Saturday, July 31, 2004

Shared stuff

Not sure how I got to these sites, I think it started with a /. or
rootsecure post, but it's interesting what people share, documents, photos, etc.


I'll have time later today to fix the wiki (actually, I'm considering
changing it). I managed to break it awhile back while messing with the

Metasploit rant

Personally, I think anyone that writes network-aware programs should learn
about MetaSploit and fuzzing first. Kinda like learning "duck and
cover" prior to the ICBM warning. In any case, if you take care of any
network server, this is good theory/experience to have in your head.

MyDoom.M Analysis

LURHQ has posted an analysis of the MyDoom.M worm.

IE Universal Exploit

Some people wish for code that runs on multiple systesm. Be careful
what you wish for! K-otic has
posted a "Universal" IE exploit that supposedly runs on Windows and Linux and gives you a reverse shell via IE.

Advice? Keep your patches up-to-date and configure your firewalls to only allow what you need to do on the Internet. In other words, limit browsing to high-port to port 80. It's not a perfect solution, but it will cut back on exploits like the above.

Friday, July 30, 2004

Web Attack Taxonomy

It may be a good idea to come up with a taxonomy but I distrust
any effort that copyrights that same taxonomy.

Windows Process Listing Sites

FurryGoat has a pointer to some sites which help you figure out what all those Windows background process are.


Linux Exposed has a howto
article explain the use of chroot jail daemons and system processes.

How things jump up and bite you in the *ss

Lately, blogging has received some degree of "respectability" by being
used by politicians and mainstream media. It wasn't that long ago that
we saw mainstream articles which described blogging as self-referential
rantings of socially misfit narcissists. I think/hope we may see a
similar "occurrence" with the Wikipedia.

The Register seems to have
taken a dislike to the Wikipedia, calling it a children's encyclopedia (one of the nice comments).

Warning to The Register: what you're not seeing is: distributed collaboration on distributed servers. Given that "it" includes current events and internal commentary, this has the potential to sneak past mainstream notice and become the next "big it". Especially if someone can figure out a way to "specialize" and come up with something similar to topics (like blogging has "flavors").

Having contributed to the Hitchhiker's Guide (back in the Usenet News days), I like the idea of having the Wikipedia (although I haven't been involved much).


Tomorrow is System
Administrator Appreciation Day

Me? I've got class.

You? You
should at least treat him/her to a slice and a soda.

Thursday, July 29, 2004

Anti-spyware utility analysis

I've probably blogged about this before about fake spyware software/sites, but it deserves repeating.


HNS has an article which
discusses the possible future of "phishing".

Give it back

To paraphrase ICP, I want my ....

I like reading items like this from
Jeremy's blog. Don't know
if it's true or not but it's still entertaining.

Digital Signatures and XML

LinuxExposed has an article explaining the basics behind digital signatures and how to use them with XML.


There seems to be some (karmic?) balance in the news today.

The insanity
concerning the INDUCE Act seems to be balanced by what appears to be
careful consideration at the FCC concerning swapping
WiFi antennas.

Sorry for the use of /. links, it was the
quickest way to post this.

Wednesday, July 28, 2004

OpenSSH for WinCE

eBCVG has an article about an
OpenSSH for the PocketPC.

Tips for better networks has an article entitled
"The Top Ten Tips to Make Attackers Lives Hell" which helps move your network away from the low-hanging-fruit category. The tips are pretty basic but it's amazing how often they're not used.

IDS Ellusion

has pointed out a SecNet paper on Eluding
Network Intrusion Detection

NWF Links

It may be a good idea to visit Network
World Fusion's
Resource link page
. It has many more links to valuable and/or
entertaining security-related sources/stories since I last visited (a
long time ago).

I'm not just recommending it because I'm listed there
too. (heh)

Picked up feeds for ATAC and OhBrian this time.

Tuesday, July 27, 2004

DES on its way out

NIST has proposed the
withdrawal of DES as an approved algorithm.

Reducing Human-Factor Mistakes

I really enjoyed reading this
article, especially "The Top 5 Company Executive Mistakes". It
nails the organization that replaced me at a previous job.

For those
that know me personally, you know who I mean. The article is almost
uncanny while remaining generic, isn't it?

Intro to Malicious Code

InfoSec Writers has a paper
entitled "Virus &
" which is supposed to be an introductory guide for security
awareness, describing the basic theory behind malicious code.

TaoSecurity's Book List

TaoSecurity has a list of books that he
(Richard Bejtlich) has contributed to. Included in the list is his
The Tao of Network Security Monitoring: Beyond Intrusion
which appears to be a worthwhile book to have (see his and
the publisher's sites for sample chapters).

Monday, July 26, 2004

Sunday, July 25, 2004

If you gotta do it...

If you have to disclose, at least do it this way,
include a properly written Snort sig so the rest of us can watch out for
your code should the script kiddies take a liking to it.


Added trackbacks to the site using this, this and this.

Don't know if the install has any bugs yet. I'll keep an eye on it.

GPS Coke X-Ray

is so dumb, it's almost funny. (Slashdot also posted about it.) Seems
that "security people all over the country" think it looks like a bomb.
I've got news for you, small transistor devices like PDA's and iPod's
look a bit like that too. Makes me wonder who those "security people"
are. It's probably that security "concern" is interpreted by the media
as "security panic", instead of equating to "need to inform/be

I'm not saying that there shouldn't be "concern" if someone
travels commercially with one of the cans in their luggage. It's just
that they should "declare" it as part of the check-in process. There's
a reason why the TSA people require you to remove your laptops from
luggage. I've gotten into the practice of also pulling out any other
"dense" electronics. It saves time. (via
WiFi Toys)


TaoSecurity has a quick
review of Netwox, a menu-based collection of network testing tools.

Intro To's

Here's a
pointer to Tony Bradley's "Introduction To" articles. Subjects include
vulnerability scanning, packet sniffing, firewalls and intrusion

Saturday, July 24, 2004

Too d**n hot

My son and his girlfriend think I'm weird because I like to keep the
house at a freezing (to them) 70 degrees. (My wife understands though.
She's from Buffalo.) I'll admit that, for southeast Virginia, that's
colder than most people's houses.

What brought this on? I stumbled
across the weather forecast for where my parents live: Today - Hi: 73, Lo: 49. (Hint: the hi there for today is the lo here for the week.)

In other words, I grew up where you wear shorts in the low 60's and sweat heavily in the low 70's. If it wasn't for air conditioning, I probably wouldn't live below 1,000 feet above sea level or south of Pennsylvania.

Follow the Bouncing Malware

Tom Liston, today's
on-duty handler at the Internet Storm
has posted part one of
analysis of malware he contracted by pretending to be "Joe Average" with
a common XP configuration. Intersting to follow.

Blogger Code Decoder

Go here to
decode the stuff from yesterday's Blogger Code post.

Remove from Google

Here's the "howto" for
getting your private info removed from Google's search engine.

Distributed Metastasis

(from NetSec) Here's a paper
entitled "Distributed Metastatis: Network Attack Methodology. I disagree that it's a new method of network attack as the methods it uses have already been seen in some form or other. However, it is an interesting read and even hints at the dangers of monoculture.

Friday, July 23, 2004

Blogger code

This bit of
silliness has been around for a bit. Oh, and

B6 d- t++ k s u- f+
i+ o- x- e- l- c--

Packet Crafting for Audits

(via RootSecure) Security Focus has posted the
second part of a two-part article discussing crafting packets for audits
of firewalls and intrusion detection systems.

(Part 1)(Part 2)

Google Hacking

Infosec Writers has a pointer to a good paper on hacking via Google. Network security types should consider running the listed searches against Google to see if there are any unexpected exposures of their organizations.

Thursday, July 22, 2004

Submithook Analysis

LURHQ has posted an analysis of the
SubmitHook BHO which injects URLs for porn sites when the unwitting user
fills out a form.


Call me skeptical, but how long do you think BugMeNot will be allowed to operate?

I really like the idea of the service as I've used various addresses in a domain to test if my data was actually protected by those that claimed that they wouldn't sell it or release it without my permission. For the majority of those sites, the addresses I used quickly made it into spammers address books.

But back to the question... Call it a prediction if you want, but I can forsee at least a token effort to get a law passed to make this sort of thing illegal. Or you can just call me skeptical.

Referrer Tweaks

I spent 30 or so minutes playing with the referrer code and data. I've
changed some of the URL's to site names and have added the various
search engines to the "skip" list.

So as to not anger Hormel, I
won't refer to two sites as "spammers". Instead, just feel free to not
click on "ADV" in the referrers list.

The ADV's and the search engines
should disappear from the list shortly as the database updates.

Cybercrime Cases

Orin Kerr has a mailing
to which he posts various crime and court cases. If you like
Groklaw, you'll like this mailing

Wednesday, July 21, 2004

Windows Forensics

Once again, "Yeah, what Dana

Dana's posted a pointer to the
tutorial for a basic (but effective) forensics methodology for determining if you've been hacked and how to clean it up. The assumption is that this process will detect the majority of the compromises due to most of them being "done" in bulk and not in a "clean" manner.


is a matching module for "dealing with" the more popular P2P tools.

Scammer busted

Not sure if i blogged this before but it's a story about a 419'er being caught red-handed.

Tuesday, July 20, 2004

Security Thru Obscurity

InfoSec Writers has a pointer to a good article on steganography. The format of the article is a bit weird (for newspaper?) but the basics are there.


An interesting view. Now it's our fault?

Policies and Procedures

NetworkWorld Fusion has a quick article discussing how policies and procedures are part of the foundation for your CERT.

Advanced IPTables

This is
especially valuable information. I've seen it used to create emergency
filters for content filtering (think initial worm attack). This
knowledge comes in valuable if you tie Snort into the mess and have it
write IPTables filters on-the-fly.

Monday, July 19, 2004

Quick Quiz

What's not said here?
Extra points if you include support for your arguments. (Hint: the problem
is not just missing information.)

MetaSploit basics

Security Focus
has an article describing the basic theory behind the MetaSploit Framework.

Symmetric/Asymmetric Encryption

HNS has a MP3 of a discussion
about encryption, including the difference between symmetric and
asymmetric encryption.

Sunday, July 18, 2004

Saturday, July 17, 2004

IdleRPG Plugin for Blosxom

Heh. For all you 757'ers and anyone else, here's v0.1 of a Blosxom
plugin for the 757 IRC game IdleRPG.

Future plugin

I've updated the "future" plugin (see bottom of right-hand column here)
to include a day of the week display (single letter). Get the new code

A bit soggy

This past week saw a freak storm park over a roughly 4-square mile area
which my house sits in the middle of. It stayed there and dumped just
under a foot of rain in a two hour period.
The following pictures were
taken hours later. I missed the storm as I was at work and my wife says
the water level was much higher. Keep in mind that the street drains
were operating normally. The police report that 3 blocks over, the
water was 3 feet deep.
Oh and no, I don't live near any bodies of
water that would overflow like this. This all came from the sky at 2
p.m. and it was all gone by 7 p.m.

Neighbor's bush, mailbox, and car

Further down the street, apologies for the fuzziness

The two kids on the left are on the sidewalk.

Virtual Honeynet

Here's a pointer to the "Virtual
Honeynet: Deploying Honeywall using VMware" project.

Having someone join your church: priceless!

a BBC article about a 419 scam baiter towing the scammer far enough to
send him a birthday card, $80, and a picture of his chest spray painted
as proof that he had joined the scam baiters "church".

This is

Quick Reference Cards

The Furrygoat Experience pointed
out this side: It's a
site with free refcards for various languages and utilities.

Friday, July 16, 2004

My first plugin

So many others have said it: "I've written my first Blosxom plugin!"

Don't know how useful it'll be. The intended audience is those who use some form of procmail recipe to reroute e-mail messages into their blogs. The plugin populates $future::count with the count of messages waiting with timestamps set in the future. (See the bottom of the right-hand column here.)

Grab the plugin here.

Metasploit Part 2

Here's the second article in the series on how the Metasploit Framework works.

Senators catching up

Senator Leahy (VT) has introduced legislation called "The Anti-phishing Act of 2004".

It's about time. My spam intake is starting to include a lot of messages from previously unknown banks requiring me to update my accounts.

Anyone else find it interesting that the Senator has used a "technical" term (phishing) in his legislation?


Don't know how far it will get, but here's some info about the Internet
Annoyance Logging Protocol (IALP).

Bruce Schneier on Cryptography

Bruce Schneier has a very good
essay entitled "Why
Cryptography Is Harder Than It Looks
which describes many of
the strengths and weaknesses of today's encryption schemes.

Thursday, July 15, 2004

A new algorithm!

This is
amusing. Anyone blow up their algorithm yet?

Biometric myths

HNS has an intereting article
discussing six
myths of biometrics

Bleeding edge Snort rules

Bleeding Edge is a site with
last minute Snort signatures. Most of them have small use or are
development only. In the site's words, they "are prone to false
positives and sometimes not work as expected". However, it is a good
site to keep up with the latest sigs (and problems) and can give you a
few good ideas of your own.

There's a difference

Nick, you're missing a good part of the
. Yes, both IE and Mozilla (on Windows) have "shell"
problems. What makes the IE issue worse is that IE is tied into the
desktop and the operating system. In other words, Mozilla rides on top
of the OS, IE is in the OS.

Wednesday, July 14, 2004

Where have I been?

I didn't notice that new versions of Hydra and Kismac have been out for five
weeks already.

k-otik RSS feeds

Was monkeying around, backtracing referers and discovered that k-otik
has RSS feeds!

How long is it going to stay open

FCC Chairman Powell has started a blog to get feedback on various issues
that the FCC is handling. Unfortunately, everyone with an agenda has
responded to his first post.

How long will Mr. Powell be able to stand the usually-off-topic nattering before he closes commenting? From the looks of the replies, not long. There's a little bit of just about every movement and cause in there and a couple nut cases, too. Some of it's even FCC-related!

Local access

Here's a short piece on passwords being ineffective if the attacker has local access to the system. Includes links to samdump and pwdump2.

Aside: with "local access", you have to heavily depend on the honor system.

Employee abuse?

I'm not sure which definition of that I mean, yet. InfoSec Writers has an article which describes company losses due to employee abuse of corporate information resources. The article talks about controls and policy but I don't feel that it's taken everything into account.

Policy controls and monitoring are good for security, up to a point. If the controls and monitoring are so overbearing it can have a degrading effect on corporate productivity and security as, past a certain point, it will be held in general contempt by all, including management.

Your security policies have to be enforceable and, above all, realistic. Allowing some personal use of e-mail and some surfing during break or lunch time improves the situation a great deal.

Tuesday, July 13, 2004

Open Source creates jobs!

Bill says that Open Source kills jobs. I beg to differ. Instead of giving money to someone who is already hoarding a large portion of the national wealth, a company can spend the money (which would have been spent on multiple instances of IIS, Exchange, and MS DNS servers and multiple user licenses) on an extra employee or two. The situation leans that much further over towards open source when you start talking about MS's plan to sell license subscriptions.

Bill also hinted that not using MS products reduces tax income for governments. Which do you think brings in more taxes: a one time sales tax or ongoing income tax? Better to spend that money on SA training (no matter what OS you use) or assistant SA's.

And before we have another Blue Monday incident, I'm not griping about the OS. I'm griping about the marketing practice!

Viruses for sale!?

Interfax is reporting that hackers
are now offering custom viruses for a
. It seems to be more of the bleed-over we've been hearing
about: the relationship between hackers and spammers.

Wardriving article

ComputerWorld has a pretty
accurate article about the issues involved with wardriving, entitled "Confessions of a War Driver".


Network Associates ate up a lot of other companies on its path to become
just McAfee again. Good things (Gauntlet) disappeared, other good
things survived. Here's an article about the comeback that PGP is seeing due to the recent troubles with e-mail.

Monday, July 12, 2004

I did not send you a virus!

Here's a good explanation of address spoofing by malicious code.

Anyone know of a good open source version I can use as a pre-formated response to complaints?

PKI & Certificates

Courtesy of HNS, a MP3
presentation of PKI and digital
certificate theory

IRC Searches

While wandering around Matthew Lange's blog, I got off on a tangent and ended up doing a Google search on non-standard search engines.

It's amazing the amount of stuff that gets indexed by various search engines. Following is a list of non-standard search engines (IRC users, IRC channels, BT files, etc.) that security types might be interested in:

IRCSpy - IRC file search
SearchIRC - IRC channels, users, networks
ISOHunt - BitTorrent file search
PacketNews - IRC file search
NetSplit - IRC channel search
XDCCSpy - IRC file search

Warning: Some sites listed cause browser crashes.

DNS Snooping

This falls into the intelligence gathering category more than anything else, but it's still an interesting read. The short version is that if a company uses a public available or accessible DNS server, an attacker could gather intel about the company by keeping an eye on what answers the DNS server is providing to company users.

MT blog gone

I took the final step this evening and deleted the old MT-based blog. The comment spam was getting out of hand. This past week saw some especially nasty pr0n spam.

Now we just have to wait for the search engines to catch up.

Sunday, July 11, 2004

Message count

I've rec'd a few questions about the box on the bottom right. Because
the blog is running without a web input, I wrote a bit of code to count
the messages pending in the near future and stuck it in an i-frame.

Let me know if anyone has problems with it or wants the code. It's a
hack, not an acutal plug-in, though I probably should rewrite it into

Free anti-virus

(From Tejas Patel) eTrust is still giving away copies of their anti-virus and firewall package. The "free" is good for a year, after which they hope you liked their product well enough to become a paying customer.

If you think, they will do it

Awhile back, someone came up with a method for brute-forcing hashes
using a time-memory tradeoff. Basically, for certain types of
algorithms, results of hashes can be pre-calculated and stored.
Unhashing a hash becomes the result of performing a lookup in a giant

Well, someone has done come up with online MD5 cracking. (via /.)


As cool as Bluemonger
sounds (or may actually be), I don't think tying yet another infection
vector to the Internet or your home computer is that good of an idea.

Phishing has an article
which discusses various phishing attacks.

Saturday, July 10, 2004

F-Secure Blog

F-Secure, the SSH and anti-virus people, have their own weblog and RSS feed.

419 Horror story

Another 419

Wireless not secure just yet

Tim Greene has a point. 802.11i may or may not be the cure for wireless's ills. Nothing 11i-compliant is out yet. The first certified products will probably be available early next year. Until then, you still want to protect your networks with (OSI model) layer 2 encryption/protection such as AirFortress, Cranite, or 3eTI.


Don't forget your wireless IDS's either.

It's scary to see that "experts" in the business world are still recommending WEP.

URL Obfuscation

How it's done....

Friday, July 9, 2004

SEO Contest

Here's the results of the Search Engine Optimization Contest that I was so doom-and-gloom about, earlier in the week. Seems that it wasn't a "bad guy" that won.

Clueless users should be jailed?

You've heard me rant about this one before. Prentice Hall's
Professional Technical Reference has an article which discusses the author's point of view where each and every user on the Internet should be held legally responsible for their hacked systems flooding the planet with spam.

Again, I don't believe you can hold my grandmother responsible for someone hacking her Tivo.

A. Lizard likes to say things like "due diligence" but ignores the fact he may only be able to sue for those instructions in the booklet that came with the device. After he can prove that everyone consistently reads all of the directions in those multi-language documents.

Why share source?

I can only think of one reason why a worm would include its own source code and that's to make it harder for law enforcement to prove who's the author of the code.

Can y'all think of any other reason(s)?

Session Hijacking Explained

HNS has a downloadable MP3 of
a presentation explaining session

Thursday, July 8, 2004

Got aholda them socks?

K-Otik has posted a
good one
. Hopefully Snort sigs to follow soon.

Stop using NTLM

Stop using NTLM passwords now. If this
has any truth , using NTLM authentication has just become that much more
of a security problem.

The problem is if the database exists. We already knew that this would
be a problem eventually.

Link Prefetching

While it improves life for the majority, I somehow think that link prefetching contains the possibility to be seriously abused by unsavory webmasters.

UTF-8 Shellcoding

HERT has a pointer to a paper on UTF-8 Compatible Shellcoding.

Notepad pop-ups

This is almost a year old. From the looks of the replies, it's still a problem for "stock" users.


Prentice Hall's Professional Technical Reference has a book
which discusses TCPDump.

Wednesday, July 7, 2004

SEH Exploits

HERT has a pointer to a THC paper on
exploitation of structured
exception handlers

The Fine Print

Prentice Hall's Professional Technical Reference has an interesting article which discusses the fine print in Privacy

Tuesday, July 6, 2004

New Attack on RSA-based SSL/TLS Protocols

This type of attack is (currently) quite noisy/easy to detect but doesn't bode well for SSL-based web sites. Fortunately, OpenSSL (the library used by Apache) has been patched against this. Can anyone make comment on the MS side of the house?

Building OpenSSH

Prentice Hall's Professional Technical Reference has an article entitled
OpenSSH - Tools and Tradeoffs
" which discusses theory and
installation of OpenSSH 3.7.1p2.

Steg Forensics

Gary Kessler has posted
(actually last February) a paper entitled "Steganography for the Computer Forensics Examiner"
which discusses theory and various detection tools.

Monday, July 5, 2004


Got a bit bored this afternoon, decided to read logs generated by the
new code in the last two days.

What have I learned? Three things: 1)
a lot more people visit here than make comments, 2) someone in Japan
blogged something about my site (I cannot read/speak Japanese all that
well), and 3) I should consider switching the "make a comment" HTML link
over to a bit of JavaScript "onClick" code. Seems MSN's and Google's
spiders follow the "make a comment" link, even if there's no comments on
the far end. Using the alternate code might avoid the extra network
bits and might cause a few less useless pages to be stored in search


It's obvious that no one in this go 'round "gets
". It's not which OS is better, it's which one is used and
protected properly.

Considering some of the recent news articles about
both sites, in this case it's neither. And it'll only get nasty. If
the IIS box gets hacked, the OSS purists get on the news with a "told
you so". If it's the Apache box, the MS purists start ranting about
"lack of support".

Neither group is correct. Both groups are
correct. Mostly it's the people hired to run the servers. And given
the reason for the servers existances, it's not a question of "if" but

Exploiting Google

The Search Engine Optimization Contest is not a game. It's a contest
but, in the long run, it damages Google. Basically, it's a contest to
see who can get a page up to #1 and keep it there. Some consider "by
any means possible" as justifiable.

The contest finishes
day-after-tomorrow. Read more about it here and here.

Packet Crafting for Audits

Security Focus
has an article entitled Packet
Crafting for Firewall & IDS Audits
. This is part one of two and
discusses hping and tcpdump use. Network admins should know this!

Security bible quote?

It's a cliche about systems administrators' attitudes, but it's also a
good guideline for security: "Trust not
your users, for they will lead you into darkness.

Lies, Damn Lies, and Statistics

Yet another my-OS-is-better-than-yours rant. Feel free to join in at
the chorus.

has an article discussing the number of vulnerabilities discovered last year for each of the major OS's. Unfortunately, this kind of statistic fails to clear up anything.

MS had 46, Suse had 48, Sun had 60, etc.

You should notice that they gave you numbers but didn't enumerate the vulnerabilities. What's normally done is limit MS products to just those in the default install (usually just those that MS wrote). However, Linux and Sun includes other peoples programs on their disks. See the problem?

(Chorus)It's not which one is better, it's which one is managed worse!

If you're going to compare products, do it on a case-by-case basis. Mail client vs mail client. Browser vs. browser. Core OS vs. core OS. Exploit which takes the Internet down vs. Exploit which takes the Internet down. Ad nausium.

Any report which just spouts numbers makes me think that the source of the report suddenly has additional funding from somewhere, as we've seen this before.

Sunday, July 4, 2004

More Blaster

It's a couple months old but commentary about Blaster continues.

How to use cryptography in computer security

The ITManagers Journal
has a good manager-level aritcle discussing basic "theory" (uses?) of cryptography.

Thumpa Thumpa shh!

This is a
neat trick. I can appreciate it because I live just down the street
from a group of just-got-our-own-car teenagers. Up until now, I'd
considered HERF but that'd also cook the electronics in the rest of the
immediate neighborhood.

Saturday, July 3, 2004

Counter plugin

Thanks to Allen Hutchison
for his counter plugin.

Update: Allen is also responsible for pointing out the proper plugin (and giving enough hints) to allow me to put comments back on the main page.

Security Planet

In tracking down some interesting referrers, I came across Barry Irwin's
sub-blog and from there, his Security Planet, a
good pseudo-aggregator. (I use "pseudo" only because it's not the
reader that adds/deletes feeds. Barry does that.) Good site though.

No op

I've added the redirect from the old blog so everyone should be ending
up here. Next on the list: fix pings.

Spammers tied to

The old blog software is still installed and running. What that means
is that the comment spammers are still adding junk to the old blog. The
traffic level seems to have dropped off a bit though. Could it be
related to the fact that I no longer post via MT and therefore no longer
"ping" the usual sites to indicate that the MT blog has been

Hmm... Wonder if it would be worth leaving MT running and
doing an analysis of the traffic after a month or so?

Badly worded laws

Heads up to DC drivers. As of the day before yesterday, there's a new
law on the books that prohibits you from holding a cell phone up to your head while driving. While it's intended to regulate those distracted idiots doing 40 in a 55 while talking long distance with their mom, I have "issues" with the law:

  • cell phone use is sixth,
    or first depending on who you ask. "First" is usually based on surveys
    of common opinion rather than actual studies. The government studies
    usually indicate cell phones having less cause than adjusting the
    radio/internal temperature, eating, and yelling at the kids.

  • the law is too broad as it allows for fines for ANY distraction

  • the law is vaguely worded (can apply to any driver with a two-way
    radio with a button-operated microphone, GPS, or radar device)(i.e., law
    enforcement, cab drivers, delivery personnel, firemen, utility workers,
    etc.) ("electronic device" is generic and, by definition, means just
    about anything in the car)

  • the law adds yet another requirement on law enforcement (must search
    for the presence of cell phones at each accident) and government
    (database tracking, reporting, and training). Unless the legistlators
    intend on providing additional funding for yet another requirement on
    law enforcement and lower government, this just adds another stress on
    an already limited budget.

Unfortunately, it's one more low level law that is too expensive to
fight and will probably be ignored in the long run. In the security
world, your policies have to be realistic and enforceable for them to be
effective. Too many "silly rules" and the entire system is held in
contempt by the average user.

I've been rear ended seven times. Four of them while stopped at a
light, two while slowing for a light, and one in a parking lot. Each
and every time the driver was distracted (by sunlight, a road sign,
another person, etc.). That is, unless one or more of them did it
intentionally (road rage?).

Accidents will continue to happen, regardless of what drivers are
doing, especially inside of, or on, 495 after 3 p.m. on a workday. (too
damned many cars in narrow lanes on not enough pavement)(ignoring the
amount road construction that occurs during rush hour in DC).

We'd save more lives by making cars single person vehicles, with a
top speed of 35 mph, without radios or temperature controls and tearing
down every sign along the highway.

Reverse Engineering Backdoored Binaries

Infosec Writers has an
article entitled "Reverse
Engineering Backdoored Binaries
" by ChrisR.

Good things to come

From /. comes news that nVidia has
released Linux
for their chipsets. Hopefully we'll start seeing these in
the next distros.

Tracking by GPS

SmartMobs has a short piece on new
case law in which "tracking by GPS device" is still being "settled".

Should be interesting to keep track of.

Friday, July 2, 2004

HMO for Tivo

If anyone has any comments about JavaHMO, please let
me know. It took a bit to get Java up and running (hint: copy the JRE
folder to /usr/local/) but JavaHMO is installed and start-able. I'll be
playing with it over the next few days.

Spam Host Countries

The Register has a list of the host countries where 99% of the Internet's spam originates from. No, the U.S. is not #1, but it's in the top five. Read more about it here. More on the subject from Infoworld.

Sombria Honeypot

The Honeyposts mailing list has a pointer to the Sombria Honeypot and an analysis of a Brazilian hacker group.

(via Dana Epp's blog) Computer Forensics, Cybercrime, and Steganography Resources page.

Infection by Search Engine

We've discussed infection via search engine at work, mostly related to the recent Scob compromises. Can anyone at Yahoo or Google talk about this?

Your efforts may not be appreciated

This proves two things.

One, you need support from management to do ANYTHING security-related.

Two, it's next to impossible to get a gov't worker fired for waste and abuse. (Hey, the guy that did get fired probably violated a security policy about installing unauthorized software. The boss was only wasting time.)

Thursday, July 1, 2004

Scob Source Code

Security Protocols has a piece about the Scob Trojan which supposedly includes the source code.

Parents Guide to Linux Web Filtering

/. has a pointer to A parent's guide to Linux Web filtering. While not that scalable for large enterprises, this technique works wonderfully for small offices and homes, especially if your surfers know that their activities are being logged and they can be held responsible for their actions.

Misc. No Op

One nice thing about using Blosxom is that I can write these posts ahead of time and Blosxom won't display them until the timestamp is less than the current time. Work for this weekend: a way to display comments on the main page.

MS-CHAPv2 Cryptanalysis

This analysis has odd timing. In the past few days, as part of a "argument" for wireless L2 encryption, I viewed a demo of a MiTM attack on PPTP from a wireless client. Note to all: you need integrity checking at the L2 level. ARP-based attacks are still possible for wireless, IPSec/PPTP/other L3 tunnels absolutely suck for wireless! (via NetSec)


SecurityDocs looks like another good site to keep an eye on for reading material.

Service providers can read your e-mail?

I think that this is a really bad decision. While systems/network administrators should be able to access certain types of e-mail (for troubleshooting or policy violations), allowing a service provider to read other peoples' e-mail (without their permission) so that he can gain a competetive advantage, has serious implications. This is another of those slippery slopes. Wired also has an article about it.

G on a chip

(From WiFiNetNews) Broadcom has announced 802.11g on a chip.

Hmmm.. Be the first on your block to have your toilet paper dispenser on the Internet! Seriously, if this becomes available to the garage hardware hacker, we'll probably see some interesting projects. More here.