Of course it is only a matter of time, but I have slowly seen a few comment spam posts on my blog here. This is an itneresting way to see the growth of comment spam and make a few observations.

First, I’ve only seen comment spam on just a few of my posts, and typically over a week I’ll get about 10 comments on just those posts, no others. Odd, especially since two of them even pre-date this URL and site (posts ported over from my older site). I would almost think I am just getting collateral damage from a link to my site from somewhere else, but no one links to those posts that I can see. I might have to analyze my logs a bit deeper just out of curiosity. They are also almost all in chunks and only yesterday did they start getting past the junk comment filters in MovableType.

1/09 – 1/21 spam came to html in email from 12/2006
1/22 spam came to malware analysis: free video codec from 11/2006
1/31 – 2/07 spam came to illustrated guide to cryptography from 6/2006
2/02 – today spam came to remoteregistry issues from 8/2004
2/13 – today spam came to turn off ssdp and upnp from 8/2004

Second, I thought about changing their spam comments to something like, “My IP is blah and I tried to post comment spam.” But that itself is spammy and won’t scale. Or post regularly about my spammers, but again that is spammy itself and likely are just “innocent” bots.

I think I’ll just keep deleting them, but I am happy with MTs ability to score comments and hold them Unpublished if there is too much HTML in the comments. Also, there are limits to the length of certain fields which no legitimate poster should bump against, but spammers might hit. Still, some do get through, though. I also like that I can subscribe to an RSS comments feed which will show me published and unpublished comments readily and I can catch these things.

This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won’t be upset if you skip this post. I’m posting only because this will mark my first exposure to PowerShell.

The games have begun. Event 1 in the Beginner’s section basically wanted the creation of a message box (dialogue box, pop up box, et al) that changed a few attributes and did something based on the return behavior. My code looked like this:

[System.Reflection.Assembly]::LoadWithPartialName(“System.Windows.Forms”)
$answer = [System.Windows.Forms.MessageBox]::Show(“Do you want to continue?”, “Continue Processing”, “YesNo”, “Question”)
if ($answer -eq “yes”)
{echo “Yes – Processing will continue…”}
else
{echo “No – Processing stopped”}

Nothing really special there. The only bad part is that I wasn’t able to bring the pop up box to the front, although some Googling turned up that this is a known issue that can be solved with vbscript.

Beginner Event 2 was a series of questions, each scored independently. In one column were ten classes, and in a second column were ten properties. The question is to match the classes with their properties. Not so bad. While I could eyeball this list and likely get an easy 8 of 10 correct, a couple would have required guesses. However, there is an easier way to do this:

get-wmiobject [class] | get-member

Replace [class] with the class name and look through the list for the matching terms.

Now, because of my success in the Beginner Events, I thought I would try my hand at the Advanced Events, which are definitely more up my alley as long as they stay in the “logic” arena as opposed to knowing my way around all the various obscure commands and methods and objects in PowerShell that I don’t know yet.

Event A1 wanted to convert from Roman Numerals to regular numbers. This actually proved more interesting than I thought it would be, and my eventual program, while satisfying the requirements, would not hold up to invalid input, error checking, or additional roman numerals above M.

$r = Read-Host “Please enter a Roman numeral:”
$a1 = $r.ToCharArray()
$a2 = @()
$value = 0

for ($i=0;$i -le $a1.length;$i++){
Switch ($a1[$i]){
“M” {$a2 += 1000}
“D” {$a2 += 500}
“C” {$a2 += 100}
“L” {$a2 += 50}
“X” {$a2 += 10}
“V” {$a2 += 5}
“I” {$a2 += 1}
}
}

for ($i=0;$i -le $a2.length;$i++){
$v1 = $a2[$i-1]
$v2 = $a2[$i]
$v3 = $a2[$i+1]

if ($flip -eq 1){$value += ($v2 – $a2[$i-1]);$flip=0}
elseif ($v2 -ge $v3){$value += $v2}
else {$flip=1}
}

Write-Host $value

Event A2 was simpler even though I had more trouble finding the information I needed (syntax, really). Find the number that when multiplied by 3 would give the smallest answer that consists of nothing but 4s. The answer is 148, and while I could create a script to find this by iterating through every number by multiplying it by 3 and check if the answer is all 4s, or even start with 10 4s and divide them by 3 all the way down to the lowest, but I eventually decided I wanted to just build a string of growing 4s and check each one to see if it was evenly divisible. Sadly, when I submitted my entry I made the mistake and echoed out “444” instead of the needed “148.” D’oh! I was too excited about figuring this one out!

$a = @()
do {
$a += 4
$b = [String]::join(“”,$a)
$m = $b % 3
if ($m -eq 0){
$x = $b / 3
write-Host $x}
}
until ($m -eq 0)

Not too shabby there, I hope! So far, that is very encouraging and my goal has expanded to not just completing the Beginner section, but to complete at least half of the points from the Advanced.

So, the FBI is still losing laptops with sensitive information. What I really hate about this sensationalist news is things have been lost or stolen for decades upon decades. We have laptops and mobile devices and they will get lost. That’s fact and that’s going to be absolute. This is a classic example of a security incident that will happen. That means the real story here is about damage mitigation, disk encryption, and data management.

“Thus in war, I have heard tell of a foolish haste, but I have yet to see a case of cleverly dragging on the hostilities. -The Art of War, Chapter 2: On Waging Battle

I take this to mean, do. Don’t wait around and throw sticks at information security. Do things. Get to work. Perform some action.

They have begun! I started in on the Beginner challenges and finished the first two rather quickly. Just for my own benefit (ego) I’ll post my own answers here after the deadlines. If nothing else, it will be just for me to document my own code and dive into PowerShell.

Since I did the two first beginner events, I thought I’d try out the Advanced ones. These are a lot more complicated for me as a beginner, but at least I know the logic and can think through things like how to get from problem A to solution B. Now I just have to look up each little step like getting input into an array, any nuances with variable types (if any) that PowerShell may have, proper syntax for ForEach loops and Switches, and basically working with arrays. I also need to see how it performs with null values or the ends of arrays. Thankfully, the PowerShell syntax so far seems very familiar and standard. I think I might be fine with a couple of the Advanced problems.

Just a quick word of advice, both to anyone reading and myself as well. If you find yourself at a point in your career where you have some good experience/knowledge and some free time to spend either in your job or just at home when geeking out, keep your eyes open for new things and grab onto them with both hands. Look for something new, learn it, and become one of the early gurus. Things like PCI knowledge, PowerShell, wireless technologies, FDE, Python, AJAX, VMWare, and many other things I have had the chance to see kinda appear and grow in my time in IT. And those people who latched on early and became gurus definitely end up being go-to guys either in their own company, the community, and possibly beyond. People you know normally suddenly are the “first” to really offer good insight and knowledge get noticed for that.

Just a note to look for in the future as technologies, languages, and practices continue to move forward. This might not mean you can become a highly paid consultant or start your own business, but at least keeping the above in mind might really grow you professionally and get you noticed in the community.

“Therefore, the business of waging war lies in carefully studying the designs of the enemy.” -The Art of War, The Nine Kinds of Terrain

Carefully studying the enemy motivations and plans and mindset but also knowing their machinations, technology, techniques, and habits. Every now and then I hear about how evil it is to have “hacking” books that shouldn’t be teaching all the techniques and steps. I don’t buy that and think that we need knowledge and study not only of security, but of insecurity so that we can assess risk and protections properly.

Another aspect of this quote is carefully studying a war in progress so that you can move intelligently. If you have an attacker in your network doing something bad, carefully study them so you know what they want, what defenses they may have already dug in, and be best able to defeat them. Just like a chess game that has developed from the start game into one side moving into an offensive position. Play as many steps ahead as your time and brain allow.

Two sites I like to peruse for new ideas on things to try: AskApache.com and Howtoforge.com. Here are some links from there and elsewhere just for my own note, maybe for this weekend. I cannot attest to the quality of this information yet.

on favicons
on robots.txt
sniffing undetected?
bypassing VLANs?

odysseus and telemachus

I work in a Windows environment. I’ll likely work with Windows in some form or other for my entire career, unless I get completely sucked into networking. And yet I don’t know Windows scripting. Oh the travesty! Seriously, I like programming, but I’ve never freakin’ properly learned Windows scripting. I think I will be taking a good hard look at the Microsoft Scripting Games 2007 to see how things work and maybe tackle a few of the easier challenges and get my feet wet. Really, I don’t need to be some guru that uses scripting day in and day out. You can get by with things like maintenence scripting quite well with just occassionally challenging oneself to script a little bit.

And I like challenges like these Games. There are some ways to learn in this field of IT security, support, and networking. One way is troubleshooting fires that are burning. You can only learn so much theory from other people, books, and mentors. But you have to put it into practice to really get it in this area (hence my occassional disdain for analysts, IT journalists, and people who jus repeat “best practices” ad nauseum). I particularly love challenges, puzzles, and friendly competitions that run the gamut of amazingly fun to very competitive to real-life-mirroring scenarios.

In fact, in the sidebar menu way towards the bottom I have links to various “hacking” and other challenges mixed into the “cons/training” section. I have been putting off moving the actual challenge type items down to the new challenges section. I love those things, and even if I’m late to the party or don’t know the answers, reading the practical solutions offers some excellent insight.

Anyway, I’ll see how my schedule looks and give the Microsoft Scripting Games a try my hands at it.

Someday, I may actually post my answers to various challenges past and present on either this blog, or more likely on my wiki. I find that while reading is great theory, and hands-on is great experience, being able to regurgitate the steps and lessons on virtual paper for others to understand is the last step. When you can teach someone something, you reinforce your learning of it, even if the audience is non-existent and you’re just recording it down in a place no one else will look, or describing it to a loved one who really doesn’t care but is a willing sounding board.

Some *real* quick links from a Google search:
Windows PowerShell
Getting started (vbscript)
PowerShell blog and links
PowerShell FAQ

“By ‘strategic advance.’ I mean making the most of favorable conditions and tilting the scales in our favor.” – The Art of War, Chapter 1: On Assessments

Definitely useful to make the most of good situations when dealing with security. If you suddenly get a budget or have a chance to make an incident into a growing experience, do it. Likewise, be ready to make the most of bad conditions. Budgets or internal issues should not stop necessary security from being cobbled together.

The supreme accomplishment is to blur the line between work and play.” -Arnold Toynbee

Thankfully, when I am with a company I like, work and play are very blurred. Ahh, the geek lifestyle! This quote can be very easily twisted and might make some people very upset because they value separating work and play, but all of us are different, and it has been my mantra in 2006 and ongoing into this year to enjoy my work so much that it feels like play, since I play what I end up doing at work anyway for now. I just want to enjoy the way I spend 1/3 of my day (which you can extrapolate to being 1/3 of the rest of my working life). I want to thoroughly enjoy my job, company, and team, and I likely won’t be settled until I find that balance.

Going on about 5 months using Ubuntu as my primary laptop and things are still relatively good; good enough to stick with it. I do have a companion laptop with Windows XP that I use to stay sharp on XP, try out new stuff, and do the few things that Linux won’t do yet (particularly run my favorite P2P program, SoulSeek).

However, there are some growing concerns, particularly in how robust Linux can be as a desktop machine.

Ubuntu is sluggish. I’ve long noticed this, but only lately is it really grinding on me. Ubuntu with Gnome is not nearly as crisp to respond as my tried and true Windows machines. Nautilus is even slower and clunky and will sometimes hang when transferring 70+ files over an SMB connection on my network. Firefox 1.5.x (the kind Ubuntu 6.06 supports) is crashing or just having problems loading some content. Firefox on Ubuntu is far slower than Firefox on Windows, even on worse hardware, both on load and in serving content.

I’m going to stick with Linux because I really want to learn it, but I will say I don’t think it is yet ready to displace other OSs on the typical desktop. It still can’t do many things out of the box and it just is not as swift as Windows (assuming Windows is relatively free of spyware/adware). Linux has a long history of being appropriate for geeks, but Windows has a long history of meeting the needs of a vast majority of common users…and that’s where the desktop market is.

I am going to see if I can get Kubuntu 6.10 up and running on another box and try it out before I think about replacing my Ubuntu 6.06 install. Perhaps KDE will be more to my liking and I’m totally willing to check it out.

An article in InformationWeek has sparked some comments through the various security bloggers. I’ve decided to play devil’s advocate for a moment when it comes to user training. Basically, I’m just making a point or two, so don’t lambaste me too hard for being wrong or pessimistic. 🙂

the vcr clock dilemma
How many people do you know have a VCR/DVD player/Oven/Microwave clock that continuously blinks or is set to the wrong time? Ever wonder why? Typically, people don’t really care to be bothered with setting it after a power outage. Some people may have faulty power and have interruptions regularly, but most people just don’t care enough or maybe even find it cumbersome to change the time.

Similarly in security, not everyone wants to care about the technical ins and outs of security. They don’t want to be bothered in their life with technical details. It just might not be their thing, or, if they are adults, they just don’t have the time to become an expert. It is easy for us geeks to live this sort of lifestyle and to wonder loudly why people don’t educate themselves about their computer, just like it is easy for them to wonder loudly why we don’t get out more. 🙂 Some people tune their own cars and motorcycles, others take it to a shop to get fixed, and still others just let it all go to hell. Are those people idiots for doing that? Maybe the latter, but what if maintaining the car costs more than just letting it go and getting another junker? Basically speaking, we can’t make people care about their computers and put in enough time to become experts in a way that mitigates their risk. We all have friends who fall into this category, I’m sure.

the trampoline illustration
Most of us have likely seen or played on a trampoline at one time. You tell your kids to watch out and stay in the middle of the trampoline so that they don’t smack something on the side rails or outright fly off onto the less forgiving ground. Do kids really listen? Perhaps, but they still make mistakes or just plain do not heed warnings. Users are the same way, and who can blame them every time? Eventually, padding appeared on the supports and even a mesh apparatus encircled the play area like a cage for monkeys (which it kinda was). Now, kids can make a mistake and not have to learn from a broken bone.

This is technology in action. Where good common sense and training and all the words in the world may not have prevented every issue, technology has vastly mitigated the risk of injury and worry to parents. (Of course, there is something that can be said about their lack of developing restraint as they bounce against the mesh cage wildly or not learning by falling…)

Training is excellent to tell someone that a stove is hot. But some people touch it anyway. If your company cannot afford to have someone test the stove or play around near the stove and misjudge a distance or handfall, then you need to isolate the heat or the stove from the curious hands (technology). Many companies and employees cannot afford a mistake that technology could have prevented.

Now, all of that aside, training is important and will help augment technology. Training lessens user outrage at changes and restrictions they do not understand (at least for some, others will refuse to get it no matter what and just want their way). Training will help in those instances where technology cannot make the decision in a situation, and employees need to make better common sense decisions. Training will allow willing learners to become educated about technology and security at work and home. And training is even more necessary when talking about implementors of technology. Can you have untrained security guards make confident decisions about letting a C-level exec into the building with contraband or without a pass? Can you have untrained network admins building your firewall rules? Training shouuld definitely be mandatory for those people who touch or work with the technological security measures. But for the typical worker bee (no offense intended) employees, the effect of their education is still arguable.

some rhetoricals
The mishandling of data is one of the biggest problems, especially when we’re talking regular employees and their security infractions. But how can technology safeguard that? How can education safeguard that? How can social engineering ever be wiped out?

I need to watch the episode that Scott Wright references for this post. Instant Messaging is a technology that is still in flux when it comes to corporate use, and I’m always curious on the views people have of it, and how companies use it.

My last company had very little interest in controlling the IT environment. As such, people used Yahoo, AIM, and MSN as they wished. Sales used it regularly, especially those people outside the offices at home or on the road. It really was very useful, even if I wasn’t so happy about it. Eventually the company moved to get a centralized (kinda compliant) IM system. We set up a Jabber server, privatized registrations, and got most everyone on that product. Sadly, too often critical business issues were communicated via IM rather than accepted and more loggable avenues of communication such as a ticketing system, phone, or in person searching for someone to assist. Eventually our team went “invisible” on the system because of the abuse and poor “handing-off” of issues via unresponded-to IM messages (and people got pissed that we would always kindly ask for a trouble ticket so that the issue would properly get logged for metrics and reporting). Also, there was widespread fear that we were logging conversations, which drove people away from Jabber. (I never did understand what people were talking about that they were scared it might be logged…besides which we never did turn on logging since no one asked us to do so.) Unfortunately, no one ever supported removing the other IM programs, so eventually Jabber fell by the wayside and only our networking team used it extensively, albeit with a lot of invisibility (hell, our team was geographically split anyway). The user-base then “found” Skype and started installing and using it, despite network team objections. Management had little interest in curbing that, despite the compliancy holes. This is an example of the users pushing technology and process due to indifferent management.

My current company has banned IM use. Not only are many systems limited in user rights and installed software, but my IPS and possibly the web proxy will actively block known IM traffic. Needless to say, we don’t use IM, but there is talk about evaluating its use, especially as we do a lot of travel business which regularly sees employees in some exotic locations.

What is the proper answer? I don’t think there is a universal answer and it will depend on the company, the business needs, and compliance issues. I do think, however, that IM will eventually continue its push into business. Email is broken as a technology and will very, very slowly be replaced with more IM/SMS technologies. I also think that IM is such an integral tool in our culture and lives that business really cannot just completely preclude it forever. I’d rather properly implement it now rather than later, do it properly, and reap the business benefits. Many people will argue about lost productivity, but I don’t think that will necessarily be the case, especially in a private IM system. Besides, if someone is going to screw around, they will screw around whether it is via IM or not.

A recent post by Ed at SecurityCurve.com pointed me over to the PCI and Data Security Compliance blog. Now, I can’t speak intelligently about PCI these days, and a real auditor would run circles around me about compliance. I also don’t have to deal directly with this yet in my job, but someday I will, no doubt. And while I don’t have a ton of learning bandwidth right now to learn compliance, I at least can regularly peruse this blog and get used to the terminology and what is all kinda going on. So by the time I do get thrown into the PCI maelstrom, I can at least orient myself quickly. Kinda like webappsec blogs. I don’t do any web app coding for my job right now, but I certanly want to be familiar with the topic.

I’m just posting quick about a pet project of mine that is still just in the planning stages and likely won’t be done until later this year at the earliest. I’d like to develop and complete a more robust home entertainment system than I currently have.

I watch movies. I listen to music (cd and mp3). But I do not watch TV, and thus also do not record shows. In fact, despite owning a plasma TV, I have not watched a television show or had it even set up with television in about 10 months. I do game, although I own none of the latest generation of consoles. I’m looking to buy into that hobby again soon. I don’t typically download movies or rip them from existing media, but I am looking into doing that. There are many movies I’d love to have on hand, but wouldn’t really ever pay for. Netflix is as far as I would go there, and I wouldn’t mind ripping Netflix movies to digital media, or even copying them with a DVD burner (although I have little experience in that).

FurryGoat pointed me to the InFrant ReadyNAS device which I think is awesome. An alternative might be using FreeNAS, which could be a good project itself. This could act as a media repository, which is something I would certainly need.

I plan to purchase an X-Box 360, at a minimum, so I would stick to that for my DVD/media playing needs. I think I might need to get a Vista box for my Media Center, but I’m not terribly keen on that idea. I don’t really have a powerful enough system right now to run Vista well, although I do have some basic parts for a good base (motherboard and CPU that are good workhorses, but bad for gaming).

Any ideas, feel free to post, but otherwise this is just a planning post for me. I think I would be best served looking into getting into DVD ripping and burning, grab a console machine, and also get a storage NAS set up.

I tend to cloak myself in layers of anonymity in my professional online life. Mailing lists are not an exception. In fact, I try my best to participant on mailing lists in a way that does not disclose the company I work for, for various reasons (whether I stick to my other name or move back to LonerVamp, I’m still debating). I see other people do the same, and sometimes they use some wacky (and creative) psuedonyms that harken back to hacker days of old when handles were used more often than real names. They also typically come from email account at Gmail, Hotmail, or Yahoo.

To anyone who uses such accounts, be aware that how you use them may determine just how anonymous you remain. Using the webmail interface for each account is pretty secure when it comes to what the mailing list can see. However, if you do your email on a mail client and then POP3/SMTP up to the service, you may be revealing your home IP address in the mail headers. I am not sure if Gmail reveals this information, but I do know Hotmail reveals this. I encourage people to test such functionality well in advance of blindly trusting your security and anonymity.

Or, if the mailing list supports it, submit your replies via a web form. I know SecurityFocus has web-based submissions to its mailing lists if you so prefer. I actually prefer that method.