Saturday, December 31, 2005
Friday, December 30, 2005
- Now why would you want to do that?
- I seem to remember that your IP is commonly included in the headers of traffic originating from the large webmail services.
- Why become a "person of interest" just so's you can be funny for two seconds?
It's not that funny of a joke.
Wednesday, December 28, 2005
Tuesday, December 27, 2005
Monday, December 26, 2005
So far, I think I've burned up all the spouse points that I earned earlier in the year. I've added a cheap 900MHz handset to act as the console phone and have driven my wife nuts with the phone (and the laptop) ringing. More stuff to add to The List of Unfinished Projects:
- figure out how to stream live audio to the phone
- "adapt" the NSLU2 (saving up for a USB2 HD)
- learn more about the ivtv modules and MythTV
- get ready for next semester's classes
- get ready for ShmooCon (19 shopping days left!!)
Add that to the stuff already on the list and I'll be busy for at least 6 months.
Sunday, December 25, 2005
What am I referring to? How about the fracturing of the Internet?
Call me a sadistic pessimist but this topic is going to be "interesting" (Chinese curse version) to watch and has a high entertainment potential. This sort of thing has been tried before and has taken some intriguing turns. (Hint: the proposed managers of the .XXX domain are the same people that used to sell you the domain under ALTERNIC, for less money.)
You'll need popcorn and some soda for this one folks! (I predict a lot of nasty politics, both external and internal.)
Update: Still think I'm kidding? How about this: the site recommends that DNS owners replace their hints file with one from UR. A quick look at the file reveals none of the normal DNS root servers are included. Yep, that's right, rather than the cooperation the web site touts, they want you to trust them implicitly. This should get interesting quickly.
Friday, December 23, 2005
Thursday, December 22, 2005
Wednesday, December 21, 2005
```
Tracing to shmoocon.org[a] via 188.8.131.52, maximum of 3 retries
 |\___ TLD3.ULTRADNS.org [org] (184.108.40.206)
 |     |\___ ns0.directnic.com [shmoocon.org] (220.127.116.11) Got authoritative answer
 |      \___ ns1.directnic.com [shmoocon.org] (18.104.22.168) Got authoritative answer
 |\___ TLD2.ULTRADNS.NET [org] (22.214.171.124)
 |     |\___ ns0.directnic.com [shmoocon.org] (126.96.36.199) (cached)
 |      \___ ns1.directnic.com [shmoocon.org] (188.8.131.52) (cached)
 |\___ TLD1.ULTRADNS.NET [org] (184.108.40.206)
 |     |\___ ns0.directnic.com [shmoocon.org] (220.127.116.11) (cached)
 |      \___ ns1.directnic.com [shmoocon.org] (18.104.22.168) (cached)
 |\___ TLD1.ULTRADNS.NET [org] (2001:0502:d399:0000:0000:0000:0000:0001) send_data/sendto: Network is unreachable
 |      * send_data/sendto: Network is unreachable
 |      * send_data/sendto: Network is unreachable
 |\___ TLD6.ULTRADNS.CO.UK [org] (22.214.171.124)
 |     |\___ ns0.directnic.com [shmoocon.org] (126.96.36.199) (cached)
 |      \___ ns1.directnic.com [shmoocon.org] (188.8.131.52) (cached)
 |\___ TLD5.ULTRADNS.INFO [org] (184.108.40.206)
 |     |\___ ns0.directnic.com [shmoocon.org] (220.127.116.11) (cached)
 |      \___ ns1.directnic.com [shmoocon.org] (18.104.22.168) (cached)
  \___ TLD4.ULTRADNS.org [org] (22.214.171.124)
       |\___ ns0.directnic.com [shmoocon.org] (126.96.36.199) (cached)
        \___ ns1.directnic.com [shmoocon.org] (188.8.131.52) (cached)
```
While it shows that there may be a problem with TLD1 (more likely a problem with the tool's handling of IPv6 addresses than with the server itself), you can see that the tool queries all of the DNS servers that are known to have the data. (184.108.40.206 is the IP of a DNS server local to me.) This tool also has the ability to detect lame DNS servers (those that are supposed to know the answer but don't; think misconfigured or damaged secondaries).
If anyone is really proficient with this tool, please contact me. I'd like to know if it is useful in detecting record poisoning.
Tuesday, December 20, 2005
Monday, December 19, 2005
Sunday, December 18, 2005
Saturday, December 17, 2005
Babak, if you read this, I think the ads are getting into your blog via your webstats4u logo/link. Read this post at JNode and the following excerpts from the WebStats4U Terms of Service:
- WMS entitles users to access to a variety of on-line and interactive on-line services (the "Products and Services"). Some of the Products and Services are supported by advertising, enabling WMS to provide them to you at no cost. When you use these free services, you agree to allow WMS to display advertising, including third party advertising, through the Products and Services.
- With the installation of WebStats4U on the site it is accepted that WMS has the right to place advertisements on the site in any format or through any channel, including but not limited to e-mail, layer ads, pops, banners and other usual formats without any forewarning and it is furthermore accepted that WMS takes no responsibility for the advertising content and that WMS shall not be liable for any losses incurred regarding this advertising.
I find anything more obtrusive than Google Ads to be offensive. Google Ads are passive and easily ignored. I'll probably resubscribe at a future date but only after the WebStats4U thingy goes away.
Friday, December 16, 2005
Thursday, December 15, 2005
Dr. Carrigan believes that the Internet is wide open to infection from alien (as in off-world) computer viruses. I have problems with a number of his anthropomorphised assumptions:
- Where'd they get the 8086-series chips? Dr. Carrigan seems to assume that silicon and the various doping elements are as plentiful there as they are here.
- Are they running Microsoft Windows? If so, how are they getting their updates? I assume they'd be easy to track on Patch Tuesday. Also, I believe Bill would like a word with them about licensing. Actually, taking into account the speed of light, it means that Windows was in use decades (if not centuries or millennia) before its availability here on Earth. We may need to talk to Bill about his patents and licensing practices.
- Infection by off-planet source would happen in one of two ways: either intentionally or accidentally. If intentional, it means they know we're here and network infection is likely to be the least of our problems. (Somebody call Tom Cruise!!) If unintentional, we need to prompt the anti-virus industry that they need to start including sub-routines to counteract alien worms and viruses.
- If there is a risk of infection from extraterrestrial sources, what risk do we pose to the galactic community with the problems that we have in our networks? Could that be why no one has contacted us yet? (All claims by the UFO community aside.)
In any case, I hereby nominate Dr. Carrigan to be the recipient of a Reynolds Wrap hat. Shiny side out, dude!
Update: the above is a bit dated and lived in my slush pile for a bit but is still amusing.
Wednesday, December 14, 2005
To those that are Britney's age or younger (or those who've never heard of Login Whitehurst), TMBG is short for "They Might Be Giants". Where else can you hear a band sing in the style of Yes, Rocky Horror, the Beatles, and Leon Redbone?
Then again, try getting through the day with Birdhouse in Your Soul and Happy Noodle doing battle in your head.
Tuesday, December 13, 2005
Monday, December 12, 2005
Turns out that I was wrong. I'd forgotten about the print server I had picked up a few months ago (my wife is the only one that uses it). I'm not sure if it's permanently damaged yet but the network came back when I unplugged it.
In any case, I'm relieved and my wife is pissed. (Keep in mind there's only one print server and two spare AP's.)
I'm in trouble!
Sunday, December 11, 2005
Saturday, December 10, 2005
Friday, December 9, 2005
Thursday, December 8, 2005
Wednesday, December 7, 2005
Tuesday, December 6, 2005
Monday, December 5, 2005
Sunday, December 4, 2005
Saturday, December 3, 2005
Friday, December 2, 2005
Thursday, December 1, 2005
Note: this isn't a new development. Chalk it up to my not noticing.
Wednesday, November 30, 2005
Tuesday, November 29, 2005
Sunday, November 27, 2005
Would someone in Denver please ring up Tom and tell him the problems with his logic? Stuff like:
- iPods are not x86 or Windows-based. Ask him to name one ARM or MIPS based virus that's capable of self-replication.
- Podcasts are normally delivered from static, one-way sources. For a podcast to become infected, it (theoretically) would require malicious action on the part of the podcast author. There's no two-way data feeds involved.
- RSS feeds are not like e-mail. They don't mysteriously show up on your iTunes list. You have to subscribe to them. In other words, there's a certain amount of reputation and trust involved with podcast sources.
In short, there are too many things missing from the environment that would support malicious code. "It ain't gonna happen." Instead, Mr. Martino should be ranting about virus scanners for our cars. There are models out there that run versions of MS Windows.
In a recent discussion, I took the stance that "risk = threat X vulnerability X asset replacement cost" is not a good formula for sound business decisions.
I will admit to having "poked fun" at their belief that the above is a "security formula". It isn't. It's a business formula, used to decide how much money is safe to throw at a department with no ROI.
I took the stance that the formula is usually a rationalization used to support a business decision that's already been made. That the formula comes from a "recognized" organization of security "professionals" makes it that much more of a problem. My argument follows...
Let's get "threat" and "vulnerability" out of the way. Both are binary in nature or, at least, that was the original intent. You either have the vulnerability or you don't. If you have the vulnerability, it's either exposed or it isn't. The formula becomes "risk = (1 or 0) X (1 or 0) X asset replacement cost".
You can state that "threat" and "vulnerability" are quantitative values ("1" or "0") unless you attempt to put a "degree" on it. If the terms "degree" or "percentage" are applied to either value, that value becomes subjective and I no longer have to argue the point. Unfortunately, you'll usually hear "degree of exposure" or threat described as a percentage (i.e., "how much of a threat is it?").
The real trouble lies within "asset replacement cost". It's an oversimplification and a subjective value hiding behind a number. (i.e., it isn't quantitative!) Don't think so? Try this:
- The basic "asset replacement cost" works best with a standalone system. If it's connected to any other asset, networked or not, the value quickly becomes a WAG (nice version: Wild Assumed Guess) (not-so-nice: drop "um" from the middle word and add a hyphen between the first two words)
- The basic "asset replacement cost" works best with a dedicated system. In other words, it's not used for anything else. If the system is used for any additional function, "asset value" gets complicated and other systems may be dragged into the equation. If the equation is artificially limited to the system under discussion, the value loses its integrity.
- "Asset replacement cost" is only valid when applied to hardware or programs. It fails horribly when applied to data. Normal business types will attempt to say that data replacement cost is nil ("we have a backup, don't we?"). I've yet to see any organization, outside of federal, that will attempt to actually recover "lost" data. Oh, and a lawsuit does not meet the definition of "recovery". At best, an organization might take into account penalties for lack of due care and/or due diligence.
The end result is that the formula usually ends up being "risk = estimate X guess X stubbornly narrow error", losing its security "value" entirely and becoming a rationalization for a business action that might not improve security at all.
In any case, I enjoyed the argument, though it would have been better demonstrated if a white-board was involved. I also won't deny that I enjoyed tormenting two people who actually needed it. Many people who obtain certifications often "stop" once they get them. If a person stops thinking about (and practicing) security, the certification becomes little more than a badge to hang on the wall.
Saturday, November 26, 2005
Friday, November 25, 2005
Thursday, November 24, 2005
However, I could have gone without the marketing approach that the Redmond Dog & Pony Show used. They seem to have taken a page from the Presidential Race strategy guide, where you say little about what you can do and verbally deride all of your competitors.
The part that struck me as a bit odd was about interoperability, a point which they stress repeatedly when talking about the Office 12 product. It's taken me almost a month, but I think that I've finally figured out what they meant by the term: they're not talking about platform interoperability, they're talking about interoperability between Office 12 products! [*sarcasm on*] Now there's something new. [*sarcasm off*]
Just call me "slow" this month.
Microsoft almost "gets it". They've said that they're going to allow others to "use" their document format via a free license. The only restriction appears to be "with attribution to Microsoft". What "attribution" means may be a sticky point in the future. I need to find a copy of the EULA and license agreements they're using.
Update: Is this a case of schizophrenia? How can something be patented and open source at the same time? Seems that the open source format has been submitted for patent in certain countries... This will be interesting to watch as it unfolds.
Wednesday, November 23, 2005
Tuesday, November 22, 2005
issue of "The Sleuth Kit Informer" (http://www.sleuthkit.org/informer/sleuthkit-informer-21.html), a newsletter he writes in conjunction with the Sleuth Kit. This issue talks about the new license for the Sleuth Kit and about changes to the ils tool.
Monday, November 21, 2005
Measurement: Extracting Insight from Spurious Traffic for whatever award you'd give for using-evil-for-good ideas. The paper discusses the shortcomings in current network visibility techniques and suggests extracting data from the noise generated by infections, spam, and denial of service attacks.
Sunday, November 20, 2005
It's what amplifies the effects of malicious code to the point where it can have devastating effects.
Here is another paper from last year's WORM, this one describing a method called synthetic diversity as a method for combating malicious code. interesting read but I disagree with most of it for a number of
- Synthetic diversity within a program can only go so far. While the techniques may reduce the number of attack points within a program, they won't remove them entirely. Add millions of users to that situation and diversity within a program that does the same function, time after time, becomes a bit shallow.
- As always, adding complexity isn't a good response to lessen vulnerabilities. The KISS principle is better.
- Diversity can only be provided via a small number of methods. It wouldn't take long for the "bad guys" to adapt. Even if more methods were developed, it would lead to an already familiar type of arms race.
Anyone care to argue for or
Saturday, November 19, 2005
Friday, November 18, 2005
The good news is that I did find some new security and tech-related casts to listen to (for a list, see my Bloglines subscriptions link at the top of this page).
Thursday, November 17, 2005
Wednesday, November 16, 2005
Tuesday, November 15, 2005
Monday, November 14, 2005
Sunday, November 13, 2005
"Nothing joke". The joke has been stretched so far that when it does fail, Nothing will be funny.
sacred. According to the theory of relativity: Nothing travels faster than light, Nothing existed before the Big Bang and Nothing can have negative mass. In the real world, Nothing is perfectly symmetrical and, for most of the time, Nothing changes.
When you're sick: Nothing tastes good, Nothing is interesting and Nothing really matters. Then again, Nothing is better than sleep to help you get better.
A lot of parents end up sending their kids to college to learn Nothing. Many of those students think that Nothing is harder to learn than Calculus. If those students learn Nothing, their parents tell them that they're good
That's about it for the puns. (I'm hiding Nothing.)
Please contribute Nothing to further the joke.
SCO: you started this!
and roughly nine weeks until ShmooCon. I have more shopping done for the latter than for the former.
(If you're married, ignore the rest of this. You already know the futility of the thought(s).) How can it be my fault though? She still hasn't filled out her wish list!
Saturday, November 12, 2005
Friday, November 11, 2005
think that I'm anti-MS: it's the marketing aspect that I like to poke fun at, not the tech.
Example: the ongoing OpenDocument bickering. The marketing department would like you to think that Massachusetts is going to require Linux and OpenOffice. I doubt anyone who reads this blog is confused but just in case, THEY'RE NOT THE SAME!!
OpenDocument is a document format, not a program. MS Office could save files in OpenDocument format with no more difficulty than saving in .RTF or .TXT formats. If MS doesn't adopt the format, we'll probably see it as a third party plug-in.
So what's the controversy? Why the smoke and mirrors from Redmond? How about the "free flow of data in and out"? With the OpenDocument format, MS no longer owns any part of your documents, unlike the current proprietary format where they own the font, the metadata format, and the file storage format.
MS's risk in adopting the OpenDocument format? Loss of user "lock in" (many companies initially adopt MS Office because it's considered the "industry standard"), loss of font "lock in" (many fonts are proprietary to MS Office), loss of feature "lock in" (a common format is just that: common, and people will come to prefer interoperability over proprietary features)(will anyone miss fighting
I've had to explain this issue multiple times this week. Hopefully those in the State Government can recognize the difference. Unfortunately, it's entirely possible that one or more of those people can be hired to influence the rest.
Update: Here's yet another view and reason for "the stink".
Thursday, November 10, 2005
Wednesday, November 9, 2005
Tuesday, November 8, 2005
other 49 states but Virginia has lived through a very nasty election campaign for Governor. Nothing but negative ads during prime time. I swear, if the independent had bought one commercial last night and did one "clean" commercial, he'd probably be Governor Elect tomorrow.
Monday, November 7, 2005
Sunday, November 6, 2005
Einstein quotes that I'm enamoured of:
- Any intelligent fool can make things bigger and more complex... It takes a touch of genius - and a lot of courage to move in the opposite
- Anyone who has never made a mistake has never tried anything new.
- Problems cannot be solved by the same level of thinking that created them.
Saturday, November 5, 2005
Hey Cox! WTF?
Friday, November 4, 2005
Thursday, November 3, 2005
I contributed by providing a little bit of content and a whole lot of argument. (My name is on page 6!) Those that know me want the subtitle "Loudly & At-Length: Yet More Evidence That Tim (err.. joat) Likes to Argue"
Wednesday, November 2, 2005
Tuesday, November 1, 2005
I still have some of the scripts laying around here. If anyone wants 'em, let me know. The majority of them are just wrappers for the tools named above, most of 'em aren't pretty.
Monday, October 31, 2005
Sunday, October 30, 2005
Saturday, October 29, 2005
Friday, October 28, 2005
Please read the announcement (link is above) for more info.
Thursday, October 27, 2005
As part of Microsoft's "secure by default" design philosophy, IE7 will block encrypted web sessions to sites with problematic (untrusted, revoked or expired) digital certificates.
Along with their increase in security, I hope Redmond has increased their attention to detail. Anyone remember certain lapses in ownership of certain domains in the recent past? There's only so many honest people, like Steve Cox or Michael Chaney, out there. There's a lot more dishonest people out there looking to create mischief or earn a quick buck.
My offer to Mr. Gates (to host cron'd reminders for domain renewal) still stands if he wants it. (heh)
Wednesday, October 26, 2005
In any case, notes are in the Wiki.
Tuesday, October 25, 2005
Monday, October 24, 2005
Just about the only point in the article that I disagree with is in the opening sentence: "While not absolutely required, it is ideal to have working knowledge of how an Ethernet network operates from a low-level perspective." I strongly disagree with this. It is imperative that you be familiar with your network to be able to operate it securely.
Sunday, October 23, 2005
Saturday, October 22, 2005
Friday, October 21, 2005
The new feature I appreciate the most is the change to the new message count. It's now a combination display of new messages and keep-as-new messages. Example: (2:5). It's a small thing but saves me a lot of time while navigating their site.
Thursday, October 20, 2005
broke her long standing rule (of me not touching her computer) and had me do the same for hers. Between that and the new USB printer server (both of which I got out of clearance bins at local stores), I've gained mega-spouse points! (heh)
Wednesday, October 19, 2005
guess I'll vent again...
What bright mind decided that the time to install updates is during the shutdown process? We use XP as the host systems for VM's at school. The class ran a little late and we were asked to help by shutting down and removing the hard drives. Nothing like noticing "Installing 1 of 9" in response to your clicking on
Tuesday, October 18, 2005
Monday, October 17, 2005
- tag properly) that caused the crappy looking entry.
Heads up MS, that's standard HTML that your browser isn't recognizing!
Embrace-and-extend? [*snicker*] Someone remind me to grab screen shots tomorrow!
Update: Here they are... The one on the left is Firefox. The one on the right is IE.
About five years ago, a couple of us (at a previous job) wrote a script to process DNS log files to watch for systems suddenly performing massive amounts of DNS lookups. In other words, watching for
Someone recently wrote a paper on this same topic and has received a bit of notoriety for it. There's no black art to it. It's pretty easy to kluge together.
- First be sure that your internal DNS server can handle a heavier load. I recommend running a dedicated server using BSDi (even an older version) because the load that BIND puts on BSDi is barely noticeable.
- Turn on querylog. It'll generate log entries like:
```
Oct 15 09:18:37 desk named: client 127.0.0.1#33023: query: www.google.com IN A +
Oct 15 09:18:56 desk named: client 192.168.2.5#1301: query: www.cisco.com IN A +
```
- Obviously, Perl is perfect to extract data from these log entries. Write a script to parse each line and insert the data from the line into a MySQL or Postgres database.
- Then use Perl, PHP, Ruby, or [insert your favorite language here] to extract the data in different "views", such as total-queries-by-client, total-queries-by-network-per-minute (or hour or day),
- To go along with these data "views", it's usually helpful to graph the generated metrics for simple crayon-understanding graphics. To be useful, you'll want graphs for the last hour, the last day, the last week and the last month, along with a user-configurable graph generation script, so that you (or someone else) can make quick interpretations and make comparisons to previously collected data.
- Finally, you'll want a script to periodically clean up the log file, either archiving it or deleting it. Running querylog full-time will generate massive log files. It may also be a good idea to write scripts to aggregate the data in the database server, keeping only generic statistical totals for data past a certain age.
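The parse-and-"view" steps above, as an added example that is not code from the original post (the post's scripts were Perl wrappers feeding a database; this is a stand-alone Python version with the database left out). It parses querylog lines of the exact shape quoted above, builds total-queries-by-client and total-queries-by-client-per-minute counters, counts the distinct names each client asked for, and flags any client whose busiest minute exceeds a threshold. The sample log lines, the burst from 192.168.2.77 and the threshold value are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Matches BIND querylog lines of the shape quoted in the post, e.g.
#   Oct 15 09:18:56 desk named: client 192.168.2.5#1301: query: www.cisco.com IN A +
# The optional "[pid]" after "named" covers syslog setups that append the daemon pid.
QUERY_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+named(?:\[\d+\])?:\s+client\s+"
    r"(?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+):\s+query:\s+"
    r"(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)"
)


def parse_line(line):
    """Return client, query name, type and a per-minute bucket for one log line, or None."""
    m = QUERY_RE.match(line)
    if m is None:
        return None  # not a query line (startup messages, lame-server notices, ...)
    d = m.groupdict()
    # Bucket key keeps month/day but drops the seconds, so counts aggregate per minute.
    minute = f"{d['mon']} {d['day']:>2} {d['time'][:5]}"
    return {"minute": minute, "client": d["client"],
            "qname": d["qname"].rstrip(".").lower(), "qtype": d["qtype"]}


def summarize(lines):
    """Aggregate query lines into the 'views' the post describes."""
    per_client = Counter()                # total-queries-by-client
    per_client_minute = Counter()         # total-queries-by-client-per-minute
    names_per_client = defaultdict(set)   # distinct names each client resolved
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[rec["client"]] += 1
        per_client_minute[(rec["client"], rec["minute"])] += 1
        names_per_client[rec["client"]].add(rec["qname"])
    return per_client, per_client_minute, names_per_client


def flag_noisy_clients(per_client_minute, threshold):
    """Clients whose busiest minute exceeds `threshold` queries -> {client: (minute, count)}."""
    peaks = {}
    for (client, minute), count in per_client_minute.items():
        if count > threshold and count > peaks.get(client, ("", 0))[1]:
            peaks[client] = (minute, count)
    return peaks


# Constructed sample log: two quiet clients, one non-query line, and one host
# (192.168.2.77) that suddenly resolves a dozen distinct names inside a single minute.
SAMPLE_LOG = [
    "Oct 15 09:18:37 desk named: client 127.0.0.1#33023: query: www.google.com IN A +",
    "Oct 15 09:18:56 desk named: client 192.168.2.5#1301: query: www.cisco.com IN A +",
    "Oct 15 09:19:02 desk named: client 192.168.2.5#1302: query: mail.example.net IN MX +",
    "Oct 15 09:19:05 desk named: lame server resolving 'example.org' (in 'example.org'?)",
] + [
    f"Oct 15 09:19:{sec:02d} desk named: client 192.168.2.77#{1500 + sec}: "
    f"query: host{sec}.example.org IN A +"
    for sec in range(10, 22)
]

BURST_THRESHOLD = 10  # queries per client per minute; constructed value, tune from your own baseline


def report(lines=SAMPLE_LOG, threshold=BURST_THRESHOLD):
    """Run the whole pipeline and return the views as plain dicts."""
    per_client, per_client_minute, names = summarize(lines)
    return {"totals": dict(per_client),
            "distinct_names": {c: len(n) for c, n in names.items()},
            "noisy": flag_noisy_clients(per_client_minute, threshold)}


if __name__ == "__main__":
    r = report()
    for client, total in sorted(r["totals"].items(), key=lambda kv: -kv[1]):
        print(f"{client:16} {total:5d} queries, {r['distinct_names'][client]} distinct names")
    for client, (minute, count) in r["noisy"].items():
        print(f"ALERT {client} made {count} queries in minute {minute}")
```

On a real server, feed it the querylog file instead of SAMPLE_LOG and set the threshold from a week of your own per-minute counts rather than the constructed number used here. The distinct-name count is the cheap second signal: a host that is suddenly resolving hundreds of names it never asked for before stands out even when its total query rate looks modest.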
Collecting/analyzing metrics such as these is well within the talents of the average network admin (and is usually free). I'm amazed that companies are willing to shell out big $$$ for something as simple as this.
If you have anything to do with network administration, this is something that you should be able to do. If you "own" a network, this is something that you want at least one of your network admin or security types to do. (Think of it as being able to gather and analyze data for troubleshooting.)
Sunday, October 16, 2005
with the bath water, a quick way to improve the integrity of your checksums is to use both MD5 and SHA-1. While the chance of a collision with both algorithms is still theoretically possible, it's an
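As an added illustration (not code from the original post), a small Python routine that computes and checks both digests and only accepts a file when the MD5 and the SHA-1 both match. It assumes nothing beyond the standard library; the "abc" vector used in the self-check is the well-known one from the MD5 and SHA-1 specifications.

```python
import hashlib
import hmac
import os
import tempfile


def dual_digest(data):
    """Return (md5_hex, sha1_hex) for a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def dual_digest_file(path, chunk_size=1 << 20):
    """Same as dual_digest but streams a file so large downloads aren't read into memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify(data, expected_md5, expected_sha1):
    """True only if BOTH published digests match; a mismatch on either one fails."""
    got_md5, got_sha1 = dual_digest(data)
    # compare_digest is a habit from comparing secrets; the checksums here are public,
    # but it also handles the hex case-folding cleanly.
    ok_md5 = hmac.compare_digest(got_md5, expected_md5.lower())
    ok_sha1 = hmac.compare_digest(got_sha1, expected_sha1.lower())
    return ok_md5 and ok_sha1


def verify_file(path, expected_md5, expected_sha1):
    """File variant of verify(), for checking a download against a published pair."""
    got_md5, got_sha1 = dual_digest_file(path)
    return (hmac.compare_digest(got_md5, expected_md5.lower())
            and hmac.compare_digest(got_sha1, expected_sha1.lower()))


if __name__ == "__main__":
    # Constructed example: write a temp file and check it against its own digests,
    # then tamper with one byte and show that both digests move.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"example release tarball contents\n")
        path = tmp.name
    try:
        md5_hex, sha1_hex = dual_digest_file(path)
        print("md5 ", md5_hex)
        print("sha1", sha1_hex)
        print("verify_file ->", verify_file(path, md5_hex, sha1_hex))
        with open(path, "ab") as fh:
            fh.write(b"\n")  # simulated tampering
        print("after tamper ->", verify_file(path, md5_hex, sha1_hex))
    finally:
        os.unlink(path)
```

Checking both digests only helps if the published checksum pair came over a channel you trust separately from the file itself; someone who can replace the file can usually replace a checksum stored beside it. Today the same pattern is normally done with SHA-256 (hashlib.sha256) rather than the two older algorithms.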
Saturday, October 15, 2005
Friday, October 14, 2005
about Nessus's movement towards closed source. While I cannot justify my feelings in the same manner that Dana can, I did contribute to the project (a couple measly signatures) and feel just as betrayed as I did with NFR and the CDDB. For each of these projects, I contributed data to support an open community and the owner decided to profit by moving the project away from the user community supporting it.
Thursday, October 13, 2005
Wednesday, October 12, 2005
looking at the page stats. What's odd is the #1 entry:
- Main Page (3078 views)
- Anonymous Proxies
- Asterisk (1735 views)
- Looking Up UPC Codes
- Looking Up Vehicle ID Numbers (VINs) (1094
- Perl - MSN IM Sniffer (1092 views)
- IPv6 on the WRT54G via OpenWRT (864 views)
- The Firewall Toolkit (FWTK) (818
- IPod Stuff (807 views)
Could it be caused by the inclusion of sexual fetish descriptions in the glossary? If so, then y'all are some sick puppies. (heh)
to troubleshoot my IPv6 routing issue in about 10 seconds once I started to look at it. (Thanks to Wes for prompting me to do it.) The fix is to not add the following to /etc/init.d/rcS. Rather, create a file called /etc/init.d/S99tunnel and put it there:
```sh
#!/bin/sh
# /etc/init.d/S99tunnel: bring up the he.net IPv6-in-IPv4 tunnel after the
# rest of the OpenWRT boot scripts have run (hence the S99 prefix).
#/bin/mkdir -p /var/log/
# sync the clock first (logs and anything date-sensitive are useless with a bogus date)
ntpclient -h pool.ntp.org -l -s &
# set up the IPv6 tunnel
# grab the current public IPv4 address from the WAN interface (vlan1)
MYIPADDR=`ip addr show vlan1|grep "inet "|cut -d\/ -f 1|cut -d \ -f 6- `
echo $MYIPADDR > /etc/myipaddr
#echo $MYSCND > /etc/my2ipaddr
# 6in4 (SIT) tunnel from our public address to the tunnel broker's IPv4 endpoint
ip tunnel add he.net mode sit remote 220.127.116.11 local $MYIPADDR ttl 255
ip link set he.net up
# our end of the tunnel's point-to-point /127, then the default IPv6 route via the tunnel
ip addr add 2001:470:1F00:FFFF::657/127 dev he.net
ip route add ::/0 dev he.net
# list the resulting IPv6 addresses (diagnostic only)
ip -f inet6 addr
# routed /64 on the LAN side (eth1), turn on IPv6 forwarding, start dnsmasq on the LAN
ip -6 addr add 2001:470:1F00:911::1/64 dev eth1
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
dnsmasq -i eth1
```
Tuesday, October 11, 2005
Monday, October 10, 2005
Sunday, October 9, 2005
gets its issues fixed), comments are going to be a dicey thing to use. Anything left in comments over the last two weeks has not been saved. I apologize for any inconvenience. If there's a comment that you want to add to the site, it might be easier to email me directly
Saturday, October 8, 2005
Friday, October 7, 2005
Thursday, October 6, 2005
Wednesday, October 5, 2005
The-powers-that-be say that the new server is waiting on some hardware. In the meantime, this one continues to wobble. I'll attempt to trim the site at the same time I'm posting but, with the current configuration, there's a limit.
The good news is that the site is mirrored here if the inode problem surfaces again. The bad news is that the mirror may be taken offline periodically to have "stuff" added to it.
Tuesday, October 4, 2005
Monday, October 3, 2005
Sunday, October 2, 2005
I've been reading various presentations and papers from recent conferences. Couple that with my recent knighting as a CISSP (yeah, last year I couldn't spell CISSP, now I is one) (don't ask me to say anything nice about it) and I have a schizophrenic thought: there's a difference between a business's view of security and a practitioner's view of security.
The business view of security is, and always will be, a money-based decision. Various certifications teach that risk involves a hole (the vulnerability), the likelihood that it'll be exploited (the threat) and the expected cost of reparations in the event that the vulnerability is exploited. Various pseudo-mathematical formulas have been generated to justify what is usually an already-made decision.
Purists will be offended that I've said that but, in reality, most businesses operate somewhere to the left of the ideals taught by various certification organizations. In other words, most small businesses still don't (and won't) comply with SarbOx, GLB, HIPAA and/or FISMA. They either cannot afford to comply or they would just like to maintain their profit margins. (Maybe it was a formal business decision: risk of getting caught = not maintaining protections or records X likelihood of discovery X possible fines?)
One thing that has irked me ever since someone tried to convince me of the correctness of tying asset cost to the risk formula: the missing business costs.
Think of it this way: you have a web server. You've made the "business decision" that a specific level of risk is acceptable and that you can tolerate four incidents per year before your business suffers excessive damages. (Remember, the cost of the protections must be less than the recovery costs.) What's missing? How about people?
If I'm your system administrator, I'll probably enjoy the overtime pay. The first time. If it's a recurring event, it's going to affect my personal life and I'm going to want a raise plus better overtime pay to counter-balance the loss of my personal life. That or I'm likely to be going to job interviews during my off-time. (Hint: Using "flex time" to keep me on a 40-hour per week timetable adds insult to injury.)
If I'm your customer, it's likely that my business depends on your business. I'm likely to leave after the first incident, especially if it's spectacular enough.
If I'm your investor, I'm not going to like that my profits go to your system administrators' overtime or that your customer base is shrinking. I think you'll find that your stock price drops at an "interesting" rate.
On the flip side, the practitioner's view is usually just as narrow. System and network administrators often get so caught up in "fighting the threat" that they spend inordinate amounts of time "doing security" and allow operations to suffer. They might spend so much time "locking things down" that the network becomes rigid and inflexible, unable to quickly adapt to sudden changes in business requirements. There's also a common belief that the operations/security budget is too small, regardless of its size.
It's this dichotomy in security "views" that perpetuates the resentment between business (AKA "the suits") and operations (AKA "the nerds"). Unfortunately, I don't have a fix for this. I'm just noting that the condition exists.
Apologies for the incomplete rambling. I'm still trying to flesh out this argument elsewhere for future "at length" use. The argument currently is skewed as I "came up" from the sysadmin side of the house. Comments/thoughts?
Saturday, October 1, 2005
Friday, September 30, 2005
are going onto my wish list:
Anyone know of any reason why I shouldn't?
I didn't add the VPT1000 to the list because it's a corded (USB) phone, something I'm not looking for at this time.
Thursday, September 29, 2005
Wednesday, September 28, 2005
Tuesday, September 27, 2005
Monday, September 26, 2005
I've just watched the DVD for Hitchhiker's Guide and the previews were a menu option, not a required series of bits that you passed through on the way to the movie. Heck, after watching the movie, I went back and watched the two previews that interested me.
Sunday, September 25, 2005
Saturday, September 24, 2005
Friday, September 23, 2005
case, for the Kismet::Client wiki entry) and search engine searches return your own work-in-progress. Arg! (heh)
I've finished sorting out the Kismet tags and I'm trying to fill out the descriptions of each.
Thursday, September 22, 2005
class that I could not attend. Needless to say, the audio was extremely
poor. I've managed to clean up the audio by running it through a few of
the filters in Audacity but I'm still not that happy with it.
able to find this list
of tools available for Linux but it's obvious that I have no clue about
where to start. Anyone have any good how-to's or a list of recommended
books? It appears that this is going to become more and more important
for me as the topic of recording lectures has come up quite often
Wednesday, September 21, 2005
Tuesday, September 20, 2005
Monday, September 19, 2005
In any case, for you tin-foil hat people, here's a list of countermeasures so the black helicopters don't get you:
- Never use the same computer for more than 15 minutes
- never use that computer in the same location
- construct a "glove box", with sound dampening material, to contain the keyboard (helps block those evil shoulder surfers too!)
- Intersperse a significant amount of random letters in your text and then go back and remove them with the mouse
- purposely mispell your "Letters to the Editor" to throw off the statistical analysis (it won't change the Editor's opinion of you any)
Can anyone else think of any? (heh)
That is, unless you're worried about who's listening via the microphone that you're absolutely sure is in the smoke detector, along with the radioactive source the government put there to slowly kill you.
Sunday, September 18, 2005
Saturday, September 17, 2005
animated text version of Star Wars by telnet'ing to
It appears to be full-length but I didn't have
the time to watch it all the way through (got as far as Luke meets Obi-
Wan). Is the story line that bad without the special effects?
Oh, it's safe to ignore the IPv6 comments. It'll still play.
Friday, September 16, 2005
Wednesday, September 14, 2005
Uh, could someone take a handful of clues and slap David Coursey with them? I was just pointed to DC's June article where he promotes what amounts to censorship, though he claims it's not.
Originally, I wrote a long, rambling vent about how ignorant DC is. Thanks to the recent outage, I've reconsidered my thoughts and have slightly more PC recommendations: David, go take a civics class (to find out how government works) and then take a criminal justice class (to find out how law & law enforcement work).
For any law students reading this, here's a quiz: what were the errors in his article? (5 points each) Answers later.
Tuesday, September 13, 2005
I agree with "Default Permit", "Penetrate and Patch" and "Action is Better Than Inaction". I could do without the Sun Tzu reference, regardless of what he did or did not say. That reference gives the impression that your management isn't to be trusted. (See "user" reference below.)
I had to read all of "Enumerating Badness" before agreeing with it. It's AKA "log file reduction".
I slightly disagree with his position in "Hacking is Cool", only for the factor that the only available alternative (currently) amounts to "ignorance is bliss".
I have issue with his "Educating Users" section as it comes across as "don't trust your users" and the need to "protect people from themselves". However, I'm not saying that I disagree with him. I just don't like how he stated the issue.
"The Minor Dumbs" are mostly spot-on, though the root of the problem (IMO) is the security vendors that promote those ideas in the first place. Every single "minor dumb" originates in the marketing fluff that management reads on a regular basis.
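To make the "Enumerating Badness" versus log-file-reduction point concrete, here is an added example (mine, not code from the post or from Ranum's essay): instead of listing every bad pattern to alert on, it lists the lines already known to be normal and reports only what is left. The known-good patterns and the syslog lines are constructed for illustration.

```python
"""Log-file reduction by enumerating goodness, not badness.

Added example, not from the original post. Everything below, including
the sample log lines and the "known good" patterns, is constructed.
"""
import re
from collections import Counter

# Known-normal messages (the enumerated goodness). Anything that matches
# none of these is, by definition, worth a human's attention.
KNOWN_GOOD = [
    r"^sshd\[\d+\]: Accepted publickey for \w+ from [\d.]+ port \d+ ssh2$",
    r"^CRON\[\d+\]: \(\w+\) CMD \(.*\)$",
    r"^systemd\[1\]: Started .*\.$",
]
COMPILED_GOOD = [re.compile(p) for p in KNOWN_GOOD]

# Constructed sample syslog lines (hostname field omitted for brevity).
SAMPLE_LOG = """\
Sep 13 01:00:01 CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Sep 13 01:02:15 sshd[1310]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Sep 13 01:02:44 sshd[1322]: Failed password for root from 203.0.113.9 port 40122 ssh2
Sep 13 01:02:45 sshd[1322]: Failed password for root from 203.0.113.9 port 40122 ssh2
Sep 13 01:02:47 sshd[1322]: Failed password for root from 203.0.113.9 port 40122 ssh2
Sep 13 01:05:00 systemd[1]: Started Daily apt download activities.
Sep 13 01:07:19 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Sep 13 02:00:01 CRON[1402]: (root) CMD (run-parts /etc/cron.hourly)
"""

SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")


def strip_timestamp(line: str) -> str:
    """Remove the syslog date so the same event on different days compares equal."""
    return SYSLOG_PREFIX.sub("", line.strip())


def is_known_good(message: str) -> bool:
    """True if the message (without timestamp) matches any known-normal pattern."""
    return any(p.match(message) for p in COMPILED_GOOD)


def normalize(message: str) -> str:
    """Fold PIDs so repeated events from different processes collapse into one line."""
    return re.sub(r"\[\d+\]", "[PID]", message)


def reduce_log(text: str) -> Counter:
    """Return a Counter of normalized messages that matched no known-good pattern.

    This is the whole technique: subtract what you know is normal and
    look at the remainder, rather than trying to enumerate every bad thing.
    """
    leftovers = Counter()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        msg = strip_timestamp(raw)
        if is_known_good(msg):
            continue
        leftovers[normalize(msg)] += 1
    return leftovers


if __name__ == "__main__":
    # Eight lines in, two distinct "unexplained" events out.
    for msg, count in reduce_log(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {msg}")
```

Each new "leftover" either gets investigated or, once understood, becomes another KNOWN_GOOD entry, which is why the list grows slowly and the daily report shrinks.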
Monday, September 12, 2005
Sunday, September 11, 2005
Saturday, September 10, 2005
- I plan on adding memory to the cantankerous antique of a machine that I call my desktop system
- the powers-that-be at 757 have said that the current system has a very nasty wobble and that we should migrate to another server
Please bear with me/them.
Update: OMG! I should have added that memory years ago. It probably would have saved me the cost of the two hard drives that I wore out (from almost incessant page swapping). I actually like Windows boot-up speed for once (it's that noticeable)!
Update II: In performing clean-up for the move, I've taken a lot of older non-joat content offline, such as the files from last year's ShmooCon. If something's listed-but-offline, ask.
Thursday, September 8, 2005
Wednesday, September 7, 2005
Tuesday, September 6, 2005
valuable article almost a year ago that will probably be applicable for
a very long time: Nine
questions to ask when evaluating a security threat.
keep in mind when asking yourself these questions: the underlying
assumptions are not static and other "forces" may change the questions.
To be able to answer the questions effectively, you need to have
intimate knowledge of your infrastructure (well-maintained documentation)
and you need to know what "normal" traffic looks like (well-monitored
Monday, September 5, 2005
My thought is that this will lead to physical vandalism of a number of vending machines, due to the short transmission ranges involved. In other words, rabid "no spam" types may assault the local soda machine because they receive unwanted "Drink Pepsi" ads every time they walk by it.
This could lead to some interesting developments. I can see just about every type of spam (porn and "your system is insecure" included) being transmitted in public places.
Sunday, September 4, 2005
Saturday, September 3, 2005
Friday, September 2, 2005
after taking a certification test two weeks ago. Except for a few
posts, you've been reading from my backlog. The test was so rough that
it put me "off my feed" for the better part of two weeks. Tonight is
the first time that I've typed (non-work-related) for more than 5
The test was horribly convoluted, the questions poorly
worded, and overly rationalized. I got the feeling that they were
testing more for the ability to pick the question apart rather than for
problem solving or knowledge.
And, yes, I did pass. Just don't ask me
to say anything nice about the course or the certification. I don't
feel that anyone, having passed the exam, has accomplished anything.
It's ironic that the certification is promoted as one of the leading
accomplishments in the field. The course and test bank strongly need
accreditation by an external entity.
Note: this is not the
certification that I talked about last weekend.
Thursday, September 1, 2005
Hmm... Mebbe if I use a hammer on the only house phone?
Wednesday, August 31, 2005
see if I can explain this and why I think that even attempting to impose "community service" might be a bad idea.
The basic situation: the school attempted to press felony charges
against school children for repeatedly bypassing security functions
installed by the school.
- Attempting to become the parent
- Assuming that all students are the same
- Lack of due care and due diligence
- Other problems
Attempting to become the parent
The parents cannot be held responsible for the actions of their
children because it is the school that acted as "the parent" in this
situation by putting an adult "tool" into the hands of a minor. Use of
an adult tool, be it car, gun, or communications device requires a
specific level of adult judgement. This is something that most minors
do not have and it is also something that is not easily replaced by
software, especially software purchased via a least-bidder contract.
The responsible adult(s) in this situation are still the school board
and the teachers (those that gave the adult tools to the minors). Most
parents do not understand computer technology/security or the related
federal laws. Thus, the school became (and remains) the responsible
party by being the knowledgeable "enabler" by putting an adult "tool"
into the hands of minors and then not providing constant adult
Although the parents probably signed a permission slip, it's probable
that they didn't understand the implications of that permission. I'm
willing to bet even a poor lawyer could break the supposed contract in
that permission slip.
Assuming that all students are the same
Regardless of the "we're all equal" tripe that is force-fed in most
schools today, students differ. They have different/differing IQ's,
religions, respect for authority, and upbringings. Occasionally (ahem)
you'll have a student that is smart enough and motivated (peer pressure
in high school usually will override ethics and authority) to take
advantage of an opportunity. Peer recognition will usually cause this
"seized opportunity" to be shared.
Believing that the installed
protections were adequate enough to (to use a noun as a verb)
countermeasure all students' abilities and motivations makes the
school eligible for the InfoSec Darwin Awards, if such a thing ever
exists. To maintain "security", your minimum protections must be
sufficient to counter the most talented and badly motivated user, not
the "average" user. 'Nuff said?
Lack of due care and due diligence
AKA "poor judgement". The school displayed poor judgement (lack of
due care) by putting an adult "tool" into the hands of a minor and then
neglecting to provide adequate supervision when the minor
exercised that tool. Even though the school may have believed that it
had practiced "due care" by installing various protections, it obviously
didn't practice "due diligence".
"Due care" equates to taking the necessary precautions to prevent an
incident (an instantiation of a risk). Obviously, the level of security
was not sufficient to prevent an incident. That the incident was as
severe as it was and that it involved so many students is an indication
that there was a difference between perceived and actually required
"Due diligence" is the practice of enforcing those precautions
(countermeasures) and being able to prove their consistent enforcement
over time (auditing, record keeping, etc.). What occurred didn't happen
overnight. Who was reading the firewall/router logs? IM traffic is
easy to detect. The school should have noticed when the first student
started experimenting with his laptop.
"Due care" and "due diligence" also require adjustment of
countermeasures when they reveal an inadequacy. The article indicates that
the situation continued to exist, even after detentions, suspensions and
"other punishments" (what the heck does that mean?). This means
that the school only attempted to correct the situation by external
measures (getting the parents involved). The school obviously failed to
increase required physical, logical and administrative countermeasures.
"Adequate supervision" involves the phrases "consistent (and
constant) supervision" and "adult-quality judgement". Believing that
adult judgement can be replaced with software, especially when "physical
security" is negated by allowing student custody of the laptops, is a
Use of desktop machines in a formal classroom setting implies a
certain level of integrity provided by constant physical security and
near-constant physical presence of authority. This "advantage" was lost
by issuing portable systems and allowing them to be taken out of the
"secure environment". Even if possession of the laptops were restricted
to the school, you can't assume that the 50-year-old part-time teacher
would be able to recognize improper or illegal activity in study hall.
Err... How about overreacting? The "zero tolerance" policy often
quoted by public school officials is often a rationalization to vacate a
school's responsibility/judgement or to hide their own
complicity-due-to-negligence in a situation. In this case, all three
might be involved.
Some of the security "tools" installed by the school may have been
illegal. While it is permissible for a parent to invisibly monitor their
child's online activity, serious questions should be asked when a school
installs the ability to monitor students' activities on an individual
basis. In other words, generic monitoring (watching proxy or router
logs for suspicious activity) is generally permissible with prior
notice. However, employing "a remote monitoring function that let
administrators see what students were viewing on their screens,"
without just cause (and usually a search warrant), is likely to be a
felony in itself. Remember, we are not talking about parent-child or
Parent-child relationships/responsibilities have created unique legal
conditions which are not easily transferred to institution-child
relationships/responsibilities. In this case, the school can probably
be slapped with a "contributing to the delinquency of a minor" charge
for not providing adequate supervision after facilitating (providing the
tools of) the crime.
That the tools of the crime were provided by the school, that the
object(s) of the crime was also school property, and that the
perpetrators of the crime were school charges has created a very sticky
situation for the school. The school exacerbated the situation by
attempting to charge the students with felonies, thereby drawing the
attention of national media.
- this "experiment" obviously has
- attempting to "save face", as the article puts it, via
imposed community service, risks yet more embarrassment
this is a public school which accepts federal money and keeps digital
records on its students, do you think FISMA or GLB applies?
Tuesday, August 30, 2005
years. Here's yet another attempt...
I'm likely to be completely off
the mark with this but the DNS control argument may become a moot point
(or an even bigger issue) with the adoption of IPv6. The U.S. keeps
control of DNS space solely by the pseudo-rules-of-thumb known as
"possession is nine-tenths of the law" and "majority rule". In other
words, control is maintained solely by inertia and continued support of
IPv6 changes the playing field because of the differing
rates of adoption of the technology. A visit to the current 6bone will
show that the ratio of English to non-English sites is much different
than version 4 IP space. There is a slight risk that current
infrastructure managers might attempt to use "majority rule" to start
their own address infrastructure.
I say slight as such an action would
require cooperation on a massive scale by parties who normally are very
contentious, politically different and motivated by normally-opposing
agendas (profit, control, ideologies, etc.).
I believe the situation
to be quite binary. As long as the forces remain below a certain level,
ICANN is likely to retain "control" (a poor term for it) of the DNS
system. This is the most likely outcome.
However, if the level of
contention goes above a certain point, or if opposing forces change the
turn-over point in the equation by cooperating with each other, we might
see a very fractious DNS system. Fortunately, if this occurs, the
condition won't last long (in geological time) as systems do not
normally support unstable conditions for long. Remember:
requires complete lack of control
- oscillation requires a very
specific form of control (feedback) and a permanently unstable
financial or political institutions. Unfortunately for us users, the
corrective controls used by either of these institutions are not
normally that subtle.
This should be quite interesting to watch.
Also, there are probably quite a few "business opportunities" in the
above if you're in the right place at the right time with the right
Monday, August 29, 2005
visiting the site may have noticed (I'm not understating) extremely long
load times. In other words, the page stalls while loading the Infosec
Does anyone have any suggestions for alternate services?
I'd like to keep the same basic information-presentation but, barring
that, I'm willing to try out just about anything.
Sunday, August 28, 2005
Saturday, August 27, 2005
Friday, August 26, 2005
Thursday, August 25, 2005
Wednesday, August 24, 2005
Tuesday, August 23, 2005
If this blog were part of a business, I'd have a legal action available. As it is, I can only (legally) remain pissed.
Monday, August 22, 2005
first class) was to search for forms used in collecting digital evidence
(use of the term "computer forensics" has been formally "frowned
After a 15-minute Google search, it's amazing. Everybody,
including their mother and her Bingo friends, has some form of computer
forensics (sorry Rob) book or course. Very few of those sites, other
than law enforcement, provide any tools or support.
The assignment is
actually to find a number of processes used to support the creation and
maintenance of the chain of custody, and discuss them. This could get
Sunday, August 21, 2005
(PSK) is a Knoppix-based Linux distro with tools not only for computer
forensics but quite a few network troubleshooting and monitoring tools.
Note: Users of this kit should also read the disclaimers on the site
if the use is intended for legal/LEO purposes.
Saturday, August 20, 2005
Friday, August 19, 2005
Thursday, August 18, 2005
Wednesday, August 17, 2005
Tuesday, August 16, 2005
Monday, August 15, 2005
- they actually couldn't find anyone (although it's unlikely)
- they couldn't find anyone that could explain MD5 in simple terms that would indicate the likelihood that the traffic infraction actually occurred. Hint: think DNA evidence. You will always hear "probabilities" discussed when lawyers discuss DNA. Yes, there are collisions in MD5 number space. The probability of forgery goes down very fast if that "collision" has the same MD5 hash, looks like a picture of the intersection in question, with the defendant's car passing through it, with the defendant's license plate in view, with the camera's timestamp (and other) data embedded in the picture.
- the prosecution was unable to display the chain of evidence, in the form of being unable to prove when the MD5 hash was generated. The hash being embedded in the picture may actually cause a problem because it means that the picture was changed after it was taken, by the camera itself. However, this is a procedural problem, not a technical one, and would translate into the prosecution not being able to find anyone willing to take an oath to assert/support the accuracy of the data.
I doubt that MD5 hashing of traffic pictures will cease. Rather, I believe that how they're presented in court will change.
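The chain-of-custody point above, that a hash written into the picture means the picture was changed after the hash was computed, in code: an added example of mine, not code from the post or from any traffic-camera vendor. The "image" bytes, the operator name and the record format are constructed; the record keeps SHA-256 alongside MD5 so that an MD5-collision argument cannot stand on its own.

```python
"""Chain-of-custody hashing for a captured image (added example, not from
the original post). The "image" is a constructed byte string, not a real JPEG.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for the camera's raw capture.
ORIGINAL_CAPTURE = (
    b"\xff\xd8FAKEJPEG intersection=Main&Elm plate=ABC123 ts=2005-08-15T08:31:07\xff\xd9"
)


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def make_custody_record(data: bytes, operator: str, when: Optional[datetime] = None) -> dict:
    """Detached record: what was hashed, with which algorithms, by whom and when.

    Keeping this outside the image is what lets you later prove *when* the
    hash was generated, which is the procedural gap the court case turned on.
    """
    when = when or datetime.now(timezone.utc)
    return {
        "md5": digest(data, "md5"),        # what the cameras in the story used
        "sha256": digest(data, "sha256"),  # collision-resistant companion
        "length": len(data),
        "operator": operator,
        "generated_at": when.isoformat(),
    }


def embed_hash(data: bytes, record: dict) -> bytes:
    """Simulate a camera appending its own hash inside the image file."""
    return data + b"\nHASH:" + record["md5"].encode()


def verify(data: bytes, record: dict) -> bool:
    """Check presented bytes against the detached record (constant-time compare)."""
    return len(data) == record["length"] and hmac.compare_digest(
        digest(data, "sha256"), record["sha256"]
    )


def embedded_hash_matches_file(data_with_hash: bytes) -> bool:
    """The naive check: hash the whole file and compare with the hash stored in it.
    It never succeeds, because the stored hash predates the bytes that hold it."""
    _, _, stored = data_with_hash.rpartition(b"\nHASH:")
    return digest(data_with_hash, "md5") == stored.decode()


def embedded_hash_matches_payload(data_with_hash: bytes) -> bool:
    """The correct check: hash only the bytes that existed when the hash was made."""
    payload, _, stored = data_with_hash.rpartition(b"\nHASH:")
    return digest(payload, "md5") == stored.decode()


if __name__ == "__main__":
    record = make_custody_record(ORIGINAL_CAPTURE, "camera-unit-7")
    print(json.dumps(record, indent=2))
    tagged = embed_hash(ORIGINAL_CAPTURE, record)
    print("whole-file check :", embedded_hash_matches_file(tagged))     # False
    print("payload check    :", embedded_hash_matches_payload(tagged))  # True
    print("detached record  :", verify(ORIGINAL_CAPTURE, record))       # True
    altered = ORIGINAL_CAPTURE.replace(b"ABC123", b"ABC128")
    print("tampered plate   :", verify(altered, record))                # False
```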
Sunday, August 14, 2005
Saturday, August 13, 2005
Friday, August 12, 2005
all the 3-button mice?" rings a bell with me.
The only reason
you don't hear incessant whining from me is my secret (okay, now it's no
longer a secret) cache of Logitech 3-button mice. I bought ten of those
suckers when I heard Logitech was discontinuing the line. Also, I have
to thank Hurd for donating a Sun Crossbow (3-button USB) to the
collection, thereby prolonging the cannibalism and jury-rigged repairs of
those first ten mice. I wear 'em out fast.
Thursday, August 11, 2005
In the same post, Richard points out a project by Harlan Carvey, who visits here now and then: the Forensic Server Project. His book also has a supporting site: http://www.windows-ir.com. I highly recommend visiting all three.
"responsible disclosure" pyre. It leads to overly politically correct
announcements such as this. Little is
gained from this type of announcement other than eEye getting a bit of
"street cred". Announcements like that damage Microsoft's business by
making organizations leery of server safety without giving them an idea
of what to do to protect themselves.
Personally, I favor full
disclosure but if we cannot live with that, I'd rather not hear about
the vulnerability until such time that the vendor can comfortably talk
about it. Many of the same arguments for "responsible disclosure" (I
really dislike using that term), can be made for "responsible
non-disclosure". Maybe the only way we can get back to the middle is to
push the pendulum further away from center?
Wednesday, August 10, 2005
Tuesday, August 9, 2005
Monday, August 8, 2005
Sunday, August 7, 2005
It looks like the FBI is involved now. If your machine has ever been infected with CWS, consider any valuable information on it as compromised (i.e., at a minimum, change your passwords).
Update: I managed to fat-finger the URL for Nepenthes. Thanks goes to Gaetano Zappulla for correcting it. He also suggests taking a look at kojoney, an SSH honeypot written in Python using the Twisted Conch libraries.
Saturday, August 6, 2005
Friday, August 5, 2005
Thursday, August 4, 2005
Wednesday, August 3, 2005
Administration. He posted the tenth one, in which I'm a firm believer,
on June 27. I wrote a SANS paper for log reduction based on this
commandment. Entertaining and rules-to-live-by at the same time.
Tuesday, August 2, 2005
Monday, August 1, 2005
- Cleaning up the Mess - Time to redefine disinfection?
- Chasing Ghosts? - Return of the Stealth Malware
- Hide 'n Seek - Anatomy of Stealth
- Digital Genome Mapping - Advanced Binary Malware
Sunday, July 31, 2005
Long version follows...
Cisco has a press release about the
permanent injunction against M. Lynn. Most of it reads like the usual
PC fluff. However, I take exception to the following:
actions with Mr. Lynn and Black Hat were not based on the fact that a
flaw was identified, rather that they chose to address the issue outside
of established industry practices and procedures for responsible
Based on available information, I feel that those
words are entirely bullshit and ask that someone (at Cisco hopefully)
point me to those "established industry practices and
procedures" (the phrase implies that they're written down
somewhere). Supposedly Cisco patched the flaw last April, which means
that it was known (or made known) to them before that. If "established
industry procedures" indicates the "Full Disclosure Policy" that was
drafted by Rain Forest
Puppy, then M.L. was well outside of the 5-day waiting period. Or
even the 30-day standard that Microsoft pushed for when that company
last trotted out
responsible disclosure. Or how about eEye's RDP where specific
information is withheld until the patch is released? Coincidentally,
eEye's reported process is similar to those of the OIS (Organization for
Internet Safety) (read their PDF for the actual written practices
and procedures) in that specific information is withheld until the patch
So which "established industry practice and procedure"
did M. Lynn violate? Or did Cisco just not like someone airing their
Just so that there's no confusion about my
"overreacting" opinion, I used that term in referring to the injunction
requirement put forth by Cisco, where M. Lynn never speak at Blackhat or
Defcon again, on any topic. I'd understand if the requirement was
limited to this specific vulnerability. In my opinion, anything extra
is malicious and over-the-top.
Neither side has acted with logical
consideration to their actions, both are trying to appear to be "the
victim", and all involved should "get over it".