Friday, December 28, 2007

Down Came the Snow, Down went RCN Cable

Coicidentally with the snow today, RCN went to hell again but my Debian EVDO Router was ready. Actually got rid of the OpenWRT box (wasn't using the wireless anyway) and switched to wvdial, which has done a great job of automatically running pppd if the connection drops.

/etc/rc.local
if mount /dev/sr0 -t iso9660 /mnt
then
echo "Found Novatel u727"
sleep 3
umount /dev/sr0
eject /dev/sr0
fi

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
sleep 10
wvdial &


/etc/wvdial.conf
[Dialer Defaults]
Modem = /dev/ttyUSB0
Baud = 460800
Init = ATZ
ISDN = 0
Modem Type = USB Modem
Phone = #777
Username = ''
Password = ''
Carrier Check = no
Stupid Mode = yes


Obviously need to clean up the iptables rules, although I'm not terribly worried about it.

Best WRT54G (v3) for Intel 4965AGN

I've been having a hell of a time with the Wireless card in my T-61and my Linksys router (firmware v1.02.0, Jan. 16, 2007) for the last few days. No problems with the OSX on either my Powerbook G4 (Broadcom) or my wife's Macbook (Atheros). Some of these were screwups on Ubuntu but there definitely appear to be some issues with this card and some Linksys WPA configurations. Under XPSP2, I was becoming dissasociated 3-4 times an hour and with WPA2 Personal (TKIP+AES) would not even work with LInux

I believe these are the default settings which seem to work the best:

WPA Personal
AES
Group Key Renewal - 3600

If you don't believe me, at least believe Chris Rock

Although not as good as the line about him not being afraid of "the media" robbing him at an ATM machine, this isn't bad either

“I love Hillary Clinton,” he continued, “but to me she is the Democratic version of George Bush: someone who is running, and the only reason you know who this person is is because of their name.”

But seriously, Check out Obama's latest speech from Iowa

That's the kind of change that's more than just rhetoric - that's change you can believe in. It's change that won't just come from more anger at Washington or turning up the heat on Republicans. There's no shortage of anger and bluster and bitter partisanship out there. We don't need more heat. We need more light. I've learned in my life that you can stand firm in your principles while still reaching out to those who might not always agree with you. And although the Republican operatives in Washington might not be interested in hearing what we have to say, I think Republican and independent voters outside of Washington are. That's the once-in-a-generation opportunity we have in this election.

I've been pretty cynical about politics (and most things over the years) but I actually contributed a few bucks to his campaign. I haven't decided who I'll vote for (or if I'll even vote) but I do know for damn sure who won't be getting my vote: Clinton or Romney.

Wednesday, December 26, 2007

Novatel u727 on Debian Etch

I previously blogged on getting this card working on Ubuntu but obviously nobody tried my instructions because it wouldn't have worked. The bizarre thing is that in order to get the USB serial devices to show up, you have to first mount the "Novatel CD" device that gets detected, unmount it, and then eject it. This only has to be done once after the device is powered up ( meaning if you unplug it) so here is what I added to the /etc/rc.local an old Optiplex 100 running Etch so things get automatically setup.

if mount /dev/sr0 -t iso9660 /mnt
then
echo "Found Novatel u727"
sleep 3
umount /dev/sr0
eject /dev/sr0
sleep 10
pppd call sprint
fi

The only thing left is to add an iptables commnad to masquerade everything out the ppp0 interface and I have my backup EVDO gateway. Well and change the default route on a box or two -- or get VRRP working.

So the next time RCN hits the fan (must have been the weather) I'll power up this box and plugin the EVDO adapter and I'll be good to go.

Sunday, December 23, 2007

Aspen: A Python Web Server You Can Get Excited About



A year ago (or at least over Christmas and New Years) I was playing a lot with Django (and reading about WSGI) so its fitting I ran across Aspen.


Aspen is designed around the idea that there are basically two kinds of websites, publications and applications, differentiated by their organization and interface models. A publication website organizes information into individual pages within a hierarchical folder structure that one navigates by browsing. In an application website, on the other hand, data is not organized into hierarchical pages but is dealt with via a non-browsing interface such as a search box.

The HTML version of this documentation is an example of a publication website: a number of hypertext documents organized into sections. If we weren't using LaTeX (or if I knew how to use it better), the sections would probably be encoded in folders. Gmail is a pure application website, one which organizes and presents information non-hierarchically. Most websites, however, are hybrids. That is, within an overall hierarchical organization you will find both individual pages of information as well as applications such as a site search feature, or a threaded discussion forum.

Publication websites are actually a subset of application websites, of course. An application site can use any interface metaphor; a publication is an application that uses the familiar folder/page metaphor to organize and present its information. Therefore, every website is fundamentally an application.

Aspen enables the full range of websites: publications, applications, and hybrids. It uses the filesystem for the hierarchical structure of publication and hybrid websites, and provides a mechanism for including applications within that hierarchy.


Based on the screencast, it looks very cool. Why? It is so un-Ruby: well documented, it supports multiple frameworks (a Python HTTP server that support PHP!) and Conan O'Brien-style talking faces. Hopefully I'll be able to squeeze some time away from baby care to play around with it.

Saturday, December 22, 2007

Open Source NAC and A [Kind of/Sort Of] Agentless Endpoint Posture Assessment for Debuntu Boxes

Previously I described a quite common situation I've encountered where non-compliant laptops and OS's are used by members of security teams, frequently in violation of technology/security policy (anyone else know the term "shadow IT"?) Another use case might by highly-skilled/trusted security consultants that could own your ass if they wanted to and probably already have the keys to the kingdom. A reader noted that one solution would be just to grant an exception to policy for these [already] trusted users, but this doesn't sit too well with me.

I personally would like to have some additional layer of monitoring above and beyond good-faith adherence to policy and the desire to do the right thing. The various Open Source NAC toolsets that are out there (many which seem to be developed within Universities) such as packetfence, FreeNAC, or RINGS seem like overkill and clearly inappropriate for this sort of user base.

What I had in mind was something much lighter weight that:
  • Runs with user-level privileges
  • Requires minimal level of installation, perhaps simple Ruby/Python script minimal to no third party libraries
  • Communicates to a server vs. having the server interrogate the client (i.e. no agent listening for connections back from a centralized server)
  • Provides flexible execution (run as a startup script or within desktop environment, gnome-session something or other)
  • User authentication against to some sort of directory server (so we can associate a given endpoint with a user)
An initial environment would be Debian/Ubuntu (although OSX would be nice, too) that could provide the following information to a Rails/Django web app
  • Linux kernel version and running kernel modules
  • Last apt-get update
  • Hardware (both real and virtual)
  • Whether or not filesystem encryption is enabled (look for /dev/mapper stuff)
  • Information about packages (such as the output of a dpkg -l)
  • Listening services (netstat or lsof)
  • Network information (interfaces, routing)
This assumes that there is something NAC-like (in the sense of segregating non-compliant PC's to a certain network/tunnel) or that users will voluntarily run some sort of script upon login.

That being said, as easy as this is to imagine, I'm sort of ambivalent about the usefulness of something like this (perhaps I've heard too many of the arguments about NAC "fighting the last war"), but it doesn't seem like it would be terribly difficult or time consuming to whip up a small client script that pulled together some basic Linux system information and sent it to a CRUD webapp to provide some basic auditing and reporting. And it wouldn't be much of a stretch to add some policy definition/enforcement based on the data or tie it to a iptables/PF box with anchors to implement different access profiles. Obviously, unlike most of the commercial (or even the Open Source) NAC solutions) this is a L3, n-hop-away solution. No 802.1x, no DHCP, no VLAN assignment, but it is actually deployable and might immediately provide some useful (and perhaps even actionable) information that is higher fidelity than a scan the endpoint with Nmap/Non-Auth Nessus or use passive device/app fingerprinting which seems a waste of time for the problem at hand.

Is there anything out there along these lines?

Thursday, December 20, 2007

Sprint Novatel u727 on Ubuntu 7.10

Add vendor and product options to /etc/modules

usbserial vendor=0x1410 product=0x4100

Disable automounting of USB serial devices with gnome-volume-properties

Otherwise the USB Serial devices won't show up and you would have to unmount WTF that image that is being mounted from the

Create /etc/ppp/peers/sprint
/dev/ttyUSB0 # modem
115200 # speed
921600 # works, abt 60kbytes/sec on S620
#1036800 # doesn't work
defaultroute # use cellular network for default route
usepeerdns # use the DNS servers from the remote network
nodetach # keep pppd in the foreground
crtscts # hardware flow control
lock # lock the serial port
noauth # don't expect the modem to authenticate itself
local # don't use Carrier Detect or Data Terminal Ready
user
ppp
#passive
debug
lcp-echo-failure 4 # prevent timeouts (1of2)
lcp-echo-interval 65535 # prevent timeouts (2of2)
connect "/usr/sbin/chat -v -f /etc/chatscripts/sprint-connect"

Create /etc/chatscripts/sprint-connect

TIMEOUT 10
ABORT 'BUSY'
ABORT 'NO ANSWER'
ABORT 'ERROR'
SAY 'Starting SPRINT connect script\n'

# Get the modem's attention and reset it.
"" 'ATZ'
# E0=No echo, V1=English result codes
#OK 'ATE0V1'

OK 'ATDT#777'
CONNECT

Start pppd

root@gutsy61:~# pppd call sprint
Starting SPRINT connect script
Serial connection established.
using channel 1
Using interface ppp0
Connect: ppp0 <--> /dev/ttyUSB0

I might add links to the source materials (cause I obviously didn't come up with this all on my own) but this should work.

Hello Sprint EVDO Goodbye AT&T DSL!



Although I haven't yet managed to cancel my AT&T DSL order yet (I only had 5-6 hops before giving up, which reminded me of the reason I a year ago never to use them again) but after 24 hours I've given up. The service tech was nice enough, but DSL Self Install kit never arrived and I could never get a dial tone. Maybe the three daisy-chained telephone network interfaces had something to do with it. Or maybe it was the rats nest mix of Cat 5 and 1950's era kit, but I started looking for wireless alternatives. I've only been logged with the Novatal U727 (on my Powerbook, it supposedly works with Linux, too) for 32 minutes but so far so good.

Wednesday, December 19, 2007

WTF is "spock power" and why does it think I know Wietse Venema?

Well some folks in my LinkedIn network are now sending me spock trust invitations. Sure why not? Live on the edge. Invite more identity theft. Some of the obvious differences (besides all the tagging) between LinkedIn are that (I guess) you can trust someone and they might not trust you and that you (and your community?) can vote on various attributes (tags?). Another nice feature was the automatically generated (via google) content that you can also vote on. For example I was able to vote down a Matthew Franz's (in Arizona) MySpace page. Maybe I should get one of those too, assuming they let folks over 30 even use it. Nah.

Tuesday, December 18, 2007

Smartphones, Dementia, and the Demise of the PDA Market


I've never been a fan of $300 phones that can easily be dropped [into a bathtub] by your kids, or eaten by your dog but I ordered one of the Palm Centro's (from Sprint) over the weekend. Of course I had to cancel the order because not only did boneheads at Sprint interrupt an important call with my son's Dr. yesterday to confirm the order I placed over the weekend, but they wanted me to fax a copy of my drivers license and a bank statement F--- that. Like I have time to fax something somewhere. And I'm certainly not going to give them a bank statement. Why the hell do they need that if they've already done a credit check?

But, basically, I have felt like I've been losing my mind.

I have assumed most of the administrative/transportation/[child|pet]care duties while my wife recovers from the C-section. I can't remember names. I don't have all the phone numbers of neighbors, zillions of school officials I'm dealing with, various meds, and I only can only remember the times of appointments to the nearest 4 hour granularity.

I needed a PDA! That will solve my problems. But who uses PDA's anymore? Do they even sell them? Or perhaps a phone with decently calendaring and todo lists. That's all I want. No MP3 player. No camera. No shitty web browser. Why don't these devices exist? There were a couple of Samsung's (since the first little Startec I had when I worked at SBC I have loathed Motorola devices) that might have worked, but I don't want to sign another contract to get a decent price.

So I desperation, I picked up a Z22 (you can't spit without running across a Best Buy on this side of town, but good luck finding a Sprint store, of course now I just realized they sell Centro's at Best Buy, but no matter). Small and $99 and I didn't need to get new cell service. Whether or not it actually works, the GTD principle of dumping as much of the things you have to do/decide to do onto paper (or some electronic form) to avoid thinking about them (as a means of de-cluttering and de-stressing) has always seemed appealing. And it appears to be working.

And the Z22 feels very comfortable and soothing. I've had 5-6 PalmOS devices over the last decade. My 2nd CLIE was pro bably the best (before my dog cracked the screen) but Sony exited the market 3-4 years ago. It is a shame, because palm got a so many things right: a simple desktop and graffiti. I have looked at Window Mobile, Pocket PC, or WTF it is called but it just feels klunky. And of course you can't sync to Linux or use something like JPilot or pilot-link right?

Monday, December 17, 2007

Quick Blog Break to Retain Sanity (and Ron Paul cracks $12 million)

Back in May I first blogged on Paul. BTW, the number of political blogs are directly proportional to the stresses and strains of everyday living, but who would have thought they'd play Bush as Paul crosses 12 Million (Youtube video) and gets Andrew Sullivan's endorsement

But the deeper reason to support Ron Paul is a simple one. The great forgotten principles of the current Republican party are freedom and toleration. Paul's federalism, his deep suspicion of Washington power, his resistance to government spending, debt and inflation, his ability to grasp that not all human problems are soluble, least of all by government: these are principles that made me a conservative in the first place. No one in the current field articulates them as clearly and understands them as deeply as Paul. He is a man of faith who nonetheless sees a clear line between religion and politics. More than all this, he has somehow ignited a new movement of those who love freedom and want to rescue it from the do-gooding bromides of the left and the Christianist meddling of the right. The Paulites' enthusiasm for liberty, their unapologetic defense of core conservative principles, their awareness that in the new millennium, these principles of small government, self-reliance, cultural pluralism, and a humble foreign policy are more necessary than ever - no lover of liberty can stand by and not join them.
He's the real thing in a world of fakes and frauds. And in a primary campaign where the very future of conservatism is at stake, that cannot be ignored. In fact, it demands support.



Paul is likable enough, but I'd still have side with the only other authentic candidate on the Republican side. I mean I like crazy (McCain, like Paul has that sort of crazy edge) but Paul is just too out there. But I doubt either will get the nomination, barring a miracle. Of course the amazing thing is that (about 14 hours into my wife's labor) we watched the last Republican debate and she actually liked Huckabee. (And she will vote for Hillary, if she gets the nomination) And I'm still struggling with how the Christian Right can actually support him, when he sounds socially (if probably not culturally) liberal enough. Weird.

Back to the kid-ferry.

Sunday, December 16, 2007

Into the World


I've gotten hooked on Andrew Sullivan's the View from your window so I thought I'd add mine.

The snow has finally stopped and we are going home.

Thursday, December 13, 2007

Welcome Samuel Austin!




12/12 @ 10:38 CST - 8 lbs 14 oz much bigger than expected!


(Would have got this up sooner but had to setup a quick squid over SSH to get through websense)

Tuesday, December 11, 2007

AntiDote for Bad Customer Service Experience and Icy Roads

Between dealing with RCN and a clueless United Behavioral Health rep yesterday thinking I last had service in 2001 (this is my first bad experience with them, otherwise they are awesome and kick Magellan's ass) there is a need for some humor so check out the Immanual Kant Attack Ad (by Nietzsche) and Ron Paul's favorite Super Hero and Andrew Young's absurd comments on [Bill] Clinton and Obama who claims he was the first black president because he has slept with more black women than Obama.

Oh and on the not funny (but reassuring that conservative support for Obama is not a vast right wing conspiracy) this National Review article mocking the Messianic Obama.

Unfortunately, must leave warm Panera, get on the icy roads, and go to work.

RCN Cable Internet: Fun while it lasted



I knew I should have learned more about Cable when I was at Cisco (although I vaguely remember trolling EDCS for one of my projects so the CMTS acronym sounds familiar) but my 2nd attempt at using Cable provider is coming to an end, anyway. After 10 months of nearly blip-free service (not bad for $29.95 a month) with RCN, things have gone to hell in the last week. God I miss Speakeasy, but a year after swearing never to give another dime to AT&T/SBC, signed up for AT&T Yahoo DSL and even bought one of their little gateways so I don't have to muck with PPPoE (I hope) over the weekend just in case. I don't look forward to dealing with AT&T but what can you do? Maybe two shitty $29.95 Internet Services are better than a single decent $55/month service. And we'll actually have a land line for a change.

Although working as first line support for a consumer Internet provider (even if you are offshore) must suck, it was a surreal experience dealing with them for 3 hours last night, but I did learn a little bit about these mysterious cable modems

Toshiba Cable Modem Diagnostics Page

CM Info: MODEL PCX2500 ; HW_REV 9.2.3 ; SW_REV 1.0.14
MAC Address 00-00-39-xx-xx-xx SerialNO. 3316470xxx Version Capability D1.0

CmStatus:todEstablished ServerBootState:waitingForTftp
sysUptime:0d:00h:02m:15s CMTS MAC Address:00-30-B8-C6-EB-90
Last CmStatus - prior reset:

Power Level:
Received: -13.1 dBmV Transmitted: 45.1 dBmV

Received SNR: 28.0 dB

Frequency:
Downstream: 735.000 MHz Upstream: 33.000 MHz

User Set Parameter:
Polling Time: No Polling

So besides the high packet loss, on all my devices (2 routers and 2 different laptops) I kept getting leases for 192.168.100.2 (the tech support folks said it must be a configuration error on my end) which reminded me AirLink Cellular Modems we used in the SCADA Honeynet, where the modem itself has a DHCP server which temporarily assigns you a private address before forwarding your DHCP requests and then turning into bridge mode (or whatever) and then your interface finally gets a public address. So I unplugged the coax and sure enough I got a private address (192.168.100.1 was the router) did a quick TCP scan and found the web server up (see the display above) Didn't bother with UDP, would probably find TFTP and some other stuff. Of course one of the bizarre things was that at some point during all my troubleshooting I saw the 172.30.88.1 (the tech said this was also the Cable modem) attempting to ping a 208.x.x.x address. But I saw that on the Ethernet side? Something clearly must not have been well on the modem. And try as I could, I ended up hanging up, because there was obviously going to be no resolution.

Saturday, December 08, 2007

Saint Barack of Iowa


So after reading the latest cover story on Obama it's starting to get creepy how how the conservative press (and perhaps even certain kinds of conservatives, which I am probably one) are fawning over Obama. What is up with this? Is this support real or is a cynical Anything But Hillary agenda based on the foregone conclusion that the Republicans have no chance in '08.

In my case, I've only voted in two Presidential elections since I was of age (1988 and 2004) and I voted for a Bush in both, but real soon now you are likely to see Obama '08 bumper stickers on both our blue Hondas and I might even contribute 25 bucks. Both would be a first for me and this might be the explanation of why someone who can't help find Rumsfeld and Cheney amusing (and not frightening) would even consider Obama

This is the Obama trick, and it explains why, despite his very liberal voting record in the Senate (and in the Illinois Senate before that), he is not viewed as a left-wing ideologue. When a student asks Obama for his views on the Second Amendment, he reminds his audience that he taught constitutional law at the University of Chicago and is thus familiar with the arguments regarding the right to bear arms. He acknowledges "a tradition of gun ownership in this country that can be respected," and says that his academic studies convinced him gun ownership "is an individual right and not just the right of a militia."


Or perhaps I'm just politically schizophrenic, since I certainly do not agree with his entire platform -- particularly on Iraq, which I'm much more in line with McCain. Of course my strange enthusiasm for Obama (although I'm ambivalent about his speech at Google but I did like his "not bubble sort" answer to a Google interview question) leads to some interesting discussions with my wife who "likes" Obama (and has actually read his memoir, I have not) but is willing to settle for Hillary because she thinks Obama is unelectable. And she thinks the "Republican machine would crush him." She also thinks McCain will be the Republican candidate. I wish that were the case (and I liked McCain in 2000) but it ain't gonna happen.

Wednesday, December 05, 2007

SCADA Compromise in 08? Bring it On!


So as yet another sign that SCADA is out of the closet, it made Hoff's 2008 [In]Security Predictions.

Be-Afraid-A of a SCADA compromise...the lunatics are running the asylum! Remember that leaked DHS "turn your generator into a roman candle" video that circulated a couple of months ago? Get ready to see the real thing on prime time news at 11. We've got decades of legacy controls just waiting for the wrong guy to flip the right switch. We just saw an "insider" of a major water utility do naughty things, imagine if someone really motivated popped some goofy pills and started playing Tetris with the power grid...imagine what all those little SCADA doodads are hooked to...


Call me cynical, but was has changed to make things worse in the last five years that would increase the liklihood of a "SCADA Compromise" (WTF that means). While things are probably different (meaning better, more rational) inside in large asset owners, in public forums the IT vs. Control System debate is as unealthy as it was back in 2003. Many control systems folks are still intent on making broad generalizations based their own bad experience with "IT".

What we're seeing here is a clash of technological focus and philosophies. IT departments don't do risk analysis the way Control Engineers do. Often things are replaced only because they're going to be out of date real soon now. Many throw software and servers at the wall until something useful sticks. I've heard estimates that up to 1/3 of all IT projects are regarded as failures. Few seem to see anything wrong with this. They take the risk anyway, knowing that the payoff can be very lucrative. Conversely, the control engineer tends to run a risk analysis on everything before making a move. They're very conservative and often don't change anything unless there are no parts for it any more and they've run out of spares. Their bosses are penny pinchers. They won't spend money to invest in anything that isn't broken.


and
And the fundamental difference between the IT department and the industrial control system engineer is that the engineers usually work at the application level. There is very little knowledge of the OS under the hood.

It pretty easy to come of with counterexamples for these. For every Areva admin that has no clue about Windows 2000 and TPKT/COTP, I'll bet there is an Oracle DBA that is equally clueless about Solaris 2.8 and TCP/IP.

But the more interesting question of about high visibility critical infrastructure compromise scenarios is why they aren't happening vs. how they could happen.

Tuesday, December 04, 2007

Conveniance Laptops/Operating Systems in the Enterprise



In most of the [security] teams I've been a part of in large companies, the first step an engineer would do upon receipt of new hardware (whether lease or purchase) was to immediately purge the box of the official corporate (always Windows) install and install your own OS (typically some Linux flavor, but perhaps BSD). More recently, you might purchase you own hardware (often a Mac) possibly in clear violation of the corporate security policy.

If you needed a rationale, it was because the standard IT image didn't allow you to do your job. Yeah you might be able to build and run libdnet/libpcap based apps on Windows, but why would you want to. You needed the right network, development, and security tools -- which in an of themselves are most definitely a violation (that is if the policy applied to you, since you were special, you were a security genius!). A fringe benefit was that you were free of the nasty IT-installed agents that suck the life out of laptops and the corporate spyware monitoring your every move. Oh yeah, and you also were more up to date on security packages than the IT build.

So with NAC and other endpoint control regimes designed to stamp out these rogue systems, there is the real possibility of controlling access to campus or remote access networks to "supported systems." What is a passive aggressive security guy to do? Sure, there are ways to subvert these controls, but you want to do the right thing, sort of. It is one thing to simply ignore policies that really weren't designed for you in the first place. It is another to actively thwart countermeasures. And then there is stuff in between like reverse engineering the "software token" so that a Linux user can enjoy the benefits of hardware token free authentication that the Windows users enjoyed.

And no this last example wasn't me (I'm not smart or motivated enough) but you know who you are!

Sunday, December 02, 2007

Control System Security: Two Man Enter One Man Leave



Because I know a lot of the players and because its sort of quaint, I continue to follow the trials and tribulations of "SCADA Security" community I used to be part of while I was at Cisco and later, Digital Bond. I'd love to do the color commentary, but I'll just hit the highlights and let you make up your own mind. But believe me I am biting my tongue.

I'm assuming this whole spat started with Dale's Blog on a Wonderware NetDDE Vulnerability which led to Joe's Weiss Cybersecurity disclosures– the game everybody can play:

The way that the cybersecurity establishment has presented the Wonderware disclosure on the Digital Bond website clearly shows the lack of control system expertise in the cybersecurity “industry.” It IS an industry, and it is filled with people from IT security and cryptographic analysis backgrounds who have rarely, if ever, set foot in a control room for a process plant, refinery, or power plant.

It isn’t enough to be able to understand a vulnerability. It is every bit as important to understand the relative danger of the vulnerability IN CONTROL SYSTEMS. For example, the Wonderware disclosure isn’t very dangerous. Why not? Because the vulnerability disclosed is limited to a very small population of control systems using an outdated version of the Wonderware software. Like the ICONICS issue, revealing a vulnerability without a corresponding assessment of its impact is not only detrimental, but could be viewed (and certainly would be by Wonderware and ICONICS, for example) as unnecessarily injurious to their brands.

Which was followed by an exchange between Dale and Walt that almost didn't happen.
We have a serious problem in cybersecurity in control systems…we don’t have enough “cybersecurity experts” who know anything about process control or factory automation. We have a bunch of soi-disant experts who descended on control systems (remember, they’re the guys who thought every control system was “SCADA”?) because they saw a big market, and have been spreading FUD ever since. Recently, a Wonderware vulnerability has been disclosed, and the disclosure is making the rounds. Several months ago, an ICONICS vulnerability was disclosed, causing ICONICS significant distress. Why? Well in both cases, the vulnerability was, although accurately described, not dangerous.

Followed by Walt's attempt to trick Dale (and preach to the choir) on the Australian SCADA Mailing List

Since you have referenced the exchange Dale and I have had on my blog, I'm curious to hear YOUR answer to the question I kept asking Dale, and he kept not answering.

Here's what I asked, repeatedly. "Do you disagree with my premise: that in order to adequately advise people about cybersecurity in the process industries, significant familiarity with those industries and control systems is required?"

Dale didn't answer. I'd be delighted to hear others' answers.

What's behind all of this. Maybe we we are at a tipping point of some sorts. a power shift? All this talk of "the establishment." Perhaps we are at that point in martial arts movies where blood is dripping down over one of the fighter's eyes and he starts to get desperate and defensive. And then swing wildly. This is also before he cracks his neck with his hands and motions with both fingers to "bring it on." Before getting kicked in the head. And then the credits scroll.

Or perhaps it is just the same inane "IT vs. SCADA" conversation that has been raging for the past 5 years.

Yeah Jjakpae is an awesome Korean martial arts (taekwandoe) movie. A must see.

Saturday, December 01, 2007

Using Hashes Like it is 1999

This week I picked up [what I thought would be] a quick logfile analysis task. Things started out great. I took the time to look at the logfile format and generalized 4-5 different messages (with appropriate regexes to get the data I needed) generated by the security device. Next I extended a basic "logrunner" class I wrote last month for analyzing the debug output from the Intel FreeBSD drivers (basically you do some sysctl's and it dumps some kernel messages to see counters missed, received packets--much better than netstat).

In my logrunner class, you basically can "attach" various simple regex matches and a symbol and you get a nice hash back with the values you want and it hides all the low-level details of matching or handling time stamps, etc. (HINT: If you are mucking with syslog files in Ruby and you are not using the Time API, you are a fool, but I digress).

After a few hours in I thought things were going fine, before some distractions kept me from working on it again until until the next afternoon (I overconfidently estimated this would take about 4 hours from start to finish), so I was in a rush. The initial desire to develop something be a more general purpose tool and that was designed properly was replaced with the brute force, quick hack, get-r-done approach.

I ended up iterating through the output hashes output by the logrunner tool to create more hashes some with the IP address as a key, others with a username as the key. And all of this pointed to at least another hash (or two) so I ended up with something like:

blah[blah][blah] = { 1 => { a => b, c => d }, 3 => { a=> q, d => z } }

This would have been a trivial task except there was no single session identifier (or even username or IP address) on each line that I could tie the various pieces of data together. Then I kept getting confused (and alternating between |k| and |k,v| with my Ruby blocks) it took my longer than I had hoped but I was done in about 7. I had the output I wanted. Went from a few hundred megs of logs to a nice Excel-friendly CSV file. And I thought I was done.

Until Friday afternoon, when I found it some additional data was needed. Extracting the data wasn't a problem (that was done in 5 minutes), but correlating it and getting the report format was. Should I add another hash? Redefine the hashes I'd written? Five o'clock on Friday (with restless hungry kids) is not a time for clarity of thought, but this morning I realized the Ruby I was written was as unreadable as the Perl I used to write back in the day.

Spending the afternoon driving out in the snow which turned to sleet which turned to rain finally beat some sense into me. I mapped out the data on paper (this time) and did right. Came up with 6 simple classes (2 base and 4 sub) to abstract away the hashes and ended up with less than 1/10th of the lines of code in the main loop and a 1/3 of the iterations. Nothing fancy, no Ruby foo, nothing that couldn't be done in Python. And the code is actually readable. The moral of the story? If you are using hashes 4-6 levels deep you have a problem. Stop, step away from the keyboard and come up with a cleaner design. Do it right the first time, you won't regret it. Because quick hacks have a funny way of running on systems for a long, long time.

Wednesday, November 28, 2007

File IO in Dynamic Languages or Fun Political You Tube?



Forget about Simple File IO in Dynamic Language when you've got a very pregnant wife with a bad YouTube habit, you are bound to find some good shit.

Tonight it is Clifton's Notes (and if you don't get his schtick you obviously don't know who Cornel West is) from David McMillan.

This guy is a genius.

Tuesday, November 27, 2007

Must Read Atlantic Piece on Obama


Andrew Sullivan get's really gets it. You must read Goodbye to All That in The Atlantic (which like the Economist is is about the only thing worth buying in airports--how can anyone read Wired after 9/11, oh for the shiny happy 90s).

As someone a few years shy of 40, he really nails on the need to get over the debates of the 1960s and the concerns of our parents, the baby boomers.
At its best, the Obama candidacy is about ending a war—not so much the war in Iraq, which now has a mo­mentum that will propel the occupation into the next decade—but the war within America that has prevailed since Vietnam and that shows dangerous signs of intensifying, a nonviolent civil war that has crippled America at the very time the world needs it most. It is a war about war—and about culture and about religion and about race. And in that war, Obama—and Obama alone—offers the possibility of a truce.
However many irrational political arguments (although they happen much less frequently now) I've had with my wife, we agree on Obama. His authenticity (most recently his comments on "inhaling" were a case in point).

And on the surface, this Obama "soft power" War on Terror seems compelling:
It’s November 2008. A young Pakistani Muslim is watching television and sees that this man—Barack Hussein Obama—is the new face of America. In one simple image, America’s soft power has been ratcheted up not a notch, but a logarithm. A brown-skinned man whose father was an African, who grew up in Indonesia and Hawaii, who attended a majority-Muslim school as a boy, is now the alleged enemy. If you wanted the crudest but most effective weapon against the demonization of America that fuels Islamist ideology, Obama’s face gets close. It proves them wrong about what America is in ways no words can.
And the willingness of Independents (who might lean more Rep than Dem) on some issues, putting the issues aside

Of the viable national candidates, only Obama and possibly McCain have the potential to bridge this widening partisan gulf. Polling reveals Obama to be the favored Democrat among Republicans.... It isn’t about his policies as such; it is about his person. They are prepared to set their own ideological preferences to one side in favor of what Obama offers America in a critical moment in our dealings with the rest of the world. The war today matters enormously. The war of the last generation? Not so much. If you are an American who yearns to finally get beyond the symbolic battles of the Boomer generation and face today’s actual problems, Obama may be your man.
And on Senator Clinton:
Her liberalism is warped by what you might call a Political Post-Traumatic Stress Syndrome. Reagan spooked people on the left, especially those, like Clinton, who were interested primarily in winning power. She has internalized what most Democrats of her generation have internalized: They suspect that the majority is not with them, and so some quotient of discretion, fear, or plain deception is required if they are to advance their objectives. And so the less-adept ones seem deceptive, and the more-practiced ones, like Clinton, exhibit the plastic-ness and inauthenticity that still plague her candidacy. She’s hiding her true feelings. We know it, she knows we know it, and there is no way out of it.
And on Obama's authentic spirituality
To be able to express this kind of religious conviction without disturbing or alienating the growing phalanx of secular voters, especially on the left, is quite an achievement. As he said in 2006, “Faith doesn’t mean that you don’t have doubts.” To deploy the rhetoric of Evangelicalism while eschewing its occasional anti-intellectualism and hubristic certainty is as rare as it is exhilarating. It is both an intellectual achievement, because Obama has clearly attempted to wrestle a modern Christianity from the encumbrances and anachronisms of its past, and an American achievement, because it was forged in the only American institution where conservative theology and the Democratic Party still communicate: the black church.
And the final pargraphs on the stakes of the waning years of the first decade of the 21st century

The paradox is that Hillary makes far more sense if you believe that times are actually pretty good. If you believe that America’s current crisis is not a deep one, if you think that pragmatism alone will be enough to navigate a world on the verge of even more religious warfare, if you believe that today’s ideological polarization is not dangerous, and that what appears dark today is an illusion fostered by the lingering trauma of the Bush presidency, then the argument for Obama is not that strong. Clinton will do. And a Clinton-Giuliani race could be as invigorating as it is utterly predictable.

But if you sense, as I do, that greater danger lies ahead, and that our divisions and recent history have combined to make the American polity and constitutional order increasingly vulnerable, then the calculus of risk changes. Sometimes, when the world is changing rapidly, the greater risk is caution. Close-up in this election campaign, Obama is unlikely. From a distance, he is necessary. At a time when America’s estrangement from the world risks tipping into dangerous imbalance, when a country at war with lethal enemies is also increasingly at war with itself, when humankind’s spiritual yearnings veer between an excess of certainty and an inability to believe anything at all, and when sectarian and racial divides seem as intractable as ever, a man who is a bridge between these worlds may be indispensable.

We may in fact have finally found that bridge to the 21st century that Bill Clinton told us about. Its name is Obama.

I fear the future of a rematch from the past

Sunday, November 25, 2007

Syslog-ng For Dummies (or SCADA Folks)

Continuing on the cleaning up my home network (aka Dummy!) theme , I decided to turn on remote syslog from one of my routers. We use syslog-ng on a lot of our boxes at work, but I've never actually configured it on any my Debian/Ubuntu boxes at home. How hard could it be? (HINT: A hell of a lot easier than on *BSD or *&$%*! Solaris)

1) Install the package

apt-get install syslog-ng

This removes the default syslogd and creates a nice config file in /etc/syslog-ng/syslog.conf that mirrors (I think) your old syslog.conf

2) Enable remote UDP syslog:

Uncomment the udp() line in s_all

3) Add a destination

destination my_cisco { file ("/var/log/851.log"); };

4) Add the filter to grab stuff from my router

filter f_my_cisco { host("192.168.169.1"); };

5) Put them all together at the end of the file:

log {
source(s_all);
filter(f_my_cisco);
destination(my_cisco);
};

Oh if you are wondering about the SCADA/Dummy in the title. It refers to a thread on Server Monitoring on the SCADA Mailing list and the frequent tendency for control system folks to do a "default deny" and reject mature technologies (firewall, AV, IDS) or practices (patching security vulnerabilities or public disclosure of vulns by CERT/CC) as "office" or "IT" and therefore completely inappropriate for consideration in control system devices, applications, servers, networks, etc. Or perhaps it is just the light, or lack thereof, this far North.

851 ISR's use SNTP Dummy!



So I've configured NTP on quite a few Cisco and non-Cisco devices and I expected it to be an "ntp ?" away. NTP was only mentioned in the ports reference in the configuration guide and I didn't feel like resetting/remembering my password to be able to check the good old IOS feature navigator.


sntp server 192.168.100.100


851w#conf t
Enter configuration commands, one per line. End with CNTL/Z.
851w(config)#sntp ?
broadcast Configure SNTP broadcast services
logging Enable SNTP message logging
multicast Configure SNTP multicast services
server Configure SNTP server
source-interface Configure interface for source address


Of course this worked like a charm on one of my 851's but the other (with a nearly) identical config (I hope) is still having problems both syncing time from that router and through the router (ntpdate's are failing from a Linux box behind it, no NAT) although the packet traces superficially look fine. The other oddity is that the OpenWRT box that is front-ending (as in iptables-masquerading) all of these (as well as a Linksys AP, probably VXWorks based) is occasionally sourcing some of the NTP traffic from UDP port 6 -- or at least that is what the tcpdump from OpenWRT says, which *can't* be right. Can it?

Tuesday, November 20, 2007

Best Small Case for 14" T-61/MacBook



A month ago I lamented the lack of a perfect case for my Thinkpad. Basically I wanted something small, very snug that I could fit the power supply, some tiny crap (like cell phone, secureid, or keys or whatever) when I didn't want to carry a backpack. I was hoping for something under $75 but I didn't find it, plus I just trust Booq for good gear so I ended up going with the Boa Slimcase M even if I though it might be a bit smug. The rep online suggested a bigger XL, and that would have been a mistake. Oh and it also fit MacBooks just fine.

Saturday, November 17, 2007

Only 12 Beds? (and "the West" of Jack Burden)



Call me crazy, but you'd think childhood psychiatric units in major hospitals on the rich, white side of the third largest city in America would have more than 12 "beds" each for inpatient care. But that seems to be a magic number. Wonder how they came up with that? Highland Park, Lincoln Park, and Park Ridge. Like hell I'm driving down to Rush or even bothering to give them a call. No room in the inn. One of the more surreal experiences: "we've got 20-30 kids in the emergency room, it's the crazy time of the year." Tell me about it.

I remember being surprised hearing about the low number (maybe less than a 100) of "beds" (are these "beds" individual rooms or two neat rows of six where they strap screaming kids down) available in post-Katrina New Orleans (and all the mayhem that ensues), but I guess that is the state of mental health care system in America. Which is something I've been meaning to blog on for a while, cause I've got some stories to tell. And folks think the "normal" health care system is messed up?

But things are strangely peaceful as I struggle to assemble cheap Ikea dresser, in preparation for the baby (my daughter urging me to get back to work) listening to the title track Lucinda Williams latest album:

Who knows what the future holds
Or where the cards may fall
But if you don’t come out west and see
You’ll never know at all

I look off in the distance
And blow a kiss your way
The thousand miles between us
Will disappear some day

I watch as all the starling
Fly in from the north
The beating of their wings
Echoes the beating of my heart

I sleep out in the desert
Under the stars above
And keep making an effort
To wander in your love

Who knows what the future holds
Or where the cards may fall
But if you don’t come out west and see
You’ll never know at all


Every time I hear this song I think of the 6:00 AM American "Nerd Bird" flight from Austin to San Jose. Leave Central Austin by 4:00 AM and be in your first meeting on Tasman by nine as the poor suckers are stuck in traffic on the 101. I loved those flights up over the Hill Country, over the flat West Texas plains, over the Rockies, over the Central Valley, then that last worn line of mountains before that scary approach over downtown. Peace in the sleepy silence of a Super 80. Catch a bit of shut-eye and wake up for an crystaline ice cream sundae if you were lucky enough to upgrade to first class.

That is the west and this westward movement was as close as I've come to Jack Burden's road trip in All the King's Men. And this rainy late Fall/Early Winter evening (the orange leaves, as bright as inthat fight scene between Maggie Cheung and Ziyi Zhang in Hero, neatly raked into piles on the narrow Skokie streets) is as about as far from the West as you can be.

Thursday, November 15, 2007

Ubuntu JeOS: Its the thought that counts



You'd think JeOS wou actually work on Ubuntu and VMWare Server.

"Canonical has produced a robust virtualised OS core in the Ubuntu JeOS Edition that is optimized for virtual appliances," said Dan Chu, vice president of emerging products and markets at VMware. "Virtual Appliances are fundamentally changing how software is developed and deployed, with ISVs now including a thin and highly optimized OS along with their application in a ready-to-run virtual machine. We are excited that Canonical is providing Ubuntu JeOS for vendors interested in building VMware virtual appliances."

But you'd be wrong.

It took three times to get it to install.

And then 3 more times to get a prompt. Oh yeah, notice the (initramfs)


Use Ubuntu Server or a Debian Etch Network Install Boot CD id you want a small distro for appliances.

That actually works.

Wednesday, November 14, 2007

IOS + NET-SNMP v3 = F.U.N. (just like it said on our badge)

Statement: So anything that remotely has anything to do with ASN.1(or perhaps it is International standards organizations) is going to be a pain in the ass.

Explanation: I've been trying to squeeze in here an there some time to get Cacti working with SNMPv3 on my 851 at home (12.4(15)T). I warn you. Don't bother trying to do this intuitively -- meaning just thinking you can fill in the forms and "question mark" your way to getting the config right in IOS. Plus net-snmp command line options are also painful.

But here is how what I got working with with AuthNoPriv with a little bit of help from here. Yeah, don't go to any of the creepy Russian sites that are the top google hits for "net snmp ios snmpv3"

The stuff that shows up in your config will be. You'll probably have to define the views first.

snmp-server group cactigroup v3 auth read readview
snmp-server view readview internet included
snmp-server view readview mib-2 included
snmp-server view readview system included
snmp-server view readview interfaces included
snmp-server view readview chassis included
snmp-server location blah
snmp-server contact donkey


and the line that won't (God Bless the SFB, yeah you know what I'm talking about)


851w(config)#snmp-server user cactiuser cactigroup v3 auth md5 whateverman


And then you can make sure they are there

851w#sh snmp group
groupname: cactigroup security model:v3 auth
readview : readview writeview:
notifyview:
row status: active


851w#sh snmp user

User name: cactiuser
Engine ID: 8000000903000014A40E21BD
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: cactigroup

Oh, and the worst part


mfranz@gutsy61:~$ snmpget -v3 -u cactiuser -l authNoPriv -a md5 -A whateverman 192.168.2.100 system.sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: donkey


Did it work on Cacti, don't know. Must sleep. Ubuntu says 19 minutes of battery left.

Tuesday, November 13, 2007

HEW vs. CSCO (Maddening, I tell you Maddening)




I do not own any Hewitt stock. I do own Cisco, even some ESPP'd at under $10. I was going to sell, some. I swear I was. Right at the tippy top. Not quick enough...

Monday, November 12, 2007

Killing SATA Compatibility Mode on T61

So the default Gutsy Gibbon kernel packages don't enable modules for ahci or the Intel SATA drivers necessary for you on the latest Intel laptop chipsets (like the Santa Rosa used in T-61s and in whatever is used in MacBooks) so you'll have to change the driver to compatibility mode to get it to boot after the install. Since I was used hand-rolled kernels under Etch, I didn't have to do this before. Unfortunately I've encountered some nasty (but temporary) freezes on Gutsy (drive spins for a while, I lose total control) under Gnome. This often happens with VMWare. So I thought compatibility mode might be the culprit.


1) Update /etc/initramfs-tools/modules to include the following:

ahci
ata_piix

2) Rebuild your initramfs

# update-initramfs -k all -u

3) After a reboot, check the modules

mfranz@gutsy61:~$ lsmod | grep ahci
ahci 23300 2
libata 125168 3 ata_generic,ata_piix,ahci

Sunday, November 11, 2007

Quick Thoughts on 170th Diocesan Convention

So it is unfortunate (but not terribly surprising, since most of the time I've had personal experience on some topic that has made it into the mainstream press, they get it wrong) that the headline summing up the two days of the 170th Convention of the Episcopal Diocese of Chicago was "No Lesbian Bishop for Chicago Diocese." The AP news stories on the topic cast the election of the Rev. Jeff Lee as a vote for "the moderate."

But having been at the convention, I don't buy either of these. Moderation maybe, but the tone of the election (and the convention) didn't seem overtly political to me. True, the broader concerns of the Anglican Communion were in the background, bubbling under the surface but the results did not send a strong message (nor should they, in my opinion, either way --) on the ongoing strains over human sexuality and the consecration of openly gay/lesbian bishops.

Although she was an impressive candidate (and she was in my "top 3"), the Very Rev. Tracy Lind just did not make the cut. And this not only means the complex mix organizational/leadership skills, spirituality, the right personality, training and experience -- but the political savvy necessary to build alliances and campaign. I really doubt the final result would have been different if she had not been a lesbian, although it might have taken more ballots and we wouldn't have been through by 2:30 on Saturday afternoon.

This is not only based on the convention but from attending the "walkabout" in Lake Forest last month, where the 8 candidates for the 12th Bishop of Chicago gave short keynotes then entertained questions from members of the diocese in small breakout sessions. In the words of Petero Sabune (who I shifted my vote to in the 2nd ballot, after voting for Lee in the initial ballot) gays and lesbians are "already on the bus." The decision has been made. Some Episcopalians might be uncomfortable with it, but in the parish's I've attended, it is a done deal, they are in. Views on human sexuality was simple not a differentiating issue (at least based on their statements and the way they answered questions) of any of the 6/8 candidates I heard speak.

Sunday, November 04, 2007

Some previously disclosed Cisco CLI Vulns, the joys of youth hockey practice, and fuzzing like a ninja

The highlight of my Sunday is my son's hockey practice at the Skatium here in Skokie. Among the more amusing things that almost always happen:
  • One of the parents (who acts & looks like a coach, but I don't think he is) arguing with the real coach about religion (the parent is a Christian, probably fundamentalist, and the coach is Jewish, I assume)
  • Eight and nine year olds tripping and falling on the ice and occasionally doing some nasty checks on each other (usually unintentionally)
  • The previously mentioned parent (who is out on the ice for some reason, has a flattop and is a damn good skater) doing "hockey stops" (resulting in a shower of ice fragments) in the faces of kids. Today he also banged on his son's knee with his stick shouting "knee's can't get hurt" while his son was flat on his back, not wanting to get up.
All Good stuff. But other than that (and the upcoming election of the 12th Bishop of the Episcopal Diocese of Chicago , today I've been sort of been fixated on CLI vulnerabilities after my last blog entry on the futility of router vuln work in 2008 and Thomas's Quarterly Affirmation (reversing IOS images is not an option for a whole lot of reasons) so I was curious what was out there:

In cisco-sa-20060712-cucm we see this
The CallManager CLI provides a backup management interface to the system in order to diagnose and troubleshoot the primary HTTPS-based management interfaces. The CLI, which runs as the root user, contains two vulnerabilities in the parsing of commands. The first vulnerability may allow an authenticated CUCM administrator to execute arbitrary operating system programs as the root user. The second vulnerability may allow output redirection of a command to a file or a folder specified on the command line.
And in cisco-sa-20010131-arrowpoint-cli-fs
The Cisco CSS11000 must be configured to permit command line access to users by providing a management address and defining user accounts. Once command line access is gained by non privileged users (defined user accounts without administrative privileges), running a command requiring a filename, and providing a filename that is the maximum length of the input buffer can cause the switch to reboot, and a system check to be started which will prevent normal function of the switch for up to 5 minutes. The show script, clear script, show archive, clear archive, show log, and clear log commands are capable of causing the CSS to restart if the specified file name is the maximum length of the input buffer. Cisco Bug ID CSCdt08730.
And from cisco-sa-20060719-mars
The CS-MARS CLI is a restricted shell environment which allows authenticated administrators to perform system maintenance tasks. The CLI contains several privilege escalation vulnerabilities which may allow shell commands to be executed on the underlying appliance operating system with root privileges. These vulnerabilities are documented by Cisco bug IDs CSCsd29111 ( registered customers only) , CSCsd31371 ( registered customers only) , CSCsd31377 ( registered customers only) , CSCsd31392 ( registered customers only) and CSCsd31972 ( registered customers only) .
And Cisco Security Response: Cisco IOS Reload on Regular Expression Processing
Some regular expressions that make use of combined repetition operators ('*' or '+') and pattern recalls ("\1", "\2", etc.) into the same expression may result in a stack overflow on the Cisco IOS regular expression engine. A stack overflow will result in a reload of the device.
Given the ubiquity of dumb (IOS-like) shells on network devices (and not just on Cisco boxes), it would appear that this might be fertile ground for a tool that:
  • Allowed you to connect to various transports (SSH, Telnet, serial)
  • Obviously support authenticated/unauthenticated sessions and configuration modes
  • Using built in command expansion and help documentation, map out the various commands (and their syntax) depending on the helpfulness of the shell you could probably prepopulate various payloads for common configuration parameters that have to be parse (IP addresses, netmasks, hashes, etc.)
  • Could leverage some existing fuzzing/fault injection framework so you would have to generate control characters, malformed arguments, and other sequences
Although this is sort of intriguing, I doubt I have the time to pull this off. And if I've managed sketch up this idea, somebody has probably already written a tool like this somewhere. And if not, it would certainly be a more useful project than what they are teaching the kidz these days at Berkeley. Of course I'm probably just bitter that I couldn't get into any dept. there, let alone that one. Yeah some parent's hard-earned cash is going towards having their little one learn how "fuzz like a Ninja."

Saturday, November 03, 2007

Hacking Vyatta (or is there any interesting router vuln work to be done 2008?)

In one month I will be clean. Straight. Sober. No vuln work for a year. A year ago I was struggling to finish up the ICCP vulnerability paper I presented at S4, although I've had a few tempted a few times in 2007. Like before Fortify released their Java script Hijacking paper, I was sort of of interested in JSON and JSON-RPC.

And yesterday, this absolutely silly Network World article on Vyatta (a Linux based on Open Router platform -- I have another blog entry on Vyatta in progress, we'll see if I ever complete it) but as I was walking with my kids to the park I struggled to come up with anything interesting. After FX, after the BGP work Sean Convery and I did, after "Slipping in the Window," after Mike Lynn, after Gadi Evron's routesec list, after whatever Raven Alder was trying to accomplish with her SchmooCon talk, I'm not sure the point. (NOTE: the last two I list as efforts that might show that the field is played out, exhausted, that there isn't much to be done)

What can (or should) be done security/vuln-wise for commodity routing and switching features. Sure, you could fuzz/audit all the Quagga (or whatever they use) protocols and there are probably some more bugs to be found -- just like there probably are in IOS protocol implementations. If they mucked with lower layer (TCP/IP) protocols, well you could look at that. Yawn! And their web interface is an obvious (but also boring) target. Privilege escalation from within the CLI, maybe? We never had much time for post-auth stuff back in the day. Automated CLI testing (and fuzzing?) seems sort of interesting, if only because it wouldn't be protocol work. If they really had some virtualization features (like Cisco's that might be worth looking at) but just running in VMWare? Come on guys! I dunno maybe there is something to look at in their HA features like their VPN clustering technological or their "protocol sandboxing" (assuming that just doesn't mean each protocol is just running a separate Linux process). Who knows? Maybe I'm just not being creative enough.

Friday, November 02, 2007

Back on Ubuntu Again (on Desktop at least)

So has it only been a little under three years since I first installed Hoary Hedgehog on my T40 while I was still at Cisco? Seems like ages.

But I'm pretty pleased with Gutsy on my T-61. I did the alternative install CD and kept my /home partition (this caused some issues with XFCE and gnome settings) and compiz (which is amazingly snappy) didn't work until I checked out the hint on the Thinkwiki page. VMWare Server 1.04 installed without a hitch. Sound (after modified some perms, since it only works on the user you installed with) Flash and Java installed Fine.

Now if only I could get my kids to go to bed on time and keep my dogs from killing each other, I'd be happy.

Believe or not an 80lb lab mix and and 30lb Boston Terrier is a fair fight.

End of Festung Mac (or the curse of Liberal Arts majors turned security pundits)

Lisa Vaas's article "Fortress Mac is Gone" is typical of the vacuous shit that is out there in response to whatever the name the new trojan is. DaveG provided a much needed corrective to this nonsense.

The subtitle? While I don't know if Ms. Vaas has a BA, I certainly do, but from a decent engineering school, damnit!

And yes I'm still pissed about this blogger captcha.

Thursday, November 01, 2007

OpenBSD Kernel Janitors Sound Good to Me



I must be bored because I'm reading I'm reading openbsd-misc but this kernel janitor thread was pretty classic and almost as good as the one last month when a Google recruiter propositioned Theo.

Here are some quotes although I skipped the good ones:

> > Development is not the same process as writing a whiny mail.
>
> that is a shame. i can probably better understand the relectance to
> re-visit this if it has failed before. perhaps, others are right,
> perhaps linux can tolerate it because it's not as good as openbsd.

and

> i think we'll simply agree to disagree. i personally find it quite
> disheartening to hear the attitude that prevails here but that's the
> community's decision. it certainaly seems to refelect the attitute
> of it's leaders (developers).
>

Consider it the voice of experience (bitter).

Its easy to tell which ones are the programmers.

They write code, then they submit it, it does not suck too much and they
take the suggestions of the current project leads. Then they resubmit
better code.

The rest of us should simply buy CD's, ask and answer the occasional
question, and other wise keep quiet.

And those weren't even the best (the one where Theo tells the n00b he has anger issues, in particular) but this Blogger word verification is pissing me off, but if you want ask some questions to the OpenBSD crowd to stir the pot, here are some ideas:
  • Ask if anyone is interested in porting dpkg/apt to OpenBSD (I actually did the former over the Xmas holidays last year)
  • Ask where the "forums" for OpenBSD are and point to the Ubuntu Forums as examples
  • Ask where the "desktop edition" of OpenBSD, you know the one with the GUI isntaller instead of this

Monday, October 29, 2007

Only 2-3 Weeks from Cyberattack to Cannibalism?




So there's been an amusing thread over on the SCADA mailing list about the interdependencies of various critical infrastructure sectors
Fact is, Los Angeles, Chicago, SFO, Detroit, NYNJ, Boston, WaDC, etc. are two to three weeks away from cannibalism. Any large city will devolve into rioting and block warfare if the power stays off for longer than about 48 to 72 hours. As soon as the stored food is gone, people will die, or other people will kill and eat them.
Maybe Walt has recently read Cormac McCarthy's novel The Road or perhaps he is just tapping into that little voice inside all of us that wants to stock water, food, and ammunition in preparation for the "big one." I wonder if kids that are old enough to appreciate 9/11 have the same fears those of us who grew up during the cold war did?

How many rounds of .223 is enough for your Mini-14? How many plastic milk jugs full of rice will last you until food shows up on the shelves again? Can you ever prepare enough? As for myself, I put my faith in martial law and I have enough real problems (and real madness close at hand) rather than preparing these sorts of fantasies. But if you want to go there, definitely check out this amazingly haunting, spiritual, Pulitzer-prize winning book, which I read in nearly one sitting a few months back:
The clocks stopped at 1:17. A long shear of light and then a series of low concussions. He got up and went to the window. What is it? she said. He didnt answer. He went into the bathroom and threw the lightswitch but the power was already gone. A dull rose glow in the window glass. He dropped to one knee and raided the lever to stop the tub and then turned on the both taps as far as they would go. She was standing in the doorway in her nightwear, clutching the jamb, cradling her belly in one hand. What is it? she said. What is happening?

I dont know.

Why are you talking a bath.

I'm not.
However, it is not what you think. You will not get a linear description of what happened that led the father and son to wander across a ash covered America of the future and encounter various characters out of Mad Max. But there is cannibalism. And infanticide. And it is definitely good read.

Sunday, October 28, 2007

Gutsy Gibbon on Thinkpad T-61: First Impressions




So I'm using the Gutsy Gibbon (Ubuntu 7.10) LiveCD on my Thinkpad right now and I'm quite impressed. I assume much of the stuff that didn't work was because it was a LiveCD? Not sure. In any case this is a significant jump over what I've got with Debian Etch

What worked?
  • Sound card
  • 1440x900 Resolution in X
  • Adobe Flash installation (after adjusting synaptic)
  • Intel 4965 Wireless Card with WPA Personal
  • Brightness Controls

What didn't work?
  • Sun Java5/Java6 Installation
  • Flash Installation
  • Multiple Displays weren't autodetected (not sure if Linux can even do this)
  • Fancy Desktop effects (who cares, since I'll probably install xfce anyway)
What sort of worked?
  • Suspend (on resume screen was really dim)
  • Volume controls (they showed up on the screen but it didn't impact XMMS)

Wednesday, October 24, 2007

I used to think the Internet was wive's tale



Yeah I think I've lost my mind from running one too many script to pull various firewall stats, generate .csv's, then create plots in Excel. (The great think about Ruby is that it makes you so productive that in the time you could use manage to get something working out of CPAN you could write right your own API in Ruby. And of course that is more fun, too.) So of course I think Gabe and Max's Internet thing is pretty hilarious. And I'm not sure why but I could watch this guy all day long.

Who cares about the iPhone/iTouch Web Apps


So this email for the iPhone Development Center just showed up in my Inbox and I'm not sure it was meant to placate folks that want an Open OSX "Mobile" platform, but I found it more infuriating:
  1. I don't want an iPhone, I want an iTouch. Expensive cell phones are for hip 20-somethings that don't have big dogs that eat cell phones (or destroy laptops) or kids that drop your cell phone in the bath tub.
  2. I want offline apps. I want console apps. I want GUI apps. I want apps that don't run in Safari.

Sunday, October 21, 2007

Itouch and Google-Blogger Collusion



And I wondered why I was getting all those hits, but #2?

Crazy.

But I didn't Work All Weekend!



Although I did spend way too much time near Lincolnshire both days. And yeah my daughter's bangs have almost grown out after her "scissor work" during the summer.

Project Work and the Dreaded "Middle Third"

Whether it was doing security testing of [Cisco] products or commercial webapp assessments or conducting some sort of critical infrastructure security research -- the "middle third" was always the worst.

You are stuck between the initial thrilling period of a whole lot of learning and the final culmination of the project where you are wrapping up the deliverables or presenting them to a client -- or to the community. This middle phase is sheer drudgery. Nothing makes sense, everything is up in the air, and you wish you never started the project. But eventually but you will experience enough angst to be able to pull the project together and in the end it will have been all worth while.

And you will repeat the cycle all over again.

I have not yet figured out the curve yet for operational security work, responding to unplanned outages, or administering behind the scenes gear that folks only care about when it is breaking or broken. But it does not follow this pattern. Or if it does the curve is dramatically compressed (perhaps the bipolar cycling patterns of adults vs. children is analogous) so that the initial excitement of kicking off what you thought would be a minor upgrade and the terrifying spiral of unexpected events to the moment of relief when you are back on steady ground and you manage to scrape together some solution to the problem -- all in a matter of a few hours.

Unlike consulting or R&D work this "middle third" is where you find clarity, where you realize in quite concrete terms some of the information (or assumptions) you had was incorrect and you know you would do things differently next time. This is wear the real learning occurs, where mistakes become crystal clear, where things become concrete.

So, yeah its been a busy week and I had to pull another early-morning upgrade today. And I'm exhausted. And how many more weeks of Edens construction?

Sunday, October 14, 2007

Best Vertical Case for 14.1" T-61?

I'm ashamed to say I'm a bit laptop bag snob, so finding a small, sturdy case for my T-61 is proving to be difficult due to its weird dimensions: 9 1/4 x 13 1/8 x 1 3/8 (my measurements, not the official one).

I have a crappy 15.4" Targus sleeve I use when putting it in the laptop compartment of my Boa XM but I want something small for only the laptop like the Booq PowerSleeve XS I have for my 12" PowerBook, when I don't need to carry a backpack.

So far the candidates are the McKlein S Series Transporter (Nylon) Trager Vertical Transporter, Higher Ground 14" Shuttle or the Tom Bihn Vertical Brain Cell (Size 4) or maybe the Booq Natrix SlimCase but that's probably bigger than I want. None of these are cheap, some I'm sure they are all good quality. I'd like to be able to fit the small power adapter somewhere. and have a decent shoulder strap.

Any experiences with these? Or anyone find the perfect case for their 14.1" T-61?

Update on iTouch Hacks



So I previously pondered the feasibility of running non-Apple/webapps on the iTouch (which I looked at again at the Northbrook Apple store last week, and I really like this little devices) and it looks iPhone hacking community is making progress:

Very late tonight (or early, depending on your timezone), we were able to decrypt the iPod Touch/iPhone 1.1.x ramdisks. We are proud to announce the md5 of the asr binary from the 1.1.1 iPhone image, as proof that we do indeed have access to it: 358bf0bd1f1024ed25fa69ced23dab90

As for the actual key, it's sure to pop up in the next few days, keep your eyes peeled.

It's been a long month with many distractions, but we are finally breathing a sigh of relief as we work towards the release our own iPod Touch jailbreak solution, as well as expediting the process of unbricking 1.1.1 phones that were renedered unable use their SIMs after running AnySIM on mobileOSX 1.0.2. Contrary to claims made by the so-called "elite" iPhone development group, we are indeed very dedicated to getting a free and workable solution out to the general public. At the very least, a baseband downgrader should be possible. We understand your frustration, and please don't think for a second that we've forgotten you.

We have been able to install many of the third-party iPhone applications working on the iPod Touch, and can confirm that Mail and Maps work great. Stay tuned for more info on how to add more Apple apps.


Here is the RSS Feed for the wiki so you can track progress..