Saturday, May 31, 2008

Stunned Ickes?

So getting the kids back into a routine after a trip is always a challenge, but it was complicated by the DNC meeting. Just too hard not to watch. Even for my 9 year old. He was transfixed, although he obviously didn't get it all. We started watching at the "15" vote and chants of "Denver, Denver, Denver" and I wasn't really sure who won until it became obvious.

And Ickes was quite a treat. How many times did he say "ass?" He did say that, right? And who did he say became more eloquent the more he drank?

Classy, if a bit bitter. But didn't really represent himself (or Clinton) all that well, but I guess we should have expected that. "Hijacked!?"

These Democrats. First Florida in 2000 and now this circus.

(LULAC, hehe, I remember them from Texas)

Pretty rich. The real question is: is all this an act to fire up the Hillary supporters and torpedo Obama, or do they really believe what they are saying?

(You know, the whole are-you-a-liar-if-you-know-you-are-a-liar question. And is lying to yourself really lying?)

So the new count is Obama: 2,052, and Clinton: 1,877.5 with 2118 necessary to win?

But maybe the fun is really over and I can go back to blogging mostly on Linux again.

This Hillary Supporter is an "American" who will vote for McCain

It would be pretty fun to be in DC right now to see stuff like this

Thursday, May 29, 2008


From China’s Cyber-Militia: Chinese hackers pose a clear and present danger to U.S. government and private-sector computer networks and may be responsible for two major U.S. power blackouts.

One prominent expert told National Journal he believes that China’s People’s Liberation Army played a role in the power outages. Tim Bennett, the former president of the Cyber Security Industry Alliance, a leading trade group, said that U.S. intelligence officials have told him that the PLA in 2003 gained access to a network that controlled electric power systems serving the northeastern United States. The intelligence officials said that forensic analysis had confirmed the source, Bennett said. “They said that, with confidence, it had been traced back to the PLA.” These officials believe that the intrusion may have precipitated the largest blackout in North American history, which occurred in August of that year. A 9,300-square-mile area, touching Michigan, Ohio, New York, and parts of Canada, lost power; an estimated 50 million people were affected.

And Nmap caused the Florida blackout?

A second information-security expert independently corroborated Bennett’s account of the Florida blackout. According to this individual, who cited sources with direct knowledge of the investigation, a Chinese PLA hacker attempting to map Florida Power & Light’s computer infrastructure apparently made a mistake. “The hacker was probably supposed to be mapping the system for his bosses and just got carried away and had a ‘what happens if I pull on this’ moment.” The hacker triggered a cascade effect, shutting down large portions of the Florida power grid, the security expert said. “I suspect, as the system went down, the PLA hacker said something like, ‘Oops, my bad,’ in Chinese.”

And who has heard of Cybrinth or Stephen Spoonamore?

Stephen Spoonamore, CEO of Cybrinth, a cyber-security firm that works for government and corporate clients, said that Chinese hackers attempt to map the IT networks of his clients on a daily basis. He said that executives from three Fortune 500 companies, all clients, had document-stealing code planted in their computers while traveling in China, the same fate that befell Gutierrez.

I say prove it. Show me the logs of an informed attacker demonstrating knowledge of their target device, protocol, or application. Not random script-kiddie crap from Chinese universities. Been there, seen that -- as has anyone that has set up a honeynet.

Show me a journalist that has a clue on this topic.

Hat Tip: Marc Ambinder.

Tuesday, May 27, 2008

Air America: MIA in the Rustbelt

So I'm smack dab in the middle of a rustbelt rest area (my daughter is struggling with her PBJ bagel from Einsteins, yeah, nicer than the ones in Indiana) and scanning the dial there must have been a half-dozen different AM stations playing Limbaugh, and no Air America. No wonder this neck of the woods went to Hillary.

So I was forced to listen to RUSH and it was quite amusing (before I became too disgusted). This half-wit woman calling in asking for advice from Rush on how to "sell McCain" to her liberal California friends. And I swear there were 30 seconds and lots of groans before Rush could come up with an answer. "He loves his country. He is for the war," was about the best he could come up with. Wasn't sure if he supported the Bush tax cuts or not. Back on the road.

Saturday, May 24, 2008

My VPS (yearly) cost 2.85 Tanks of Gas

So I've been running a VPS box over on RimuHosting for a couple of years now and have been really happy, but I'm trying to "get lean with my IT" just like at my last employer. Plus my wiki has been down since the MoinMoin vulns, and I really haven't missed it, so I figure I'll pull the plug and create a wiki over on as well as use their SVN repo for config files and code snippets I want to remember. (For example I just committed my fluxbox keys and startup scripts.)

Why the hell not? Google already owns the keys to the kingdom, might as well give them everything else, so some dangerous Web 2.0 hacker can compromise my whole virtual presence. What can you do!

Olbermann: Unforgiveable

OpenSolaris 2008.5 Isn't So Bad

OpenSolaris has come a long way from that nasty red and blue console based installer I remember using back in the 90s. A nice GNOME based LiveCD. 32/64 bit. GRUB & GNOME. Tolerable package management, although there must be some other repos somewhere. Imagine having to build pcap and tcpdump from scratch in 2008, the horror. But it worked!

What didn't work (on my T-61):
  • Xen Dom0 (this is a known issue)
  • Sound
  • Intel 4965 has been sporadic
  • Novatel 727 EVDO card (probably just haven't figure it out yet)
  • VirtualBox/xVM (problems with kernel modules. probably fixable)
  • Compiz (totally hangs the box)
Sort of weird that the JDK isn't installed. But overall they did a nice job with the GNOME theme. Fonts look better than most Linux distributions and it seems quite snappy. And of all things nmap (4.20) and NmapFE are in the default install. Funny.

Friday, May 23, 2008

Is there a distro that supports dom0 out of the box (on my T-61)?

Not Hardy, Not Edgy, Not FC 8 or 9, Not OpenSolaris 2008.5, Not OpenSUSE 10.3/11. Not CentOS 5.1.

I give up.

Thursday, May 22, 2008

Anatomy of An SSH Brute Force Attempt (In Pictures)

Just for fun I decided to turn on SSH on the dirty interface on my highly secure Debian firewall to see what shows up in LCE.

First I filter on all TCP/22 activity

I'm actually most concerned with the valid logins first so I check them

Whew. Only 2 logins, those are probably OK. I could check and see who they are but I'm too lazy and I'm anxious to get to the invalid logins:

But I want to get a better sense of time. Big spike right as I was recovering from getting the kids ready for school.

I back up to look at the two types of events I'm seeing during this period of attack: failed passwords and invalid users. I actually discovered the other day that there is an SSH error message for failed login attempts where the username is valid but doesn't match the address in the AllowUsers option of sshd_config. I thought that was cool. Not sure why I'm not seeing these here.
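As an added example (not from the post), here is a small Python classifier for the event types discussed above, run over constructed sshd syslog lines; it separates valid logins, invalid users, failed passwords and the AllowUsers rejection the post mentions, and ranks sources by failure count. The message texts follow OpenSSH's own log format and the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd syslog lines (not from the post). Source addresses are
# RFC 5737 documentation ranges; the message texts follow OpenSSH's format.
SAMPLE_LOG = """\
May 22 07:41:12 fw sshd[1201]: Accepted publickey for mfranz from 192.0.2.10 port 50122 ssh2
May 22 07:42:01 fw sshd[1210]: Invalid user oracle from 198.51.100.7
May 22 07:42:03 fw sshd[1212]: Failed password for invalid user oracle from 198.51.100.7 port 40101 ssh2
May 22 07:42:05 fw sshd[1214]: Failed password for root from 198.51.100.7 port 40103 ssh2
May 22 07:42:06 fw sshd[1216]: Invalid user test from 198.51.100.7
May 22 07:42:07 fw sshd[1218]: Failed password for invalid user test from 198.51.100.7 port 40105 ssh2
May 22 07:43:10 fw sshd[1220]: User mfranz from 203.0.113.5 not allowed because not listed in AllowUsers
May 22 07:43:11 fw sshd[1220]: Failed password for invalid user mfranz from 203.0.113.5 port 51000 ssh2
May 22 07:50:30 fw sshd[1300]: Accepted password for mfranz from 192.0.2.11 port 50200 ssh2
"""

# One pattern per event type: the ones the LCE view separates (accepted,
# invalid user, failed password) plus the AllowUsers rejection.
# Each captures (user, source address).
PATTERNS = {
    "accepted": re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+"),
    "invalid_user": re.compile(r"Invalid user (\S+) from (\S+)"),
    "failed_password": re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"),
    "not_allowed": re.compile(r"User (\S+) from (\S+) not allowed because not listed in AllowUsers"),
}


def classify(line):
    """Return (event_type, user, source) or None for lines we do not track."""
    for kind, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            return kind, m.group(1), m.group(2)
    return None


def summarize(log_text):
    """Count events per source address, broken down by event type."""
    per_source = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            kind, _user, src = hit
            per_source[src][kind] += 1
    return per_source


def _events_of(log_text, wanted):
    """(user, source) pairs for every line of one event type, in log order."""
    out = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit[0] == wanted:
            out.append((hit[1], hit[2]))
    return out


def accepted_logins(log_text):
    """The valid logins: the first thing worth checking, as in the post."""
    return _events_of(log_text, "accepted")


def allowusers_rejections(log_text):
    """A real username tried from an address AllowUsers does not permit.
    Unlike dictionary guesses these deserve a closer look."""
    return _events_of(log_text, "not_allowed")


def brute_force_sources(per_source, threshold=3):
    """Sources whose failed passwords plus invalid users reach the threshold."""
    return sorted(src for src, c in per_source.items()
                  if c["failed_password"] + c["invalid_user"] >= threshold)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src in brute_force_sources(stats):
        print(src, dict(stats[src]))
    print("valid logins:", accepted_logins(SAMPLE_LOG))
    print("AllowUsers rejections:", allowusers_rejections(SAMPLE_LOG))
```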


Yep, Italy again

inetnum: -
netname: UNIPG-NET
descr: Universita' degli Studi di Perugia
descr: Centro Ateneo Servizi Informatici, CASI
country: IT
admin-c: OG6-RIPE
tech-c: FG757-RIPE
remarks: Perugia Academic and Research Network
mnt-by: GARR-LIR
source: RIPE # Filtered

Tuesday, May 20, 2008

OpenSUSE 11 Beta 3 Impressions

My Thinkpad's drive started dying today, so after doing the long slow drive wipe to what was left, I tried the OpenSUSE 11 (64 Bit) Gnome LiveCD, and here are the first impressions:
  • Much prettier than Ubuntu, I like all the green (vs. the Ubuntu brown)
  • First Linux distro to get the resolution right through the GUI for a widescreen flat screen with my Thinkpad (before I only got display mirroring)
  • Wireless worked flawlessly
  • Compiz worked flawlessly and snappily (although sound died after it installed)
  • Gstreamer plugins (for Totem) worked if a bit clumsily and Flash plugin auto installation failed (in contrast to Gutsy and Hardy)
  • Seems snappier, not sure if that is the 64 bit kicking in (always been too conservative about that).
  • Repository auto updates have improved significantly since the last time I used SUSE much
No reason to try this on the server, but I may run this when my new drive shows up in the mail.

Sunday, May 18, 2008

Where did you obtain your academic qualifications to make these statements, Mr. Aitel?

Dave Aitel wrote a must read editorial over on SecurityFocus called Thinking Beyond the Ivory Towers

In the information-security industry, there are clear and vast gaps in the way academia interacts with professional researchers. While these gaps will be filled in due time, their existence means that security professionals outside the hallowed halls of colleges and universities need to be aware of the differences in how researchers and professionals think.

I saw this gap firsthand when my group at Cisco funded security research at some of the leading Computer Science (and even information security) programs (that should know better) in the nation. You'd be surprised how difficult it was to find 4-5 projects to fund a quarter.

Anecdotally, I saw an absolute lack of understanding by some doctoral students (and their well credentialed advisors) about which attacks (against protocols, for example, or even basic concepts like what sort of access to the network was needed) were practical or even how they would go about conducting them. No clue. And all the formal methods and literature review meant nothing.

And all I needed was my lame English & History degree from Texas A&M to see that -- well and some experience developing (or even just running) an attack tool or two. Even script-kiddie knowledge would suffice.

BTW, the title comes from a comment by Dr. Neal Krawetz, PhD.

UUID and Fstab and Reiserfs (or lack therof) in CentOS

About a month ago, I forgot to blog on the Ubuntu wiki page UsingUUID, which shows you how to get the UUID of a filesystem, which is now necessary for fstab (has been since at least Edgy).

In short, use the vol_id command:

root@gx620:~# vol_id /dev/sda2

And given all the Debian pain (yes, code and operational diversity is good--and not blindly following the results of automated tools!), I actually put CentOS 5 on my main server at home until I realized that reiserfs (which I've used for quite some time for some irrational reason) is only available with CentOS Plus. Screw that. Ubuntu 8.04 LTS it is.

Best Kids Video: Sabotage vs. Jozin z Bazin

Which is the least inappropriate for a 9 year old?

or (warning: very catchy and gets stuck in your head)

Friday, May 16, 2008

Forgot about Iran, Obliterate W VA (But Spare Jessco!)

This Huffington Post Article has some pretty scary stuff. My wife (who was raised in the Mississippi Delta) thinks this is WORSE than Mississippi.

Wednesday, May 14, 2008

Encrypting Firmware and Logic (who would have thought)

Haven't read any of my Control Engineering spam for ages but
Protect intellectual property: Encrypt firmware, control code
caught my eye tonight:

Opto 22 released the “Secure Strategy Distribution System, as part of PAC Project version 8.2, the company's flagship automation software suite that includes control programming, HMI development, OPC connectivity, and enterprise database integration components. The software gives OEMs and machine builders the ability to encrypt firmware and control programs so they can only be uploaded or downloaded to a controller via use of a secure encryption key," the company says.

Tuesday, May 13, 2008

AppleCare has been great, well, except...

So I finally wiped my 12" G4 last week and decided to finally get it looked at. Wednesday, less than a 5 minute wait with tech support, who spoke English (obviously one of those hard working white Americans) and didn't even seem like she was reading off a script. Friday, brought it into the Genius Bar. She (notice a pattern here, kind of like when mid year of my 2nd year of teaching, I realized the class that I had the best discussions with was 70% girls) ran some diagnostics, couldn't reproduce the problem, but shipped it out anyway and I got it back today by Fedex. They replaced the hard drive. Great! Should have done this a long time ago.

Except the awful grinding noise is back again (obviously a fan) and I've already started populating my PowerBook with apps.

Repeat the process or live with it?

Monday, May 12, 2008

Simon vs. Hoff: Who is Baiting? Who is Switching? And why does this smell like SCADA?

Mainly because I need to get a non-political blog in the top position again (because I'm certainly no expert on virtualization security, but I am a virtualization end user who wants to know!) but Simon Crosby's reaction to Hoff gives me a feeling of deja vu in terms of the bait-and-switch approach to vulns I've heard from some SCADA vendors (or control systems standards efforts) over the years.

Although slightly more sophisticated than spouting off how many bits of encryption a protocol uses, saying that a given protocol is not Internet-facing, or claiming that to fix an implementation flaw in a weak protocol you should upgrade to a protocol that uses SSL, some of the security cliches (or at worst, half truths) that undermine his credibility, and that even I can recognize, include:
  • Open source is more secure...
  • He mentions viruses and virus vendors in his first breath.
  • Equating security fixes with security/insecurity (and slamming VMWare!)
  • Bringing up EAL something or other
  • Mentioning TPM in any context
Knowing a thing or two about mania, I'm also curious about this sort of manic effort (apart from making it so small you can't even see it) to secure the hypervisor, and whether he is willing to admit that there are some classes of attacks against guests (or, obviously, against the hypervisor) that are unique (or perhaps only possible) in a virtualized environment and that they care about. Or will the AV vendors solve these, too?

Done. There's no more faux Hillary (or Hitler) on top. Can sleep now.

Thursday, May 08, 2008

Funniest YouTube in A While

Even better if you've seen Der Untergang but amazingly well done!

But obviously quite vulgar so don't watch if you are easily offended. (I warned you!)

Best Line: "The Voters have stolen my nomination"

Runner Up: "I'm so sick of drinking whisky with those pigs"

EVDO airframe drivers and Hardy

Turns out (big surprise!) I was full of it the other night for contemplating leaving Linux for OpenSolaris to get better USB throughput.

[ 63.558567] /build/buildd/linux-2.6.24/drivers/usb/serial/usb-serial.c: USB Serial support registered for airprime
[ 63.558587] airprime 2-1:1.0: airprime converter detected
[ 63.558675] usb 2-1: airprime converter now attached to ttyUSB0
[ 63.558719] usb 2-1: airprime converter now attached to ttyUSB1
[ 63.558761] usb 2-1: airprime converter now attached to ttyUSB2
[ 63.558768] airprime 2-1:1.1: airprime converter detected
[ 63.558812] usb 2-1: airprime converter now attached to ttyUSB3
[ 63.558854] usb 2-1: airprime converter now attached to ttyUSB4
[ 63.558897] usb 2-1: airprime converter now attached to ttyUSB5
[ 63.558903] airprime 2-1:1.2: airprime converter detected
[ 63.558946] usb 2-1: airprime converter now attached to ttyUSB6
[ 63.558995] usb 2-1: airprime converter now attached to ttyUSB7
[ 63.559037] usb 2-1: airprime converter now attached to ttyUSB8
[ 63.559043] airprime 2-1:1.3: airprime converter detected
[ 63.559088] usb 2-1: airprime converter now attached to ttyUSB9
[ 63.559129] usb 2-1: airprime converter now attached to ttyUSB10
[ 63.559171] usb 2-1: airprime converter now attached to ttyUSB11
[ 63.559180] usbcore: registered new interface driver airprime
[ 63.577915] /build/buildd/linux-2.6.24/drivers/usb/serial/usb-serial.c: USB Serial support registered for GSM modem (1-port)
[ 63.577937] usbcore: registered new interface driver option
[ 63.577939] /build/buildd/linux-2.6.24/drivers/usb/serial/option.c: USB Driver for GSM modems: v0.7.1


mfranz@ubuntu-t61:~$ lsmod | grep usb
usbserial 35688 5 option,airprime
usb_storage 73408 0
libusual 18980 1 usb_storage
scsi_mod 151180 6 usb_storage,sbp2,sr_mod,sg,sd_mod,libata
usbcore 146028 8 option,airprime,usbserial,usb_storage,libusual,ehci_hcd,uhci_hcd

Port Forwarding on Windows (Python to the rescue)

If there are Windows equivalents of redir I'm not aware of them, but the first proxy I tried on A list of open-source HTTP proxies written in python (a cool site I ran into several years ago) was TCPWatch and it worked great (at least on Python 2.5.1 under cygwin.)

(Truth be told, the first tool I ran across was pinhole in an ASPN recipe but it ran into some issues, possibly thread related)

Tuesday, May 06, 2008

He's closed it

Finishing up the dishes (2 and a half kids in bed) and listening to Obama's victory speech and it feels like a winner. The high road. Classy. Presidential. Finally an uplifting Tuesday.

"We will end it by telling the truth..."


A Quarter from Report to Disclosure: Respectable

From the CORE Advisory on Wonderware

WTF is Python?

* 2008-03-03: Core sends proof-of-concept code written in Python.
* 2008-03-05: Vendor asks for compiler tools required to use the PoC code.
* 2008-03-05: Core sends a link to where a Python interpreter can be downloaded.

of the advisory is re-scheduled to March 31st 2008. With regards to the questions and requests about the contents of the security advisory, Core indicates that Core's technical publications are aimed at providing legitimate security practitioners worldwide with the technical details necessary to understand the nature of the security issues reported; so they are able to devise, by their own judgment, the risk mitigation approach that fits them the best. For that purpose, Core believes that it is fundamental that they have precise and accurate technical details about security issues -- as Wonderware itself has demonstrated with the request for further technical details and proof-of-concept code -- and that the whole reporting and disclosure process is transparent for scrutiny of all interested parties.

And back at ya..

The vendor says that it is having trouble understanding what the value is in providing specific detail as to what technical issue is happening and asks for clarification to understand how this information would benefit organizations. The vendor acknowledges that the proof of concept code did help to replicate the issue and that without it, it would have needed more time to identify it from the report alone. The concern is that the details provided in the report may give a hacker a specific direction to look for the vulnerability. Finally, the vendor indicates that it will have a better estimation for the release date of a fix by Friday March 28th, 2008.

A level playing field?

Thus, Core believes that it is necessary not only to indicate the mere existence of the bug, but also to explain how to uniquely identify it in the vulnerable software (to avoid confusion with all other known bugs or to differentiate it from others that may be discovered in the future). It is also important to determine how the vulnerability could be used by potential attackers so that proper detection mechanisms can be built, for example firewall rules, or IDS and antivirus signatures. While Core recognizes that this may provide some additional data to would-be attackers, clearly it also provides preciously needed information to the defenders thus, leveling a field on which Core believes the attackers are initially at advantage.

And all for just a DOS?

Welcome to the party!

A Spade?

Interesting Nation article that unpacks this notion of "electability"

So, in the name of another personal quality--honesty--I'd like Hillary Clinton to make the following statement: "Though my opponent has run a terrific campaign, in primary after primary, I have proven that I am the more electable candidate. I am more electable because I am white. Barack Obama--Wow!--he's certainly inspired a lot of hope, but as voters in Indiana and North Carolina make up their minds, as the superdelegates make up their minds, they should remember that Barack Obama is black. They should also remember that a whole lot of white working-class Americans are racists. White racists are an important part of the Democratic Party, and time and time again, they've supported me because I am white. I am ready on day one to govern as your white American president."

Monday, May 05, 2008

Faster EVDO: Maybe A Reason to Try OpenSolaris?

So the Linux USB serial driver is capped at 500Kb and as I found tonight (piece of shit RCN is averaging about 50% uptime these days) it was pretty much impossible to watch 30 Rock (or any of the other streaming NBC shows) with my EVDO card plugged into my Linux router. (or now that I think of it, maybe this is a just QoS issue since I'm going from 100Mb to 500kb?) but of course when I plopped the card into XP got 1MB easy and we could watch all about the Teamster sandwiches with no problems.

But this OpenSolaris WWAN project looks promising.... Wonder if I can get my Novatel card working with Nexenta Core?

Or are there any of the EVDO routers (that take USB) that don't run Linux or have somehow managed to work around the 500Kb cap?

To answer my own question, it looks like the airprime drivers might actually do the trick.

Sunday, May 04, 2008

The Cheap Thrill of Using Enterprise Security Tools to Monitor Your Kid's Surfing Habits

One of the nice things about working for a security vendor is being able to run cool products on your home network (like when I brought a Cisco 7120 home!). And given the complexity of my home network (4-5 routing/forwarding devices, 2-3 switches, and 10-20 hosts up at any given time) it's not as much overkill as you might think.

The image below shows a 5-day view of my network events using LCE.

The 2nd row is the "firewall" category, which primarily consists of syslogs from my two Cisco 851's. The events drop off 2-3 days ago when I disabled the ACLs and forgot to turn them back on.


The last row is "web", where you'll see a spike during the last day.

What happened is I finally got squid up and running for my son so he could use the Linux box in his room. Yeah, normally a bad idea but probably not relevant if you have security tools that cost as much as a midsize car watching your network.

If I drill down on the "web" events I find that they are all from squid logs (access.log) which I'm monitoring with an LCE client.

Most of the denies were to so I went into the whitelist and added that so that should flatten that plot.

Drilling down on the cache hits, I can see many of the thumbnails for one of the game sites I let him go to are being cached:

1209917543.808 7 TCP_HIT/200 19581 GET - NONE/- image/jpeg
1209917543.870 52 TCP_HIT/200 12089 GET - NONE/- image/jpeg
1209917543.871 4 TCP_HIT/200 15471 GET - NONE/- image/jpeg

And one of the misses shows the sort of games my 9-year old likes to play.

1209906995.596 154086 TCP_MISS/503 1420 GET - DIRECT/ text/html
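As an added example (not from the post), here is a small Python parser for squid's native access.log format, run over constructed lines like the ones above but with the client address and URL filled in (the post's copy had them stripped). It does the drill-down described above in code: per-result-code counts, the hosts behind the denies (what you look at before touching the whitelist), and the cache hit ratio. Host names use reserved .example/.test labels and the addresses are RFC 5737 documentation ranges.

```python
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed squid native access.log lines (not the post's). Field order is
# squid's default: time elapsed client code/status bytes method URL ident
# hierarchy/peer mime-type.
SAMPLE_LOG = """\
1209917543.808      7 10.0.0.42 TCP_HIT/200 19581 GET http://thumbs.games.example/1.jpg - NONE/- image/jpeg
1209917543.870     52 10.0.0.42 TCP_HIT/200 12089 GET http://thumbs.games.example/2.jpg - NONE/- image/jpeg
1209906995.596 154086 10.0.0.42 TCP_MISS/503 1420 GET http://play.games.example/start.swf - DIRECT/192.0.2.20 text/html
1209918001.100      1 10.0.0.42 TCP_DENIED/403 1700 GET http://ads.tracker.test/pixel.gif - NONE/- text/html
1209918002.200      1 10.0.0.42 TCP_DENIED/403 1700 GET http://ads.tracker.test/banner.js - NONE/- text/html
1209918003.300      1 10.0.0.42 TCP_DENIED/403 1700 CONNECT video.example.test:443 - NONE/- -
"""

FIELDS = ("time", "elapsed_ms", "client", "result", "bytes", "method",
          "url", "ident", "hierarchy", "mime")


def host_of(url):
    """Hostname of a proxied URL, or the host part of a CONNECT host:port target."""
    if "://" in url:
        return urlsplit(url).hostname
    return url.rsplit(":", 1)[0]


def parse_line(line):
    """Split one native-format line into a dict. The code/status field is
    broken out into `code` (TCP_HIT, TCP_DENIED, ...) and an integer `status`;
    the epoch timestamp becomes an aware UTC datetime."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    rec = dict(zip(FIELDS, parts))
    rec["time"] = datetime.fromtimestamp(float(rec["time"]), tz=timezone.utc)
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["bytes"] = int(rec["bytes"])
    rec["code"], status = rec.pop("result").split("/")
    rec["status"] = int(status)
    rec["host"] = host_of(rec["url"])
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def code_counts(records):
    """Hits, misses and denies: the per-category counts behind the LCE plot."""
    return Counter(r["code"] for r in records)


def denied_hosts(records):
    """Destinations behind TCP_DENIED events, most frequent first. Look here
    before deciding whether a host belongs on the whitelist."""
    return Counter(r["host"] for r in records if r["code"] == "TCP_DENIED").most_common()


def cache_hit_ratio(records):
    """Share of served (non-denied) requests answered from the cache."""
    served = [r for r in records if r["code"] != "TCP_DENIED"]
    if not served:
        return 0.0
    return sum(r["code"] == "TCP_HIT" for r in served) / len(served)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(dict(code_counts(recs)))
    print("denied hosts:", denied_hosts(recs))
    print("cache hit ratio: %.2f" % cache_hit_ratio(recs))
```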

No More Suit/Tie in Indiana

A while back, my wife and I were talking about what it is that sounds fundamentally different about the way Obama, Bill Clinton (and Reagan, for that matter) speak and the last few Democratic candidates such as Gore, Kerry, and Hillary.

Whether they actually are or not, the latter sound like they are talking down to you, like they are patronizing you, lecturing you. And when they try to talk "at your level" they sound inauthentic, scripted, stilted. I think this is one of the factors why Kerry (and Gore, if you believe he actually lost) were beaten by a W.

Hillary knows this and she wants to paint Obama like Dukakis and Kerry were painted. This is why Clinton (channeling Rove, attacking strengths not weaknesses) attacked Obama as an elitist. I don't know much about community organizing, but I know that most people who have had non-elite jobs, those who have not had the advantages on their side from day one -- I'm talking about public school teachers, the police, those serving in the military (even as officers), jobs that force you to be exposed to (and work alongside, even when in a position of authority) folks from all walks of life -- do not talk like this.

Then of course there is a regional/dialectal element as well. Gore is Southern, but the patrician, old money South. Kerry, Dukakis, and Hillary are "Yankees" (as my wife would say) and they can no more lose this from their identity than Stringer Bell or D'Angelo Barksdale could lose the street.

Saturday, May 03, 2008

Your Little Friend Alsamixer

So I totally managed to screw up my kernel modules (hint: trying to uninstall a running kernel package is never a good idea) so I ended up doing a new install of Hardy late last night. I only had the server image so I used that. But no sound? So I ended up following the quite excellent SoundTroubleshooting wiki page and ran across the alsamixer command. I may have used it before. Not sure, but it helped me track down that the speaker was on mute. I'm still running into some weird GNOME (or GDM) startup issues when using XFCE or standard GNOME bootup.

A Little Post-Ikea Saturday Humor

East-west trips from Skokie to Schaumburg can be brutal. And then there's three kids in the big yellow and blue (although we have discovered Smaland, thank God), but today wasn't too bad.

But watch this before they pull it down (or Youtube's CDN goes down). The last few weeks have been pretty depressing politics wise, but this is good fun.

Prez & Pedagogy on The Wire

I wouldn't know about policing or politics (although all the SIGINT doesn't seem too far-fetched) but in Season 4, much of the school story line is spot on. Or at least based on my 3 years teaching in a Middle School.

Of course I wasn't in a failing inner city Middle School like Mr. P (coincidentally, so many of my kid's teachers here on the Chicago North Shore have even more unpronounceable Polish names, but I digress...) but a lot of it still rings true.

After college (think Netscape IPO time), I taught 7th and 8th in a school that implemented many of Ted Sizer's ideas on school reform on the Northwest side of San Antonio, where kids lived in the same gated community as David Robinson and George Strait.

Although I had my share of "challenging" kids, I can't remember being told to Fuck Off like Mr. P, and the only blood I ever saw in the classroom was from bloody noses.

And although I left teaching (for tech) over ten years ago, so many of the scenes in the latest (meaning what we are watching now) season take me (and my wife, who was also a teacher) back to our frightening "first year" and give me a sick feeling in my stomach.

Stuff like getting your classroom ready. Never being prepared enough. That awful silence in the morning that will soon be broken when the door opens. The perceived weakness and lack of confidence that lets your classes get out of control (relatively speaking, of course). The older female teachers that get the respect you wish you could command -- and the fear, which you hope you never will. The making it up as you go along, figuring out a month in what you should have done the first day (like come up with a classroom management plan). And then there's the good stuff, too. Creating that fragile bond with your students. And the humor and the tragedy. We've just finished Disc 2 so it will be interesting to see where this ends up.