Sunday, August 31, 2008

Country First, Principles above Politics?

It's really sad. From Advisers Say Conservative Ire Pushed McCain Away From Picking Lieberman

For weeks, advisers close to the campaign said, Mr. McCain had wanted to name as his running mate his good friend Senator Joseph I. Lieberman of Connecticut, the Democrat turned independent. But by the end of last weekend, the outrage from Christian conservatives over the possibility that Mr. McCain would fill out the Republican ticket with Mr. Lieberman, a supporter of abortion rights, had become too intense to be ignored.

With time running out, and after a long meeting with his inner circle in Phoenix, Mr. McCain finally picked up the phone last Sunday and reached Ms. Palin at the Alaska State Fair. Although the campaign’s polling on Mr. McCain’s potential running mates was inconclusive on the selection of Ms. Palin — virtually no one had heard of her, a McCain adviser said — the governor, who opposes abortion, had glowing reviews from influential social conservatives.

This is the difference between McCain in 2000 and 2008. This is why folks that have never voted Democrat (like myself) will be doing so this year. Well, that and the small problem of the incompetent arrogance of Bush-Cheney.

Saturday, August 30, 2008

The Joke Continues

Creepy, downright creepy... And since when do Republican's have "PEACE" in their slogan. As Clay Davis would say, "that is some shameful shit!"

And I thought he was reading her speech

From the Jed Report (of course). When I watched their speeches the first time, their presence together was really awkward and bizarre.

This is only one day in, and I'm sure there will be a lot more of this. It would be funny if it weren't so frightening.

Best McCain/Palin Analysis So Far

And the best line from the politico article

Nor can McCain argue that he was looking for someone he could trust as a close adviser. Most people know the staff at the local Starbucks better than McCain knows Palin.

Friday, August 29, 2008

Not Only did she play the flute she has a PoliSci Minor from the Univ of Idaho

Yeah, sure both inexperienced and have no foreign policy experience. Yeah definitely, worse than Quayle.

They don't call him Isane John McCain for nothing.

AccordingWikipedia entry

Palin was born Sarah Louise Heath in Sandpoint, Idaho, the daughter of Sarah Heath (née Sheeran), a school secretary, and Charles R. Heath, a science teacher and track coach.[2][3] She has English, Irish, and German ancestry.[2] Her family moved to Alaska when she was an infant.[3] She and her father would sometimes wake at 3 a.m. to hunt moose before school, and the family regularly ran 5 km and 10 km races.[3]

Palin attended Wasilla High School in Wasilla, Alaska, where she was the head of the school Fellowship of Christian Athletes,[3] and the point guard and captain of the school's basketball team. She helped the team win the Alaska small-school basketball championship in 1982, hitting a critical free throw in the last seconds of the game, despite having an ankle stress fracture at the time.[3] She earned the nickname "Sarah Barracuda" because of her intense play,[3] and was the leader of team prayer before games.[3]

In 1984, Palin won the Miss Wasilla beauty contest, then finished second in the Miss Alaska pageant,[4] which won her a college scholarship.[3] In the Wasilla pageant, she played the flute and also won Miss Congeniality.[5][6]

Palin holds a bachelor's degree in journalism from the University of Idaho, where she also minored in political science.[7] She married Todd Palin, her boyfriend since high school, on August 29, 1988. She then briefly worked as a sports reporter for local Anchorage television stations while also working as a commercial fisherwoman with her husband.[3]

Now Obama

Barack Hussein Obama II[1] was born on August 4, 1961, in Honolulu, Hawaii, to Barack Obama, Sr., a Black Kenyan of Nyang’oma Kogelo, Siaya District, Kenya, and Ann Dunham, a White American from Wichita, Kansas. His parents met while attending the University of Hawaii at Manoa, where his father was a foreign student.[2] They separated when he was two years old and later divorced.[3] Obama's father returned to Kenya and saw him only once more before dying in an automobile accident in 1982.[4] After her divorce, Dunham married Lolo Soetoro, and the family moved to Soetoro's home country of Indonesia in 1967, where Obama attended local schools in Jakarta until he was ten years old. He then returned to Honolulu to live with his maternal grandparents while attending Punahou School from the fifth grade in 1971 until his graduation from high school in 1979.[5] Obama's mother returned to Hawaii in 1972 for several years and then back to Indonesia for her fieldwork. She died of ovarian cancer in 1995.[6] As an adult Obama admitted that during high school he used cocaine, marijuana, and alcohol, which he described at the Saddleback Church Civil Forum on the Presidency as his greatest moral failure.[7]

Following high school, Barack Obama moved to Los Angeles, where he studied at Occidental College for two years.[8] He then transferred to Columbia University in New York City, where he majored in political science with a specialization in international relations.[9] Obama graduated with a B.A. from Columbia in 1983, then worked for a year at the Business International Corporation[10] and then at the New York Public Interest Research Group.[11][12]

After four years in New York City, Obama moved to Chicago to work as a community organizer for three years from June 1985 to May 1988 as director of the Developing Communities Project (DCP), a church-based community organization originally comprising eight Catholic parishes in Greater Roseland (Roseland, West Pullman, and Riverdale) on Chicago's far South Side.[11][13] During his three years as the DCP's director, its staff grew from 1 to 13 and its annual budget grew from $70,000 to $400,000, with accomplishments including helping set up a job training program, a college preparatory tutoring program, and a tenants' rights organization in Altgeld Gardens.[14] Obama also worked as a consultant and instructor for the Gamaliel Foundation, a community organizing institute.[15] In mid-1988, he traveled for the first time to Europe for three weeks then Kenya for five weeks where he met many of his Kenyan relatives for the first time.[16]

Obama entered Harvard Law School in late 1988 and at the end of his first year was selected as an editor of the Harvard Law Review based on his grades and a writing competition.[17] In his second year he was elected president of the Law Review, a full-time volunteer position functioning as editor-in-chief and supervising the law review's staff of 80 editors.[18] Obama's election in February 1990 as the first black president of the Harvard Law Review was widely reported and followed by several long, detailed profiles.[18] He graduated with a Juris Doctor (J.D.) magna cum laude from Harvard in 1991 and returned to Chicago where he had worked as a summer associate at the law firms of Sidley & Austin in 1989 and Hopkins & Sutter in 1990.[17][19]

The publicity from his election as the first black president of the Harvard Law Review led to a contract and advance to write a book about race relations.[20] In an effort to recruit him to their faculty, the University of Chicago Law School provided Obama with a fellowship and an office to work on his book.[20] He originally planned to finish the book in one year, but it took much longer as the book evolved into a personal memoir. In order to work without interruptions, Obama and his wife, Michelle, traveled to Bali where he wrote for several months. The manuscript was finally published as Dreams from My Father in mid-1995.[20]

Obama directed Illinois Project Vote from April to October 1992, a voter registration drive with a staff of 10 and 700 volunteers that achieved its goal of registering 150,000 of 400,000 unregistered African Americans in the state, leading Crain's Chicago Business to name Obama to its 1993 list of "40 under Forty" powers to be.[21][22]

Obama taught constitutional law at the University of Chicago Law School for twelve years, as a Lecturer for four years (1992–1996), and as a Senior Lecturer for eight years (1996–2004).[23]

In 1993 Obama joined Davis, Miner, Barnhill & Galland, a 12-attorney law firm specializing in civil rights litigation and neighborhood economic development, where he was an associate for three years from 1993 to 1996, then of counsel from 1996 to 2004, with his law license becoming inactive in 2002.[11][24]

Obama was a founding member of the board of directors of Public Allies in 1992, resigning before his wife, Michelle, became the founding executive director of Public Allies Chicago in early 1993.[11][25] He served on the board of directors of the Woods Fund of Chicago, which in 1985 had been the first foundation to fund Obama's DCP, from 1993–2002, and served on the board of directors of The Joyce Foundation from 1994–2002.[11] Obama served on the board of directors of the Chicago Annenberg Challenge from 1995–2002, as founding president and chairman of the board of directors from 1995–1999.[11] He also served on the board of directors of the Chicago Lawyers' Committee for Civil Rights Under Law, the Center for Neighborhood Technology, and the Lugenia Burns Hope Center.[11]

Even Pat Buchanan liked the speech

I always liked Pat Buchanan, even when I didn't agree with him. And he nails what I also thought was one of the most effective moments last night.

What all this change and hope stuff is about (in case you don't get it yet and which Obama explained aound "it is about you" lines in his speech) is the shedding of your cynical beliefs. It is abandoning the urge to tear things down.

The reason why people liked Reagan is because he inspired people. Words matter. Words inspire. Words bring people into action.

Thursday, August 28, 2008

More Interesting than ModScan

From SCADA Scanning

I’ve you ever wanna try something fun, scan some frequencies that are assigned to local utilities. Sometimes you might happen upon some signals that sound like an old modem. It might surprise you to learn that some of these are actually modems that are transmitting data via analog signals. If you hook up the audio out from your scanner to the audio input on your notebook you can utilize various programs decipher or decode those transmissions. Below is a screen shot of a scanner program doing just that. The information that is in hex which would need to be converted to ascii to make it human readable.

Since I was not an intercept operator I don't know anything about this stuff.

Sunday, August 24, 2008

McCain should return to Honor

I actually saw Return with Honor in the theatres back in the mid-late 90s (or whenever it was, all I remember is that I saw it in San Antonio). And as a child I remember reading Five Years To Freedom. Both good stuff.

It is really too bad "I was a POW" is McCain's answer to everything now. It makes a mockery of this experience and deservedly brings on mockery like this....

Something is Rotten with Gimp & Powerpoint

Gimp causes blue screens on Windows. It's happened a half-dozen times lately. IRQL something or other. Oh and and you can predictably crash Powerpoint 2003 and 2007 by pasting in cut's from Gimp.

Two-three hours gone. Powerpoint 2007 autorecovery (saving every 10 minutes) didn't work for shit.

Thursday, August 21, 2008

Funny Thoughts On Why Folks don't go to SCADA Conferences

So the the latest on why someone isn't going to a SCADA conference comes from Walt on why he isn't going to PCSF this year.

I am not attending PCSF next week because of the press of work here. I have a 100 page magazine to get out by Friday of next week, and we are significantly behind schedule.

We'll I'm not going to PCSF (although I was invited to present, too) because I picked another SCADA CyberSecurity conference instead. Besides having bad memories of PCSF in 2006 (being told I was arming terrorists or something, I'm probably exaggerated) I have a bit of Cisco nostalgia, so I wanted to go to San Jose instead.

Of course the real reason I'm blogging on this is due to Joe's complaining about who didn't show up to his conference and Dale's post on why most SCADA conferences aren't worth attending.

Country First!

(I think I'm going to end all my posts with that until the election!)

Go To a Non-Technical (Non-Security) Conference, Dummy!

So I've been to a lot of conferences and trade-shows over the past 15 years, but the last two days at the SALT Interactive Technologies Conference in Crystal City has been refreshing and not just because I took the MARC down.

I also learned that taking public transportation from Western Maryland is sort of impractical, because each way the commute took over 2 hours. But I was able to work the majority of the time, so it wasn't wasted time and there were only a few places on the Brunswick Line the EVDO faded out.

My main objective in a attending the conference was to brush up on instructional design and get a jump start on e-Learning tools and technologies. But there were three things that I noticed that were refreshingly different from most of the technical security conferences I've been to as long as I can remember.

1) There weren't all the big egos.

2) The speakers could actually communicate effectively.

3) There was none of "the sky is falling"/"we are so F-d" talk that seems to be the norm.

Among the better presentations were by Marie-Pierre Huguet (on blending constructivism and behaviorism in instructional, a talk on thinking strategically (when developing eLearning solutions) by Mark Siegel.

There was also really good talk on rapid development of training using a modified spiral development model used quickly develop FISA training on the Protect America Act last summer. So you can guess the agency affiliation of these "DoD" and duo that gave the talk.

So if you've been doing security (or technology) for more than 5-6 years (that was about when I started to get restless and start wishing for a career change that would never come) I encourage you to find a business, or training, or knowledge management -- or something non-technical for a change of pace.

You won't regret it!

Tuesday, August 19, 2008

Awkward Teenage Cisco?

Here are some interesting quotes from CSO said Cisco security is growing up

Microsoft has been very public about how they changed the company to make security a priority. What's the story at Cisco? How did the security program get built?

We were probably in the same space. Many companies, including our own, started with building stuff first that solved communications problems and then thinking about the safety of communications afterwards.

About five years ago, we were fighting the company, my team. Mostly in the information security business. We were the "no" organization, the ivory tower. That's a dangerous place to be because my take is we ought to be a consultative fulfilment arm, not an adjudicator.

So we changed a lot of it and we started injecting things, like "You're going to have expertise in your team. We're not going to be even in the middle, so that way you can invest the expertise for what you need and we're not holding you up or bringing you into a slower position."


So did you do something like adopt a secure development lifecycles or change the way you built products?

We're not mature in this. We're in the awkward teenage phase. We're testing at the end of the development process and we're figuring out from that data how do you go backwards into the definition process. Now some definition happens anyway. So for example there are some baseline requirements of every product we built. However, I still say there's a lot to be learned. When you think you've got it right and you build it and you test it, the learnings from the test should benefit the next thing you build.

We haven't adopted a secure development lifecycle like Microsoft yet. We haven't nailed up equally on all product lines in a very consistent methodical measurable way, and that's why I say we're in that awkward teenage phase.

Saturday, August 16, 2008

Comments on Saddleback

I missed the first part of Obama's conversation with Warren tonight at Saddleback, but caught all of McCain's. Definitely the best campaign discourse I've seen in a while. And McCain definitely was sharper that I expected

But I think one of Sullivan's readers nailed it on McCain.

While he is more animated than usual, he recites the tired talking points of his stump speech we all have heard a million times. Not conversational like Obama, he says nothing remotely original. His responses are set pieces he has seared in his memory from countless repetition.

Apart from the style and the generally "grandpa tell me a story" approach to McCain's answers, I think there was stark contrast on the following questions:

Supreme Court Justices - Obama carefully reasoned it out. Thoroughly. McCain just picked those he didn't agree with. I never thought I'd say this, but this is Bush III to a tee. No time for thinking, here. You are for us or you are against us. This is why folks like me (who in the past might have called themselves "conservative" but now are afraid to use the term) would even consider a Democrat this year. And this Democrat. And the answer on Roberts and Executive Power was right on the money. McCain is either not capable of this or sort of thoughtfullness or is not willing to show it. I'm not sure which is worse. We need competence, not ideology.

Taxes - How can the "Democrats will raise you taxes" work in 2008? I guess that is all Republican party have? I did happily find out I was middle class, though. I was sort of worried. McCain used humor to defuse his arrogance and ignorance and dodge the question. It's all about hope and optimism and other 20th Century cliches that will not rebuild our infrastructure or solve this century's problems.

Evil - McCain is delusional if he thinks AQI (or even AQ) is the greatest evil and that Iraq is where we will defeat evil. Evil can only be defeated by God. Obama stressed the need from humility and how evil can be done by those trying to do good -- to do God's work. It is Bush's (and Rumsfeld's) hubris that by hard power alone we can exact change that we can spread "freedom" (insert your best Dubya pronunciation here) The world does not work like that. In the 1980s (whether through luck or by strategy) talked about the "Evil Empire" and it appeared to work. The "Axis of Evil?" Not so much.

It was clearthat McCain's audience tonight was his base (how many times did he repeat "Judeo-Christian" and "Reagan" and he did not blink an eye about when life begins) and Obama had a much lower bar. Show up. Not appear Muslim or scary.

But seriously, Obama's confident closing pretty much summed up the differences and what is at stake this year. If the American people want 4 more years of simple, black-and-white (but ultimately delusional) answers to difficult problems then we will get McCain and we will deserve him.

Bring it on.

McCain (or the "millennial" McCain) would have made a fine president in the 80s or maybe even the 90s but the world is too complex, too interconnected, moves too fast and America is clearly much worse off than it was 10 or 20 years ago.

Friday, August 15, 2008

Iraq Vets on C-SPAN: Must Listen To Radio

I tried to convey my excitement about this series on C-SPAN but I think it is one of those things you really can't appreciate unless you were in the military. The positive attitude that these soldiers demonstrated, the lack of bitterness after incredible suffering

Unfortunately I couldn't find the female Sergeant who I heard last night washing dishes and again today on the commute home. But what I do remember was her disappointment in the media about "telling the truth" about what went on, her ambivalence about what is at state in this year's election, and so much more.

It's the kind of thing can simultaneously inspires and depresses you.

Thursday, August 14, 2008

CPNI Secures the Internet

Wonder how much Fernando Gont got for writing this

This document aims to raise awareness about the many security threats based on the IP protocol, those that we are currently facing, and those we may still have to deal with in the future. It provides advice for the secure implementation of the IP, and also insights about the security aspects of the IP that may be of help to the Internet operations community.

And some profound statements like

Producing a secure TCP/IP implementation nowadays is a very difficult task partly
because of no single document that can serve as a security roadmap for the protocols.

Sure. Great. Uh huh. And it only took a year.

What next?


How about Ethernet while you are it.

Oh no, definitely go for TCP.

Tuesday, August 12, 2008

L2 Bridge ACLs on Cisco 800 Series ISRs

So it's obvious from this blog I was never a CCIE.

Hell, I barely passed the CCNA 2.0 exam many years ago (not because my IOS skills were that lacking, it was a bad exam, I tell you)

So had a hell of a time finding the extremely simple way to filter MAC addresses on a bridge interface, such as what I'm using on my 851 at home on my kids subnet. Well it was just my kids subnet until the damn Verizons Westel started acting up so bad with WPA with my Linux boxes lately.

I'm too lazy to do WEP (although it does work) and I've never had any luck with WPA under IOS. And yeah the first thing I did was wipe the web interface from flash.

So I figured how hard could it be. But I couldn't find it anywhere until I ran across a CCIE study guide on bridge filtering. Duh.

851w#sh access-lists 700
Bridge address access list 700
permit 0012.f0xx.xxxx 0000.0000.0000 (23 matches)
permit 001d.7exx.xxxx 0000.0000.0000 (38 matches)
permit 0013.e8xx.xxxx 0000.0000.0000 (1930 matches)
permit 0013.5fxx.xxxx 0000.0000.0000

I learned the hard way there is an implicit deny at the end. And with the 700 series ACLs you don't need to have the 0000.0000.0000

So then you just add "input-address-list 700" to your bridge group and viola!

interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 input-address-list 700
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding

Completely secure, because like the OpenBSD folks I don't rely on security at Layer 2 or 3. It's all in the OS and applications.

And I didn't try it (enough for one night, my reading glasses are already on) but I'm guessing I could do masks as well so I could filter out Apple or Dell MAC addresses and only allow Intel Wireless client adapters.

Now that would be really secure!

Monday, August 11, 2008

Bush as Carter / Georgia as Afghanisation '79

Andrew Sullivan nails it

Imagine that Bush is a Democrat (not that hard when you consider his fiscal record). Now imagine that a Democratic president had presided over the worst attack on American soil in history, a far stronger Iran on the brink of nukes, and a resurgent, aggressive Russia, willing and able to invade and terrorize a neighboring country in part because the president long believed that its president was a good man, and had looked into his soul.

I think they would have impeached him a few years ago, no? He would be viewed as the Carter to end all Carters

Then there is of course all the impotent tough talk against the Russians. We aren't going to do shit about Russia -- nor should we.

Russia's Georgian adventure is actually pretty brilliant. It demonstrates the impotence of an apathetic Europe that is probably suspicous of the East anyway and an overextended (oil-starved) America that is talking tough about NATO expansion and missle defense in Russia's backyard.

Start a small (or not so small) invasion of a pro-Western (maybe!) neighbor for a few days. Then back down when America agrees to stop all messing around in your backyard.

Brilliant, I tell you.

Sunday, August 10, 2008

If you get invaded, bombed, shut off the net, start blogging!

So I guess we really have no way of knowing whether is really the Ministry of Foreign Affairs of Georgia but here are the good parts

Georgian military forces were able to resist attacks by the Russian army and managed to push and keep Russian forces out of the South Ossetian town of Tskhinvali until very late into the night.

The fierce battles inflicted heavy damage on the Russian forces. During the course of the day, they lost about 40 tanks, as well as a number of smaller artillery pieces, APCs and soldiers.

Early in the morning, overwhelming Russian reinforcements were poured into the theatre, including dozens of tanks, APCs, and katyusha rocket trucks, supported by hundreds of troops.

Russian air forces have been attacking Georgian positions throughout the night in and around Tskhinvali, in a "burned earth" tactic reminiscent of the Russian devastation of Grozny, Chechnya, in the 1990s. As a result, Tskhinvali was largely reduced to rubble, and Georgian forces were forced to redeploy to the outskirts of the city, and unilaterally ceased returning fire. Nevertheless, Russian attacks continued.

Youtube videos please!

For the price of registering my 2001 Accord in Maryland I could get...

I really need to stop reading LinuxDevices because I continue to be intrigued by Netbooks although there is no way in hell I'm getting another laptop.

But on Amazon for $399... ASUS Eee PC 900 16G (8.9" Display, Intel Mobile CPU, 1 GB RAM, 16 GB Solid State Drive, Linux, 4 Cell Battery) Galaxy Black.

1 GB, 16 GB Solid State... sweet!

More Interesting than Modscan: .ru vs. .ge

If you've been following the Defcon SCADA silliness check out Dale's post then look at these on the Cyber aspect of the Georgia vs. Russia conflict.

Part I

As requested by community relay, the following is a report on the cyber war underway in parallel with conventional warfare. Many of Georgia’s internet servers were under external control from late Thursday, Russia’s invasion of Georgia commenced on Friday. It is further requested of any blog reader the information below is further relayed to the International Press and Community to ensure awareness of this situation. Also as much of Georgia’s cyberspace is now under unauthorized external control the following official press statement is circulated without modification. Report on the cyberwar below:

And part II

As an update; within the community, our friends in Germany had managed to pierce the siege and gain a direct routing to Georgia via AS3320 DTAG Deutsche Telekom for a few hours. this afternoon. For the time being AS8359 COMSTAR Direct Moscow region network CJSC COMSTAR Direct Smolenskaya Sennaya Sq, 27 block 2 119121 Moscow, Russia, have intercepted this and are redirecting this route of cyber traffic via their servers. The good news is other German servers are now also attempting to access Georgia servers directly.

Saturday, August 09, 2008

McCain as Bush 3rd^H^H^H1st Term?

Whether it is rhetorically effective or not, I never cared much for the McCain as 3rd Bush term line of argument from the Democrats but the Bush 1st term makes a lot more sense

Obama’s statement put him in line with the White House, the European Union, NATO, and a series of European powers, while McCain’s initial statement—which he delivered in Iowa and ran on a blog on his Web site under the title “McCain Statement on Russian Invasion of Georgia,”—put him more closely in line with the moral clarity and American exceptionalism projected by President Bush’s first term.

I admit that I found this "moral clarity" appropriate following 9/11 but in hindsight it has obviously been flawed.

Sunday, August 03, 2008

Top 10 Worst TItles (and other thoughts on BlackHat 2008)

With each passing year I find it difficult to get excited about BlackHat (of course I don't attend) but regardless of the topics there are some real doozies in terms of lame titles (who cares about the content)
  • SQL Injection Worms for Fun and Profit / Windows Hibernation File for Fun and Profit - nothing with "fun and profit" should be accepted in 2008
  • Bad Sushi: Beating Phishers at Their Own Game - sushi is a security cliche, almost as bad as fuzzing
  • Taking the Hype Out of Hypervisors - nice try
  • Got Citrix, Hack It! - uh huh, sure.
  • Black Ops 2008 -- Its The End Of The Cache As We Know It - I'm a big fan of eschatology but channeling REM is not cool
  • Highway to Hell: Hacking Toll Systems - AC/DC is better than REM but rm the "hacking..." bit
  • The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation - if I hear the Internet is broken one more time...
  • Pushing the Camel through the Eye of a Needle / Encoded, Layered, and Trancoded Syntax Attacks: Threading the Needle past Web Application Security Controls - they shouldn't have accepted two prezos with "eye of the needle"
  • Satan is on My Friends List: Attacking Social Networks - without Dan Farmer it just doesn't work
  • A Fox in the Hen House (UPnP IGD)
Which titles (if not necessarily the content) do I think work? No explanation is necessary.
  • Leveraging the Edge: Abusing SSL VPNs
  • REST for the Wicked
  • Malware Detection Through Network Flow Analysis
  • Braving the Cold: New Methods for Preventing Cold Boot Attacks on Encryption Keys
  • Pointers and Handles, A Story Of Unchecked Assumptions In The Windows Kernel
Presentations that actually look interesting and I will probably look at the slides when they are out
  • Passive and Active Leakage of Secret Data from Non Networked Computer
  • SmartCard APDU Analysis
  • Predictable RNG in the Vulnerable Debian OpenSSL package, the What and the How
  • Side-channel Timing Attacks on MSP430 Microcontroller Firmware - anything that mentions JTAG is cool
  • The Four Horsemen of the Virtualization Security Apocalypse - gotta check out the Hoff
  • Circumventing Automated JavaScript Analysis Tools - I probably won't understand a lick of it
  • Developments in Cisco IOS Forensics - go FX!
  • Malware Detection Through Network Flow Analysis
  • No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler UsingTraffic Profiling - a Black Hat talk that actually proposes solutions!

Saturday, August 02, 2008

McCain Ad Parody Roundup


and (although not a parody but or good as the Hillary one) still amusing

Is Digital Bond's SCADApedia arming attackers?

Unless you've subscribed to the RSS you've probably missed all the cool stuff like a list of control systems ports (watch out for typos or other errors though on Bacnet and Modbus/TCP of all things!) that is on SCADApedia. Several years ago I can a remember a fairly high level official in a government critical infrastructure protection group commenting that this sort of information should not be made public and of course I would guess that over 75% of the "real SCADA Security experts" (you know the ones that come out of an automation background, hold a PE, use the term "Cyber Security" without a trace of irony) would think this sort of information is dangerous. Or how about the members of the upcoming PCSF Panel on Vulnerability Disclosure (I ran the first one back in 2006 which led to some controversy).

It will be interesting to see how much (or how little) things have changed since then.

Friday, August 01, 2008

Lua is Not Perl so It Must Be OK (or maybe not!)

I'd heard of Lua before, but this week I kept on hearing about it and I have nothing better to do while waiting outside my daughter's door hoping, praying, she'll finally get to sleep.

Lua 5.0.3 Copyright (C) 1994-2006 Tecgraf, PUC-Rio
> print "blah"
> print "blah"
> d = [1,3,4]
stdin:1: unexpected symbol near `['
> d = (1,3,4)
stdin:1: `)' expected near `,'
> d = { 1,3,4 }
> d
>> print d
stdin:3: `=' expected near `print'
> print d
stdin:1: `=' expected near `d'
> d
>> puts
stdin:2: `=' expected near `puts'
> print (d)
table: 0x8062df8
> type(d)
> print type(d)
stdin:1: `=' expected near `type'
> print (type(d))

The parentheses are weird, but I actually sort of like it, it feels sort of Pythonic but I'm sure its not so off to the Tutorials!

A few minutes later.

Yuck, but OO is bloody awful and after doing Ruby anything with __ just feels dirty, even Python.

OK, there is not point in bothering with Lua, but for a minute there it looked interested.

Move on, nothing to see here.