Friday, 31 December 2004

Thank You for a Strong Year

The image above comes from my Sitemeter blog statistics page. I'd like to thank all of my readers for making the TaoSecurity Blog part of their Internet experience. We've had about 337 posts this year, on a range of subjects. Our two year anniversary will happen January 8th. I'd also like to thank those of you who have been reading my Amazon.com book reviews and voting them "useful." I receive no monetary compensation for any book reviews done...

Thursday, 30 December 2004

Review of Building Firewalls with OpenBSD and PF Posted

Amazon.com just posted my five star review of Building Firewalls with OpenBSD and PF. From the review: "I was an early buyer of the first edition of 'Building Firewalls with OpenBSD and PF' (BFWOAP), but I am confident my opinion applies to the second edition as well. BFWOAP is the perfect book for anyone looking to build a firewall with Pf. Since Pf is now part of FreeBSD, NetBSD, and DragonFly BSD, this book will be helpful to anyone looking to...

Wednesday, 29 December 2004

Today's ISC Handler's Diary Is Partially Right, and Then Completely Wrong

I read the following in today's Internet Storm Center Handler's Diary: "Pay attention, you’re about to read something vitally important: COMPUTERS ARE NOT APPLIANCES. THEY ARE TOOLS. Tools require that their user be skilled. Tools require education and training to use. Tools require a level of involvement beyond that of an appliance because 'tool use' carries with it an inherent danger... [O]ver the past decade, the computer industry has deliberately ignored the nature of its product. It has attempted to grind off the sharp edges, to put padding...

Tuesday, 28 December 2004

Review of The Unabridged Pentium 4 Posted

Amazon.com just published my four star review of The Unabridged Pentium 4: IA32 Processor Genealogy. From the review: "Page 1 of 'The Unabridged Pentium 4' (TUP4) claims 'there is real value in understanding how the architecture has grown over the years,' where the 'architecture' is the IA-32 register set, instruction set, and software exceptions. If you accept this premise, you will find TUP4 to be a valuable book. If you are looking for detail...

Sunday, 26 December 2004

UNIX History in Detail

I just finished reading the primary two parts of an advocacy piece called Elements of Operating System and Internet History: A FreeBSD Rationale. It appears to be self-published by the author, Bruce Montague. Dru Lavigne made me aware of this work in her blog. The first 64 pages are divided between a 22 page "FreeBSD Executive Summary" and 42 pages on "Unix History, Open Source, and FreeBSD." The third section, which I plan to browse later, consists...

FreeBSD Foundation Exceeds Its Goals

I'd like to thank everyone who donated to the FreeBSD Foundation. In less than five days we raised almost $40,000! That's simply amazing. Check back in with the Foundation in January when their Web site is redesign...

Saturday, 25 December 2004

Review of Introduction to Microprocessors and Microcontrollers Posted

Amazon.com just posted my four star review of Introduction to Microprocessors and Microcontrollers. From the review: "I reviewed the 1998 edition of this book, 'Introduction to Microprocessors,' (ITM) about a year ago. I gave that book five stars for bringing the internal workings of CPUs within the reach of the computer layman. This new 2004 edition, 'Introduction to Microprocessors and Microcontrollers,' (ITMAM) isn't quite the update I expected,...

Friday, 24 December 2004

Try Identity Vector for Your Web Hosting Needs

Last month I switched my TaoSecurity.com Web-hosting provider to IdentityVector Solutions. The owner is a fellow US Air Force Academy graduate and a colleague at my day job with ManTech. Phil has the following to say about his offering: "IdentityVector Solutions (IVS) provides customized Linux-based web and email hosting services, primarily to small- and medium-scale clients. Rather than providing "cookie-cutter" package solutions that include options many clients would not need, our clients pick a complement of individual services that will...

TaoSecurity.com Exclusive: Keeping FreeBSD Applications Up-To-Date

I am happy to announce the publication at TaoSecurity.com of Keeping FreeBSD Applications Up-To-Date. This is the sequel to my article Keeping FreeBSD Up-To-Date. The new article takes the same case-based approach I used in the first paper. The article's sections include: Introduction; Installation Using Source Code; Installation Using the FreeBSD Ports Tree; Installation Using Precompiled Packages; Updating Applications Installed from Source Code; Updating...

Thursday, 23 December 2004

Details on the Snort DoS Condition

You may have heard of an exploit for a denial of service condition in Snort. In short, according to Snort.org, "You are only vulnerable if you are running snort with "FAST" output (which isn't very fast) or in verbose mode... Using barnyard? Using snortdb? You are not vulnerable."

Exploit code is here: http://www.k-otik.com/exploits/20041222.angelDust.c.php

Lurking in #snort and #snort-gui on irc.freenode.net, I learned the following about this vulnerability by listening to Marty. I hope he doesn't mind being quoted in the hopes of getting this...

Nedit: Simple, Mouse-driven GUI Text Editor

I don't install desktops like Gnome or KDE on my workstations, so I try to avoid graphical applications that have a lot of dependencies. However, when I write articles, I try to avoid composing them in vi. I find vi is fine for editing configuration files or Web pages, but I like to be able to select text with a mouse when composing large articles. Previously I installed Gedit, a Gnome application that ends up carrying a lot of baggage with it. Today on one of my workstations I removed Gedit and as much else as I could using pkg_cutleaves. ...

Tuesday, 21 December 2004

Understanding Tcpdump's -d Option, Part 2

In September I referenced a post by libpcap guru Guy Harris explaining output from Tcpdump's -d switch. After looking at the original 1992 BSD Packet Filter (.pdf) paper and the subsequent 1999 BPF+ (.ps) paper, I understand the syntax for the compiled packet-matching code generated by the tcpdump -d switch. For example:

    fedorov:/usr/local/etc/nsm# tcpdump -n -i em1 -d tcp
    tcpdump: WARNING: em1: no IPv4 address assigned
    (000) ldh      [12]
    (001) jeq      #0x86dd          jt 2    jf 4
    (002) ldb      [20]
    (003) jeq      #0x6             jt 7    jf...

Help FreeBSD Foundation Retain Non-profit Status

The FreeBSD Foundation's new quarterly newsletter reports that maintaining non-profit 501(c)3 status (http://www.irs.gov/charities/charitable/) requires donations totaling US$30,400 by 31 Dec 04. While it's technically possible to retain non-profit status without those donations, the appeal process "can be a lengthy and expensive ordeal." Can the FreeBSD community meet the goal by donating via PayPal (click on the "donate" image)? I...

Monday, 20 December 2004

Book Reviews and Citations

I am happy to report a few more satisfied book reviewers. First, thank you to security sage Rik Farrow for his December 2004 USENIX ;login review (.pdf). Second, I'd like to thank David Bianco for his December 2004 Information Security magazine book review (published at InfoSecBooks.com). David is the same David Bianco featured in this priceless 1995 newspaper article titled Computer Security: "Gotta Be Sneaky". In the article David advocates the importance of computer security. Unfortunately, a member of his audience disagreed: "[Name censored...

Review of The Hacker Ethic Posted

Amazon.com just posted my three star review of The Hacker Ethic. From the review: "I bought and read this book because I enjoy reading about hacker history and culture. When I started, I simply read and flipped pages, thinking I wouldn't find much of deep importance. After about 20 pages I was extremely interested in the book and started underlining the author's main points. By chapter 5, and especially in chapter 6, the author lost my attention...

Saturday, 18 December 2004

Upgrading to the New Java Patchset

Last month I described how I installed Java on my production server and laptop. Today my Portupgrade run showed that my JDK was out-of-date:

    jdk-1.4.2p6_7  <  needs updating (port has 1.4.2p7)

Sure enough, a visit to freshports.org/java/jdk14 showed a new patchset, number 7, was released at EyesBeyond.com. Prior to updating, here's how my Java version reported itself:

    orr:/home/richard$ java -version
    java version "1.4.2-p6"
    Java(TM)...

Review of Building Open Source Network Security Tools Posted

Amazon.com just posted my five star review of Mike Schiffman's Building Open Source Network Security Tools. From the review: "Books on hacking, cracking, exploiting, and breaking software seem to get all of the attention in the security world. However, we need more works like Mike Schiffman's 'Building Open Source Network Security Tools' (BOSNST). I regret having waited so long to read BOSNST, but I'm glad I did. Schiffman's book is for people who...

Northern Virginia BSD Users Group?

I was approached by a member of the NYC BSD Users Group recently. He asked if there was a DC area BSD users group. That got me thinking... are any readers interested in participating in a northern Virginia BSD users group? If you are, email me at taosecurity at gmail dot com. I might also post to some mailing lists, but it would be nice to get a head start here. Thank y...

Friday, 17 December 2004

Open Vulnerability Assessment Language

Jay Beale's excellent new article "Big O" for Testing brought MITRE's Open Vulnerability Assessment Language project to my attention. I didn't understand how this project was different from MITRE's Common Vulnerabilities and Exposures project until I looked at OVAL's details. Consider CAN-2003-1048. This is Microsoft Security Bulletin MS04-025, which described multiple problems with vulnerable versions of Internet Explorer. If you look at the CVE entry, you'll see the following information:

    - Name: CAN-2003-1048 (under review)
    - Description:...

Ripping Into ROI

In April I wrote Calculating Security ROI Is a Waste of Time. The latest print issue of Information Security magazine features a story by Anne Saita that confirms my judgement: "If you find executives resisting your security suggestions, try simply removing the term 'ROI' from the conversation. 'ROI is no longer effective terminology to use in most security justifications,' says Paul Proctor, VP of security and risk strategies for META Group. [Paul is also author of the excellent book Practical Intrusion Detection, where he correctly said 'there...

Fedora Available via CVS

Last month I answered PHK's "Why Bother?" with FreeBSD Question. Reason 3 was "3. All FreeBSD source code is available via CVS." Rather than delete the latest issue of Red Hat Magazine, I should have paid attention to the Fedora Status Report. It notes that the Fedora Project CVS Repository is now operational. You can now browse the Core or Extras CVS trees. This is a great development for the Fedora Core community, but it's not the same as what's available for, say, FreeBSD. The Fedora Core CVS gives greater access to the packages available...

Thursday, 16 December 2004

Thoughts on Tenable's Nessus Changes at SearchSecurity.com

Shawna McAlearney of SearchSecurity.com contacted me about recent Nessus developments, meaning Tenable's new licensing deal with NASL scripts. She quotes me in her story Nessus no longer free: "'It is difficult to financially justify releasing the work of a corporate developer to the open source community when that developer is supported by thousands of dollars of equipment, salary and benefits,' said Richard Bejtlich, technical director for the Monitoring Operations Division of ManTech's Computer Forensics and Intrusion Analysis group. 'To do...

Wednesday, 15 December 2004

Cisco Network Analysis Module

It pays to subscribe to trade magazines like Network Computing. Today I read Sean Doherty's Cisco Integrated Services Routers: When Routes Converge. Although his article was a useful introduction to two of Cisco's new products, he mentioned the Cisco Network Analysis Module. I had never heard of such a product. I should have, since Greg Shipley wrote about it in his 2002 article Cisco's Network Analysis Module Fills Monitoring Gap for Switched...

Snort 2.3.0 RC2 Released

Jeremy Hewlett announced the availability of Snort 2.3.0 RC2. This comes about a month after the release of Snort 2.3.0 RC1. Check out the announcement or the CHANGELOG for specifics. Besides bug fixes, there are additional options added to byte_jump. I hope to see this information added to the manual once 2.3 final is releas...

Tuesday, 14 December 2004

3Com Buys TippingPoint

The Register is reporting that 3Com is buying TippingPoint for $430 million. TippingPoint employs 125 people and makes the UnityOne layer 7 firewall... I mean "Intrusion Prevention System." This is huge, since The Register says TippingPoint "reported Q3 2005 revenues of $9.7m (up 44 per cent from $6.7m in Q2 2005) and a net loss of $1.8m for the three months up to October 31." $430 million is a huge multiple. Before I left Texas to join Foundstone in 2002, I was asked to interview at TippingPoint. It looks like their employees made out much...

IPxray Reports on Top Five Vulnerabilities

We all should be familiar with the SANS Top 20 Internet Security Vulnerabilities list, which Paul Vixie rightfully criticized for its inclusion of dated BIND vulnerabilities. Now security firm IPxray has published its top 5 vulnerabilities found in our universe of scanned hosts. This was reported by SearchSecurity.com as well. I find these results useful because they are based on the findings of this security firm and reflect what's happening "in the trenches." Rather than repeat the five here, I recommend checking out the lin...

Winfingerprint 0.6.0 Released

Kirby Kuehl, a Cisco engineer who provided great feedback on my first book, released version 0.6.0 of his Windows enumeration tool Winfingerprint. This tool is very comprehensive and features an exceptionally clean installation process. Note that although the Winfingerprint home page mentions inclusion of a command line version, Kirby is not currently bundling it with the latest release. Above is a screen shot of Winfingerprint running on a Windows...

Sun Thin Client Technology Upgrade

I learned about Sun's new thin client technology by reading a Register story by Ashlee Vance. Sun has released the new Sun Ray 170. This is like the new Apple iMac since it is essentially all screen. To power the new Sun Ray, Sun released Sun Ray Server Software 3. The Sun Ray server can be UltraSPARC-based to run Solaris or it can be an x86 box running Sun's Java Desktop System, Release 2, Red Hat Enterprise Server AS 3 (32-bit), or SuSE Enterprise Linux 8, service pack 3 (32-bit). According to Ashlee's article: "Sun will also be looking...

Monday, 13 December 2004

Review of Embedded FreeBSD Cookbook Posted

Amazon.com just posted my four star review of Embedded FreeBSD Cookbook. From the review: "When I skimmed 'Embedded FreeBSD Cookbook' (EFC) in the bookstore, I was impressed by the amount of general FreeBSD information it contained. Now that I've bought and read it, I'm glad this book caught my eye. Although EFC is somewhat dated by its use of FreeBSD 4.4 (released Sep 01), I learned more about FreeBSD internals. I also gained insights into...

Saturday, 11 December 2004

Review of Inside the Spam Cartel Posted

Amazon.com just posted my five star review of Inside the Spam Cartel. From the review: "Reading 'Inside the Spam Cartel' (ITSC) is like watching a racing car crash; you're horrified to see it happen, but you can't take your eyes off it. ITSC exposes spam from the point of view of the 'enemy' -- a spammer who claims 'you need to be ruthless in this industry if you want to make any money at it' (p. 132). This book is an absolute must-read for anyone...

Friday, 10 December 2004

NetBSD 2.0 Installation Issues

I wanted to install NetBSD 2.0 on a real system, so I called on one of the mightiest boxes in my arsenal to host a new installation. I picked a Dell-built 1996-era Pentium (original, not "Pro") 200 MHz with 32 MB RAM. This box was running Windows 98, and my father-in-law donated it to my collection when he bought a new system. I had multiple problems with this box. First, it has a Sony CDU311 CD-ROM that refused to read the CD on which I had burnt NetBSD 2.0. I created boot floppies and did an FTP install. I missed a crucial part of the partition...

New "Must Read" Security Blog

One of my buddies who's still with Foundstone (now part of McAfee) has started a blog. Aaron Higbee of DCPhoneHome fame, along with some of his well-dressed friends, have begun sharing their knowledge and sense of style at secureme.blogspot.com. They are deep into the assessment side of security, so I'm sure you can pick up a few tricks by regularly visiting their site. I'm afraid these guys look nothing like their "pictures," howev...

April 2004 Sys Admin NSM Article Online

I learned today that my April 2004 Sys Admin article Integrating the Network Security Model is now available online. I've also posted .pdf and .ps versions at my TaoSecurity.com publications page. From the article: "Intrusion detection is a controversial topic. Although intrusion detection systems (IDS) were once hailed as the answer to the shortcomings of firewalls, they are now labeled 'dead' by some market analysts and are threatened by intrusion prevention systems (IPS) and 'deep inspection' firewalls. In this article, I'll look at the detection...

Thursday, 09 December 2004

NetBSD 2.0 Released

NetBSD 2.0 has been released! The last major release was NetBSD 1.6, in September 2002. The last update to the 1.6 branch was 1.6.2, in March 2004. I strongly recommend finding a mirror site close to you. There are even torrents available. I've toyed with NetBSD before, but never in a serious manner. One aspect of the system I'm anxious to try is the well-documented NetBSD pkgsrc system. There is an excellent Web-based interface to the NetBSD packages at pkgsrc.netbsd.se. While there aren't as many NetBSD packages as there are FreeBSD...

Thoughts on Future Microsoft Servers

Robert L. Mitchell reported Microsoft goes to pieces in a recent ComputerWorld article. The article is light on specifics, but the message is interesting: "With the release of Longhorn in 2007, the company has said it will offer 'role-based' versions of Windows in which only the code needed to perform a given function will be included in a particular build of the operating system... Now, rather than simply selling task-specific editions of Windows,...

Pros and Cons of Outsourcing Security Tasks

Jian Zhen of LogLogic wrote two helpful articles for ComputerWorld. The first lists ten benefits of outsourcing security functions, and the second lists seven potential drawbacks. I largely agree with his analysis, particularly concerning the advantages of leveraging centralized security expertise. A managed security service that does nothing but handle security issues all day long has a much higher level of security situational awareness than an overtasked administrator with multiple responsibilities. How is a general purpose administrator...

Wednesday, 08 December 2004

I subscribe to Sys Admin magazine because it offers excellent articles. One that is available online is Bryan Smith's Dissecting PC Server Performance. He explains the major bottleneck issues in traditional CPU architecture and how the AMD Opteron is an improvement. I found the article highly technical yet readable and enlightening. This is a must-read before you buy your next high-load serv...

Nessus Developments

Recently I reviewed the new Syngress Nessus book, after installing Nessus 2.2 using the security/nessus FreeBSD port. Yesterday Tenable Network Security relaunched the Nessus home page. The author of the Nessus vulnerability scanner is Renaud Deraison, who co-founded Tenable and currently serves as Chief Research Officer there. Tenable formally supports the development of Nessus. Along with a sharp new Web design and the release of Nessus 2.2.1, the site announced a new policy on plug-ins. Plug-ins are code written in the Nessus Attack Scripting...

SpecialOpsSecurity.com Ready to Deploy

My buddy Erik Birkholz, fellow ex-Foundstone consultant and author of Special Ops, appears to be shifting more resources to his consultancy, Special Ops Security. I found his company's service datasheet (.pdf) offers several novel services. For example, SOS provides "Pre-Sales Engineers and Deployment Services" and "Security Sales Consultants." They act as hired technical guns, bridging the gap between account executives and customers or sales people and customers. I think this is an excellent resource for clients who need to know the "real...

Tuesday, 07 December 2004

Thoughts on Windows Server 2003 SP1 RC

Microsoft announced that Windows Server 2003 Service Pack 1 Release Candidate is available for testing on non-production servers. I installed it remotely using Rdesktop on a 180 day evaluation copy of Windows Server 2003 with hotfixes installed. The whole process went smoothly, and after a reboot I was still able to connect via Rdesktop and PsExec. Microsoft published Top 10 Reasons to Install Windows Server 2003 SP1, which I found interesting...

Dru Lavigne on Upgrading FreeBSD

Dru Lavigne's latest Blog entry explains her experiences upgrading two systems to FreeBSD 5.3. Her article nicely complements my Keeping FreeBSD Up-To-Date. Over 7,000 of you appear to have already read it. I've made a few tweaks recently, including changing the CVS tag for the FreeBSD 5.3 RELEASE to 5_3_0_RELEASE,...

Sguil 0.5.3 Released

Sguil 0.5.3, the analyst console for Network Security Monitoring, is now available. Updated screenshots are also posted. I'll be tweaking my install guide to reflect the version bump, but the content won't change. I wrote the latest version using a CVS version of Sguil, so it has the same capabilities as 0.5.3. You can read Bamm's release announcement and CHANGES for more information. If you have any questions, join us in #snort-gui at irc.freenode.net....

Monday, 06 December 2004

Enabling DRI on FreeBSD

Last February I wrote of my adventures enabling DRI on my laptop. I already had a few tweaks to my /boot/loader.conf to get sound and AGP working:

    snd_csa_load="YES"
    r128_load="YES"

Using kldstat, I could see what kernel modules were loaded:

    orr:/home/richard$ kldstat
    Id Refs Address    Size     Name
     1   12 0xc0400000 5cdb30   kernel
     2    2 0xc09ce000 7464     snd_csa.ko
     3    3 0xc09d6000 1d4fc    sound.ko
     4    1 0xc09f4000 1520c    r128.ko
     5   14 0xc0a0a000...

FreeSBIE 1.1 Released

I was happy to see that FreeSBIE 1.1 was released today. FreeSBIE is a live CD version of FreeBSD. Version 1.1 offers FreeBSD 5.3 RELEASE as the underlying OS. If you've used Knoppix to get familiar with Linux in a live CD environment, you should give FreeSBIE a try. New for this version are the release announcement, a manual, and the list of packages installed on the live ...

Sunday, 05 December 2004

Review of Nessus Network Auditing Posted

Amazon.com just posted my four star review of Nessus Network Auditing. It's been almost three months since my last book review. I hope to get several more done before the end of the year. It's tough when, as a reviewer, I actually try to read the books I critique. From my review: "'Nessus Network Auditing' (NNA) is the definitive (and only) guide to the Nessus open source vulnerability assessment tool. I recommend all security professionals read...

OpenBSD 3.6 on Soekris Net4801

In June I described a way to install OpenBSD 3.5 on a Soekris Net4801 small form factor system. I followed a similar method today with OpenBSD 3.6, installing from floppy to 2.5 inch HDD on one laptop and then moving the HDD to the Soekris. I had two problems. The first involved not being able to use dd to write the OpenBSD floppy image to the floppy drive. I used this syntax:

    orr:/root# dd if=floppyC36.fs of=/dev/fd0

At one point I got errors from dd. Later I saw these error messages from the kernel:

    fdc0: ready for input in output
    ...repeats...
    fdc0:...

Friday, 03 December 2004

Dru Lavigne Chimes in on "Why Bother?"

FreeBSD author and advocate Dru Lavigne has responded to PHK's "Why Bother?" article. While citing my previous Blog entry on the subject, she made me aware of a freebsd-chat thread discussing project goals. Two users (Chris Pressey and Paul Robinson) asked questions about goals that are similar to my earlier Blog entry. Chris ended up being attacked once he mentioned the "number of backouts and backout requests" to cvs-src as a metric for "the...

Thursday, 02 December 2004

TaoSecurity Blog Under Construction

I'm experimenting with adding a comments feature to the blog. The easiest way to do that was to use a new template. You may see additional changes. Also, links which were previously in this format:

    http://taosecurity.blogspot.com/2004_11_01_taosecurity_archive.html#110129970708337670

now take this format:

    http://taosecurity.blogspot.com/2004/11/using-portsnap-to-update-freebsd-ports.html

The old format appears to still work, however....

Wednesday, 01 December 2004

TaoSecurity.com Exclusive: Keeping FreeBSD Up-To-Date

I am happy to announce the publication at TaoSecurity.com of Keeping FreeBSD Up-To-Date. I wrote this article to answer questions I've received over the past few months on how to apply security fixes to a FreeBSD system. While the official Handbook is excellent, I thought a case-study approach would be enlightening for some readers. I thought it would be interesting to see a box begin life as FreeBSD 5.2.1 RELEASE, and then progress through a...