Greetings from Amazon Web Services,
This e-mail confirms that your latest billing statement is available on the
AWS web site. Your account will be charged the following:
Subtotal: $1.24 (plus applicable taxes)
Sunday, October 01, 2006
Why AWS S3 is Cool
Friday, September 29, 2006
Having grown up in an "Army family" and having served in the Army Reserve (my time in service ended in January 2002, a month before a stop-loss was declared on all Reserve Military Intelligence personnel and I narrowly escaped activation in October 2001), I have been known to be emotional (occasionally irrational) on issues relating to the military and military life.
The issues raised in a recent article on the death of 2LT Emily Perez, like those in the original May 2005 Time cover story on the "Class of 9/11" that I read in a doctor's office, are no exception.
I consider both of these "mandatory reading" for this day and age, as a reminder of the sacrifices of others and the trivial nature of most of our daily concerns and fears compared to those serving in Iraq and Afghanistan.
Saturday, September 23, 2006
Pcapper: cool non-C based PCAP
Works on OSX, haven't tried it on anything else. Next is to use the lib in a new protocol reverse engineering tool I started just today.
franz-g4:~/dev/scada-nasl/dnp3 mdfranz$ pcapper.py -v dnp.1
Packet:
asctime 2006-09-19 11:53:36.711335
caplen 54
destination 00:c0:4f:0c:7b:1d
ether_type 8
pktlen 54
source 00:0c:29:cf:38:82
tv_sec 1158684816
tv_usec 711335
IP datagram:
checksum 0
destination_address 192.168.169.140
flags 2
fragment_offset 0
header_length 5
id 18544
protocol 6
source_address 192.168.169.11
tos 0
total_len 40
ttl 128
version 4
TCP datagram:
ack 1
ack_number 3660227963
checksum 54275
data_offset 5
destination_port 20000
fin 0
flags 16
psh 0
rst 0
sequence_number 2451677669
source_port 3016
syn 0
unused 320
urg 0
urgent_pointer 0
window 17469
Payload:
Dump source has length: 0
Run time 0.903 seconds
Processed 108 packets
Processed 10376 bytes
Processing speed 119 packets per second
Processing speed 11 kbytes per second
End of program
Stay tuned.
Wednesday, September 13, 2006
OpenRecord: Your next wiki?
The current wiki you know and love (for me, it is MoinMoin) is primarily suited for text with perhaps a little graphics (but ultimately unstructured content). If MediaWiki (used by Wikipedia) is suited for encyclopedias, OpenRecord is meant for almanac-style data such as the CIA World Factbook. OpenRecord targets tabular, statistical, more structured data as well as graphical views of that data (plots, graphs, etc.) that all can be created with a WYSIWYG interface.
Beyond the different use case, these folks are also addressing some of the inherent problems with wikis you bump your heads against: offline view, forking/merging, concurrent editing and much, much more.
Now this is still pre-alpha but of course there is a demo where you can create your own pages, etc. And since I haven't done this project justice, be sure to check out the screencast if you don't have religion.
Monday, September 04, 2006
Only 10 minutes into playing around with a new web fuzzer I wrote vs. an unnamed Rails app, I'm getting stack traces. Probably not the end of the world, but not great either. I'm wondering what Rails provides out of the box for validation and how it compares to what other frameworks such as Struts provide.
undefined method `include?' for nil:NilClass
./script/../config/../vendor/rails/actionpack/lib/action_controller/cgi_ext/cgi_methods.rb:49:in `parse_request_parameters'
./script/../config/../vendor/rails/actionpack/lib/action_controller/cgi_ext/cgi_methods.rb:47:in `each'
./script/../config/../vendor/rails/actionpack/lib/action_controller/cgi_ext/cgi_methods.rb:47:in `parse_request_parameters'
./script/../config/../vendor/rails/actionpack/lib/action_controller/cgi_process.rb:70:in `request_parameters'
./script/../config/../vendor/rails/actionpack/lib/action_controller/request.rb:12:in `parameters'
./script/../config/../vendor/rails/actionpack/lib/action_controller/session_management.rb:122:in `set_session_options_without_components'
./script/../config/../vendor/rails/actionpack/lib/action_controller/components.rb:178:in `set_session_options'
./script/../config/../vendor/rails/actionpack/lib/action_controller/session_management.rb:116:in `process'
./script/../config/../vendor/rails/railties/lib/dispatcher.rb:38:in `dispatch'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:115:in `handle_dispatch'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:81:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:172:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:161:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:161:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:67:in `dispatch'
./script/../config/../vendor/rails/railties/lib/commands/servers/webrick.rb:59
/usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:21:in `require__'
/usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
./script/../config/../vendor/rails/activesupport/lib/active_support/dependencies.rb:136:in `require'
./script/../config/../vendor/rails/railties/lib/commands/server.rb:30
script/server:3:in `require'
script/server:3
Thursday, August 31, 2006
Lenten Summer's End
The first rain in Austin
since Independence Day--
or so the driver said.
And this morning (at 2AM)
below 70
with no hint of Northwest.
I predict cool clarity, soon.
Monday, August 14, 2006
Eclipse 3.2.1 on OSX Might Suck Less Than Netbeans
Thursday, July 27, 2006
IKE DoS Attacks are Like So Year 2000
Must be a slow news week. What next? "Telnet Weak Authentication Vulnerability in IOS" leads to Internet collapse?
In hindsight, it's amazing (I guess the "ask for forgiveness, not for permission" rule was still in effect back at Cisco in 2001) that I was even able to present on this stuff (on those ugly templates no doubt!), but if you look at slides 56-72 in a CanSecWest Prezo I did back in April '01 you'll see treatment of DoS issues in IKE, although these had been discussed much earlier within the IETF. And if I am talking about it, it can't be rocket science.
And of course I can't go without mentioning the IKE DoS King and the Son of IKE DoS King. Perhaps Venkat (or Earl) will be able to get the Director/VP level approval to blog on this issue. We'll see.
Don't get me wrong, developing exploits for silly protocol design errors and saying the sky is falling is all good fun, but let's lose the tone of exasperation.
Tuesday, June 27, 2006
Jython Applets
Hell, even readline works - which is more than I can say for my Mac :(
Wednesday, May 31, 2006
and slapped down $200 at Crucial for a long-needed 1 Gig DIMM for my 12" Powerbook G4. Wish I'd done it sooner. Noticeable performance increase even on stuff that shouldn't (typing within terminal or right now!) and Netbeans is actually usable.
Oh, also saw the 13" MacBooks at the Apple Store in Clarendon, VA. Ambivalent about the 80s retro "chicklet" keyboard, but the feel was better than the old 12" iBooks. Something about the screen aspect ratio was "off" though.
Wednesday, May 17, 2006
Vendors must be starting to "get it!" (or at least feel it!)
But this is one small positive datapoint that perhaps things are starting to improve on the product security front.
Or perhaps things have gotten so bad vendors are desperate to "stop the bleeding."
Thursday, May 04, 2006
Nobody must use Java Regular Expressions
Yes, I'm weak, but once you use Visual C# it is hard to go back.
package regextest;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class Main {
    public Main() {
    }

    public static void main(String[] args) {
        // Earlier attempts, kept for reference (the second is a Python regex):
        // Pattern p = Pattern.compile("^\\[char\\speer[\\d+]_[\\d+]*");
        // packet = re.compile(r"^char\speer(\d)_(\d+)\[.*{(.+)};$")

        // p captures the two numbers in the array name, p1 the text between the braces.
        Pattern p = Pattern.compile("^\\[char\\speer(\\d)_(\\d+).*$");
        Pattern p1 = Pattern.compile(".*\\{(.*)\\};");

        // A Java string literal cannot span source lines, so the test line
        // is built by concatenation and shared by both matchers.
        String line = "[char peer1_2[] = {, 0x03, 0x00, 0x00, 0x31, 0x02 0x5f, "
                + "0x53, 0x50, 0x50, 0x31, 0x5f, 0x50, 0x41 };";
        Matcher m = p.matcher(line);
        Matcher m1 = p1.matcher(line);

        // matches() succeeds only if the pattern covers the entire input.
        if (m.matches()) {
            if (m.groupCount() > 0) {
                System.out.println(m.group(1));
                System.out.println(m.group(2));
            }
        } else {
            System.out.println("No match");
        }

        if (m1.matches()) {
            System.out.println(m1.group(1));
        } else {
            System.out.println("You suck!");
        }
    }
}
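An added example, not the post's own code: the same `char peerN_M[] = { ... };` line parsed all the way to a byte array, using `find()` so several declarations can be pulled from one input and collecting bytes token by token so the stray and missing commas in the sample line do no harm. The class name `PeerArrayParser`, the `Message` type and the second sample declaration are made up for this illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PeerArrayParser {   // hypothetical name, not from the post
    // One declaration: char peer<side>_<index>[] = { ... };  A leading '['
    // is tolerated because the sample line in the post starts with one.
    private static final Pattern DECL = Pattern.compile(
        "\\[?char\\s+peer(\\d+)_(\\d+)\\s*\\[\\]\\s*=\\s*\\{([^}]*)\\}\\s*;");
    // Bytes are collected as 0xNN tokens, so a stray or missing comma is harmless.
    private static final Pattern BYTE = Pattern.compile("0[xX]([0-9a-fA-F]{1,2})\\b");

    static final class Message {
        final int peer, index;
        final byte[] data;
        Message(int peer, int index, byte[] data) {
            this.peer = peer; this.index = index; this.data = data;
        }
    }

    static List<Message> parse(String text) {
        List<Message> out = new ArrayList<>();
        Matcher d = DECL.matcher(text);
        while (d.find()) {  // find() scans the input; matches() must consume all of it
            List<Integer> vals = new ArrayList<>();
            Matcher b = BYTE.matcher(d.group(3));
            while (b.find()) vals.add(Integer.parseInt(b.group(1), 16));
            byte[] data = new byte[vals.size()];
            for (int i = 0; i < data.length; i++) {
                data[i] = (byte) vals.get(i).intValue();
            }
            out.add(new Message(Integer.parseInt(d.group(1)),
                                Integer.parseInt(d.group(2)), data));
        }
        return out;
    }

    public static void main(String[] args) {
        // First line is the post's sample (stray and missing commas included);
        // the second declaration is constructed for this example.
        String text = "[char peer1_2[] = {, 0x03, 0x00, 0x00, 0x31, 0x02 0x5f, 0x53, "
                + "0x50, 0x50, 0x31, 0x5f, 0x50, 0x41 };\n"
                + "char peer0_3[] = { 0x03, 0x00 };\n";
        for (Message m : parse(text)) {
            System.out.printf("peer=%d index=%d bytes=%d%n", m.peer, m.index, m.data.length);
        }
    }
}
```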
Wednesday, April 12, 2006
I really need one of these!
Convert any baseball cap into a piece of protective headgear offering a mild form of head protection. The North SC01 Convert-A-Cap insert converts your favorite personal baseball-style caps into comfortable and convenient light duty head protection against bumps and lacerations for applications...
Wednesday, March 01, 2006
ifsh: interactive fuzzing shell
mdfranz@franz-d610:~/dev/realtcpreplay$ ./clientplay.py 172.16.126.132 102 follow.pickle pause
0>
Sending:22 bytes
Received: 14 bytes
1>
Sending:191 bytes
Received: 147 bytes
2> help
> rb filename - read binary file and use for next message
> ra filename - read ascii file (00 ff 00 ff) for next message
> testcase directory - specify a directory of testcases (binary file to use)
> fuzzload [min,max]
> fuzzcount n - how many fuzzloads to generate
> fuzzheader n - how deep in payloads to overloay fuzzloads
> send
> continue
> setpoint
> sh[ow] exchange - dump all messages sent/received so far
> sh[how] last-sent
> sh[how] last-rec
2>
Sending:36 bytes
Received: 32 bytes
3> fuzzcount 100
FUZZCOUNT now set to 100
3> fuzzload
Generating fuzzloads: Generating fuzzloads: . . . . .
3> go
*** Reset by peer ***
Monday, February 20, 2006
For those folks addicted to FreeMind, you should definitely check out Cmap
The CmapTools program empowers users to construct, navigate, share and criticize knowledge models represented as concept maps. It allows users to, among many other features, construct their Cmaps in their personal computer, share them on servers (CmapServers) anywhere on the Internet, link their Cmaps to other Cmaps on servers, automatically create web pages of their concept maps on servers, edit their maps synchronously (at the same time) with other users on the Internet, and search the web for information relevant to a concept map. The CmapTools client is free for use by anybody, whether its use is commercial or non-commercial. In particular, schools and universities are encouraged to download it and install it in as many computers as desired, and students and teachers may make copies of it and install it at home. (Commercial companies that install their own CmapServer do need to get a separate license for a CmapTools client that will talk to the commercial version of the CmapServer).
Wednesday, February 01, 2006
Why I left Cisco Last Year
But whose fear? The metaphor Liz used (she got from someone else) was that many of the "leaf nodes" (what Microsoft and Sun and others refer to as "individual contributors") tend to be innovative and brave, but many of the "branches" (i.e. layers of management) can't stomach the risks. In their (admirable) desire to be strong and stable, the "branches" put safety above all else.
What kind of safety? Sometimes managers are putting the best interests of the company first. That's great--they're often more experienced and have a better grasp of the bigger context. But (and it's a really big but) sometimes they're just worried about their own damn job. In other words, the leaf node/individual contributors often think about the effect of their work on users, while the mid-level managers often think about the effect of their work on their job. And whose fault is that? All those layers of bosses. Even one risk-averse boss in the chain-of-command can do major damage to innovation, spirit, motivation, etc.
Tuesday, January 31, 2006
Someone does a slashdot post on muSecurity (actually they call them a "cracker attack emulator"-which, I must say sounds very cool), and along down in the thread, somebody mentions my Fuzzing page and I end up getting close to 4000 hits today.
What is the world coming to?
Thursday, January 19, 2006
How to get a job on a pen-testing team
How to get a job on a pen-testing team has a great line that shows that 2006 is the year SCADA goes mainstream:
I was just working on my project for that Death Ray auto-pen-testing machine and wondered if you had any feedback regarding how we would handle shellcode delivery across SCADA or process control networks.
Sunday, January 15, 2006
I finally "switched!"
Monday, January 02, 2006
Ruby in 2006
Among the improvements I've noticed:
- Easy installation on windows
- Ruby GEMS - a package administration tool similar to Gentoo Emerge, Debian Apt -- or yum if it actually worked right.