Posts

Showing posts from 2010

Best Book Bejtlich Read in 2010

It's the end of the year, which means it's time to name the winner of the Best Book Bejtlich Read award for 2010! I've been reading and reviewing digital security books seriously since 2000. This is the fifth time I've formally announced a winner; see 2009, 2008, 2007, and 2006. Compared to 2009 (15 books), 2010 was a good reading year -- 31 technical or security books, or my fifth highest total since 2000. Incidentally I read a decent number of "security history" books, meaning characterizations of "the scene." Many covered the 1990s and are fairly old, but I had always wanted to read them. My ratings for 2010 can be summarized as follows:

5 stars: 14 books
4 stars: 9 books
3 stars: 5 books
2 stars: 3 books
1 star: 0 books

Please remember that I try to avoid reading bad books. If I read a book and I give it a lower rating (generally 3 or less stars), it's because I had higher hopes. Here's my overall

Reflections on Four Tufte Books

This week I finished the four main books written by Edward Tufte, namely The Visual Display of Quantitative Information, 2nd ed, Envisioning Information, Visual Explanations, and Beautiful Evidence. I decided not to review them individually at Amazon.com for several reasons. First, I received them as a set 2 1/2 years ago at The Best Single Day Class Ever, what I call Tufte's class. Tufte's class and written work present a single set of ideas and some material is presented from multiple angles in several books. This makes it cognitively difficult for me to review them individually. Second, I did not treat them like other books I read, meaning I did not mark them with my own notes and underlining. Frankly the books are like works of art and it would pain me to mark them up! That makes it tough for me to review my reading process and withdraw comments suitable for a book review. Third, so many people have already reviewed the books that I did not feel I would bring

Review of The Dragon's Quantum Leap Posted

Amazon.com just posted my five star review of The Dragon's Quantum Leap by Timothy L. Thomas. I'm posting the entire review here because it's the sort of content that I believe should get wide exposure. The Dragon's Quantum Leap (TDQL) is the third in a trilogy by Timothy L Thomas. A colleague introduced me to all three books, and an expert on the Chinese hacker scene was kind enough to secure a copy of the book. I thank all of them for the extraordinary journey presented in TDQL. Published in 2009, TDQL is an historical review of key publications by Chinese information warfare (IW) theorists and thought leaders, as translated by American translators and the Open Source Center, successor to the former Foreign Broadcast Information Service (FBIS). The author is an analyst with the Foreign Military Studies Office, and is a West Point graduate, a retired Army Lt Col, and a former Foreign Area Officer focusing on the USSR and Russia. TDQL covers Chinese IW thought from 2

Review of Decoding the Virtual Dragon Posted

Amazon.com just posted my five star review of Decoding the Virtual Dragon by Timothy L. Thomas. I'm posting the entire review here because it's the sort of content that I believe should get wide exposure. Decoding the Virtual Dragon (DTVD) is the sequel to Timothy L Thomas' 2004 book Dragon Bytes. A colleague introduced me to both books, and an expert on the Chinese hacker scene was kind enough to secure a copy of the book. I thank all of them for the extraordinary journey presented in DTVD. Published in 2007, DTVD is an historical review of key publications by Chinese information warfare (IW) theorists and thought leaders, as translated by American translators and the Open Source Center, successor to the former Foreign Broadcast Information Service (FBIS). The author is an analyst with the Foreign Military Studies Office, and is a West Point graduate, a retired Army Lt Col, and a former Foreign Area Officer focusing on the USSR and Russia. DTVD covers Chinese IW thought

Review of Dragon Bytes Posted

Amazon.com just posted my five star review of Dragon Bytes by Timothy L. Thomas. I'm posting the entire review here because it's the sort of content that I believe should get wide exposure. A colleague introduced me to Dragon Bytes (DB) by Timothy L Thomas, and an expert on the Chinese hacker scene was kind enough to secure a copy of the book. I thank all of them for the extraordinary journey presented in DB. Published in 2004, DB is an historical review of key publications by Chinese information warfare (IW) theorists and thought leaders, as translated by the former Foreign Broadcast Information Service (FBIS) and other American translators. The author is an analyst with the Foreign Military Studies Office, and is a West Point graduate, a retired Army Lt Col, and a former Foreign Area Officer focusing on the USSR and Russia. DB covers Chinese IW thought from 1995-2003. Thomas' subsequent books, Decoding the Virtual Dragon, and The Dragon's Quantum Leap, cover later

Steve Jobs Understands Team Building

I stumbled upon the following excerpt from the 1998 book In the Company of Giants by Rama Dev Jager and Rafael Ortiz. They interviewed Steve Jobs, who had the following to say about team building, as printed in BusinessWeek : Q. What talent do you think you consistently brought to Apple and bring to NeXT and Pixar? SJ. I think that I've consistently figured out who really smart people were to hang around with. No major work that I have been involved with has been work that can be done by a single person or two people, or even three or four people... In order to do things well, that can't be done by one person, you must find extraordinary people . The key observation is that, in most things in life, the dynamic range between average quality and the best quality is, at most, two-to-one... But, in the field that I was interested in -- originally, hardware design -- I noticed that the dynamic range between what an average person could accomplish and what the best person could acc

Trying PC-BSD 8.2-BETA1

After reading PC-BSD 8.2-BETA1 Available for Testing last week I decided to give the latest version of PC-BSD a try on my ESXi server. I failed earlier to get the installation to succeed using PC-BSD 8.1, but I had no real issues with the new BETA1 based on FreeBSD 8.2 PRERELEASE. (PC-BSD will publish their final 8.2 version when the main FreeBSD project publishes 8.2 RELEASE.) For this test I downloaded the 64 bit network installation .iso and installed the OS within ESXi. I decided to try a few new features offered by the PC-BSD installer, namely ZFS and disk encryption for user data as shown in the top screenshot. When I booted the VM I was prompted to enter the passphrase I used when installing the OS:

da0 at mpt0 bus 0 scbus0 target 0 lun 0
da0: Fixed Direct Access SCSI-2 device
da0: 320.000MB/s transfers (160.000MHz, offset 127, 16bit)
da0: Command Queueing enabled
da0: 16384MB (33554432 512 byte sectors: 255H 63S/T 2088C)
Enter passphrase for da0p4:
GEOM_ELI: Device da0p4.

Trying VirtualBSD 8.1

Reece Tarbert sent an email announcing the availability of VirtualBSD 8.1 , a version of FreeBSD 8.1 aimed at demonstrating FreeBSD on the desktop. It's a 1.3 GB zipped VMWare image that expands to 4.1 GB. I downloaded the image via Bittorrent, expanded the image, and then used the VMWare Converter to transfer the VM from my laptop to my ESXi server. I accepted all the defaults and successfully converted the VM. However, after booting the VM I noticed the kernel did not recognize the network card. I shut down the VM, removed the NIC, and added a new e1000 NIC. After booting that version the VM recognized the NIC and got an IP address via DHCP from my Cisco 3750 switch. One of my definitions of "desktop ready" is whether I can see YouTube videos out-of-the-box. As the screen capture shows, VirtualBSD worked without incident. If you're wondering about PC-BSD, I plan to give version 8.2 a try soon. As I Tweeted last month, I had trouble with the installer and cou

FreeBSD on Amazon EC2

Thanks to Colin Percival you can try FreeBSD on Amazon EC2! According to Colin's blog more is to come, but for now you can try FreeBSD 8.2-RC1 and FreeBSD 9.0-CURRENT. I decided to try spinning up 8.2-RC1. I used the command line tools for Ubuntu rather than the Web interface.

richard@neely:~$ sudo apt-get install ec2-api-tools
richard@neely:~$ export EC2_PRIVATE_KEY=$HOME/.ec2/pk-GO7RNG3LZTNPOUD5TH4YRCA4LFNGP5SB.pem
richard@neely:~$ export EC2_CERT=$HOME/.ec2/cert-GO7RNG3LZTNPOUD5TH4YRCA4LFNGP5SB.pem
richard@neely:~$ export JAVA_HOME=/usr/lib/jvm/java-6-openjdk/

Now I check my security settings and authorize my IP.

richard@neely:~$ ec2-authorize default -p 22 -s [MYIP]/32
GROUP default
PERMISSION default ALLOWS tcp 22 22 FROM CIDR [MYIP]/32
richard@neely:~$ ec2-describe-group default
GROUP 162896439853 default default group
PERMISSION 162896439853 default ALLOWS all FROM USER 162896439853 GRPNAME default
PERMISSION 162896439853 default ALLOWS tcp 22 22 FROM CIDR [MYIP]/32
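The ec2-authorize step above is the one that decides who can reach the instance, and the ec2-describe-group output is the record of every rule in the group. The following is an added example, not code from the post: it parses describe-group style output into rules and flags the ones a reviewer should question, namely admin ports (SSH, RDP) reachable from 0.0.0.0/0 or from anything wider than a single /32, "all" traffic from anywhere, and trust of a security group in another account. The sample output, account ids and addresses are constructed to mirror the GROUP / PERMISSION layout shown above.

```python
"""Audit EC2 security-group rules in the format printed by ec2-describe-group.

Added example, not code from the original post.  SAMPLE_OUTPUT is constructed
to mirror the GROUP / PERMISSION layout shown on the page; the account ids
and addresses in it are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Remote-administration ports that should only ever be reachable from
# a known /32, as the post does for SSH.
ADMIN_PORTS = {22, 3389}

SAMPLE_OUTPUT = """\
GROUP 111122223333 default default group
PERMISSION 111122223333 default ALLOWS all FROM USER 111122223333 GRPNAME default
PERMISSION 111122223333 default ALLOWS tcp 22 22 FROM CIDR 198.51.100.7/32
PERMISSION 111122223333 default ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
PERMISSION 111122223333 default ALLOWS tcp 3389 3389 FROM CIDR 203.0.113.0/24
PERMISSION 111122223333 default ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION 111122223333 default ALLOWS all FROM USER 999988887777 GRPNAME default
"""


@dataclass(frozen=True)
class Rule:
    owner: str          # account id that owns the group
    group: str
    proto: str          # "tcp", "udp", "icmp" or "all"
    from_port: Optional[int]
    to_port: Optional[int]
    source_kind: str    # "CIDR" or "USER" (another security group)
    source: str         # the CIDR, or the account id owning the source group


def parse_rules(text: str) -> List[Rule]:
    """Turn PERMISSION lines into Rule objects; GROUP and junk lines are skipped."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] != "PERMISSION" or "ALLOWS" not in f or "FROM" not in f:
            continue
        a, fr = f.index("ALLOWS"), f.index("FROM")
        if fr + 2 >= len(f):
            continue
        ports = f[a + 2:fr]      # [] for "all", [from, to] for tcp/udp
        from_port = int(ports[0]) if len(ports) == 2 else None
        to_port = int(ports[1]) if len(ports) == 2 else None
        rules.append(Rule(f[1], f[2], f[a + 1], from_port, to_port, f[fr + 1], f[fr + 2]))
    return rules


def covers_port(rule: Rule, port: int) -> bool:
    """True if the rule lets traffic reach the given TCP/UDP port."""
    if rule.proto == "all":
        return True
    if rule.proto not in ("tcp", "udp") or rule.from_port is None:
        return False
    return rule.from_port <= port <= rule.to_port


def audit(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Return (rule, reason) pairs for rules a reviewer should question."""
    findings = []
    for r in rules:
        if r.source_kind == "CIDR":
            try:
                net = ipaddress.ip_network(r.source, strict=False)
            except ValueError:
                findings.append((r, f"unparseable CIDR {r.source!r}"))
                continue
            exposed = sorted(p for p in ADMIN_PORTS if covers_port(r, p))
            if net.prefixlen == 0 and r.proto == "all":
                findings.append((r, "every port open to the whole Internet"))
            elif net.prefixlen == 0 and exposed:
                findings.append((r, f"admin port(s) {exposed} open to the whole Internet"))
            elif exposed and net.num_addresses > 1:
                findings.append((r, f"admin port(s) {exposed} open to {net.num_addresses} "
                                    f"addresses in {net}; restrict to a /32"))
        elif r.source_kind == "USER" and r.source != r.owner:
            findings.append((r, f"trusts a security group in another account ({r.source})"))
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse, audit and format one line per finding."""
    return [f"{r.group}: {r.proto} {r.from_port}-{r.to_port} from {r.source}: {why}"
            for r, why in audit(parse_rules(text))]


if __name__ == "__main__":
    for line in audit_text(SAMPLE_OUTPUT):
        print(line)
```

Run against the sample it reports three findings: SSH from 0.0.0.0/0, RDP from a /24, and the cross-account group trust; the /32 SSH rule the post creates and the port 80 rule pass. Placeholders such as [MYIP]/32 are reported as unparseable rather than silently skipped, so a pasted transcript does not hide a rule.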

Bejtlich Teaching at Black Hat DC 2011

Over the holiday break I've been putting the finishing touches on TCP/IP Weapons School 3.0 , to be presented first at Black Hat DC 2011 on 16-17 Jan 11. This is a completely new class written from the ground up. I'm very pleased with how it has developed. While keeping the distinctions from other offerings that I described last year , I've extended this third version of the class to include explicit offensive and defensive portions. Students will receive two VMs, one running a modified version of Doug Burks' SecurityOnion distro as an attack/monitor platform, and the second running a Windows workstation as a victim platform. The purpose of this class is to develop the investigative mindset needed by digital security professionals. Junior- to intermediate-level security and information technology (IT) staff are the intended audience. The class is a balance of discussion and hands-on labs. Defensive aspects of the labs emphasize how to discover suspicious and m

Speaking at RSA 2011

Mike Rothman and Rich Mogull were kind enough to invite me to speak at their e10+ Experienced Security half-day event on 14 February 2011 at RSA 2011 in San Francisco. I'll participate in the "What's Going to Keep Me Up at Night?" panel. (The joke possibilities write themselves.) I'll stay for a few days of the conference as well. I like the idea of an event aimed at senior security people, i.e., 10+ years of experience. Please consider checking it out!

Courtesy of APT

The photo at left is Bill Sweetman's take on a photo posted to an aviation forum (.jpg) that is probably China's Chengdu J-20 fighter, claimed to be their "stealth fighter." Bill's comment caught my attention: I think that we can count on China to start delivering more technological surprises - and in some cases they will be aided by cyber-espionage. Remember that's what the Advanced Persistent Threat is all about, and the great thing about cyber-espionage is that it can be exploited without risking human sources. That makes it much more useful - both in learning how to do things and avoiding blind alleys and pitfalls in R&D. (emphasis added) There are several ways information stolen by APT could have helped with this aviation program. A few include:

Theft of Western technology for direct application to building the Chinese aircraft
Theft of Western technology to help design the Chinese aircraft to counter Western aircraft
Theft of Western technology

Splunk 4.x on FreeBSD 8.x using compat6x Libraries

Two years ago I posted Splunk on FreeBSD 7.0 showing how to use the FreeBSD compat6x libraries to run the 3.4 version of Splunk compiled for FreeBSD 6.x. I decided to try this again, except using the newest Splunk on an amd64 FreeBSD system. As you can see below, it took me only a few minutes to get the system running thanks to the precompiled compat6x-amd64 package. If I needed to install on i386, I could have used the ports tree.

r200a# uname -a
FreeBSD r200a.taosecurity.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
r200a# pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable/misc/compat6x-amd64-6.4.604000.200810_3.tbz
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable/misc/compat6x-amd64-6.4.604000.200810_3.tbz... Done.
*******************************************************************************
*

Bruce Schneier, Cyber Warrior?

Do you remember the story from the Times in 2009 titled Spy chiefs fear Chinese cyber attack? [UK] Intelligence chiefs have warned that China may have gained the capability to shut down Britain by crippling its telecoms and utilities. They have told ministers of their fears that equipment installed by Huawei, the Chinese telecoms giant, in BT’s new communications network could be used to halt critical services such as power, food and water supplies. The warnings coincide with growing cyberwarfare attacks on Britain by foreign governments, particularly Russia and China... The company [Huawei] is providing key components for BT’s new £10 billion network, which will update the UK’s telecoms with the use of internet technology. The report says the potential threat from Huawei “has been demonstrated elsewhere in the world”... [T]he ministerial committee on national security was told at the January [2009] meeting that Huawei components that form key parts of BT’s new network might already c

Trying Ubuntu 10.10 in AWS Free Usage Tier

After trying 60 Free Minutes with Ubuntu 10.10 in Amazon EC2 yesterday, I decided to take the next step and try the AWS Free Usage Tier. This blog post by Jay Andrew Allen titled Getting Started (for Free!) with Amazon Elastic Cloud Computing (EC2) helped me. One important caveat applies: this activity will not be completely free. The AMI I chose uses a 15 GB filesystem, and the terms of the free usage stipulate no more than a 10 GB filesystem. I'll pay $0.50 per month for the privilege of using a prebuilt Ubuntu AMI. Since I'm an AMI n00b, I decided to pay the $0.50. At some point when I am comfortable creating or trusting 10 GB AMIs, maybe I'll switch. First I visited http://aws.amazon.com/ec2/ and signed up for Amazon EC2. At Amazon Web Services Sign In, I chose "Identity Verification by Telephone." When I completed sign up I received three emails: 1) Amazon Virtual Private Cloud Sign-Up Confirmation; 2) Amazon Elastic Compute Cloud Sign-Up Confirm

60 Free Minutes with Ubuntu 10.10 in Amazon EC2

I decided to try Ubuntu in the Cloud because 1) I had a few minutes this afternoon and 2) it's free. If you follow the directions on their Web site you'll have access to an Ubuntu 10.10 server for 60 minutes, hosted by Amazon Elastic Compute Cloud (Amazon EC2). It's really simple, so easy a caveman could do it. (Ouch.) First make sure you have a public-private SSH key pair.

richard@neely:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/richard/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/richard/.ssh/id_rsa.
Your public key has been saved in /home/richard/.ssh/id_rsa.pub.
The key fingerprint is:
c6:e0:9c:84:74:3d:2d:09:b3:a2:e5:97:7b:63:59:da richard@neely
The key's randomart image is:
+--[ RSA 2048]----+
| . +o o |
| . o o= . |
| + + o |
| + = = |
| . . * S . |
| . o = |
|
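The fingerprint ssh-keygen prints above is what you compare against the key you later upload or see offered by a server. As an added example that is not part of the post, the code below parses an id_rsa.pub line, checks that the key type declared on the line matches the type embedded in the base64 blob, reads the RSA modulus size, and computes both the colon-hex MD5 fingerprint of 2010-era OpenSSH and the SHA256 form current releases print. The sample key line is constructed from a made-up 2048-bit number standing in for a modulus (it is correctly formatted but not a usable key); the comment "example@host" is likewise invented.

```python
"""Parse an OpenSSH public key line and compute its fingerprints.

Added example, not code from the original post.  SAMPLE_PUB_LINE is built
here from a constructed 2048-bit odd number standing in for a real RSA
modulus; it is not a usable key, only a correctly formatted one.
"""
import base64
import hashlib
import struct
from typing import List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key: string "ssh-rsa", mpint e, mpint n (RFC 4253 6.6)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def read_ssh_strings(blob: bytes) -> List[bytes]:
    """Split a blob into its length-prefixed fields, refusing truncated input."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + length])
        off += length
    return fields


def parse_authorized_key(line: str) -> Tuple[str, bytes, str]:
    """Return (key type, decoded blob, comment) for one id_rsa.pub line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner = read_ssh_strings(blob)
    # The first string inside the blob must repeat the declared type;
    # a mismatch means the line was edited or spliced together.
    if not inner or inner[0] != ktype.encode():
        raise ValueError(f"declared type {ktype!r} does not match blob")
    return ktype, blob, comment


def is_well_formed(line: str) -> bool:
    """True if the line parses and its declared type matches the blob."""
    try:
        parse_authorized_key(line)
        return True
    except ValueError:
        return False


def rsa_modulus_bits(blob: bytes) -> int:
    """Key size as ssh-keygen -l reports it: bit length of the modulus n."""
    ktype, _e, n = read_ssh_strings(blob)[:3]
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(n, "big").bit_length()


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 form, the one ssh-keygen printed in 2010."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """Current default: 'SHA256:' plus unpadded base64 (ssh-keygen -l -E sha256)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed stand-in modulus: 2048 bits, odd, NOT a product of two primes.
SAMPLE_N = int.from_bytes(hashlib.sha512(b"constructed example").digest() * 4, "big") | (1 << 2047) | 1
SAMPLE_E = 65537
SAMPLE_PUB_LINE = ("ssh-rsa " + base64.b64encode(rsa_public_blob(SAMPLE_E, SAMPLE_N)).decode()
                   + " example@host")

if __name__ == "__main__":
    ktype, blob, comment = parse_authorized_key(SAMPLE_PUB_LINE)
    print(f"{rsa_modulus_bits(blob)} {md5_fingerprint(blob)} {comment} ({ktype})")
    print(f"{rsa_modulus_bits(blob)} {sha256_fingerprint(blob)} {comment} ({ktype})")
```

Both fingerprints are hashes of the decoded blob, not of the base64 text, which is why the same key gives the same fingerprint whatever comment or whitespace the line carries. The type check matters when keys arrive through a web form or a copied e-mail: a line whose declared type disagrees with the blob is rejected instead of being installed.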

Stop Killing Innovation

I hear and read a lot about how IT is supposed to innovate to enable "the business." Anytime I see "IT" in one part of a sentence and "the business" in another, a little part of me dies. Somewhere there is a Nirvana where "thought leaders" understand that there is no business without IT , that IT is as part of the business as the sales person or factory worker or janitor, and that IT would be better off not constantly justifying its existence to "the business." But I digress. I want to address the "innovation" issue in this post. CIO magazine recently published an interview with Vinnie Mirchandani titled Taking Business Risks With Your IT Budget . I liked what Mr Mirchandani had to say, although I'm going to omit his multiple references to "cloud." Instead, consider how he sees innovation in IT: More [CIOs] want to be [innovators], but organizations don’t let them... In the 1980s, we talked about IT as a

The Problem Is with Gmail

In my last post I lamented a problem with Sendmail on FreeBSD. I was trying to troubleshoot a problem sending email from FreeBSD's periodic scripts to Gmail. I've determined that, as crazy as this sounds, Gmail is broken. (Some of you are probably not surprised. If you want to skip the drama and see the bottom line, scroll to the bottom of the post.) Let me start my case by showing network transcripts of one successful "periodic" email and one unsuccessful "periodic" email. I'm not going to change any email addresses in this post. The following email is delivered successfully. Computer vm.taosecurity.com sits behind NAT so the public IP is 73.128.35.11. The entries prior to the SMTP transactions (e.g. 074.125.091.027.00025-073.128.035.011.57184: and similar) were added by Tcpflow, which I used to render the transcript manually.

074.125.091.027.00025-073.128.035.011.57184: 220 mx.google.com ESMTP my6si2476635qcb.101
073.128.035.011.57184-074.125.0