

(J)ack (O)f (A)ll (T)rades
Mostly Security, Some
Blogging, Misc. Admin,
and Bits of My Life.










Tue, 25 Dec 2007

Happy Holidays 25 Dec
Merry Christmas y'all! (Yeah, I'm from that part of the country.)

I'm thankful that I still have both sets of parents, a number of siblings, my wife, my kids, and a number of friends and still-welcome strays (shouts to the Garage Troll) who've passed through our lives in the past year. Here's hoping that you have good fortune and quiet lives in the coming year.

joat: 07:55:27 25 Dec 2007


Sun, 23 Dec 2007

Home down for maintenance 23 Dec
I'm offline for a couple days, rebuilding my home system with a commercial version. If that doesn't work well, I'll temporarily switch to Ubuntu. Primary need is a real-time kernel and ability to compile Zaptel.

joat: 20:40:37 23 Dec 2007


Sat, 22 Dec 2007

Augh!! 22 Dec
Of course! We buy our son a laptop, with 1GB of memory, for Christmas/moving out and industry announces that it's increasing the standard to 4GB. Augh!!

(heh)

joat: 08:56:44 22 Dec 2007


Fri, 21 Dec 2007

VOIP Users' Conference 21 Dec
Joined the VOIP Users' Conference Call this morning. This was the first chance I've had to join in since I discovered it a few weeks ago. A lot of polite people. Thanks for putting up with me, guys.

For those that aren't familiar with the VUCC, it's a Talkshoe-based conference call held every Friday at noon (EST). I've added the badge for it to the left.

joat: 15:12:16 21 Dec 2007


Thu, 20 Dec 2007

Shmoocon count-down 20 Dec
(heh)

Courtesy of: the Flash Countdown Timer

joat: 22:30:27 20 Dec 2007


Wed, 19 Dec 2007

Port-Sec 19 Dec
I'd guess that what amounts to the Port-Sec (PSec? Portsmouth-Sec) dinner occurred tonight. Those of us that attend (or teach) the series of network security classes (instigated by Rob) at the local college get together twice a year to eat German food and enjoy each other's conversation. Because we're all geeks (Erika, if you deny it, we'll just call you geek-by-association), the conversation tends to center around computers, networks, and security. Thus my claim to the Port-Sec monicker.

The cool thing about this is that we've been holding these dinners for much longer than the whole Bean-Sec/Chi-Sec thing has been going on. This evening's dinner was much more enjoyable because it was a much smaller group. We didn't invite many of the first-year students so the group was able to eat at one large table and we were all able to hear each other (a first!).

The only drawback to the entire evening was the food. Since "Mama" at the Biergarden (in Portsmouth) doesn't "drive" the kitchen any more, the quality of the food has slipped to the point where it's recognizable that it's German food cooked by someone who's not familiar with it. Authentic German food (that is, good food) has a taste that is based not only on its ingredients, but also how the pans are handled, how the stove is operated, and how the prep surfaces are cleaned. All that I can say is that the Biergarden in Portsmouth, VA is now in dire need of a good German cook. If they don't get one, they risk losing a good-sized chunk of their clientele. (For anyone that has a German grandmother, here's a hint: I didn't have seconds, not even of the spaetzle.)

For those that didn't attend tonight, you missed a good time (food notwithstanding). Hopefully you'll be able to attend in the Spring.

joat: 23:23:19 19 Dec 2007


Tue, 18 Dec 2007

Mozilla phone 18 Dec
One of the things that has always annoyed me concerning those really nice VoIP interfaces for Outlook was that most of them are limited to Outlook. Because I normally use a number of operating systems, many of them non-Windows, my ears tend to perk up when something like AbbeyPhone comes along.

It appears to be a SIP-based plugin for Firefox and Thunderbird, capable of running on Windows, Mac, and Linux. It also isn't tied to any one service provider like so many other VoIP tools nowadays.

Sooo... It looks like I'll be playing with it in the near future, seeing how well it works with Linux. I'll keep you posted.

joat: 05:41:56 18 Dec 2007


Sun, 16 Dec 2007

Asterisk and TalkShoe 16 Dec
If you want to connect to a TalkShoe conference via Asterisk, I've worked out a number of ways you can authenticate to TalkShoe from the dial plan. Notes are in the wiki.

joat: 11:40:13 16 Dec 2007


Wed, 12 Dec 2007

Request for public comments? 12 Dec
The older I get, the more I realize that the things you say/write will either have unintended side-effects or will show up in some very interesting places. And, as such, you should be very careful in your choice of words (I was) when someone asks your opinion (even in forums like public Requests for Comment (RFCs)). Hopefully, this blog doesn't count because you receive my opinion without asking for it.

A friend's recent vanity search, which turned up some unexpected responses, prompted me to do one of my own (it's been awhile). The short version of this story is that I may not yet have visited Congress, but my words have. Yikes!

Okay, it was a RFC dealing with constraints on how a specific organization should make its data publicly available. Nothing major but what happens to your words, after they leave your head, can be quite interesting.

joat: 06:38:01 12 Dec 2007


Tue, 11 Dec 2007

ACM update 11 Dec
Had a bit of time to play with the code and added another conference room to the manager and the ability to push calls between the two. The code needs to be cleaned up a bit but you can get an idea of what it does with the below pic. My wife says it's an ugly interface but I'm not one to argue; we both agreed that I have no sense of style/aesthetics about 15 years back.

joat: 23:17:03 11 Dec 2007


Sun, 09 Dec 2007

Firefly 09 Dec
Cool! The SciFi Channel is running a number of the Firefly episodes on the 14th!

joat: 11:12:15 9 Dec 2007


Sat, 08 Dec 2007

System updates 08 Dec
I admit it. I do horrendous things to my Linux systems, often breaking them, sometimes so horribly that the only way to repair them is to reinstall. Such is the case this week. My Mandriva 2007 has suffered a number of "upgrades" and "tweaks" over the past year, so much so that certain services were getting to be a bit unstable.

As I'd been planning to experiment with the Jackd Audio Distro (JAD) and Ubuntu Studio, I downloaded and installed them first. In short, there are a number of tools in those distros that I'd like to have running. However, JAD is FC6-based and Ubuntu Studio is a version or two behind. In other words, there are a number of "known" issues that more recent distros have fixed and that I'm not willing to live with.

For me, the remaining choices were FC8 and Mandriva 2008. I've been hearing good things about FC8 and decided to try that first. Sadly, it's still a bit short in detecting hardware, specifically my stock (built-in) NVidia 6xxx video card. It still has the invisible mouse issue and still requires that the NVidia drivers be installed manually, including a number of prerequisites that the beginning user would find near-impossible to install.

So it's back to Mandriva. It detects the video card properly at install and autoloads the kernel modules for it. The Easy Urpmi service is also available which covers for a number of missing packages in the "free" Mandriva distro.

The one shortcoming in Mandriva that I have to work around is a number of odd RPM dependencies, due to the number of RPM authors who maybe didn't do as much due diligence as they should. My work-around: use Easy Urpmi for installing languages and their dependencies. Everything else, build from scratch. For some of the more cutting-edge stuff (e.g., stuff still in development), you have to build from source anyways.

So here I am blogging, while texlive-texmf (a _really_ big bundle) installs via Easy Urpmi and miscellaneous OCaml libraries are compiling from source. This should take most of the morning.....

joat: 09:46:34 8 Dec 2007


Thu, 06 Dec 2007

Music-on-hold Alternatives 06 Dec
One of the difficulties in using Asterisk is that danged reliance on mpg123 to play MP3's and/or streams. In other words, mpg123 is used to transcode "on the fly". The drawback is that this tool doesn't always work as expected. Audio can, and will, drop out without notice and come back minutes later, also without warning.

In response to an exceedingly bad week of trying to get mpg123 to tolerate some high-end netcasts, I've decided to document alternatives to mpg123.

joat: 23:16:32 6 Dec 2007


Wed, 05 Dec 2007

With friends like these 05 Dec
Hmmm.. I'm the 10,000th visitor to Digg in 2007? (Yay!) Why don't I feel safe clicking on that link? (Somebody should check on where they're getting their ads from!)

joat: 23:57:23 5 Dec 2007


Sun, 02 Dec 2007

AMI Notes 02 Dec
I've put miscellaneous notes relating to the Asterisk Management Interface in the wiki, basically describing how my adaptation of the conference manager works.

joat: 10:58:53 2 Dec 2007


Tue, 27 Nov 2007

ACM update 27 Nov
I'm having a lot of fun with the Asterisk Manager Interface (AMI). Where I previously relied on .call scripts to start streaming the conversation in the conference room, I now have a button on the conf. mgr. interface (pic below).

The Kick and Mute/Unmute buttons are kinda obvious. The "Muzak" button starts playing music into the conference room. The stream button starts streaming the conference room to a local Icecast server. The "trick" behind these last two buttons is the "Originate" function call in the AMI.

Next up: being able to edit the caller's name and their topic (can you guess where I'm going with this?) and being able to push callers back and forth between queues and conference rooms. Maybe a bridge between conference rooms?

joat: 20:10:55 27 Nov 2007
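
The Originate call behind the "Muzak" and stream buttons, sketched as an added example (this is not the ACM code or John's original script). The Local/ helper extensions, the conf-helpers context, room 1234 and the ActionID values are assumptions, and the sample capture is constructed. Because the manager sits behind a web page, the encoder refuses CR/LF in any field so a form value cannot append its own AMI headers.

```python
"""AMI framing for an Originate-driven conference button (added example)."""

CRLF = "\r\n"

# Assumption: two hypothetical dialplan extensions in a "conf-helpers" context,
# one playing music on hold, one feeding an Icecast source client.
ALLOWED_HELPERS = {"moh", "stream"}


def encode_action(action, **headers):
    """Serialise one AMI action: 'Key: Value' lines closed by a blank line."""
    fields = [("Action", action)] + list(headers.items())
    lines = []
    for key, value in fields:
        value = str(value)
        # AMI is line-oriented: a CR or LF inside a value would begin a new
        # header (or a whole new action), so reject it instead of sending it.
        if "\r" in key + value or "\n" in key + value:
            raise ValueError("CR/LF not allowed in AMI field %r" % key)
        lines.append("%s: %s" % (key, value))
    return (CRLF.join(lines) + CRLF * 2).encode("utf-8")


def originate_into_room(helper, room, action_id):
    """Build the Originate that drops a helper channel into a MeetMe room."""
    if helper not in ALLOWED_HELPERS:
        raise ValueError("unknown helper %r" % helper)
    if not str(room).isdigit():
        raise ValueError("conference room must be numeric")
    return encode_action(
        "Originate",
        Channel="Local/%s@conf-helpers" % helper,  # hypothetical extension
        Application="MeetMe",
        Data=str(room),
        Async="true",          # return at once; the result arrives as an event
        ActionID=action_id,    # echoed back so the reply can be matched
    )


def parse_messages(buffer):
    """Split raw socket bytes into (complete messages, unparsed remainder)."""
    messages = []
    while b"\r\n\r\n" in buffer:
        raw, buffer = buffer.split(b"\r\n\r\n", 1)
        msg = {}
        for line in raw.decode("utf-8", "replace").split(CRLF):
            key, sep, value = line.partition(":")
            if sep:  # the greeting banner has no colon and is skipped
                msg[key.strip()] = value.strip()
        if msg:
            messages.append(msg)
    return messages, buffer


def result_for(messages, action_id):
    """Return the Response value for one ActionID, or None if not seen yet."""
    for msg in messages:
        if msg.get("ActionID") == action_id and "Response" in msg:
            return msg["Response"]
    return None


# Constructed capture: banner, login reply, Originate reply, and the start of
# an event that has not fully arrived yet.
SAMPLE = (
    b"Asterisk Call Manager/1.0\r\n"
    b"Response: Success\r\nActionID: login-1\r\n"
    b"Message: Authentication accepted\r\n\r\n"
    b"Response: Success\r\nActionID: muzak-1\r\n"
    b"Message: Originate successfully queued\r\n\r\n"
    b"Event: MeetmeJoin\r\nMeetme: 1234\r\nUser"
)

if __name__ == "__main__":
    print(originate_into_room("moh", "1234", "muzak-1").decode())
    msgs, rest = parse_messages(SAMPLE)
    print(result_for(msgs, "muzak-1"), "| bytes still buffered:", len(rest))
    try:
        originate_into_room("moh", "1234", "x\r\nAction: Logoff")
    except ValueError as err:
        print("rejected:", err)
```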


Sun, 25 Nov 2007

I R one! 25 Nov
As of 2 p.m. today, I've recert'd GSEC and have picked up GCIH. I'm also quite brain dead and a bit computer-averse at the moment. What a way to spend a Sunday afternoon!

joat: 13:59:37 25 Nov 2007


Sat, 24 Nov 2007

Further experimentation 24 Nov
Sparks lent a hand in testing out the setup (screen capture below). That's an inbound Icecast stream (muted so we could talk), an outbound Icecast stream (for podcasting), two cell phones and two Skype clients. There was a little bit of echo but I think that was cross-over due to the proximity of the handsets.

It's surprising to see that IPKall and FWD allow more than one concurrent inbound call. I'll need to do a bit more research to figure out what the limits are, both remote and on my system (what with all the other daemons that are running).

Note that I've updated the mute/unmute code.

Thanks for the assist, Sparks!

joat: 16:06:47 24 Nov 2007


Disclaimers for "Asterisk Conference Manager" 24 Nov
Before anyone uses the code for ACM, let me spit out a few disclaimers:
  • The code is GPL'd by the original author. The usual terms apply.
  • The original author's disclaimers, and those for the Asterisk Manager Interface (AMI), where the security of this program primarily relies on your ability to limit access to it, still exist.
  • The program is written in PHP and AJAX (or what passes for it). I suck at PHP and AJAX. Keep in mind that the program is little more than a page scraper for the AMI. What this means is that the code is likely to be very version-dependent. (I'm running Asterisk 1.4.x.) It works but you can't hold any of the coders responsible for maintaining it. Any changes/updates to the underlying platform will likely break ACM's functions.
  • Running this service keeps an open connection on your web server. Firefox and/or IE are likely to be poor choices for browser interfaces for this program. Both are memory hogs and eat up a chunk of memory. I run a lot of crap on the same machine as this one. Heavy use of the underlying web server, with Firefox, does generate audio artifacts. Your mileage will vary.

In any case, please let me know if you find it useful or want to suggest changes.

joat: 07:55:36 24 Nov 2007


Fri, 23 Nov 2007

Asterisk Conference Manager 23 Nov
I've been playing with Asterisk for awhile now. In hooking it to Icecast and Liquidsoap, I needed to come up with some sort of management system for the conference calls.

Meetme Manager really didn't fit the bill. I liked the available controls but hated that you had to click on something to update the page. This meant either a local GUI or an Ajax-driven web interface.

Luckily, John at Asterikast had played with an Ajax (I think it's Ajax) interface which maintains a connection to the Asterisk Management Interface (AMI). The drawback to John's script is that it hasn't seen an update since he posted the code last March. I did like the baseline code though, so I've made a few changes.

The major revisions are in the output.php file. There seemed to be a lot of code to perform just a few functions. I've heavily edited that so that it now recognizes local connections and miscellaneous SIP connections that didn't meet the original filter constraints.

John's original code only allowed for kicking users. I've added mute/unmute controls. Currently, it's been demonstrated to handle local internal connections (.call connections for MOH), SIP calls from the local network, and IAX2 calls via IPKall and FWD (Yeah, I call Washington State to connect to my own machine in Virginia Beach. What the heck, it doesn't cost extra...).

The new code is here. I plan on adding color coding for muted/unmuted callers and to experiment with much more of the AMI features.

For giggles, here's a screenshot. That's my son dialed in via a SIP hardware phone, me dialed in via SkypeOut (via IPKall and FWD), while .call scripts pull in a Liquidsoap-generated stream from Icecast and push the resulting conference stream back to the same Icecast server.


joat: 23:29:28 23 Nov 2007


Mon, 19 Nov 2007

Coming up for air 19 Nov
Apologies for the dearth of posts. I'm in the middle of a certification marathon, facing a number of self-imposed deadlines. I've finished re-cert'ing GSEC and have two more to go by the 1st of the month. (Note to self: celebrate having started this blog prior to obtaining the cert in the first place.)

Hopefully, I should have everything done this coming weekend.

joat: 06:19:22 19 Nov 2007


Sun, 18 Nov 2007

chk_vm_pwd.agi 18 Nov
The sample dialplan code on VoIP-Info.org for authenticating using voicemail passwords has a bug in it. In the Perl section, line 122,7 should read:

exten => *122,7,GotoIf($["${result}" = "0"]?20:30)

Note the one less left-bracket ("[") before ${result}.

joat: 12:09:29 18 Nov 2007


Fri, 16 Nov 2007

pyTivo 16 Nov
I've put the notes for the pyTivo installation in the wiki. For those that don't know what pyTivo does, it allows you to push content back onto your TiVo, all without having to hack the dang thing.

joat: 21:15:34 16 Nov 2007


Mon, 12 Nov 2007

Not a small problem. 12 Nov
This is really not good. If you want an idea of how bad it is, try visiting the NIST Vendor list and picking out all of the Microsoft products. Then remember that Microsoft tends to re-use code as much as possible, making the possibility that the problem exists in XP and Vista very likely. Then go back and pick out all of the products which employ Microsoft's libraries.

While this sort of paper doesn't cause problems directly, it is the sort of thing that others build upon, often ending with "nice" additions to security toolkits. I wonder how long it'll be before NIST responds....

Update: the paper is here if you don't want to wade through Slashdot.

joat: 19:53:27 12 Nov 2007


Sat, 10 Nov 2007

Shmoocon attendance 10 Nov
Someone did a nose count and figured out that there's at least 30 people from the Virginia Beach area going to Shmoocon (and there's two more sessions of ticket sales to go). I guess we'll be the big ugly mob in the lobby bar at 2 a.m. (heh)

Telmnstr is campaigning for a Hack or Halo project. Any thoughts? I've got a collection of junk box kruft that I'm willing to donate as parts or prizes.

joat: 00:44:02 10 Nov 2007


Tue, 06 Nov 2007

Cell phone jamming 06 Nov
Before you take it upon yourself to jam someone else's phone calls, just because you can only hear one half of the conversation, please consider the following:
  • What's your justification?
  • Are you jealous that you're not part of the conversation?
  • Don't like that the girl likes to say "like", like way too much?
  • Before you get into the "invasion of your space" argument, answer the question: "Where am I?" I'm willing to bet that you're in a public place and your personal space doesn't involve a cone of silence.
  • Do you come from one of those broken homes where "silence at the dinner table" was a rule? If so, then I'm sad for you. I come from an active family where the earliest we'd see each other as a group was dinner time. Aside from a few spats when we were younger, it was a time for communication.
  • Are you that much of a control freak?

When you press that button realize:

  • You're breaking a Federal law each time you push that button, risking fines up to $11,000 ($10,000 for jamming, the rest for possession and use of contraband).
  • You're also risking a civil suit from anyone whose conversation you interrupted (think doctors talking to emergency room). Jammers are rarely directional, especially the cheap ones. A thirty foot range means sixty feet by sixty feet (i.e., everyone in the restaurant, and then some).

Yeah, there are a few places where cell phone use can be seen as inappropriate, such as church, a movie theater, or class. However, let me point out that it is not you, with your butt in the chair, that has the right to enforce any such rule. It is the responsibility of the pastor/priest, theater owner, or instructor to make and enforce the rule. Anything that you do, including saying "Hang up that phone!" is beyond your jurisdiction and may be construed as a form of assault (look that one up). It falls under "The management reserves the right to refuse service..."

You want silence, go sit somewhere where the business owner prohibits the use of cell phones (it's his jurisdiction, not yours). If it's a public place, you're S.O.L.

You cell phone users. If it's a place where quiet is the norm, it's okay to answer your phone, just take the conversation outside as soon as possible. It's the polite thing to do and it'll help keep the etiquette nazis off of the rest of our backs.

Me? I'm using another entirely legal device. If you use a jammer in plain view, I'm taking a picture and hoping it's good enough to convict you. If you're yelling into the phone in a place where quiet is the rule, I'll take a series of pictures (hey, you're acting strange in public), choose the best one, and submit it to the Craption Contest.

joat: 06:22:01 6 Nov 2007


Mon, 05 Nov 2007

pyTivo 05 Nov
Remember that diagram that I made of my home network, about a week ago? Scratch that. I've added a few more lines to it. In cleaning out some of the kruft that has backed up in my Bloglines subscriptions, I came across a PVR Wire post about pyTivo. (I can't post the link to the original article 'cause it isn't there anymore. Bloglines remembered it though.)

In any case, pyTivo allows me to push media from my computer (vidcasts, podcasts, SageTV recordings, etc.) back through the TiVo.

The bad news is that the program actually has to load the media onto the TiVo. The good news is that you can start playing it a few seconds after the transfer starts (good for large vids!).

I did have to monkey with the config file just a bit. I had to enable the beacon and change it to the broadcast address for my network (vice 255.255.255.255). Note: the Cheetah Namemapper warning supposedly can be safely ignored.

In any case, I can now watch vidcasts on my TV without having to use the funky podcast client built into the TiVo interface. Even though I can play music through there, I don't have a decent sound system connected to that TV so I probably won't use that one much. Also, let's not forget the ability to pull files off of the TiVo with the web interface (backups!).

joat: 19:55:30 5 Nov 2007


Got mine 05 Nov
Got my ticket for Shmoocon. Not a whole lot posted about it yet, except for discussion of ticket sales. The Shmoocon Roommates mailing list appears to still be alive (though inactive).

joat: 14:56:57 5 Nov 2007


Fri, 02 Nov 2007

A web interface for LiquidSoap 02 Nov
I'm writing a web front-end to Liquidsoap, a scripting language that easily builds and transmits audio streams (live or from files) to Icecast and Shoutcast servers or to local hardware. The script is basically a juke box for the various network-enabled audio devices in my house. I'm keeping development notes (and the code) in the wiki for anyone that wants to follow along.

joat: 21:47:06 2 Nov 2007


Wed, 31 Oct 2007

Shmoo Tickets 31 Oct
Heads up! First round of ticket sales: 1 Nov. Hopefully, they aren't using the same scheme as last year (it does look like it though).

joat: 06:12:37 31 Oct 2007


Sun, 28 Oct 2007

Geekin' Hard! 28 Oct
Some geeks like showing off their geek pr0n. Some like showing off network diagrams of their home setup. Me, I like function diagrams. Below is a depiction of what I've been playing with in the past year.

At some point, I've tested each part. Most of it is still connected and available on demand (from inside the network). About the only part that I've disabled is the IDJC piece (it generated too many audio "artifacts").

The parts in red are record functions. The piece in green is Asterisk passing CallerID info to SageTV. The rectangles are hardware. The circles are not.

Pieces that play MP3 files from the library:

  • Asterisk
  • Icecast
  • IDJC
  • Liquidsoap
  • SageTV
  • Slimserver

Pieces that accept input from Icecast/Shoutcast streams:

  • Asterisk
  • Cidero
  • Icecast (via relay)
  • Liquidsoap
  • MediaMVP
  • MPD
  • Slimserver

Pieces that output Icecast/Shoutcast streams:

  • Asterisk
  • Icecast
  • IDJC
  • Liquidsoap
  • MPD
  • Slimserver

Web interfaces include:

  • Asterisk
  • Icecast
  • Liquidsoap
  • MPD
  • SageTV
  • Slimserver
  • TiVO

Asterisk, Icecast, Liquidsoap, and Slimserver are the audio powerhouses here, being able to both accept and generate network streams. Because they have inputs and outputs which are accepted "standards", they can be connected in just about any manner.

For video, my favorite is SageTV. It records scheduled and timed video, has a "hackable" web interface, allows all sorts of plugins for additional features, and can stream to hardware and software clients in the local network. It generates RSS feeds for recent recordings and the upcoming recording schedule. For those that aren't familiar with SageTV, think MythTV with a lot more polish and a lot less set-up work.

Note: this is all Linux-based but there are Windows versions of just about all of the programs. The amazing part is that I rarely see my dual core system get below 95% idle.

Wishlist (things I want to experiment with in the next year): X-10 interface, home automation, some sort of podcatcher, IAX to a friend's Asterisk box, a hardware-based phone, motion detection with cameras, hosting and/or recording a live conference call, amateur radio.

Disclaimer: I do nothing illegal with this set up, though the capability is definitely there. Diagram courtesy of GraphViz's dot program.

joat: 19:58:01 28 Oct 2007


Sat, 27 Oct 2007

Wiki 27 Oct
The wiki is down for a bit while the powers that be update the backend software/hardware.

joat: 11:15:23 27 Oct 2007


Tue, 23 Oct 2007

Asterisk to Icecast 23 Oct
I've got the Asterisk-to-Icecast interface up and running! ([insert dance of joy here]) Notes (in the wiki) to follow shortly.

joat: 20:14:17 23 Oct 2007


Sat, 20 Oct 2007

Adding Custom Searches to SageTV 20 Oct
I've put my notes for adding custom searches to SageTV in the wiki. I've also posted a link to a copy of my menu_items.js there.

joat: 12:48:47 20 Oct 2007


Thu, 18 Oct 2007

Missing the old days? 18 Oct
Wow! I'd forgotten just how horrible pre-Internet technology was...

If you know of anyone pining for the old days, especially if they're obnoxiously spouting off how cool Fidonet was and such, you can point them (telnet) to bbs.hak5.org. There, the Hak5 bunch has set up a BBS so that people can be reminded just how spare the interface was.

A few things missing from the experience:

  • the text should be printing at 300 baud (about the speed that the average fourth-grader can keep up with)
  • the connection should drop out periodically (think of it as being randomly logged off against your will)
  • the text files need more Ctrl-G's

I do miss those Ctrl-G's.

joat: 18:46:07 18 Oct 2007


Wed, 17 Oct 2007

The devil's in the details 17 Oct
For the benefit of anyone in Rob's class that's attempting to recreate what was done on the big display tonight --> when you're grabbing/compiling/running kmod-ptrace.c on the target machine, pay close attention to the details:
  • use gcc, not make or cc
  • when you run the program, what is displayed?
  • can you do anything? (hint: type ls or whoami)
  • if you hit Ctrl-C and run "ls -l", what do you see?
  • re-run the program and try to answer these questions again

Note: success may be specific to the version of the OS being run on the target machine. Your mileage will vary depending on a number of things (hint: the classroom lab is a controlled environment (i.e., each target is exactly the same)).

Enjoy! But you should probably get your homework done first. You may spend more time than you should getting the exploits to work in your home labs. If you're frustrated, please note that Rob usually isn't averse to you coming in when there isn't a class in the lab. Just check in with one of the techs in the fishbowl.

joat: 22:47:11 17 Oct 2007


Tue, 16 Oct 2007

Kernel upgrades and HTPCs 16 Oct
Note(s) to self: upgrading the kernel on a home theater PC is not a good idea unless you really need a new feature. Swapping out kernels will break IVTV and, by extension, whatever sits on top of it. If you're building production machines, it's a good idea to stick with whatever you're currently using and save kernel upgrades for the next model.

joat: 10:57:39 16 Oct 2007


Mon, 15 Oct 2007

Hak5 bumpers 15 Oct
Note to all: if you're going to use any of the Hak5 bumpers, it may be worth the time to edit the ID3 tags if you're doing anything like using them in a playlist.

joat: 22:35:38 15 Oct 2007


Fri, 12 Oct 2007

LiquidSoap web interface 12 Oct
I think I have the telnet interface to LiquidSoap figured out and have a simple web interface to it coded up. I'll post the code once I've got it cleaned up and add a few more functions to it.

joat: 05:36:06 12 Oct 2007


Wed, 10 Oct 2007

What's next? 10 Oct
From the give-me-$5-for-the-song-playing-in-your-head department...

There's a case in the UK where a car repair business is being sued for copyright infringement because their mechanics are playing music loud enough that it can be overheard by others. Silly, no?

Even sillier, it's not the employees of the business that are being sued for the actual sharing of the music (by turning their radios on). Rather, it is the business being sued for facilitating that sharing. (Never mind that broadcast radio has already paid for the broadcasted content and that it is able to be heard by anyone with enough skill to operate a tuning dial or button.) Or will the employees be sued at a later date, once it can be determined whose radio played what song when?

What's next? Having to pay a service fee for riding the elevator because muzak was playing while you rode? Of course, the elevator company would have to record the number of riders and the distance (in floors) that each rider traveled.

joat: 16:48:51 10 Oct 2007


NSLU2 Icecast Server 10 Oct
I've got an Icecast server set up on a Linksys NSLU2 server so I can experiment with various audio tools without annoying the Hak5Radio bunch. I've stuck the notes for "installing OpenWRT on the NSLU2" and "Icecast on the NSLU2" in the wiki.

joat: 05:38:38 10 Oct 2007


Mon, 08 Oct 2007

Configuration silliness 08 Oct
It's warnings such as these that cause an odd sense of panic when you're attempting to compile a mixer at 2 a.m.

Sheesh!

joat: 10:24:42 8 Oct 2007


Sun, 07 Oct 2007

NSLU2 Audio Redo? 07 Oct
I moved the NSLU2 back next to the computer because it wasn't seeing much use in the bedroom. It also lets me continue to crash the desktop without having to worry about losing the audio stream. I'm currently working on a demo to show off LiquidSoap (yeah, I tend to fixate on new tools) to the local users' group.

Problem is that I'll need to use the current NSLU2 (with the audio interface) and another with Icecast running on it. I'm running the risk of more people (at the meeting) being fascinated with the NSLU2's than the LS scripts I'm trying to show off. (Notes will be in the wiki shortly.)

joat: 14:51:25 7 Oct 2007


Wed, 03 Oct 2007

Liquidsoap update 03 Oct
I'm starting to think that LiquidSoap is to audio as Perl is to text. I had a bit of fun annoying the extremely early morning listeners on Hak5Radio with misc. Creative Commons music, while reading up on some of the syntax. In addition to being able to stream to Ice/Shout/Peercast servers, it can also stream directly to your hardware (i.e., your soundcard).

I can attest that chaining Sky.FM-->SlimServer-->LiquidSoap-as-a-player works very nicely. Even the metadata being passed across from Sky.FM is handled properly, and neither processor got below 95% idle on the dual core, even with all of the other crap I run on the box (SageTV, fetchmail, etc.). That's saying a lot as it appears that both Slimserver and (possibly) LiquidSoap are doing a bit of transcoding on the fly. The one drawback to this so far is SlimServer's built-in delay (5 or so seconds). I'll need to read up on that.

It's obvious that simulcasting (rebroadcasting/redirecting) a stream is going to be simple. I need to play with the mixing features now (think "periodic jingles" mixed into an open conference call). If I can come up with an interface to Asterisk, you can consider me as having thrown IDJC in the round file.

Oh! If anyone's interested (and for my own notes), the syntax is

liquidsoap 'out(input.http("http://192.168.1.175:9000/stream.mp3"))'

joat: 11:56:28 3 Oct 2007


LiquidSoap 03 Oct
I've had a "really horrible experience" in getting IDJC up and running. No matter what I've tried to do, anything that I stream contains a quantity of very annoying sound artifacts (at one point, it could have been a helicopter outside of my window).

In attempting to troubleshoot IDJC, I discovered a new streaming tool called "LiquidSoap". To quote the website, it is basically a "general purpose audio streaming tool, designed as a script language, which allows you to build complex webradios".

While the toolset is still considered to be in development, I was able to get streams going via a local radio site (okay, hak5radio) in 30 minutes of installation/reading, vice the 2 months of on and off frustration with IDJC.

In reading some of the docs, there's quite a few interesting features: on-the-fly transcoding/normalization, misc. scheduling features, drop-on-live-input, an IRC bot interface (with input!), and even a (in-development) touchscreen interface. Definitely something for the home theater enthusiast that likes to tweak his/her own stuff!

joat: 00:56:13 3 Oct 2007


Mon, 01 Oct 2007

Self-referentialism 01 Oct
Self-referentialism (similar to existentialism): the depressing condition within Internet-based research where you repeatedly (only?) find your own work. Following is a semi-example where 9 people on Del.icio.us have noted the same article about LiquidSoap. The "just posted" indicator is an indication of my having saved the link. The picture indicates that I then Googled for the term and was brought back to Del.icio.us. (Arg!!)

(heh) Cutting edge does have its drawbacks...

joat: 05:02:18 1 Oct 2007


Sun, 30 Sep 2007

ZoneMinder update 30 Sep
Dave and I managed to get a version of ZoneMinder up and running by grabbing a copy of the Blue Cherry Live CD from the BlueCherry.net web site and trying a number of different cameras. We discovered that one of the obstacles that we were facing involved the hardware (an older Dell box) that we were using as a platform. We ran into everything from not enough memory to realizing that the USB ports were only version 1.x. Dave had a very nice USB2 camera going, with the Live CD, on his laptop. We ended up installing the Live CD (it's Ubuntu-based) to cure some of the memory issues.

joat: 08:46:21 30 Sep 2007


Wed, 26 Sep 2007

BSQOTD 26 Sep
Bad security quote of the day goes to Dale Peterson: "... and there are no zero-days in these security products."

Uh, yeah... While I concur that wireless is being used inappropriately in some areas (see my comment on his page), that statement didn't help Dale's argument much. (heh)

joat: 05:10:38 26 Sep 2007


Getting the customer to speak 26 Sep
Tate Hansen, over on Clearnet Security, has a post about getting the customer to provide input as part of a penetration test. It surprised me for two reasons: 1) I didn't know that it wasn't done and 2) it's so obvious an issue.

I'm not saying that I don't believe that the condition exists. People (and therefore organizations) tend to take the path of least resistance, so if the penetration testers don't ask, the customer is not going to offer up the information.

My surprise is that the question just doesn't come up. It may be because I'm the type to take a packet sniffer to a CTF contest. (Yeah, one of those that thinks that CTF is a spectator sport.)(I have Don M. at ODU and S-14 (hiya Pete!) to thank for that "bad habit".) To me, the "What did you see?" question is just so obvious that it's a "must ask".

I can also see how organizations fall into the practice of not participating in their own penetration testing. It may have something to do with that other form of security testing called the vulnerability scan. It's usually performed more often and requires no input from the customer, except during the remediation phase, and that is usually an internal process (e.g., the CIO may have some "'splaining to do" to the CIO).

The Hansen/Ranum/McGraw reference to the "badness-o-meter" is a good one. If your pen-testers have anything other than "we don't know" at the top end of the scale, the data they're providing about your level of security may be suspect. Pen-testing is an inverted business-model. The best you can hope for is: "We don't know. We failed." A few things to keep in mind:

  • This doesn't mean that someone else doesn't already know
  • It also doesn't mean that they won't know tomorrow or the day after
  • To quote a semi-cliche: "Security is a process, not an end state." (Dr. M. E. Kabay, 1998)
  • By extension, a pen-test is a snapshot of that process, not of an end state

joat: 04:36:03 26 Sep 2007


Sun, 23 Sep 2007

Security by fashion statement 23 Sep
Squidly1 pointed out a Dark Reading article (about the under-estimation of the "insider threat" threat) in IRC and (surprise!) it irked me.

My initial thought was "somebody is selling something". Upon reading the article (follow it to the daily blog to see the link), I discovered that I wasn't wrong. The reason for the article's existence was to make you overly paranoid about your users and get you to buy something to counteract the threat. If that purchase just happened to be the product mentioned in the article, so much the better!

My second thought was that this was another in a long line of "security by fashion statement" (bowel) movements. Think about it. We have a number of firms where "analysts" (those that aren't practitioners but are somehow (mysteriously) more knowledgeable) declare that one security method is "auld schoole" and there are much better, more modern, methods of performing such and such a function.

It's quite annoying. In the past five years, we've been told:

  • IDSs are dead, IPSs are better (thank you Gartner)
  • Anomaly detection is better than IDS/IPS
  • the firewall is dead
  • the perimeter is dead
  • SSL VPNs are the best VPNs
  • stateful inspection is better than application proxies
  • deep packet inspection is better than application proxies
  • application proxies are better than stateful inspection, packet filters, and deep packet inspection (What? You missed the resurrection of proxies by Gartner?)

And now you need to be so paranoid that your users' every key stroke needs to be monitored and analyzed for intent (yeah, that works well), to the degree that you must come up with "termination plans"? Oh and, by the way, we just happen to have this nice product that'll automate this process and make your life much easier.

A much better approach would be to have a realistic security policy and to use the tools you already have, especially the one behind your eyeballs. Most "insider threat" incidents are considered corporate embarrassments not because the incident occurred but rather because they weren't detected until after the fact. The majority of insider abuse is readily apparent, either in the virtual world (in log files) or out in the real world (people tend to talk about what so-and-so is getting away with).

Attempting to totally automate the process, in either the virtual or real worlds, is just a way of abstracting yourself further away from the problem. Network monitoring and management of people have at least one thing in common: they "automate" poorly, in that an automated process can only handle "known" issues. Unique issues can always crash automated processes. (It's why we have web-based time sheets but still have entire HR departments.)

You want to properly deal with the "insider threat"? It's easy. Show "trust" in your users. It's okay to "verify" with a certain degree of monitoring, but it has to be at a level that your users are comfortable with.

Also, use the tools that you already have. Automated log file reduction is fine, but you still need human review of the remaining entries.
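The split described above (automation suppresses what is already understood, a person reads whatever is left) can be sketched as follows. This is an added example, not code from the original post; the log lines are constructed, and the `KNOWN_BENIGN` patterns stand in for whatever a site's own policy has already judged routine.

```python
import re
from collections import Counter

# Constructed sample auth-log lines (not from the original post).
SAMPLE_LOG = """\
Sep 23 09:00:01 fs1 CRON[4121]: (root) CMD (run-parts /etc/cron.hourly)
Sep 23 09:02:13 fs1 sshd[4188]: Accepted publickey for alice from 10.0.0.21 port 50514 ssh2
Sep 23 09:05:40 fs1 sshd[4190]: Accepted publickey for bob from 10.0.0.34 port 40022 ssh2
Sep 23 09:07:02 fs1 sudo: carol : TTY=pts/3 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow
Sep 23 09:07:55 fs1 sshd[4207]: Failed password for carol from 10.0.0.77 port 51122 ssh2
Sep 23 09:07:58 fs1 sshd[4209]: Failed password for carol from 10.0.0.77 port 51130 ssh2
Sep 23 10:00:01 fs1 CRON[4302]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Events already understood and judged routine (an assumed local policy).
KNOWN_BENIGN = [
    re.compile(r"CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)"),
    re.compile(r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.0\.\d+ "),
]

def normalize(line):
    """Drop timestamp/host and collapse PIDs and ports so repeats group together."""
    msg = line.split(None, 4)[4]           # skip "Mon DD HH:MM:SS host"
    msg = re.sub(r"\[\d+\]", "[N]", msg)
    return re.sub(r"port \d+", "port N", msg)

def reduce_log(text):
    """Return (suppressed_count, Counter of normalized lines left for a human)."""
    suppressed, remainder = 0, Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        if any(p.search(line) for p in KNOWN_BENIGN):
            suppressed += 1                # known issue: automation handles it
        else:
            remainder[normalize(line)] += 1  # unknown: goes to the reviewer
    return suppressed, remainder

if __name__ == "__main__":
    dropped, review = reduce_log(SAMPLE_LOG)
    print(f"{dropped} routine lines suppressed; review queue:")
    for msg, count in review.most_common():
        print(f"{count:4d}  {msg}")
```

Nothing in the reducer decides that the `sudo` line or the failed logins are malicious; it only guarantees that anything not matching a known pattern reaches the review queue instead of being silently dropped.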

The firewall, the IDS, and security boundaries are still valuable. So are enforceable policies, deep packet inspection, stateful firewalls, and anomaly analysis. They each have their place in your toolset.

Companies such as Gartner like to bank on the fact that you've forgotten that none of these technologies are mutually exclusive. While "layered defenses" may be an offensive term to some, the existence of multiple protections which co-support an overall security policy is still a good idea. Just don't take the human factor out of it.

I've got news for you: If you run a totalitarian environment (AKA micro-managed, micro-monitored), every single one of your users will be evil and you'll end up wondering why your organization has such a high turn-over rate.

Save your cash. Also, keep in mind that the less flexible a system is (the degree of tolerance it has), the more brittle it is and the more spectacular the failure will be when it does go. This goes for machine systems as well as for people.

joat: 12:56:31 23 Sep 2007


Thu, 20 Sep 2007

FC7, an NVidia 6340 LE, and a SyncMaster 940BW 20 Sep
For the better part of this year, I've stuck with the commercial version of Mandriva 2007 because it was one of the few distros that automatically recognizes my video card and monitor. For those that know me, this is an extremely long time for me to stick with one distro.

Not any more. I've needed to install Fedora for a few toolsets that I've wanted to play with and finally had the time (I took a day off) to install Fedora and figure out how to get the video configured properly (usually it'd come up with bars on the side and no mouse cursor).

Fixing both of those problems was pretty straightforward. The mouse involved turning off the hardware-driven cursor. The video involved trashing the Fedora drivers and grabbing the binary off of NVidia's site and letting it compile new modules.

I've stuck my notes in the wiki.

joat: 15:13:41 20 Sep 2007


Sun, 16 Sep 2007

Tools 16 Sep
Thanks to Mubix, I've added WHOIS.sc, CentralOps.net, ServerSniff.net, and Maltego (formerly Evolution) to the network forensics wiki page. The last three are intriguing in that they provide a number of other functions. I'm especially interested in Maltego as it supposedly does some basic relationship linking and has both a GUI and a web interface.

joat: 18:28:12 16 Sep 2007


Sat, 15 Sep 2007

Shmoocon CFP is open 15 Sep
Step 1: Announce date of con (done)
Step 2: Announce CFP (in progress)
Step 3: Devise ticket sales scheme that (hopefully) won't anger the natives (TBD)

joat: 10:16:47 15 Sep 2007


Wed, 12 Sep 2007

Memory limitations 12 Sep
Note to self: Zoneminder cannot display video on top of the Beryl/Emerald window manager. There's not enough video memory to support both.

joat: 19:16:09 12 Sep 2007