Sunday, February 25, 2007

OpenSSL and FIPS

As pointed out by Ben Laurie, the FIPS cert for OpenSSL is enabled again. Unfortunately, there are a number of large companies with financial interest in seeing this fail yet again. Conversely, there are number of large and small companies that'd like the FIPS cert to remain "alive".

All in all, I think it's a piss-poor process where testing and results (not just at NIST) can be swayed or delayed just because a external objection was submitted. If I was NIST (or the Wi-Fi Alliance), I'd be writing rules about spurious objections into the charter.

CompUSA closing?

It may be a bit morbid but I enjoy closings like CompUSA shuttering 100 stores. If you're in the right place at the right time, you can pick up a lot of interesting stuff, dirt cheap.

Radio Shack went through a similar down-sizing last year. I lucked out in that the local store that was closing was kept open the longest so that the other stores' un-sellables could be sold at our location (at %70+ off). The one clerk's joke was that if we're still open, the discount has increased. I was able to pick up a handful of X-10 interfaces, some handtools, a Vonage box, rechargeable batteries, a really nice soldering iron, a video sender, and a Skype phone, all for less than $60.

Saturday, February 24, 2007

Wiki comments

For those interested, the wiki now has a comments function, thanks to Haloscan and kekePower's work on "getting Haloscan to work in MediaWiki" (I did not use the template though).

It'll take a bit, but I'll add the comments function to each of the pages in the wiki (a set of tags needs to be added to the bottom of each page or section).

Update: I've posted my version of adding Haloscan comments to the wiki.

fetchmail timeouts

Before I left for work this morning, I tried to get to one of my webmail accounts. Suprisingly, my Cox connection was down (okay, that was sarcasm). When I got home from work, my MediaMVP playback was so sluggish it was unusable. In troubleshooting, I noticed that the server load was well hovering around 4.0 (for this system 1.0 is considered loaded). In tracing that, I found three instances of fetchmail's rsync subsystem that gets used to support IMAPS. For some reason, those three instances (originating 10 minutes apart) never connected, even after the network connection came back.

Remembering that fetchmail doesn't timeout unless you tell it, I set about trying to add the timeout to .fetchmailrc. Would you believe that after about 20 minutes and a healthy number of Google searches, I still hadn't discovered the proper syntax for adding the timeout? (I'd guess that it doesn't get used much.) Finally, I stumbled across the following syntax:


poll [popserver]
timeout 120
protocol pop3
username [popuser] there is [localuser] here
password [pass]
fetchall

Thank you to "init0" in the #mutt channel on Freenode IRC!! (The pastebin says the paste was about a week old.)

Comment system back on

For want of a better system (now that I'm generating static pages and pushing the updates to the site), I've returned to using Haloscan for the comments. Unless someone can suggest something better, I'll stick with Haloscan.

It's also interesting that they now support comments for MediaWiki. I'll have to experiment with that.

Friday, February 23, 2007

Think safety

(heh) There are people that recommend that you don't take your laptop to a hacker con or use your credit card anywhere near it. There's probably some truth to it. Before you think it silly, consider that: manufacturers' stated ranges do not count, various things about you get posted whether you like it or not (hint: click the links); if you didn't field-strip your laptop before the con, it may embarass you; pictures are taken (we see you Joe) ; various hacks are traded (on and off of the stage), people are caught doing strange things, etc. Let's also not forget that there's been groups of people there with differing levels of ethics (i.e., EARE and Britt). Mix those with quantities of alcohol and it's usually safer to leave the technology at home. It's easy enough to embarass yourself as it is. Though the room stuffing contest (Doug, we see you!) was fun.

Tuesday, February 20, 2007

Speed

(heh) If you ever want to a demonstration of how good your bandwidth is, fire up BitTorrent and download a copy of Fedora. 689KB/s down, 94 KB/s up, 475 peers and a swarm speed of 1.7 MB/s. Yikes! (I remember being able to read the content as it was downloaded.) It is odd though, of the three top download rates, only one is U.S. I seem to have better throughput to Denmark and Britian.

Monday, February 19, 2007

Free BlackHat Tickets

Martin has already blogged about them but it's still worth pointing out that Help Net Security has some complimentary tickets to BlackHat DC 2007.

Shmoo Topics

...and for those that haven't been paying attention (myself included), some of the Shmoocon speakers have been listed. While it's a bit sparse on wireless (my current concern), there are still topics that are considered don't-miss.

It appears that the Potter triplets (Ray, Al, and Bruce) are not appearing together this year so Jeff W. will have to throw straight-lines from the back at more than one talk. (You're our hero, Jeff!) Then again, the topic is similar so maybe Renderman and Russ Housley will be stepping in for Ray and Bruce. If they're doing the other topic that is mentioned repeatedly in the Bios, Jeff and I will probably be there to lob straight-line questions and Shmoo balls.

Richard Beijtlich and Simple Nomad are also return speakers. All in all, it looks to be an interesting conference shaping up (ignoring the lynch mob facing whomever gets to do the "Own the Con" talk).

Update: it looks like they took the advice from last year's "Own the Con" and are starting the Sunday talks an hour later.

Shmoo Bar-foo

Keep an eye on your inbox kids. The ShmooCon barcodes arrive tonight at noon!

Update: Deja vu! Anyone else get a bad bar code (corrupted file?).

Sunday, February 18, 2007

SageTV upgrade

Wish me luck! I'm off to upgrade to a beta version of SageTV. The most recent version that I've been running worked nicely but had an issue with scanning directories for new files (frustrating when you watch/listen to a ton of podcasts). The shiny-pretty feature in this upgrade is an interface to YouTube (in addition to the existing one for GoogleVideo)

Oh! It's also nice to see that the hardware community is starting to work on getting WinTV PRV USB-2 running under Linux.

Update: The upgrade went off without a hitch. The shows I had recorded under the previous version showed up in the imported videos folder (not sure how that happened). The YouTube feature stutters a bit more than the Google Video feature did but that may be caused by the current Internet issues. I discovered a feature that wasn't in the previous version: network encoding. SageTV is now a true network application in that the server can run on different systems than the tuners and/or the clients. It is also capable to working with the Roku PhotoBridge. Cool!

Friday, February 16, 2007

Wiki page counts

The page count for the Linux and SageTV page has passed all other pages except for the glossary and is slowly gaining on that. Initially the page count for the glossary was a bit of a suprise but, after thinking about it, probably remains in the lead because when I first built the glossary, I included a number of job-related terms describing the various sexual fetishes. Believe me, when your any of your bosses are women, it's much less embarassing to provide a link to a clinical description than it is to try and explain the term in person.

In short, sex is #1 with television a rapidly closing second. (heh)

(IN)SECURE #10

Heads up. Issue #10 of (IN)SECURE Magazine is out.

File Carving Challenge 2007

For any of you forensics types that like contests, the 2007 File Carving Challenge is open. It's the one run by Carrier, Casey and Venema.

Thursday, February 15, 2007

Another wave

Speaking of crypto advancements, did anyone catch (or miss) the story about Intel coming out with an 80-core chipset? That'll use less power than my porch light? You think the crypto-geeks have problems now? Wait until multi-Tflop systems can be purchased via the average credit card. Keep in mind that many current crypto systems are considered trustworthy because of the amount of computing time required to break a specific key. A lot of the low-end algorithms will "disappear". The math field should be quite interesting to watch in the next decade.

It'll affect a lot of other markets too. Grass-roots media (you guys in the garage) will be able to homebrew clusters for animation that are more powerful than what exists in big iron or animation cluster farms now. Coupled with high-def and other technologies, wired life is going to get weird. Fast.

Tuesday, February 13, 2007

600 mW

Wow. The 600 mW card is out. (Note: I don't think that 3 dbi antennas are legal with that.) How long until they give up and just release the 1 W card? (heh)

Last word

My final comment on DRM (I'll drop it) (unless of course something really stupid is done with it or crypto advancements affect it)...

DRM protects you from nothing, other than your ethically challenged self. If you're an honest person, you'll never see it (unless it's implemented poorly). If you're a professional criminal, it'll add steps to your process but won't stop you.

Q: So, who is it aimed at? A: You, the guy who attempts to save 99 cents by listening to music that someone else puts online. 400 million 99 cent thefts gets attention. I find it odd that the same industry is willing to spend almost as much to run out "copying music is stealing" advertisements.

Q: So who does it effect? A: Everyone. (I did mention poor implementations, right?) Someone has decided that it's an all or nothing thing, demanding that the OS with 95% market share implement it. This means that 3rd party manufacturers will have to add DRM to their products or not have a market. This will drive up the price for everything computer related. Costs go up, production goes down, markets get squeezed and prices for lower level components go up, driving costs for all electronics up. It took a very long time for the market to get to the point where you can buy $300 systems. (It got there because of very little innovation other than chip speed for an extended period of time.) Computer systems are more or less static in design, having become ubiquitous enough that most consider it an appliance rather than a tool. This action of mandatory DRM will destablize that market. You'll see prices shoot up faster than gasoline.

Q: How I feel about it? A: I actually hope that it works. After a short period of time, the entity driving the bus won't be the one that demanded that MS implement DRM in the first place. Yeah, MS will be a LOT more richer, but at some point, they'll have control of the market. Remember, not only is MS putting DRM in computers, they're also involved in content, either selling it to you directly or behind the scenes (Walmart's music uses MS's copy protection).

Also, innovation seems to occur when markets are squeezed. Inventors are usually frustrated people, looking for new or better ways do do something. Five years ago, who'd have thought that podcasting has gone where it has.

The scary part of all this is that DRM is built into hardware. Like it or not, the evil types will eventually learn the ins and outs of the system. Like I've always opined: adding technology to any system, while often improving performance, adds complexity to that system (more ways for it to break down) and makes the system more rigid (less tolerant to failure). Increased complexity plus increased rigidity equals greater catastropic failures.

MS can barely keep up with patching vulnerabilities now. You think Blaster was bad. Wait until a worm gets into the DRM system. (Remember, it now has control over your monitor, speakers and harddrive.)

How about a patch involves a firmware or hardware replacement? The market will likely tolerate one but two, a few months apart, will cause riots in Congress. The point to keep in mind that (to date) no bugless program has ever been commercially marketed (i.e., all programs have bugs). Put that on top of a system built by the lowest bidder. End result, DRM will be (or already has been) broken. Only a few will know about it at first. Once the number of machines containing the new feature are out there, it will become a target. Then someone will demonstrate how obscenely easy it is to compromise or abuse. Then you get the worms. Want see a "flash" policital movement? It'll come into existance a few days after the MP3/MP4-eating DRM mega-worm does.

I may not like it but I look forward to it. This is the pendulum that has spent a long time on our end ($300 systems). Market forces (DRM and a return to higher priced systems) will cause it to swing away but it'll come back.

With apologies for the rambling...

Sunday, February 11, 2007

When were-sme's collide

(With apologies to Logan Whitehurst for the theft and paraphrasing of his song title) Bruce Schneier likes to talk about "security theater". You'll hear me expound about security (or computer) church now and then. Neither is very productive and both are made up of much the same people (and there's more of them than most think).

Example: this post from 360 Security. Mr. Malm seems to be self-justified in "taking a swipe" at Mr. Thompson because Mr. Thompson "took a swipe" at Microsoft. I call it "security church" because it appears that Mr. Malm's "faith" has been offended, triggering a self-righteous attack on Mr. Thompson (calling him by his first name, implying lack of expertise, belittling his company, etc.) without supporting any of his arguments.

"Security church" is just as dangerous as "security theater" in that it is a collection of unjustified human reactions (bowdlerization (not a real word but an eponym), pillory, apocryphy (my attempt to turn a noun into a verb), censorship and outright anathema) used against anyone who has the courage to be contrary. (I'm sure that Adi Shamir didn't win any points at the conference with his prediction of security in the future.) It is both the institutional inertia that is resistant to change and the fickle flightiness of chasing "the new paradigm".

Behind it all is the tendency to take the shortest path (i.e., it is easier to scorn someone that argue a point). That these acts are usually easy to recognize and almost impossible to combat is the really sad part.

(Side-sarcasm: did they really say "security should be built-in, not added on?" Please! I don't want that 1996 flashback.) (See? It's easy.)

Comments coming back

A couple of you have been after me to get the comments section back online. I'll try and get something working this weekend but won't promise anything. Anyone know of anything better than Haloscan? (email me)

Friday, February 9, 2007

DRM

A couple of the recent TWIT podcasts discussed Vista's new DRM and how life will suck/be better with/without it. I'd like to point out that there's one thing that everyone is missing: user recourse. The way that all current DRM technologies are designed (Vista included) is based on the idea that all unknowns are considered bad.

Example: Electronics Arts games do not run on home systems where a Digium TDM400P card is installed. Even though the card provides an interface to the telephone system for a *BSD or *nix system, on the Windows side it is an unknown and, therefore, must be some sort of hacker tool for defeating copy protection. The end result: your EA Games game is disabled by its DRM and you, as the end-user, have no recourse other than to remove the phone card or stop playing the game.

Can we hope that Windows DRM will be any different? It isn't Microsoft's intellectual property that the Vista DRM is protecting. (At least I hope not. That'd involve a large set of really nasty anti-competition court cases that I hope no one wants to get involved in.) Those IP owners that the DRM is actually protecting care little about whether or not your systems work properly.

OS and hardware vendors are in for a very bumpy ride because legions of frustrated innocent bystanders (such as in the above example) will be left with no recourse other than to "conform" with the masses and stop using their systems to do anything other than play games and buy content.

(Yeah, I excluded Office apps. I did this because we already know that documents have unique IDs embedded in them. How long until Vista's DRM is used to disable licenses of controversial content authors? With Vista's DRM, the only thing keeping this from happening is: morals/ethics/ignorance of the ability.)

Tuesday, February 6, 2007

DnD

I guess the security industry is no better than the clothing industry when it comes to fashion (what's in and/or what's out). Those of us that ran *nix-based firewalls, back when Microsoft firewalls were just emerging, were told that we were aging morons when we said there was an advantage in running diverse systems in your boundaries (e.g., if you're user population used Windows, run Sun-based firealls). All of a sudden, 15 years later, we get "Defense in Depth is Dead! Long live Defense in Diversity!"

[*sigh*] For Tim Keanini's sake, let's turn the clock back a few years and look at some of the other paradigms that passed by on the carouseli (and are likely to come around again on the fashion wheel):

  • Use defense in depth. Use a variety of known tools to provide a layered protection where the weakness in one tool is protected by a strength in another tool (e.g., a virus scanner in conjunction with a firewall).
  • Use diversity. Using a Sun or BSDi-based firewall to protect your Windows-based network will prevent your boundary systems from being infected by the user who manages to bring on in on his laptop.
  • Trust but verify. Scan/examine everything before it gets plugged into your network.
  • It's not "if" but "when". Attackers' techniques are not static. Network security will always lag behind the ability to compromise.
  • Responsible disclosure. I have no comment other than we've come full circle on the argument set and seem to be going around for another orbit.
  • Intrusion detection is dead, long live intrusion prevention. We've all learned that each has its best use in specific situations.
  • Deep packet inspection is just as good as application proxying. Yeah, right. Again, it depends on what you're trying to do and what you're trying to protect against.

To the rest of you old farts out there: what've I missed?

Please pass this on

Consider this to be a chain-post (ask your friends to post it too): To anti-virus authors, please stop sending emails back to the apparent source of infected emails. Given the current virus environment, it's a safe bet that the source addresses are stolen from address books and the response messages do nothing better than waste bandwidth and annoy other people.

Sunday, February 4, 2007

Working conditions

I got a little spun up over this short post in Don Parker's blog. It comes across as a stereo-typical view of SAs from management. That Don considers the condition to be an "unacceptable excuse" is a sign that he may not understand what the majority of SAs have to work under.

SAs are considered an operating expense, falling into the category of "minimize whenever possible" so that profit margins are maintained. A typical SA operates under a constant backlog of work, suffers from periodic "priority re-org" from multiple management contacts, and has a budget that couldn't support an off-brand keyboard purchase from the clearance bin at Walmart. (Hint: the time and paperwork used to justify the $10 purchase often amounts to more than $10.)

Don, go back and look at those companies again. That the SA did not have the time or initiative, to view vendor sites, may be a symptom rather than a cause.

Friday, February 2, 2007

Damn Vulnerable Linux

Something for me to look at later: Came across an interesting site that Rob might like to use for one of his classes: Damn Vulnerable Linux. At first glance, it looks like it's partially commercial in that it gives you the disk and some basic material to work with. They want you to pay for extra content and videos.

Thursday, February 1, 2007

Wi-Spy Price Going Up

If you live on the east coast, you have about 2 hours and 15 minutes left to buy the Wi-Spy before the price goes up $100. If you do anything with security or network engineering, I recommend getting one at either price.

Another blog

Another security blog to watch: "cat mind | grep understanding". Courtesy of dmiessler.