.: May 2008 Archives


.: hoff flashes his virtualizations to innocent pci
Every other post Hoff makes is packed with information that is way over my head, oftentimes making me lightheaded. But he continues to have great posts in between the bleeding-edge ones. I took two points from a recent post of his on the conflict between virtualization and PCI compliance (2.2.1 which wants single roles for a server may fail all host servers that "serve" multiple guests of various purposes, although I *might* argue the host serves the single purpose of hosting virtual servers).

1. Auditors and checklists will always be behind new technology.

2. Auditors need to know what the crap they're talking about.

If they make certain observations on their audits, they know they need to field questions that may be as obvious as "how do we secure or satisfy this virtualization piece you dinged us on?" If auditors can't answer questions like that, I wouldn't be surprised if they decide to fluff through and try not to touch it, further miring checklists behind technology, and further not providing much real security. It all comes down to training and hands-on exposure to technology.

This is a chicken-and-egg scenario. Can you implement and mature new technology, or do you have to wait until compliance catches up, which may mean needing to implement and mature it just to learn it... This is made further painful because it contradicts what I consider a rule of IT and security: Technology moves forward. There is no holding it back, putting on the brakes, or waving the yellow flag of security. It inevitably moves forward. (Fine, we can hold some things back a bit, but eventually it simply will happen.) This is especially true if new technology is economically beneficial. Companies don't need to think bleeding-edge, but they can't afford to be lagging badly behind the curve.
.: my 2008 gaming system is done
Last week I finished putting everything together for my 2008 gaming machine. It's been about 6 years since my last gaming machine, so I was due for an upgrade. The parts list is saved on my wiki. Special props to NewEgg, my hardware supplier for many, many years. And I added PetrasTechShop.com as my water cooling parts supplier. Excellent service at both, and absolutely no bad parts this go-around! Most of my information comes from the HardForum.

Total cost is probably somewhere around $1100-1300 (not including monitors), with probably the largest chunk being all the water cooling parts. Six years ago, I saved a lot by putting the system together myself, but these days gaming boutiques and other computer outlets have pretty damn good pricing, and I likely didn't save all that much off a comparably performing pre-built system. But few of them do water cooling at all without a premium cost. So to get silence with water, I did save a bundle.

The system is running on WinXP 32-bit right now. I know, I lose some performance, but I didn't want to spend any huge time (getting everything to work and run) or money (a real, honest license [damn Microsoft]), until I hear more details on when Windows 7 will be out and how long Windows XP will be extended. If they start to overlap, I'm just going to skip Vista like I skipped ME. (DirectX 10 support/availability may make a difference when Starcraft II comes out.)

Everything works great. WoW sits at 60 fps no matter what I do (including fraps recording), and isn't taxing the system at all. Temperatures stay barely above room temp, even after hours of gaming, so I'm very happy with the water cooling.

I ended up water cooling my GPU as well. When powering up system components the first time, I was terribly disappointed with the noise from my HD-3870 fan. With that gone, the system hums away unnoticed.

What would I do differently with my setup if I knew what I know now:

  • Bigger case. It took a lot of experimenting to get everything in a good position in the midtower case I got. I lucked out with the top fan (didn't have to drill more holes to mount the top radiator), but I got screwed with the hard drive cage and other crap in the lower right corner of the case. I moved what I could, but the pump still is at a non-optimal angle. Also, I wouldn't mind making a bigger hole on the top and mounting the radiator on the inside of the top of the case rather than the outside. Alas, not a huge deal.

  • Bought all the water cooling parts at once. Since this was my first time parting water cooling out, I did it in very small orders. I think 6 total! I would have planned a bit better too: gotten a flow indicator somewhere in the line, better fill setup (currently the only thing still in progress) so I don't even have to open the case to add liquid (not that I will need to very often), and maybe a drain port if I ever upgrade stuff and need to remove parts. As it is, I'll need to turn the case upside down and around to fully drain it.
.: the epidemic of useless reports and lack of real disclosure information
It might seem like there is an epidemic of information disclosures in recent years. I maintain there is a companion epidemic: one of silence about the reason for these intrusions and disclosures. This prevents anyone from really learning how to improve by any means beyond having a finger waggled at us/them or a painful ruler smacked across our cheek. (I sometimes wonder if we're going to be stuck in a silo no matter what our efforts...)

The Daily Camera has a story about the disclosure of data on 9,500 persons from the University of Colorado (dig the off-beat green-tinted site).

> Hilliard said three computers [one laptop, two desktops] in the Division of Continuing Education and Professional Studies were compromised by a "very complicated hack" that was discovered Thursday afternoon.

One man's "complicated hack" is another man's obviously gaping hole. Useless information.

> "We think they were compromised by digital intrusion with some sort of hack," Hilliard said, noting there is "no direct evidence the data has been taken and used for nefarious purposes."

I'm done being nice about these things. No shit you don't have any direct evidence of wrong-doing. If someone breaks into my house and steals my gun, I can cover my eyes and say "I have no proof a crime is being committed with it!" By the way, no kidding, "some sort of hack..." amazing.

> According to Hilliard, none of the computers was [sic] supposed to have personal information stored on it, following a policy change CU implemented last fall after someone hacked into a computer issued to the College of Arts and Sciences' Academic Advising Center.

Policies don't actually stop anything, just like education. Both are necessary, but neither will guarantee anything. Kinda like that 35 mph sign on the road that I always drive past at 42 mph.
.: if pci remains costly, we'll all simply run away from the beast
PCI is a beast, and continues to blot out the sun with its harpy wings, wheeling in the desert sky, slowly waiting to pounce on the weak. Between concerns over requirement 6.6, code reviews, WAFs, and so on...where will this lead us? Let me play annoying Devil's Advocate a bit.

Well, if you're a web development shop, why go through all the friggin trouble? Rather than process and store any payment information, hire out to someone like PayPal. When you're ready to check out, click the PayPal button which transfers you over to the PayPal site along with whatever transaction information you need. User logs in there, performs transaction there, and completes it there. Let the PayPal-type sites deal with PCI.

This way, every web dev shop won't need a WAF or layers of security or code reviews. Not that I think they should all ditch such efforts, I just feel such efforts are too idealistic for our economic world. I know I've yet to hear a developer or developer manager who has any interest in spending effort, time, or money on an SDLC beyond what it takes to roll out product faster and with higher quality (quality not being defined in terms of security other than the most basic stuff like SSL support).

Of course, this means that while web shops won't process your credit information or store it, they can and likely will store everything else about you. But, hey, that doesn't fall under PCI!
.: logs as proof of incompetence
Anton Chuvakin throws down a doozy in discussing "Reverse Compliance or 'Logs as Proof of Incompetence?'" Granted, he was inspired elsewhere, but he's the first I read on this.

What if you keep so few logs that no one can prove you've been negligent beyond just not keeping logs? What if so few logs are kept, you don't even need to know you've been hacked 2 years ago? We don't know where these White House emails have gone, it must be our incompetence. Slap our wrists and let's please move on...
.: blackbag is back up
Matasano has updated their link to their Blackbag tool. Yes, their link has been down for quite a while...hehe. More details on what it actually does can be found on an older post at Matasano.
.: i h4x ur pr1ntrz
I am cannibalizing some sections of my wiki to place as entries on this site simply to reorganize some stuff. Here are some links to information about network printer hacking.

Irongeek has a very thorough and well-written series of walk-throughs on playing with networked printers.

Phenoelit [old link] has done some impressive work in the past, which includes their excellent HiJetter tool.

Coincidentally, this same topic just came up on the pen-test mailing list on SecurityFocus. Perhaps some links there will someday be useful.
.: yet another list of livecds (yall?)
Continuing my wiki cleanup is this list of LiveCDs with a security twist. Some of these have evolved (Auditor) while some are simply gone (Phlack). I even missed adding a few from earlier this year (Russix, Deft...)

Knoppix STD is a Knoppix security distribution. Sadly, it came out as version 0.1 and remains at that level. Knoppix has tons of documentation and tutorials, including this little bit on mounting a Windows disk and doing some forensics (http://blogs.ittoolbox.com/security/investigator/archives/quick-inspection-technique-for-windows-laptops-10094).

BackTrack is probably the most solid and most-maintained security-based live cd around right now. Extensive support for wireless and a very solid, matured distribution. This distro really has pretty much moved into the lead of security livecds, if there is such a thing.

DamnVulnerableLinux (DVL) is a very vulnerable live cd and local installation distro that is designed to teach about security and insecurity through tutorials and providing an insecure Linux installation. Really sounds like a cool idea and on par with something like WebGoat or the Foundstone Hackme series of exercises.

Helix is a currently maintained livecd with a forensics focus to it.

Trinity Rescue Kit is also a forensics-based livecd.

Pentoo is a Gentoo-based livecd for penetration testing and security.

nUbuntu is an Ubuntu-based livecd. While not necessarily of a security focus, it is still a solid distro. The live-cd version can also be installed locally.

Auditor has been succeeded by BackTrack, but is still a highly documented auditing and security livecd.

Nullbound looks like an in-line Snort/IDS implementation in a livecd.

OWASP Live CD Project has not really kicked off yet, but I'm hoping they are able to put something out.

Ultimate Windows Boot CD is not really a livecd in the strictest sense, but it is as close as it gets for Windows.

Phlack is another of the "original" few security livecds from a number of years back. Development has stalled, but may still get going on version 0.4.

SecureDVD is a full DVD loaded with 10 security livecd distros. This hasn't really been maintained, but is an excellent source and reference for some other livecd distros.

Slax is a Slackware-based livecd.
.: securitywannabe: 10 myths of life in infosec
The SecurityWannabe has posted one of the better lists I've seen in some time: 10 Myths About Life As An IT Security Professional. Some I wanted to pull out:

4. You won't learn as much as someone doing a "normal" IT job. Depending on your role in security, I find that we need to have some level of aptitude in everything IT, from scripting, to programming, to low level memory analysis, desktop troubleshooting, networking, packet analysis, web app coding and architecture, cc surveillance, wireless cracking, optimized scanning, manual scanning, and on and on. Even a jack-of-all-trades in an SMB may not know quite this much. And if we don't know one of these topics, we know places and people to ask to get answers and self-teach.

5. Your friends will disown you - IT security is geek - but not "cool" geek. One of the best parts is being able to relate to non-geeks. For instance, my parents and I can talk to each other on their level about data theft and credit card fraud risk, or the concerns about adopting wireless in their home or at work. I can't talk to them about coding kickass C# apps, the newest developments in virtualization, how sexy the latest big iron is, or the most recent Ubuntu release. I once even had a roommate who thought her boyfriend was looking at too much porn. And let's just say he couldn't do anything to stop me from keeping her well informed indeed.

An excellent list that I consider a must-read highlight so far this year.
.: twitter botnet
I was pondering the point of Twitter again today. It is so much like IRC. If you step away and don't read updates for a few days (or you have a really busy list you're following!), there is no way to really catch back up on what was said or jump back into a conversation. In fact, you likely will miss responses even directed to you! Just like stepping away from IRC and it continuing to scroll on by.

So, I wonder when a botnet will use Twitter for command-and-control?
.: the story of a botnet herder
Herein lies the story of a botnet herder. I find these sorts of stories far more interesting than vague reports on data disclosures, akin to the difference between cheesecake and rice cakes.

We thankfully have a few trends available to us that help keep these threats in check. Greed, arrogance, stupidity. While some criminals make stupid mistakes out of their pursuit of money, there are many others who are more savvy than to be obvious and brazen with their tradecraft. I guess in another lifetime if I wanted to be a cyber criminal, I would follow a few non-technical steps:

  • tell no one, don't brag
  • always respect your adversaries, don't be sloppy or cocky
  • make enough money to be comfortable, don't be greedy
  • wake up
.: hacker ezine on milw0rm
ZFO has released their latest e-zine (read: old school text file). While infuriatingly juvenile most of the time, docs like this still hold a huge wealth of knowledge on both attackers and some of the things they do to gain and expand their access (and some of their really lame victims). It is unfortunate that people get pwned, but at least the rest of us can learn from others. I'd recommend scrolling through the zine once.
.: tjx details starting to come out in testimony, nothing juicy yet
The methods used in the TJX breach have been widely "known" for some time now; crack WEP, remotely connect upstream, sniff transactions. Prat Moghe has posted an organized list of details supposedly from actual testimony. There is nothing new yet, but this at least lends more weight to some facts.

Still, there are gaping questions not covered, or at least not covered yet. I posted a couple questions on the comments for the link. Here they are, plus a couple more.

1) What sort of protection was or was not in place to filter and detect fraudulent traffic from the store to the datacenter? My guess would be a leased line or site-to-site VPN that was wide open.

2) How did the attackers gain admin rights to the "RTS" server(s)? If it was just a little wave of a magic wand, then here is another breakdown with patching or HIPS protection.

3) How did the attackers install "custom sniffing" software on the "RTS" server(s)? Did this show up under installed software (gah!) or in a task listing? If so, this should ideally be monitored (yeah, ideally anyway), or some sort of tripwire set up.

4) Outbound FTP from the data center? I guess, but this could be blocked or at least alerted upon. I mean, how often would this bank of servers really initiate FTP connections or any connections to the Internet cloud?

5) I'm curious at what level the sniffing occurred. For instance, was it grabbed right off an unencrypted connection, or pilfered lower in the OS?

And I'm still just scratching the surface. Interestingly, everything above is not integral to actually making the payment transaction system work as needed. All of this is added on as security tightening. Kinda illustrates that the priority is getting things working, not getting things working securely.
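The fourth question above is the one that turns most directly into a control. What follows is an added example, not code from this post or anything from the TJX testimony: an egress alert rule run over constructed firewall log lines, flagging any connection a datacenter server segment initiates toward the Internet that is not on an explicit allow-list, with FTP escalated. The log format, the 10.20.30.0/24 server segment, the acquirer address and the allow-list are all hypothetical.

```python
"""Egress alerting over constructed firewall log lines.

Added example, not from the post or from the TJX testimony. It flags
connections that a datacenter server segment initiates toward the
Internet, the control the post says should have caught outbound FTP.
The log format, the 10.20.30.0/24 server segment, the acquirer address
and the allow-list are hypothetical.
"""
import ipaddress
import re

# Hypothetical segment holding the payment ("RTS") servers.
SERVER_SEGMENT = ipaddress.ip_network("10.20.30.0/24")

# Address space that counts as "inside"; anything else is the Internet cloud.
# (Listed explicitly rather than via is_private, which also treats the
# documentation ranges used in the sample below as private.)
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical allow-list of (destination, port) the servers may reach,
# e.g. the acquirer's gateway. Everything else outbound is suspect.
ALLOWED_EGRESS = {
    (ipaddress.ip_address("198.51.100.10"), 443),
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "action": m["action"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def egress_alerts(lines):
    """Return (severity, ts, src, dst, dport) for every connection a server
    initiated toward the Internet that is not on the allow-list."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in SERVER_SEGMENT:
            continue  # only the servers initiating connections matter here
        if is_internal(rec["dst"]):
            continue  # datacenter-internal traffic is out of scope
        if rec["action"] == "allow" and (rec["dst"], rec["dport"]) in ALLOWED_EGRESS:
            continue  # expected business traffic
        if rec["action"] == "deny":
            severity = "low"  # blocked, but a server should not even be trying
        elif rec["dport"] in (20, 21):
            severity = "high"  # FTP out of the datacenter: the exfil path in question
        else:
            severity = "medium"
        alerts.append((severity, rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return alerts


# Constructed sample: one server doing its job, then pushing data out over FTP.
SAMPLE_LOG = """\
2008-05-20T02:14:07 allow src=10.20.30.41 dst=10.20.31.5 proto=tcp dport=1433
2008-05-20T02:14:09 allow src=10.20.30.41 dst=198.51.100.10 proto=tcp dport=443
2008-05-20T02:15:30 allow src=10.20.30.41 dst=203.0.113.77 proto=tcp dport=21
2008-05-20T02:15:31 allow src=10.20.30.41 dst=203.0.113.77 proto=tcp dport=20
2008-05-20T02:16:02 allow src=10.50.1.23 dst=203.0.113.9 proto=tcp dport=80
2008-05-20T02:17:45 deny src=10.20.30.42 dst=203.0.113.77 proto=tcp dport=21
""".splitlines()

if __name__ == "__main__":
    for alert in egress_alerts(SAMPLE_LOG):
        print(*alert)
```

On the sample, the SQL connection is internal and the HTTPS call is on the allow-list, so only the two FTP connections (high) and the blocked attempt from the second server (low) come out. The point is the allow-list: if a server segment has a short, known list of legitimate Internet destinations, anything outside it is worth a page, not just a log line.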
.: p2p and the campus network
ComputerWorld has reposted a campus P2P network story from WPI (Worcester Polytechnic Institute).

I could have my own story on campus P2P.

When I started school at Iowa State University in the fall of 1996, they had recently tapped into a nearby backbone and were sitting on a sweet T3 connection or better (this is one reason I was addicted to Quake my first couple years there!). The local network was pretty damn nice too. I could open Network Neighborhood and immediately browse a listing of hundreds of systems in the residential network. Some had files shared, many did not, some didn't know they were sharing things like c:\.

With trial and error, I could find the systems that actually had files shared. Music, warez, porn. And later on movies. At the time, mp3s were only just taking off.

Within a couple years, a couple guys down the hall started hosting a new website on their resnet connection. StrangeSearch (appears to no longer exist at ISU) indexed all the files shared out on the network and provided a nifty, simple Google-like search box to search for whatever you wanted. So now if I wanted to browse files randomly I could do so, or I could look up specific things I wanted. I could even search for the biggest sharers so I didn't have to trial and error on individual systems anymore.

In fact, StrangeSearch and the ISU network were the entire reason I never had to use Napster or Kazaa back in the day. I completely skipped that development because everything I actually ever wanted I could find locally at LAN speeds. Movies, obscure music, newest versions of Photoshop and other cracked games, etc.

Now, this freedom is interesting. Back in the day, I didn't have a huge musical collection; most everything came from friends or (gag) radio. But because I could browse stuff on the network randomly, including people who had similar tastes, I was able to find new music, artists, and even movies quite easily (I had never heard of Heat, for instance, until I saw it on the network; I have since purchased it three times over and it remains a favorite). In fact, I was opened to and spent money on people and things I likely would never have found before.
.: isu cyber defense competition wiki
Just dropping a link here for the Iowa State Cyber Defense Competition wiki. Notes don't seem to make much sense out of context, but this seems to be the most recently updated source of ongoing info about ISU's CDC programs. I try to keep somewhat updated. :)
.: lockpicking slides from bh08 europe
Excellent slideshow (in pdf format) of a BlackHat 2008 Europe presentation on lock-picking and physical security. Now to get my hands on the video...
.: my tuesday rant on developers
Now, let me first say that I'm not a racist or stereotyping kind of person. But I am using this as an example of the sort of developers I am supporting lately. This isn't my trouble ticket (it's for the desktop folks), but I did see this come in from a software (.NET) contractor of ours:
> This is Brahma
> My pc RAM capacity is 2.00 GB. But Speed is very slow ,could you
> make it Increases my pc RAM. It is very helpful for me.
These are the software developer contractors we have coming in and out through a revolving door pretty much. This is infuriating for me, systems/network support, for several reasons.

1) Most of these contractors know a little bit about coding .NET (for instance). But that's it! DNS, IP, IIS, SQL Reporting Services, even SSLs are completely foreign concepts... I know they are being hired to fill a cube and poop out some code, but it really is frustrating to know most of them cannot relate or understand what impact their code may have elsewhere or what their code depends upon. Seriously, I could only hope someday to have such a small sliver of responsibility as opposed to supporting every system, software, hardware, and process that involves (even in the most remote sense) electricity or the magical Internet! No, I'm not trying to trivialize real software developers who know their shit really well and have adapted to new languages over the years. But there are many a developer I have worked with who couldn't properly run their own IIS server, even though their code depends on it (or they try to make these wild dependencies that result in "But it works on my machine and now I have a deadline tomorrow...")

2) Because they keep coming in and out, they have very little structure in their requests for support. It typically consists of "Make X work," where X is as vague a description as you can get. By the time I teach one to make a proper ticket for me to do work quickly rather than a back and forth interrogation, they're replaced and I get to start all over. This happens far too often: "I get an error on the site." Me: "Uh, which site? What error? What were you doing? Was this working yesterday?"

3) I'm pretty adaptive in how I explain things to people; it's something I've been complimented on professionally over the years. But, typically, foreign contractors with limited breadth of knowledge stymie me. I can explain something 5 different ways in various contexts and still get blank looks. I often have to get into that really negative zone where I have to be very direct with my words. Things that normally get me in trouble like, "I cannot do this until blah blah blah," or, "You're not doing this how we expect, please go talk to your supervisor/mentors," or, "No, I can't troubleshoot your code for you, I'm not the coder. What do you mean you don't know what an application is in IIS?"

4) They all have varied backgrounds and may have an idea to implement XYZ. Sadly, this issue is compounded by the first two issues, and also because they are almost always short-timers. I wonder how many companies have implemented Crystal Reports because of a short-timer, and now regret it deeply.

.: where did the top 50 game lists go?
I like gaming, PC games, consoles, etc. I've been a console player since my Atari 2600 and was a *huge* Nintendo nerd. I also had a subscription to Nintendo Power shortly after the magazine debuted.

One of the things I most liked in Nintendo Power was the ongoing Top 100, 50, 25 games (it changed in length over the early years). These were games that ranked based on submitted votes and were not always necessarily obvious games. I found a few gems that way, most notably Crystalis which appeared in the top 50 regularly for *years.* I finally rented a copy of this popular but rather rare game and absolutely loved it.

Modern mags don't seem to have this anymore, or if they do it's so small I miss it! I don't care which games are selling the most or have had the highest editorial ratings for the past 6 months or some aggregate score as rated by gamers on the web site. I would like to see ongoing user-submitted lists of the most favorite games per platform every month.

Fine, I'll concede this approach breaks with PC games (I could still vote for Doom 1), but in the console world which flushes the toilet every few years (not including backwards compatibility), this works nicely.
.: automatic security tools and chinese p2p info leaking
Couple articles for security fodder.

The 7th Cyber Defense Exercise recently took place, which places networks run by various military departments under attack by the NSA in a controlled, scored exercise. I found this nugget an interesting observation:

> The choices in software tools for responding to any attack really boiled down to "automatic" versus "custom," says Eric Dean, a civilian programmer and instructor. He adds that while automatic tools that do most of their own work are certainly easier, custom tools that allow more manual tweaking are more effective. "I expect one of the 'lessons learned' will be the use of custom tools instead of automatics."

And a classified Hong Kong "watch-list" was leaked out onto the Internet. It appears a user brought some classified data home and stored it on a computer running a popular P2P application (Foxy). That's a nice series of poor decisions.

> The blunder occurred after a newly-recruited immigration officer working at the Lok Ma Chau border point took home some old classified files to study without authorisation.
>
> His computer contained the "Foxy" programme and when he connected to the internet, the files were distributed without his knowledge.

Both stories came to me by way of the Infosecnews service.
.: would you snoop on britney spears' records if you could?
Another link to ongoing stories coming from the UCLA Medical Center where employees improperly accessed confidential medical information of celebrities and even co-workers. I consider this situation an important illustration that policy does not ultimately work. The article mentions 68 persons snooped on 61 personal records. That means this is not an isolated incident. The article also mentions the sharing of passwords. Whoa.

Human curiosity or even greed (if any info was sold) was beating policy. I believe such impulse will always beat policy, in fact. These are crimes of opportunity, and technology/process should be limiting that opportunity. Yes, that might impact the ability for people to get some things done, but there is always that balance between getting things done any way you can and getting things done in a secure, trustworthy manner that limits unlawful opportunity.

However, in the end, someone has to have access to the information. Usually several someones, so they can make decisions or even perform clerical work. This is where audits, logs, policy, managerial oversight, and hiring practices come into play. Does someone need to be watching the audit logs and report possible violations? Maybe, maybe not, but that could certainly be a measure for an organization that really needs to provide a high sense (or real state) of security.
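If someone is going to watch the audit logs, this is roughly what they would be looking for. The following is an added example, not code from this post and nothing to do with UCLA's actual systems: it runs three checks over constructed record-access audit entries, access with no documented treatment relationship, access to a co-worker's record, and one account active on two workstations within a few minutes of each other (the tell for the password sharing the article mentions). The record format, the user and patient identifiers, and the care-team relationship table are all hypothetical.

```python
"""Review of constructed EHR access-audit records.

Added example, not from the post or from any real hospital system. It
shows the checks an audit-log reviewer would run: access outside a care
relationship, access to co-workers' records, and one account used from
two workstations at once (a password-sharing tell). Record format, names
and the relationship table are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, user, patient record, workstation), constructed sample data.
SAMPLE_AUDIT = [
    ("2008-05-12 08:02", "nurse_a", "P-1001", "WS-ICU-3"),
    ("2008-05-12 08:05", "nurse_a", "P-1002", "WS-ICU-3"),
    ("2008-05-12 08:06", "clerk_c", "P-9001", "WS-ADM-1"),  # high-profile patient, no relationship
    ("2008-05-12 08:07", "clerk_c", "P-0007", "WS-ADM-1"),  # a co-worker's own record
    ("2008-05-12 08:09", "nurse_a", "P-1003", "WS-ER-2"),   # same account, different floor, 4 min later
    ("2008-05-12 08:15", "dr_b",    "P-9001", "WS-ONC-1"),  # on the care team, legitimate
]

# Hypothetical treatment-relationship table: patient -> users allowed to view.
CARE_TEAM = {
    "P-1001": {"nurse_a", "dr_b"},
    "P-1002": {"nurse_a"},
    "P-1003": {"nurse_a", "dr_b"},
    "P-9001": {"dr_b"},
    "P-0007": {"dr_b"},
}

# Patient IDs that belong to employees (hypothetical).
STAFF_PATIENTS = {"P-0007"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def relationship_violations(records, care_team):
    """Accesses by a user with no documented treatment relationship."""
    return [(u, p, t) for t, u, p, _ in records if u not in care_team.get(p, set())]


def coworker_access(records, staff_patients):
    """Any access to an employee's own record, whoever did it."""
    return [(u, p, t) for t, u, p, _ in records if p in staff_patients]


def shared_account_sessions(records, window=timedelta(minutes=10)):
    """Same account on two different workstations within `window`:
    either an impossible walk across the building or a shared password."""
    last_seen = {}
    hits = []
    for t, u, _, ws in sorted(records, key=lambda r: _ts(r[0])):
        prev = last_seen.get(u)
        if prev and prev[1] != ws and _ts(t) - _ts(prev[0]) <= window:
            hits.append((u, prev[1], ws, t))
        last_seen[u] = (t, ws)
    return hits


def review_audit(records, care_team=CARE_TEAM, staff_patients=STAFF_PATIENTS):
    """Run all checks and tally hits per user so the worst offenders float up."""
    findings = {
        "no_relationship": relationship_violations(records, care_team),
        "coworker_record": coworker_access(records, staff_patients),
        "shared_account": shared_account_sessions(records),
    }
    per_user = defaultdict(int)
    for hits in findings.values():
        for hit in hits:
            per_user[hit[0]] += 1
    findings["per_user_counts"] = dict(per_user)
    return findings


if __name__ == "__main__":
    for kind, hits in review_audit(SAMPLE_AUDIT).items():
        print(kind, hits)
```

On the sample, clerk_c lights up twice (the celebrity record and the co-worker's record) and nurse_a's account shows up on two floors four minutes apart. The relationship table is the part that takes real work to maintain, but without something like it the log can only tell you who looked, not whether they had any business looking.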
.: searching for a new portable music player
I am looking for a new portable music player. I have my trusty 4th gen 20gb ipod sitting in my car most (99%) of the time, hooked into my stereo. I have a small desire to get a second music player that I can load more music on, but also keep more on my person rather than in my car.
  • I don't mind keeping the 20gb ipod in my car permanently, so I don't need my new one to be compatible with my stereo.
  • I have over 40gb of music.
  • I don't use nor want to ever use iTunes or some other "marketplace" software. (die DRM!)
  • I use Ubuntu Linux and would much prefer to use Linux to manage my new device.
  • I currently use Winamp on Windows to manage my 20gb ipod. (I'm simple.)
  • I don't plan to browse photos, cover art, or crap like that. Movies, maybe, but I don't need that. My need is just a music player and simple shuffled playlists based on genre.
Does anyone have any suggested music players and Linux software (probably Amarok and its clones) that I should look at? Sticking to an ipod classic is definitely an option.
.: re: twitter foray
So I've given Twitter a chance, and I think I'll let this novelty slide. I find the following/followers thing a bit disconcerting. It is the equivalent of lots of people in an IRC channel, but everyone having rather extensive ignore lists so that half of what is said is lost on half the people present. Almost turns into a virtual ego trip or popularity measure, sometimes.

I think if I had more real life friends on Twitter it might be far more worthwhile to know what's going on in their lives at 7:34pm at night, but it just feels like another tacky social tether to the computer. I'll stick to IM and IRC for that, I think. :)

Update: I reserve my right to change my opinion on this. I do much of my work right now on a laptop and at a workplace where I can't necessarily have something like a Twitter client running all the time as a distraction. Catching up on the past day of Twitters is retarded. But now with the gaming rig built, my old machine will become an always-on desktop system and running a Twitter client for popping up new messages as they come in may change my experience. I doubt it, since it offers nothing beyond what I get with IRC/IM other than less hardcore geeks and more links, but it could.
.: marcus ranum caught cybering
I missed this the first time around, but I see Marcus Ranum has a couple postings on the Tenable blog. His first talks about cybercrime. The second talks about cyberterror. I think this link will end up holding whatever he posts.

I really like the first piece on cybercrime, although I think he misses one aspect that should be brought up: efficiency. Stealing data 30 years ago would have required reams of printed paper or boxes and boxes of tapes or discs. And that might have just impacted a few people. Today, a USB stick can contain millions of important records that are all worth money. Just like software pirating, these issues have always been around, only in the past they were so inefficient that we could accept those risks or mitigate them indirectly. Efficiency plus Ranum's Automation make this a huge deal. Criminals can steal huge amounts of digital property that we attribute high value to.
.: office lock ninja
Sometimes the obvious does make sense. I-Hacked.com shows how to do some office lock-picking if you see a key laying out in the open. Snap a picture of the key along with something to provide scale, cut the outline of it out of an aluminum soda can, insert and open! (I think I'd add a tension wrench which can also easily be made from common office items, for instance a paper clip or the clip part of a pen.)
.: pci dss changes for 1.2
A pdf file detailing the changes between PCI DSS 1.1 and 1.2, which is due out in October 2008.

Erp, I'm an idiot. Wrong doc. :)
.: risk mgmt and freak helicopters falling from the sky
From HardOCP I tonight read news that some kid was wearing earphones and died because he didn't hear a helicopter fall on him, so the issue of safe use of headphones has been raised up. Huh? I normally wouldn't post something like this, but the discussion potential of this is both disturbing and hilarious (definitely fark fodder and sure to be revisited for the 2008 Darwin Awards despite not entirely being the kid's fault).

I've taken a few snippets from the discussion thread over on HardOCP:

> Why do people look to freak accidents as examples for change?

> I mean, if he had been mowing the lawn would they be arguing that lawn mowers are too loud[?]

> An RIAA representative said that a fleet of 400 choppers have been acquired and you should expect similar actions taken against people suspected of violating their rights.

Yes, there is a personal choice made whenever someone is wandering around and wearing headphones turned up too loud, from cars to other pedestrians to bikers sneaking up behind them, that is typically their own choice to lose their sense of hearing for that period of time. At the very least, a kid wearing headphones too loudly is only a danger to himself.

At the end of the day, a helicopter fell out of the sky and killed someone. Really, what the fuck are ya gonna do?
    .: defining information technology on its relation to data
    [Note: I accidentally left this in my unpublished bin for a couple months. I can see why, as this is a bit unpolished and confusing, but I wanted to post up my thoughts on "data-close" and "data-distant" objects and how they relate to the changes in security and even IT consumption in general over the years.]

    Last week I posted about Bruce Schneier's latest essay on product suites and the course of security purchasing. I see Bejtlich has also posted, and has some really good comments going on it. Two thoughts kinda struck me.

    First, Bejtlich says, "...what are the 'crown jewels'? It's the data, not the hardware and software." Second (Bejtlich did not say this), trying to get an outsourcer to manage one's security or even IT as a whole is a lot like Nicholas Carr likening IT to a utility like electricity.

    So can some utility provider manage a company's data? I'd have to say I don't think so, unless the company is such a cookie-cutter company that the data offers zero differentiation from its competitors.

    From there, we can create a spectrum with data on one side and electricity on the other. Data, the applications that gather/hold/report the data, applications that interact with others to glue all that data together into something useful...on up to the very commoditized desktop systems, networking hardware, 1s and 0s on the wire, the electricity powering it, and the Internet access. I can describe this spectrum as "data-close" objects and "data-distant" objects.

    I can also explain one aspect of the rise of web applications. Web applications can be pretty specific to a company, especially the internal apps. They are pretty "data-close." Desktop systems are "data-distant." The configuration or maintenance or even presence of a desktop machine is rather unimportant unless it needs a lot of fat applications to consume data. Since a web browser is in every OS (we'll just assume this, since that's really the case in any business endpoint system), we have now moved the data-consuming app closer to the data where it should be, leaving the guts of the desktop system to be "data-distant," where it should be. Hard disk encryption continues this trend, since the hard disk is a bit more "data-close" than the rest of the desktop system.
    .: getting on the same page: perspective
    When having a discussion about digital security, it is important to keep in mind a few things. Perspectives, assumptions, definitions. In short, getting on the same page so that we can discuss properly, sort of like normalizing fractions so that you can compare them directly. Is 13/15ths greater than 41/45ths?

    When it comes to security solutions, I increasingly find two different perspectives related to scale. In fact, I'm sure I have these sides as well. And no, I don't have good names for these sides; microscopic and macroscopic didn't seem to quite fit.

    First, I have a side that looks only to what my finite organization needs in terms of security. What works for me may not work for others. These solutions only need to scale as far as I need for my org. They may even scale poorly to the cybersphere. For example, I like to use arpwatch on my local networks to spot rogue devices. This works for me, but may not work for a 10,000 node infrastructure. Another example would be my personal decision to use a seatbelt when driving.

    Second, I have a side that I would show more often if I worked for an ISP, or some less finite organization looking for absolute or universal utility. These solutions need to scale only so far as...well...everyone and every system. An example might be trying to solve a universal cyber identity issue, or protocol issue (DNSSEC), or global security standard. Or the entire existence of seatbelts in cars.

    Both of those sides can often be at odds, and each has good reasons. It is important to make sure the people in a discussion match their perspectives and scopes. It is also important to be consistent in how we apply these perspectives to our own goals and projects.
    .: ground rules
    Back in high school and college, a buddy and I made some ground rules for ourselves dealing with relationships and women. These rules were designed to not waste time with mistakes or bad situations, and make sure our own behavior didn't turn sour. (While excellent, something may have been wrong since I'm still single! :) )

    In some past posts I see I've been slowly formulating some security practice and discussion rules.

    I talked about security religions and the difference between people who believe security must be baked in and absolute versus those people who believe in the value of incremental security.

    I just posted as well about different perspective scales. This contrasts people who see security in their own fortress against those who view security on a globally relevant scale.

    I'm sure I have had more, and will have more yet, but I wanted to start getting in the habit of keeping similar posts linked together, for my own reference. Maybe this is one of those places blogs are insufficient and a wiki would be more appropriate.
    .: links from 0x000000: apache and hackersafe vp fraud

    Was just catching up on some RSS feeds and saw a bunch of links I wanted to save over on The Hacker Webzine (0x000000.com).

    Some very detailed .htaccess information.

    Why you should hide your mod_status page on Apache.

    HackerSafe VP arrested for fraud.

    HTTP source streaming

    .: sshwindows simplifies openssh on windows
    This might be worthwhile to check out. SSHWindows is OpenSSH running on Windows. This still runs using cygwin, but it sounds like all the grunt work of managing cygwin is taken care of by SSHWindows.

    Snagged this from Adnan.
    .: when the cost of technology outweighs the value
    The cost of technology is frustrating to the business. Hell, it's frustrating to other technologists! As a disclaimer, I am by no means a Microsoft hater. I like Windows products. I use them at work and often at home.

    In my company we use Altiris as our desktop deployment solution. We buy systems from Lenovo/IBM. These systems come with an OEM version of Windows.

    We just learned this week that that OEM version is not transferable in our deployment architecture (or any imaging architecture). We now have to repurchase pretty much every copy of Windows that we have. Woot! And people wonder why I refuse to spend my personal money on Microsoft stuff...

    Microsoft reps have really wanted to get us to move to an enterprise contract which is basically a high end software assurance deal. But we don't want to pay Microsoft for the belief that someday they will come out with a product we want to deploy. Software assurances of the past have been a joke. A 3 year deal doesn't necessarily pay back anything. It took Microsoft 5 years to come out with a new SQL version. The time between XP and Vista was over 3 years. The time between Windows Server 2003 to 2008 has been over 3 years.

    Microsoft does add a lot of things to the software assurance deals, but almost all of them have no value to us. In the past decade, our IT teams have not used those services much at all, and we don't see any real reason to; they have little value to us. It is far cheaper to purchase (and repurchase!) Microsoft licenses outside of an assurance agreement.

    And that doesn't even address whether the products Microsoft offers are ones we want to deploy. Vista adoption in the enterprise is far lower than XP's was. And even if one wants to argue that number, there are many companies that have zero plans to adopt Vista, whereas at least with XP most planned to move to it. Business users don't need fancy graphics and 2GB RAM requirements. Home users use the OS more than business users.

    Yes, there is a trend that computing is moving closer to the cloud. Yes, it feels like Microsoft is getting more desperate to cash in as much as they can before that move starts gaining momentum. But will Microsoft's own actions hasten the very thing they fear? Kinda like wanting to hold water in your hand but knowing it will seep out, and seep out faster if you squeeze harder.
    .: grossman and rsnake lay eggs!
    Jeremiah Grossman and RSnake both laid sobering eggs in the last week, no doubt colluding to dilute... :) They lament the fact that they post information on the Internet about security and vulnerabilities, but now that they are increasingly deep into the corporate professional security ranks, they aren't able to talk quite as freely anymore when contracts and NDAs and so on are on the line. When only a handful of people know an issue, and it gets out, you know their asses would be nailed to the wall...or at least paychecks withheld.

    No one with half a professional brain or experience in the actual industry is surprised by this revelation. But by posting this, they have really somewhat lost the ability to bitch about the lack of communication in the security ranks. And that's because they're just as much a part of the problem now as anyone. It's even worse when you tell people you know things, but can't expound. That incurs the ire of pretty much everyone, including those who Get It.

    As Jeremiah's post title says, this *is* the nature of things, economic and legal. Corporations have a big stake in keeping quiet about anything even remotely negative or insecure, and so do security professionals who want to keep their integrity and credibility. Likewise, both Jeremiah and RSnake gotta eat, and full disclosure, as RSnake implies, doesn't pay the bills (or for expensive cars).

    While I agree that specifics on issues may be difficult to reveal, both Jeremiah and RSnake should still be free to talk about vague issues without getting anyone into trouble. Rather than some POC that has the client name hardcoded, create a copy somewhere and demonstrate with sanitized examples. I don't think anyone is really after smearing particular companies, products, or salivating at being the first one to profit off some vulnerability in a popular site. And if that is the fear, then we have a messed up view of reality.

    Yes, I Get It. I know Jeremiah and RSnake have their reasons, but at some point we're going to need to catch up to the communication abilities of the attackers in countries without such paranoid views of disclosure and legal backlash. Sadly, there are already signs of this getting worse, as Germany and Britain have made huge steps to stifle innovation and sharing with ham-fisted attempts at control through law.

    This is an opportunity for Jeremiah, and maybe even more so RSnake, to attempt to lead by eschewing such self-imposed gags. They don't have to be whistle-blowers by any means, but they are creative, enthusiastic, and experienced enough to be able to keep disclosing innovation and ideas without endangering lives or livelihoods. They made their reps and their current standing by talking about things. To change that now is perhaps succumbing to the corporate machine of things.

    Despite all of this and my own commentary above, I deeply admire and respect both Jeremiah and RSnake and fully respect (and even grudgingly sympathize with) their positions. I just wanted to leverage their posts for some soapboxing.
    .: linux: screencasting, beautiful desktops, install tips
    Hackers Life throws lots of interesting links into my reader, and a few I wanted to pull out and keep here.

    5 ways to screencast your linux desktop - Ooo, I like this quick roundup of tools. A year ago I had some problems trying to record a screencast. I didn't spend too much time on it, because I know Camtasia (Windows) and how easy it is to use. But I will totally try one or more of these out next time I have a reason to record my desktop.

    10 most beautiful looking linux desktop [sic] - Alright, these look awesome. It's been a long time since I really worked on my OS interface, mostly because I hate having to redo it on new systems or after reinstalls or whathaveyou. I also have always run Linux on my less stellar gear, but now that I have a 'retired' gaming system available, I may just have to check these out soon and see what I can imitate. I've been using Linux long enough, that it's about time I pull myself up another level of nix-geekiness.

    10 tips for after you install or upgrade ubuntu - Really, everyone needs a series of notes on what you want to do after performing an install. It doesn't take an IT worker long to figure this out, and it applies to home geek life too. These tips are almost all very useful and common issues Ubuntu users face. And yes, I admit my boot menu is out of control with old Ubuntu versions...
    .: some psytrance and house for the weekend
    In the random bucket, and just in time for a long weekend, I stumbled upon this link to some freely available psy-trance/goa music downloads at Ektoplazm. If you have any interest in psytrance (think: Infected Mushroom, Hallucinogen, or faster more layered beat-driven electronica/trance than what you would hear in a club, but not quite distorted and chaotic), check out the downloads page for popular examples.

    Oh, and there are some quieter, more ambient (progressive) types of psytrance available as well. Rather than let you hunt for it, check out Koan, the Entheos sampler, and the Amber compilation. The Entheos album probably drops out of the psytrance category and into more ambient electronica, and is far more tolerable to most people.

    Fans of soma fm's Groove Salad should download the Entheos sampler. Track 7 is Gifted by Osiris Indriya (Seattle-area DJ, check his site for some awesome free club/trance mixes! Check this mix* (mp3) at a minimum) which is a downright excellent track and the whole reason I wandered to this site.

    * If you know the sampled video game song at 3 minutes of the mix (Blaster Master?), please let me the hell know. It's taunting me! If anyone can devise a way to be able to search on music hashes (Google Music?), I'd love you! Those of us who listen to music genres that consist of remixes or non-vocal music always have songs that we have no idea who does them or other tracks whose tags we don't trust and suspect are wrong.
    .: the honesty of corporate security
    This topic will soon be beaten to death, but I need to post it for my future reference. TJX recently fired an employee who disclosed weaknesses in their security. ComputerWorld has an updated article with details like the employee's name. Ha.ckers.org posted an original tidbit last week, and here are the forum posts in question (as long as they are still up). There is also a post talking about how to more properly "whistleblow."

    I regularly decry the stifling glass walls of information disclosure and sharing of experiences, horror stories, and successes in our industry. I can also decry poor reactions to helpful employee suggestions or public disclosure of issues. If an organization can be so badly damaged if some information is leaked out (like poor password policies [or nonexistent!], unguarded servers, or poor network architecture), then something is definitely wrong.

    Internal and even public open review of security stances should almost be a goal. If a security posture of an organization can withstand open review (like open source code), that can only be a good thing (unless your business relies on those practices as a competitive advantage, kinda like proprietary and secret warehouse sorting technologies).

    We are in a new age where information travels far and fast with our efficient technologies, social networking, and news reporting services. It is no longer enough to have a security policy prohibiting talking about security issues in public. Twenty years ago, such indiscretion when talking at a pub with some buds wouldn't ever get very far, but talking with buds on a forum or online game can become re-referenced worldwide news very quickly. Is that something an organization should try to prevent and actively stamp out? I say not really.

    There will always be people who disagree on issues and decisions passed down by management. One person's trivial issue is another person's crusade over insecurity; one manager's accepted risk is another worker's nightly worry. And there will be times where someone using a public forum as a soapbox to stir internal drama at an organization needs to be punished or removed. But an organization should use that as a last resort, and instead try to actually fix things rather than make them just appear to be fixed. And when not fixing things, admit as much and disclose why, at least internally.

    All this said, there will always be exceptions, and I'm not saying I would ever be a 'whistleblower' or support such actions. Just saying there is a better way of dealing with it.

    (This is probably all stemming from our highly litigious culture... rather than working together to do great things, we worry about covering our asses from all the life-damaging lawsuits that get thrown around. That and the quest for green...)
    .: there are hacker masterminds everywhar!
    I was catching up on comments from the link in my last post about the TJX 'whistleblower' on Ha.ckers.org and caught this one:
    HOWEVER, I can speak from experience that too frequently companies claim that they were hacked by an evil vicious mastermind when the fault lies in their own lackadaisical response to reported holes in their security.
    I get that feeling with most of the disclosure press releases and news reports I read. Really? You had this mastermind hacker attack you? Uh-huh.

    This is why I decry our lack of information-sharing.

    Ok, I'm done being ornery after the long weekend. :)
    .: investigate the links on your site with xenu's link sleuth
    Dan Morrill points over to Xenu's Link Sleuth (Windows tool):

    Xenu's Link Sleuth (TM) checks Web sites for broken links. Link verification is done on "normal" links, images, frames, plug-ins, backgrounds, local image maps, style sheets, scripts and java applets. It displays a continuously updated list of URLs which you can sort by different criteria.
    .: working from home next week while training
    It is amazing I don't get to work from home more often, being a technology worker and all. Since 9/11 and other disaster events, there has been lots of talk about business continuity and disaster recovery, and it seems to me that working from home is a constant reminder of what it might be like if an office building were suddenly not available. Then again, a huge majority of the stuff I do is remote-based anyway, from VPNs to email to SSH to virtual consoles, to rdp... Besides which, it's a nice change for the work-life balance, and means I'm removed from interruptions.

    Speaking of, I get to work from home all next week as I will be attending training online from Citrix. We just received 4 load-balancers (Netscaler 7000s) to support our web environments, so I get to play with them extensively. It will be nice not only to master the new devices, but to also get closer to the end of this project. Last year we got hosed by Juniper and their shoddy line of load-balancers (now discontinued!), and then our vendor basically stopped talking to us after that. Not really sure why, it's not like one bad recommendation was going to sink our use of them. Hell, we'll still do business with other Juniper products as well.

    Oh well, we're moving forward and I'm excited by these devices. They have a ton of reporting options, and really just lots of other features in general. It's been a while since I've seen a modern-generation load-balancing device (hell, they don't even call them that anymore, but I'm stuck in my ways). And all devices should have dashboards. Even if I don't use them a ton, they look important and impressive to everyone else.
    .: they may as well be a mass of undead zombies
    Ever read the comments for popular security articles? If you do, you likely wonder a little less at why security is such a frustrating endeavor. :) Take an article on TheRegister about the Debian OpenSSL issue of recent note. Skim the comments and reach for the shot glass(es).
    .: mediadefender dos floods revision3
    This weekend I noticed Revision3 was not online. Turns out they were the victim of a DoS attack. Any emphasis added is mine.
    In this case it was pretty easy to see exactly what our shadowy attacker was so upset about. It turns out that those zillions of SYN packets were addressed to one particular port, or doorway, on one of our web servers: 20000. Interestingly enough, that’s the port we use for our Bittorrent tracking server. It seems that someone was trying to destroy our bittorrent distribution network.
    Maybe not a huge deal, right, especially since they're not pirating anything except their own shows? Oh wait, it gets loads better.
    A bit of address translation, and we’d discovered our nemesis. But instead of some shadowy underground criminal syndicate, the packets were coming from right in our home state of California. In fact, we traced the vast majority of those packets to a public company called Artistdirect (ARTD.OB). Once we were able to get their internet provider on the line, they verified that yes, indeed, that internet address belonged to a subsidiary of Artist Direct, called MediaDefender.
    Oh my. I've heard of MediaDefender in the past, and I've been less than impressed by their business tactics.
    Putting aside the company’s outrageous use of our servers for their own profit, and the large difference between one connection every three hours and 8,000 packets a second, I’m still left to wonder why they didn’t just tell us our basement window was unlocked. A quick call or email and we’d have locked it up tighter than a drum.
    I really shouldn't make conclusions from just one side of the story, but this does illustrate huge issues for companies involved in any sort of cyber security. How ethical is it to DoS unwanted systems or services, i.e. attacking the attacker (and did you verify they really are an attacker)? Why was MediaDefender injecting bad torrents into a legitimate torrent service, and how is that any different from an evil hacker doing it?

    Oh, and this can be interesting especially if some of MediaDefender's customers are Revision3 competitors.
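    As an added example (not code from the original post or from Revision3's write-up), here is the kind of SYN-rate check a defender could run over per-packet summary lines to surface the pattern described above: a burst of bare SYNs from one source toward the tracker port within a single second, against a legitimate peer that checks in once every three hours. The "ts src dst dport flags" line format, the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses, the sample traffic and the 20-SYNs-per-second threshold are all constructed assumptions for this example.

```python
"""SYN-rate detection over constructed packet-summary lines.

Added example, not from the original post. Each input line is assumed to be
"ts src dst dport flags", where flags is "S" for a bare SYN and "SA" for a
SYN-ACK (a constructed convention, not tcpdump output).
"""
from collections import Counter, defaultdict

TRACKER_PORT = 20000  # the BitTorrent tracker port named in the write-up


def parse_line(line):
    """Split one summary line into (timestamp, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.split()
    return float(ts), src, dst, int(dport), flags


def syn_rates(lines):
    """Return {(src, dport): peak number of bare SYNs seen in any one-second bucket}.

    SYN-ACKs (flags containing 'A') are the server's replies and are ignored,
    so a busy but healthy server does not trip the check.
    """
    per_second = Counter()
    for line in lines:
        if not line.strip():
            continue
        ts, src, _dst, dport, flags = parse_line(line)
        if "S" in flags and "A" not in flags:
            per_second[(src, dport, int(ts))] += 1

    peak = defaultdict(int)
    for (src, dport, _sec), count in per_second.items():
        peak[(src, dport)] = max(peak[(src, dport)], count)
    return dict(peak)


def flag_floods(lines, threshold):
    """List (src, dport) pairs whose peak one-second SYN count exceeds threshold."""
    return sorted(key for key, rate in syn_rates(lines).items() if rate > threshold)


def build_sample():
    """Constructed traffic (not real data): one legitimate peer announcing to the
    tracker once every three hours, and one source sending 50 bare SYNs to the
    tracker port inside a single second."""
    lines = []
    # Legitimate peer: SYN to the tracker, SYN-ACK back, repeated every 10800 s.
    for k in range(3):
        t = 1000.0 + k * 10800
        lines.append(f"{t:.3f} 192.0.2.10 203.0.113.5 {TRACKER_PORT} S")
        lines.append(f"{t + 0.010:.3f} 203.0.113.5 192.0.2.10 51000 SA")
    # Flood source: 50 bare SYNs spaced 20 ms apart, all within second 5000.
    for k in range(50):
        t = 5000.0 + k * 0.02
        lines.append(f"{t:.3f} 198.51.100.7 203.0.113.5 {TRACKER_PORT} S")
    return lines


if __name__ == "__main__":
    sample = build_sample()
    for (src, dport), rate in sorted(syn_rates(sample).items()):
        print(f"{src} -> port {dport}: peak {rate} SYN/s")
    print("flagged:", flag_floods(sample, threshold=20))
```

    The threshold is deliberately a placeholder; in practice it would come from a baseline of the tracker's normal announce interval rather than a fixed number.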
    .: looking for a real kvm
    Sometimes there really just aren't solutions available. I've been doing some research on a new KVM unit, since my old one is about 4 years old and only PS/2 and VGA.

    I have my gaming system plus my old gaming system that I'd like to have co-exist on the same keyboard, mouse, and monitor. The newer system is Windows and the older system is Ubuntu Linux. The keyboard is a wired, USB Logitech G15 (yes, I'd like the LCD to work on at least the newer system). The mouse is a generic wireless Logitech mouse. The monitor is a 21" with DVI connector. Audio would be optional, but cool. Hotkey switching would be optional, but ideal. Both systems can do dual-monitor, but I really don't need that to go through a KVM.

    Meeting these requirements, especially the G15 keyboard, seems to be a little out of the reach of KVM technology. And being DVI pretty much doubles the price.

    Still, it would be highly desirable to find a decent unit someday, that can co-exist with both systems.