TaoSecurity Blog

NWFusion reports on sFlow , saying: "SFlow, which the IETF approved as a draft standard in 2001, is a technology that uses random sampling of LAN and WAN data packet flows across an entire network to give users a detailed, real-time view of network traffic performance, trends and problems, according to Foundry Networks and HP. Both offer sFlow-based switches." Notice this is a sampling technology, unlike the default usage of Cisco's NetFlow . NetFlow does support sampling, but that is for high load conditions.

Confused about the state of the graphical desktop X? Read X Marks the Spot by Oscar Boykin . Many of the story comments are interesting too.

Just in time to raise my spirits after my SMC NIC debacle, FreeBSD 5.2.1 was released, along with Snort 2.1.1 . All I need now is barnyard 0.2 and I'll release a new install guide for Sguil using those tools and MySQL 4.0.x . Remember to download FreeBSD .iso images using one of the mirrors . If you want to upgrade you can go the binary-only route using freebsd-update . I just saw that OpenSSh 3.8 was released too. There's a FreeBSD HEADS-UP message for the new version.

Yesterday I began a journey to get two of my 802.11b NICs to function as promiscuous sniffers. I own a SMC EZ Connect 802.11b Wireless PCMCIA card, model 2632W v.1 , and a SMC EZ Connect 802.11b Wireless PCI card, model 2602W v.1 . I wanted to use Tcpdump's new ieee802_11_radio options to see raw 802.11 traffic, announced for FreeBSD in December . I started with the 2632W and had the most luck. It worked as a normal NIC under FreeBSD 5.2, but I could not get it to work with the bsd-airtools , even with the net-mgmt/bsd-airtools port. I had installed the net/libpcap and net/tcpdump ports. This is how the 2632W looked to FreeBSD 5.2 REL: orr:/root# dmesg | grep wi0 wi0: at port 0x100-0x13f irq 11 function 0 config 1 on pccard0 wi0: 802.11 address: 00:04:e2:29:3b:ba wi0: using RF:PRISM2 MAC:HFA3841 CARD:HWB3163 rev.A wi0: Intersil Firmware: Primary (0.3.0), Station (0.8.3) wi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps orr:/root# ifconfig wi0 up orr:/root# ifconfig wi0 wi0: flags

Today I got my new ports email from FreshPorts and saw a new ports category: net-mgmt . This contains some of my favorite programs, like Argus and fprobe . I don't agree with many of the ports being in this category though. Why are ISIC , NBTScan , and Packit in net-mgmt when Nemesis , NAT , and IPsorc still in net ?

OSNews featured an article by Tony Bourke on SPARC Optimizations with GCC . Tony does a good job explaining the different SPARC CPUs in Sun hardware and how to compile applications with various flags.

I read at the OpenBSD Journal of a privilege separation version of Tcpdump being committed to OpenBSD current . You can see the changes in the OpenBSD source tree . (Browsing CVS source trees, as can also be done with FreeBSD , feature alone makes the BSD's coherent, understandable operating systems. Tcpdump also has a browsable CVS Web interface . Privilege separation is a topic I first learned about through Niels Provos' OpenSSH modifications . There appears to be interest in having Tcpdump run with less privileges. I found this thread on Tcpdump-workers take a different approach.

freebsd.png" align=left>I hadn't had luck getting Macromedia Flash support to work on FreeBSD with Mozilla until today. I read this thread and learned I needed to install the www/linux-flashplugin6 and www/linuxpluginwrapper ports. I noticed the linuxpluginwrapper port installed these items: /usr/bin/install -c flash6.so /usr/local/lib/pluginwrapper/flash6.so /usr/bin/install -c acrobat.so /usr/local/lib/pluginwrapper/acrobat.so /usr/bin/install -c java3d.so /usr/local/lib/pluginwrapper/java3d.so /usr/bin/install -c java3d_snd.so /usr/local/lib/pluginwrapper/java3d_snd.so /usr/bin/install -c jai.so /usr/local/lib/pluginwrapper/jai.so I made a file called /etc/libmap.conf as directed: # Flash6 with Mozilla/Firebird/Galeon/Epiphany [/usr/local/lib/linux-flashplugin6/libflashplayer.so] libpthread.so.0 liblthread.so.3 libdl.so.2 pluginwrapper/flash6.so libz.so.1 libz.so.2 libstdc++-libc6.2-2.so.3 liblstdc+

The Oregon State University Open Source Lab is preparing to host the 2004 Beaver Challenge . This contest seeks to benchmark different open source operating systems on Dell PowerEdge 2650 servers . The challenge states: "There will be two classes that each team will compete in. There will be a base class where everyone must follow the rules outlined below. The second class will have no rules except for the fact that every team must document all changes made to the base install." I recommend reading the methodology to see the full rule set. The FreeBSD-Hackers mailing list shows a call for tuners for the "unlimited" competition. There's also a FreeBSD forum at OSU. Results of the challenge will be posted for all to benefit.

In my never-ending question to understand FreeBSD application management, I took note of this post to the freebsd-current mailing list: From: Kris Kennaway (kris_at_obsecurity.org) Date: Fri, 20 Feb 2004 16:59:48 -0800 To: current@FreeBSD.org I don't normally announce these here, but since there's recently been a "flag day" people may like to know that I've uploaded a full set of 9189 post-libpthread i386 5.2-CURRENT packages to ftp-master. You can use e.g. portupgrade -afPP to update your installed ports if you want to avoid the need to recompile everything that uses libc_r. Packages for other architectures will follow over the next week or so. Kris

Jonathan Hassell wrote the first of a planned three articles on patching Windows. The first article describes Microsoft's Software Update Services (SUS). One of the tenets of operating defensible networks is that they can be kept current. In future articles, Jonathan will look at third party open source and commercial options for Windows patch management. Hopefully this will change, but a visit to www.jonathanhassell.com shows the default Windows Small Business Server home page...

I'm adding new Web site, Hacker Intel , to my TaoSecurity Interests page. Hacker Intel reminds me of the now defunct Hacker News Network . I'll check in with the site daily as it seems to post short summaries of security news on a daily basis. In related news, PacketStorm is back on my Interests page as it is being updated again.

While reading the Slashdot story Tech Training Schools Going Bust , I saw a link to Teach Yourself Programming in Ten Years . This essay argues it takes ten years to master a subject, so trying to "learn Java in 21 days" will result in failure. The author provides advice on the proper way to learn computer-related subjects.

While writing the last chapter of my book I checked into the status of Systrace support in FreeBSD. I mentioned Systrace last August . Since then, Vladimir Kotal has been working on porting Systrace to FreeBSD. I haven't tried his patches yet but I applaud his work. Systrace is a system-call monitoring and enforcement mechanism that brings a great deal of security functionality to Unix systems.

Kevin Poulsen, the best original writer in the security scene, published an article on TCNiSO . This group wrote Sigma, a program giving owners of certain Surfboard cable modems control of the device. Sigma only works with DOCSIS 1.0 cable modems, but the TCNiSO crew has plans for working with newer specifications. The article is an excellent read.

If you're a dial-up user who avoids patching Windows, check out the Windows Security Update CD . It's available for Windows XP, Windows Me, Windows 2000, Windows 98, and Windows 98 Second Edition (SE). When I placed my order this is what I got: B82-00170 1 Win Update 2004 English NA Feb Direct 2CD Windows Security Kit For enterprise Windows users there's the Microsoft Security Guidance Kit CD v1.0 . It's free too, so I ordered one: P73-00958 1 Windows Svr Std 2003 English Direct CD Security Readiness April 2004

I downloaded this analysis ( .doc ) of the Windows source code leak from a Dutch Windows news site, Bink.nu . The author is a Dutch programmer named Tamura Jones, who wrote a book called Undocumented Windows . Jones makes several good points, which I reproduce below. "This is not the first time that Microsoft source code leaked onto the net. In 2000, the source code for MS-DOS 6 was leaked. It received considerable less attention, as most journalist considered it obsolete, despite the fact that it still had millions of users around the world, and that MS-DOS is actually the basis for many versions of Windows still in use today. That leaked source is still being passed around... In October of 2000, Microsoft had to confirm that crackers had broken into their network and actually gained access to the Windows source code. That breach was done using the Qaz trojan. Microsoft has stated that this time round, their security has not been breached... Evidence inside the Windows

I was aware that Éric Lévénez was the author of the UNIX history chart , but I just discovered his Windows and programming languages diagrams. They are truly amazing and very educational.

After hearing and reading misinformed commentary on Microsoft's source code leak elsewhere, I was pleased to be reminded that the Register has clueful writers. One of them, Ashlee Vance, reported on Solaris 10 . I've had a soft spot for Solaris since 1997, when I first used it as an Air Force lieutenant. I've only just started playing with Solaris 8 on my Ultra 30, never mind Solaris 9 . (Incidentally, major kudos to Sun for providing easy access to these earlier versions with intuitive URLs!) According to Ms. Vance: "One of the major new additions to Solaris 10 is the N1 Grid Containers product. Sun has gone through some name changes with the product since we first reported on the technology, but the premise of the software has stayed the same. The containers are Sun's answer to logical partitions (LPARs) on AIX and HP-UX and the virtual machines touted by VMware/EMC for Windows and Linux servers. The software permits users to carve up a server into mu

Not everyone wants to use a Linux-based live CD like Knoppix. I mentioned various live CD projects last year , but hadn't tried any but Knoppix until today. Slashdot informed of Bart's Preinstalled Environment (BartPE), a Windows-based live CD. I downloaded the software and created a Windows Server 2003-based .iso image using the evaluation copy Microsoft sent me. I tested the .iso within VMWare on my FreeBSD 5.2 REL laptop. It seemed to work fine. I decided to give FreeSBIE , the FreeBSD-based live CD a try. I downloaded the version which uses FreeBSD 5.2 REL and tested it within VMWare. It's impressive, with X ready to go just like Knoppix. A large screen shot follows. When 5.2.1 REL is released, I expect the FreeSBIE team to create a new .iso. I'll burn that one to CD to carry with me.

By now everyone knows about Microsoft code being "made available on the Internet" , according to the linked press release. Microsoft claims: "On Thursday, February 12, Microsoft became aware that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet. Subsequent investigation has shown this was not the result of any breach of Microsoft?s corporate network or internal security, nor is it related to Microsoft?s Shared Source Initiative or its Government Security Program." This probably doesn't comfort Mainsoft , claimed by some to be involved in the leak. I found it amusing that news outfits like NPR and Wired and CNN found the amount of profanity in the Windows source to be newsworthy. A Slashdot post provided the following help grep syntax: grep -Hirn "INSERT PROFANITY HERE" ./* In case you're wondering about the switches: -H, --with-filename -i, --ignore-case -r

I'm so sad I missed this when it was active. AP and the New York Times report that Amazon.ca accidentally replaced the anonymous "A Reader From" monikers with the real names of reviewers on its Web site. For example, instead of reading a glowing five star review by "a reader from Chicago" for a book by author John Rechy, the name "John Rechy" appeared -- showing the author reviewing his own book! Fake reviews at Amazon.com have been a problem for years. The hundreds of fake reviews of Hack Attacks Revealed hit home for me, especially when the fictitious "l peterson" reviewed the book. Publisher Wiley printed a "review" by this fake person in the inside cover of Hack Attacks Encyclopedia , where "l peterson" said "Speaking for the Air Force Computer Emergency Response Team..." That really angered me, as I had just left the Air Force and that unit and confirmed there was no such person in the AFCERT.

We have a HP DeskJet 970 series printer connected to a Windows XP system. I wanted to print from my FreeBSD laptop to this printer. I decided to try installing Windows Print Services for UNIX , a sort of LPD for Windows, using these instructions . Once done the Windows system was listening on port 515 for print jobs. If the DeskJet understood Postscript , I should have been able to print directly from FreeBSD using the lpr command. Without Postscript support, I needed to use a filter to accommodate the printer. Inspired by Michael Lucas' recent articles on Apsfilter , I gave it a try. Unfortunately I could not get Apsfilter to work with my printer, so I turned to CUPS . I installed CUPS using the CUPS port . Through trial and error I figured out I needed to start cups-lpd from inetd by adding this line to /etc/inetd.conf: printer stream tcp nowait lp /usr/local/libexec/cups/daemon/cups-lpd cups-lpd This means I made sure the native lpd was not running, and inetd was

While perusing the FreeBSD-current news archive, I read a thread on comparing glxgears performance. I had never used this tool so I fired it up and saw my Thinkpad a20p laptop's performance: Xlib: extension "XFree86-DRI" missing on display ":0.0". 303 frames in 5.0 seconds = 60.600 FPS 361 frames in 5.0 seconds = 72.200 FPS 360 frames in 5.0 seconds = 72.000 FPS 360 frames in 5.0 seconds = 72.000 FPS 360 frames in 5.0 seconds = 72.000 FPS The error message bothered me, and these numbers looked much lower than those in the thread, so I started poking around. I found Eric Anholt's DRI page extremely helpful. I learned DRI is the Direct Rendering Infrastructure , "a framework for allowing direct access to graphics hardware in a safe and efficient manner... The first major use for the DRI is to create fast OpenGL implementations." The DRI page for ATI , the maker of my Rage Mobility 128 card showed it was supported. However, using Eric'

I just read this at Packet Storm : On January 12, 2004, Packet Storm had its connectivity turned off without any forewarning. After the plug was pulled, it took approximately two weeks to get a straight answer from our provider as to whether or not we were going to get turned back on. It seems that when bandwidth is donated to a worthy cause, the cause is not so worthy when it comes to returning phone calls. In the end, our hosting was cancelled. Due to the abrupt turnoff, we did not have time to set up safe hosting elsewhere. If you have a strong, fast, and secure location that can host 4-12U's of rack space, please contact fringe[at]dtmf.org with any information. Packet Storm has no plans to fall under corporate sponsorship again and we hope that the security community understands that this transition does not mean we are going anywhere. We do plan to get the site back up to speed and updated within the next week, but mail and cgi services will be unavailable. They will be r

Today Microsoft announced their Security Updates for February 2004 . Security consultancy eEye told Microsoft about one of the flaws, called MS04-007 by Microsoft, six months ago . The vulnerability affects code using Microsoft's ASN.1 library (MSASN1.DLL). The OpenSSL team reported a vulnerability and fix for ASN problems in September 2003 . The Slashdot thread makes good points about how Microsoft claims to fix errors faster and better than open source software. The following was published by The Register last October to recount an interview with Bill Gates at the TechNet/MSDN seminar in The Hague: "Microsoft is making progress. The company writes more secure code, essentially because of tools that show where problems might occur. It is also fixing problems much faster than it used to. Gates: 'We've gone from little over 40 hours on average to 24 hours. With Linux, that would be a couple of weeks on average.'" Who is Microsoft kidding? I'm ap

O'Reilly's UNIX Power Tools, 3rd Ed inspired me to change the default prompts on my FreeBSD systems. My user account uses bash, so I made the following entry in ~/.profile to ensure my prompt shows my username, system name, and present working directory when I log in. The single straight quotes ensure that $PWD is substituted every time I change directories. If I had used double straight quotes, then $PWD would be fixed at whatever my current directory was when the shell was started. Single straight quotes helps us use "dynamic substitution." Using the back ticks sets the value of the system name. PS1='$USER@`hostname -s`:$PWD ' Here's the result: richard@orr:/home/richard$ Changing .profile affects prompts seen when logging in to the terminal and remotely via SSH. This entry in ~/.profile doesn't influence the prompt seen by terminals started within X, as they are not "interactive" shells. (I still haven't figured that one out.)

Currently a slew of worms are scanning port 3127 TCP , looking for systems infected by MyDoom.A . They include MyDoom.B , Doomjuice , and Vesser . I collect session data using a variety of means, including Argus . I have the Argus daemon write what it sees into a directory. The elaborate date in the file name is a result of calling the date command like so: DATE=`/bin/date "+%Y%m%d-%H%M%S"` When the process is running, it looks like this: /usr/local/src/argus-2.0.6/bin/argus_bpf -c -d -i ngeth0 -w /nsm/argus/20040206-085201.bourque.taosecurity.com.ngeth0.arg - ip This process stores Argus data in the /nsm/argus directory. To quickly search the directory, I use the following at the command line: -bash-2.05b$ for i in `ls`; do ra -n -r $i - dst port 3127 | grep -v stream >> /tmp/3127.ra; done This yields results like the following: 28 Jan 04 16:47:32 tcp 80.181.182.157.2391 -> myIP.3127 RST 28 Jan 04 16:47:33 tcp 80.181.182.157.2391 ->

Amazon.com just published my five star review of Security Warrior . From the review: " Security Warrior is a heavyweight contender. Peikari and Chuvakin offer a dark counterpart to O'Reilly classics like Practical UNIX and Internet Security (PUAIS) and Securing Windows NT/2000 Servers for the Internet . If you've been waiting for the next good security book from O'Reilly, "Security Warrior" (SW) is it. Part I, "Software Cracking," was my favorite section. This material is largely not for beginners, which marked a welcome change from many competing books. Part I gave an introduction to assembly language, followed by reverse engineering exercises on Windows, Linux, and Windows CE. I admit a good portion of the section was beyond my skill level, but I was able to "patch" binaries to alter program flow and even use a buffer overflow to execute previously unreachable code in a sample program. These sorts of "hands-on" exercises w

Keeping the ports tree up-to-date is a big concern for FreeBSD users. Kris Kennaway posted a comparison of 'make index' and the portupgrade command ' portsdb -U'. Already one change has been made to the portupgrade port to address Kris' findings. Dru Lavigne wrote articles about Ports Tricks , Portupgrade , and Cleaning and Customizing Your Ports . Michael Lucas and Dan Langille have also written articles on using the ports tree. This thread in the freebsd-ports archive discusses ways to keep ports trees up-to-date on multiple machines. Update ": This post reminded me of how to create your own packages in FreeBSD. To create a package with all of its dependencies, change to the directory of the tool you wish to build in the /usr/ports tree. Once there, running 'make package-recursive' will create a package from the ports tree and all of its dependencies. They will be stored in the /usr/ports/packages/All directory.

I've finally figured out why visits to some Web sites take forever. I've maintained for years that "if something works, but takes a long time, blame DNS." Sure enough, a combination of Mozilla's behavior and uncooperative DNS servers are conspiring against Web users. Here's how Mozilla resolves a host name when the remote DNS server cooperates. First Mozilla causes a DNS query for an AAAA record. This is an IPv6 record. The name server (here a forwarding name server) replies that it doesn't know an AAAA record for xlonhcld.xlontech.net. Mozilla promptly asks for the A record, which is returned in the last packet. So far so good. 18:24:04.604363 192.168.2.5.49203 > 172.27.20.1.53: 56494+ AAAA? xlonhcld.xlontech.net. (39) 18:24:04.611197 172.27.20.1.53 > 192.168.2.5.49203: 56494 0/1/0 (104) 18:24:04.611474 192.168.2.5.49204 > 172.27.20.1.53: 56495+ A? xlonhcld.xlontech.net. (39) 18:24:04.619886 172.27.20.1.53 > 192.168.2.5.49204: 564

A few security advisories for FreeBSD and OpenBSD were announced. The latest for FreeBSD involves the System V Shared Memory interface . If you're running a GENERIC kernel you may be able to use Colin Percival's binary updates , like this: bourque# uname -a FreeBSD bourque.taosecurity.com 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Mon Oct 27 17:51:09 GMT 2003 root@freebsd-stable.sentex.ca:/usr/obj/usr/src/sys/GENERIC i386 bourque# freebsd-update -v fetch Fetching updates signature... Fetching updates... Fetching hash list signature... Fetching hash list... Examining local system... Fetching updates... /kernel... /kernel.GENERIC... Updates fetched To install these updates, run: '/usr/local/sbin/freebsd-update install' bourque# freebsd-update -v install Backing up /kernel... Installing new /kernel... Backing up /kernel.GENERIC... Installing new /kernel.GENERIC... ...reboot... -bash-2.05b$ uname -a FreeBSD bourque.taosecurity.com 4.9-SECURITY FreeBSD 4.9-SECURITY #0: Th

Slashdot has covered two interesting topics recently: Learning Computer Science via Assembly Language and Building Your Own Operating System . I learned of two online books to assist with these topics: PC Assembly Language and Programming from the Ground Up . If you want to run UNIX on your Commodore 64, try LUnix .

I decided to set up ssh-agent and ssh-askpass on my laptop to allow easier access to other systems on my LAN. First I created a public/private key pair: bash-2.05b$ ssh-keygen -t dsa Generating public/private dsa key pair. Enter file in which to save the key (/home/richard/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/richard/.ssh/id_dsa. Your public key has been saved in /home/richard/.ssh/id_dsa.pub. The key fingerprint is: OB:FU:SC:AT:ED:FO:RS:EC:UR:IT:YR:EA:SO:NS richard@orr.taosecurity.com Next I added the contents of /home/richard/.ssh/id_dsa.pub to newly-created authorized_keys files in the ~/.ssh/ directory on every server to which I wished to connect. To ease log-in, I changed my laptop's .xinitrc file to look like this: ssh-add < /dev/null exec fvwm-themes-start I also ensured my .profile had these entries: SSHAGENT=/usr/bin/ssh-agent SSHAGENTARGS="-s" if [ -z "$SSH_A

If you've been having troubles upgrading FreeBSD ports due to conflicts between version of devel/gettext , your problems are over. Joe Marcus Clarke's post to freebsd-ports indicates he's set all ports requiring gettext to use the newest version. The problem originated with the way the gettext port was modified in late January . I just updated all ports on my FreeBSD 4.9 STABLE system and am doing the same on my FreeBSD 5.2 RELEASE box now. Everything seems to work ok.

Amazon.com just posted my four star review of The Art of UNIX Programming . From the review: "I found histories of "UNIX vs. UNIX" and "UNIX vs the world" very informative. TAOUP presents concise explanations of licensing, RFC creation, and UNIX philosophy. I was happy to see that an open source project to which I contribute (Sguil) met many UNIX design criteria, like text-based communication between small collaborating daemons. I plan to follow TAOUP's recommendations for documentation so helpfully discussed in chapter 18 when I release the next set of Sguil guides. TAOUP offers numerous priceless quotes from UNIX pioneers, but ESR himself offers my favorite: "Open source is what happens when code reuse gets a flag and an army." I hope UNIX advocates everywhere carry TAOUP into battle against their proprietary, monopolistic OS foes. With a few more nods to the enemy and a more balanced comparison of languages, TAOUP will be unbeatable."

One of my favorite sites, www.packetstormsecurity.org , hasn't been updated since the second week in January. Email to staff@packetstormsecurity.org and staff@packetstormsecurity.nl is being refused: This is the Postfix program at host fallback-2.mail.widexs.nl. I'm sorry to have to inform you that the message returned below could not be delivered to one or more destinations. For further assistance, please send mail to If you do so, please include this problem report. You can delete your own text from the message returned below. The Postfix program : connect to pop.packetstormsecurity.nl[213.206.75.252]: Connection refused Is this the end for PacketStorm?

I'm in the last month of writing The Tao of Network Security Monitoring , so I haven't had much time to fool around with FreeBSD or other items of technical or security interest. However, I'm still happy. The New England Patriots won Superbowl XXXVIII , considered by some to be the best ever . Now, after perusing Amazon.com, I just learned that on 16 March 2004, the entire First Season of the classic 1970s TV series Kung Fu will be released on DVD by Warner Home Video . I expect the second and third seasons to appear later this year. The Kung Fu TV series is the reason I first started studying martial arts seriously in 1994.