Monday, 28 February 2011

Collating and parsing netmon capture files

I have added a Powershell function that uses logparser to mux all the netmon capture files in a directory and list unique IPs and Ports.

Saturday, 26 February 2011

Portrait Photography in Linux - An Extensive Guide


Right now Windows and Mac dominate the professional photography world. That does not mean though that Linux does not have the tools available for professional photography.

While most photography software is designed to run on Windows or Macs, there is a lot of great software that runs on Linux. The purpose of this guide is to show what tools are available to someone wanting to do photography using only Linux tools.


How to Add Watermarks in batch to Your Photos in Linux - DigiKam



If you are a photographer who uses watermarks on your photos, you know that adding a watermark by hand to every image is a laborious and time-consuming process. Instead of doing it one by one, it is obviously much faster to add all your watermarks at once using a batch process. DigiKam probably has the easiest way of doing this in Linux.


How to Create A Watermark for Your Photos Using Inkscape

If you want to be a photographer to make a living, or perhaps as just a side job, chances are you will want to start watermarking your images for more exposure. Fortunately, creating a watermark is really simple to do using Inkscape.


How to Edit RAW Photos in Linux Using RawTherapee

After having tried many different RAW editors in Linux, I came to the conclusion that RawTherapee is my favorite. RawTherapee has many great features. In effort to show some of what RawTherapee can do, I created this video tutorial:


Best Software for Editing RAW photos in Linux

If you are a photographer who shoots in RAW, then chances are you have heard of and probably used Adobe Lightroom. If you use Linux however, Lightroom is not a viable option.

Some of the more popular RAW editors in Linux include UFRaw, RawTherapee, Darkroom and Raw Studio. I will briefly discuss each below so you can decide which program is best for you. Each of these programs can easily be installed through apt-get using a package manager (such as Synaptic).



Organizing your photos in Linux



If you do any sort of photography or photo editing, you will need a photo manager to handle all your photos.

Linux offers quite a few different photo managers and editors. DigiKam, F-Spot and Shotwell are some of the more popular photo managers in Linux. Though these photo managers all have different positive features, the photo manager I prefer to use is a bit less traditional for Linux. It is Google's Picasa. This tutorial will discuss briefly how I organize my photos and why I use Picasa to do so.


10 Tips for Portrait Photography


Portrait photography can be a lot of fun. There tend to be higher expectations when you do portrait photography, though. With landscape photography, you can take photos of mountains or trees, and they won't care if the pictures don't turn out, but with portrait photography, there are people who hope and expect the photos to be the best possible quality. Here are some tips on how you can achieve that.


Thursday, 24 February 2011

Tip of The Day - Backing up files using external media

I recently did a post on different options for backing up and storing files online. Even though online storage and backup is wonderful, there is a chance that we could experience an apocalypse. In that case, online storage would do us no good and we could possibly lose important files (ok... in the case of an apocalypse, files are the last thing to worry about, BUT there IS a chance our file storage company of choice might go under). To ensure that our important files are kept safe, it is wise to consider other methods for backup.


Monday, 21 February 2011

Tip of The Day - Use Your Email Client To Send and Receive Facebook Messages

Something happened this morning that made me super happy. I replied to a message from Facebook using Gmail and it worked! This must be a new feature because I have never noticed it before. Facebook just started posting message threads in emails so I decided to try to reply in Gmail to see if it would work. It did!

The sad news is that I tried doing multiple threads but it only seemed to work for the initial message sent. As this seems to be a new feature, I will post any updates as I get more info.

Also; if you are like me and you have Facebook notifications going to a spam email account, you can have your spam account forward to your real Gmail account and it works just the same.

If you have had this work for you, or have more info, please post a comment.

Tip of The Day - Your Best Options for File Sharing, Backup and Online Storage

Today I signed up for yet another online file storage website: http://uploadingit.com. I tend to sign up for as many different file storage websites as I can, just in case they end up being good. Most are not that great, but some are. So far I think Uploadingit.com might be one of the good ones.

Everyone has files that they consider to be important (in many cases, priceless), but most people don't do anything to ensure the safety and protection of these files. I am not going to discuss why you should do this (it should be obvious) but I will talk about some free options available to you.

I will go over some of my favorite online storage websites and discuss some of the advantages and disadvantages of each. Each of the sites I talk about are going to offer free services (yep; I am cheap that way).


Friday, 18 February 2011

Getting Familiar with Chrome OS - Google's CR-48

Chrome OS running on CR-48

Here is an in-depth review of Chrome OS on the Google CR-48 computer. Chrome OS is a new concept for the computing world, so rather than just giving it a grade by comparing it to other existing computers or operating systems, I am going to talk about the most common tasks done on a computer and write about how well Chrome OS performs for these tasks.



Tuesday, 15 February 2011

Parsing Windows 7 Firewall Logs

I've talked quite a bit on this blog about parsing Microsoft's Windows Firewall logs.
There are a number of Microsoft sites with more information on Windows Firewall:
This is the report output of two scripts (1, 2) designed to help suggest a "Windows Firewall Log Parsing" framework.





There are several issues with parsing information from Windows Firewall logs:
  1. Windows Firewall is one of three native sources of network data offered by Microsoft, the other two being Network Monitor and ETL (Kernel TCP/IP and NDIS Capture) tracing.
  2. Windows Firewall must be configured for complete logging, and by default the log rotates through only one file (*.old).
  3. The log file can be exceptionally large, depending on configuration.
Processing the 'pfirewall.log'[1] with Powershell was a lengthy affair until multi-core processors and Powershell V2. These two scripts (1, 2), one of which uses only Powershell and the other of which depends on Microsoft's Logparser 2.2, could serve as templates for further processing and analysis. The next step would be to develop a series of rule-sets that parse and count the unique results for 'anomalous' activity. What kind of rule-sets? Here are some thoughts:

  1. A comparison of destination IPs to the external Firewall 'Block' list.
  2. A comparison of destination or source IPs to the ISCs (daily list) of top 100 IPs.
  3. A comparison of destination or source IPs to the "Stop Badware" database.
  4. A subset of IPs known as business competitors.
  5. A chronology of outbound activity on "known suspect" ports.
  6. A chronology of outbound activity on "known good" ports used for suspect activity.
  7. A chronology of outbound activity on either "known good" or "known suspect ports" to targets that are not part of "previously known profile" for those ports.
Additional rulesets could be developed based on 'tuple' analysis. For example, given the following ordered set:
'DROP UDP 192.168.0.15 255.255.255.255 68 67 RECEIVE'

  • Would it be expected behavior for the srcIP ("192.168.0.15") to RECEIVE data from the dstIP ("255.255.255.255")?
  • Would it be expected behavior for the srcIP ("192.168.0.15") to RECEIVE data from the dstIP ("255.255.255.255") on dstPort ("68")?
  • What is the expected 'action' for either case? (e.g. DROP or ALLOW)?
For now, I leave this as an exercise for the user. I will also leave as an exercise for the user any 'vissec' presentations of this data. Powershell V2 and Logparser 2.2 are the engines for these scripts, but other data-mining techniques (PERL, GAWK, T-SQL, etc.) could be more scalable and useful. Powershell has the advantage of being (1) native to Windows 7, (2) configurable for remote invocation of scripts, and (3) configurable for domain-based scripting.

[1] By default located at 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'
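As an added example (not one of the two scripts the post refers to), the following Powershell V2 code parses the W3C-format pfirewall.log, counts unique (action, protocol, src, dst, dst-port, path) tuples, and applies rule-sets 1 and 5 from the list above. The log lines, the block list and the "known suspect" port list are constructed sample data, not real data from the post.

```powershell
# Added example (not from the original post): parse a Windows Firewall pfirewall.log,
# count the unique (action, protocol, src, dst, dst-port, path) tuples, and apply two
# of the rule-sets discussed above. The log lines are constructed sample data in the
# W3C format the firewall writes; the block list and port list are hypothetical.

$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-02-15 08:00:01 DROP UDP 192.168.0.15 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2011-02-15 08:00:02 ALLOW TCP 192.168.0.11 74.125.224.23 1193 443 0 - 0 0 0 - - - SEND
2011-02-15 08:00:03 ALLOW TCP 192.168.0.11 203.0.113.9 1201 6667 0 - 0 0 0 - - - SEND
2011-02-15 08:00:04 DROP TCP 198.51.100.7 192.168.0.11 44312 445 52 S 0 0 8192 - - - RECEIVE
2011-02-15 08:00:05 ALLOW TCP 192.168.0.11 203.0.113.9 1202 6667 0 - 0 0 0 - - - SEND
2011-02-15 08:00:06 DROP UDP 192.168.0.15 255.255.255.255 68 67 328 - - - - - - - RECEIVE
'@

# Hypothetical rule data: an external firewall 'Block' list and "known suspect" outbound ports.
$blockList    = @('203.0.113.9')
$suspectPorts = @(6667)

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    # The '#Fields:' header names the columns; other '#' lines are metadata and are skipped.
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $header = ($fieldsLine -replace '^#Fields:\s*', '') -split '\s+'
    $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Delimiter ' ' -Header $header
}

function Get-FirewallTuples {
    param($Entries)
    # One row per unique tuple with its count: the starting point for the
    # "is this expected behaviour?" questions asked about the DROP UDP line above.
    $Entries |
        Group-Object -Property action, protocol, 'src-ip', 'dst-ip', 'dst-port', path |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Get-FirewallFindings {
    param($Entries)
    # Rule 1: destination IP on the block list. Rule 5: outbound traffic to a suspect port.
    foreach ($e in $Entries) {
        $reasons = @()
        if ($blockList -contains $e.'dst-ip') { $reasons += 'dst on block list' }
        if ($e.path -eq 'SEND' -and $suspectPorts -contains [int]$e.'dst-port') { $reasons += 'outbound to suspect port' }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Time   = "$($e.date) $($e.time)"
                Action = $e.action
                Src    = "$($e.'src-ip'):$($e.'src-port')"
                Dst    = "$($e.'dst-ip'):$($e.'dst-port')"
                Reason = ($reasons -join '; ')
            }
        }
    }
}

$entries = ConvertFrom-FirewallLog -Lines ($sampleLog -split "`r?`n")
Get-FirewallTuples   -Entries $entries | Format-Table -AutoSize
Get-FirewallFindings -Entries $entries | Format-Table Time, Action, Src, Dst, Reason -AutoSize
```

To run it against a real log, replace the here-string with `Get-Content 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'` and feed the result to ConvertFrom-FirewallLog; because the parser reads the column names from the '#Fields:' header, it tolerates a different field order. The tuple roll-up is also the cheapest way to answer the two "expected behaviour" questions above: a tuple seen thousands of times on every host is a baseline, and one that appears once deserves a look.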


Monday, 14 February 2011

Happy Valentine's Day!

OK. So Valentine's Day is usually not the most fun holiday. After spending many miserable Valentine's Days getting my hopes dashed, I decided to do something about it. I can't determine how many Valentines I get, but I can determine how many I give out. Here are some I did this year:

This one did not turn out as well as I would have liked, but I think the idea is pretty funny.

I tried to think of a funny caption for this one, but figured a hard core cupid would be good enough.
If you want to see how I do these Valentine's, check out my post here.

Friday, 11 February 2011

Ten Years After Leaving the Air Force

Ten years ago today was my last official day as an active duty officer in the United States Air Force.

I left the Individual Ready Reserve in June 2002, but I don't count that extra time since I worked as a civilian full-time.

I find it ironic that the "Officer In Charge" (OIC) of "Career Enhancements" signed my Honorable Discharge! Leaving the service can be quite a "career enhancement" when you want to continue defending Air Force data assets but the service feels its time to "career broaden." :)

To this day I am grateful for the colleagues, training, experiences, missions, and responsibilities of my time in the Air Force. At the same time, I remain amazed that I spent almost 11 years of my life wearing the uniform. It seems so long ago now, but I am always pleased to run across people in the security and intelligence worlds who remember working with "Captain Bejtlich."

I've greatly enjoyed the last ten years out of uniform and I look forward to more good ones, God willing!

Thursday, 10 February 2011

Why I switched from Firefox to Google Chrome (And why I think you should give it a try)



About a month ago I made the switch official. I now use Google Chrome as my default browser. I remember it as being a bittersweet day for me. I should say that I love Firefox. I have used Firefox since before most people had even heard of it; I was using it back in the day when it was still Firebird. Firefox has always been good to me. So why the switch, then? Let me tell you why I switched, and why I think you should give it a try.


Wednesday, 09 February 2011

Create a Celebrity Wallpaper using Inkscape - Jimmer Fredette




With all the hype BYU's Jimmer Fredette has been receiving, I decided to do a celebrity wallpaper tutorial featuring him using the Gimp. Like most things I do, I always wonder if I could do it in both Gimp and Inkscape. So I decided to try it. This tutorial will show how to remove backgrounds from raster images. I will talk briefly about bitmap traces, and I will also be using many texture filters and layers.


Create a Celebrity Wallpaper using the Gimp - Jimmer Fredette



Jimmer Fredette has been a Utah celebrity for a while now, but has slowly worked his way into the national spotlight. I thought it would be fun to show everyone how to use the Gimp to do a Jimmer wallpaper. These concepts can be used for any celebrity wallpaper you may want to do.


Jimmer Fredette/BYU Basketball Wallpapers - Free, High Quality

The Jimmer - You Got Jimmered!



BYU Cougars - Jimmer Fredette #32


The Jimmer

BYU Basketball - You Got Jimmered. Done in Inkscape

If you like these wallpapers, press the links below and share them with your friends. If you want me to make a custom wallpaper (you choose the text) write a comment below and I will see what I can do.

If you would like to try making your own wallpaper, I have tutorials for how to do it using the Gimp and in Inkscape.

Tuesday, 08 February 2011

Comparing Microsoft's Communication Methods

Today is Microsoft Patch Tuesday, which means if you so choose you can read posts by the Microsoft Security Response Center like February 2011 Security Bulletin Release. The advisory states "we have 12 bulletins addressing 22 vulnerabilities in Microsoft Windows, Office, Internet Explorer, and IIS (Internet Information Services). Three bulletins are rated Critical."

Microsoft communicates information about these vulnerabilities using two graphics.

The first is "Severity and Exploitability Index":



The second is "Bulletin Deployment Priority":



I'm not even going to start a discussion about why the first chart shows "risk" and then "impact" (isn't impact a component of risk?). I'm also not going to dwell on how the first column of the second chart has been "overloaded" to include only a small bit of information on the code affected, rather than prominently communicating that data in a column of its own.

Instead, I'd like to know who else finds this sort of red-yellow-blue presentation to be an assault on your senses? I mean, at the very least, isn't all the information from the top chart present in the bottom chart (despite more lovely coloring?)

In contrast to that communication method, I'd like to highlight content from a related Microsoft blog post titled Breaking up the Romance between Malware and Autorun. Why do I like this post? Check out this table:



Why do I like it?

  • It shows 40 numbers. What you say? It only shows 36? I consider the NULL values to be valuable too because they demonstrate Microsoft wasn't tracking those malware families yet, or they didn't exist, etc.

  • It identifies 10 malware families.

  • It shows trends over time.

  • The results are ranked by totals for 2H10.

  • Nothing is colored RED to tell me THIS IS BAD.


I like to see content like that table because it treats the viewer like an adult who can at least read at the level of the sports pages in the newspaper, as the great Tufte says.

Monday, 07 February 2011

The Best Way to Download Free Textures for your Designs

Anyone getting into graphic design will eventually start using different textures. I want to feature a few of my favorite places to find some free textures.


Textureking.com


Texture King has a large database of textures. The website is easy to navigate and downloading is super simple.

Image Abstraction also has a great database of textures and is well organized. I found downloading to be a bit easier on Texture King, but it is still easy to download at Image Abstraction.

Texturespot.com/


Texture Spot's database is not as large, but still worth taking a look.

Google.com

This is my favorite place to find textures, from my favorite web company. A Google image search always helps you get what you are looking for.

Do a Google search for the texture you want, click the Images link above the search results, and when the results come up, press the "Large" link for image size to make sure you are getting the best possible textures.

Disclaimer:
Whenever you download textures, make sure you read the terms and conditions from whatever website you are downloading them from.

Bacon Candle: Fact or Fiction? How to Make a Bacon Candle.



Recently on Lifehacker.com I read this article on making an oil lamp using bacon grease. I did a bit more Googling and found a site where someone posted pictures of their bacon candle. I wondered how well this would work, so I set out to do it myself.


Friday, 04 February 2011

Fake Depth of Field in Gimp - DOF Explained


Before Fake DOF
After Fake DOF
This tutorial will be discussing depth of field and how to create this effect in the Gimp.


Wednesday, 02 February 2011

Get-WinEvent, EventLogs, ETL, Providers on Win7 Part II


Working with Windows Tracing (ETL) logs
This is part of an ongoing research project to understand how the improved tracing providers in Windows 7 can help detect the presence of malware. Microsoft has been improving event tracing for a number of years. The latest versions allow netsh to invoke multiple providers. After you have chosen your providers, you start the trace by referencing either the provider name or its GUID. 'Netsh trace start' allows keyword or capture filters, which can be useful if you know the specific events for which you need to trace. For this example, we will not create an NDIS capture ('capture=yes'), nor will we select keywords or levels for the filters. After a few busy hours, this leads to quite a bit of tracing.



[Cmd.exe]
netsh trace show providers | findstr "Network Security IP"
{6E7A2FC0-9244-4EE4-804F-E812924ABF26}  Windows NetworkMap Trace
{D9131565-E1DD-4C9E-A728-951999C2ADB5}  Network Profile Manager
{6B510852-3583-4E2D-AFFE-A67F9F223438}  Security: Kerberos Authentication
{CC85922F-DB41-11D2-9244-006008269001}  Local Security Authority (LSA)
{6D04BF88-60A5-4D02-BC5C-94A20BA490EC}  IPBusEnum Service Trace
{94335EB3-79EA-44D5-8EA9-306F49B3A040}  Downlevel IPsec Service
{94335EB3-79EA-44D5-8EA9-306F49B3A041}  Downlevel IPsec API
{EB004A05-9B1A-11D4-9123-0050047759BC}  TCPIP Service Trace
{A7EB57F6-145E-4F18-BD75-DBBF6F7E23A7}  WMP Network Sharing Service
{6165F3E2-AE38-45D4-9B23-6B4818758BD9}  Security: TSPkg
{37D2C3CD-C5D4-4587-8531-4696C44244C8}  Security: SChannel
{FB6A424F-B5D6-4329-B9D5-A975B3A93EAD}  Security: WDigest
{E4FF10D8-8A88-4FC6-82C8-8C23E9462FE5}  Downlevel IPsec NetShell Plugin
{5BBB6C18-AA45-49B1-A15F-085F7ED0AA90}  Security: NTLM Authentication


netsh trace show providers | findstr "NTLM Security Protocol"
{C92CF544-91B3-4DC0-8E11-C580339A0BF8}  NTLM Security Protocol


netsh trace start provider=Microsoft-Windows-Kernel-Network provider=Microsoft-Windows-Kernel-Process provider=Microsoft-Windows-Security-Auditing provider=Microsoft-Windows-Security-Netlogon provider=Microsoft-Windows-TCPIP provider="{C92CF544-91B3-4DC0-8E11-C580339A0BF8}"


In Powershell V2, 'Get-Winevent' is your ticket to parsing the trace (ETL) file. As a note, you can easily export the ETL format to the new EVTX log format and view either format in Event Viewer. You can also convert the file with 'netsh trace convert'. The size of the file increases greatly in the EVTX format, so I don't recommend this unless you have a need. Even a 50 MB ETL takes a while to process in Powershell (see below). However, you can view the file and filter per event ID, provider, or otherwise inside the Event Viewer interface and then save the filtered events to a separate log. Below, I show the respective file sizes of the ETL vs. the EVTX format. I then load the 54 MB ETL into a Powershell variable and export it to an ASCII format. This takes eleven minutes on an i5 laptop.


[Powershell]
(ls NetTrace.etl | % {$_.length})/1MB
54.875


measure-command {netsh trace convert input=NetTrace.etl output=knpasntlm.evtx dump=EVTX}
Days              : 0
Hours             : 0
Minutes           : 8
Seconds           : 15
....


(ls .\knpasntlm.evtx  | % {$_.length})/1MB
883.06640625


measure-command {$KNPASNTLM=get-winevent -path 'NetTrace.etl' -oldest}
Days              : 0
Hours             : 0
Minutes           : 11
....


Analyzing the Trace


'Get-Winevent' has both XPath and FilterHashtable query options for working with event logs, but for working with raw tracing logs we also have some other options. Logparser 2.2, a six-year-old SQL-style parser, works with ETL logs. Once the file is loaded into a Powershell variable, we can query based on the properties listed below. However, rather than create those queries right now, let us look at the properties of our variable and export its contents to an ASCII file. Once again, this takes some time on an i5 laptop.


$KNPASNTLM | gm | Select Name


Name
----
....
Message
ActivityId
Bookmark
ContainerLog
Id
Keywords
KeywordsDisplayNames
Level
LevelDisplayName
LogName
MachineName
MatchedQueryIds
Opcode
OpcodeDisplayName
ProcessId
Properties
ProviderId
ProviderName
Qualifiers
RecordId
RelatedActivityId
Task
TaskDisplayName
ThreadId
TimeCreated
UserId
Version


measure-command {$KNPASNTLM | Select TimeCreated,ID,RecordID, Message | ft -autosize | out-file -encoding ASCII knpasntlm.ASCII.txt}
Days              : 0
Hours             : 0
Minutes           : 6
...


Now we have a file we can look at in Linux, BSD, or Cygwin with wc, less, head, tail, awk, grep, etc.:
[Cygwin]
$ wc -l knpasntlm.ASCII.txt
491392 knpasntlm.ASCII.txt


$ head knpasntlm.ASCII.txt
TimeCreated            Id RecordId Message
-----------            -- -------- -------
1/31/2011 1:31:02 PM 1300        0 TCP: connection 0xfffffa8008e79170 (local=192.168.0.11:1193 remote=74.125.224.23:443) exists. State = EstablishedState. PID = 5776.
1/31/2011 1:31:02 PM 1300        1 TCP: connection 0xfffffa8004489cf0 (local=192.168.0.11:1076 remote=74.125.224.54:443) exists. State = EstablishedState. PID = 5776.
1/31/2011 1:31:02 PM 1300        2 TCP: connection 0xfffffa8004531cf0 (local=192.168.0.11:1037 remote=74.125.127.100:80) exists. State = CloseWaitState. PID = 4376.
1/31/2011 1:31:02 PM 1202        3 IP: Interface rundown: Index = 1, Linkspeed = 0 bps, PhysicalMediumType = NdisPhysicalMediumUnspecified, IP Address = 127.0.0.1   .
1/31/2011 1:31:02 PM 1202        4 IP: Interface rundown: Index = 12, Linkspeed = 54000000 bps, PhysicalMediumType = NdisPhysicalMediumNative802_11, IP Address = 192.168.0.11   .
1/31/2011 1:31:02 PM 1202        5 IP: Interface rundown: Index = 1, Linkspeed = 0 bps, PhysicalMediumType = NdisPhysicalMediumUnspecified, IP Address = 0.0.0.0 (Ignore IPv4 address), IPv6 address...
1/31/2011 1:31:02 PM 1202        6 IP: Interface rundown: Index = 12, Linkspeed = 54000000 bps, PhysicalMediumType = NdisPhysicalMediumNative802_11, IP Address = 0.0.0.0 (Ignore IPv4 address), IPv...


$ tail knpasntlm.ASCII.txt
1/31/2011 7:53:22 PM    0   491379
1/31/2011 7:53:22 PM    0   491380
1/31/2011 7:53:22 PM    0   491381
1/31/2011 7:53:22 PM    0   491382
1/31/2011 7:53:22 PM    0   491383
1/31/2011 7:53:22 PM    0   491384
1/31/2011 7:53:22 PM    0   491385
1/31/2011 7:53:22 PM    0   491386


$ grep connection knpasntlm.ASCII.txt  | wc -l
150079


$ grep connection knpasntlm.ASCII.txt  | less
1/31/2011 1:31:02 PM 1300        0 TCP: connection 0xfffffa8008e79170 (local=192.168.0.11:1193 remote=74.125.224.23:443) exists. State = EstablishedState. PID = 5776.
1/31/2011 1:31:02 PM 1300        1 TCP: connection 0xfffffa8004489cf0 (local=192.168.0.11:1076 remote=74.125.224.54:443) exists. State = EstablishedState. PID = 5776.
1/31/2011 1:31:02 PM 1300        2 TCP: connection 0xfffffa8004531cf0 (local=192.168.0.11:1037 remote=74.125.127.100:80) exists. State = CloseWaitState. PID = 4376.
1/31/2011 1:31:19 PM 1158      682 TCP: connection 0xfffffa8004489cf0 delivery 0xfffffa8004489e50 satisfied 0x35 bytes 0x17a requested. IsFullySatisfied = 0. RcvNxt = 2280417497.
1/31/2011 1:31:19 PM 1074      685 TCP: connection 0xfffffa8004489cf0: Received data with number of bytes = 53. ThSeq = 2280417497.
1/31/2011 1:31:19 PM 1156      686 TCP: connection 0xfffffa8004489cf0, delivery 0xfffffa8004489e50, Request 0xfffffa80040fb1a0  posted for 0x145 bytes, flags = 0. RcvNxt = 2280417550.
1/31/2011 1:31:45 PM 1158     1097 TCP: connection 0xfffffa8004489cf0 delivery 0xfffffa8004489e50 satisfied 0x35 bytes 0x145 requested. IsFullySatisfied = 0. RcvNxt = 2280417550.
1/31/2011 1:31:45 PM 1074     1100 TCP: connection 0xfffffa8004489cf0: Received data with number of bytes = 53. ThSeq = 2280417550.
....


$  grep -f search knpasntlm.ASCII.txt  | grep received | awk -F":" {'print $5'} | awk {'print $3'} | sort -nr | uniq -c | sort -nr | less
   2416
   1696 192.168.0.15
   1403 192.168.0.11
    586 224.0.0.252
    527 67.192.97.131
    403 74.125.224.54
    333 74.125.127.83
    313 74.125.53.19
    227 192.168.0.255
    174 74.125.155.191
    132 184.73.205.16
    128 74.125.127.17
    120 239.255.255.250
    107 208.71.123.76
    103 96.17.109.9
....
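The Cygwin pipeline above recovers endpoints from the ASCII export with awk field positions. As an added example (not code from the post), the following Powershell does the same roll-up directly on the event objects, parsing the "TCP: connection ... exists" messages (event Id 1300 in the listing above) into local/remote endpoints and owning PID and grouping by process and remote address. The messages are constructed samples in the same shape as the page's output; the Get-TcpConnectionsFromEtl function shows how the same parser attaches to a real .etl file and is not exercised by the sample run.

```powershell
# Added example (not from the original post): extract the endpoints from the
# "TCP: connection ... exists" trace messages (event Id 1300 in the listing above)
# and roll them up by owning process and remote address.
# The messages below are constructed samples in the same shape as the page's output.

$sampleMessages = @(
    'TCP: connection 0xfffffa8008e79170 (local=192.168.0.11:1193 remote=74.125.224.23:443) exists. State = EstablishedState. PID = 5776.',
    'TCP: connection 0xfffffa8004489cf0 (local=192.168.0.11:1076 remote=74.125.224.54:443) exists. State = EstablishedState. PID = 5776.',
    'TCP: connection 0xfffffa8004531cf0 (local=192.168.0.11:1037 remote=74.125.127.100:80) exists. State = CloseWaitState. PID = 4376.',
    'TCP: connection 0xfffffa8004489cf0: Received data with number of bytes = 53. ThSeq = 2280417497.'
)

function ConvertFrom-TcpConnectionMessage {
    param([string]$Message)
    # Only the "connection ... (local=... remote=...) exists" messages carry endpoints;
    # anything else (delivery and received-data events) yields no object.
    $pattern = 'connection (?<handle>0x[0-9a-f]+) \(local=(?<lip>[^:]+):(?<lport>\d+) remote=(?<rip>[^:]+):(?<rport>\d+)\) exists\. State = (?<state>\w+)\. PID = (?<pid>\d+)\.'
    if ($Message -match $pattern) {
        New-Object PSObject -Property @{
            Handle     = $Matches['handle']
            LocalIP    = $Matches['lip']
            LocalPort  = [int]$Matches['lport']
            RemoteIP   = $Matches['rip']
            RemotePort = [int]$Matches['rport']
            State      = $Matches['state']
            OwnerPid   = [int]$Matches['pid']
        }
    }
}

function Get-TcpConnectionsFromEtl {
    # Reads a real trace. Filtering on Id before touching Message keeps the work small,
    # and the objects keep the full text, whereas the Format-Table export above truncates
    # long messages (the "IPv6 address..." lines). -Oldest is required for .etl files.
    param([string]$Path)
    Get-WinEvent -Path $Path -Oldest |
        Where-Object { $_.Id -eq 1300 -and $_.Message -like 'TCP: connection*' } |
        ForEach-Object { ConvertFrom-TcpConnectionMessage -Message $_.Message }
}

$connections = $sampleMessages | ForEach-Object { ConvertFrom-TcpConnectionMessage -Message $_ }

# Which process talks to which remote endpoint, and how often: the Powershell
# equivalent of the sort | uniq -c roll-up done in Cygwin above.
$connections |
    Group-Object -Property OwnerPid, RemoteIP, RemotePort |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

On the sample messages the fourth line (a received-data event) is dropped by the parser and the remaining three connections produce one group each; on a real trace the same grouping gives a per-process list of remote endpoints that can be compared against the rule-sets from the firewall post. Replace `$connections = ...` with `Get-TcpConnectionsFromEtl -Path 'NetTrace.etl'` to run it against the capture discussed above.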


To be continued...

How to make a DIY Phone Charger Stand using Tennis Balls



This is a pretty simple project for making a phone charger stand out of tennis balls. It can be used for just about any type of phone with any type of charger.


Geeky News - Bing copies Google. Just one more reason why I use Google

If you want to do a search for something online, you google it. You don't bing it. That just sounds bad (and perhaps inappropriate). Google has been the search engine giant for over the past decade. Other search engines have been trying to play catch up, and some have done relatively well. Microsoft announced bing.com not too long ago, and it has been doing quite well. Not well enough though for bing to succeed without piggybacking off Google.

Google had been suspecting bing of copying their search engine results, so they set up a trap to see whether or not they were right. They were.

By setting up specific results for some gibberish text, they were able to find that bing yielded the same results.  The text "mbzrxpgjys" normally would not bring up any results, but Google set it up so that it would. Then all of a sudden, it started showing up in bing as well.

Interesting. I think I will keep using Google.

Other Articles:
http://www.worldnewsinsight.com/hiybbprqag-and-mbzrxpgjys-catches-microsoft-out/5469/
http://news.oneindia.in/2011/02/02/microsoft-bing-copy-google-search-result-accuse-aid0102.html

Make your Designs Better by having better fonts



One of the simplest ways to improve any design is by using a well-designed font. Fontsquirrel.com is perhaps the best place I have seen to get fonts that are free for commercial use. This is definitely a site you will want to bookmark.

The site is clean and well designed and makes it easy to browse for whatever font you need. Before you tackle your next design, hop on over to Font Squirrel to see if there is a font that will work for your design.