Wednesday, August 31, 2005

Kutztown 13

The Kutztown incident is a very good example of "what not to do". Let's
see if I can explain this and why I think that even attempting to impose "community service" might be a bad idea.

The basic situation: the school attempted to press felony charges
against school children for repeatedly bypassing security functions
installed by the school.

The problems:

  • Attempting to become the parent
  • Assuming all students are the same
  • Lack of due care and due diligence
  • Other problems

Attempting to become the parent

The parents cannot be held responsible for the actions of their
children because it is the school that acted as "the parent" in this
situation by putting an adult "tool" into the hands of a minor. Use of
an adult tool, be it car, gun, or communications device requires a
specific level of adult judgement. This is something that most minors
do not have and it is also something that is not easily replaced by
software, especially software purchased via a least-bidder contract.

The responsible adult(s) in this situation are still the school board
and the teachers (those that gave the adult tools to the minors). Most
parents do not understand computer technology/security or the related
federal laws. Thus, the school became (and remains) the responsible
party by being the knowledgeable "enabler": it put an adult "tool"
into the hands of minors and then did not provide constant adult
supervision.
Although the parents probably signed a permission slip, it's probable
that they didn't understand the implications of that permission. I'm
willing to bet even a poor lawyer could break the supposed contract in
that permission slip.

Assuming that all students are the same

Regardless of the "we're all equal" tripe that is force-fed in most
schools today, students differ. They have different/differing IQs,
religions, respect for authority, and upbringings. Occasionally (ahem)
you'll have a student that is smart enough and motivated (peer pressure
in high school usually will override ethics and authority) to take
advantage of an opportunity. Peer recognition will usually cause this
"seized opportunity" to be shared.

Believing that the installed
protections were adequate enough to (to use a noun as a verb)
countermeasure all students' abilities and motivations makes the
school eligible for the InfoSec Darwin Awards, if such a thing ever
exists. To maintain "security", your minimum protections must be
sufficient to counter the most talented and badly motivated user, not
the "average" user. 'Nuff said?

Lack of due care and due diligence

AKA "poor judgement". The school displayed poor judgement (lack of
due care) by putting an adult "tool" into the hands of a minor and then
neglecting to provide adequate supervision when the minor
exercised that tool. Even though the school may have believed that it
had practiced "due care" by installing various protections, it obviously
didn't practice "due diligence".

"Due care" equates to taking the necessary precautions to prevent an
incident (an instantiation of a risk). Obviously, the level of security
was not sufficient to prevent an incident. That the incident was as
severe as it was and that it involved so many students is an indication
that there was a difference between the perceived and the actually
required level of security.
"Due diligence" is the practice of enforcing those precautions
(countermeasures) and being able to prove their consistent enforcement
over time (auditing, record keeping, etc.). What occurred didn't happen
overnight. Who was reading the firewall/router logs? IM traffic is
easy to detect. The school should have noticed when the first student
started experimenting with his laptop.
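An added example (not from the original post) of the kind of log check the post says should have been running: it scans constructed iptables-style firewall log lines for connections to the well-known instant-messaging ports of the period and reports which internal hosts made them. The addresses and host names are made up.

```python
"""Added example, not from the original post: flag instant-messaging traffic in
iptables-style firewall log lines. The log lines are constructed; addresses and
host names are made up. Ports are the well-known IM server ports of the era."""
import re
from collections import Counter, defaultdict

IM_PORTS = {5190: "AIM/OSCAR", 1863: "MSN", 5050: "Yahoo", 5222: "XMPP/Jabber"}

# iptables LOG output carries KEY=VALUE fields; pull only the ones we need.
_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

SAMPLE_LOG = """\
Aug 30 08:01:12 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.3.41 DST=64.12.24.10 PROTO=TCP SPT=1144 DPT=5190 SYN
Aug 30 08:01:15 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.3.41 DST=64.12.24.10 PROTO=TCP SPT=1145 DPT=5190 SYN
Aug 30 08:02:03 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.3.77 DST=207.46.110.5 PROTO=TCP SPT=1201 DPT=1863 SYN
Aug 30 08:02:40 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.3.12 DST=66.102.7.99 PROTO=TCP SPT=1310 DPT=80 SYN
Aug 30 08:03:11 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.3.12 DST=66.102.7.99 PROTO=TCP SPT=1311 DPT=443 SYN
Aug 30 08:04:59 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.3.41 DST=66.163.181.1 PROTO=TCP SPT=1150 DPT=5050 SYN
Aug 30 08:05:30 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.20.3.41 DST=10.20.0.5 PROTO=UDP SPT=1033 DPT=53
"""

def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields as a dict, or None if there is no DPT."""
    fields = dict(_FIELD.findall(line))
    if "DPT" not in fields:
        return None
    fields["DPT"] = int(fields["DPT"])
    return fields

def find_im_sessions(log_text):
    """Map each internal source host to the IM services it tried to reach,
    with a count per service; only TCP connection attempts are considered."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        service = IM_PORTS.get(rec["DPT"])
        if service:
            hits[rec["SRC"]][service] += 1
    return {src: dict(counts) for src, counts in hits.items()}

def report(log_text):
    """One line per offending host, busiest host first."""
    sessions = find_im_sessions(log_text)
    ranked = sorted(sessions.items(), key=lambda kv: -sum(kv[1].values()))
    return [f"{src}: " + ", ".join(f"{svc}x{n}" for svc, n in sorted(counts.items()))
            for src, counts in ranked]

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```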

"Due care" and "due diligence" also require adjusting the
countermeasures when incidents reveal an inadequacy. The article indicates that
the situation continued to exist, even after detentions, suspensions and
"other punishments" (what the heck does that mean?). This means
that the school only attempted to correct the situation by external
measures (getting the parents involved). The school obviously failed to
increase required physical, logical and administrative countermeasures.

"Adequate supervision" involves the phrases "consistent (and
constant) supervision" and "adult-quality judgement". Believing that
adult judgement can be replaced with software, especially when "physical
security" is negated by allowing student custody of the laptops, is a
serious mis-judgement.

Use of desktop machines in a formal classroom setting implies a
certain level of integrity provided by constant physical security and
near-constant physical presence of authority. This "advantage" was lost
by issuing portable systems and allowing them to be taken out of the
"secure environment". Even if possession of the laptops were restricted
to the school, you can't assume that the 50 year-old part-time teacher
would be able to recognize improper or illegal activity in study hall.

Other problems

Err... How about overreacting? The "zero tolerance" policy often
quoted by public school officials is often a rationalization to vacate a
school's responsibility/judgement or to hide their own
complicity-due-to-negligence in a situation. In this case, all three
might be involved.

Some of the security "tools" installed by the school may have been
illegal. While it is permissible for a parent to invisibly monitor their
child's online activity, serious questions should be asked when a school
installs the ability to monitor students' activities on an individual
basis. In other words, generic monitoring (watching proxy or router
logs for suspicious activity) is generally permissible with prior
notice. However, employing "a remote monitoring function that let
administrators see what students were viewing on their screens"
without just cause (and usually a search warrant) is likely to be a
felony in itself. Remember, we are not talking about parent-child or
employer/employee relationships.

Parent-child relationships/responsibilities have created unique legal
conditions which are not easily transferred to institution-child
relationships/responsibilities. In this case, the school can probably
be slapped with a "contributing to the delinquency of a minor" charge
for not providing adequate supervision after facilitating (providing the
tools of) the crime.

That the tools of the crime were provided by the school, that the
object(s) of the crime was also school property, and that the
perpetrators of the crime were school charges has created a very sticky
situation for the school. The school exacerbated the situation by
attempting to charge the students with felonies, thereby drawing the
attention of national media.

Closing comments:

  • this "experiment" obviously has
  • attempting to "save face", as the article puts it, via imposed community service, risks yet more embarrassment
  • since this is a public school which accepts federal money and keeps digital records on its students, do you think FISMA or GLB applies?

Tuesday, August 30, 2005


I've attempted to talk about the following, off-and-on, for the last few
years. Here's yet another attempt...

I'm likely to be completely off
the mark with this but the DNS control argument may become a moot point
(or an even bigger issue) with the adoption of IPv6. The U.S. keeps
control of DNS space solely by the pseudo-rules-of-thumb known as
"possession is nine-tenths of the law" and "majority rule". In other
words, control is maintained solely by inertia and continued support of
majority rule.

IPv6 changes the playing field because of the differing
rates of adoption of the technology. A visit to the current 6bone will
show that the ratio of English to non-English sites is much different
than version 4 IP space. There is a slight risk that current
infrastructure managers might attempt to use "majority rule" to start
their own address infrastructure.

I say slight as such an action would
require cooperation on a massive scale by parties who normally are very
contentious, politically different and motivated by normally-opposing
agendas (profit, control, ideologies, etc.).

I believe the situation
to be quite binary. As long as the forces remain below a certain level,
ICANN is likely to retain "control" (a poor term for it) of the DNS
system. This is the most likely outcome.

However, if the level of
contention goes above a certain point, or if opposing forces change the
turn-over point in the equation by cooperating with each other, we might
see a very fractious DNS system. Fortunately, if this occurs, the
condition won't last long (in geological time) as systems do not
normally support unstable conditions for long. Remember:

  • chaos requires a complete lack of control
  • oscillation requires a very specific form of control (feedback) and a permanently unstable condition

Neither of these conditions is tolerated for long by
financial or political institutions. Unfortunately for us users, the
corrective controls used by either of these institutions are not
normally that subtle.

This should be quite interesting to watch.
Also, there are probably quite a few "business opportunities" in the
above if you're in the right place at the right time with the right


Monday, August 29, 2005


I've been having a lot of trouble with my BlogRoll of late. Anyone
visiting the site may have noticed (I'm not understating) extremely long
load times. In other words, the page stalls while loading the Infosec

Does anyone have any suggestions for alternate services?
I'd like to keep the same basic information-presentation but, barring
that, I'm willing to try out just about anything.

Sunday, August 28, 2005


I'll echo Richard's recommendation about the NSA's IAM and IEM certifications: if you "do" assessments, the certs are a very-nice-to-have.


If you're going to ToorCon, I recommend Squidly1's talk on alternate
for the PSP. Ask her about using her PSP to find the hidden AP
at SANS.

Saturday, August 27, 2005

Once more into the bitch (err... breach?)

(heh) This time the fire
is over on Dana's blog. Remind me to put "responsible disclosure" on
the list of things never to talk about again?


This is almost a year old but is interesting (for me) in that it references some old work of mine concerning the OpenFuck exploit. Found during some vanity surfing.

Friday, August 26, 2005

Tuesday, August 23, 2005

Porn pirates

You'd think the name "joatblog" would be pretty darn unique, wouldn't you? Another thing that I found out via vanity surfing is that some porn jerks (FG4/DF4) are "borrowing" key names, using them as hostnames within their domain and are hosting porn sites behind them. For those that want to know more, substitute "joatblog" for "MYBLOG" in the following string (keep the underscores) and go search Google for that phrase: "cyberspace_MYBLOG_hopefully".

If this blog were part of a business, I'd have a legal action available. As it is, I can only (legally) remain pissed.

Monday, August 22, 2005

Forensics forms

It struck me as a bit odd that part of the homework (tonight was the
first class) was to search for forms used in collecting digital evidence
(use of the term "computer forensics" has been formally "frowned

After a 15-minute Google search, it's amazing. Everybody,
including their mother and her Bingo friends, has some form of computer
forensics (sorry Rob) book or course. Very few of those sites, other
than law enforcement, provide any tools or support.

The assignment is
actually to find a number of processes used to support the creation and
maintenance of the chain of custody, and discuss them. This could get

Sunday, August 21, 2005


The Penguin Sleuth Kit
(PSK) is a Knoppix-based Linux distro with tools not only for computer
forensics but quite a few network troubleshooting and monitoring tools.

Note: Users of this kit should also read the disclaimers on the site
if the use is intended for legal/LEO purposes.

Saturday, August 20, 2005


For those that missed it (a few days ago), LURHQ has an analysis of the Myfip worm.

Friday, August 19, 2005


is a SANS paper which discusses the simple traffic analysis using

Thursday, August 18, 2005

YMD (Yet More Drama)

I may be reading more into it than I should be but here's more drama over the .xxx situation. I can't help but think that the finger pointing up the hill is meant more to point at someone else's dirty laundry than their (ICANN) own.

Wednesday, August 17, 2005


From class today:

"Firewalls cannot block stupidity." - Dennis Lee


Just a topic that was brought up earlier this week. Standardization of equipment and software across an enterprise allows that organization to operate more smoothly and (usually) more securely. However, many organizations forget that this is a "horizontal" rule but NOT a "vertical" rule. For example, all workstations should use the same make/model computer with the same version/patch level OS and configuration. However, you should not be using the same hardware/software/configuration on your servers and perimeter equipment. You'd be amazed at the number of people that don't "get" this.

Tuesday, August 16, 2005

Still more problems

Here is more of the ongoing issues involved with the .xxx domain. The author seems to be a bit naive in that he is surprised that objections exist. Not only are the porn site owners objecting (most sites are transient in nature and they don't want to pay $70 per domain per year), various government offices are also objecting.

Monday, August 15, 2005


The media has once again created controversy by overstating a court decision (this one). The court case was lost not because MD5 was used; it was lost because of RTA's inability to "find an expert" to prove the pictures were not tampered with after they had been taken. This means one or more of the following conditions occurred:
  • they actually couldn't find anyone (although it's unlikely)
  • they couldn't find anyone who could explain MD5 in simple terms that would indicate the likelihood that the traffic infraction actually occurred. Hint: think DNA evidence. You will always hear "probabilities" discussed when lawyers discuss DNA. Yes, there are collisions in MD5 number space. The probability of forgery goes down very fast if that "collision" must have the same MD5 hash, look like a picture of the intersection in question with the defendant's car passing through it, with the defendant's license plate in view, and with the camera's timestamp (and other) data embedded in the picture.
  • the prosecution was unable to display the chain of evidence, in the form of being unable to prove when the MD5 hash was generated. The hash being embedded in the picture may actually cause a problem because it means that the picture was changed after it was taken, by the camera itself. However, this is a procedural problem, not a technical one, and would translate into the prosecution not being able to find anyone willing to take an oath to assert/support the accuracy of the data.

I doubt that MD5 hashing of traffic pictures will cease. Rather, I believe that how they're presented in court will change.
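An added example (mine, not from the post or the court case it discusses) of how a camera picture's hash can be recorded so that what it covers and when it was computed can be shown later: a trailer whose MD5 covers only the image bytes, plus a separate acquisition manifest carrying MD5 and SHA-256. The picture is a constructed byte string and the trailer layout is an assumption made for the example, not any camera vendor's format.

```python
"""Added example (not from the post or the case it discusses): record a camera
picture's hash so that what it covers and when it was taken can be shown later.
The picture is a constructed byte string and the record layout (image bytes +
fixed trailer) is an assumption for this example, not any camera's format."""
import hashlib
import json
import struct

# Trailer the simulated camera appends: raw MD5 of the image bytes + capture time.
TRAILER = struct.Struct(">16sQ")

def digests(data):
    """MD5 (what the cameras in the case used) plus SHA-256, so the record does
    not rest on one algorithm with known collision attacks."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def camera_write(image_bytes, captured_at):
    """The hash covers the image bytes only; the trailer sits outside the hashed
    region, so the file growing after capture does not invalidate the hash."""
    return image_bytes + TRAILER.pack(hashlib.md5(image_bytes).digest(), captured_at)

def split_record(record):
    """Return (image bytes, raw MD5 from trailer, capture time)."""
    image = record[:-TRAILER.size]
    md5_raw, captured_at = TRAILER.unpack(record[-TRAILER.size:])
    return image, md5_raw, captured_at

def verify_embedded(record):
    """Recompute MD5 over the image portion and compare with the trailer."""
    image, md5_raw, _ = split_record(record)
    return hashlib.md5(image).digest() == md5_raw

def make_manifest(record, acquired_by, acquired_at):
    """Chain-of-custody entry written at acquisition: hashes of the whole file
    as seized, who took it and when. In practice this entry would itself be
    signed or time-stamped by a third party."""
    return json.dumps({"acquired_by": acquired_by, "acquired_at": acquired_at,
                       "length": len(record), **digests(record)}, sort_keys=True)

def verify_manifest(record, manifest_json):
    """List the manifest fields whose recomputed value no longer matches."""
    m = json.loads(manifest_json)
    now = {"length": len(record), **digests(record)}
    return [k for k in now if now[k] != m[k]]

# Constructed stand-in for a picture (not real image data) and its records.
PICTURE = b"stand-in: intersection Main&5th, plate ABC1234, 2005-08-15T08:42:10Z" * 4
CAPTURED_AT = 1124095330
RECORD = camera_write(PICTURE, CAPTURED_AT)
MANIFEST = make_manifest(RECORD, "Officer Example", "2005-08-15T09:10:00Z")

def tampered_record():
    """Flip one bit in the image region: both checks must then fail."""
    broken = bytearray(RECORD)
    broken[10] ^= 0x01
    return bytes(broken)

if __name__ == "__main__":
    print("embedded hash ok:", verify_embedded(RECORD))
    print("manifest ok:", verify_manifest(RECORD, MANIFEST) == [])
    print("tampered, embedded ok:", verify_embedded(tampered_record()))
    print("tampered, manifest mismatches:", verify_manifest(tampered_record(), MANIFEST))
```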

Sunday, August 14, 2005

No op

I'm on the road again this week, in the DC area, Vienna specifically.


Don't know where Rob got it but NetSec has a pointer to a very
good paper on the Enigma machine.

Saturday, August 13, 2005

Wiki update

I've changed the format of the wiki slightly and have moved quite a few
items from my house wiki. I have quite a bit of clean up to do so
please bear with me.

Python tutorials

From NetSec, free, online Python tutorials.

Friday, August 12, 2005

3-button mice

Tony Finch points to this one. "Where are all the 3-button mice?" rings a bell with me.

The only reason
you don't hear incessant whining from me is my secret (okay, now it's no
longer a secret) cache of Logitech 3-button mice. I bought ten of those
suckers when I heard Logitech was discontinuing the line. Also, I have
to thank Hurd for donating a Sun Crossbow (3-button USB) to the
collection, thereby prolonging the cannibalism and jury-rigged repairs of
those first ten mice. I wear 'em out fast.

Everything Wireless

InfoSec Writers has a paper which has a pretty good overview of most of the issues involved with using Wi-Fi technologies.

Thursday, August 11, 2005

Richard Bejtlich has a post about a court case that a friend (Dave!) will probably find interesting. The prosecution lost because they didn't understand current theory about MD5 collisions. In other words, they couldn't prove that a picture hadn't been tampered with after it had been taken.

In the same post, Richard points out a project by Harlan Carvey, who visits here now and then: the Forensic Server Project. His book also has a supporting site: I highly recommend visiting all three.

Responsible non-disclosure

I'm pissed at Michael Lynn throwing a tanker truck of gasoline on the
"responsible disclosure" pyre. It leads to overly politically correct
announcements such as this. Little is
gained from this type of announcement other than eEye getting a bit of
"street cred". Announcements like that damage Microsoft's business by
making organizations leery of server safety without giving them an idea
of what to do to protect themselves.

Personally, I favor full
disclosure but if we cannot live with that, I'd rather not hear about
the vulnerability until such time that the vendor can comfortably talk
about it. Many of the same arguments for "responsible disclosure" (I
really dislike using that term), can be made for "responsible
non-disclosure". Maybe the only way we can get back to the middle is to
push the pendulum further away from center?

Wednesday, August 10, 2005

Tuesday, August 9, 2005

Malicious agents

Here's a paper discussing the evolution of malicious agents (spyware and the like).

Monday, August 8, 2005

I miss the peace and quiet

I guess my spammer decided to sell this URL to some n00b spammers 'cause
I've got a ton of poker spam and Chinese porn spam in the comments
queue. Oh well, the peace and quiet was nice while it lasted.

Crypto latency

InfoSec Writers has a paper which discusses the latency added by using high-end encryption in VPN's.

Sunday, August 7, 2005


We already knew that CWS was bad. Now this:

It looks like the FBI is involved now. If your machine has ever been infected with CWS, consider any valuable information on it as compromised (i.e., at a minimum, change your passwords).

Interesting tools

I've seen some interesting new tools in the past few days:

  • Nepenthes - a honeypot tool
  • fwknop - using portknocking as an additional security feature

Update: I managed to fat-finger the URL for Nepenthes. Thanks goes to Gaetano Zappulla for correcting it. He also suggests taking a look at kojoney, an SSH honeypot written in Python using the Twisted Conch libraries.

Saturday, August 6, 2005

Friday, August 5, 2005

Thursday, August 4, 2005


The Network Security and Architecture Lab (thought this was going to be about the other NSA, didn't you?) has a post about the Georgia Tech Honeynet Report which has some interesting screenshots of a homemade visualization tool. I often get quite frustrated with these topics as very few people are willing to share their visualization tools. Interesting screenshots though.

Wednesday, August 3, 2005

New semester starting

This fall's class centers on computer (and possibly network?) forensics
so expect a good number of forensic-related posts. Rob is also
attempting to provoke me into teaching an IPv6 class.

The Ten Commandments

Brian Warshawsky has a piece on the Ten Commandments of System
Administration. He posted the tenth one, of which I'm a firm believer,
on June 27. I wrote a SANS paper for log reduction based on this
commandment. Entertaining and rules-to-live-by at the same time.

Tuesday, August 2, 2005

Henning Schulzrinne

If you dig a little at Henning Schulzrinne's (Professor and Chair,
Columbia's Dept. of Computer Science) Internet Technical
page, you come across some valuable listings of
network tools.

Monday, August 1, 2005

Gergely Erdelyi

Gergely Erdelyi has written a number of papers. He has the following
available here:
  • Cleaning up the Mess - Time to redefine disinfection?
  • Chasing Ghosts? - Return of the Stealth Malware
  • Hide 'n Seek - Anatomy of Stealth
  • Digital Genome Mapping - Advanced Binary Malware

Podcast list

Finally got around to compiling the list of podcasts that people listen
to. See it here (in the
Wiki). If you want to add to the list, e-mail 'em to me.