Sunday, April 27, 2008

Nice Corrective on Clinton Foreign Policy

If you want to stroll memory lane, check out this Nation piece on Clinton foreign policy.

The whole thing is worth reading, but here are some of the highlights I remember from the 90s. In particular I remember Somalia (while I was in college) then the resulting genocide in Rwanda. Remember how they showed all the bodies floating down the river?

Yeah, happy times. Bring back the 90s.
The Clinton record on which Hillary is running is anything but stellar in global or even US security terms. What would become the hallmark political timidity of the Administration was first demonstrated after eighteen American troops were killed in Mogadishu in October 1993 in an ill-fated assault on a Somali warlord. Though that operation was entirely American-planned and led, the Clintons let stand (if not promoted) the isolationist falsehood that the tragedy was the fault of the United Nations, which also had a peacekeeping mission in Mogadishu.
and
The Clintonian record on Osama bin Laden, Afghanistan and the defense of the United States itself is both bleak and tragic in the light of what happened after the Clintons had gone from the White House. The trial of Ramzi Yousef, implicated in the first attack on the World Trade Center in 1993, had revealed an Al Qaeda blueprint for strikes against high-value American targets, but the Administration did not act expeditiously to shore up policies and tools at home for dealing with this possibility--or inevitability.

Instead, the Clinton Administration focused on Khartoum, where bin Laden had established a base. He was ultimately chased out of Sudan under US pressure, only to find a welcome haven in battered, bankrupt Afghanistan, first under the mujahedeen and then the Taliban. One useless US missile attack on an Al Qaeda camp there in 1998 after the bombings of two American embassies in Africa failed to do him any harm. (The United States also hit a pharmaceutical factory in Khartoum, possibly the wrong target, in an effort to destroy what was believed to be a chemical weapons facility.)

and to conclude
Administratively, the Clintons (we are now asked to assume that it was both of them) signed off on a reform that took away the independence of the Arms Control and Disarmament Agency, merging it, as well as the United States Information Agency, into the State Department. Arms control lost an important voice in policymaking. Crucial information services took a hit worldwide, and the United States could not have abandoned an effective public relations tool at a worse time.

In diplomacy, even a veneer of decency and statesmanship can matter. Neither Richard Holbrooke, the author of Dayton, who lost no opportunity to refer to the UN as "deeply flawed" nor Secretary of State Warren Christopher, who disposed of Boutros Boutros-Ghali in the most high-handed and thoughtless manner, can lay claim to glory as statesmen. Albright, responding to critics at the UN, reminded everyone that we are the "indispensable nation," so get over it.

Could there be a subliminal message now in talking tough to foreigners? Is Barack Obama somehow one of them? Patriotic lapel pins are in and substantive discussions about America and the world are not.


I wish more would have been spent on exploring the possibilities of continuities (or at least Bush foreign policy as a logical consequence/progression) of the Clinton years, but perhaps that can be found elsewhere.

Saturday, April 26, 2008

Open Source Virtualization in Ubuntu Hardy (First Impressions)




So Open Source Virtualization in Ubuntu hasn't been a smooth ride. The linux-virtual and linux-xen kernels panic my T-61 due to what appear to be SATA and USB issues, respectively, but KVM seems to be working a little better (you need to apt virt-manager, kvm, libvirt-bin, and probably a few others) and is actually surprisingly snappy.

Virtual Manager is now included and works reasonably well (if run as root, there are some permission issues) to provide a VMWare-console-like experience. I was able to boot (from the .iso) a Debian Etch install but I aborted due to hda (DSC Timeouts) but Hardy Server worked amazingly well:

root@ubuntu:~# uname -a
Linux ubuntu 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
root@ubuntu:~# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 2
model name : QEMU Virtual CPU version 0.9.1
stepping : 3
cpu MHz : 1994.872
cache size : 2048 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 2
wp : yes
flags : fpu de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 up pni
bogomips : 4007.02
clflush size : 64

Networking "just worked", a pleasant surprise thinking about what a pain it used to be back in the day with User Mode Linux. You'll also note that you connect into the console via VNC, which was nice.

Update
So Hardy seems to be the anomaly. OpenBSD 4.2 failed to install, Ubuntu 7.10 failed to boot the CD. Also Virtual Manager frequently wouldn't start up or shut down VMs.

So all in all a pretty dismal picture.

Thursday, April 24, 2008

Stumped Nails It

In Hillary Clinton, GOP Heroine, Andres Martinez nails it:

Clinton is a capable woman who'd make a credible presidential candidate in her own right. But she is not here in her own right. She is cashing in on her husband's brand. She didn't become a senator just because she is hard-working and smart and talented. She also became a senator (in an adopted home state, no less) because she was the president's wife -- and not just the president's wife but the president's aggrieved wife, able to draw on a reservoir of good will and sympathy. How her ascent advances the meritocratic cause of women is beyond me.

We all know this, and yet the Clintons ask us to deny it. They also ask that we accept the notion that a term and a third in the U.S. Senate is plenty of experience, while two-thirds of a term is woefully lacking. There have been plenty of other conceits we have been asked to accept along the way, including that one about how you could innocently "remember" coming under sniper fire when you never had.

This was Hillary Clinton's nomination to lose. And if she had won it as expected, none of this would be worth revisiting -- the voters would have spoken, and the nomination would be rightfully hers. But she failed to win it. Obama won't win either, at least not on the basis of pledged delegates, but he is ahead both in the delegate and popular count, and has wildly surpassed expectations.

A Worthy Replacement for My 12" Powerbook G4?



The HP2133 looks amazing. Probably no coincidence that it looks like my old PowerBook. About one more year on AppleCare left on it.

Wednesday, April 23, 2008

My New Minimalist Retro Desktop




So despite my glowing reports about Hardy it hasn't been all wine and roses. I finally filed a really annoying bug which was causing the keyboard to go wacky in X, so that I couldn't enter any control characters. That is the bad news. Really annoying. At first I thought it was just some weird control character shit within gnome-terminal that was screwing up remote minicom sessions (IOS wasn't too happy either) but no it was the whole shebang.

But in the good news, having HAD IT with Openbox (it too was not happy under Hardy, and WTF can't I disable window contents when moving them!) I've fallen in love with fluxbox and (as you can see) it plays nice with panel apps like nm-applet, pidgin, and amarok. And good old gkrellm does a really nice job on Thinkpad hardware stats.

And oh yeah, gRun is so much faster than using blasted GNOME/KDE menus.

Believe me.

So who needs OSX?

(Well actually I still haven't had much luck with dual headed displays, so maybe I still do)

Cisco Convergence Award: Garretcom



Similar to the Daily Dish Awards this probably gets the Cisco Convergence Award - which means everything is better over Ethernet/TCP/IP!

Way to go GarretCom!


Establishing common ground between physical and cyber security strategies

As industrial networking evolves and processes change at a rapid pace, the need for cost-effective security is at an all time high. Today, a dependable industrial network operation is not just nice-to-have, but a must, as is the need to understand the interrelated structure between physical and cyber security.

IP technology offers many benefits including network flexibility, increased productivity and cost-savings. Moreover, bandwidth in Ethernet-based protocols is rapidly increasing, enabling fiber and copper media to transmit more data.

Tune into this Control Engineering editorial Podcast and listen to success stories from combining physical security and IP functionality, including cyber security, on existing IP-based systems.

* Combining fire, security, and access control into a standard IP-system to increase security and simplify management by bringing the control in-house.
* Having access logs, intrusion detection and fire alarm reporting to one control station.
* Using hardened Ethernet switches and PoE (Power over Ethernet) to make it possible to deploy IP-based security devices reliably and cost-effectively throughout a hostile and/or widely distributed industrial environment.

Tuesday, April 22, 2008

95%



Although I started a blog on how my wife is like Tom Hayden's wife (yes, that Tom Hayden), the exit polls were more interesting.

VMWare Server on Ubuntu Hardy

This is all you need, but the libgcc was what tripped me up:

# unzip VMware-server-linux-client-1.0.5-80187.zip
# tar xzf VMware-server-console-1.0.5-80187.tar.gz -C /tmp
# cd /tmp/vmware-server-console-distrib
# sudo ./vmware-install.pl
# sudo cp /lib/libgcc_s.so.1 /usr/lib/vmware-server-console/lib/libgcc_s.so.1/

Monday, April 21, 2008

I've been hacked by PBS Kids!

So this is a pretty good example of why you need to tune your Snort signatures. These are what have fired from the Debian signatures. Pretty lame, huh?

As my 4-year old would say (DUH!)

From "Call is out to bring security testing into the QA process":

Testing the security of software applications should be part of the process of developing the software, not an afterthought. But one security analyst says that’s easier said than done.

Danny Allan, an IBM security researcher, made the case for advancing security research for software applications at the Software Test & Performance Conference April 16.

Allan argued, citing Gartner research, that while 75% of IT attacks are targeted at applications, 90% of IT security spending goes to securing the network, not the applications.

Oh and you can get rid of all those pesky firewalls, too.

Sunday, April 20, 2008

OpenBSD Finally Gets WPA/WPA2

This could be good news for all those fools^H^H^H^Hfolks that try to run *BSD on their desktop/laptops (although I'm sure someone will prove me wrong, cause I didn't take the time to man those devices)
Damien Bergamini (damien@) just committed WPA-support (wikipedia) for OpenBSD. In the commit message, Damien states that "bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4), rum(4), upgt(4), and zyd(4) should work." And, Damien says "support for more chipsets should arrive soon."
To me this is of more significance for folks that build wireless routers than anything else.

But what do I know/care. Although truth be told I wouldn't mind running PF as my home firewall if the USB EVDO card would work.

Another Small Cheap Linux Laptop (like the Eee PC) Except This is Completely Resistant to Worms and Viruses



Ran across the InkMedia on LinuxDevices that is in the same class as the Eee PC with the following specs:


VIA C7-M ULV Processor
Internal 8.6" Diagonal SVGA (800x600) LCD panel
Supporting 1024 X 768 True Color Video Output on external monitor
Supports MPEG2 and MPEG4 decode acceleration in hardware.
4 USB 2.0 ports, 1 USB 1.1 port (for keyboard)
2 SD slots
512 MB Ram
2 GB NAND Flash, containing read only file system (compressed)
User file storage on SD card
1 Stereo minipin audio out, stereo minipin mic in
1 RGB out for VGA monitor
10/100 Ethernet jack
802.11 a/b/g WiFi
100-250V 50/60Hz universal power supply
5-8 Hours of battery life


The most impressive thing is it is completely secure:
After many years of working with School Net India, Gerry Morgan, the founder and designer behind InkMedia, became frustrated with the huge number of computers that were ruined because of virus infections. As a result, he set out to create a computer with a flash-based operating system that comes with software imbedded into its core. It has everything that a typical student, family or small business would need.
It figures the Canadians would come up with a completely secure device first. Damn them. One step behind. And their restrooms are cleaner, too (at least the ones I remember on Vancouver Island)

Saturday, April 19, 2008

Obama Rally in Philly Last Night



Not a small crowd. Not a bad speech. Do I believe every line? No. Can the tide of Globalism be stopped? No. Are those rustbelt jobs coming back? No. Do I really think McCain is a Bush third term? No.

If elected, how much could Obama really accomplish? Could he break gridlock and change "the game?" Who knows?

That is not the point. We don't know those answers, but we do know that things need to be shaken, not stirred and the chances of that occurring with Clinton (or McCain) are slim to none. Then of course there is the painful prospect of listening to a Clinton (with her disgusting Chicago accent and patronizing Gore/Kerry-like tone) inaugural address or State of the Union or even press conference, which is too unbearable to contemplate.

Tuesday, April 15, 2008

It wasn't my fault, Dad!



It was that computer you were on!

Blame it on Jing!




Well I did a little bit worse than last year on getting the old taxes in (hour and a half to spare), but hey a lot going on (like selling my house!) but the real culprit was Jing. Or the fact that the addition of Sam has cleaned one too many brain cells causing me to forget my Intuit password like every hour.

Another I-35 Security Startup


Following my LinkedIn updates led me to CoreTrace and this great picture.

I don't want this guy anywhere near my endpoint. Wonder how long he'll be the mascot? He looks like he could get a bit bitter and cling to guns (but probably not religion!) if his VC money dries up and he had to go work on 6th Street.

Then he could do shots with Hillary and drive over to College Station and go shooting near the Brazos River like I used to do back in the day. Meaning the shooting part. Nothing like a nice stream bank to unload a few clips.

But application whitelisting? And from the usual suspects (if you were anywhere close to the Austin/San Antonio scene in the last decade) but speaking of Austin startups that green appliance sure looks nifty. And based on the screencast, looks a hell of a lot easier than SmartBits/WebAvalanche. What a pain!

Sunday, April 13, 2008

As Clean As It Gets



House goes on the market soon. Third house we've had to make ready in four years. No more moves after this one.

But this is the hole where I'll be working until June or when the house sells, whichever comes first.

And for those of y'all in more temperate climates, it is still cold enough to wear a stocking cap, especially in my basement office.

I don't give a shit, I'm a researcher (and the E-Word in SCADA)

I wasn't at RSA but based on this An Open Letter to Joanna Rutkowska this session would have been either really cool (or really frustrating to see)

I think it's only fair to point out that given your performance, you're not only an "independent researcher" but more so an "independent contractor." Using the "I'm a researcher" excuse doesn't cut it.

I know it's subtle and lots of folks are funded by third parties, but they also do a much better job of drawing the line than you do.

Despite your position on the matter and unlike you, I do give a shit, Joanna. I care very much that your research as presented to the press and at conferences like RSA isn't only built to be understood by highly skilled technicians or researchers because the continued thrashing that they generate without recourse is doing more harm than good, quite frankly.

Now, I know you can't control the press or what they print, but you certainly don't seem to invest much in terms of ensuring accuracy or clarifying the corner cases you're talking about. Here's an example from a Forbes article based upon your RSA presentation:


This is actually not entirely irrelevant to another classic discussion on Ethics on the SCADA mailing list but I have to get back to getting my house ready for the photo shoot tomorrow!

For some reason this comment reminds me of a line from the Hunt for Red October, when a much thinner Alec Baldwin says at a critical moment in the movie, "I'm just an analyst." And the San Angelo movie theatre (full of 98C's and 98G's from Goodfellow AFB) breaks out laughing. Much simpler times.

Ah to be 19 again. Just kidding!

Saturday, April 12, 2008

What the hell are Midwestern Values?



I was born in Kansas (but never lived there much) but I'm at a loss for these "Midwestern Values" Hillary refers to in her attacks on Obama. Of course this implies that Obama does not have them.

So here are some ideas my wife and I came up with

* Insanely clean floors (or perfectly rounded shrubs)
* Taking your Christmas lights down within two weeks (or not leaving your Christmas tree in the back yard until the first day of Spring, like someone I know)
* At least 6 months of Cheerios in your pantry (or "storm cellar")
* Informing on your neighbors? (or at least calling the village when your dog barks too much)
* Fascist snow day regulations (you know, the even/odd thing that cost me hundreds of dollars since I moved to Skokie)

Then of course it gets interesting if you replace Midwest with Mideast, West Coast, Southern, African, Indonesian, Hawaiian, Asian, etc.

But the good news, after Hillary's response to Bitter-gate, my wife finally thinks Hillary is evil!

Yes, I have won!

NOTE: If you are wondering about the image, that (and all sorts of other freakish things) came up when I did a google image search for "midwestern values". If female robots are the embodiment of "midwestern values" you can count me out.

CNN Gets it Right on the Bitterness (or Blue Collar Park Ridge?)

Hardy Heron Beta and T-61: Pretty Much the Perfect Laptop



With all my whiny blogs lately I figured I'd do something positive for a change. A few weeks ago I took the plunge with the Hardy Heron (the next LTS) release and it definitely had a few rough spots, but at least on my T-61 it is definitely the best distro I've tried so far and things have been pretty stable, especially given the hundreds of package updates to core components since then. Performance is improved. Suspend and hibernate work perfectly now without any special hacking. This was not the case with Gutsy. Wireless/Network Manager seems much more reliable. And then there are a few security features. Ubuntu finally has a firewall (/etc/init.d/ufw) which isn't enabled yet in my build. GPG is integrated into the desktop. You can right-click to encrypt/sign files. Java installed perfectly when I went to Hushmail. Flash did, too. And the fonts, there seems to be big improvements there as well.

See the wiki page for the complete list of stuff and keep the Ubuntu spirit alive!

But what's up with "wintry mix" of rain and snow around tax time?!?

Friday, April 11, 2008

The Angry Bitter Rustbelt

So even Andrew Sullivan (about as big an Obama fanboy as you can find) is somewhat critical of the Obama remarks about the "bitterness" of working class whites. But I don't find much to disagree with in the spirit or the words themselves.

Three weeks ago we drove from Chicago to Frederick, Maryland and back. On the way East we took the Southern route down through Indianapolis (the Northern suburbs, where we stopped for dinner, seems surprisingly nicer, nicer than the Indianapolis I remember from 1980) and spent the night in Columbus, which wasn't too bad either. We drove through the old factory towns of Eastern Ohio. Down into Maryland through Cumberland, Hagerstown, then Frederick.

On the way back I accidentally took the PA Turnpike (and was pleased to see my iPass worked) and it had a much different feel. Particularly around Pittsburgh, then heading North through Youngstown, then Akron, before spending the night in Cleveland. The decay was visceral. The rot. The feeling of places that have been but that no longer are. (I wish I could find a comparison between Texas and Ohio that I found somewhere, that came out during the primaries that illustrated the opposite path these two states were on, on a number of levels.)

A couple of years ago when we decided to move from Austin, we briefly considered Pittsburgh (I was entertaining the idea of trying to get a job at CERT) but from all the research my wife did, it seemed to be one of the most racist intolerant places in the country driven by pent up anger and bitterness (damn foreigners taking our American jobs away, since all the best jobs belong to Americans you know! We deserve factory jobs where folks make as much as MCSE's) Sure there was a haven around Universities and you could get some cool houses for relatively cheap in Squirrel Hill, but who would want to live there? Especially with an adopted Chinese daughter? Even the Episcopal Church is stuck in a time warp there.

Call me an elitist (or just nostalgic about the Great State of Texas) but these "blue collar" parts of Ohio or Pennsylvania seem scary in ways that parts of East Texas (or West Texas) are certainly not. Yes there is Jasper, but there is something different about the racism in a place that actually has minorities than one that doesn't. There is something different about states that are on a downward trajectory and those that have some life in them (the Sunbelt) with people on the move, with a horizon in front of them, people moving in, moving out, people that are not stuck between hills, along the rivers, in dying little towns with smokestacks.

I even think Illinois and the well-off North side of Chicagoland have a bit of that feel of death and rot that is hard to put a finger on unless you've lived somewhere else.

Thursday, April 10, 2008

Layer 8 Stealth Firewall Switches




So here's a rule of thumb, if your knowledge of networking is based on what you can pick up at Buy Buy on that first trial credit card they give you in college, you probably shouldn't be shooting your mouth off.

Read this fw-wiz thread to see what I'm talking about.

Friday, April 04, 2008

Happy Birthday Nessus!

Renaud has a nice Birthday writeup on Nessus over on the Tenable Blog.

I first used Nessus (and Ethereal, back when both were far less stable than they are now!) in the Summer/Fall of 1998 when I included it in "Network Attack & Defend," a five-day hands-on TCP/IP Security class I developed/taught down in San Antonio for Trident Data Systems. Lot of frequent flyer miles later, brain cells lost, grey hairs, since then....

(CAVEAT: I work for Tenable now)

Thursday, April 03, 2008

Not Alerting on Scheduled Nessus Scans with Snort (Debian-style)

So my (Debian based) firewall routes traffic for the three subnets I have behind it, each of which is front-ended by either a Cisco 851 or a Linksys AP. On one of the subnets I have a VM running Tenable Security Center which runs daily Nessus scans from two Nessus scanners.

The first scanner (on my Son's Ubuntu 7.10 Optiplex) scans the non-Linksys devices connected to the AP, both wired and wireless. (I exclude the traffic because even traffic through the APs hangs the WRT54G and sometimes the WET54G (bridge).) The second scans its local subnet and the other Cisco-protected subnet. I will add a third Nessus scanner behind this subnet that scans back so that on the non-Linksys segments I have a perspective of scans both inside and outside the Firewall (meaning router ACLs).

But this obviously causes even the default Debian Snort ruleset to alert. So tweaking this knowledge base entry to the peculiarities of a Debian (4.0) Snort install, I did the following:

1) Create an /etc/snort/excludes.conf containing a BPF filter (not host scanner-ip) so that Snort ignores scans to/from that host

2) Modify the PARAMS variable in /etc/default/snort


# Parameters for the daemon
# Add any additional parameteres here.
PARAMS="-F /etc/snort/excludes.conf -m 027 -D -d "


3) Restart snort as usual
Simple, almost too simple to even blog about...
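
A tighter variant of step 1, as an added example that is not part of the original post: a plain "not host scanner-ip" filter hides everything the scanner host sends or receives from Snort, so this script instead builds a filter that only excludes traffic between each scanner and the networks it is scheduled to scan. The function names and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate the BPF filter for /etc/snort/excludes.conf.
# Scanner IPs and target networks below are constructed, not from the post.

# Succeeds if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeeds if $1 looks like a.b.c.d/len with len in 0-32.
# Host bits are not checked here; libpcap rejects networks with host bits set.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    valid_ipv4 "${1%/*}"
}

# scan_clause SCANNER NET [NET...]
# Prints "(host SCANNER and (net N1 or net N2))": traffic in either
# direction between one scanner and the networks it scans.
scan_clause() {
    scanner=$1; shift
    valid_ipv4 "$scanner" || { echo "bad scanner IP: $scanner" >&2; return 1; }
    [ "$#" -ge 1 ] || { echo "no networks for $scanner" >&2; return 1; }
    nets=
    for n in "$@"; do
        valid_cidr "$n" || { echo "bad network: $n" >&2; return 1; }
        nets="${nets:+$nets or }net $n"
    done
    printf '(host %s and (%s))' "$scanner" "$nets"
}

# exclusion_filter CLAUSE [CLAUSE...]
# Prints the single-line filter Snort reads via -F: "not (C1 or C2)".
exclusion_filter() {
    joined=
    for c in "$@"; do joined="${joined:+$joined or }$c"; done
    printf 'not (%s)\n' "$joined"
}

# Two scanners as in the setup described above (addresses constructed).
c1=$(scan_clause 192.168.10.20 192.168.10.0/24)
c2=$(scan_clause 192.168.20.5 192.168.20.0/24 192.168.30.0/24)

# Print the filter; as root, redirect it to /etc/snort/excludes.conf.
# "tcpdump -d -F /etc/snort/excludes.conf" compiles it without capturing.
exclusion_filter "$c1" "$c2"
```

With this filter, anything the scanner hosts send to networks outside their scan scope still reaches the Snort rules.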