To put this topic to bed in my mind, here is Apple’s notice about wireless security updates. This hopefully will also put other people to bed who criticized and had panic attacks and panic fanboy defense when Maynor and Cache presented about wireless driver exploits and did so on a Mac. I love Macs as much as the next person, but please, don’t cannibalize our own people. We need to encourage research, not hang it out to be stoned when it discovers something important against our favorite hardware/software or isn’t fully disclosed like our mischievous hearts want. This whole situation elicited passionate, emotional responses from many people (we should have seen that coming, with the Mac vs Windows vs Linux debates), including people who should be more disassociated due to our profession. That includes journalists and bloggers who completely misrepresented and had no comprehension of even a visual, video presentation and what the implications were. Unethical journalism (brought in large part due to the clashing and greying between proper journalism and amateur bloggers) really did not help.
[ Update: Two more links just for me. First, Matasano’s commentary on the new patch, and a link from a commenter about third party accreditation when you can’t trust the researchers, the press, or the company. Excellent idea!! ]
At any rate, hopefully this is back to bed, and props to Maynor and Cache for putting their necks in the noose, whether for fame or public utility (I don’t much care), at least this improves our awareness about wireless issues and improves the software and drivers that power it. Ignorance is not a security blanket.

atm crime spree? more about default passwords

A recent theft from an ATM in broad daylight, using a key sequence that unlocked the machine and allowed the criminal to reprogram it to dispense larger bills than it thought it was dispensing, has had plenty of follow-up.
While this issue may bring the idea to the minds of young people in some small groups of the nation, I doubt this will turn into some sort of crime spree. However, it does illustrate exactly the failings of computer networks decades ago, and something that continues today in many electronics areas outside computer networks: default passwords. When a technician or operator installs electronic equipment like ATMs, it is very unclear whether they properly change default passwords or close any backdoors. Telephone boxes, ATMs, lighted road construction signs, and many more devices are frequently left with default passwords. The only protection is usually threefold: 1) a lock on the internal workings of the device, 2) obscurity, by not widely publicizing the passwords, backdoors, and manuals, and 3) common human conscience not to do something criminal in public.
The hacking/phreaking community has known about these things for decades. ATM boxes are a very popular target and many of these issues have long been known. A lock can be picked, broken, or just plain left unsecured. Obscurity is not a protection when used alone, and hiding passwords, manuals, and basically not teaching non-qualified people how to use devices is not protection. Frequently, this is defeated by operators leaving the manual nearby or scrawling notes with passwords inside the box. Obviously, the conscience of the person is widely variable and some people will not be deterred by it.
It is only a matter of time before more things like this are discovered out and about in less technical areas of the world. These lie in the gray, forgotten area between the time when electronics started getting smarter and thus needed passwords for operation, and the widespread security paranoia around computer systems, with widely publicized attacks via a very efficient Internet medium. Also, many of these systems sit in an area between white collar workers and IT staff; a lost area that is as much ignored as actually forgotten.

linux as my main box – part 1

I have used Linux here and there in the past 5 years, but in the past 2 years, my experience has been drastically limited to livecds (which, in their own right, are really awesome anyway!). I’ve long wanted to get away from Windows since I know 95% of what I’ll ever know about Windows XP and previous anyway, and I really want to use a Mac or Linux box as my main OS at home for various reasons.
I’ve never made the jump and kept putting it off due to this reason or that, most notably two major reasons: I wanted to play WoW, which is difficult for anyone on Linux, and I wanted easy wireless access that wasn’t a bitch to configure, support, or install. Wireless support has gotten better in the past few years, and my laptop really is not nearly as fun to play WoW on as my resurrected gaming rig. So…all the big barrier reasons are gone!
This weekend I went out and bought a new laptop drive, 100GB. My plan was to dual boot Windows and Ubuntu Linux and also have some room to run a VM in Ubuntu and VM another Windows install or two plus others. The reason to dual-boot is so that I can get true wireless on both OS, since any VM is going to think it is on a wired connection. More on this later…
So I swapped my drive and put in Ubuntu 6.06 desktop. I did an install, it performed a format on my drive and was done. I literally blinked a few times and figured something screwed up or the instructions were incomplete. I rebooted Ubuntu from the livecd, saw that I had missed nothing, and on a whim decided to reboot without a cd. Sure enough, Ubuntu started up just fine and had been installed on the HD just like that. Wham! That’s the shortest install of an OS I’ve ever had!
The sad thing, though, is the Ubuntu partition support. It is basically an all-or-none approach and I didn’t get much help or options in doing manual partitioning. Unfortunately, the automatic part made me use all 100GB of the disk for ext3. Hrmm..well, I guess I can live with that for now and just swap hard drives when I want to go Windows. I may have to add in a mini-project to see if I can get an external enclosure and boot from it, but that’s another project.
So, Ubuntu was working. In fact, both my wired and wireless network cards were recognized immediately. I hooked into my wired network, got an IP address, connected to my wireless AP to get my WEP key (yes I use WEP because I practice breaking my own network with various tools…long story), and configured up my wireless. Big props to Ubuntu, as it took on the first try and I had wireless on Linux with zero blood and sweat. Wow!
Now, I’m swapping back and forth between my hard drives and Windows and Linux as I move all my tasks and things I do on Windows over to Linux one by one. Hopefully in the next week or two, I will be running Ubuntu 95% of the time my laptop is powered on. The only snag may be if I figure out how to most properly carve up my disk so that I can still dual-boot Ubuntu and Windows XP. This might mean installing XP first and using it to format the disk, then seeing if Ubuntu will limit itself to whatever space is still open. I’d like to just do about 35GB for Ubuntu (ext3), 15GB for Windows XP (NTFS), and the rest for either shared space (FAT) or VMs.
Next steps: Opening up Synaptic to allow me to install packages from the universe and multiverse, finding the root password (yeah, go figure, I couldn’t find it and it never asked me for one on the install?) so I can su up, and getting some common apps installed that I use on a daily basis, such as Thunderbird, gaim (or a Linux equivalent to gaim), and mp3 player. Now that I think about it, my ipod support may be all borked up now. I use winamp+ml-ipod to manage my ipod and music as opposed to iTunes, but thankfully that is a minor gripe. I’ll live. 🙂

simplicity sells

I’ve read this in a few places recently, in particular regards to security software and appliances, but this video of one of the TED talks by David Pogue ties that in with my own feelings of the lashback on computers and electronics and how things are just too damned complicated. Too many buttons, too many clicks, too many features I will never use. For some people they stomach it, for others, they abandon the tech. I know too many people who are abandoning computers and the Internet because of all the complications.
Well, simplicity sells, and the above-linked talk was very well-done. Take out features, don’t cram them in. The company 37signals does this as well, and has been remarkably successful, as have other post-dotcom small software companies, and even large companies like Apple with the ipod. This world needs simplicity and to get back to basics as opposed to bolting on features. Google, while maybe not as simplistic anymore overall, still has the best, most-trusted, and simple web search. Do that one thing and do it well.
I look forward to security software and appliances taking note of this trend and offering just the one or two things instead of trying to package every security measure into one device or app. I think this is short-sighted and just a way to increase their market and market share. Instead of doing things well, overwhelm others by just out-featuring them to get into as many markets at once as possible.
Linux and Unix have done this well for years, decades. Simple programs with few bells and whistles that do their designed task and no more. To do more, you combine them with other equally streamlined tools. cat firewall.log | grep denied. That’s the true beauty in *nix, the command line power and simplicity. Granted, this is a geek’s take on it… 🙂 At least in the *nix world, the techs like me can still milk our creative sides in using these tools together in complex and beautiful ways as opposed to being handed a huge soundboard with 209208 dials and switches to do god-knows-what and produce 45x more reports than I’ll ever use.
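
The same combine-small-tools idea carried a few steps past cat firewall.log | grep denied, as an added example that is not part of the original post. The log layout, the sample lines and the function names are assumptions made up for the illustration.

```shell
#!/bin/sh
# Constructed sample log; the field layout is an assumption for this example.
write_sample_log() {
    cat > "$1" <<'EOF'
2006-09-21T10:00:01 denied tcp src=203.0.113.5 dst=192.0.2.10 dport=22
2006-09-21T10:00:02 allowed tcp src=198.51.100.7 dst=192.0.2.10 dport=80
2006-09-21T10:00:03 denied tcp src=203.0.113.5 dst=192.0.2.10 dport=23
2006-09-21T10:00:04 denied udp src=198.51.100.9 dst=192.0.2.10 dport=161
2006-09-21T10:00:05 allowed tcp src=198.51.100.7 dst=192.0.2.10 dport=443 note=previously-denied
2006-09-21T10:00:06 denied tcp src=203.0.113.5 dst=192.0.2.11 dport=22
2006-09-21T10:00:07 denied tcp src=198.51.100.9 dst=192.0.2.10 dport=22
2006-09-21T10:00:08 denied tcp src=192.0.2.77 dst=192.0.2.10 dport=3389
EOF
}

# top_denied_sources LOGFILE [N]: print "count source" for the N busiest denied sources.
top_denied_sources() {
    grep -E '^[^ ]+ denied ' "$1" |   # match the action field, not "denied" anywhere
        grep -o 'src=[^ ]*' |         # keep just the source token
        cut -d= -f2 |                 # strip the "src=" label
        sort | uniq -c |              # count occurrences per source
        sort -k1,1nr -k2,2 |          # busiest first, ties in a fixed order
        awk '{print $1, $2}' |        # normalise the padding uniq adds
        head -n "${2:-10}"
}

# denied_ports_for LOGFILE SRC: distinct destination ports one source was denied on.
denied_ports_for() {
    grep -E '^[^ ]+ denied ' "$1" |
        grep -F "src=$2 " |           # trailing space: 203.0.113.5 must not match 203.0.113.50
        grep -o 'dport=[0-9]*' | cut -d= -f2 |
        sort -n | uniq | paste -sd, -
}

# Demo run against the constructed log.
log=$(mktemp)
write_sample_log "$log"
top_denied_sources "$log" 3
denied_ports_for "$log" 203.0.113.5
rm -f "$log"
```

Matching on the action field matters here: a bare grep denied would also count the allowed line whose note mentions "previously-denied".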

pruning links

I am hoping that I finally am hitting critical mass with all my links at left. With some luck and free time, I can start pruning the list of all the useless links/blogs that don’t offer me much of anything, and instead focus on what I truly want to read. I’ve been getting behind on more than a few of these sites, and it doesn’t help that the web filter at work is more stringent than I am very comfortable with. Lame. Nonetheless, I need to start blocking off some time, maybe Sunday mornings at the bookstore or some other place I find that is conducive to reading sites, and make a habit of it.

Some ramblings for myself… Do I need 56 news sites and 234238 blog sites? Most likely not. I bet most anything of interest in the news will be covered in at least a couple of the blogs I visit. Do I need 9 antivirus sites? Actually, I do prefer a range of them. Whenever I do some research or incident response on a particular bit of malware, I prefer to look at reports from multiple sources to get the most information possible. You can’t have too much info when dealing with malware infections. Do I need all the podcast/vidcast sites? Nope. Despite my best intentions to watch and listen to them all, I just simply do not. I like visual stuff, but so far have yet to even begin to catch up on the audio-only stuff. I just have no habit for it, or automatic way to download them all and get them someplace for me to listen to. Perhaps when I get a car adapter for my ipod, I’ll develop this habit… Yeah, I definitely need all of this in wiki format. 🙂

And yup, now that my little veil has been lifted, or kimono shifted open a bit, I’ve seen some trackbacks from a few other sites that I visit from here, now. I guess I can’t complain, and don’t mind the company at all. 🙂 It certainly makes coding just a smidgeon easier, and visiting links as well, since it doesn’t take three clicks per, now. Simplify, simplify!

blogs and wiki

Well, my main site is going to be updated in the coming months with a real blog. In recent updates here, I’ve noticed that a blog format, even as open as blosxom is, is just not the ideal format for me to use here. My updating style and the way I use this little site is much more akin to a wiki. In fact, it is a wiki, only not yet. So I think this can give me some experience (again) with installing a wiki and a blog. I’ve never fully put up a wiki myself, so this will be a good task to do.

Of course, I am not about to pay for something I could likely make on my own with enough time and energy. For blogs, Movable Type is now free for personal use again. My current site new is kept in MT, so I have no real reason to change. For the wiki front, nothing has a more rounded listing and look at CMS products than OpenSourceCMS. Wow!

stream of discovery?

Stream of consciousness amazes me. In addition, the stream by which we discover new experiences is fun too. Take for instance this quick journey.
I like hacking and computers and security. Recently, I found a bunch of movies from the 22nd Chaos Computer Congress lectures from late last year. One lecture was “The Realtime Podcast.” The lecturer basically ran an actual podcast on stage, but the podcast consisted of him lecturing on how to do podcasting, the tools, styles, marketing, etc. His background music was really cool. Thankfully he acknowledged it as DJ L’embrouille. The music is just this really chilled out electronic/ambient mixes. Amazingly, he releases these to the public and can be downloaded. So now I have been listening to about 10GB of his mixes and loving every minute of it. This is awesome stuff to just have playing in the background while doing some computer work.
Now, if this guy had not released this stuff freely, would I have ever heard of him? Doubt it. Would I pay to see him in person? Yup…and that would be money in his pocket due to free Internet distribution. Wake up RIAA.

security and hacking videos

I finally tracked down this link to a HUGE collection of videos (mp4 format) available through BitTorrent of presentations at the 22nd Chaos Communication Congress (22C3) in Europe. Will need a Torrent client like Azureus. I have already started downloading this and am not even 1/4th through the list and it is already taking up 12GB of space. Will also need QuickTime or an alternative to QuickTime (recommended).

Updated link: videos. Be creative with the URL and you can find past years. When in doubt, hit the root site.

usb switchblade

From Hak5, here is a link to a USB “Switchblade,” which is basically a Windows-hacking USB key that is really slick. I’m looking into making this right now if I can find a spare key.

The show notes on this section are helpful as well. I only have one U3 key, so I have been playing with the non-U3 technique. You still have to click something when using a non-U3 key. I may look for a small, cheap U3 key here soon.

Even more info on the forums.