Tuesday, December 21

Macworld's 2010 App Gems Awards

Macworld's 2010 App Gems Awards | Mobile | Macworld.

Macworld’s list of the best iOS apps from 2010.  Some really nice stuff here, good to see that I have most of them and use them quite often.

If you are an iOS user, check it out.

Tuesday, December 14

Whew, what a whirlwind

Talk about a busy end of the year. On top of doing my actual consulting gigs for customers, I am also doing the other full-time job I have as Snort Community Manager. If you read my blog, you already know this.

So, what have I worked on so far?

  • Snort Twitter account. Not really a lot of work here, other than getting Twitter to remove it from the parker's clutches and give it to us.

  • Snort Blog. Getting this set up, with the DNS entries, blog posts, editing, writing, design, and even the banner image (thanks CC for that!) was about 3 weeks worth of work.  Check it out http://blog.snort.org

  • Snort Mailing list/Forum Consolidation. I thought it best to let the Community decide, so I made a non-scientific poll to choose between the forums, the mailing lists, or the third option, merging the two. Thought of Google Groups for this. Google Groups allows you to post like a forum and post like a mailing list, and Google Groups takes care of the arrangement, merging, and threading. Very nice. I had this all set up and was preparing for everyone to start making the move over to Google Groups, and then we came up with another idea. So we're working that angle right now (stay tuned).

  • Snort Subscriptions. Been doing a bit of backend work on Snort subscriptions, trying to figure out how to work this out to be a more streamlined process and eliminate a lot of the headache and purchasing obstacles for our users. Concept work mostly.  Also talking about VRT Subscriptions with various members of the legal team and VRT.

  • ClamAV subscriptions. Working on what we are doing and going to do for certified ClamAV code.

  • Code licensing. Meetings with our legal team!

  • Writing articles for magazines and getting ready for speaking engagements in 2011. Pretty much what it says.

  • Laying the groundwork for webcasts and Snort User Group Meetings. Going to fire these up in 2011 again. Several Snort User Group meetings are wanting to start back up. Great to see that there is a lot of interest for our community.

  • Bug filing and progress. What I've started doing is, when bug reports come in via any of the various channels, I take them in, triage them, put them into Bugzilla, and provide feedback to the people that filed the bugs. This seems to be working quite well right now.

  • Working with our Web-team on any Snort.org issues. Pretty much what it sounds like.

  • Fixing Snort.org. For instance, I rearranged the http://www.snort.org/docs link to bring the content that people are looking for the most to the front page. Also it was brought to my attention that we had a bunch of W3C HTML validation errors. I went through and fixed 40+ of these, along with about 100 other barely seen or noticed changes to Snort.org in order to bring the good content to the front, and the content that is barely used to the back (or done away with).

  • Internal VRT Subscriptions. It was brought to my attention that several people that work at Sourcefire apparently didn't have access to the VRT rules (like they should have).  Had to fix that!

Had an email today that asked me about all these new "news" dissemination methods that we are standing up and whether they are going to create confusion. That's probably a blog post left for the Snort.org blog.

Wednesday, December 8

Snort has a Twitter account

Another post for the Snort/IDS audience that reads my blog.

We managed to get a hold of the "Snort" account on Twitter.  Someone was simply squatting on the name, not using it, so Twitter has a way of petitioning to get a hold of a name for a bunch of different reasons.  So we got with Twitter and they freed up the @Snort Twitter name for us.

Using the @Snort Twitter account we'll post news, upcoming items, blog posts, announcements about Snort and other interesting tidbits that may or may not be found anywhere else on Snort.org.

Check it out, follow us:  http://twitter.com/Snort.  Thanks!

Wednesday, December 1

Snort Released!

To let my Snort audience know, if you don't know already by the mailing list, we just released Snort v2.9.0.2, a bug fix release.  Enjoy!

Snort :: Snort Released!

Tuesday, November 30

Sorry for the lack of posts, I've been particularly busy.

Been pretty busy lately with my two full-time day jobs at Sourcefire.  The good news is, if you are a Snort user, that I am working on a lot of things that will not only make our community better, but improve how Sourcefire interacts with that community and allow us to move forward in a more progressive manner.

Aside from Sourcefire/Snort stuff, the shop that is restoring my Mustang is almost done (I should get it back this week, and when I do, I'll post pics). I'm working on the shop's website too (as the old one needed some TLC). I got with the owner and we decided to redo the whole thing, so I am doing that in my spare time as well.

Thank you Squarespace!

Also working on another website that I am tightening up a bit (aside from tightening up Snort.org a bit as well) for another company (a car alarm company) that I do a bit of consulting/marketing for. So, it feels like I am buried in HTML lately.

On top of all of that, my son is doing well, my daughter is awesome and my wife's Grandmother died this past week, so we are all dealing with that as well.

Busy Busy Busy.  Stay tuned.  I've got a few posts lined up for the pipeline for not only this blog but for another blog I am starting, so when that all comes together, stay tuned!

Sunday, November 28

Tuesday, November 23

"So I have this IDS now what?" presentation at BSidesDE

Joel Esler, so I have this IDS now what BSidesDE1 on USTREAM. Conference.

Above is a link to my presentation from BSidesDelaware a couple weeks ago.  For some reason the audio and video are like 5 minutes off, but the presentation (for the most part) is intact.

Monday, November 22

Monday, November 15

New Role at Sourcefire

This is just an announcement to let the users of our OpenSource products know that we have a new community manager here at Sourcefire.

Over the past year or so, Mike Guiterman, our former Community Manager, has taken on a different role within Sourcefire. In the meantime, I've been filling some of the void.

For those of you that weren't able to make the Snort Rally/Pig Roast this past Friday at Sourcefire HQ, I have been officially assigned the role of Sourcefire's OpenSource Community Manager.

I know many of you, but for those who I don't, I came from the OpenSource community, working for the government using Snort in actual deployments. I submit rules to VRT, and was one of the original submitters to BleedingSnort (now Emerging Threats). I've worked with both the OpenSource community and with our Corporate customers since I came to Sourcefire, giving me first-hand knowledge of how the community plays a vital role in the direction, development, and QA of our products.

I'll be focusing on product innovation in our OpenSource projects, as well as:

  • Communicating with the communities.

  • Being available to answer questions and receive comments.

  • Coordinating the release of OpenSource project software.

  • Providing whitepapers and instructional materials on our software.

  • Acting as the go-between for the OpenSource communities and Sourcefire software developers, including receiving OSS feature requests and bugs, entering these into our internal bug tracking system, and following up with the submitters.

  • Snort-Groups.  Standing these back up, both virtually and in person.

  • Speaking about our software at events and shows.

I have several projects in mind already, but the first thing is I want to hear from you. Suggestions, ideas, complaints, and compliments.

  • How we can make things better.

  • Problems with Snort, ClamAV, DaemonLogger, or Razorback

  • Features you'd like to see with these projects

  • What isn't working now?

  • What is working now!

  • How can we make bug tracking more efficient?

  • How can we make False positive submissions better?

  • What can we put out (in terms of training and whitepapers) for better understanding and results?

  • ???

Let me hear it.  Email me directly at jesler@sourcefire.com.  I want to be able to track your ideas so I can write you back when we make movement.

I'll summarize your submissions in a blog post in the future and let everyone know where we are at with the progress of these great ideas.

I'd like to thank people both internally at Sourcefire and the community for building the community into what it is today, and I look forward to a great future!  Also thanks to Mike Guiterman for his years of hard service working with our OpenSource communities.

For Razorback(tm) please continue to submit feature requests and any other Razorback items to the Razorback Trac at:


And for Nugget related items please use:


You can of course also use the mailing lists for Razorback and the Nugget Farm.

Tuesday, November 2

Security B-sides Delaware tickets are almost gone!

If you are in the area (or even if you aren't, I know of people traveling a pretty good distance to get here) and you haven't got your ticket for Bsides DE yet, you may want to get on it.

The first round of tickets are all gone, and there are only 40 left of the extension tickets.


I'm speaking at 1:00, right after lunch.  See the speaker's schedule here.  But anyway, if you haven't got your tickets yet, you might want to hurry up and grab them from here.  Cost?  Free.

Archiving Emails in Mail.app, there's an app for that.

If you are using Mail.app on OSX, this post is for you.

It's been well known to people that read my blog that I am an Inbox-Zero ninja, and generally pride myself on my ability to get through vast amounts of email quickly because of the system that I have refined over the past several years of experimenting.

Techniques in Archiving

One of the things about Inbox Zero is the ability to quickly move an email out of your "Inbox" and into another folder.  If you sort your emails that come into your Inbox by topic or subject or whatever, different folders may do good things for you.  For instance I have a folder where all Snort related email goes.  The three Snort mailing lists go straight to my inbox where I read most of them and then file them away using a keyboard shortcut.  Other Snort related mailing lists just go straight to this box, leaving me with only the important ones in my inbox.

Most listserver traffic of the 40 or so listservers that I belong to go straight to a "listserver" folder, where I can deal with it later.  You get my point.

But everything that I don't filter is in my inbox, which usually nets me about 200 emails a day that I need to deal with. When I read an email I have five possible outcomes.

  • Delete it

  • Archive it (if I need it later)

  • Respond to it (if it takes less than 2 minutes to accomplish this task)

  • Delegate it (if I am not the appropriate person to deal with "x" email)

  • Make a todo to deal with it later.

Delete it

Duh.  I don't do enough of this.

Archive it.

This is the meat of the post, and kind of the point of writing this article.  I am a firm believer in leaving your hands on the keyboard if possible.  Learning the keyboard shortcuts in your favorite app will not only save time, but it also keeps your hands where you need to be doing work.  On the keyboard (instead of continually reaching for your mouse).  There are keyboard shortcuts for almost anything in OSX, and if you can't find it, or the menu command doesn't have a keyboard shortcut, you can make a keyboard shortcut to do what you want in Snow Leopard.  Heck, there are keyboard shortcuts in Gmail (learn em!)

Now, how do you do this in Mail.app, well there is a little app called "Archive" that will allow you to do this.

Archive.  Archive allows you to do exactly that: archive the email that you are presently on.  It creates a folder in each of your email accounts named "Archive", and when you mash the shortcut in your inbox, it puts the email that you have highlighted in the appropriate Archive folder.  Simple, clean, done.

There is also Mail Act-On, which I've talked about here before; it is a nice little app if you need to do more advanced things than Archive, but for 99% of you, check out Archive, it does what you need.

Respond to it

If I think it'll take less than 2 minutes to respond to the email that I am currently reading, I'll bang out a response.  I try to not bang out a "quick" response "just to keep the ball moving" as Kevin Rose says.  I try to write out a thorough response.  My point in doing this is to eliminate further email by providing any answers I can, and by asking the appropriate questions so that the response to my email is full of exactly what I need it to be, and so that I don't waste people's time with a "short terse banged-out email" that only generates more email.

Delegate It.

Otherwise known as the "Forward" button.  I get a ton of email, not all appropriate for me to handle, some need to go to our web team, some need to go to our research team, but it comes to me, because I "handle" the email, as opposed to ignore it.  I don't mind being the conduit to which people communicate, at least I know things are getting done, and I have a pulse on what is going on.

Todo It.

If the email contains an action that I need to perform, but I can't do it right now, I have a keyboard shortcut that allows me to highlight a section of text, mash a keyboard shortcut, and OmniFocus will grab the highlighted input that I selected and make a Todo out of it, along with a link in OmniFocus back to the email that generated it.  (This is called "Clipping" for you OmniFocus nerds, get ON IT.)  I quickly set a context (email) and a due date.  Then I go on to the next email.  Every day, I get to the bottom of the "Todo"s that are due that day, and that includes the thoughtful emails.

Matter of fact, writing this post about "Archive" was a Todo.

Let me go mark it done.

BTW -- Inbox Zero comes from Merlin Mann.  I'm not stealing his work.  It's insightful.  He rocks.  MerlinMann.com and InboxZero.com

Tuesday, October 26

Snort Community Pig Roast

(If you read this on Twitter, please RT!)

Sourcefire is going to throw a community pig roast at our World Wide Headquarters on November 12, 2010.  We'll have some talks by Marty Roesch (our fearless leader) and Matt Watchinski (our VRT fearless leader).

Date: Friday, November 12, 2010
Time: 12:00PM

Where: Sourcefire HQ
9770 Patuxent Woods Dr.
Columbia, MD 21046

The event is open to our community, and we'd like you to come on over and hang out!

Please RSVP at: http://now.sourcefire.com/?elqPURLPage=2?elqformname=101112_snort_bbq&URL=

Notes syncing between Mail.app and iPhone, finally

I've written several times over the years about the need for Notes to sync automatically between the iPhone and the Mac Mail.app Desktop application.  Well, unbeknownst to me (because I stopped using Notes in Mail.app because of the lack of this feature), in iOS 4.0 Apple has built this in.

I didn't test it right away when the release came out, and I just realized that I haven't written about it since they built this in either.  But it works.

If you have an IMAP account, you can go into your account settings on your iPhone and turn on "Notes" in that account's preferences.  Mail will create a folder called "Notes" on the IMAP server, and your "Notes" on Mail.app will be sync'ed Over-the-Air with your iPhone.

I have my Mail.app set up like this:

So that all my notes and to-do's stay intact in one account, and not spread apart different accounts.  But there is more than one advantage to MobileMe for this particular feature.  If you set it to MobileMe, Notes are pushed.  (As opposed to pull, as they would be with other IMAP accounts.)

In short, Apple enabled Notes syncing in iOS 4.0.  It works.  Give it a shot.


Facetime, Apple’s new iPhone 4 to iPhone 4 video chat application got a bit of an update on Tuesday of this week.

Jobs said it himself, the biggest thing that people wanted when facetime was shown on the iPhone for the first time was the integration of the system into the Mac desktop.  I talked about this back on this original post when the iPhone 4 came out.  Finally, at Tuesday’s speech Jobs and Apple rolled out the Facetime client for the desktop.

It works.

You can call Mac to Mac using Facetime, you can also call Mac to iPhone or iPhone to Mac, likewise with the iPod Touch. The resolution is good (it’s scaled down a bit if you are used to iChat’s resolution), audio is excellent, and it works flawlessly. In fact, when it came out, I was on a hotel network. I tried to initiate an iChat connection to my Dad, and we couldn’t do it for lack of bandwidth, however, Facetime connected right away without a problem.

The only thing that I thought was a bit strange, and I know I'm not the only one, was that Apple released it as a separate application for the Mac.

However, after I thought about it for a bit, I came back to my original conclusion that this is a temporary step. The application is simple and easy to write, so that’s what Apple did. I imagine in order to build the feature into iChat, they'd have to rewrite the whole application, and while they didn’t at all indicate that this was going to happen in 10.7 Lion (which they also started talking about on Tuesday), it makes a lot of sense to have it built into the OS.

One of the other things that I noticed about Facetime is that it doesn’t really give you any kind of “presence” notification. For instance, it would make sense that since Apple knows you are connected to the internet via $device, they would be able to provide some type of presence notification along with it. I assume this is going to come with 10.7 too.

Friday, October 22

The Mac App Store, why it's awesome.

On Tuesday this week, Steve Jobs got up in front of journalists and announced several things.  I'd like to cover them all at once, but I realized the post was going to be way too long, so I thought I'd cover them in separate topics.

The Mac App Store

First let me talk about, what I thought was the biggest announcement of the entire press conference.  The Mac App Store.

Similar to the iOS App store that you can find in iTunes, Apple will be rolling out a separate application onto the OSX platform where developers can upload their apps to Apple in order for them to be purchase-able through the "one-click" easy access of this app.

Apple is taking the same 'cut' that it takes for the iTunes app store, 70/30.  70% of the developers revenue for selling an app goes to the developer, the other 30% goes to Apple to pay for the store, the hosting, the bandwidth, etc.  Some developers will think that this is Apple gouging into their profits, and while true, they have to think of a couple things:

1) I can raise the price of my app, just enough, to make it worthwhile for me.

2) The prices of the apps in the Mac App store will generally be higher, as they will be of higher quality. (Theory of mine, as they won't be just little fart apps for the iPhone.)

3) You would now be featured in the "showcase" as it were for Apps.  This is a genius idea.  Yes, you have to sacrifice 30% of your revenue, but your download count will go through the roof.  Look at the developers that have made millions off of the iPhone app store in just a short amount of time after its release.

Conspiracy Theories

Some people I've heard talk about the App store seem to think this is Apple's way of locking you into their platform.  Let me share my opinion on this.

They already have you locked into their platform.

First off, if you buy your app from the app store, you click the button, it downloads over the internet (further reinforcing my theory that I wrote a couple years ago when the Macbook Air came out, I said that it was going to be the end of distributing software via physical medium), it installs by itself.  Done.  Easy.

If you want to update the app, you go to the "updates" section of the app store, and you click "update" or "update all" and all your apps are automagically updated.  What I'd like to see Apple do is have all their updates take place through this system.  I think "Software Update" and the "Updates in the App store" may be confusing for some users, but that will remain to be seen I guess.

At the same time yesterday we found out that Apple is deprecating Java on their system, and the new Macbook Air (which I'll talk about in a later post) is shipping without Adobe Flash.  I think both of these are smart decisions, and would like to see both of these in the App Store.  Oracle submits a Java build, and Adobe submits Flash.  You download both of these with one click, from one place (instead of going all over the internet to find them and their updates), and that way when a new update comes out for Flash or Java, you just click "Update" in the app store.  This does two things:

A) Makes security better, by providing an easy way for people to update their apps.

B) It absolves Apple from having to maintain older software on their system and keep it updated (such as Flash).

Great idea.

More Conspiracy Theories

Yesterday on my drive home I was listening to the latest "MacBreak Weekly" podcast, and even though Alex Lindsay has been saying it for several months now, he reiterated it again in the latest broadcast.  He thinks that the OS on the Mac is going to iOS.

I think he could not be more wrong, and let me explain why.

Steve Jobs said yesterday that they were bringing some of the things they have learned from the iPhone and iPad back to the Mac.  Good idea.  It's great to have a unifying experience across all your platforms.

Does that mean that the OSX Operating system will be all touch based?  No.  Jobs said that yesterday, trying to manipulate objects on a vertical surface doesn't work.  Think about it as you are reading this right now, if you are reading this on a traditional computer.  Think about not having your mouse, and moving the cursor or using gestures on your monitor.  Play with that idea a second.  Your arm would get so tired and you'd get frustrated after awhile.  Heck, when I dock my iPad and use a regular keyboard with it, and I have to reach up and tap something on the screen when it's in a vertical configuration, it's annoying.  This won't work.  I agree.

Does that mean that OSX can't learn some multi-touch gestures?  No.  In fact, you can already scroll with two fingers (have been able to do for years on the Mac), three finger swipe forwards and back, even rotate photos and documents by the same rotation method that you use on the iPod Nano's screen.  Add a few more of these and the system will not only be intuitive, but you'll be able to get a lot done, faster.  That's why Apple invented the Magic Mouse, and that's why they invented the Magic Trackpad.  Look at the direction of the Operating System and it makes sense.

OSX is not becoming iOS.  It won't work.  But there are advantages that iOS has that OSX does not have, again, let's come back to the App Store.  The App Store on the iTunes/iPod touch/iPhone/iPad system is an easy one-click access to any app on the Apple store.  The App store on the Mac is going to be the same way.  However, what side effects does this provide that people may not have thought of yet?

1) Your Apps are tied to your iTunes account.  Okay, that means that if I want to rebuild my computer, or buy a new one, all I have to do is open the App Store and I can suck down all the apps that I've already paid for without having to re-find them on the internet, or from a backup.  Better yet, I don't have to keep track of licenses and other non-sense like that.

2) Easy updating.  This is important, not only for functionality, but for security.  I think this is one of the best features of the App Store.

3) Your Apps are tied to your iTunes account.  Which means what?  That's right.  They are DRM'ed to your name.  Which means what?  That's right.  You can't pirate the Apps.

Let me pause for effect.

Apple.  Just figured out a way.  To stop.  Software piracy.

Yup.  That's just happened.

Genius.  I buy all my applications anyway, so it doesn't affect me, but that's awesome.

The apps that are sold through the app store can't be packaged up and sent to your friend anymore.

Yes, you can still download apps and what not from the Internet in general (meaning that developers for the Mac don't HAVE to sell their apps through the app store), but then you are dealing with not being in front of tons of eyes through the App Store, licensing and purchasing schemes.  You have to maintain all of that yourself.  Whereas through the App Store, Apple has taken care of all of that for you and prevented the piracy of your Apps.

I also think this will totally increase the amount of apps available for the Mac platform.  All of a sudden people will have easy access to a way to simply get their Mac Application out there without having to shrink wrap it and get it into the big-box stores.


Honestly, I see nothing but good things here.  The only time I'll have a problem with the Mac App Store is when Apple says that the only place you can get the apps is from them.  .....and they are still taking their 30% cut.

That's not really fair (which isn't happening, I'm just theorizing).

Although it would be interesting, because then all code would come from Apple, approved, and signed.  Malware and what-not could be rendered totally non-existent.

Apple has also stated in their terms of service that "violent" video games can't be on the App Store.

That sucks.  I think that'll hurt the store overall, but who knows, they may fix that.

Monday, October 18

Ray Ozzie leaving post as Microsoft's chief software architect

Ray Ozzie is the gentleman that took Bill Gates's place after he retired from his day to day duties at Microsoft, and unfortunately, this kinda makes me feel more confident in the opinion I had when that event took place.

Microsoft is losing their spirit.

Let's face it, it's quite obvious now that Bill Gates was the driver behind the Microsoft brand and direction.  This is the third notable post that is being vacated since Bill Gates left (the first being the designer behind the Zune interface Robbie Bach, second being CFO Chris Liddell), and yet, somehow Ballmer stays in charge.

Don't get me wrong, Ballmer knows how to make money.  Which is why he's a good CEO, but in my opinion, it doesn't feel like he is ushering in a strong "direction" for the company.  But maybe I'm being a little critical, trying not to compare him to Steve Jobs, but hate him or love him, Steve Jobs is a great CEO.

It just feels to me that Microsoft is playing the catchup game.  Saying "me too" to everything that is coming out.  Windows Mobile Phone 7, (which was started a long time ago, but not until the iPhone came out was serious pressure put on this), the Xbox360 (which is probably Microsoft's best product), the Zune copied after the iPod, Windows's constant comparison to OSX, chasing after Google with Bing, and chasing after the iPad now with whatever-the-heck tablets (slate) they come out with.

Sad part is, Microsoft almost invented the tablet business.  They pretty much pioneered it.  However, they tried to shoe horn a Desktop OS into a tablet PC and wrote enough software to be able to use a pen.  Well, it doesn't appear to have caught on en-masse.  They didn't go back to the drawing board (like they did with Windows Mobile Phone 7) and design a new user interface, even if they copied the WMP7 interface from the Zune HD.  Their current tablet offering does not bode well for touch, and it's unclear where their future direction is going as far as touch is concerned, but it doesn't look good right now.  It still looks like they are trying to shoehorn Windows 7, the desktop operating system, into the tablet.  It's not going to work!  You tried that once, and it failed.  So I refer to the current class of computing devices (the iPad, and all the competitors that are trying to come out now as "slate" devices.)

Ray Ozzie, as it states in the below linked article, is best known for creating Lotus Notes.  Which really doesn't speak volumes to quality, but it does speak to success.  Even a totally awful program can make tons of money.  But Mr. Ozzie didn't seem to provide the direction that Gates did.  Face it, Gates was the genius behind the Microsoft brand.  Even if his tactic was to copy everything he saw, which I'm not saying he did, but even if his tactic was that, it was genius and it worked well.

I am not a Microsoft Shareholder, heck, I'm not even an Apple shareholder anymore,  but I'd wonder why Ballmer was still in power considering the stock price hasn't moved much in over 10 years.

Ray Ozzie leaving post as Microsoft's chief software architect.

Friday, October 15

MobileMe Calendar Comes out of Beta

Following up on this post that I wrote back in July, the MobileMe calendaring system has come out of Beta.  Which means that if you are using the MobileMe service and you are on Snow Leopard (or Leopard) your iCal calendar should automatically switch over to WebDAV.  As well as your iPhone's calendar if you are running 4.0.

The nicest part about the system is the ability to invite other people to events from your iPhone and iCal, as well as see their Free/Busy schedules.

Update:  Apple's article on the subject.

Monday, October 11

I'm speaking at Security B-Sides Delaware

We have a lot going on in Delaware.  Tax-free shopping, we elect crazy people, and we have the Security B-sides Delaware event happening in November.

I was asked if I would submit a talk to the conference, and lo and behold, it was accepted (along with a bunch of other great presenters; check out the first round of CFP accepts here).  Hopefully lots of people will come.  I actually have a confession to make: I've never actually been to a Security B-sides, although, from watching Twitter, they are very popular.

Abstract of my talk:
Shining light into the "now what" arena of IDS and IPS tuning, I'll talk about what the next steps should be with the alerts, tuning, and maintenance of the ruleset and configuration deployed into an IDS or an IPS. General guidelines will be provided; however, all guidelines must be adapted to your specific environment.

I look forward to seeing many of you there, thanks for supporting B-sides.  Okay, back to making slides.

Security B-Sides / BSidesDelaware.

Monday, October 4

Snort 2.9.0 has been released

Now available from Snort.org: Snort 2.9.0 and DAQ 0.2.  I'll be writing some articles at some point to expand upon some of the functionality of Snort 2.9, but for now, know that there are some very nice new rule keywords in 2.9 and also an improved Stream model, as well as lots of improvements all over the place in the engine.

...and now some cut and paste from the release notes!   Download it now!


[*] New Additions
* Feature rich IPS mode including improvements to Stream for
inline deployments.  Additionally a common active response API is
used for all packet responses, including those from Stream,
Respond, or React.  A new response module, respond3, supports the
syntax of both resp & resp2, including strafing for passive
deployments.  When Snort is deployed inline, a new preprocessor
has been added to handle packet normalization to allow Snort
to interpret a packet the same way as the receiving host.

* Use of a Data Acquisition API (DAQ) that supports many different
packet access methods including libpcap, netfilterq, IPFW, and
afpacket.  For libpcap, version 1.0 or higher is now required.
The DAQ library can be updated independently from Snort and is
a separate module that Snort links to.

* A new rule option 'byte_extract' that allows extracted values to
be used in subsequent rule options for isdataat, byte_test,
byte_jump, and content distance/within/depth/offset.

* Two new rule options to support base64 decoding of certain pieces
of data and inspection of the base64 data via subsequent rule

* Added a new pattern matcher that supports Intel's Quick Assist
Technology for improved performance on supported hardware
platforms.  Visit http://www.intel.com to find out more about
Intel Quick Assist.

[*] Improvements
* Updates to HTTP Inspect to extract and log IP addresses from
X-Forward-For and True-Client-IP header fields when Snort generates
events on HTTP traffic.

* Updates to SMTP preprocessor to support MIME attachment decoding
across multiple packets.

* Updates to the Snort packet decoders for IPv6 for improvements to
anomaly detection.

Tuesday, September 28

OpenFPC, in other words, Leon is a Ninja

I put this up to basically draw attention to this project.  Leon (a fellow Sourcefire employee and Ninja over in the UK) can explain the project much better than I can, so I'll let him:

OpenFPC is a set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Its design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log management tools.

OpenFPC is described as lightweight because it follows a different design model to other FPC/Network traffic forensic tools that I have seen. It doesn't provide a user with the ability to trigger automatic events (IDS-like functions), or set watch events for anomalous traffic changes (NBA-like functions) as it is assumed external open source, or commercial tools already provide this detection capability. OpenFPC fits in as a companion to provide extra (full packet/traffic stream) data as a bolt-on to these tools allowing deeper analysis of event data where required.

Full packet capture is something that has been suggested by many as the answer to everything.  I don't disagree; it does aid in the forensic investigation of traffic.  Heck, I do it at my house (full packet capture).  I find this idea very intuitive and interesting, especially the search capabilities.

To be honest, I've seen something like this before when I worked for the military.  I don't want to disclose where or what agency was using this, but it was vastly helpful when we wanted to investigate something.

We used Snort and another IDS to prompt us to look for something and we'd start going through the full packet captures to investigate it.  I got the idea for this from another Army agency that had a GUI for it, and the whole nine yards.  I thought it was a beautiful system and it worked great.  I was quite impressed.

Anyway, I'm glad to see that Leon is making a tool like this Open-Source.  I think this is a phenomenal idea, and I'd like to see something like this used in a test-production network system somewhere, just to prove how useful it could be.


Monday, September 27

Let me tell you about my past two weeks

The past couple weeks I've had the opportunity to do some really amazing work, something that most people, if they could do, would understand a lot more of what goes on behind the veiled curtain.

The last two weeks I worked for Sourcefire's Vulnerability Research Team (VRT).

First I'd like to say that I've never worked with a more professional organization.  Period.  I came in to do some technical work with them, which consisted of analyzing hundreds of pcaps, tons of analysis, and as a result writing rules for those threats.  We did kind of a tech-exchange type of thing.

Now, we weren't shooting in the dark.  (even though there is no overhead lighting in the VRT offices, and you have to watch for getting hit in the head with a Nerf dart)  The VRT doesn't take the random vulnerability or exploit found on exploit-db.com or milw0rm or whatever, and just bang out a rule for it.  They do labor intensive work.

For instance, I had to write a rule for a vulnerability in a piece of software that had to do with email.  To test for this vulnerability, I could have taken a piece of a malicious attachment, or looked for a malicious attachment, and written a "signature" to check for the exploit.  Sourcefire's standard is higher than that.  We try not to do that kind of thing.  We try to write a rule to look for the vulnerability itself.  For example: if the vulnerability is actually the fact that a certain field, if it's over 512 bytes, can be used to overflow a buffer in the software, looking for a series of "A"s isn't going to work.  Looking to see if the field is bigger than 512 bytes is the correct way to do it.
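To make that distinction concrete, here is an added pair of Snort rules (written for this page, not VRT rules; the header name X-Widget-Id, the 512-byte limit, the $SMTP_SERVERS variable use and the SIDs are hypothetical).  The first keys on one exploit's padding; the second fires on the vulnerable condition itself, a header value of 512 or more bytes, whatever those bytes are:

```snort
# Added example, not a VRT rule. Hypothetical SMTP header "X-Widget-Id" whose
# value is assumed to overflow a fixed 512-byte buffer in a hypothetical client.

# Signature-style rule: keys on one exploit's filler. Change the filler byte
# or shorten the run and this rule goes quiet while the bug is still hit.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"EXAMPLE signature - X-Widget-Id filled with A's"; \
    flow:to_server,established; \
    content:"X-Widget-Id|3A| "; nocase; \
    content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; within:600; \
    classtype:attempted-user; sid:1000001; rev:1; \
)

# Vulnerability-style rule: alerts on the condition the bug needs, a header
# value of 512 or more bytes with no line break. isdataat makes sure 512 bytes
# actually exist after the header name, so the negated content cannot match
# trivially on a short packet; content:!"|0A|" within:512 means "no newline
# anywhere in the next 512 bytes", i.e. the header value is at least that long.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"EXAMPLE vulnerability - X-Widget-Id header value overflow attempt"; \
    flow:to_server,established; \
    content:"X-Widget-Id|3A| "; nocase; \
    isdataat:512,relative; \
    content:!"|0A|"; within:512; \
    classtype:attempted-user; sid:1000002; rev:1; \
)
```

Run both against a pcap of the working exploit and against a mutated copy with different filler bytes: the first rule misses the mutant, the second still alerts, because the 512-byte check comes from how the bug works rather than from one sample.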

But I digress….

The easiest way to emulate this problem is to send an email with an attachment on it, and capture the pcap, then pick it apart from there.  The problem with that is, most  email (well at least Sourcefire's) is encrypted.  So, I got with one of the other VRT guys and we came up with a solution.

Write an email delivery system.

So he did.  It's in ruby, and it allows you to send an email, just like any other email client would, unencrypted, and much faster and more reliable than a regular email client would, if we were trying to trick the client into doing something.

We took the ruby script that he wrote, made it attach a file in base64, and captured the pcap.  Now, you may ask me a question, "Heck, why didn't you just make a new email with Outlook Express and make an attachment and send it?"  Because Outlook Express uses a different attachment system, it's crackheaded, and it's non-standard.  Don't believe me?  Send an email with Outlook and then send an email with Outlook Express and compare the two pcaps.

So I captured the pcap -- that's all well and good, except that I noticed that the checksums in the pcap were wrong.  On certain OSes, when the NIC is doing checksum offloading, the capture library sees an outbound packet before the hardware fills in the checksum, so the bad (empty) checksum is what gets written to disk.  That has to be corrected before you can write a rule to look for the vulnerability.

So, I used tcprewrite to correct the checksums on the packet, and off I went from there.

Now, when you come to the realization that this happens, sometimes 10-20x a day for the VRT, you come to realize that the rules that are written by these guys are very professional and come with a higher degree of accuracy and purpose.

I'd like to thank the VRT for allowing me to come in and learn and share with them.  I hope I helped them out as much as they helped me.

Final thought -- Take your time when writing your rules.  The time spent writing them makes for a much more reliable rule than just banging out a rule…. and I have seen a lot of "just banging out a quick rule" lately.  A quick rule usually isn't a rule.  It's a signature.  There is a difference.

Oh, and whomever wrote the Microsoft Word and Excel standard is a crazy crack smoker.

Long live Razorback.

Friday, September 10

Verizon Rumored To Replace Google With Bing On All Android Devices

Yesterday, September 9th, Verizon gave a preview to their newest "Android" phone coming out for their network, Samsung's Galaxy S.

It has a 4-in AMOLED screen, 1GHZ Hummingbird Processor, and it has the ability to become a hotspot.  However, Verizon has ruined the phone, and may ruin every phone on their network from now on.  Why?

The thing that makes Android great is its integration.  Google built the OS, it's integrated into Google's infrastructure, and that's the way it works best.  Just like the iPhone, which works best with Apple's infrastructure (MobileMe, iTunes, etc).

Verizon has decided to cripple this phone by instead of tying it to Google, they have tied it to Bing.  Bing Search, Bing Maps, and instead of Google's awesome navigation app, they have replaced it with Verizon's own Navigation app, which, btw, they cleverly charge you 10 bucks a month to use.

Bloatware..  Blockbuster apps, Tetris apps that charge you money, etc.

To make it worse, Verizon has stated that they will be moving all of their "Droid" line to Bing.  It won't be exclusive, (meaning you can switch everything back to Google), but this is basically how to ruin a franchise.  (Verizon having Android on everything.)

This is where Verizon did it wrong with the iPhone as well.  When Apple came to Verizon and said "We are going to make a phone, you can be the carrier, but you can't put any apps or logos or anything on it"  Verizon said No.  So Apple went to Cingular (which later was bought by AT&T).  Cingular agreed, therefore the iPhone is on AT&T right now.

Apple's iPhone doesn't have bloatware (unless you count the apps that Apple puts on there themselves, which, I can understand your argument), it starts off with Google as the search engine by default, but you have the option to change it.

The iPhone doesn't force you to use a service, they force you to use the apps that are built in (unless you download new ones), like the "Maps" application, it's Google Maps and Google Search, but you'd almost never know it.  So far Apple hasn't ruined it, but we'll see.

Verizon may be ruining a good thing here.  Hopefully they don't.

Here's Gizmodo's review as well: here.

Verizon Rumored To Replace Google With Bing On All Android Devices | Markets | Minyanville.com.

Friday, August 27

Why I haven't written

I haven't been writing recently.  Been kinda busy.

For those of you that haven't heard, my wife gave birth to our baby boy last Wednesday.

His name is Paul Esler.

Thursday, August 12

Start with a cage containing five monkeys.

Start with a cage containing five monkeys.

Inside the cage, hang a banana on a string and place a set of stairs under it. Before long, a monkey will go to the stairs and start to climb towards the banana. As soon as he touches the stairs, spray all of the other monkeys with cold water. After a while, another monkey makes an attempt with the same result - all the other monkeys are sprayed with cold water. Pretty soon, when another monkey tries to climb the stairs, the other monkeys will try to prevent it.

Now, put away the cold water.

Remove one monkey from the cage and replace it with a new one. The new monkey sees the banana and wants to climb the stairs. To his surprise and horror, all of the other monkeys attack him. After another attempt and attack, he knows that if he tries to climb the stairs, he will be assaulted.
Next, remove another of the original five monkeys and replace it with a new one. The newcomer goes to the stairs and is attacked. The previous newcomer takes part in the punishment with enthusiasm! Likewise, replace a third original monkey with a new one, then a fourth, then the fifth. Every time the newest monkey takes to the stairs, he is attacked. Most of the monkeys that are beating him have no idea why they were not permitted to climb the stairs or why they are participating in the beating of the newest monkey.
After replacing all the original monkeys, none of the remaining monkeys have ever been sprayed with cold water. Nevertheless, no monkey ever again approaches the stairs to try for the banana.

Why not?

Because as far as they know that's the way it's always been done around here.
And that, my friends, is how policy begins.
-- Don't know the original author or where this came from, but it was posted on a Listserv I belong to, and I thought it was great. If anyone knows where this originally came from, please post in the comments so I can attribute it.
However, I think this really exemplifies some points that I've said for years. Just because "That's the way it's always been" doesn't mean that's the way it always needs to be done. Examine the status quo, and if you can try and make it better, do so.

Thursday, August 5

Security for the SMB makes sense, by Jason Brvenik

Security for the SMB makes sense.

I was off reading some older articles written on a couple of blogs that I follow, looking for something in particular. Well, I never did find what I was looking for (in regards to the article itself), but I did reread this post by Jason Brvenik over at Snort.org.

This is a great article in response to another article about why small businesses shouldn't invest in IPS (which is a crazy view). Jason really does a nice job of laying out the reasons why it's important. Definitely worth the read, or reread if you've seen it before.

Google Wave, it's dead. So sad.

In case you haven't heard.

So, on Google's "Official" Blog (which one guys?  You have so many!) they announced yesterday that they are pulling the plug on Google Wave.

So sad.

I think Wave had some really good potential, but I'll say it here, as I have said it since the beginning, Wave would have never caught on unless it replaced something else.  Wave was pretty neat, it was like a Wiki, Google Docs, Gmail, Gtalk, and god-knows-what-else all rolled into one.  It worked, it worked pretty well.  But it didn't replace anything for anyone.  It was a "and also" technology.

Let's Hope

Google rolls some of the technology they developed for Wave into the rest of their products.  For instance, simultaneous typing. That could be useful in Gmail and Gtalk.

I think the collaboration-on-documents idea was great.  That would be most useful in a corporate setting.  I would have loved to use it at Sourcefire.


Some of their design ideas were great. Look at the navigation window over here on the right.  Look at the shading around the box, look at the title bar (how it can be collapsed).  Look at the "+" button.  It all looks very nice.  It has icons, it has lots of HTML5 being used to shade and render it.  The drop shadow, the links.  Every box on Google Wave seemed to be more carefully thought out and precise.  The GUI was a wonderful idea and one couldn't very well argue with that.  The scroll bar (not pictured here) was nice to use.  Every pane was separated into its own individual box.  You could tell there was a difference between all of them.  Take a look at this post over at lifehacker.com: http://lifehacker.com/5400644/google-wave-look-and-feel-coming-to-gmail-other-google-apps.  I don't know where they got that screenshot, but that's the way that Gmail should look!  Look at the boxes, the drop shadows, the shading.  The whole look and feel reeks less of a "Web App" and more of a Desktop app.  It has polish.  It has great design.  If you take a look at a screenshot of Gmail, from my own inbox, you will see what I am talking about.  Look at the panes here.  Look at the navigation windows.  This is not good GUI design in a web app.  Functional?  Yes.  Good looking and easier to navigate?  No.

If Gmail wants to act like they are a desktop email replacement tool, they need to stop looking like "Mutt" and start looking like Wave.

In a way, I'm kind of sad to see Wave go.  There were a lot of really great ideas there.  I enjoyed using it.

However, I can totally see how it didn't work for some people.  It was confusing.  People didn't understand how it was different from anything else they used.  As I said, it didn't replace anything they already had, it didn't have a "need".  When the iPhone was invented people immediately saw the "need" for it.  A phone that is brilliantly easy to use.  It also replaced things.  It replaced their phone, it replaced their blackberry.  It was simple.

Wave wasn't simple.  It didn't replace anything, and that is why it failed.  People don't need another email system.  In fact, they need less.

Tuesday, August 3

Now that I have these IDS events, now what?

In my full-time job I work for Sourcefire as a Sourcefire and Snort Professional Services Consultant.  I deal with a different customer every week (sometimes every day), and with each customer comes a separate set of IDS events.  Customers will often tell me "this network is unlike any you've ever seen before", and for the most part, they are right.  All networks consist of servers, desktops, switches, routers, firewalls, antivirus, and even IDSes, and in that respect they are essentially the same.  However, each of them poses its own unique setup and attack landscape.  Each network is unique in this way; it doesn't matter if you have 300,000 users on your network or 10.  All that does is make your life as a security person more difficult; it is essentially just a number.  That number may increase lots of things: people hired to handle the events, the number of sensors needed, the amount of bandwidth needed, etc.

So, in dealing with the hundreds, perhaps hundreds of thousands, perhaps millions of IDS events that I see during the day on different networks, how do I deal with them?  How can I get into a customer engagement and turn 400,000 events a day into 100?   How do I help my customers deal with this?

My answer is: One at a time.

How do I do it?  Well, I take the same fundamentals as I have applied to Getting Things Done and Inbox Zero (mostly the latter) to IDS events.  In other words, for each IDS or IPS event, there is at least one (maybe multiple) outcome(s) to that event.  While yes, that may seem redundant, (and it is) my point in saying that is that there should always be an outcome to any IDS event.  It shouldn't just sit.  You shouldn't just be "moving events to archive".

You can kind of think this as a flow chart.

First -> Look at the event, let's use this event as an example:

POLICY Adobe FLV file transfer

Analyze it in context, what does this event mean?  It means someone is watching a flash video on the internet.  Okay, big deal right?  Is that allowed by policy?  Look at the packet data, is it from youtube?  Is watching YouTube from the corporate network allowed?  Perhaps if you are on a Government network, this isn't allowed, okay, so what next?  Do I need to look at the flows around it recorded by Netflow or RNA?  Do I need to look at my SIEM tool?

Second, now comes where you ask "what relevance does this have to my network?"  If it's a Sourcefire protected network (read: not plain Snort) then you might have RNA to help you perform this function.  What is the impact rating on the alert?  Is it high?  Is the end host vulnerable to this "exploit"?  The impact rating for the above event is probably pretty high, since every browser on every OS (for the most part) can watch a flash video.  How old is the rule or alert?  Does it cover a CVE that was patched in 2002?

Now that we know what the event is, and what relevance it has to our network, what are we going to do about it?  Well, I view this as having six possible outcomes.  Of course, this is related to Snort, so your IPS may vary.  But all IPSes get better with tuning, so...

  1. If you are in IPS mode, do you want to block it or not?

  2. Threshold or Suppress?

  3. Edit the rule manually?

  4. Shut the rule off?

  5. Does it provide relevance to other rules?

  6. DO something about the alert.

1.  Set the rule to drop.

This only works if you are in IPS mode, should you change the rule to drop?  Do you want the traffic to go into the big bit bucket in the sky?  Prevent that FLV file from being downloaded?  Prevent that PDF from being downloaded, prevent that newest browser exploit?  If you are in IPS mode, this is your second question after you analyze the event.

2. Threshold or Suppress?

Thresholding in Snort essentially means you still want the rule to alert, but not as much.  Or not until a certain threshold is reached (or both).  Suppressing means you want to turn off alerting to a certain IP or CIDR block.  Say for instance an SNMP alert going to your HP OpenView server.  Legit traffic, so tune it out.

3. Edit the rule.

Probably something you want to stay away from as much as possible, unless you are editing your own rules.  But it's always an option to edit the rule manually to reduce false positives.

4. Turn the rule off.

Is the rule out of date?  Do none of the above apply?  Has it no relevance to your network?  For instance, using our above example, if watching flash videos is allowed on the network, and you don't want to track to see if people are doing that kind of thing, then shut the rule off.  If you aren't going to use the final step in this process (DO SOMETHING) then do you need the rule?

5.  Is the rule providing you contextually aware information?

Some rules will make no sense on their own, but they may provide a contextual awareness to other rules.  For instance, if there was a rule to watch for vulnerabilities within a certain flash video file format to exploit older versions of the flash player, that rule coupled with the above example, may provide better contextually aware alerts.  You know the video was bad, but now you can refer back to the above example and perhaps see where the alert came from.  Kind of a bad example, because you could do it either way, but hopefully you grasp my point.

6.  DO something about the alert.
This requires you to go mitigate the problem.  Whether that be to "file a ticket" for your helpdesk to clean off spyware, clean up a botnet, perhaps you'll need to pull forensics on the host machine, perhaps you'll need to pull web proxy logs to get better awareness.  But this is the step where you actually have to use the alerts generated by your IDS to do your job.  Find the bad guy, eradicate the badness from the network, and move onto the next alert.  After all, that's the point of having an IDS or IPS right?

Following these simple steps should allow you to have a greater awareness of the alerts on the network, and perhaps actually do something about them.  Getting an IDS alert and then "moving it to archive" or "marking it as reviewed" is doing nothing.  Following the above ACTION steps should give you a more streamlined IDS or IPS, and then only cause your system to alert when you need to conduct step 6, above.  DO SOMETHING.
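Here are the actual snort.conf and rules-file lines behind outcomes 1 through 4 above, as an added example in Snort 2.9 syntax (not from the original post).  The SIDs 1000010 through 1000012, the HP OpenView address 10.1.1.5 and the 192.0.2.0/24 "approved video host" range are assumptions; the FLV magic bytes ("FLV" followed by version byte 0x01) are how real FLV files start.

```snort
# Added example, not from the original post. Where each line lives is noted
# in the comment: snort.conf for config/ipvar/event_filter/suppress, a rules
# file such as local.rules for the rules themselves.

# 1. (local.rules) IPS mode: change the action from alert to drop. Only
#    honoured when Snort runs inline (-Q) with "config policy_mode:inline";
#    in IDS mode a drop rule just alerts.
drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE POLICY flash video file transfer"; \
    flow:to_client,established; \
    file_data; content:"FLV|01|"; depth:4; \
    classtype:policy-violation; sid:1000010; rev:1; \
)

# 2a. (snort.conf) Threshold: keep the rule, but log at most one event per
#     watching host every five minutes instead of one per downloaded chunk.
event_filter gen_id 1, sig_id 1000010, type limit, track by_dst, count 1, seconds 300

# 2b. (snort.conf) Suppress: SNMP headed to the HP OpenView server is
#     expected, so silence the SNMP rule (sid 1000011 assumed) for that
#     destination only. SNMP to anything else still alerts.
suppress gen_id 1, sig_id 1000011, track by_dst, ip 10.1.1.5

# 3. (snort.conf + local.rules) Edit the rule: narrow it instead of killing
#    it. Approved video hosts are excluded in the header, so only other
#    sources alert. When you edit in place keep the sid and bump rev; it gets
#    its own sid here only so this fragment loads alongside rule 1000010.
ipvar APPROVED_VIDEO_NET [192.0.2.0/24]
alert tcp !$APPROVED_VIDEO_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE POLICY flash video file transfer from unapproved host"; \
    flow:to_client,established; \
    file_data; content:"FLV|01|"; depth:4; \
    classtype:policy-violation; sid:1000012; rev:1; \
)

# 4. (local.rules) Turn it off: comment it out, or add the sid to your rule
#    manager's disablesid list, once you know nobody will ever act on it.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE POLICY flash video file transfer"; flow:to_client,established; file_data; content:"FLV|01|"; depth:4; classtype:policy-violation; sid:1000010; rev:1;)
```

The order matters for reasoning about noise: suppression and thresholds are applied after the rule matches, so they cost you detection cycles but keep the rule's logic intact, whereas editing or disabling the rule changes what is inspected at all.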

Monday, August 2

New Digg Interface Invites

I have a couple posts brewing in my head that I need to get down on paper, but in the meantime, I have 5 invites for the new Digg.com interface if anyone wants them.

First five people to send me their email address get them.

Wednesday, July 28

Contrary to Recent Assertions - Snort 2.9 beta has been released, and it's awesome..

Snort 2.9 has been in the works now internally for awhile and the first beta release is out and ready for community feedback.

It's a big release with lots of enhancements, so here are the current list of things that need to be beta tested in Snort 2.9, and I'll expand upon them a bit:
* Feature rich IPS mode including improvements to Stream for inline deployments. A common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.

This feature really does away with a lot of the old react/resp/reset code and unifies all that broken code under respond3.  It also allows for RST and ICMP injection into a stream in IPS mode (more reliable than IDS), so, for example, you want to cut a session off in midstream.  In regular IPS mode, we can drop the connection quietly.  With the new response module we can properly inject a RST (or other close) packet into a dropped stream, resetting the connection so that the end hosts don't have open TCP sockets.  There is also a normalization preprocessor (see README.normalize), which, essentially, cleans packets up.  For example, here are just a few things that the normalization preprocessor can do to TCP:

  • Remove data on SYN.

  • Clear the reserved bits in the TCP header.

  • Clear the urgent pointer if the urgent flag is not set.

  • Clear the urgent pointer and the urgent flag if there is no payload.

  • Set the urgent pointer to the payload length if it is greater than the payload length.

  • Clear the urgent flag if the urgent pointer is not set.

  • [..]

Flexresp (Flex Response) 1 and 2 are now deprecated and a new Flexresp3 has been introduced.  Flexresp3 supports ALL of the flexresp1 and flexresp2 keywords and syntax.  Easy to move right over.

* Use of a Data Acquisition API (DAQ) that supports many different
packet access methods including libpcap, netfilterq, IPFW, and
afpacket. For libpcap, version 1.0 or higher is now required.
The DAQ library can be updated independently from Snort and is
a separate module that Snort links. See README.daq for details
on using Snort and the new DAQ.

Hooray!  Libpcap 1.0 is now required.  Hooray Libdnet!  As you can read above, Snort 2.9 adds support for nfq and afpacket, in addition to ipfw, ipq, and dump, which were there already.  IPQ wasn't working as well in past releases, so we replaced it with netfilterq.
* Updates to HTTP Inspect to extract and log IP addresses from
X-Forward-For and True-Client-IP header fields when Snort generates
events on HTTP traffic.

This was a feature requested by one of our community people.  They didn't want to see the IPs of their proxies as Source or Destination IPs in HTTP alerts.  They wanted the ability to see the "real" IPs for those proxies that support "X-Forward-For" and "True-Client-IP" header fields in their packets.  This output is only available if you are using the Unified2 output method.

Those of you that are NOT using Unified2 really, really need to move to it.  Older, slower, output methods are eventually going to be deprecated, so please, start your upgrades.
* A new rule option 'byte_extract' that allows extracted values to
be used in subsequent rule options for isdataat, byte_test,
byte_jump, and content distance/within/depth/offset.

This was a feature requested by the community as well; it came from an email I received as a request that we add something like this in Snort.  The ability to yank a value out of a packet and store it for later use with other keywords.  (Unlike byte_test or byte_jump, which calculate and use the value on the fly.)
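An added example of byte_extract in use (written for this page, not from the release notes or the VRT; it serves this passage and the matching 2.9.0 release-note item).  The protocol is hypothetical: 2-byte magic |4A 45|, a 2-byte big-endian total record length, a 1-byte name length, then the name.  Port 7777, the SIDs and the assumption that a parser trusts name_len without checking it against total_len are all made up for illustration.  Offsets are absolute so the rules do not depend on where the detection cursor sits after each option:

```snort
# Added example, not from the release notes. Hypothetical record layout:
#   bytes 0-1  magic "JE" (|4A 45|)
#   bytes 2-3  total record length, big-endian
#   byte  4    name length
#   bytes 5..  name
# Variables pulled out with byte_extract can be used as the value of a
# byte_test or as offset/depth of a later content, which byte_test/byte_jump
# alone cannot do.

# Length-consistency check: a name length larger than the whole record is
# the kind of value a careless parser turns into an under/overflow.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( \
    msg:"EXAMPLE record name length exceeds declared record length"; \
    flow:to_server,established; \
    content:"|4A 45|"; depth:2; \
    byte_extract:2,2,total_len,big; \
    byte_test:1,>,total_len,4; \
    classtype:protocol-command-decode; sid:1000020; rev:1; \
)

# Same extracted value driving a content search: look for an embedded NUL
# only inside the declared name bytes (offset 5, depth = name_len), not in
# whatever follows the name.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( \
    msg:"EXAMPLE NUL byte inside length-prefixed name field"; \
    flow:to_server,established; \
    content:"|4A 45|"; depth:2; \
    byte_extract:1,4,name_len; \
    content:"|00|"; offset:5; depth:name_len; \
    classtype:protocol-command-decode; sid:1000021; rev:1; \
)
```

Both rules describe the malformed condition rather than a particular sample, which is the point made in the VRT post above: the first one fires for any record whose name length field is inconsistent, no matter what bytes the attacker put in the name.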
* Updates to SMTP preprocessor to support MIME attachment decoding
across multiple packets.

I think that one speaks for itself, but make sure you read README.SMTP in the doc/ directory of the tarball to make sure you fully understand what this does.
* Ability to "test" drop rules using Inline Test Mode. Snort will
indicate a packet would have been dropped in the unified2 and console event log if policy mode was set to inline.

This was a feature also requested by our community.  They wanted to know, for a fact, what traffic would have been dropped had the rule in question been set to drop.  Again, this output is only available in Unified2 and console, so please start moving over!
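Pulling the IPS-side pieces above together (DAQ selection, the normalizer, respond3 and Inline Test Mode), here is an added snort.conf fragment for an inline Snort 2.9 / DAQ 0.2 sensor.  It is an example written for this page, not a configuration from the release or from Sourcefire; the interface pair eth0:eth1, the response attempt count, the SID and the "no direct outbound SMTP from workstations" policy are assumptions.

```snort
# Added example, not from the release notes. Inline deployment fragment.
#
# Start Snort inline with the afpacket DAQ bridging two interfaces:
#   snort -c /etc/snort/snort.conf -Q --daq afpacket --daq-mode inline -i eth0:eth1
# (-Q puts Snort in inline mode; the same choices can live in the config:)
config daq: afpacket
config daq_mode: inline

# Inline Test Mode: drop rules are logged as "would have dropped" in
# unified2 and on the console, but nothing is actually blocked. Run here
# until the tuned ruleset is clean, then switch to inline.
config policy_mode: inline_test
# config policy_mode: inline

# Normalizer (README.normalize), only active when Snort is inline.
# normalize_tcp performs the TCP clean-ups listed above (data on SYN,
# reserved bits, urgent pointer); "ips" additionally keeps retransmitted
# data consistent with what was already seen, and "ecn stream" clears the
# ECN flags unless the session negotiated ECN.
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

# Active response (respond3). Number of times a response packet is sent
# per session; the response device defaults to the DAQ interface.
config response: attempts 2

# A drop rule that also tears the session down at both ends, so neither
# host is left holding a half-open socket after the drop. resp uses the
# respond3 syntax (reset_both == rst_all).
drop tcp $HOME_NET any -> $EXTERNAL_NET 25 ( \
    msg:"EXAMPLE direct outbound SMTP from inside host"; \
    flow:to_server,established; \
    resp:reset_both; \
    classtype:policy-violation; sid:1000030; rev:1; \
)
```

Leaving policy_mode at inline_test is the low-risk way to turn the "would it have dropped?" question from the paragraph above into data: count the would-drop events per sid over a week before letting any of them block.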
* Two new rule options to support base64 decoding of certain pieces
of data and inspection of the base64 data via subsequent rule

Nice feature here.  Base64 decoding in a rule.
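An added example of the two new options, base64_decode and base64_data (written for this page, not from the release notes; the username, port variable and SID are assumptions).  It decodes the value of an HTTP Basic Authorization header in the rule and matches on the decoded credentials, something that needed a pcre workaround before 2.9:

```snort
# Added example, not from the release notes. base64_decode:relative decodes
# the base64 run that starts where the previous content match ended;
# base64_data then points the following content options at the decoded
# buffer, so "within" below is measured in decoded bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE HTTP Basic auth attempt as admin"; \
    flow:to_server,established; \
    content:"Authorization|3A| Basic "; nocase; \
    base64_decode:relative; \
    base64_data; \
    content:"admin|3A|"; within:6; \
    classtype:attempted-admin; sid:1000040; rev:1; \
)
```

The decoded form is "user:password", so matching "admin:" at the start of the decoded buffer catches the login attempt regardless of the password, which no content match against the encoded header could do reliably, because the base64 alignment of the colon shifts with the length of the user name.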
* Updates to the Snort packet decoders for IPv6 for improvements to
anomaly detection.

Also added into README.normalize.  This is to continue to support the United States Government's push to IPv6.  In many environments, this is now mandatory.
* Added a new pattern matcher that supports Intel's Quick Assist
Technology for improved performance on supported hardware
platforms. Visit http://www.intel.com to find out more about
Intel Quick Assist. The following document describes Snort's
integration with the Quick Assist Technology

This optimization is very hardware specific.  Make sure you read the PDF linked above which is a joint research project underway by Sourcefire and Intel.

I'm sure more tweaks and things will be added to 2.9 before it's actual release, so I look forward to these enhancements.

Be sure and check out Snort 2.9's beta code here, at http://www.snort.org/

Project Razorback has been unleashed on the World

For several months, the Vulnerability Research Team (VRT) here at Sourcefire has been heads down coming up with a new framework for detection called Razorback, and now it's been unveiled to the world this morning.

Being announced at Defcon this weekend by the VRT, so if you are in Defcon this week, reading my posts, First: Have a beer for me, as I am not there this year due to the impending birth of my child, and Second: Attend this talk.  If no other talks are attended during your drunken hacking binge in Vegas, go to this talk.


What is Razorback?

In Marketing speak: "Razorback is an Open-Source Framework for an intelligence driven security solution."  Okay, okay, what does that mean?

Razorback is a system that detects and decodes, well, just about anything you need it to.  Following that, it has the ability to then block and alert on that activity.  So, for example:

  • Obfuscated Javascript?  Decoded, Blocked?

  • Bad PDFs? Decoded, Blocked?

  • Bad Word Documents? Powerpoint Documents? Decoded, Blocked?

This framework is aimed primarily at these Client based attacks, and, dare I use it?  Advanced Persistent Threat (APT).  It was born out of necessity and a discussion with the VRT during a panel they participated in last year about detection.  The community asked for something to be able to perform a function like this, and well, here it is.  Better.  There is nothing to combat these threats, so Sourcefire created one.

So, say for example, a PDF comes in via email.  The PDF is sent to Razorback by the SMTP engine, Razorback runs it through the detection -- which I'm not even going to begin to explain here, because it's extremely awesome and complicated, and you should go to the talk to fully understand -- and if the detection decides the PDF is bad, it will record that fact in its database so that all further attempts with a PDF like that one will be blocked from there on out.   Now, that's just one example.

Since Razorback is an Open-Source project and framework, anyone can write a detection "nugget" for it.  These nuggets, written in C, can detect pretty much anything and provide actionable intelligence on it afterwards, and of course, since it's Open-Source, many different "feeds" can be provided to Razorback.

SMTP, ClamAV, Snort, Web proxies, Web filtering devices, et al.  They can all be written to feed data to Razorback, which then has the ability to take further action after its analysis.

This is a different approach to detection than what's been tried before.  While IPS is great, it can't really grab a PDF off the wire, reassemble it, decode it, and block it in real-time.  With Razorback, Snort can grab the PDF off the wire, pass it to Razorback where it will be analyzed, and so on.

After the talk if the VRT puts their slides and more info up on their website, I'll make sure that I post further information about it.  But for now, here it is:


Here's another article about Razorback over at DarkReading.

Safari 5.0.1 Posted this morning

Back in June I wrote a post on a problem with Safari 5 creating a black background around certain objects when moved from one application to another.  For instance, when you attempt to use the "Mail this PDF" function from Preview.  Well, this morning Apple released version 5.0.1 of Safari.  This fixes the issue I described here, along with many others.  As posted on Apple's website here, the following are fixes:

  • More accurate Top Hit results in the Address Field

  • More accurate timing for CSS animations

  • Better stability when using the Safari Reader keyboard shortcut

  • Better stability when scrolling through MobileMe Mail

  • Fixes display of multipage articles from www.rollingstone.com in Safari Reader

  • Fixes an issue that prevented Google Wave and other websites using JavaScript encryption libraries from working correctly on 32-bit systems

  • Fixes an issue that prevented Safari from launching on Leopard systems with network home directories

  • Fixes an issue that could cause borders on YouTube thumbnails to disappear when hovering over the thumbnail image

  • Fixes an issue that could cause Flash content to overlap with other content on www.facebook.com, www.crateandbarrel.com, and other sites when using Flash 10.1

  • Fixes an issue that prevented boarding passes from www.aa.com from printing correctly

  • Fixes an issue that could cause DNS prefetching requests to overburden certain routers

  • Fixes an issue that could cause VoiceOver to misidentify elements of webpages

Safari 5.0.1 also packs in a bunch of security updates.  Of course Blackhat and Defcon are this week, so that may have something to do with this update being released.

Impact: Accessing a maliciously crafted RSS feed may cause files from the user's system to be sent to a remote server
Description: A cross-site scripting issue exists in Safari's handling of RSS feeds. Accessing a maliciously crafted RSS feed may cause files from the user's system to be sent to a remote server. This issue is addressed through improved handling of RSS feeds.
Credit to Billy Rios of the Google Security Team for reporting this

Impact: Safari's AutoFill feature may disclose information to websites without user interaction
Description: Safari's AutoFill feature can automatically fill out web forms using designated information in your Mac OS X Address Book, Outlook, or Windows Address Book. By design, user action is required for AutoFill to operate within a web form. An implementation issue exists that allows a maliciously crafted website to trigger AutoFill without user interaction. This can result in the disclosure of information contained within the user's Address Book Card. To trigger the issue, the following two situations are required. First, in Safari : Preferences : AutoFill, the "Autofill web forms using info from my Address Book card" checkbox must be checked. Second, the user's Address Book must have a Card designated as "My Card". Only the information in that specific card is accessed via AutoFill. This issue is addressed by prohibiting AutoFill from using information without user action. Devices running iOS are not affected.
Credit to Jeremiah Grossman of WhiteHat Security for reporting this issue.
(Nice work Jeremiah!)

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of element focus. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of element focus.
Credit to Tony Chang of Google, Inc. for reporting this issue.

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's rendering of inline elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.
Credit to wushi of team509 for reporting this issue.

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of dynamic modifications to text nodes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.
Credit? Apple Internal?

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of CSS counters. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory management.
Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in WebKit's handling of the :first-letter and :first-line pseudo-elements in SVG text elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by not rendering :first-letter or :first-line pseudo-elements in SVG text elements.
Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of foreignObject elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through additional validation of SVG documents.
Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of floating elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.
Credit? Apple Internal?

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of 'use' elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of 'use' elements in SVG documents.
Credit to Justin Schuh of Google, Inc. for reporting this issue.

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in WebKit's handling of JavaScript string objects. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.
Credit: Apple.

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A reentrancy issue exists in WebKit's handling of just-in-time compiled JavaScript stubs. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved synchronization.
Credit? Apple Internal?

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue exists in WebKit's handling of JavaScript arrays. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of JavaScript array indices.
Credit to Natalie Silvanovich for reporting this issue.

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of regular expressions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of regular expressions.
Credit to Peter Varga of University of Szeged for reporting this issue.

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of "font-face" and "use" elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of "font-face" and "use" elements in SVG documents.
Credit to Aki Helin of OUSPG for reporting this issue.

Safari 5.0.1 and Safari 4.1.1 address the same set of security issues. Safari 5.0.1 is provided for Mac OS X v10.5, Mac OS X v10.6, and Windows systems. Safari 4.1.1 is provided for Mac OS X v10.4 systems.

The thing to remember with the above vulnerabilities is that the ones labeled "WebKit" affect more than just Safari. They could potentially affect anything built on the WebKit framework, Chrome included.

Tuesday, July 27

Apple's New Products

Apple announced a few new products this morning on their online Store.  New iMac, new Mac Pro, and a totally new product that I saw rumored a couple weeks ago, called the Magic Trackpad.

For years I've had a Fingerworks iGesture pad; I've been using it off and on since about the 2001 timeframe.  I found it to be the neatest and easiest way to navigate my computer's interface without a mouse.  I'm a big proponent of the keyboard, and hate taking my hand off of the keyboard to mouse, but for some reason I found the iGesture Pad fun to use (especially for things like cut, copy, and paste).   Fingerworks was founded in 1998 at the University of Delaware (a couple miles from where I live) and produced keyboards, pads, and keypads, all to help with RSI and to introduce gesture-based navigation into the world.  They weren't exclusively Mac based; in fact, they worked on Linux pretty well, as well as, of course, on Windows.  Which, back then, is what I used.

Apple bought Fingerworks back in 2005, coincidentally when they started working on the iPad (before they started working on the iPhone; they started working on the touch tablet first), presumably for their patents and innovations in the technology.  If you've used an Apple product since about 2006 or 2007, you've used Fingerworks-based technology.

Two finger scrolling, three finger swipe, pinch to zoom and pinch to un-zoom, the whole Magic Mouse, the finger manipulation on the iPhone and iPad.

In this line comes the Magic Trackpad, which is kinda like my old iGesture Pad (which is sitting right here -- not in use currently).  It's a trackpad that mimics the trackpad on the laptops.

There are, however, a couple things still missing.  Like these features:

However, since that's basically all software based, I am hoping that Apple builds that stuff into the interface now that we have the hardware.  Here's hoping.

Monday, July 26

Apple Stores are good to me

Yesterday my wife and I took a visit to the local Apple Store, my Time Capsule had died, and since it was one of the original models, it was under a replacement program. I took the Time Capsule back, they traded my broken one for a brand new one, and I was done.

My wife, however, was a different story. You may remember from a previous post of mine that my wife dropped her iPhone 4 while getting my daughter out of the car. Whoops.  Cracked the back glass to shreds.

She was fairly upset, since she had had it about a week. Anyway, she went in, explained what she did to the Apple Genius dudes, and guess what?

They gave her a brand new phone.

/That's/ why I like Apple Stores.

Thanks to the Christiana Mall Apple Store Geniuses. You rule.

Thursday, July 22

Reading Spam with Common Sense

Usually when I receive an email that looks like spam, I can just mash my "Send to Junk" keyboard shortcut and it goes away.  But every once in a while there is a decent-looking spam that *might* be real.  At first glance it won't have any images, or be selling viagra, or anything like that in it, and might just look real.

This is where the common sense approach to reading email kicks in.  Obviously this post is not for the expert; it's probably more for the occasional user, but maybe someone in between will find it useful.

Here's a spam I received this morning that prompted me to write this diary:

From: Comcast

"This is a courtesy reminder that your Comcast Billing Information needs to be verified.

In order to continue using comcast services,  click the link below, sign in and and follow the provided steps:

<Malicious Link was right here>

Comcast Billing Department"

So, let's look at this and see how easy this is to detect:

  1. I'm not a Comcast customer.  So right there, it was easy to detect.

  2. "comcast" in the second line is not capitalized.  A real Comcast email would have capitalized their own company's name.

  3. Usually an email like this (from Comcast corporate) would tend to have all kinds of disclaimers and other nonsense at the bottom of the email.

  4. The link that I removed was not to "comcast.com".

Now, if we get into the weeds a bit more, we can look at the headers and see where it came from.

It came from a server at a .edu.  I don't want to talk about which .edu (but it was in the United States), as I am going to try and get in touch with their security department after I get done writing this Diary.

Even worse -- it came from the "root" account on this server, and the headers even indicate what version of Linux this server was running (Ubuntu).  Most likely culprit?  Probably an SSH scan that compromised the root account.

Make sure you have tight controls over those SSH accounts!  And use common sense when reading your email.  If it looks like bull and it smells like bull, chances are it's bull.

Hopefully this helped someone.

Oh, the malicious link?  Pointed you to a site that collected your usernames and passwords.
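The checks above, turned into code: an added example (not part of the original post) that parses a raw message with Python's standard email module and reports the same red flags, plus the Received-header check from the part about where the mail came from. Both messages below are constructed for this example; every host, address and URL in them is a made-up placeholder, not the original spam or any real server.

```python
"""Heuristic phishing checks on a raw email, following the common-sense
indicators in the post. Added example; sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed look-alike of the Comcast-themed message: injected as root on a
# university mail host, brand name in lowercase, link to an unrelated domain.
SAMPLE_PHISH = """\
Received: from mailhost.example-university.edu (mailhost.example-university.edu [192.0.2.10])
\tby mx.example.net with ESMTP id abc123
\tfor <me@example.net>; Thu, 22 Jul 2010 09:12:31 -0400
Received: from localhost (localhost [127.0.0.1])
\tby mailhost.example-university.edu (Postfix, from userid 0)
\tid 1A2B3C; Thu, 22 Jul 2010 09:12:30 -0400
From: Comcast <root@mailhost.example-university.edu>
To: me@example.net
Subject: Billing Information Verification
Content-Type: text/plain; charset=us-ascii

This is a courtesy reminder that your Comcast Billing Information needs to be verified.

In order to continue using comcast services, click the link below, sign in and follow the provided steps:

http://billing-verify.example.org/comcast/login

Comcast Billing Department
"""

# Constructed legitimate-looking message for contrast (hosts are placeholders).
SAMPLE_LEGIT = """\
Received: from mail.comcast.com (mail.comcast.com [192.0.2.20])
\tby mx.example.net with ESMTP id def456; Thu, 22 Jul 2010 10:00:00 -0400
From: Comcast <billing@comcast.com>
To: me@example.net
Subject: Your statement is ready
Content-Type: text/plain; charset=us-ascii

Your July statement is available at https://www.comcast.com/account

Comcast
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Crude 'last two labels' approximation; fine for .com/.edu/.org hosts."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def earliest_received(msg):
    """Each hop prepends a Received: header, so the last one is the first hop."""
    received = msg.get_all("Received", [])
    return received[-1] if received else ""


def originating_host(raw):
    """Host that injected the message. A 'from localhost' first hop means a
    local process on the 'by' host submitted it."""
    hop = earliest_received(message_from_string(raw))
    frm = re.search(r"\bfrom\s+([\w.-]+)", hop)
    by = re.search(r"\bby\s+([\w.-]+)", hop)
    if frm and frm.group(1).lower() not in ("localhost", "127.0.0.1"):
        return frm.group(1)
    return by.group(1) if by else None


def phishing_indicators(raw, brand, brand_domain):
    """Red flags for a message claiming to come from `brand`, whose real mail
    and web domain is `brand_domain`. Returns a list of strings."""
    msg = message_from_string(raw)
    findings = []
    # Display name says one thing, sending address says another.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if brand.lower() in display.lower() and registrable_domain(sender_domain) != brand_domain:
        findings.append(f"display name claims {brand} but sender is in {sender_domain}")
    if addr.lower().startswith("root@"):
        findings.append("sent from the root account of the originating host")
    # Where the message was really injected into the mail system.
    if re.search(r"from userid 0\b", earliest_received(msg)):
        findings.append("submitted by a local process running as uid 0")
    origin = originating_host(raw)
    if origin and registrable_domain(origin) != brand_domain:
        findings.append(f"first hop {origin} is not a {brand_domain} mail server")
    # Links that do not lead to the brand's own domain.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != brand_domain:
            findings.append(f"link points to {host}, not {brand_domain}")
    # Wording: brand in lowercase (URLs excluded), and a 'verify by signing in' lure.
    prose = URL_RE.sub("", body)
    if re.search(r"\b" + re.escape(brand.lower()) + r"\b", prose):
        findings.append(f"'{brand}' written in lowercase, unlike a corporate mailer")
    if re.search(r"verif(y|ied)", body, re.I) and re.search(r"sign in|log ?in", body, re.I):
        findings.append("credential lure: asks you to verify by signing in")
    return findings


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_PHISH, "Comcast", "comcast.com"):
        print("-", flag)
```

None of these checks is proof on its own (a legitimate mailer can misspell its own name, and plenty of real mail is relayed through third-party hosts), which is why the function returns the whole list rather than a yes/no: the more of them that stack up on one message, the less it deserves a click.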

Monday, July 19

iPhone 4. A review after practical use, part 2

Part 1 Linked here.

Buttons and other Cosmetics

The volume button, the lock button, and the silent/ringer switch all got the same industrial treatment the rest of the phone did. They work much better, have better tactile feedback and are much more defined, making it much easier to find one of these buttons in the depths of your pocket.  (Like to turn the volume down on your ringer or something)

There is the single button on the front of the phone, the Home button, which they made a bit more "clicky" I would say. But the one thing about the design of the phone is, when you reach in your pocket to grab the phone and bring it out of your pocket in one swift motion while mashing the Home button, you can't do it.

Since the 3GS had that rounded back, it was easy to feel where the backside was and hit the button. With the square design, it's hard to tell which side is the front and which is the back when it's in your pocket, unless you try and find the buttons on the side.

This isn't a big deal at all. It's just a quirk I found that I've had to get used to.


FaceTime is Apple's new "video chat" feature. You use two iPhone 4s, call each other on the phone, and as long as both of you are on Wifi, you can then mash the FaceTime button.  If everything is okay (NAT traversal, etc.) you'll shortly be talking to each other via video chat. Is it cool? Yes.

Does it work? Yes.
Have I used it? A lot.

Is it revolutionary? No, video chat has been done before. But this time it's implemented correctly and easily. It works. You don't have to go to Fring and sign up with an account, and then use Video (btw, Fring's video quality sucks, and their audio is a close second).  You don't have to do anything extra.  Ensure you are on Wifi, and hit the "Facetime" button. The quality is good, audio quality is good.  It allows me to sit in my hotel and video chat with my wife and daughter while they are at home.  My daughter can show me her picture that she drew that day, she can show me what she's eating for dinner, she can show me her "beautiful dress" that she's wearing.  (All dresses, according to my daughter, are "beautiful dresses".)

Could we have done this before?  Yes, and we still do, with iChat.  But there are two things about that.  First, iChat requires more bandwidth, so hotel internet most of the time can't handle it, and second, my wife doesn't always have her laptop.  She almost always has her phone.  And since my wife is 8 months pregnant, I'm not about to make her get up to get her laptop.   I have better sense than that.

I think this is a great feature, it'll be neat if my parents get an iPhone 4 so they can enjoy it as well.  Especially when it comes to seeing my new baby.


This thing is quick.  Whether you bought the 3GS, upgraded from the 3G, still have the 3G, or have the original iPhone: the new iPhone 4 is dramatically faster than the 3G or the original iPhone.  Yes, it's faster than the 3GS too, but you'd have to do some really processor-intensive stuff to notice a huge difference (like compressing video).  So, if you have a 3GS and want to upgrade to the iPhone 4, you need to use one of the other 100 new features of the iPhone 4 as your excuse to upgrade.  However, if you have a 3G or the original iPhone, you will be blown away by the speed.

Think about this in perspective for a second: the A4's rumored speed is 1 GHz (after a cursory search of the internet, it's the best metric I could find).  Now the A4 is the same chip that is in the iPad and the iPhone.  The iPhone A4 is rumored to be clocked down, to preserve battery life.

The amount of RAM on the iPhone 4 is 512 MB (as evidenced by a particular slide at WWDC; Apple doesn't announce the RAM amounts or the clock speed in their mobile devices).  I remember, in 2003, my last computer before I bought an Apple computer was a 1.7 GHz chip with 512 MB of RAM.  Seven years later, I have a phone in my pocket that is almost as fast, has the same amount of RAM, and has 32 GB of storage on it.  Really puts things in perspective, how things are advancing.  I feel it's impressive.  (Of course, back then, I had a 1.5 Mb/s Cable connection to the Internet and I thought that was fast.  Now I have a 25 Mb/s Fiber connection.)


On the back is a 5 Megapixel camera; on the front is a significantly lower megapixel camera.  The front camera is primarily for taking pictures of yourself, if you are that vain, and also for FaceTime, which it serves quite well.  The back camera, with the LED flash, is for taking good pictures.  The iPhone does take good pictures.  Not GREAT pictures, not like Canon 5D Mark II pictures, but it will easily replace that point and shoot my wife carries in her purse.  Anything where I can carry fewer devices is a win for me.

Problems with the camera.  The Flash is okay.  If you try to take a picture, in the dark, and if the subject is close, it'll work great.  As long as the person you are taking a picture of doesn't actually look at the flash.  I don't know why, but every picture I have taken of people with the flash at night has a weird "red-eye" effect, except it's not red.  It's white.  Making my photo subjects a bit creepy.

In low light, and if there is any kind of motion, the iPhone will blur the motion in the picture.  Most cameras do this, so I can't fault the actual iPhone.

However, if you are taking pictures during the day, morning, or evening.  Indoors or outdoors, sunny or overcast, the pictures are great.  It replaces point and shoots.

The other feature of the iPhone is the ability to record 720p HD video.  I've done this several times already, recording video of my daughter jumping off the diving board for the first time and things like that.  The iPhone 4 handles it just fine.  The video looks great on playback on the Retina Display or even after you offload it to your iPhoto and play it on the Desktop.


I have some opinions, and this is the place to share them I guess, since it's my blog.  Overall, I like the iPhone, but I always have.  The iPhone 4 is much better than its predecessor.  I'm still not too crazy about the antenna reception "Don't touch this 2mm of the outside of the phone" thing, but I can overlook it by not touching it there, and getting a case.  Do I think it's a bad design?  No.  I understand why they did it, and it can be overcome easily, but it kinda sucks.

I'm not crazy about the glass on both sides, but according to the things I've read, I understand why it was done.  Apparently, they did away with the plastic back because plastic retains more heat than glass, and the iPhone 4 can heat up when doing really processor-intensive things like compressing video.  It's slippery and obviously, as tested by my wife, it breaks.  Apple charges waaay too much to fix this issue, and I think that's BS.

  • Do I think it's a good phone?  Yes.

  • Do I think it's a good computer? Yes.

  • Do I recommend it to friends?  Yes, if you buy a case with it, or at least have the cognitive ability to not touch that portion of the phone.

Overall?  Good.  Buy it.  It rocks.

Saturday, July 17

iPhone 4. A review after actual use.

Physical Design

Okay, much has been said about the physical design of this phone: its industrial features, its glass front and back, the stainless steel band around the side that doubles as an antenna, dual cameras, and an LED flash. The buttons, the glass, the band, everything. It makes for a great design, and feels smaller and better in your hand than the 3GS. In fact, the 3GS feels fat, plastic, and bloated. I only see two problems with the design.

One, front and back are both glass, meaning, if you drop it it might break. Even though Apple claims that the glass is harder than sapphire, if you drop the thing at the right angle, it will break. Ask my wife, who has already shattered the back of her phone after dropping it on the driveway. (Which Apple wants 199 dollars to replace the back, which is the cost of a new phone! Apple, have you lost your mind?).

Problem Two: it's slippery. If you place your phone on something smooth, say, like in my car, I have a center console. If I place the phone on there, it slips right off. Or on the arm rest of an easy chair. This is as a result of it being glass. Neither is that big of a deal, if you just are careful about how you take care of the phone. If you buy a bumper (which Apple is now giving away for free until September 30th) it has a bit of rubber on the back edge, making it non-slip, and a bit more protected.

The Display

Just after the iPad comes out, and those of us who bought one were running around saying "Wow, look at this really big touch screen display", then following that the Evo comes out with that big screen and people say "Wow, look at this really big touch screen display". For instance, I have a friend of mine that went from an iPhone (o.g.) to an Evo, and he was like "This screen is huge, it's so big!", but I digress.

Apple comes out with this display on the iPhone 4, and it has 4x the pixel density of the iPhone 3GS. This results in much sharper rendering of, well, damn near anything. Photos look great, video looks great, games look great, apps look great, but what's the one thing you do, or view, on an iPhone the most?


Oh, it rocks. If you have an iPhone (not)4, do this, and you'll understand:

Go to http://nytimes.com. Don't zoom in after it loads. Big newspaper website right? Look at the text, see how it's barely readable and all pixelated? On the iPhone 4, you can read it. READ it. Right from this screen. You can zoom in on the (not)4, and you'll be able to read it just fine, which you'd probably want to do on the iPhone 4 as well, but that's just an illustration of how much better this display is.

After you see and use the "Retina" Display, and go back to another phone (even the iPad, or a regular computer) you'll wonder how you ever complimented that old screen and how bothersome it is to have all that fuzzy text.

There has been some dispute about the fact that Apple calls this the "Retina Display". As to whether or not the pixel density is actually higher than what the Retina can perceive. First off, two things.

  1. I am not an optical engineer, and don't play one on TV, so I'm not going to get into the argument by adding my own thoughts here. All I know is that it looks great.

  2. It's a marketing term, people; there is a limit to how pedantic you need to be.

In short, the display is quite awesome.

The Antenna

Now, the antenna has been in constant controversy since the iPhone 4 came out. Let me cover a few parts of it.

  1. The antenna is broken into two parts. If you are looking at the left hand side of the phone, you will see a black band. The piece of metal around the outside of the phone on the left hand side is for Wifi, Bluetooth, and GPS. The rest of the metal is for EDGE and 3G.

  2. It's on the outside of the phone, for better reception.

  3. If you touch it, right at that black band on the left hand side, the "bars" or signal on the phone degrade into almost nothing, and if you are in a weak signal area, your call will just drop.

Not really an optimum design for an antenna you might think. One that you can touch in 2mm of the phone and the call drops? Yup. I can replicate it, I can do it, at will. You know what else I can do?

Not put my pinky over that part of the phone.

Or if worst comes to worst, get a case.  I got a bumper for my phone which covers the antenna and the phone works perfectly.

Now, some people have said that Apple should have never released a phone like this. Well that may be a good point, but I don't know if that would have helped. The antenna is on the outside of the phone, okay? Any phone you grip around the antenna is going to attenuate the signal. It's just the way it is. Apple says this, and you can replicate it on any of the prior iPhones as well as a bunch of the iPhone's competitors.

Remember when we were kids and you grabbed the rabbit antennas on your TV? Remember how the signal would get worse when you did that, even some times when you just got close to the TV? Same principle.

The phone is a radio. Sorry. It has to retrieve and transmit, and they have to put the antenna somewhere. Apple put the antenna on the outside of the phone to try and reduce the dropped calls everyone on AT&T was complaining about.

I personally have far fewer dropped calls than I used to (despite what Apple said about the iPhone 4 dropping more calls), and I'm not complaining about it one bit. Yes, I can hold the phone in a certain way to attenuate the signal and make the bars go down, so I just don't hold it like that.  It de-tunes the antenna, and therefore makes signal reception go down.

Since this post is running right around 1000 words right now, I'll cut it into two posts...  stay tuned for part two.

Call of Duty Error 6034 for the Xbox

Several friends and I play Call of Duty nearly every night.  However, Activision’s most recent multiplayer update broke the heck out of Call...