
Monday, December 28, 2009

How to save/restore iptables rules on Ubuntu?


This might be an obvious thing to old Linux-heads out there, but it sure caught me off-guard, so there might be some use in spelling it out:

iptables-save and iptables-restore do not read or write any file on their own: iptables-save prints the current rules to standard output and iptables-restore reads a ruleset from standard input. You are responsible for redirecting the output of iptables-save to a file and for hooking iptables-restore into the interface-up scripts so that the rules are loaded before the given interface comes up.

The Ubuntu documentation tells you how (although it was also the source of my confusion). The following commands should be executed as root, so don't forget to sudo su first (a plain sudo iptables-save > /etc/iptables.rules would fail, because the redirection is performed by your unprivileged shell, not by the command sudo runs):

  1. Save your rules in a file: iptables-save >/etc/iptables.rules
  2. Edit your interfaces file (substitute your own favorite editor here): nano /etc/network/interfaces
  3. Add a pre-up command to restore the saved rules. The fully configured file should look similar to this (the pre-up line is the one added):
    auto eth0
    iface eth0 inet dhcp
      pre-up iptables-restore < /etc/iptables.rules

One caveat: if the pre-up command fails (for example because the rules file is truncated or malformed), ifup aborts and the interface stays down. Newer versions of iptables-restore have a --test option that parses the file without committing it, which is worth running before you rely on the file at boot.

HTH. And remember - security is a process / mindset, not a state. Always test the configuration changes you've done, don't just assume that everything went ok because you didn't receive error messages.
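In the spirit of "test your changes", here is an offline sanity check for an iptables-save dump before it goes into pre-up. This is an added example, not code from the post or from the iptables project; the sample ruleset embedded in it is constructed, and the "INPUT policy is ACCEPT" warning is my own rule of thumb for a host firewall, not something iptables enforces.

```python
"""Offline sanity check of an iptables-save dump before it goes into pre-up.
Added example, not from the post or from the iptables project; the sample
ruleset below is constructed for illustration."""
import re
import sys
from dataclasses import dataclass, field

# Chains that iptables-save always lists for each built-in table.
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
}
# ":CHAIN POLICY [packets:bytes]" ; user chains have policy '-'
CHAIN_DECL = re.compile(r":(\S+)\s+(\S+)(?:\s+\[\d+:\d+\])?$")


@dataclass
class Table:
    name: str
    policies: dict = field(default_factory=dict)  # chain -> policy
    rules: list = field(default_factory=list)
    committed: bool = False


def check_ruleset(text):
    """Parse iptables-save output; return (errors, warnings) as lists of strings.

    Errors are things iptables-restore itself would choke on (or a truncated
    file); warnings restore fine but are probably not what you meant on a
    host you are firewalling."""
    errors, warnings = [], []
    tables, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = Table(line[1:])
            tables[current.name] = current
        elif current is None:
            errors.append(f"line {lineno}: {line!r} outside of any *table block")
        elif line.startswith(":"):
            m = CHAIN_DECL.match(line)
            if m:
                current.policies[m.group(1)] = m.group(2)
            else:
                errors.append(f"line {lineno}: malformed chain declaration {line!r}")
        elif line == "COMMIT":
            current.committed = True
            current = None  # anything after this must start a new table
        elif line.startswith("-A "):
            chain = line.split()[1]
            if chain not in current.policies:
                errors.append(f"line {lineno}: appends to undeclared chain {chain!r} "
                              f"in table {current.name}")
            current.rules.append(line)
        else:
            errors.append(f"line {lineno}: unrecognised line {line!r}")

    for t in tables.values():
        if not t.committed:
            errors.append(f"table {t.name}: no COMMIT line (truncated dump?)")
        for chain in BUILTIN_CHAINS.get(t.name, set()) - set(t.policies):
            warnings.append(f"table {t.name}: built-in chain {chain} not declared")
    f = tables.get("filter")
    if f is None:
        warnings.append("no *filter table: nothing will be filtered after restore")
    elif f.policies.get("INPUT") == "ACCEPT":
        warnings.append("filter INPUT policy is ACCEPT: unmatched inbound traffic is allowed")
    return errors, warnings


# Constructed sample in iptables-save format (not a dump from the post's machine).
SAMPLE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    errors, warnings = check_ruleset(text)
    for msg in errors:
        print("ERROR:", msg)
    for msg in warnings:
        print("WARN: ", msg)
    sys.exit(1 if errors else 0)
```

Run it as `python check_rules.py /etc/iptables.rules` right after step 1 above; a non-zero exit means iptables-restore would most likely fail in pre-up and leave the interface down.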

Saturday, December 26, 2009

How eco-friendly is a BMW?


The short answer is: I don't know :-)

While I was watching National Geographic, I caught a glimpse of the BMW "Efficient Dynamic" advertisement campaign. The claims made by this campaign were quite extraordinary and - being the cynic that I am - I thought: hang on, this sounds too good to be true. The claims as I recall were:

  • BMW reduced fuel consumption by 16%
  • This reduction is more than twice the reduction achieved by the next premium segment competitor
  • This reduction is more than twice the average reduction obtained by the industry

Being an aspiring skeptic I decided to look into these claims, but being the lazy ass that I am, quickly gave up after making a mental list of what would be involved (finding out what they mean by "premium segment" and who their competitor were, finding a reliable source of data, etc). So, instead, I turned to math to see if all these claims can be true at once. So, in math-talk we have the following data:

  • BMW = 16
  • Let's suppose that we have three competitors A, B and C, with A being the closest to BMW
  • A, B and C are in the interval [0, 100]
  • BMW >= 2*A
  • BMW >= 2 * AVG(BMW, A, B, C)

Then I turned to the OpenOffice Solver, which promptly came up with an answer: A=8, B=0, C=0. Starting from this I came up with a more plausible-looking solution: A=7, B=5, C=5 (check it: 16 >= 2*7 holds, but AVG(16, 7, 5, 5) = 8.25 and 2*8.25 = 16.5 > 16, so this one only satisfies the last constraint if the "industry average" is taken over the competitors alone, AVG(7, 5, 5) = 5.67; the solver's answer works under either reading).

What does this mean? That - mathematically speaking - the claims made might be true. As always - trust, but verify. These simple mathematical tools are available to everyone and can be used to unmask the more extreme false claims (of course, just because a claim is mathematically possible, it doesn't make it necessarily true). Go search for information. You should find it - since it wants to be free!

Picture taken from maazbot's photostream with permission.

Recouping your data from a hung program


Scenario: you are typing away in your blog editor on Ubuntu doing a (somewhat) Flash-heavy post. You make the mistake of hitting "Preview" and the blogging software hangs. How can you get your post out?

  1. Find the PID of your blogging software (ps or pgrep)
  2. Core-dump it: gcore [PID] creates a file called core.[PID] in the current directory. Sidenote: gcore does not kill the application. It attaches gdb to the process, which stops all of its threads while the memory image is written, and then detaches, so the dump is a consistent snapshot of memory at that instant (though not necessarily at a point the application itself would consider consistent). This doesn't matter here, since the program is hung for good anyway.
  3. Use a hex editor (GHex for example) and search for a part of the blogpost. You will probably find it multiple times, but you can easily identify one occurrence which has a complete copy.
  4. Copy the blogpost from the hex editor
  5. Profit!

Hope this saves somebody from retyping their text!

PS. This can be applied to other programs too where the storage format is "human readable" (like text editors, as opposed to spreadsheet editors). Another trick you might try is to search for the string as UTF-16 (since more internationalization-aware programs might store it that way). While GHex doesn't support this directly, you can manually insert the 00 bytes between the Latin characters. Another option would be to run strings on the core dump with different --encoding options (-e l for 16-bit little-endian, which is the layout you will see on x86).
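The same search, automated: a small carver that scans a dump for printable runs in both single-byte and UTF-16LE layout and returns the ones containing a phrase you remember, longest first, so the complete copy is listed before the fragments. This is an added example and not part of the original post; the DUMP below is a constructed stand-in for a gcore file (in practice you would `open("core.1234", "rb").read()`).

```python
"""Pull a lost text out of a core dump by searching for it as single-byte
text and as UTF-16LE. Added example, not from the post; the DUMP below is a
constructed stand-in for a gcore file."""
import re

PRINTABLE = rb"[\x20-\x7e\t\n\r]"   # what a run of Latin text looks like


def run_pattern(encoding, min_chars):
    """Regex for a run of at least min_chars printable characters in `encoding`."""
    count = rb"{" + str(min_chars).encode() + rb",}"
    if encoding == "utf-16-le":
        # each character is a printable byte followed by a 00 byte
        return re.compile(b"(?:" + PRINTABLE + rb"\x00)" + count)
    return re.compile(PRINTABLE + count)


def carve(dump, needle, min_chars=8):
    """Return [(offset, encoding, text)] for every printable run that contains
    `needle`, longest first, so the complete copy is listed before fragments."""
    hits = []
    for encoding in ("utf-8", "utf-16-le"):
        pattern = needle.encode(encoding)
        for m in run_pattern(encoding, min_chars).finditer(dump):
            if pattern in m.group():
                hits.append((m.start(), encoding, m.group().decode(encoding)))
    return sorted(hits, key=lambda h: -len(h[2]))


# Constructed dump: binary junk, a UTF-16LE copy of the text (how a GUI text
# widget might hold it), a truncated single-byte copy, then a complete one.
POST = "Scenario: you are typing away in your blog editor and it hangs."
DUMP = (b"\x7fELF" + bytes(range(256)) * 2
        + POST.encode("utf-16-le") + b"\x00\x00"
        + b"\x01\x02\x03" + POST[:20].encode() + b"\xff\x00\x00"
        + b"\x00" * 16 + POST.encode() + b"\x00")

if __name__ == "__main__":
    for offset, encoding, text in carve(DUMP, "blog editor"):
        print(f"0x{offset:08x} {encoding:9s} {text!r}")
```

Searching for a phrase rather than a single word keeps the hit list short; raising `min_chars` drops the short fragments that every dump is full of.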

Friday, December 25, 2009

Congratulation to AV-Comparatives!


AV-Comparatives is an independent, well-known and well respected testing organization in the AV/Anti-Malware field. They recently published two reports and one meta-report:

Go read them if you have questions like "which product is the best for me?". Thank you Andreas for providing a great and impartial service.

PS. One surprising thing for me was the high detection rates in the dynamic test - upward of 90%. This indicates that either I'm too much of a cynic or that their crawler system still has room to improve - I would expect AV products to be around 60-70% effective against new threats.

Don't listen alone!


Do you like Linux? Do you listen to podcasts? If you've answered yes to both of those questions, you should know what LUG Radio is (if not, do a quick search - I promise you that it will be worth it!).

The bad news? They stopped it in 2008. The good news? A documentary titled "Don't listen alone!" - a great title if I may say so - about it just came out! So watch it below (sorry for splitting it up into 10 minute segments, but YouTube limits you to this):

Or go over to Jono's site and watch it from (my problem with is that their delivery method seems to be much less bandwidth friendly - I've got constant "buffering" even on connections where YouTube HQ clips play fine) or download it from You can also read up on how the documentary was created (on Linux!) here.

Finally, if you still miss their voices (as I do), head over to ShotOfJaq or to FLOSS weekly and you will be pleasantly surprised!

PS. Offtopic rant: I'm all for open formats and such, but when - after days of searching! - I can't find a tool which supports the OGV container (or the Theora codec for that matter) properly, I'm tempted to give up on them! On the AVI/XVID/h264 side there is Avidemux for example... Finally I had to re-encode the whole video into AVI/XVID just to be able to chop it into 10 minute segments.



A long overdue "linky" post:

Internet Guide |

Posted: 22 Oct 2009 04:55 AM PDT

Dyn (of DynDNS) is also getting in the internet content filtering business.

About the Fitbit

Posted: 23 Oct 2009 11:10 AM PDT

BorderWare ReputationAuthority

Posted: 23 Oct 2009 12:09 AM PDT

Petabytes on a budget: How to build cheap cloud storage | Backblaze Blog

Posted: 22 Oct 2009 11:25 PM PDT

Sucuri information security (BETA)

Posted: 22 Oct 2009 11:16 PM PDT

Wall Street (1987)

Posted: 22 Oct 2009 11:04 PM PDT

TeamViewer - Free Remote Access and Remote Desktop Sharing over the ...

Posted: 24 Oct 2009 02:21 AM PDT

On the Effectiveness of Aluminium Foil Helmets: An Empirical Study

Posted: 26 Oct 2009 11:05 PM PDT

BrightCloud - OEM Hosted Security Services

Posted: 26 Oct 2009 08:47 AM PDT

Bill & Ted's Excellent Adventure (1989)

Posted: 26 Oct 2009 08:07 AM PDT

Masterminds of Programming: Conversations with the Creators of Major Programming Languages (Theory in Practice (O'Reilly)) (9780596515171): Federico Biancuzzi, Shane Warden: Books

Posted: 30 Oct 2009 08:20 AM PDT

Programmers at Work: Interviews With 19 Programmers Who Shaped the Computer Industry (Tempus) (9781556152115): Susan Lammers: Books

Posted: 30 Oct 2009 08:20 AM PDT

Coders at Work (9781430219484): Peter Seibel: Books

Posted: 30 Oct 2009 08:19 AM PDT

Mobile Malware Attacks and Defense (9781597492980): Ken Dunham: Books

Posted: 30 Oct 2009 08:19 AM PDT

Crimeware: Understanding New Attacks and Defenses (9780321501950): Markus Jakobsson, Zulfikar Ramzan: Books

Posted: 30 Oct 2009 08:19 AM PDT

ldd arbitrary code execution - good coders code, great reuse

Posted: 30 Oct 2009 08:19 AM PDT

HACKING EXPOSED MALWARE AND ROOTKITS (9780071591188): Michael Davis, Sean Bodmer, Aaron LeMasters: Books

Posted: 30 Oct 2009 08:19 AM PDT

Malware Forensics: Investigating and Analyzing Malicious Code (9781597492683): Cameron H. Malin, Eoghan Casey, James M. Aquilina: Books

Posted: 30 Oct 2009 08:18 AM PDT

The Old New Thing : What this batch file needs is more escape characters

Posted: 30 Oct 2009 01:55 AM PDT

Much like the universe, if anyone ever does fully come to understand Batch then the language will instantly be replaced by an infinitely weirder and more complex version of itself. This has obviously happened at least once before ;)

Eric Filiol - Analyzing Word and Excel Encryption [PDF] : ReverseEngineering

Posted: 02 Nov 2009 01:40 AM PST

This is very cool! It demonstrates how security is based on some basic assumptions (ie. consecutive versions overwrite each-other) and when those assumptions are broken (you can recover multiple versions), the security itself is compromised. Ergo, you must make as few assumptions as possible and check them as thoroughly as possible. Paranoia helps!

Zoomorama - Tech Crunch Web Trends

Posted: 02 Nov 2009 01:20 AM PST

97 Things Every Software Architect Should Know (9780596522698): Richard Monson-Haefel: Books

Posted: 08 Nov 2009 10:00 PM PST

C++ horrorshow - Educated Guesswork

Posted: 08 Nov 2009 10:21 AM PST

This is why I do Java and not C++ - because I'm not smart enough to comprehend such stuff.

Welcome to the BeaEngine Sweet Home - x86 x86-64 disassembler library - (IA-32 & Intel64)

Posted: 08 Nov 2009 10:01 AM PST

The Periodic Table of Bloggers - Slope Of Hope with Tim Knight

Posted: 12 Nov 2009 03:56 AM PST

Create your own Wallpaper - X3 Studios

Posted: 12 Nov 2009 03:15 AM PST

Achmad Z's Archives: Simple report on this month's Google Pagerank update

Posted: 12 Nov 2009 03:10 AM PST

Yet another Google PR widget. Nice one, since it only includes a link.

The Old New Thing : Little-known command line utility: clip

Posted: 12 Nov 2009 11:45 PM PST

It's official! Perl rocks if even Raymond Chen uses it :-)

DealExtreme: $12.99 Bluetooth 2.0 A2DP AVRCP Stereo Music Receiver and Handsfree (Black)

Posted: 14 Nov 2009 10:56 PM PST

Recommended by George Ou

winexe homepage

Posted: 13 Nov 2009 11:48 PM PST

PSExec for Linux - no Samba needed either!

TrojanHorse.jpg (JPEG Image, 700x558 pixels)

Posted: 17 Nov 2009 02:57 AM PST

Via Schneier:


F-Secure Browsing Protection Portal

Posted: 19 Nov 2009 10:08 PM PST

Oh, the irony - Andrew's PostgreSQL blog

Posted: 20 Nov 2009 03:40 AM PST

YouTube - Umbrella Timpuri Noi

Posted: 08 Dec 2009 10:32 PM PST

YouTube - Timpuri noi - Emigrant USA[1992]

Posted: 08 Dec 2009 10:31 PM PST

YouTube - Timpuri Noi Victoria with Lyrics

Posted: 08 Dec 2009 10:31 PM PST

Timpuri Noi - Tata - Trilulilu Video Muzica

Posted: 08 Dec 2009 10:29 PM PST

Video: Douglas Crockford — The State and Future of JavaScript (YUI Theater)

Posted: 08 Dec 2009 10:29 PM PST

The Customer Is Not Always Right: Hilarious and Horrific Tales of Customers Gone Wrong (9780740785788): A.J. Adams: Books

Posted: 10 Dec 2009 10:28 AM PST

Why We Suck: A Feel Good Guide to Staying Fat, Loud, Lazy and Stupid (9780452295643): Dr. Denis Leary: Books

Posted: 10 Dec 2009 10:07 AM PST

Everybody is Stupid Except for Me (9781606991589): Peter Bagge: Books

Posted: 10 Dec 2009 10:06 AM PST

-- Home

Posted: 10 Dec 2009 09:38 AM PST

Software White-Listing Request

Posted: 10 Dec 2009 09:35 AM PST

Prezi - The zooming presentation editor

Posted: 10 Dec 2009 04:38 AM PST

Maker SHED from MAKE Magazine,, and Maker Faire

Posted: 13 Dec 2009 11:25 AM PST

Free DNS service - Easy, web-based domain manager -

Posted: 13 Dec 2009 02:07 AM PST

PHP Advent 2009 / JSON Gotchas

Posted: 15 Dec 2009 02:03 AM PST

Loved the pun: "eval has the same metaphone key as evil"

DNS History

Posted: 18 Dec 2009 05:54 AM PST

If broken it is, fix it you should : High CPU in .NET app using a static Generic.Dictionary

Posted: 21 Dec 2009 07:56 AM PST

.NET version of ConcurrentModificationException: consuming 100% CPU :-)


Posted: 21 Dec 2009 02:04 AM PST

Learning Advanced JavaScript

Posted: 21 Dec 2009 01:58 AM PST

Hivelogic - Top 10 Programming Fonts

Posted: 21 Dec 2009 01:44 AM PST

Mish's Global Economic Trend Analysis: Oh, CRE: Holiday parody of the song O Christmas Tree

Posted: 21 Dec 2009 01:42 AM PST

Monday, December 21, 2009

Schneier videos


Bruce Schneier is always fun, and together with Marcus Ranum he is extra fun (sidenote: although it is titled "face-off", they agree more than they disagree):

And here are some Schneier only videos (the first video has some audio problems in the first 3 minutes, but it gets better afterwards):

Open Rights Group: Bruce Schneier Security Talk from Open Rights Group on Vimeo.

Open Rights Group: Bruce Schneier Security Talk (Q&A) from Open Rights Group on Vimeo.

Friday, December 18, 2009

New challenges


After missing the announcement for the second part of the Network Forensics Puzzle (yes, I’m subscribed to the feed now!) I would like to regain your trust by bringing two other contests to your attention:

Bonus content:

Have fun!

Picture taken from ChrisDag's photostream with permission.

A game of Chinese whispers


Yet another example of real-life Chinese whispers in security journalism:

A Hungarian online news site published an article titled “Hackers tried to steal user data from Amazon” (here is a somewhat usable automatic translation for the non-Hungarian speakers). I assume that the information went like this:

What happened –> What the security company has written up about it –> What the “journalist” understood –> What s/he actually wrote.

What actually happened is that an Amazon EC2 instance rented to a third party was being used as a C&C server for a botnet. No Amazon user data compromise here, move along (also, this isn’t a new phenomenon at all).

To top it off, the article talks about the security issues involved in cloud computing. Surely they are paid by buzzwords / paragraph :-p.

As if you needed further proof that a large percentage of the news out there is false, even when there is no intent to “spin” it. Never attribute to malice what can be explained by stupidity, I suppose...

Picture taken from bignoseduglyguy's photostream with permission.

Twitter hacked


It had to happen, didn’t it? I fired up Pidgin with the microblog-purple plugin, only to get an “invalid certificate” error for Twitter. I quickly became nervous, since a quick digging indicated that I was getting the wrong IP address for the domain

My first thought was: “I’ve been compromised”. After quickly verifying my hosts file and my DNS entry, all seemed fine on the surface. My second thought was: “my DNS server was compromised”, so I did the same lookup using OpenDNS and the new Google DNS, both coming up with different (but wrong) answers. Finally I checked a couple of other HTTPS sites and they seemed fine. So I took a deep breath and (putting my faith in NoScript and RequestPolicy) visited to find the following page:


Quick analysis:

  • This seems to be a “good old” defacement
  • A very likely scenario is that they somehow compromised the DNS registrar account (phishing, dumb password reset, etc) and changed it to point to another IP.
  • Currently I’m seeing a couple of different IPs out there for the domain:
  • The correct address seems to be, so if you put the following line in your hosts file, things should start working again (you might need to do an ipconfig /flushdns if you're on Windows):
  • The above is a hackish solution, and I would recommend using it only in life-and-death situations :-p. It is the best to let Twitter handle the incident and make sure that everything is cleaned up.
  • It is unclear when exactly the defacement happened, but it must have been in the last 10 hours or so. It might have been specifically targeted so that it is late in the day in the USA so that the reaction is delayed.
  • According to Google Translate (Babelfish doesn’t know Arabic unfortunately) the text below the picture says:

    Ok, so I'm a big ignorant idiot. The official language of Iran is Persian (also known as Farsi or Parsi), not Arabic. Thank you to Anonymous for pointing it out. According to this article the text in the picture says:

    This site has been hacked by the Iranian Cyber Army (on the flag)
    The USA thinks they control and manage internet access, but they don't. We control and manage the internet with our power, so do not try to incite the Iranian people (under the picture)
    Some people also seem to have screenshots with English texts on them.
  • The rogue server doesn’t seem to respond to any Twitter API requests, so it doesn’t look like they were going after usernames and passwords (which they very well might have done, considering the number of users who click through SSL certificate warnings), but just to be on the safe side, change your password and don’t use the same password on all sites!

Update: As of now all seems to be back to normal and all the DNS servers return the correct IP address. I’m waiting for an explanation from Twitter (mostly because I’m interested in how it happened :-)).

Update: Twitter acknowledges the hack on their blog and say that they will provide more information as it becomes available (however they erroneously affirm that the APIs were working correctly – they weren’t, since API clients use the same DNS record to contact Twitter – in fact this is how I became aware of the hack).

Bonus: what sources can you use to investigate such incidents?

  • First of all, be suspicious of SSL certificate errors! I know that they (sadly) are quite common these days, but be vigilant!
  • Check that the problem is not at your end. Check that you have the correct DNS server (there are a couple of malware families out there which set a custom DNS server for the machine to control the users browsing destinations). Check that the given hostname is not present in your hosts file (again, there are a couple of malware families using this method to misdirect users)
  • Check what the IP address should be, by using domaintools for example (and looking at the server stats page)
  • Try looking up the DNS name using several DNS servers (this might not work if your network filters DNS queries):
    # nslookup
    > set type=ANY
    > server
    > server
  • Another option is to use the vURL service to fetch the suspicious webpage from different locations and compare the results with what you are seeing.

Using these methods you can quickly ascertain with pretty good accuracy where the fault lies and take appropriate action. Have a safe holiday everybody!
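The checklist above (hosts file first, then your own resolver against public ones, then everything against a known-good address) written down as a small triage function. This is an added example and not part of the original post; the hostname, the addresses and the resolver answers are constructed. In real use you would fill `answers` from nslookup/dig output against each server and `known_good` from an out-of-band source such as the domaintools server-stats page mentioned above.

```python
"""Triage of a 'wrong IP for a well-known host' symptom: hosts file, then the
local resolver against public ones, then everything against a known-good
address. Added example, not from the post; all data below is constructed."""
import ipaddress


def hosts_file_entries(hosts_text, hostname):
    """Addresses the hosts file pins `hostname` to (comments and blanks ignored)."""
    pinned = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line, not an address mapping
        if hostname.lower() in (n.lower() for n in names):
            pinned.append(addr)
    return pinned


def triage(hostname, hosts_text, answers, known_good, local="system"):
    """answers: {resolver label: set of IPs it returned for hostname}; `local`
    is the label of the resolver your machine normally uses.
    Returns (verdict, evidence)."""
    pinned = hosts_file_entries(hosts_text, hostname)
    if pinned:
        # malware-style redirection on this machine; DNS never got asked
        return "hosts-file-override", {"hosts": pinned}
    good = set(known_good)
    ok = {label: ips <= good for label, ips in answers.items()}
    public_ok = [v for label, v in ok.items() if label != local]
    if all(ok.values()):
        return "consistent", ok
    if not ok.get(local, True) and public_ok and all(public_ok):
        # only the resolver handed to you by DHCP/router lies: local tampering
        return "local-resolver-tampering", ok
    if not any(ok.values()):
        # every resolver, including the big public ones, agrees on wrong data:
        # the zone itself was changed (registrar / DNS host account)
        return "authoritative-or-registrar-change", ok
    return "mixed-answers", ok   # propagation in progress, or partial hijack


# Constructed data: TEST-NET addresses, not real records.
HOSTS = """\
127.0.0.1   localhost
# 192.0.2.9  example.net   (commented out, must be ignored)
::1         ip6-localhost
"""
KNOWN_GOOD = {"192.0.2.10", "192.0.2.11"}      # from an out-of-band source
ANSWERS_HIJACK = {"system": {"198.51.100.7"},    # all wrong, and not even the same
                  "OpenDNS": {"198.51.100.8"},
                  "Google": {"198.51.100.7"}}

if __name__ == "__main__":
    verdict, evidence = triage("example.net", HOSTS, ANSWERS_HIJACK, KNOWN_GOOD)
    print(verdict, evidence)
```

Note that public resolvers disagreeing with each other is not evidence of anything by itself (round-robin and CDN answers differ all the time); the signal is whether each answer falls inside the set of addresses you obtained out of band, which is why the function compares against `known_good` rather than just looking for disagreement.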


  • Read about the subject on the TrendMicro Countermeasures Blog.
  • Some more links to information and the source of the defaced webpage at Hacker News.
  • SANS posted about the issue in the diary.
  • I've updated the translations, thanks to Anonymous
  • Twitter posted an update about the issue. It doesn't give many more details, it does however give a timeframe for the problem: between 21:46 and 23:00 PST. There are some rumors out there that somehow (phishing?) the correct password to the DNS management interface was obtained and it was used to modify the records. Twitter still has the original blogpost up saying that APIs were not affected, but this is not true! If you've used a third party Twitter client and you've clicked through the certificate warning (or maybe it doesn't use TLS at all), your password might have been compromised. Currently there is no evidence that the rogue server was logging passwords, but until some forensics is done on it, there is no sure way to tell if this was the case (it is trivial to configure a webserver such that it responds with a 404 error while still logging the details of the request, including whatever credentials the client sent along).
  • Arbor Networks posted a related article.
  • Sucuri has also posted about the issue. They have a nice little network monitoring / alerting system. You can also use them as a third-party information source.
  • ISS X-Force (part of IBM) has also a nice writeup about the incident.
  • Brian Krebs has an informative writeup on the SecurityFix blog about the issue which quotes Dyn's (the host for the Twitter DNS) CTO as saying: "Someone logged in who purported to be a legitimate user of their [DNS] platform account and started making changes", further strengthening the probability that a Twitter employee's email account was broken into via some mechanism.
  • There is also a lot of confusion out there, as it always is the case with (security) news. I've heard someone saying that "why did the DNS host allow the redirection of Twitter to a host in Iran?" - just to clarify: even though the hack was claimed by the "Iranian Cyber Army" (which might not mean anything! it could be your nerdy neighbor), the server it was redirected to was in the US.


Picture taken from pugetsoundphotowalks' photostream with permission.

Thursday, December 17, 2009

Discount Codes UK review


These days most online shops offer the ability to use discount codes at checkout and get a price reduction anywhere from 5% to 50%. These codes are announced in various media (like podcast or blogs), but even if you don’t follow the particular program, it is rather easy to find them with a search engine.

Given these premises, sites like Discount Codes UK are welcome. I didn’t use their services personally, but it is well organized, with direct links from the discount code to the store where you can use it, and it has a good reputation on sites which track such things (MyWOT, Norton SafeWeb and SiteAdvisor). For added safety I would recommend entering the addresses of the shops manually, rather than using the provided links. So there you have it: discount codes at your fingertips with the possibility to get a couple of percent off. And even if some don’t work, you have nothing to lose by trying them. Again a word of caution, especially around holiday shopping: be cautious and either use big-brand shops (like Amazon) or thoroughly check out the given shop (using a search engine and searching for phrases like “[shopname] complaints”, “[shopname] problems”, “[shopname] fraud”, etc). Better safe than sorry!

Full disclosure: this is a paid review from ReviewMe. Under the terms of the understanding I was not obligated to skew my viewpoint in any way (ie. only post positive facts).

Tuesday, November 24, 2009

I’m the spam killa’


I’m happy to announce that I’m one of two “spam killers” on the Software Engineering Radio website. Spam was starting to run rampant on their site, so they asked for help and I responded. It is so simple to donate your time to a worthy cause. You too can do it, it takes just a couple of minutes per day!

PS: If you are interested in software development / design, this is definitely a podcast you should give a listen.

Picture taken from Manuel_Marin's photostream with permission.

Screenshot forensics


One of the interesting things I like to do when reading (security) blog posts is to try to deduce details about the machine setup used. You can find some very interesting tidbits of information, like Sunbelt using Symantec AV on some of their machines.

A couple of current examples:

If you want to avoid exposing such details, try the following:

  • Crop the screenshot as much as possible. This has other advantages as well (smaller image size which leads to quicker display for example)
  • Remember that identification can be done in any number of ways:
    • Using prominent OS features (like the Mac OS X dock or the Windows start menu)
    • Using window “chrome” (title bar, frames, buttons on them, their color, etc)
    • Colors and fonts
    • Metadata in the image (if it was edited with Paint .NET for example, it is very probable that it happened on a Windows machine)
    • Never use “blur”, “pixelate” or similar effects to hide information: they are lossy but deterministic, so the hidden text can often be recovered by rendering candidate strings with the same effect and comparing. Paint an opaque solid rectangle over it instead, and strip the image metadata afterwards (an embedded thumbnail can carry the unredacted picture).

If you are really paranoid, you might want to consider taking the screenshot on an entirely different OS (Haiku for example :-).

Got fun “screenshot archeology” findings? Share them in the comments!

Picture taken from DeusXFlorida's photostream with permission.

Monday, November 23, 2009

Plugging a good friend of mine (not in a sexual way! :-P)


A talented photographer with a lot of beautiful images. Check them out below or on his flickr stream. Go OPE!

Today’s fudbuster


We begin today’s FUD-buster with – applause please – cyberterrorism via an “article”: Cyberterrorism: A look into the future. The article talks about Estonia (which is the poster-child for “cyber” incidents these days) and says the following thing (amongst other equally high-quality content) – emphasis added:

“The three-week cyberattack on Estonia threatened to black out the country's digital infrastructure, infiltrating the websites of the nation’s banks and political institutions”

The article cites as source (hey, at least they cite sources) an equally “well researched” piece from the which says almost the same thing. Now I seem to remember that the Estonia incident was just a large scale DDoS attack, so I’ve looked around for more reliable sources, like this article on Dark Reading Authoritatively, Who Was Behind The Estonian Attacks? by Gadi Evron (or see this other article). This confirms what I was remembering: it was a large scale DDoS attack with some minor defacements, but in no way were they “infiltrating the websites”.

The second (unrelated, other than the fact that it is an overstatement) quote comes from the Kaspersky blog, where we can read that:

“a vast amount of pirate software nowadays contains trojans, both for the PC and Mac”

This depends very much on your interpretation of “vast amount” (ask me how I know :-P). Of the actual pirated software shared in limited networks like college campuses, very little is infected. What are extremely likely to be malicious are the crack / keygen websites. Either they contain exploits directly or they bundle malware with the downloads. Another sneaky way, seen on P2P networks like Gnutella or eDonkey, is to run bots which respond to any search with an executable that contains the keywords in its name and is – of course – malicious. So, depending on your interpretation of “vast amount”, this doesn’t hold up.

The conclusion, as always: do your own research!

Picture taken from cooljinny's photostream with permission.

ActivTrak review


ActivTrak is an activity tracking and employee monitoring software. It currently supports the 32-bit versions of Windows 2000, XP and Vista, with 64-bit support “coming soon” (no word on support for Windows 7 as of yet). The features are the basic ones one would expect from such a product:

  • direct deployment from the management console (however this can become tedious for a large number of computers)
  • tracking active programs / windows and URLs (in case of browsers)
  • taking periodic screenshots
  • basic reporting about the data

One nice thing is the fact that it employs a “reverse connection” (ie. the server opens up a port and the clients connect to it). This has the benefit of requiring less configuration on the clients and reducing their attack surface, since the monitored machines don't have to listen on a port themselves (also, the server configuration part is done automatically during install). While trying it out, you can run both the viewer and the agent on the same machine (it will report it as “not running”, but the data will still be available). You can watch multiple workstations at once by tiling the screenshot windows and setting them to auto-refresh.

Two shortcomings of the program are the fact that (from what I understand) the server needs to be running continuously for data collection (then again, it might be just a misunderstanding on my part, but this was the impression I got). The second shortcoming (maybe it’s not a shortcoming, but definitely something to be aware of) is the fact that you have very limited interaction with the monitored computers: no controlling the mouse / keyboard / file-transfer. You can send messages and chat with the user. This means that the product can’t be used directly in a “support” type environment.

A final word of caution: consult with a lawyer before deploying such a solution (it might be illegal depending on the circumstances!). Also, consider the impact on the morale. If you have staff which needs this level of constant supervision, you might be better looking for new employees.

Full disclosure: this is a paid review from ReviewMe. Under the terms of the understanding I was not obligated to skew my viewpoint in any way (ie. only post positive facts).

Small Business VoIP review


I have posted reviews through ReviewMe for VoIP products before, but here is another one: Vocalocity is a provider specialized in small business VoIP. They’ve been in business since 2005 and all the reviews about them which I could find were glowing (one might suspect foul play given all the good reviews, but digging deeper, some of them mention problems and specify that the support was very good and helped them through the hiccups). Of course, if you had a negative experience with them, please share it in the comments.

An other positive aspect is that their pricing plan is prominently featured on their webpage, so you should have no problem finding it. They also pride themselves with not being resellers (“owning their own technology”) and have a nice office building:

View Larger Map

What else is there to say about them? If you are looking for a way to reduce the complexity of your phone network, take a look at them (of course, you have to consider other aspects of your business – like what level of guarantee you need that others won’t access the voicemail – the assurance you can provide in-house is always greater, at a higher cost of course).

Full disclosure: this is a paid review from ReviewMe. Under the terms of the understanding I was not obligated to skew my viewpoint in any way (ie. only post positive facts).

Saturday, November 21, 2009

To my dear wife


If you are viewing this from the RSS feed: please visit the blog to see the embed. Many RSS readers filter out embed codes.

Tuesday, November 17, 2009

Calls to action


With the motto “better late than never” here are some calls to action:

  • Vote for your favorite podcast on the Podcast Awards website. Votes are open until November the 30th and you can vote once per day (after you vote, you get an email with a link, which you must click on to validate your vote – this is to reduce the number of “fake” votes). If you are unsure which podcast to vote for, here are some suggestions: in the “Best Video Podcast” category I would recommend Buzz Out Loud – it is a very good (informative and fun) daily tech-news podcast. In the “Business” category I would recommend Career Tools – it (together with its sister podcast Manager Tools) is a great resource. In the Technology category I would recommend FLOSS Weekly – it is a superb podcast for all people interested in free / libre / open-source software. And it would be a great gift for them for the 100th episode which is quickly approaching. And besides – TWiT already won a couple of times :-). So go ahead my minions readers, fly like the wind and vote!
  • And here is a second poll related to Perl IDEs: What other technologies, languages, templating systems are you using besides Perl?

After you have done your deed :-D, you can relax with two fun flash games: Little Wheel, a fun old-school point-and-click adventure game with very nice artwork (including an interesting soundtrack). Or play nine-ball. Let the lightning be with you!

Little Wheel
Billiard Blitz 3 - Nine Ball

Surprising numbers


I was reading the latest FudSec piece (Generating a False Sense of Insecurity) where I found the following statement (emphasis added):

Facebook now has 300 million users. Let’s assume that each user has at least one piece of user-generated content on their Facebook page cause, well, it’s a very user-content driven site. That means that of the 300 million home pages on Facebook that 95% (285 million) has either a malicious link or other insecure content. Conversely that means that 5% (15 million) are clean, uninfected, safe pages.

The average Facebook user has 120 friends or 281 friends, depending on which news article you might be reading. Let’s just assume for mathematical purposes that the number is somewhere in the middle, at about 200 friends per user. Let’s pretend, too, that you visit every friend’s page in a single day. Because it’s your day off, of course, you wouldn’t actually do that at work.

The mathematical likelihood that one of your 200 friends is one of the 95% that is infected is infinitesimal.

This statement seemed a little off. After all, we are selecting 200 pages out of 300 million, of which 285 million are infected. The chance of landing on an infected / malicious page can’t be that low, right? Wrong! The problem as stated is known in mathematics (probability theory to be more precise) as “drawing without replacement”, and the distribution it gives rise to is the hypergeometric distribution. Long story short, Wikipedia pointed me to a calculator which says that – given the parameters quoted above – you have a 99.9999608980365% chance that all of your friends will be clean / non-malicious! Talk about counter-intuitive!
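To actually work the numbers rather than read them off a web form, here is an added example (this is not code from the original post, and it is not the online calculator referred to above): a hypergeometric calculator built on Python’s exact integer binomial coefficients, so nothing is rounded until the final division. The population, infected count and sample size in the main block are the figures quoted from the FudSec piece; the small 20/5/4 values used as a sanity check are constructed. Note what the exact computation returns for those parameters: when 285 million of 300 million pages are infected, the probability that a sample of 200 contains no infected page is on the order of 0.05^200, so a percentage close to 100% describes the complementary event (at least one infected page in the sample). Check which event a calculator reports before quoting its output.

```python
from math import comb


def hypergeom_pmf(population: int, successes: int, draws: int, k: int) -> float:
    """P(exactly k 'successes' in `draws` draws without replacement).

    `successes` is the number of items in the population that count as a hit
    (here: infected pages). The binomial coefficients are exact integers; the
    single final division rounds once to the nearest float and underflows to
    0.0 only for results below roughly 1e-308.
    """
    if k < 0 or k > draws or k > successes or draws - k > population - successes:
        return 0.0
    numerator = comb(successes, k) * comb(population - successes, draws - k)
    return numerator / comb(population, draws)


def prob_all_clean(population: int, infected: int, draws: int) -> float:
    """Probability that a sample of `draws` pages contains no infected page."""
    return hypergeom_pmf(population, infected, draws, 0)


def prob_at_least_one_infected(population: int, infected: int, draws: int) -> float:
    """Complement of prob_all_clean: at least one infected page in the sample."""
    return 1.0 - prob_all_clean(population, infected, draws)


def binomial_all_clean(population: int, infected: int, draws: int) -> float:
    """Same question *with* replacement, i.e. the textbook (1 - p) ** n shortcut.

    For a population this large relative to the sample it is indistinguishable
    from the exact hypergeometric value, which is why the shortcut is usable.
    """
    p_infected = infected / population
    return (1.0 - p_infected) ** draws


def sanity_check() -> bool:
    """Constructed small case: 20 items, 5 hits, draw 4. P(0 hits) = C(15,4)/C(20,4)."""
    expected = comb(15, 4) / comb(20, 4)
    pmf_sums_to_one = abs(sum(hypergeom_pmf(20, 5, 4, k) for k in range(5)) - 1.0) < 1e-12
    return abs(hypergeom_pmf(20, 5, 4, 0) - expected) < 1e-12 and pmf_sums_to_one


if __name__ == "__main__":
    assert sanity_check()
    # Figures quoted from the FudSec piece: 300 million pages, 95% of them
    # infected, 200 friends' pages visited in one day.
    population, infected, draws = 300_000_000, 285_000_000, 200
    print(f"P(all {draws} clean)              = {prob_all_clean(population, infected, draws):.3e}")
    print(f"P(at least one infected)        = {prob_at_least_one_infected(population, infected, draws):.15f}")
    print(f"with-replacement approximation  = {binomial_all_clean(population, infected, draws):.3e}")
    # Even if only 5% of pages were infected, 200 visits would almost surely hit one.
    print(f"P(>=1 infected | 5% infected)   = {prob_at_least_one_infected(population, 15_000_000, draws):.6f}")
```

The second-to-last line is the one worth remembering: the base rate can drop from 95% to 5% and a day of browsing 200 pages still reaches an infected one with probability above 99.99%. Sampling without replacement only matters when the sample is a sizeable fraction of the population, which 200 out of 300 million is not.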

Conclusion? First of all, trust but verify. If you hear something which sounds “off”, try to verify the information from multiple sources. Second, our brains don’t seem to be wired to evaluate probabilities “heuristically”, so one should always sit down and work out the exact math (there are a lot of free tools on the Internet which can help you) before making important decisions.

Picture taken from EraPhernalia Vintage's photostream with permission.

Web Hosting Site Review Review :-p


WebHostingChoice presents itself as a hosting review site (it contains categories like “best uk web hosting”), however it only seems to be a placeholder for a couple of affiliate links to a limited number of hosts. Their WOT (Web of Trust) rating isn’t so great either. While WOT has its limits (mainly because of its “crowdsourced” nature), when a site has several negative ratings, it can be a good indicator that there are problems with it.

So how to find a good webhost? First of all, you should realize that (usually) you get what you pay for (ie. “free” webhosts are rarely free). I would recommend going with a “big brand” company like GoDaddy or Rackspace. You can fairly easily find coupon codes for them (just listen to some technical podcasts) which can get you a considerable percentage (like 20%) off. Another company which seems very good is firehost. While they are a little pricey (especially compared to the other two companies), they consider security an explicit priority, which is very important these days IMHO – if they are willing to take on people with large targets on their back like Kevin Mitnick, they should be able to protect your business too.

Full disclosure: this is a paid review from ReviewMe. Under the terms of the understanding I was not obligated to skew my viewpoint in any way (ie. only post positive facts).

Monday, November 09, 2009

The leaked Microsoft COFEE product


So, the Microsoft COFEE (Computer Online Forensic Evidence Extractor) tool was leaked. I took a quick look at it, and – as expected – there is nothing “magical”, “secret” or “backdoorish” about it (even though I love the picture which comes with the Gizmodo article, the text itself is complete and utter BS – COFEE isn’t a tool “that helps law enforcement grab data from password protected or encrypted sources” as the article claims).

So what is Microsoft COFEE?

  • it is a collection of information gathering tools which are either built into Windows (e.g. net, arp, ipconfig) or can be freely downloaded from the Microsoft website (e.g. pslist)
  • it contains a simple case-management program which helps the user prepare the USB stick that is inserted into the target computer, and manage the collected information afterwards
  • the software on the USB stick is executed either using the autorun mechanism or by manually launching it. There is no built-in functionality to bypass passwords or other protection mechanisms
  • it also contains a detailed analysis of the registry / filesystem fingerprint of each tool (this is important if the other party argues that running the tool caused modifications on the system which are pertinent to the case)

Conclusion: there is no magical pixie dust here, move along! (in fact, it is quite similar to the winenum Metasploit script).

PS/Update: regarding the "defense" against these tools: first of all, they all seem to be user-mode tools. This means that they probably have limited capability of detecting kernel-mode rootkits. Also - from what I've seen - they are all public tools, so there is a good chance that there exists malware out there which "defends" itself against this software. Again, no magic.

Now before you conclude that this is utterly useless - if I were an IT forensicator :-p, I would prefer having this data compared to no data at all. It will give you some basic idea of the system (or the network for that matter, if run on every PC) which may enable you to come back with a very precise target in mind.

Picture taken from raddaqii's photostream with permission.

What VirusTotal is not


Since its inception VirusTotal has been used by people to compare different AV products (just in case you don’t know: VirusTotal is a great free service which scans the uploaded file with 40 AV engines currently and reports back the results). The AV industry has objected to this practice for a couple of reasons, some more valid than others IMHO.

Today however I want to talk about the practice of saying “(only) X% of AV detect this” and then giving a VirusTotal link. Two recent examples: here and here (to be clear: I don’t have anything against the particular blogs / companies / authors – there are many more examples of this practice, these are just two recent ones which came to my attention).

Why is this percentage meaningless and serves only to perpetuate FUD?

  • As a first argument I could mention all the discussion about AV engine configuration (this is frequently raised in discussions about detection rates, so I won’t dissect it further). A very thoroughly discussed argument is also that VT results represent a “point in time” rather than “now” (ie. detections may have changed since the scan was performed).
  • The second argument would be: VirusTotal goes for quantity, not necessarily quality. Ie. the fact that a given engine is included in the list of engines used by VirusTotal isn’t a statement about the engine’s resource use, detection rate or false positive rate. Again, this doesn’t mean that the engines used are of low quality, it just means that VirusTotal isn’t in the AV engine testing business. It doesn’t say anything about the market share of the product either.
  • This means that the affirmation “X% of the engines detect a given file on VT” isn’t equivalent to the affirmation “X% of the users using AV are protected” or “AV software is X% effective”. However these are the thoughts which appear (by association) in a reader’s mind when seeing the initial affirmation.
  • Furthermore, some engines appear in multiple products (for example GData integrates BitDefender – amongst others) while other engines appear “split” (for example the McAfee desktop product contains both the “classical” and the “cloud” engine, however on VT they appear as two separate entries, “McAfee” and “McAfee+Artemis” respectively). If these relations are not considered (and I’m almost sure that they aren’t – given that these relations are not always publicly documented and they can change over time), the results come out skewed.

Conclusion: please never, ever take the VT result page and copy-paste the percentage from it! Do provide permalinks to the result pages and you can even make some sensible general statements (like “most of the major AV vendors detect this threat” or “this threat is not well detected by the smaller, Asian AV companies, but given its reliance on the English language for social engineering, it might not be such a big threat”). However, giving a percentage reeks of FUD and smells of negative propaganda (do we really want to be at each other’s throats, analyzing which vendor doesn’t detect what? – there would be no winners in such a discussion). Let’s concentrate on giving sensible security advice to users instead.

Picture taken from Peter Kaminski's photostream with permission.

Monday, November 02, 2009

Grooveshark VIP member



I’ve written about Grooveshark in the past, however I want to mention them again for a couple of reasons:

First of all, they introduced a new user interface, which works great. More than that, you can now seek in the songs! This means that Grooveshark directly addresses three out of the five methods of music use which I’ve enumerated in my original post. There are some small quirks (I don’t really like the popup-type controls, where you first have to hover over them for the useful part to appear), but those are just a matter of personal taste. They’ve also made it available as a desktop application via Adobe AIR (currently available only for VIP subscribers).

Which brings me nicely to my second point: I’ve subscribed to their VIP service. I’ve been using them for a month now and I’m satisfied, so I thought I should give something back, aka. “vote with my money”. So, as of today, I’m a Grooveshark subscriber. A couple of things I didn’t like about the subscription process: there is an additional tax of 15% on top of the advertised 3 USD monthly price. Also, the subscription payment is set as recurring by default. You can deactivate it later, but even so, it made me feel a little uneasy. Still, I decided to give them some of my money. Hopefully I won’t regret it.

As of now, I can only recommend Grooveshark to everybody! If something happens, I will update this blogpost.

PS. I’ve also removed the widget from my blog. Currently Grooveshark seems to be a much better deal than for approximately the same amount of money.

Disclaimer: I don’t receive anything from Grooveshark, I’m just a happy subscriber.

Friday, October 30, 2009

How to generate a stackdump with GDB


I’m not a big GDB guy, but Google always helps:

  • Create a text file with the following content (the first line disables pagination, so the output isn’t interrupted by “--Type <RET> for more--” prompts; use thread apply all bt full instead if you also want the local variables of every frame):
    set height 0
    thread apply all bt
  • Run the following command (-batch makes GDB execute the command file, detach and exit; without it GDB drops to its interactive prompt after the last command and sits there waiting for input behind the redirect):
    gdb -batch -x $TEXTFILE -p $PID $EXE > $OUTPUTFILE
    • $EXE is the path to the executable
    • $PID is the PID it is running under
    • $TEXTFILE is the file where you’ve saved the previous commands
    • $OUTPUTFILE is the file where you would like your stackdump to be saved.
  • Two caveats: you need permission to ptrace the target (run as the same user as the process or as root), and the process is stopped for as long as GDB is attached, so on a production service expect a short pause.

The cool little crawling logo was taken from HiR, head over there for an explanation.

The importance of false positives


An interesting paper was brought to my attention recently by this blog post: The Base Rate Fallacy and its implications for the difficulty of Intrusion Detection. The central question of this paper is: if we have a flow of N packets per day and our network IDS has a false-positive rate of X, what is the probability that we are experiencing a real attack, given that the IDS says that we are? The paper uses Bayes’ theorem (of which you can find a nice explanation here) to put some numbers in and gets horrifying results (many false alerts), concluding that such a rate of FPs seriously undermines the credibility of the system.
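The paper’s central computation, as an added example (this is not the paper’s code, nor code from the original post): Bayes’ theorem applied to a single alert, with the traffic volume, the base rate of attacks, the detection rate and the false-positive rate as parameters, plus the inverse question a designer actually needs answered, namely how low the false-positive rate must be before an alert can be trusted. The scenario in the main block (a million packets a day, two attacks of ten packets each, a perfect detector) is constructed for illustration and is not taken from the paper.

```python
def bayesian_detection_rate(prior: float, tpr: float, fpr: float) -> float:
    """P(attack | alert): the probability that an alert is real.

    prior: P(attack), the base rate of attack events among all events (packets)
    tpr:   P(alert | attack), the detection rate
    fpr:   P(alert | no attack), the false-positive rate

    Bayes: P(A|alert) = P(alert|A) P(A) / (P(alert|A) P(A) + P(alert|not A) P(not A))
    """
    for name, value in (("prior", prior), ("tpr", tpr), ("fpr", fpr)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {value}")
    p_alert = tpr * prior + fpr * (1.0 - prior)
    if p_alert == 0.0:
        return 0.0  # the system never alerts, so an alert carries no information
    return tpr * prior / p_alert


def daily_alert_breakdown(events_per_day: int, prior: float, tpr: float, fpr: float):
    """Expected (true alerts, false alerts) per day: what the analyst's queue looks like."""
    attacks = events_per_day * prior
    true_alerts = attacks * tpr
    false_alerts = (events_per_day - attacks) * fpr
    return true_alerts, false_alerts


def max_fpr_for_ppv(prior: float, tpr: float, target_ppv: float) -> float:
    """Largest false-positive rate that still gives P(attack | alert) >= target_ppv.

    Obtained by solving bayesian_detection_rate(prior, tpr, fpr) == target_ppv for fpr:
        fpr = tpr * prior * (1 - target) / (target * (1 - prior))
    """
    if not 0.0 < target_ppv < 1.0:
        raise ValueError("target_ppv must lie strictly between 0 and 1")
    return tpr * prior * (1.0 - target_ppv) / (target_ppv * (1.0 - prior))


if __name__ == "__main__":
    # Constructed scenario: 1,000,000 packets a day, two intrusions of ten packets
    # each (base rate 2e-5), a detector that never misses (tpr = 1.0), and a range
    # of false-positive rates that all look excellent on a datasheet.
    events, prior, tpr = 1_000_000, 2e-5, 1.0
    for fpr in (1e-3, 1e-4, 1e-5, 1e-6):
        ppv = bayesian_detection_rate(prior, tpr, fpr)
        true_a, false_a = daily_alert_breakdown(events, prior, tpr, fpr)
        print(f"fpr={fpr:.0e}: P(attack|alert)={ppv:.3f}, "
              f"{true_a:.0f} true vs {false_a:.1f} false alerts per day")
    print(f"fpr needed for a 90% trustworthy alert: {max_fpr_for_ppv(prior, tpr, 0.9):.2e}")
```

The output is the paper’s argument in four lines: at a false-positive rate of 1e-3 an alert is right about 2% of the time; even at 1e-5, one false alarm per 100,000 packets, only two alerts in three are real, and reaching 90% needs a rate around 2e-6. The base rate, not the detector, sets this ceiling, which is why a rate that sounds tiny in isolation is the number to argue about when evaluating any alerting system.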

The issue of false positives is also a concern in the anti-malware industry. And while I rant quite a bit about the AV industry, you have to give this one to them: the number of false positives is really low. For example, in the AV-Comparatives test 20 false positives is considered many, even though the collection is over 1 500 000 samples (so the acceptable FP rate is below 0.0015%!). Update: David Harley was kind enough to correct me, because I was comparing apples (the number of malware samples) to oranges (the number of clean files falsely detected). So here is an updated calculation: the Bit9 Global File Registry has more than 6 billion files indexed (they index clean files). Take whatever fraction of that is used by AV-Comparatives for FP testing (as David correctly pointed out, the size of the AV-Comparatives clean set is not public information – although I would be surprised if it was less than 1 TB). Some back-of-the-napkin calculations: let’s say that AV-Comparatives has only one tenth of one percent of the 6 billion files, which would result in 6 000 000 files; to be even more conservative, assume 600 000. Even so, 20 files out of 600 000 is just 0.003%.

Now there were (and will be) a couple of big f***-ups by different companies (like detecting files from Windows), but still, consumers have a very good reason to trust them. Compare this with more “chatty” solutions like software firewalls or – why not – the UAC. Any good security solution needs to have an FP rate at least this low, and much better detection. AV companies with low FP rates – we salute you!

PS. There might be an argument to be made that different false positives should be weighted differently (for example depending on the popularity of the file) to emphasize the big problems (when out-of-control heuristics start detecting Windows components, for example). That is a valid argument which can be analyzed, but the fact remains that the FP rate of AV solutions is very low!

Picture taken from wadem's photostream with permission.