Friday, 31 December 2010

Best Book Bejtlich Read in 2010

It's the end of the year, which means it's time to name the winner of the Best Book Bejtlich Read award for 2010!



I've been reading and reviewing digital security books seriously since 2000. This is the fifth time I've formally announced a winner; see 2009, 2008, 2007, and 2006.



Compared to 2009 (15 books), 2010 was a good reading year -- 31 technical or security books, or my fifth highest total since 2000. Incidentally I read a decent number of "security history" books, meaning characterizations of "the scene." Many covered the 1990s and are fairly old, but I had always wanted to read them.



My ratings for 2010 can be summarized as follows:



  • 5 stars: 14 books
  • 4 stars: 9 books
  • 3 stars: 5 books
  • 2 stars: 3 books
  • 1 star: 0 books




Please remember that I try to avoid reading bad books. If I read a book and I give it a lower rating (generally 3 or less stars), it's because I had higher hopes.



Here's my overall ranking of the five star reviews; this means all of the following are excellent books.



  • 14, 13, and 12. The Dragon's Quantum Leap, Decoding the Virtual Dragon, and Dragon Bytes by Timothy L Thomas, Foreign Military Studies Office. Thomas examines Chinese information warfare like no one else. Enlightening and frightening.


  • 11. Intelligence, 4th Ed by Mark M. Lowenthal, CQ Press. Anyone interested in learning about the IC and how professional intelligence officers think and act will enjoy reading I4E.


  • 10. The Book of Xen by Chris Takemura, No Starch. This could easily have been a very dry technical book, but TBOX is entertaining from the start.


  • 9. IT Security Metrics by Lance Hayden, McGraw-Hill Osborne Media. If you want to introduce a comprehensive security metrics program in your environment, ISM will very skillfully offer one way to accomplish that goal. It's immensely practical and grounded in reality, and it will help you.


  • 8. The Victorian Internet by Tom Standage, Walker & Company. Being a history major, I find The Victorian Internet (TVI) to be an enlightening antidote to chronocentricity, and I recommend it to anyone trying to better understand modern times through the lens of history.


  • 7. The Hacker Crackdown by Bruce Sterling, Bantam. THC is one of my favorite books on hacker activity because it combines a narrative with the author's accounts of interactions with key individuals.


  • 6. The Cuckoo's Egg by Cliff Stoll, Gallery. I first read TCE 20 years ago when it was first published, but I was a high school student who couldn't appreciate the content. Now, as an IR team leader, I recognize that Cliff probably shares 25 IR lessons in the first 50 pages!


  • 5. Hacking Exposed Wireless, 2nd Ed by Johnny Cache, McGraw-Hill Osborne Media. HEW2 is the best book on wireless security available. If you want to understand wireless -- and not just 802.11, but also Bluetooth, ZigBee, and DECT -- HEW2 is the book for you.


  • 4. Wireshark Network Analysis by Laura Chappell, Laura Chappell University. Wireshark Network Analysis (WNA) is a very practical, thorough, comprehensive introduction to Wireshark, written in an engaging style and produced in a professional manner.


  • 3. Network Maintenance and Troubleshooting Guide, 2nd Ed by Neal Allen, Addison-Wesley Professional. NMATG brings a whole new dimension to network analysis, particularly at the lowest levels of the OSI model. I found topics covered in NMATG that were never discussed in other books.


  • 2. The Rootkit Arsenal by Bill Blunden, Jones & Bartlett Publishers. "Wow." That summarizes my review of "The Rootkit Arsenal" (TRA) by Bill Blunden. If you're a security person and you plan to read one seriously technical book this year, make it TRA. If you decide to really focus your attention, and try the examples in the book, you will be able to write Windows rootkits. Even without taking a hands-on approach, you will learn why you can't trust computers to defend themselves or report their condition in a trustworthy manner.




And, the winner of the Best Book Bejtlich Read in 2010 award is...



  • 1. Practical Lock Picking by Deviant Ollam, Syngress. My review said in part (emphasis added tonight):



    Practical Lock Picking (PLP) is an awesome book. I don't provide physical testing services, but as a security professional familiar with Deviant's reputation I was curious to read PLP. Not only is PLP an incredible resource, it should also serve as a model text for others who want to write a good book. First, although the book is less than 250 pages, it is very reasonably priced. Second, Deviant wastes NO space. There is no filler material, background found in other readily available texts, reprinted Web site content, etc. Third, the writing is exceptionally clear and methodical, with extreme attention to detail and a master's approach to educating the reader. Finally, the diagrams, pictures, and figures are superb.




The Army FMSO office led publishers with 3 books this year, while traditional media publisher McGraw-Hill Osborne Media followed with 2.



Congratulations again to Syngress, publisher of the last three Best Book Bejtlich Read winners!



Thank you to all publishers who sent me books in 2010. I have plenty more to read in 2011.



Congratulations to all the authors who wrote great books in 2010, and who are publishing titles in 2011!

Reflections on Four Tufte Books

This week I finished the four main books written by Edward Tufte, namely The Visual Display of Quantitative Information, 2nd ed, Envisioning Information, Visual Explanations, and Beautiful Evidence. I decided not to review them individually at Amazon.com for several reasons.

First, I received them as a set 2 1/2 years ago at The Best Single Day Class Ever, what I call Tufte's class. Tufte's class and written work present a single set of ideas, and some material is presented from multiple angles in several books. This makes it cognitively difficult for me to review them individually. Second, I did not treat them like other books I read, meaning I did not mark them with my own notes and underlining. Frankly the books are like works of art and it would pain me to mark them up! That makes it tough for me to review my reading process and withdraw comments suitable for a book review. Third, so many people have already reviewed the books that I did not feel I would bring any real novelty or domain expertise to the discussion.

Rather, for this post I wanted to share a few ideas I learned from Tufte that I try to keep in mind when communicating. Some of these are reflected in my earlier post, but I'd like to share what has stayed with me during these past 2 1/2 years.

  1. Do not let the medium define your message. PowerPoint culture is endemic in my workplace and in many others. Rather than considering the message to be communicated, too many people concentrate on what the PowerPoint "pitch" needs to look like. I don't exclusively mean appearance, although that is definitely a factor. I'm referring more to what bullets are supposed to reflect a message to an audience. Rather than leading with bullets, determine what message you are trying to communicate, then select a medium.

  2. Replace "presentations" with conversations. I avoid delivering lectures as much as possible. Nothing kills the spirit like receiving a stack of 300 slides. That "deck" represents a plodding, instructor-paced, predetermined path where questions are more likely to be interpreted as interruptions of the "flow" of the class. After seeing Tufte in action in 2008, I stopped teaching my two day TCP/IP Weapons School class using slides. The second and now third editions of the class have no slides whatsoever. Instead I teach with workbooks, labs, and unscripted question-and-answer interactions with students.

  3. Carry the burden or stay off the field. It is NOT easy to teach "Tufte style." Too many "presenters" and "instructors" fall into the seductive embrace of reading slides, facing the screen and not the students, hoping to get to the end of the pitch as soon as possible.

    Instead, imagine walking into a room with 100 or more people, giving each a paper handout with some possible discussion topics, and then asking what they would like to know about the security field. That is just what I did at the FIRST conference this year, and from what I heard, people liked it. I'll say now that it was a somewhat scary experience for me to focus purely on conversation and not just march through a 30 slide PowerPoint deck. However, this is the sort of approach we need to see in the field. I don't recommend it for every talk, but if you're up to carrying the burden, give it a try!

  4. Seek data and graphic representations where possible. For me, this is probably harder than the previous point. Whereas talking in an unscripted manner is rough because of the mental gymnastics required, creating data-driven figures is tough because of the amount of preparation required. We struggle with this in our CIRT. We have thousands of data points but the collection, analysis, interpretation, and explanation of that information is much more difficult than I expected. As we add staff who spend less time fighting operational battles and more time contemplating the overall picture, I expect us to deliver the sorts of graphics that speak volumes to all sorts of audiences.

  5. When the available tools stink, make your own. Tufte did this by publishing his books himself. He did not accept the limitations of the publishers who claimed he could not include the novel features found in his titles. We've encountered similar issues at work where existing data collection tools were just not suited for our needs. Several very talented and motivated team members built and continue to build new tools to get the job done. This is even more difficult than the previous point because it requires anticipating the sorts of data needed to describe, explain, and improve security operations. I expect a lot of progress in this area in 2011.


That's my "applied Tufte" for 2010. Here's hoping he publishes another book soon. The best New Year's resolution you could make for 2011 is to attend one of his classes, even if you have to pay yourself. You get all four books with paid tuition -- real books, not slide decks!


Review of The Dragon's Quantum Leap Posted

Amazon.com just posted my five star review of The Dragon's Quantum Leap by Timothy L. Thomas. I'm posting the entire review here because it's the sort of content that I believe should get wide exposure.

The Dragon's Quantum Leap (TDQL) is the third in a trilogy by Timothy L Thomas. A colleague introduced me to all three books, and an expert on the Chinese hacker scene was kind enough to secure a copy of the book. I thank all of them for the extraordinary journey presented in TDQL. Published in 2009, TDQL is an historical review of key publications by Chinese information warfare (IW) theorists and thought leaders, as translated by American translators and the Open Source Center, successor to the former Foreign Broadcast Information Service (FBIS). The author is an analyst with the Foreign Military Studies Office, and is a West Point graduate, a retired Army Lt Col, and a former Foreign Area Officer focusing on the USSR and Russia. TDQL covers Chinese IW thought from 2007-2009, while the earlier books Dragon Bytes (DB) addressed 1995-2003 and Decoding the Virtual Dragon (DTVD) covered 2004-early 2007.

My reviews of DB and DTVD summarized key Chinese IW themes, all of which extend into TDQL. Therefore I'd like to highlight a few aspects of TDQL that should be of interest to Western digital security specialists.

TDQL opens with an analysis of the one book by Chinese IW experts likely to be known to some US military strategists: Unrestricted Warfare (UW), published by Qiao Liang and Wang Xiangsui in 1999. Thomas includes it here because it foreshadows developments in Chinese IW in later years. It was interesting to learn that initially the Chinese government treated the UW authors critically, but later their ideas became popular. UW is filled with gems that cut to the heart of Chinese IW. For example, "the biggest difference between contemporary wars and the wars of the past is that, in contemporary wars, the overt goal and the covert goal are often two different matters" (p 21). "Military threats are already often no longer the major factors affecting national security... these traditional factors are increasingly becoming more intertwined with grabbing resources, contending for markets, controlling capital, trade sanctions, and other economic factors" (pp 21-2).

The authors offer critical insights that the Chinese have operationalized: "Warfare can be military, or it can be quasi-military, or it can be non-military. It can use violence, or it can be nonviolent. It can be a confrontation between professional soldiers, or one between newly emerging forces consisting primarily of ordinary people or experts" (p 28). In an interview about UW, author Qiao called war with the US "inevitable... because China will grow strong only at the cost of consuming much of the world's resources which will put it in direct competition and eventually conflict with the US" (p 30). They also claim "The battlefield is everywhere and war may be conducted in areas where military actions do not dominate" (pp 33-4). This reminds me of the subtitle of James Adams' 1998 book The Next World War: Computers Are the Weapons and the Front Line Is Everywhere.

Another author, PLA Major Peng Hongqi says "the weaker side [in IW] must adhere to the active offense... especially in peacetime" (p 40). Thomas says "Peng seems to imply that it is the RIGHT [author's emphasis] of an inferior force to attack a superior force first" (p 41). Peng advocates concepts like "protracted control" and using civilians, hackers, or other computers to gain plausible deniability. He says "forces begin engagements and reconnaissance before a conflict emerges. Peacetime collection of key information... is vital" (p 42). One should "treat the peacetime struggle for information supremacy as 'a genuine, perpetual, never-ending battle'... gain as much enemy information as possible and keep the enemy from gaining information on one's own side" (p 42). Also, "the only way the inferior side can compete with a powerful enemy is by taking full advantage of peacetime to energetically elevate its material and technological foundation" (p 42).

Deng Yifei provides what might be the "money quote" in TDQL: "In confrontation on the future battlefield, what is scarier than inferior technology is inferior thinking" (p 56). Evidence of China's IW thinking involves their focus on penetrating Western computers. Thomas notes "it is suspected that Chinese reconnaissance performs two functions: to expose an opposing force's military plans and to study the conditions and vulnerabilities that lead to the successful use of Internet attacks" (p 119). These intrusions bring to life this Chinese stratagem: "a victorious army first wins and then seeks battle" (p 174). Chinese thinkers also plan to target foreign commanders, even including "a study of hobbies, weaknesses and flaws" (p 121).

Thomas notes Taiwan's reporting on Chinese IW as well. He also includes suggestions made to strengthen Taiwanese IW defense. For example, Lin Chin-ching recommends that "all officers under the rank of lieutenant general would be tested on their knowledge of IW and computer information, and their test results would be taken into consideration when their files are reviewed for promotion" (p 216). I suggest the same for business managers as well as US military leaders.

I strongly recommend reading TDQL and Thomas' other works if you want to better understand Chinese IW history and thinking.

Review of Decoding the Virtual Dragon Posted

Amazon.com just posted my five star review of Decoding the Virtual Dragon by Timothy L. Thomas. I'm posting the entire review here because it's the sort of content that I believe should get wide exposure.

Decoding the Virtual Dragon (DTVD) is the sequel to Timothy L Thomas' 2004 book Dragon Bytes. A colleague introduced me to both books, and an expert on the Chinese hacker scene was kind enough to secure a copy of the book. I thank all of them for the extraordinary journey presented in DTVD. Published in 2007, DTVD is an historical review of key publications by Chinese information warfare (IW) theorists and thought leaders, as translated by American translators and the Open Source Center, successor to the former Foreign Broadcast Information Service (FBIS). The author is an analyst with the Foreign Military Studies Office, and is a West Point graduate, a retired Army Lt Col, and a former Foreign Area Officer focusing on the USSR and Russia. DTVD covers Chinese IW thought from 2004-early 2007. Thomas' earlier book discusses 1995-2003, and his later book addresses 2007-2009.

My review of DB summarized key Chinese IW themes, all of which extend into DTVD. Therefore I'd like to highlight a few aspects of DTVD that should be of interest to Western digital security specialists.

Chinese military leaders have always promoted development of theory and strategy, but they are now integrating practice into their doctrine. This is difficult for a military that lacks the ops tempo of a force like the US military, with a decade of continuous war experience on hand. However, IW allows continuous practice, since it can be exercised "using a borrowed sword" (i.e., using deception and "camouflage" to lend plausible deniability to Chinese IW offensives against the West).

Chinese thought leaders often see the US as an offensive force. Thomas reports on the views of two theorists thus: "Conflict-oriented strategy still holds a strong place in Western strategic culture. Expansion and the seizure of hegemony are Western strategic targets while China's has been an introvert-type behavior whose targets are peace, safeguarding national territories, and seeking unification and resisting aggression" (p 23). (That's apparently how the Chinese frame their activities in Tibet and their missiles facing Taiwan.)

The two theorists (Peng and Yao) also note that "the seizure of information has become a primary task of modern warfare" (p 30). One form of conflict perpetrated by the West is "strategic psychological warfare (SPW)," which includes "attempts to advance their [Western] political system and life style, to use economic aid as bait, to seek economic infiltration and control, and to promote western values via TV, movies, newspapers and journals, audio and video products, and especially over the Internet" (p 34). China sees this as a threat to their "network sovereignty" (p 124).

War is increasingly a financial affair: "War with the objective of expanding territory has already basically withdrawn from the stage of history, and even war with the objective of fighting for natural resources is now giving way to war with the objective of controlling the flow of financial capital" (p 76). "IW will gradually shift into the primary form of war, and military objectives will shift from eliminating the enemy and preserving oneself to controlling the enemy and preserving oneself" (p 87).

DTVD includes a translation of a Chinese IW dictionary and questions and answers on IW. The definition of Computer Network Attack (CNA) says "various measures and actions taken to make use of security flaws in the enemy's computer network systems to steal, modify, fabricate, or destroy information and to reduce or destroy network utility." The definition of IW mentions "the use of computer network systems to gain enemy intelligence," not just destroy targets. Crucially, "in this day and age, there is no distinction between peacetime and wartime network warfare" (p 127). Hopefully for world peace, "network warfare could develop in another direction and work to create 'network deterrence' or 'network containment.' That is, it may be more valuable for both sides to simply comply with the rulebook of not attacking another's networks if two sides attain a mutual balance of network power" (p 128).

Dai Qingmin notes "an individual can threaten an entire country in the information age" and "in some cases the more technologically advanced a country becomes, the more vulnerable it becomes as well" (p 134). Individuals who conduct IW can be hard to find or retaliate against, hinting at the PLA's interest in leveraging individual civilian hackers. Thomas writes: "Dai's discussion focuses heavily on obtaining key information via reconnaissance of foreign computer systems in peacetime... As he [Dai] states, 'Computer network reconnaissance (CNR) is the prerequisite for seizing victory in warfare.' His focus on CNR provides added context to current Chinese operations aimed at the reconnaissance of US systems" (p 137). A later section in DTVD mentions "intelligence warfare" as another Chinese concept where "two sides in a conflict adopt various means to gather and steal information from one another" (p 207).

Father of IW Dr Shen notes "the goals of war have changed from territorial expansion and economic aggression to information plundering and targeting psychological elements" (pp 160-1). Skilled people are key, according to another author, who writes "the personnel system of the armed forces will have to enlist computer hackers or treat them as wartime reserves and give them preferred treatment to provide technical support for military building and operations" (p 173); hear that, US military?

Finally, Thomas observes the "extensive knowledge that the Chinese have about our concepts and systems," with bookstores in China offering "translations of thirty or forty (perhaps more, depending on the size of the store) US military books... [but] a US military bookstore is usually limited to five Chinese titles" (p 304).

I strongly recommend reading DTVD and Thomas' other works if you want to better understand Chinese IW history and thinking.

Review of Dragon Bytes Posted

Amazon.com just posted my five star review of Dragon Bytes by Timothy L. Thomas. I'm posting the entire review here because it's the sort of content that I believe should get wide exposure.

A colleague introduced me to Dragon Bytes (DB) by Timothy L Thomas, and an expert on the Chinese hacker scene was kind enough to secure a copy of the book. I thank all of them for the extraordinary journey presented in DB. Published in 2004, DB is an historical review of key publications by Chinese information warfare (IW) theorists and thought leaders, as translated by the former Foreign Broadcast Information Service (FBIS) and other American translators. The author is an analyst with the Foreign Military Studies Office, and is a West Point graduate, a retired Army Lt Col, and a former Foreign Area Officer focusing on the USSR and Russia. DB covers Chinese IW thought from 1995-2003. Thomas' subsequent books, Decoding the Virtual Dragon, and The Dragon's Quantum Leap, cover later periods in Chinese IW history.

DB is really unlike any of the books I have reviewed before, because it summarizes the IW doctrine of another country. As a former Air Force intelligence officer, I helped develop our nation's IW plans in the late 1990s and have defended civilian infrastructures for the last 10 years. DB provides a view of a world that is plain to see if only the reader knows where to look and can read Chinese. Thanks to FBIS translations and Thomas' keen eye, Western readers can learn what the Chinese military says about IW.

I'd like to highlight a few concepts and excerpts that I feel are important to understanding Chinese IW theory.

The Chinese do not seek to simply copy Western IW concepts. Rather, they stress development of IW "with Chinese characteristics." They draw heavily on Marx and Engels for their military doctrine, including People's War, and believe Mao brought Marx's ideas to fruition in China. They feel that IW is a natural implementation of People's War, especially when individual Chinese citizens can participate simply by virtue of owning a computer. Unlike Western militaries and governments, China vigorously integrates civilians and reservists into their military framework, to include individual "hackers."

Traditionally China has pursued "active defense" as their military model, meaning they do not seek (or claim not to seek) conquest beyond their borders. Rather, they respond with People's War when attacked by aggressors. IW, however, does not lend itself to an active defense strategy because losing the initiative means losing the war. Chinese IW theorists increasingly abandoned "active defense" with IW and now promote active offense, which takes various forms.

Chinese IW theorists are advocates of proper thinking over force (p 101). Unsurprisingly, theorists channel Sun Tzu by seeking to "win without fighting" through IW. They devote a lot of energy to developing strategy and "stratagems," sometimes considered to be "tricks" or "schemes" to overcome superior forces. They believe information is as important as energy and materials, and "warfare may be waged around the struggle for intellectual resources, such as the allegiance of a high-tech expert or the patented right to a piece of technology" (p 13).

The Chinese military sees Western culture, particularly American culture, as an assault on China, saying "the West uses a system of values (democracy, freedom, human rights, etc.) in a long-term attack on socialist countries... Marxist theory opposes peaceful evolution, which... is the basic Western tactic for subverting socialist countries" (pp 102-3). They believe the US is conducting psychological warfare operations against socialism and consider culture as a "frontier" that has extended beyond American shores into the Chinese mainland. The Chinese therefore consider control of information to be paramount, since they do not trust their population to "correctly" interpret American messaging (hence the "Great Firewall of China"). In this sense, China may consider the US as the aggressor in an ongoing cyberwar.

Dr Shen Weiguang, China's "father of IW," defines IW as "two sides in pitched battle against one another in the political, economic, cultural, scientific, social, and technological spheres," (p 32) or as "brain war" (p 40). Thomas reports Shen's views thus: "information control is the doorway to an opportunity to dominate the world" (p 33). Shen mentions "total IW" where "information aggression" involves "violating the information space of another country and plundering its information resources" (p 36). Shen recommends creating an "information academy" and believes "'attack in order to defend' is more effective than defense alone in many cases since advance warning is impossible and the effectiveness of defense is hard to predict" (p 45). However, Shen seems to believe IW should be constrained by international norms, since he also advocates developing a "set of information rules" to limit IW (p 48). Finally, academic Deng Xiaobao discusses "dwindling distinctions... between wars and non-wars (referring here to the lack of distinction between IW and times of peace, where an IW can start with an information assault and the side under attack may not be able to judge that it is a war)" (p 125).

I strongly recommend reading DB and Thomas' subsequent works if you want to better understand Chinese IW history and thinking.

Thursday, 30 December 2010

Steve Jobs Understands Team Building

I stumbled upon the following excerpt from the 1998 book In the Company of Giants by Rama Dev Jager and Rafael Ortiz. They interviewed Steve Jobs, who had the following to say about team building, as printed in BusinessWeek:

Q. What talent do you think you consistently brought to Apple and bring to NeXT and Pixar?

SJ. I think that I've consistently figured out who really smart people were to hang around with. No major work that I have been involved with has been work that can be done by a single person or two people, or even three or four people... In order to do things well, that can't be done by one person, you must find extraordinary people.

The key observation is that, in most things in life, the dynamic range between average quality and the best quality is, at most, two-to-one...

But, in the field that I was interested in -- originally, hardware design -- I noticed that the dynamic range between what an average person could accomplish and what the best person could accomplish was 50 or 100 to 1. Given that, you're well advised to go after the cream of the cream.

That's what we've done. You can then build a team that pursues the A+ players. A small team of A+ players can run circles around a giant team of B and C players.

Q. So you think your talent is in recruiting?

SJ. It's not just recruiting. After recruiting, it's building an environment that makes people feel they are surrounded by equally talented people and their work is bigger than they are. The feeling that the work will have tremendous influence and is part of a strong, clear vision -- all those things.

Recruiting usually requires more than you alone can do, so I've found that collaborative recruiting and having a culture that recruits the A players is the best way.

Q. Yet, in a typical startup, a manager may not always have the time to spend recruiting other people.

SJ. I disagree totally. I think it's the most important job... When you're in a startup, the first ten people will determine whether the company succeeds or not.


Steve is right. That is why I Tweeted this last week:

Real IT/security talent will work where they make a difference, not where they reduce costs, "align w/business," or serve other lame ends.

I was emphasizing the point that motivated people want to make a difference. They want to bring good things to life. (I loved that motto -- time to junk the present one, if you catch my drift, and go back!)

Photo credits: Wikipedia

Tuesday, 28 December 2010

Trying PC-BSD 8.2-BETA1

After reading PC-BSD 8.2-BETA1 Available for Testing last week I decided to give the latest version of PC-BSD a try on my ESXi server. I failed earlier to get the installation to succeed using PC-BSD 8.1, but I had no real issues with the new BETA1 based on FreeBSD 8.2 PRERELEASE. (PC-BSD will publish their final 8.2 version when the main FreeBSD project publishes 8.2 RELEASE.)

For this test I downloaded the 64-bit network installation .iso and installed the OS within ESXi. I decided to try a few new features offered by the PC-BSD installer, namely ZFS and disk encryption for user data, as shown in the top screenshot. When I booted the VM I was prompted to enter the passphrase I used when installing the OS:

da0 at mpt0 bus 0 scbus0 target 0 lun 0
da0: Fixed Direct Access SCSI-2 device
da0: 320.000MB/s transfers (160.000MHz, offset 127, 16bit)
da0: Command Queueing enabled
da0: 16384MB (33554432 512 byte sectors: 255H 63S/T 2088C)
Enter passphrase for da0p4:
GEOM_ELI: Device da0p4.eli created.
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI: Crypto: software
Trying to mount root from zfs:tank0

That was cool. In addition to encryption, I need to learn more about how PC-BSD uses jails to support ports and packages. This differs from any other BSD I have seen.

PC-BSD is also supposed to be desktop-friendly, so I tried my "can I see a YouTube video out of the box" test. The screenshot at right shows it worked.

I should note that before I could connect remotely using SSH, I had to disable the pf firewall. (I could also have reconfigured the firewall if I wanted it to stay active.)

Now that I have a working PC-BSD OS in my lab, I'll try to learn more about it. I'll probably wait until the RELEASE version arrives.

Trying VirtualBSD 8.1

Reece Tarbert sent an email announcing the availability of VirtualBSD 8.1, a version of FreeBSD 8.1 aimed at demonstrating FreeBSD on the desktop. It's a 1.3 GB zipped VMware image that expands to 4.1 GB.

I downloaded the image via Bittorrent, expanded the image, and then used the VMware Converter to transfer the VM from my laptop to my ESXi server. I accepted all the defaults and successfully converted the VM. However, after booting the VM I noticed the kernel did not recognize the network card. I shut down the VM, removed the NIC, and added a new e1000 NIC. After booting that version the VM recognized the NIC and got an IP address via DHCP from my Cisco 3750 switch.

One of my definitions of "desktop ready" is whether I can see YouTube videos out-of-the-box. As the screen capture shows, VirtualBSD worked without incident.

If you're wondering about PC-BSD, I plan to give version 8.2 a try soon. As I Tweeted last month, I had trouble with the installer and couldn't install 8.1 to my ESXi server. I could try installing to VMware Workstation and then converting that VM too.

FreeBSD on Amazon EC2

Thanks to Colin Percival you can try FreeBSD on Amazon EC2! According to Colin's blog more is to come, but for now you can try FreeBSD 8.2-RC1 and FreeBSD 9.0-CURRENT.

I decided to try spinning up 8.2-RC1. I used the command line tools for Ubuntu rather than the Web interface.

richard@neely:~$ sudo apt-get install ec2-api-tools

richard@neely:~$ export EC2_PRIVATE_KEY=$HOME/.ec2/pk-GO7RNG3LZTNPOUD5TH4YRCA4LFNGP5SB.pem

richard@neely:~$ export EC2_CERT=$HOME/.ec2/cert-GO7RNG3LZTNPOUD5TH4YRCA4LFNGP5SB.pem

richard@neely:~$ export JAVA_HOME=/usr/lib/jvm/java-6-openjdk/

Now I check my security settings and authorize my IP.

richard@neely:~$ ec2-authorize default -p 22 -s [MYIP]/32
GROUP default
PERMISSION default ALLOWS tcp 22 22 FROM CIDR [MYIP]/32

richard@neely:~$ ec2-describe-group default
GROUP 162896439853 default default group
PERMISSION 162896439853 default ALLOWS all FROM USER 162896439853 GRPNAME default
PERMISSION 162896439853 default ALLOWS tcp 22 22 FROM CIDR [MYIP]/32

Next I start the 8.2-RC1 AMI.

richard@neely:~$ ec2-run-instances ami-d29b6abb -k taosecuritykey -t t1.micro
RESERVATION r-a54c17cf 162896439853 default
INSTANCE i-44bda629 ami-d29b6abb pending taosecuritykey 0 t1.micro 2010-12-28T15:21:41+0000 us-east-1b aki-407d9529 monitoring-disabled ebs

After a few seconds I check to see if it is running.
 
richard@neely:~$ ec2-describe-instances i-44bda629
RESERVATION r-a54c17cf 162896439853 default
INSTANCE i-44bda629 ami-d29b6abb ec2-50-16-108-39.compute-1.amazonaws.com ip-10-243-6-109.ec2.internal running taosecuritykey 0 t1.micro 2010-12-28T15:21:41+0000 us-east-1b aki-407d9529 monitoring-disabled 50.16.108.39 10.243.6.109 ebs
BLOCKDEVICE /dev/sda1 vol-200caa48 2010-12-28T15:21:44.000Z
BLOCKDEVICE /dev/sdb vol-220caa4a 2010-12-28T15:21:44.000Z

Now I connect to it.

richard@neely:~$ ssh -i .ssh/taosecuritykey.pem root@ec2-50-16-108-39.compute-1.amazonaws.com

Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

FreeBSD 8.2-RC1 (XEN) #1: Fri Dec 24 05:49:26 UTC 2010

Welcome to FreeBSD!

Before seeking technical support, please use the following resources:

o Security advisories and updated errata information for all releases are
at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
for your release first as it's updated frequently.

o The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
along with the mailing lists, can be searched by going to
http://www.FreeBSD.org/search/. If the doc distribution has
been installed, they're also available formatted in /usr/share/doc.

If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list. If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page. If you are not familiar with manual pages, type `man man'.

You may also use sysinstall(8) to re-enter the installation and
configuration utility. Edit /etc/motd to change this login announcement.

ip-10-243-6-109# uname -a

FreeBSD ip-10-243-6-109 8.2-RC1 FreeBSD 8.2-RC1 #1: Fri Dec 24 05:49:26 UTC 2010
root@chch.daemonology.net:/usr/obj/i386/usr/src/sys/XEN i386

ip-10-243-6-109# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/da1s1 4.8G 193M 4.3G 4% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/da0 1.0G 20M 945M 2% /boot/grub

When done I disconnect and terminate the instance. I could have also just shut down the machine within SSH if I wanted to use the instance in the future.

richard@neely:~$ ec2-terminate-instances i-44bda629
INSTANCE i-44bda629 running shutting-down

That's really cool! Many thanks to Colin for his work on this. If you want to support development on this sort of project, consider donating to the FreeBSD Foundation as Colin suggests in his blog.
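The two checks worth automating in the walkthrough above are the ones done by eye: confirming that the security group really only admits SSH from one /32, and polling ec2-describe-instances until the instance is running and has a public DNS name. The same checks apply to the Ubuntu free-tier walkthrough further down this page, where step 9 adds SSH from a single IP. The script below is an added example, not code from the original post or from Amazon's tools. It assumes the tab-separated format the old ec2-api-tools printed (the blog rendering collapsed the tabs to spaces); the sample outputs are constructed to mirror the lines shown above, with [MYIP] replaced by the documentation address 198.51.100.7 and an extra, deliberately world-open rule on 3389 added to show what the check catches.

```python
"""Parse ec2-describe-group / ec2-describe-instances output and flag
over-broad security group rules before connecting to an instance.

Added example, not the post's own code. Sample outputs are constructed
(198.51.100.7 stands in for [MYIP]; the 3389 rule is invented).
"""
import ipaddress

INSTANCE_STATES = {"pending", "running", "shutting-down", "terminated",
                   "stopping", "stopped"}

# Constructed: ec2-describe-group output, tabs restored, plus one 0.0.0.0/0 rule.
SAMPLE_GROUP_OUTPUT = """\
GROUP\t162896439853\tdefault\tdefault group
PERMISSION\t162896439853\tdefault\tALLOWS\tall\t\t\tFROM\tUSER\t162896439853\tGRPNAME\tdefault
PERMISSION\t162896439853\tdefault\tALLOWS\ttcp\t22\t22\tFROM\tCIDR\t198.51.100.7/32
PERMISSION\t162896439853\tdefault\tALLOWS\ttcp\t3389\t3389\tFROM\tCIDR\t0.0.0.0/0
"""

# Constructed: ec2-describe-instances output while pending and once running.
SAMPLE_PENDING = """\
RESERVATION\tr-a54c17cf\t162896439853\tdefault
INSTANCE\ti-44bda629\tami-d29b6abb\t\t\tpending\ttaosecuritykey\t0\t\tt1.micro\t2010-12-28T15:21:41+0000\tus-east-1b\taki-407d9529\t\tmonitoring-disabled\t\t\t\t\tebs
"""
SAMPLE_RUNNING = """\
RESERVATION\tr-a54c17cf\t162896439853\tdefault
INSTANCE\ti-44bda629\tami-d29b6abb\tec2-50-16-108-39.compute-1.amazonaws.com\tip-10-243-6-109.ec2.internal\trunning\ttaosecuritykey\t0\t\tt1.micro\t2010-12-28T15:21:41+0000\tus-east-1b\taki-407d9529\t\tmonitoring-disabled\t50.16.108.39\t10.243.6.109\t\t\tebs
BLOCKDEVICE\t/dev/sda1\tvol-200caa48\t2010-12-28T15:21:44.000Z
"""


def parse_permissions(text):
    """Return one dict per PERMISSION line: proto, port range, source kind and source."""
    rules = []
    for line in text.splitlines():
        tok = line.split()          # whitespace split also collapses empty tab fields
        if not tok or tok[0] != "PERMISSION":
            continue
        proto = tok[4]
        frm = tok.index("FROM")
        ports = (None, None) if proto == "all" else (int(tok[5]), int(tok[6]))
        rules.append({"proto": proto, "from_port": ports[0], "to_port": ports[1],
                      "source_kind": tok[frm + 1],   # CIDR, or USER for another group
                      "source": tok[frm + 2]})
    return rules


def risky_rules(rules):
    """Flag CIDR rules reachable from more than one host.

    A 0.0.0.0/0 source is world-reachable on that port; SSH admitted from
    anything wider than a /32 is reported too, since the intent is one admin IP.
    """
    findings = []
    for r in rules:
        if r["source_kind"] != "CIDR":
            continue
        net = ipaddress.ip_network(r["source"], strict=False)
        if net.prefixlen == 0:
            findings.append(f"world-open: {r['proto']} {r['from_port']}-{r['to_port']} from {net}")
        elif (r["from_port"] is not None and r["from_port"] <= 22 <= r["to_port"]
              and net.prefixlen < 32):
            findings.append(f"ssh wider than one host: from {net}")
    return findings


def instance_status(text):
    """Return (instance_id, state, public_dns) from ec2-describe-instances output.

    The state is recognised by value and the DNS name by suffix, so the parser
    does not depend on empty tab fields surviving a terminal or a blog post.
    """
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "INSTANCE":
            continue
        state = next(t for t in tok if t in INSTANCE_STATES)
        dns = next((t for t in tok if t.endswith(".amazonaws.com")), None)
        return tok[1], state, dns
    raise ValueError("no INSTANCE line found")


if __name__ == "__main__":
    for finding in risky_rules(parse_permissions(SAMPLE_GROUP_OUTPUT)):
        print("WARNING:", finding)
    print(instance_status(SAMPLE_PENDING))     # dns is None until running
    print(instance_status(SAMPLE_RUNNING))
```

Feed it the saved output of `ec2-describe-group default` and `ec2-describe-instances <id>` from the session above. The `ALLOWS all FROM USER ... GRPNAME default` rule is the group admitting traffic from its own members and is normal for the default group; the rules to worry about are CIDR rules with a short prefix, which is exactly what the /32 in the post avoids.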

Monday, 27 December 2010

Bejtlich Teaching at Black Hat DC 2011

Over the holiday break I've been putting the finishing touches on TCP/IP Weapons School 3.0, to be presented first at Black Hat DC 2011 on 16-17 Jan 11. This is a completely new class written from the ground up. I'm very pleased with how it has developed.

While keeping the distinctions from other offerings that I described last year, I've extended this third version of the class to include explicit offensive and defensive portions. Students will receive two VMs, one running a modified version of Doug Burks' SecurityOnion distro as an attack/monitor platform, and the second running a Windows workstation as a victim platform.

The purpose of this class is to develop the investigative mindset needed by digital security professionals. Junior- to intermediate-level security and information technology (IT) staff are the intended audience. The class is a balance of discussion and hands-on labs.

Defensive aspects of the labs emphasize how to discover suspicious and malicious activity in network and log evidence. Offensive aspects of the labs offer the student a chance to do the same sorts of actions that caused the suspicious and malicious activity in the labs. I encourage students to keep an open mind and feel free to expand their interaction with the labs beyond the required material. Take advantage of this time away from the office to enjoy defensive and offensive aspects of the digital security arena!

Registration is open and continues at the current rate until 15 Jan, after which the onsite rate kicks in.

I'll also teach the course in Las Vegas this summer. Thank you.

Speaking at RSA 2011

Mike Rothman and Rich Mogull were kind enough to invite me to speak at their e10+ Experienced Security half-day event on 14 February 2011 at RSA 2011 in San Francisco. I'll participate in the "What's Going to Keep Me Up at Night?" panel. (The joke possibilities write themselves.) I'll stay for a few days of the conference as well. I like the idea of an event aimed at senior security people, i.e., 10+ years of experience. Please consider checking it out!

Courtesy of APT

The photo at left is Bill Sweetman's take on a photo posted to an aviation forum (.jpg) that is probably China's Chengdu J-20 fighter, claimed to be their "stealth fighter." Bill's comment caught my attention:

I think that we can count on China to start delivering more technological surprises - and in some cases they will be aided by cyber-espionage. Remember that's what the Advanced Persistent Threat is all about, and the great thing about cyber-espionage is that it can be exploited without risking human sources. That makes it much more useful - both in learning how to do things and avoiding blind alleys and pitfalls in R&D. (emphasis added)

There are several ways information stolen by APT could have helped with this aviation program. A few include:

  • Theft of Western technology for direct application to building the Chinese aircraft

  • Theft of Western technology to help design the Chinese aircraft to counter Western aircraft

  • Theft of Western technology to help Chinese integrated air defense systems and other counter-aircraft weapons to deny, degrade, or destroy Western aircraft and systems

  • Theft of Western program histories and experiences to guide Chinese designers and builders away from failed approaches and toward more promising methods

  • Theft of Western plans and tactics to assist Chinese pilots flying against Western pilots


Building Chinese stealth fighters isn't the end goal of APT activity. They are tasked with their missions to further national ends, which involve strategic goals. This fighter is a means to an end.

Friday, 24 December 2010

Tip of the Day - Scraping ice off your windshield

Living in Utah, many mornings I get the joy of scraping ice off my windshield.  There was a trick I learned last year that was a great time saver.

If you live in an apartment complex, or park in a parking lot, look for a spot near a tree.  If you can park under a tree (evergreen trees work best), it will prevent ice from forming on your windshield.

Last year I found a nice big juniper tree to park near and I never had to scrape ice off my car!

Monday, 20 December 2010

Enhancing the colors of your photos



There are many different ways to enhance the colors of your photos using the Gimp. In this tutorial, I will show you the basic process for color enhancement, then I will show you differences in each method so you can decide which way is best for you.

Read article »

Tip of the Day - Backing up Important Documents

For a few years, I worked in a computer lab giving technical support. The saddest thing I would see is when students would spend hours and hours on a document and have it all lost because they reset the computer or there was a power outage.  There is a simple solution to making sure you never lose a document: use Google Docs.  Google Docs will save your document every 5 minutes. You can access it anywhere you have Internet access, and it is stored on Google's servers rather than on the machine in front of you, so it is as protected as your Google account is.

People may argue that Google Docs does not allow you to do what Microsoft Word does. This is true.  Usually, I will type my document in Google Docs, then print it or change the formatting in Word; but at least this way I know I have it backed up.

If you still don't want to use Google Docs, please please please, save your document as soon as you start one, and save frequently.  If you have a power outage, or your computer resets for some reason, if Word's auto recovery does not work, you can always try file recovery software like Recuva.

How to remove elements from your photos without using the clone tool



NOTE: Resynthesizer no longer seems to work well in newer versions of Gimp. It has been replaced with the tools Heal Selection and Heal Transparency. I did a tutorial on those tools here. Frequently, you will have a need to take an element out of a photo. In the past, I have always used the clone tool, but recently, I discovered the Gimp plugin called Resynthesizer. When I first used it, my mind was totally blown! In this tutorial, I will show you how to use it, and why you want to.

Read article »

Saturday, 18 December 2010

Tip of the Day - Running Programs from your USB Drive

One thing that I have been doing for the past 5 years or so has been running all my programs from a portable or USB drive.  This allows me to take my software wherever I go.  If I need to use certain programs on other people's computers (or on school computers where they don't allow you to install software), this has been a perfect solution.

I recommend using portableapps.com or liberkey.com

Both of these come with custom start menus and other options.

I started out using portableapps, but recently I have been using liberkey.  Liberkey allows for automatic updating of the software. This is a great way to keep your software updated and organized.

Wednesday, 15 December 2010

Powershell LSOF/Parsing Netstat Part II

Two 'lsof for Powershell' scripts covering v4 and v6 have been placed here:

http://rmfdevelopment.com/PowerShell_Scripts/PS_LSOF.ps1
http://rmfdevelopment.com/PowerShell_Scripts/PS_LSOF_gwmi.ps1

This is a second update to this script which matches the port to the process in PowerShell by parsing netstat for TCP and UDP and then appending 'ps' or 'gwmi' information associated with the process related to that port.  There's nothing in this function (but sorted port order) which carries through a relational tie from port to process information. There is a lot of information produced in this script, as I print all of netstat -ano and then query the corresponding network process with either 'ps' or 'gwmi'.
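The relational tie the post says its script lacks is the PID: `netstat -ano` prints it on every socket line, and the process listing is keyed by it, so a join on PID carries the process name through to each port. The script below is an added example, not the rmfdevelopment script, written in Python so it runs anywhere over saved output rather than live on the Windows box. The `netstat -ano` and `tasklist /FO CSV` samples are constructed; PID 5120 is deliberately missing from the task list so the mismatch case is exercised.

```python
"""Join `netstat -ano` sockets to process names from `tasklist /FO CSV`,
a small lsof for Windows keyed on PID.

Added example, not the rmfdevelopment PowerShell script. Both inputs are
constructed samples in the format the two Windows tools emit.
"""
import csv
import io

# Constructed `netstat -ano` output: TCP rows carry a State column, UDP rows do not.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49710     203.0.113.5:443        ESTABLISHED     2312
  TCP    [::]:135               [::]:0                 LISTENING       876
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5120
  UDP    0.0.0.0:5355           *:*                                    1204
  UDP    [::1]:1900             *:*                                    1204
"""

# Constructed `tasklist /FO CSV` output; PID 5120 is deliberately absent.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","312 K"
"svchost.exe","876","Services","0","9,512 K"
"svchost.exe","1204","Services","0","14,204 K"
"firefox.exe","2312","Console","1","210,556 K"
"""


def split_endpoint(ep):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:135' -> ('[::]', 135); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Yield one dict per socket line of `netstat -ano` output."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("TCP", "UDP"):
            continue                        # header, blank line or junk
        local_host, local_port = split_endpoint(tok[1])
        if tok[0] == "TCP":
            state, pid = tok[3], int(tok[4])
        else:
            state, pid = "", int(tok[3])    # UDP has no State column
        yield {"proto": tok[0], "local_host": local_host, "local_port": local_port,
               "remote": tok[2], "state": state, "pid": pid}


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def join_sockets_to_processes(netstat_text, tasklist_text):
    """Return socket records, each carrying its owning process name, sorted by port."""
    procs = parse_tasklist(tasklist_text)
    records = []
    for sock in parse_netstat(netstat_text):
        sock["process"] = procs.get(sock["pid"], "<no such PID>")
        records.append(sock)
    return sorted(records, key=lambda r: (r["local_port"] or 0, r["proto"], r["pid"]))


def suspicious_listeners(records):
    """Listening sockets bound on all interfaces whose PID has no matching process."""
    return [r for r in records
            if r["state"] == "LISTENING"
            and r["local_host"] in ("0.0.0.0", "[::]")
            and r["process"] == "<no such PID>"]


if __name__ == "__main__":
    recs = join_sockets_to_processes(NETSTAT_OUTPUT, TASKLIST_CSV)
    for r in recs:
        print(f"{r['proto']:3} {r['local_host']}:{r['local_port']:<5} {r['state']:<11} "
              f"{r['pid']:>5} {r['process']}")
    for r in suspicious_listeners(recs):
        print("CHECK:", r["proto"], r["local_port"], "pid", r["pid"])
```

Run `netstat -ano > netstat.txt` and `tasklist /FO CSV > tasklist.csv` on the host, then load the two files in place of the sample strings. A PID with no process can simply be a race between the two snapshots (the process exited in between), so take the two listings as close together as possible and treat a persistent mismatch on a listening port as the thing to investigate.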

Tip of the Day - Using someone else's computer to use the Internet

Ever been to a friend's place and needed to use their computer for just a bit?  You get on, then log off their Gmail, log off their Facebook, etc., just so you can log into the same websites.

Next time you need to do that, try this: use the browser's incognito or private browsing mode (CTRL+SHIFT+P for Firefox or CTRL+SHIFT+N for Chrome).  This way, it keeps the existing user logged in to their email or Facebook, and you can still log in.  It won't keep track of your history or passwords and it is a quicker and hassle free way to use someone's computer without having to log them out.  Keep in mind that private browsing only stops the browser from saving your session; it does nothing about software already running on that computer, so don't type anything on a machine you don't trust.

How to make money from your blog

I think there are a few types of bloggers.
  1. Those who blog because they are passionate about something, or want to share something with others.
  2. Those who blog just to make money.
  3. A combination of the previous two bloggers.
If you are reading this, you are probably the third type of blogger. You probably already have a blog and have begun wondering if you can make money on your blog or not. This post will talk about why you should or shouldn't try to make money on your blog and what you can expect in your attempt.

Read article »

More WikiLeaks News

Pro WikiLeaks hacker group’s DDoS tool downloads top 40,000 (12/13/10)
Imperva, the web security specialist, has reported that the tool released by the Anonymous Hacker Group for would-be WikiLeaks protesters has been downloaded over 40 000 times, with the majority of downloads occurring in the US. Imperva said there were three versions of the denial of service tool that members have been able to use:
http://www.infosecurity-magazine.com/view/14611/pro-wikileaks-hacker-groups-ddos-tool-downloads-top-40000/

Anonymous attacks more websites, as second Dutch teenager is arrested in WikiLeaks saga (12/13/10)
http://www.infosecurity-us.com/view/14621/anonymous-attacks-more-websites-as-second-dutch-teenager-is-arrested-in-wikileaks-saga/

WikiLeaks Imbroglio Renews Focus on Risk Management (12/13/10)
http://www.information-management.com/news/risk_management_data_storage_security_WikiLeaks-10019275-1.html

WikiLeaks-Related Spam Spotted (12/13/10)
http://blog.trendmicro.com/wikileaks-related-spam-spotted/

UK.gov braces for possible Wikileaks hacklash (12/14/10)
http://www.theregister.co.uk/2010/12/14/wikileaks_hacklash/

The Hacka Man

Tuesday, 14 December 2010

Edit Movie Poster Text Using Gimp - Chronicles of Narnia



Yesterday I had a friend ask me for help editing a movie poster for Chronicles of Narnia. This will be a long and in-depth tutorial that will focus a lot on replicating existing text.

Read article »

Tip of the Day - How to Bowl a 200+ game

I think that most people have the following two misconceptions about bowling:
  1. You should bowl straight down the center, hitting the pins head on
  2. You should force spin on the ball and curve it into the pins
This tip of the day/tutorial will tell you why these are not the best options, and what you can do to improve your bowling game.

Read article »

WikiLeaks

So Wikileaks recently made the news headlines on all major media. Companies with dirty secrets need to be extra vigilant and watch out for attacks. The next attack target, BAC??? Are controls and processes in place?? What mitigation techniques are effective? Let's monitor and watch for now. :)

Attacking BAC

The Hacka Man

Monday, 13 December 2010

Taking advantage of Facebook's new layout to make a cool screenshot using the Gimp



Facebook's new layout has a bit more pictures on it, which makes it handy if you want to make a creative screenshot. This will be a quick and easy tutorial.


Read article »

Friday, 10 December 2010

How to make a flash diffuser and reflector from your existing built in flash


There are hundreds of easy ways you can build a flash diffuser and reflector, but I think this is by far the easiest and cheapest.

Read article »

How to make Wassail - The cheap and easy way (the geeky way)


Yay for Christmas! Yay for wassail. This is the quick and easy way to make it. Since this is a blog for geeks, this is NOT a recipe; just a general easy way to do it. Recipes are lame.


Read article »

How to make a Christmas card or flier - Elegant style


This is another Christmas card/flier/invite tutorial using Inkscape. This one will be a bit more elegant and feature a Christmas tree made of snow flakes.

Read article »

How to make a Christmas card or flier - Christmas present style



For this tutorial I will show you how to make a Christmas card or flier using Inkscape. The end result will be a card that looks like a Christmas Present.

Read article »

Thursday, 09 December 2010

Splunk 4.x on FreeBSD 8.x using compat6x Libraries

Two years ago I posted Splunk on FreeBSD 7.0 showing how to use the FreeBSD compat6x libraries to run the 3.4 version of Splunk compiled for FreeBSD 6.x. I decided to try this again, except using the newest Splunk on an amd64 FreeBSD system.

As you can see below, it took me only a few minutes to get the system running thanks to the precompiled compat6x-amd64 package. If I needed to install on i386, I could have used the ports tree.

r200a# uname -a

FreeBSD r200a.taosecurity.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49
UTC 2010 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

r200a# pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable/misc/compat6x-amd64-6.4.604000.200810_3.tbz
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable/misc/compat6x-amd64-6.4.604000.200810_3.tbz... Done.

*******************************************************************************
* *
* Do not forget to add COMPAT_FREEBSD6 into *
* your kernel configuration (enabled by default). *
* *
* To configure and recompile your kernel see: *
* http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html *
* *
*******************************************************************************

r200a# pkg_add splunk-4.1.6-89596-freebsd-6.2-amd64.tgz
----------------------------------------------------------------------
Splunk has been installed in:
/opt/splunk

To start Splunk, run the command:
/opt/splunk/bin/splunk start

To use the Splunk Web interface, point your browser at:
http://r200a.taosecurity.com:8000

Complete documentation is at http://www.splunk.com/r/docs
----------------------------------------------------------------------

r200a# /opt/splunk/bin/splunk start --accept-license
Copying '/opt/splunk/etc/myinstall/splunkd.xml.cfg-default' to '/opt/splunk/etc/myinstall/splunkd.xml'.
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
/opt/splunk/etc/auth/audit/private.pem
/opt/splunk/etc/auth/audit/public.pem
['openssl', 'genrsa', '-out', '/opt/splunk/etc/auth/audit/private.pem', '1024']
/opt/splunk/etc/auth/audit/private.pem generated.
/opt/splunk/etc/auth/audit/public.pem generated.
Generating RSA private key, 1024 bit long modulus
.........++++++
............................++++++
e is 65537 (0x10001)
writing RSA key

/opt/splunk/etc/auth/distServerKeys/private.pem
/opt/splunk/etc/auth/distServerKeys/trusted.pem
['openssl', 'genrsa', '-out', '/opt/splunk/etc/auth/distServerKeys/private.pem', '1024']
/opt/splunk/etc/auth/distServerKeys/private.pem generated.
/opt/splunk/etc/auth/distServerKeys/public.pem generated.
Generating RSA private key, 1024 bit long modulus
.............++++++
............................................++++++
e is 65537 (0x10001)
writing RSA key


This appears to be your first time running this version of Splunk.
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
Creating: /opt/splunk/var/lib
Creating: /opt/splunk/var/run/splunk
Creating: /opt/splunk/var/run/splunk/upload
Creating: /opt/splunk/var/spool/splunk
Creating: /opt/splunk/var/spool/dirmoncache
Creating: /opt/splunk/var/lib/splunk/authDb
Creating: /opt/splunk/var/lib/splunk/hashDb
Checking databases...
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary

Splunk> The IT Search Engine.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking index directory... Done.
Checking databases...
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary
All preliminary checks passed.

Starting splunk server daemon (splunkd)... Done.
Starting splunkweb... /opt/splunk/share/splunk/certs does not exist. Will create
Generating certs for splunkweb server
Generating a 1024 bit RSA private key
............++++++
.................++++++
writing new private key to 'privkeySecure.pem'
-----
Signature ok
subject=/CN=r200a.taosecurity.com/O=SplunkUser
Getting CA Private Key
writing RSA key
Done.

If you get stuck, we're here to help.
Look for answers here: http://www.splunk.com/base/Documentation

The Splunk web interface is at http://r200a.taosecurity.com:8000

And that's it! I pointed my Web browser to the FreeBSD server and I accessed Splunk. Kudos to Splunk for providing a free version of their product to run in this manner!

Postscript: I realized Splunk installs to /opt, which on this system lives in /, which is small. So, I made this change after stopping Splunk:

r200a# mv /opt /nsm/
r200a# ln -s /nsm/opt/ /opt

That put Splunk in the larger /nsm partition. I should have created the symlink before installing, but no real harm was done anyway.

Tip of the Day - Portrait photography using a zoom/telephoto lens

Usually when you want to take nice portrait pictures, you will use a nice, fast lens, and adjust your aperture to get a blurry background.

The reality is that most people have a simple point and shoot camera that does not allow manual aperture settings, or they don't know how (or why) to change the settings.

Next time you are trying to take a portrait photo, try zooming in all the way and standing back a bit. This will create a blurry background and have a nice effect.  When you do this, make sure to have steady hands and good lighting (this probably will not work well indoors unless you are using a tripod).

Wednesday, 08 December 2010

How to switch the face of someone famous with your face



A few years ago I started making a lot of cheesy Valentines with my face inserted on the body of someone famous. Then I would write something super cheesy for the Valentine. I have gotten better over the years and thought this would make a great Gimp tutorial. The tutorial is mainly concepts, so you could probably do this in Photoshop as well.

Read article »

Tip of the Day - File organization

We often create folders to contain a set of organized folders.  For instance, we can create a folder called "Pictures" and have many picture folders inside, or a folder called "Music" and have folders inside that are albums.

When we want to organize some of these folders, we will usually create a folder called "organize" or "sort me."  Something to let us know the content needs to be sorted.

Next time you create a folder like that, call the folder "0rganize."  Use the number 0 instead of the letter o.  It looks almost identical, but because of the zero it will come up first in the list of folders.

Tip of the Day - Better file navigation

Suppose you want to go to another window to navigate to a file, but you still want to keep your current window open. Instead of opening a new window, hold the CTRL key down while pressing the folder icon for going up a level. This will open the level in a new window.

Tip of the Day - Deleting files

Next time you want to delete a file, hold the Shift key down while pressing Delete.  This skips the Recycle Bin instead of sending the file there.  It does not erase the data, though: the file's contents stay on the disk until something else overwrites them, and file recovery software (such as the Recuva tool mentioned above) can often bring the file back.  For sensitive data, use a tool that overwrites the file before removing it; Shift+Delete is only a convenience.

How to eliminate your cell phone bill


I have never had a cell phone plan. I pay about $20 a YEAR to use my cell phone. I always try to explain how it is I do this, and recently my friend suggested I do a tutorial on it. So here it is!

Read article »

Tuesday, 07 December 2010

Pimp your blog - Make your blog look less bloggy and more like an actual website

Before and After
This tutorial is to show you how to change your blog from something ordinary or boring, to something that looks less like a blog and more like an actual website (or to just become a better looking blog).

Read article »

Monday, 06 December 2010

Wedding Photo Enhancement using The GIMP


I have been giving a lot of love to Inkscape lately, so I thought I would do a Gimp tutorial today.
I recently did a photo shoot for a wedding. I will show you how to do some enhancements to the photos using the GIMP.

Read article »

Friday, 03 December 2010

Bruce Schneier, Cyber Warrior?

Do you remember the story from the Times in 2009 titled Spy chiefs fear Chinese cyber attack?

[UK] Intelligence chiefs have warned that China may have gained the capability to shut down Britain by crippling its telecoms and utilities.

They have told ministers of their fears that equipment installed by Huawei, the Chinese telecoms giant, in BT’s new communications network could be used to halt critical services such as power, food and water supplies.

The warnings coincide with growing cyberwarfare attacks on Britain by foreign governments, particularly Russia and China...

The company [Huawei] is providing key components for BT’s new £10 billion network, which will update the UK’s telecoms with the use of internet technology. The report says the potential threat from Huawei “has been demonstrated elsewhere in the world”...

[T]he ministerial committee on national security was told at the January [2009] meeting that Huawei components that form key parts of BT’s new network might already contain malicious elements waiting to be activated by China.

Working through Huawei, China was already equipped to make “covert modifications” or to “compromise equipment in ways that are very hard to detect” and that might later “remotely disrupt or even permanently disable the network”, the meeting was told...


Ok, old news. But what did I just read in Huawei's US Sales Push Raises Security Concerns from September 2010?

Should United States telecommunications companies consider purchasing -- or even be allowed to purchase -- infrastructure equipment from a major Chinese company that could, maybe, be a significant national security risk?

Some US government officials and security experts are concerned about products from Huawei Technologies Co. Ltd. , which has begun more actively courting US customers...

Another security expert concerned about foreign tampering is Bruce Schneier, chief security technology officer at BT and a well known blogger about security. Although he doesn't have any proof, Schneier says it "certainly wouldn't surprise me at all" if Huawei installed software that could endanger US security. He would "think twice" before buying equipment from Huawei.


Wow. Did Bruce tell his bosses at BT this? I mean, he has been Chief Security Technology Officer at BT since BT acquired Counterpane in late 2006. (The BT-Huawei deal predates that acquisition by a few years, so Bruce didn't have input back then.) I guess it's possible Bruce really is a closet cyber warrior...

Wednesday, 01 December 2010

How to change your Blogger Favicon - Pimp your blog Part IV



If you look at the left corner of this open tab, or the left side of the URL box, you will see a small icon. This icon is called the favicon. If you have a blogspot blog, then your favicon will look like an orange B. In this tutorial I will show you how to change that icon using Inkscape and Gimp.

Read article »

Tuesday, 30 November 2010

How to make a simple text logo for your website or blog - Pimp your blog Part III


Now that I have thought of the name "Tutorial Geek" for my blog, I am going to make a simple text logo rather than just having simple text. I will show you how to do this in Inkscape. This is similar to my post on Textures. Feel free to refer to that for additional ideas.

Read article »

Saturday, 27 November 2010

How to change your Blogger domain URL - Pimp your blog Part II

This is going to be about how I changed my blog name and URL from mckayhead.blogspot.com to tutorialgeek.blogspot.com and kept all my stats and links intact.

Read article »

Wednesday, 24 November 2010

How to make a blog background - Pimp your blog Part I

Paper texture for a blog.


http://mckayhead.blogspot.com/2010/11/creating-business-card-using-inkscape.html

Now that I am getting somewhat serious about blogging, I figure I might as well have a blog that looks somewhat decent. The background sets the tone for your entire blog, so this is my first step.

The look I am trying to go for is kind of a geeky designer look. I have kind of been liking the grunge look recently and think I want to go for something similar to what I did with the business card tutorial.

Read article »

How to Draw Hello Kitty

Hello Kitty!
So the last post I did was drawing a pumpkin. I am not too happy with that so I wanted to get something new up quick. Being in a somewhat Asian mood this morning, I decided a nice simple project would be to use Inkscape to draw Hello Kitty.


Read article »

Trying Ubuntu 10.10 in AWS Free Usage Tier

After trying 60 Free Minutes with Ubuntu 10.10 in Amazon EC2 yesterday, I decided to take the next step and try the AWS Free Usage Tier. This blog post by Jay Andrew Allen titled Getting Started (for Free!) with Amazon Elastic Cloud Computing (EC2) helped me.

One important caveat applies: this activity will not be completely free. The AMI I chose uses a 15 GB filesystem, and the terms of the free usage stipulate no more than a 10 GB filesystem. I'll pay $0.50 per month for the privilege of using a prebuilt Ubuntu AMI. Since I'm an AMI n00b, I decided to pay the $0.50. At some point when I am comfortable creating or trusting 10 GB AMIs, maybe I'll switch.

  1. First I visited http://aws.amazon.com/ec2/ and signed up for Amazon EC2. At Amazon Web Services Sign In, I chose "Identity Verification by Telephone." When I completed sign up I received three emails: 1) Amazon Virtual Private Cloud Sign-Up Confirmation; 2) Amazon Elastic Compute Cloud Sign-Up Confirmation; and 3) Amazon Simple Notification Service Sign-Up Confirmation.

  2. Next I visited the AWS Management Console at https://console.aws.amazon.com/ec2/home. In Getting Started, I chose Launch Instance. I had to decide what sort of virtual machine I wanted to run. I decided to try a 64 bit Ubuntu 10.10 Amazon Machine Image (AMI) I found mentioned at http://uec-images.ubuntu.com/releases/maverick/release/ and at http://alestic.com/. I selected an AMI available at Amazon's us-east-1 facility, identified as ami-548c783d. This AMI uses Amazon's Elastic Block Store (EBS) so that changes persist.

  3. Under Instance Details, I chose:

    Number of Instances: 1
    Availability Zone: No Preference
    Instance Type: Micro (t1.micro, 613 MB)

  4. Under Select Launch Instances, I chose:

    Kernel ID: Use Default
    RAM Disk ID: Use Default
    No Monitoring
    No User Data
    No Tags

  5. Next I had to Create and Download Key Pair. That produced a file called taosecuritykey.pem which we'll use later.

  6. I chose

    Security Groups: Default

  7. When I reviewed my choices I saw:

    AMI: Ubuntu AMI ID ami-548c783d (x86_64)
    Name:
    Description:
    Number of Instances: 1
    VPC Subnet:
    Availability Zone: No Preference
    Instance Type: Micro (t1.micro)
    Instance Class: On Demand
    Number of Instances: 1
    Availability Zone: No Preference
    Instance Class: On Demand
    Maximum Price:
    Request Valid From:
    Availability Zone Group:
    Request Valid Until:
    Launch Group:
    Persistent Request:
    Placement Group:
    Strategy:
    Monitoring: Disabled
    Bursting:
    Kernel ID: Use Default
    RAM Disk ID: Use Default
    IP Address:
    User Data:
    Key Pair Name: taosecuritykey
    Security Group(s): default

  8. Finally I launched the instance and visited the Instances Page.

  9. In order to SSH to my AMI I had to add "SSH" to my Security Group and I decided to add my own IP address (with /32 netmask) as the IP allowed to traverse the firewall.

  10. To SSH to the system I had to find the hostname in the EC2 Instance listing at the bottom of the page, e.g., ec2-obfuscated.compute-1.amazonaws.com. I also had to set permissions on my .pem so I could use it with SSH:


    richard@neely:~$ mv taosecuritykey.pem .ssh/
    richard@neely:~$ chmod 400 .ssh/taosecuritykey.pem

  11. Then I connected to the AMI:

    richard@neely:~$ ssh -v -i .ssh/taosecuritykey.pem \
    ubuntu@ec2-obfuscated.compute-1.amazonaws.com

    Linux domU-12-31-39-14-F9-0C 2.6.35-22-virtual #33-Ubuntu SMP
    Sun Sep 19 21:05:42 UTC 2010 x86_64 GNU/Linux

    Ubuntu 10.10

    Welcome to Ubuntu!
    * Documentation: https://help.ubuntu.com/

    System information as of Wed Nov 24 20:36:24 UTC 2010

    System load: 0.0 Processes: 60
    Usage of /: 4.4% of 14.76GB Users logged in: 0
    Memory usage: 6% IP address for eth0: 10.206.250.250
    Swap usage: 0%

    Graph this data and manage this system at https://landscape.canonical.com/
    ---------------------------------------------------------------------
    At the moment, only the core of the system is installed. To tune the
    system to your needs, you can choose to install one or more
    predefined collections of software by running the following
    command:

    sudo tasksel --section server
    ---------------------------------------------------------------------

    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.

    To run a command as administrator (user "root"), use "sudo ".
    See "man sudo_root" for details.

    ubuntu@domU-12-31-39-14-F9-0C:~$
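
Step 9 above is the one security decision in this procedure: SSH was opened only to a single source address with a /32 mask rather than to the world. The following is an added example, not code from the post or from Amazon, that turns that decision into a repeatable check. It assumes security-group data in the JSON shape the AWS CLI's `describe-security-groups` returns (SecurityGroups, IpPermissions, IpRanges, Ipv6Ranges); the two groups below are constructed for illustration, with placeholder group IDs and a TEST-NET-3 source address standing in for "my own IP." `host_cidr` builds the /32 (or /128 for IPv6) form of a single address, and `broad_ssh_rules` reports any rule that lets SSH in from more than one host.

```python
"""Audit EC2 security-group ingress rules for broad SSH exposure.

Added example; not the post's or AWS's own code. Assumes the JSON shape
returned by `aws ec2 describe-security-groups`. Sample data is constructed.
"""
import ipaddress

SSH_PORT = 22

# Constructed sample: a "default" group as left after step 9 of the post
# (SSH from one /32), plus a hypothetical group with any-source rules.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {
            "GroupId": "sg-PLACEHOLDER-default",
            "GroupName": "default",
            "IpPermissions": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 22,
                    "ToPort": 22,
                    "IpRanges": [{"CidrIp": "203.0.113.7/32"}],  # TEST-NET-3
                    "Ipv6Ranges": [],
                }
            ],
        },
        {
            "GroupId": "sg-PLACEHOLDER-open",
            "GroupName": "wide-open",
            "IpPermissions": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 22,
                    "ToPort": 22,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                    "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                },
                {
                    "IpProtocol": "-1",  # "all traffic": no port fields present
                    "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
                    "Ipv6Ranges": [],
                },
            ],
        },
    ]
}


def host_cidr(ip):
    """Return the single-host prefix for an address: /32 for IPv4, /128 for IPv6."""
    return str(ipaddress.ip_network(ip))


def rule_reaches_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols and ports; FromPort/ToPort are absent
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def classify_source(cidr):
    """single-host (/32 or /128), any-source (/0), or range (anything between)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses == 1:
        return "single-host"
    if net.prefixlen == 0:
        return "any-source"
    return "range"


def audit_ssh_exposure(groups, port=SSH_PORT):
    """List (group name, source CIDR, classification) for every rule reaching `port`."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if not rule_reaches_port(perm, port):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                findings.append((sg["GroupName"], cidr, classify_source(cidr)))
    return findings


def broad_ssh_rules(groups, port=SSH_PORT):
    """Only the findings that admit more than a single source host."""
    return [f for f in audit_ssh_exposure(groups, port) if f[2] != "single-host"]


if __name__ == "__main__":
    for group, cidr, kind in audit_ssh_exposure(SAMPLE_GROUPS):
        print(f"{group:10} {cidr:18} {kind}")
```

Run against live data by feeding the parsed output of `aws ec2 describe-security-groups` to `broad_ssh_rules`; an empty list means every SSH rule is pinned to one host, which is the state the post's step 9 produced.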


At this point my system was working, so I poked around a little.

ubuntu@domU-12-31-39-14-F9-0C:~$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 15G 665M 14G 5% /
none 290M 108K 290M 1% /dev
none 297M 0 297M 0% /dev/shm
none 297M 48K 297M 1% /var/run
none 297M 0 297M 0% /var/lock

ubuntu@domU-12-31-39-14-F9-0C:~$ sudo netstat -natup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 468/sshd
tcp 0 48 10.206.250.250:22 98.218.35.11:57655 ESTABLISHED 577/sshd: ubuntu [p
tcp6 0 0 :::22 :::* LISTEN 468/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 387/dhclient3

ubuntu@domU-12-31-39-14-F9-0C:~$ ifconfig -a
eth0 Link encap:Ethernet HWaddr 12:31:39:14:f9:0c
inet addr:10.206.250.250 Bcast:10.206.251.255 Mask:255.255.254.0
inet6 addr: fe80::1031:39ff:fe14:f90c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:429 errors:0 dropped:0 overruns:0 frame:0
TX packets:337 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:67019 (67.0 KB) TX bytes:49777 (49.7 KB)
Interrupt:9

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ubuntu@domU-12-31-39-14-F9-0C:~$ sudo lft -D eth0 www.bejtlich.net

Tracing __________________________________.

TTL LFT trace to vhost.identityvector.com (205.186.148.46):80/tcp
1 10.206.248.3 0.8ms
2 216.182.232.236 0.5ms
3 216.182.232.64 0.4ms
** [neglected] no reply packets received from TTLs 4 through 6
7 dca-edge-18.inet.qwest.net (65.120.78.57) 2.1ms
8 dcp-brdr-03.inet.qwest.net (205.171.251.110) 4.9ms
** [neglected] no reply packets received from TTL 9
10 216.88.34.170 3.7ms
11 cr02-1-1.iad1.net2ez.com (65.97.48.206) 9.7ms
12 65.97.50.26 4.2ms
13 static-70-32-64-246.mtsvc.net (70.32.64.246) 4.2ms
14 vzd052.mediatemple.net (205.186.147.5) 3.7ms
15 [target] vhost.identityvector.com (205.186.148.46):80 4.1ms
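
The `sudo netstat -natup` listing above is the natural baseline for a freshly launched instance: it shows what is actually bound before anything else is installed. The following is an added example, not code from the post, that parses that output format. It separates listening sockets from established ones, handles the UDP rows that lack a State column, and reports which programs are bound to every interface (0.0.0.0 or ::), which is the set of services any widening of the security-group rule would expose. The sample text is copied from the post's output and embedded here as constructed input.

```python
"""Parse `netstat -natup` output and list wildcard-bound listeners.

Added example; not the post's own code. The sample below is the post's
netstat output, embedded as constructed input so the script runs offline.
"""

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 468/sshd
tcp 0 48 10.206.250.250:22 98.218.35.11:57655 ESTABLISHED 577/sshd: ubuntu [p
tcp6 0 0 :::22 :::* LISTEN 468/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 387/dhclient3
"""

PROTOCOLS = ("tcp", "tcp6", "udp", "udp6")
WILDCARDS = {"0.0.0.0", "::"}  # bound on all IPv4 / all IPv6 interfaces


def parse_netstat(text):
    """Turn netstat -natup lines into dicts; skips the banner and header."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in PROTOCOLS:
            continue
        proto, local, foreign = fields[0], fields[3], fields[4]
        if proto.startswith("tcp"):
            state, program = fields[5], " ".join(fields[6:])
        else:
            state, program = "", " ".join(fields[5:])  # udp rows have no State
        host, port = local.rsplit(":", 1)  # ":::22" -> ("::", "22")
        rows.append({
            "proto": proto,
            "host": host,
            "port": int(port),
            "foreign": foreign,
            "state": state,
            "program": program,
        })
    return rows


def listening_sockets(rows):
    """TCP sockets in LISTEN plus UDP sockets bound with no peer."""
    return [
        r for r in rows
        if r["state"] == "LISTEN"
        or (r["proto"].startswith("udp") and r["foreign"].endswith(":*"))
    ]


def wildcard_listeners(rows):
    """Listeners reachable on every interface, IPv4 and IPv6 alike."""
    return [r for r in listening_sockets(rows) if r["host"] in WILDCARDS]


def exposure_summary(rows):
    """Map (proto, port) -> PID/program for wildcard-bound listeners."""
    return {(r["proto"], r["port"]): r["program"] for r in wildcard_listeners(rows)}


if __name__ == "__main__":
    for (proto, port), program in sorted(exposure_summary(parse_netstat(SAMPLE_NETSTAT)).items()):
        print(f"{proto:5} {port:5} {program}")
```

Note that sshd appears twice, once on tcp and once on tcp6, so an IPv6 path to the host (such as the Teredo address configured later in the post) reaches the same daemon; keeping a baseline like this and diffing it after each install is a cheap way to notice a new listener.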

I decided to update the AMI using apt.

$ sudo apt-get update
$ sudo apt-get upgrade

After reboot:

ubuntu@domU-12-31-39-14-F9-0C:~$ uname -a
Linux domU-12-31-39-14-F9-0C 2.6.35-22-virtual #35-Ubuntu
SMP Sat Oct 16 23:19:29 UTC 2010 x86_64 GNU/Linux

I decided to try sending email from the system:

ubuntu@domU-12-31-39-14-F9-0C:~$ sudo apt-get install exim4-daemon-light
...edited...
ubuntu@domU-12-31-39-14-F9-0C:~$ sudo dpkg-reconfigure exim4-config
* Stopping MTA for restart [ OK ]
* Restarting MTA [ OK ]

ubuntu@domU-12-31-39-14-F9-0C:~$ echo "test mail 1557" | mailx -v -s "test mail 1557" richard@bejtlich.net
LOG: MAIN
<= ubuntu@domu-12-31-39-14-f9-0c.compute-1.amazonaws.com U=ubuntu P=local S=489
ubuntu@domU-12-31-39-14-F9-0C:~$ delivering 1PLMPR-0000eu-4P
R: dnslookup for richard@bejtlich.net
T: remote_smtp for richard@bejtlich.net
Connecting to ASPMX.L.GOOGLE.COM [74.125.93.27]:25 ... connected
SMTP<< 220 mx.google.com ESMTP g35si18125523qcs.170
SMTP>> EHLO domU-12-31-39-14-F9-0C.compute-1.internal
SMTP<< 250-mx.google.com at your service, [174.129.106.239]
250-SIZE 35651584
250-8BITMIME
250 ENHANCEDSTATUSCODES
SMTP>> MAIL FROM: SIZE=1523
SMTP<< 250 2.1.0 OK g35si18125523qcs.170
SMTP>> RCPT TO:
SMTP<< 250 2.1.5 OK g35si18125523qcs.170
SMTP>> DATA
SMTP<< 354 Go ahead g35si18125523qcs.170
SMTP>> writing message and terminating "."
SMTP<< 250 2.0.0 OK 1290632265 g35si18125523qcs.170
SMTP>> QUIT
LOG: MAIN
=> richard@bejtlich.net R=dnslookup T=remote_smtp H=ASPMX.L.GOOGLE.COM [74.125.93.27]
LOG: MAIN
Completed

I also decided to try an IPv6 tunnel client:
ubuntu@domU-12-31-39-14-F9-0C:~$ sudo apt-get install miredo

ubuntu@domU-12-31-39-14-F9-0C:~$ ifconfig -a
eth0 Link encap:Ethernet HWaddr 12:31:39:14:f9:0c
inet addr:10.206.250.250 Bcast:10.206.251.255 Mask:255.255.254.0
inet6 addr: fe80::1031:39ff:fe14:f90c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5025 errors:0 dropped:0 overruns:0 frame:0
TX packets:2849 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2717010 (2.7 MB) TX bytes:1308113 (1.3 MB)
Interrupt:9

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

teredo Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet6 addr: 2001:0:53aa:64c:102c:3760:517e:9510/32 Scope:Global
inet6 addr: fe80::ffff:ffff:ffff/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1280 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:144 (144.0 B)

ubuntu@domU-12-31-39-14-F9-0C:~$ host ipv6.google.com
ipv6.google.com is an alias for ipv6.l.google.com.
ipv6.l.google.com has IPv6 address 2001:4860:800f::68

ubuntu@domU-12-31-39-14-F9-0C:~$ ping6 2001:4860:800f::68
PING 2001:4860:800f::68(2001:4860:800f::68) 56 data bytes
64 bytes from 2001:4860:800f::68: icmp_seq=1 ttl=59 time=3.70 ms
64 bytes from 2001:4860:800f::68: icmp_seq=2 ttl=59 time=3.97 ms
64 bytes from 2001:4860:800f::68: icmp_seq=3 ttl=59 time=4.73 ms
^C
--- 2001:4860:800f::68 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.707/4.140/4.736/0.435 ms

I did all that in under an hour, so before the first hour finished I shut down the AMI.

The next time I want to use it, I'll visit the console, start it, and SSH. I don't have any real plans for this AMI besides experimentation, for now. I'll probably keep my eye on this ec2ubuntu Google Group too.