passing the torch again

I started reading this article about Windows XP just to fill time, but by the time I got to the second page, I was noticing some subtle and poignant things being said.

The initial simplicity [of Windows XP] almost never survives contact with software installers. Most of them ignore Microsoft’s programming guidelines by dumping shortcuts and icons across the Start Menu, the desktop and the “tray,” that parking lot of tiny icons at the bottom-right corner. Good luck finding anything on the screen after you’ve let the likes of AOL Instant Messenger or RealPlayer have their way with XP.
With all that extra software, Microsoft needs to persuade other companies to play by its rules, but it’s had trouble getting even its own programmers to do that. The mere presence of Windows Vista can’t change this failure to communicate.

From device drivers to installed software, it all basically does whatever it wants to do, due to Microsoft’s approach to system architecture. I am fully convinced that Windows is a product of consumer usability, and not of any intelligent security design or means to be solid and stable and loved for decades. Now, whether that is good or bad is another story, as Microsoft has grown rich and huge for those choices.

The operating system has done little to ensure that programs move in and move out in an orderly manner; they can throw supporting files and data all over the hard drive, then leave the junk behind when software is uninstalled. As a result, something that should have been fixed in Win 95 — the way Windows slowly chokes on the leftovers of old programs — remains a problem.

This is all too true, but again, what alternative is there? And with moving forward in Vista, how exactly will that fix everything? So many programs are bound to act funky or outright break with the new OS. People who have paid for these programs will clamor for support with upgrades (thankfully, software vendors have gotten consumers used to purchasing these upgrades). But, in the end, turning around this huge ship that is the Windows-based community is not going to be easy, or maybe even possible with the Windows OS architecture.
Imagine having Windows running so many important things for years, or even 20 years from now. The world is also becoming more PC-literate, but you can bet that 99% of all the next generation users are growing up with Windows, as opposed to other OS flavors, although I will give that next-gens will be better able to adapt to other OS options if they so choose. This means that there is a very real threat to *nix servers and tools that they will slowly be bred out of existence (of note, putting *nix into the hands of developing countries can then be either a saving grace or further stratification…).
Hopefully Windows gets some things right with Vista, but somehow I really doubt it. XP was a major step for Microsoft and it has lasted 5 years during the stabilization of the PC in our daily lives, young and old. I think it will look prettier, be larger, be more complex, will have more layers and layers of cool graphics and security apps, but it all just covers the same buggy and outdated architecture underneath.
At least it still means job security. 🙂

payphone warriors

Now this is a really fun-sounding idea for a metro game: players attempt to control as many payphones in an area as possible by calling from the phone to a central scorekeeper. The link gives plenty of information. This isn’t necessarily something to be done in say, my state of Iowa, but would be amazingly fun in a very payphone-heavy metro area. What would be most interesting, though, is seeing how it is set up and run. Checking out the Asterisk setup behind the scenes, as well as how the payphone signatures are determined. I wonder if a game like this can be devised for DefCon? I wonder if payphone signatures can be spoofed such that a player can just adjust the variable and keep calling back from one phone?
Now what about expanding this to, say, the entire city of New York in a never-ending game where you can call up at any time? What about doing this for wireless hotspots or networks? Granted, you can spoof your IP and stuff, but what about needing to maintain a solid session with a central server from a wireless network, and submit data about that network? And note that I’m not saying open, public wireless networks… This whole idea is similar to a capture the flag competition, only mixing physical movement along with traversing the digital landscape. All the more reason to move to a more urban location. 😉

security outside the box: car keypads

This is just a little bit old, but there are still plenty of cars that sport the numbered keypads to unlock the driver’s side door. There are really only 5 keys here, and thinking outside the box, one can quickly test that this is just a password entry, but there is no end bit or anything. It just sits and listens and waits for the proper combination no matter what preceded it or followed it. Turns out, it only takes 3129 keypresses max to get the door to open. The article states this takes about 20 minutes. Just imagine reciting the cheat sheet into a recorder like an ipod and then just listening to the sequence as you key it in.
The more I think about it, the more it makes sense that this whole idea didn’t last very long and not all that many cars used it or still use it.
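The 3129 figure can be checked with a small model, added here as an illustration and not taken from the linked article: a keypad that matches the last five presses is fully covered by an unrolled de Bruijn sequence of 5^5 + 4 presses, while a keypad that frames entries and locks out after repeated failures is not. The key labels, the five-press code length (inferred from the 3129 figure) and the FramedKeypad lockout policy are assumptions.

```python
"""Model of a 5-key door keypad: sliding-window matching vs. framed entry with lockout."""

KEYS = "12345"   # five keys, modelled as symbols 1-5 (labels are an assumption)
CODE_LEN = 5     # five-press code, inferred from 3129 = 5**5 + 4


def de_bruijn(alphabet, n):
    """Cyclic sequence containing every length-n word exactly once
    (standard Lyndon-word construction)."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in seq)


class SlidingKeypad:
    """Behaviour described in the post: no end marker, matches the last CODE_LEN presses."""

    def __init__(self, code):
        self.code, self.buf = code, ""

    def press(self, key):
        self.buf = (self.buf + key)[-CODE_LEN:]
        return self.buf == self.code


class FramedKeypad:
    """Hardened variant (hypothetical, not any vendor's design): entries are fixed
    CODE_LEN-press frames, and MAX_FAILS wrong frames lock the keypad."""
    MAX_FAILS = 5

    def __init__(self, code):
        self.code, self.buf, self.fails = code, "", 0

    def press(self, key):
        if self.fails >= self.MAX_FAILS:
            return False                      # locked; a real unit would use a timed lockout
        self.buf += key
        if len(self.buf) < CODE_LEN:
            return False
        ok, self.buf = self.buf == self.code, ""
        self.fails = 0 if ok else self.fails + 1
        return ok


def presses_to_open(keypad, stream):
    """Number of presses until the keypad opens, or None if it never does."""
    for i, key in enumerate(stream, 1):
        if keypad.press(key):
            return i
    return None


def sliding_coverage():
    """Unroll the cycle and count the distinct codes a sliding-window keypad would see."""
    cyc = de_bruijn(KEYS, CODE_LEN)
    stream = cyc + cyc[:CODE_LEN - 1]         # 3125 + 4 presses
    windows = {stream[i:i + CODE_LEN] for i in range(len(stream) - CODE_LEN + 1)}
    return stream, len(windows)


if __name__ == "__main__":
    stream, distinct = sliding_coverage()
    last = stream[-CODE_LEN:]                 # the code this stream reaches last
    print(len(stream), "presses cover", distinct, "codes on the sliding-window keypad")
    print("sliding keypad opens after:", presses_to_open(SlidingKeypad(last), stream))
    print("framed keypad opens after: ", presses_to_open(FramedKeypad(last), stream))
```

Without the lockout, the framed design alone still raises the worst case to 5^5 separate five-press entries; the lockout is what bounds the number of guesses.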

the career it writers

I diss on the blogosphere a lot for being bad reporters of news, but great reporters of experience and opinion (which in a way is news as well). I guess the difference is journalists have a level of ethics to maintain whereas bloggers can basically do whatever the heck they want.
Anyway, one question I had in my head lately are the career writers. There are bloggers and journalists in IT that I sometimes see or read and I frequently look at their bios or background, just to see where they are coming from. Often, I see they have 15-20 years of writing about IT and journalism and papers and 15+ books written or contributed to.
I don’t get this sometimes. Are they career writers? Do they actually do any IT stuff either in an enterprise or at least at the consumer level? Or do they just play at home, talk to others more knowledgeable, and just write about it? Those people kinda bug me…

linux as main box – part 2: the score

I’ve used Linux in the past, Red Hat, SuSE, Slackware, Knoppix, and various other livecds, but have never been able to make it a regular box that I use 95% of the time. Hopefully this will change.
But first, I want to just out and say it: Linux is not ready for prime time. Not even Ubuntu. Unfortunately, Windows is far easier to wield and get things done on. It might be less secure, but this is the classic usability vs security relationship. Thankfully, Ubuntu is not just for the uber-geek elite anymore, and can be adopted by hardcore geeks and even casual geeks, but it is not ready for the average consumer or user, and has a long way to go.
What better way to compare the two than by keeping score. Now, keep in mind Ubuntu is going to win in the end, as Linux will for me. I plan to stick with it and hammer away at it until I’m firmly on the “other side.” It might be painful, but this is just part of learning and becoming a better geek (read: IT professional).
The install, as stated before, was amazingly fast compared to any other OS I’ve run. I literally thought I was still running the livecd portion of Ubuntu when I first rebooted (Ubuntu +1). However, the partition options leave a lot to be desired. While Windows is simple with partitions, Linux has always been arcane with them and knowing how many you need and how to carve them up is, in my opinion, the single biggest detractor for new users to try out Linux. Right from the start, it is complicated and difficult and unknown. Many people put it down right there without really giving it a true try. Ubuntu is an all or “know it yourself” install. Either it takes the whole disc or pre-made partition, or you have to know what you’re doing. Sadly, I don’t, and many people won’t either (Windows +1).
So, last night I went about making sure I could do the typical things I want to do. I first updated Ubuntu, which, like Windows, prompted me with a nag screen saying there were updates. Nice! The updates were relatively quick for having 170+ updates, and of course required no reboot (Ubuntu +1).
Synaptic is really cool, and I’m happy with it. One bad point though, is that you’re stuck with Ubuntu’s packages and you need a little bit more knowledge to open up the universe and multiverse to more downloads. But, I always have liked having a central repository for many programs, all of which are free (Ubuntu +2, Windows +1 [how many people really catch the universe/multiverse updates without work?]). My biggest complaint about Synaptic, though, is how easy it is to do something and say, “omg, wtf did I just do?” I did this by selecting some packages and not paying close attention to the required packages or things that needed removal. After walking away to pop in a movie, I came back and hit “Apply,” only to see Ubuntu quickly remove some things. I have no idea what they were, but I hope they were not important. I have learned, however, that I really should do one thing at a time, and scribble down what is added and removed, at least until I’m comfortable with this process.

sudo gedit /etc/apt/sources.list
add in: deb http://us.archive.ubuntu.com/ubuntu/ dapper universe
deb-src http://us.archive.ubuntu.com/ubuntu/ dapper universe
deb http://us.archive.ubuntu.com/ubuntu/ dapper multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ dapper multiverse
save, then: sudo apt-get update

And this is the second biggest issue people have with Linux, and myself: the installs. Windows has a huge boost here with automatic installers that take care of everything. You don’t need to unzip things usually (and if you do, it’s easy). You don’t need to compile from source code. You don’t need to hunt for packages that work with your OS flavor (Windows flavors don’t run concurrently, there’s really only one active one at any time now, not counting Server). You don’t need to wonder what the executable is or how to run it, it appears automatically in your Start->Programs list. Ubuntu is not so helpful all the time. I installed about 10 different packages from kismet and airsnort to lxdoom and tcpdump. Over half the installed packages were installed, and then promptly hidden from me. They were not in the Application list nor did I find them in the filesystem. Granted, most of the ones now found seem to be command-line apps, but this is a huge hole for most casual users. “I installed lxdoom to play it, now it doesn’t appear, what gives?” (Windows +1) Not only that, but at least Synaptic takes care of linked packages or things you need before something you want. Trying to track these down and align the planets just to install one program can be a huge headache in Linux. (Windows +1)
So, an OS that is going to be a “Windows killer” better do some basic things without fuss. Ubuntu’s wireless works, Firefox is installed by default, Thunderbird is installed by default, but is not the default mail program and does require being added into the Application list (Windows Start->Programs list). I installed GAIM without problem and promptly got on my IMs without issue at all. (Ubuntu +1 Windows +1)
I then popped in a DVD. Totem, the default media player, threw an arcane error. Ok, I didn’t want Totem anyway. So I installed mplayer. It also threw an error, even more arcane than the first. I then installed Ogle and Xine, both of which also could not read my DVDs. Wow. I did some research and it turns out encrypted DVDs are just enough of a closed format that Ubuntu decided not to include the ability to play them out of the box, or even after installing new players. In fact, I couldn’t find the libraries I needed in Synaptic. D’oh. I found libdvdread3 just fine, but libdvdcss2 had to be downloaded from some guy’s FTP in Sweden. (Windows +1)

use synaptic to get libdvdread3
install libdvdcss2: sudo /usr/share/doc/libdvdread3/examples/install-css.sh

Whoa, wait a minute here…what version did I just download? What command did I have to run to make it work? I have to download some weird library that may or may not be 2 years old from some guy’s FTP site in Sweden? I did more searches and found more German and other foreign sites, none of which looked commercial. This is the kind of thing in Windows that we, as security people, work to avoid: downloading from sites that make us stop and get paranoid about. (Windows +1)
After putting in the new library, though, all the players could play my DVDs without problem (I think I like the Xine interface best, but it doesn’t fill my whole screen, sadly…which may be a graphics driver issue, but with the player…). However, this sort of hassle and *need* to Google up and understand uber-geek Linuxspeak to get it to work is going to keep Ubuntu from being used by my parents and friends. (Windows +1)
So that is where I stand right now. I can do most of the things I want to do on a daily basis (email, web, IM, and accessing my external drives for media like music, and dvd playing [with effort]), but where Ubuntu makes up ground on Windows in the install and ease of deployment, it loses ground in the places Linux has always lost ground: packages, not doing the necessary things out of the box, and needing to put on the geek cap just to work around things. Does Windows necessarily do this better? Perhaps not, but at least 99% of the computer-using world is used to it.
The score appears to be about how I expect, with Windows leading at this point, because this is all the hard, preventative stuff from Linux and Ubuntu so far. Windows 8 Ubuntu 5.

putting it to bed and dying?

To put this topic to bed in my mind, here is Apple’s notice about wireless security updates. This hopefully will also put other people to bed who criticized and had panic attacks and panic fanboy defense when Maynor and Cache presented about wireless driver exploits and did so on a Mac. I love Macs as much as the next person, but please, don’t cannibalize our own people. We need to encourage research, not hang it out to be stoned when it discovers something important against our favorite hardware/software or isn’t fully disclosed like our mischievous hearts want. This whole situation elicited passionate, emotional responses from many people (we should have seen that coming, with the Mac vs Windows vs Linux debates), including people who should be more disassociated due to our profession. That includes journalists and bloggers who completely misrepresented and had no comprehension of even a visual, video presentation and what the implications were. Unethical journalism (brought in large part due to the clashing and greying between proper journalism and amateur bloggers) really did not help.
[ Update: Two more links just for me. First, Matasano’s commentary on the new patch, and a link from a commenter about third party accreditation when you can’t trust the researchers, the press, or the company. Excellent idea!! ]
At any rate, hopefully this is back to bed, and props to Maynor and Cache for putting their necks in the noose, whether for fame or public utility (I don’t much care), at least this improves our awareness about wireless issues and improves the software and drivers that power it. Ignorance is not a security blanket.
Totally unrelated: Is Amazon.com dying? Their pages the past two days load like molasses, if at all. I wonder if they are weathering some attack or what?

atm crime spree? more about default passwords

A recent theft from an ATM machine in broad daylight using a key sequence which unlocked the machine and allowed the criminal to reprogram it to dispense larger bills than it thought it was doing, has had plenty of follow-up.
While this issue may bring the idea to the minds of young people in some small groups of the nation, I doubt this will turn into some sort of crime spree. However, it does illustrate exactly the failings of computer networks decades ago, and something that continues today in many electronics areas outside computer networks: default passwords. When a technician or operator installs electronic equipment like ATMs, it is very unclear whether they properly change default passwords or close any backdoors. Telephone boxes, ATMs, lighted road construction signs, and many more devices are frequently left with default passwords. The only protection is usually threefold: 1) a lock on the internal workings of the device, 2) obscurity by not publicizing the passwords and backdoors and manuals widely, 3) common human conscience to not do something criminal in public.
The hacking/phreaking community has known about these things for decades. ATM boxes are a very popular target and many of these issues have been long known. A lock can be picked, broken, or just plain left unsecured. Obscurity is not a protection when used alone, and hiding passwords, manuals, and basically not teaching non-qualified people how to use devices is not protection. Frequently, this is defeated by operators leaving the manual nearby or scrawling notes with passwords inside the box. Obviously, the conscience of the person is widely variable and some people will not be deterred by it.
It is only a matter of time before more things like this are discovered out and about in less technical areas of the world. These lie in the gray forgotten area when electronics started getting smarter and thus needed passwords for operations and the widespread security paranoia of computer systems with widely publicized attacks via a very efficient Internet medium. Also, many of these systems sit in an area between white collar workers and IT staff; a lost area that is as much ignored as actually forgotten.

linux as my main box – part 1

I have used Linux here and there in the past 5 years, but in the past 2 years, my experience has been drastically limited to livecds (which, in their own right, are really awesome anyway!). I’ve long wanted to get away from Windows since I know 95% of what I’ll ever know about Windows XP and previous anyway, and I really want to use a Mac or Linux box as my main OS at home for various reasons.
I’ve never made the jump and kept putting it off due to this reason or that, most notably two major reasons: I wanted to play WoW, which is difficult for anyone on Linux, and I wanted easy wireless access that wasn’t a bitch to configure, support, or install. Wireless support has gotten better in the past few years, and my laptop really is not nearly as fun to play WoW on as my resurrected gaming rig. So…all the big barrier reasons are gone!
This weekend I went out and bought a new laptop drive, 100GB. My plan was to dual boot Windows and Ubuntu Linux and also have some room to run a VM in Ubuntu and VM another Windows install or two plus others. The reason to dual-boot is so that I can get true wireless on both OS, since any VM is going to think it is on a wired connection. More on this later…
So I swapped my drive and put in Ubuntu 6.06 desktop. I did an install, it performed a format on my drive and was done. I literally blinked a few times and figured something screwed up or the instructions were incomplete. I rebooted Ubuntu from the livecd, saw that I had missed nothing, and on a whim decided to reboot without a cd. Sure enough, Ubuntu started up just fine and had been installed on the HD just like that. Wham! That’s the shortest install of an OS I’ve ever had!
The sad thing, though, is the Ubuntu partition support. It is basically an all-or-none approach and I didn’t get much help or options in doing manual partitioning. Unfortunately, the automatic part made me use all 100GB of the disk for ext3. Hrmm..well, I guess I can live with that for now and just swap hard drives when I want to go Windows. I may have to add in a mini-project to see if I can get an external enclosure and boot from it, but that’s another project.
So, Ubuntu was working. In fact, both my wired and wireless network cards were recognized immediately. I hooked into my wired network, got an IP address, connected to my wireless AP to get my WEP key (yes I use WEP because I practice breaking my own network with various tools…long story), and configured up my wireless. Big props to Ubuntu, as it took on the first try and I had wireless on Linux with zero blood and sweat. Wow!
Now, I’m swapping back and forth between my hard drives and Windows and Linux as I move all my tasks and things I do on Windows over to Linux one by one. Hopefully in the next week or two, I will be running Ubuntu 95% of the time my laptop is powered on. The only snag may be if I figure out how to most properly carve up my disk so that I can still dual-boot Ubuntu and Windows XP. This might mean installing XP first and using it to format the disk, then seeing if Ubuntu will limit itself to whatever space is still open. I’d like to just do about 35GB for Ubuntu (ext3), 15GB for Windows XP (NTFS), and the rest for either shared space (FAT) or VMs.
Next steps: Opening up Synaptic to allow me to install packages from the universe and multiverse, finding the root password (yeah, go figure, I couldn’t find it and it never asked me for one on the install?) so I can su up, and getting some common apps installed that I use on a daily basis, such as Thunderbird, gaim (or a Linux equivalent to gaim), and mp3 player. Now that I think about it, my ipod support may be all borked up now. I use winamp+ml-ipod to manage my ipod and music as opposed to iTunes, but thankfully that is a minor gripe. I’ll live. 🙂

simplicity sells

I’ve read this in a few places recently, in particular regards to security software and appliances, but this video of one of the TED talks by David Pogue ties that in with my own feelings of the lashback on computers and electronics and how things are just too damned complicated. Too many buttons, too many clicks, too many features I will never use. For some people they stomach it, for others, they abandon the tech. I know too many people who are abandoning computers and the Internet because of all the complications.
Well, simplicity sells, and the above-linked talk was very well-done. Take out features, don’t cram them in. The company 37signals does this as well, and has been remarkably successful, as have other post-dotcom small software companies, and even large companies like Apple with the ipod. This world needs simplicity and to get back to basics as opposed to bolting on features. Google, while maybe not as simplistic anymore overall, still has the best, most-trusted, and simple web search. Do that one thing and do it well.
I look forward to security software and appliances taking note of this trend and offering just the one or two things instead of trying to package every security measure into one device or app. I think this is short-sighted and just a way to increase their market and market share. Instead of doing things well, overwhelm others by just out-featuring them to get into as many markets at once as possible.
Linux and Unix have done this well for years, decades. Simple programs with few bells and whistles that do their designed task and no more. To do more, you combine them with other equally streamlined tools. cat firewall.log | grep denied. That’s the true beauty in *nix, the command line power and simplicity. Granted, this is a geek’s take on it… 🙂 At least in the *nix world, the techs like me can still milk our creative sides in using these tools together in complex and beautiful ways as opposed to being handed a huge soundboard with 209208 dials and switches to do god-knows-what and produce 45x more reports than I’ll ever use.

stream of discovery?

Stream of consciousness amazes me. In addition, the stream by which we discover new experiences is fun too. Take for instance this quick journey.
I like hacking and computers and security. Recently, I found a bunch of movies from the 22nd Chaos Communication Congress lectures from late last year. One lecture was “The Realtime Podcast.” The lecturer basically ran an actual podcast on stage, but the podcast consisted of him lecturing on how to do podcasting, the tools, styles, marketing, etc. His background music was really cool. Thankfully he acknowledged it as DJ L’embrouille. The music is just these really chilled-out electronic/ambient mixes. Amazingly, he releases these to the public and they can be downloaded. So now I have been listening to about 10GB of his mixes and loving every minute of it. This is awesome stuff to just have playing in the background while doing some computer work.
Now, if this guy had not released this stuff freely, would I have ever heard of him? Doubt it. Would I pay to see him in person? Yup…and that would be money in his pocket due to free Internet distribution. Wake up RIAA.

security and hacking videos

I finally tracked down this link to a HUGE collection of videos (mp4 format) available through BitTorrent of presentations at the 22nd Chaos Communication Congress (22C3) in Europe. Will need a Torrent client like Azureus. I have already started downloading this and am not even 1/4th through the list and it is already taking up 12GB of space. Will also need QuickTime or an alternative to QuickTime (recommended).

Updated link: videos. Be creative with the URL and you can find past years. When in doubt, hit the root site.