Sunday, July 31, 2005
Weasel-wording
Long version follows...
Cisco has a press release about the
permanent injunction against M. Lynn. Most of it reads like the usual
PC fluff. However, I take exception to the following:
Cisco's
actions with Mr. Lynn and Black Hat were not based on the fact that a
flaw was identified, rather that they chose to address the issue outside
of established industry practices and procedures for responsible
disclosure.
Based on available information, I feel that those
words are entirely bullshit and ask that someone (at Cisco hopefully)
point me to those "established industry practices and
procedures" (the phrase implies that they're written down
somewhere). Supposedly Cisco patched the flaw last April, which means
that it was known (or made known) to them before that. If "established
industry procedures" indicates the "Full Disclosure Policy" that was
drafted by Rain Forest
Puppy, then M.L. was well outside of the 5-day waiting period. Or
even the 30-day standard that Microsoft pushed for when that company
last trotted out
responsible disclosure. Or how about eEye's RDP where specific
information is withheld until the patch is released? Coincidentally,
eEye's reported process is similar to those of the OIS (Organization for
Internet Safety) (read their PDF for the actual written practices
and procedures) in that specific information is withheld until the patch
is released.
So which "established industry practice and procedure"
did M. Lynn violate? Or did Cisco just not like someone airing their
dirty laundry?
Just so that there's no confusion about my
"overreacting" opinion, I used that term in referring to the injunction
requirement put forth by Cisco, that M. Lynn never speak at Blackhat or
Defcon again, on any topic. I'd understand if the requirement was
limited to this specific vulnerability. In my opinion, anything extra
is malicious and over-the-top.
Neither side has acted with logical
consideration of their actions, both are trying to appear to be "the
victim", and all involved should "get over it".
Saturday, July 30, 2005
Shmoo Redo
For those that don't know: the price goes up as it gets closer to con
time.
Friday, July 29, 2005
Michael Lynn
Networking has a good piece going on the Cisco flop-and-twitch. I
consider the whole incident to be yet another go-round in the religious
war called "responsible disclosure". You've heard the arguments from
both sides. You'll hear 'em again.
My personal view (at least of this
incident) is that this isn't something that M. Lynn "invented", it's
something that he heard of elsewhere which caused him to do a bit of
research. Some of "the bad guys" already have the info. It's nice to
know that some of "the good guys" now also have it. However, M. Lynn is
probably going to suffer in multiple ways and this incident has a strong
possibility to set a very nasty precedent. Watch for the legal pendulum
to swing very quickly to one side or the other.
Thursday, July 28, 2005
Hands-on Honeypot slides
class, that he and Thorsten Holz presented, here.
BH Schedule
(Yeah, I know. This is fluff, but it won't survive the transition to the other box.)
Uhoh
all of the 757 bloggers by their ears and move 'em to the new box.
Wednesday, July 27, 2005
RSS Malware
flavor of the hour could be used as a channel for worms/viruses/hacking.
Here's a good example.
Yes, RSS could be a vector for malware but it's not a likely one. It's not like we constantly wander the Internet in search of new feeds. For the majority of people, their feed sources remain constant. Barring a web server compromise at one of those sites or the author doing something really boneheaded, there isn't much risk of worms or spyware sneaking in via the RSS feed.
Of course, if the author embeds crap like advertising in his/her feed, then it's another story.
Tuesday, July 26, 2005
New TaoFeed
move your subscription to http://feeds.feedburner.com/Taosecurity, especially if you've seen the "site owner reaching his/her limit" warning.
TV over IP
in there somewhere, this
fight is extremely silly. Someone is pissed off that someone else
wants to push television over IP. I think it's silly because I "get my
IP" over the same pipe that I get my TV.
The fight is actually an
industry trying to "protect" their income stream and resisting the
economic force created by technological innovation. The situation is
not one that is easily resolved either. "Convergence" involves the
television, telephone, cell phone, wireless ISP, and even the power
companies. Future involvement will probably include the entertainment
industries, various hardware manufacturers and various
governments.
With the move to wireless and IPv6, expect those
industries to spend more and more money on legal support and
advertisements. The industry or industries that come out on top will
probably be the one that offers the most to the customer for the cost.
(This usually translates to the company with the deepest pockets.)
The
problem in the logic of the article is that Verizon and SBC assume that
consumers will want their IP-over-TV from a local "central office".
What they're currently missing is fledgling Internet-based TV shows that
already exist and even have an existing distribution infrastructure
(BitTorrent). However, I'm skeptical enough that I expect at least one
attempt to Napsterize BitTorrent (kill it via the courts, then take it
over and turn it into an income stream).
So call me a
pessimist.
Monday, July 25, 2005
Eddy-current detector
use as an eddy-current detector.
Sunday, July 24, 2005
Saturday, July 23, 2005
SpamAssassin Wiki
Dan Kohn's post about training SA via an
IMAP folder.
Friday, July 22, 2005
Thursday, July 21, 2005
Spammers
Google-hack?) because the garbage is showing up in the comments queue
again. This one appears to be using someone else's box on a Verizon DSL
connection.
no op
busy. The good news is that I've back filled the missing days. The bad
news is that the breaks in posting will probably occur again in the
coming month. I've got a new cert coming up and I have to requalify on
an old one.
Galleon III
Tuesday, July 19, 2005
Monday, July 18, 2005
IBM Freebie
containing DB2, Lotus, Rational, Tivoli and Websphere in the hopes that
you develop something for the community. Note: Windows or Linux
versions.
Sunday, July 17, 2005
Get out your tinfoil hats
- Who's worked with each other at a previous company
- Who's worked at other registrars and what did they do?
- Who managed a .XXX domain in a previous light?
- How does the old registrar feel about this?
- Who left under "undisclosed" reasons?
- Who's also participated in ICANN?
Galleon II
notes are posted here. I've got it to the point where the software runs but my TiVO still doesn't "see" it. Also, it doesn't use the same ports as my previous install of JavaHMO did. Anyone have any ideas?
Paper Enigma
own: here's the paper version of the Enigma machine.
Saturday, July 16, 2005
Secure RSS
during a lecture that I wasn't paying attention to (I was playing with
del.icio.us instead).
The article
talks about a method for securing RSS feeds with encryption rather than
password protecting the site. I like the idea but I believe that Joe
did not take it far enough. The idea that should be on the end of his
train of thought is "public key encryption".
Friday, July 15, 2005
ICMP errors
fixed for IPv6, you can say "ICMP". That link discusses
Fernando Gont's proposed changes to the protocol to protect against
long-known attacks (mostly DoS) with ICMP.
Thursday, July 14, 2005
Smurfing
Wednesday, July 13, 2005
Help wanted
quicker!
Tuesday, July 12, 2005
Monday, July 11, 2005
Malicious Insiders
Sunday, July 10, 2005
Bloom filters
filters, something I learned just this past week. In a nutshell,
Bloom filters are useful in dealing with gawd-awfully-large databases.
A Bloom filter will quickly tell you, accurately, if what you're looking
for is not in the database or, less accurately, if what you're
looking for might be in the database. Shorter version: it's a
way to avoid having to search massive databases for every query that a
user throws at a program.
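The two properties the paragraph describes (a "no" answer is always right, a "yes" answer is only probably right) fall out of the bit array directly, so here is an added worked example, written for this page and not taken from the post or any library it mentions. It builds a small Bloom filter with SHA-256-derived positions, adds the classic sizing formulas, and measures the false-positive rate against a constructed set of keys; the `record-N` / `query-N` strings are made-up sample data.

```python
import hashlib
import math


class BloomFilter:
    """Space-efficient set membership test with no false negatives."""

    def __init__(self, m_bits, k_hashes):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)
        self.count = 0  # number of items added, useful for the rate estimate

    def _positions(self, item):
        # Derive k bit positions from one SHA-256 digest using double hashing
        # (h1 + i*h2 mod m), a standard way to get k hash values cheaply.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step: no short cycles when m is a power of two
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def might_contain(self, item):
        """False means definitely absent; True means probably present."""
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(item))


def expected_false_positive_rate(m_bits, k_hashes, n_items):
    """Classic estimate (1 - e^(-kn/m))^k for a filter of this size and load."""
    return (1.0 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes


def optimal_hash_count(m_bits, n_items):
    """k that minimises the false-positive rate: (m/n) * ln 2, rounded."""
    return max(1, round(m_bits / n_items * math.log(2)))


def measured_false_positive_rate(members, probes, m_bits, k_hashes):
    """Build a filter from `members`, then probe it with non-member strings.

    Returns (misses, false_positive_rate). `misses` counts members the filter
    failed to recognise; by construction it is always 0."""
    bf = BloomFilter(m_bits, k_hashes)
    for item in members:
        bf.add(item)
    misses = sum(1 for item in members if not bf.might_contain(item))
    member_set = set(members)
    non_members = [p for p in probes if p not in member_set]
    false_positives = sum(1 for p in non_members if bf.might_contain(p))
    return misses, false_positives / len(non_members)


if __name__ == "__main__":
    # Constructed sample "database" of 100 keys and 1000 unrelated probe keys.
    members = [f"record-{i}" for i in range(100)]
    probes = [f"query-{i}" for i in range(1000)]
    m, k = 1024, optimal_hash_count(1024, len(members))
    misses, rate = measured_false_positive_rate(members, probes, m, k)
    print(f"k={k} misses={misses} measured FP rate={rate:.4f} "
          f"expected={expected_false_positive_rate(m, k, len(members)):.4f}")
```

The point of the measurement function is the `misses` value: it is zero no matter how small the filter is, which is exactly why a Bloom filter can sit in front of the big database and short-circuit the queries whose answer is "not here".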
Saturday, July 9, 2005
Google Earth
downloads are available
again. So many people went absolutely nuts with this free toy, when
they first released it, that they had to block downloads of the software.
I'm willing to bet that the total man-hours of productivity lost to
Google Earth rivals opening day of one of the Star Wars films.
Of
course, people have gotten organized so that they can
spend even more time site-seeing vicariously. Some are even excited
enough about it that they'll post Flickr photos about where they haven't been. What's that? A faux-moblog (fo-mo-blog)?
(heh)
Friday, July 8, 2005
Core Security stuff
Thursday, July 7, 2005
DIY
circuit board grinder and/or his proximity card stuff interesting.
Wednesday, July 6, 2005
More reason
periodically test your own site(s): stuff like this gets taught at conferences. It's a presentation on "doing evil" involving wireless, search engines, and various tools (not necessarily together) entitled "Wizard searching: reversing the commercial web for fun and knowledge".
Hand-off
wear all weekend) to the asshole that's DoS'ing my service provider.
Tuesday, July 5, 2005
Monday, July 4, 2005
Dark Lord Cruise?
Emperor actually is. After seeing this, could it be Tom Cruise?
Thanks to Ben Saunders via FurryGoat.
Scapy
Sunday, July 3, 2005
DNS root
Me
disagreeing with Paul Vixie?!?
I guess so. There are justifiable reasons for implementing private DNS
domains, the main one being "community". Or should I say "different
community" or "private community". There are those that like the idea
of not having to play by the rules imposed on them by others.
Paul
Vixie makes a good point against his own argument when he says "So
what? Everybody wants something. I want a pony. Get over it." I bet
your initial response is to think: "Geez! What an asshole!"
To
be fair, he said that to just make a point. (I hope.) But it's one of
the major reasons that people set up their own communities and practices.
An example of this: fanatical "don't top post" crusaders have caused
mail list/forum splits more than once. Otherwise, there would be one
Perl list (with Tom in it), one security site (with Richard in it), one
political forum (dissenters will be shot!), one operating system (you'd
not be able to add functions either), and one movie list (we'll tell you
what you'll watch).
Yes, another is "money", but you don't have to
play if you don't want to. In fact, those schemes are doomed to fail,
either due to lack of participation or by actions of the-powers-that-be.
(A local here managed the ".biz" domain two years before the powers that
be declared the ".biz" domain to be theirs. She even went before
Congress over the issue. The result: the "official" domain was assigned
to an "official" registrar and the ensuing "switch" caused a lot of
confusion, not to mention emotional responses.)
I also take issue with
the "coherency" and the "there can only be one" arguments. Coherency
has never been a basic assumption in the design of the DNS system.
"Trust", yes. "Coherency", no.
The "There can only be one" argument
is fine for those sitting at the top. For those of us near the bottom,
there are good reasons to modify "the rules". For 50K+ users and a
small IT budget, filtering of porn, UCE or malicious code can only be
performed via DNS poisoning (declaring your server as authoritative for
those domains your users shouldn't be going to, or blocking
spyware/malicious code sources).
There also may be a need to set up
private communities. Corporations can (and do) practice "security by
obscurity" by setting up private DNS roots and attaching vhosts to them.
While "security by obscurity" by itself is not a good thing, as an added
layer in "defense in depth", it increases overall security. (Think a
vhost attached to a private domain where the default page responds with
a 404 error. In other words, you have to know about the pseudo root
page to join the community. With added configuration, you have to be
part of the community to "see" the page.)
A non-corporate example of
modifying DNS service for a private community is the UCE-fighting
community's blacklists. As an example, a response to a lookup on
"40.30.20.10.relays.mail-abuse.org" means that it's listed as a problem
source. While this service is run within the ".org" domain, it could
just as easily be run under the ".bob" domain. As long as people know
how to configure their DNS services to include ".bob", the service would
be just as employable.
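Both DNS tricks above (a resolver that claims authority for domains it wants to filter, and a blacklist that encodes an IP as a reversed-octet name under the list's zone) come down to a few lines of name handling. The following is an added example written for this page, not code from the post or from mail-abuse.org: a stub resolver backed by constructed lookup tables instead of the network, so it runs offline. The `*.example` hostnames, the `127.0.0.2` sinkhole answer and the listed-relay entry are all made-up sample data; the reversed-octet form and the convention that a listed address answers with something in 127.0.0.0/8 are how real DNSBLs work.

```python
import ipaddress

# Constructed sample data (not from the post): zones the local resolver
# declares itself authoritative for, answered with a sinkhole address so
# clients never reach the real host, plus a stand-in for "upstream" DNS.
LOCAL_AUTHORITATIVE = {
    "spyware-dropper.example": "127.0.0.2",
    "adtracker.example": "127.0.0.2",
}
UPSTREAM_ANSWERS = {
    "www.good.example": "192.0.2.10",
    "40.30.20.10.relays.mail-abuse.org": "127.0.0.2",  # constructed listed relay
}


class StubResolver:
    """Resolver that checks its own authoritative zones before forwarding."""

    def __init__(self, local_zones, upstream):
        self.local_zones = {z.lower().rstrip("."): a for z, a in local_zones.items()}
        self.upstream = upstream

    def resolve(self, name):
        """Return (address or None, source) for a name.

        A locally declared zone wins over the upstream answer. That is the
        whole filtering technique: the resolver claims authority for the zone
        (and every label beneath it) and hands back the sinkhole address."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in self.local_zones:
                return self.local_zones[zone], "local-authoritative"
        return self.upstream.get(name.lower().rstrip(".")), "forwarded"


def dnsbl_query_name(ip, zone="relays.mail-abuse.org"):
    """Build the DNSBL query name: octets reversed, then the list's zone.

    10.20.30.40 -> 40.30.20.10.relays.mail-abuse.org
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, resolver, zone="relays.mail-abuse.org"):
    """True when the list answers with a 127.0.0.0/8 address (the usual
    DNSBL convention); an unlisted address simply gets no answer."""
    address, _ = resolver.resolve(dnsbl_query_name(ip, zone))
    if address is None:
        return False
    return ipaddress.IPv4Address(address) in ipaddress.IPv4Network("127.0.0.0/8")


def filtered_resolver():
    """The resolver a site would run: local sinkhole zones, then upstream."""
    return StubResolver(LOCAL_AUTHORITATIVE, UPSTREAM_ANSWERS)


if __name__ == "__main__":
    r = filtered_resolver()
    for host in ("www.good.example", "cdn.spyware-dropper.example"):
        print(host, "->", r.resolve(host))
    for ip in ("10.20.30.40", "192.0.2.99"):
        print(ip, "listed:", is_listed(ip, r))
```

Swapping `relays.mail-abuse.org` for a `.bob` zone changes nothing in `dnsbl_query_name`; the only requirement, as the paragraph says, is that the resolver asking the question knows where `.bob` lives.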
This technique is also used to distribute
public encryption keys, host databases (think phone or address books),
keep track of hardware/software/books, and just about anything else a
private community might need. It's only when that community tries to
"go global" that they run up against "you can't have it, get over it"
crowd.
Paul's response is not necessarily a "bad thing" either. It
creates an environment for innovation. Invention is not done by "fat &
happy". It's usually performed by someone hungry, curious, frustrated,
seriously bored or even paranoid.
So Paul, with or without your
approval (or help) it's being done. Get over it.
Blogs
subscriptions:
- http://cutlass.info/
- http://www.synacklabs.net/
- http://www.honeyclient.org/
- http://blogs.msdn.com/brianjo/archive/category/2082.aspx
Honeyclient
first-ever honeyclient tool (presentation here). Basically, it's a tool to detect/monitor malicious sites (web, for now).
I think the author has a lot of interesting work ahead of him. I don't think it'll make him too popular amongst the spyware crowd either.
Blacklight
This one runs
until 01 October. If anyone uses it, please let the rest of us know
what you think about it.