Monday, July 31, 2006

Responsible Disclosure (continued)

(Re-edited for the benefit of aggregator readers) On the 15th of this month, I posted about "responsible disclosure" and Microsoft's PR practices. Right in the middle of it, I planted a troll about MS's intability to keep up with the "month of browser bugs".

Two reader responses later and it appeared that we were headed deep into religious war territory. While asking why MS can't keep up in the patching process may have been a bit of a troll, it is a legitimate question. (Hint: pointing out that other browsers' patches have contained problems is legitimate only if MS has never released buggy patches for IE. Otherwise, it's poor logic and tends to make the discussion smell of dead horse.)

I will attempt to answer the question here though.

The answer doesn't lie within the politics of the vulnerability researchers or the "evil intentions" of any of the parties involved. It actually lies within "the process" and the previous coding decisions (e.g., the browser is part of the OS) at MS. Because the code base is much, much larger and because changes within browser code will effect "things" outside of the browser, the distance between "start" and "finish" for MS patches is much longer.

Other browsers have more coders, less code, and fewer OS hooks. Thus the patching process occurs quicker. Simple. It's futile for MS to attempt to keep up and counterproductive to make allusions to the motives of vulnerability researchers. The responsible disclosure "discussion" should have gone away years ago.

I hereby apologize to IronYuppie for troll-baiting. I do tend to like saying "the emporer has no clothes" when it comes to the marketing and public relations departments at MS. Neither one (IMHO) does the company justice in the long run.

Sunday, July 30, 2006


Many of my friends are leaving for, are already at, or are making last minute plans for travel to Vegas, to attend Defcon. The con hasn't started yet but Rob is already posting links. I guess I'll borrow his for the moment (for Jared Demott's presesntation):


My thanks and apologies to family and friends for any of my social/professional vagaries, committed in the last 8 weeks. I'd managed to sign up for back-to-back classes on Monday and Wednesday nights (never again) and the resulting class load left me tired for most of the rest of the week. (The weird part is I'd get a regular night's sleep on Thursday and be raring to go on Friday, just when everyone else is winding down.)

In the two days since the semester's end, I've managed to re-install a content manager and have started work on the "wl" pages in the wiki. I still owe work on the Kismet/Perl pages and a whole slew of stuff for friends. Not to mention a slowly growing collection of wireless toys that I haven't been able to touch in the last 8 weeks.

In any case, I rec'd an "A" and an "A-" (blew two questions on the test). I can relax for a few weeks before the process starts over, though I'm likely to scale it back to only 1 class. (I need the sleep!)

Saturday, July 29, 2006


The following gives me a very nasty headache.

The thing is, two of us pointed out the error. I rec'd no response while a friend received a very nasty "mind your own business" style of response.

Thursday, July 27, 2006

Old tricks

Contrary to the various actions that MS has performed in public to show that they're now friendly with the rest of the planet, they're still up to their old tricks. Note that the error page wasn't one indicating an error. It was a "host not found" error.

Note: it now forwards to the default page.

Interesting return from "view source" from if anyone cares to look at it. You might want to take a look at the JS files also.

It's not an argument that the site only works with IE. If it's AJAX, it should work with other browsers. I wondering if if I unravel that code, will I think exclusion is intentional?

Update: This doesn't help the image either. Or this.

Wednesday, July 26, 2006

BOHICA - DNS style

Hmm... The public meeting for the privatization of ICANN is today. If this goes through, standby for the lawsuits. This was proposed years ago, for the management of certain TLDs. The operator of the (then alternate) .biz domain says she even went before Congress in an attempt to legitimize the domain under her control. When ICANN finally handed .biz to another registrar, she was left out in the cold. I'm willing to bet that, if the privatization goes through and any of the old crowd retains management, you'll see some interesting cases lining up in the queue.

The other thing to keep in mind is privatized means "for profit".

Monday, July 24, 2006

Domain squatting

Larry Seltzer calls it domain squatting; I call it squatting. In either case, something unsavory is going on. Anyone looking into this?

Saturday, July 22, 2006


Just stubled across the Vitalsecurity blog. I recommend it.

Hmmm... Maybe it's time for me to go searching for new blogs again?

Friday, July 21, 2006


Just found this one in my in box. Seems that someone has come up with an interesting way to get me to open an attachment. The text of the message reads (my email address has been edited):

From: Automatic Email Delivery Software
Subject: [SPAM] ERROR
Date: Fri, 30 Jun 2006 23:28:24 +0300 (16:28 EDT)

Your message was undeliverable due to the following reason(s):

Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message was not delivered within 7 days:
Mail server is not responding.

The following recipients did not receive this message:

Please reply to
if you feel this message to be in error.

Looks normal, right? The "trick" lies in the attachment. It has a "scr" file extension.

This prompted me to look at the header. Sure enough, my ISP received the message from Even though the IP claimed to be (told the SMTP server "helo"), a reverse lookup on the IP returns "". A whois lookup confirms this.

So add the following to things not to do: "Don't open attachments from error messages." I'll look at the attachment this weekend.


Apologies for the lack of updates in the last few days. This week was finals week for me, along with a few other things. For others, finals are next week. As I'm on the road again next week, allowances were made and I had to double up in the next to last week (I'm exhausted). In any case, I'll back fill the last few days shortly.

Thursday, July 20, 2006


Given the number of approaches SCO has taken in the case against IBM (see Groklaw) and because they're now claiming that IBM destroyed evidence, how long before SCO considers suing their own lawyers for not being successful in all that they've tried?

Wednesday, July 19, 2006

Spam Injection?

This is the first that I've heard of this technique and I find it especially intriguing/annoying. Intriguing in that it's a new (to me) technique. Annoying in that it's yet another way to get unwanted ads in front of you.

And ABC wonders why people have a tendancy to skip commercials when they able to.

I also worry that this will become yet another vector for infection and exploit. Oh, and shame on you, Vonage, for encouraging the mess by funding it (in part).

Tuesday, July 18, 2006


For all you law groupies that enjoy reading Groklaw and Mr. Lessig's pennings, I would also recommend Orin Kerr's blog. In the past, he had a mailing list where he would describe various tech-related cases. Thankfully (so I don't have to pull his posts from the spam pool), he's moved on to blogging.

Monday, July 17, 2006


In a totally non-tech-related note, I've grabbed list from The BBQ Report and posted in in the wiki just in case they erase/lose their list of "How long can you store meat in the fridge/freezer?".

Sunday, July 16, 2006

Business as usual

Ever notice that in politics and business, anything that one person or organization accuses another of, often also applies to the accuser/name caller?

Lest "Strider Search Defender" sound too anti-Blogger/BlogSpot (they're the same organization), let's keep in mind that it happens on any blog/wiki site that allows for unmediated commenting, including MSN sites. As an experiment, visit and type your favorite comment spam topic in the search box (the Spaces search, not the web search).

In short, people who live in glass houses really shouldn't throw rocks. It is a nice project though. More power to the analysts, less power to the marketers!

Saturday, July 15, 2006

Responsible disclosure

At the risk of offending the usual parties, let me state that I'm getting tired of a certain vendor trotting out the "we're disappointed in the lack of responsible disclosure" line. What's not said in the article is: the vendors were notified previously, most of the vulnerabilities are not readily "usuable", and the white hats listed in the article are those at MS, not all white hats.

The question that people should be asking is: if Firefox and Opera can keep up with applying fixes, why can't IE?

For those of us that have to eat antacid while waiting for the vulnerabilities to be patched: for many of the vulnerabilities, the work-around is "turn off ActiveX".

Friday, July 14, 2006

Admin hints

How about the occasional hint for budding admins?

Here's one: it's a good idea to keep current by reading a few of the mailing lists listed here. I recommend Incidents, Daily Dave, and Bugtraq. Not listed, but also recommended, are the Snort and NANOG mailing lists.

Thursday, July 13, 2006

Mail metrics

(heh) I did this with Sendmail, McAfee, SpamAssassin, Perl, and gnuPlot on a BSDi box almost a decade ago. It was web-based, menu-driven for the less talented of the operators, and calculated "normal" based on the previous month's day-of-the-week traffic.

McAfee doesn't make a BSDi-based scanner you say? Okay, but they had one for Linux and BSDi had something known as LDP and you only had to import one missing library from Linux.

This is one of those things that you need to do to monitor your metrics. Another example would be to stick a Linux box running RRD to the side of your Exchange box to monitor the mail system via its SNMP hooks. If it generates numbers (usually over time), it's probably a good idea to graph it and monitor it. A quick look at a graph will usually tell you much the same thing that an hour or so of log reading will.

Wednesday, July 12, 2006


Many that have tried to run "smb4k" have run across the error message:

   smbclient must be installed suid root...

If you use "chmod a+s /usr/bin/smbmount", then the system complains that there shouldn't be any binaries suid root.

One work-around is to start the program via "sudo smb4k". Of course, you should have already configured sudo to allow your user to execute that command.

Tuesday, July 11, 2006

ICMP Tunneling

Dave Johnson has a pointer to a good nulldigital article on ICMP tunneling.

Of course, the first knee-jerk countermeasure for this is "block ICMP". While the majority of that protocol should already be blocked (for other reasons), the obvious countermeasure may not always be the best. In other words, blocking ports/protocols because they can be abused will lead to the firewall blocking everything. A better approach is to configure your firewall for "normal" operation and then monitor what you allow to pass for anomalies.

What the article demonstrates is the embedding of one protocol within another. It's the reason why various programs are difficult to block at Layer 3 (IP addresses) or Layer 4 (Ports/Protocols).

Some programs (e.g., instant messengers, P2P) are adaptive and can use a number of addresses, ports or transport protocols.

While all firewalls (okay, most) filter IP protocols 6 (TCP) and 17 (UDP), they are often configured to pass others. Many will pass at least some subset of protocol 1 (ICMP) and one or more other routing protocols. Most are not useful for covert channels as, if a network is implemented correctly, the protocols are blocked further upstream. Others are. ICMP is often used for tunneling because certain types of ICMP packets will pass through the firewall and the packets can carry a decent sized payload.

This is why, contrary to what the firewall and IDS vendors tell you, the job of network security is largely a reactive job. The majority of your problems will be internal and you need to face the fact that a few of your users know more than you, don't believe they'll get caught, and have more "access" than you realize.

What you have going for you is human nature (the second option in that last sentence). People who don't believe they'll get caught won't remain "in the background". They'll usually try gradually more daring (and noisier) things.

The most effective countermeasure is monitoring your metrics (especially the most boring ones!) for anomalies, reading your log files, and spot-checking content for normal shape, size, and lifespan. The majority of corporate users (if not all of them) are granted the minimal access needed to perform their job. The content they generate should be boring as hell (HTTP on port 80, SMTP on 25, very small ICMP packets, etc.) Your job includes having to watch for the non-standard stuff (odd flags turned on, non-standard packet sizes, "noise" on port 25 or 80, etc.).

Oh! And make it a point to track down the small stuff too (though you may not always have the time). They'll often lead to the larger "stuff" and may also indicate other problems (misconfiguration) within the network.

Monday, July 10, 2006

Using Google to find bad sites

PCWorld has a short piece about a group using Google little-known/used binary search feature to find malicious websites. Although there's not a whole of detail, it is an interesting concept.

Sunday, July 9, 2006

WVC54GC and non-IE browsers

In reading up on the WVC54GC, I see a lot of people complaining about the inability to view the output on anything other than Internet Explorer. The answer is quite obvious/simple: look at the source code for the viewing page. The link that you want to point at is http://your_ip_address/img/video.asf

Of course, you have to have the proper plugin too (that handles ASF video). Alternately, for Linux users you can just type "mplayer http://your_ip_address/img/video.asf" (without the quotes). It takes a bit for the cache to fill but there's also a switch for that if you care to research it.

For LonerVamp

LonerVamp asked that I repost an URL for the 22C3 video torrents. They're here.

Saturday, July 8, 2006

NSLU2 update2

Scott Prive asked how my NSLU2 was performing nowadays. Here's a synopsis:
  • For serving video, the NSLU2 works nicely. However, the current hardware-based media players suck. For playing stuff recorded with the PVR-250, it works nicely if you're careful about the resolution that you're recording at. (The network (wired or wireless) becomes the bottleneck.)
  • Other hardware may be the problem. Neither the DLink DSM-320 nor the MediaMVP can play MP4's (something that needs to work as I have a lot of conference videos).
  • As a web or IMAP server, I feel the NSLU2 is somewhat marginal as the amount of data that have for both (10+ years of email) is large.
  • Using the NSLU2 for more than one purpose is likely to not work well. Employing them as single-purpose servers will probably work best.
  • If you're asking for a recommendation for a network media server/player, I'd recommend saving your cash or (possibly) buying a Mac Mini. I haven't done the latter (yet) but have hopes for it due to its having a much more powerful processor.

Friday, July 7, 2006

Power Users

Although I don't disagree with Araz's logic in "Power Users in Windows are Potential Administrators", I think he misses some of the logic in Jesper's and Mark's posts in that Power Users are a source of three sorts of problems: those of the shot-themselves-in-the-foot type, those of the-rules-don't-apply-to-me-otherwise-they-wouldn't-have-given-me-Power-User-access type, and those of the screw-this-I'm-taking-Admin type. Of the latter two groups, a good percentage have been (or are) Admin elsewhere and will fight you because they "know" a better way than you of "doing things".

Yes, life as a common user, after being an admin, sucks. I went from NOC admin to common user in a job switch. What used to take a bit of Perl and 15 minutes now takes days (unless I'm on my home system, that is). Though I'm not happy with the level of access, I am happy with my job and don't need the access. (And I will admit that, even as a common user, I am a pain in the neck to have as a customer (business or home user).)

Thursday, July 6, 2006


In continuing the topic of log file analysis (okay, I'm avoiding studying for a test and working on my wife's Things-To-Do-While-I'm-Out-Of-Town list), I've parsed the logs from April 15 to July 4 and have found some intersting bits...
  • Barring self-referrals and the normal Google traffic, the largest referrer in that 3 month period was an Adam Gaffin comment (25 August 2005) concerning my short post about countermeasures for Skype, specifically "public executions" (my term for publicly prosecuting policy violations in the corporate setting), which may or may not be legal within your organization (check with your legal department). 176 hits by the way.
  • The next common referrer below that (barring the normal aggregators) is Yet Another InfoSec Blog (YAISB). Hi Ryan! Interesting site!
  • Below that, a friend's site: InfoSec Potpourri. Hi David!
  • Below that: Christian Koch's Limited Exposure.
  • Followed in quick succession by: Araz Samadi, Troy Jessop, Dana Epp (long time no see!), Dave King, Clint Stotesbery, Benjamin Edelman (very interesting anti-UCA stuff), and Martin McKeay.
  • I also found a whole slew of sites that steal other people's content and use it to host sites whose sole purpose appears to be ripping off AdSense.
  • I also found a weird AJAX-based aggregator called "ProtoPage. (Try moving the windows around.)
  • Did you know that there a sites, such as SecurityArchive that appear to archive your entire content?
  • What the heck is a IEAutoDiscovery feed reader? (heh)
  • Everybody and their hillbilly "third couzin" has their own feed aggregator/reader.

All in all, some interesting sites to visit/things to play with. I recommend visiting most of the blogs above.

Wednesday, July 5, 2006

Things I'm doing on vacation

Okay, maybe I have way too much time on my hands this week, (I'm on vacation.) but I'm seeing something really weird in the blog logs:

6/1/2006|2:53:27||Liferea/0.9.7b (Linux; en_US.UTF-8;|/~joat/cgi-bin/blosxom.cgi|

That's a sample of what's showing up on an average of about once every two seconds, since May 31st. Notables, other than the constant site pull (direct from the cgi, not the XML feed) are that it's a feed aggregator (a client), running on a Linux box, and the IP is an address in Hanoi, South Korea.

Research on the IP shows that it belongs to the Corporation for Financing and Promoting Technology, AKA FPT Communications, FPT Telecom and FPT Corp. Google has about 681 matches for that exact string, with a ton of other matches for the Corp's subsidiaries and aliases. In short, one of its functions is it's the local ISP and, apparently, one of their users has a misconfigured feed aggregator.

So, if you're in South Korea and you've been using a Linux-based feed aggregator called Liferea for about 2 months now, please check your configuration. This site only changes about once per day and there is no need for the constant checking. Might I suggest an intermediate feed aggregator, such as Bloglines? If you're interested, here is a list of the feeds that I subscribe to (hint: there's an "Export Subscriptions" button at the bottom of the page, if you want the OPML version).

Just please stop pounding on the site.

Tuesday, July 4, 2006

Bash prompt

IBM has a nice tutorial which discusses the various things you can do with/to your shell prompt in Bash.

Monday, July 3, 2006

Dr. Who

Note to self from the not-so-distant past: Dr. Who (the British version) comes out on DVD tomorrow.

Sunday, July 2, 2006

Oh wait! I get it!

Gnu'd beach!! Now that's funny! (Sorry)


Shouts to Bret, Ovie and Mike at CyberSpeak: Thanks for pointing at this blog (17 June show)! Your reference to the site caught me unawares while I was driving. I almost swerved off the road. (heh)

Saturday, July 1, 2006


What was the name of that song? "Numb?" The local shock jocks had a parody of it called "Dumb" in which they sang about the week's idiots. The song ran for the entire summer with new versions every week.

The reason it comes to mind is this article about how the Catawba County Schools is suing Google because the Google spider grabbed some documents containing SSN's. Even more painful is the judge allowed the injunction (the judge should have sought expert help prior to issuing the injunction).

Why dumb? Because it'll come out in the wash that the School was neglegent in maintaining the security of their web server. Even dumber: the school is now subject to civil damages of up to $3M, (619 students x $5000 x instance), but no one seems to have caught onto that yet.

And I'll have to agree with Martin McKeay, "Why is a school still using SS #'s to identify their students?"