
Saturday, February 28, 2009

The limits of mob-style takedowns


It is interesting to observe the dynamics of the interactions on the Internet. In the last couple of years several hosting organizations (RBN, McColo and so on) have been taken down by "denouncing them to the masses". The usual flow of events was:

  • Evidence was gathered against them
  • The media "exposed" them
  • Their upstream providers cut the peering with them

What I find especially disturbing is that there is no "fair process" part involved here; it is all based on the varying sensibilities of the people who operate different ISPs. Now I'm not saying that these organizations shouldn't be taken down, but some kind of process should be placed around it, otherwise we will create a lot of collateral damage. A silver lining in this darkness is the ICANN procedure for negotiating with registrars: they have a process and, even though it is sometimes slower, it works, while still having the guarantees of a "fair process". The main reason I bring this up is because the FireEye blog has been running a series with "Industry Bad Actors":

Besides the fact that the posts have a xenophobic tendency (the enumerated organizations are from Ukraine, China, etc. - none from the USA), they don't give a clear and objective measure for classifying a network as "bad". So they found a couple of IPs in a network serving up malicious content. Is that enough to classify it as "bad"? I can show at least twice as many in US based networks (AT&T anyone?). These numbers are not proof of anything. In a recent study of malicious domain names I found that the correlation between the country and the probability of a domain hosted there being malicious is the same as the correlation between the country and its "connectedness" (to put it more simply: larger networks have more bad stuff in them). So please: let's move away from arbitrarily labeling networks as bad and let's try coming up with objective criteria and guidelines for fair process before we have more cases of innocent victims suffering because of hasty take-down procedures.

Mixed links


New blog in town: Telic Thoughts about information security - I especially liked their Is the CIA model still relevant? post. The CIA triad is a concept which I often reference and it is interesting to see how its limits are being pushed.

Windows Server 2003 SP1 Out of Support in April - the Microsoft site is confusing as always, but luckily the blogpost contained a link to the Microsoft product lifecycle search page.

From the /dev/random blog: Bash: History to Syslog - something I recently thought about and it is nice to see a solution.

Microsoft offers a simple online tool to help evaluate the functionality of routers - again, an interesting sounding tool with a webpage that offers zero information about what it is.

checksec - an interesting little script to check if different security features are enabled for your ELF files.

EH-Net compromised


Today I was greeted by the following e-mail in my inbox:

EH-Net Compromise Disclosure

EH-Net was compromised a few months back, and we are asking all members to immediately change their passwords. Although we do not hold any sensitive data such as social security numbers, credit card numbers, date of birth, etc., we still realize that, although it is not recommended, some members may use the same password for social sites such as ours as they do for more personally sensitive sites. If this is the case, please immediately change those passwords, too, and make both follow complexity guidelines.

We apologize for the late notification, but while we were in the process of cleaning the mess, we did not want the attackers to be notified. Our intention was to prevent multiple notifications and required actions by our members. Although we feel very comfortable in the status of the site and had planned on notifying all members, someone beat us to the punch. We are providing this link, so that our members can see that a select few accounts and their passwords have been released to the public. We do not know how many more they have or will make public. This makes it even more urgent to change your passwords.

We apologize for any inconvenience this has caused. Although many other sites have experienced the same issues, and we are clearly a target based on the content of the site, this in no way excuses us for this incident.

Donald C. Donzal
The Ethical Hacker Network

Pretty sad. I enjoy their challenges. This goes to show that you have to be always vigilant and assuming that your site is "unhackable" is a very dangerous attitude.

Friday, February 27, 2009

Mixed links


A new security Linux distro announced: SUMO Linux

Notes on hardening Apache – some of them are not applicable if you are installing Apache from packages. I liked the idea of mailing the admin whenever the server is (re)started.

IWF causing problems for – interesting. While it wasn’t intentional (it was more an interoperability issue), it highlights the potential problems of deploying in-band filtering.

TSAdminEx beta released – like Process Explorer for Terminal Server. You might want to check it out if you manage TS.

From the absoblogginlutely bookmarks: Using BITS to download large files – this can also be leveraged by malware to download files in a non-suspicious (less-suspicious) way, since the transfer is done by a trusted Windows service rather than by the malware's own process. Also, the Windows Post-Install Wizard. Looks interesting.

A followup on the DDoS of the Metasploit and other security sites: How Metasploit Turned The Tables On Its DDoS Attackers (from The Daily Incite)

building and scaling a startup – some interesting point-counterpoint type of discussion about scaling, especially how it relates to databases.

From Light Blue Touchpaper: Optimised to fail: Card readers for online banking [PDF]. It is somewhat disheartening to see how the implementations are downgraded from a security point of view, and also the fact that there are active attacks out there against these systems.

Via (the author of Curl): Despotify. The soundtrack with their introductory video is awesome!

Preventing Domain Group Policies from Applying – interesting stuff, much in the same vein as the Circumventing Group Policy as a Limited User article.

Embedded System Challenge – the idea was to modify an existing encryption circuit implemented in an FPGA to undermine its security (leak information, make it non-functional, etc.), but still make the basic sanity tests pass. The ideas in the papers are very interesting!

Draw a bunny!



So I joined a useless but fun meme started by Andreas Gohr. As you can see, my artistic skills are not that good, but it is still fun to experiment. I tag kurt wismer, Dan Dascalescu and LonerVamp.

Yahoo! Briefcase closing


Apparently Google isn’t the only big web company closing down some of its offering. I got this email today:


I didn’t use the service, but some of my readers (all 2 of them :-p) might, so watch out. As a security side-note: it is nice how Yahoo attaches a little icon to their “official” mails. The problem with this approach is that it isn’t scalable (should every entity have its own icon? who would make sure that the icons are distinct enough?). There is also a lack of awareness (I’m not sure that many people know that “official” mails should have this icon – this was the first time I observed it).

PostgreSQL data corruption issues


Lately I’ve been helping out a friend with PG data corruption issues. Usually PG is pretty good about data consistency, but it too can fail under extreme conditions (multiple power failures, fsync=off in the name of speed, no battery-backed RAID controller). The interesting thing I didn’t realize is that your transaction log can get corrupted!

Some errors I’ve seen include:

Exception [OperationalError] - [could not access status of transaction 1277830 DETAIL:  Could not open file "pg_clog/0001": No such file or directory. 
PANIC: corrupted item pointer [...]

Some ideas I've found / had:

  • Recreate the missing files with dd if=/dev/zero of=0001 bs=1024 count=256 (a 256 KiB zero-filled file, created in the pg_clog directory) – from here
  • Use pg_resetxlog (located in /usr/lib/postgresql/8.3/bin/pg_resetxlog under Debian/Ubuntu). This is a last resort: it throws away the write-ahead log, so run it only with the server stopped and after taking a copy of the data directory.
  • Dump and reload the data on another machine. A problem which can appear is that of data which violates constraints (like NOT NULL). One should remove all the constraints and add them back one by one, cleaning out the data which violates each of them.
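An added example (my code, not from the original post or from PostgreSQL itself) that maps the transaction id in the error above to its pg_clog segment and recreates that segment zero-filled only if it is missing. It assumes the PostgreSQL 8.x clog layout (8 KiB pages, 2 status bits per transaction id, 32 pages per segment, segment names formatted as %04X) and takes the data directory as an argument; the throwaway directory in demo_recreate() is constructed for illustration.

```python
# Added example, not code from the original post.  Map a transaction id to
# its pg_clog segment and recreate that segment zero-filled when missing.
# Assumes the PostgreSQL 8.x clog layout: 8 KiB pages, 2 status bits per
# xid (4 xids per byte), 32 pages per segment, segment names as %04X.
import os
import re
import tempfile

CLOG_XIDS_PER_PAGE = 8192 * 4
CLOG_PAGES_PER_SEGMENT = 32
CLOG_XIDS_PER_SEGMENT = CLOG_XIDS_PER_PAGE * CLOG_PAGES_PER_SEGMENT  # 1048576
CLOG_SEGMENT_BYTES = 8192 * CLOG_PAGES_PER_SEGMENT                   # 262144

_CLOG_ERROR = re.compile(
    r'could not access status of transaction (\d+).*?'
    r'Could not open file "pg_clog/([0-9A-F]{4})"', re.S)


def clog_segment_for_xid(xid):
    """Name of the pg_clog segment holding the status bits of `xid`."""
    return "%04X" % (int(xid) // CLOG_XIDS_PER_SEGMENT)


def parse_clog_error(message):
    """(xid, segment) from a 'could not access status of transaction'
    error, or None if the message is something else.  A segment name that
    does not match the xid means the error is not what it looks like."""
    m = _CLOG_ERROR.search(message)
    if not m:
        return None
    xid, segment = int(m.group(1)), m.group(2)
    if clog_segment_for_xid(xid) != segment:
        raise ValueError("xid %d does not live in pg_clog/%s" % (xid, segment))
    return xid, segment


def recreate_clog_segment(datadir, xid):
    """Create a zero-filled segment for `xid` under <datadir>/pg_clog and
    return its path; return None when the file already exists (an existing
    segment is never overwritten).

    Caveat: zero bytes mean "in progress" in clog, and a transaction that
    is neither running nor marked committed is treated as aborted, so rows
    written by the affected transactions become invisible afterwards.
    Stop the server and copy the data directory before running this.
    """
    path = os.path.join(datadir, "pg_clog", clog_segment_for_xid(xid))
    if os.path.exists(path):
        return None
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(b"\0" * CLOG_SEGMENT_BYTES)   # same as dd from /dev/zero
    return path


def demo_recreate():
    """Run the procedure against a constructed throwaway data directory and
    return (segment name, file size, result of a second run)."""
    datadir = tempfile.mkdtemp()              # stand-in for the real PGDATA
    os.mkdir(os.path.join(datadir, "pg_clog"))
    path = recreate_clog_segment(datadir, 1277830)
    return (os.path.basename(path), os.path.getsize(path),
            recreate_clog_segment(datadir, 1277830))


if __name__ == "__main__":
    print(demo_recreate())
```

Transaction 1277830 divided by 1048576 transactions per segment gives segment 1, which is exactly the pg_clog/0001 the error complains about; parse_clog_error() refuses to proceed when the two disagree, which is the sanity check to do before touching any file under the data directory.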

This is very much a “work in progress” situation, since I didn’t manage to solve it to my satisfaction, but maybe these pointers will be useful for somebody.

Image taken from nvshn's photostream with permission. Created with corrupt – the data corruption software :-)

8bit music



I was checking out the site of the hugi e-zine the other day, where I came across the following announcement:

22 December 2008: News: CGM UKScene Radio is back online
News from Solorize: "I have decided to start up the station again! With Nectarine being down I thought I should start streaming again as I do have a lot of demoscene music, which I am sure a lot of people would like to hear again. I have put together a very simple website (but I will revamp it when I have more time):, and the new stream URL is: I have opted for a 32kbps parametric stereo AAC+ stream as it will allow more listeners and still gives good quality sound."

And sure enough, you can listen to great retro music on the station. It brings back memories of the old videogames I used to play on my 386 :-). Give it a try! (If you are looking for a great no-fluff media player for Windows, check out foobar2000 – it is free, very lightweight and can do everything you can imagine).

Image taken from Wbs 70's photostream with permission.

Quick tips for installing PHP + IIS7 under Windows 7



If you are trying to install PHP under the default configuration of IIS7 with Windows 7 (and presumably Vista & Server 2008, but I observed it under Win7), you might run into problems (for example getting “Service Unavailable” errors). Here is how I managed to fix them:

First, make sure that you’ve installed all the “Application Development Features” as shown in the screenshot below. They are not installed by default and at least some of them are mandatory for being able to load PHP (I would assume that they are “CGI” and “ISAPI Filters” / “ISAPI Extensions”), but install them all, just to be on the safe side.


Now (from an Administrator command line) go to the “C:\Windows\system32\inetsrv\config” directory and open up the file “applicationHost.config” with notepad (make a backup copy of it first). Remove all the references to PHP. Finally, re-add the *.php <-> php5isapi.dll script mapping. Make sure that all your apppools are started and now everything should work.

I got some of the advice from this blogpost: Where did my IIS7 server go? Troubleshooting 503 "service unavailable" errors. Picture taken from psd's photostream with permission.

Wednesday, February 25, 2009

Mixed links


Multiple websites on Windows XP – links to IISAdmin. It doesn’t seem to work 100%, so caveat emptor.

From the as days pass by blog: Opera Web Standards Curriculum. A nice addition to the Sitepoint references.

Google apologizes for the Japan fiasco – in a big company it is hard to enforce standards across the board, but it is nice to see the swiftness and openness of their reaction (the gist of the story is: Google came out against paid posts, but Google Japan used them to market itself) – see also Matt Cutts’ post about the issue.

Via slashdot: How to write a Linux virus in 5 easy steps (also the followup) – it is a low-tech, high-impact type of situation, similar to the social engineering scams we see a lot of on the Windows side.

Another one from slashdot: Static analysis of the SHA3 submissions’ reference implementations. Interesting read. Also, the submission Bruce Schneier contributes to had no bugs :-)

A good summary of the Pirate Bay trial: The Definitive Primer to the Pirate Bay Trial

From the day there was no news.

From Abstruse Goose:

Caching Tutorial for Web Authors and Webmasters – a well written and comprehensive guide about caching on the web.

From /dev/random: Dokan – a user-mode filesystem for Windows (like FUSE under Linux). Very cool, although I can get less and less excited about Windows technology. This means that you don’t have to write kernel-mode drivers anymore to support a new filesystem. It also provides an implementation for SSHFS.

Top Ten Web Hacking Techniques of 2008 – from Jeremiah Grossman’s blog. Interesting and worth checking out, because it is very probable that you’ll find some you didn’t know about.

An epic Bill Gates e-mail rant (related: No BS: A glimpse of the real Bill Gates) – the nice part about this is that the “big boss” not only understands but actually uses the product which is being made. A lot more companies could benefit from this approach!

Write in C – a funny video:

A classic piece from Charles Petzold about pregenerated code: Does Visual Studio Rot the Mind?

Image taken from Indy Charlie's photostream with permission.

Migrating feeds over to Google Feedburner


I migrated over the feeds from Feedburner to Google Feedburner. Everything seems to have gone well and hopefully there won’t be any problems. All you need is to sign into your Google Account, after which you try to sign into Feedburner and it will automatically offer to bind the Google account to your Feedburner account. Hopefully the old URLs will all work (they seem to at the moment). Some useful links:

If you are using Feedburner, you might want to sign into your account to migrate over to Google (the deadline is AFAIK the 28th of February).

Image taken from dannysullivan's photostream with permission.

Massaging DVDs


A couple of tools that can be used to move around DVDs (and video files in general). All the tools are free, many of them open source. Some of them might include additional programs (like toolbars), but they can be deactivated during install. Sorry for the list being Windows centric, but I was a Windows guy for the longest time.

  • AutoGK – Auto Gordian Knot – the mother of all encoding utilities. It merges a lot of utilities in one package and makes them interoperate. Secunia PSI reports that the media player classic it contains has some vulnerabilities, but it can safely be deleted (it isn’t a vital part of the package)
  • DVD Shrink – to get a bigger video DVD on a smaller one. Download it from here. Very easy (and straight forward) to operate. Even with the highest quality settings it is quite quick on modern hardware.
  • VirtualDub – one of the best linear video editors out there. And it’s FLOSS!
  • AviDemux – a cross platform alternative to the previous. I mentioned it in an earlier post.
  • CDBurnerXP – does everything Nero does, for free. Can be flaky sometimes; a simple restart of the program solves the issues
  • DVD Decrypter – to get ISO’s of video DVD’s. It is reported that DVD Shrink sometimes works better on these ISO’s than directly from the disk.
  • 7zip – archive utility which can peek into ISO’s (there are others out there with the same ability like IZArc)
  • Videolan VLC media player – play back everything,including files and DVD’s
  • Daemon Tools – to mount ISO’s

Image taken from samantha celera's photostream with permission.

Tuesday, February 24, 2009

Parse the camel


A quick note about the B::Deparse Perl module: use it to tame hairy (obfuscated) Perl code, even code like this. It recompiles the parsed program back into readable Perl source, so you see the code as the interpreter understood it (including the implicit loops added by command line switches). Use it like this (followed by the script name, or by -e and the one-liner):

perl -MO=Deparse

In the area of obfuscation, but more on the funny side, there are Acme::Smirch and Acme::Bleach.

Have fun!

PS. You can exercise your skills on the perl one-liners. What I especially like about them is the fact that they make you recall things which you might not have used for some time, like the scalar result of a replacement regex or the command line switches to loop over STDIN.

Picture taken from steve phillips' photostream with permission.

Interesting site / videos


I finished watching the Crash Course from It is interesting and slightly frightening. Although my BS detector had some faint signal (like saying on the front page “Chris Martenson, PhD”, only to find out on a closer read that he is not a PhD in economics), I’m no economist to judge how accurate the description is, but it is interesting to watch. Embedded below for your convenience:

For the final video visit the website. A similarly oriented YouTube channel is the Byron Dale Channel. Of course caveat emptor, you shouldn’t take anything at face value.

I saw/read about SSLstrip – should I be afraid?


A friend of mine said that he saw the SSLstrip presentation from BlackHat DC 2009 and asked me if he should be afraid. Here is the advice that I gave:

  • you shouldn’t be afraid. Fear is a bad motivator because it wants to force you to act quickly. A much better concern is informed concern.
  • if someone really wants to get to you (think TLAs – Three Letter Agencies, but also some very skilled individuals are in this category), they can, so I’m talking here about the shotgun-type attacks which people are much more likely to encounter
  • the good news: this attack requires someone to be “in the middle” of your conversation (it is a Man-In-The-Middle type of attack). Such attacks can be executed using things like ARP poisoning or BGP hijacking.
  • the bad news: it is a MITM attack :-) There are already quite a few pieces of malware in the wild with the capability to do ARP poisoning in an automated way and it is quite likely that (in the near future) they will add these methods to their arsenal

What can you do? If you are using Firefox, use the NoScript extension to force sites into HTTPS mode. As a site owner you might want to ensure that “secure” domains are only accessible via HTTPS (for example, listening only on 443 and not on 80). This of course is not always possible, and note that it only helps when the user’s first request already goes to 443: an attacker in the middle can accept the victim’s plain-HTTP request himself and proxy it to your HTTPS port, which is exactly what SSLstrip does.

Further info (from the Security4all blog):

Presentation slides and a video of the presentation. Below you can see a short interview about the topic:

Picture taken from JoVivek's photostream with permission.

Does Google Chrome prevent CSRF?


Some time ago I was reading the article Session Destroyer: Automatic Webapp Session Invalidation from the Linux Journal. It was a neat idea, however the part which piqued my interest was the following:

Mozilla Firefox does not protect you against this attack by default. However, Google Chrome supposedly does because they implement each tab in its own virtual sandbox.

I tried to search around, but didn’t find any results which seemed relevant, so I went ahead and did some experimentation on my own. The results are:

  • No, Google Chrome doesn’t introduce further sandboxing to the passing of cookies between requests coming from different sites (this is the main reason CSRF works). I tested this in all the process modes available for Chrome (and it is logical that they all behave the same, since whether or not cookies are passed is a “higher level” policy, not something decided by the process model)
  • I also tried it with IE 8, the other browser at the moment which uses processes to separate out tasks. Besides being much slower (adding another entry to my Windows 7 annoyances list), it didn’t show different results. (BTW, I did the comparison with the “process-per-tab” mode for Chrome to compare oranges to oranges, and it still was considerably slower!)

The conclusion? The initial comment was made probably because of a misunderstanding. Still, a solution of this sort might be useful. What I’m pondering here:

  • each tab has a “zone”. The zone is determined by the FQDN of the address entered in the address bar (ie. clicking on links doesn’t change the zone).
  • cookies are sent with the request only if the site which set the cookie and site which is sending the cookie are in the same “zone” as specified by the same origin policy

What does this break? Probably some Web 2.0 widgety type things (in the sense that they have to revert back to the “copy this snippet over there” mode or require an extra login – both of which are tolerable). However it may also break situations where people navigate using search engines (ie. they don’t enter the address but rather search for it).
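An added example (my code, not part of the original post and not anything a browser actually implements): a small model of the “zone” policy sketched above next to today’s cookie behaviour, run over a constructed scenario with made-up hostnames (bank.example, evil.example, search.example). It shows both the cross-site request the policy would block and the search-engine navigation it would break.

```python
# Added example, not from the original post: a toy model of the "tab zone"
# cookie policy next to the classic behaviour.  Hostnames are made up.

class CookieJar:
    """Cookies keyed by the host that set them (path and expiry ignored)."""

    def __init__(self):
        self._by_host = {}

    def set_cookie(self, host, name, value):
        self._by_host.setdefault(host, {})[name] = value

    def cookies_for(self, request_host, tab_zone=None):
        """Cookies attached to a request to `request_host`.

        tab_zone=None -> classic behaviour: every cookie set by that host
                         goes out, whatever page triggered the request.
        tab_zone=host -> zone policy: the cookie goes out only when the
                         zone of the tab (the FQDN typed into the address
                         bar) is the host that set it, i.e. same origin.
        """
        cookie_host = request_host          # cookies are stored per host
        stored = self._by_host.get(cookie_host, {})
        if tab_zone is None or tab_zone == cookie_host:
            return dict(stored)
        return {}


def csrf_scenario(use_zones):
    """Three tabs: the bank tab logs in, an attacker tab fires a cross-site
    request at the bank, a search-engine tab follows a link to the bank.
    Returns whether each of the two later requests carried the session."""
    jar = CookieJar()
    zone = (lambda host: host) if use_zones else (lambda host: None)

    # Tab 1: user types bank.example into the address bar and logs in.
    jar.set_cookie("bank.example", "session", "s3cr3t")

    # Tab 2: user visits evil.example, whose page submits a hidden form
    # (or an <img src=...>) to bank.example -- the CSRF request.
    cross_site = jar.cookies_for("bank.example", zone("evil.example"))

    # Tab 3: user searches for the bank and clicks the result; clicking a
    # link does not change the zone, so it is still the search engine.
    via_search = jar.cookies_for("bank.example", zone("search.example"))

    return {"csrf_request_had_cookie": "session" in cross_site,
            "search_click_had_cookie": "session" in via_search}


if __name__ == "__main__":
    print("classic:", csrf_scenario(use_zones=False))
    print("zones:  ", csrf_scenario(use_zones=True))
```

With zones off both requests carry the session cookie (the CSRF succeeds); with zones on neither does, which is the trade-off in one picture: the forged request is stopped, but so is the perfectly legitimate click from the search results, and the user would have to log in again.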

Image taken from nellee100's photostream with permission.

Update: a somewhat related post - Bug in Internet Explorer security model when embedding Flash. Very cool!

Monday, February 23, 2009

A very cool scene from a film


And I write rhyming titles. W00t! :-) The scene is from the 1986 film Crossroads:

Just in case the copyright overlords take that one down, here is an alternative version:

How to handle problems?


Pretend they don’t exist!

Some time ago I complained about WinPatrol. Today its author published a blogpost badmouthing Adobe because of the recent flaw in Adobe Reader. Myself in turn, posted a comment pointing out that no software is perfect (his included) and furthermore: the advice he gives is partially wrong and leaves people exposed to exploitation.

You see, he recommends for people using his product to disable the Adobe Reader ActiveX. However, all that this does is that it disables the loading of PDF’s in IE. It doesn’t disable it in Firefox and even IE still remains vulnerable, since it will offer you to download and/or open the PDF’s, and the moment you open it (inside or outside of the browser), the shellcode gets a chance to be executed.

And what did he do? Deleted the comment :-)

PS. The correct solution is to disable Javascript (this will kill the current exploit circulating out there not because it is a flaw in JS, but because – probably for convenience – it uses JS) and patch as soon as a patch is available. Also, consider using alternative readers (even though they have their own set of flaws, the probability of them being targeted is lower).

Image taken from kennymatic's photostream with permission.

Mixed links


New School Information Gathering Toorcon X Edition Video – embedded below. You can also download the presentation. Very interesting and a lot of tools are mentioned which can be useful for reconnaissance.

It looks like the GDrive is coming. Hopefully soon I can build my home-grown backup strategy, which should look something like this: home folder under SVN, synchronized to a home server (with encrypted drive), synchronized to SkyDrive and GDrive (using password protected archives of course).

Towards a Law of Malware Probability – nothing extraordinarily new, but synthesizes the current information well. The summary: there will be more malware. Lots more :-)

From Andy ITGuy: 25 Random Reasons I Won’t Tell You 25 Random Things About Me – a funny (but very good) post about why the “tell X things about yourself nobody knows” meme is stupid. We should all rather draw bunnies.

How frequently are results in the McAfee SiteAdvisor service updated? It seems not very often. This of course shouldn’t be a big surprise, because (a) this process is resource intensive and (b) just because a service didn’t do anything bad with your signup email address (ie spammed it) for a couple of days, you can’t say that it won’t do so in the near future.

After talking about a similar Python feature, it is only fair to mention this in Perl: Class::Sniff can be used to create nice dependency diagrams between the used packages.

A funny response to the "10 kinds of people" meme from AbstruseGoose.

Sandi is bothered by advertisement in the feeds. My opinion? Nothing is for free. And as long as they give me full feeds, I’m not bothered by a little advertisement.

A little HTTP proxy written in Python. Cute.

Image taken from Cross-stitch ninja's photostream with permission.

Thursday, February 19, 2009

Brave new world


What do you call a world where tens of thousands of people have the ability to take out a considerable part of an important infrastructure item? This is the world we live in. Tens of thousands of people can create botnets and use them to attack other sites.

Most recently the Metasploit site was attacked together with other security sites. They’ve seen a 15MBps traffic, which isn’t much by networking standards, but it can definitely bring a webserver to its knees. If you have a website, ask yourself this question: how likely is that your host will stand up to such traffic? The response probably is: very unlikely. Just a few big players can afford to take on these attacks, mostly because they have a high degree of distribution and redundancy (think Google, Akamai, Microsoft, etc).

The conclusion? There is no conclusion... We should start to put more effort into cleaning up computers and preventing their infection or accept that tens of thousands of people have the ability to take down sites at will in this new technocracy.

PS: The Computer Defense blog put up the analysis of a survey about DoS. Read part 1 and part 2.

Image taken from Idea-Listic's photostream with permission.

Spot the flaws in the Windows 7 UI


I've been playing around with the Windows 7 beta for a couple of days now, and it feels painful! Regardless of what Leo Laporte says, it is very much a beta. And even the recent beta releases of Ubuntu are better than this. Below you can see a screenshot in which I tried to exemplify as many bugs as possible:

Now here is my buglist (including things that are not visible from the picture):

  • The initial "one icon to represent everything" (running programs and programs which might be run) was confusing to me, so I tried to revert to a more classic method - however, as you can see from the picture, it is still very confusing: it seems to try to respect the original order of the icons, sticking IE and Explorer to the left and Media Player (which is not started) in the middle. The uneven spacing is very confusing.
  • Also, the new design manages to actually show less info at once and overflows very quickly.
  • For applications which have a single window, the popup that should help you select between the windows is blank (you can see the dark-gray rectangle in the screenshot - it was generated by hovering over the Metasploit button)
  • Hiding the notification area has two issues: first, it makes it harder to access icons which you do want to keep an eye on. Second, it will almost certainly be "hacked" by application vendors to make their icon always visible (this can be achieved currently by going to the "Customize..." option, so you can do the same programmatically), thus negating any benefit.
  • The explorer doesn't have a "one level up" button any more, just a back button. Given that most of the windows are based on Explorer, or at least use the same metaphor, this is very annoying. For example, when configuring IIS, there is a discrepancy between the folders you see on the left (and the "address" shown) and your actual position. To put it another way: there are situations where there is no way to go "one step back".
  • IE8 beta offers to download IE8 RC1, but on the page it takes me to there is no link for Windows 7!
  • After searching for something from the search box and clicking on a link from the result page, the search box is filled with the URL!

I have a theory (based on personal observations) about Microsoft shooting themselves in the foot (even though I'm not saying that it is a bad thing) with the recent UI changes (beginning with the Office 2007 ribbon): these UIs might make it easier for first-time users, however they force you to throw away all the things you have in "muscle memory". This is annoying for power users (every time I have to use Office 2007 I have violent reactions) but it is outright catastrophic for less computer-savvy people who've learned "dances" like "go to the third menu and click the fifth element". Another contributing factor (which might be specific to non-English speaking countries) is the large number of English Windows/MS Office installations combined with the fact that most people don't speak English, so these types of memorizations are their only solution. All of these people are left out in the cold with these UI changes. Most people (from my experience) don't learn by reading a book or a help file, they learn from other people. But with the latest release MS nullified all the expertise in the domain, making this kind of "folklore" almost impossible.

Update: here are two "bonus" videos - one displaying a Mac OS X UI to the text of a Windows 7 presentation, and the second one convincing people that KDE is the new Windows 7. I got the second link from Jupiter Broadcasting.

Wednesday, February 18, 2009

Writing binary values to files from VBScript


Browsing the interwebs, I came across the following article: Invisible Denizen: ie_unsafe_scripting metasploit module. In it I found a part which raised my curiosity:

Unfortunately, it does not allow you to directly write binary files to the file system. (You can use WScript.FileSystemObject to create a 'text' file that contains binary data, but this will only work if you are in an ANSI / ASCII-based version of Windows, such as us in the USA. If you're in Japan, it apparently epicfails. No promises mine won't do the same thing, even though I've tried to work around it.)

So I followed the link and was surprised to find that indeed, the naive code only works for some locales (like English or Romanian). The reason is that a FileSystemObject text stream converts the script’s string through the system ANSI code page when writing, which happens to round-trip all 256 byte values on a single-byte code page, but mangles them on a double-byte one (such as Japanese, where some byte values are lead bytes of a two-byte character). The comments in the post also give a solution which I’ve seen in a lot of malicious scripts: using ADODB.Stream (opened in binary mode, Type = 1), which writes the raw bytes without any code page conversion, and this clears things up.

PS. The code generated by msfpayload ... V is not VBScript, rather it is VBA (Visual Basic for Applications, which can be found in MS Office and other programs) and still has the old Basic syntax for opening a file in binary mode, something VBScript lacks.

Image taken from hercios' photostream with permission.

Books to read


I’m entirely aware that probably I won’t have time to read all of them, but I’m putting them here for future reference (all of the linked books are free):

Image taken from ailatan's photostream with permission.

Mixed links


From Slashdot: Facebook Scrambles To Contain ToS Fallout. I especially liked the line “a new Facebook group called 'People Against the new Terms of Service' that has added more than 10,000 members today” (emphasis added). So yeah, start a group on the same site we are disagreeing with to show our protest. That should show them :-)

From the OldNewThing blog: Another Seattle bus tool: One Bus Away – a site to provide real-time updates for the busses in the area. It also reminded me how low-tech solutions can be very effective (in this case relaying the distance rather than full-blown GPS coordinates). I also recall hearing that in Romania there is a very effective low-bandwidth communication channel between train-stations using the tracks (which has the advantage of not needing extra conductors to be laid down).

Raymond Chen tells us that there is no API to get the sizes (or count) of files in a directory. I’m sure that he is talking about documented API’s :-). If you want to go the undocumented way, here are some pointers to get you started.

From mnot’s Web log: Stop it with the X- Already! Very interesting, I didn’t know that there was a convention to prefix with “X-“ the names of things considered experimental (then again, what is experimental, since we have a lot of such elements in our protocols).

From the Simple DBA blog: HotSos, Concurrency, Papers and Related Thoughts. It discusses concurrency issues with databases (see the full paper here: Seven Sins of Concurrency). The reason this is very interesting is because, in many ways, databases abstract away concurrency issues (in fact ACID is specifically defined in the context of multiple users accessing the database simultaneously).

A little library to compute all kinds of distances between two streams of bytes: distance. It is also a good overview of the distance metrics out there (although I’m not 100% sure that they all are metrics in the strictest sense of the word).

From Nati Shalom's Blog: Have we learned the lesson from the recent economic meltdown?

Children of Men – looks like a Sci-Fi film worth watching.

From the blog: Submarine cable repair: “Ever wonder how broken undersea cables get repaired?”. Interesting stuff. The most surprising thing to me was how they pick up the cable from the sea floor. Again, simplicity prevails over complex precision operations.

A Python feature I can get excited about: Universal Newline Support. You can use it to read files line by line without worrying about the newline conventions they use (Unix, Windows, Mac).
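As an added illustration (not from the original post), here is how the three newline modes of Python 3's text layer behave on one constructed byte string that mixes all three conventions, plus a check that matters when the lines come from untrusted input: str.splitlines() recognizes more separators than the file layer does, so a parser that mixes the two can be made to disagree on the line count.

```python
import io
from typing import List, Optional, Tuple

# Constructed sample (not from the original post): CRLF, a lone CR and LF in one "file"
SAMPLE = b"first line\r\nsecond line\rthird line\nfourth, no terminator"


def read_lines(raw: bytes, newline: Optional[str] = None) -> Tuple[List[str], object]:
    # newline=None : universal newlines; CRLF, CR and LF all end a line and are
    #                translated to LF (the default for text-mode files)
    # newline=""   : universal splitting, but the terminators are kept verbatim
    # newline="\n" : only LF ends a line; a lone CR is ordinary data
    # Returns the lines and the terminators the decoder saw (None when untracked).
    with io.TextIOWrapper(io.BytesIO(raw), encoding="utf-8", newline=newline) as f:
        lines = f.readlines()
        return lines, f.newlines


def line_count_mismatch(text: str) -> Tuple[int, int]:
    # str.splitlines() also breaks on \x0b, \x0c, \x1c-\x1e, \x85, \u2028 and
    # \u2029, which the file layer does not. Returns (count per splitlines,
    # count per file layer); attacker-chosen input can make the two disagree.
    from_file, _ = read_lines(text.encode("utf-8"))
    return len(text.splitlines()), len(from_file)
```

In Python 2 the same behaviour was opt-in through the "U" mode flag; in Python 3 newline=None is the default, and newline="" is the setting the csv module asks for so that quoted fields containing line breaks survive intact.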

From the Technorama blog: Star Trek as the A-Team - very, very funny, especially given that both of those series were defining parts of my youth.

From the programming stuff blog comes this book review: Book Review - The Adventures of Dr Debugalov. While the book itself doesn't sound worth buying, it pointed me to this series of cartoons, which are mildly funny.

I was inspired by a post on the Windows Incident Response blog to find a reference to programmatically disable the Windows System File Protection. So here it is: Hacking Windows File Protection.

From the Educated Guesswork blog: Trapcall – a method to spoof caller ID. No surprise there, but it still might be news to people just how easy it is to spoof caller ID.

Anton Chuvakin reviews a book about conflicts in the next 100 years. I really, really hope that there will be no such things, since we already have the technology to bomb ourselves back into the stone age (if not to extinction) and it is really frightening how easily such a conflict can be provoked.

A stackoverflow question pointed me to this article: Patterns for things that change with time. One thing I would like to add is that you need to analyze the frequency of accessing the different versions of the data (i.e. the latest version, versions from the last month, and so on) and plan your storage method accordingly. Using a single table (I’m talking in the RDBMS context here) with a separate column to store the version / timestamp or something equivalent can lead to less than optimal performance.

From the Demotivator Blog (warning, some of them are offensive):

Image taken from stuart.mundy's photostream with permission.

Tuesday, February 17, 2009

Update to the Top Commenters widget


Some time ago I created a "Top Commenters" widget for Blogger using Yahoo Pipes. Unfortunately my efforts to use the resulting RSS directly failed. The problem was that Blogger kept displaying older entries, even though I tried a bunch of different things to convince it that the elements were new (like setting the date, adding random characters to the name and/or the link). Even after extensive discussions on the Blogger Help Group I couldn’t figure it out.

So I gave up and embedded the Blogger widget offered by Yahoo directly. I didn’t want to go this way for two reasons: I didn’t want my readers to have to load another piece of JavaScript. Also, from a security standpoint, it is better not to load JavaScript / Flash from third party sources (not that I don’t trust Yahoo, but better safe than sorry).

PS. I checked out some alternative RSS manipulation services, but none of them could deliver HTML in a usable enough format. So until Yahoo offers HTML output or I figure out the mysteries of the Blogger RSS fetcher, I’m stuck with this solution.

Image taken from Tomas Caspers' photostream with permission.

Back of the napkin security research


I came up with the idea after seeing the following quote on the metasploit website:

"powered by phpbb" "hacked by" - Results 1 - 10 from approximately 239.000

So you could do something similar to the TIOBE index (and with the same level of "accuracy" - this is more a fun thing than something which should be taken seriously).

I came up with the following two:

WordPress "hacked by" ~ 93.000 
"" "hacked by" - 9

Have fun :-)

Image taken from Tolka Rover's photostream with permission.

Update: the idea was to include a string which is present in all the installations of the particular product (a kind of "watermark"), and the string "hacked by" (because many defacers include this in their message). Sorry if I implied that any particular site was hacked.

Monday, February 16, 2009

Interesting (and informative) videos


10 Things about Hard Drives:

Also check out the guy's YouTube page, because it contains two other interesting videos from the domain of data recovery (and he seems to be somebody who actually knows what he is talking about when it comes to hard drives, not like some other people).

Tyler Pitchford - They Took My Laptop! Search and Seizure Explained – if you don’t have QuickTime installed, you can download the m4v file and watch it in VLC, for example.

System 2008: What is Google Website Optimizer? – if you have a website (or work on websites) this is something to watch.

John Resig: Drop-in JavaScript Performance – I’m still in the process of watching this, but it should be real interesting (for the ones who don’t know: John Resig is the “jQuery guy”).

Credits: I’ve got the links for some of the videos from the Security4All blog.

Fun little game


From the All About Linux blog: spot the differences between the two pictures. The right image is divided into 9 (3 by 3) regions, and you have to click on the region which contains the difference. The rule: don’t pause during play. Start below:

Sunday, February 15, 2009

PostgreSQL musings


First, a very good article about creating (and maintaining!) data clustering with PostgreSQL. This made me think: wouldn't it be nice if the automated tuning wizards would give you a short article to read which discusses the proposed solution instead of just the "turn knob X" type of suggestions?

Also, Percona is hiring performance experts, including PostgreSQL ones. This is good news, since Percona is known both for conveying useful information and for the valuable source contributions they make to the product. Will we see a "high performance" PostgreSQL soon? (Yes, PG is high performance, I'm referring to their blog name here).

Saturday, February 14, 2009

The Amazon Mechanical Turk


A good series of posts from the "A Computer Scientist in a Business School" blog on the topic of the Amazon Mechanical Turk (and using it to solicit reviews of products):

Also a very cool chart about the MT activities created with the Google Chart APIs.

Friday, February 13, 2009

Getting full contents for partial feeds


In my opinion partial feeds are not feeds. While I understand the need to get pageviews, I don’t like it. My time is valuable and I don’t want to hop between Google Reader and other browser windows to read the content. Disclaimer: this method might or might not be a violation of some laws, TOS, etc. IANAL. Use this method at your own risk.

The method: use Yahoo! Pipes to fetch the HTML page for each entry. The setup can be seen below:


The feed used in the example is the old feed from the TrustedSource blog (since they’ve been bought by McAfee, they publish a new feed with the complete posts ;-)). The first operator (the Loop) fetches the page at each element's link. Two remarks:

  • site owners can prohibit Yahoo Pipes from fetching pages using robots.txt
  • pages are not fetched at each evaluation of the pipe, rather at each change of the source feed (for those who are worried about a pipe DDoS-ing the site)

Set the “Cut content from” and “to” so that you obtain the HTML part you want. “Split using delimiter” must be set to something, preferably something which doesn’t occur in the text; I just used a random MD5.

The second loop tries to protect against XSS-ing yourself :-). I discovered this by accident, because the feed contained the following post: A Little Filtering Can Halt Some XSS Attacks. The problem is that the inserted HTML content gets double decoded, resulting in execution of the script even though it was encoded properly for the HTML page. The method used in the above example is rather lame, however there is good news: Google Reader disallows JavaScript, so you are not at risk even without this transformation.
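The double decoding, as an added example with constructed data (not the pipe itself or the TrustedSource post): the fragment below is what an article that displays a script tag as text looks like on the wire. Pasting it into the feed's description element as-is lets the reader's XML parser undo the page's escaping, so the browser receives a live script element; escaping it once more for the XML layer (what the pipe's second loop needs to do) keeps it inert. The feed reader is modelled as an XML parse followed by an HTML parse, with a small HTMLParser subclass standing in for the browser.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from typing import List, Tuple
from xml.sax.saxutils import escape

# Constructed page fragment (not the real post): the article *shows* a script tag
# as text, so on the wire it is already HTML-escaped and harmless in a browser.
FRAGMENT = "Filter this: &lt;script&gt;alert(document.cookie)&lt;/script&gt; before output"


def item_xml(description: str) -> str:
    """Wrap a description in a minimal RSS <item>; this is what the pipe emits."""
    return f"<item><title>t</title><description>{description}</description></item>"


def reader_decodes(item: str) -> str:
    """What the feed reader hands to its HTML renderer: the XML parser has
    already decoded the entities inside <description> once. Real pages also
    carry entities XML does not know (&nbsp;), which make this step fail
    outright unless the pipe escaped the fragment."""
    return ET.fromstring(item).findtext("description")


class BrowserStandIn(HTMLParser):
    """Collects the <script> bodies a browser would execute and the visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.in_script = False
        self.scripts: List[str] = []
        self.text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        (self.scripts if self.in_script else self.text).append(data)


def browser_render(markup: str) -> Tuple[List[str], str]:
    p = BrowserStandIn()
    p.feed(markup)
    p.close()
    return p.scripts, "".join(p.text)


def pipe_unsafe(fragment: str) -> str:
    # The fetched HTML is pasted into the XML verbatim: the page's &lt; becomes
    # the XML parser's <, and the browser then sees a real <script> element.
    return item_xml(fragment)


def pipe_safe(fragment: str) -> str:
    # Escape once more for the XML layer; the reader's single decode restores
    # exactly the bytes the page served, entities included.
    return item_xml(escape(fragment))
```

The same reasoning applies to attribute values and to any other layer that decodes once more than the producer encoded: every layer that parses the content must have been paired with its own encoding step.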

Enjoy your full feeds.

Update: Originally I came up with the idea while reading the article Build a Web Page Monitor with Google Docs and Track Changes Automatically, however the Yahoo Pipes solution is a much cleaner, task-oriented solution (but the Google Docs one is still worth checking out for other possible use cases).

Update: two alternative solutions (which are easier to use than creating a custom pipe for every feed) - via

Heavy Metal Band Names Etymology


Found it via the Comic vs Audience blog. Created by Doogie Horner:


Quick Google Reader technical tip


I was looking for a way to export the complete feed (all the incoming elements) from Google Reader. I rather quickly found out that you need the session cookie and that trying to use basic auth wasn’t going to cut it. I found a rather old post about the topic, but none of the advice given there seems to work.

What I discovered however, is that you can go into your Google Reader –> Settings –> Folders and Tags and make certain folders / tags public. This will generate a publicly accessible (ie without authentication) page / RSS feed. This is exactly what I was looking for!

Wonky security posts


I was reading two security blog posts recently from security vendors which seemed a little “off”:

The first one was from Avira talking about a great new feature: as I understand it, in the new version of their product if an application is permitted by the Application rules of the firewall, the port rules are not checked. So my thought was: long live the injected DLLs.

The second one was from ThreatExpert. The post is somewhat murky and self-contradicting. As I understand it, it says that Conficker uses two separate methods of injecting DLLs, neither of which is particularly new (in fact the first one is very old). This seems stupid, since why would it inject multiple copies of the DLL into the same process? I’m not saying that malware doesn’t have bugs (in fact most of it has a lot of bugs), but my hunch is that the analyst missed a conditional jump somewhere (i.e. the second method is called only if the first one fails, for example).

PS. I would have left a comment on their blog asking for clarification, but they didn’t enable comments. A blog with partial feed and/or no commenting facility is not a blog!

Image taken from DeclanTM's photostream with permission.

Start offering solutions


Some time ago I read two blog posts from security vendors: The Oldest Un-Patched Microsoft Vulnerability from the ESET blog (makers of NOD32) and Consumers deserve less intrusive products from the McAfee Security Insights blog. Both of them were complaining:

  • On the ESET blog Randy Abrams was complaining that autorun is a vulnerability. I would ask him this: what is wrong with trying to make computers easier to use? Having autorun on all the disks might be considered problematic (although it probably is only the result of an engineering over-generalization), but the concept in itself is very valid. Taking the feature away (and possibly replacing it with a prompt “are you sure you want to run program X?”) does nothing in the way of security, it just serves as a scapegoat to blame the user, who “should have known better”.
  • On the McAfee blog Madhurima Pawar (luckily I don’t have to pronounce that name :-)) complains that security products display too many prompts. While some of the examples mentioned are valid, the age-old wisdom is: security or convenience – pick one (BTW, my comment saying exactly this got mysteriously moderated away).

Picture taken from kaibara87's photostream with permission.

Mixed links

seems to have a lot of cool videos, like this one: Just a reminder why you should never talk to the police: Some good advice to protect yourself. Of course this is just applicable in the USA to citizens (so it is not applicable to a large percentage of people, on so many levels :-)), but it is still interesting to watch.

Windows 7 beta is now available on the MSDNAA program, so I will be downloading and running it in the VM :-)

If you want to edit Wikipedia, you might want to check out Wikipedia: The Missing Manual, because even though it seems that you can just jump in and edit anything, there are a lot of rules and conventions which you need to respect if you don’t want your edit to be reverted in a very short time.

Via the PostgreSQL stuff blog: pycallgraph. Cool!

Hyper-V R2 enforces separate (physical!) management NICs – it is nice to see such steps, which will lead to more secure installations by default.

Adding network taps to your network preemptively

Via the Security Shoggoth blog: INetSim – an alternative to Truman to simulate the Internet. And it is written in Perl!

Via the blog: How to approach a newspaper interview. Interesting. However I’m very wary of talking to journalists, because (at least in the technical realm) I found a tendency to blow things out of proportion and quote you in a way that makes you look less knowledgeable and a spreader of FUD, even when that is not their intention.

Fixing DSL lost sync problem – very cool, I didn’t know about MTU’s / “half ringers”. I wonder if they are also present in Romania, since I know somebody who has been having similar problems (the situation is somewhat different here: AFAIK there is no demarcation point between the telco and you, the telco – which means Romtelecom – owns all the equipment and you are not supposed to touch it at all).

GizmoDrive – an other free solution for mounting all your ISO / NRG / IMG / CUE / BIN images. I personally prefer the free version of Daemon Tools (just make sure to uncheck the toolbar they offer). There is also the Virtual CD-ROM from Microsoft, but it is unsupported and can only handle ISO files (even though it is free).

From the vaporware, inc. blog: UDF repository for MySQL and info about fast string search algorithms.

From the Journal of Ovid: API to get stock quotes.

On twitter: perl one-liners.

From Breaking Eggs And Making Omelettes I found out about c++filt, which is a nice little command line utility for Linux (or Cygwin if you are stuck with Windows) to demangle C++ decorated function name exports. Use it like this:

 strings | c++filt

Image taken from bre pettis' photostream with permission.

Why Directi should be kicked



It is known in “security folklore” that a domain registered at Directi usually spells bad news. However I now have some stats to show it. How these stats were generated:

  • The malicious domains were taken from DNS-BH
  • The benign domains were taken from Alexa
  • The registrar for each domain was extracted

Of course, this is by no means a very precise result, because no estimation was done of the accuracy of either list. Also, a better metric would use the total number of domains registered at each registrar, but I don’t have that number. Still, the graphic nicely shows what has been known for a while: there is a large cluster of bad domains at Directi.
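As an added example (constructed registrar names and domains, not the DNS-BH or Alexa data), here is the counting described above together with the normalization the post says would be better. Dividing a registrar's share of the malicious list by its share of the benign list gives an enrichment ratio: a registrar that is simply big scores about 1, one that is over-represented in bad domains scores well above it, which is the same base-rate correction as the "larger networks have more bad stuff" point. whois spellings are folded before counting, duplicate domains count once, and a registrar absent from the benign sample gets None rather than a misleadingly infinite ratio. Each registrar's total number of registrations would still be the better denominator.

```python
import re
from collections import Counter
from fractions import Fraction
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of (domain, registrar as whois prints it); not real data.
MALICIOUS = [(f"bad{i}.example", r) for i, r in enumerate(
    ["BigReg, Inc.", "BIGREG INC", "BigReg, Inc.", "bigreg inc.", "BigReg, Inc.",
     "SuspectReg Pvt. Ltd.", "SUSPECTREG PVT LTD", "SuspectReg Pvt. Ltd.",
     "SuspectReg Pvt. Ltd.", "SmallReg LLC"])]
BENIGN = [(f"site{i}.example", r) for i, r in enumerate(
    ["BigReg, Inc."] * 9 + ["BIGREG INC"] + ["SuspectReg Pvt. Ltd."]
    + ["SmallReg LLC"] * 2 + ["OtherReg Limited"] * 7)]
BENIGN.append(("site0.example", "BigReg, Inc."))   # duplicate listing: must count once

SUFFIXES = re.compile(r"(?:[\s,.]+(?:inc|llc|ltd|pvt|limited))+[\s.]*$")


def normalise(registrar: str) -> str:
    """Fold case and strip corporate suffixes so spelling variants collapse."""
    return SUFFIXES.sub("", registrar.strip().lower()).strip(" ,.")


def registrar_share(pairs: Iterable[Tuple[str, str]]) -> Dict[str, Fraction]:
    """Fraction of the list's unique domains held by each registrar (exact arithmetic)."""
    by_domain = {d.lower(): normalise(r) for d, r in pairs}
    counts = Counter(by_domain.values())
    total = sum(counts.values())
    return {r: Fraction(c, total) for r, c in counts.items()}


def enrichment(malicious, benign) -> Dict[str, Optional[Fraction]]:
    """Share among malicious domains divided by share among benign ones.
    About 1: a registrar that is simply large. Well above 1: over-represented
    in bad domains. None: not seen in the benign sample at all, so the sample
    says nothing. The ideal denominator would be the registrar's total number
    of registrations, which is not available here."""
    bad, good = registrar_share(malicious), registrar_share(benign)
    return {r: (bad[r] / good[r] if r in good else None) for r in bad}


def top_registrars(malicious, benign) -> List[Tuple[str, Optional[Fraction]]]:
    """Registrars ranked by enrichment, unknowns last."""
    ratios = enrichment(malicious, benign)
    return sorted(ratios.items(), key=lambda kv: (kv[1] is None, -(kv[1] or 0)))
```

With a real list, the benign sample must be drawn the same way as the malicious one (same TLD mix, same dates), otherwise the ratio measures the difference between the two collection methods rather than the registrars.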

SDCH - Shared Dictionary Compression


I saw the following article on the GOS blog: Google Search Pages Load Faster if You Use Google Toolbar. It turns out that Google added an experimental feature in the Google web servers and the Google toolbar to reduce network traffic by supplying a dictionary of frequently used page elements (BTW, I find adding support for this to IE via the toolbar ingenious).

Is it just me, or did others also instantly think: cool, yet another way to profile web users to see if they visited a certain site (similar to the attacks which used time measurements to find out if a particular element is taken from the cache or fetched from the network)? The document says that each dictionary is limited to a domain though...

Another possible avenue of attack I see is that a malicious domain advertises the same dictionaries as a benign domain (either by specifying the target domain or the “.” domain) and inserts malicious content into the dictionary. The VCDIFF content is protected by an Adler-32 checksum, but that is not an integrity mechanism: one can force any chosen Adler-32 value in linear time by appending a short suffix (typically a few hundred bytes).
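To make the checksum point concrete, here is an added example (not from the original post and not from any SDCH or VCDIFF implementation) that forges a suffix for an arbitrary Adler-32 target. The low half of Adler-32 is just 1 plus the byte sum mod 65521, so a run of 0xFF bytes steers it anywhere; once it is in place, zero bytes leave it alone and each one adds the current low half to the high half, which turns the high half into a solvable linear congruence. The code searches over the number of leading zero bytes to keep the suffix short (typically a few hundred bytes; the assumed worst case for unlucky prefixes is under 70 KB) and cross-checks the result against zlib.

```python
import zlib

MOD = 65521  # Adler-32 modulus, the largest prime below 2**16


def adler_state(data: bytes, state=(1, 0)):
    """Run the Adler-32 recurrence over data from a given (a, b) state."""
    a, b = state
    for x in data:
        a = (a + x) % MOD
        b = (b + a) % MOD
    return a, b


def checksum(data: bytes) -> int:
    """Reference value from zlib, used to cross-check the forgery."""
    return zlib.adler32(data) & 0xFFFFFFFF


def forge_suffix(prefix: bytes, target: int, search: int = 4096) -> bytes:
    """Return s such that Adler-32(prefix + s) == target (Python 3.8+ for pow(x, -1, m))."""
    ta, tb = target & 0xFFFF, target >> 16
    if ta >= MOD or tb >= MOD:
        raise ValueError("not an Adler-32 value: both halves must be below 65521")
    a0, b0 = adler_state(prefix)
    # a is 1 + sum(bytes) mod MOD, so 0xFF bytes plus one remainder byte move it
    # anywhere. Zero bytes then leave a alone and add a to b on every step, which
    # needs a != 0: for a target a of 0 we aim at MOD-1 (== -1) and flip it to 0
    # with a final 0x01 byte, which adds the new a (0) to b, i.e. leaves b alone.
    goal_a = ta if ta else MOD - 1
    delta = (goal_a - a0) % MOD
    fix_a = b"\xff" * (delta // 255) + bytes([delta % 255])
    a1, b1 = adler_state(fix_a, (a0, b0))
    assert a1 == goal_a
    inv = pow(goal_a, -1, MOD)
    # j zero bytes *before* fix_a add j*a0 to b (a is still a0 there); z zero
    # bytes after it add z*goal_a. Solve z for each j and keep the shortest
    # suffix: typically a few hundred bytes, at most ~70 KB for unlucky states.
    best = None
    for j in range(search):
        z = ((tb - b1 - j * a0) * inv) % MOD
        if best is None or j + z < best[0] + best[1]:
            best = (j, z)
    j, z = best
    suffix = b"\x00" * j + fix_a + b"\x00" * z
    if not ta:
        suffix += b"\x01"
    return suffix


def forge(prefix: bytes, target: int) -> bytes:
    """prefix plus a suffix whose combined Adler-32 equals target, verified with zlib."""
    data = prefix + forge_suffix(prefix, target)
    assert checksum(data) == target
    return data
```

The suffix is all 0x00 and 0xFF bytes, which a decoder that only checks the checksum will accept without complaint; whether such trailing bytes survive in the decoded target window is a property of the container, not of the checksum. The lesson is the usual one: a non-keyed checksum detects accidental corruption only, and dictionaries fetched across origins need a signature or an origin check.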

Picture taken from jovike's photostream with permission.

Good security news


Being Friday the 13th one can really use some positive news: on we have an article about Implementing SMM PS/2 Keyboard sniffer. How is this good news, you ask? Towards the end of the paper we have the following text (emphasis added):

The limitations of hacking through SMM are obvious. It is almost impossible to use in reality. The largest problem is that BIOS since 2004 set D_LCK bit during booting, which blocks access to SMRAM. Also, modern operating systems use ACPI. In ACPI, #SMI does not occur, so we cannot use Device Trap based on chipset. There is also a document about hibernation, which shows that system enters hibernation mode after the intruder uploads handler in SMRAM. Then, when system memory is restored, SMRAM space is reset so that the handler we uploaded disappears. Loic Duflot’s OpenBSD Exploit obtains permission by manipulating the physical memory in SMM status, and to apply this to Linux, we have to be able to access PCI Configuration Space. In order for a general application to access PCI Configuration Space, iopl() function has to be used to obtain I/O permission, but that function does not operate if not by superuser.

The gist of it: some very specific conditions need to be satisfied for this to work, and there is very little chance of that happening in everyday life. W00t!

Image taken from Quinn deEskimo's photostream with permission.

ASPROX presentation video


Via Greg Martin's blog: a presentation about ASPROX delivered at Toorcon by Dennis Brown from Verisign:

I had that idea!


Today I stumbled upon the paper Rethinking Antivirus: Executable Analysis in the Network Cloud. It talks about running lightweight processes on the hosts which ship files to be scanned to a network server which scans them and gives the clean/infected verdict. I had the exact same idea around the same time :-). Some benefits of this method would be:

  • Performance: while modern (especially multi-core) computers can handle desktop AV suites perfectly well, a multi-engine approach is still a little too heavyweight for them.
  • Another performance aspect: since the same file will be coming from multiple machines, it can be scanned once and (supposing it is clean) the other machines don't even need to send the file (just a hash, an MD5 for example).
  • Aggressive caching can be employed both at the client (don't recalculate hashes of files which didn't change on disk) and at the server. Of course the server needs to purge its cache whenever an AV engine is updated (since a file which wasn't detected until now may be detected). The effect of this can be mitigated: the server should keep a copy of the most frequently submitted files and rescan them preemptively whenever an AV engine is updated (rescanning only with that engine). This way these "hot" files can be placed back in the cache.

One thing I didn't see in the paper is a discussion of false positive rates, which also increase when you combine multiple engines like that.
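The caching scheme sketched above, as an added example (not the paper's code; the "engines" are substring matchers standing in for real scanners): verdicts are cached per (engine, signature version, SHA-256), clients query by hash and upload only on a miss, an engine update purges that engine's old verdicts and rescans the retained hot files with the new engine only, and the final verdict is k-of-n over engines so the false-positive trade-off has a knob.

```python
import hashlib
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

Detector = Callable[[bytes], bool]   # True when the engine flags the bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Engine:
    """Stand-in for one AV engine: a name, a signature version and a detector."""

    def __init__(self, name: str, version: int, detector: Detector):
        self.name, self.version, self.detector = name, version, detector


class ScanServer:
    def __init__(self, engines: List[Engine], hot_threshold: int = 2):
        self.engines: Dict[str, Engine] = {e.name: e for e in engines}
        self.cache: Dict[Tuple[str, int, str], bool] = {}  # (engine, version, digest) -> flagged
        self.seen: Counter = Counter()                        # digest -> times requested
        self.hot: Dict[str, bytes] = {}                       # retained bytes of popular files
        self.hot_threshold = hot_threshold

    def _cached(self, digest: str) -> Optional[Dict[str, bool]]:
        """Per-engine verdicts for the *current* engine versions, or None on any miss."""
        verdict = {}
        for e in self.engines.values():
            key = (e.name, e.version, digest)
            if key not in self.cache:
                return None
            verdict[e.name] = self.cache[key]
        return verdict

    def lookup(self, digest: str) -> Optional[Dict[str, bool]]:
        """Hash-only query; a hit spares the client the upload."""
        verdict = self._cached(digest)
        if verdict is not None:
            self.seen[digest] += 1
        return verdict

    def submit(self, data: bytes) -> Dict[str, bool]:
        """Full upload: scan with every engine that has no current verdict."""
        digest = sha256(data)
        self.seen[digest] += 1
        if self.seen[digest] >= self.hot_threshold:
            self.hot[digest] = data          # keep a copy for pre-emptive rescans
        verdict = {}
        for e in self.engines.values():
            key = (e.name, e.version, digest)
            if key not in self.cache:
                self.cache[key] = e.detector(data)
            verdict[e.name] = self.cache[key]
        return verdict

    def update_engine(self, name: str, version: int, detector: Detector) -> int:
        """Swap in new signatures: purge that engine's old verdicts (a formerly
        missed file may now be detected), then rescan the hot files with the
        new engine only so they go straight back into the cache."""
        old_version = self.engines[name].version
        self.engines[name] = Engine(name, version, detector)
        stale = [k for k in self.cache if k[0] == name and k[1] == old_version]
        for k in stale:
            del self.cache[k]
        for digest, data in self.hot.items():
            self.cache[(name, version, digest)] = detector(data)
        return len(stale)


def aggregate(verdict: Dict[str, bool], min_engines: int = 1) -> str:
    """k-of-n voting; raising min_engines trades detections for fewer false positives."""
    return "infected" if sum(verdict.values()) >= min_engines else "clean"


def client_scan(server: ScanServer, data: bytes) -> Tuple[str, bool]:
    """Client side: try the hash first, upload only on a miss. Returns (verdict, uploaded)."""
    verdict = server.lookup(sha256(data))
    uploaded = verdict is None
    if uploaded:
        verdict = server.submit(data)
    return aggregate(verdict), uploaded
```

Keying the cache on the signature version rather than flushing everything on update is what lets the untouched engines' verdicts survive an update of one engine; the hot-file rescan then only costs one engine's worth of work per retained file.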

Image taken from Fernando Arconada's photostream with permission.

Cool epoch counter


As probably many of you geeks already know, today the epoch counter (AKA unix timestamp) will reach the value 1234567890, which is cool I guess because it is in the order the keys are on your keyboard. You can find a countdown here. You can use the following perl snippet to find out when the event will occur in your timezone (apparently the timestamp is to be interpreted in UTC/GMT, which I didn't know):

perl -e 'print scalar localtime(1234567890),"\n";'

From Abstruse Goose:

Update: as seen also on the PostgreSQL stuff blog.

Update: a more detailed article on O' Found it via use Perl;.

Thursday, February 12, 2009

Don't overthink software security


While reading the trapkit blog, my attention was drawn to the following post: Commercial usage of ScoopyNG. ScoopyNG, in case you didn't know about it before, is a proof of concept tool to detect VMWare. In the post the author of ScoopyNG details how the makers of a commercial product (Atempo Time Navigator) use the code and asked him for permission to do so, which he says is very nice, and I agree.

However :-), my question here is: why does backup software need to know if it is being run inside a VM? Such measures, besides only slowing down (not stopping, mind you) the perceived threat, have a lot of negative impact:

My message to all of the companies is: don't overthink the security of your products. It hurts and annoys users and doesn't generate revenue (someone who pirates your product is very unlikely to buy it, even if s/he is prevented from using it without paying - it is much more likely that s/he will use a competing product which can be used for "free").

Tuesday, February 10, 2009

And you thought the JRE was big


I was updating a VM with WinXP today and it downloaded the “Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847)”, which weighs in at a whopping 238MB! An update! WTF? As a comparison: the Java 6 JRE is around 15MB.

Monday, February 09, 2009

A portable AntiVirus collection


Over at the GSD blog I found a nice collection of descriptions on how to create portable anti-viruses. VIPRE would fit nicely in the collection, however I wanted to do a quick description on how to do this with BitDefender (I’m doing this from memory, so some details might be wrong!):

  1. Get the free edition
  2. Locate the folder where you can find bdc.exe
  3. Copy the given folder (it should have a plugins subfolder) to the location you want to run it from

That’s it! To update it, run bdc.exe /update (and have the plugins directory writable, of course – so it doesn’t work from CDs, for example).

New Ethical Hacker Challenge


Brady Bunch Boondoggle – at the first read I confused it with the Dukes of Hazzard, but I’ve since seen the error of my ways :-)