excited I am

I just wanted to say I can’t believe how exciting my chosen field of work is. I love it beyond words and every time I read something new (even a negative article deriding Metasploit which prompted this exclamatory post), I get just a little bit giddy. I love security/insecurity!

google reader

I’ve tried a number of stand-alone and web-driven RSS readers in the past few months, but none really gave me what I wanted or presented it in a way that was compelling and simple and, well, just right.
Much to my surprise, I tried out Google Reader and was immediately hit by, “this is exactly what I wanted.” I added a few of the feeds I most regularly check, and I’ve been amazingly happy with this layout and simple feature set. I hope SurfControl doesn’t add this to the list of things denied outright (yes, web filters are evil, more on that in another future post).

mcafee intrushield ips

Just a note and a small rant to myself. I’ve been using the McAfee IntruShield IPS here at work for a few days now (been poking at it for a few weeks, really), and I must say I really dislike being so disconnected from the actual packets and wire. I really like the information on exploits and alerts that McAfee includes, and also the reporting and dashboard (they recently updated it!).
However, any time I see something new or noteworthy run across the wire, my first instinct is to look at the packets and the flow before and after the actual alert-triggering event. Sadly, these capabilities are sorely lacking. And what is really disappointing are the false positives, even when the device itself is tuned up tighter. I don’t really care if the IPS sees a UDP Port Scan all day when it is just a printer trying to reach out for some SNMP love because it lost contact with something.
Such is the price we pay these days for products trying to be the “silver bullet” of security or trying to be “all-in-one” and end up just disconnecting us from the real data and activity. Give me Snort and Wireshark and a portable tap (or the ability to put windump/tcpdump anywhere I want) anyway…
What I feel like is living in one of those Plato’s cave analogies, where I’m no longer really looking at the actual subjects, and instead I am seeing only the dim shadows of the events…

favorite room/hangout

I just read an article on HD Moore, one of the most influential and brightest “non-corporate” white hat security researchers, in which he answered a quick question on his favorite hangout, “A dark room full of electronics.”
Not only is that cool, but it got me thinking about what my own favorite room or hangout would be. I’ve been doing some casual thinking lately on owning property sooner rather than later, and how I would plan to do some stuff with it. Right now, I’m in “money-saving” mode, so my spare apartment bedroom is acting mostly as a place to put things I don’t have a place for, instead of being developed into something much cooler.
So, what would I deem as a perfect room to hang out in? Honestly, I have three major ideas on that question.
1) The dark room full of electronics. Some people feel at ease and most happy when surrounded by other people or doing social things. For people like myself, I feel similarly when surrounded by electronics and maybe a person or two of like mind. A dark room illuminated by the soft glow and unjudging winking of LED lights and monitor displays. Maybe an indirect light source or two with a narrow cone of light to important places that need to be lit. It would need to be cool rather than warm. I would also prefer a house as opposed to an apartment, so that I could set up a decent (but not high-end) speaker system so I can play anything from quiet classical/ambient to pounding industrial or metal depending on my moods. A clutch of test machines, a couple of separated networks (one a main network and the other a sniffed, testing one), a workbench for system surgery and parts. The monitors would preferably be displaying specific things as opposed to running screensavers. One should play movies that I can half watch in the background, another display an active packet watch on my main system (just to watch now and then and learn more) or even my test network if I am running something, another with network monitoring, and another with a security dashboard up or even cycling through a few. That would be an awesome hangout.
2) Now, even the most hardcore of us needs to unplug every now and then. For a more unplugged experience in my abode, I would love to have an entertainment room that has a nice TV and sound system, is ideal for watching movies or sports events (about all I watch, I don’t take to television anymore), and is filled with plants and a pleasing atmosphere. Something calm and idyllic, a place to relax and lounge and sprawl out in, to read a book or magazine, listen to some music, or watch a movie, or even pull a laptop into to just chill out, but not dominated by obvious electronics all over.
3) Lastly, completing the unplugging, my third preference would be the great outdoors, away from most everyone else and anything technological. Give me a breezy, amazing woodlands or mountaintop or tropical island beach, and I could find some real peace there. Give me a cabin up in the woods that I can escape to and some space to roam. Internet connection…debatable. 🙂

beginning work with an ips system

I am now into my 5th month at my current job. A lot of my time has been spent getting used to the environment and culture of working here, along with a majority of the time spent supporting and working with our .NET/ASP application development team. This basically means I’ve been more involved in Windows systems administration than I’d like to be, especially for someone who is not pursuing .NET programming. Windows sysadmin is not that difficult in the long run (you can make it as difficult as you want, by adding scripting, etc.), but it is not all that fun or glamorous. I’d pretty much rather be doing anything but; however, I will admit there is plenty of demand for the role in business.
Anyway, starting this week I get to begin working on and taking control of our McAfee IntruShield IPS device. This device sits inline between our external firewall and our internal DMZ firewall and logs intrusion attempts. Right now it is passive and set to IDS-mode only, as no one has had time to really sit down and configure it properly while minimizing the risk of blocking legitimate traffic. That will end up being my role here, forthcoming.
I’m not the biggest of fans of IPS devices. I believe that a company like ours which is small and has a good amount of money to spend on IT is better served by installing only an IDS system and staffing to monitor it properly, as opposed to an IPS that will automatically block traffic based on various turned-on rules.
However, this is still majorly exciting and almost as good as managing the firewall. This device straddles the two areas I would like to grow in: networking and security/insecurity. So, that was some good news in the past few weeks in regards to my job, and I’m really looking forward to talking to our Accuvant guest this week and getting my fingers deeper into this device.
I will be very disappointed in the device if I am not able to see the actual packets and payload for various detections and alerts. Installing and playing with an IDS (Snort) at home has been on my extended list of things to do, but I have had some bigger fish to fry lately. So to be able to do this at work is actually the first ray of sunshine that I have had at this new job.
UPDATE: I did some research on case studies for IntruShield and found one (pdf warning) that doesn’t name the company, but it does name the CSO. Turns out it’s the CSO from McAfee itself. While I can say, “d’oh” to see a company use itself as a case study, I have to say I like the idea that a product is in use internally. In my short career, I’ve already felt the irony of a company that doesn’t use its own products or follow its own paradigms that it tries to sell.

removed links

Just removing some links. First, Ubertechnica appears to no longer exist. I have long read Xatrix, but ever since they had some legal woes they’ve slowly eased up on updates. Looks like no one is maintaining the site anymore.

Since I have moved on from using SuSE extensively, I no longer need the SuSE Security page. The antiforensics section of Metasploit is looking a bit old, so there is no need to keep it on its own link. I can get there through other means if need be.

I’ve always hoped Erin would finish work on her site, amoebazone, especially the log part, but I guess development has stalled for other pursuits. I do still like the layout and design though, which is one of the real reasons I am making notes when removing sites. This site was here as a reminder of the design as much as wanting to see the completed work. Another largely personal site that predates real blog/journal apps is Thor’s site, Hammer of God. Dunno really why I kept it or even included it, but it no longer will be.

Insidethebeltway seems to have disappeared. I really just don’t read any of the blogs from the RStack white hats. The Lost Olive offered me nothing either, other than an awesome 404 page.

pruning links

I am hoping that I finally am hitting critical mass with all my links at left. With some luck and free time, I can start pruning the list of all the useless links/blogs that don’t offer me much of anything, and instead focus on what I truly want to read. I’ve been getting behind on more than a few of these sites, and it doesn’t help that the web filter at work is more stringent than I am comfortable with. Lame. Nonetheless, I need to start blocking off some time, maybe Sunday mornings at the bookstore or some other place I find that is conducive to reading sites, and make a habit of it.

Some ramblings for myself… Do I need 56 news sites and 234238 blog sites? Most likely not. I bet most anything of interest in the news will be covered in at least a couple of the blogs I visit. Do I need 9 antivirus sites? Actually, I do prefer a range of them. Whenever I do some research or incident response on a particular bit of malware, I prefer to look at reports from multiple sources to get the most information possible. You can’t have too much info when dealing with malware infections. Do I need all the podcast/vidcast sites? Nope. Despite my best intentions to watch and listen to them all, I simply do not. I like visual stuff, but so far have yet to even begin to catch up on the audio-only stuff. I just have no habit for it, or automatic way to download them all and get them someplace for me to listen to. Perhaps when I get a car adapter for my iPod, I’ll develop this habit… Yeah, I definitely need all of this in wiki format. 🙂

And yup, now that my little veil has been lifted, or kimono shifted open a bit, I’ve seen some trackbacks from a few other sites that I visit from here, now. I guess I can’t complain, and don’t mind the company at all. 🙂 It certainly makes coding just a smidgen easier, and visiting links as well, since it doesn’t take three clicks per link now. Simplify, simplify!

blogs and wiki

Well, my main site is going to be updated in the coming months with a real blog. In recent updates here, I’ve noticed that a blog format, even as open as blosxom is, is just not the ideal format for me to use here. My updating style and the way I use this little site is much more akin to a wiki. In fact, it is a wiki, only not yet. So I think this can give me some experience (again) with installing a wiki and a blog. I’ve never fully put up a wiki myself, so this will be a good task to do.

Of course, I am not about to pay for something I could likely make on my own with enough time and energy. For blogs, Movable Type is now free for personal use again. My current site is now kept in MT, so I have no real reason to change. For the wiki front, nothing has a more rounded listing and look at CMS products than OpenSourceCMS. Wow!

site upgrade planning

Now that I should have some more time on my hands, I am looking at possibly upgrading my site a bit. I seem to alternate between back-end updates and front-end design updates, and I’m overdue for both. However, I still like the site design, so I think it is time to jump into a back-end upgrade.
I am looking at blog systems that I can install. Currently I run on Apache with PHP4 (it might be 3!) with Movable Type 1.4 using flat files instead of a database backend on a very stable Windows 2000 Pro box. Movable Type fit my bill exactly, back in the day, but then quickly went commercial and I’m not really willing to pay for something like this. I also have Perl installed, and am willing to update all of these components (I would prefer to keep Windows 2000 though, simply because it is stable, I can get it free, and I’m intimately familiar with it).
My requirements/wishlist, for my own edification:
– easy posting from anywhere (u/p login)
– optional comments…bonus: toggle comments per entry as opposed to per site
– MSDE/SQL 2000 (preferably MSDE) backend with little administration needed
– php-based, but something that requires very little tinkering and coding other than templates/layouts
– the ability to make everything very minimized/minimalistic, from archives, comments, to posts, and the whole blog itself
One thing that was rather flexible about this version of Movable Type was not just having multiple blogs, but being able to use them creatively. For instance, my movie list on the right is actually another blog embedded into this page.
I also have a private page where I host all my geekier things. This is almost like a knowledgebase for myself. I am currently running Blosxom which I really love for its simplicity, but I think I am ready to move to a wiki or knowledgebase system.
– easy posting and updating of posts/topics
– good support for wiki-style knowledgebase stuff
– comments system or possible collaboration
– MSDE / SQL 2000 (preferably MSDE) back-end
This upgrade may not happen for a long time simply due to other things going on, and I plan on evaluating some solutions over time, so that I can get the most out of a wiki or blog system. I also now have spare systems to test things on, which will be ideal.

lifting the veil

So, I’ve been asking myself some questions and kind of dealing with how to present myself on the net while at the same time categorizing my own information overload by spilling things out into this log. I’ve decided that I don’t know why I maintain my cute redirection code in place to thwart trackbacks and referral readers. On a bigger note, I’m not really sure why I keep this site secret, other than just because I don’t have a desire to really share this with people.

However, I think I have decided to remove the clunky code that at least veils the referrals. I may not entirely open this site up to the world, but I guess I won’t bother trying to actively obfuscate it.

rain forest puppy

Every now and then I go on a stream-of-linkage romp through blogs and security sites. Check out a site, head to the links, start spidering out and repeat. Well, today I brushed through the Nomad Mobile Research Center where I found a lot of 404 links to various people who were big in the security industry years ago. I then came across Rain Forest Puppy’s site and memorandum.

I’ve just finished reading The Cuckoo’s Egg by Cliff Stoll. The book details some of the early hacking attempts in a very new network of computers and systems and open sharing of information back in the mid-to-late 1980s, a time when I was just discovering Atari and Nintendo and arcade gaming. In looking at the landscape of the time, of computing, networking, and security itself, things have much changed…I mean, DRASTICALLY changed since then. And I can see how people take values from back then and futilely fight the good fight for years and years, even when the time of those networks and openness is gone. The openness and phreaking got replaced with coding and open source and free tools and grassroots hacking…and today, we have commercialization of security.

I read RFP’s memo on his site and realized that this is one of the things I look for in my web romps through security links and blogs and personal sites (sites made back before “blog” was even a thought); the people who have been here already and where they are now, sometimes the dusty relics of long-forgotten websites or stories of how people have moved on, grown up, lost faith, or become part of the commercialization. The Internet and computing are still changing so much, and security even more. In 5 years from now, I could be like them or perhaps just part of the commercialization. Either way, I feel that this sort of web-trotting into the lives of other security persons from the present and past gets back to where the real security happens (or happened), where the real culture of hacking and security lies…not in the Symantecs and Microsofts of the world, but rather in the continued traditions of Black Hat and Defcon and the smaller underground groups of hackers (although slightly less underground than 5-10 years ago).

To anyone that feels like RFP, I just have to say that that kinda just happens, especially when you have a youth-fueled culture in the midst of a brand new, rapidly changing frontier like the Internet and networking. Things change so rapidly, people grow up and out of their hacking 24/7 mindsets, get married, move on in life, and into more conservative affairs. This happens, but it does not take away from the grassroots, “pure” hacking and security that has come before and still happens now.

I will say it is interesting running over sites of people whose names I know as part of the hacker scene, but their sites are outdated. Sometimes you see a resume or a post about where they’ve gone or what they were doing when their site got dusty. Then I realize just how weird the net is. Some sites disappear in moments; others stick around on servers for years, decades. Just sitting there, waiting, listening, maybe logins have long since been forgotten and the servers just whirr away diligently maintaining their uptime. I’ve seen this in the early gaming scenes in Quake where clan pages are still sitting in cyberspace, waiting for really nothing. Links and images break over time, and they look like those old rusting cars you can find in overgrown pastures…

Some site designs I liked (for future reference): jexe and guninski. I would love a throwback design even if that throws back to a time before I was into computers, but there is something nearly romantic and appealing to the idea of a nighttime black world with the only light the soft greenish glow of a computer terminal illuminating the outline of a determined hacker…

back and reaffirming the noc log

After a lengthy break from blogging (3 months), which included a 2 week work trip to DC, a move from one apartment to another one, plus a number of smaller things like Christmas and New Year’s, I am back and everything is up and running like it should be.

Over the past 3 months I have stopped being what I would call frenetic about my research and delving into security. I had been doing lots of reading and scouring of information, and less actual doing. Now that I have amassed a nice book collection on security related things, I am finally actually getting around to reading them for benefit. This includes much more actual “doing” as opposed to bouncing back and forth like a super bouncy ball between new tools and sites and books and articles…

I am also eliminating some of the prohibitive things on this site, such as the “sanitization” for links on the right menu. I’ve removed them all except for the blogs/personal sites. I still don’t want this site frequently visited, mostly because of the comments section, but I really am discouraged from clicking links due to the sanitization. I figure most larger sites don’t much look at referral logs, but I expect bloggers and personal sites do so much more often…hence the decision for the change.

Anyway, hopefully I can actually get down to enhancing myself and using this site much more actively and efficiently again.

researching vlans

I hadn’t heard much about VLANs until the last few days when our security pen testers mentioned possibly implementing some VLAN segmentation to control our traffic and manage groups of users. Since then I’ve been attempting to research them with mixed luck. My best lead is a technical article from Intel.

I have decided that VLANs don’t really truly segregate people into separate groups, but rather separate (layer 3, I think it is) broadcast traffic that simply does not need to be read by every workstation. It is much like 5 years ago with the big push away from “chatty” hubs into actual switches that were much more private with their information. Broadcast traffic adds a decent amount of traffic to most networks of decent sizes, especially when you factor in some variables like wireless traffic or VOIP traffic.

Anyway, I’m still researching this, and I think the best way to truly segregate users (I have developers in mind, who tend to want the most freedom with their computers coupled with the least security) would be to create VLANs, create their own subnets, and then plop a firewall between their VLAN and the rest of the network space. But…that’s just my initial understanding. I’ll post more links to information as I find them.

sql enterprise manager table view error

For the second time in twice as many weeks, a developer has reported the same error. When opening a table to view in Enterprise Manager, the error “the provider was not found for this property” displayed. Reinstalls of SQL 2000 client tools and MSDE did not work, but it turns out just a newer MDAC was needed. The sad part is that I solved the issue the first time two weeks ago, but was unable to do the same this time. Burnt out…