Friday, December 25, 2009

Installing Redmine on Debian Etch



Here is a step by step summary of what I did to get Redmine up and running on Debian 5.x (Linux etch55 2.6.24-24-openvz #1 SMP Fri Sep 18 19:57:34 UTC 2009 i686 GNU/Linux).

If you don't know what Redmine is, it is like Trac, but better and on Rails. If you don't know what Trac is you probably wouldn't be interested in Redmine, so you can stop reading.

What it took

1. Review this Rails on Debian guide. I'm sure there are others, but this was a good starting point to get the nuances of running Rails apps on Debian, which can be a bit of a pain if you are relying on packages. I know real Rails folks use OS X, but I'm not a real Rails guy.

2. Install the necessary Debian packages. This is what I had to do on an OpenVZ VE, so your packages may differ slightly: ruby ruby-dev irb sqlite3 ri libzlib-ruby libsqlite3-ruby libmysql-ruby mysql-server mysql-client libopenssl-ruby

3. Install Rubygems the normal way. I installed 1.3.5. I created a symlink for gem1.8 just because.

4. Read the Redmine Installation Guide. Most of what you need to know is there, and I'm not going to repeat what is there because it should just work, especially if you are familiar with Rails or the configuration of Rails apps.

5. Install rails and rake. I installed Rails 2.1.2 based on the minimum for Redmine 0.8.x. I assume more recent versions of Rails will work.

6. Download the stable release of Redmine.

7. You should have already configured mysql-server during the install, but make sure you put your password in the database.yml.

8. Create your database.yml, the session key and run the various rake scripts in the installation guide.

9. Fire up with webrick and login with admin/admin.

What went Wrong?
The main issues I had were related to not installing the right Debian packages. For example you definitely need libopenssl-ruby or the startup scripts will fail. I also screwed up the database.yml.

What Next?
Get git working following the instructions here. But first I need to work on my git skills, since I mostly have used subversion.

Saturday, December 19, 2009

Sexing Up Your Boring Hardy Desktop to thwart Mac-Envy



So image is important. I get that. That is why so many security folks like Macs these days. It certainly isn't because they are more reliable, but I digress.

Karmic has decent themes and wallpapers, but 8.04LTS is bloody awful. And you can't go onsite somewhere with a bunch of non-IT folks that will already be looking over your shoulder with ugly Ubuntu brown. It is bad enough that I have to use an older Dell D630, which of course runs faster than my E6400 with XP.

So the Bisigi Project has some pretty cool themes. I picked Showtime, a nice monochrome, almost but not completely OSX-like theme. Next you need a simple monochrome theme for Firefox. If you have to use Firefox, Full Flat kicks ass, especially on Netbooks with limited resolution, and I swear it is faster. Lastly you need a nice monochrome wallpaper like Dark Times (after all it is Advent, remember) from gnome-look.org.

And this just in, a monochrome Chrome theme to match.

Linux Netbook Use Case: EVDO/Wifi Firewall to protect your "Big Company" XP Laptop

So if you've used any large enterprise XP image you know they are awful.

The larger the company, the worse the build. They are slow. They crash all the time. They have a zillion agents running doing God knows what and they probably have the firewall disabled.

But you want to do the "right thing" and actually follow policy and NOT put Linux on the lovely Dell hardware they give you, like you used to do "back in the day."

And you don't want to run these in a coffee shop or on an untrusted network. But I feel reasonably safe running my Ubuntu S10-2 in relatively hostile environments.

Because most modern NICs (including the Broadcoms in most Atom-based netbooks) have auto-MDX, you can just plug your laptop directly into the unused Ethernet port on your Netbook after doing the following:

1) Configure a static address on eth0 (in /etc/network/interfaces), making sure it is not a network you actually use (DOH!)
2) Make the appropriate change to sysctl.conf (if you have to ask...)
3) Install dnsmasq for DNS and DHCP (an apt-get away)
4) Add whatever iptables rules you want to rc.local (or run manually because if the ppp0 interface is not up it may not work)

Sometimes I share over the Wifi, other times I use my EVDO card.

Bottom line: it just works.

Bonus: you get to see whatever the hell all those pesky agents are doing when they phone home to your corporate network over the Internet.

Snow Photos and More

In lieu of Facebook. Recent birthday party, lego club, and more!

blizzard09

Wednesday, December 09, 2009

WebSocket Service Fingerprinting with Curl

Fingerprinting is probably a bit of a stretch (at least I didn't use the "h" word), but using pywebsocket is probably the easiest way to learn about the protocol.

Start up the server....

franz@mfranz-s10-2:~/Documents/pywebsocket-read-only/src/mod_pywebsocket$ python standalone.py -p 8888 -w ../example/

Then the client...

mfranz@mfranz-s10-2:~/Documents/pywebsocket-read-only/src/example$ python echo_client.py -s 127.0.0.1 -p 8888
Send: Hello
Recv: Hello
Send: 日本
Recv: 日本
Send: Goodbye
Recv: Goodbye

Look at the traffic on the wire with ngrep.
interface: lo (127.0.0.0/255.0.0.0)
####
T 127.0.0.1:44284 -> 127.0.0.1:8888 [AP]
GET /echo HTTP/1.1..
##
T 127.0.0.1:44284 -> 127.0.0.1:8888 [AP]
Upgrade: WebSocket..
##
T 127.0.0.1:44284 -> 127.0.0.1:8888 [AP]
Connection: Upgrade..
##
T 127.0.0.1:44284 -> 127.0.0.1:8888 [AP]
Host: 127.0.0.1:8888..
##
T 127.0.0.1:44284 -> 127.0.0.1:8888 [AP]
Origin: http://localhost/..
##
T 127.0.0.1:44284 -> 127.0.0.1:8888 [AP]
..
##
T 127.0.0.1:8888 -> 127.0.0.1:44284 [AP]
HTTP/1.1 101 Web Socket Protocol Handshake..
##
T 127.0.0.1:8888 -> 127.0.0.1:44284 [AP]
Upgrade: WebSocket..
##
T 127.0.0.1:8888 -> 127.0.0.1:44284 [AP]
Connection: Upgrade..
##
T 127.0.0.1:8888 -> 127.0.0.1:44284 [AP]
WebSocket-Origin:
##
T 127.0.0.1:8888 -> 127.0.0.1:44284 [AP]
http://localhost/
##
T 127.0.0.1:8888 -> 127.0.0.1:44284 [AP]
..
##
T 127.0.0.1:8888 -> 127.0.0.1:44284 [AP]
WebSocket-Location:
##
T 127.0.0.1:8888 -> 127.0.0.1:44284 [AP]
ws://127.0.0.1:8888/echo
##
T 127.0.0.1:8888 -> 127.0.0.1:44284 [AP]
..
##
T 127.0.0.1:8888 -> 127.0.0.1:44284 [AP]
..
##
T 127.0.0.1:44284 -> 127.0.0.1:8888 [AP]
.Hello.
#
T 127.0.0.1:8888 -> 127.0.0.1:44284 [AP]
.Hello.
#
T 127.0.0.1:44284 -> 127.0.0.1:8888 [AP]
........
#
T 127.0.0.1:8888 -> 127.0.0.1:44284 [AP]
........
#
T 127.0.0.1:44284 -> 127.0.0.1:8888 [AP]
.Goodbye.
#
T 127.0.0.1:8888 -> 127.0.0.1:44284 [AP]
.Goodbye.
###

Now with curl. Notice the headers that you have to add to get a response; with anything less I got a 404. The Origin header can be anything.

mfranz@mfranz-s10-2:~$ curl -v http://127.0.0.1:8888/echo -H "Upgrade: WebSocket" -H "Connection: Upgrade" -H "Origin: http://localhost"


* About to connect() to 127.0.0.1 port 8888 (#0)
* Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
> GET /echo HTTP/1.1
> User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
> Host: 127.0.0.1:8888
> Accept: */*
> Upgrade: WebSocket
> Connection: Upgrade
> Origin: http://localhost
>
<>

But if the URI doesn't match you get

mfranz@mfranz-s10-2:~$ curl -v http://127.0.0.1:8888/ -H "Upgrade: WebSocket" -H "Connection: Upgrade" -H "Origin: http://localhost"


* About to connect() to 127.0.0.1 port 8888 (#0)
* Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
> Host: 127.0.0.1:8888
> Accept: */*
> Upgrade: WebSocket
> Connection: Upgrade
> Origin: http://localhost
>
* Empty reply from server
* Connection #0 to host 127.0.0.1 left intact
curl: (52) Empty reply from server
* Closing connection #0
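What the ngrep capture and the curl runs above show, reconstructed offline as an added example (this is not pywebsocket's code): the handshake request curl was coaxed into sending, a checker for the 101 reply that the server returns, and the 0x00...0xFF text framing behind the dotted ".Hello." lines. "Draft-75-style" is my assumption based on the WebSocket-Origin/WebSocket-Location headers in the capture; the server reply in the block is constructed from the capture and no socket is opened.

```python
# Added example (not pywebsocket's code): the early-draft WebSocket handshake
# and framing that the ngrep capture and curl runs above show. Draft-75-style
# is an assumption based on the WebSocket-Origin/WebSocket-Location headers.
# SAMPLE_REPLY is constructed from the capture; no socket is opened here.

REQUIRED_RESPONSE_HEADERS = {"upgrade": "websocket", "connection": "upgrade"}


def build_handshake(host, port, path, origin):
    """The request curl was made to send with the three -H flags above."""
    lines = [
        "GET %s HTTP/1.1" % path,
        "Upgrade: WebSocket",
        "Connection: Upgrade",
        "Host: %s:%d" % (host, port),
        "Origin: %s" % origin,
        "", "",                      # blank line ends the handshake
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_handshake_response(raw):
    """Check a raw server reply. Returns the WebSocket-Origin/-Location pair or
    raises ValueError saying why this is not a draft-75 handshake response."""
    head, sep, _frames = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete handshake: no terminating blank line")
    lines = head.decode("utf-8", "replace").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "101":
        raise ValueError("expected 101, got %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    for name, want in REQUIRED_RESPONSE_HEADERS.items():
        if headers.get(name, "").lower() != want:
            raise ValueError("missing or wrong %s header" % name)
    if "websocket-origin" not in headers or "websocket-location" not in headers:
        raise ValueError("no WebSocket-Origin/WebSocket-Location headers")
    return {"origin": headers["websocket-origin"],
            "location": headers["websocket-location"]}


def encode_frame(text):
    """Draft-75 text frame: a 0x00 byte, the UTF-8 payload, a 0xFF byte.
    That is the '.Hello.' and the eight dots for 日本 in the ngrep output."""
    return b"\x00" + text.encode("utf-8") + b"\xff"


def decode_frames(buf):
    """Split a byte stream into its text frames. Returns (frames, leftover);
    a trailing partial frame is kept as leftover rather than decoded."""
    frames, pos = [], 0
    while pos < len(buf):
        if buf[pos] != 0x00:             # 0x80-type length-prefixed frames not handled
            raise ValueError("unsupported frame type 0x%02x at offset %d" % (buf[pos], pos))
        end = buf.find(b"\xff", pos + 1)  # 0xFF never occurs inside UTF-8
        if end < 0:
            break
        frames.append(buf[pos + 1:end].decode("utf-8"))
        pos = end + 1
    return frames, buf[pos:]


# Constructed from the capture: the server's reply to GET /echo plus one frame.
SAMPLE_REPLY = (
    b"HTTP/1.1 101 Web Socket Protocol Handshake\r\n"
    b"Upgrade: WebSocket\r\n"
    b"Connection: Upgrade\r\n"
    b"WebSocket-Origin: http://localhost/\r\n"
    b"WebSocket-Location: ws://127.0.0.1:8888/echo\r\n"
    b"\r\n"
    b"\x00Hello\xff"
)


def fingerprint(raw):
    """Classify a reply the way the curl runs above do: an empty reply (wrong
    URI), an ordinary HTTP status (missing headers, 404), or a WebSocket 101."""
    if not raw:
        return "empty"
    try:
        return "draft75-websocket %s" % parse_handshake_response(raw)["location"]
    except ValueError:
        parts = raw.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
        return "http-%s" % parts[1] if len(parts) > 1 else "unknown"


if __name__ == "__main__":
    print(build_handshake("127.0.0.1", 8888, "/echo", "http://localhost").decode())
    print(fingerprint(SAMPLE_REPLY))
    print(decode_frames(b"\x00Hello\xff" + encode_frame("日本") + b"\x00Goodby"))
```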


Thursday, November 26, 2009

Generating SVG Output (from Graphviz) in your Django App

So accomplishing new coding tasks can be a challenge with interruptions and I've had a lot of interruptions this week but I finally got there. And I'm thankful!

I have an app that is storing data, meaning Django models for the uninitiated. What is in there doesn't matter, but it is something that is conducive to plotting with graphviz. So the starting point is a string that is in the .dot format. I have some code that makes queries to the database and I end up with a string.

So there is a utility function that creates this string...

import subprocess

def make_svg_str(objects):
    dot_string = ""  # the .dot text built from the query results
    #blah blah blah snip
    dot_string += "}"
    # stdout=PIPE is what makes dot's output come back through communicate()
    # instead of going to the server process's own stdout (see below)
    p = subprocess.Popen(['/usr/bin/dot', '-Tsvg'],
                         stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    # bytes in, text out (works on Python 2 and 3)
    (stdout, stderr) = p.communicate(dot_string.encode('utf-8'))
    return stdout.decode('utf-8')

So I almost got this right the first time, except that I forgot stdout=subprocess.PIPE in Popen(), which caused the output to go to the process's stdout (and not be assigned to the string), so I saw the SVG XML in the dev web server logs.

The Graphviz string (dot_string) is piped to the dot executable, and the function returns the SVG XML as a string, which is what ends up in the stdout variable of the tuple.

Now the tricky part within my views.py.

My first mistake was using the Django CSV docs instead of the PDF docs, because the latter is what we need. I also didn't remember that HttpResponse is a file-like object, so we can just write to it once we have the SVG text.

from django.http import HttpResponse
from myapp.models import Foo   # placeholder: whichever app holds the model being plotted

def svg(request):
    f = Foo.objects.all()
    # mimetype= is the Django 1.x keyword; newer releases call it content_type=
    response = HttpResponse(mimetype='image/svg+xml')
    # no "attachment;" here, so the browser renders the SVG inline
    response['Content-Disposition'] = 'filename=somefilename.svg'
    response.write(make_svg_str(f))
    return response

So this will display your image within your browser (which is what I wanted) instead of downloading the file, which is what you get if you use "attachment" in the Content-Disposition header.
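An added example, not code from the post, of the part that the snip hides: assembling dot_string from records and quoting every field as a DOT string literal, so a field that happens to contain a quote or a backslash (anything typed into the admin UI can) neither breaks the graph nor gets reinterpreted by dot. The (source, target, label) tuples are constructed stand-ins for the Foo queryset, and dot is only invoked if Graphviz is installed.

```python
# Added example, not the post's code: assembling dot_string from records and
# quoting every field as a DOT string literal before it reaches dot.
# The (source, target, label) tuples are constructed stand-ins for the Foo
# queryset; dot is only run if Graphviz is installed.
import shutil
import subprocess


def dot_quote(text):
    """Turn any value into a valid double-quoted DOT string.
    A double quote becomes backslash-quote, so the field cannot end the
    literal early and add attributes of its own. A backslash is doubled,
    so an escString such as \\N (node name) is shown as typed instead of being
    expanded by dot. Real newlines become the two-character \\n escape,
    which dot renders as a line break inside the label."""
    text = str(text).replace("\\", "\\\\").replace('"', '\\"')
    text = text.replace("\r", "").replace("\n", "\\n")
    return '"%s"' % text


def build_dot(edges, name="g"):
    """Render edges [(src, dst, label), ...] as a directed graph."""
    lines = ["digraph %s {" % dot_quote(name)]
    for src, dst, label in edges:
        lines.append("    %s -> %s [label=%s];"
                     % (dot_quote(src), dot_quote(dst), dot_quote(label)))
    lines.append("}")
    return "\n".join(lines) + "\n"


def render_svg(dot_string):
    """Pipe DOT text to 'dot -Tsvg' without shell=True; returns (svg, error).
    svg is None if dot is missing or rejected the input."""
    exe = shutil.which("dot")
    if exe is None:
        return None, "graphviz 'dot' is not installed"
    p = subprocess.Popen([exe, "-Tsvg"], stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = p.communicate(dot_string.encode("utf-8"))
    if p.returncode != 0:
        return None, err.decode("utf-8", "replace")
    return out.decode("utf-8"), ""


if __name__ == "__main__":
    # Constructed records; the last label is the kind of field that breaks
    # naive string concatenation.
    records = [("web", "db", "3306/tcp"), ("web", "cache", "11211/tcp"),
               ("admin", "web", 'note: "untrusted" \\N\nline two')]
    dot = build_dot(records, name="hosts")
    print(dot)
    svg, err = render_svg(dot)
    print(svg[:60] if svg else err)
```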

The name of the game is taking shortcuts that get the job done. I'm using the admin interface to provide a good-enough UI to enter the data and now I'm using Graphviz to visualize that data without having to spend a lot of time writing UIs or nasty JavaScript.

Tuesday, November 24, 2009

Where's the Controversy about Shodan?



So like a lot of folks I spent no more than 15 minutes this morning googling Shodan for anything interesting. I looked for SCADA protocols (there were none that I could easily find) or obvious field automation devices, so I went back to work. At best I found a bunch of VxWorks systems (and a whole lot of ESX servers, shiver), and others like @chrisjager have also commented about the large number of embedded devices directly connected to the Internet, which is, indeed, frightening.

But @taosecurity just made some interesting comments, questioning how long the site will be up and hitting upon the ethical issues of a site which so obviously allows easy amplification of vulnerable systems. This was the first I've seen that even considers this angle. I'm not sure if everybody is getting ready for the holidays, trying to get the last bit of work done, or already gone, but at least among the 300+ folks I follow on Twitter there were absolutely no questions about the site, and whether or not such a site was appropriate, ethical, etc. Just to be clear, I'm not claiming it is or is not, I'm just surprised it hasn't come up yet either way. Now if and when this happens (perhaps everyone else is so jaded and just does not want to go there) I'm sure the arguments will quickly fall into the typical cliched responses around disclosure:
  • The site is raising awareness so is a good thing. Administrators can actually find and fix their systems.
  • Anyone who has systems that vulnerable directly connected to the Internet deserves to be compromised.
  • The site is irresponsible and we should immediately DDoS it
And so on...

I don't actually believe any of those arguments. I'm not sure what to think. And I find that troubling. After nearly a decade in information security, I've become weary of all the arguments on either side of these sorts of disclosure issues, so I resort to no opinion, because my opinion doesn't really matter and folks will release 0-days (or not) or more interesting sites like this (or not), and what will happen will happen regardless of any international standards or documented best practice working groups.

So back to trying to find a way to get Graphviz to generate SVG images within a Django app. That is at least a problem I can solve.

Sunday, October 18, 2009

And what exactly would we be doing differently?



A blackout caused by hackers is the holy grail, the proof that extra terrestrials exist, the debunking of the Warren Commission, the final evidence that we are truly headed toward conflict with a parallel universe and shape-shifting mercury-blooded agents are among us. After Eligible Receiver, after Cyber Spies Penetrated the Grid (and don't forget Aurora), after all the incidents cited in every SCADA security presentation, the hunger for one documented incident is still so strong that remote attendance won't be allowed at an upcoming SCADA Cyber Security Conference. And you can taste it in the latest Call for SCADA Security Researchers from Project Grey Goose.

I challenge you to try to get an answer to that question. I spent the last few weeks doing just that and ran into one brick wall after another, and I have some pretty decent connections to fall back on. It turns out that private industry, which essentially owns the U.S. power grid, enjoys a protection from public scrutiny that extends even to Freedom of Information Act (FOIA) requests, and they get to decide what falls under that protection and what does not. So who does this secrecy benefit?

Saturday, October 03, 2009

Walking through .nessus files with Python xml.etree.ElementTree

Back when I used to teach Tenable's Nessus course I was always surprised how most folks, if they wanted to perform additional analysis or manipulation of scan results, used Excel to process NBE/NSR files rather than using XML. So I added some simple examples of how to use Python and Ruby to the course, and how easy it is to write a simple parser. In my slides I believe I used expat, which requires you to build a list/hash of the data you extract as you encounter the start or end of the element. This works, and expat or SAX are the primary parsers I've used over the years, although I did recently discover minidom.

If you click on the capture above (Blogger doesn't handle XML or code that well) you'll see that after parsing the .nessus file and starting with the top node (I'm not sure why I had to call getroot()), I navigated through the different nodes within the .nessus file, starting with Report and ReportHost and ending with ReportItem, where I extracted the port and plugin id, so that when you run the script you get this for all the

192.168.20.3
- 22/tcp|0
- 1241/tcp|0
- 111/tcp|0
- 1243/tcp|0
- 111/tcp|10223
- 59370/tcp|11111
- 111/tcp|11111
- 33145/udp|11111
- 111/udp|11111
- 1241/tcp|22964
- 22/tcp|22964
- 1241/tcp|10863
- 1241/tcp|35291
- general/tcp|12634
- general/tcp|22869
- 59370/tcp|25221

This code snippet isn't terribly useful but it illustrates the API and how it is very straightforward to parse .nessus files.
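The tree walk the screenshot showed, written out here as an added example (it is not the course's or the slides' code). It assumes the .nessus v2 layout, where Report, ReportHost and ReportItem are nested elements and the host name, port, protocol and plugin id are attributes; the document in the block is constructed, not a real scan. Plugin and port numbers are taken from the listing above, and the comment on parse_nessus answers the getroot() question.

```python
# Added example: walking a .nessus file with ElementTree the way the course
# snippet did. Not the slides' code. Assumes the .nessus v2 layout
# (Report > ReportHost[@name] > ReportItem[@port @protocol @pluginID]);
# the document below is constructed, not a real scan.
try:
    import xml.etree.cElementTree as ET   # the C implementation benchmarked below
except ImportError:                        # gone in Python 3.9+, where ElementTree is C-backed anyway
    import xml.etree.ElementTree as ET

SAMPLE_NESSUS = b"""<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="constructed-scan">
    <ReportHost name="192.168.20.3">
      <HostProperties><tag name="host-ip">192.168.20.3</tag></HostProperties>
      <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="0" pluginID="0"/>
      <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="0" pluginID="22964"/>
      <ReportItem port="111" protocol="tcp" svc_name="rpc-portmapper" severity="0" pluginID="10223"/>
      <ReportItem port="0" protocol="tcp" svc_name="general" severity="0" pluginID="12634"/>
    </ReportHost>
    <ReportHost name="192.168.20.4">
      <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="0" pluginID="22964"/>
      <ReportItem port="111" protocol="udp" svc_name="rpc-portmapper" severity="0" pluginID="11111"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(data):
    """ET.parse(path) returns an ElementTree wrapper, which is why the post
    needed getroot(); fromstring() hands back the root Element directly."""
    return ET.fromstring(data)


def iter_findings(root):
    """Yield (host, port, protocol, pluginID) for every ReportItem, in
    document order: Report -> ReportHost -> ReportItem."""
    for report in root.iter("Report"):
        for host in report.iter("ReportHost"):
            name = host.get("name")
            for item in host.iter("ReportItem"):
                yield name, item.get("port"), item.get("protocol"), item.get("pluginID")


def format_listing(root):
    """Reproduce the listing above: the host on its own line, then one
    '- port/proto|pluginID' line per finding. Nessus files host-level
    findings under port 0, which the listing shows as 'general'."""
    lines, current = [], None
    for host, port, proto, pid in iter_findings(root):
        if host != current:
            lines.append(host)
            current = host
        lines.append("- %s/%s|%s" % ("general" if port == "0" else port, proto, pid))
    return lines


def hosts_with_plugin(root, plugin_id):
    """Sorted hosts on which a given plugin fired; the usual triage question."""
    return sorted({h for h, _p, _pr, pid in iter_findings(root) if pid == str(plugin_id)})


if __name__ == "__main__":
    root = parse_nessus(SAMPLE_NESSUS)
    print("\n".join(format_listing(root)))
    print(hosts_with_plugin(root, 22964))
```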



Some Benchmarks
Besides being much cleaner (IMHO), the nice thing about ElementTree is that there is a C implementation. The test file is 2.0 MB, consists of 4 scans, and the scans include the results from only a handful of targets.

On Python 2.5 / Cygwin on my Ideapad S10-2 (Windows XP SP3)

Pure Python
real 0m4.250s
user 0m3.155s
sys 0m0.357s

C Version
real 0m1.422s
user 0m0.405s
sys 0m0.374s

I wanted to do a comparison with Win32 on Python 2.6 on the same system but I was unable to get timeit.exe working from the Windows 2003 Resource Kit.


NOTE: ElementTree is available in Python 2.5 and later and you should be ashamed if you are using anything older than that.

Friday, September 11, 2009

Mortal Netbook Sins (or, why is it impossible for vendors to get it right?)

So I'm typing this on my (well, actually my wife's) Lenovo S-10, which I admit that I covet. She inherited it after her Powerbook G4 12" (actually my favorite laptop of all time) suffered at the hands (or paws) that typically do in laptops in our household.

Even though my two main laptops (a T-61 and a Dell E6400) are both 14.1" and smallish, I still miss the two pound form-factor and the small screen/keyboard, so I've been agonizing for a while whether or not and which one should be my 2nd Netbook purchase. It should be easy, since there are literally around 50 different models on the market. But it isn't.

The Ideapad S-10 is by no means perfect (the keyboard is too small, it only has 2 USB ports and I don't use the express card slot), but compared to what is available at Best Buy it is hard to beat. But as I've been contemplating getting another Netbook that I want but really don't need, here is the dogma:

By far the most damning flaw, the one that cannot be reconciled ever, is an unusable touchpad and buttons. This basically removes any of Dell's offerings because they cut corners and implemented a single, rocker-style button, and the touchpad itself is awful, jumpy, and could. I actually. The Asus 1005HA is not terrible but not great either.

The second abomination is the battery bulge. As Netbooks have added 6 and 9 cell batteries, they have added a rear bulge that sticks straight out the back of the laptop. The S12 and S10-2 with the larger capacities succumb to this temptation, as do many others.

The third sin is the appearance of cheapness. All of these systems are cheap but they shouldn't appear so. The Gateway 3103 falls prey to this. It also runs Vista and is not Linux friendly, taking it out of consideration.

A last fatal flaw is price. It should be below $350. Period. A $400 netbook makes no sense given their underpowered components, especially since I can get a T400 for right around $750; as my total credit card bill reaches $500 it makes no sense to consider an Atom processor when I can get the real thing for a few hundred dollars more. This rules out the Sony and Toshiba models.

Not a showstopper, but definitely a flaw, is the inability to customize and the lack of a two year warranty. Basically this means you are left with Lenovo or HP, since the vast majority of vendors do not allow you to build custom systems beyond choosing the size of the battery.

Notice what I left out: sound, keyboard, screen, ports, ease of upgrade. None of these really matter if the essentials are met.

So right now I'm not sure, but the two choices I'm considering are a 3-cell Lenovo S-10-2 and an HP Mini XP with the higher-resolution 1366x768 display. Both meet all these criteria, so we'll see if I give in to temptation and place an order this weekend.

Sunday, August 30, 2009

Why must I be Unnerved? (#25 from Brand You 50)

About 18 months ago I blogged about a conversation I had with a friend and how we both were stuck in an 18 month job cycle. Several months ago (besides worrying that my 18 month clock was ticking; those that follow my personal twitter feed know the egg timer rang and I'm starting a new job tomorrow) I ordered another copy of the must-have Brand You 50 and started reading it again.

This was something I hadn't done for a while, but something I highly recommend.

So tonight I read #27 (TO STEER ME INC THROUGH THE WHITE WATER OF CHANGE IS TO DARE, DAILY), which contained some clues to decipher my (and I assume, others') 18 month curse.

From the T.T.D. at the end of the chapter, I ran across the question "does my current project scare me shitless?" and I think Tom is really on to something here. Believe it or not, I think it is possible to be confident in your abilities and experience, yet still be unnerved about the leap you are taking. If you aren't a little bit scared about what is before you, how could you possibly grow from the experiences around the corner? I can definitely remember this anxiety about various projects at past employers, and unfortunately this often occurs only in the beginning of the job. Near the middle and the end things become repetitive and it becomes increasingly difficult to maintain a steep learning curve.

I'll return to the topic in 18 months to see where I'm at!

NOTE: This topic is not unrelated to the survey a month or so back that One in Two Security Pros are Unhappy in Their Job, to which my wife cynically responded that this is only because the security job market is so strong and you can bounce around...

Monday, August 10, 2009

Some Gems (however heavy) from Peter Rollins

I'll slice and dice some memorable statements from ‘Why Do I Do What I Do’, or ‘The Horror of Relationships’ (focusing more on the why do I do what I do than the relationship part, although my wife and I just celebrated our 16th anniversary this weekend), starting from the end:
It is today very common to see reason opposed to faith in popular literature (with reason or faith being the better depending on which side the apologist sits). The point is not that they are opposed but rather that reason is saturated with faith. In other words, all real decisions, no matter how reasonable, involve a faith act. Neither the facile liberal nor the crude fundamentalist examples mentioned above allow for the anxiety of making a real decision about love, politics or prayer. While the former only ever minimally commits (not making a full blooded decision), the latter knows what to commit to in advance of doing it (thus not making a real decision, as one can only ever make a decision when one does not know what needs to be done – thus making a choice).
Which is teed up near the beginning:

The question ‘Why do I do what I do’ disturbs the smooth running of our lives because it involves a certain amount of anxiety. Yet, far from seeing its manifestation as a minor disturbance in our ongoing life, perhaps we should see it as a site of truth. As a moment in which the foundations of our decisions are momentarily manifested to us in their underlying contingency.

Most of us do not feel the full force of this question either because we never fully commit to a cause (choosing to travel through life without real investment – allowing the TV we watch and papers we read to experience life on our behalf) or because we attempt to ground our theological/philosophical/political projects, or romantic ones, in some absolute (God, Reason, Destiny, Historical Necessity etc.). In the former we never truly make a radical commitment to some cause, while in the latter we never experience the fear and trembling which such a commitment should engender.



Yep, "sites of truth." I like it.

Lessons from Netflix Culture: The 9 Behaviors & Skills



While some folks were making a big deal about the fact that Netflix doesn't have a formal vacation/time off program (and I've actually worked at a place like that before), what caught my eye from the presentation was the 9 behaviors and skills.

Notice they don't use the term "values," probably because values seem to imply things that you just have (or are) vs. things you can learn or be taught.

The 9 values they define are judgment, communication, impact, curiosity, innovation, courage, passion, honesty, and selflessness.

I really encourage you to drill down and look at the bullet points. I'm sure you'll find some you do well at and others where you need some work. I know I did.

I picked 9 of the ones I found the most interesting and important. And folks that have worked with me before know that some of these I'm pretty good at, while others continue to be a work in progress:

  • You exhibit bias-to-action, and avoid analysis paralysis.
  • You listen well, instead of reacting fast, so you can better understand.
  • You make tough decisions without excessive agonizing.
  • You say what you think even if it is controversial.
  • You contribute effectively outside your specialty.
  • You smartly separate what must be done well now, and what can be improved later.
  • You make time to help colleagues.
  • You think strategically, and can articulate what you are, and are not, trying to do.
  • You treat people with respect independently of their status or disagreement with you.


Yep, there are some tough ones in there, and there is a lot more gold in these 128 slides that is reinforced by my experience in small and large companies alike.

(NOTE: If you register for a slideshare account you can download a .pptx version and print them out for your cube/office wall like I did.)

Wednesday, August 05, 2009

CyberSpies: They are back (and we have the logs to show it!)

From Cyber attacks at U.S. energy companies.

From the Loglogic Department of Statistics:

“Ever since cyberspies hacked the U.S. electrical grid earlier this year, businesses have become increasingly aware that a security breach at an energy company that results in a major blackout has the potential to wreak havoc,” said Pat Sueltz, CEO at LogLogic. “We talked to leading information security professionals in the energy sector to find out how they determine the level of risk they carry and architect their security infrastructures to fortify against both internal and external attacks.”

The study surveyed information security professionals from a broad spectrum of energy corporations and government organizations ranging from less than $99 million to more than $1 billion in annual revenue. Of the respondents, two-thirds field more than 75 serious security vulnerabilities each week, with half resolving more than 150 attacks per week.

How can someone use the phrase "Ever since cyberspies hacked the U.S. electrical grid earlier" without cracking up?

Who doesn't have 75 severe vulnerabilities a week? 75 seems a bit low, actually.

What does "resolving 150 attacks a week" even mean?

Loglogic gets the award for this one.

(CAVEAT: Loglogic is sort of a competitor of my employer, but this has nothing to do with that.)

Choose Civility?

Once in Austin we had a Great Horned Owl in the large Elm in our back yard. As I was watching it, my wife walked up behind me and scared me. We have a running joke about being scared of owls and birds of prey carrying off pets and small children. So last night during supper, when I saw the flash of large wings through the side window, I rushed outside and brought our overweight Boston Terrier inside to spare her from this unknown bird of prey.

On our front lawn all of us (including Sam, our 20-month-old) watched as a large vulture tore up an unidentified creature into pieces no larger than a small child's fist.

It turned out to be a possum. The two oldest and I walked over to investigate, or as close as the flies would let us.

Then we went to Rita's to wash the taste of buzzard out of our mouths.

Choose Civility

Tuesday, August 04, 2009

Best firmware choice for WGR614L?

So my WGR614L arrived yesterday and I have it running with the built-in firmware, but I'd obviously like to get something new on there that gives me a command line. I used OpenWRT a while back and definitely liked the ipkgs, but am wondering what the best/most actively maintained Broadcom distro that runs well on the WGR614L is these days?

Thursday, July 30, 2009

Squid v. DDoS

This is hardly worth more than a tweet, but it is longer than 140 chars, and Squid Defense against DDoS caught my eye.

I see two lessons here:

  • Using Open Source tools to respond to an incident is a crude but powerful technique that can get the job done. Try doing this with commercial products.
  • Environments that were properly engineered with caching and load balancing, and could respond to DDoS, wouldn't have to worry about the attacks in the first place.

Tuesday, July 14, 2009

CyberSecurity isn't new and needs domain knowledge

I agree with Joe 100% on this. So much so that if you replace "Smart Grid" with "Cyber Security" everything is also true.

If all one had to draw from was the flood of conferences, webinars, and advertisements, it would appear that CyberSecurity is a very recent invention that will be achieved en-masse in the near future. In reality, elements of CyberSecurity first appeared in the 1998-2000 time-frame. Additionally, decades old best practices will continue to be used in "CyberSecurity" for at least the next 5-10 years. Until about 6-8 months ago, domain knowledge was a given for those participating in the "CyberSecurity." Now, domain knowledge doesn’t seem to be a requirement.

Saturday, July 11, 2009

How Chinese CyberSpies Really Compromised the Grid

Now that I've got your attention. Honestly, I have no idea, but it will be really amusing to see my Google Analytics stats on this one. I wonder how much malware gets spread through typos in the most popular web sites. Maybe everybody else allows their browser to get them to the right place, but not me. I end up at some weird sites, or at least sites that people in Frederick, Maryland would consider weird.

BTW, the site above is from dgmail.com, but it would be an interesting research project to analyze the content of fat-fingered sites. Sure, most are probably ads, but there may be some goodies lurking in there.

    Monday, June 22, 2009

    First Impressions: HP Mini (Best Buy Style) vs. Lenovo S10

    So I picked up whatever the model of the HP Mini that they sell at Best Buy for $329 (the 10.1 model with a 16GB flash drive) for my mother with the goal of installing Ubuntu, since she the one family member that I've successfully converted from Windows.

    Keyboard - the larger keyboard of the HP Mini's are well known. You can definitely tell the difference with the larger keys in that it allows more natural touch typing but the feel is spongier. About what you'd expect from a consumer laptop. The arrow keys are smaller size that all the other keys which is very annoying. It is difficult to see the special keys since they are light grey. On my white Lenovo they are blue so it is much easier. Overall the action is much crisper on the Lnovo

    Ubuntu Netbook Remix 9.04 installation - Installation took slightly longer, I assume due to the flash drive, but the OS upgrade too so longer (scrollkeeper was pegged at 100%) I killed gdm and went into the console and did the apt upgrade's there which seemed to work better. Still really slow. Hangups at upgrade of synpatic and other packages. I assume this is all do to the flash drive. There is also a known bug in the sound support. No sound through the speakers. Haven't tried a headphone.

    Wireless - Even though both use the same Broadcom chipset I had more problem with the Mini. It connected to 1/3 of the networks I tried (a WPA2 for my Verizon Westell DSL modem) but not successfully with an HP 420 WPA access point or a Cisco 851W that was wide open. Perhaps I had L2 ACLs on the latter, not sure.

    Ethernet - the RJ-45 port is plugged by default. The Mini appears to use a Marvell driver (as opposed to the Reatek used most other Netbooks). I could not get a lease and was getting PHY errors.

    Touchpad - the buttons are on the side which are really annoying but I could probably get used to them. But the touchpad is definintely better than the Dell Mini 10. I prefer the buttons on the buttom that are much crsiper.

    Screen - the 576 vertical resolution is definitely a pain since 600 of most Netbooks is too small. The screen seems somewhat brighter than the Lenovo.

    Ports & Form Factor - these I knew about so wasn't suprised. No VGA. Ethernet is plugged. Two USBs (like the Lenovo). It is too narrow, IMHO. Sitting side by side the top of the screen is a full 3/4" shorter than the Ideapad. These sacrifices are needless in my opnion because it makes the form factor too small and thin.

    Upgradeability - RAM bay is easy on the back, takes up to 2GB but you have to remove the keyboard to upgrade the drive.

    Noise: It definitely seems quieter than the Lenovo. Not sure whether it is the drive or the fan.

    Bottom line: I'm very happy with my Lenovo even though it hurts my hands and the keyboard is small. Overall Linux runs much better. I don't see the need for a slow (if quiet) flash drive. The form factor of the Mini is just too weird for me. The Ideapad feels like a small version of a real laptop.

    Thursday, June 11, 2009

    Are 6 cell batteries ruining Netbooks (or why you should return your Dell Mini 10)

    So based on these pictures of the new Lenovo S-10-2, it looks like the S-10-2, which otherwise looks like a winner, has the same ugly, bulky, downward-extending battery as the Dell Mini-10, which my parents ended up not liking (and hopefully will be able to return).

    Here are my beefs with the Dell Mini-10 (with Ubuntu), most of which relate to the touchpad:
    • Given that it is Ubuntu 8.04, the Xorg (synaptics) touchpad driver is not the same as in 9.04 and it is impossible to make the touchpad usable, despite all the tweaking of the mouse settings. This may be both a software as well as a hardware issue, but it does not bode well for Linux.
    • The touch pad and mouse buttons are all-in-one. It is nearly impossible to click.

    As I would expect from Dell, sloppy engineering shortcuts, both in hardware and software.

    And now Lenovo only sells the S10-2 with these bulky 6-cell monsters and has the ugly shiny finish.

    Saturday, June 06, 2009

    Netbook Broadcom (43xx) Cards with Debian Lenny

    So with Ubuntu 9.04 (and possibly earlier) the Broadcom Wireless NIC in your Netbook (mine happens to be a Lenovo Ideapad S10) should just work. But obviously this will not happen with Debian 5.0. Because very little in Debian just works.

    So the first thing to know is to ignore articles such as these that tell you to mess with firmware. Also ignore whatever is on the Debian.

    You do NOT have to use the fwcutter tools. Do it this way.

    First, install your kernel headers (I use an OpenVZ kernel)

    # apt-get install linux-headers-`uname -r`

    Download the module source for the Linux STA driver from Broadcom.

    Create a directory and uncompress the tarball (mine was hybrid-portsrc-x86_32-v5_10_91_9.tar.gz)

    debian-s10:~/bc# pwd
    /root/bc
    debian-s10:~/bc# ls
    built-in.o Makefile src wl.mod.o
    hybrid-portsrc-x86_32-v5_10_91_9.tar.gz modules.order wl.ko wl.o
    lib Module.symvers wl.mod.c

    The above is what you should see after you compile the module using the step below. Execute the command below from within the directory that has the Makefile:

    # make -C /lib/modules/`uname -r`/build/ M=`pwd`

    The resulting module you care about is wl.ko (assuming you have the ieee80211 module installed, you will be able to insmod this and see the following in dmesg):

    [  922.523743] ACPI: PCI Interrupt 0000:05:00.0[A] -> GSI 18 (level, low) -> IRQ 18
    [ 922.523997] PCI: Setting latency timer of device 0000:05:00.0 to 64
    [ 922.622849] ieee80211_crypt: registered algorithm 'TKIP'
    [ 922.623123] eth1: Broadcom BCM4315 802.11 Wireless Controller 5.10.91.9
    and with lshw:

    description: Wireless interface
    product: BCM4312 802.11b/g
    vendor: Broadcom Corporation
    physical id: 0
    bus info: pci@0000:05:00.0
    logical name: eth1
    version: 01
    serial: 00:21:00:7e:7a:7d
    width: 64 bits
    clock: 33MHz
    capabilities: pm msi pciexpress bus_master cap_list ethernet physical wireless
    configuration: broadcast=yes driver=wl0 driverversion=5.10.91.9 ip=192.168.1.24 latency=0 module=wl multicast=yes wireless=IEEE 802.11bg

    so I modified /etc/modules so that it looks like

    # /etc/modules: kernel modules to load at boot time.
    #
    # This file contains the names of kernel modules that should be loaded
    # at boot time, one per line. Lines beginning with "#" are ignored.
    # Parameters can be specified after the module name.
    loop
    ieee80211

    so that ieee80211 gets loaded, and then added the following line to my rc.local file (before the exit 0, obviously):

    insmod /usr/local/lib/modules/`uname -r`/wl.ko

    After copying the module there and creating the directory (remember mkdir -p is your friend)

    Now NetworkManager should work just fine. And WPA2 worked just fine with my crappy Westell AP.

    I tried putting it somewhere in lib/modules/`uname -r` with no luck, but this works for me...
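    As an added example (not from the original post), here is a small guard for that rc.local insmod: it compares the module's vermagic with the running kernel first, because a wl.ko built against linux-headers that don't match `uname -r` is the usual reason insmod fails with "Invalid module format". The module path is the one used above; the vermagic strings in the comments and test are constructed.

```shell
# Added example, not from the original post: guard the rc.local insmod so an
# out-of-tree wl.ko built against the wrong linux-headers fails with a clear
# message instead of "Invalid module format".

# vermagic_matches VERMAGIC KERNEL_RELEASE
# VERMAGIC is what `modinfo -F vermagic wl.ko` prints, for example the
# constructed string "2.6.26-2-openvz-686 SMP mod_unload modversions 686";
# its first field must equal `uname -r` for insmod to accept the module.
vermagic_matches() {
    vm_release=${1%% *}
    if [ -n "$vm_release" ] && [ "$vm_release" = "$2" ]; then
        return 0
    fi
    return 1
}

# check_and_load MODULE_PATH
# Exit status: 0 loaded, 1 missing file or modinfo failure,
# 2 built for a different kernel, 3 modprobe/insmod itself failed.
check_and_load() {
    mod=$1
    [ -f "$mod" ] || { echo "missing module: $mod" >&2; return 1; }
    vm=$(modinfo -F vermagic "$mod" 2>/dev/null) || {
        echo "modinfo failed on $mod" >&2; return 1; }
    if ! vermagic_matches "$vm" "$(uname -r)"; then
        echo "$mod was built for '${vm%% *}', running $(uname -r);" \
             "rebuild against linux-headers-$(uname -r)" >&2
        return 2
    fi
    # wl needs ieee80211 (listed in /etc/modules above); make sure it is
    # already loaded rather than relying on boot ordering.
    grep -q '^ieee80211 ' /proc/modules || modprobe ieee80211 || return 3
    insmod "$mod" || return 3
}

# Line to use in rc.local instead of the bare insmod (same path as above):
# check_and_load /usr/local/lib/modules/$(uname -r)/wl.ko
```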

    * * *

    NOTE: Don't click on the image PCI Express Card image. It contains Chinese Ghostnet Malware that will turn your Mac (and only your Mac) into a Zombie botnet enabling a complete blackout or extortion of the power grid.

    Additional keywords: NERC, FERC. SCADA. Project Grey Goose. Cyberwar. ISN. TASE.2

    Best Linux Virtualization for Netbooks?

    So I use my Lenovo Ideapad S10 as my main Linux box nearly 40% of the time. I've 1.5GB of RAM and a 120GB drive so this is a decent machine. My current setup is two Linux partitions, one for Ubuntu 9.04 and the other for Debian 5.0. Ubuntu is my production distro and Debian is for bleeding edge stuff. My main requirement is to run Linux VM's (of other distros than what I run on the host) because if I need to run Windows or Solaris or whatever I can connect to a remote system. For Linux systems I want "server virtualization" meaning I don't have to have a console up. Realistically there is no single solution that will meet my requirements, but here are my thoughts on the alternatives for running on a Linux Atom-based Netbook.

    1) OpenVZ - this would be my first choice. Unfortunately there are only kernels for Ubuntu 8.04 LTS and Debian for these, and Ubuntu LTS is too old to work well for a desktop on netbooks. I have yet to get the Broadcom drivers working on Debian and the latest stable OpenVZ kernel patches are 2.6.18. I guess the real issue is if I could get the Broadcom drivers working on the stock kernel that would be the way to go.

    2) VMware Player - I don't want to put VMWare Server 2.x on my laptop and this seems like the logical choice. I already have this for BSD or Windows.

    3) lguest - this is something new that I've just discovered. Can I run a CentOS VM under this? Not sure.

    I don't care for VirtualBox and Qemu is too damn slow. Is there anything else I'm missing?

    Sunday, April 12, 2009

    Painless, Distro-Agnostic Cisco Webex on Linux

    For true cross-platform web conferencing, Cisco Webex is the only way to go. GotoMeeting only recently added OSX support, and Linux, forget about it?

    My experience on getting it to work with the built-in components on my Thinkpad... forget about it!

    Ubuntu 8.0.4 worked sporadically and on 8.10 Firefox crashed. Hard.

    I Googled a bit and didn't find any quick workarounds, so I decided to try it the old fashioned way. So here is what I came up with to get it working reliably. I assume this works on other distros as well.

    (All of this assumes you create another user for just webex so you don't corrupt your local .mozilla and .adobe files etc.)

    Download Components

    1. Get the tarball of Adobe Flash (10.0.22.87 tested)
    2. Download Firefox 3.x (3.0.8 tested)
    3. Download JRE .bin installer (jre6u13-linux-i586.bin used)
    4. Create a webex directory and move all of these to it
    5. Uncompress them there

    Configuration

    1. Remove ~/.mozilla and ~/.adobe
    2. Run ~/webex-local/firefox/firefox then quit
    3. Run the ./flashplayer-installer script
    4. Run the java installer binary
    5. Create the symlink for the java plugin within $HOME

    ln -s ../../webex-local/jre1.6.0_13/plugin/i386/ns7/libjavaplugin_oji.so

    Testing Webex

    1. Run your local firefox
    2. Confirm you can execute java applets by visiting http://java.sun.com/applets/jdk/1.4/demo/applets/Clock/example1.html
    3. Click on the test meeting http://support.webex.com/support/support-overview.html

    Thursday, April 09, 2009

    SCADA CyberSpy Reverse Forensics Contest

    So given the hoopla on Chinese/Russian CyberSpy Hacking the Power Grid Story I figured it was time to break Blog-silence.

    I had the misfortune of hearing Siobhan Gorman on NPR yesterday on my commute so I was still fuming yesterday about the vermin in the Intelligence Community that leak classified threat data on "background" to reporters to influence policy. This data cannot be repudiated not only because most journalists don't have the technical wherewithal to know better but because the leakers cannot be held accountable. The "good guys" in the IC (those that follow the rules and don't disclose secrets) cannot challenge (or confirm) it. It is a one-sided game that leads to bad policy, scaring the public, and bad legislation. Does anyone not remember Iraq and WMDs?

    But I digress.

    What was interesting about the Gorman interview was that she mentioned network forensic data that showed control systems had not only been penetrated but were being remotely monitored and possibly controlled.

    So some readers may remember the Honeynet Project's Reverse Challenge, basically a contest to analyze malware, if you never heard of it.

    What I think would be cool is some aspiring folks with the skills and time (I have some of the former but none of the latter) to basically create some forensic data, let's say packet captures that show the power grid being mapped, HMIs and PLCs being monitored, ICCP traffic being captured and retransmitted back to our Chinese and Russian masters so they can "monitor power flows" like Gorman mentioned in her interview. Remember be sure to visit APNIC and pick your IPs to spoof wisely.

    The minimum entry can just be some packet captures, but you are guaranteed to at least place if you release actual tools used by our Chinese and Russian overlords to blackmail us at will and cause us to resort to cannibalism.

    You get bonus points if you actually show some slight knowledge of Mandarin or Russian.

    But here's the rub: don't release it on your blog, don't talk about it at the next Con, because there will inevitably be lots of presentations on the topic. Silently release your own "evidence of Chinese Russian control over the power grid" into a P2P network, or better yet let your laptop get stolen in an airport (make sure you have the right colored classification stickers on your laptop) and wait for your "data" to make the news.

    Tuesday, March 10, 2009

    An Oldie But a Goodie

    Yeah, back during the 01 layoffs at Cisco (or was it afterwards, during one of the never-ending reorgs can't recall) I had a DIVX of Office Space that I would watch while I worked to remain productive and we'd take lots of orbits around the parking lot and watch for this old guy with a beard down to his knees that would get off his shift at 3:30 at the Tyco fab next door and walk to his Corvette. Happy days!

    Time to leave the SBUX and get to work...

    Wednesday, March 04, 2009

    "Cyber Katrina" or "Digital Pearl Harbor" (which is a more loathsome term?)

    Every time you hear 9/11 or Cyber Katrina you should reach for your wallet.  

    Does anyone find this sort of hyperbole rhetorically effective?

    Chairperson

    House Permanent Select Committee on Intelligence

    Washington, D.C.

    RE: Establishment of North American Urgent Radiological Information Exchange

    Madame Chairperson:

    While we do not believe that this is a matter that rightfully falls under the province of your Committee, in the interest of cooperation, this letter will address the events leading up to the establishment of the North American Urgent Radiological Information Exchange (NAURIE).

    As you know, on the 10th year anniversary of 9/11, all of our nation’s nuclear power plants were targeted in a massive distributed denial of service attack orchestrated by the Conficker III botnet which had grown to a heretofore unheard of 30,000,000+ infected PCs.

    While US CERT teams as well as regional DOE cyber security personnel were focused on combating this external threat, each plant’s internal firewall separating the Command and Safety System Networks from the Site Local Area Network was breached from the inside due to the use of pirated hardware with malicious embedded code that passed server control to external users.

    Of even more concern is the fact that all of these plants were targets of a carefully planned, long-term social engineering attack which relied on human error and the broad-based appeal of Social Network sites. As DOE employees broke protocol and downloaded phony social software apps, malicious code worked its way into secure networks and lay dormant until activated by the attacking force.

    This led to a number of consecutive failures in our safety mechanisms resulting in partial to complete core meltdowns at 70% of our plants. When these plants went offline, the nation’s power requirements couldn’t be met. Grids were overwhelmed and blackouts began occurring in our most heavily populated urban areas. Once criminal gangs realized that overburdened police departments were unable to respond to every 911 call, looting of businesses began in earnest as did home invasions in the wealthier neighborhoods.

    One year later, we still do not have a final count on the number of deaths and casualties but most responsible estimates place them in the tens of thousands. If we extrapolate out for the as yet unknown future effects of radiation poisoning on the victims, the count goes into six figures.

    While this is clearly a tragedy on every level, I feel I must point out that the NNSA, as late as 2009, in a letter to the Los Alamos National Laboratory, did our part in improving security by determining that the loss of 83 LANL laptops should no longer be considered just a “property management” issue, but a cyber security issue as well.

    Also, that our G3 physical security model (Gates, Guards, Guns) was not compromised, and that cyber security compliance has never been a mandatory policy; that instead it was an ongoing negotiation among various other considerations.

    Sincerely,

    Director, National Nuclear Security Agency
    (BTW, this is far less salacious than the scenario we came up with for CyberStorm 2005 in the Energy sector)

    So. Am I just a reactionary? Is this sort of FUD a necessary evil to make "progress on cybersecurity" or just another boondoggle?

    Sunday, March 01, 2009

    ASA5505 SSLVPN Port Forwarding

    So as I've been chronicling over on @frednecksec I've been pleasantly surprised with the new ASA5505 I got for my classroom network. Although I'm looking forward to replacing iptables the main reason for the purchase was the WebVpn. In particular the ability to do port forwarding. Yes this is just like SSH local port forwarding.

    Here is a config snippet for ASA 7.2(4) to allow you to get port forwarding working.

    Enable WebVPN

    webvpn
    enable outside


    Actually if you stop here you would be able to do URL redirection and get to web servers behind the ASA, although this doesn't show up anymore now that port forwarding is setup.


    port-forward SSH 2223 192.168.55.100 ssh

    group-policy first internal
    group-policy first attributes
    vpn-tunnel-protocol webvpn
    webvpn
    functions port-forward auto-download
    port-forward value SSH


    Some gotchas here. "port-forward" and "auto-download" have to be on the same line together. It wasn't immediately obvious to me that I had to do the "port-forward value" line. My general approach for Cisco CLI work is to just brute force it to find the minimal config. But this was the key thing I ran across. Unless you had this line, the session won't show up in the UI (see above) although the applet will download.

    The steps below are pretty straightforward once you have the group-policy created (above)


    username vpnuser password ... encrypted
    username vpnuser attributes
    vpn-group-policy first
    tunnel-group test type webvpn
    tunnel-group test general-attributes
    default-group-policy first


    This works on Ubuntu 8.10 (Java6) and Firefox 3.x, OSX 10.4 with Safari 3, and Windows XPSP3 both Firefox 3.x and IE (who knows what versions).

    Sunday, February 22, 2009

    Personal or Professional (or, why one Twitter account is Not Enough?)

    So I just hit my 400th tweet on @mdfranz but am scarcely up to 20 on @frednecksec, and I've learned a few things about how I like to use this addictive service in the past few months. And yeah (if you went there) my updates are protected, but more on that later.

    When I first started following people, I was annoyed by technical people (whose blogs I read or knew personally) that only tweeted about personal stuff, so I didn't follow them. I could give a shit about what sort of decadent food they were cooking, what they were doing with their wife, or their kids' accomplishments. But I was interested in 140 characters of wisdom on some technical/technology topic. If there was at least a 50:50 ratio of personal to professional context I kept following, otherwise I dropped them.

    Personal Branding
    As Tom Peters would say, "you are your customers." Your personal brand is reflected in those that you do business with and those that do business with you. The same applies to your twitter followers and folks you tweet with. If people that follow you tweet about stupid shit (to put it crudely, but it probably characterizes some large % of tweets) that reflects poorly on you, since one of the first things I do when I follow someone (or someone follows me) is check out the people they follow and their followers. It is the same principle as only connecting with "people you trust" on LinkedIn. On my public account I'm more open to following somebody I don't know well enough or letting anybody follow me, including spambots. But on my private account I approve all followers.

    Privacy
    Frankly, a lot of stuff you tweet about has no business on the public Internet (and with all the various bots that follow you): where you shop, what you eat, the activities you do with your family, where you are geographically is none of the damn business of people that you don't really know, let alone twitter's public timeline. This is why I protect my updates on @mdfranz but don't on @frednecksec. Several weeks ago I registered for a demo version of some webapp and a product manager/sales person started following me. Creepy. I don't want sales people following me. And during the inauguration I wondered about how well Sprint's EVDO network would hold up and I had somebody in customer service ping me. She was nice/professional enough but I don't want that sort of interaction. I also don't want people I don't know to know where I frequent.

    Different Media for Different Messages
    I've found that there are also two kinds of tweets: personal, biased observations, and more objective factual statements that answer the original twitter question, "what are you doing?" More specifically, what am I reading that might be of interest to my readers. More reflective, opinionated tweets go on my personal account while the others (especially those that are narrowly security related) go on my public account. This is the reason I've moved most of my high volume twitter lists (that mostly share links and articles) over to my public account. Public content stays public, private content stays private, and I can also see on my public account when something I've read about or seen has already been tweeted on. I think RT is lame since the whole point is to post original content or content that reflects a certain perspective or range of interests.

    So what Twitter client allows you to use multiple accounts at once? twhirl. Or use multiple browsers, which is generally a good idea.

    Thursday, February 19, 2009

    Installing OpenSolaris on Lenny dom0 (sort of)

    Here is my domain config file (open1.py)

    mfranz-61lenny:/alt/xen/domains/opensol# cat open1.py
    name = "solaris"
    memory = "1024"
    disk = [ 'file:/alt/isos/osol-0811.iso,6:cdrom,r', 'file:/alt/xen/domains/opensol/disk.img,0,w' ]
    vif = [ '' ]
    bootloader = '/usr/lib/xen-3.2-1/bin/pygrub'
    kernel = '/platform/i86xpv/kernel/unix'
    ramdisk = '/boot/x86.microroot'
    extra = '/platform/i86xpv/kernel/unix - nowin -B install_media=cdrom'


    And here is proof that I did it


    mfranz-61lenny:/alt/xen/domains/opensol# xm create -c open1.py
    Using config file "./open1.py".
    Started domain solaris
    v3.2-1 chgset 'unavailable'
    SunOS Release 5.11 Version snv_101b 32-bit
    Copyright 1983-2008 Sun Microsystems, Inc. All rights reserved.
    Use is subject to license terms.
    Hostname: opensolaris
    Remounting root read/write
    Probing for device nodes ...
    Preparing live image for use
    Done mounting Live image
    USB keyboard
    1. Albanian 22. Latvian
    2. Belarusian 23. Macedonian
    3. Belgian 24. Malta_UK
    4. Bulgarian 25. Malta_US
    5. Croatian 26. Norwegian
    6. Czech 27. Polish
    7. Danish 28. Portuguese
    8. Dutch 29. Russian
    9. Finnish 30. Serbia-And-Montenegro
    10. French 31. Slovenian
    11. French-Canadian 32. Slovakian
    12. Hungarian 33. Spanish
    13. German 34. Swedish
    14. Greek 35. Swiss-French
    15. Icelandic 36. Swiss-German
    16. Italian 37. Traditional-Chinese
    17. Japanese-type6 38. TurkishQ
    18. Japanese 39. TurkishF
    19. Korean 40. UK-English
    20. Latin-American 41. US-English
    21. Lithuanian
    To select the keyboard layout, enter a number [default 41]:


    [snip]
    User selected: English
    Configuring devices.
    Mounting cdroms
    Reading ZFS config: done.

    opensolaris console login: root


    Now what do I do?

    Sunday, February 15, 2009

    Grampa, where did you live during the "Long Depression" that started in 2008?

    Richard Florida's article How the Crash Will Reshape America captures a lot of what has been on my mind (and occasionally blogged about) since we left Skokie last June. 

    From the packing up and leaving what my son called the "best house ever" (the shaky footage is his) without a sold sign out front, to some motel thoughts on the trip, to premonitions of the impending collapse back in July (more specifically the non-sustainability of suburban sprawl), to the "discussions" my wife and I share on how long we should rent and when and where we should buy, a common thread is that where you live matters.

    It matters a lot. A hell of a lot. Your future may depend on it.

    In October, less than a month after the financial markets began to melt down, Moody’s Investor Services published an assessment of recent economic activity within 381 U.S. metropolitan areas. Three hundred and two were already in deep recession, and 64 more were at risk. Only 15 areas were still expanding. Notable among them were the oil- and natural-resource-rich regions of Texas and Oklahoma, buoyed by energy prices that have since fallen; and the Greater Washington, D.C., region, where government bailouts, the nationalization of financial companies, and fiscal expansion are creating work for lawyers, lobbyists, political scientists, and government contractors.
    Back in September, in the early days of the financial crisis, I thought about it a lot as I would look out into the Catoctins from the little park in our subdivision while my kids played (oblivious to what was on the radio) and I started to feel the first hint of Fall, which reminded me of 1987, my first Fall back in the States after living in Malaysia for 2 years.

    It was scary. With dozens of showings since our house went on the market on April 15th, 2008, yet not a single offer, and the constant talk of the foreclosure crisis on NPR, to say that it was stressful would be an understatement.

    Why did we buy in Chicago when we did? Why did we buy in one of the most overpriced suburbs on the Chicago North side? Well, because we couldn't afford Evanston or Winnetka and because of Skokie's diversity. We did not want our adopted Chinese daughter to be "the Chinese girl" in her pre-school class. Yes the schools were full of industrious recent immigrants. Immigrants that didn't care for the red brick Cape Cod with the master bedroom where I sometimes bumped my head on the ceiling or the hardwood floors. All they wanted was space.

    Multiple generations would fill the ugliest split level boxes you can imagine adjacent to Crawford or Dempster. We heard from our realtor only the split levels were selling and how the demographics of the visitors were "different" (she was trying to abide by some regulations) between our house and those on nearby streets. Yes, so much was different between Austin and Skokie. Our first house two blocks from North Lamar (and where you could hear the music from Threadgills) sold on the first day. Those were different times and different places.

    Mostly white folks in their late 20s and early 30s. The hint of pot when you walked down the streets, some which had sidewalks some that did not. Certainly a larger percentage of Gay/Lesbian couples than in our previous neighborhood in San Antonio. Small three bedroom houses (if you were lucky) built in the late 40s and early 50s during the postwar boom. Aging water mains under streets and periodic electric outages. DSL was just starting to roll out. 

    I remember seeing the street literally explode in front of our house on Brentwood: the last affordable neighborhood south of Anderson Lane. Stay at home moms with graduate degrees. At the Elementary School meetings I felt out of place because I was sans tattoo. If I recall, our first night in Austin was on Halloween of 1999. The dotcom boom was still in full swing and drcoop.com still held prime real estate overlooking MOPAC.

    We sat in the swings in Pease park that Thanksgiving, childless, awaiting what would be our final referral from Russia that would arrive in a matter of weeks and we would discuss it at the Little Deli on my lunchbreak, short 5 minute drive from the Southwestern Bell office on Huntland, adjacent to I-35. 

    And all that we now know was still ahead of us: the letdown of Y2K, the NASDAQ crash in the Spring (I remember a day-trading colleague who had just joined from Dell losing a lot that spring). I joined Cisco right after the last stock split in May 2000 and I remember someone from SBC saying something about how I "was set" and could "retire."

    Yes, Austin is/was one of Florida's poster children for these new creative cities.
    Thirty years ago, educational attainment was spread relatively uniformly throughout the country, but that’s no longer the case. Cities like Seattle, San Francisco, Austin, Raleigh, and Boston now have two or three times the concentration of college graduates of Akron or Buffalo. Among people with postgraduate degrees, the disparities are wider still. The geographic sorting of people by ability and educational attainment, on this scale, is unprecedented.
    The University of Chicago economist and Nobel laureate Robert Lucas declared that the spillovers in knowledge that result from talent-clustering are the main cause of economic growth. Well-educated professionals and creative workers who live together in dense ecosystems, interacting directly, generate ideas and turn them into products and services faster than talented people in other places can. There is no evidence that globalization or the Internet has changed that. Indeed, as globalization has increased the financial return on innovation by widening the consumer market, the pull of innovative places, already dense with highly talented workers, has only grown stronger, creating a snowball effect. Talent-rich ecosystems are not easy to replicate, and to realize their full economic value, talented and ambitious people increasingly need to live within them
    Returning home right before noon on that fateful blue September morning in 2001 after we watched both towers Fall live in the conference room. Watching the Reserve and National Guard Intelligence units gradually get activated and getting a call from my XO down in San Antonio saying my name was on the list to deploy to Fort Belvoir. Packing my duffel bag, sitting around our retro kitchen table and trying to explain to a toddler that Dada was going to go away for a while. Of course the orders were rescinded but my son and I were baptised in the Episcopal church anyway that Fall. There was more to it than that of course, but that was Austin.

    Years later I would grow restless and leave Cisco and work (virtually) from coffee shops on Lamar, Burnet, and Anderson and from my hot home office that used to be a kitchen and where supposedly a previous resident had died.  From the heat and the solitude I would slowly go crazy and would start looking to find a new job where I could work in an office again. I would strike out in Seattle (yeah I wrote that after bombing my AMZN interview, badly) but cool clarity would come soon. 

    Giving up on big West coast software companies, I dug into the SCADA Plugins and a recruiter from Hewitt called, offering crazy money, a chance to run/develop Open Source security boxes in a large company and not do vuln work which I'd grown, a sweet relocation package,  and a way to escape the Texas heat. 

    * * *

    We will see if it is true, but one of the more important (and troubling) characterizations of our current malaise: elsewhere Florida says our depression has more in common with the "Long Depression" of the late 19th century than the Great Depression:
    Economic crises tend to reinforce and accelerate the underlying, long-term trends within an economy. Our economy is in the midst of a fundamental long-term transformation—similar to that of the late 19th century, when people streamed off farms and into new and rising industrial cities. In this case, the economy is shifting away from manufacturing and toward idea-driven creative industries—and that, too, favors America’s talent-rich, fast-metabolizing places.
    And on the importance of geography:

    To a surprising degree, the causes of this crash are geographic in nature, and they point out a whole system of economic organization and growth that has reached its limit. Positioning the economy to grow strongly in the coming decades will require not just fiscal stimulus or industrial reform; it will require a new kind of geography as well, a new spatial fix for the next chapter of American economic history.

    Suburbanization was the spatial fix for the industrial age—the geographic expression of mass production and the early credit economy. Henry Ford’s automobiles had been rolling off assembly lines since 1913, but “Fordism,” the combination of mass production and mass consumption to create national prosperity, didn’t emerge as a full-blown economic and social model until the 1930s and the advent of Roosevelt’s New Deal programs. 

    And, among other things, the foolishness of the American Dream of owning your own house. Thank God we're still renting.

    On one level, the crisis has demonstrated what everyone has known for a long time: Americans have been living beyond their means, using illusory housing wealth and huge slugs of foreign capital to consume far more than we’ve produced. The crash surely signals the end to that; the adjustment, while painful, is necessary.

    But another crucial aspect of the crisis has been largely overlooked, and it might ultimately prove more important. Because America’s tendency to overconsume and under-save has been intimately intertwined with our postwar spatial fix—that is, with housing and suburbanization—the shape of the economy has been badly distorted, from where people live, to where investment flows, to what’s produced. Unless we make fundamental policy changes to eliminate these distortions, the economy is likely to face worsening handicaps in the years ahead.

    Suburbanization—and the sprawling growth it propelled—made sense for a time. The cities of the early and mid-20th century were dirty, sooty, smelly, and crowded, and commuting from the first, close-in suburbs was fast and easy. And as manufacturing became more technologically stable and product lines matured during the postwar boom, suburban growth dovetailed nicely with the pattern of industrial growth. Businesses began opening new plants in green-field locations that featured cheaper land and labor; management saw no reason to continue making now-standardized products in the expensive urban locations where they’d first been developed and sold. Work was outsourced to then-new suburbs and the emerging areas of the Sun Belt, whose connections to bigger cities by the highway system afforded rapid, low-cost distribution. This process brought the Sun Belt economies (which had lagged since the Civil War) into modern times, and sustained a long boom for the United States as a whole.

    But that was then; the economy is different now. It no longer revolves around simply making and moving things. Instead, it depends on generating and transporting ideas. The places that thrive today are those with the highest velocity of ideas, the highest density of talented and creative people, the highest rate of metabolism. Velocity and density are not words that many people use when describing the suburbs. The economy is driven by key urban areas; a different geography is required.

    Of course a lot of this (as well as the stimulus package) hinges on whether or not the era of manufacturing jobs is truly gone.

    Twitter / FredneckSec Updates




    For better or worse, I'm now up to 2 twitter accounts, having created @frednecksec with the goal of trying (once again) to form a Security networking group in the Frederick area along the lines of CharmSec or NoVA Sec except for us country folks that live too far out to make it into (or stick around after work) to the DC/Baltimore area.

    Yeah, so this is definitely cutting into my blogging. Apart from a regional focus, I hope to tweet on stuff you won't see elsewhere on Twitter, even if it tends to border on the obscure.

    FredneckSec was something a couple of us (unsuccessfully) tried to do last summer, but I'm hoping that with the power of Twitter and some new folks I've met here in the New Market area I can get this rolling again real soon now.

    Thursday, January 29, 2009

    Twitter Starts to Grow Up



    Looks like they are actually starting to address twamming, or whatever tweet-spam is called, because when I went to block JENNY I got this image.

    Good for them. About time.

    How long until they get non-Base64 authentication?

    Tuesday, January 27, 2009

    Is jennydddggeee too hot for you? (or, Automated Twitter Spam Blocking?)



    If you are reading this blog, you don't know anyone like this, don't want to know anyone that looks like that -- and certainly don't want either of them following your every move.

    So it should be pretty easy to write less than 25 lines of Python using Twyt that automatically removes any followers that have a single post.

    But there have to be tools that already do this. Or any Twitter clients that will automatically block spam followers.
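The follower filter sketched above, as an added example; this is not code from the original post and not part of Twyt. It keeps the post's own rule (a follower with a single post gets removed) and applies it offline to a constructed list of follower records. The field names (screen_name, statuses_count, followers_count, friends_count) are assumed to follow the old Twitter REST API user object, the block call is injected by the caller because the exact Twyt method is not shown in the post, and the optional follow-ratio signal is a generalisation beyond the post.

```python
"""Flag followers that look like spam accounts, offline.

Added example: not code from the original post and not part of Twyt.
The field names (screen_name, statuses_count, followers_count,
friends_count) are assumed to follow the old Twitter REST API user object.
The Twitter client call that actually blocks an account is injected by the
caller, so the selection logic can be tested without network access.
"""
import json

# Constructed sample follower records; none of these are real accounts.
SAMPLE_FOLLOWERS_JSON = """
[
  {"id": 1, "screen_name": "longtime_reader", "statuses_count": 842,
   "followers_count": 120, "friends_count": 200},
  {"id": 2, "screen_name": "sample_spam_01", "statuses_count": 1,
   "followers_count": 3, "friends_count": 1980},
  {"id": 3, "screen_name": "sample_spam_02", "statuses_count": 0,
   "followers_count": 0, "friends_count": 2000},
  {"id": 4, "screen_name": "quiet_friend", "statuses_count": 1,
   "followers_count": 45, "friends_count": 50}
]
"""


def load_followers(raw_json):
    """Parse follower records; a missing or null count is treated as 0."""
    followers = json.loads(raw_json)
    for user in followers:
        for key in ("statuses_count", "followers_count", "friends_count"):
            user[key] = int(user.get(key) or 0)
    return followers


def is_low_activity_follower(user, max_posts=1):
    """The post's own rule: a follower with at most `max_posts` updates."""
    return user["statuses_count"] <= max_posts


def follows_far_more_than_followed(user, ratio=20, min_friends=500):
    """Extra signal (a generalisation, not from the post): the account
    follows hundreds of people while almost nobody follows it back."""
    if user["friends_count"] < min_friends:
        return False
    return user["friends_count"] >= ratio * max(user["followers_count"], 1)


def select_followers_to_block(followers, max_posts=1, require_both=False):
    """Return the screen names that should be blocked.

    By default every low-activity follower is selected (the post's rule).
    With require_both=True the follow-ratio signal must fire as well, which
    spares quiet but genuine accounts that happen to have one post.
    """
    selected = []
    for user in followers:
        hit = is_low_activity_follower(user, max_posts)
        if require_both:
            hit = hit and follows_far_more_than_followed(user)
        if hit:
            selected.append(user["screen_name"])
    return selected


def block_selected(followers, block_fn, dry_run=True, **select_kwargs):
    """Apply `block_fn(screen_name)` to each selected follower.

    `block_fn` stands in for the Twitter client's block call (its exact name
    in Twyt is not shown in the post).  With dry_run=True nothing is called
    and the would-be blocks are only returned for review.
    """
    names = select_followers_to_block(followers, **select_kwargs)
    if not dry_run:
        for name in names:
            block_fn(name)
    return names


if __name__ == "__main__":
    users = load_followers(SAMPLE_FOLLOWERS_JSON)
    print("single-post followers:", select_followers_to_block(users))
    print("single-post plus follow ratio:",
          select_followers_to_block(users, require_both=True))
    print("blocked (dry run):", block_selected(users, print))
```

Run it with dry_run=True first: the single-post rule alone also catches the constructed quiet_friend account, which is exactly the false positive the require_both switch is there to avoid.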

    Sunday, January 25, 2009

    Another Post-Twitter Poor Excuse for a Blog Entry

    After getting hooked on Twitter, I really don't blog anymore, but in the tradition of Luv Them Firewalls, here is another picture of my daughter (on our now defunct MacBook) from tonight. I was barely able to get her unglued from GCompris. It is funny how kids get attached to certain items of clothing. This year it was this Santa hat. Back in Austin it was this pink pair of snow boots.

    Tuesday, January 20, 2009

    Khe Sanh?

    Yep, that stood out for me as well, but this is as good an exchange as I heard/read today.

    Childish Things and Hand Me Downs


    I really wanted to blog on our new President's comments about "putting away childish things" behind us, but I'm too tired. I woke up 4-ish again, and made the drive in at 6:15 to avoid the traffic that never came. So instead I'll post a picture of my youngest child.

    Appropriate, since my wife has some new project where she is rifling through old physical photos in plastic tubs.

    Slightly more than nine years ago, my oldest son wore this same snowsuit in Samara and Moscow (yes, both are in Russia), but he never got to play in the snow.

    We returned home with him in the 2nd week of February in 2000 to our 1st "Green House" in Austin and Spring had sprung. This snowsuit was not worn again. At three months older and barely walking, my Chinese daughter, in March of 2005, was too small to wear this snowsuit on a ski trip to Utah.

    But we kept it. And I remember packing it up in June, when I single-handedly packed our 4 bedroom house in Skokie.

    Yesterday, we had the first decent snow here in New Market (not nearly as much as when he was born), but it was enough.

    My wife found the snow suit and Sam wore it.

    Wednesday, January 14, 2009

    Inside the Gmail Login Sequence (or, has anyone documented all the parameters and JSON response codes)

    I generally don't like Wiley books, but near the end of a chapter on how Gmail works, it actually isn't that bad.

    I'm sure there has to be more stuff like

    /gmail?
    ik=344af70c5d
    &view=cv
    &search=inbox
    &th=101865c04ac2427f
    &lvp=-1
    &cvp=0
    &zx=9m4966e44e98uu

    As you can see, this is the message ID of the message I clicked on. But the others are mysterious at the moment. At this point in the proceedings, alarms went off in my head. Why, I was thinking, is the variable for message ID th—when that probably stands for thread. So, I sent a few mails back and forth to create a thread, and loaded the Inbox and the message back up

    elsewhere dissecting the URL parameters, but I haven't found it apart from looking at the libgmail source, the constants file in particular. Has nobody documented this stuff, or is Google burying any documentation on reverse engineering Gmail?

    It is sort of curious that the author is using tcpflow. Fine tool, but using an interceptor proxy like Paros or something like Firebug is a hell of a lot more efficient than sniffing.
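The book's method for working out the parameters (reload the same message, open a different one, see which values change) applied to a handful of captured URLs, as an added example; it is not code from the original post or from the book it quotes, and not from libgmail. The first capture reuses the URL printed in the post; the other two are constructed, with made-up th and zx values, and the per-parameter notes carry only what the post itself says (th is the ID of the clicked message). The classification is a generalisation of the book's one-off comparison: it works over any number of captures and any set of parameters.

```python
"""Classify the query parameters of captured Gmail request URLs.

Added example, not from the original post or the book it quotes.  It applies
the book's own method (reload the same message, then a different one, and
see which parameters change) to a constructed set of captures.  The first
capture reuses the URL printed in the post; the other two are constructed,
with made-up th and zx values.
"""
from urllib.parse import parse_qsl, urlsplit

# What the post itself says about a parameter; everything else is unknown.
PARAM_NOTES = {
    "th": "ID of the clicked message; the book guesses 'th' stands for thread",
}

# Constructed captures: (label of the action, request URL).  The label says
# which message was opened, so two captures with the same label are the same
# action repeated.
SAMPLE_CAPTURES = [
    ("message-A", "/gmail?ik=344af70c5d&view=cv&search=inbox"
                  "&th=101865c04ac2427f&lvp=-1&cvp=0&zx=9m4966e44e98uu"),
    ("message-A", "/gmail?ik=344af70c5d&view=cv&search=inbox"
                  "&th=101865c04ac2427f&lvp=-1&cvp=0&zx=constructed0002"),
    ("message-B", "/gmail?ik=344af70c5d&view=cv&search=inbox"
                  "&th=constructedthreadb&lvp=-1&cvp=0&zx=constructed0003"),
]


def parse_request(url):
    """Return (path, {param: value}) for one captured URL."""
    parts = urlsplit(url)
    return parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))


def classify_params(captures):
    """Map each parameter name to how it behaves across the captures.

    'constant'    same value in every capture
    'per-action'  value changes only when the action (label) changes
    'per-request' value changes even between repeats of the same action
    'optional'    absent from at least one capture
    """
    seen = {}  # param -> list of (label, value)
    for label, url in captures:
        _, params = parse_request(url)
        for name, value in params.items():
            seen.setdefault(name, []).append((label, value))

    result = {}
    for name, pairs in seen.items():
        if len(pairs) < len(captures):
            result[name] = "optional"
            continue
        if len({value for _, value in pairs}) == 1:
            result[name] = "constant"
            continue
        by_label = {}
        for label, value in pairs:
            by_label.setdefault(label, set()).add(value)
        if any(len(values) > 1 for values in by_label.values()):
            result[name] = "per-request"
        else:
            result[name] = "per-action"
    return result


def report(captures, notes=PARAM_NOTES):
    """One line per parameter: behaviour plus whatever the post says about it."""
    lines = []
    for name, kind in sorted(classify_params(captures).items()):
        note = notes.get(name, "(not documented in the post)")
        lines.append(f"{name:<8}{kind:<13}{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURES)))
```

On the constructed captures th comes out as per-action, which agrees with the book's observation that it identifies the clicked message, and zx as per-request; the post does not say what zx is, and the report only records that it changed on every request. Feed it URLs pulled from an intercepting proxy's history instead of the constructed list and the same classification applies.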

    Monday, January 12, 2009

    Another word for stakeholders



    This is probably more worthy of a tweet (funny how tweeting has cut down on my blogging) but Alex Payne writes about the challenges of securing twitter (a relevant topic given my Twitter usage lately)

    The thing about security is that it requires stakeholders. I have a security background, but Twitter’s security isn’t my job. In fact, my job is pretty much the opposite: I open up as much of Twitter’s functionality as I can without (hopefully) making the system insecure. So while I’ve usually been a “first responder” to security incidents because of my background, it requires a major mental context switch from the work I normally do.

    Several months after I joined Twitter in early 2007, I suggested to the team that we do a full internal security audit. Stop all work, context switch to Bad Guy Mode, find issues, fix them. I wish I could say that we’ve done that audit in its entirety, but the demands of a growing product supported by a tiny team overshadowed its priority. Now we’re in an unwelcome position that many technical organizations get into: so far into a big code-base that’s never seen any substantial periodic audits that the only way to really find all the issues is to bring in some outside help – something I sincerely hope we end up doing, but is not my call.

    This post is depressing on a number of levels, mainly because it reminds me of the attitudes (and my own personal frustrations) from back in the early years of doing product security at Cisco.

    I hear things have actually improved (however slowly) there, but obviously in the supercool world of 2.0 and social networking, they are still pre-2001.

    Stakeholders, yeah I'll tell you another word for stakeholders: people that give a shit.

    I remember a certain Director of Marketing in the Security & VPN BU. These guys have long since cashed out their options (and the product is killed off), so I don't feel any reservations about blogging about it. Yeah, he was a stakeholder all right, he told us (a small, understaffed, security testing team with no power or authority) that his remote access VPN product was a communication product so security didn't really apply. (Leaving out the far more interesting & cynical quote from a GSR Director of Marketing)

    So I understand the frustration, but the idea that (even if you are a developer, product manager, or system administrator) you suddenly put on your security hat, stop the presses, and fix everything is a quaint notion, alongside that 20th century concept that your application, device, or TCP/IP enabled Kleenex box (a big shout out to the Hewitt appsec crew!) is behind a firewall (or not on the Internet) so therefore security isn't a big deal.

    You are the stakeholder. And to paraphrase The Wire, "Is you up or is you not?"

    Security is not about losing the big battles. It is about winning the small ones. The ones you can win. You do what you can and don't whine about it. If it is not your call, then it is not your problem. Worry about what is your call. That is all you can do.

    Been there and done that, you are wasting a lot of time and energy. Trust me.

    If you don't believe me, read Unfettered. Bless his heart, Joe is still preaching (nobody gets it, nothing is being done, etc.) the same way he did the first conference of his I attended on SCADA security back in 2003.

    Either they get it or they don't, and maybe if they don't appear to get it, it is because it really isn't that important in the grand scheme of things. Or maybe you aren't explaining it well enough. If it is really important, it will work itself out in the long run.