Tuesday, January 30, 2007


For some, the ICQ interview with the trojan author may be interesting. I agree with Mikko in that this guy will eventually be caught (probably via follow-the-money).

Sunday, January 28, 2007


I think that I burned myself out on Thursday night. The previous week I had suffered from a bout of Bill Gates syndrome in that the demo I had set up absolutely refused to work. I spent the rest of the evening trying to get it to work again. This required that Andrea (the other half of the tag-team teaching team) talk for the entire class.

The end result of all this was that I had to teach all last Thursday night. The topic for the evening was RF theory. While I did have enough slides to cover three hours (and I did speak for that time), towards the end I realized that the topic is best taken in small chunks. Going from "this is a sine wave" to explaining the advantages of combining phase shift keying and amplitude modulation obviously was quite painful.

The good news is that we're now through that. The bad news is that it becomes quite important (later) when we start talking about 802.16.

Oh! Why do I feel like I burned myself out? Answer: Because I have the typical symptoms: a strong aversion to sitting at a keyboard, wanting to sleep through Saturday, and coming up with excuses not to work on my wife's computer (crappy sound). I think the burnout was caused by putting in 6 hours for slide creation and then talking about them for 3 hours, all in the same day.


Monday, January 22, 2007

Hotel points

The Wardman Park Marriott isn't winning any points with its Shmoocon reservations at the moment. The discount code that they provided to the Shmoos isn't working and the link the hotel provided is for a three night stay (only needed by those participating in Shmoocon Labs. The rest of us, for whom the Con starts at 3 p.m. on the 23rd, really won't want to spend the extra $170. I'm supposed to be teaching on the 22nd, in any case.)

Customer service, at the hotel (or at their web host), is really screwing this one up.

Update: I've been told that this issue will be addressed shortly (I gotta stop jumping into the deep end...). The "SHMO" discount code actually works but is for call-ins only.

Old script offline

The dynamic site is officially down. Visitors to the old link will see some semi-polite text about it being gone. Apologies to anyone who's taken more than 7 weeks to notice the change. "Grr's" and "N'yah's" to any of the spambots that are still trying to push comment spam onto the link.

Sunday, January 21, 2007


[*grumble.. grumble..*] I just spent 2+ hours upgrading XP Home on a 5-year old Sony laptop. All's I wanted was the capability to employ WPA2 (I don't care about any other protections as I don't use it for anything other than wireless demos). First I had to install WGA. Then 7 hot fixes w/ reboot. Then 17 hotfixes w/ reboot. Then I couldn't convince it that I didn't want to install IE7, so I had to install that. Then (finally) it let me run the WPA2 installer, complete with reboot, just so's I could find out that the Centrino chipset in the damn thing doesn't support WPA at all.

Yeah, you can say that I'm a bit grumpy at this point.

LJ index

Ran across the following while looking for a mserv howto: the TOC for issues of Linux Journal (issues from March 1994 through August 2006).

Thursday, January 18, 2007


Reasons to get a Mac Book Pro (I need to enumerate now so I can convince my wife later):
  • the awesome interface for WiSpy
  • the SageTV placeshifter client
  • Slimserver and players
  • Keynote (actually the #1 reason)
  • Parallels

What else?


Here it is January and I've finally had more than 30 minutes free time to play with the upgrade to my birthday present: SageTV. I'd gotten version 5 in October and the upgrade rolled out about 4 weeks later. Luckily, SageTV allows anyone that purchased v5 a free upgrade to v6. The upgrade adds a few nice features, such as thumbnails for videos, the ability to grab weather forecast data, and a few interfaces to Google Video.

The Linux version is still considered OEM, which means the vendor won't help you install it but there's enough of a community that you can get it up and running with little or no trouble. (Heck, even I've dumped a bunch of notes into the wiki.) It's not to say that there aren't snags. The latest update to V6 caused MP3s to not play via the Media MVP box. Luckily, I found this short thread which described how to fix the problem (turns out it was a missing library).

In any case, I will recommend getting SageTV to anyone who has more than a passing familiarity with Linux. If you can install the Hauppauge PVR-250 and the IVTV firmware, you'll love SageTV. Another notable thing about SageTV is that, unlike other similar commercial products, it's user modifiable. Heck, the $70 (or so) that I paid for it more than covers the amount of time (months!) that I would have spent pounding on MythTV to get it into the same shape. It doesn't hurt that SageTV now has a Mac client either. (One more reason I'm looking at getting a MBP once I can afford it.)(Sometime this year, I think.)

Tuesday, January 16, 2007


Here's a thought. Now that 1TB drives are out (and larger ones are on the way), it is now possible for one system to hold the entire keyspace generated for multiple Rainbow tables. For users of certain applications (the pre-shared key (PSK) versions of WPA and WPA2), this is going to be bad news.

Expect to see a slight change in the "rules", like: actually treating your PSK like a password and periodically changing it (preferably the periodicity of change is less than the theoretical amount of time it takes to generate the keyspace for that length of a key).

Spam detector?

Spammers attacked another user's site here at 757 recently and it got me to thinking. Carrier ISPs usually have no clue what their customers use their connections for unless people start complaining about abuse. One of the problems is that no one has attacked the problem of detecting the abuse while it occurs.

I may be on the wrong track but here are my thoughts:

  • People who buy big pipes are expected to have large amounts of traffic (why else pay such a large chunk of money)
  • However, the difference between a lot of people visiting a site and a site spamming a lot of blogs/wikis/guest books is the direction of the traffic.
  • This difference in direction can be detected via the TCP handshake. In other words, the SYN, SYN/ACK, ACK sequence.
  • Thousands (millions?) of SYN packets towards a web site (with unique IPs) means one of two things: lots of visitors or a possible botnet attack (which we're not discussing at the moment).
  • Thousands (millions?) of SYN (no ACK) packets from a site, to hundreds or thousands of other web sites (unique IPs not required), means that the ISP's customer is either Google or is doing something worth investigating further.

Detecting this sort of thing should be relatively easy. Has anyone tried this? Willing to try it?
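One way to put that heuristic into code, as an added example that is not from the post: a direction-aware SYN tally over constructed packet records. The customer netblock, the addresses, and the thresholds are assumptions; a real deployment would also allow-list known crawlers (the "Google" case) before alerting.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the ISP customer's block (documentation range, constructed).
CUSTOMER_NET = ip_network("203.0.113.0/24")


def build_sample():
    """Constructed packets as (src, dst, tcp_flags): one busy web server
    receiving SYNs from 300 visitors, and one host spraying SYNs outward."""
    pkts = []
    base_visitor = int(ip_address("198.51.100.0"))
    base_site = int(ip_address("192.0.2.0"))
    for i in range(300):                       # inbound: visitors -> web server
        v = str(ip_address(base_visitor + i % 250 + 1))
        pkts.append((v, "203.0.113.10", "S"))
        pkts.append(("203.0.113.10", v, "SA"))
    for i in range(400):                       # outbound: 400 SYNs to 200 sites
        w = str(ip_address(base_site + i % 200 + 1))
        pkts.append(("203.0.113.20", w, "S"))
    for i in range(2):                         # the spam host gets 2 real visitors
        pkts.append((str(ip_address(base_visitor + i + 1)), "203.0.113.20", "S"))
    return pkts


def tally(packets):
    """Count SYNs per customer host by direction; only pure SYNs matter,
    so SYN/ACK replies and data packets are ignored."""
    stats = defaultdict(lambda: {"in_syn": 0, "out_syn": 0, "out_dst": set()})
    for src, dst, flags in packets:
        if flags != "S":
            continue
        s_in = ip_address(src) in CUSTOMER_NET
        d_in = ip_address(dst) in CUSTOMER_NET
        if s_in and not d_in:                  # customer host opening connections
            stats[src]["out_syn"] += 1
            stats[src]["out_dst"].add(dst)
        elif d_in and not s_in:                # outsiders connecting to customer
            stats[dst]["in_syn"] += 1
    return stats


def suspicious(stats, min_out=100, ratio=10):
    """Flag hosts whose outbound SYN volume dwarfs inbound: lots of
    visitors look the opposite way round. Thresholds are assumptions."""
    return sorted(h for h, s in stats.items()
                  if s["out_syn"] >= min_out and s["out_syn"] > ratio * max(s["in_syn"], 1))
```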

Sunday, January 14, 2007

God's Gift or Devil Incarnate?

This article praises Bill Joy for writing Vi. As far as I'm concerned, I think it's a dubious honor.

I periodically curse one Mr. Acosta for forcing me to learn it and there are at least two other people on the planet who curse me for forcing them. That's not to say that we don't use it constantly though. (heh)

Thursday, January 11, 2007


Things to do in your spare time:

Come on. They're fsckin' tools. Most of us understand those terms either way. If you go to NYC and order a sub, grinder, or hero, most places will put a large sandwich in front of you. It's only the assholes that get upset.

Disclaimer: this message brought to you by a caffeine-deficient grump who's reading DMiessler too early in the morning.

Going up

Just rec'd an email from Metageek. Seems that the $99 price for Wi-Spy was an introductory one. Starting February 1st, the price goes up to $199. They've also got a new beta for Chanalyzer 2.0 for MS and Mac.

I recommend getting one now.


Thought for the day: Jumping to a conclusion doesn't necessarily mean you were inaccurate.

Wednesday, January 10, 2007


Is it me or are there a lot of self-referential advisories for career paths on blogs and forums lately? Is it that time of year? I'm really tired of hearing you should get this cert or that cert, this education or that education, blah blah blah...

My advice: get a good general knowledge and then find a specialty that you find interesting. If you're "in it" for the money, you (and the money) won't last long. The IT field is self-correcting that way. It's why you can't swing a dead CAT-5 cable without hitting an MCSE nowadays. Those that are "in it" for the money often come in large mobs. High-paying jobs exist because there's a very small talent pool to draw from. The crowds see those high-paying jobs and jump in the pool, en masse. Next thing you know, you're laid off from your high paying job because there's a college graduate willing to do your work for half your pay.

When it comes to technology, there's a lot of uncharted area out there. The crowds stick to "what's known". You should stick to "what can I discover?" or "how far can I push this?". The whole point is that it should be something that you enjoy doing. You'll have fun, go further and you're likely to make good money doing it. If there's not much money in it, you're likely to, at least, enjoy your job. Ask around, a job that you love is rare and is often better than more money.

Saturday, January 6, 2007

Wiki down

The wiki is down while a bit of troubleshooting occurs on the db behind it. Sorry for the inconvenience.

Outlook Express error codes

I seem to remember that Microsoft no longer distributes Outlook Express but the tool is still out there. For forensic purposes (and just in case the original source disappears), I've added the listing of OE error codes to the wiki.

Wednesday, January 3, 2007

Account suspended

This morning, I received the following (in email):

Dear user of 757.org,

Your account was used to send a huge amount of spam messages during this week. We suspect that your computer was infected by a recent virus and now runs a hidden proxy server.

We recommend that you follow instructions in the attached file in order to keep your computer safe.

Best wishes,
The 757.org support team.

(heh) The "owners" would never be that polite. Care to bet what the capabilities of the "message.zip" attachment are? A quick Google search of a couple of the strings from the .PIF file brings up only one site: nabble.com. Why am I not impressed/surprised?

MS Message ID's

In my ongoing search to try to discover just how message ID's are generated by Microsoft mail handling software, I've discovered that Microsoft actually turned off the "proper" generation of the ID (at the source), forcing any intermediary system to generate and add the ID.

The justification for such an action appears to be security-thru-obscurity, a practice that rarely works, especially in these times of deep-packet inspection. It's an ineffective measure in that the same data can be "discovered" via malformed or misaddressed email back to the source domain. Yes, it requires an additional step to "discover" the missing data, but the systems involved are configured to give it up in any case (i.e., delivery failure messages).

If you read the comment section of Terry Frazier's post, you'll see the usual RFC's-use-the-word-'should'-which-means-you-can-deviate-and-still-remain-compliant argument. In other words, the usual perversion of embrace-and-extend. Not that it matters that the rest of the world has to work around it (anyone else remember the method involved in MS's web accelerator?).

I still haven't found out if MS-generated message ID's are random or not, but the discovery of this bit of info wasn't exactly encouraging.

Keep in mind that, at one point, MS didn't comply with the "unique ID" guidance either. These are the sort of vagaries that are valuable when you need to trace/discuss evidence as one side or the other, in a court case, will have an "expert" that claims that all message ID's are unique to the message in question.

Monday, January 1, 2007

Broken WM

Yikes again! It seems that I've managed to break my window manager yet again (a sign that a quarter has gone by). Somehow I've caused VMWare to "disappear". It's still running as I can still connect to its IP address. It's just not accessible via the gui or the window list.

New Year's resolution: stop messing with the libraries.

Shmoocon tickets

Okay, it's January 1st and the Shmoocon tickets aren't on sale. Admittedly, 2007 is only a little over 30 minutes old but advertising is advertising.

This year, when Beetle asks how the con can be improved, I'm willing to bet that there's a loud answer waiting for him.

I'm more than willing to pay the $99 for a ticket, as I did for Shmoocon #1. However, I can't afford much more than that. $300 for a ticket, $300 for two nights in a used-to-be-5-star hotel, and $22/day parking (not to mention food/drink) is much more than I can afford.

Heidi, please knock Bruce's/Don's heads together for doing this.

Update: tickets went on sale a little after noon today. The hotel appears to have raised their discount rate ($169 this year). It may be worthwhile to check out their other vacation packages to see if they have anything cheaper or more attractive. Last year, Derez (I think) got a room under the Spy Museum package at the same rate as Shmoocon and also got a waiver for parking and a free ticket for the Museum.

Update II: Talk about being in the right place at the right time. I called a friend right after I'd bought a $75 ticket to remind him that they were on sale. He got in and there were no more $75 tickets left... Heidi posted the following on the site:

2007-01-01 17:11:55

The $75 tickets sold out in, oh, 3 minutes.

Good luck guys. See you in March!

- Heidi

Yikes! I'd been dozing in my chair all morning (stayed up late to try to get the tickets at midnight) and had only tried again (at roughly 12:06) after waking up for some unknown reason. I still don't like the new scheme.