(J)ack (O)f (A)ll (T)rades
Mostly Security, Some
Blogging, Misc. Admin,
and Bits of My Life.









Sun, 31 Dec 2006

23c3 31 Dec
Anarchaia has pointed out that some 23c3 videos have started showing up in Google Video.

joat: 23:49:25 31 Dec 2006


Network Forensics 31 Dec
Here is a sample chapter from "Computer Forensics: Incident Response Essentials", entitled "Tracking an Offender". Although the material is five years old, it still applies.

To fill in the gaps, here are a few bits:

  • While the Message-ID of an e-mail is supposed to be unique, it may or may not be random. It may be worthwhile to know more about the systems handling the mail you're investigating. (Hint: Message-IDs generated by Sendmail are derived from the process number and the time of day, so they can be decoded and ordered rather than treated as opaque strings.)
  • In addition to NetBIOS (on Unix systems, use nbtscan), it's likely to be worthwhile to run other tools, like Nmap, to get a better idea of the services running on a machine. This is a last resort, though, as actively probing a suspect system may foul any legal proceedings; if you do it, record what you ran, when, and from where. Then again, if the system is out of your reach...
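As an added illustration of the Message-ID point (this is example code written for this post, not material from the book or from Sendmail itself), the decoder below assumes the queue-ID layout used by Sendmail 8.12 and later: the Message-ID is `<YYYYMMDDHHMM.` followed by six base-60 characters for year (mod 60), month, day, hour, minute and second, two base-60 sequence characters, the six-digit PID of the queuing process, then `@host>`. That layout, the base-60 alphabet and the sample IDs are assumptions for the example; older releases used a different queue-ID scheme and will simply not decode.

```python
import re
from datetime import datetime

# Assumed Sendmail 8.12+ Message-ID layout (assumption, not from the page):
#   <YYYYMMDDHHMM.tttttt ss pppppp@host>   (written without spaces)
#   tttttt = year%60, month, day, hour, minute, second as base-60 digits
#   ss     = two base-60 per-second sequence characters
#   pppppp = six-digit PID of the sendmail process that queued the message
B60 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx"
SENDMAIL_MSGID = re.compile(
    r"^<(?P<stamp>\d{12})\.(?P<t>[0-9A-Za-x]{6})(?P<seq>[0-9A-Za-x]{2})"
    r"(?P<pid>\d{6})@(?P<host>[^>\s]+)>$"
)


def decode_sendmail_msgid(msgid):
    """Return the time, PID and host encoded in a Sendmail-style Message-ID,
    or None if the string does not fit the assumed layout or is inconsistent."""
    m = SENDMAIL_MSGID.match(msgid.strip())
    if m is None:
        return None
    y, mon, day, hour, minute, sec = (B60.index(c) for c in m["t"])
    stamp = m["stamp"]
    year = int(stamp[:4])
    if (year - 1900) % 60 != y:            # year character is tm_year % 60
        return None
    try:
        ts = datetime(year, mon + 1, day, hour, minute, sec)   # tm_mon is 0-based
    except ValueError:
        return None
    if ts.strftime("%Y%m%d%H%M") != stamp:  # 12-digit prefix must agree
        return None
    return {"timestamp": ts, "pid": int(m["pid"]), "seq": m["seq"], "host": m["host"]}


def order_by_origin(msgids):
    """Sort decodable IDs by the time and PID they encode. IDs that do not
    decode are returned separately: they may be random, or from another MTA."""
    decoded, unknown = [], []
    for mid in msgids:
        info = decode_sendmail_msgid(mid)
        if info is None:
            unknown.append(mid)
        else:
            decoded.append((info["timestamp"], info["pid"], mid))
    decoded.sort()
    return [mid for _, _, mid in decoded], unknown


if __name__ == "__main__":
    # Constructed sample IDs, not taken from real mail.
    sample = [
        "<200612312349.kBVNnPab012345@mail.example.com>",
        "<200612312348.kBVNmAab012340@mail.example.com>",
        "<1234abcd$5678@example.org>",
    ]
    for mid in sample:
        print(mid, "->", decode_sendmail_msgid(mid))
    print(order_by_origin(sample))
```

The two consistency checks (year mod 60 and the 12-digit prefix) are what let you tell a genuine Sendmail ID from a forged one that merely looks the part; an ID that passes both also tells you which process on which host queued the message and when, which is exactly what the chapter's "know the system handling the mail" advice is about.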

In any case, it's been five years since the book was published. I expect that it will be updated shortly (I hope).

joat: 14:12:12 31 Dec 2006


Sat, 30 Dec 2006

Statistics Tutorials 30 Dec
From Anarchaia, here is a list of tutorials dealing with various statistics-related methods/theories.

joat: 12:26:53 30 Dec 2006


Oh come on! 30 Dec
The obvious response to this is to port Vi to the DS too.

joat: 12:26:49 30 Dec 2006


Fri, 29 Dec 2006

Botnet list 29 Dec
I cannot vouch for the accuracy, but here is a list of IPs that I believe to be part of a single botnet. Reason: entries in the web server logfile that indicate a scripting error common to all of the IPs.

Please be careful in handling the list; there are likely to be innocent bystanders in there also. At the moment, I don't have time to do the research.
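Added example (not the author's script, which is not on the page): the grouping that turns "the same scripting error from many IPs" into a candidate list, run over constructed Apache combined-format log lines. The unexpanded `%ID%` placeholder in the sample stands in for whatever the real shared error was; the page does not say. IPs that also sent ordinary traffic are reported separately, since those are the likely bystanders (shared NAT, or an infected box with a real user behind it).

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines (not real data). The unexpanded
# "%ID%" placeholder is a stand-in for the shared scripting error.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Dec/2006:19:58:01 -0500] "POST /cgi-bin/comments.cgi?id=%ID% HTTP/1.1" 500 312 "-" "Mozilla/4.0"
198.51.100.22 - - [29/Dec/2006:19:58:04 -0500] "POST /cgi-bin/comments.cgi?id=%ID% HTTP/1.1" 500 312 "-" "Mozilla/4.0"
192.0.2.45 - - [29/Dec/2006:19:58:09 -0500] "GET /index.php HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Dec/2006:19:58:11 -0500] "POST /cgi-bin/comments.cgi?id=%ID% HTTP/1.1" 500 312 "-" "Mozilla/4.0"
198.51.100.61 - - [29/Dec/2006:19:58:15 -0500] "POST /cgi-bin/comments.cgi?id=%ID% HTTP/1.1" 500 312 "-" "Mozilla/4.0"
192.0.2.45 - - [29/Dec/2006:19:58:20 -0500] "POST /cgi-bin/comments.cgi?id=%ID% HTTP/1.1" 500 312 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def ips_by_signature(text):
    """Group client IPs by (method, path, status). A herd of bots running one
    broken script shows up as many IPs sharing one odd signature."""
    groups = defaultdict(set)
    for r in parse_log(text):
        groups[(r["method"], r["path"], r["status"])].add(r["ip"])
    return groups


def suspect_ips(text, marker):
    """Split IPs that ever sent a request containing `marker` into those that
    sent nothing else (likely bots) and those that also sent ordinary traffic
    (possible bystanders worth checking by hand before publishing a list)."""
    marked, total = defaultdict(int), defaultdict(int)
    for r in parse_log(text):
        total[r["ip"]] += 1
        if marker in r["path"]:
            marked[r["ip"]] += 1
    only_marked = sorted(ip for ip in marked if marked[ip] == total[ip])
    mixed = sorted(ip for ip in marked if marked[ip] != total[ip])
    return only_marked, mixed


if __name__ == "__main__":
    for sig, ips in ips_by_signature(SAMPLE_LOG).items():
        print(sig, len(ips), "IPs")
    bots, bystanders = suspect_ips(SAMPLE_LOG, "%ID%")
    print("bots:", bots)
    print("check by hand:", bystanders)
```

Grouping by the full (method, path, status) signature first, before deciding on a marker, is deliberate: it shows you the odd signature without assuming in advance what the bots' mistake looks like.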

joat: 20:05:40 29 Dec 2006


Thu, 28 Dec 2006

Still here... 28 Dec
Just in case anyone's wondering, I'm still around. The change in jobs required a bit of reorganization on my part. That along with the PowerStorm incident has kept me quite busy for a few weeks. I should be back up to speed shortly.

joat: 23:55:33 28 Dec 2006


Live Mail? 28 Dec
Is this criminal? Having differences based on shortcomings between browsers is one thing. Intentionally creating artificial differences is another. Any lawyers in the house?

joat: 23:44:08 28 Dec 2006


23c3 28 Dec
For some reason I cannot get the video feeds to work but the audio feeds from 22c3 seem to be working fine.

joat: 22:47:00 28 Dec 2006


D'oh! 28 Dec
Umm... Not a good sign.

joat: 11:27:19 28 Dec 2006


Mon, 25 Dec 2006

Sensei's Library Plugin 25 Dec
One good thing that came out of the recent spammer floods from PowerStorm is that it forced me to work with the code underneath the blog. Because I'm working with static pages now, I'm able to use a different set of plugins. The latest experiment is with Sensei's Blosxom Plugin, which allows me to use miscellaneous short-hand for links while editing posts.

Note: for anyone attempting to download the plugin, the link on the page is incorrect. The code actually resides here.

joat: 20:44:29 25 Dec 2006


Sun, 24 Dec 2006

MediaWiki, PHP, and Memory 24 Dec
Associated with the 22 Dec fix for magic quotes is a needed configuration fix for memory issues. Because I don't have admin access to the server, I have to attempt various (sometimes impossible) fixes inside the programs that I use.

Associated with this, the index page of the wiki was overly large, especially after I've been adding various extensions.

In any case, I was able to figure out how to increase the PHP memory limit for MediaWiki from within the code itself. Wiki entry is here.

I've also moved the index to its own page and have added a couple of extensions to the wiki which track changes. See them here.

joat: 06:27:47 24 Dec 2006


Fri, 22 Dec 2006

MediaWiki and PHP 22 Dec
When the powers that be at 757 upgraded PHP, they turned on various magic_quotes functions so that a program that needed them could be run. The problem with magic_quotes being turned on is that it breaks MediaWiki. The side effect noted here (on an already installed MediaWiki 1.6.8) was the cumulative addition of escape characters ('\') in front of every ' and " each time a page was saved.

Credit goes to Count at 757 for pointing me to the (for now, tentative) fix of adding the following near the top of LocalSettings.php and index.php:

  set_magic_quotes_runtime(0);

That's it! One caveat: set_magic_quotes_runtime() only controls magic_quotes_runtime (data read from files and databases). The escaping of submitted form data is done by magic_quotes_gpc before the script ever runs, and that one can only be switched off in php.ini or a per-directory .htaccess (php_flag magic_quotes_gpc off) or undone in code with stripslashes(). If the backslashes keep accumulating after this change, that is the setting to look at. Please let me know if this doesn't fix it or causes other problems.

Wiki entry here.

joat: 22:50:22 22 Dec 2006


Thu, 21 Dec 2006

One of the 7 signs? 21 Dec
Should I be scared that the Hello Kitty Pez dispenser is right next to the Orange County Choppers Pez dispenser? Is the end near? I was out looking for a USB power supply (a wall wart with a USB slot) and saw those in the check-out line. Yikes! (BTW, this is a test message for my "publish" script. Please ignore.)

joat: 23:51:22 21 Dec 2006


Wed, 20 Dec 2006

Repairs 20 Dec
In switching to the static pages, I've repaired some of the code in the back-end so that the RSS 0.91, RSS 1.0, and Atom feeds are updating themselves again. Please yell if you see any problems.

It appears that I may have to resort to HaloScan or similar if I want to reinstate commenting...

joat: 13:00:00 20 Dec 2006


Mon, 18 Dec 2006

Reformatting of the blog 18 Dec
Thanks to our PowerStorm buddies (the comment spammers), I've been forced to modify the blog. For now, I've turned off the comment system (again) and have switched to static pages.

For those using the older CGI-based joatblog, this should be the last visible post. Everyone should update their readers/subscriptions to the following new URLs:

  
  Direct link to the blog: http://www.757.org/~joat/ or http://www.757.org/~joat/index.php
  RSS feed: http://www.757.org/~joat/index.rss

I will be generating the blog on my home machine and periodically pushing it out to the server. It'll improve my relations with the other server tenants, allow me to mess with embedded PHP, and the shorter/simpler URLs should make the guys at CyberSpeak happier too. Heck, it needed consolidation anyway.

joat: 13:00:00 18 Dec 2006


Sun, 17 Dec 2006

DNS black holes 17 Dec
A long time ago, I experimented with forging domain authority on internal DNS servers (declaring the internal server authoritative for domains you want to block, so that they resolve to nothing useful) as an anti-spam/anti-porn measure. It does work, though I don't recommend it as a countermeasure unless you're willing to devote (I'm not kidding) a lot of time to updating the zone files. Over a one year period, I added 21K zones and still could not get ahead of the game.

I guess it would help to have an organized project to rely on. Something like Bleeding Edge's black-hole DNS project. Mix in a little policy-based routing (IP and port redirects that are invisible to users) and your troublemakers get quite frustrated. If you manage a network, I recommend looking at this.

Side note: what you use as a DNS server will determine how well you can scale the project. Windows DNS handles 21K domains poorly. Linux doesn't fare much better. (They do work but overload easily.) FreeBSD variants fare a bit better. The one that I recommend as a DNS server for heavy use is BSDi (the commercial one). Wind River purchased BSDi and discontinued the product some time in 2003. It's still a very stable platform if you have the license.
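Added example, not from the page or from the black-hole DNS project: a small generator for the BIND side of this. It turns a raw blocklist into one `zone` stanza per domain, all pointing at a single origin-relative sinkhole zone file, and drops any entry already covered by a listed parent, which is the cheapest way to keep the zone count (and the server load the side note complains about) down. The blocklist, the file path and the sinkhole address are constructed/hypothetical.

```python
import re

# Constructed blocklist (not real data): a comment, a duplicate, a subdomain
# already covered by its parent, and one junk line.
BLOCKLIST = """\
# hypothetical feed, one domain per line
spam-example.test
SPAM-EXAMPLE.test.
mail.spam-example.test
tracker.example.invalid
not a domain!
"""

# Hypothetical path and sink address; adjust for the server you run.
SINKHOLE_ZONE_FILE = "/etc/namedb/blackhole.zone"
SINKHOLE_IP = "127.0.0.1"

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(raw):
    """Lower-case, strip comments/whitespace/trailing dot; None if not a hostname."""
    name = raw.split("#", 1)[0].strip().lower().rstrip(".")
    if not name:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return None
    return name


def minimal_zones(raw_lines):
    """Dedupe and drop any name already covered by a listed parent: once you
    claim authority for spam-example.test, mail.spam-example.test is yours too."""
    names = {n for n in map(normalize, raw_lines) if n}
    keep = []
    for n in sorted(names, key=lambda d: d.count(".")):   # parents before children
        if not any(n.endswith("." + k) for k in keep):
            keep.append(n)
    return sorted(keep)


def named_conf(zones, zone_file=SINKHOLE_ZONE_FILE):
    """One BIND 'zone' stanza per blocked domain, all sharing the same file."""
    return "".join('zone "%s" { type master; file "%s"; };\n' % (z, zone_file) for z in zones)


def sinkhole_zone(sink_ip=SINKHOLE_IP, ttl=3600):
    """Origin-relative zone file shared by every blocked zone: the apex and every
    name under it resolve to sink_ip. localhost. serves as the NS name so the
    file does not depend on any real nameserver."""
    return (
        "$TTL %d\n"
        "@ IN SOA localhost. root.localhost. ( 1 %d 900 604800 %d )\n"
        "@ IN NS localhost.\n"
        "@ IN A %s\n"
        "* IN A %s\n"
    ) % (ttl, ttl, ttl, sink_ip, sink_ip)


if __name__ == "__main__":
    zones = minimal_zones(BLOCKLIST.splitlines())
    print(named_conf(zones))
    print(sinkhole_zone())
```

Pointing the sink at 127.0.0.1 makes blocked hosts fail fast; pointing it at an internal web server that logs the Host header instead gives you the "who keeps trying to reach what" data that the policy-based-routing trick in the post is after.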

Side note: Wind River has purchased and discontinued at least one other OS. They're also the parent of VxWorks, which is that annoying OS in the newer 54Gs. Would it surprise you that they've also been a partner to Red Hat?

joat: 13:00:00 17 Dec 2006


Fri, 15 Dec 2006

Slimplayer + SageTV + Linux == nope 15 Dec
Unfortunately the SlimServer plugin for SageTV has some Windows specific JARs and won't work with the Linux version of SageTV. I know I might be one of the few Linux SageTV users on the planet but could we ask Chris Koele to fix the plugin? [*sniff*]

Still won't prevent me from putting the Squeezebox on my wishlist though. (heh)

joat: 13:00:00 15 Dec 2006


Thu, 14 Dec 2006

It's the world that's f'd!! 14 Dec
I just love it when someone thinks that the rest of the world should change so that their own stuff will work. Do I need to bring up the old story about the MCSE who repeatedly abused 100+ domains because reverse DNS lookups were keeping his outbound mail from being delivered? (Hey, he claimed that his having the MCSE cert qualified him as a DNS expert. I only egged him on.) (And I wasn't the first to do so on that very topic.)

joat: 13:00:00 14 Dec 2006


Sat, 09 Dec 2006

SageTV web interface 09 Dec
I'd noticed the web interface to SageTV awhile ago but didn't have the time to mess with it. Decided to poke at it for an hour or so. It actually took all of five minutes to install. It would have taken less time but I had to figure out where it needed to be installed as all of the directions talked about relative paths.

In any case, I now have a very nice web front-end to SageTV with an especially nice (customizeable) show schedule interface.

Notes and screenshots here.

Next up, I want to play with SlimServer. For some reason they say that it doesn't work with the MediaMVP interface for SageTV, but it's supposed to work with the MVPMC firmware. I have hopes. Mebbe I'll have to come up with a way to select which firmware the MVP loads.

I'm off to start dropping hints that I really want a Squeezebox and/or another MediaMVP. The Transporter is definitely a bit out of my budget at $2K.

joat: 21:00:00 9 Dec 2006


Fri, 08 Dec 2006

Outage 08 Dec
Everyone please thank the ass spammer at 205.134.172.137 and 138. He was pounding the site so hard that the admins took the server offline and beat me. (A system load of 68?!)

Analysis pending.

joat: 02:18:29 8 Dec 2006


Thu, 07 Dec 2006

Pssst!! 07 Dec
It's on! (ShmooCon) Pass it on!

Say thanks to Mosh76 for pointing it out.

joat: 07:10:29 7 Dec 2006


Tue, 05 Dec 2006

DVArchive 05 Dec
While playing with the MediaMVP box, I discovered DVArchive. I've got no use for it as I don't have a ReplayTV box, but it should prove useful for anyone that does. It allows you to pull recordings off of the ReplayTV box and serve them up via an internal UPnP server. As it runs entirely in Java, it's pretty simple to set up and run.

The one thing that is hidden (left out) by the documentation is how to start the program: java -jar DVArchive.jar.

joat: 13:00:00 5 Dec 2006


Mon, 04 Dec 2006

Misc. 04 Dec
Spent most of my weekend of unemployment (did I mention that I was switching jobs?) poking at the guts of dotProject in an attempt to add e-mail alerts to tasks. It's taking awhile to gain enough understanding to add the appropriate code as, while the database tables are straight forward, the code and database queries in the original program are quite dense.

As a break, I got the MediaMVP interface to SageTV up and running via a WRT54G which I configured as a client (notes). It works great. It's even able to grab the dongle.bin file (that file name is not required) via the wireless network. No skips, network dropouts or stutters as yet, even with live TV. My two biggest annoyances with the product so far are: 1) I don't yet have sufficient hard drive space to let it run full time (it can eat up space quickly) and 2) it means that there's yet another remote control to lose in the cushions of my favorite chair. On the other hand, it allows me to take down the video sender and the remote control repeaters that were causing so much interference with the network to begin with.

I still plan on playing with MythTV and MVPMC.

joat: 13:00:00 4 Dec 2006


Fri, 01 Dec 2006

23C3 01 Dec
Just noticed that there are 30 days to the 23C3. It's been awhile; I'm looking for some fresh con vids. The reason that I'm bringing it up now is that it looks like they may also be doing live streams of various talks.

joat: 13:00:00 1 Dec 2006


Tue, 28 Nov 2006

Wi-Spy Picture Album 28 Nov
Given the response from the pictures (and my own fascination), is anyone interested in building a "photo album" of Wi-Spy shots? If no one's done it yet, I'll donate space on the wiki.

joat: 13:00:00 28 Nov 2006


Mon, 27 Nov 2006

Too cold? 27 Nov
Harald Welte has a gripe about air conditioning turned up too high. He managed to irk me.

He asks, "How weak have we become if we can't even tolerate temperatures up to, let's say, 30 centigrade?". My response is it's probably pretty weak if we can't tolerate a little cold, say 21 C?

It irks me because I'm from much further north and I'm quite comfortable in a server room kept at 13 C. I'm used to winter in Buffalo (snow depths measured in feet) and Chicago (sub-sub-zero wind chills). I actually suffer at 25 C.

My secondary response is to tell Harold to bring a jacket if he ever visits me. I won't visit him as there's only so much clothing I'm allowed (by law) to remove in public.

Oh, sorry: here are rough equivalents: 30C ~ 86F, 25C ~ 77F, 13C ~ 55F, 21C ~ 70F.

joat: 13:00:00 27 Nov 2006


Sun, 26 Nov 2006

SageTV 26 Nov
For those interested, I've posted notes on my getting the Linux version of SageTV (including the MediaMVP module) up and running.

joat: 21:30:00 26 Nov 2006


Sat, 25 Nov 2006

For Dave 25 Nov
Dave: Here's the bookmarks. Look for the "video" and "streaming" tags in the right-hand column.

joat: 20:00:00 25 Nov 2006


Wi-Spy 25 Nov
For those that care, I've copied the Wi-Spy screen captures into the wiki.

joat: 13:00:00 25 Nov 2006


Fri, 24 Nov 2006

Wi-Spy Pic 4 24 Nov
This latest screenshot from the Wi-Spy is probably useless for everyone else.

What you're seeing is the traffic generated by my running "iwlist eth1 scanning" on the AP, over and over and over. Doing so revealed that the light noise between channels 10 and 13 isn't actually my neighbor's network. Rather, it's two neighbors' networks on channel 11. There was also another neighbor's network on channel 9 (weird choice).

I really need to get outside and map the neighborhood. I especially need to figure out how much interference the video sender will cause if I leave it running on channel 4 (around channel 11 for 802.11 traffic).

Note to self: copy these pics into the wiki.

joat: 13:00:00 24 Nov 2006


Thu, 23 Nov 2006

Wi-Spy Pic 3 23 Nov
Here's another from the Wi-Spy. This one turned out to be quite valuable to me (or at least it explained a lot about some interference issues).

What you're seeing is a capture of the signals from each of the channels on my Grandtech AVW-1000 Video Sender that I use to send audio/video into the back of the house. The interesting part is channel 1 which obviously fails to conform to FCC interference regs. (It's an old piece of equipment though). The bad news is that I'm going to have to rethink my spectrum management now that I can "see" it.

joat: 13:00:00 23 Nov 2006


Wed, 22 Nov 2006

Wi-Spy Pic 2 22 Nov
Here's the second screenshot from the Wi-Spy.

The red, yellow, green and orange dots are generated by my own access point, running in 802.11g mode on channel 6. The bar between channel 8 and 9 has me intrigued.

joat: 13:00:00 22 Nov 2006


Tue, 21 Nov 2006

Wi-Spy Pic 1 21 Nov
Here's the first screen capture from the Wi-Spy. There's not much there as it's a picture of the background noise at my house.

The light noise scattered between 10 and 13 is actually a wireless network belonging to a neighbor, a few houses up the street. I have no idea what that narrow band of signal between channel 8 and 9 is. Josh Wright had pointed out a similar band during a recent talk and indicated that it was a wireless camera. Maybe that's the case here too.

joat: 13:00:00 21 Nov 2006


Weird spam 21 Nov
Just noticed the following... (Click to see photo). (89K)

Do you see it? (Hint: look at the body but not the text.)

I've got a growing collection of messages in which someone has gone to the trouble of adding little colored threads. It is not a picture as the text is normal. Though the threads are included as part of a graphic, they are inline. If I resize the window, no scrollbars appear (unless there's too much text).

This is too weird. Anyone have any ideas on what it is?

joat: 11:37:20 21 Nov 2006


Wi-Spy 21 Nov
Once again, the Fed Ex delivery was waiting on my porch when I got home (I've already said that we'd asked them not to do that, right?) I'm not unhappy though. It was my Wi-Spy.

I've been playing with it for the last half hour after spending the first half hour building the software (didn't really take that long to build but I had to chase down a few libraries) and eating dinner.

In any case, over the next few days I'll post snapshots of various types of traffic.

joat: 00:00:00 21 Nov 2006


Mon, 20 Nov 2006

Wiki update 20 Nov
For those that care, I've added some work to the wl page in the wiki and have removed the podcast items. The one menu looked horrible in IE.

joat: 13:00:00 20 Nov 2006


Sun, 19 Nov 2006

Hypocrisy 19 Nov
[*sigh*]

Various vaguely-related questions about Mr. Ballmer's comments:

  • Why does this sound oddly familiar? (Okay, it's a leading question.)
  • Does this have anything to do with the sudden reversion to that truly horrible TCP/IP stack in the new version?
  • Do people yet realize that a covenant means that they won't sue but there's nothing to keep the originator from calling you a pirate, a thief, or worse?
  • Does Mr. Ballmer believe that the only way his company can profit is to keep the communities alienated? (There is a not-small population that lives in both. I'm one of them.)

I hereby call for Mr. Ballmer to list the misappropriated intellectual property used in Linux so it can be removed and we can get on with life. (Who needs yet another court case where the claim is that Linus or one of his fanatics stole from so-and-so?) (It's been four years and we still don't know what was stolen from SCO.)

Call me a pessimist but I think that PJ and crew are going to have enough material to keep them busy for a decade or more.

Oh, and before I get beat up for being anti-MS, remember that I usually don't criticize the OS. Rather, it's the company's marketing tactics that I am vocal about.

When does it stop? One point to keep in mind is that the same tactics used against the open source community are readily adapted to the shareware and freeware programmers on both sides of the fence. Once a company decides that lawsuits are a legitimate (in their view) source of revenue, they will eventually strong-arm anyone they think is profiting (financially or otherwise) without "paying tribute" (MS's phrase, not mine). It might also be called "vig".

joat: 13:00:00 19 Nov 2006


Sat, 18 Nov 2006

Using spackle to seal the bullet holes in your foot 18 Nov
Andre Duran blogged about decentralized security and used the following picture.

The caption reads: "So where do I deploy my firewall now?"

My answer is: "You don't. You're screwed." And because each of those entities at the edge is likely to have a similar-looking network, you're screwed.

En masse.

The decentralized border discussion has irked me for years because it makes some very bad assumptions concerning trust. Not trust in people, but in their behavior. Just about anyone that has worked network security for any large firm will tell you that people tend to drift towards practices which require the least activity on their part. In other words, people tend to procrastinate and some are downright lazy. Unless you can guarantee that each of those border entities conform to the letter and intent of your security policies, you're screwed.

En masse.

Your corporate network should reach farther than you can walk in 15 minutes and should only have users whose connection to your internal network can be terminated without a lawyer. The guy who has the power to hire and fire should also be within a 15 minute walk of your office (his pace, not yours).

Decentralized security (the transparent border) has been a rationalization used to spend less money on security and to justify the convenience of teleworking with minimal spending.

External people need access to a service or data set? Good. Stick that service in a DMZ and restrict who can access that. Even better, give them a laptop configured so that it is only capable of connecting to your DMZ. Block your internal users from accessing the DMZ too. If you have to supply access from between the internal network and the DMZ, use an application proxy and limit what can go through where, when (yes time limits) and how.

The only company whose network diagram should look like the picture above is one who gives away network access for free and doesn't require passwords. (In other words, they have no service or data set, only connectivity.)

Yeah, we're going to need identity-based security to be able to use IPv6, but that technology isn't available yet. And don't go pushing NAC at me. That only works when you own the network from end to end (i.e., it's centralized security and won't work with a decentralized network).

Gunnar writes that security models must mirror the changes in business and technology or they're going to be broken. I think he's over-simplified the issue. While the company's "mission" may change greatly (moving from selling sneakers to MP3 players), the reason that the network is there changes little (provide word processing and access to the database).

Decentralized security only works when your users cannot exert changes in any part of the network or even on their local system. If any one of them can connect their node to any other network then there's going to be trouble (ask CNN to tell the story about their senior management and the Welchia worm). If they can connect to yours and the other at the same time, you're screwed.

En masse.

Here's a hint: if you have a firewall like what Gunnar describes, with thousands of open ports, then your security domain is too big and your security policy is too generic. They should both be broken into communities of interest and protected as separate entities.

Don't believe me? Go interview any Fortune 500 company. I'm willing to bet they partition off specific pieces of the network from their own users, not to mention the rest of the world.

joat: 13:00:00 18 Nov 2006


Fri, 17 Nov 2006

Zyxel AG-225H 17 Nov
Hmm... I've gotta be doing something wrong. The open source driver is working better than the vendor's driver.

joat: 21:30:00 17 Nov 2006


Thu, 16 Nov 2006

The truck 16 Nov
Reminder to self: Watch for the next issue of Make Magazine. (It is supposed to have Ethan's truck in it!)

Update: It's on the newstands! Ethan's project is on page 151. Ironically, the cover has a pinball machine on the front of it which is what he's toying with now. For those that don't know, Ethan is the one who stood up RockTheSkillCrane.com.

joat: 14:00:00 16 Nov 2006


Wed, 15 Nov 2006

Wi-Spy 15 Nov
I've finally shelled out the coin for my own Wi-Spy. If I beat the delivery home, my neighbors are likely to be treated to a geeky version of "Lady, where's my spy camera?"

joat: 13:30:00 15 Nov 2006


IPv6 Security Issues 15 Nov
Here is a paper from Samuel Sotillo which describes some of the security issues associated with IPv6.

joat: 13:00:00 15 Nov 2006


Tue, 14 Nov 2006

IJDE 14 Nov
The fall issue of the International Journal of Digital Evidence is out (probably has been for awhile as I've not been tracking it). Again, it contains good topics. Topics this time out: memory analysis, SIM card forensics and Google Desktop as a source of evidence.

joat: 13:00:00 14 Nov 2006


Mon, 13 Nov 2006

Gromozon 13 Nov
Here is the paper that appears to have started the battle between a security company and a spamming/malware group.

joat: 13:00:00 13 Nov 2006


Sun, 12 Nov 2006

Indian Head? 12 Nov
I'm Indian Head this week. On the map, it looks like an awfully small town. What is there to do in Indian Head, MD?

joat: 15:56:02 12 Nov 2006


Sat, 11 Nov 2006

MyDoom 11 Nov
Attention! Would the owner of the system at 12.213.13.12 (in Middletown, NY) please take a look at his/her system? You are infected with a zipped/UPX-packed MyDoom variant and you are annoying the rest of the planet.

Also, would Stephanie Micheneau please review the need for response e-mails for detected infections? MyDoom forges source addresses and I do not run networked systems susceptible to W32 viruses. So please stop yelling at me... (heh)

joat: 21:30:00 11 Nov 2006


More customer hell 11 Nov
This has to be the worst week I've ever had with other organizations' customer support. For those that are considering buying the Archos 404 (and possibly their other models), know this:
  • You're only buying basic capability. The ability to view those Hak5 or Digital Life vidcasts requires the purchase of additional plugins.
  • Archos has a really crappy interface for obtaining those downloads. The font on my product key didn't readily indicate the difference in similar characters so I typed in "O" when I should have typed in "0" (see?). The interface isn't written to self correct.
  • The interface has some serious logic issues. Using the activation code with a mistyped product key burns the activation code at the same time that it spits back an error code about the product key. In other words, you can't then fix the product key and legitimately use the activation key with the good product key.
  • The interface has no way to fix the above. Customer support's fix for this is to refund your purchase (something that takes a number of business days to occur).
  • The interface is a piece of shit because it's just a digital front end to a manual process. I re-ordered the plugin at 1:45 today and they still haven't forwarded the purchase to processing (the site does have a tracking capability). Now that it's after "business hours", I have to wait until Monday to get this fixed. Needless to say, I'm on the road again, starting Sunday.

Really, a $20 purchase shouldn't be this much of a headache. If it's not fixed first thing on Monday, I'm considering siccing my wife on 'em. (heh)

joat: 02:00:00 11 Nov 2006


Wed, 08 Nov 2006

Cox 08 Nov
Written last night...

One thing about monopolies. You can usually treat your customers as poorly as you can get away with, without the PUC stepping in. However, you can go too far. Case in point...

My wife ordered two DVR's from Cox Cable and even offered to pick them up at the local store. No, no, Cox insists on overnight shipping.

Three days later they're sitting on our porch when we get home from work. One of them is missing its power cord. After forty-five minutes of being on hold, we determine the other (obviously a refurb) can only display the schedule (no video).

One phone call later, we discover that they can't be shipped back, we have to take them in to the local store. This means that I either have to take a day off or burn a Saturday morning to visit the store.

Two days later, I'm standing outside the local store, waiting for it to open. Unfortunately, other people knew I was going to be there so they decided that they had to show their solidarity by also standing in line. Ahead of me.

Two hours later, I'm at the counter, explaining the problem with the box to the guy behind the counter. He explains that due to a mix up at the warehouse, he cannot replace my box at this time and asks if I would like to schedule a visit to my house. A few questions later, I discover that I would be charged for this visit.

Five minutes later, I leave the store (with a receipt for the box I just turned in) with a promise that we would be called when a new box is available.

After a few stops at the local gas station, burger joint and shopping center, I arrive home to realize that I hadn't called my wife (when I left the store) to tell her "How The Cable Company Was Going To Fix Her DVR".

Fifteen minutes later, she's extracted a refund for the money paid for the service-so-far, a credit for $20, and a promise that the next available DVR would be shipped to the house. (Have I said that I am in awe of my wife sometimes?)

Five minutes later, I realize that the phrase "ship overnight" was used. (Have I mentioned that sometimes I'm a little slow on the uptake?)

Of course, three days later we arrive home to find that the delivery guy had left the box on the front porch again (we've asked them not to do that).

Ninety seconds later, we place the box on the dining table and open it to discover that the device delivered was a cable converter, not a DVR.

A split second later, I'm able to actually see the large capital letters as they pass through my wife's lips: AUGH!! (I think I know where Charles M. Schulz got the idea.)

Ten seconds later, my wife has dialed the phone to customer support. After the obligatory waiting period, during which the not-really-soothing hold-music is interrupted a number of times by your-business-is-important-to-us-please-hold messages, my wife has determined that: there are no DVR's available at this time as the ones available are reserved for people already on the list for replacement, there's been another mix up at the warehouse, we still don't want to schedule a visit, there's actually no supervisor on duty in the call center at the moment, the operator is unable to understand why my wife is angry, and, ooh!, a supervisor just walked in.

Two minutes later, my wife has a promise that someone will drive out to the house (from the only store in town) to hand deliver the DVR. (Have I said that I sometimes fear my wife?) Whether or not the device actually shows up remains to be seen. I'm not concerned about it though. In situations like this, I never am. It's always handled by my awesome/fearsome/loving wife who used to supervise customer support for a large Japanese conglomerate.

I will admit that I find these snafu's funny much, much earlier than she does. (I think that it's funny now.)

My advice to Cox: 1) Fire the guy in the warehouse (or the programmer that wrote the excuse generator). 2) Tell the poor schmuck who's delivering the box to smile and back away... 3) ...slowly... 4) ... from my wife. The dog only bites. 5) For lessons learned, write down that there exists an Ol' Girl Network (that didn't come out right but you get the idea), somewhat of a NANOG for current and former supervisors of customer service centers, where members have met at conferences, made friends, and know all of the office phone numbers and some of the home phone numbers of many of the OGN members. I doubt The Kevin Bacon Game works here (there's not that much separation) and, for me, "reach out and touch someone" has taken on a different meaning.

Uh, I did indicate that my wife can be scary sometimes?

Hint for those that still don't get it: my wife makes our Halloween costumes with a collection of t-shirts, cans of black and red spray paint, and whatever vehicle happens to be parked in the driveway. (We go as "road kill".) (The trick is to spray the tire as the vehicle is rolling.)

Update: The box was delivered. I discovered: he has a wife too, there really was a mix up at the warehouse (grain of salt needed here but...), and you can catch cold after getting extremely soggy, standing in the front yard, in the dark, in the rain, talking about your wife.

joat: 13:00:00 8 Nov 2006


Tue, 07 Nov 2006

Hakin9 07 Nov
Discovered last Friday in Chesapeake: Barnes and Noble now sells Hakin9 from the magazine rack.

joat: 13:00:00 7 Nov 2006


Mon, 06 Nov 2006

Wicrawl and Backtrack 06 Nov
Squidly1, a friend, pointed this out a couple of weeks ago (I'm only now catching up). Wicrawl is an access point auditor that was released at Toorcon 2006. It has a "simple and flexible plugin architecture". The current list of plugins can be viewed here.

The video of the Toorcon 2006 presentation can be viewed here (hi-res), here (lo-res), or downloaded here (note: slow download).

There is a claim that the tool will be included in the next Backtrack CD which, BTW, has a beta of BT 2.0 out. There is also a training site for BT and a demo video for the new disk.

joat: 13:00:00 6 Nov 2006


Sun, 05 Nov 2006

No more forgers? 05 Nov
I attempted to find a good example of a forged email header, for a short demo that I'm writing, by wading through my quarantine folder. Guess what I've noticed: no one bothers to forge headers anymore. Why bother when you can buy zombies for a few pennies per box?

joat: 13:00:00 5 Nov 2006


Sat, 04 Nov 2006

WLAN location sensing 04 Nov
Here is an interesting paper on location sensing in wireless networks.

joat: 13:00:00 4 Nov 2006


Fri, 03 Nov 2006

WiMAX poster 03 Nov
Learning about WiMAX? Got a wide printer? Here's a poster you might be interested in.

joat: 13:00:00 3 Nov 2006


Thu, 02 Nov 2006

WildList 02 Nov
It really doesn't look like a computer security site but it is. The WildList is a site devoted to listing "in the wild" viruses and related information.

joat: 13:00:00 2 Nov 2006


Wed, 01 Nov 2006

Unsolved 01 Nov

joat: 13:00:00 1 Nov 2006


Tue, 31 Oct 2006

Advanced Radio Technologies 31 Oct
If you want to get a good idea of where the technologies are going, you need to read documents like Proceedings of the International Symposium on Advanced Radio Technologies (from March of this year). It contains a number of papers on various radio and spectrum issues.

Note: NTIA is to national government as FCC is to general public. The common point between the two is the State Department.

joat: 13:00:00 31 Oct 2006


Mon, 30 Oct 2006

Johnny Long on CNBC 30 Oct
Set up your Tivos. Johnny Long is going to be in a documentary on 1 Nov. (9-11 p.m.) on CNBC called "Big Brother, Big Business". The local Cox schedule shows a replay at midnight. Here's his announcement.

joat: 13:30:00 30 Oct 2006


Firmware-level attacks 30 Oct
Here is a paper from Mike Kershaw and Josh Wright (who I saw talk this past week) which discusses attacks on the interface firmware (drivers).

joat: 13:00:00 30 Oct 2006


Sun, 29 Oct 2006

Analysis of 802.1x 29 Oct
Hopefully things have improved since this analysis of 802.1x but I'm not holding my breath.

joat: 13:00:00 29 Oct 2006


Wiki update 29 Oct
For those interested, I've updated the software behind the wiki. For those affected, please bear with me while I make minor adjustments.

joat: 02:33:50 29 Oct 2006


Sat, 28 Oct 2006

Netflix 28 Oct
Earlier this month Netflix used a contest to test security on one of their datasets. From the University of Texas comes a paper entitled "How to Break Anonymity of the Netflix Prize Dataset" which describes the analysis performed on the dataset.

joat: 12:00:00 28 Oct 2006


Fri, 27 Oct 2006

Justification? 27 Oct
At the ISSA meeting last night, one member complained that a company he'd approached for security services (one of those where it is mandatory that they have security services) rationalized that they didn't need commercial services because they'd hired a kid hacker who protects "their stuff". Being my cynical self, I asked, "So did they hire an arsonist to keep the place from burning down?" It's crude but I've never claimed not to be a relative of Loud-Fat-Bloke...

Hey, it could happen! Nice slogan though: "Security isn't thin"

joat: 12:00:00 27 Oct 2006


Thu, 26 Oct 2006

NBTScan and MySQL 26 Oct
Brendan in Australia recently asked for my scripts that tie NBTScan to MySQL, which prompted me to start reworking the wiki entries lost during the crash and move that occurred earlier this year.

In any case, here are my notes about the tool and, to start, code to push the info into a MySQL database. Like most of the rest of the wiki, it's unfinished work but it should give at least a couple of you a good place to start from.

I'll add more as I redevelop it or re-discover old copies. I guess there can be such a thing as too many backups...

joat: 12:00:00 26 Oct 2006


Tue, 24 Oct 2006

Slowing down 24 Oct
After over 3 years of writing a blog entry for each and every day, I've decided to slow things down a bit (at least for a while). Finding links and/or writing about enough security or computer-related items to have an entry per day for 1000+ days straight is work. So much so that I no longer enjoy it that much. It also conflicted with the rest of my life and things I was working on for friends.

In any case, I'm going to try a slightly different approach.

The short version: I will when I feel like it.

The slightly longer version: I will blog when I have something to write about. The format will not likely change, I'll still point out interesting things and, on occasion, vent about some boneheaded stunt.

I just want it to feel less like work.

If someone else wants to join in by adding in their own entries here, give me a yell. We can work something out. (I do have a few guidelines though.)

joat: 12:00:00 24 Oct 2006


Thu, 19 Oct 2006

Consolidation 19 Oct
[*sigh*] Maybe it's my engineering background. Maybe it's having worked 20 years in engineering and 10 in security. Maybe it's hanging out with Rob & company. Most likely it's a combination of all of the above. In any case, for any type of system, general engineering rules apply. The topic of discussion this evening is "consolidation" as it applies to network management. A few newer people tend to believe that the one-ring-to-rule-them-all approach is the final solution. I disagree.

Consolidation of resources can be a good thing. It allows for easier management and cheaper operations.

However, past a certain point, it can also be a bad (or very bad) thing. Consolidation of resources without taking into account operations like security or unique organizational requirements (e.g., specific data sets) is poor practice. While collections of smaller (and diverse) systems are more expensive to manage, the overall operation is more flexible and much more tolerant of failure.

Think of it this way --> over the length of your lifetime, which do you think you'd be more tolerant of: 100 paper cuts or 1 accident with a guillotine?

joat: 20:30:00 19 Oct 2006


Wed, 18 Oct 2006

Access (property) rights 18 Oct
Wow. I'm amazed that this article, about port scanning being a violation of property rights, actually made it into the magazine, hakin9. It's about applying auld law against virtual access to new technologies. (This always leads to trouble.)

There are a serious number of flaws in the logic and I get the impression that he's paraphrasing to justify his logic.

joat: 12:00:00 18 Oct 2006


Tue, 17 Oct 2006

Too far 17 Oct
ZDNet's hardware blog has an article on how the new copy protection prevents DVDs from being played in PC's. I think the movie industry should take a very close look at what they're doing. Some of those DVDs do not play in my 6-month old DVD player either.

File this one under "shooting one's self in the foot"...

joat: 12:00:00 17 Oct 2006


Mon, 16 Oct 2006

Birthday rebuild 16 Oct
Sorry for the bit of offline inactivity again. I celebrated my birthday by getting a new toy and pulling all of the cables from behind the desks in the office. It's taken this long to rewire the computers, relocate the AP's and the printer and to install an OS compatible with the new toy (the Linux version of SageTV). I haven't had a chance to play with it but will let you know.

joat: 12:00:00 16 Oct 2006


Thu, 12 Oct 2006

find and xargs 12 Oct
The power behind command line *nix is that most of the tools do one job well and they can be chained together. Dan Miessler has a quick tutorial on find and xargs that will prove useful in a number of situations. This is one of those really valuable techniques that you have to know if you deal with a lot of text files (think: email, blogs, logs, etc.).

joat: 23:12:23 12 Oct 2006


Sat, 07 Oct 2006

VoIP Hacks 07 Oct
O'Reilly has a new book out: VoIP Hacks. Check out the sample chapters here.

joat: 20:30:00 7 Oct 2006


Thu, 05 Oct 2006

Wikipedia Crypto 05 Oct
Wikipedia has a crypto portal. For some reason I hadn't noticed this before...

joat: 12:00:00 5 Oct 2006


Wed, 04 Oct 2006

Kernel rebuilds 04 Oct
Note to self: When building a kernel from scratch (this may or may not be unique to dual-core 64-bit systems), the initial reboot crashes but a complete shutdown and restart works fine.

Something to investigate at a later date...

joat: 12:00:00 4 Oct 2006


Tue, 03 Oct 2006

Uninformed 03 Oct
For those that missed it, Volume 5 of Uninformed is out.

joat: 12:00:00 3 Oct 2006


Gambling 03 Oct
Concerning the bill to make it illegal for banks and credit card companies (ccc's) to make payments to online gambling sites: I don't believe that this will fix the problem. It will shift to banks/ccc's making payments to overseas banks making payments to gambling sites. It makes the money trail longer and that much harder to trace. I think more is lost than gained in the passage of this bill.

joat: 11:30:00 3 Oct 2006


Mon, 02 Oct 2006

Hot or not? 02 Oct
One rule of thumb: Terrorist attacks succeed because the attack occurs where we don't expect it, either at a weak spot in a defense or some place where we don't believe that it would ever happen.

So now I'm torn. Is ZDNet's article on suicide hackers completely silly because the attack is so far-fetched (the attacker doesn't get martyrdom because he doesn't die) or is it likely to occur and succeed for the same reasoning?

joat: 12:00:00 2 Oct 2006


Sun, 01 Oct 2006

Usenix 15 01 Oct
Several of the presentations from Usenix 15 are available online. (MP3's, notes and slides)

joat: 12:00:00 1 Oct 2006


Sat, 30 Sep 2006

File carving challenge 30 Sep
For anyone needing practice at recovering deleted files, you might want to try various file carving challenges.

joat: 12:00:00 30 Sep 2006


Fri, 29 Sep 2006

Cryptodox 29 Sep
The CryptoDox site was driven offline by Slashdot so I've added this via a delayed post. CryptoDox has been up for almost a year and has a stated goal of becoming "a free encyclopedia on cryptography and information security." It might be worth keeping an eye on.

joat: 12:00:00 29 Sep 2006


Thu, 28 Sep 2006

Delay 28 Sep
Apologies to anyone who's posted comments this past week. I'm in DC this week and can only get online by running Wi-Fi at just under FCC limits. (This message brought to you by Hawking Technology (their amplifier) and a directional antenna of unknown manufacture.)

The d*mn connection still drops out periodically but at least I can upload posts and timestamp them quickly.

joat: 21:47:38 28 Sep 2006


The Forensics Wiki 28 Sep
The Forensics Wiki appears to have picked up quite a bit of content since I last visited it. (Can you guess what class Rob is teaching this semester?)

joat: 20:30:00 28 Sep 2006


Wed, 27 Sep 2006

DFRWS 27 Sep
The Digital Forensic Research Workshop has posted various slide sets and notes from last month's workshop.

joat: 20:30:00 27 Sep 2006


Tue, 26 Sep 2006

Online book 26 Sep
The remainder of the chapters for Cracking DES have been added to the online site so now the entire book is available.

joat: 12:00:00 26 Sep 2006


Mon, 25 Sep 2006

Vista 25 Sep
I've managed to download and install the 64-bit version of Vista 5728 in a VM. The interface looks interesting. I had issues getting it installed but the issues were VMWare related (e.g., network address hijacking) and had nothing to do with Windows.

joat: 12:00:00 25 Sep 2006


Sun, 24 Sep 2006

Google 24 Sep
Yikes! I fell into this one while cleaning out the spam filters in the comment section. Seems that someone was spamming google1.com. It turns out that that's a legitimate domain, owned by Google. Having it show up in comment spam probably means that it's a test message. The interesting part is if you type "whois google" (with or without the trailing ".com"). You get the following return:
  • GOOGLE.XDNICE.NET
  • GOOGLE.WAIKOOL.COM
  • GOOGLE.TRENDYMP3.NET
  • GOOGLE.TCONV.NET
  • GOOGLE.SKGPUBLISHING.COM
  • GOOGLE.SITNIK.NET
  • GOOGLE.RU286.COM
  • GOOGLE.RU
  • GOOGLE.PAASEI.NET
  • GOOGLE.MOLDOR.COM
  • GOOGLE.MELBOURNEIT.COM.AU
  • GOOGLE.MARS.ORDERBOX-DNS.COM
  • GOOGLE.MADE-IN-NB.COM
  • GOOGLE.IFREEBSD.COM
  • GOOGLE.IE
  • GOOGLE.FUTUREWORKSONLINE.COM
  • GOOGLE.FR
  • GOOGLE.FI
  • GOOGLE.ES
  • GOOGLE.EARTH.ORDERBOX-DNS.COM
  • GOOGLE.DE
  • GOOGLE.CYGRATIS.BE
  • GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
  • GOOGLE.COM.VN
  • GOOGLE.COM.UA
  • GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
  • GOOGLE.COM.PLZ.GIVE.A.PR8.TO.AUDIOTRACKER.NET
  • GOOGLE.COM.MX
  • GOOGLE.COM.IS.POWERED.BY.MIKLEFEDOROV.COM
  • GOOGLE.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
  • GOOGLE.COM.IS.APPROVED.BY.NUMEA.COM
  • GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE.THAN.SECZY.COM
  • GOOGLE.COM.BR
  • GOOGLE.COM.AU
  • GOOGLE.COLORSEE.COM
  • GOOGLE.CO.UK
  • GOOGLE.CO.JP
  • GOOGLE.CNIELIVE.COM
  • GOOGLE.CL
  • GOOGLE.CHENNAIEXPRESS.COM
  • GOOGLE.CH
  • GOOGLE.CANT.SET.THEIR.SERVERS.TO.GENERATE.THE.TRAFFIC.LIKE.CRAWLINGCLOUT.COM
  • GOOGLE.CA
  • GOOGLE.ADRIANP.NET
  • GOOGLE.8LEGS.NET
  • GOOGLE.51-HELP.COM
  • GOOGLE.NET
  • GOOGLE.COM

While some of those are legitimate, many are not. I wonder how much trouble Google has defending their trademark.

joat: 20:30:00 24 Sep 2006


Sat, 23 Sep 2006

LURHQ no more 23 Sep
Wow. The name LURHQ won't be used any more. They've merged with SecureWorks and the new company name will be SecureWorks.

In any case, I wish them the best of luck. I first met the LURHQ guys, almost a decade ago, when they were doing remote firewall management for an organization near where I worked. I hope they continue to post their malware analyses.

Read about the merger here.

joat: 12:00:00 23 Sep 2006


Fri, 22 Sep 2006

lsof 22 Sep
If you're doing a live response or just trying to track down an odd binary on your system, lsof is often an invaluable tool.

joat: 12:00:00 22 Sep 2006


Thu, 21 Sep 2006

Heads up! 21 Sep
Would the owner of 210.245.97.8 please check your Liferea client. It's gone berserk again.... (heh)

joat: 22:04:05 21 Sep 2006


SSH Attack Analysis 21 Sep
SecurityFocus has an analysis of recent brute force attacks on their SSH honeypot.

joat: 12:00:00 21 Sep 2006


Wed, 20 Sep 2006

Spam 20 Sep
The recent e360 rumble reminded me that I hadn't visited a few sites in awhile. It's always interesting to watch both ends of the ordeal (if you don't mind waiting) (these things take time). In any case, here's one on the front end: Spamhaus, and here's one on the backend: the FTC's Commission Actions for 2006 (look for links with the "FTC v. so-and-so" format). (Their archives are here.)

joat: 12:00:00 20 Sep 2006


Tue, 19 Sep 2006

Arrr! 19 Sep
Oh no! Has another year gone by already? Some of my coworkers really enjoy TLAPDay, others have to have it explained to them. Anyone know if Ricky wore the outfit again?

joat: 12:00:00 19 Sep 2006


Mon, 18 Sep 2006

Back 18 Sep
I'm back online at the house. I spent most of Saturday reinstalling OSs and cleaning out the rat's nest (my wife's idea) of cabling behind my desk. Believe it or not, I've recovered two Ethernet cables, six coax cables, a 100 foot phone cord, a 30 foot extension cord, a power strip, and a wall-wart power supply for some unknown device.

Admittedly, after reconnecting everything it still looks like a rat's nest. I had to show my wife what I'd recovered to prove I'd actually accomplished the job. (heh)

I spent Sunday re-installing much-needed apps while dodging snipes from my daughter in-law that she needed to be online, "Right now!!" (In other words, her apps rec'd priority.)

Side note: for those considering the purchase of a dual-core 64-bit system, now that the prices have come way down, there are a few things to consider (I've learned the hard way):

  • there's not a lot of 64-bit OSs out yet
  • some of your hardware (e.g., Digium TDM400P (rev. J)) won't like your 64 bit OS
  • some of your software won't take advantage of the new hardware or the 64 bit OS

The above has led me to triple boot my system (XP, 64-bit Linux, regular Linux) and consider offloading specific functions to a separate system (e.g., running the house mail and web services on dedicated NSLU2's). It's also led me to seriously consider moving some of my day-to-day functions to a dedicated service online (yeah, pay for private email/web services). Given that there are now four adults in my household, three of which use computers heavily (my son shows no interest), is it worthwhile to buy a domain and move our day-to-day needs to a private domain on a hosting service? After looking at various offerings, it'd cost us a couple hundred a year and would allow us access to the services from wherever we happen to be.

Has anyone else done this? Is it worthwhile? Do you think that there's a niche market for this?

joat: 12:00:00 18 Sep 2006


Sun, 17 Sep 2006

Merry Halloween! 17 Sep
Never let it be said that Walmart is slow to make a buck. As of today (maybe earlier), Walmart has their Christmas decorations on sale. They're stocking about 2/3 Halloween and 1/3 Christmas. Used to be you didn't see Christmas decorations until sometime after my birthday (next month).

joat: 21:30:00 17 Sep 2006


The rest of GoogleMaps 17 Sep
Just noticed that GoogleMaps now goes elsewhere. (Hint: zoom out)

Question: what is out in the middle of what appears to be a man-made body of water, hidden in some trees, at the end of a finger of land, the entrance of which is blocked by a large, fenced-in building which appears to have had the city limits "adapted" so that the entire design is part of Moscow-proper? I don't speak/read Russian and I'm assuming that's what is indicated by:

Update: That site appears to be at the end of a railroad spur, complete with station (to the southwest of the building), looks like it has its own horse-barn (to the northeast of the building), and is at the end of a canal (from the building off to the north-northwest) that goes nowhere (follow it!). Note: Ignore the "Ekeren, Belgium" part. That's an artifact from the original search.

joat: 14:00:00 17 Sep 2006


Botnet Economy 17 Sep
Hopefully we'll see more from Thorsten Holtz, over at the honeyblog, on "The Economics of Botnets" (part 1)(part 2).

joat: 12:00:00 17 Sep 2006


Sat, 16 Sep 2006

Metrics 16 Sep

An incomplete set of thoughts triggered by Gunnar's blog...

Gunnar Peterson blogged about Dan Geer's synopsis of MetriCon. On some points, I disagree with Gunnar and Dan both.

We do have quite a few security metrics. It's just that they're often disguised as other things: router traffic levels, service load graphs, inventories, trouble ticket systems, personnel management systems, etc.

To pick up on Gunnar's point, "metric" is also a particularly harmful word in that not everyone understands what a metric is. Yes, it is something that is measured over time. (This is where most people's definition stops.) It also includes the processes for interpreting the gathered data. This can be in the form of: overlaying a daily average or an acceptable range, setting trigger points based on sustained levels, setting priorities based on levels of non-compliance, etc.

In other words, it's not just the collection of data. It's also how you use that data (e.g., what decisions you base on the data or what your calculations control). You also have to decide how you're going to federate that data (single-purpose metrics are rare).

People get into serious trouble making assumptions about security metrics (i.e., "we need them!") without defining "what the job is".

To better design your metrics:

  • First, determine what decisions need to be made. If they're management level decisions, they should be very broad and generic. If they're technical level decisions, they should be very specific and rigid.
  • Next, decide what set of questions relates to each of those decisions. Each question should be simple. Examples include "how many" or "how often".
  • Then determine what temporal data sets are available to answer those questions. (Keep in mind that whatever the data is, it needs to be tracked over time.) This step is often the most difficult as the available data is often outside of the local knowledge base (e.g., in someone else's department or organization) even though it is often readily available.
  • Lastly (and most importantly), train people (or hire 'em) to use those metrics. The majority of metrics already available rot on the vine, ignored by the people who most need them. Your high-level metrics will affect the most people, will likely require the most training, and tend to support long-term decisions. Your low-level metrics will be the most technical, will be used by the fewest people, will be the least visible, and will tend to support repetitive high-speed (daily, hourly, etc.) decisions.

joat: 12:00:00 16 Sep 2006


Fri, 15 Sep 2006

Online Book 15 Sep
Wi-Fi Toys has started posting chapters from their book online.

joat: 12:00:00 15 Sep 2006


Thu, 14 Sep 2006

Sorry 14 Sep
Apologies for being offline for the better part of a week. I managed to damage the file system on my new desktop system and haven't had the time to rebuild it. Between work and real life, I've had to squeeze in a few hours of sleep and haven't been able to even turn the darn thing on, let alone re-install anything.

Oh! And thanks to the MS OEM system install config, I have to install Windows, resize it, add partitions, and then install the other two OS's. So it's going to take most of a morning. Right now, I'm posting from the local college.

In any case, I'll play catch-up shortly.

joat: 20:30:00 14 Sep 2006


Wed, 13 Sep 2006

BIND 13 Sep
Even with all of the derision and down-your-nose condescension, I still like BIND. It's what I "grew up" with and it's still part of the guts of the Internet (like it or not!). It's one of those nice-to-know things, even if you use something else. So, here is a quick Debuntu howto for setting up a zone in BIND.

joat: 12:00:00 13 Sep 2006


Mon, 11 Sep 2006

EFS attacks 11 Sep
McAfee's Avert Labs has a piece on "preventing EFS-based attacks" which describes a few steps to prevent your data from being held hostage. Basically, it describes the steps for disabling the encrypted file system capability in your Windows box.

Side note: McAfee appears to be twisting trackbacks and making them look like comments.

joat: 20:30:00 11 Sep 2006


Sun, 10 Sep 2006

DNS overload? 10 Sep
I agree with Dan Kaminsky (and therefore disagree with Paul Mockapetris): Vista will not overload the Internet's DNS architecture.

What it may do is overload your internal DNS architecture, if your internal architecture is already running near capacity. It all falls back to architecture planning.

For those that need to "learn by doing": put four emergency spares (tires) on your car and then get out on the interstate and try to drive 500 miles while maintaining the speed limit. (Hint: I-95 works best. The speed limit is 70 in places and you'll quickly earn the enmity of those drivers behind you.)

joat: 20:30:00 10 Sep 2006


Sat, 09 Sep 2006

Harlan Carvey 09 Sep
Finally got the chance to use a newer version of the Helix disk and noticed that Harlan's First Responder Utility is an option under "Incident Response". It's probably late as heck but: Congrats Harlan!

joat: 20:30:00 9 Sep 2006


Fri, 08 Sep 2006

OpenPGP Card 08 Sep
If anyone has worked with the OpenPGP Card, please let me know.

joat: 20:30:00 8 Sep 2006


Thu, 07 Sep 2006

S4W 07 Sep
I know this violates a standard (don't point to other people's posts without adding content) but I'm a bit short on time and still think it's valuable: Dana Epp has pointed out that Sleuth Kit is now available for Windows.

joat: 12:00:00 7 Sep 2006


Wed, 06 Sep 2006

hping2 06 Sep
Here is a tutorial on hping2 basics. For those that don't know, hping allows you to craft and send packets to perform various functions (yeah, for good or evil) that require standard and non-standard packets.

joat: 20:30:00 6 Sep 2006


Tue, 05 Sep 2006

PAI 05 Sep
For those just getting into packet analysis (or those needing practice), PAI might be a good place to start. (Hint: Look in the downloads section.)

joat: 20:30:00 5 Sep 2006


Mon, 04 Sep 2006

Jody's been hacked 04 Sep
Hmmm... Someone has way too much time on his hands. What's the point of defacing blogs like Jody's TryingReallyHard blog? There's no value, it's just mean.

joat: 18:00:00 4 Sep 2006


Sun, 03 Sep 2006

It's the little things 03 Sep
I snagged a Formosa RC107 (pic below) out of the clearance bin this weekend. While I was looking for one with a laser pointer (for presentations), the mark-down on the thing was enough to cause me to grab it. I think that a combination of missing CD, open package and physical size caused whoever was doing the mark-down to label it for $10. (It normally goes for $40 or so.)

In any case, the bad news is that it's not supported under lirc. The good news is that Ben Chadwick has a "Linux replacement" (his words) for the remote control app. Even though his pictures are different than what I'm holding (mine uses a PCMCIA card form factor), I have hopes that his program can be adapted quickly if it doesn't work outright.

Wish me luck.

Update: Just for info, this is sold/rebadged under the following names (AFAIK): CompUSA, eDio, Formosa, and Trust.

Update II: Whoever the actual manufacturer of this thing is, they should give their case designer a pay raise. It has the P/N for the battery embedded in the molded plastic battery cover (not something I see much, esp. on Chinese-made electronics).

joat: 20:30:00 3 Sep 2006


Sat, 02 Sep 2006

Dumb 02 Sep
Wow. I can't believe I actually didn't know what was causing the "Symbol version dump Module.syms is missing error". (Hint: this is what happens when you try to compile a module against a kernel that hasn't been compiled.)

joat: 20:30:00 2 Sep 2006


Fri, 01 Sep 2006

Firewalls 01 Sep
Fred Avolio's post about "experts" dredged up old memories and pain. It also triggered the need to vent, so here goes...

Building on what Fred listed:

  • We rarely agree (especially in groups larger than two).
  • We love to argue (though most cannot argue without using a whiteboard or scribbling on numerous pieces of paper).
  • Many of us are cynics.
  • Most of us have a nickname (though many don't know it). Most are along the lines of "Princess of Darkness" (POD, for short), "Network Nazi", or plain old "asshole" (you're the guy that blocks their IM, remember?).
  • Most of what we do, others find tedious or consider "anal retentive".

Regardless of what Gartner and the like say, the various rules for firewalls and firewall policy still haven't changed.

Rules for choosing a path through your firewall (displaying Fred's bullets that we state the obvious and rehash the same old stuff) (and at the risk of starting yet another religious war with various factions):

  1. Block the port (don't allow it).
  2. If you can't block it, use an application proxy.
  3. If you can't use an application proxy, use stateful packet inspection (SPI).
  4. If you can't use SPI, use a packet filter (or router ACL).

Rules of thumb for firewalls (in no particular order):

  • Filter/block as high as possible in the OSI model (protocol, then state, then port, then IP). Two or more of those at the same time is better.
  • Periodically have someone else review your firewall configuration. (e.g., Dump it to paper, give it to one of the techs for weekend "homework".) Then review it yourself. Any unanswered questions at the end of this process are an indication of a problem.
  • Don't "filter and forget". Make sure management realizes that adding exceptions to the firewall also adds monitoring requirements. At a minimum, periodic spot checks via net flow and packet capture.
  • Keep a record of any changes to the firewall, who needed them, and who authorized them. (Signatures, dates and justifications are valuable!) In other words, don't make changes without authorization and always document them.
  • Read your damn logs! Do so on a daily basis! Firewalls (and routers) (and servers) (and IPS/IDS systems) are not plug and play. Waiting to read your logs until there's an overt problem is plain lazy. Big problems start small and build over time.
  • Learn effective log file reduction.
  • If you're bored, you're working in the wrong field.
  • If you're worried about how other people think of you, you're working in the wrong field.
  • If you can't function without a budget, you're working in the wrong field.

If you have time on your hands:

  • Drag out tcpdump or netflow and take a look at what's crossing your internal network. (Be sure you have permission!) Again, this is another "big problems start small" preventive action.
  • Pick a tool and learn the switches. In other words, know your tools. You'd be surprised (or, at least, others will) what you can "glue together" with available tools and a bit of scripting.
  • Try and clean your desk. Yeah, you'll never finish the job but some of that stuff has to be thrown out. (Nobody uses ISA NICs any more so why are you keeping them?)
  • Write a tool that gathers metrics. Pick a service or node and graph the load on/through that service or node. Learn what "normal" looks like.
  • Script the above so that you can display it on a web page in real-time (or near real-time). I've found monitoring the following metrics to be valuable: mail traffic levels, number of viruses captured, traffic levels through specific router interfaces, and web traffic levels.
  • Wander through your organization and talk to people. You'd be amazed about the number of problems you can head off via simple conversation. You'd also be amazed at how much PR is generated for "security" if people get to see your face on a daily basis (in semi-social settings) (presentations and company meetings do not count).

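Two of the items above (learning log file reduction, and writing a tool that gathers a metric so you learn what "normal" looks like) together with the "trigger points based on sustained levels" idea from the Metrics post of 16 Sep, as an added Python example that is not code from the blog. The iptables-style LOG line format, the constructed sample lines (RFC 5737 documentation addresses), the use of the median as the baseline and the 3x / two-consecutive-hours trigger are all assumptions made for the example:

```python
"""Firewall log reduction plus a simple 'sustained level' trigger.

Added example (not the blog's code). The log lines are constructed to
mimic the netfilter/iptables LOG target format; thresholds are assumed.
"""
import re
from collections import Counter
from statistics import median

# Fields we keep from each line (assumed iptables LOG layout via syslog).
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+kernel:.*?"
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Constructed data: blocked TCP/22 hits per hour on Sep 1. Hour 03 is an
# isolated spike; hours 05 and 06 are a sustained rise (the case we want flagged).
SAMPLE_HITS = {"00": 2, "01": 2, "02": 2, "03": 9, "04": 2, "05": 8, "06": 8}


def make_sample_lines():
    """Build constructed syslog lines, plus one port-80 hit and one non-firewall line."""
    lines = []
    for hour, n in SAMPLE_HITS.items():
        for i in range(n):
            lines.append(
                f"Sep  1 {hour}:{i:02d}:17 fw kernel: [4242.1] IN=eth0 OUT= "
                f"SRC=198.51.100.{10 + i} DST=192.0.2.5 PROTO=TCP SPT={40000 + i} DPT=22"
            )
    lines.append("Sep  1 02:30:00 fw kernel: [4243.0] IN=eth0 OUT= "
                 "SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=51000 DPT=80")
    lines.append("Sep  1 02:31:00 fw sshd[123]: Accepted publickey for admin")  # noise
    return lines


def parse_line(line):
    """Reduce one line to the fields we care about, or None if it is not a LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "slot": f"{d['mon']} {int(d['day']):02d} {d['hour']}h",  # one-hour bucket
        "src": d["src"], "dst": d["dst"], "proto": d["proto"], "dpt": int(d["dpt"]),
    }


def reduce_log(lines):
    """Log reduction: raw lines -> hit counts per (hour slot, destination port)."""
    counts = Counter()
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # lines that are not firewall LOG records
            continue
        counts[(rec["slot"], rec["dpt"])] += 1
    return counts, skipped


def series_for_port(counts, dpt):
    """Ordered (slot, hits) time series for one port (slots sort lexically within a month)."""
    return sorted((slot, n) for (slot, p), n in counts.items() if p == dpt)


def baseline_level(series):
    """'Normal' level: the median is robust to a few spikes in the history."""
    return median(n for _, n in series)


def flag_sustained(series, baseline, factor=3.0, run=2):
    """Trigger only when hits exceed factor*baseline for `run` consecutive slots.

    An isolated spike never reaches `run`, so it is not reported; a level that
    stays high is. This is the 'sustained levels' trigger, not a per-sample alarm.
    """
    threshold = factor * baseline
    flagged, streak = [], []
    for slot, n in series:
        if n > threshold:
            streak.append(slot)
            if len(streak) >= run:
                flagged.extend(s for s in streak if s not in flagged)
        else:
            streak = []
    return flagged


if __name__ == "__main__":
    counts, skipped = reduce_log(make_sample_lines())
    ssh = series_for_port(counts, 22)
    base = baseline_level(ssh)
    print(f"skipped {skipped} non-LOG line(s); baseline for TCP/22 = {base} hits/hour")
    for slot, n in ssh:
        print(f"  {slot}: {n}")
    print("sustained:", flag_sustained(ssh, base))
```

Feed it real lines from `/var/log/messages` (or `kern.log`) instead of `make_sample_lines()` and graph the series per port; the same reduce-then-baseline-then-trigger shape works for the mail and web traffic levels mentioned above.
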
Periodically scan your network (again, be sure you have permission) and try to answer one or more of the following:

  • Do you know how many workstations are on your network?
  • Do you know how many servers are on your network?
  • Do you know the MAC address of every node in your network, especially the workstations? (It is possible to grab MAC addresses remotely with MS Windows systems.)
  • Do you know what ports should be open on each of your servers?
  • What about your workstations?
  • Are there any open shares in your network?
  • Are there any unauthorized services running in your network?
  • Are there any unauthorized systems connected to your network?

joat: 20:30:00 1 Sep 2006


Thu, 31 Aug 2006

Ouch! 31 Aug
My apologies to non-Firefox readers. I just got a glimpse of the blog from a school system (not running Firefox). I will move the Bloglines blogroll to a separate page shortly.

joat: 20:30:00 31 Aug 2006


Wed, 30 Aug 2006

I will not 30 Aug
Things I will not blog about: full disclosure, the accuracy of the Apple hack, Paris Hilton's crimes, or the SCO trial. There are way too many people already blogging about it and I have nothing new to add.

joat: 20:30:00 30 Aug 2006


Tue, 29 Aug 2006

An old, old joke 29 Aug
I really find it hard to believe that this joke actually got the mileage that it did. I think Irongeek has discovered a large need for basic network classes.

I'm also surprised that a fight didn't ensue...

"He's running Ubuntu!"

"No he's not! He's got Windows XP!"

"You're both idiots! He's got a Mac!"

It's funny, even if it turns out to be fake, though I like this version better.

joat: 12:00:00 29 Aug 2006


Mon, 28 Aug 2006

wget 28 Aug
I use wget to download various podcasts (yeah, yeah, real men don't use pod-catchers). Lifehacker has a mini-howto for using wget to do various things.

joat: 12:00:00 28 Aug 2006


Cox 28 Aug
I love my ISP! (Uh, that's sarcasm, BTW.)

First Cox blocks my e-mail forwarding from the 757 account because someone complained that joat@757.org was in the "From" address. It took weeks of arguing with the helpdesk and the abuse desk to get it unblocked.

Then they reblock it by turning on their spam filters, which I had expressly asked that they not do. This caused me to have to set up encrypted mail on two sites and I have no option on a third.

This is on top of the near-constant ARP storms and the periodic loss of carrier on the cable modem. How much do I pay for this?

joat: 11:55:00 28 Aug 2006


Sun, 27 Aug 2006

WORM 27 Aug

joat: 12:00:00 27 Aug 2006


Sat, 26 Aug 2006

Nikto 26 Aug
Here is a very short howto for installing and running Nikto against your web server to check for known vulnerabilities.

joat: 12:00:00 26 Aug 2006


Fri, 25 Aug 2006

Anti-phishing 25 Aug
Internet Defense is a site set up to combat phishing in near-real-time.

joat: 20:30:00 25 Aug 2006


Thu, 24 Aug 2006

PenTest Checklist 24 Aug
Infosec Writers has a link to a checklist that you can use for penetration testing. Although it does need a bit of work (network footprinting is a bit on the weak side and should be called initial research), it is a good start.

joat: 20:30:00 24 Aug 2006


Wed, 23 Aug 2006

Tony Ruscoe 23 Aug
Tony Ruscoe has blogged about how he discovers Google services before they're announced. The techniques he uses are not new, esp. to pentesting. But they are good to know if your work has anything to do with search engines and the like.

joat: 12:00:00 23 Aug 2006


Tue, 22 Aug 2006

Logbook 22 Aug
The Aug 14 entry for the SANS Handler's Diary talks about using a log book to keep track of issues, maintenance, and incidents. I'd like to add "it's that simple" and "it's not that simple".

It's that simple in that, for any business network, you need to do just that: keep a record. It's not that simple in that, for most business networks, it's not mandatory to keep a record. Personally, I don't recommend using a log book as it doesn't allow for the inclusion of external documents.

If your company lives by paper record, you should be keeping a set of folders, one for each system. Entries should be made via a set of forms (incident, maintenance, configuration change, etc.) that can be dated and signed by personnel concerned with the specific evolution. For some of the entries, management should sign.

If you take the electronic path, I recommend a wiki or even just a set of folders in a directory on a stand-alone system (not networked!). The same idea for blank forms applies: keep a set of templates handy that you can cut-and-paste from.

In either case, you want to limit access to the logs. If they're paper-based, keep them under lock and key. If they're electronic, restrict access and don't network the system. File or file system encryption might be useful (if somewhat time consuming). Side note: backups are your friend.

The entire point of the exercise is to produce a legally usable record. It's a benefit for the company in that it can be used to display due care (compliance). It's a benefit for you in that it becomes a reference for keeping track of who did what to what, and when. It is valuable to anyone that follows you after you've moved on, so that they don't have to repeat your mistakes (yes, you should include them too) and it'll minimize having to figure out if you did or didn't perform a specific action on a machine.

I used the phrases "mandatory" and "due care" above to denote that there are now a number of laws (GLB, SarBox, FISMA, HIPAA, etc.) in existence that require due diligence (having policy/practices/protections in place) and due care (recording the exercise of due diligence). Most of those laws (if not all) don't care how you perform these functions, just that you have them. If you (as an organization) use a well-recognized set of practices (e.g., ISO 17799), so much the better. You'll spend less time having to defend them, should you end up in court.

joat: 20:30:00 22 Aug 2006


Mon, 21 Aug 2006

p0f - IronGeek 21 Aug
Here is IronGeek's tutorial on OS fingerprinting using p0f and ettercap. (Uses Macromedia Flash.)

joat: 12:30:00 21 Aug 2006


More security blogs 21 Aug
Thanks to Michael Farnum for posting his OPML. Along with that and a few Google searches, I've added a ton of security-related blogs to my Bloglines subscriptions. View the list here or grab the OPML here.

I'm also experimenting with the Bloglines Blogroll for those same feeds. I've tacked it up over on the left and have re-enabled the Blogrolling.com blogroll for comparison.

Update: Wow, for the half-hour or so, that was horrible. Adding 348 lines to an already crowded panel caused the new blogroll to stick off of the bottom of the page for a long distance. For now, I'll leave the Blogrolling.com list on the left and the Bloglines list on the right, though it still sticks off the bottom of the page.

I promise that it'll get better as I resort the Bloglines subscriptions into folders and limit what folders can be seen.

Update: in taking a look at the Bloglines JavaScript, it should be very easy to run the external call through some PHP, strip the JavaScript, format the data and come up with a nicer menuing system. Something for the to do list, I guess.

Then again, maybe I'll just move the thing to its own page. That is a lot of links messing up the page. What do you think?

joat: 12:00:00 21 Aug 2006


Sun, 20 Aug 2006

Mocbot 20 Aug
LURHQ has posted their analysis of Mocbot spam to accompany their initial analysis of the bot.

joat: 12:00:00 20 Aug 2006


Sat, 19 Aug 2006

Blacklight 19 Aug
For those interested, F-Secure has announced a command-line version of BlackLight.

joat: 12:00:00 19 Aug 2006


Unofficial 19 Aug
To paraphrase Popeye:

IAM what I am,
IEM what I am,
and that's both what I am.

Official confirmation in a few weeks. List me as "on pins and needles" until then.

joat: 11:55:00 19 Aug 2006


Home 19 Aug
I'm finally back home and caught up. If you left a comment and I deleted it, please submit it again. Unless you're spamming me that is.

One thing that I've discovered: the DC area has a serious lack of book stores. I've got to drive into Alexandria from Herndon to find one? Geesh!

joat: 00:34:12 19 Aug 2006


Thu, 17 Aug 2006

Details, Details... 17 Aug
Rob pointed out this Wired piece about a recent cyber-security exercise hosted by DHS. The funny part is that at least one speedreader missed the bits about it being an exercise scenario and decided it was politically funded propaganda. I wonder how long it will take before we have to invoke Godwin's Law? The usual precursors are already there in the comments.

(heh)

BTW, what is the record for the shortest thread preceding Godwin's Law? This one is going to be close.

joat: 12:00:00 17 Aug 2006


Wed, 16 Aug 2006

Perfection 16 Aug
An article in Monday's USA Today about the new luggage restrictions still has me chuckling. I'll quote the article and you tell me where you've heard the logic before. If you've worked in IT or IA for any period of time, you've heard it.

Quote:

"It's not a 'right' to fly and carry whatever you like," notes David Gregory, a Dallas-based travel coordinator and former airline employee, in one of nearly 200 posts in response to a recent item on USA Today.com's Today in the Sky blog about the threat to the carry-on culture.

"Just think how wonderfully blissful it would be not to have a single carry-on aboard a plane," Gregory adds.

"I say ban all carry-on luggage. It's about time! And if you are so important that you cannot be away from your computer for a day, do us a favor and stay at your office."

Figure it out yet? How about the system admin who states that he wished there were no users on the network?

I bet Mr. Gregory runs a very successful travel business. (heh)

joat: 12:00:00 16 Aug 2006


Tue, 15 Aug 2006

Lack of EOP by extension? 15 Aug
Here's a court case that strikes me as vaguely (but greatly) wrong, but not for any of the reasons stated by the plaintiff, the defendant or the judge. While I would agree that the employee would not have an expectation of privacy (EOP) for any action performed from a company computer, I have serious reservations about the logic that the expectation of privacy remains in "failed" mode if the employer then uses a captured password to access a system not belonging to them.

If you read the fine print in just about any TOS or contract, the account is property of the system owner and the user is allowed access to the system at the discretion of the system owner. Account termination usually can occur without warning, justification or appeal. The account (and often any data within) remains the property of the system owner. In this case, eBay.

If I were eBay, I'd be investigating the application of "accessing a system without permission" as it relates to the private investigation company.

joat: 20:30:00 15 Aug 2006


Off site 15 Aug
My apologies for any delay in approving comments or fixing stuff in the blog/wiki. I'm in Herndon this week, taking a course for (hopefully) another cert. Wish me luck!

joat: 20:25:00 15 Aug 2006


Mon, 14 Aug 2006

HPing2 14 Aug
The Ethical Hacker Network has a semi-short tutorial on using hping2. Another good-to-know.

joat: 20:30:00 14 Aug 2006


Sun, 13 Aug 2006

BOG 13 Aug
For future reference, The BIOS Optimization Guide (BOG).

joat: 20:30:00 13 Aug 2006


Sat, 12 Aug 2006

Asterisk book 12 Aug
I've probably blogged about this before but it doesn't hurt to post it again. Did you know that there's an online version of "Asterisk: The Future of Telephony"?

joat: 20:30:00 12 Aug 2006


Fri, 11 Aug 2006

BlackHat presentations 11 Aug
I haven't been keeping in touch with my friends. This is evidenced by the fact that Rob posted the BlackHat presentations and I learned about it via limitedexposure.

Oh, and the DefCon presentations are here.

joat: 20:30:00 11 Aug 2006


Thu, 10 Aug 2006

tcpreplay 10 Aug
Tcpreplay 3.0 was released as its 10th beta this week. It's actually a suite of tools now (I haven't used it in a very long time), including tcpprep, tcprewrite, tcpreplay, tcpbridge and flowreplay. Read about them here. Hint: scroll down to the bottom to find them; the wiki also talks about Trac, which takes up a lot more space.

In any case, this is one of those tools that you need to know how to use if you're going to analyze traffic (though I seem to remember it not handling broken packets well).

joat: 20:30:00 10 Aug 2006


Wed, 09 Aug 2006

ADS 09 Aug
Here's WikiSTC's tutorial on Alternate Data Streams (ADS).

joat: 12:00:00 9 Aug 2006


Tue, 08 Aug 2006

WikiSTC 08 Aug
Not sure if it has valuable content but it looks interesting: The Subversive Technologies & Countermeasures Wiki.

joat: 12:00:00 8 Aug 2006


Mon, 07 Aug 2006

Investigating Sophisticated Security Breaches 07 Aug
Here is one of Eoghan Casey's articles, entitled "Investigating Sophisticated Security Breaches".

joat: 12:00:00 7 Aug 2006


Sun, 06 Aug 2006

Bad RSS 06 Aug
The suggestion that RSS feeds are dangerous is an idea that seems to make the rounds every 3 months or so. Personally, I think that it's more hype than actual danger. People don't normally subscribe to feeds without looking at the site. At least, I hope they don't. Very few sites blindly accept comments. Fewer still allow any sort of embedded code or HTML in comments.

As far as dangers go, this doesn't rate high on my list.

joat: 20:30:00 6 Aug 2006


Sat, 05 Aug 2006

CISSP/CISA/SSCP quizzes 05 Aug
An online conversation reminded me of the following site for CISSP quizzes: CCCure.org. If you're working on your cert and are taking the practice questions, avoid taking them at the Pro level. That level does not correlate (at all) with the level of the questions on the actual test. Try jumping back and forth between medium and hard. If you can get a high grade in medium or a moderately good grade in hard, you'll likely pass the actual test.

joat: 20:30:00 5 Aug 2006


Fri, 04 Aug 2006

ClueCon 04 Aug
Note to self: watch for the release of their conference videos.

joat: 20:30:00 4 Aug 2006


Thu, 03 Aug 2006

Free courses 03 Aug
Tony Bradley has posted some info about free training for basic info. It appears to be e-mail based.

joat: 12:00:00 3 Aug 2006


Wed, 02 Aug 2006

Botnets 02 Aug
Last June, the ARO (Army Research Office), DARPA, DHS and Georgia Tech hosted a special workshop on botnets. The various presentations are attached to the schedule. I also recommend keeping an eye on Georgia Tech's Information Security Center front page.

joat: 12:00:00 2 Aug 2006


Tue, 01 Aug 2006

wl 01 Aug
Hmmm... I'm finding out (the hard way) just how poorly the "wl" command set is documented. For those inclined, you can check my work here. It's not much at the moment but I'll keep working on it.

joat: 12:00:00 1 Aug 2006


Mon, 31 Jul 2006

Responsible Disclosure (continued) 31 Jul
(Re-edited for the benefit of aggregator readers) On the 15th of this month, I posted about "responsible disclosure" and Microsoft's PR practices. Right in the middle of it, I planted a troll about MS's inability to keep up with the "month of browser bugs".

Two reader responses later and it appeared that we were headed deep into religious war territory. While asking why MS can't keep up in the patching process may have been a bit of a troll, it is a legitimate question. (Hint: pointing out that other browsers' patches have contained problems is legitimate only if MS has never released buggy patches for IE. Otherwise, it's poor logic and tends to make the discussion smell of dead horse.)

I will attempt to answer the question here though.

The answer doesn't lie within the politics of the vulnerability researchers or the "evil intentions" of any of the parties involved. It actually lies within "the process" and the previous coding decisions (e.g., the browser is part of the OS) at MS. Because the code base is much, much larger and because changes within browser code will affect "things" outside of the browser, the distance between "start" and "finish" for MS patches is much longer.

Other browsers have more coders, less code, and fewer OS hooks. Thus the patching process occurs quicker. Simple. It's futile for MS to attempt to keep up and counterproductive to make allusions to the motives of vulnerability researchers. The responsible disclosure "discussion" should have gone away years ago.

I hereby apologize to IronYuppie for troll-baiting. I do tend to like saying "the emperor has no clothes" when it comes to the marketing and public relations departments at MS. Neither one (IMHO) does the company justice in the long run.

joat: 12:00:00 31 Jul 2006


Sun, 30 Jul 2006

Fuzzing 30 Jul
Many of my friends are leaving for, are already at, or are making last-minute plans for travel to Vegas, to attend Defcon. The con hasn't started yet but Rob is already posting links. I guess I'll borrow his for the moment (for Jared Demott's presentation):

joat: 12:00:00 30 Jul 2006


Thanks 30 Jul
My thanks and apologies to family and friends for any of my social/professional vagaries, committed in the last 8 weeks. I'd managed to sign up for back-to-back classes on Monday and Wednesday nights (never again) and the resulting class load left me tired for most of the rest of the week. (The weird part is I'd get a regular night's sleep on Thursday and be raring to go on Friday, just when everyone else is winding down.)

In the two days since the semester's end, I've managed to re-install a content manager and have started work on the "wl" pages in the wiki. I still owe work on the Kismet/Perl pages and a whole slew of stuff for friends. Not to mention a slowly growing collection of wireless toys that I haven't been able to touch in the last 8 weeks.

In any case, I rec'd an "A" and an "A-" (blew two questions on the test). I can relax for a few weeks before the process starts over, though I'm likely to scale it back to only 1 class. (I need the sleep!)

joat: 11:55:00 30 Jul 2006


Sat, 29 Jul 2006

Experts 29 Jul
The following gives me a very nasty headache.

The thing is, two of us pointed out the error. I rec'd no response while a friend received a very nasty "mind your own business" style of response.

joat: 12:00:00 29 Jul 2006


Thu, 27 Jul 2006

Old tricks 27 Jul
Contrary to the various actions that MS has performed in public to show that they're now friendly with the rest of the planet, they're still up to their old tricks. Note that the error page wasn't one indicating an error. It was a "host not found" error.

Note: it now forwards to the default www.microsoft.com page.

Interesting return from "view source" from http://preview.microsoft.com/en/us/default.aspx if anyone cares to look at it. You might want to take a look at the JS files also.

It's not an argument that the site only works with IE. If it's AJAX, it should work with other browsers. I'm wondering: if I unravel that code, will I think the exclusion is intentional?

Update: This doesn't help the image either. Or this.

joat: 20:30:00 27 Jul 2006


Wed, 26 Jul 2006

BOHICA - DNS style 26 Jul
Hmm... The public meeting for the privatization of ICANN is today. If this goes through, standby for the lawsuits. This was proposed years ago, for the management of certain TLDs. The operator of the (then alternate) .biz domain says she even went before Congress in an attempt to legitimize the domain under her control. When ICANN finally handed .biz to another registrar, she was left out in the cold. I'm willing to bet that, if the privatization goes through and any of the old crowd retains management, you'll see some interesting cases lining up in the queue.

The other thing to keep in mind is privatized means "for profit".

joat: 12:00:00 26 Jul 2006


Tue, 25 Jul 2006

Steg Overview 25 Jul
From the Forensic Science Communications journal: a 2004 piece entitled "An Overview of Steganography for the Computer Forensics Examiner".

joat: 12:00:00 25 Jul 2006


Mon, 24 Jul 2006

Domain squatting 24 Jul
Larry Seltzer calls it domain squatting; I call it squatting. In either case, something unsavory is going on. Anyone looking into this?

joat: 20:30:00 24 Jul 2006


Sun, 23 Jul 2006

Shut up! 23 Jul
(hah!) Funny!

joat: 12:00:00 23 Jul 2006


Sat, 22 Jul 2006

Vitalsecurity 22 Jul
Just stumbled across the Vitalsecurity blog. I recommend it.

Hmmm... Maybe it's time for me to go searching for new blogs again?

joat: 16:00:00 22 Jul 2006


Fri, 21 Jul 2006

New? 21 Jul
Just found this one in my in box. Seems that someone has come up with an interesting way to get me to open an attachment. The text of the message reads (my email address has been edited):

From: Automatic Email Delivery Software
To: joat@757.org
Subject: [SPAM] ERROR
Date: Fri, 30 Jun 2006 23:28:24 +0300 (16:28 EDT)

Your message was undeliverable due to the following reason(s):

Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message was not delivered within 7 days:
Mail server 117.57.210.242 is not responding.

The following recipients did not receive this message:
<joat@757.org>

Please reply to postmaster@cox.net
if you feel this message to be in error.

Looks normal, right? The "trick" lies in the attachment. It has a "scr" file extension.

This prompted me to look at the header. Sure enough, my ISP received the message from 62.103.212.133. Even though the IP claimed to be cox.net (told the SMTP server "helo cox.net"), a reverse lookup on the IP returns "primalch.static.otenet.gr". A whois lookup confirms this.

So add the following to things not to do: "Don't open attachments from error messages." I'll look at the attachment this weekend.
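Here is the check I'd script for the two tells above, as an added example (not part of the original post): parse the topmost Received: header for the HELO name, reverse DNS and IP, compare the HELO domain against the rDNS domain, and list any attachment with an executable extension. The message is constructed; only the HELO, rDNS and IP values are the ones quoted above, and mx.example.invalid is a placeholder for my own MTA.

```python
"""Added example (not from the original post): check a 'bounce' for the
two red flags the post describes: a HELO name that does not match the
connecting host's reverse DNS, and an executable attachment.

The message below is constructed; only the HELO name, rDNS and IP are
the ones quoted in the post. mx.example.invalid is a placeholder MTA.
"""
import re
from email import message_from_string

# Matches the "from HELO (rDNS [IP])" clause that sendmail/Postfix write.
# The topmost Received: header is the one our own MTA wrote, so it is the
# only one we trust; everything below it can be forged by the sender.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]",
    re.IGNORECASE,
)

# Extensions Windows will execute on double-click; .scr is the one from the post.
RISKY_EXT = {"scr", "pif", "exe", "com", "bat", "cmd", "vbs", "vbe",
             "js", "jse", "wsf", "hta", "lnk"}

SAMPLE_BOUNCE = """\
Received: from cox.net (primalch.static.otenet.gr [62.103.212.133])
\tby mx.example.invalid (Postfix) with SMTP id 0F3D2A1
\tfor <joat@757.org>; Fri, 30 Jun 2006 16:28:24 -0400 (EDT)
From: Automatic Email Delivery Software <postmaster@cox.net>
To: joat@757.org
Subject: ERROR
Date: Fri, 30 Jun 2006 23:28:24 +0300
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your message was undeliverable due to the following reason(s): ...

--b1
Content-Type: application/octet-stream; name="message.scr"
Content-Disposition: attachment; filename="message.scr"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBiaW5hcnku

--b1--
"""


def parse_received(value):
    """Return {"helo", "rdns", "ip"} from one Received: value, or None."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"]}


def registrable(name):
    """Crude registrable-domain guess: the last two labels. Fine for .net
    and .gr; ccTLDs such as .co.uk need a public-suffix list instead."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def risky_attachments(msg):
    """Filenames of attachments whose extension Windows would execute."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.rsplit(".", 1)[-1].lower() in RISKY_EXT:
            found.append(name)
    return found


def analyze(raw):
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    hop = parse_received(received[0]) if received else None
    mismatch = bool(hop and hop["rdns"]
                    and registrable(hop["helo"]) != registrable(hop["rdns"]))
    return {
        "helo": hop["helo"] if hop else None,
        "rdns": hop["rdns"] if hop else None,
        "ip": hop["ip"] if hop else None,
        "helo_mismatch": mismatch,
        "risky_attachments": risky_attachments(msg),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_BOUNCE).items():
        print(f"{key}: {value}")
```

A HELO/rDNS mismatch on its own is weak evidence (plenty of legitimate mail servers get their HELO wrong), and registrable() is a two-label approximation. The combination is the tell: a real delivery status notification is a multipart/report with a message/delivery-status part, not a multipart/mixed carrying a .scr.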

joat: 12:05:00 21 Jul 2006


Finals 21 Jul
Apologies for the lack of updates in the last few days. This week was finals week for me, along with a few other things. For others, finals are next week. As I'm on the road again next week, allowances were made and I had to double up in the next to last week (I'm exhausted). In any case, I'll back fill the last few days shortly.

joat: 12:00:00 21 Jul 2006


Thu, 20 Jul 2006

Wow 20 Jul
Given the number of approaches SCO has taken in the case against IBM (see Groklaw) and because they're now claiming that IBM destroyed evidence, how long before SCO considers suing their own lawyers for not being successful in all that they've tried?

joat: 20:30:00 20 Jul 2006


Wed, 19 Jul 2006

Spam Injection? 19 Jul
This is the first that I've heard of this technique and I find it especially intriguing/annoying. Intriguing in that it's a new (to me) technique. Annoying in that it's yet another way to get unwanted ads in front of you.

And ABC wonders why people have a tendency to skip commercials when they're able to.

I also worry that this will become yet another vector for infection and exploit. Oh, and shame on you, Vonage, for encouraging the mess by funding it (in part).

joat: 20:30:00 19 Jul 2006


Tue, 18 Jul 2006

Law 18 Jul
For all you law groupies that enjoy reading Groklaw and Mr. Lessig's pennings, I would also recommend Orin Kerr's blog. In the past, he had a mailing list where he would describe various tech-related cases. Thankfully (so I don't have to pull his posts from the spam pool), he's moved on to blogging.

joat: 20:30:00 18 Jul 2006


Mon, 17 Jul 2006

Meat 17 Jul
In a totally non-tech-related note, I've grabbed the list from The BBQ Report and posted it in the wiki just in case they erase/lose their list of "How long can you store meat in the fridge/freezer?".

joat: 20:30:00 17 Jul 2006


Sun, 16 Jul 2006

Business as usual 16 Jul
Ever notice that in politics and business, anything that one person or organization accuses another of, often also applies to the accuser/name caller?

Lest "Strider Search Defender" sound too anti-Blogger/BlogSpot (they're the same organization), let's keep in mind that it happens on any blog/wiki site that allows for unmediated commenting, including MSN sites. As an experiment, visit Spaces.MSN.com and type your favorite comment spam topic in the search box (the Spaces search, not the web search).

In short, people who live in glass houses really shouldn't throw rocks. It is a nice project though. More power to the analysts, less power to the marketers!

joat: 12:00:00 16 Jul 2006


Sat, 15 Jul 2006

Responsible disclosure 15 Jul
At the risk of offending the usual parties, let me state that I'm getting tired of a certain vendor trotting out the "we're disappointed in the lack of responsible disclosure" line. What's not said in the article is: the vendors were notified previously, most of the vulnerabilities are not readily "usable", and the white hats listed in the article are those at MS, not all white hats.

The question that people should be asking is: if Firefox and Opera can keep up with applying fixes, why can't IE?

For those of us that have to eat antacid while waiting for the vulnerabilities to be patched: for many of the vulnerabilities, the work-around is "turn off ActiveX".

joat: 12:00:00 15 Jul 2006


Fri, 14 Jul 2006

Admin hints 14 Jul
How about the occasional hint for budding admins?

Here's one: it's a good idea to keep current by reading a few of the mailing lists listed here. I recommend Incidents, Daily Dave, and Bugtraq. Not listed, but also recommended, are the Snort and NANOG mailing lists.

joat: 12:00:00 14 Jul 2006


Thu, 13 Jul 2006

Mail metrics 13 Jul
(heh) I did this with Sendmail, McAfee, SpamAssassin, Perl, and gnuPlot on a BSDi box almost a decade ago. It was web-based, menu-driven for the less talented of the operators, and calculated "normal" based on the previous month's day-of-the-week traffic.

McAfee doesn't make a BSDi-based scanner you say? Okay, but they had one for Linux and BSDi had something known as LDP and you only had to import one missing library from Linux.

This is one of those things that you need to do to monitor your metrics. Another example would be to stick a Linux box running RRD to the side of your Exchange box to monitor the mail system via its SNMP hooks. If it generates numbers (usually over time), it's probably a good idea to graph it and monitor it. A quick look at a graph will usually tell you much the same thing that an hour or so of log reading will.
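The "normal based on the previous month's day-of-the-week traffic" calculation, written out as an added example (not the original Perl, which isn't on this page): daily message counts keyed by date, a per-weekday mean and standard deviation over the prior 28 days, and a flag when today's count exceeds both mean + 3σ and 1.5× mean. The history is constructed.

```python
"""Added example (not from the original post): the "normal based on the
previous month's day-of-the-week traffic" check described above, applied
to daily message counts. The history below is constructed.
"""
from datetime import date, timedelta
from statistics import mean, pstdev

START = date(2006, 6, 5)  # a Monday

# Constructed jitter for four weeks: busy weekdays (~1000), quiet weekends (~200).
JITTER = [37, -12, 58, -41, 9, 25, -30, 14, -55, 46, 3, -19, 61, -7,
          22, -33, 48, -26, 11, -48, 35, 5, -17, 29, -44, 52, -9, 18]


def make_history():
    """{date: messages_that_day} for the 28 days starting at START."""
    history = {}
    for i, jitter in enumerate(JITTER):
        day = START + timedelta(days=i)
        history[day] = (1000 if day.weekday() < 5 else 200) + jitter
    return history


HISTORY = make_history()


def baseline(history, day, days_back=28):
    """Per-weekday (mean, pstdev) from the `days_back` days before `day`.
    Weekdays with fewer than two samples are left out."""
    lo = day - timedelta(days=days_back)
    by_weekday = {}
    for d, count in history.items():
        if lo <= d < day:
            by_weekday.setdefault(d.weekday(), []).append(count)
    return {wd: (mean(v), pstdev(v)) for wd, v in by_weekday.items() if len(v) >= 2}


def check_day(history, day, count, sigmas=3.0, min_ratio=1.5):
    """Return (verdict, threshold). `count` is anomalous when it exceeds
    BOTH mean + sigmas*sd and mean*min_ratio for that weekday; the ratio
    floor keeps a near-constant history (sd close to 0) from flagging
    every routine wobble. verdict is None without enough history."""
    stats = baseline(history, day).get(day.weekday())
    if stats is None:
        return None, None
    mu, sd = stats
    threshold = max(mu + sigmas * sd, mu * min_ratio)
    return count > threshold, round(threshold, 1)


if __name__ == "__main__":
    for day, count in [(date(2006, 7, 3), 4000), (date(2006, 7, 3), 1100),
                       (date(2006, 7, 8), 300), (date(2006, 7, 8), 600)]:
        verdict, threshold = check_day(HISTORY, day, count)
        print(day, day.strftime("%a"), count, "->", verdict, "(threshold", threshold, ")")
```

The 1.5× floor matters: with four weeks of nearly identical Mondays, σ is tiny and mean + 3σ alone would flag a routine five-percent bump. Tune both knobs against your own graphs before you page anyone.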

joat: 12:00:00 13 Jul 2006


Wed, 12 Jul 2006

SMB4K 12 Jul
Many that have tried to run "smb4k" have run across the error message:

   smbclient must be installed suid root...

If you use "chmod a+s /usr/bin/smbmount", then the system complains that there shouldn't be any binaries suid root.

One work-around is to start the program via "sudo smb4k". Of course, you should have already configured sudo to allow your user to execute that command.

joat: 12:00:00 12 Jul 2006


Tue, 11 Jul 2006

ICMP Tunneling 11 Jul
Dave Johnson has a pointer to a good nulldigital article on ICMP tunneling.

Of course, the first knee-jerk countermeasure for this is "block ICMP". While the majority of that protocol should already be blocked (for other reasons), the obvious countermeasure may not always be the best. In other words, blocking ports/protocols because they can be abused will lead to the firewall blocking everything. A better approach is to configure your firewall for "normal" operation and then monitor what you allow to pass for anomalies.

What the article demonstrates is the embedding of one protocol within another. It's the reason why various programs are difficult to block at Layer 3 (IP addresses) or Layer 4 (Ports/Protocols).

Some programs (e.g., instant messengers, P2P) are adaptive and can use a number of addresses, ports or transport protocols.

While all firewalls (okay, most) filter IP protocols 6 (TCP) and 17 (UDP), they are often configured to pass others. Many will pass at least some subset of protocol 1 (ICMP) and one or more other routing protocols. Most are not useful for covert channels as, if a network is implemented correctly, the protocols are blocked further upstream. Others are. ICMP is often used for tunneling because certain types of ICMP packets will pass through the firewall and the packets can carry a decent sized payload.

This is why, contrary to what the firewall and IDS vendors tell you, the job of network security is largely a reactive job. The majority of your problems will be internal and you need to face the fact that a few of your users know more than you, don't believe they'll get caught, and have more "access" than you realize.

What you have going for you is human nature (the second option in that last sentence). People who don't believe they'll get caught won't remain "in the background". They'll usually try gradually more daring (and noisier) things.

The most effective countermeasure is monitoring your metrics (especially the most boring ones!) for anomalies, reading your log files, and spot-checking content for normal shape, size, and lifespan. The majority of corporate users (if not all of them) are granted the minimal access needed to perform their job. The content they generate should be boring as hell (HTTP on port 80, SMTP on 25, very small ICMP packets, etc.) Your job includes having to watch for the non-standard stuff (odd flags turned on, non-standard packet sizes, "noise" on port 25 or 80, etc.).

Oh! And make it a point to track down the small stuff too (though you may not always have the time). They'll often lead to the larger "stuff" and may also indicate other problems (misconfiguration) within the network.
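The "very small ICMP packets" rule can be scripted. Below is an added example (mine, not from the post or the nulldigital article) that parses raw IPv4/ICMP packets, verifies the ICMP checksum, and compares the echo payload against the two fills I assume for stock pings (Linux: 56 bytes with every byte beyond the timestamp equal to its own offset; Windows: the 32-byte string "abcdefghijklmnopqrstuvwabcdefghi"), then flags non-standard payloads that are oversized or high-entropy. The three packets are constructed with the included build_echo() helper.

```python
"""Added example (not from the original post or the nulldigital article):
a classifier for ICMP echo payloads, the check the post recommends for
"very small ICMP packets" versus tunnel traffic.

Assumptions (mine, not the post's): a stock Linux ping sends a 56-byte
payload whose bytes beyond the timestamp equal their own offset, and a
stock Windows ping sends the 32-byte string "abcdefghijklmnopqrstuvwabcdefghi".
All packets below are constructed with build_echo().
"""
import math
import struct
from collections import Counter

WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"
MAX_NORMAL_PAYLOAD = 64   # bigger than either default ping; tunnels need room
HIGH_ENTROPY = 6.0        # bits/byte; encrypted or compressed payloads sit near 8


def checksum(data):
    """RFC 1071 ones'-complement checksum, used for both IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload, ident=0x1234, seq=1):
    """Constructed IPv4 + ICMP echo request carrying `payload` (test input only)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in counts.values())


def parse_icmp(pkt):
    """ICMP header fields and payload from a raw IPv4 packet; None if not ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1 or total_len > len(pkt) or total_len < ihl + 8:
        return None  # not protocol 1, truncated, or too short for an ICMP header
    icmp = pkt[ihl:total_len]
    typ, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "payload": icmp[8:], "checksum_ok": checksum(icmp) == 0}


def classify_fill(payload):
    """Name the ping implementation the payload looks like, if any."""
    if payload == WINDOWS_FILL:
        return "windows-ping"
    if len(payload) == 56 and all(payload[i] == i for i in range(16, 56)):
        return "linux-ping"
    return "non-standard"


def assess(pkt):
    """Verdict dict for one packet, or None if it is not ICMP."""
    icmp = parse_icmp(pkt)
    if icmp is None:
        return None
    payload = icmp["payload"]
    fill = classify_fill(payload) if icmp["type"] in (0, 8) else "not-echo"
    ent = entropy(payload)
    suspicious = fill == "non-standard" and (len(payload) > MAX_NORMAL_PAYLOAD
                                             or ent > HIGH_ENTROPY)
    return {"type": icmp["type"], "length": len(payload), "fill": fill,
            "entropy": round(ent, 2), "checksum_ok": icmp["checksum_ok"],
            "suspicious": suspicious}


# Constructed payloads: Linux-style, Windows-style, and a tunnelled HTTP request.
LINUX_LIKE = bytes(16) + bytes(range(16, 56))
TUNNEL_LIKE = (b"GET /cgi-bin/blosxom.cgi HTTP/1.0\r\nHost: tunnel.example.invalid\r\n"
               b"User-Agent: covert\r\n\r\n") * 2

if __name__ == "__main__":
    for name, payload in [("linux", LINUX_LIKE), ("windows", WINDOWS_FILL), ("tunnel", TUNNEL_LIKE)]:
        print(name, assess(build_echo(payload)))
```

Feed it the raw bytes from a pcap and watch the ratio of "non-standard" to "linux-ping"/"windows-ping" per source; the thresholds are starting points, not gospel. Payload size is one signal among several (rate, id/seq patterns, echo replies nobody asked for): a patient operator can tunnel in small packets too, which is exactly why the post puts the emphasis on watching the boring metrics over time.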

joat: 12:00:00 11 Jul 2006


Mon, 10 Jul 2006

Using Google to find bad sites 10 Jul
PCWorld has a short piece about a group using Google's little-known (and little-used) binary search feature to find malicious websites. Although there's not a whole lot of detail, it is an interesting concept.

joat: 12:00:00 10 Jul 2006


Sun, 09 Jul 2006

WVC54GC and non-IE browsers 09 Jul
In reading up on the WVC54GC, I see a lot of people complaining about the inability to view the output on anything other than Internet Explorer. The answer is quite obvious/simple: look at the source code for the viewing page. The link that you want to point at is http://your_ip_address/img/video.asf

Of course, you have to have the proper plugin too (that handles ASF video). Alternately, for Linux users you can just type "mplayer http://your_ip_address/img/video.asf" (without the quotes). It takes a bit for the cache to fill but there's also a switch for that if you care to research it.

joat: 12:00:00 9 Jul 2006


For LonerVamp 09 Jul
LonerVamp asked that I repost an URL for the 22C3 video torrents. They're here.

joat: 01:46:51 9 Jul 2006


Sat, 08 Jul 2006

NSLU2 update2 08 Jul
Scott Prive asked how my NSLU2 was performing nowadays. Here's a synopsis:
  • For serving video, the NSLU2 works nicely. However, the current hardware-based media players suck. For playing stuff recorded with the PVR-250, it works nicely if you're careful about the resolution that you're recording at. (The network (wired or wireless) becomes the bottleneck.)
  • Other hardware may be the problem. Neither the DLink DSM-320 nor the MediaMVP can play MP4's (something that needs to work as I have a lot of conference videos).
  • As a web or IMAP server, I feel the NSLU2 is somewhat marginal, as the amount of data that I have for both (10+ years of email) is large.
  • Using the NSLU2 for more than one purpose is likely to not work well. Employing them as single-purpose servers will probably work best.
  • If you're asking for a recommendation for a network media server/player, I'd recommend saving your cash or (possibly) buying a Mac Mini. I haven't done the latter (yet) but have hopes for it due to its having a much more powerful processor.

joat: 12:00:00 8 Jul 2006


Fri, 07 Jul 2006

Power Users 07 Jul
Although I don't disagree with Araz's logic in "Power Users in Windows are Potential Administrators", I think he misses some of the logic in Jesper's and Mark's posts in that Power Users are a source of three sorts of problems: those of the shot-themselves-in-the-foot type, those of the-rules-don't-apply-to-me-otherwise-they-wouldn't-have-given-me-Power-User-access type, and those of the screw-this-I'm-taking-Admin type. Of the latter two groups, a good percentage have been (or are) Admin elsewhere and will fight you because they "know" a better way than you of "doing things".

Yes, life as a common user, after being an admin, sucks. I went from NOC admin to common user in a job switch. What used to take a bit of Perl and 15 minutes now takes days (unless I'm on my home system, that is). Though I'm not happy with the level of access, I am happy with my job and don't need the access. (And I will admit that, even as a common user, I am a pain in the neck to have as a customer (business or home user).)

joat: 12:00:00 7 Jul 2006


Thu, 06 Jul 2006

Logs 06 Jul
In continuing the topic of log file analysis (okay, I'm avoiding studying for a test and working on my wife's Things-To-Do-While-I'm-Out-Of-Town list), I've parsed the logs from April 15 to July 4 and have found some interesting bits...
  • Barring self-referrals and the normal Google traffic, the largest referrer in that 3 month period was an Adam Gaffin comment (25 August 2005) concerning my short post about countermeasures for Skype, specifically "public executions" (my term for publicly prosecuting policy violations in the corporate setting), which may or may not be legal within your organization (check with your legal department). 176 hits by the way.
  • The next common referrer below that (barring the normal aggregators) is Yet Another InfoSec Blog (YAISB). Hi Ryan! Interesting site!
  • Below that, a friend's site: InfoSec Potpourri. Hi David!
  • Below that: Christian Koch's Limited Exposure.
  • Followed in quick succession by: Araz Samadi, Troy Jessop, Dana Epp (long time no see!), Dave King, Clint Stotesbery, Benjamin Edelman (very interesting anti-UCA stuff), and Martin McKeay.
  • I also found a whole slew of sites that steal other people's content and use it to host sites whose sole purpose appears to be ripping off AdSense.
  • I also found a weird AJAX-based aggregator called "ProtoPage". (Try moving the windows around.)
  • Did you know that there are sites, such as SecurityArchive, that appear to archive your entire content?
  • What the heck is a IEAutoDiscovery feed reader? (heh)
  • Everybody and their hillbilly "third couzin" has their own feed aggregator/reader.

All in all, some interesting sites to visit/things to play with. I recommend visiting most of the blogs above.

joat: 12:00:00 6 Jul 2006


Wed, 05 Jul 2006

Things I'm doing on vacation 05 Jul
Okay, maybe I have way too much time on my hands this week, (I'm on vacation.) but I'm seeing something really weird in the blog logs:

6/1/2006|2:53:27|210.245.97.8|Liferea/0.9.7b (Linux; en_US.UTF-8; http://liferea.sf.net/)|/~joat/cgi-bin/blosxom.cgi|

That's a sample of what's showing up on an average of about once every two seconds, since May 31st. Notables, other than the constant site pull (direct from the cgi, not the XML feed) are that it's a feed aggregator (a client), running on a Linux box, and the IP is an address in Hanoi, South Korea.

Research on the IP shows that it belongs to the Corporation for Financing and Promoting Technology, AKA FPT Communications, FPT Telecom and FPT Corp. Google has about 681 matches for that exact string, with a ton of other matches for the Corp's subsidiaries and aliases. In short, one of its functions is acting as the local ISP and, apparently, one of their users has a misconfigured feed aggregator.

So, if you're in South Korea and you've been using a Linux-based feed aggregator called Liferea for about 2 months now, please check your configuration. This site only changes about once per day and there is no need for the constant checking. Might I suggest an intermediate feed aggregator, such as Bloglines? If you're interested, here is a list of the feeds that I subscribe to (hint: there's an "Export Subscriptions" button at the bottom of the page, if you want the OPML version).

Just please stop pounding on the site.

joat: 12:00:00 5 Jul 2006
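Since the post above is really about spotting one client hammering a site, here's an added example (mine, not code from this blog or from Liferea) that parses lines in the pipe-delimited format shown above and flags any (IP, user agent) pair that polls faster than a threshold inside a sliding window. The log lines, IPs and user agents below are constructed for the example; the only thing taken from the post is the field layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the blog's log layout: date|time|client IP|user agent|requested path|
# The IPs (documentation ranges) and hit pattern are made up; one client polls every 2 seconds.
SAMPLE_LOG = [
    f"6/1/2006|2:53:{sec:02d}|192.0.2.8|Liferea/0.9.7b (Linux; en_US.UTF-8; http://liferea.sf.net/)|/~joat/cgi-bin/blosxom.cgi|"
    for sec in range(0, 60, 2)
] + [
    "6/1/2006|2:53:05|198.51.100.20|Bloglines/3.1 (http://www.bloglines.com)|/~joat/cgi-bin/blosxom.cgi?flav=rss|",
    "6/1/2006|3:10:41|198.51.100.20|Bloglines/3.1 (http://www.bloglines.com)|/~joat/cgi-bin/blosxom.cgi?flav=rss|",
    "6/1/2006|2:53:30|203.0.113.7|Mozilla/5.0 (X11; Linux) Firefox/1.5|/~joat/cgi-bin/blosxom.cgi|",
    "this line is garbage and should be skipped",
]


def parse_line(line):
    """Return (timestamp, ip, user_agent, path), or None for a line that does not fit the layout."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 5:
        return None
    date, time_, ip, ua, path = fields[:5]
    try:
        # the log writes hours without a leading zero ("2:53:27"); strptime accepts that
        ts = datetime.strptime(f"{date} {time_}", "%m/%d/%Y %H:%M:%S")
    except ValueError:
        return None
    return ts, ip, ua, path


def find_pollers(lines, window=timedelta(seconds=60), max_hits=10):
    """Group hits by (ip, user agent) and return the pairs whose peak request count
    inside any `window`-long sliding window exceeds `max_hits`, with that peak."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, ua, _path = parsed
        hits[(ip, ua)].append(ts)

    offenders = {}
    for key, times in hits.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until it spans at most `window`
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_hits:
            offenders[key] = peak
    return offenders


if __name__ == "__main__":
    for (ip, ua), peak in find_pollers(SAMPLE_LOG).items():
        print(f"{ip} {ua!r}: {peak} hits in 60s")
```

Keying on the (IP, user agent) pair rather than the IP alone keeps a whole NAT'd office of normal readers from being lumped in with one broken aggregator behind the same address.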


Tue, 04 Jul 2006

Bash prompt 04 Jul
IBM has a nice tutorial which discusses the various things you can do with/to your shell prompt in Bash.

joat: 12:00:00 4 Jul 2006


Mon, 03 Jul 2006

Dr. Who 03 Jul
Note to self from the not-so-distant past: Dr. Who (the British version) comes out on DVD tomorrow.

joat: 12:00:00 3 Jul 2006


Sun, 02 Jul 2006

Oh wait! I get it! 02 Jul
Gnu'd beach!! Now that's funny! (Sorry)

joat: 20:35:00 2 Jul 2006


CyberSpeak 02 Jul
Shouts to Bret, Ovie and Mike at CyberSpeak: Thanks for pointing at this blog (17 June show)! Your reference to the site caught me unawares while I was driving. I almost swerved off the road. (heh)

joat: 20:30:00 2 Jul 2006


Sat, 01 Jul 2006

Dumb 01 Jul
What was the name of that song? "Numb?" The local shock jocks had a parody of it called "Dumb" in which they sang about the week's idiots. The song ran for the entire summer with new versions every week.

The reason it comes to mind is this article about how the Catawba County Schools is suing Google because the Google spider grabbed some documents containing SSN's. Even more painful is the judge allowed the injunction (the judge should have sought expert help prior to issuing the injunction).

Why dumb? Because it'll come out in the wash that the School was negligent in maintaining the security of their web server. Even dumber: the school is now subject to civil damages of up to $3M, (619 students x $5000 x instance), but no one seems to have caught onto that yet.

And I'll have to agree with Martin McKeay, "Why is a school still using SS #'s to identify their students?"

joat: 20:30:00 1 Jul 2006


Fri, 30 Jun 2006

Zfone 30 Jun
InfosecWriters has a pointer to a paper by Sam Sotillo which discusses how Phil Zimmerman's Zfone works.

joat: 12:00:00 30 Jun 2006


Thu, 29 Jun 2006

Google Maps 29 Jun
For those of you that like playing with Google Maps, they've added a few new functions. Here is a tutorial for messing with the API and the new features.

joat: 12:00:00 29 Jun 2006


Wed, 28 Jun 2006

Making TeX Work 28 Jun
Found during research on business cards: SourceForge has an online copy of "Making TeX Work" by Norman Walsh.

joat: 12:00:00 28 Jun 2006


Tue, 27 Jun 2006

TrueCrypt 27 Jun
Hacker Media has a pointer to a video entitled "Intro to TrueCrypt".

joat: 12:00:00 27 Jun 2006


Gurgle... 27 Jun
Oooohh! My brain is full! You ever have that feeling that if you crammed one more fact into it, you'd start losing other stuff? That's me. Today. Mid-terms (pursuing another degree). I've learned more about the late Baroque period in the last four weeks than I did during the remainder of my life.

I rec'd a 98 on today's test. Completely blew one question by scratching out the wrong letter (I actually knew the answer). Problem is I've had the theme song to AskANinja playing in my head all day. It makes things a bit difficult when you have to name 10 pieces when the professor plays "Name That Tune" with Baroque music.

Damn you, Neu Tickles!! (heh)

joat: 01:27:37 27 Jun 2006


Mon, 26 Jun 2006

Algorithms 26 Jun
For you crypto and programming types, Wikipedia has a page of algorithms. While it doesn't usually explain the algorithms themselves, it does have pointers to the info you're looking for.

joat: 12:00:00 26 Jun 2006


Sun, 25 Jun 2006

Angle Cards 25 Jun
I've been researching a possible project which involves putting various info on business cards and have run across some other people's interesting work. Here's one: a business card for estimating angles and, with a bit of math, distance.

joat: 20:30:00 25 Jun 2006


Sat, 24 Jun 2006

DDOS 24 Jun
Here is a paper which discusses the D-Link NTP ddos and includes other ddos attacks as historical examples.

joat: 20:30:00 24 Jun 2006


Fri, 23 Jun 2006

Wireless links 23 Jun
Here is a collection of wireless-related links.

joat: 20:30:00 23 Jun 2006


Thu, 22 Jun 2006

Wireless notes 22 Jun
The following is mostly for my benefit...

While cleaning out various pieces of luggage, I discovered some of my notes from this year's ShmooCon, specifically the Wi-Fi Trickery lecture. Here's some disjointed notes:

  • raw injection can corrupt a WIDS
  • FakeAP is only effective against novice wardrivers (as a defense) and WIDS (inserts bad or junk info into the database)
  • FakeAP can be detected by looking at timestamps (usually too low), sequence numbers (often reset or too low), and other misbehaving parameters.
  • A good number of frames are not normally analyzed by WIDS (e.g., ACK frames), thereby allowing for the existence of covert channels

The tools/topics discussed in the lecture included: Enhanced FakeAP, GlueAP, MitM attacks and covert channels.

joat: 12:00:00 22 Jun 2006


Wed, 21 Jun 2006

Panda 21 Jun
For you webmaster types, Panda offers a collection of online tools that you can stick on your web site.

joat: 12:00:00 21 Jun 2006


Tue, 20 Jun 2006

NIST Draft Pubs 20 Jun
NIST has three draft publications for which they're accepting public comment:
  • The Information Security Handbook: A Guide for Managers
  • The Guide to IEEE 802.11i: Robust Security Networks
  • PIV Data Model Test Guidelines

Note: the deadline for comment for this last one closes June 22nd. (You'd better hurry!)

joat: 12:00:00 20 Jun 2006


Mon, 19 Jun 2006

Unsubscribe 19 Jun
I find myself wading through my 300+ Bloglines subscriptions and unsub'ing from feeds that think that articles like "Microsoft's vulnerabilities turned into exploits" are news.

joat: 12:30:00 19 Jun 2006


DNS attacks 19 Jun
Amit Klein has an interesting article which discusses various issues with DNS security at the registrar level.

joat: 12:00:00 19 Jun 2006


Sun, 18 Jun 2006

Outside too 18 Jun
Philip Su's article talks about the political and emotional abuse that runs rampant inside the company. What's glossed over is the same behavior occuring within the user community (not that it is limited to the Microsoft realm).

Many seem to have forgotten the condescending, often pompous, position of the illuminati that Windows was the most secure and best tool for the job. True or not, it was the position marketed and accepted by the general populace. (Apple seems to be repeating the process.)

Microsoft has a new chance with the coming release of Vista. Hopefully they realize that with a new product, they've reset the KLOC counter to a high value and will need to work their way back down (again). That the product has several new technologies built into its foundation will cause numerous problems once the outside world (black, white and grey-hat) begins to understand its workings.

Hopefully the MS marketing department will be constrained from promoting the new OS as being the most secure on the planet as was done with previous versions. If they don't, we'll have to suffer through yet another generation of programmers and admins whose declarations of better security are based solely on party line and the fact that it's the only OS they know. (i.e., those admins who manage systems in multiple worlds have favorites but they're not rabid purists). If they do avoid the used car salesman approach, I believe that, in the long run, Vista will be a much more successful product.

joat: 20:30:00 18 Jun 2006


Sat, 17 Jun 2006

Spammers 17 Jun
Okay, this is getting out of hand. I was out of town for a week and was able to sift through the comment queue only once (on Tuesday). Since then the comment spammers have dumped a little over 21,000 spams into the queue. Luckily, I'm not limited to manual delete.

It is a PITA though.

joat: 17:00:00 17 Jun 2006


Fri, 16 Jun 2006

Securing MySQL 16 Jun
The article is a bit dated but "Securing MySQL" is still valuable.

joat: 12:00:00 16 Jun 2006


Thu, 15 Jun 2006

NIST Hash Workshop 15 Jun
Here's Bruce Schneier's posts on last year's NIST Hash Workshop:

The pieces are short but they point to quite a few interesting papers.

joat: 12:00:00 15 Jun 2006


Wed, 14 Jun 2006

Layer 2 Tool Analysis 14 Jun
I may have blogged this one before but here is an interesting piece on analysis of wireless "discovery" tools (yeah, another of Josh Wright's pieces). One thing to keep in mind is that he's discussing "active" tools. Passive tools are rarely discovered and then mostly by accident.

joat: 12:00:00 14 Jun 2006


Tue, 13 Jun 2006

Reading Mail Headers 13 Jun
One of the things that you will eventually do if you work in network security is read the header of a piece of email. Whether it's troubleshooting a problem, backtracking spam, or just trying to figure out where a message has been, you need to be able to interpret what you're reading. "Reading Email Headers" explains the basics.

Keep in mind the article may or may not be entirely accurate as each piece of software that handles e-mail has its own "standards" for doing things. An example of this is that MsgID's are valid only on the machines that generated them, especially on firewalls. Assuming that MsgID's are constant from source to destination will quickly get you lost.

Also, each mail handler has its own way of generating those ID's. Sendmail's ID's are a combination of timestamp and process number. (Beginners should consult the Bat Book to learn how to decode them.) MS Exchange ID's appear to be totally random. (For years, I've been looking for a source of info for this.)

Also, some organizations purposely munge headers in an attempt to "hide" their internal architecture. This sword cuts both ways though as it also complicates troubleshooting.

In any case, the article explains the basics of reading headers and basic forgery detection. Count it as a need-to-know.

joat: 12:00:00 13 Jun 2006
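To make the two points above concrete (each hop stamps its own queue id, and the Received chain is where the basic forgery checks live), here's an added example of mine, not code from the linked article. It parses a constructed Sendmail-style header block, lists the hops oldest-first, and runs two sanity checks: does the HELO name match the reverse DNS the receiving server recorded, and does each hop's "by" host reappear as the next hop's "from" host. All hostnames, IPs and queue ids are made up (documentation ranges); nothing here points at a real mail system.

```python
import email
import re

# Constructed header block in Sendmail style; hosts, IPs and queue ids are invented.
# The bottom Received header is the oldest hop (the one closest to the sender).
RAW_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.20])
    by inside.example.net (8.13.6/8.13.6) with ESMTP id k5DH0G01
    for <joat@inside.example.net>; Tue, 13 Jun 2006 12:00:16 -0400
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.example.net (8.13.6/8.13.6) with ESMTP id k5DH0D02
    for <joat@example.net>; Tue, 13 Jun 2006 12:00:13 -0400
Received: from friendly.example.org (dsl-198-51-100-33.isp.example [198.51.100.33])
    by mail.example.org (8.13.6/8.13.6) with ESMTP id k5DH0A03;
    Tue, 13 Jun 2006 12:00:10 -0400
Message-ID: <200606131600.k5DH0A03@mail.example.org>
From: someone@example.org
To: joat@example.net
Subject: constructed sample

body
"""

# "from HELO (rdns [ip]) by HOST ... id QUEUEID"; rdns is optional because some MTAs omit it
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+)(?:.*?\bid\s+(?P<qid>[^\s;]+))?",
    re.IGNORECASE,
)


def parse_received(value):
    """Pull HELO name, reverse DNS, IP, receiving host and per-hop queue id out of one Received header."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    return {
        "helo": m["helo"].lower(),
        "rdns": (m["rdns"] or "").lower(),
        "ip": m["ip"],
        "by": m["by"].lower(),
        "queue_id": m["qid"],  # Sendmail's per-hop id; this is NOT the Message-ID
    }


def trace_path(raw):
    """Return (Message-ID, hops oldest-first). Received headers are prepended by each
    relay, so the header parser hands them back newest-first and we reverse."""
    msg = email.message_from_string(raw)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    hops.reverse()
    return msg.get("Message-ID"), hops


def check_hops(hops):
    """Basic forgery checks on the chain; returns a list of human-readable findings."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["rdns"] and hop["helo"] != hop["rdns"]:
            findings.append(
                f"hop {i}: HELO {hop['helo']} does not match rDNS {hop['rdns']} ({hop['ip']})"
            )
        if i + 1 < len(hops) and hops[i + 1]["helo"] != hop["by"]:
            findings.append(
                f"hop {i}->{i + 1}: {hop['by']} received it but the next hop claims it came from {hops[i + 1]['helo']}"
            )
    return findings


if __name__ == "__main__":
    mid, hops = trace_path(RAW_HEADERS)
    print("Message-ID:", mid)
    for i, hop in enumerate(hops):
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']} (queue id {hop['queue_id']})")
    for finding in check_hops(hops):
        print("WARNING:", finding)
```

Only the hop written by your own servers is trustworthy; everything below it was supplied by the other side, which is why the checks start from the bottom and why a mismatch there is a hint rather than proof.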


Argggh! 13 Jun
Note to anti-virus companies: Please add the feature where if the malware is known to steal, borrow or otherwise forge the source address on an infected email, the code will NOT send an email back to the supposed source. I'm now getting complaints about my non-existent MS mail client in Italian.

Grazie!

joat: 10:30:00 13 Jun 2006


Mon, 12 Jun 2006

Malicious Crypto 12 Jun
SecurityFocus has a two-part article on malicious cryptography (part 1, part 2). You'll probably find the references listed at the end of each part interesting.

joat: 12:00:00 12 Jun 2006


Sun, 11 Jun 2006

How to report it 11 Jun
Just in case you're wondering how to do it, the DoJ has a page entitled "How to Report Internet-Related Crime". Keep in mind that most cybercrime fails to meet the minimum requirements for law enforcement to act on, as there are only so many investigators and there's so much crime. If you can prove a crime (that doesn't meet the damage minimum), you might consider civil prosecution or private investigators.

joat: 20:30:00 11 Jun 2006


Sat, 10 Jun 2006

BYU 10 Jun
If you're willing to dig a bit, this class blog might be a good starting point for surfing crypto/security-related reading.

joat: 20:30:00 10 Jun 2006


Fri, 09 Jun 2006

Free training 09 Jun
From Digg comes a pointer to the U of Wash. crypto course which has been made available online, for free.

joat: 12:00:00 9 Jun 2006


Thu, 08 Jun 2006

RAM Dumping issues 08 Jun
NTSecurity has an article which discusses the issues associated with dumping memory for forensic purposes. Not how, but what might complicate the practice.

joat: 12:00:00 8 Jun 2006


Wed, 07 Jun 2006

Malware Analysis for Admins 07 Jun
Here is a SecurityFocus piece entitled "Malware Analysis for Administrators".

joat: 12:00:00 7 Jun 2006


Tue, 06 Jun 2006

Another Book 06 Jun

joat: 12:00:00 6 Jun 2006


Mon, 05 Jun 2006

KFI Live 05 Jun
Since KFI updated their streaming software, we non-MS users have had issues in listening to the live stream. Mplayer doesn't work because it claims that it's missing a codec and it really doesn't like the multiple forwarders that the web client employs. Try this:
  1. Go here.
  2. Hit "stop" before the page redirects.
  3. Right click on "click here" and select "copy link location"
  4. open a terminal and type mplayer (don't hit return yet)
  5. paste the link (copied earlier) into the command line and hit enter

Depending on the age of this hint, you should start hearing the KFI feed.

joat: 12:00:00 5 Jun 2006


Sun, 04 Jun 2006

HijackThis Logs 04 Jun
NetSecurity has a piece on how to analyze HijackThis logs.

joat: 12:00:00 4 Jun 2006


Sat, 03 Jun 2006

Cryzip Analysis 03 Jun
LURHQ has also posted an analysis of the Cryzip ransomware trojan.

joat: 12:00:00 3 Jun 2006


Fri, 02 Jun 2006

Arhiveus Analysis 02 Jun
LURHQ has posted an analysis of the Arhiveus ransomware trojan.

joat: 20:30:00 2 Jun 2006


Thu, 01 Jun 2006

Google-Asterisk 01 Jun
Correct me if I'm wrong but neither Google nor Digium had anything to do with the connection, though they both acknowledge it. I'd thought that it was developed by a third party.

joat: 23:20:17 1 Jun 2006


Wed, 31 May 2006

Footprinting 31 May
Infosec Writers has a piece about footprinting. Keep in mind that while it's written from the black hat point of view (and is a bit basic), it works the other way too. In other words, the tool and techniques can be used to enforce security also.

You can hook NMap to MySQL and cron with a bit of Perl and get e-mail alerts whenever there's an unauthorized system connected to your network. If your policy permits, you can then "prosecute" the system by gathering as much information as possible from the system without breaking into it (make sure your organization's policy allows this and make sure your supervisors know and support this).

You'd be amazed what info you can gather with NBTScan, SMBClient, NMBClient, SNMPWalk, and NMap. Note: all of these tools can gather information that a normal MS system offers up by default (without authentication). For awhile, the home version of XP not only had default shares, it also had SNMP enabled by default. Between all of those tools, you could determine MAC address, IP address, installed software, logged in users, IM logins, files available via P2P, running software (it's also common that people who disregard the rules concerning unauthorized systems are usually infected with one or more bits of malicious code), misc. keys and serial numbers. Couple that with whatever's available via open shares and it's rare that they can deny that the system was online.

As I no longer have that job, I cannot vouch for what's open by default on XP Home or XP Pro systems. Those systems have had a firewall enabled since SP2 but that often doesn't matter as people who take their laptops everywhere tend to have a lot of holes poked through the firewall.

It might be a learning experience if you turn off your firewall and scan your laptop. (Hint: you not only want to learn what ports are open, you want to discover what services are running on those ports and what info is freely available via those services.) The older an install is, the more info it will usually offer up.

joat: 20:30:00 31 May 2006
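The "NMap plus cron plus a bit of glue" alert described above, as an added example of mine (Python rather than Perl, and not code from the linked article): it reads Nmap's XML output (-oX), keeps the hosts that are up, and reports any whose MAC address isn't in an inventory of authorized systems. The scan below is constructed, as are the MACs, IPs and vendor strings. One caveat the code handles: Nmap only sees MAC addresses for hosts on the scanner's own segment, so a host that is up with no MAC gets reported separately instead of silently passing.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output for a small subnet; every address and vendor is made up.
SAMPLE_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -p T:22,139,445,U:161 -oX scan.xml 192.0.2.0/28" start="1149000000">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<address addr="00:0C:29:AA:BB:01" addrtype="mac" vendor="Example Vendor"/>
<hostnames><hostname name="fileserver.lan" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<address addr="00:16:CB:12:34:56" addrtype="mac" vendor="Example Vendor"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.12" addrtype="ipv4"/></host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.13" addrtype="ipv4"/>
<hostnames/>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port></ports>
</host>
</nmaprun>
"""

# Authorized systems keyed by lower-case MAC, the way an admin's inventory table would hold them.
INVENTORY = {"00:0c:29:aa:bb:01": "fileserver.lan"}


def parse_scan(xml_text):
    """Yield one dict per host Nmap reports as up: ip, mac (None if not seen), vendor, open ports."""
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        info = {"ip": None, "mac": None, "vendor": None, "ports": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                info["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                info["mac"] = addr.get("addr").lower()
                info["vendor"] = addr.get("vendor")
        for port in host.findall("ports/port"):
            state = port.find("state")
            # "open|filtered" (UDP with no answer) counts as worth a look, so match the prefix
            if state is not None and state.get("state", "").startswith("open"):
                service = port.find("service")
                name = service.get("name") if service is not None else None
                info["ports"].append((port.get("protocol"), int(port.get("portid")), name))
        yield info


def unauthorized_hosts(xml_text, inventory):
    """Hosts that are up but whose MAC is absent from the inventory, plus hosts with no MAC at all."""
    alerts = []
    for host in parse_scan(xml_text):
        if host["mac"] is None:
            alerts.append({**host, "reason": "no MAC recorded (not on the scanner's segment?)"})
        elif host["mac"] not in inventory:
            alerts.append({**host, "reason": "MAC not in inventory"})
    return alerts


def format_alerts(alerts):
    """One line per alert, ready to drop into the body of the cron job's e-mail."""
    lines = []
    for a in alerts:
        ports = ", ".join(f"{proto}/{num} {name or '?'}" for proto, num, name in a["ports"]) or "none"
        lines.append(f"{a['ip']} mac={a['mac'] or '-'} vendor={a['vendor'] or '-'}: {a['reason']}; open: {ports}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_alerts(unauthorized_hosts(SAMPLE_SCAN, INVENTORY))))
```

Keying the inventory on MAC rather than IP is what makes this useful on a DHCP segment; the "no MAC" case is the reminder that the same job run from a central box through a router degrades to IP-only matching.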


Tue, 30 May 2006

Linux Device Drivers 30 May
Alexandre Dulaunoy has made the Linux Device Drivers book available. I found that while following a piece about the source code for the Morris Worm.

joat: 20:30:00 30 May 2006


Mon, 29 May 2006

Netflow 29 May
Netflow is another of those really-nice-to-have tools for anyone other than NOC admins. For NOC admins, it's a must-have. In any case, O'Reilly has an article on "Monitoring Network Traffic with Netflow".

joat: 12:00:00 29 May 2006


Sun, 28 May 2006

Reading logs 28 May
I've been saying it for years: the majority of your problems can be detected by simply reading your log files. Of course, effective log file reduction falls somewhere between a skill and a talent.

joat: 12:00:00 28 May 2006


Sat, 27 May 2006

Browser Forensics 27 May
SecurityFocus has a two-part article on Web Browser Forensics (part 1, part 2).

joat: 12:00:00 27 May 2006


Fri, 26 May 2006

Cron 26 May
One of the Unix basics that you need to know is how to schedule tasks. "at" allows you to set up one-time schedules. "cron" allows you to set up repetitive, scheduled tasks. Really Linux has an article on "The Basics of CRON and Linux Automation".

joat: 20:30:00 26 May 2006
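Since cron's five schedule fields trip up nearly everyone at least once, here's an added example of mine (not from the linked article) that parses a 5-field crontab schedule, tells you whether a given minute matches it, and finds the next firing time. It covers "*", lists, ranges and "/step", folds day-of-week 7 onto Sunday, and implements the rule people forget: when both day-of-month and day-of-week are restricted, cron fires when either one matches. The schedules and dates below are constructed.

```python
from datetime import datetime, timedelta

# (low, high) for minute, hour, day-of-month, month, day-of-week (0 and 7 both mean Sunday)
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def expand_field(spec, lo, hi):
    """Expand one crontab field ("*", "*/15", "1-5", "1,15", "1-5/2") into a set of ints."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in field: {spec}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field value out of range: {spec}")
        values.update(range(start, end + 1, step))
    return values


def parse_crontab_entry(entry):
    """Turn "min hour dom month dow" into match sets plus the two 'restricted' flags."""
    fields = entry.split()
    if len(fields) != 5:
        raise ValueError("expected exactly 5 schedule fields")
    minute, hour, dom, month, dow = (
        expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)
    )
    return {
        "minute": minute,
        "hour": hour,
        "dom": dom,
        "month": month,
        "dow": {d % 7 for d in dow},  # 7 -> 0 (Sunday)
        # cron treats a field that starts with '*' (including "*/2") as unrestricted for the
        # day-of-month / day-of-week rule below
        "dom_restricted": not fields[2].startswith("*"),
        "dow_restricted": not fields[4].startswith("*"),
    }


def matches(sched, when):
    """True if the minute `when` falls on is a firing time of the schedule."""
    if (when.minute not in sched["minute"] or when.hour not in sched["hour"]
            or when.month not in sched["month"]):
        return False
    dom_ok = when.day in sched["dom"]
    dow_ok = (when.isoweekday() % 7) in sched["dow"]  # Python Sunday=7 -> cron Sunday=0
    if sched["dom_restricted"] and sched["dow_restricted"]:
        return dom_ok or dow_ok  # the either/or rule
    return dom_ok and dow_ok


def next_run(entry, after):
    """Next firing time strictly after `after`, scanning minute by minute (gives up after a year)."""
    sched = parse_crontab_entry(entry)
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    limit = t + timedelta(days=366)
    while t < limit:
        if matches(sched, t):
            return t
        t += timedelta(minutes=1)
    return None


if __name__ == "__main__":
    now = datetime(2006, 5, 26, 20, 30)  # constructed reference time (a Friday)
    for entry in ("30 2 * * *", "*/15 * * * *", "0 9 1 * 1"):
        print(f"{entry!r:>16} -> next run {next_run(entry, now)}")
```

The third schedule is the one to remember: "0 9 1 * 1" does not mean "the 1st when it is a Monday", it means "the 1st of every month and also every Monday", which is why an audit of a crontab should read those two fields together.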


Thu, 25 May 2006

Basic BW monitoring 25 May

joat: 20:30:00 25 May 2006


Wed, 24 May 2006

Using dates 24 May
If you do any sort of shell scripting, you'll eventually run across the need for using dates. RootPrompt has a pointer to an article entitled "Using dates in shell scripts".

joat: 20:30:00 24 May 2006


Tue, 23 May 2006

Self-Study Course 23 May
Bruce Schneier has penned "A Self-Study Course in Block Cipher Cryptanalysis". Note: biggest pre-requisites --> time and continued interest.

joat: 20:30:00 23 May 2006


Mon, 22 May 2006

Closed source binaries 22 May
Just wanted to add my two cents into the ongoing argument over the use of closed source binaries, including modules, under Linux.

Me? I'm a mutt power user. I use whatever tool best fits the job. I have Linux running under Windows, Windows running under Linux, and misc. *BSD variants. And that's all on one system at home. I can tweak/fix other peoples' C code but can't write my own well enough that I'd show it in public.

While listening to the argument on TLLTS, I disliked the argument that we should wait for drivers to be legally reverse engineered as it keeps the kernel un-tainted. My argument is that I'm still the one that ends up on the short end of the stick.

Case in point: my Hauppauge PVR-250 card. I bought the darn thing when it first came out. Paid "handsomely" for it too. Was forced to run it under a crippled (translation: prone to destructive crashing) version of Windows because that was the only software that was available for it at the time. Waited 3+ years for the Linux world to develop decent drivers and software for it.

Can you guess what the problem is now? The minimum recommended system requirements for Linux are now greater than the capabilities of my system.

If Hauppauge had issued a binary for Linux when the card first came out, I'd still be running whatever version of Linux it required (at least on one partition). It'd be considered ancient by now but I'd have 3+ years of enjoying the use of the hardware. Now it's 3+ years later, I finally have the Linux software to access the 3+ year-old card and the software won't run because my system is too damn slow.

Yeah, Mr. Stallman, it's for the good of mankind that we suffer. (Hint: that was sarcasm.)

joat: 20:30:00 22 May 2006


Sun, 21 May 2006

HTTP Attacks 21 May
This article is almost six months old but "Detecting and Preventing HTTP Response Splitting and HTTP Request Smuggling Attacks at the TCP Level" is still valid (and interesting).

joat: 20:30:00 21 May 2006
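As an added example of the response-splitting half of that paper (my code, not the paper's): the function that builds a redirect straight from a user-supplied value is shown deliberately vulnerable beside its hardened twin, and a small splitter shows what a naive downstream parser would make of the bytes. The injected value is constructed for the test; the fix is simply refusing any header value that carries a CR, LF or other control character before it reaches the wire.

```python
def build_redirect_unsafe(location):
    """Deliberately vulnerable: copies a user-controlled value into a header with no
    check for CR/LF, so a value containing a blank line ends the first response and
    lets the rest of the value pose as a second one."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def is_clean_header_value(value):
    """A header value may not contain CR, LF or any other control character."""
    return not any(ord(ch) < 0x20 or ch == "\x7f" for ch in value)


def build_redirect_safe(location):
    """Hardened form: validate, then build exactly the same bytes as the unsafe version."""
    if not is_clean_header_value(location):
        raise ValueError("header value contains control characters")
    return build_redirect_unsafe(location)


def split_responses(raw):
    """Status lines of every message a naive parser would see in the byte stream;
    more than one for a single redirect means the split succeeded."""
    return [
        chunk.split(b"\r\n", 1)[0]
        for chunk in raw.split(b"\r\n\r\n")
        if chunk.startswith(b"HTTP/")
    ]


# Constructed test value: a path followed by a blank line and a second, attacker-shaped response.
INJECTED_LOCATION = (
    "/home\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 21\r\n\r\n"
    "<html>injected</html>"
)

if __name__ == "__main__":
    print("unsafe builder, clean input :", split_responses(build_redirect_unsafe("/home")))
    print("unsafe builder, injected    :", split_responses(build_redirect_unsafe(INJECTED_LOCATION)))
    try:
        build_redirect_safe(INJECTED_LOCATION)
    except ValueError as exc:
        print("safe builder, injected      : rejected,", exc)
```

Rejecting rather than stripping is the right default: a value that needed a newline removed was never a valid URL to begin with, and silently "fixing" it hides the attempt from your logs.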


Sat, 20 May 2006

Comment section 20 May
I'm experimenting with anti-spam code in the comment section again so please tolerate a few mistakes.

joat: 12:00:00 20 May 2006


Fri, 19 May 2006

Can you do this? 19 May
I know that WinME can't and Linux barely can, but can XP do the following at the same time:
  • transcode 20GB of conference videos
  • push 6GB through SSH
  • pull another 1.5 GB from HTTP
  • pull/share 300MB podcasts with BitTorrent
  • view Bloglines with Firefox
  • edit a text file (this one) with Vi
  • chat in IRC

The above has to occur without serious latency or interaction. Admittedly most of the above are text-based and/or tunable, but I'm wondering if XP can do it too. Yes, there are days when I don't use more than one side of the dual boot and, yes, there are good reasons to use XP. Just don't ask me to list them after 6 p.m. (As I write this, it's 8:30 p.m.)

joat: 12:00:00 19 May 2006


Thu, 18 May 2006

Google 18 May
Okay, I got it off of Digg but 10 Things You Might Not Know About Google is pretty interesting.

joat: 12:00:00 18 May 2006


Wed, 17 May 2006

ShmooCon! 17 May
Psst! According to this (look in the upper right corner), the next ShmooCon is March 22-25, 2007. Pass it on!!

joat: 20:30:00 17 May 2006


Tue, 16 May 2006

hack.lu 16 May
The presentations from the 2005 HackLu conference are interesting. (Videos are near the bottom.)

joat: 12:00:00 16 May 2006


Mon, 15 May 2006

22C3 15 May
Not sure if I posted this previously but here are the videos of the presentations at last year's 22C3.

For me, it looks like most of a day to download and at least a week to transcode to something the DSM-320 can handle (they're all MP4's).

joat: 12:00:00 15 May 2006


Sun, 14 May 2006

Password myth 14 May
Here is a piece which argues that changing passwords on a periodic basis is no longer effective. I dislike the article not for its position but for the assumptions underlying the author's arguments. Example: He argues that passwords can be quickly cracked by various modern day programs. He assumes that the attacker already has custody of your password file. If that's the case, you have other problems too. With sufficient layered defenses, this wouldn't be the case.

It all boils back to deciding on what you need to do to adequately protect (there's no 100% solution) whatever it is you're protecting.

joat: 20:30:00 14 May 2006


Sat, 13 May 2006

DFRWS Challenge 13 May
For all of you digital forensics types, the Digital Forensic Research Workshop has a File Carving Challenge for you. The object is to extract as many complete files from the 50MB target data set as possible. Deadline for submissions is 17 July. Enjoy!

Update: Almost forgot to mention that the organizers are Brian Carrier, Eoghan Casey (a former instructor of mine), and Wietse Venema. If you have to ask who they are, maybe you shouldn't bother entering. (heh)

joat: 20:30:00 13 May 2006


Fri, 12 May 2006

Not his idea 12 May
Saw this patent application in Digg. I'd like to dispute it. If you read the "Claims" section, you'd realize that this guy was abducted by aliens (happens to all of us) and they deposited him at a distance down the street calculated from his walking speed at the time of the abduction and the amount of time it took to probe him. All that other stuff about constructing the device is just kruft the aliens implanted in his brain.

Seriously, this should have been filtered out of the process early on, not posted on a ".gov" site. I'm starting to agree that the patent process needs a bit of review.

joat: 20:30:00 12 May 2006


Thu, 11 May 2006

AVW-1000 and 802.11 11 May
A long time ago, I bought a Grandtec AVW-1000 wireless video link to show videos in a class room without having to run cables back to the projector. I no longer have the classroom but I still have the AVW-1000. The problem is that it uses the same frequencies as my wireless network and the cordless phone.

Here are my notes on figuring out what channels to use on each device. So far, I've only included the AVW-1000 and 802.11b but it's a start.

joat: 12:00:00 11 May 2006


Wed, 10 May 2006

ROFL 10 May
Hahahahahahahahahahahaha....

Don't get me wrong, I don't hate Microsoft. It's their marketing department that I have issues with. And their shills.

One thing that programmers (Linux and Microsoft and others) rarely "get" is that adding complexity rarely improves security. By adding features, they're only rearranging the playing field and making it bigger.

Microsoft will do away with the market for antispyware and desktop firewalls? That's about as accurate as the "Nobody's been to the server room in days" commercial.

(heh)

joat: 12:00:00 10 May 2006


Tue, 09 May 2006

D'oh! 09 May
It's sad to see that some people (who should know better) still can't recognize the difference between "open standard" and "open source". Sadly, for most, it's not an easy distinction because the vendor at the center of it all promotes it as the same thing. (I've sat in on two of their dog and pony shows and the presenters purposely mix the two.)

What's not being said was that the RFP for the plug-in was released after the vendor refused to provide it themselves. If you read the RFP, it does not block anyone from participating (open source or proprietary). Now that someone else has provided the plug-in, they're crying foul? I call "Shenanigans! Get your brooms!"

Ms. Wyne is either ignorant or a shill. That she works for a company which specializes in computer training, I tend to believe the latter.

Update: The ISC organization that Ms. Wyne is associated with isn't the one that we normally associate with that acronym so I can't accuse her of "knowing better" as much as I'd initially thought. Hey! Isn't that exactly the type of crime that Ms. Wyne is whinging about? I think that it's time that a certain tech organization enforce its trademark (here in the U.S., if you don't actively enforce your trademarks, you lose them).

Update 2: In any case, I've asked CompTIA to explain the difference between "open source" and "open standard". I'm not holding my breath for a reply though.

joat: 20:30:00 9 May 2006


802.11 security links 09 May
Here is a large link page for 802.11 security-related info.

joat: 12:00:00 9 May 2006


Mon, 08 May 2006

SNMP Config Attack with a GRE Tunnel 08 May
Here is an interesting analysis of an SNMP attack with a Generic Routing Encapsulation tunnel thrown in for fun.

joat: 12:00:00 8 May 2006


Sun, 07 May 2006

Old school 07 May
For you history buffs, here's analyses on Stacheldraht and Trinoo.

joat: 12:00:00 7 May 2006


Sat, 06 May 2006

Web bots 06 May
Ever wonder what those programs were, crawling your site and showing up in your logs? I bet The Web Robot Pages helps in your research.

joat: 12:00:00 6 May 2006


Fri, 05 May 2006

Detecting WLAN MAC Spoofing 05 May
Here's Josh Wright's paper on Detecting WLAN MAC Address Spoofing.

joat: 12:00:00 5 May 2006


Thu, 04 May 2006

ePrint 04 May
Hopefully y'all will find the Cryptology ePrint Archive useful/interesting. Most of it is over my head.

joat: 12:00:00 4 May 2006


Wed, 03 May 2006

DNS Amplification Attacks 03 May
Here's a paper (about 6 weeks old) on DNS Amplification Attacks. This sort of attack has panicked certain types, causing them to do odd things with their DNS servers (external and internal) including dedicated functions, employing DNSSEC where it is useless, and/or buying more of the usual snake oil.

I think part of the panic originates in the (improper) assumption that DNS servers are like home computers, in that they think most insecure DNS servers will remain insecure. I think that this is incorrect because DNS servers are usually run by trained personnel and are usually located in network segments where bit usage is purchased at a flat rate. While this sort of attack surfaces periodically, it also goes away periodically as the admins catch on and tighten up their servers. I think the problem returns as admins move on/up and are replaced by newer personnel who also have to learn the hard way.

joat: 12:00:00 3 May 2006


Tue, 02 May 2006

Fragmentation 02 May
This one is for my own notes...

The Final Nail in WEP's Coffin talks about problems in WEP. Yeah, it's old news but it also talks about fragmentation and it mentions a couple tools that I'm researching.

joat: 12:00:00 2 May 2006


Mon, 01 May 2006

Layer 2 Analysis 01 May
Here is Josh Wright's paper on Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection.

joat: 12:00:00 1 May 2006


Sun, 30 Apr 2006

Finals 30 Apr
Finals are this week so this means that, for any of Rob's old students, we'll be at our final in the usual place in Portsmouth on Thursday evening. (heh) Please remember their policy concerning charge cards and individual order payment (i.e., bring cash!). The extended forecast says "isolated thunderstorms" so you may want to include an umbrella when you leave for work that morning.

joat: 18:00:00 30 Apr 2006


Return of comment spam 30 Apr
It took all of 45 seconds for the old/new comment system to receive spam. I'm now up to about a dozen an hour. You don't see it because of the blog's manual review system.

In any case, it's prompted the return of the warning label at the bottom of this page. If you plan on using this system for unsolicited advertising, you're required to read the policy as submission of content comprises agreement.

joat: 16:00:00 30 Apr 2006


DRM 30 Apr
The "Using Rootkits to Defeat DRM" article is a couple months old but the discussion in the comments is interesting. Some of it relates to what I experienced when I installed the Digium TDM400P card on my computer (the software didn't recognize the card, assumed "evil-by-default" and disabled various licenses for legitimately purchased software). Add a very-difficult-to-locate customer service department to that and I understand a lot of the attitude. Not that I condone it, mind you, but I do understand it.

joat: 12:00:00 30 Apr 2006


Sat, 29 Apr 2006

Nothing 29 Apr
I did very little today that would be considered productive by most. Geek-wise, I had a busy day, though little of it was security related (no security-related blog post today). I set up a wiki to develop a curriculum for a possible class, coded a prototype Del.icio.us clone (not showable yet), fixed the comment system here, and cleaned up a butt ton of wiki kruft.

I still have to work on a class project, rebuild a laptop, tweak DoomCube code, download and burn the week's podcasts to disk, and take a nap. Something's not going to get done...

joat: 16:00:00 29 Apr 2006


Fri, 28 Apr 2006

Comment section 28 Apr
The problem with the local comment section has been located and I'm working on getting it working again. For the next day or so, there'll be two links for comments at the bottom of each story. Please use the left-hand one if you want to make a comment.

I will work on moving the comments from HaloScan to the local system. Thanks for putting up with it.

joat: 20:30:00 28 Apr 2006


Thu, 27 Apr 2006

Ob/De-ob 27 Apr
This page has been up for a very long time but it contains still-valuable information on obfuscating/de-obfuscating URLs.

joat: 12:00:00 27 Apr 2006


Wed, 26 Apr 2006

IETF 26 Apr
The site is a bit rarefied but a lot of the work by the IETF working groups is important to "how things work".

joat: 12:00:00 26 Apr 2006


Tue, 25 Apr 2006

Cube! 25 Apr
It isn't "The Spinning Cube of Potential Doom" but it's somewhat similar. Here's DoomCube.

joat: 20:30:00 25 Apr 2006


WLAN MAC Address Spoofing 25 Apr
Here is an interesting paper from Josh Wright which discusses MAC address spoofing in wireless networks.

joat: 12:00:00 25 Apr 2006


Mon, 24 Apr 2006

C++ 24 Apr
I don't know its value as a tutorial but Allen Downey's How to Think Like a Computer Scientist is a good refresher reference.

joat: 12:00:00 24 Apr 2006


Sun, 23 Apr 2006

Day 1 23 Apr
I was able to fend off the install for almost 4 years but I finally got so frustrated with the ME crashes that I purchased/installed XP. I then installed all of the usual tools (anti-spam, anti-virus, etc.). All this for one lousy game series that I like playing...

Consider this Day 1 of the count towards the next file system damaging crash.

joat: 20:30:00 23 Apr 2006


Sat, 22 Apr 2006

SHA-1 22 Apr
Here's the presentation and video from last year's IACR on the "New Collision Search for SHA-1".

joat: 20:30:00 22 Apr 2006


Fri, 21 Apr 2006

Vi 21 Apr
I haven't evangelized on the advantages of using Vi in a long time. People who know it well enough cannot function without it. (Though they often curse the people who forced them to learn it.) In any case, here is the U. of H.'s Vi Tutorial.

Damn you Bob Acosta! (heh)

joat: 20:30:00 21 Apr 2006


Thu, 20 Apr 2006

Time-Memory Trade-Off 20 Apr
Linux Exposed has a good basic description of the time-memory trade-off attack on passwords.

joat: 20:30:00 20 Apr 2006


Wed, 19 Apr 2006

Nice 19 Apr
Here is a recent article, entitled "Performance tuning Unix systems" which discusses the use of "nice".

joat: 20:30:00 19 Apr 2006


Tue, 18 Apr 2006

GoogleTalk + Asterisk 18 Apr
I'm going to have to try this. Serge Mankovski has cooked up a way to hook GoogleTalk to Asterisk and is even offering a VM of his experiment. The cool thing is that my hardphone will likely work with this also.

joat: 12:00:00 18 Apr 2006


Mon, 17 Apr 2006

Gizmo's Picks 17 Apr
Tech Support Alert has a Windows-oriented article entitled "The 46 Best-ever Freeware Utilities". While I don't agree with a lot of their picks, it does list a lot of good security tools for Windows users.

joat: 12:00:00 17 Apr 2006


Sun, 16 Apr 2006

MessenPass 16 Apr
I'm not sure of the accuracy (or even if it contains problems of its own) but MessenPass looks like it has some value in a first responder/forensic toolkit. It allows you to recover IM passwords of a logged in user (local machine only).

joat: 20:30:00 16 Apr 2006


Sat, 15 Apr 2006

Captchas 15 Apr
For my own reference (I've needed it before): here is Boing Boing's piece on how spammers get around captchas with porn.

joat: 20:30:00 15 Apr 2006


Fri, 14 Apr 2006

HRSUG 14 Apr
I managed to miss this month's HRSUG meeting so I also missed the chance to ask about how the Snort/Sourcefire people felt about the purchase being blocked. Anyone know?

joat: 20:30:00 14 Apr 2006


Thu, 13 Apr 2006

More DNS trouble 13 Apr
Milton Mueller has written an article in which he's proud that the ICANN members have voted to protect the "privacy" of domain registrants. What's not said in the article is that the vote was directly beneficial to those voting. In other words, their biggest customers (the spammers that cycle through hundreds if not thousands of domains in a year) are protected.

The drawback is that they're also likely to turn themselves into a legal organization as this "advantage" gets exploited to its limits. It will also draw them into a tight relationship with the U.S. Government, the same one that they're now proud to have defeated. This is because only those with enough resources to repeatedly subpoena information from the registrants will be able to get it. In other words, Microsoft and the USG. The rest of us security types are left out in the cold.

Unless ICANN starts policing the environment they control, allowing people to hide behind false or hidden identities, I wouldn't be surprised at the type of law suits they'll face in the coming years, especially if the situation gets so bad that government feels the need to step in. This will get quite interesting in the next few years.

joat: 12:00:00 13 Apr 2006


Wed, 12 Apr 2006

Don't do it 12 Apr
This is an explanation of "why TCP over TCP (tunneling) is a bad thing". It's one of those bits of knowledge you need to know when dealing with VPNs, especially if you're using tunnels in tunnels or employing mobile IP in any form.

joat: 12:00:00 12 Apr 2006


Tue, 11 Apr 2006

Make 11 Apr
For my own reference: here is a cheat sheet for makefiles. Actually, it's a howto for writing makefiles but it's helpful in debugging an uncooperative compile.

joat: 12:00:00 11 Apr 2006


Mon, 10 Apr 2006

Web browser forensics 10 Apr
SecurityFocus has a very good article on web browser forensics. If your job involves investigating suspicious user activity, this is one of the must-knows. (Hint: more should be written on the topic.)

joat: 12:00:00 10 Apr 2006


Sun, 09 Apr 2006

Forensics Wiki 09 Apr
Here's the Forensics Wiki.

joat: 20:30:00 9 Apr 2006


Sat, 08 Apr 2006

Portable Apps 08 Apr
If you're in network management, the following is "a bad thing". If you travel a lot and use a lot of hotel business center computers, it's likely "a good thing". In any case, someone at Wikipedia is maintaining a list of portable applications (stuff you can carry around on your flash drive and run as needed).

joat: 20:30:00 8 Apr 2006


Fri, 07 Apr 2006

NSLU2 update 07 Apr
With all of the crap that I attempted to run on the NSLU2, it was no surprise that the box showed a tendency to lock up after a couple hours' run time (though the amount of stuff running to cause that was impressive: Apache, MySQL, Mediawiki, uShare, DNS, screen'd sessions, thttpd, Samba, NFS, not to mention a scripted tcpdump session (an attempt to watch problems that a second-hand network print server was causing)). I've cleaned up the start-up scripts and uninstalled a lot of the ipkgs. Let's see how long it'll hold up unattended now...

joat: 20:30:00 7 Apr 2006


Thu, 06 Apr 2006

Gone missing 06 Apr
Apologies for not pushing stories onto the blog this week. I've been very busy, what with it being the first week of the month (evening meetings) and working on a large coding project for class. I will back fill shortly.

joat: 20:30:00 6 Apr 2006


Wed, 05 Apr 2006

Metasploit 05 Apr
Rob: Save a chair for me in the next class for the week you talk about Metasploit (link to H. D. Moore's slide set).

joat: 20:30:00 5 Apr 2006


Tue, 04 Apr 2006

Yahoo Click-Fraud 04 Apr
Here is an analysis of one of the ways that the spammers do it (generate income) nowadays.

joat: 20:30:00 4 Apr 2006


Mon, 03 Apr 2006

Browser fuzzing 03 Apr
Ever wonder how some bugs are discovered? Some of them are found via analysis, others are found via a form of brute forcing (with illegal input) called fuzzing. Here is a discussion of fuzzing applied to web browsers.

joat: 20:30:00 3 Apr 2006


Sun, 02 Apr 2006

BSOD 02 Apr
Note to self: You need more lead time when trying to get an unfamiliar tool (Wand's BSOD, not the MS BSOD) up and running.

joat: 20:30:00 2 Apr 2006


Sat, 01 Apr 2006

uShare 01 Apr
I was messing around with the NSLU2 again last night. With a bit of Google searching, I was able to find the list of files to load to enable compiling on the NSLU2. After that, I experimented with getting a UPnP Media Server built (so's I can watch various podcasts/vidcasts in the living room via a DLink media converter).

MediaTomb failed early, complaining that the environment couldn't compile C++ programs.

uShare did compile with a bit of tweaking. I've put my notes here. I can now watch my ShmooCon vids in the living room, on a decent-sized screen.

If you use my notes to build your own, please let me know. If you figure out how to add capabilities, also please let me know.

joat: 17:00:00 1 Apr 2006


Fri, 31 Mar 2006

Journal listings 31 Mar
Looking for something to read? Try digging here.

joat: 13:00:00 31 Mar 2006


Thu, 30 Mar 2006

root-tail 30 Mar
root-tail is one of those tools that remains valuable, even though it was written years ago. It allows you to tail multiple log files at the same time.

joat: 13:00:00 30 Mar 2006


Wed, 29 Mar 2006

Wi-viz 29 Mar
(*sigh*) It's getting crowded around here. Used to be it was just Retch and my network 'round here. (heh)

joat: 13:30:00 29 Mar 2006


Bluetooth Security 29 Mar
Bluetooth is one of those services that highlights the fact that people are willing to give up security for convenience. Last night I realized just how convenient it is. This is my first phone with a Bluetooth headset. It also has voice dial which I've gotten into the habit of using. I parked in front of a store and called my wife while I walked in. It wasn't until I was in the dairy section that the call dropped out and I realized that my phone was still in the car. (heh)

In any case, here is a large link page for Bluetooth-related info.

joat: