Saturday, December 31, 2005

Microsoft Wireless

Here's another good source of basic info on wirless: Microsoft's How 802.11 Wireless Works. Please ignore the part that talks about Zero Conf because, as with any auto-config technology, it has some safety issues.

Friday, December 30, 2005

Shoot self?

The Full Disclosure Mailing List is discussing Richard Smith's suggestion on how to draw the attention of the NSA. A few thoughts:
  • Now why would you want to do that?
  • I seem to remember that your IP is commonly included in the headers of traffic originating from the large webmail services.
  • Why become a "person of interest" just so's you can be funny for two seconds?

It's not that funny of a joke.

Wireless Detection and Tracking

Interlink Networks has a paper on "Wireless Detection and Tracking" that talks about some of the low level stuff, including packet analysis and what amounts to "heat maps". Some of it is a bit dated (WPA, WEP) but it's interesting nonetheless.

Wednesday, December 28, 2005

Comments offline

Please note that the comment-related functions are offline while the system is tweaked. Be nice, those that are working on the system are not being paid to do it.

More free books

Bruce Perens is working with Prentice Hall to produce a series of books by various authors called the Open Source Series. A nifty additional feature is that the book becomes available online, for free, a few months after it hits the shelves.

Tuesday, December 27, 2005

Wiki hackers

While Sean has been tweaking the server, I've been digging around in the odd corners of the site. It seems that, in the 2 or so years the wiki has been up, roughly 96 accounts have been added to the wiki in an attempt to spam/hack it. The wiki adds the account, logs the time and IP and promptly refuses any attempt to change it. (heh)

Monday, December 26, 2005


Okay, I'm having too much fun. Worked last night and this morning to get the Digium TDM400P card and the Asterisk software installed and running. In the process, I also figured out where my problem was in installing the IVTV software. (It had to do with the build version in the Makefile for the kernel.)

So far, I think I've burned up all the spouse points that I earned earlier in the year. I've added a cheap 900MHz handset to act as the console phone and have driven my wife nuts with the phone (and the laptop) ringing. More stuff to add to The List of Unfinished Projects:

  • figure out how to stream live audio to the phone
  • "adapt" the NSLU2 (saving up for a USB2 HD)
  • learn more about the ivtv modules and MythTV
  • get ready for next semester's classes
  • get ready for ShmooCon (19 shopping days left!!)

Add that to the stuff already on the list and I'll be busy for at least 6 months.

Sunday, December 25, 2005


Stand still and watch. You'll see the leading edge of the crack pass by you very quickly.

What am I referring to? How about the fracturing of the Internet?

InfoWorld has an article about a Dutch company (UnifiedRoot) standing up their own dns infrastructure, with the intent to run it in parallel to the ICANN managed namespace.

Call me a sadistic pessimist but this topic is going to be "interesting" (Chinese curse version) to watch and has a high entertainment potential. This sort of thing has been tried before and has taken some intriguing turns. (Hint: the proposed managers of the .XXX domain are the same people that used to sell you the domain under ALTERNIC, for less money.)

You'll need popcorn and some soda for this one folks! (I predict a lot of nasty politics, both external and internal.)

Update: Still think I'm kidding? How about this: the site recommends that DNS owners replace their hints file with one from UR. A quick look at the file reveals none of the normal DNS root servers are included. Yep, that's right, rather than the cooperation the web site touts, they want you to trust them implicitly. This should get interesting quickly.


Please standby. The powers-that-be (again, mostly Sean) are working to get the system back up and running. Some of the custom code (mine) has to wait on final system tweaks before I attack it.

Friday, December 23, 2005

No entry

The site will be offline today. I'll backfill this day's post(s) later.

Thursday, December 22, 2005


While we're on the subject of DNS tools, dnstop may be a useful tool if you manage a network. It's a bit simple but will keep track of which host is doing how many DNS lookups. For home networks, it's a bit useless as it needs to listen to a gateway feed. You may find it interesting in any case.

Wednesday, December 21, 2005


dnstracer is an interesting tool. It traces information from DNS back to its source. It does this by using non-recursive queries. In other words, if you tell it to trace "", it'll return the following interesting data:

Tracing to[a] via, maximum of 3 retries (
|\___ [org] (
| |\___ [] ( Got authoritative answer
| \___ [] ( Got authoritative answer
|\___ TLD2.ULTRADNS.NET [org] (
| |\___ [] ( (cached)
| \___ [] ( (cached)
|\___ TLD1.ULTRADNS.NET [org] (
| |\___ [] ( (cached)
| \___ [] ( (cached)
|\___ TLD1.ULTRADNS.NET [org] (2001:0502:d399:0000:0000:0000:0000:0001) send_data/sendto: Network is unreachable
* send_data/sendto: Network is unreachable
* send_data/sendto: Network is unreachable
|\___ TLD6.ULTRADNS.CO.UK [org] (
| |\___ [] ( (cached)
| \___ [] ( (cached)
|\___ TLD5.ULTRADNS.INFO [org] (
| |\___ [] ( (cached)
| \___ [] ( (cached)
\___ [org] (
|\___ [] ( (cached)
\___ [] ( (cached)

While it shows that there may be a problem with TLD1 (this is likely to be a problem with the tool's ability to handle IPv6 data rather than the server), you can see that the tool queries all of the DNS servers that are known to have the data. ( is the IP of a DNS server local to me). This tool also has the ability to detect lame DNS servers (those that are supposed to know the answer but don't)(think misconfigured or damaged secondaries).

If anyone is really proficient with this tool, please contact me. I'd like to know if it is useful in detecting record poisoning.

Tuesday, December 20, 2005

Help wanted

If PJ (at Groklaw) ever gets around to writing a book on the SCO v. The World cases and I fail to notice it, will y'all let me know? If she can sort out the mess, I'd enjoy reading about it. In any case, more hand-waving and finger-waggling is slated for 22 Dec. Anyone know if I how much it is to buy just one stock (currently at $4.01) and have it framed?

Monday, December 19, 2005


The Worm Blog has some initial comments on the Dasher worm. There's also some comment about Dasher.C.

Sunday, December 18, 2005

Offensive Computing

Offensive Computing may be a site to keep an eye on. Their stated purpose is to improve computer/network security via analysis of malware.

Saturday, December 17, 2005

Heads up

"The powers that be" (Sean mostly) have stated that the server swap will occur this week. While the wiki shouldn't be affected as I already maintain it on the new server, there may be some glitches in the rest of the site. Please excuse any vagaries.

Spam Hunt

Just spent the last hour removing spam from the queue for the blog. I feel another spam hunt coming on. Every single one of the incest and beastiality ads pointed at web servers in the continental U.S.

Geek Style

I've just altered my Bloglines subscriptions to remove the Geek Style feed. Visiting that site causes pop advertisements (even in a Linux-based Firefox install). I don't know about anyone else but I feel that I read are either geek-related or personal. With Geek Style, it's the usual low-grade crap in the pop-ups. Example: The usual "Your system is infected with spyware. Click here to scan for it." message. (Hint: I'm not running Windows on this laptop.)

Babak, if you read this, I think the ads are getting into your blog via your webstats4u logo/link. Read this post at JNode and the following excerpts from the WebStats4U Terms of Service:

  • WMS entitles users to access to a variety of on-line and interactive on-line services (the "Products and Services"). Some of the Products and Services are supported by advertising, enabling WMS to provide them to you at no cost. When you use these free services, you agree to allow WMS to display advertising, including third party advertising, through the Products and Services.
  • With the installation of WebStats4U on the site it is accepted that WMS has the right to place advertisements on the site in any format or through any channel, including but not limited to e-mail, layer ads, pops, banners and other usual formats without any forewarning and it is furthermore accepted that WMS takes no responsibility for the advertising content and that WMS shall not be liable for any losses incurred regarding this advertising.

I find anything more obtrusive than Google Ads to be offensive. Google Ads are passive and easily ignored. I'll probably resubscribe at a future date but only after the WebStats4U thingy goes away.

Friday, December 16, 2005


My apologies. I've been offline for a few days while on a short-notice trip out of town. I've back-filled the last few days.

On a tech-related note, I "helped" pick out a couple of my Christmas presents for this year: the Asterisk Developer's Kit (with TDM400P) and a Linksys NSLU2.

You think that it will keep me busy for a few days? To say nothing about the TDM400P.

Thursday, December 15, 2005

Alien viruses

Is there any way we can strip a Doctorate from someone absolutely clueless?

Dr. Carrigan believes that the Internet is wide open to infection from alien (as in off-world) computer viruses. I have problems with a number of his anthropomorphised assumptions:

  • Where'd they get the 8086-series chips? Dr. Carrigan seems to assume that silicon and the various doping elements are as plentiful there as they are here.
  • Are they running Microsoft Windows? If so, how are they getting their updates? I assume they'd be easy to track on Patch Tuesday. Also, I believe Bill would like a word with them about licensing. Actually, taking into account the speed of light, it means that Windows was in use decades (if not centuries or millenia) before it's availability here on Earth. We may need to talk to Bill about his patents and licensing practices.
  • Infection by off-planet source would happen in one of two ways: either intentionally or accidentally. If intentional, it means they know we're here and network infection is likely to be the least of our problems. (Somebody call Tom Cruise!!) If unintentional, we need to prompt the anti-virus industry that they need to start including sub-routines to counteract alien worms and viruses.
  • If there is a risk of infection from exterrestial sources, what risk do we pose to the galactic community with the problems that we have in our networks? Could that be why no one has contacted us yet? (All claims by the UFO community aside.)

In any case, I hereby nominate Dr. Carrigan to be the recipient of a Reynolds Wrap hat. Shiny side out, dude!

Update: the above is a bit dated and lived in my slush pile for a bit but is still amusing.

Wednesday, December 14, 2005


This will a hint to tell how old I am (at a minimum): I'm excited about discovering the TMBG podcast feed.

To those that are Britney's age or younger (or those who've never heard of Login Whitehurst), TMBG is short for "They Might Be Giants". Where else can you hear a band sing in the style of Yes, Rocky Horror, the Beatles, and Leon Redbone?

Then again, trying getting through the day with Birdhouse in Your Soul and Happy Noodle doing battle in your head.

Tuesday, December 13, 2005

MyMP3 and Beam-It

Here is an analysis of's Beam-It protocol which is used to verify that a user actually owns the CD they want to stream.

Something I never really understood: why employ a lower quality stream when you already have the CD?

Monday, December 12, 2005


Took a power hit this weekend. Lost a stereo and my home network has been acting funny every since. I thought that I'd lost the router that acts as my IPv4/IPv6 gateway because it'd only work for a few minutes at a time.

Turns out that I was wrong. I'd forgotten about the print server I had picked up a few months ago (my wife is the only one that uses it). I'm not sure if it's permanently damaged yet but the network came back when I unplugged it.

In any case, I'm relieved and my wife is pissed. (Keep in mind there's only one print server and two spare AP's.)

I'm in trouble!

Wireless calculators

Tuanis Technology has various online calculators for use with wireless technologies.

Sunday, December 11, 2005


Not that it's new but I received one from a friendly Mytob worm that I hadn't seen yet. It was from and said "Here are your bank documents." So, if you're IP is (India), please take a look at your system. It's infected.

Saturday, December 10, 2005

Help wanted

I'm searching for stuff to listen to for an upcoming trip to DC. If anyone has any sources for non-music content, please forward 'em.

Hint: stuff from recent cons and the usual podcasts, I already have.

Automated fingerprinting

CCIED has a paper entitled "Automated
Worm Fingerprinting
" that attempts to deal with 0day worms.

Friday, December 9, 2005


It's old news (2 days) now but 802.16e has been ratified. It's important to wireless because it provides extensions to 802.16 that improves mobility (hand-offs between cells) and streaming media. Between this, podcasting and BPL (at least the noise generated by it), we may see some damage to the AM radio business.

Thursday, December 8, 2005


No post today, I'm taking the evening off to attend "finals", also known as the class party at the Biergarden in Portsmouth. They have a highly addictive form of potato soup that has beef chunks and spaetzle in it and I'm planning on at least two bowls.

Tuesday, December 6, 2005


Wandered across the Wireless Vulnerabilities & Exploits site this morning. Looks like it'll be valuable in the long run.

Monday, December 5, 2005


I'm a bit nervous when the term Information Warfare is used in relation to a website as the Information Warfare Mailing List suffers from bouts of tangential politics but the IWS appears to be a good site to read. It has a lot of good documents for communications security and InfoSec basics.

Sunday, December 4, 2005

Root servers

It's a bit trivial but it's knowing more about your root servers is a good-to-know.

Saturday, December 3, 2005

Basics: Netcat has a "CLI Series" piece on netcat. This is yet another good-to-know tool in the netadmin/sysadmin/power user toolkit, especially for the beginner.

Friday, December 2, 2005

This plane is going to Cleveland?

Can RSS hijacking really be that much of a threat? If it is, I'll modify previous statements about RSS being a viable vector for malicious code. It still wouldn't be a good vector for the spread of malicious code but it might be a usuable vector for the introduction of malicious code.

Thursday, December 1, 2005

X-Lite Softphone

My entire exercise in getting CounterPath's (XTEN) X-Lite softphone to run under Wine (as logged in the wiki) has been rendered a moot point. I've discovered that they also have versions for Mac and Linux via their download site.

Note: this isn't a new development. Chalk it up to my not noticing.

Tuesday, November 29, 2005

More typing

I've re-org'd the Asterisk page and have added a bit of work to the "sip.conf" setting descriptions. Think of it as yet another of my (ongoing) unfinished projects.

Hopefully it'll help someone. Let me know if it does?

Sunday, November 27, 2005

Needs a dash of clue

While we're on the clueless security rant, here's one that I heard on the radio tonight. A syndicated personality, known as "Troubleshooter Tom Martino", has a consumer-centered talk show. As I was driving back from the grocery store this evening, Mr. Martino was ranting that iPods are susceptible to viruses via podcasting and stating that "we need anti-virus software for our iPods".

Would someone in Denver please ring up Tom and tell him the problems with his logic? Stuff like:

  • iPods are not x86 or Windows-based. Ask him to name one ARM or MIPS based virus that's capable of self-replication.
  • Podcasts are normally delivered from static, one-way sources. For a podcast to become infected, it (theoretically) would require malicious action on the part of the podcast author. There's no two-way data feeds involved.
  • RSS feeds are not like e-mail. They don't mysteriously show up on your iTunes list. You have to subscribe to them. In other words, there's a certain amount of reputation and trust involved with podcast sources.

In short, there are too many things missing from the environment that would support malicious code. "In ain't gonna happen." Instead, Mr. Martino should be ranting about virus scanners for our cars. There are models out there that run versions of MS Windows.


I fear that I may have angered some fellow CISSP's. If I haven't said it before, I like to argue. I'm even willing to take positions that I don't necessarily believe in. However, this isn't one of those cases.

In a recent discussion, I took the stance that "risk = threat X vulnerability X asset replacement cost" is not a good formula for sound business decisions.

I will admit to having "poked fun" at their belief that the above is a "security formula". It isn't. It's a business formula, used to decide how much money is safe to throw at a department with no ROI.

I took the stance that the formula is usually a rationalization used to support a business decision that's already been made. That the formula comes from a "recognized" organization of security "professionals", makes it that much more of a problem. My argument follows...

Let's get "threat" and "vulnerability" out of the way. Both are binary in nature or, at least, that was the original intent. You either have the vulnerability or you don't. If you have the vulnerability, it's either exposed or it isn't. The formula becomes "risk = (1 or 0) X (1 or 0) X asset replacement cost".

You can state that "threat" and "vulnerability" are quantitative values ("1" or "0") unless you attempt to put a "degree" on it. If the terms "degree" or "percentage" are applied to either value, that value becomes subjective and I no longer have to argue the point. Unfortunately, you'll usually hear "degree of exposure" or threat described as a percentage (i.e., "how much of a threat is it?").

The real trouble lies within "asset replacement cost". It's an oversimplification and a subjective value hiding behind a number. (i.e., it isn't quantitative!) Don't think so? Try this:

  • The basic "asset replacement cost" works best with a standalone system. If it's connected to any other asset, networked or not, the value quickly becomes a WAG (nice version: Wild Assumed Guess) (not-so-nice: drop "um" from the middle word and add a hypen between the first two words)
  • The basic "asset replacement cost" works best with a dedicated system. In other words, it's not used for anything else. If the system is used for any additional function, "asset value" gets complicated and other systems may be dragged into the equation. If the equation is artificially limited to the system under discussion, the value loses it's integrity.
  • "Asset replacement cost" is only valid when applied to hardware or programs. It fails horribly when applied to data. Normal business types will attempt to say that data replacement cost is nil ("we have a backup, don't we?"). I've yet to see any organization, outside of federal, that will attempt to actually recover "lost" data. Oh, and a law suit does not meet the definition of "recovery". At best, an organization might take into account penalties for lack of due care and/or due dilligence.

The end result is that the formula usually ends up being "risk = estimate X guess X stubbornly narrow error", losing it's security "value" entirely and becoming a rationalization for a business action that might not improve security at all.

In any case, I enjoyed the argument, though it would have been better demonstrated if a white-board was involved. I also won't deny that I enjoyed tormenting two people who actually needed it. Many people who obtain certifications often "stop" once they get them. If a person stops thinking about (and practicing) security, the certification becomes little more than a badge to hang on the wall.


Saturday, November 26, 2005

1st Responder Std.

What comes out of the "First Responder Standard" should be interesting to watch. Various groups have attempted this. The main stumbling block is the lack of a common infrastructure (e.g., radio frequencies, communications protocols, etc.).

Friday, November 25, 2005


I highly recommend O'Reilly's book, "Switching to VoIP" by Ted Wallingford. If you're messing around with Asterisk, it's a good book to have. While there's not a whole lot on setting up Asterisk, it is a good reference for theory and troubleshooting.

Thursday, November 24, 2005

Happy B-Day!

Happy Birthday to son Jonathan! Happy Bird-Day to everyone!

I finally get it!

Microsoft's Office 12 product looks like it's going to be a pretty slick product. After a "first look", I like it.

However, I could have gone without the marketing approach that the Redmond Dog & Pony Show used. They seem to have taken a page from the Presidential Race strategy guide, where you say little about what you can do and verbally deride all of your competitors.

The part that struck me as a bit odd was about interoperability, a point which they stress repeatedly when talking about the Office 12 product. It's taken me almost a month, but I think that I've finally figured out what they meant by the term: they're not talking about platform interoperability, they're talking about interoperability between Office 12 products! [*sarcasm on*] Now there's something new. [*sarcasm off*]

Just call me "slow" this month.

Microsoft almost "gets it". They've said that they're going to allow others to "use" their document format via a free license. The only restriction appears to be "with attribution to Microsoft". What "attribution" means may be a sticky point in the future. I need to find a copy of the EULA and license agreements they're using.

Update: Is this a case of schizophrenia? How can something be patented and open source at the same time? Seems that the open source format has been submitted for patent in certain countries... This will be interesting to watch as it unfolds.

Wednesday, November 23, 2005

Tuesday, November 22, 2005

Sleuth Kit Informer

It happened almost a week ago but... Brian Carrier has posted a new
issue of "<a href="
informer-21.html">The Sleuth Kit Informer", a newsletter he writes in
conjunction with the Sleuth Kit. This issue talks about the new license
for the Sleuth Kit and about changes to the ils tool.

Monday, November 21, 2005

Getting good from evil

I hereby nominate the five authors of Opportunistic
Measurement: Extracting Insight from Spurious Traffic
whatever award you'd give for using-evil-for-good ideas. The paper
discusses the shortcomings in current network visibility techniques and
suggests extracting data from the noise generated by infections, spam,
and denial of service attacks.

Sunday, November 20, 2005

Synthetic Diversity

Monoculture is a recognized problem when discussing malicious code.
It's what amplifies the effects of malicious code to the point where it
can have devastating effects.

Here is another
paper from last year's WORM, this one describing a method called
synthetic diversity as a method for combating malicious code.

It's an
interesting read but I disagree with most of it for a number of

  • Synthetic diversity within a program can only go so far.
    While the techniques may reduce the number of attack points within a
    program, it won't remove them entirely. Add millions of users to that
    situation and diversity within a program that does the same function,
    time after time, becomes a bit shallow.
  • As always, adding
    complexity isn't a good response to lessen vulnerabilities. The KISS
    principle is better.
  • Diversity can only be provided via a small
    number of methods. It wouldn't take long for the "bad guys" to adapt.
    Even if more methods were developed, it would lead to an already
    familiar type of arms race.

Anyone care to argue for or

Saturday, November 19, 2005

Friday, November 18, 2005

It's over

I hereby declare the novelty of podcasting as officially dead and that the technology is now mainstream. While searching for additional content to listen to during this week's commutes, I noticed that the "ususal suspects" also have their own podcasts. The "usual suspects" include the panorama of pseudo-science, fake grass-roots sock puppet, conspiracy theorist, and hate types.

The good news is that I did find some new security and tech-related casts to listen to (for a list, see my Bloglines subscriptions link at the top of this page).

NOC Notes

Here is a collection of
notes that relate to network operations.

Thursday, November 17, 2005


AWK is one of those "things" that you very quickly (you wouldn't believe
how quickly) forget if you don't use it continuously. It's also a very
powerful tool to have. Here is a tutorial for

Wednesday, November 16, 2005

It ain't getting any better

I've loved Zyxel modems for many years. However, they've lost points
with me for thinking that undocumented

or hidden equates to secure. What's that old line about repeating
history? [*sigh*]


O'Reilly has a quick
for GraphViz. This is valuable if you draw a lot of flow
charts or relationship drawings.

Tuesday, November 15, 2005

DNS poisoning

It's a bit dated but SANS has a good piece on
DNS poisoning. It describes some of the issues and lists a few

Monday, November 14, 2005

Watch your head

Too much time on your hands? Why not entertain yourself by watching the headers of the sites that you visit and see what sort of extra kruft is included?

Sunday, November 13, 2005

Dangerous Jokes

Everyone should steer clear of the "<a href="
story=20051112154004597">Nothing joke". The joke has been stretched
so far that when it does fail, Nothing will be funny.

Nothing is
sacred. According to the theory of relativity: Nothing travels faster
than light, Nothing existed before the Big Bang and Nothing can have
negative mass. In the real world, Nothing is perfectly symmetrical and,
for most of the time, Nothing changes.

When you're sick: Nothing
tastes good, Nothing is interesting and Nothing really matters. Then
again, Nothing is better than sleep to help you get better.

A lot of
parents end up sending their kids to college to learn Nothing. Many of
those students think that Nothing is harder to learn than Calculus. If
those students learn Nothing, their parents tell them that they're good
for Nothing.

That's about it for the puns. (I'm hiding Nothing.)
Please contribute Nothing to further the joke.

SCO: you started this!


Hmm... I may be in trouble here: It's roughly six weeks until Christmas
and roughly nine weeks until ShmooCon. I have more shopping done for
the latter than for the former.

(If you're married, ignore the rest
of this. You already know the futility of the thought(s).
) How can
it be my fault though? She still hasn't filled out her wish list!

Cables and stuff

Some of it is vendor-centered but this site has a lot of
good hardware info.

Saturday, November 12, 2005


I've disabled the blogroll provided by as issues with
their server(s) were preventing this page from loading. If things don't
clear up soon, I'll probably move to a static list.


OpenRCE has a pointer to a quick
binary analysis of Skype. Short but very interesting.

Friday, November 11, 2005


Let's see if I can re-explain it (without shouting) for those that still
think that I'm anti-MS: it's the marketing aspect that I like to poke
fun at, not the tech.

Example: the ongoing OpenDocument bickering.
The marketing department would like you to think that Massachusetts is
going to require Linux and OpenOffice. I doubt anyone who reads this
blog is confused but just in case, THEY'RE NOT THE SAME!!

OpenDocument is a document format, not a program. MS Office
could save files in OpenDocument format with no more difficulty than
saving in .RTF or .TXT formats. If MS doesn't adopt the format, we'll probably see it as a third party plug-in.

So what's the controversy? Why the
smoke and mirrors from Redmund? How about the "free
flow of data in and out
"? With the OpenDocument format, MS no
longer owns any part of your documents, rather than the current
proprietary format where they own the font, the metadata format, and the file storage format.

MS's risk in adopting the OpenDocument format?
Loss of user "lock in" (many companies initially adopt MS Office because
it's considered the "industry standard"), loss of font "lock in" (many
fonts are proprietary to MS Office), loss of feature "lock in" (a common
format is just that: common, and people will come to prefer
interoperability over proprietary features)(will anyone miss fighting
Words auto-formatter?).

I've had to explain this issue multiple times
this week. Hopefully those in the State Government can recognize the
difference. Unfortunately, it's entirely possible that one or more of
those people can be hired to influence the rest.

Update: Here's yet another view and reason for "the stink".

Thursday, November 10, 2005

Wednesday, November 9, 2005

Google searches

Not a whole lot of time to post this week.

Was playing with the logs
offline. Odd thing: out of the 800 or so Google referrals in the last
month, over half of them were queries about dsniff.

Okay, what are
y'all up to?

Tuesday, November 8, 2005

Have you voted today?

If not, stop reading this and get out there. I don't know about the
other 49 states but Virginia has lived through a very nasty election
campaign for Governor. Nothing but negative ads during prime time. I
swear, if the independent had bought one commercial last night and did one
"clean" commercial, he'd probably be Governor Elect tomorrow.

Monday, November 7, 2005

Exchange Msg IDs

I'm looking for a technical reference that explains just how the message
ID for an e-mail passing through an Exchange box is created. Is it
entirely random or is at least part of it "readable" in a manner similar
to those generated by Sendmail?

Sunday, November 6, 2005

Einstein quotes

Jim's Pond has a set of
Einstein quotes that I'm enamoured of:
  • Any intelligent fool
    can make things bigger and more complex... It takes a touch of genius -
    and a lot of courage to move in the opposite
  • Anyone who has never made a mistake has never
    tried anything new.
  • Problems cannot be solved by the same
    level of thinking that created them.

Saturday, November 5, 2005


This is getting really, really old. All along, I've had to put up with stupid-big levels of arp storms. For the last 2 months, I've had to live with periodic outages (6-7 times per day). I'm not the only one. Three other Cox users at the local user group meeting are also noticing it. And it must be wider spread than I thought as Leo Laporte is having to answer questions about it.

Hey Cox! WTF?

Friday, November 4, 2005

Tracking MS systems

Because Arthur asked, I'm adding my scripts for tracking Windows systems
to the wiki. The scripts are short and sweet, describing them is a bit
involved. Keep tabs on my work here.

Thursday, November 3, 2005

VoIP Threat Taxonomy

Cool. The VoIP Threat Taxonomy document is on the streets.

I contributed by providing a little bit of content and a whole lot of argument. (My name is on page 6!) Those that know me want the subtitle "Loudly & At-Length: Yet More Evidence That Tim (err.. joat) Likes to Argue"


Wednesday, November 2, 2005


[*sigh*] How many times must we see this happen? Sony should be ashamed of themselves. Sorry, it's probably already blogged to death, but I couldn't resist. Is there any sort of EULA embedded in the packaging or can we sue Sony for doing what two people were sent to jail for last month?

Tuesday, November 1, 2005

More cookies

InfoSec Writers has part
two on their article about cookies. (Part 1 was blogged last Saturday.)

Find Rogue Shares

Iron Geek has an article about finding rogue shares within your network. The idea is aimed more at the corporate network rather than the home network. IG used Windows-based tools but you can gain similar capabilities with *nix-based tools. With a bit of Perl, you can tie MySQL to nbtscan, nmblookup, and smbclient to get (and maintain) a pretty good picture of your network. With a bit more Perl coding, you can watch for unauthorized systems being plugged into your network and, depending on the OS employed, you can even grab MAC addresses remotely (yes, from outside of the local network segment).

I still have some of the scripts laying around here. If anyone wants 'em, let me know. The majority of them are just wrappers for the tools named above, most of 'em aren't pretty.

Sunday, October 30, 2005


HackerPort is a project intended to design a USB I/O interface. Something to keep an eye on.

Friday, October 28, 2005


David Bianco, a friend and former SANS mentor of mine has announce the formation of the Hampton Roads Snort Users Group. The first meeting is slated for 7 p.m., Dec. 1st at the Williamsburg Regional Library, 515 Scotland Street, in Williamsburg, VA. The speaker will be Jason Brvenik from Sourcefire.
Please read the announcement (link is above) for more info.

Free OS's

Tripped across this listing of free operating systems while checking up on BeOS. Count how many you've heard of. I've heard of 16 of them and used 6.

Thursday, October 27, 2005

Stand by to shoot yourself in the foot

The Register has an article which describes Microsoft's plan dump SSLv2 for TLSv1 in IE7. While they're intentions are good, it's the following that piques my funny bone:

As part of Microsoft's "secure by default" design philosophy, IE7 will block encrypted web sessions to sites with problematic (untrusted, revoked or expired) digitial certificates.

Along with their increase in security, I hope Redmond has increased their attention to detail. Anyone remember certain lapses in ownership of certain domains in the recent past? There's only so many honest people, like Steve Cox or Michael Chaney, out there. There's a lot more dishonest people out there looking to create mischief or earn a quick buck.

My offer to Mr. Gates (to host cron'd reminders for domain renewal) still stands if he wants it. (heh)

Wednesday, October 26, 2005

X-Lite and Wine

Just spent a half-hour or so playing around with the X-Lite soft phone, getting it to run under Wine. The good news is that it works. The bad news is you may be limited to running it under KDE. It works under AfterStep but sometimes the menus don't pop up properly and it attempts to use a couple "hooks" in AfterStep that aren't there. It works under KDE but KDE isn't exactly my favorite WM.

In any case, notes are in the Wiki.

Tuesday, October 25, 2005

Now that's funny

Here's a Ballmer quote (about Vista): "Most people will trust it from day one on their home computer..." I reserve the option to make further comment at a later date.

Monday, October 24, 2005

Securing Your Network

Whitedust has an article which discusses the maintenance of your network's security by being familiar with what "normal" is.

Just about the only point in the article that I disagree with is in the opening sentence: "While not absolutely required, it is ideal to have working knowledge of how an Ethernet network operates from a low-level perspective. I strongly disagree with this. It is imperative that you be familiar with your network to be able to operate it securely.

Sunday, October 23, 2005

Slowing down scans

A friend was recently concerned about the high number of inbound port 22 (SSH) connections he was getting. Another TWUUG'er suggested using iptables to slow down the brute force attacks (it uses the "recent" module). I've added the config to the wiki.

Saturday, October 22, 2005

Too many ads

I was looking for info on 802.11i and came across this site. I'm sorry but, regardless of the quality of the information available via the site, I won't use sites like that. (Notice that actual content on the site takes up less than a 1/3rd of the page. The rest is Google Ads.)


Here's a site that discusses the effectiveness of various Captcha schemes.

Friday, October 21, 2005


Bloglines have some small-but-important modifications to their site. One includes mapping navigation keys to the page, so that you can navigate through articles or folders without having to use the mouse.

The new feature I appreciate the most is the change to the new message count. It's now a combination display of new messages and keep-as-new messages. Example: (2:5). It's a small thing but saves me a lot of time while navigating their site.

Thursday, October 20, 2005


Well, the lack of controls on the USB interface is finally being exploited. The BlackDog product runs Linux on a USB device and pops up windows on Windows (no reboots needed). The device can even (supposedly) access any network that the host computer has access to. If you "do" security, this should scare the crap out of you. The video of the demo and the FAQ are interesting.

More memory

Adding memory to my old junker improved things so well that my wife
broke her long standing rule (of me not touching her computer) and had
me do the same for hers. Between that and the new USB printer server
(both of which I got out of clearance bins at local stores), I've gained
mega-spouse points! (heh)

Wednesday, October 19, 2005


The comments function should be fixed, for now. The disk is still short on space so it may pop up again.

XP Shutdown

I checked today and I still have a lot of extra gas in my spleen so I
guess I'll vent again...

What bright mind decided that the time to
install updates is during the shutdown process? We use XP as the host
sytems for VM's at school. The class ran a little late and we were
asked to help by shutting down and removing the hard drives. Nothing
like noticing "Installing 1 of 9" in response to your clicking on


Tuesday, October 18, 2005

Monday, October 17, 2005

Shmoo topics posted

For those not paying close attention, the Shmoo Group has chose some of the topics for the Spring Con.

Standards! Standards!! Standards!!!

I panicked, earlier, when I checked this morning's post and saw that each of the enumerated items all started with "1.". Chalking it up to too-many-hours-typing-into-a-Wiki, I'd intended to fix it from class this evening. Now that I have a non-IE browser pointing at it, I realize that I hadn't hosed the post. Rather, it was IE's lack of standards compliance (it didn't recognize the
    tag properly) that caused the crappy looking entry.

    Heads up MS, that's standard HTML that your browser isn't recognizing!

    Embrace-and-extend? [*snicker*] Someone remind me to grab screen shots tomorrow!

    Update: Here they are... The one on the left is Firefox. The one on the right is IE.

    'Nuff said?

Detecting infected clients via DNS

Consider this as another of my you-need-to-know-what-normal-is

About five years ago, a couple of us (at a previous job) wrote
a script to process DNS log files to watch for systems suddenly
performing massive amounts of DNS lookups. In other words, watching for
infected systems.

Someone recently wrote a paper on this same topic
and has received a bit of notoriety for it. There's no black art to it.
It's pretty easy to kluge together.

  1. First be sure that your
    internal DNS server can handle a heavier load. I recommend running a
    dedicated server using BSDi (even an older version) because the load
    that BIND puts on BSDi is barely noticeable.
  2. Turn on querylog.
    It'll generate log entries like:

    Oct 15 09:18:37 desk named[13556]: client query: IN A +
    Oct 15 09:18:56 desk named[13556]: client query: IN A +
  3. Obviously, Perl is perfect to extract data from these log
    entries. Write a script to parse each line and insert the data from the
    line into a MySQL or Postgres database.
  4. Then use Perl, PHP,
    Ruby, or [insert your favorite language here] to extract the data in
    different "views", such as total-queries-by-client,
    total-queries-by-network-per-minute (or hour or day),
    total-individual-queries-per-minute-by-target, etc.
  5. To go along
    with these data "view", it's usually helpful to graph the generated
    metrics for simple crayon-understanding graphics. To be useful, you'll
    want graphs for the last hour, the last day, the last week and the last
    month, along with a user-configurable graph generation script, so that
    you (or someone else) can make quick interpretations and make
    comparisons to previously collected data.
  6. Finally, you'll want a
    script to periodically clean up the log file, either archiving it or
    deleting it. Running querylog full-time with generate massive log
    files. It may also be a good idea to write scripts to aggregate the
    data in the database server, keeping only generic statistical totals for
    data past a certain age.
  7. Collecting/analyzing metrics such
    as these are well within the talents of the average network admin (and
    is usually free). I'm amazed that companies are willing to shell out
    big $$$ for something as simple as this.

    If you have anything to do
    with network adminstration, this is something that you should be able to
    do. If you "own" a network, this is something that you want at least
    one of your network admin or security types to do. (Think of it as
    being able to gather and analyze data for troubleshooting.)

Sunday, October 16, 2005

One more thing...

One more thought about hash collisions: before you throw out the baby
with the bath water, a quick way to improve the integrity of your
checksums is to use both MD5 and SHA-1. While the chance of a
collision with both algorithms is still theoretically possible, it's an
astronomical possibility.

Asterisk book

Click here for
the zipped version of "Asterisk: The Future of Telephony", published
under the Creative Commons license by O'Reilly. Thanks to Asterisk Docs
for pointing it out.

Saturday, October 15, 2005

I'm popular

This is supposedly from the author
of the recent MySpace worm, with a link to the technical explanation and
code. It's interesting in the same way the WoW virtual blood plaque


Arachnid has a quick piece on the recent Zotob worm.

p0f has an article discussing a benign use for p0f, gathering information about what's running the site's that you're visiting. The data that you gather might be complete useless or you might find a use for it or it might provide a bit of entertainment. I think the major benefit is that you gain experience when you perform experiments such as this.

Friday, October 14, 2005


Dana Epp has some comments
about Nessus's movement towards closed source. While I cannot justify
my feelings in the same manner that Dana can, I did contribute to the
project (a couple measley signatures) and feel just as betrayed as I did
with NFR and the CDDB. For each of these projects, I contributed data
to support an open community and the owner decided to profit by moving
the project away from the user community supporting it.

Thursday, October 13, 2005

Salted Hashes

Infosec Writers has an
article that explains the basic
of salted (seeded) hashes, including SHA-1 and MD5.

Wednesday, October 12, 2005

Wiki stats

In cleaning up the orphaned pages in the wiki on the new server, got to
looking at the page stats. What's odd is the #1 entry:
  1. Glossary
  2. Main Page (3078 views)
  3. Anonymous Proxies
  4. Asterisk (1735 views)
  5. Looking Up UPC Codes
  6. Looking Up Vehicle ID Numbers (VINs) (1094
  7. Perl - MSN IM Sniffer (1092 views)
  8. IPv6 on the
    WRT54G via OpenWRT (864 views)
  9. The Firewall Toolkit (FWTK) (818
  10. IPod Stuff (807 views)

Could it be caused by
the inclusion of sexual fetish descriptions in the glossary? If so,
then y'all are some sick puppies. (heh)


Don't you just love catching yourself doing something stupid? I managed
to troubleshoot my IPv6 routing issue in about 10 seconds once I started
to look at it. (Thanks to Wes for prompting me to do it.) The fix is
to not add the following to /etc/init.d/rcS. Rather, create a file
called /etc/init.d/S99tunnel and put it there:


#/bin/mkdir -p /var/log/
ntpclient -h -l -s &

# set up the IPv6 tunnel
MYIPADDR=`ip addr show vlan1|grep "inet "|cut -d\/ -f 1|cut -d \ -f 6- `
echo $MYIPADDR > /etc/myipaddr
#MYSCND=`cat /etc/myipaddr`
#echo $MYSCND > /etc/my2ipaddr
ip tunnel add mode sit remote local $MYIPADDR ttl 255
ip link set up
ip addr add 2001:470:1F00:FFFF::657/127 dev
ip route add ::/0 dev
ip -f inet6 addr
ip -6 addr add 2001:470:1F00:911::1/64 dev eth1
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
sleep 15
killall dnsmasq
dnsmasq -i eth1

Tuesday, October 11, 2005


I think I have my next toy targeted: the Linksys NSLU2 (Network Storage Link of USB-2). The local TWUUG'ers have pointed out the existance of custom firmware. Hey Santa: hint, hint!

Monday, October 10, 2005

Crazy Hacks

There's some interesting projects over on Crazy Hacks. There's also evidence that somebody has way too much time on their hands: why in the world would you want to write Perl programs in Latin?

Sunday, October 9, 2005

Comments off

Until such time that the site moves to the new server (or the old one
gets its issues fixed), comments are going to be a dicey thing to use.
Anything left in comments over the last two weeks has not been saved. I
apologize for any inconvenience. If there's a comment that you want to
add to the site, it might be easier to email me directly


Looks intriguing. Anyone know if it conflicts with similar protection schemes running at the same time?

Saturday, October 8, 2005

Malware database

The link to the Nepenthes database (yesterday's post) led through Aachen University's malware database. I have high hopes for this.

Friday, October 7, 2005

Malicious Code Visualization

While following a link in Antlab, I came across the malicous code visualization published by the Nepenthes people.

Thursday, October 6, 2005

Wednesday, October 5, 2005


Trivia question: When does 2000 1k (or less) blog entries eat up more disk space than 30 100K pictures?

The-powers-that-be say that the new server is waiting on some hardware. In the meantime, this one continues to wobble. I'll attempt to trim the site at the same time I'm posting but, with the current configuration, there's a limit.

The good news is that the site is mirrored here if the inode problem surfaces again. The bad news is that the mirror may be taken offline periodically to have "stuff" added to it.

Sunday, October 2, 2005


Another rambling post...

I've been reading various presentations and papers from recent conferences. Couple that with my recent knighting as a CISSP (yeah, last year I couldn't spell CISSP, now I is one) (don't ask me to say anything nice about it) and I have a schizophrenic thought: there's a difference between a business's view of security and a practitioner's view of security.

The business view of security is, and always will be, a money-based decision. Various certifications teach that risk involves a hole (the vulnerability), the likelihood that it'll be exploited (the threat) and the expected cost of reparations in the event that the vulnerability is exploited. Various pseudo-mathematical formulas have been generated to justify what is usually an already-made decision.

Purists will be offended that I've said that but, in reality, most business operate somewhere to the left of the ideals taught by various certification organizations. In other words, most small businesses still don't (and won't) comply with SarbOx, GLB, HIPAA and/or FISMA. They either cannot afford to comply or they would just like to maintain their profit margins. (Maybe it was a formal business decision: risk of getting caught = not maintain protections or records X likelihood of discovery X possible fines?)

One thing that has irked me ever since someone tried to convince me of the correctness of tieing asset cost to the risk formula: the missing business costs.

Think of it this way: you have web server. You've made the "business decision" that a specific level of risk is acceptable and that you can tolerate four incidents per year before your business suffers excessive damages. (Remember, the cost of the protections must be less than the recovery costs.) What's missing? How about people?

If I'm your system administrator, I'll probably enjoy the overtime pay. The first time. If it's a recurring event, it's going to affect my personal life and I'm going to want a raise plus better overtime pay to counter-balance the loss of my personal life. That or I'm likely to be going to job interviews during my off-time. (Hint: Using "flex time" to keep me on a 40-hour per week timetable adds insult to injury.)

If I'm your customer, it's likely that my business depends on your business. I'm likely to leave after the first incident, especially if it's spectacular enough.

If I'm your investor, I'm not going to like that my profits go to your system administrators' overtime or that your customer base is shrinking. I think you'll find that your stock price drops at an "interesting" rate.

On the flip side, the practioner's view is usually just as narrow. System and network administrators often get so caught up in "fighting the threat" that they spend inordinate amounts of time "doing security" and allowing operations to suffer. They might spend so much time "locking things down" that the network becomes rigid and inflexible, unable to quickly adapt to sudden changes in business requirements. There's also a common belief that the operations/security budget is too small, regardless of its size.

It's this dichotomy in security "views" that perpetuates the resentment between business (AKA "the suits") and operations (AKA "the nerds"). Unfortunately, I don't have a fix for this. I'm just noting that the condition exists.

Apologies for the incomplete rambling. I'm still trying to flesh out this argument elsewhere for future "at length" use. The argument currently is skewed as I "came up" from the sysadmin side of the house. Comments/thoughts?

Saturday, October 1, 2005


Heads up! Today is the last day to get your $75 ShmooCon tickets (got
mine last night). Tomorrow they're $150 each.

Friday, September 30, 2005

Wish list

The following from PCPhoneLine
are going onto my wish list:

Anyone know of any reason why I shouldn't?

I didn't add the VPT1000 to the list because it's a corded (USB) phone, something I'm not looking for at this time.

Thursday, September 29, 2005

Trojan ports

You may find it useful (I don't): Rob (NetSec) has a Excel spreadsheet of well-known trojan ports. I don't like it because it's just a spreadsheet of ports and names; it contains no extra data.

Wednesday, September 28, 2005


Open ITWorld has an article
entitled "Finding Text in Context" which talks about using grep. This is another one of those good-to-knows.

Tuesday, September 27, 2005

Extending Nagios

Unix Review has an article about extending Nagios, a good tool for monitoring metrics and various statuses within your network.

Monday, September 26, 2005


Could it be that Touchstone Pics "gets" it?

I've just watched the DVD
for Hitchhiker's Guide and the previews were a menu option, not a
required series of bits that you passed through on the way to the movie.
Heck, after watching the movie, I went back and watched the two previews
that interested me.

Sunday, September 25, 2005

Saturday, September 24, 2005

Registry Listing

(from adminfoo) Microsoft has a listing of registry keys. It's a bit blind for third party software but is a good resource for Microsoft keys.

Friday, September 23, 2005


It's interesting and frustrating when you're doing research (in this
case, for the Kismet::Client wiki entry) and search engine searches
return your own work-in-progress. Arg! (heh)

I've finished sorting
out the Kismet tags and I'm trying to fill out the descriptions of each.

Thursday, September 22, 2005

Audio Processing

A classmate recently used my iPod and a iPod microphone to record a
class that I could not attend. Needless to say, the audio was extremely
poor. I've managed to clean up the audio by running it through a few of
the filters in Audacity but I'm still not that happy with it.

I was
able to find this list
of tools available for Linux but it's obvious that I have no clue about
where to start. Anyone have any good how-to's or a list of recommended
books? It appears that this is going to become more and more important
for me as the topic of recording lectures has come up quite often

Wednesday, September 21, 2005

Hash Function Workshop

NIST is planning on hosting a Hash Function Workshop to solicit public
input in how best to respond to the issues arising from Wang, Yin, and
Yu's paper on SHA-1 collisions.

Tuesday, September 20, 2005

Monday, September 19, 2005


Well the spaceship failed to appear on time and rescue me. I'm faced
with having to experience yet another Talk-Like-A-Pirate Day


p.s., Anyone know if you-know-who dressed-the-part


Are some people are entirely too paranoid? I find the idea that eavesdroppers can figure out what you're typing after 15 minutes of eavesdropping, while technically possible, just a bit over the top. Things like this, while feasible in the lab, tend to be impractical in real life.

In any case, for you tin-foil hat people, here's a list of countermeasures so the black helicopters don't get you:

  • Never use the same computer for more than 15 minutes
  • never use that computer in the same location
  • construct a "glove box", with sound dampening material, to contain the keyboard (helps block those evil shoulder surfers too!)
  • Intersperse a significant amount of random letters in your text and then go back and remove them with the mouse
  • purposely mispell your "Letters to the Editor" to throw off the statistical analysis (it won't change the Editor's opinion of you any)

Can anyone else think of any? (heh)

Audio Analysis

(This is a repeat but...) Rob and I are going to have to talk about this tonight. Very few of use should be concerned about password (or other text) capture via audio analysis.

That is, unless you're worried about who's listening via the microphone that you're absolutely sure is in the smoke detector, along with the radioactive source the government put there to slowly kill you.

Sunday, September 18, 2005


The joatWiki has been moved to the new server. Although the
host name may be transitional, that is where the data is located. I
will start deleting information on the old server shortly.

The Side Channel Cryptanalysis Lounge

Via NetSec: here is the Side
Channel Cryptanalysis Lounge

Saturday, September 17, 2005

Star Wars

From the too-much-time-on-their-hands category: You can view the
animated text version of Star Wars by telnet'ing to

It appears to be full-length but I didn't have
the time to watch it all the way through (got as far as Luke meets Obi-
Wan). Is the story line that bad without the special effects?

Oh, it's safe to ignore the IPv6 comments. It'll still play.

Friday, September 16, 2005

You know you're a dad when... hear (or find yourself saying) this or
"Put the hammer down and let go of the cat!" or "That's not what that's
for!" and you don't even bother to look up.

Wednesday, September 14, 2005


Still more fun with Kismet::Client in the Wiki. Experiments in determining the Perl-accessible variables in Kismet.


As a counter-weight to Marcus Ranum (yesterday's post), here's an example of what Marcus was talking about...

Uh, could someone take a handful of clues and slap David Coursey with them? I was just pointed to DC's June article where he promotes what amounts to censorship, though he claims it's not.

Originally, I wrote a long, rambling vent about how ignorant DC is. Thanks to the recent outage, I've reconsidered my thoughts and have slightly more PC recommendations: David, go take a civics class (to find out how government works) and then take a criminal justice class (to find out how law & law enforcement work).

For any law students reading this, here's a quiz: what were the errors in his article? (5 points each) Answers later.

Tuesday, September 13, 2005

6 Dumb Ideas

Marcus Ranum has an interesting article on "The Six Dumbest Ideas in Computer Security".

I agree with "Default Permit", "Penetrate and Patch" and "Action is Better Than Inaction". I could do without the Sun Tzu reference, regardless of what he did or did not say. That reference gives the impression that your management isn't to be trusted. (See "user" reference below.)

I had to read all of "Enumerating Badness" before agreeing with it. It's AKA "log file reduction".

I slightly disagree with his position in "Hacking is Cool", only for the factor that the only available alternative (currently) amounts to "ignorance is bliss".

I have issue with his "Educating Users" section as it comes across as "don't trust your users" and the need to "protect people from themselves". However, I'm not saying that I disagree with him. I just don't like how he stated the issue.

"The Minor Dumbs" are mostly spot-on, though the root of the problem (IMO) is the security vendors that promote those ideas in the first place. Every single "minor dumb" originates in the marketing fluff that management reads on a regular basis.

Monday, September 12, 2005


My apologies. I ran afoul of an experiment with group quotas. The powers-that-be have fixed the issues (thanks Count!).

Update: I've reposted the missing posts. Anyone who'd left comments between 9 Sep and 12 Sep, please repost them.

Sunday, September 11, 2005

Wiki - Kismet

I've put some more work into the "Kismet & Perl" wiki page. (Still more to come.) Take a look at it here.

Saturday, September 10, 2005


The blog may be a bit dodgy this month for a couple of reasons:
  • I plan on adding memory to the cantankerous antique of a machine that I call my desktop system
  • the powers-that-be at 757 have said that the current system has a very nasty wobble and that we should migrate to another server

Please bear with me/them.

Update: OMG! I should have added that memory years ago. It probably would have saved me the cost of the two hard drives that I wore out (from almost incessant page swapping). I actually like Windows boot-up speed for once (it's that noticeable)!

Update II: In performing clean-up for the move, I've taken a lot of older non-joat content offline, such as the files from last year's ShmooCon. If something's listed-but-offline, ask.

Thursday, September 8, 2005


It's basic but it's good to know: TCPWrappers.

If you have a *nix system, you should be using this in conjunction with some sort of packet filtering software (IPTables, BPF, IPFS, IPFW, etc.), even if it's an internal system.

Wednesday, September 7, 2005

Sysadm Law

If you administer a system/site for anyone, even for family members,
it's a good idea to be familiar with the topics described in David
Loundy's E-Law4.

Tuesday, September 6, 2005

9 Questions

ComputerWorld published a
valuable article almost a year ago that will probably be applicable for
a very long time: Nine
questions to ask when evaluating a security threat

Things to
keep in mind when asking yourself these questions: the underlying
assumptions are not static and other "forces" may change the questions.
To be able to answer the questions effectively, you need to have
intimate knowledge of your infrastructure (well-maintained documention)
and you need to know what "normal" traffic looks like (well-monitored

Monday, September 5, 2005

Kismet and Perl

I managed to find some of my original notes on using Perl with Kismet.
There were a lot of errors so I'm redoing all of the work while I'm
adding it into the Wiki. Take a look (here)
at what I've got so far.

Bluetooth spam

Bluetooth spam is coming into existence. Bruce Schneier has talked about some of it.

My thought is that this will lead to physical vandalism of a number of vending machines, due to the short transmission ranges involved. In other words, rabid "no spam" types may assault the local soda machine because they receive unwanted "Drink Pepsi" ads every time they walk by it.

This could lead to some interesting developments. I can see just about every type of spam (porn and "your system is insecure" included) being transmitted in public places.

Saturday, September 3, 2005

Worm invades!

Pete Lindstrom hit it right on the funny bone. Mebbe he should included a comment about [the author's agenda to change something] or how the author released the worm because he/she [verbs|has a secret verb] for [person|place|thing]?

Friday, September 2, 2005

No op

Nothing much to talk about today. I'm just getting back up to speed
after taking a certification test two weeks ago. Except for a few
posts, you've been reading from my backlog. The test was so rough that
it put me "off my feed" for the better part of two weeks. Tonight is
the first time that I've typed (non-work-related) for more than 5

The test was horribly convoluted, the questions poorly
worded, and overly rationalized. I got the feeling that they were
testing more for the ability to pick the question apart rather than for
problem solving or knowledge.

And, yes, I did pass. Just don't ask me
to say anything nice about the course or the certification. I don't
feel that anyone, having passed the exam, has accomplished anything.
It's ironic that the certification is promoted as one of the leading
accomplishments in the field. The course and test bank strongly needs
accreditation by an external entity.

Note: this is not the
certification that I talked about last weekend.

Thursday, September 1, 2005


Anyone know of a short-haul star freighter in the area that can get me off of the planet by the evening of September 18th? Why? Because September 19th is "Talk Like A Pirate Day"! Something I can't avoid even by staying in bed that day.

Hmm... Mebbe if I use a hammer on the only house phone?

Wednesday, August 31, 2005

Kutztown 13

The Kutztown incident is a very good example of "what not to do". Let's
see if I can explain this and why I think that even attempting to impose "community service" might be a bad idea.

The basic situation: the school attempted to press felony charges
against school children for repeatedly bypassing security functions
installed by the school.

The problems:

  • Attempting to become the parent
  • Assuming
    all students are the same
  • Lack of due care and due
  • Other problems

Attempting to become the parent

The parents cannot be held responsible for the actions of their
children because it is the school that acted as "the parent" in this
situation by putting an adult "tool" into the hands of a minor. Use of
an adult tool, be it car, gun, or communications device requires a
specific level of adult judgement. This is something that most minors
do not have and it is also something that is not easily replaced by
software, especially software purchased via a least-bidder contract.

The responsible adult(s) in this situation are still the school board
and the teachers (those that gave the adult tools to the minors). Most
parents do not understand computer technology/security or the related
federal laws. Thus, the school became (and remains) the responsible
party by being the knowledgeable "enabler" by putting an adult "tool"
into the hands of minors and then not providing constant adult

Although the parents probably signed a permission slip, it's probable
that they didn't understand the implications of that permission. I'm
willing to bet even a poor lawyer could break the supposed contract in
that permission slip.

Assuming that all students are the same

Regardless of the "we're all equal" tripe that is force-fed in most
schools today, students differ. They have different/differing IQ's,
religions, respect for authority, and upbringings. Occasionally (ahem)
you'll have a student that is smart enough and motivated (peer pressure
in high school usually will override ethics and authority) to take
advantage of an opportunity. Peer recognition will usually cause this
"seized opportunity" to be shared.

Believing that the installed
protections were adequate enough to (to use a noun as a verb)
countermeasure all students abilities and motivations, makes the
school eligible for the InfoSec Darwin Awards, if such a thing ever
exists. To maintain "security", your minimum protections must be
sufficient to counter the most talented and badly motivated user, not
the "average" user. 'Nuff said?

Lack of due care and due diligence

AKA "poor judgement". The school displayed poor judgement (lack of
due care) by putting an adult "tool" into the hands of a minor and then
neglecting to provide adequate supervision when the minor
exercised that tool. Even though the school may have believed that it
had practiced "due care" by installing various protections, it obviously
didn't practice "due diligence".

"Due care" equates to taking the necessary precautions to prevent an
incident (an instantiation of a risk). Obviously, the level of security
was not sufficient to prevent an incident. That the incident was as
severe as it was and that it involved so many students is an indication
that there was a difference between perceived and actually required

"Due diligence" is the practice of enforcing those precautions
(countermeasures) and being able to prove their consistent enforcement
over time (auditing, record keeping, etc.). What occurred didn't happen
overnight. Who was reading the firewall/router logs? IM traffic is
easy to detect. The school should have noticed when the first student
started experimenting with his laptop.

"Due care" and "due diligence" also requires adjustment of
countermeasures they reveal an inadequacy. The article indicates that
the situation continued to exist, even after detentions, suspensions and
"other punishments" (what the heck does that mean?). This means
that the school only attempted to correct the situation by external
measures (getting the parents involved). The school obviously failed to
increase required physical, logical and administrative countermeasures.

"Adequate supervision" involves the phrases "consistent (and
constant) supervision" and "adult-quality judgement". Believing that
adult judgement can be replaced with software, especially when "physical
security" is negated by allowing student custody of the laptops, is a
serious mis-judgement.

Use of desktop machines in a formal classroom setting implies a
certain level of integrity provided by constant physical security and
near-constant physical presence of authority. This "advantage" was lost
by issuing portable systems and allowing them to be taken out of the
"secure environment". Even if possession of the laptops were restricted
to the school, you can't assume that the 50 year-old part-time teacher
would be able to recognize improper or illegal activity in study hall.

Other problems

Err... How about overreacting? The "zero tolerance" policy often
quoted by public school officials is often a rationalization to vacate a
school's responsibility/judgement or to hide their own
complicity-due-to-negligence in a situation. In this case, all three
might be involved.

Some of the security "tools" installed by the school may have been
illegal. While it is permissive for a parent to invisibly monitor their
child's online activity, serious questions should be asked when a school
installs the ability to monitor students' activities on an individual
. In other words, generic monitoring (watching proxy or router
logs for suspicious activity) is generally permissible with prior
notice. However, employing a "a remote monitoring function that let
administrators see what students were viewing on their screens
without just cause (and usually a search warrant), is likely to be a
felony in itself. Remember, we are not talking about parent-child or
employer/employee relationships.

Parent-child relationships/responsibilities have created unique legal
conditions which are not easily transferred to institution-child
relationships/responsibilities. In this case, the school can probably
be slapped with a "contributing to the delinquency of a minor" charge
for not providing adequate supervision after facilitating (providing the
tools of) the crime.

That the tools of the crime were provided by the school, that the
object(s) of the crime was also school property, and that the
perpetrators of the crime were school charges has created a very sticky
situation for the school. The school exacerbated the situation by
attempting to charge the students with felonies, thereby drawing the
attention of national media.

Closing comments:

  • this "experiment" obviously has
  • attempting to "save face", as the article puts it, via
    imposed community service, risks yet more embarrassment
  • since
    this is a public school which accepts federal money and keeps digital
    records on its students, do you think FISMA or GLB applies?

Tuesday, August 30, 2005


I've attempted to talk about the following, off-and-on, for the last few
years. Here's yet another attempt...

I'm likely to be completely off
the mark with this but the DNS control argument may become a moot point
(or an even bigger issue) with the adoption of IPv6. The U.S. keeps
control of DNS space solely by the pseudo-rules-of-thumb known as
"possession is nine-tenths of the law" and "majority rule". In other
words, control is maintained solely by inertia and continued support of
majority rule.

IPv6 changes the playing field because of the differing
rates of adoption of the technology. A visit to the current 6bone will
show that the ratio of English to non-English sites is much different
than version 4 IP space. There is a slight risk that current
infrastructure managers might attempt to use "majority rule" to start
their own address infrastructure.

I say slight as such an action would
require cooperation on a massive scale by parties who normally are very
contentious, politically different and motivated by normally-opposing
agendas (profit, control, ideologies, etc.).

I believe the situation
to be quite binary. As long as the forces remain below a certain level,
ICANN is likely to retain "control" (a poor term for it) of the DNS
system. This is the most likely outcome.

However, if the level of
contention goes above a certain point, or if opposing forces change the
turn-over point in the equation by cooperating with each other, we might
see a very fractious DNS system. Fortunately, if this occurs, the
condition won't last long (in geological time) as systems do not
normally support unstable conditions for long. Remember:

  • chaos
    requires complete lack of control
  • oscillation requires a very
    specific form of control (feedback) and a permanently unstable
. Neither of these conditions are tolerated long by
financial or political institutions. Unfortunately for us users, the
corrective controls used by either of these institutions are not
normally that subtle.

This should be quite interesting to watch.
Also, there are probably quite a few "business opportunities" in the
above if you're in the right place at the right time with the right


Monday, August 29, 2005


I've been having a lot of trouble with my BlogRoll of late. Anyone
visiting the site may have noticed (I'm not understating) extremely long
load times. In other words, the page stalls while loading the Infosec

Does anyone have any suggestions for alternate services?
I'd like to keep the same basic information-presentation but, barring
that, I'm willing to try out just about anything.

Sunday, August 28, 2005


I'll echo Richard's recommendation about the NSA's IAM and IEM certifications: if you "do" assessments, the certs are a very-nice-to-have.


If you're going to ToorCon, I recommend Squidly1's talk on alternate
for the PSP. Ask her about using her PSP to find the hidden AP
at SANS.

Saturday, August 27, 2005

Once more into the bitch (err... breach?)

(heh) This time the fire
is over on Dana's blog. Remind me to put "responsible disclosure" on
the list of things never to talk about again?


This is almost a year old but is interesting (for me) in that it references some old work of mine concerning the OpenFuck exploit. Found during some vanity surfing.

Friday, August 26, 2005

Tuesday, August 23, 2005

Porn pirates

You'd think the name "joatblog" would be pretty darn unique, wouldn't you? Another thing that I found out via vanity surfing is that some porn jerks (FG4/DF4) are "borrowing" key names, using them as hostnames within their domain and are hosting porn sites behind them. For those that want to know more, substitute "joatblog" for "MYBLOG" in the following string (keep the underscores) and go search Google for that phrase: "cyberspace_MYBLOG_hopefully".

If this blog were part of a business, I'd have a legal action available. As it is, I can only (legally) remain pissed.

Monday, August 22, 2005

Forensics forms

It struck me as a bit odd that part of the homework (tonight was the
first class) was to search for forms used in collecting digital evidence
(use of the term "computer forensics" has been formally "frowned

After a 15-minute Google search, it's amazing. Everybody,
including their mother and her Bingo friends, has some form of computer
forensics (sorry Rob) book or course. Very few of those sites, other
than law enforcement, provides any tools or support.

The assignment is
actually to find a number of processes used to support the creation and
maintenance of the chain of custody, and discuss them. This could get

Sunday, August 21, 2005


The Penguin Sleuth Kit
(PSK) is a Knoppix-based Linux distro with tools not only for computer
forensics but quite a few network troubleshooting and monitoring tools.

Note: Users of this kit should also read the disclaimers on the site
if the use is intended for legal/LEO purposes.

Saturday, August 20, 2005


For those that missed it (a few days ago), LURHQ has an analysis of the Myfip worm.

Friday, August 19, 2005


is a SANS paper which discusses the simple traffic analysis using

Thursday, August 18, 2005

YMD (Yet More Drama)

I may be reading more into it than I should be but here's more drama over the .xxx situation. I can't help but think that the finger pointing up the hill is meant more to point at someone else's dirty laundry than their (ICANN) own.

Wednesday, August 17, 2005


From class today:

"Firewalls cannot block stupidity." - Dennis Lee


Just a topic that was brought up earlier this week. Standardization of equipment and software across an enterprise allows that organization to operate more smoothly and (usually) more securely. However, many organizations forget that this is a "horizontal" rule but NOT a "vertical" rule. For example, all workstations should use the same make/model computer with the same version/patch level OS and configuration. However, the you should not be using the same hardware/software/configuration on your servers and perimeter equipment. You'd be amazed at the number of people that don't "get" this.

Tuesday, August 16, 2005

Still more problems

Here is more of the ongoing issues involved with the .xxx domain. The author seems to be a bit naive in that he is suprised that objections exist. Not only are the porn site owners objecting (most sites are transient in nature and they don't want to pay $70 per domain per year), various government offices are also objecting.

Monday, August 15, 2005


The media has once again created controversy by overstating a court decision. (this one) The court case was lost not due to the use of MD5, it was lost due to RTA's inability to "find an expert" to prove the pictures were not tampered with after they had been taken. This means one or more of the following conditions occurred:
  • they actually couldn't find anyone (although it's unlikely)
  • they couldn't find anyone that could explain MD5 in simple terms that would indicate that the liklihood that the traffic infraction actually occurred. Hint: think DNA evidence. You will always hear "probabilities" discussed when lawyers discuss DNA. Yes, there are collisions in MD5 number space. The probability of forgery goes down very fast if that "collision" has the same MD5 hash, looks like a picture, of the intersection in question, with the defendant's car passing through it, with the defendant's license plate in view, with the camera's timestamp (and other) data embedded in the picture.
  • the prosecution was unable to display the chain of evidence, in the form of being unable to prove when the MD5 hash was generated. The hash being embedded in the picture may actually cause a problem because it means that the picture was changed after it was taken, by the camera itself. However, this is a procedural problem, not a technical one, and would translate into the prosecution not being able to find anyone willing to take an oath to assert/support the accuracy of the data.

I doubt that MD5 hashing of traffic pictures will cease. Rather, I believe that how they're presented in court will change.

Sunday, August 14, 2005

No op

I'm on the road again this week, in the DC area, Vienna specifically.


Don't know where Rob got it but NetSec has a pointer to a very
good paper on the Enigma machine.

Saturday, August 13, 2005

Wiki update

I've changed the format of the wiki slightly and have moved quite a few
items from my house wiki. I have quite a bit of clean up to do so
please bear with me.

Python tutorials

From NetSec, free, online Python tutorials.

Friday, August 12, 2005

3-button mice

Tony Finch point to this one.
"Where are
all the 3-button mice?
" rings a bell with me.

The only reason
you don't hear incessant whining from me is my secret (okay, now it's no
longer a secret) cache of Logitech 3-button mice. I bought ten of those
suckers when I heard Logitech was discontinuing the line. Also, I have
to thank Hurd for donating a Sun Crossbow (3-button USB) to the
collection, thereby prolonging the canibalism and jury-rigged repairs of
those first ten mice. I wear 'em out fast.

Everything Wireless

InfoSec Writers has a paper which has a pretty good overview of most of the issues involved with using Wi-Fi technologies.

Thursday, August 11, 2005

Richard Bejtlich has a post about a court case that a friend (Dave!) will probably find interesting. It's about a court case that the prosecution lost because they didn't understand current theory about MD5 collisions. In other words, they couldn't prove that a picture hadn't been tampered with after it had been taken.

In the same post, Richard points out a project by Harlan Carvey, who visits here now and then: the Forensic Server Project. His book also has a supporting site: I highly recommend visiting all three.

Responsible non-disclosure

I'm pissed at Michael Lynn throwing a tanker truck of gasoline on the
"responsible disclosure" pyre. It leads to overly politically correct
announcements such as this. Little is
gained from this type of announcement other than eEye getting a bit of
"street cred". Announcements like that damage Microsoft's business by
making organizations leery of server safety without giving them an idea
of what to do to protect themselves.

Personally, I favor full
disclosure but if we cannot live with that, I'd rather not hear about
the vulnerability until such time that the vendor can comfortably talk
about it. Many of the same arguments for "responsible disclosure" (I
really dislike using that term), can be made for "responsible
non-disclosure". Maybe the only way we can get back to the middle is to
push the pendulum further away from center?

Wednesday, August 10, 2005

Tuesday, August 9, 2005

Malicious agents

Here's a paper discussing the evolution of malicious agents (spyware and the like).

Monday, August 8, 2005

I miss the peace and quiet

I guess my spammer decided to sell this URL to some n00b spammers 'cause
I've got a ton of poker spam and Chinese porn spam in the comments
queue. Oh well, the peace and quiet was nice while it lasted.

Crypto latency

InfoSec Writers has a paper which discusses the latency added by using high-end encryption in VPN's.

Sunday, August 7, 2005


We already knew that CWS was bad. Now this:

It looks like the FBI is involved now. If your machine has ever been infected with CWS, consider any valuable information on it as compromised (i.e., at a minimum, change your passwords).

Interesting tools

I've seen some interesting new tools in the past few days:

  • Nepenthes - a
    honeypot tool
  • fwknop - using portknocking
    as an additional security feature

Update: I managed to fat-finger the URL for Nepenthes. Thanks goes to Gaetano Zappulla for correcting it. He also suggests taking a look at kojoney, SSH honeypot written in Python using the Twisted Conch libraries.

Saturday, August 6, 2005

Friday, August 5, 2005

Thursday, August 4, 2005


The Network Security and Architecture Lab (thought this was going to be about the other NSA, didn't you?) has a post about the Georgia Tech Honeynet Report which has some interesting screenshots of a homemade visualization tool. I often get quite frustrated with these topics as very few people are willing to share their visualization tools. Interesting screenshots though.

Wednesday, August 3, 2005

New semester starting

This fall's class centers on computer (and possibly network?) forensics
so expect a good number of forensic-related posts. Rob is also
attempting to provoke me into teaching an IPv6 class.

The Ten Commandments

Brian Warshawsky has a piece on the Ten Commandments of System
Administration. He posted the tenth one, of which I'm a firm believer,
on June 27. I wrote a SANS paper for log reduction based on this
commandment. Entertaining and rules-to-live-by at the same time.

Tuesday, August 2, 2005

Henning Schulzrinne

If you dig a little at Henning Schulzrinne's (Professor and Chair,
Columbia's Dept. of Computer Science) Internet Technical
page, you come across some valuable listings of
network tools.

Monday, August 1, 2005

Gergely Erdelyi

Gergely Erdelyi has written a number of papers. He has the following
available here:
  • Cleaning up the
    Mess - Time to redefine disinfection?
  • Chasing Ghosts? - Return
    of the Stealth Malware
  • Hide 'n Seek - Anatomy of Stealth
  • Digital Genome Mapping - Advanced Binary Malware

Podcast list

Finally got around to compiling the list of podcasts that people listen
to. See it here (in the
Wiki). If you want to add to the list, e-mail 'em to me.

Sunday, July 31, 2005

New record

Wi-Fi Toys has a post
about the new unamplified Wi-Fi distance record being set.


Short version: I think that Cisco is overreacting and is being a bully.
Long version follows...

Cisco has a press release about the
permanent injunction against M. Lynn. Most of it reads like the usual
PC fluff. However, I take exception to the following:

actions with Mr. Lynn and Black Hat were not based on the fact that a
flaw was identified, rather that they chose to address the issue outside
of established industry practices and procedures for responsible

Based on available information, I feel that those
words are entirely bullshit and ask that someone (at Cisco hopefully)
point me to those "established industry practices and
" (the phrase implies that they're written down
somewhere). Supposedly Cisco patched the flaw last April, which means
that it was known (or made known) to them before that. If "established
industry procedures" indicates the "Full Disclosure Policy" that was
drafted by Rain Forest
, then M.L. was well outside of the 5-day waiting period. Or
even the 30-day standard that Microsoft pushed for when that company
last trotted out
responsible disclosure
. Or how about eEye's RDP where specific
information is withheld until the patch is realeased? Coincidentally,
eEye's reported process is similar to those of the OIS (Organization for
Internet Safety
) (read their PDF for the actual written practices
and procedures) in that specific information is withheld until the patch
is released.

So which "established industry practice and procedure"
did M. Lynn violate? Or did Cisco just not like someone airing their
dirty laundry?

Just so that there's no confusion about my
"overreacting" opinion, I used that term in referring to the injunction
requirement put forth by Cisco, where M. Lynn never speak at Blackhat or
Defcon again, on any topic. I'd understand if the requirement was
limited to this specific vulnerability. In my opinion, anything extra
is malicious and over-the-top.

Neither side has acted with logical
consideration to their actions, both are trying to appear to be "the
victim", and all involved should "get over it".

Saturday, July 30, 2005

Shmoo Redo

Errr... I missed the announcement of this one too: ShmooCon 2006. Current price $75.
For those that don't know: the price goes up as it gets closer to con