Friday, December 31, 2010

Best Book Bejtlich Read in 2010

It's the end of the year, which means it's time to name the winner of the Best Book Bejtlich Read award for 2010!

I've been reading and reviewing digital security books seriously since 2000. This is the fifth time I've formally announced a winner; see 2009, 2008, 2007, and 2006.

Compared to 2009 (15 books), 2010 was a good reading year -- 31 technical or security books, or my fifth highest total since 2000. Incidentally I read a decent number of "security history" books, meaning characterizations of "the scene." Many covered the 1990s and are fairly old, but I had always wanted to read them.

My ratings for 2010 can be summarized as follows:

  • 5 stars: 14 books

  • 4 stars: 9 books

  • 3 stars: 5 books

  • 2 stars: 3 books

  • 1 star: 0 books


Please remember that I try to avoid reading bad books. If I read a book and I give it a lower rating (generally 3 or less stars), it's because I had higher hopes.

Here's my overall ranking of the five star reviews; this means all of the following are excellent books.

  • 14, 13, and 12. The Dragon's Quantum Leap, Decoding the Virtual Dragon, and Dragon Bytes by Timothy L Thomas, Foreign Military Studies Office. Thomas examines Chinese information warfare like no one else. Enlightening and frightening.

  • 11. Intelligence, 4th Ed by Mark M. Lowenthal, CQ Press. Anyone interested in learning about the IC and how professional intelligence officers think and act will enjoy reading I4E.

  • 10. The Book of Xen by Chris Takemura, No Starch. This could easily have been a very dry technical book, but TBOX is entertaining from the start.

  • 9. IT Security Metrics by Lance Hayden, McGraw-Hill Osborne Media. If you want to introduce a comprehensive security metrics program in your environment, ISM will very skillfully offer one way to accomplish that goal. It's immensely practical and grounded in reality, and it will help you.

  • 8. The Victorian Internet by Tom Standage, Walker & Company. Being a history major, I find The Victorian Internet (TVI) to be an enlightening antidote to chronocentricity, and I recommend it to anyone trying to better understand modern times through the lens of history.

  • 7. The Hacker Crackdown by Bruce Sterling, Bantam. THC is one of my favorite books on hacker activity because it combines a narrative with the author's accounts of interactions with key individuals.

  • 6. The Cuckoo's Egg by Cliff Stoll, Gallery. I first read TCE 20 years ago when it was first published, but I was a high school student who couldn't appreciate the content. Now, as an IR team leader, I recognize that Cliff probably shares 25 IR lessons in the first 50 pages!

  • 5. Hacking Exposed Wireless, 2nd Ed by Johnny Cache, McGraw-Hill Osborne Media. HEW2 is the best book on wireless security available. If you want to understand wireless -- and not just 802.11, but also Bluetooth, ZigBee, and DECT -- HEW2 is the book for you.

  • 4. Wireshark Network Analysis by Laura Chappell, Laura Chappell University. Wireshark Network Analysis (WNA) is a very practical, thorough, comprehensive introduction to Wireshark, written in an engaging style and produced in a professional manner.

  • 3. Network Maintenance and Troubleshooting Guide, 2nd Ed by Neal Allen, Addison-Wesley Professional. NMATG brings a whole new dimension to network analysis, particularly at the lowest levels of the OSI model. I found topics covered in NMATG that were never discussed in other books.

  • 2. The Rootkit Arsenal by Bill Blunden, Jones & Bartlett Publishers. "Wow." That summarizes my review of "The Rootkit Arsenal" (TRA) by Bill Blunden. If you're a security person and you plan to read one seriously technical book this year, make it TRA. If you decide to really focus your attention, and try the examples in the book, you will be able to write Windows rootkits. Even without taking a hands-on approach, you will learn why you can't trust computers to defend themselves or report their condition in a trustworthy manner.


And, the winner of the Best Book Bejtlich Read in 2010 award is...

  • 1. Practical Lock Picking by Deviant Ollam, Syngress. My review said in part (emphasis added tonight):

    Practical Lock Picking (PLP) is an awesome book. I don't provide physical testing services, but as a security professional familiar with Deviant's reputation I was curious to read PLP. Not only is PLP an incredible resource, it should also serve as a model text for others who want to write a good book. First, although the book is less than 250 pages, it is very reasonably priced. Second, Deviant wastes NO space. There is no filler material, background found in other readily available texts, reprinted Web site content, etc. Third, the writing is exceptionally clear and methodical, with extreme attention to detail and a master's approach to educating the reader. Finally, the diagrams, pictures, and figures are superb.


The Army FMSO office led publishers with 3 books this year, while traditional media publisher McGraw-Hill Osborne Media followed with 2.

Congratulations again to Syngress, publisher of the last three Best Book Bejtlich Read winners!

Thank you to all publishers who sent me books in 2010. I have plenty more to read in 2011.

Congratulations to all the authors who wrote great books in 2010, and who are publishing titles in 2011!

Reflections on Four Tufte Books

This week I finished the four main books written by Edward Tufte, namely The Visual Display of Quantitative Information, 2nd ed, Envisioning Information, Visual Explanations, and Beautiful Evidence. I decided not to review them individually at Amazon.com for several reasons.

First, I received them as a set 2 1/2 years ago at The Best Single Day Class Ever, what I call Tufte's class. Tufte's class and written work present a single set of ideas, and some material is presented from multiple angles in several books. This makes it cognitively difficult for me to review them individually. Second, I did not treat them like other books I read, meaning I did not mark them with my own notes and underlining. Frankly the books are like works of art and it would pain me to mark them up! That makes it tough for me to review my reading process and withdraw comments suitable for a book review. Third, so many people have already reviewed the books that I did not feel I would bring any real novelty or domain expertise to the discussion.

Rather, for this post I wanted to share a few ideas I learned from Tufte that I try to keep in mind when communicating. Some of these are reflected in my earlier post, but I'd like to share what has stayed with me during these past 2 1/2 years.

  1. Do not let the medium define your message. PowerPoint culture is endemic in my workplace and in many others. Rather than considering the message to be communicated, too many people concentrate on what the PowerPoint "pitch" needs to look like. I don't exclusively mean appearance, although that is definitely a factor. I'm referring more to what bullets are supposed to reflect a message to an audience. Rather than leading with bullets, determine what message you are trying to communicate, then select a medium.

  2. Replace "presentations" with conversations. I avoid delivering lectures as much as possible. Nothing kills the spirit like receiving a stack of 300 slides. That "deck" represents a plodding, instructor-paced, predetermined path where questions are more likely to be interpreted as interruptions of the "flow" of the class. After seeing Tufte in action in 2008, I stopped teaching my two day TCP/IP Weapons School class using slides. The second and now third editions of the class have no slides whatsoever. Instead I teach with workbooks, labs, and unscripted question-and-answer interactions with students.

  3. Carry the burden or stay off the field. It is NOT easy to teach "Tufte style." Too many "presenters" and "instructors" fall into the seductive embrace of reading slides, facing the screen and not the students, hoping to get to the end of the pitch as soon as possible.

    Instead, imagine walking into a room with 100 or more people, giving each a paper handout with some possible discussion topics, and then asking what they would like to know about the security field. That is just what I did at the FIRST conference this year, and from what I heard, people liked it. I'll say now that it was a somewhat scary experience for me to focus purely on conversation and not just march through a 30 slide PowerPoint deck. However, this is the sort of approach we need to see in the field. I don't recommend it for every talk, but if you're up to carrying the burden, give it a try!

  4. Seek data and graphic representations where possible. For me, this is probably harder than the previous point. Whereas talking in an unscripted manner is rough because of the mental gymnastics required, creating data-driven figures is tough because of the amount of preparation required. We struggle with this in our CIRT. We have thousands of data points but the collection, analysis, interpretation, and explanation of that information is much more difficult than I expected. As we add staff who spend less time fighting operational battles and more time contemplating the overall picture, I expect us to deliver the sorts of graphics that speak volumes to all sorts of audiences.

  5. When the available tools stink, make your own. Tufte did this by publishing his books himself. He did not accept the limitations of the publishers who claimed he could not include the novel features found in his titles. We've encountered similar issues at work where existing data collection tools were just not suited for our needs. Several very talented and motivated team members built and continue to build new tools to get the job done. This is even more difficult than the previous point because it requires anticipating the sorts of data needed to describe, explain, and improve security operations. I expect a lot of progress in this area in 2011.


That's my "applied Tufte" for 2010. Here's hoping he publishes another book soon. The best New Year's resolution you could make for 2011 is to attend one of his classes, even if you have to pay yourself. You get all four books with paid tuition -- real books, not slide decks!

Review of The Dragon's Quantum Leap Posted

Amazon.com just posted my five star review of The Dragon's Quantum Leap by Timothy L. Thomas. I'm posting the entire review here because it's the sort of content that I believe should get wide exposure.

The Dragon's Quantum Leap (TDQL) is the third in a trilogy by Timothy L Thomas. A colleague introduced me to all three books, and an expert on the Chinese hacker scene was kind enough to secure a copy of the book. I thank all of them for the extraordinary journey presented in TDQL. Published in 2009, TDQL is an historical review of key publications by Chinese information warfare (IW) theorists and thought leaders, as translated by American translators and the Open Source Center, successor to the former Foreign Broadcast Information Service (FBIS). The author is an analyst with the Foreign Military Studies Office, and is a West Point graduate, a retired Army Lt Col, and a former Foreign Area Officer focusing on the USSR and Russia. TDQL covers Chinese IW thought from 2007-2009, while the earlier book Dragon Bytes (DB) addressed 1995-2003 and Decoding the Virtual Dragon (DTVD) covered 2004-early 2007.

My reviews of DB and DTVD summarized key Chinese IW themes, all of which extend into TDQL. Therefore I'd like to highlight a few aspects of TDQL that should be of interest to Western digital security specialists.

TDQL opens with an analysis of the one book by Chinese IW experts likely to be known to some US military strategists: Unrestricted Warfare (UW), published by Qiao Liang and Wang Xiangsui in 1999. Thomas includes it here because it foreshadows developments in Chinese IW in later years. It was interesting to learn that initially the Chinese government treated the UW authors critically, but later their ideas became popular. UW is filled with gems that cut to the heart of Chinese IW. For example, "the biggest difference between contemporary wars and the wars of the past is that, in contemporary wars, the overt goal and the covert goal are often two different matters" (p 21). "Military threats are already often no longer the major factors affecting national security... these traditional factors are increasingly becoming more intertwined with grabbing resources, contending for markets, controlling capital, trade sanctions, and other economic factors" (pp 21-2).

The authors offer critical insights that the Chinese have operationalized: "Warfare can be military, or it can be quasi-military, or it can be non-military. It can use violence, or it can be nonviolent. It can be a confrontation between professional soldiers, or one between newly emerging forces consisting primarily of ordinary people or experts" (p 28). In an interview about UW, author Qiao called war with the US "inevitable... because China will grow strong only at the cost of consuming much of the world's resources which will put it in direct competition and eventually conflict with the US" (p 30). They also claim "The battlefield is everywhere and war may be conducted in areas where military actions do not dominate" (pp 33-4). This reminds me of the subtitle of James Adams' 1998 book The Next World War: Computers Are the Weapons and the Front Line Is Everywhere.

Another author, PLA Major Peng Hongqi says "the weaker side [in IW] must adhere to the active offense... especially in peacetime" (p 40). Thomas says "Peng seems to imply that it is the RIGHT [author's emphasis] of an inferior force to attack a superior force first" (p 41). Peng advocates concepts like "protracted control" and using civilians, hackers, or other computers to gain plausible deniability. He says "forces begin engagements and reconnaissance before a conflict emerges. Peacetime collection of key information... is vital" (p 42). One should "treat the peacetime struggle for information supremacy as 'a genuine, perpetual, never-ending battle'... gain as much enemy information as possible and keep the enemy from gaining information on one's own side" (p 42). Also, "the only way the inferior side can compete with a powerful enemy is by taking full advantage of peacetime to energetically elevate its material and technological foundation" (p 42).

Deng Yifei provides what might be the "money quote" in TDQL: "In confrontation on the future battlefield, what is scarier than inferior technology is inferior thinking" (p 56). Evidence of China's IW thinking involves their focus on penetrating Western computers. Thomas notes "it is suspected that Chinese reconnaissance performs two functions: to expose an opposing force's military plans and to study the conditions and vulnerabilities that lead to the successful use of Internet attacks" (p 119). These intrusions bring to life this Chinese stratagem: "a victorious army first wins and then seeks battle" (p 174). Chinese thinkers also plan to target foreign commanders, even including "a study of hobbies, weaknesses and flaws" (p 121).

Thomas notes Taiwan's reporting on Chinese IW as well. He also includes suggestions made to strengthen Taiwanese IW defense. For example, Lin Chin-ching recommends that "all officers under the rank of lieutenant general would be tested on their knowledge of IW and computer information, and their test results would be taken into consideration when their files are reviewed for promotion" (p 216). I suggest the same for business managers as well as US military leaders.

I strongly recommend reading TDQL and Thomas' other works if you want to better understand Chinese IW history and thinking.

Review of Decoding the Virtual Dragon Posted

Amazon.com just posted my five star review of Decoding the Virtual Dragon by Timothy L. Thomas. I'm posting the entire review here because it's the sort of content that I believe should get wide exposure.

Decoding the Virtual Dragon (DTVD) is the sequel to Timothy L Thomas' 2004 book Dragon Bytes. A colleague introduced me to both books, and an expert on the Chinese hacker scene was kind enough to secure a copy of the book. I thank all of them for the extraordinary journey presented in DTVD. Published in 2007, DTVD is an historical review of key publications by Chinese information warfare (IW) theorists and thought leaders, as translated by American translators and the Open Source Center, successor to the former Foreign Broadcast Information Service (FBIS). The author is an analyst with the Foreign Military Studies Office, and is a West Point graduate, a retired Army Lt Col, and a former Foreign Area Officer focusing on the USSR and Russia. DTVD covers Chinese IW thought from 2004-early 2007. Thomas' earlier book discusses 1995-2003, and his later book addresses 2007-2009.

My review of DB summarized key Chinese IW themes, all of which extend into DTVD. Therefore I'd like to highlight a few aspects of DTVD that should be of interest to Western digital security specialists.

Chinese military leaders have always promoted development of theory and strategy, but they are now integrating practice into their doctrine. This is difficult for a military that lacks the ops tempo of a force like the US military, with a decade of continuous war experience on hand. However, IW allows continuous practice, since it can be exercised "using a borrowed sword" (i.e., using deception and "camouflage" to lend plausible deniability to Chinese IW offensives against the West).

Chinese thought leaders often see the US as an offensive force. Thomas reports on the views of two theorists thus: "Conflict-oriented strategy still holds a strong place in Western strategic culture. Expansion and the seizure of hegemony are Western strategic targets while China's has been an introvert-type behavior whose targets are peace, safeguarding national territories, and seeking unification and resisting aggression" (p 23). (That's apparently how the Chinese frame their activities in Tibet and their missiles facing Taiwan.)

The two theorists (Peng and Yao) also note that "the seizure of information has become a primary task of modern warfare" (p 30). One form of conflict perpetrated by the West is "strategic psychological warfare (SPW)," which includes "attempts to advance their [Western] political system and life style, to use economic aid as bait, to seek economic infiltration and control, and to promote western values via TV, movies, newspapers and journals, audio and video products, and especially over the Internet" (p 34). China sees this as a threat to their "network sovereignty" (p 124).

War is increasingly a financial affair: "War with the objective of expanding territory has already basically withdrawn from the stage of history, and even war with the objective of fighting for natural resources is now giving way to war with the objective of controlling the flow of financial capital" (p 76). "IW will gradually shift into the primary form of war, and military objectives will shift from eliminating the enemy and preserving oneself to controlling the enemy and preserving oneself" (p 87).

DTVD includes a translation of a Chinese IW dictionary and questions and answers on IW. The definition of Computer Network Attack (CNA) says "various measures and actions taken to make use of security flaws in the enemy's computer network systems to steal, modify, fabricate, or destroy information and to reduce or destroy network utility." The definition of IW mentions "the use of computer network systems to gain enemy intelligence," not just destroy targets. Crucially, "in this day and age, there is no distinction between peacetime and wartime network warfare" (p 127). Hopefully for world peace, "network warfare could develop in another direction and work to create 'network deterrence' or 'network containment.' That is, it may be more valuable for both sides to simply comply with the rulebook of not attacking another's networks if two sides attain a mutual balance of network power" (p 128).

Dai Qingmin notes "an individual can threaten an entire country in the information age" and "in some cases the more technologically advanced a country becomes, the more vulnerable it becomes as well" (p 134). Individuals who conduct IW can be hard to find or retaliate against, hinting at the PLA's interest in leveraging individual civilian hackers. Thomas writes: "Dai's discussion focuses heavily on obtaining key information via reconnaissance of foreign computer systems in peacetime... As he [Dai] states, 'Computer network reconnaissance (CNR) is the prerequisite for seizing victory in warfare.' His focus on CNR provides added context to current Chinese operations aimed at the reconnaissance of US systems" (p 137). A later section in DTVD mentions "intelligence warfare" as another Chinese concept where "two sides in a conflict adopt various means to gather and steal information from one another" (p 207).

Father of IW Dr Shen notes "the goals of war have changed from territorial expansion and economic aggression to information plundering and targeting psychological elements" (pp 160-1). Skilled people are key, according to another author, who writes "the personnel system of the armed forces will have to enlist computer hackers or treat them as wartime reserves and give them preferred treatment to provide technical support for military building and operations" (p 173); hear that, US military?

Finally, Thomas observes the "extensive knowledge that the Chinese have about our concepts and systems," with bookstores in China offering "translations of thirty or forty (perhaps more, depending on the size of the store) US military books... [but] a US military bookstore is usually limited to five Chinese titles" (p 304).

I strongly recommend reading DTVD and Thomas' other works if you want to better understand Chinese IW history and thinking.

Review of Dragon Bytes Posted

Amazon.com just posted my five star review of Dragon Bytes by Timothy L. Thomas. I'm posting the entire review here because it's the sort of content that I believe should get wide exposure.

A colleague introduced me to Dragon Bytes (DB) by Timothy L Thomas, and an expert on the Chinese hacker scene was kind enough to secure a copy of the book. I thank all of them for the extraordinary journey presented in DB. Published in 2004, DB is an historical review of key publications by Chinese information warfare (IW) theorists and thought leaders, as translated by the former Foreign Broadcast Information Service (FBIS) and other American translators. The author is an analyst with the Foreign Military Studies Office, and is a West Point graduate, a retired Army Lt Col, and a former Foreign Area Officer focusing on the USSR and Russia. DB covers Chinese IW thought from 1995-2003. Thomas' subsequent books, Decoding the Virtual Dragon, and The Dragon's Quantum Leap, cover later periods in Chinese IW history.

DB is really unlike any of the books I have reviewed before, because it summarizes the IW doctrine of another country. As a former Air Force intelligence officer, I helped develop our nation's IW plans in the late 1990s and have defended civilian infrastructures for the last 10 years. DB provides a view of a world that is plain to see if only the reader knows where to look and can read Chinese. Thanks to FBIS translations and Thomas' keen eye, Western readers can learn what the Chinese military says about IW.

I'd like to highlight a few concepts and excerpts that I feel are important to understanding Chinese IW theory.

The Chinese do not seek to simply copy Western IW concepts. Rather, they stress development of IW "with Chinese characteristics." They draw heavily on Marx and Engels for their military doctrine, including People's War, and believe Mao brought Marx's ideas to fruition in China. They feel that IW is a natural implementation of People's War, especially when individual Chinese citizens can participate simply by virtue of owning a computer. Unlike Western militaries and governments, China vigorously integrates civilians and reservists into their military framework, to include individual "hackers."

Traditionally China has pursued "active defense" as their military model, meaning they do not seek (or claim not to seek) conquest beyond their borders. Rather, they respond with People's War when attacked by aggressors. IW, however, does not lend itself to an active defense strategy because losing the initiative means losing the war. Chinese IW theorists increasingly abandoned "active defense" with IW and now promote active offense, which takes various forms.

Chinese IW theorists are advocates of proper thinking over force (p 101). Unsurprisingly, theorists channel Sun Tzu by seeking to "win without fighting" through IW. They devote a lot of energy to developing strategy and "stratagems," sometimes considered to be "tricks" or "schemes" to overcome superior forces. They believe information is as important as energy and materials, and "warfare may be waged around the struggle for intellectual resources, such as the allegiance of a high-tech expert or the patented right to a piece of technology" (p 13).

The Chinese military sees Western culture, particularly American culture, as an assault on China, saying "the West uses a system of values (democracy, freedom, human rights, etc.) in a long-term attack on socialist countries... Marxist theory opposes peaceful evolution, which... is the basic Western tactic for subverting socialist countries" (pp 102-3). They believe the US is conducting psychological warfare operations against socialism and consider culture as a "frontier" that has extended beyond American shores into the Chinese mainland. The Chinese therefore consider control of information to be paramount, since they do not trust their population to "correctly" interpret American messaging (hence the "Great Firewall of China"). In this sense, China may consider the US as the aggressor in an ongoing cyberwar.

Dr Shen Weiguang, China's "father of IW," defines IW as "two sides in pitched battle against one another in the political, economic, cultural, scientific, social, and technological spheres," (p 32) or as "brain war" (p 40). Thomas reports Shen's views thus: "information control is the doorway to an opportunity to dominate the world" (p 33). Shen mentions "total IW" where "information aggression" involves "violating the information space of another country and plundering its information resources" (p 36). Shen recommends creating an "information academy" and believes "'attack in order to defend' is more effective than defense alone in many cases since advance warning is impossible and the effectiveness of defense is hard to predict" (p 45). However, Shen seems to believe IW should be constrained by international norms, since he also advocates developing a "set of information rules" to limit IW (p 48). Finally, academic Deng Xiaobao discusses "dwindling distinctions... between wars and non-wars (referring here to the lack of distinction between IW and times of peace, where an IW can start with an information assault and the side under attack may not be able to judge that it is a war)" (p 125).

I strongly recommend reading DB and Thomas' subsequent works if you want to better understand Chinese IW history and thinking.

Thursday, December 30, 2010

Steve Jobs Understands Team Building

I stumbled upon the following excerpt from the 1998 book In the Company of Giants by Rama Dev Jager and Rafael Ortiz. They interviewed Steve Jobs, who had the following to say about team building, as printed in BusinessWeek:

Q. What talent do you think you consistently brought to Apple and bring to NeXT and Pixar?

SJ. I think that I've consistently figured out who really smart people were to hang around with. No major work that I have been involved with has been work that can be done by a single person or two people, or even three or four people... In order to do things well, that can't be done by one person, you must find extraordinary people.

The key observation is that, in most things in life, the dynamic range between average quality and the best quality is, at most, two-to-one...

But, in the field that I was interested in -- originally, hardware design -- I noticed that the dynamic range between what an average person could accomplish and what the best person could accomplish was 50 or 100 to 1. Given that, you're well advised to go after the cream of the cream.

That's what we've done. You can then build a team that pursues the A+ players. A small team of A+ players can run circles around a giant team of B and C players.

Q. So you think your talent is in recruiting?

SJ. It's not just recruiting. After recruiting, it's building an environment that makes people feel they are surrounded by equally talented people and their work is bigger than they are. The feeling that the work will have tremendous influence and is part of a strong, clear vision -- all those things.

Recruiting usually requires more than you alone can do, so I've found that collaborative recruiting and having a culture that recruits the A players is the best way.

Q. Yet, in a typical startup, a manager may not always have the time to spend recruiting other people.

SJ. I disagree totally. I think it's the most important job... When you're in a startup, the first ten people will determine whether the company succeeds or not.


Steve is right. That is why I Tweeted this last week:

Real IT/security talent will work where they make a difference, not where they reduce costs, "align w/business," or serve other lame ends.

I was emphasizing the point that motivated people want to make a difference. They want to bring good things to life. (I loved that motto -- time to junk the present one, if you catch my drift, and go back!)

Photo credits: Wikipedia

Tuesday, December 28, 2010

Trying PC-BSD 8.2-BETA1

After reading PC-BSD 8.2-BETA1 Available for Testing last week I decided to give the latest version of PC-BSD a try on my ESXi server. I failed earlier to get the installation to succeed using PC-BSD 8.1, but I had no real issues with the new BETA1 based on FreeBSD 8.2 PRERELEASE. (PC-BSD will publish their final 8.2 version when the main FreeBSD project publishes 8.2 RELEASE.)

For this test I downloaded the 64 bit network installation .iso and installed the OS within ESXi. I decided to try a few new features offered by the PC-BSD installer, namely ZFS and disk encryption for user data as shown in the top screenshot. When I booted the VM I was prompted to enter the passphrase I used when installing the OS:

da0 at mpt0 bus 0 scbus0 target 0 lun 0
da0: Fixed Direct Access SCSI-2 device
da0: 320.000MB/s transfers (160.000MHz, offset 127, 16bit)
da0: Command Queueing enabled
da0: 16384MB (33554432 512 byte sectors: 255H 63S/T 2088C)
Enter passphrase for da0p4:
GEOM_ELI: Device da0p4.eli created.
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI: Crypto: software
Trying to mount root from zfs:tank0

That was cool. In addition to encryption, I need to learn more about how PC-BSD uses jails to support ports and packages. This is different compared to any other BSD I have seen.

PC-BSD is also supposed to be desktop-friendly, so I tried my "can I see a YouTube video out of the box" test. The screenshot at right shows it worked.

I should note that before I could connect remotely using SSH, I had to disable the pf firewall. (I could also have reconfigured the firewall if I wanted it to stay active.)

Now that I have a working PC-BSD OS in my lab, I'll try to learn more about it. I'll probably wait until the RELEASE version arrives.

Trying VirtualBSD 8.1

Reece Tarbert sent an email announcing the availability of VirtualBSD 8.1, a version of FreeBSD 8.1 aimed at demonstrating FreeBSD on the desktop. It's a 1.3 GB zipped VMware image that expands to 4.1 GB.

I downloaded the image via BitTorrent, expanded the image, and then used the VMware Converter to transfer the VM from my laptop to my ESXi server. I accepted all the defaults and successfully converted the VM. However, after booting the VM I noticed the kernel did not recognize the network card. I shut down the VM, removed the NIC, and added a new e1000 NIC. After booting that version the VM recognized the NIC and got an IP address via DHCP from my Cisco 3750 switch.

One of my definitions of "desktop ready" is whether I can see YouTube videos out-of-the-box. As the screen capture shows, VirtualBSD worked without incident.

If you're wondering about PC-BSD, I plan to give version 8.2 a try soon. As I Tweeted last month, I had trouble with the installer and couldn't install 8.1 to my ESXi server. I could try installing to VMware Workstation and then converting that VM too.

FreeBSD on Amazon EC2

Thanks to Colin Percival you can try FreeBSD on Amazon EC2! According to Colin's blog more is to come, but for now you can try FreeBSD 8.2-RC1 and FreeBSD 9.0-CURRENT.

I decided to try spinning up 8.2-RC1. I used the command line tools for Ubuntu rather than the Web interface.

richard@neely:~$ sudo apt-get install ec2-api-tools
richard@neely:~$ export EC2_PRIVATE_KEY=$HOME/.ec2/pk-GO7RNG3LZTNPOUD5TH4YRCA4LFNGP5SB.pem
richard@neely:~$ export EC2_CERT=$HOME/.ec2/cert-GO7RNG3LZTNPOUD5TH4YRCA4LFNGP5SB.pem
richard@neely:~$ export JAVA_HOME=/usr/lib/jvm/java-6-openjdk/

Now I check my security settings and authorize my IP.

richard@neely:~$ ec2-authorize default -p 22 -s [MYIP]/32
GROUP default
PERMISSION default ALLOWS tcp 22 22 FROM CIDR [MYIP]/32

richard@neely:~$ ec2-describe-group default
GROUP 162896439853 default default group
PERMISSION 162896439853 default ALLOWS all FROM USER 162896439853 GRPNAME default
PERMISSION 162896439853 default ALLOWS tcp 22 22 FROM CIDR [MYIP]/32

Next I start the 8.2-RC1 AMI.

richard@neely:~$ ec2-run-instances ami-d29b6abb -k taosecuritykey -t t1.micro
RESERVATION r-a54c17cf 162896439853 default
INSTANCE i-44bda629 ami-d29b6abb pending taosecuritykey 0 t1.micro 2010-12-28T15:21:41+0000 us-east-1b aki-407d9529 monitoring-disabled ebs

After a few seconds I check to see if it is running.
 
richard@neely:~$ ec2-describe-instances i-44bda629
RESERVATION r-a54c17cf 162896439853 default
INSTANCE i-44bda629 ami-d29b6abb ec2-50-16-108-39.compute-1.amazonaws.com ip-10-243-6-109.ec2.internal running taosecuritykey 0 t1.micro 2010-12-28T15:21:41+0000 us-east-1b aki-407d9529 monitoring-disabled 50.16.108.39 10.243.6.109 ebs
BLOCKDEVICE /dev/sda1 vol-200caa48 2010-12-28T15:21:44.000Z
BLOCKDEVICE /dev/sdb vol-220caa4a 2010-12-28T15:21:44.000Z

Now I connect to it.

richard@neely:~$ ssh -i .ssh/taosecuritykey.pem root@ec2-50-16-108-39.compute-1.amazonaws.com

Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

FreeBSD 8.2-RC1 (XEN) #1: Fri Dec 24 05:49:26 UTC 2010

Welcome to FreeBSD!

Before seeking technical support, please use the following resources:

o Security advisories and updated errata information for all releases are
at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
for your release first as it's updated frequently.

o The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
along with the mailing lists, can be searched by going to
http://www.FreeBSD.org/search/. If the doc distribution has
been installed, they're also available formatted in /usr/share/doc.

If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list. If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page. If you are not familiar with manual pages, type `man man'.

You may also use sysinstall(8) to re-enter the installation and
configuration utility. Edit /etc/motd to change this login announcement.

ip-10-243-6-109# uname -a
FreeBSD ip-10-243-6-109 8.2-RC1 FreeBSD 8.2-RC1 #1: Fri Dec 24 05:49:26 UTC 2010 root@chch.daemonology.net:/usr/obj/i386/usr/src/sys/XEN i386

ip-10-243-6-109# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/da1s1 4.8G 193M 4.3G 4% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/da0 1.0G 20M 945M 2% /boot/grub

When done I disconnect and terminate the instance. I could have also just shut down the machine within SSH if I wanted to use the instance in the future.

richard@neely:~$ ec2-terminate-instances i-44bda629
INSTANCE i-44bda629 running shutting-down
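The ec2-api-tools print one whitespace-separated record per line, which makes the group and instance output above easy to check from a script before and after a launch. The helpers below are an added example, not from the post or the tools themselves: they flag any rule that opens port 22 to 0.0.0.0/0 rather than to a single /32, and pull the state and public DNS name out of ec2-describe-instances, including the case shown above where a still-pending instance has no DNS fields yet. The account id, instance id, key name and addresses are constructed samples; the field layout assumed is the whitespace-separated one shown in the post.

```shell
#!/bin/sh
# Added example, not from the post: small helpers that read ec2-api-tools
# output. Account id, instance id, key name and addresses below are
# constructed samples; the field layout assumed is the whitespace-separated
# one shown in the post (tab-separated output splits the same way in awk).

# Constructed ec2-describe-group output. It deliberately contains one rule
# that admits SSH from the whole Internet next to a proper /32 rule.
SAMPLE_GROUP='GROUP 111111111111 default default group
PERMISSION 111111111111 default ALLOWS all FROM USER 111111111111 GRPNAME default
PERMISSION 111111111111 default ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
PERMISSION 111111111111 default ALLOWS tcp 22 22 FROM CIDR 203.0.113.7/32'

# Constructed ec2-describe-instances output for a running instance.
SAMPLE_INSTANCE='RESERVATION r-00000000 111111111111 default
INSTANCE i-00000000 ami-d29b6abb ec2-192-0-2-10.compute-1.amazonaws.com ip-10-0-0-10.ec2.internal running examplekey 0 t1.micro 2010-12-28T15:21:41+0000 us-east-1b aki-407d9529 monitoring-disabled 192.0.2.10 10.0.0.10 ebs
BLOCKDEVICE /dev/sda1 vol-00000000 2010-12-28T15:21:44.000Z'

# ssh_open_to_world GROUP_OUTPUT: print the source of every rule that lets
# TCP 22 in from 0.0.0.0/0. No output means SSH is limited to named CIDRs.
ssh_open_to_world() {
    printf '%s\n' "$1" | awk '
        $1 == "PERMISSION" && $5 == "tcp" && $6+0 <= 22 && $7+0 >= 22 &&
        $9 == "CIDR" && $10 == "0.0.0.0/0" { print $10 }'
}

# instance_state OUTPUT ID: print the instance state. While an instance is
# still pending the two DNS fields are absent (as in the ec2-run-instances
# output above), so the state moves from field 6 to field 4.
instance_state() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "INSTANCE" && $2 == id { if ($4 ~ /\./) print $6; else print $4 }'
}

# instance_dns OUTPUT ID: print the public DNS name to hand to ssh, or
# nothing if the instance has no address yet.
instance_dns() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "INSTANCE" && $2 == id && $4 ~ /\./ { print $4 }'
}

# Walk-through on the constructed samples.
if [ -n "$(ssh_open_to_world "$SAMPLE_GROUP")" ]; then
    echo "WARNING: port 22 is open to 0.0.0.0/0; narrow it to your own /32"
fi
echo "state: $(instance_state "$SAMPLE_INSTANCE" i-00000000)"
echo "ssh target: $(instance_dns "$SAMPLE_INSTANCE" i-00000000)"
```

In practice you would feed the helpers the live output, for example `ssh_open_to_world "$(ec2-describe-group default)"`, and poll `instance_state` until it reports running before calling `instance_dns` for the ssh target.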

That's really cool! Many thanks to Colin for his work on this. If you want to support development on this sort of project, consider donating to the FreeBSD Foundation as Colin suggests in his blog.

Monday, December 27, 2010

Bejtlich Teaching at Black Hat DC 2011

Over the holiday break I've been putting the finishing touches on TCP/IP Weapons School 3.0, to be presented first at Black Hat DC 2011 on 16-17 Jan 11. This is a completely new class written from the ground up. I'm very pleased with how it has developed.

While keeping the distinctions from other offerings that I described last year, I've extended this third version of the class to include explicit offensive and defensive portions. Students will receive two VMs, one running a modified version of Doug Burks' SecurityOnion distro as an attack/monitor platform, and the second running a Windows workstation as a victim platform.

The purpose of this class is to develop the investigative mindset needed by digital security professionals. Junior- to intermediate-level security and information technology (IT) staff are the intended audience. The class is a balance of discussion and hands-on labs.

Defensive aspects of the labs emphasize how to discover suspicious and malicious activity in network and log evidence. Offensive aspects of the labs offer the student a chance to do the same sorts of actions that caused the suspicious and malicious activity in the labs. I encourage students to keep an open mind and feel free to expand their interaction with the labs beyond the required material. Take advantage of this time away from the office to enjoy defensive and offensive aspects of the digital security arena!

Registration is open and continues at the current rate until 15 Jan, after which the onsite rate kicks in.

I'll also teach the course in Las Vegas this summer. Thank you.

Speaking at RSA 2011

Mike Rothman and Rich Mogull were kind enough to invite me to speak at their e10+ Experienced Security half-day event on 14 February 2011 at RSA 2011 in San Francisco. I'll participate in the "What's Going to Keep Me Up at Night?" panel. (The joke possibilities write themselves.) I'll stay for a few days of the conference as well. I like the idea of an event aimed at senior security people, i.e., 10+ years of experience. Please consider checking it out!

Courtesy of APT

The photo at left is Bill Sweetman's take on a photo posted to an aviation forum (.jpg) that is probably China's Chengdu J-20 fighter, claimed to be their "stealth fighter." Bill's comment caught my attention:

I think that we can count on China to start delivering more technological surprises - and in some cases they will be aided by cyber-espionage. Remember that's what the Advanced Persistent Threat is all about, and the great thing about cyber-espionage is that it can be exploited without risking human sources. That makes it much more useful - both in learning how to do things and avoiding blind alleys and pitfalls in R&D. (emphasis added)

There are several ways information stolen by APT could have helped with this aviation program. A few include:

  • Theft of Western technology for direct application to building the Chinese aircraft

  • Theft of Western technology to help design the Chinese aircraft to counter Western aircraft

  • Theft of Western technology to help Chinese integrated air defense systems and other counter-aircraft weapons to deny, degrade, or destroy Western aircraft and systems

  • Theft of Western program histories and experiences to guide Chinese designers and builders away from failed approaches and toward more promising methods

  • Theft of Western plans and tactics to assist Chinese pilots flying against Western pilots


Building Chinese stealth fighters isn't the end goal of APT activity. They are tasked with their missions to further national ends, which involve strategic goals. This fighter is a means to an end.

Thursday, December 09, 2010

Splunk 4.x on FreeBSD 8.x using compat6x Libraries

Two years ago I posted Splunk on FreeBSD 7.0 showing how to use the FreeBSD compat6x libraries to run the 3.4 version of Splunk compiled for FreeBSD 6.x. I decided to try this again, except using the newest Splunk on an amd64 FreeBSD system.

As you can see below, it took me only a few minutes to get the system running thanks to the precompiled compat6x-amd64 package. If I needed to install on i386, I could have used the ports tree.

r200a# uname -a
FreeBSD r200a.taosecurity.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

r200a# pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable/misc/compat6x-amd64-6.4.604000.200810_3.tbz
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable/misc/compat6x-amd64-6.4.604000.200810_3.tbz... Done.

*******************************************************************************
* *
* Do not forget to add COMPAT_FREEBSD6 into *
* your kernel configuration (enabled by default). *
* *
* To configure and recompile your kernel see: *
* http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html *
* *
*******************************************************************************

r200a# pkg_add splunk-4.1.6-89596-freebsd-6.2-amd64.tgz
----------------------------------------------------------------------
Splunk has been installed in:
/opt/splunk

To start Splunk, run the command:
/opt/splunk/bin/splunk start

To use the Splunk Web interface, point your browser at:
http://r200a.taosecurity.com:8000

Complete documentation is at http://www.splunk.com/r/docs
----------------------------------------------------------------------

r200a# /opt/splunk/bin/splunk start --accept-license
Copying '/opt/splunk/etc/myinstall/splunkd.xml.cfg-default' to '/opt/splunk/etc/myinstall/splunkd.xml'.
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
/opt/splunk/etc/auth/audit/private.pem
/opt/splunk/etc/auth/audit/public.pem
['openssl', 'genrsa', '-out', '/opt/splunk/etc/auth/audit/private.pem', '1024']
/opt/splunk/etc/auth/audit/private.pem generated.
/opt/splunk/etc/auth/audit/public.pem generated.
Generating RSA private key, 1024 bit long modulus
.........++++++
............................++++++
e is 65537 (0x10001)
writing RSA key

/opt/splunk/etc/auth/distServerKeys/private.pem
/opt/splunk/etc/auth/distServerKeys/trusted.pem
['openssl', 'genrsa', '-out', '/opt/splunk/etc/auth/distServerKeys/private.pem', '1024']
/opt/splunk/etc/auth/distServerKeys/private.pem generated.
/opt/splunk/etc/auth/distServerKeys/public.pem generated.
Generating RSA private key, 1024 bit long modulus
.............++++++
............................................++++++
e is 65537 (0x10001)
writing RSA key


This appears to be your first time running this version of Splunk.
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
Creating: /opt/splunk/var/lib
Creating: /opt/splunk/var/run/splunk
Creating: /opt/splunk/var/run/splunk/upload
Creating: /opt/splunk/var/spool/splunk
Creating: /opt/splunk/var/spool/dirmoncache
Creating: /opt/splunk/var/lib/splunk/authDb
Creating: /opt/splunk/var/lib/splunk/hashDb
Checking databases...
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary

Splunk> The IT Search Engine.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking index directory... Done.
Checking databases...
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary
All preliminary checks passed.

Starting splunk server daemon (splunkd)... Done.
Starting splunkweb... /opt/splunk/share/splunk/certs does not exist. Will create
Generating certs for splunkweb server
Generating a 1024 bit RSA private key
............++++++
.................++++++
writing new private key to 'privkeySecure.pem'
-----
Signature ok
subject=/CN=r200a.taosecurity.com/O=SplunkUser
Getting CA Private Key
writing RSA key
Done.

If you get stuck, we're here to help.
Look for answers here: http://www.splunk.com/base/Documentation

The Splunk web interface is at http://r200a.taosecurity.com:8000

And that's it! I pointed my Web browser to the FreeBSD server and I accessed Splunk. Kudos to Splunk for providing a free version of their product to run in this manner!

Postscript: I realized Splunk installs to /opt, which on this system lives in /, which is small. So, I made this change after stopping Splunk:

r200a# mv /opt /nsm/
r200a# ln -s /nsm/opt/ /opt

That put Splunk in the larger /nsm partition. I should have created the symlink before installing, but no real harm was done anyway.
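The mv-then-symlink move in the postscript works, but done by hand it skips a few checks: that the old path is not already a symlink, that the destination does not exist, and that the bigger partition actually has room. The script below is an added example, not from the post or from Splunk, that wraps the same move in those checks. Paths are arguments, nothing in it is Splunk-specific, and its built-in demo runs on a throwaway directory created with mktemp rather than on /opt.

```shell
#!/bin/sh
# Added example, not from the post: relocate a directory onto a larger
# partition and leave a symlink at the old path, with the checks a bare
# "mv; ln -s" skips. Paths are arguments; nothing below is Splunk-specific,
# and the demo at the bottom runs on a scratch directory, never on /opt.

# relocate_dir OLD NEWPARENT: move OLD to NEWPARENT/<basename of OLD> and
# replace OLD with a symlink to it. Refuses (exit 1) if OLD is already a
# symlink, if either path is not a directory, if the destination exists, or
# if NEWPARENT lacks the free space the tree needs. Stop the service that
# uses OLD first, as the post does with Splunk.
relocate_dir() {
    old=${1%/}
    newparent=${2%/}
    target="$newparent/$(basename "$old")"

    if [ -L "$old" ]; then
        echo "refusing: $old is already a symlink to $(readlink "$old")" >&2
        return 1
    fi
    [ -d "$old" ] || { echo "refusing: $old is not a directory" >&2; return 1; }
    [ -d "$newparent" ] || { echo "refusing: $newparent is not a directory" >&2; return 1; }
    [ ! -e "$target" ] || { echo "refusing: $target already exists" >&2; return 1; }

    # Free space check: size of the tree (KiB) against space available on
    # the destination filesystem (KiB, field 4 of POSIX df output).
    need_kb=$(du -sk "$old" | awk '{ print $1 }')
    free_kb=$(df -Pk "$newparent" | awk 'NR == 2 { print $4 }')
    if [ -n "$free_kb" ] && [ "$free_kb" -lt "$need_kb" ]; then
        echo "refusing: need ${need_kb}K but only ${free_kb}K free under $newparent" >&2
        return 1
    fi

    mv "$old" "$target" || return 1
    ln -s "$target" "$old" || return 1
    echo "$old -> $target"
}

# relocated_to PATH: print the symlink target if PATH is a symlink.
relocated_to() {
    if [ -L "$1" ]; then readlink "$1"; fi
}

# Demo on a scratch tree, mirroring the post's "mv /opt /nsm/; ln -s" move.
if [ "${1-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    mkdir -p "$scratch/opt/splunk" "$scratch/nsm"
    echo data > "$scratch/opt/splunk/file"
    relocate_dir "$scratch/opt" "$scratch/nsm"
    cat "$scratch/opt/splunk/file"          # still readable through the symlink
    relocate_dir "$scratch/opt" "$scratch/nsm" || echo "second run refused, as intended"
    rm -rf "$scratch"
fi
```

Run it with `--demo` to watch the move and the refusal on a second attempt; for the real thing, stop the daemon, call `relocate_dir /opt /nsm`, and start it again.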

Friday, December 03, 2010

Bruce Schneier, Cyber Warrior?

Do you remember the story from the Times in 2009 titled Spy chiefs fear Chinese cyber attack?

[UK] Intelligence chiefs have warned that China may have gained the capability to shut down Britain by crippling its telecoms and utilities.

They have told ministers of their fears that equipment installed by Huawei, the Chinese telecoms giant, in BT’s new communications network could be used to halt critical services such as power, food and water supplies.

The warnings coincide with growing cyberwarfare attacks on Britain by foreign governments, particularly Russia and China...

The company [Huawei] is providing key components for BT’s new £10 billion network, which will update the UK’s telecoms with the use of internet technology. The report says the potential threat from Huawei “has been demonstrated elsewhere in the world”...

[T]he ministerial committee on national security was told at the January [2009] meeting that Huawei components that form key parts of BT’s new network might already contain malicious elements waiting to be activated by China.

Working through Huawei, China was already equipped to make “covert modifications” or to “compromise equipment in ways that are very hard to detect” and that might later “remotely disrupt or even permanently disable the network”, the meeting was told...


Ok, old news. But what did I just read in Huawei's US Sales Push Raises Security Concerns from September 2010?

Should United States telecommunications companies consider purchasing -- or even be allowed to purchase -- infrastructure equipment from a major Chinese company that could, maybe, be a significant national security risk?

Some US government officials and security experts are concerned about products from Huawei Technologies Co. Ltd. , which has begun more actively courting US customers...

Another security expert concerned about foreign tampering is Bruce Schneier, chief security technology officer at BT and a well known blogger about security. Although he doesn't have any proof, Schneier says it "certainly wouldn't surprise me at all" if Huawei installed software that could endanger US security. He would "think twice" before buying equipment from Huawei.


Wow. Did Bruce tell his bosses at BT this? I mean, he has been Chief Security Technology Officer at BT since BT acquired Counterpane in late 2006. (The BT-Huawei deal predates that acquisition by a few years, so Bruce didn't have input back then.) I guess it's possible Bruce really is a closet cyber warrior...