DVL Mirror Back Up
I just got an email from my web host that I now have unlimited traffic, which means no worrying about overages and no worrying about extra fees. As a result... I've re-enabled the DVL mirror, DVL 1.5 is available here
When I started this site I did something called the daily link list. Back then I had time to gather links of interest articles every morning and share them with some comments. I don't have that kind of free time anymore... but I noticed I've got a number of open tabs and decided it was time to read them and that I might as well share everything that was open.
VMWare Authorization Service Haunted by DoS Vulnerability
This is an interesting one because I've always wondered why VMWare Workstation opens listening ports by default. It just feels like a bad option but given how hectic my day is, I've yet to have time to really play around. I'm glad someone is looking and is starting to show why maybe it isn't necessary. If I were writing malware, I'd be paying attention to these types of attacks and writing my malware to target systems on the network. It might be a little noisy but depending on circumstances it'd be an easy way to eliminate VMs used to analyze malware.
Downtown Santa Rosa eatery damaged in blaze
This isn't something I'd normally even read. It's a shame to lose a business like that... but a coffee shop in Santa Rosa doesn't really affect me. The reason this is open and that I read it though was the mention that Windows Update may possibly be to blame.
To Vendors Everywhere: If your product is driven by a computer, please treat it like a computer... ensure that it can be properly updated and all security patches can be applied. I don't care if it's a CT scan, a coffee roaster or a giant billboard. These systems are just as likely to be affected by a worm and help the malicious software propagate as your accountant's desktop computer and are more likely if you don't update them due to failed interoperability. Make your software work properly and solve the problem!
Another Denial of Service, and while it may simply be my fascination with DoS, I thought this was worth pointing out. The vendor quickly pushed out fixed software. This is the response that I wish we'd see more of from vendors. It's a welcome change.
The Month of Facebook Bugs Report
A wrap up detailing what was found during the month of Facebook bugs. Some of the numbers are interesting and if you haven't seen this, definitely worth the read.
Varkens hacken computersysteem (Pigs computer hacking)
It seems that pigs are smart enough to figure out how to beat RFID sensors... a humorous video to watch.
Snow Leopard guest account bug deletes user data
How could I not include this one? Given the Apple fanboys' love of their product, this simply had to be pointed out. How do you get this far in your operating system and introduce a bonehead bug that wipes out all of a user's data when they log in and then out as Guest? On top of that, how do you fail to resolve the issue in the first update you push for the system? I'd have to say this one takes the cake on stupid bugs of the year.
Windows TCP/IP Denial of Service Attacks (Sockstress)
From what I've seen, no details on the actual sockstress attack have been released before. So for me, this was the first time I'd seen a detailed explanation on the topic. I'm not in a position to verify the validity, but it seems reasonable.
Ont. researchers tout cheap eHealth alternative
For those outside of Ontario, we've spent $1 Billion (with a B) on a secure online medical records system that will connect all the doctors and hospitals. It has come under review and there has been quite a bit of discussion on the overspending. Researchers with a piece of medical records software that is open source say their software could have been used for only $20 Million. I see a big problem when one of the developers of the OSS states that there was no need to build an expensive secure network. This is my health information... I'd much rather see my tax dollars go to building a secure network to share my health records on, than a number of other things it could be spent on. Was there overspending... sure, but what government project doesn't overspend? I also like the comment on OSS being "free from viruses" when compared to the "more common software we're familiar with". How much common software ships with viruses these days? His comment is technically inaccurate for a number of reasons... I know what he meant but that's beside the point... I'm not sure he knows what he meant. It has been proven time and time again that OSS isn't free and that it has operating costs associated with it, many times operating costs that are more expensive than their commercial alternatives. In other words, I don't agree with this article at all.
Thawte discontinues Web of Trust for free SSL certificates
thawte is discontinuing its personal email certificates. Nothing big, but worth pointing out. If you hold a valid thawte personal email certificate right now, you can sign up with Verisign for a free 1 year email certificate.
And those are the open tabs in my browser that I will now be closing.
For my 500th blog post, I figured I'd share something amusing.
From time to time, my wife and I order from Swiss Chalet and the order is pretty standard, quarter chicken and a baked potato. The one thing we've always found is that they don't provide enough sour cream with the baked potato but luckily, for $0.25, you could add an additional container of sour cream. Recently however, they've removed that option. The item is still on the menu, and you can still visit the page, however the 'Add this to your order' button was removed. This weekend, while we were ordering I decided to see if Firebug could assist me in ordering my extra sour cream.
I guess it's time for that post SecTOR write-up. Time to share every little thing I can remember... which, luckily for you, isn't much. I'm going to divide this up in sections to make it easier to organize my thoughts (or for you to skip parts).
Canadian Information Security Awards
Kudos to the organizers for attempting this, but it was a bust. I don't think it should be abandoned though. I just think we need improvements for next year. So few products are limited to one country for contribution that I wonder if a lot of people didn't vote because they didn't know what counted. I'd like to suggest new categories for next year:
Those are things I'd be interested in voting on and I think the prize of a netbook is much better suited as an individual award.
Speakers
Once again SecTOR had top notch speakers, some returning and some new. I have to admit though, that I didn't see nearly as many talks as I wanted to... I spent too much time chatting with people in the vendor area, keynote hall and hallways. I took in three talks the first day and that was the extent of it. I saw Raf's Web 2.0 talk... I love the look on people's faces when he mentions Native Client. I also took in RSnake and Hoff's sessions. I had intended to see two or three more sessions but other commitments kept me away from those. From what I heard, everyone enjoyed what they saw... and the complaints were few and far between, if they existed at all.
I definitely enjoyed being able to meet up and chat with a few of the speakers, at the speakers dinner and sitting around the bar afterward. I was able to share some stories and hear some at the same time. While Toronto has a strong security community, it's nice to expand the contact list and network until you can't even hold your beer, and even then you can simply pass over the business card as you fumble with your pint.
Reception & Speakers Dinner
While I preferred the reception in previous years with the open bar in the keynote hall, I was fairly impressed with the reception at Joe Badali's. The food was good and the drinks were free. We filled tables and chatted and had a great time.
Even though I'm in Toronto, I had never been to Joe Badali's before so I wasn't sure what to expect from dinner. I was surprised by how good the food was. I opted for the vegetarian option (pasta) and it was incredible. I will say that the last thing I expected to see at the speakers dinner was a lap dance... but at least it was good for a laugh (video I recorded coming later).
Vendors
Vendors are great because their money helps keep your ticket price down. I had the opportunity to chat with a number of vendors this year and while the talks were interesting... everyone's always interested in the swag, so let's give a run down of that.
In the 'best geek swag' category, eSentire had password keeper Post Its at their booth, unfortunately I didn't stop by and get any... they were pretty cool looking though but beyond the humor not overly useful.
In the 'best over all' category, I want to give it to nCircle, but people might call me biased. We had the only t-shirt give away and the slogan was my idea... so I need to vote for it.
We also had caffeinated chocolates that were mighty tasty.
Beyond that, most of my swag didn't even make it home... I've got a ForeScout stress cube that survived and I gave away my Tripwire flashlight because someone asked for it (always a nice offering, although when I first saw it I was hopeful for a laser pointer). I took a couple of pens, which weren't bad but unfortunately there were limited offerings of notepads and papers, one of my favourite conference take aways... I did manage to snag some Post Its from Rapid7 but that was about it.
In the 'I thought it would be cool but it wasn't' category is the travel alarm clock from Sentry Metrics. They had mentioned to me that the clocks were a rush order, so they can't be held responsible but the company that was peddling the clocks originally definitely had a horrid product. I actually have pictures from a table at Lonestar with the clock spread out in pieces. The hinge came out of the box broken, the open button worked once and the instructions reminded me that "PM is displayed in the afternoon". It was good for a laugh over beer and that was about it.
Socializing
The best part of SecTOR was the social scene... just like it usually is. Whether it was chatting at the con, or afterward at the bar, it was a great time. I got to put faces to names that I've chatted with and never met but also gather with people that I don't get to see often enough. We had some great conversations, some ideas for interesting concepts/research to put together and a whole lot of fun.
I'm already counting the days until SecTOR 2010, it'll be a great time!
Tomorrow is SecTor and I'm rather excited. There are so many talks I want to take in that I, unfortunately, can't see them all. On top of that the speakers dinner and meet-up at the Loose Moose should be awesome.
nCircle will have a booth this year and will be giving away T-Shirts and chocolate. So stop by and say hey to everyone there. I'll be floating around but I still haven't finalized my schedule (too many good talks, too many people to see, the conference needs a third day to fit everything in).
Anyways, ping me on twitter (@treguly) if you're floating around and want to meet up to chat or grab a drink. If I'm not around, it means I'm rushing to finalize my slides for the SSLFail.com panel.
I remember one day in elementary school when we were dressing up for our future careers. I don't remember why they had us perform this ridiculous act, but I do remember it happening. I got up that morning, got ready for school, dressed up in nice clothes and picked up my "brief case", in reality it was a cassette carrying case with the dividers removed but it served its purpose. I was going to be a teacher. Then when I was old enough to see the looks on my teachers' faces in high school... the face palms, the head shakes and the rolling of the eyes as they dealt with student after student, I quickly changed my mind. After about 20 other options, I settled on IT and then narrowed the field and ended up in IS.
I can't say that I've never looked back and had a "what if" moment. In fact, I had many "what if" moments over the years and I always told myself I'd make a great teacher. Unfortunately, no matter how many letters I sent to the Ontario College of Teachers, they were convinced that computers were not a "technology" course but rather general education... which meant a university degree (something I don't have) is required to teach computers. So teaching was always put on the back burner, something I would do as soon as I went back to school to turn my three year diploma into a degree.
In the end though, it turns out I can teach... I just can't teach high school. Where do you put someone you don't feel is educated enough to teach teenagers? In college. Earlier this year I was contacted to develop a new course on computer security, and after the course was submitted I was asked if I was interested in teaching it. I jumped on the opportunity and I'm now a teacher.
So now I'm sharing it with all of you... why? Because my students are required, as one of their assignments, to blog on the course and what they learn... I figure I should be subject to the same requirements (and it's another excuse to find time to blog).
I have to admit that on that first day, I was scared shitless... still am really but I'm having a lot of fun. So far it's been pretty basic stuff, setting up VMs, installing some tools, talking about malware and playing with python but it's been really good. There's something great about watching someone figure out the next line of code in a small python script or getting back thoughtful discussion comments to questions you pose. I'm really looking forward to seeing where the rest of the semester goes.
There are a few things to get used to though. One of those is that not everyone is at the same level, some people need more help and some people don't want help. I should have remembered this from when I was in college, but somehow it had slipped my mind. The really odd thing is being called 'sir'. I'm sure the last time I was called sir, it was followed by, "Would you please leave, you're making a scene." I'm from the same generation as a lot of my students, so hearing 'sir' actually feels rather awkward. That being said, it's a small price to pay to do something I've always wanted to do.
So, that's my story... I teach 6 hours a week, and probably spend another 20 hours working on class related material (sending emails, reading labs and thinking about what we're doing next). And on that note, this Friday we cover reverse engineering and I've got some prep to do.
If one of my college professors stumbled across this post she'd probably have a heart attack, since she taught an entire course on ethics. Yet it seemed like the most appropriate title for this post.
Over the years, how many countless inventions have improved mankind, yet have introduced a negative side effect? The gun provides a means to hunt and defend more efficiently, yet it also provides a means to kill with ease. The plane decreased travel times, then someone thought to attach a bomb and fly over a target. Water is a basic necessity to life and even it has been used for evil.
Now according to Kurt Wismer the inventors of these (we'll leave water out of this since I don't want to start a religious debate) should feel responsible when they are used for evil. That means that the Wright Brothers should have felt shame every time a bomb was dropped from a plane. I can't help but feel that's more than a little preposterous.
This all stems from a post by Kaspersky researcher, Roel Schouwenberg, discussing the lack of ethics in certain researchers. It seems that Roel finds it irresponsible for PolyPack to be considered valid research, especially research coming from academia. Dave Maynor responded to the post with his own write-up and that prompted Kurt's response.
So what is PolyPack? It's a research project out of the University of Michigan which has created a frontend that allows you to submit binaries for testing. These binaries are packed with 10 different packers and tested against 10 AV Engines. I happen to think that this is a great project that serves to highlight the many shortcomings of signature based AV detection. I'm also not the only one that feels this way as the paper was selected to be presented at WOOT '09.
So what's the unethical part of this research project? If it's about the use of packers to bypass AV, then I have something to share with Kurt and Roel. That's not a secret! It's fairly well known... it was mentioned in PaulDotCom podcast #125 and I'm also pretty sure I've heard HD Moore mention it during a metasploit training session. So what's left? They haven't released some super secret l33t h4X0r script that will cause every computer in the world to simultaneously self destruct nor have they reprogrammed our TiVos to record nothing but soap operas. There's only one possible answer left, and it's the conclusion that Maynor reached... they're making signature based AV look bad.
So in the end, I pose the title of this post as a question to everyone. What is ethical? Is it ethical to release research that may be used for evil? Or is it more unethical to sit on that research and keep it private, waiting for the bad guys to stumble upon it for themselves? Although in this case, the bad guys are probably well aware of packers and this becomes somewhat of a moot point; in the end if they were really desperate they could even pack their binaries themselves and upload them to VirusTotal to see how well they do.
So again I'll attempt to close out this article. What is ethical? Personally I think sharing your research and working towards the betterment of technology is ethical and that sitting back and waiting for the bad guys to beat you to the punch is highly unethical.
I think that the Security Bloggers Network (SBN) is amazing, so please don't misinterpret this post... I've provided the domain for the website and host a mailing list (although it was infrequently used even during the 2 months when people used it). Yet I have to wonder if it is perhaps becoming a little too large and if it requires a filter.
I know there have been debates in the past over whether or not SBN was full of noise and you can't really debate that... but it's full of noise in the way that twitter is full of noise... most of the noise is useful.
Let's take a look at the BrickHouse Security blog... first it should be stated that BrickHouse is an online storefront selling GPS Trackers, Spy Equipment, etc. Now let's look at some of their recent blog posts...
Taconic Car Accident Tragedy Could Have Been Avoided with Technology- For anyone who hasn't read it, or can't guess from the title... it's a blog post about a woman dying in a car accident... at least the first two paragraphs are. The second two? A write-up on how if she'd had a GPS Tracker in her car, she'd still be alive... Wait! What does BrickHouse sell again? Oh yeah... GPS Trackers. <-- I hope other people's stomachs turned... because mine sure did.
How about this post, which spreads FUD about bump keys (first thought: "Wait.. hasn't this been discussed everywhere for a couple years now, why bring this up now?"). Then I reached the last two paragraphs that contained the solution to bump keys... Biometric Locks -- Conveniently sold by BrickHouse Security (including a link to them)... with the following text:
These tools are the first step towards having a secure home and for thwarting the steps criminals take to get around security measures. As long as homeowners are smart and realize the technology that is at their disposal, the bogeyman will fade away.
I see... they can protect me. After all, we've never, NEVER, never seen biometrics bypassed!
I honestly don't see any value add from blogs like this being included within SBN.
A couple of weeks ago, I posted regarding the logs of some SSH brute force attempts I had logged on my server, and was looking through. One of the comments was asking for geolocation of the IP Addresses. Tonight I decided to make use of the service available at ip2location.com and geolocate each of the IPs that I had. I'm actually fairly impressed with the service, you can do 20 lookups per IP per day unregistered and if you register you can do 200 lookups per IP per day. I registered and then pasted my entire list into a textbox they provide and it looked them all up at once and provided the results.
Here are the screenshots. It was a small set of IPs, but the top three countries were China, USA, Poland.
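The steps above (pull the source IPs out of the sshd failures, look each one up, then rank by country) are easy to script so you don't have to paste lists into a web form every time. The following is an added example written for this post, not the author's own script: the log lines are constructed sshd entries using documentation IP ranges, and the country table is an invented stand-in for whatever a geolocation service such as ip2location.com would return, so the countries here mean nothing about real addresses.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (documentation IP ranges, not the author's real logs).
SAMPLE_AUTH_LOG = """\
Jul 12 03:14:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 12 03:14:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jul 12 03:15:10 host sshd[2110]: Failed password for root from 198.51.100.22 port 40012 ssh2
Jul 12 03:16:44 host sshd[2115]: Failed password for invalid user test from 192.0.2.5 port 33001 ssh2
Jul 12 03:17:02 host sshd[2120]: Accepted publickey for deploy from 192.0.2.99 port 55000 ssh2
Jul 12 03:18:30 host sshd[2125]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Jul 12 03:19:11 host sshd[2130]: Failed password for root from 198.51.100.40 port 40100 ssh2
Jul 12 03:20:00 host sshd[2135]: Failed password for invalid user guest from 192.0.2.77 port 33010 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." and captures user and source IP.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed lookup table standing in for a geolocation service response.
# Hypothetical mappings only; replace with real lookups (e.g. ip2location.com).
GEO_LOOKUP = {
    "203.0.113.7": "China",
    "198.51.100.22": "USA",
    "198.51.100.40": "USA",
    "192.0.2.5": "Poland",
}


def failed_logins(log_text):
    """Yield (user, source_ip) for every failed password attempt in the log.

    Successful logins ("Accepted ...") are deliberately not matched.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def attempts_by_ip(log_text):
    """Count failed attempts per source IP (a quick brute-force indicator)."""
    return Counter(ip for _, ip in failed_logins(log_text))


def countries_by_source_ip(log_text, lookup):
    """Count distinct attacking IPs per country; unmapped IPs fall into 'Unknown'."""
    return Counter(lookup.get(ip, "Unknown") for ip in attempts_by_ip(log_text))


def top_countries(log_text, lookup, n=3):
    """Return the n most common source countries as (country, distinct_ip_count)."""
    return countries_by_source_ip(log_text, lookup).most_common(n)


if __name__ == "__main__":
    for ip, count in attempts_by_ip(SAMPLE_AUTH_LOG).most_common():
        print(f"{ip:16} {count:3} failed attempts  ({GEO_LOOKUP.get(ip, 'Unknown')})")
    print("Top countries:", top_countries(SAMPLE_AUTH_LOG, GEO_LOOKUP))
```

Counting distinct IPs per country rather than raw attempts keeps one noisy host from dominating the ranking; swap in `attempts_by_ip` if you would rather weight by volume. Feed it `/var/log/auth.log` (or `journalctl -u sshd`) instead of the embedded sample to run it on a real box.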
I have to say that I was completely shocked when I read this (via SpywareGuide) yesterday... the first thing I did was send it to everyone I was talking to on IM. Write to help protect people from phishing sites and have a complaint filed with the FBI? There's something seriously wrong with this picture.
PayPal seems to be stepping all over themselves lately, they completely stall HFC (thankfully resolved now) and now this. I just can't imagine what goes through someone's head that they send a letter to the ISP and file a complaint with the FBI... did they even have any idea what they were looking at? Did they understand that the site was helping people not hurting them?
I could continue to rant on this, but mainly I just wanted to make sure as many people as possible saw and read it. Though it should be noted that this isn't the first takedown request with the threat of legal follow-up based on a screenshot; FailBlog was hit with this not too long ago. Although Guinness Book of World Records didn't go to the FBI.