looking for a real kvm

Sometimes there really just aren’t solutions available. I’ve been doing some research on a new KVM unit, since my old one is about 4 years old and only PS/2 and VGA.

I have my gaming system plus my old gaming system that I’d like to have co-exist on the same keyboard, mouse, and monitor. The newer system is Windows and the older system is Ubuntu Linux. The keyboard is a wired, USB Logitech G15 (yes, I’d like the LCD to work on at least the newer system). The mouse is a generic wireless Logitech mouse. The monitor is a 21″ with DVI connector. Audio would be optional, but cool. Hotkey switching would be optional, but ideal. Both systems can do dual-monitor, but I really don’t need that to go through a KVM.

Meeting these requirements, especially the G15 keyboard, seems to be a little out of the reach of KVM technology. And being DVI pretty much doubles the price.

Still, it would be highly desirable to find a decent unit someday, that can co-exist with both systems.

mediadefender dos floods revision3

This weekend I noticed Revision3 was not online. Turns out they were the victim of a DoS attack. Any emphasis added is mine.

In this case it was pretty easy to see exactly what our shadowy attacker was so upset about. It turns out that those zillions of SYN packets were addressed to one particular port, or doorway, on one of our web servers: 20000. Interestingly enough, that’s the port we use for our Bittorrent tracking server. It seems that someone was trying to destroy our bittorrent distribution network.

Maybe not a huge deal, right, especially since they’re not pirating anything except their own shows? Oh wait, it gets loads better.

A bit of address translation, and we’d discovered our nemesis. But instead of some shadowy underground criminal syndicate, the packets were coming from right in our home state of California. In fact, we traced the vast majority of those packets to a public company called Artistdirect (ARTD.OB). Once we were able to get their internet provider on the line, they verified that yes, indeed, that internet address belonged to a subsidiary of Artist Direct, called MediaDefender.

Oh my. I’ve heard of MediaDefender in the past, and I’ve been less than impressed by their business tactics.

Putting aside the company’s outrageous use of our servers for their own profit, and the large difference between one connection every three hours and 8,000 packets a second, I’m still left to wonder why they didn’t just tell us our basement window was unlocked. A quick call or email and we’d have locked it up tighter than a drum.

I really shouldn’t make conclusions from just one side of the story, but this does illustrate huge issues for companies involved in any sort of cyber security. How ethical is it to DoS unwanted systems or services, i.e. attacking the attacker (and did you verify they really are an attacker)? Why was MediaDefender injecting bad torrents into a legitimate torrent service, and how is that any different from an evil hacker doing it?

Oh, and this can be interesting especially if some of MediaDefender’s customers are Revision3 competitors.

working from home next week while training

It is amazing I don’t get to work from home more often, being a technology worker and all. Since 9/11 and other disaster events, there has been lots of talk about business continuity and disaster recovery, and it seems to me that working from home is a constant reminder of what it might be like if an office building were suddenly not available. Then again, a huge majority of the stuff I do is remote-based anyway, from VPNs to email to SSH to virtual consoles, to rdp… Besides which, it’s a nice change for the work-life balance, and means I’m removed from interruptions.

Speaking of, I get to work from home all next week as I will be attending training online from Citrix. We just received 4 load-balancers (Netscaler 7000s) to support our web environments, so I get to play with them extensively. It will be nice not only to master the new devices, but to also get closer to the end of this project. Last year we got hosed by Juniper and their shoddy line of load-balancers (now discontinued!), and then our vendor basically stopped talking to us after that. Not really sure why, it’s not like one bad recommendation was going to sink our use of them. Hell, we’ll still do business with other Juniper products as well.

Oh well, we’re moving forward and I’m excited by these devices. They have a ton of reporting options, and really just lots of other features in general. It’s been a while since I’ve seen a modern generation load-balance device (hell, they don’t even call them that anymore, but I’m stuck in my ways). And all devices should have dashboards. Even if I don’t use them a ton, they look important and impressive to everyone else.

there are hacker masterminds everywhar!

I was catching up on comments from the link in my last post about the TJX ‘whistleblower’ on Ha.ckers.org and caught this one:

HOWEVER, I can speak from experience that too frequently companies claim that they were hacked by an evil vicious mastermind when the fault lies in their own lackadaisical response to reported holes in their security.

I get that feeling with most of the disclosure press releases and news reports I read. Really? You had this mastermind hacker attack you? Uh-huh.

This is why I decry our lack of information-sharing.

Ok, I’m done being ornery after the long weekend. 🙂

the honesty of corporate security

This topic will soon be beaten to death, but I need to post it for my future reference. TJX recently fired an employee who disclosed weaknesses in their security. ComputerWorld has an updated article with details like the employee’s name. Ha.ckers.org posted an original tidbit last week, and here are the forum posts in question (as long as they are still up). There is also a post talking about how to more properly “whistleblow.”

I regularly decry the stifling glass walls of information disclosure and sharing of experiences, horror stories, and successes in our industry. I can also decry poor reactions to helpful employee suggestions or public disclosure of issues. If an organization can be so badly damaged if some information is leaked out (like poor password policies [or nonexistent!], unguarded servers, or poor network architecture), then something is definitely wrong.

Internal and even public open review of security stances should almost be a goal. If a security posture of an organization can withstand open review (like open source code), that can only be a good thing (unless your business relies on those practices as a competitive advantage, kinda like proprietary and secret warehouse sorting technologies).

We are in a new age where information travels far and fast with our efficient technologies, social networking, and news reporting services. It is no longer enough to have a security policy that prohibits talking about security issues in public. Twenty years ago, such indiscretion when talking at a pub with some buds wouldn’t have gotten very far, but talking with buds on a forum or online game can become re-referenced worldwide news very quickly. Is that something an organization should try to prevent and actively stamp out? I say not really.

There will always be people who disagree on issues and decisions passed down by management. One person’s trivial issue is another person’s crusade for insecurity; one manager’s accepted risk is another worker’s nightly worry. And there will be times where someone using a public forum as a soapbox to stir internal drama at an organization needs to be punished or removed. But an organization should use that as a last resort, and instead try to actually fix things rather than make them just appear to be fixed. And when not fixing things, admitting such and disclosing why, at least internally.

All this said, there will always be exceptions, and I’m not saying I would ever be a ‘whistleblower’ or support such actions. Just saying there is a better way of dealing with it.

(This is probably all stemming from our highly litigious culture. Rather than working together to do great things, we worry about covering our asses from all the life-damaging lawsuits that get thrown around. That and the quest for green…)

some psytrance and house for the weekend

In the random bucket, and just in time for a long weekend, I stumbled upon this link to some freely available psy-trance/goa music downloads at Ektoplazm. If you have any interest in psytrance (think: Infected Mushroom, Hallucinogen, or faster more layered beat-driven electronica/trance than what you would hear in a club, but not quite distorted and chaotic), check out the downloads page for popular examples.

Oh, and there are some quieter, more ambient (progressive) types of psytrance available as well. Rather than let you hunt for it, check out Koan, the Entheos sampler, and the Amber compilation. The Entheos album probably drops out of the psytrance category and into more ambient electronica, and is far more tolerable to most people.

Fans of soma fm’s Groove Salad should download the Entheos sampler. Track 7 is Gifted by Osiris Indriya (Seattle-area DJ, check his site for some awesome free club/trance mixes! Check this mix* (mp3) at a minimum) which is a downright excellent track and the whole reason I wandered to this site.

* If you know the sampled video game song at 3 minutes of the mix (Blaster Master?), please let me the hell know. It’s taunting me! If anyone can devise a way to be able to search on music hashes (Google Music?), I’d love you! Those of us who listen to music genres that consist of remixes or non-vocal music always have songs that we have no idea who does them or other tracks whose tags we don’t trust and suspect are wrong.

linux: screencasting, beautiful desktops, install tips

Hackers Life throws lots of interesting links into my reader, and a few I wanted to pull out and keep here.

5 ways to screencast your linux desktop – Ooo, I like this quick roundup of tools. A year ago I had some problems trying to record a screencast. I didn’t spend too much time on it, because I know Camtasia (Windows) and how easy it is to use. But I will totally try one or more of these out next time I have a reason to record my desktop.

10 most beautiful looking linux desktop [sic] – Alright, these look awesome. It’s been a long time since I really worked on my OS interface, mostly because I hate having to redo it on new systems or after reinstalls or whathaveyou. I also have always run Linux on my less stellar gear, but now that I have a ‘retired’ gaming system available, I may just have to check these out soon and see what I can imitate. I’ve been using Linux long enough that it’s about time I pull myself up another level of nix-geekiness.

10 tips for after you install or upgrade ubuntu – Really, everyone needs a series of notes on what you want to do after performing an install. It doesn’t take an IT worker long to figure this out, and it applies to home geek life too. These tips are almost all very useful and common issues Ubuntu users face. And yes, I admit my boot menu is out of control with old Ubuntu versions…

grossman and rsnake lay eggs!

Jeremiah Grossman and RSnake both laid sobering eggs in the last week, no doubt colluding to dilute… 🙂 They lament the fact that they post information on the Internet about security and vulnerabilities, but now that they are increasingly deep into the corporate professional security ranks, they aren’t able to talk quite as freely anymore when contracts and NDAs and so on are on the line. When only a handful of people know an issue, and it gets out, you know their asses would be nailed to the wall…or at least paychecks withheld.

No one with half a professional brain or experience in the actual industry is surprised by this revelation. But by posting this, they have really somewhat lost the ability to bitch about the lack of communication in the security ranks. And that’s because they’re just as much a part of the problem now as anyone. It’s even worse when you tell people you know things, but can’t expound. That incurs the ire of pretty much everyone, including those who Get It.

As Jeremiah’s post title says, this *is* the nature of things, economic and legal. Corporations have a big stake in keeping quiet about anything even remotely negative or insecure, and so do security professionals who want to keep their integrity and credibility. Likewise, both Jeremiah and RSnake gotta eat, and full disclosure, as RSnake implies, doesn’t pay the bills (or expensive cars).

While I agree that specifics on issues may be difficult to reveal, both Jeremiah and RSnake should still be free to talk about vague issues without getting anyone into trouble. Rather than some POC that has the client name hardcoded, create a copy somewhere and demonstrate with sanitized examples. I don’t think anyone is really after smearing particular companies, products, or salivating at being the first one to profit off some vulnerability in a popular site. And if that is the fear, then we have a messed up view of reality.

Yes, I Get It. I know Jeremiah and RSnake have their reasons, but at some point we’re going to need to catch up to the communication abilities of the attackers in countries without such paranoid views of disclosure and legal lashback. Sadly, there are already signs of this getting worse, as Germany and Britain have made huge steps to stifle innovation and sharing with hamfisted attempts at control through law.

This is an opportunity for Jeremiah, and maybe even more so RSnake, to attempt to lead by eschewing such self-imposed gags. They don’t have to be whistle-blowers by any means, but they are creative, enthusiastic, and experienced enough to be able to keep disclosing innovation and ideas without endangering lives or livelihoods. They made their reps and their current standing by talking about things. To change that now is perhaps succumbing to the corporate machine of things.

Despite all of this and my own commentary above, I deeply admire and respect both Jeremiah and RSnake and fully respect (and even grudgingly sympathize with) their positions. I just wanted to leverage their posts for some soapboxing.

when the cost of technology outweighs the value

The cost of technology is frustrating to the business. Hell, it’s frustrating to other technologists! As a disclaimer, I am by no means a Microsoft hater. I like Windows products. I use them at work and often at home.

In my company we use Altiris as our desktop deployment solution. We buy systems from Lenovo/IBM. These systems come with an OEM version of Windows.

We just learned this week that that OEM version is not transferable in our deployment architecture (or any imaging architecture). We now have to repurchase pretty much every copy of Windows that we have. Woot! And people wonder why I refuse to spend my personal money on Microsoft stuff…

Microsoft reps have really wanted to get us to move to an enterprise contract which is basically a high end software assurance deal. But we don’t want to pay Microsoft for the belief that someday they will come out with a product we want to deploy. Software assurances of the past have been a joke. A 3 year deal doesn’t necessarily pay back anything. It took Microsoft 5 years to come out with a new SQL version. The time between XP and Vista was over 3 years. The time between Windows Server 2003 to 2008 has been over 3 years.

Microsoft does add a lot of things to the software assurance deals, but almost all of them have no value to us. In the past decade, our IT teams have not used those services much at all, and we don’t see any real reason to; they have little value to us. It is far cheaper to purchase (and repurchase!) Microsoft licenses outside of an assurance agreement.

And that’s not to even say the products Microsoft offers are ones we want to deploy. Vista adoption in the enterprise is far lower than XP was. And even if one wants to argue that number, there are many companies that have zero plans to adopt Vista, whereas at least with XP most planned to move to it. Business users don’t need fancy graphics and 2GB RAM requirements. Home users use the OS more than business users.

Yes, there is a trend that computing is moving closer to the cloud. Yes, it feels like Microsoft is getting more desperate to cash in as much as they can before that move starts gaining momentum. But will Microsoft’s own actions hasten their own fears? Kinda like wanting to hold water in your hand but knowing it will seep out, and seep out faster if you hold it harder.

ground rules

Back in high school and college, a buddy and I made some ground rules for ourselves dealing with relationships and women. These rules were designed to not waste time with mistakes or bad situations, and make sure our own behavior didn’t turn sour. (While excellent, something may have been wrong since I’m still single! 🙂 )

In some past posts I see I’ve been slowly formulating some security practice and discussion rules.

I talked about security religions and the difference between people who believe security must be baked in and absolute versus those people who believe in the value of incremental security.

I just posted as well about different perspective scales. This contrasts people who see security in their own fortress against those who view security on a globally relevant scale.

I’m sure I have had more, and will have more yet, but I wanted to start getting in the habit of keeping similar posts linked together, for my own reference. Maybe this is one of those places blogs are insufficient and a wiki would be more appropriate.

getting on the same page: perspective

When having a discussion about digital security, it is important to keep in mind a few things. Perspectives, assumptions, definitions. In short, getting on the same page so that we can discuss properly, sort of like normalizing fractions so that you can compare them directly. Is 13/15ths greater than 41/45ths?

When it comes to security solutions, I increasingly find two different perspectives related to scale. In fact, I’m sure I have these sides as well. And no, I don’t have good names for these sides; microscopic and macroscopic didn’t seem to quite fit.

First, I have a side that looks only to what my finite organization needs in terms of security. What works for me may not work for others. These solutions only need to scale as far as I need for my org. They may even scale poorly to the cybersphere. For example, I like to use arpwatch on my local networks to spot rogue devices. This works for me, but may not work for a 10,000 node infrastructure. Another example would be my personal decision to use a seatbelt when driving.

Second, I have a side that I would show more often if I worked for an ISP, or some less finite organization looking for absolute or universal utility. These solutions need to scale only so far as…well…everyone and every system. An example might be trying to solve a universal cyber identity issue, or protocol issue (DNSSEC), or global security standard. Or the entire existence of seatbelts in cars.

Both of those sides can often be at odds, and each has good reasons. It is important to make sure the participants in a discussion match their perspectives and scopes. It is also important to be consistent in our own application of these perspectives to our goals and projects.