul, with or without your approval (or help) it's being done. Get over it.
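As an added example (my code, not from the post), here is how the lookup name in the blacklist example above is built: "40.30.20.10.relays.mail-abuse.org" is the address 10.20.30.40 with its octets reversed under the list's zone, and the same construction works unchanged under a private zone such as ".bob". The IPv6 form (32 reversed hex nibbles) is the usual convention and goes beyond what the post mentions; the zone data is a constructed stub standing in for a real resolver.

```python
import ipaddress


def dnsbl_query_name(ip, zone):
    """Return the name to look up for `ip` in the list served under `zone`."""
    addr = ipaddress.ip_address(ip)          # ValueError for anything not an IP
    if addr.version == 4:
        labels = str(addr).split(".")        # four decimal octets
    else:
        labels = list(addr.exploded.replace(":", ""))   # 32 hex nibbles
    # Least-significant label first, exactly like in-addr.arpa / ip6.arpa.
    return ".".join(reversed(labels)) + "." + zone.strip(".")


# Constructed stub standing in for the DNS (not real list data): the A
# record a list server returns for a listed address. Any answer means
# "listed"; no record (NXDOMAIN in real DNS) means "not listed". The same
# lookup is served under a public zone and under the post's private ".bob".
STUB_ZONE_DATA = {
    "40.30.20.10.relays.mail-abuse.org": "127.0.0.2",
    "40.30.20.10.relays.bob": "127.0.0.2",
}


def lookup(ip, zone, resolve=STUB_ZONE_DATA.get):
    """Return the list's answer for `ip`, or None when it is not listed.

    `resolve` maps a query name to an A-record string; the default is the
    stub above, a real deployment would pass a DNS client here.
    """
    try:
        name = dnsbl_query_name(ip, zone)
    except ValueError:
        return None     # never query garbage, and never treat it as listed
    return resolve(name)


def is_listed(ip, zone, resolve=STUB_ZONE_DATA.get):
    return lookup(ip, zone, resolve) is not None


if __name__ == "__main__":
    for zone in ("relays.mail-abuse.org", "relays.bob"):
        print(dnsbl_query_name("10.20.30.40", zone), "->", lookup("10.20.30.40", zone))
    print(dnsbl_query_name("2001:db8::1", "v6.bob"))
```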
joat: 18:00:00 3 Jul 2005

Added the following feeds to the Bloglines subscriptions:
- http://cutlass.info/
- http://www.synacklabs.net/
- http://www.honeyclient.org/
- http://blogs.msdn.com/brianjo/archive/category/2082.aspx
joat: 16:45:00 3 Jul 2005

SynAckLabs has announced the
first-ever honeyclient tool (presentation here). Basically, it's a tool to detect/monitor malicious sites (web, for now). I think the author has a lot of interesting work ahead of him. I don't think it'll make him too popular amongst the spyware crowd either.
joat: 14:00:00 3 Jul 2005

F-Secure has another Beta for their Blacklight anti-rootkit software.
This one runs
until 01 October. If anyone uses it, please let the rest of us know
what you think about it.
joat: 12:00:00 3 Jul 2005

Sat, 02 Jul 2005

It's old news to those that pay attention to their blogrolls and keep
their links up to date (I'm not in that group, though I occasionally try
to be) but: Liudvikas Bukys has moved his blog to here. He sent me an email prompt over a
week ago and I'm only now getting around to it.
joat: 13:30:00 2 Jul 2005

In a fit of very early morning experimentation, I tried out the
ndiswrapper that's built into Mandrake 10.2. The WPC54G card worked the
first time. I put the list of steps here. Enjoy!
joat: 12:00:00 2 Jul 2005

Fri, 01 Jul 2005

Here is Simon Myers' paper which discusses various valuable Bash tips and tricks. Worth reading if only for the history tip.
joat: 12:00:00 1 Jul 2005

Thu, 30 Jun 2005

Here's Core Security's analysis of the Slapper worm.
joat: 12:00:00 30 Jun 2005

Wed, 29 Jun 2005

I've gotten rusty. I spent two hours troubleshooting software that I
hadn't touched in two years. What should have taken me 5 minutes to
trace took me 2 hours. You can consider me as wearing the "bonehead"
sign around my neck, at least, thru the weekend. D'oh!
joat: 12:00:00 29 Jun 2005

Tue, 28 Jun 2005

The author of this WatchGuard article really admires Skype's ability to evade firewall controls and thereby void security policy. While Skype might be hard to block, it is easy to detect and the author seems to have forgotten the most effective countermeasure for preventing the use of any tool: public executions. If all of the network's users are aware of the consequences of violating policy (and know it's being enforced), incidents won't occur that often. As a former network hitman, I've seen this one in action. No matter what you think of it, it's a method that does work.
joat: 12:00:00 28 Jun 2005

Mon, 27 Jun 2005

I won a Shuffle in a drawing at a recent conference and have been using it to listen to various Podcast (hate the name) shows. I also burn a lot of those shows to disk and listen to them during my one hour+ commute to/from work. I'm interested in maintaining a list (in the wiki) of good geek/tech shows. Here are my favorites:
- any of the Leo Laporte shows (TLR, TWIT, the KFI shows)
- /bin/rev (although I don't like Stank's personality, he does have a good show)
- Slashdot review
- Geek News Central
- Chris Pirillo
Others I've been monitoring (haven't decided if I like yet) include:
- Infonomicon
- Linux Link Tech Show
- Mondays
- LQ
- Linux Link Tech Show
- most of the stuff in HackerMedia
Leave a comment and I'll add the sources to the wiki.
joat: 12:00:00 27 Jun 2005

Sun, 26 Jun 2005

Just got done watching Troops
and I.M.P.S.. Good stuff.
I.M.P.S. is a bit more subtle (for humour) but both are good. Love the
references to MST3K and Predator.
joat: 17:00:00 26 Jun 2005

One thing that Kismet demos don't often include is GPSDrive, a program
that will detect Kismet and add additional capability to the surveyor's
toolkit. Here is Anthony Stone's presentation on the topic. I especially like the slide showing the relationship between the OSI and TCP/IP models (though it doesn't have much to do with wireless).
joat: 12:00:00 26 Jun 2005

Sat, 25 Jun 2005

joat: 16:00:00 25 Jun 2005

Slashdot's already been there but here's the paper on HTTP Request Smuggling by Klein, Orrin, Heled & Linhart.
joat: 12:00:00 25 Jun 2005

Fri, 24 Jun 2005

Here's an article from Core Security discussing analysis of shellcode.
joat: 12:00:00 24 Jun 2005

Thu, 23 Jun 2005

Here's the North
American IPv6 Task Force's list of "Articles of Interest".
joat: 20:00:00 23 Jun 2005

Wed, 22 Jun 2005

Say that it'll
take $2K to build something, someone will take it as a challenge and
probably come up with something just as effective for $50, which
somebody else will mass produce for $20. Something to keep an eye on,
both the bad guy tech and what the manufacturers are going to do to
counter the problem.
joat: 12:00:00 22 Jun 2005

Tue, 21 Jun 2005

Here is William Bellamy's SANS/GSEC paper on HTTP Header Exploitation. Note: it has nothing to do with the recent exploits which I'll blog about later in the week.
joat: 12:00:00 21 Jun 2005

Mon, 20 Jun 2005

Here's another article on the .xxx domain. If you read the article, certain alarms should be ringing in your head. It's probably not comprehensive, but here's what irks me:
- ICM will charge $60-$70 dollars, $10 of which would fund someone else's agenda (ICANN also gets a cut)
- the "non-profit" will be comprised of what appears to be groups that will be most biased in the first place: adult material purveyors, privacy advocates, and "child-advocacy concerns" (what are those, exactly?).
- the sentence "Even if it's voluntary, supporters say, adult sites will have incentives to use .xxx." What incentives might those be? It's certainly not monetary in nature! I think the only other remotely available incentives in existence are moral and penal. Since adult web sites are already considered to be against community morals, the only other incentive is going to be fines/jail time.
- the phrase "required to follow yet-to-be-written 'best practice' guidelines, such as prohibitions" is a triple negative. "Required to follow best practice" sounds like a law. "Prohibitions" does nothing to lessen the impression. Besides, spamming and malicious scripts (code) are already illegal.
- domain managers have had a very spotty history of assigning domains based on qualifications. Outside of the ".mil" and ".gov" domains, chaos prevails. Now we're supposed to believe that an organization made up of members with conflicting agendas is going to be different?
Let me repeat myself: I'm quite skeptical that this situation will lead to anything good.
joat: 12:00:00 20 Jun 2005

Sun, 19 Jun 2005

I still haven't decided if this is a new fad, an overblown art project, or someone attempting to astroturf a fad so they can collect e-mail addresses (or worse).
joat: 12:00:00 19 Jun 2005

Sat, 18 Jun 2005

Here's an article which discusses the tech that has many security officers banning iPods in the workplace. Personally, I think it's a bit over the top and entirely for the wrong reason. If you're worried about corporate data leaving the workplace (or programs being brought in), you should also worry about those thumb drives that the company signs out, all of the e-mail and web traffic, CD burners, hard copy, what's in employees' heads... (do I need to go on?) You should worry about iPods (or any other USB device) that have alternate OSs because of the DMA issues but banning them because they're temporary storage (without banning all other forms of temporary storage) is prejudicial in nature and basically ignorant.
joat: 12:00:00 18 Jun 2005

Fri, 17 Jun 2005

Note to self: when dhclient responds with "/sbin/dhclient-script:
configuration for eth3 not found", take a look in
/etc/sysconfig/network-scripts and make sure that ifcfg-eth3
exists. I'm such a bonehead at times. This caused a situation where a
friend's Windows laptop would connect to the network just fine but my
kluge-box wouldn't. Nothing was getting logged. I didn't notice until
I started running all of the commands manually. Based on the number of
times this shows up in Google, this is a common problem.
joat: 12:00:00 17 Jun 2005

Thu, 16 Jun 2005

In wandering around the net, I tripped over the NIST Virtual Library.
Most of the articles are over my head but I do understand a few of them.
Enjoy!
joat: 12:00:00 16 Jun 2005

Wed, 15 Jun 2005

Here's a site
that gives the basic theory behind most of the crypto systems in use.
joat: 12:00:00 15 Jun 2005

Tue, 14 Jun 2005

I was in Raleigh-Durham today for the VMWare demo (so call me a swag whore 'cause I like free copies of commercial software). Two things that could have made the demo a bit better:

1) GIVE BETTER directions to the place. The RD Hilton is at the east end of Page Road. However, the only thing on Page Road signifying the existence of the Hilton is a tiny 6" x 8" sign that appears to be pointing to the Sleep Inn parking lot. I missed this sign the first time through and spent the next hour exploring every inch of Page Road (and it's only a few miles long). Thanks to the manager at the Days Inn for pointing the way.

2) If you're going to present to a roomful of geeks, give 'em tables to work on. Just stuffing a small room with chairs makes the entire experience uncomfortable for everyone, especially when there's a full house.

To give them credit, the presentation was interesting. The title is "lost" because, as usual, I got lost on my way to where I was going. It's something that I've learned to live with, and my wife has learned to tolerate (our first date, we aimed at a restaurant in the next city... ended up in the next state). This time I did end up at the proper place (after asking directions twice) but I did get to see an ominous crime scene, complete with the population from 6 police cruisers and 3 news vans. Also on scene was 100+ feet of yellow police tape and what looked like a black bicycle lying on the ground. Anyone know what it was?
joat: 21:30:00 14 Jun 2005

Mon, 13 Jun 2005

For you Jason Scott fans, here's an article on the problems with (and reasons for) archiving the Internet. It's interesting that the average lifespan of a web page is 44 days. It's annoying that some consider it illegal to archive public content.
joat: 12:00:00 13 Jun 2005

Sun, 12 Jun 2005

The media is getting some pretty decent mileage on "Is IPSec on borrowed
time?". What hasn't been said is that each has its own advantages,
disadvantages and best use. The values that (can) differ with both
implementations include: the layer(s) where encryption occurs,
authentication mechanisms, the layer(s) where encapsulation occurs, and
situations where it's best employed. I think what we'll see is
peaceful co-existence, in the toolbox.
joat: 12:00:00 12 Jun 2005

Sat, 11 Jun 2005

Webroot is predicting that spyware will be embedded in RSS feeds by the end of the year. While it's possible, I think that the limitation is that it requires compromise of the feed source.
joat: 12:00:00 11 Jun 2005

Fri, 10 Jun 2005

CircleID has another view from a different author on the upcoming XXX domains.
Mr. Javed has come up with a couple points that I hadn't thought of.
joat: 12:00:00 10 Jun 2005

Thu, 09 Jun 2005

Weird, the comment spammers must have taken me off of their list. I
haven't received any (and I'm not asking for it!!) in a couple weeks.
joat: 12:30:00 9 Jun 2005

Those of you that actually visit the site have probably noticed that I'm
cleaning up some of the code on the site. Experiments and anti-spammer
tweaks have left the back end in a horrible mess. Between that and
work, I haven't had much time to research entries for the site. Please
bear with me for a bit longer and I apologize for the current font set.
joat: 12:00:00 9 Jun 2005

Wed, 08 Jun 2005

HigB did something that we're all prone to do in the long run: shot himself in the foot. However, he caught it in
time and did a quick analysis of the trojan.
joat: 12:00:00 8 Jun 2005

Tue, 07 Jun 2005

There is something more painful than being a level III Unix admin and
being forced to watch level I training CBTs. It's being forced to
watch level I training CBTs that were produced in the mid-1990s! Ow!
Brain hertz!
joat: 12:00:00 7 Jun 2005

Mon, 06 Jun 2005

I often complain about the four networks that I can "see" from my chair in the front room. Wormulon seems to have it much worse than I do. And before you comment, yes, I do have to run one of those APs unencrypted. The device on the other end cannot "do" any form of encryption. Not even WEP which, if it's all you have, you should still be using. My neighbor thinks I'm hacking his systems because I know the names of his machines. He is a heavy MS user (including SMB) and doesn't understand that when he turns off his AP (for security reasons) his machines will join any other wireless network. My network monitors are full of entries about "MoonGodess". I guess it could be worse.
joat: 12:00:00 6 Jun 2005

Sun, 05 Jun 2005

Bob Cromwell maintains a link farm of
security-related sites. It's worth exploring, there's some "doozies" in
there (try the "Privacy" or "Downright Scary Threats" links).
joat: 12:00:00 5 Jun 2005

Sat, 04 Jun 2005

Here are a couple ComputerWorld and CBC articles about the new .xxx domains coming into being. This topic has been discussed on this blog and other forums previously. Expect this domain adoption to lead to an extended exercise in frustration, politics, censorship and name-calling. ICANN is making the TLD available (for $75 per domain) so that porn sites can move in. What's not being said is that most porn sites probably won't move there because it makes censorship of their site(s) extremely simple. A good example of this is "www.whitehouse.com". The site uses that domain for two reasons: notoriety and to attract fat-fingered surfers. What happens when ICANN figures out that very few web sites are buying their $75 .xxx domains and are sticking with their $5 .com/.net domains? It's likely to involve parental controls, loud proclamations of "we're doing it to protect the children", and attempts to force migration to the .xxx realm. It'll only get nastier after that.

Because I periodically write about things that are unpleasant to some (and sometimes include the word "fuck"), does this site deserve an adult rating? Who gets to categorize the site? How long before people realize that the Internet is an adult tool, not a child's playground? Hopefully, the .xxx domain will exist to hold only those sites that want to be there but (feel free to call me a pessimist) I don't believe it'll exist more than 6 months before either the legislative branch or the media calls out the lynch mob.
joat: 12:00:00 4 Jun 2005

Fri, 03 Jun 2005

Here is a short paper on the issues involved with collecting forensic evidence in a distributed environment (i.e., the typical corporate network).
joat: 12:00:00 3 Jun 2005

Thu, 02 Jun 2005

I'm not sure where I found it but here's a sample test for CISSP.
joat: 12:00:00 2 Jun 2005

Wed, 01 Jun 2005

To go along with the recent GoogleMaps content, here is a site with a lot of GPS and map links. What happens when we get broadband connectivity in our cars? Tying gpsd to GoogleMaps isn't that difficult.
joat: 12:00:00 1 Jun 2005

Tue, 31 May 2005

Please excuse the interruption in blogging. I'm on yet another trip, this time to Baltimore. I'll get back to posting shortly.
joat: 20:00:00 31 May 2005

Mon, 30 May 2005

(via Blackhat.info and ZDNet) CipherTrust has used some of
the data gathered from their mail filtering appliances to produce the ZombieMeter.
joat: 12:00:00 30 May 2005

Sun, 29 May 2005

joat: 12:00:00 29 May 2005

Sat, 28 May 2005

I've finally "got" Del.icio.us. You can see my bookmarks here. The RSS feed for it is here.
joat: 12:00:00 28 May 2005

Fri, 27 May 2005

Keep an eye on what comes out of the Recon.
joat: 12:00:00 27 May 2005

Thu, 26 May 2005

Unless you work with the data, you never know when you'll need odd
sources of data so, for my benefit, here is a site that lists the tax rates of all 50 states.
joat: 12:00:00 26 May 2005

Wed, 25 May 2005

Here's a website
mostly devoted to a tool that builds AutoRun files but has other AutoRun
info.
joat: 12:00:00 25 May 2005

Tue, 24 May 2005

One of the problems with being on the road for two weeks out of a month
is that I don't get to do the usual amount of research, so I have to
rely on my backlog for source material. In any case... Here's a site
with a collection of papers related to "Mining Alarming Incidents in
Data Streams" (MAIDS). (No, not the NT file system.)
joat: 12:00:00 24 May 2005

Mon, 23 May 2005

It's a bit from the mutual-appreciation-society but it's more about
tracing the spammers (from a while ago). Ann Elisabeth has
performed a lot more research and has gotten a lot farther than I did.
She also took advantage of a server crash.
joat: 12:00:00 23 May 2005

Sun, 22 May 2005

Please bear with the site for a bit. I'm doing a bit of spring cleaning
and some things may not work properly for a short while.
joat: 20:00:00 22 May 2005

LinuxElectrons has an article about XTen soft phones being available for Linux. They're a bit of overkill for my setup but I'll probably "grow into them". Worth taking a look at.
joat: 12:00:00 22 May 2005

Sat, 21 May 2005

Any truth to the rumor that AirJack is being updated to the 2.6 kernel?
joat: 15:00:00 21 May 2005