Sunday, 31 October 2004

Thoughts on NetBSD's New Logo

In other BSD news, NetBSD announced their new logo, pictured at left. Slashdot discussed the new logo, with the consensus being it is "uninspired," "corporate," and not "fun." I am not surprised that a tech crowd would think this way. One post broke from this trend by saying: "If you're trying to get people interested in your product, the first rule is don't offend people. Like it or not, there are folks out there who don't understand the difference between daemon and demon." I agree with this. I also found it fairly juvenile that Slashdot's...

FreeBSD 5.3-RC2 Released

The availability of FreeBSD 5.3-RC2 was just announced. The release engineer says "if no more show-stopper problems are found this will be the last test release done before 5.3-RELEASE." I intend to test this at work tomorrow morning. The release engineering team is doing everything they can to make this...

Using A Digital Camera with FreeBSD

I decided to try to get my Canon PowerShot S40 digital camera working with my FreeBSD laptop. I found that plugging in the USB cable only yielded this entry in /var/log/messages:

ugen0: Canon Inc. PowerShot S40, rev 1.10/0.01, addr 2

The ugen driver provides support for all USB devices that do not have a special driver, according to its man page. Running usbdevs showed the camera connected to the laptop:

sudo usbdevs -dv
Controller /dev/usb0:
addr 1: full speed, self powered, config 1, UHCI root hub(0x0000), Intel(0x0000), rev 1.00
 uhub0
  port 1...

Friday, 29 October 2004

Former Foundstone Consultants Create New Firm

Earlier this month McAfee completed its acquisition of Foundstone. Previously I reported that several early refugees from Foundstone, led by Kevin Mandia, founded Red Cliff Consulting. Now a faction led by another former Foundstone director, Clinton Mugge, has created C-Level Security. Whereas Red Cliff focuses on computer forensics and incident response, C-Level concentrates on prevention-oriented services like vulnerability assessments and network...

Thursday, 28 October 2004

Best Practices Chapter Now Online

In an arrangement with SearchSecurity.com and Addison-Wesley, chapter 11 of The Tao of Network Security Monitoring: Beyond Intrusion Detection is now available online. Although the chapter discusses "Best Practices," typically a boring management concept, I managed to include several packet trace-driven case studies. Chapter 11 joins the foreword, chapter 2, and chapter 10 as being available onli...

Wednesday, 27 October 2004

Red Sox Win!

...

PHK's Insights on Open Source Development

As an open source user and advocate, and especially as a FreeBSD user, I found this interview with Poul-Henning Kamp fascinating. PHK recently became famous for requesting and receiving funding from the community for FreeBSD development. PHK describes what it's like to be self-employed and working alone: "[I]t is a mixed blessing for me. The situation is not as much a bold 'I answer to nobody!' as a worried 'Shit! I'm all alone...' Normally then, as self-employed, you have the separation from your customers, some kind of contract where you can draw...

MySQL 4.1 Now "Generally Available"

I read at OSNews.com that MySQL 4.1 is now Generally Available (GA). MySQL.com also issued a press release. GA status means the MySQL development team considers the software stable enough for production use. Previously MySQL 4.0 was the GA release and 3.23 was considered "Recent; still supported." Currently both MySQL 4.0 and 4.1 are GA, with 4.1 "recommended" over 4.0. The bleeding edge of MySQL development is 5.0, which is alpha code. When I began writing Sguil installation docs, I advocated using MySQL 4.0. One of the advantages of MySQL...

Will Compromises at Universities Aid Security Research?

Last year I reported my experiences attending the 2003 International Symposium on Recent Advances in Intrusion Detection, also known as RAID. Many briefers complained that their security research suffered due to a lack of good data. For example, intrusion detection analysts usually relied on the 1999 DARPA Intrusion Detection Evaluation data. Data like this may be sanitized for analysis by researchers, but it pales in comparison to watching live traffic from production networks. Several recent events may give security researchers the data they need....

Friday, 22 October 2004

New Tao of NSM Review

I just read a review of The Tao of Network Security Monitoring by the acclaimed network information site Firewall.cx. From the review: "Every once in a while you come across a book that really opens your eyes. One that talks in-depth about something completely different. Unfortunately, most technical IT books are rehashes of a bunch of papers and tutorials off the net, and you often wonder whether the time you spent reading the book would have been better spent on google. The Tao of Network Security Monitoring is not one of these books. It is...

Ed Skoudis Reports on Anti-Virus Vendor Support

The October 2004 issue of Information Security Magazine offers an excellent study by Ed Skoudis. I saw Ed speak at a Computer Associates sales pitch a few weeks ago and he gave me a preview of the new article. Now the whole study is available online. In Ed's words: "As a follow-up to our technical review of desktop AV products, Information Security investigated the state of the AV industry's customer support, putting five vendors to the test: Computer Associates, McAfee, Symantec, Sophos and Trend Micro. We graded each on the entire support...

Thursday, 21 October 2004

Dual-boot FreeBSD 5.3 and Windows 2000

For my testing of FreeBSD 5.3 before it's available as a RELEASE, I decided to work on dual-booting it with Windows 2000. I did not want to use any third-party boot loaders unless absolutely necessary. I preferred to use the FreeBSD boot loader, as FreeBSD is the primary OS on my ThinkPad A20p. Unfortunately, I could not figure out a way to overcome the different ways Windows and FreeBSD see disk geometry while using the FreeBSD boot loader. The following describes how to dual-boot FreeBSD 5.3 and Windows 2000 with Windows in the Master Boot...

Improving Windows Baselining with Tlist.exe

Several people provided feedback on my Simple Post-Installation Baselines on Windows blog entry. First, Beau Monday reminded me of his FirstOnScene incident response scripts. I haven't tried these out, but you might want to see if they make life easier for your first responders. Second, Harlan Carvey pointed out the program tlist.exe shipped with the Debugging Tools for Windows. This is apparently not the same tlist.exe found on some Windows systems. You can obtain tlist.exe by downloading and installing the debugging tools, and then copying...

Tuesday, 19 October 2004

Benefits of Short Term Incident Containment

One of the regulars in the #snort-gui IRC channel of irc.freenode.net asked me the following question via email. This is an excerpt, and my response follows: "I am very interested to hear your insight on the topic of 'incident containment' via TCP resets... I am concerned about whether or not incident containment should even be used. From a purely technical standpoint it seems like 'Sure, it's better than just leaving the connection live. It's helping...
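The reset-based containment the question asks about, shown as an added example that is not the post's own code and not Snort's or Sguil's: a passive sensor that wants to tear down a connection it is only watching has to spoof a RST toward each endpoint, and each RST has to carry a sequence number that endpoint will accept, otherwise it is silently dropped. The addresses, ports and captured request below are constructed, and the raw-socket send is left out; the code builds the two resets from one observed data segment, verifies their checksums the way a receiving stack would, and applies the acceptance rule.

```python
"""
Build the TCP reset segments a passive sensor would inject to tear down an
observed connection, and check whether an endpoint would accept them.
Added example for this post; not code from Snort, Sguil or the post itself.
Addresses, ports and the captured request below are constructed.
"""
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_segment(src, dst, sport, dport, seq, ack, flags, win=0, payload=b"", ttl=64):
    """Return a raw IPv4 packet carrying a TCP segment, both checksums filled in."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, ttl, socket.IPPROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_segment(pkt: bytes) -> dict:
    """Decode the IPv4/TCP fields a sensor needs from an observed packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "win": win, "payload_len": len(tcp) - (off >> 4) * 4}


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Verify the TCP checksum the way the receiving stack does (sum must fold to zero)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return inet_checksum(pseudo + tcp) == 0


def containment_resets(seen: dict):
    """
    From one observed data segment A -> B, build the two resets a sensor injects:
      to B, spoofing A: seq = A's seq + payload length (what B expects next)
      to A, spoofing B: seq = the ACK A just sent (what A expects next)
    The sensor has to have seen recent traffic to pick these numbers at all.
    """
    to_b = build_segment(seen["src"], seen["dst"], seen["sport"], seen["dport"],
                         (seen["seq"] + seen["payload_len"]) & 0xFFFFFFFF, 0, RST)
    to_a = build_segment(seen["dst"], seen["src"], seen["dport"], seen["sport"],
                         seen["ack"], 0, RST)
    return to_b, to_a


def rst_acceptable(rst_seq: int, rcv_nxt: int, rcv_wnd: int, strict: bool = False) -> bool:
    """
    RFC 793 accepts a RST whose sequence number falls anywhere in the receive
    window. Hosts implementing RFC 5961 (strict=True) only accept an exact match
    to RCV.NXT and answer other in-window resets with a challenge ACK.
    """
    if strict or rcv_wnd == 0:
        return rst_seq == rcv_nxt
    return (rst_seq - rcv_nxt) & 0xFFFFFFFF < rcv_wnd


# Constructed: the sensor sees a client's HTTP request on its way to a server.
OBSERVED = build_segment("10.1.1.5", "10.1.1.10", 3421, 80, seq=1000, ack=5000,
                         flags=PSH | ACK, win=16384, payload=b"GET / HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    seen = parse_segment(OBSERVED)
    for label, pkt in zip(("to server", "to client"), containment_resets(seen)):
        p = parse_segment(pkt)
        print(label, p["src"], p["sport"], "->", p["dst"], p["dport"],
              "seq", p["seq"], "checksum ok:", tcp_checksum_ok(pkt))
```

The acceptance check is where short-term containment falls down in practice: the endpoint drops an out-of-window reset without comment, the sensor is racing the real peer for the sequence space, and the RFC 5961 behaviour that later stacks adopted makes anything but an exact RCV.NXT guess fail.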

Monday, 18 October 2004

FreeBSD 5.3-RC1 Released

FreeBSD 5.3-RC1 just appeared on the FreeBSD FTP servers. I was hoping to see it soon after the schedule was updated. If only one Release Candidate is built (as planned), then we might see 5.3 RELEASE in about a week. After seven BETAs were produced, I expect we'll have an RC2 as well. I imagine 5.3 RELEASE will appear the first week of November, as the release engineers have high standards for this FreeBSD version. With 5.3 the STABLE tag will...

Saturday, 16 October 2004

Simple Post-Installation Baselines on Windows

I just finished setting up a new Windows XP SP2 system on a Shuttle SB52G2 for my wife. This box screams compared to the 1998-era PII 333 MHz tower it replaced. Now that the installation is done and I've loaded all the software we expect to use on the system and all appropriate patches, I've taken a few simple steps to record a baseline configuration. I use the free PsTools suite from SysInternals.com to record key aspects of the operating system and installed software. Here are the tools I run and sample output for each. All of this information...
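One way to act on such a baseline, and on the fuller per-process detail the tlist.exe follow-up post adds, shown as an added example rather than either post's own procedure: keep the captured process list, take a fresh one later, and diff on image name and path rather than on PID, since PIDs change on every boot. The snapshot format and the two snapshots below are constructed (a simplified name|pid|path|command line layout, not the real output of pslist.exe or tlist.exe), and the list of image names that should only run from the system32 directory is an assumption.

```python
"""
Compare a post-installation process baseline with a later snapshot and flag
the drift that matters: new images, familiar image names that appear at a new
path, and core system image names running outside the system32 directory.
Added example for the two baselining posts; not the posts' own scripts. The
snapshot format (name|pid|image path|command line, one process per line) is a
constructed simplification of what pslist and tlist report, not their layout.
"""
import ntpath
from collections import namedtuple

Proc = namedtuple("Proc", "name pid path cmdline")

SYSTEM_DIR = r"c:\windows\system32"
# Core image names that should never run from anywhere else (assumed list).
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}


def parse_snapshot(text):
    """Key each process by (image name, path), lowercased. PIDs change on every
    boot, so they are kept for reporting but left out of the key."""
    procs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, pid, path, cmdline = line.split("|", 3)
        procs.setdefault((name.lower(), path.lower()), []).append(Proc(name, int(pid), path, cmdline))
    return procs


def diff_baseline(baseline, current):
    """What is new, what is gone, and which new entries reuse a baseline image name."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    known_names = {name for name, _ in baseline}
    new_location = [key for key in added if key[0] in known_names]
    return {"added": added, "removed": removed, "new_location": new_location}


def suspicious_locations(current):
    """Core system image names running outside the system directory."""
    return sorted((name, path) for name, path in current
                  if name in SYSTEM_ONLY and ntpath.dirname(path) != SYSTEM_DIR)


def report(baseline_text, later_text):
    """Run both checks and return one dict of findings."""
    base, later = parse_snapshot(baseline_text), parse_snapshot(later_text)
    result = diff_baseline(base, later)
    result["suspicious"] = suspicious_locations(later)
    return result


# Constructed snapshots: the baseline taken right after installation, and a
# later one in which a second svchost.exe has appeared under C:\Windows\Temp.
BASELINE = r"""
smss.exe|464|C:\Windows\System32\smss.exe|\SystemRoot\System32\smss.exe
csrss.exe|520|C:\Windows\System32\csrss.exe|C:\Windows\system32\csrss.exe ObjectDirectory=\Windows
winlogon.exe|544|C:\Windows\System32\winlogon.exe|winlogon.exe
services.exe|588|C:\Windows\System32\services.exe|C:\Windows\system32\services.exe
lsass.exe|600|C:\Windows\System32\lsass.exe|C:\Windows\system32\lsass.exe
svchost.exe|760|C:\Windows\System32\svchost.exe|C:\Windows\system32\svchost -k rpcss
explorer.exe|1204|C:\Windows\explorer.exe|C:\Windows\Explorer.EXE
"""

LATER = r"""
smss.exe|468|C:\Windows\System32\smss.exe|\SystemRoot\System32\smss.exe
csrss.exe|524|C:\Windows\System32\csrss.exe|C:\Windows\system32\csrss.exe ObjectDirectory=\Windows
winlogon.exe|548|C:\Windows\System32\winlogon.exe|winlogon.exe
services.exe|592|C:\Windows\System32\services.exe|C:\Windows\system32\services.exe
lsass.exe|604|C:\Windows\System32\lsass.exe|C:\Windows\system32\lsass.exe
svchost.exe|772|C:\Windows\System32\svchost.exe|C:\Windows\system32\svchost -k rpcss
svchost.exe|1812|C:\Windows\Temp\svchost.exe|C:\Windows\Temp\svchost.exe -k netsvcs
explorer.exe|1216|C:\Windows\explorer.exe|C:\Windows\Explorer.EXE
putty.exe|1900|C:\Program Files\PuTTY\putty.exe|C:\Program Files\PuTTY\putty.exe
"""

if __name__ == "__main__":
    for section, entries in report(BASELINE, LATER).items():
        print(section, entries)
```

The PID churn between the two snapshots produces no findings, which is the point of keying on name and path; the second svchost.exe shows up three times over (new image, known name at a new path, core name outside system32) so that a reviewer reading only one of the three lists still sees it.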

Wednesday, 13 October 2004

Flash Sguil Demo Posted

The Sguil team just posted a trial version of our new Flash Sguil demo. There isn't any sound or text notes yet, but you can watch a user interact with the Sguil console on a Windows system. The user shows how to investigate alerts, generate transcripts, launch Ethereal, categorize events, and query for session data. The demo lasts a few minutes and shows some of what Sguil 0.5.2 can do. Provide any feedback to sguil-users at lists dot sourceforge...

Article in Nov 04 Dr. Dobb's Journal

The November 2004 issue of Dr. Dobb's Journal features an Addison-Wesley-sponsored article I wrote titled Considering Convergence? (.pdf). I wrote it as an elaboration of thoughts I posted to focus-ids two months ago: "I argue against 'convergence' between products doing 'detection' and those doing 'protection.' Too many people focus on detecting attacks when really they should be detecting failures in protection caused by poor access control, exposure of vulnerable targets, and misconfiguration. This means the IDS remains a network audit device...

Tuesday, 12 October 2004

Thoughts on Microsoft's Latest Security Bulletin

Microsoft's October 2004 security bulletins were released today. Some of the guys in #snort-gui were shocked that the bulletins ranged from MS04-029 to MS04-038. An astute Slashdot post notes that only one vulnerability, MS04-038, affects Windows XP SP2. The XP SP2 weakness is referred to as the drag-and-drop vulnerability, as it allows intruders to install programs through malicious Web pages rendered by Internet Explorer. This reminds me of a saying...

Playing with Hping3 alpha-2

O'Reilly recently featured an interview with Hping author Salvatore Sanfilippo titled Network Tool Development with hping3. Hping is a packet crafting tool with a long lineage. I recommend reading the interview if you'd like background on Hping and what the developer formerly known as antirez is doing. I downloaded hping3-alpha-2.tar.gz to a system running FreeBSD 5.3 BETA1 and gave it a try. Before extracting and installing the new Hping3, you...

Thursday, 07 October 2004

Three Developments in Snort Community

Three noteworthy events have occurred in the Snort community during the last few weeks. First, Kevin Johnson has forked the ACID (Analysis Console for Intrusion Databases) project due to a lack of formal releases by Roman Danyliw. Kevin announced his new Basic Analysis and Security Engine (BASE) project last month. I don't think ACID provides the information needed to collect, analyze, and escalate indications and warning to detect and respond to intrusions. For that, check out Sguil. The fork is good news for the people who use ACID and expect...

Tuesday, 05 October 2004

Ranum on Secure Code

I just read an interesting article by Marcus Ranum titled Security: The root of the problem. Marcus makes some very good observations: "We're stuck in an endless loop on the education concept. We've been trying to educate programmers about writing secure code for at least a decade and it flat-out hasn't worked. While I'm the first to agree that beating one's head against the wall shows dedication, I am starting to wonder if we've chosen the wrong wall. What's Plan B?" Marcus' "Plan B" is trying to add more security checking at compile-time, or...

Latest Helix Release Features Sguil Client

I wrote about Helix in August. Helix is a Knoppix-based live CD. Drew Fahey at e-fense added the 0.5.2 version of the Sguil client to Helix. This means you can boot the Helix live CD and launch Sguil to connect to our demo server at demo.sguil.net. Although the client installation on UNIX is still difficult (due to the number of libraries and applications needed beyond most people's default installations), the Windows Sguil client installation is fairly simple. I documented the process for an older version last year, but the process is still...

Monday, 04 October 2004

Last FreeBSD 5.3 BETA Released

A few hours ago Scott Long announced the availability of FreeBSD 5.3-BETA7, the presumed last BETA in the 5.3 release cycle. The schedule has not yet changed to reflect this new BETA. Although only one release candidate (RC1) is planned, I would not be surprised to see an RC2 or maybe even an RC3. Since FreeBSD 5.3 will be the first version of the 5.x tree marked STABLE, the release engineering team wants 5.3 to be the best FreeBSD version to date....