Sunday, July 31, 2005

New record

Wi-Fi Toys has a post
about the new unamplified Wi-Fi distance record being set.


Short version: I think that Cisco is overreacting and is being a bully.
Long version follows...

Cisco has a press release about the
permanent injunction against M. Lynn. Most of it reads like the usual
PC fluff. However, I take exception to the following:

actions with Mr. Lynn and Black Hat were not based on the fact that a
flaw was identified, rather that they chose to address the issue outside
of established industry practices and procedures for responsible

Based on available information, I feel that those
words are entirely bullshit and ask that someone (at Cisco hopefully)
point me to those "established industry practices and
" (the phrase implies that they're written down
somewhere). Supposedly Cisco patched the flaw last April, which means
that it was known (or made known) to them before that. If "established
industry procedures" indicates the "Full Disclosure Policy" that was
drafted by Rain Forest
, then M.L. was well outside of the 5-day waiting period. Or
even the 30-day standard that Microsoft pushed for when that company
last trotted out
responsible disclosure
. Or how about eEye's RDP where specific
information is withheld until the patch is released? Coincidentally,
eEye's reported process is similar to those of the OIS (Organization for
Internet Safety
) (read their PDF for the actual written practices
and procedures) in that specific information is withheld until the patch
is released.

So which "established industry practice and procedure"
did M. Lynn violate? Or did Cisco just not like someone airing their
dirty laundry?

Just so that there's no confusion about my
"overreacting" opinion, I used that term in referring to the injunction
requirement put forth by Cisco, where M. Lynn never speak at Blackhat or
Defcon again, on any topic. I'd understand if the requirement was
limited to this specific vulnerability. In my opinion, anything extra
is malicious and over-the-top.

Neither side has acted with logical
consideration to their actions, both are trying to appear to be "the
victim", and all involved should "get over it".

Saturday, July 30, 2005

Shmoo Redo

Errr... I missed the announcement of this one too: ShmooCon 2006. Current price $75.
For those that don't know: the price goes up as it gets closer to con


Read this
(from the Register).

My first thought: this will add a whole new side
to the phrase "when hackers attack".

My second thought: Johnny Long is
going to need a new category on his site.

Friday, July 29, 2005

Michael Lynn

has a good piece going on the Cisco flop-and-twitch. I
consider the whole incident to be yet another go-round in the religious
war called "responsible disclosure". You've heard the arguments from
both sides. You'll hear 'em again.

My personal view (at least of this
incident) is that this isn't something that M. Lynn "invented", it's
something that he heard of elsewhere which caused him to do a bit of
research. Some of "the bad guys" already have the info. It's nice to
know that some of "the good guys" now also have it. However, M. Lynn is
probably going to suffer in multiple ways and this incident has a strong
possibility to set a very nasty precedent. Watch for the legal pendulum
to swing very quickly to one side or the other.

Thursday, July 28, 2005

Hands-on Honeypot slides

Maximillian Dornseif has posted links to the BlackHat Hands-on Honeypot
class, that he and Thorsten Holz presented, here.

BH Schedule

Just in case you don't have it, here's the schedule for the presentations at BH.

(Yeah, I know. This is fluff, but it won't survive the transition to the other box.)


The blog will be offline for a few days while the server gods pick up
all of the 757 bloggers by their ears and move 'em to the new box.

Wednesday, July 27, 2005

RSS Malware

I'm tired of hearing every tech journalist pontificating about how the
flavor of the hour could be used as a channel for worms/viruses/hacking.
Here's a good example.

Yes, RSS could be a vector for malware but it's not a likely one. It's not like we constantly wander the Internet in search of new feeds. For the majority of people, their feed sources remain constant. Barring a web server compromise at one of those sites or the author doing something really boneheaded, there isn't much risk of worms or spyware sneaking in via the RSS feed.

Of course, if the author embeds crap like advertising in his/her feed, then it's another story.

Tuesday, July 26, 2005

New TaoFeed

If you subscribe to Richard's feed at TaoSecurity, do him a favor and
move your subscription to, especially if you've seen the "site owner reaching his/her limit" warning.

TV over IP

Personally, I think that, while there's probably a legitimate argument
in there somewhere, this
is extremely silly. Someone is pissed off that someone else
wants to push television over IP. I think it's silly because I "get my
IP" over the same pipe that I get my TV.

The fight is actually an
industry trying to "protect" their income stream and resisting the
economic force created by technological innovation. The situation is
not one that is easily resolved either. "Convergence" involves the
television, telephone, cell phone, wireless ISP, and even the power
companies. Future involvement will probably include the entertainment
industries, various hardware manufacturers and various

With the move to wireless and IPv6, expect those
industries to spend more and more money on legal support and
advertisements. The industry or industries that come out on top will
probably be the one that offers the most to the customer for the cost.
(This usually translates to the company with the deepest pockets.)

problem in the logic in the article is that Verizon and SBC assume that
consumers will want their IP-over-TV from a local "central office".
What they're currently missing is fledgling Internet-based TV shows that
already exist and even have an existing distribution infrastructure
(BitTorrent). However, I'm skeptical enough that I expect at least one
attempt to Napsterize BitTorrent (kill it via the courts, then take it
over and turn it into an income stream).

So call me a

Monday, July 25, 2005

Eddy-current detector

Alex Perry has an interesting use for Linux. He built his own probe to
use as an eddy-current detector.

Saturday, July 23, 2005

No op

Please excuse the look of the blog while I monkey with the templates
(time for a change).

SpamAssassin Wiki

About 5 minutes ago, I discovered the SpamAssassin Wiki. (via
Dan Kohn's post about training SA via an
IMAP folder

Thursday, July 21, 2005


I must be on someone's list again (yet another spammer that can
Google-hack?) because the garbage is showing up in the comments queue
again. This one appears to be using someone else's box on a Verizon DSL

no op

Apologies for the pause in posting. The last two weeks have been very
busy. The good news is that I've backfilled the missing days. The bad
news is that the breaks in posting will probably occur again in the
coming month. I've got a new cert coming up and I have to requalify on
an old one.

Galleon III

I wonder if the recent foobar was the reason why I couldn't get Galleon to work properly. I'll have to try it again this weekend.

Wednesday, July 20, 2005

Monday, July 18, 2005

IBM Freebie

IBM is offering an SDK development toolkit
containing DB2, Lotus, Rational, Tivoli and Websphere in the hopes that
you develop something for the community. Note: Windows or Linux

Sunday, July 17, 2005

Get out your tinfoil hats

I'm a bit behind on my work so here's a quick bit of entertainment for you "conspiracy theorists": take a look at the backgrounds of the people that make up the managing board for the .XXX domain and answer the following questions:
  1. Who's worked with each other at a previous company?
  2. Who's worked at other registrars and what did they do?
  3. Who managed a .XXX domain in a previous light?
  4. How does the old registrar feel about this?
  5. Who left under "undisclosed" reasons?
  6. Who's also participated in ICANN?

Galleon II

I managed to make some headway into getting Galleon up and running. My
notes are posted here. I've got it to the point where the software runs but my TiVo still doesn't "see" it. Also, it doesn't use the same ports as my previous install of JavaHMO did. Anyone have any ideas?

Paper Enigma

It's a commercial product but it's interesting and you can print your
own: here's the paper version of the Enigma machine.

Saturday, July 16, 2005


Has anyone successfully installed Galleon (not the browser) under Linux or any other *nix? I have a working version of the older JavaHMO but cannot get the newer Galleon installed properly.

Howto needed!

Secure RSS

I found Joe Gregorio's article
during a lecture that I wasn't paying attention to (I was playing with instead).

The article
talks about a method for securing RSS feeds with encryption rather than
password protecting the site. I like the idea but I believe that Joe
did not take it far enough. The idea that should be on the end of his
train of thought is "public key encryption".

Friday, July 15, 2005

ICMP errors

If anyone asks you to list the problems in IPv4 that still need to be
fixed for IPv6, you can say "ICMP". That link discusses
Fernando Gont's proposed changes to the protocol to protect against
long-known attacks (mostly DoS) with ICMP.
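The attacks Gont's proposal addresses (blind connection resets, throughput reduction and the like) work because a TCP stack acts on any ICMP error that quotes one of its connections. One of the proposed mitigations, later written down in RFC 5927, is to accept an ICMP error only if the TCP sequence number it quotes falls inside the connection's send window. The following is an added example, not code from the linked draft or from this blog; the packet builder, the connection record and the addresses are constructed for illustration (checksums are left at zero since nothing here puts the packet on a wire).

```python
import struct
from dataclasses import dataclass

# ICMP types that quote the offending IP header plus 8 bytes of transport header
ICMP_ERROR_TYPES = {3: "destination unreachable", 4: "source quench",
                    11: "time exceeded", 12: "parameter problem"}


@dataclass
class TcpConnection:
    """Constructed stand-in for a TCB: the 4-tuple plus the send-window edges."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int   # oldest unacknowledged sequence number
    snd_nxt: int   # next sequence number to be sent


def build_icmp_error(icmp_type, code, src, dst, sport, dport, seq):
    """Constructed test vector: ICMP error quoting an IPv4/TCP datagram (checksums zero)."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, code, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_first8 = struct.pack("!HHI", sport, dport, seq)
    return icmp_hdr + ip_hdr + tcp_first8


def parse_icmp_error(packet):
    """Extract the quoted 4-tuple and TCP sequence number from an ICMP error message."""
    if len(packet) < 8 + 20 + 8:
        raise ValueError("truncated ICMP error")
    icmp_type, code = packet[0], packet[1]
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error type")
    inner = packet[8:]                      # the quoted IP datagram
    ihl = (inner[0] & 0x0F) * 4             # IP header length in bytes
    if inner[9] != 6:
        raise ValueError("quoted datagram is not TCP")
    if len(inner) < ihl + 8:
        raise ValueError("quoted TCP header truncated")
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return {"type": icmp_type, "code": code, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "seq": seq}


def seq_in_send_window(seq, snd_una, snd_nxt):
    # SND.UNA <= SEG.SEQ < SND.NXT, computed modulo 2^32 so wraparound is handled
    return (seq - snd_una) % (1 << 32) < (snd_nxt - snd_una) % (1 << 32)


def icmp_error_is_plausible(packet, connections):
    """True only if the error quotes one of our connections AND an in-flight sequence number."""
    err = parse_icmp_error(packet)
    for conn in connections:
        # The quoted datagram was sent by us, so its source is our local endpoint.
        if (conn.local_ip, conn.local_port, conn.remote_ip, conn.remote_port) == \
           (err["src"], err["sport"], err["dst"], err["dport"]):
            return seq_in_send_window(err["seq"], conn.snd_una, conn.snd_nxt)
    return False


if __name__ == "__main__":
    conns = [TcpConnection("192.0.2.10", 40000, "198.51.100.5", 80, 1000, 1500)]
    genuine = build_icmp_error(3, 4, "192.0.2.10", "198.51.100.5", 40000, 80, 1200)
    off_window = build_icmp_error(3, 4, "192.0.2.10", "198.51.100.5", 40000, 80, 5000)
    print("genuine error accepted:", icmp_error_is_plausible(genuine, conns))
    print("off-window error rejected:", not icmp_error_is_plausible(off_window, conns))
```

The check is cheap because an attacker who can only guess the 4-tuple still has to land a 32-bit sequence number inside the (usually small) amount of unacknowledged data; a stack that skips it will happily tear down or throttle a connection on the strength of a forged error.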

Thursday, July 14, 2005


Here's a long discussion on Smurfing, a denial of service attack that has lived much longer than it should have.

Wednesday, July 13, 2005

Help wanted

More torrent users are needed so users can get the free geodata

Monday, July 11, 2005

Malicious Insiders

Corporations don't only worry about attacks from the outside. Here's a paper entitled "Analysis and Detection of Malicious Insiders", with 14 authors?

Sunday, July 10, 2005

Bloom filters has a good Bloom
, something I learned just this past week. In a nutshell,
Bloom filters are useful in dealing with gawd-awfully-large databases.
A Bloom filter will quickly tell you, accurately, if what you're looking
for is not in the database or, less accurately, if what you're
looking for might be in the database. Shorter version: it's a
way to avoid having to search massive databases for every query that a
user throws at a program.
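As an added illustration of the "no false negatives, some false positives" property (my code, not from the linked post), here is a small Bloom filter built on double hashing over a SHA-256 digest, together with the usual sizing formulas and a measured false-positive rate over constructed sample data.

```python
import hashlib
import math


class BloomFilter:
    """Bit array plus k hash positions per key; answers 'definitely absent' or 'maybe present'."""

    def __init__(self, num_bits: int, num_hashes: int) -> None:
        self.m = num_bits
        self.k = num_hashes
        self.bits = bytearray((num_bits + 7) // 8)

    def _positions(self, key: str):
        # Kirsch-Mitzenmacher double hashing: two 64-bit values taken from one
        # SHA-256 digest yield k positions h1 + i*h2 (mod m).
        digest = hashlib.sha256(key.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1   # odd, so never zero
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, key: str) -> None:
        for pos in self._positions(key):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, key: str) -> bool:
        # A single cleared bit proves the key was never added (no false negatives);
        # all bits set only means "maybe", because other keys may have set them.
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(key))


def optimal_params(expected_items: int, target_fp_rate: float):
    """Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hash functions."""
    m = math.ceil(-expected_items * math.log(target_fp_rate) / (math.log(2) ** 2))
    k = max(1, round(m / expected_items * math.log(2)))
    return m, k


def build_filter(keys, expected_items, target_fp_rate=0.01):
    m, k = optimal_params(expected_items, target_fp_rate)
    bf = BloomFilter(m, k)
    for key in keys:
        bf.add(key)
    return bf


def measure_false_positives(bf, absent_keys):
    """Fraction of keys known to be absent that the filter still reports as 'maybe'."""
    hits = sum(1 for key in absent_keys if bf.might_contain(key))
    return hits / len(absent_keys)


if __name__ == "__main__":
    # Constructed sample: a "large database" of 1000 known-bad hostnames.
    known_bad = [f"host{i}.bad.example" for i in range(1000)]
    bf = build_filter(known_bad, expected_items=1000, target_fp_rate=0.01)
    print("known key ->", bf.might_contain("host42.bad.example"))
    print("absent key ->", bf.might_contain("clean.example"))
    probes = [f"clean{i}.good.example" for i in range(10000)]
    print("observed false-positive rate:", measure_false_positives(bf, probes))
```

The point for the "gawd-awfully-large database" case: a 1000-entry set at a 1% target needs about 9.6 kilobits, and only the queries that come back "maybe" ever have to touch the real database.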

Saturday, July 9, 2005

Google Earth

It appears that Google Earth
downloads are available
. So many people went absolutely nuts with this free toy, when
they first released it, that they had to block downloads of the software.
I'm willing to bet that the total man-hours of productivity lost to
Google Earth rivals opening day of one of the Star Wars films.

course, people have gotten organized so that they can
spend even more time sightseeing vicariously. Some are even excited
enough about it that they'll post Flickr photos about where they haven't been. What's that? A faux-moblog (fo-mo-blog)?



I'm not in here but a
neighbor, a block or so over, is. Are you?

BBC podcast

The BBC is experimenting with podcasting.


Here are some of the
papers from the 2005 ReCon.

Friday, July 8, 2005

Core Security stuff

Dig around in here (Core Security's Open Brainstormings). I'm willing to bet you find something interesting to read.

Thursday, July 7, 2005


You might find Jonathan Westhues's
circuit board grinder and/or his proximity card stuff interesting.

Wednesday, July 6, 2005

More reason

Yet more reason to tie down your wireless networks, read your logs, and
periodically test your own site(s): stuff like this gets taught at conferences. It's a presentation on "doing evil" involving wireless, search engines, and various tools (not necessarily together) entitled "Wizard searching: reversing the commercial web for fun and knowledge".


I hereby donate my "Bonehead" sign (remember the one that I promised to
wear all weekend) to the asshole that's DoS'ing my service provider.

Tuesday, July 5, 2005

Driving backwards

Weirdness for my own benefit, embedding someone else's RSS feed in your
wiki page:

Monday, July 4, 2005

Dark Lord Cruise?

I still haven't seen the new Star Wars movie so I don't know who the
Emperor actually is. After seeing this, could it be Tom Cruise?

Thanks to Ben Saunders via FurryGoat.


All the more reason to move away from WEP and start using WPA2 and 802.11i. It's a paper from Recon 2005 which discusses the current state of wireless injection attacks.

Sunday, July 3, 2005

DNS root

The following needs a bit of polish but you'll get the idea:

disagreeing with Paul Vixie?!?
I guess so. There are justifiable reasons for implementing private DNS
domains, the main one being "community". Or should I say "different
community" or "private community". There are those that like the idea
of not having to play by the rules imposed on them by others.

Vixie makes a good point against his own argument when he says "So
what? Everybody wants something. I want a pony. Get over it." I bet
your initial response is to think: "Geez! What an asshole!"

be fair, he said that to just make a point. (I hope.) But it's one of
the major reasons that people set up their own communities and practices.
An example of this: fanatical "don't top post" crusaders have caused
mail list/forum splits more than once. Otherwise, there would be one
Perl list (with Tom in it), one security site (with Richard in it), one
political forum (dissenters will be shot!), one operating system (you'd
not be able to add functions either), and one movie list (we'll tell you
what you'll watch).

Yes, another is "money", but you don't have to
play if you don't want to. In fact, those schemes are doomed to fail,
either due to lack of participation or by actions of the-powers-that-be.
(A local here managed the ".biz" domain two years before the powers that
be declared the ".biz" domain to be theirs. She even went before
Congress over the issue. The result: the "official" domain was assigned
to an "official" registrar and the ensuing "switch" caused a lot of
confusion, not to mention emotional responses.)

I also take issue with
the "coherency" and the "there can only be one" arguments. Coherency
has never been a basic assumption in the design of the DNS system.
"Trust", yes. "Coherency", no.

The "There can only be one" argument
is fine for those sitting at the top. For those of us near the bottom,
there are good reasons to modify "the rules". For 50K+ users and a
small IT budget, filtering of porn, UCE or malicious code can only be
performed via DNS poisoning (declaring your server as authoritative for
those domains your users shouldn't be going to) (or blocking
spyware/malicious code sources).

There also may be a need to set up
private communities. Corporations can (and do) practice "security by
obscurity" by setting up private DNS roots and attaching vhosts to them.
While "security by obscurity" by itself is not a good thing, as an added
layer in "defense in depth", it increases overall security. (Think a
vhost attached to a private domain where the default page responds with
a 404 error. In other words, you have to know about the pseudo root
page to join the community. With added configuration, you have to be
part of the community to "see" the page.)

A non-corporate example of
modifying DNS service for a private community is the UCE-fighting
community's blacklists. As an example, a response to a look up on
"" means that it's listed as a problem
source. While this service is run within the ".org" domain, it could
just as easily be run under the ".bob" domain. As long as people know
how to configure their DNS services to include ".bob", the service would
be just as employable.
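To make the two mechanisms above concrete (the "declare yourself authoritative for domains your users shouldn't visit" filter, and a blacklist served out of a private suffix such as ".bob"), here is an added example of my own, not anything from Vixie's piece or from a real resolver. It models the policy step a resolver would run before forwarding anything upstream: blocked names and all their subdomains get a sinkhole answer, and queries under an assumed private zone `bl.example.bob` are answered the way a DNS blacklist answers them, with the conventional `127.0.0.2` for a listed source and NXDOMAIN otherwise. All names and addresses are constructed.

```python
import ipaddress

SINKHOLE_ADDR = "127.0.0.1"      # where blocked names resolve to
DNSBL_ZONE = "bl.example.bob"    # assumed private suffix; ".bob" is not a public TLD
DNSBL_LISTED = "127.0.0.2"       # conventional "listed" answer for a DNS blacklist


class PolicyResolver:
    """Local authoritative overrides consulted before a query is forwarded upstream.

    blocked_domains: names (and, implicitly, all their subdomains) to sinkhole.
    listed_sources:  IPv4 addresses the private blacklist zone reports as listed.
    """

    def __init__(self, blocked_domains, listed_sources):
        self.blocked = {d.lower().rstrip(".") for d in blocked_domains}
        self.listed = {ipaddress.ip_address(a) for a in listed_sources}

    def _blocked_parent(self, name):
        # Walk up the label tree so a block on "ads.example" also catches
        # "cdn.ads.example"; most specific candidate first.
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked:
                return candidate
        return None

    def _dnsbl_answer(self, name):
        # Query form: reversed octets prepended to the zone, e.g. 2.2.0.192.bl.example.bob
        suffix = "." + DNSBL_ZONE
        clean = name.lower().rstrip(".")
        if not clean.endswith(suffix):
            return None
        octets = clean[: -len(suffix)].split(".")
        if len(octets) != 4:
            return "NXDOMAIN"                 # malformed query: treat as not listed
        try:
            addr = ipaddress.ip_address(".".join(reversed(octets)))
        except ValueError:
            return "NXDOMAIN"
        return DNSBL_LISTED if addr in self.listed else "NXDOMAIN"

    def resolve(self, name):
        """Return ("sinkhole", addr), ("dnsbl", answer) or ("forward", name)."""
        if self._blocked_parent(name) is not None:
            return ("sinkhole", SINKHOLE_ADDR)
        answer = self._dnsbl_answer(name)
        if answer is not None:
            return ("dnsbl", answer)
        return ("forward", name)


def dnsbl_query_name(source_ip, zone=DNSBL_ZONE):
    """Build the lookup name for a source address the way a mail server would."""
    addr = ipaddress.IPv4Address(source_ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


if __name__ == "__main__":
    # Constructed policy: two sinkholed domains and one listed mail source.
    resolver = PolicyResolver(["ads.example", "malware.test"], ["192.0.2.2"])
    for q in ("cdn.ads.example", "www.good.example",
              dnsbl_query_name("192.0.2.2"), dnsbl_query_name("192.0.2.9")):
        print(q, "->", resolver.resolve(q))
```

Nothing about the ".bob" suffix is special: the zone name is just a string the community's resolvers agree to answer locally, which is exactly the point about private roots made above. The subdomain walk is the detail people most often get wrong when hand-rolling a sinkhole zone; blocking only the exact name leaves every host under it reachable.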

This technique is also used to distribute
public encryption keys, host databases (think phone or address books),
keep track of hardware/software/books, and just about anything else a
private community might need. It's only when that community tries to
"go global" that they run up against "you can't have it, get over it"

Paul's response is not necessarily a "bad thing" either. It
creates an environment for innovation. Invention is not done by "fat &
happy". It's usually performed by someone hungry, curious, frustrated,
seriously bored or even paranoid.

So Paul, with or without your
approval (or help) it's being done. Get over it.


Added the following feeds to the Bloglines


SynAckLabs has announced the
first-ever honeyclient tool (presentation here). Basically, it's a tool to detect/monitor malicious sites (web, for now).

I think the author has a lot of interesting work ahead of him. I don't think it'll make him too popular amongst the spyware crowd either.


F-Secure has another Beta for their Blacklight anti-rootkit software.
This one runs
until 01 October. If anyone uses it, please let the rest of us know
what you think about it.

Saturday, July 2, 2005


It's old news to those that pay attention to their blogrolls and keep
their links up to date (I'm not in that group, though I occasionally try
to be) but: Liudvikas Bukys has moved his blog to here. He sent me an email prompt over a
week ago and I'm only now getting around to it.


In a fit of very early morning experimentation, I tried out the
ndiswrapper that's built into Mandrake 10.2. The WPC54G card worked the
first time. I put the list of steps here.


Friday, July 1, 2005

Bash Tips

Here is Simon Myers' paper which discusses various valuable Bash tips and tricks. Worth reading if only for the history tip.