netflix has a ways to go yet

Netflix is one of the sweetest services in years and I love them. Then tonight I decided to try their instant viewing option. I have a very untouched Windows system that I use for gaming and nothing much else; no security crap or anything. I tried to watch Ghost in the Shell SAC volume 4 (out of 7). I clicked Play next to the selection in my queue, and I am taken to the very first episode on volume 1. I actually have to click through 12 episodes to get to where volume 4 starts.

Sadly, clicking through without watching the whole damn thing means the Netflix player randomly thinks my connection has an error and throws up. I then have to start the whole thing over.

It feels like flipping a coin and hoping for heads 13 times in a row.

Nonetheless, if I just wanted the first title (like most movies they offer on instant play), it was slick, quick, and decent enough quality! I just happen to have some trouble trying to skip to the middle of a series.

digital comfort

Much like a baby is comforted by the rhythmic heartbeat and protective arms of a mother, so too am I comforted by monitors, logs, throughput graphs, scrolling shells; the dull background thrum of my infrastructure, all speaking the steady pulse of the network.

mbta-mit editorial on securosis

Mogull has posted a guest editorial from Jesse Krembs which is a rather excellent read about the MBTA/MIT incident. I suggest checking it out and posting some feedback. I posted some of my own thoughts, but like most people, I’m open to how others think, especially as I’m not strongly inclined either way. Actually, I’m pretty strongly inclined to sit in the middle rather than gravitate to either side. Not uncommon for an INFP. 🙂

authority figure intimidation

I’ve actually had some time to do some reading this morning; look out! I read over Joel Spolsky’s latest INC.com article: “How Hard Could It Be?: How I Learned to Love Middle Managers.”

But they also said that Michael [co-owner] and I did not seem to them to be approachable. If you wanted to talk to management, you had to coordinate a time when both founders were available, and frankly, a lot of people were too scared to do that. This surprised me, because my door is always open, and people seem to come in constantly to ask me questions. I didn’t realize that some of the newer people were intimidated.

Joel chose to tackle this issue several ways, most prominently by appointing leaders (pseudo-middle managers) who are more comfortable approaching the CEO than the newer guys. Yeah, that’s a way to go, but it really doesn’t solve the intimidation problem, does it? It just abstracts it a layer away.

To me intimidation always starts out as a perceived thing and it can come from a few conditioning factors. (Note: I’m using “intimidation” as more like an employee being timid, as opposed to an employer being actively menacing and intimidating.)

1) The employee’s previous workplace was highly authoritative and the managers really were actively intimidating or controlling. Hit a dog enough, and it will cower any time anyone moves towards it suddenly. Only time fixes this.

2) A natural sense that an authority figure is of some higher stature or importance and won’t consort with buddy-buddy talk with lower employees. Can the CEO really relate to my Rock Band hobby? The authority figure can fix this.

3) A utilitarian sense that the value of an authority figure’s time is too important to spend listening to an employee. (Really, just think how much a minute your CEO likely makes…that’s intimidating). The authority figure can fix this.

4) A perception that any time spent in front of an authority figure is judgement time; every movement, word, and tic is being judged by the authority figure and may get you on their negative side. The authority figure can fix this.

I wonder, however, if there is a better way: make some time to buddy-up to the new employees. Take them out, get dirty and play paintball, sit down and join in with some video games and trash talk, go out for beers Friday night and check out the game or the girls. Basically, bridge the gap of friendship and familiarity.

Don’t make this a fear-inducing lunch outing with the CEO on Friday (“am I being fired?”), but rather something that doesn’t make someone question whether they’re acting properly for the CEO, nor forced like it is the CEO stooping down to rub shoulders in the trenches….while he wears his suit and tie and cuff links and checks the time on his next appointment.

To the outside world, be the CEO. But to the inside intimate company, be just another guy who knows the answers.

(Disclaimer: I’ve never been a manager, so I may be full of shit. 🙂 )

eavesdropping on the internet

At Defcon 16, I missed an unscheduled talk by Anton Kapela and Alex Pilosov on stealing the Internet. I quickly learned that they had leveraged BGP to route traffic from the Las Vegas con over to one of their servers in New York, and back to the con again, with no one the wiser.

Kim Zetter over on Wired has an article discussing this eavesdropping attack. While it doesn’t sound new or innovative (kinda like I can prank call you on the phone because, get this, the phone lets me call you!), it is still a decently big deal.

The attack is called an IP hijack and, on its face, isn’t new.

Pilosov’s innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs.

Ordinarily, this shouldn’t work — the data would boomerang back to the eavesdropper. But Pilosov and Kapela use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients.

Kim has a follow-up post with more information that didn’t make the first one.

samurai web testing livecd

In other livecd news, I see there is one geared towards the web app testing crowd: the Samurai Web Testing Framework v0.1. I can’t comment on the quality since I’ve never seen or heard about it, but might be interesting to someone. Looks like it might be put up by some Intelguardians guys.

Update: Lo and behold, I found more info over at the actual website for the Samurai Web Testing Framework! Stolen from their post:

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such as WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

discovering more security blogs

It’s been a long time since I just randomly browsed other security-related blogs, checking them out, finding their own list of friends or links, clicking on them, and just doing that for a few hours and linking my way around to all sorts of new sites and people.

In seeing Mubix’s post about Defcon tools on his blog, I saw he tracks others who link to it. Nice! For a post like Defcon tools, it is both popular and pretty security-related, which means every one of those links is likely another fellow who has similar interests.

Hell, I should get around to harvesting my own web logs for such trackbacks…

multi-iso livedvd with security distros

Sticking to a week of Mubix reposts, he has mentioned the release of a LiveDVD consisting of various security-related LiveCDs from badfoo.net. The file is just over 4.0 GB in size, but sounds intriguing as an all-purpose boot disc/key for flavors like Backtrack 3, Knoppix, and MPentoo. Sounds like a great excuse to finally bump up into the higher USB sticks.

I swore I’d seen something similar a year or so ago, but can’t for the life of me find it. I might have gotten confused with blog “round-ups” of various live cds…

kaminsky talk posted; hacker media archive needs a home

I’ve seen this posted a few places already.* Dan Kaminsky’s Black Hat talk has been released. It was just last night I was flipping through his slides, but felt like a little was missing on a few pages and left me yearning for the talk. I guess I yearned hard enough as it is now posted!

Audio
Video
Future/current home of Black Hat Audio Visual files

I’ve also seen a few postings* as well about the hacker media archive needing a new home or assistance with bandwidth. Darkoz just posted in the last few days about it. 550 GB+ is a lotta information that should remain available!

* Picked this up from Security4All, but I also see McGrew has posted too! Others as well, but those are the two I saw first.

amrit’s 11 worst ideas in security

Amrit Williams has posted his “11 worst ideas in security.” Excellent list and I’ve pulled a few out for my own reactions.

#11 – Security Industry and Market Analysts – Yeah, they say more to the marketing teams of the players in the markets than to anyone actually using or looking to use the products.

#8 – Scan and Patch – I think this one is a challengeable position, and could make for nice discussions. He’s right though, it can come down to incessant nagging.

#7 – PKI – It’s a love-hate thing. I love reading articles that talk about implementing PKI to support this-or-that, because I hate so much about how misled such people are. A drink to anyone who has implemented real PKI successfully!

#3 – The Vulnerability Disclosure Debate – Amrit is right, who the crap really cares? In the end, the attackers certainly don’t.

#1 – Security Vendors and the VC’s that love them – It sucks to keep this in mind: “The goal of the security industry is not to secure, the goal of the security industry is to make money.” I think many people create or work in such organizations because they do want to promote security, but yes, in the end the industry and organizational entities themselves are just there to make money (as are some of the hierarchy in such orgs).

bypassing the terrorist watch list

It is not new that the TSA/FBI gets shit for their “terrorist watch list” (or no-fly list) in the airline industry. But I read through this article (top story on CNN front page even) out of amusement, which quickly turned to head-shaking, and even a bit of anger by the end of it.

Wow, just get rid of the fucking thing! Not only is it obvious how easy it is to avoid, but it’s not like being denied entry on a plane will thwart anything. So they don’t fly that day. They’ll fly the next day under a slightly different name like the people in the article. What a waste. And then the people who can stop such madness just end up pointing fingers and blaming each other while not actually doing a damn thing.

Such stupid decisions get made with something as big and visible as the gov’t and airline safety. I guess I shouldn’t then be surprised when far smaller groups of people in various organizations make equally bonehead security decisions, eh?*

(* On a side note, I’m becoming more convinced that lots of people in high positions make poor decisions, especially with security, because the people who report to them aren’t entirely honest or maybe unintentionally miscommunicating… one thing I hope to learn sooner than later is to lay things out to such persons, even if their name is on my check and they don’t initially like what I have to say.)

warcraft guild hacked, illustrates challenges to normal users

Sometimes you get painful lessons in what “normal” people think about computers and security. Sometime in the last 4-5 days my World of Warcraft guild’s guildmaster had his account broken into. The attacker logged into his account, raided the guild bank and his toon, then did a /gdisband (disbands the guild) among probably other things. Our gm wasn’t even in town, as he’s away at GenCon. Tough times. (And just as we’ve started our first few weeks of pulls on Illidan).

In correspondence with him subsequent to the event, I find out that he uses the same password/account for many sites and may have used one or two of them while at the con, including our guild forums which do not have SSL. Rut roh. Of course, this only adds risk, but this actual attack could have come from elsewhere for all we know so far.

He has a good idea about running rootkit scans, keylogger scans, and a personal firewall, but beyond those general concepts the thoughts of properly managing accounts, passwords, and operating on potentially hostile networks is a bit foreign.

Here’s another way to look at it: He’s getting to be ok in knowledge of his own computer, but the more boring concepts of security are falling by the wayside. Network knowledge is a whole different ballgame for most people, and deeper knowledge of how one interacts with the Internet is not as useful to most people as how they interact with their actual system.

Could this be fuel to the fire that says passwords suck? I don’t think so. Passwords, tokens, keys, digital IDs; they all need key management. I think this is fuel on the fire of teaching better key management, i.e. don’t use the same strong password everywhere.

While an annoyance to me, it is a good reminder not to look at normal people like they’re idiots because they don’t know SSL or the threats posed by wow-related webpages, but to have patience and make an attempt to bring them up to speed.