Friday, February 26

Monday, February 22

Writing Snort Rules Correctly

Let me start off by saying I'm not bashing the writer of this article, and I'm trying not to be super critical.  I don't want to discourage this person from writing articles about Snort rules.  It's great when people in the Snort community step up and explain some simple things out there.  There are mistakes, it comes with the territory.  If you choose to be one of the people that tries to write Snort rules, you also choose to be someone who wants to learn how to do it better.  That's why I write this blog post, not to bash the writer, but to teach.

I noticed this post today over at the "Tao of Signature Writing" blog, and to be honest I glanced over most of it figuring it was a rehash of things I've already read or things that have already been written from countless people about "Here's how you write Snort rules!".  I scrolled down quickly skimming, not reading at all really, and noticed this part:
Now, let us look at the second question: “We have “aol” as the id and Import method name. Should we use “aol” along with “Import”?”. Just because we narrowed down to “clsid:” followed by CLSID number, does not mean that we have to narrow down in this case too. Just like how the Shellcode will change, the attackers might change the ID too, to just find out if they could evade the IDS/IPS. Why give them a chance? Hence, we should broaden our search to just the import method: content:”.Import(“. The reason why we have “.” and “(” around the key “Import” is to narrow the chances of triggering the signature on some term “Import” and to concentrate on the vulnerable method.

This post is about ActiveX and CLSID detection with a Snort rule, trying to detect an AOL 9.5 ActiveX 0day.  Okay, fair enough, so the above paragraph is trying to find the Import command to call the javascript.  So I kept reading.

Then I got to this part:
In here, I would like to position the CLSID before the method. This would help me trigger the signature specific to “AOL 9.5 ActiveX 0day Exploit (heap spray)“. I can do this ordering by using “Offset”. We cannot set the “Depth” in this case, since the position of CLSID or Method in a packet will change according to the packet size or the way in which it is sent. Hence, the content of final signature would look something like this:

content:"clsid:A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase;content:".Import("; nocase; Offset:0;

The writer is correct in a couple things.
  • First, they say they want to position the CLSID before the method, so they want to do that using offset.
  • Second, they say they cannot set a "depth" because the position of the CLSID and the method in the packet will change according to the packet size, which is partially correct.

However, the problem with this above signature is that the offset is placed after the second content match.

So here's what would happen with the above signature so far.  The CLSID content match is the longest, so it would be fed into the fast pattern matcher.  If the fast pattern matcher came across a packet that matched the CLSID that is specified in the rule, <leaves stuff out>, then the packet would then be run through the detection engine (rule) for detection.  Contrary to popular belief, unless an offset/depth/distance/within modifier is specified, there is no order for the packet to match.  So if I were to write the above as this:

content:"clsid:A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase;content:".Import(";nocase;

Snort doesn't care which order the content matches are in.  As long as both contents are in the packet, the rule will fire.  So putting a content:".Import("; nocase; offset:0; in there does absolutely nothing.  You can kind of think of offset:0; as being implied, but if you don't have any relative content matches, then it really doesn't matter unless you are trying to be specific to a position match.  However, as the author already stated, you can't add a depth statement to the rule, so it plain just doesn't matter.  I see this kind of thing all the time, so I figured it was a common mistake.  So I kept on reading:
Now, let us look into the direction of traffic. Client-side exploits generally flow from server to client: “flow:to_client,established;“.

The author explains that "Client-side exploits generally flow from server to client".  Okay, correct in this instance, but not always, so let me explain:

Flow has four direction operators you can specify:

  • to_server
  • from_server
  • to_client
  • from_client

What I hear from people is that they think of the "server" as that 2U thing back in the server room (hence the name), and the client as "you".  But that's not how Snort thinks about it.  Snort thinks about client and server in terms of "who initiated the conversation".  So, at the beginning of a TCP conversation there is a 3-way handshake: SYN, SYN-ACK, ACK.

The client is who initiated the conversation, the server is who is responding.  So, in this case, since we are attempting to catch a web browser accessing a webpage and downloading a webpage which contains this CLSID, the flow would be to_client.  (Or from_server.)  Correct.  However, what if someone downloaded a PDF, and upon opening the PDF, the PDF went and grabbed something off the internet?  This is a client side exploit; however, the flow would be reversed.  So, the author is correct in saying that "Client-side exploits are generally...", and I wanted to explain to make sure no one was confused.  The "established" keyword means the session is established, so beginning on the 3rd part of the 3-way handshake.
In this case some folks might believe that CLSID is already in the “content” part of the signature, and that this is a repetition if we use it in PCRE once again. We are not using this PCRE to repeat the value in the content, but to ensure that we do not miss any possibilities of matching this exploit. Let us look into the PCRE part of this signature:


In here, the signature is telling the PCRE compiler that there is “< object” followed by strings and “>” with multiple-strings possibly following it followed by “classid” & “=” with the “clsid”, “:” and “{“. The true classid is then inserted into the PCRE. The PCRE ends with /i to indicate the case-insensitive nature of this regular expression.

The first paragraph is partially correct.  If you check for a content match, you can use a pcre to clarify what you are looking for.  This is done for a couple reasons.  One, as the author states above, is to not miss the possibilities of matching the exploit, but more accurately, it's to avoid obfuscation of the exploit.  So for example, let's go back and take a look at the content match before we look at the pcre portion.

content:"clsid:A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase;

Problem with this content match is, well, I wouldn't have put the specific "clsid:" in there.  Reason?  If I was an attacker and I wanted to bypass your rule, I would put "clsid: A105BD70-BF56-4D10-BC91-41C88321F47C". (Notice the space after the colon.)  Which completely bypasses the content match.

So let's come back to the pcre and take a look at it.

Now, this PCRE format was written by the VRT and a lot of people have copied it blindly without understanding what it does.  So let me explain, as what the author wrote in the second paragraph quoted above, is wrong.  As I said, I'm not trying to be mean or whatever, I am simply trying to teach.

So, the pcre is this:


(I am going to put double quotes around the things we are trying to match that are explicit, the quotes don't actually exist in the regular expression unless specified)

So we are looking for "<OBJECT"

Then a whitespace (\s).  That's what "\s" is.  (It says 'followed by strings' in the above quoted paragraph.)  Whitespace is a tab (0x09), space (0x20), new line / line feed (0x0A), or carriage return (0x0D).  The "+" sign after the "\s" means 'the character directly preceding it, as many times as it occurs, but there must be at least 1'.  So there must be 1 or more "\s" there.

Then you see this "[^>]", which the author says we are positively looking for.  The thing about character classes "[ ]" is, they allow you to do some nifty things: range matching ([0-9]), multiple matches ([abc] will look for either an a, b, or c, for one character), and you can also do negative matches, or "lack of" matches.  The way you specify a negative match within a character class is to use the caret within the class.  So "[^>]" means "the next character after any amount of positively matched "\s" cannot be a ">".  Directly after that is a "*" character.  The "*" is similar to a "+", but the difference is, while a "+" means you must have at least 1 match of the preceding character (in this case the negative character class), the "*" means you don't have to have a positive match.  It means "0 or more".

Following that we have a "classid\s*=\s*" match.  So look for classid(maybeaspacehere,it'soptional)=(maybeanotherspacehere)

Then there is a "[\x22\x27]".  In regular expressions, if you want to specify a hex character you have to write "\x" before the hex.  So, you might see a space specified like this: 0x20.  You might see it specified in Unicode like this: %20.  In regular expressions, it would be "\x20".  There are two characters within the character class: 0x22 is the hex for a double quote (") and 0x27 is hex for a single tick (').

Since this is a run of the mill character class match (not a range or something more complex) this means that the next character that the "[\x22\x27]" pattern match is looking for is either a ' or a ".  Notice the "?" after the character class?  That's a 'lazy optional'.  So without going into a long book about lazy and greedy (which, by the way, if you are interested, I suggest checking out the book "Mastering Regular Expressions" by Jeffrey Friedl, it's the bible), the "?" basically means "the character that is directly in front of the "?" is optional".  So, when all put together, the match is either a ' or a " or nothing at all.

Then we have (maybesomewhitespacehere)clsid(maybesomemorewhitespacehere):(maybesomemorewhitespacehere){(optionally)(maybesomemorewhitespacehere)A105BD70-BF56-4D10-BC91-41C88321F47C.

Notice that I translated "\x3a" and "\x7B" (the latter of which has the "?" behind it, so it's optional) above.

Then the modifiers of the whole Regular Expression at the end are "/si".

"s" means "include new lines in the dot metacharacter".  However, there are no "." metacharacters in the regular expression, so that was probably put there by habit (and good practice), and the "i" means "anything within the regular expression treat with case insensitivity"  similar to the "nocase;" keyword in Snort's regular rule language.
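The walkthrough above, and the "space after the colon" problem with the plain content match, can be checked directly. This added example (not code from either blog) loads the rule's pcre into Python's re module, which behaves like PCRE for every construct in this pattern (\s, [^>], \xNN escapes, ?, *, + and the s/i flags), and runs it next to a case-insensitive substring check standing in for content:"clsid:<GUID>"; nocase;. The HTML fragments are constructed, not captured traffic.

```python
import re

# Added example, not code from either blog. Assumption: Python's re engine
# matches PCRE semantics for this particular pattern, which it does.
CLSID = "A105BD70-BF56-4D10-BC91-41C88321F47C"

# The pcre from the rule; the trailing /si becomes re.S | re.I.
ACTIVEX_PCRE = re.compile(
    r"<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*" + CLSID,
    re.S | re.I,
)

# The original content:"clsid:<GUID>"; nocase; match, as a case-insensitive substring.
CONTENT_MATCH = "clsid:" + CLSID

def content_hit(payload: str) -> bool:
    """Does the plain content match fire on this payload?"""
    return CONTENT_MATCH.lower() in payload.lower()

def pcre_hit(payload: str) -> bool:
    """Does the rule's pcre fire on this payload?"""
    return ACTIVEX_PCRE.search(payload) is not None

def evaluate(payload: str) -> tuple:
    """(content match fired?, pcre fired?) for one payload."""
    return (content_hit(payload), pcre_hit(payload))

# Constructed sample HTML fragments (not captured traffic).
SAMPLES = {
    # straightforward form: both the content match and the pcre fire
    "plain": '<object classid="clsid:' + CLSID + '" id="aol"></object>',
    # the space after the colon defeats content:"clsid:<GUID>", but \s* after \x3a absorbs it
    "space": '<object classid="clsid: ' + CLSID + '" id="aol"></object>',
    # single quotes, whitespace everywhere, the optional { brace, a newline inside the tag
    "braces": "<OBJECT id=aol\n\tclassid = 'clsid : {" + CLSID + "}'></OBJECT>",
    # the tag is closed before classid, so [^>]* cannot bridge the gap and the pcre stays quiet
    "closed_tag": '<object id="aol">classid="clsid:' + CLSID + '"',
}

def run_all() -> dict:
    """Evaluate every sample; keys are the sample names above."""
    return {name: evaluate(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (content, pcre) in run_all().items():
        print(f"{name:10s} content={str(content):5s} pcre={pcre}")
```

The "space" and "braces" rows are the ones that matter for the argument: the substring check misses them while the pcre, thanks to the \s* between every token, still matches. The "closed_tag" row shows the other direction, the negated class [^>]* refusing to read past the end of the tag, which is what keeps the pcre tied to a real OBJECT element rather than to the GUID appearing anywhere in the page.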

So the final signature that the writer comes up with is:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ActiveX Exploit Signature Sample"; flow:to_client,established; content:"clsid:A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase; content:".Import("; nocase; Offset:0;pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si"; reference:url,; rev:1;)

Which I am going to rewrite:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ActiveX Exploit Signature Sample"; flow:to_client,established; content:"A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase; content:".Import("; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si"; reference:url,; rev:2;)

So, what did I do differently?  I removed the "clsid:" prefix from the content match; it won't speed up detection, and it's checked for in the pcre anyway.  So, if you are going to fire up the pcre engine anyway to verify the long content match, just knock out two birds with one stone.

What's with the "distance:0;" stuff?  I made the content match directly following it relative to the previous content match.  Since I don't have a within, I don't constrain how far after the previous match it may appear.

Why did you keep the ".Import(" stuff?  False positive reduction.  It will do nothing to speed up the match.

So, be careful when writing rules.  Unless you understand all the pieces and parts you can walk yourself right into a dark hole and do it wrong.  You can do that to yourself, but take extra care that you don't walk anyone down the hole with you.

Again, I post this, not to be mean, but to be constructive.

Sunday, February 21

Page for my Mustang

Someone wrote me on Twitter and asked if I had a webpage about my 1968 Mustang, and I said I didn't, although it was a good idea for those that are interested.  So I made a quick page here on my website that I will keep updated with its progress.

Check out the page here.  Thanks.

You can also find it under the "Pages" links on the right hand side of the homepage of the blog.

Friday, February 19

Why buying a DVD sucks

This is an image that's been floating around the past couple days on the internet.  I have no idea where it originally came from.

I don't pirate movies, I buy movies from iTunes, which, skips all the nonsense illustrated above and just gives you the movie.  Which, really, is all we want anyway right?

I thought this image kind of sums it up correctly though.

Thursday, February 18

Stop Google Buzz From Showing the World Your Contacts

Stop Google Buzz From Showing the World Your Contacts - google buzz - Lifehacker.

If you are a person who values their privacy and want to secure your Google Buzz contacts, i.e. not show everyone in the world who is in your contact book, follow the directions above.

I've done this, just for good citizen's sake, as well as manually blocked some people that I don't trust.  Keep on top of this stuff people!  As an online community becomes more ubiquitous, the more risk you present in revealing too much.

Wednesday, February 17

Tuning Snort with Host Attribute Tables - CSO Online - Security and Risk

Tuning Snort with Host Attribute Tables - CSO Online - Security and Risk.

Here is an article I wrote for CSO magazine, thought the readers of my blog might like to check it out as well.

I was asked to write a fairly technical article for CSO magazine about Snort, the problem is, which part of Snort do you write the article for?  An article about Snort can be very technical or not so technical.  One of the advantages of having Open-Source software.

In any case, enjoy.

Tuesday, February 16

Will Hack For SUSHI » MiFi Config Hack

Will Hack For SUSHI » MiFi Config Hack.

A post by friend and colleague at SANS Joshua Wright.  Joshua is one of the guys I know that is really proficient at hacking wireless.  Bluetooth, wifi, etc.  He does some really wonderful work at that, and he's fantastic at it.

This post is about him hacking his Mifi (Verizon).  He has two posts on the subject you should check out if you have a Mifi.

The other post is here.

Monday, February 15

Fun with Firewall Logs

So, after my post about's network...  Here's another quiz for you.

Feb 15 09:16:39 localhost kernel: IN=eth0 OUT= MAC=00:03:47:f1:52:0d:00:18:01:b6:c1:4d:08:00 SRC= DST=192.168.x.x LEN=72 TOS=0x00 PREC=0x00 TTL=45 ID=32394 DF PROTO=TCP SPT=52764 DPT=22 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0

What kind of fun is that!

Monday, February 8

Hey,, what are you doing?

So, in the spirit of another post I put up recently, I am monitoring my firewall logs for anything strange and I keep seeing this:
Feb  8 14:47:55 localhost kernel: IN=eth0 OUT= SRC= DST=192.168.x.x LEN=455 TOS=0x00 PREC=0x00 TTL=49 ID=33745 DF PROTO=TCP SPT=80 DPT=58709 WINDOW=54 RES=0x00 ACK PSH URGP=0

The Source is, the DST is my webserver, but take a look at the Ports.  SRC port 80?  DPT 58709?  Anyone else see anything like this?  This is being denied at my firewall because of my ESTABLISHED,RELATED line.  So, the connection was not made from here.  It's initiated from the outside.

What's going on over there at
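For anyone who wants to sift lines like the two above out of a busy firewall log rather than eyeball them, here is an added Python example (not code from the blog) that parses netfilter "kernel:" log lines into fields and flag bits, then labels each TCP segment by what a stateful ESTABLISHED,RELATED rule would make of it. The sample lines are constructed from the ones in the posts; the SRC and DST addresses are RFC 5737 documentation addresses standing in for the values masked on the page.

```python
from typing import Any, Dict, List

# Added example, not code from the blog. Parses netfilter/iptables LOG target
# lines and classifies TCP segments by the flag bits they carry.

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
BARE_TOKENS = {"DF", "MF", "CE"}  # IP-header tokens netfilter logs without a value

def parse_netfilter_line(line: str) -> Dict[str, Any]:
    """Turn one log line into {field: value, ..., "FLAGS": set(...)}."""
    msg = line.split("kernel: ", 1)[1]          # drop the syslog timestamp/host prefix
    rec: Dict[str, Any] = {"FLAGS": set()}
    for tok in msg.split():
        if "=" in tok:                          # KEY=VALUE, including empty OUT=
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["FLAGS"].add(tok)
        elif tok in BARE_TOKENS:
            rec[tok] = True
    return rec

def classify(rec: Dict[str, Any]) -> str:
    """What a stateful firewall would make of this packet, judged by flags alone."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"      # inbound SYN: allowed or denied by policy
    if "SYN" in flags:
        return "syn-ack"                     # reply to a SYN we sent; conntrack should know it
    return "stray-mid-stream-segment"        # ACK/PSH/FIN with no tracked session

# Constructed sample lines modelled on the ones in the posts; SRC/DST are
# RFC 5737 documentation addresses standing in for the masked values.
SAMPLE_LINES = [
    "Feb 15 09:16:39 localhost kernel: IN=eth0 OUT= MAC=00:03:47:f1:52:0d:00:18:01:b6:c1:4d:08:00 "
    "SRC=203.0.113.5 DST=192.0.2.10 LEN=72 TOS=0x00 PREC=0x00 TTL=45 ID=32394 DF PROTO=TCP "
    "SPT=52764 DPT=22 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0",
    "Feb  8 14:47:55 localhost kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=455 TOS=0x00 "
    "PREC=0x00 TTL=49 ID=33745 DF PROTO=TCP SPT=80 DPT=58709 WINDOW=54 RES=0x00 ACK PSH URGP=0",
]

def summarize(lines: List[str]) -> List[tuple]:
    """(SRC, SPT, DPT, sorted flags, classification) for each line."""
    out = []
    for line in lines:
        rec = parse_netfilter_line(line)
        out.append((rec["SRC"], rec["SPT"], rec["DPT"], sorted(rec["FLAGS"]), classify(rec)))
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row)
```

Both sample lines come out as stray mid-stream segments: ACK-bearing packets with no SYN that the firewall has no session for, which is exactly why the ESTABLISHED,RELATED line drops them. Sorting the output by that label, then by source address, is a quick way to see which remote hosts keep sending such segments.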

WP Greet Box is back

I took away the WP Greet Box for awhile based on the fact that I didn't really have it configured optimally.  I wanted the Greet Box (which is a little pop up widget that says "Hello, welcome to the site, you can subscribe here" -- pretty much) because several of the themes I have been partial to had no obvious way to subscribe via RSS.  I've fixed that now, as the blog will advertise that it has a feed in the URL bar (for most modern browsers), also with a link over in the sidebar that points you to the feed.  But I wanted a little something, non-intrusive, that pointed to the RSS feed when you came from certain sites.  (Digg, StumbleUpon, things like that.)  So it's there again, but only if you get directed from certain webpages to my site.  Which, actually, is the majority of the hits I receive.  Basically it's just an experiment.  Bear with me.

Sunday, February 7

A couple snow pictures

Lots of Snow over the past couple days. 2nd biggest snowfall ever for this area.

Friday, February 5

One in five physicians likely to purchase Apple iPad - study

AppleInsider | One in five physicians likely to purchase Apple iPad - study.

This is what I said back here, so I am glad that someone did a study on it.  Very interesting what the future holds for this form factor of device.  I think the early critics are going to be eating their words in a year or so.

If you never knew it occurred, did it occur in the first place?

In my To-Do list, I have a section for Blog topics that I think of in $random_place and I want to jot down for brainstorming later. This topic has been on my to-do list for about a year.

I was standing on a stage giving a speech at a military base, in about 2004.  The people I was giving a speech to were about 200-250 different "network" and "Systems" administrators from all over this military base in tons of different units.  In this audience I had military, civilian, and contractor.  I was asked to give a speech to the system administrators because some of them didn't see the value in security in their systems.  It was an afterthought and people weren't terribly excited about having to follow $regulation that ensured proper lock down of various controls in the operating system and network.

I asked this question:  "If you never knew it occurred, did it occur in the first place?"  I paused for effect, waiting for an answer.  One didn't come.  Obviously they had no idea what I was talking about.

I proceeded to explain the importance of reviewing logs, system and network information, explaining to them the importance of what I had found that week upon a security audit I was doing of their Army post.

Hundreds of compromised machines, botnets, poor security controls, inadequate permissions, etc.  This was all from about 3 days of work.  I didn't even get into the trenches trying to find things, this was just surface level scanning and network monitoring.  Not even penetration testing, just scanning.

They didn't know.  They thought their network was perfect.  They thought it was clean.  They didn't need to review logs.  They thought wrong.

If you aren't going to review logs, if you aren't going to look at the system logs, the firewall logs, the IDS/IPS logs, then why collect them?  The problem is, we have things like SOX compliance now that mandates that we have some kind of logging system.  Which is fine, it's a great idea, but people are missing the point.  The point of the SOX compliance and log review is for people to REVIEW the logs.  Otherwise what is the point?  So you can go back and see when you were compromised?

Some people will agree with me here and say "Yes, I'd like to have historical information so I can go back and see when the intrusion occurred."

That's fine, I don't disagree, but stop for a second while reading this and meditate on this question "Why?"  What are you going to do about it?

If you are going to look at your logs and dismiss them, instead of looking at your logs and doing something about the mistakes that you find, then what's the point in looking at the logs.  Don't waste your time.

It's your JOB to be looking at these things, if you aren't going to DO your job, then quit.  We don't need you in our industry because it's people like YOU that are messing things up for the rest of us.

I'm going to do it...  I am going to use APT (Advanced Persistent Threat).  APT was found by looking at logs.  APT has been around for a long time.  Before I worked at Sourcefire, I worked for the Department of the Army in computer security, and we were dealing with APT (only it wasn't called that back then) then.  We didn't have an advanced term for the threat, we used terms like 'rootkit' and 'trojan'.  We were looking at hacks that we had never thought possible offloading information to countries that weren't ours.  Some of the techniques were so interesting and secret, they haven't been made public to this day, so I can't talk about them here.

But we found the compromises by looking through logs.  I've said this before, and I'll say it again, what's the point in having a security device that keeps logs if you aren't going to LOOK at it?

Thursday, February 4

Review: Jawbone ICON Bluetooth Headset

I am not trying to jump on you like a bully and pummel you with reviews for a few posts recently, but I feel, as a geek, I have the need to tell my other geeky friends if something sucks, or if something is good. That way, not everyone spends money on things that are complete pieces of crap.

For those of you seeking a Bluetooth headset, you may want to look no further than the Jawbone ICON headset. Little bit of background before I proceed.

I've had all three versions of the Jawbone now. The Jawbone One was big, bulky, but it did its job right; however, it did not survive the trip through the washing machine. The second version fixed that (not the washing machine part, the big and bulky part). Same awesome noise cancellation technology, much much lighter; the only problem was, it wasn't very solid in your ear, and it fell out of my ear a lot, simply because it just felt like it was Stallone in Cliffhanger, hanging on for dear life. The only other thing I didn't like about the second generation Jawbone was the buttons. I could never find them. There were two buttons, one on the side and the other on the back, kinda. They were next to impossible to find with your fingers, as they didn't have any raised indication that said "hey, this is a button!"

But let me tell you what, with this new one, they have really outdone themselves. The Jawbone ICON comes in six different designs. "The Hero", "The Bombshell", "The Catch", "The Ace", "The Thinker", and "The Rogue". All are various colors and designs, but they all have the same key features.

The NoiseAssassin® technology is awesome. On by default, it uses a sensor that presses against your cheek to sense when you are talking, it compares that vibration with the mic's input, and thusly uses the difference to cancel out all the remaining background noise. It's awesome for wind, trains, or whatever. You can be in a noisy room and talk to someone on the phone, and the only thing that the people on the phone can hear is you. It's incredible. For a video demonstration of how this works, go to Jawbone's website and click on the lower right area. Check it out.

This version of the jawbone adds a few awesome features:

1) If you are using the jawbone with the iPhone, the battery indication is on the screen of the iPhone up next to the battery indicator for the iPhone itself. If you ever bought the iPhone bluetooth headset (which I didn't), you'll recognize what this indicator looks like.

2) But that doesn't matter cause you can reach on the back of the jawbone, press the button once, and it announces in your ear how many hours of talk time you have remaining.

3) When you receive a call, the ICON will read the caller id into your ear. Just the number. Not any names or anything, which kinda stinks. I wish it would at least try to pronounce some of my coworkers and friends names just so I could get a laugh out of it. But the number is just fine. It's a heck of a lot better than scrambling for your phone when the thing rings just to see who called. I mean isn't that the purpose of a bluetooth headset? So you don't have to fumble for your phone?

4) It doesn't have any blinking lights on the outside. Which is nice, because then you aren't sitting on a train or something and have an annoying blue blinking light on your ear. Or even better, when you are in a hotel room and the blue blinking light is so bright it lights up your whole hotel room every 10 seconds or so.

5) Voice control. The Jawbone has always had voice control, but now, coupled with the iPhone 3GS that I have, I can hold down the button for two seconds and say "Call Wife", which the iPhone then asks "Home, Mobile, or Work?" And I simply say what I want. I like the fact (and this is more on the iPhone than the Jawbone) that I don't have to hit ANOTHER button to say "Work". I just say it after the little 'beep'.

6) It has an on-off switch. I don't have to hold down a button that I can't find to turn this thing on and off. The button is a toggle sliding switch on the inside (faces your face) side of the jawbone. Flick it on or off, and you KNOW which one it's doing.

7) Redial is a double tap of the button on the back. The Jawbone then says "Redialing" in your ear.

8) When the battery does get low, it will tell you in your ear. No more guessing.

9) You can connect this thing to multiple phones. YES SERIOUSLY. You can even manage calls from two different phones at the same time. Are you kidding me? This is 2010 right? We aren't in 2020 or anything?

10) They converted from their annoying proprietary charger attachment to a Mini-USB plug. Very standard and easily replaceable if you lose it.

So, overall, I'm very satisfied with this thing, and if you are looking for a new one, or if you are happy with your old one... this one is better, it's smaller. Oh, and one more thing?

This thing stays in my ear! No loop around the top of my ear, I just put it in my ear and it stays there.

Go, run, don't walk, to the nearest Best Buy/Apple Store/AT&T store. This thing is new, so it may not be in all the stores yet (it's available online via their website); your mileage may vary. Check the websites.

I got mine at a Best Buy.

Review: Capitol Hilton, Washington, D.C.

This week I had to come down to Washington, DC to work with a customer.  Now, I've been to loads and loads of Hotels, and most of the big ones in Washington, DC.  This week I decided to stay at the Capitol Hilton.  It's about three blocks North of the White House.

So, being the traveler I am, I am a Diamond member with Hilton, for the past three years, which is the highest you can get as a "premier traveler" with Hilton Rewards.  I'm not saying that to brag, I'm saying that to illustrate a point.  As a diamond member, you automatically get certain things.  Free Gym access, free breakfast, free newspapers, and free room upgrades just to name a few.

So, and you might call me spoiled, but whatever, I'm not trying to act that way, I'm giving a review.

So, I get my room.  No refrigerator, shower was dirty, shower head sprayed water every which way (indicating that you have hard water, and the shower head hasn't been cleaned), and no electrical outlets in the bathroom.

Now, how do you not have electrical outlets in the bathroom?  God forbid I should be a woman and need to plug in the hair dryer!  Where was the closest outlet? Behind the TV. Which was on a TV stand, which was immovable. So, there was no way to dry your hair (and curl it, with a curling iron, cause I think of stuff like that for my wife) anywhere close to in front of a mirror. Matter of fact, the only place you could have plugged it in, was behind a TV stand in the middle of the room.

There were four outlets available in the whole room. Two on the lamp on the desk, and two behind the night stand. So, if you are technical person like me, you have stuff plugged in all around the room. Fairly annoying.

The TV was ancient, you couldn't hook up any external media to the TV, which, is also annoying.

Room service food was so-so. The menu consisted of things like foie gras and the like. Seriously? Who is going to eat food of "that" caliber from the room service menu? People that order room service want things like wings, and quesadillas, pizza. Room service is like, a last resort and you just want something good. Oh, and by the way, a sandwich for 19 dollars? So, you add the delivery fee onto that, a drink... You have a 30 dollar dinner? A bit much for a regular sandwich. I order room service fairly often (because I get tired of prowling through a city trying to find food -- you travel as much as me, you'll know what I mean) and the average price is around 19-25 bucks. 30+ dollars for dinner is overpriced for simple food.

Internet. The Internet speed was pretty good actually, but it was something like $15 a night. Again, not what I am used to, and not comparable to the other hotels in DC. The room rate per night was reasonable (for DC), but the other things they charge you for at the hotel were overpriced.

Now, saying all that, there was a note on the desk of my room saying that the hotel is currently undergoing a 36 Million dollar renovation. So let's hope they fix some things. The biggest request I have, of all hotels, is: PUT MORE OUTLETS IN THE HOTEL ROOMS. Accessible. Easy. In the Desk or something.

So, until the renovations get done, I recommend the Marriott Metro Center.  It's nice (without going higher to the Mandarin, W hotel, or JW Marriott), or either of the Hyatts.  They are nice, but they have the 'lack of outlet' problem as well.

So, my review is pretty unhappy.  Now, finally, as I said in the beginning, I'm a Diamond member.  Would you like to see my view out of my hotel window of the lovely Washington DC?

Lovely eh?

I stay in a lot of Hiltons.  Most are nice.  This one is obviously old, and we'll forgive them for that.  So, maybe I'll try them again after they complete their renovation.

Wednesday, February 3

Steve Jobs: The Rolling Stone Interview : Rolling Stone

Steve Jobs: The Rolling Stone Interview : Rolling Stone.

This is an older interview (2003) with Steve Jobs.  This is shortly after the iTunes rollout on Windows, iPods were just taking off, before the iPhone, before the App Store, before the iPad.

This is an interesting interview and you can see where Apple was at the time as far as Steve's thinking was concerned, and how that thinking has come to shape Apple.

Great Anti-Email post

Jeff Atwood, blogger and coder over at Coding Horror, one of the many blogs I read, had this post up sometime last year, and I thought it was such a good post that I've recommended it to a couple friends, but I realized I never actually blogged it.

Jeff discusses a similar topic to what I've discussed in the past.  Checking email less often, shutting your email off for periods of time, turn off the "new message" ding.   All great points.

Go check out his post here.  Jeff, great job!

Tuesday, February 2

YouTube in html5, enable it now

I received this link on one of my mailing lists and thought it was the greatest thing since sliced bread.  Following up on my "Flash is dead" post, you can enable to work in HTML5.

Go to: and you can "opt-in".  I assume it places a cookie in your browser so that every time you try and view a video, the video plays in html5 instead of flash.  My browser doesn't run at 100% CPU or anything.  It's awesome.  Go do it now, help kill flash.

Monday, February 1

Google to kill off IE6 support in 2010

In a big move by Google I just received an email letting me know that Google will be phasing out support for IE6 in Google Apps in 2010.
"In order to continue to improve our products and deliver more sophisticated features and performance, we are harnessing some of the latest improvements in web browser technology. This includes faster JavaScript processing and new standards like HTML5. As a result, over the course of 2010, we will be phasing out support for Microsoft Internet Explorer 6.0 as well as other older browsers that are not supported by their own manufacturers."

I think this is a phenomenal move by a company as big as Google to say "not anymore". I wish other companies would take such a firm stance against my other pet peeves. You know, ActiveX, Flash, and Silverlight.

Snort Ruleset tuning, by the VRT

Awhile back here on this blog I wrote about PulledPork 0.3.4 being released and about the VRT making the "Connectivity, Balanced, and Security over Connectivity" policies.  Also about how you can use PulledPork to automate the updating of your open source Snort rules to take advantage of these recommendations.

Around about the same time VRT put a post up entitled the "VRT Guide to IDS Ruleset Tuning".  It was a good post, and I didn't really highlight it.  They post some really great examples towards the bottom of the post.  If you run a Snort installation and you've read some of my posts about Snort tuning and "I've installed Snort, now what", this is a good read as well.

Check it out here.