Thursday, March 31, 2005

Hash function attacks

Bruce Schneier points out a paper on finding MD5 collisions and starts a long conversation (in the comments).

Wednesday, March 30, 2005

D'oh!

Here's a surprise... Those two at the RSA conference that had that
"amateur" study that MS was more secure were actually funded by MS. They now claim innocence but the original story used sentences like "A Linux Latest News about Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded..." and "The pair said that they lacked the funding to test other operating
systems...
" which doesn't help their claim any. It all made the "test" sound like an honest (although amateur) contest.

How much funding do you need to buy/borrow/rent a PowerBook and watch it for 30 days? Hell, you could have built a Plan 9 box out of junk and watched it for 30 days
(for free). Heck, QNX's trial period IS thirty days. How about
FreeBSD? Or OpenBSD? Or Windows 3.1? Or FreeDOS? Or RxDOS? Or Beos?
Does Sun still give away trial versions of Solaris?

How much money
was the grant? If it was more than the $20 that one of the
testers pocketed, I'd lean towards using the phrase "<a title="You'll
have to use a search engine for this one">sock puppet".

And to
avoid getting into that argument (and at the risk of irking both
"churches"), either of those OSs can be a floating turd if it's not
managed properly.

Huh?

It's obvious but a lot of people experimenting with honeypots forget to
do things like minimizing <a href="http://www.wormulon.net/2005/03/26/web-security-tip-1-remove-
wget/">what can be abused.

Tuesday, March 29, 2005

FTimes

<a href="http://ftimes.sourceforge.net/FTimes/FTimes+in
+Action/IntrusionAnalysis.shtml">FTimes is a forensics tool for
working with alternate data streams (ADS). It's drawback is that it
depends on the local OS. In other words, if the kernel is compromised,
it may not see certain ADSs.

Monday, March 28, 2005

More on Leo

I neglected to talk about how to listen to Leo on the radio. The flash
applet from the radio station that's supposed to play the stream didn't
work for me. Instead, I used Kaffeine to play it (I installed it from
the Penguin Liberation Front's RPMs)(search Google for "easy urpmi").
At the command line, type "kaffeine
http://ccdig.liquidviewer.com/kfi
". It'll open the "mmsh" stream
and will even display the Liquid Audio graphics.

802.11 Layer 2 Analysis

Here's
Joshua Wright's GIAC GCIH paper which discusses Layer 2 analysis of the
footprints left by wireless tools in the Stumbler family (those that
actually communicate with a wireless LAN as it "detects" them).

Unicode

The topic has some milage on it but there's some good discussion in the
comments of Bruce Shneier's post on IDN attacks.

Sunday, March 27, 2005

Saturday, March 26, 2005

ATA-186 + SIP

<a href="http://blog.tmcnet.com/blog/tom-keating/voip/voip-blog/cisco-
ata186-firmware-and-other-voip-stuff.asp">Here's a post about
getting SIP wedged onto an ATA-186.

Friday, March 25, 2005

Asterisk + ATA-186

<a href="http://www.loligo.com/asterisk/cisco/ATA-186-
guide.v20030628.txt">Here's a guide for using a Cisco ATA-186 with
Asterisk. (You'll need to turn word-wrap on in your browser if you have
it. If not, view source.)

I'd seen some negative comments about using
ATA-186's with Asterisk but thought that the document might be
worthwhile regardless. Anyone care to comment on it?

Returning

Are they still on the endangered list? It's nice to see them numerous
enough that they consider nesting near where I grew up. From the local newspaper:


(Lynn Brennan) A bald eagle watches cars pass through the snow while resting on a tree limb at
the Almond Dam Wednesday morning. There appears to be a nesting pair at
the site, adding to others reported throughout the area, especially
along the Canisteo River.

Thursday, March 24, 2005

Wednesday, March 23, 2005

Where's Leo?

I liked the ScreenSavers prior to G4 and can't stand it now. Ever
wonder what happened to Leo? He's here doing a weekend talk
show about the same ol', same ol'. You can either listen to the stream
on the weekend or download it as a podcast. A cool twist is that the show notes are on a wiki (you can edit/add to the show notes!).

Tuesday, March 22, 2005

Smarter worms

A little while ago, the wormblog
pointed
out
<a href="http://tennis.ecs.umass.edu/~czou/research/routingWorm-
techreport.pdf">this interesting paper.

Monday, March 21, 2005

No op

My apologies. Postings will be a bit thin this week as I've spent most
of the weekend at the hospital. I normally write most of the posts for
the week on the previous weekend. This weekend, I was offline,
mostly.

When my son has a cold at this time of year it can combine
with the weather and his asthma. The result is he ends up on oxygen and
steroids. Nothing to worry about though unless, of course, you have
something to do with supporting my grocery bill while he's on steroids
or if you're one of his nurses (he's 20 but acts like a bored 2-year old
when he doesn't feel well).

DNS Stuff

Here's another good online tool.

Sunday, March 20, 2005

Saturday, March 19, 2005

Botnets

Here's an interesting
paper
from the Honeynet Project entitled "Know Your Enemy:
Tracking Botnets
". The subtitle reads "Using honeynets to learn
more about Bots
".

Friday, March 18, 2005

Make Mag.

Hey telmnstr! The magazine is on
the streets! Here's a review of it.

Blacklight

FYI: F-Secure's <a href="http://www.f-
secure.com/blacklight/try.shtml">Blacklight Beta still has about 6
weeks to it. <a href="http://www.f-
secure.com/blacklight/">Blacklight is a "running rootkit" detector.
(See the site for a better explanation.)

Thursday, March 17, 2005

So now they're called "business models"?

I've disagreed with CircleID
authors before. You can chalk this one up as yet another
disagreement.

I'm not sure if James Seng was being sarcastic or not
(I'm quite dense when exposed to subtleties) but just about everything
that he describes as a "business model" in this article, I
find offensive and wrong as the underlying methods employed are usually
illegal, unethical, or just plain offensive.

What methods are these?
Let's see...

  • blog comments spamming
  • wiki
    spamming
  • domain hijacking
  • domain
    squatting
  • dishonest or unethical registrars

Have I
missed anything?

Wednesday, March 16, 2005

Earthquakes

I was surprised when I stumbled across this (via its RSS feed actually).
The U.S. Geological Service maintains a page of latest quakes and
even provides the data in an RSS
feed
.

TEMPEST

Just for info, here is "The Complete,
Unofficial TEMPEST Information Page
".

Tuesday, March 15, 2005

Class action suit

If you've ever bought something from CompUSA, you might be eligible for
rebates
that you never received.

Monday, March 14, 2005

Google/Yahoo VoIP

In leiu of this article,
it may be a good idea to brush up on your VoIP. (heh) Okay, I'll drop
it. For now.

Sunday, March 13, 2005

OpenSSH

OpenSSH v4.0 is out. Although I'm
a bit wary of new versions, it might be worth a try. Here's a list of
feature
changes
.

Illustrated Guide to Hashes

<a href="http://unixwiz.net/techtips/iguide-crypto-
hashes.html">Here's Steve Friedl's An Illustrated Guide to
Cryptographic Hashes
. He states that he wrote the article because
of the recent discovered weaknesses and to explain to the general public
what hashes are and what they're used for. Sort of a "the sky is not
falling, only a piece of it" article?

Saturday, March 12, 2005

He's baack!

My comment spammer is back. I was getting worried. Maybe he'd slipped
in the shower and hit his head. Maybe tripped and fell off the curb and
fell in front of a bus. Or was struck by lightning. Hey, I was
really worried.

Once again, he can be traced back through Gandi. What
a wonderful service.

Huh?

This has got to be THE most stupid thing I've ever heard. So MS is going to offer patches to the gov't one month prior to anyone else? I have a few questions:
  • Do they become classified information for that period of time?
  • If so, do they think the practice will last any longer than the first due-dilligence lawsuit?
  • Is this an early shot at April 1st?

Asterisk again

Being a n00b does have it's perks, at least when dealing with Asterisk:
everything is new! I finally had time to play with it again, got Kphone
to connect to the server and caused the server to connect to the Digium
site. (Documented here)

Next
up, I have to figure out how to get inbound calls across the NAT box (if
anyone wants to send pointers, keep in mind that it's OpenWRT and not a
standard firmware load). Maybe loading Asterisk on it and just having
it forward all calls to the internal box?

I'm driving my wife
absolutely nuts playing with this thing!

Spam art

<a href="http://secureme.blogspot.com/2005/03/interesting-spam-old-
school-ascii-art.html">higB talks about a new twist to spam: the
addition of ASCII art as yet another mututation to try to slip past
scanners. I find it interesting as I was first exposed ASCII art in
college.

Actually, it was ASCII porn and it was before personal
computers had graphics displays (yeah, I'm old enough to have learned
assembly on a cutting-edge 8080A). The running joke was that if you
left your terminal open, someone would cause a set of jobs dump to the
line printer and get charged to your account. Needless to say, the
computing center went through a minor fortune in tractor paper.

LambdaMOO?

LambdaMOO is <a href="http://www.cuddletech.com/blog/pivot/entry.php?
id=106">still around? (I left just after the virtual rape article.)
Actually, it isn't the original PARC LambdaMOO. The source code and a
chunk of the original database was made available to anyone who wanted
it and I think that this is one of those instances. It's one of the
virtual reality success stories, text-based or whatever.

Friday, March 11, 2005

Podcasting

/usr/bin/geek has a post
describing the basics of podcasting (for the listener). He's had to
explain it repeatedly so he's entitled it "The Dummies* Guide To
Podcasting
".

Home Automation

Here's
N. Cherry's home automation links page. It's huge! I'll be digging
through this one for weeks.

Thursday, March 10, 2005

Brazilian Honeypots Alliance

Some of us/you find the Brazilian Honeypots Alliance Daily
Statistics
page interesting.

No spam?

Odd. There's no spam in the comment queue this morning. Did the
spammer(s) forget to reset/reload a script last night? (heh)

Tuesday, March 8, 2005

Loss of anonymity?

In response to this, I'll
add:
  1. YOU GAIN the a better chance at tracking down
    spammers and domain thieves
  2. YOU GAIN a better ability to
    contact owners of misbehaving network systems
  3. YOU GAIN a
    little peace of mind by forcing domain owners to cut back on their own
    abuse.

Personally, I don't like how it was done but I do
like the fact that "something is being done". The current situation
which allows certain spammer-oriented Registrars to operate makes
running even a simple blog like this (on someone else's site) a constant
battle with jerks and assholes trying to earn off of your volunteered
work.

The author of that article needs to take a few civics lessons
too. There is no right to operate a website anonymously. Anonymity is
something you might gain by making traceback difficult but it is not a
Constitutional right.

Neither does the First Amendment guarantee the
right to speak anonymously. The First Amendment prevents the government
from censuring your speech. It does not prevent the government from
holding you responsible for what you say, nor does provide any guarantee
of anonymity that would allow you to avoid that responsibility.

In all
9 of the authors examples, he claims that anonymity is lost. What
actually occurred was a return to responsibility. The anonymity that
"you" are losing was a temporary side effect of the relaxing rules. For
those of us that used Registrars that kept to the rules, our info was
posted and is readily available. Spam and malicious code has reached
record levels and unless we (as a society) start tightening the rules,
the problems are only going to get worse. We're about to move to a
different network protocol (IPv6). How about we leave some of the
problems behind?

Apologies for the rant. I'm tired of tracing crap
back through Gandi and similar.

HITB Vids

HERT has a post which indicates that the
HITB '04 videos are available via BitTorrent.

Monday, March 7, 2005

Asterisk

I've added an Asterisk page to the wiki to keep
notes on my experiments with the PBX software and to (hopefully) help
anyone else experimenting with it.

Sunday, March 6, 2005

Saturday, March 5, 2005

SixXS

I don't know how valuable this is but SixXS does a little bit more than
provide IPv4-to-IPv6 tunnels. If you just want to visit a website on
the "other side" (without setting a tunnel up) just add
".ipv6.sixxs.org" to the hostname.

From IPv4

 
 http://www.ipv6.phreak.org.ipv4.sixxs.org

will take you to the
IPv6 site for the Digital Information Society. It also works in the
other direction. If all you have is IPv6 connectivity

   
http://www.google.com.ipv6.sixxs.org

will take you to Google.

Traceback

Here's a paper from @Stake which discusses two theoretical approaches to traceback.

Malware trail

I've been remiss in not pointing out that "Follow the Bouncing
Malware
" actually had four installments.

Friday, March 4, 2005

Reverse Engineering Malware

Here's Lenny
Zeltser's paper on reverse engineering malware, parts of which he used
for his GCIH cert requirements.

Thursday, March 3, 2005

Forensics

Here's a couple PowerPoint presentations from Steve Abrams:

ReadPST

For anyone that needs to read Outlook PST's in a *nix environment, I
recommend readpst
(part of the libpst tarball). I wasn't able to pull/push files directly
into my IMAPS server but I was able to generate a local MBOX file, mount
that, and then push the messages onto the IMAPS server via a local mail
client.

Wednesday, March 2, 2005

Have I been hacked?

<a href="http://www.bleepingcomputer.com/forums/index.php?
showtutorial=24">Here's BleepingComputer's quick tutorial for
Windows entitled "Have I Been Hacked?". It's gives a quick what-
to-check for the suddenly paranoid.

DNS Attacks

Linux Exposed has a quick
article on "<a href="http://www.linuxexposed.com/Articles/Security/DNS-Common-
Abuses-4.html">DNS Common Abuses
".

Tuesday, March 1, 2005

Wormblog

Here's a blog devoted to issues
related to combating worms.

Say it again

(heh) Here's the algorithm related to <a href="http://www.groklaw.net/article.php?
story=20050225155855922">this:



if($self eq "MS purist") {
$a=1;
until ($a<0) {
say "We will bury you!";
pound_shoe_on_podium();
stand_in_front_of_flag();
say "It's Un-American!";
say "It's an Axis of Evil!";
launch_3rd_party_FUD_campaing();
$a--;
if($a <1) {
$a=3;
}
}
if(all_else_fails()==1) {
click_heels_three_times();
chant_repeatedly("There's no place like home");
}
}

The unending barrage of FUD (from both sides) gets a bit
tiring. There are specific strengths and weaknesses in all operating
systems which brings about the situation "the best tool for a specific
task". Well-run hybrid networks are more secure than well-run
monolithic networks (Before you want to restart that argument: a
single vulnerability won't damage the entire infrastructure.)

For now
the argument has dropped back into the "The End is Nigh" entertainment
category but I do wish that the left and the right would get over it so
the rest of us can get on with our lives.