Posts

Showing posts from 2008

Immaculate Collection

(Preface: I wrote this around January of 2007 and simply forgot about it. I wrote it around the time that Marty was writing these posts: here. Also when Richard was writing these posts here.)
I started playing with Sguil again recently, and for the benefit of those that don’t know, Sguil is a Snort based “NSM” system. It uses Snort and some other tools brought together in one interface to provide better analysis and results. The main factor of Sguil is that it runs something like Tcpdump, Snort, or Daemonlogger in order to dump ALL traffic to disk. I bought my good friend Richard Bejtlich’s “The Tao of Network Security Monitoring” book earlier this year.
Richard has the theory of: “collect all packets, because without all packets the total picture isn’t seen”. In principle, I agree. I used to use this methodology heavily in my last job, and it worked quite well at the time.
While he also goes on to say that IDS “alerting” has its place, without “context” (the surrounding traffic…

10 things I hate about Outlook, and you should too

Okay, so, it should be strikingly obvious that I probably hate Outlook. I stopped using Outlook in 2001, had to use it for a customer for a while, and my love for it hasn’t gotten any fonder.
Non-standards compliant. Really, Microsoft? You didn’t like how all the other email programs that have been around for years have been doing it? You had to go create that MIME format crap that not only isn’t standards compliant, but that every other email program has issues with.
Calendar invites. Seriously? Why are Outlook’s calendar invites so screwed up when sending them to people not on the same Exchange server as you? CalDAV anyone?
Exchange? Didn’t like the standards-based email servers that were out there? Had to go create one? “But there wasn’t one that did all these ‘X’ features on one server.” Wa. Cry me a river. Apple did it. Yeah, so what, they had to invent a couple of open standards and submit them.
Top-posting by default?! Seriously? Lotus Notes, you are guilty too, don’t think…

Why is your Blog named Finshake?

Someone wrote in and asked me why I named my blog “Finshake”. Well..

Finshake is an internal joke between me and the guys in VRT at Sourcefire. A while ago, I was an author on the “Snort IDS and IPS Toolkit” book from Syngress. Well, with the rush to deadlines and things, there are several mistakes in the book. Okay, so there are a lot of mistakes made in the book...

Well, one of the biggest mistakes in the book actually happened in my chapter (Chapter 6). I was talking about TCP session initiation and TCP session teardown and how Snort interprets those. In the final book, I wanted pictures of the TCP handshake for session initiation and the TCP exchange for session teardown.

In my copy of the manuscript I simply indicated where the pictures should go:

I didn’t actually draw the pictures. I knew Syngress had the pictures from the 2.1 book, and I just asked them to use those.

So in my final proofread of the PDF that I got from the publisher:

The placeholder was there, but no pic…

Research

Okay, so MS08-067 worm(s). I got some intel from various listservers that I belong to about a new worm (or worms) that was starting to be seen in the wild. So I got a few URLs to play with and started poking around. Note, these are not all the URLs that I tried to get the exploit/worm from. They are not all of the same worm, and they may or may not be related... BTW -- I am not a very good malware analyst, just an FYI.
It appears one of the variants of this worm that I am looking at attempts to spread not only through network vulnerabilities (MS08-067), but also through P2P networks like eMule.
So, I tried to get one of the files, named 6767.exe in this case. This EXE file does several things, some of which are very unclear as to the reason... as I said, I’m not a malware guy...


This EXE downloads, and upon execution (again, in my particular sample; I am sure it will change), from a network perspective, on MY machine, it didn’t do anything. I have read several write-ups of t…

Apple Store Photos

I moved my Gallery of Apple Store Photos to MobileMe. I travel to an Apple Store if I am in the city with one. Check out the gallery over there on the right, or click right here.
Thanks.

ISC Podcast Episode Eleven Posted

Hey everyone, sorry it has taken so long to get around to recording another podcast episode. Travel schedules have been very crazy between us lately. Anyway, enough excuses, here is episode eleven. Thanks for all the emails asking me where it is! :) It helps to remind me....

All the podcasts
Just this podcast
Podcast through iTunes

CRCError

Recorded CRCError podcast last night, I've edited some of it, but I thought I would post something about the website on here. Well.. it's down. So wtf right?
Well something about the hosting company where the server is hosted is retarded or something, I don't know the whole drama or the issue, but we're working to get the server back up, and then punch the hosting provider in the face.

Mark Wahlberg Talks to Animals

This has been cracking me up for like the past 3 days. I love it.


Of course it has a sequel as well:

Google Calendar Syncing, MobileMe, and iCal

Recently I've had to start keeping my Calendar on Google Calendar. (For a really good reason, and, it's not the free version of Google Calendar either.) However, I didn't know how I was going to get my iCal to publish to Google Calendar, AND sync with MobileMe at the same time.
Well I started trying to connect iCal to Google Calendar via CalDAV, which I wrote about in an earlier post. However, Google's implementation of CalDAV is still kinda broke. You can't really schedule people's time, you can't see their availability, you can't call people up from the address book, and you can't have To-Do's on the calendar that you are syncing, so that breaks a bunch of stuff for me.
So I was going to try to just keep my calendar on iCal and have it publish to Google Calendar. Well, that wasn't going to work either, for a couple of reasons. I actually can't remember all the reasons right now, but it had to be something really big for me to abando…

1001

Some insight.
So, here I am at 1,001 posts. What do I have to say? Absolutely nothing more than what I said at 900. Do what you do, say what you say, and people will be interested.
Between my 900th and my 1,000th posts, I've picked up about 200% more readers (RSS subscribers) and average about 500% more hits a day.
Recently I've picked up a bunch more readers through subscriptions; it's basically like a heartbeat diagram that keeps going up. When my name is mentioned somewhere, or I do a post on the ISC or something, I get a huge influx of readers, then it dies off a little bit, but a few stick around to see what nonsense I have to ramble about. It hasn't been much lately as I've been pretty busy with work and whatnot.
I'll try and get more active in the future. I promise. I've just got a lot going on right now; I'm lucky if I can get through my email.
Speaking of which, I need to do another "processing" email post, as I've changed a lot …

Apple Security Update 2008-007

I wish my 1000th post on the blog was way more insightful than this, but it's not going to be. I'll have to write something that really reflects a 1000th post. But it will be 1001.

Introducing Apple Security Update 2008-007. Just released last night:
Security Update 2008-007
Apache
CVE-ID: CVE-2007-6420, CVE-2008-1678, CVE-2008-2364

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in Apache 2.2.8

Description: Apache is updated to version 2.2.9 to address several vulnerabilities, the most serious of which may lead to cross site request forgery. Apache version 2 is not bundled with Mac OS X Client systems prior to version 10.5. Apache version 2 is bundled with Mac OS X Server v10.4.x systems, but is not active by default. Further information is available via the Apache web site at http://httpd.apache.org/

Certificates
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Root certificates h…

ROFL

Saw this today, had to post it. Man, that's awesome.
BTW -- Star Wars.

An actual meeting held via iChat

Earlier this week, three of my coworkers and I held a 4-way iChat video conference as a meeting. It worked great.
Of course, as bandwidth decreases, the video codec is dynamically reduced; however, the 4 of us had a face-to-face video/audio chat for over an hour about some code testing. It worked great. I've been using iChat to do one-on-one meetings for a couple of years now, but had never had the opportunity to have a call with 4 people (never had the bandwidth to sustain it before), and now that I have FiOS... awesome.

Physical Fitness #2

Oh yeah, I ran again. Except this time, when I got to mile 1, it didn't hurt. So I decided to keep going.

Got to mile 2, still didn't feel it. Got to Mile 3, still not tired, but I decided not to kill my legs, just in case, and cut it short at 3.25 miles. Felt pretty good, wasn't sore or anything, so good stuff. I'll just keep ramping it up just a little bit every time until I get back up to my comfortable distance.

A tale of Physical Fitness

Quick background -- I used to be in the Army. I joined the Army in 1997, and got out in 2003. In the Army we used to have this thing called a PFT, or Physical Fitness Test.

One of the events in the PFT was a 2 mile run. I was always pretty good at this event, as I am not a huge guy. My best time in the 2 mile run was 10 minutes 26 seconds, a pretty respectable time. But that was about 8 years ago. I was pretty good at running and ran several 10Ks, 5Ks and even a marathon (Honolulu Marathon 2000).

I recently had a friend of mine, who is NOTORIOUS for making outrageous claims, say he could beat me at a marathon. Well, seeing as how this dude weighs about 100 more lbs than me, and is almost a foot taller than me, I KNOW I can beat him. 100 bucks says I can.

So I went out yesterday, got me a new pair of running sneakers (which I haven't had in about 5 years -- not even a new pair, but a pair period) and a Nike+ module for my shoe. (You know, one of those things th…