Tuesday, October 26

Snort Community Pig Roast

(If you read this on Twitter, please RT!)

Sourcefire is going to throw a community pig roast at our World Wide Headquarters on November 12, 2010.  We'll have some talks by Marty Roesch (our fearless leader) and Matt Watchinski (our VRT fearless leader).

Date: Friday, November 12, 2010
Time: 12:00PM

Where: Sourcefire HQ
9770 Patuxent Woods Dr.
Columbia, MD 21046

The event is open to our community, and we'd like you to come on over and hang out!

Please RSVP at: http://now.sourcefire.com/?elqPURLPage=2?elqformname=101112_snort_bbq&URL=

Notes syncing between Mail.app and iPhone, finally

I've written several times over the years about the need for Notes to sync automatically between the iPhone and the Mac Mail.app Desktop application.  Well, unbeknownst to me (because I stopped using Notes in Mail.app because of the lack of this feature), in iOS 4.0 Apple has built this in.

I didn't test it right away when the release came out, and I realize just now that I haven't written about it either since they built this in.  But it works.

If you have an IMAP account, you can go into your account settings on your iPhone and turn on "Notes" in that account's preferences.  Mail will create a folder called "Notes" on the IMAP server, and your "Notes" in Mail.app will be synced Over-the-Air with your iPhone.

I have my Mail.app set up like this:

So that all my notes and to-do's stay intact in one account, and not spread across different accounts.  But there is more than one advantage to MobileMe for this particular feature.  If you set it to MobileMe, Notes are pushed.  (As opposed to pull, as they would be with other IMAP accounts.)

In short, Apple enabled Notes syncing in iOS 4.0.  It works.  Give it a shot.


Facetime, Apple’s new iPhone 4 to iPhone 4 video chat application got a bit of an update on Tuesday of this week.

Jobs said it himself, the biggest thing that people wanted when facetime was shown on the iPhone for the first time was the integration of the system into the Mac desktop.  I talked about this back on this original post when the iPhone 4 came out.  Finally, at Tuesday’s speech Jobs and Apple rolled out the Facetime client for the desktop.

It works.

You can call Mac to Mac using Facetime, you can also call Mac to iPhone or iPhone to Mac, likewise with the iPod Touch. The resolution is good (it’s scaled down a bit if you are used to iChat’s resolution), audio is excellent, and it works flawlessly. In fact, when it came out, I was on a hotel network. I tried to initiate an iChat connection to my Dad, and we couldn’t do it for lack of bandwidth, however, Facetime connected right away without a problem.

The only thing that I thought was a bit strange, and I know I'm not the only one, was that Apple released it as a separate application for the Mac.

However, after I thought about it for a bit, I came back to my original conclusion that this is a temporary step. The application is simple and easy to write, so that’s what Apple did. I imagine in order to build the feature into iChat, they'd have to rewrite the whole application, and while they didn’t at all indicate that this was going to happen in 10.7 Lion (which they also started talking about on Tuesday), it makes a lot of sense to have it built into the OS.

One of the other things that I noticed about Facetime is that it doesn't really give you any kind of "presence" notification. For instance, it would make sense that since Apple knows you are connected to the internet via $device, they would be able to provide some type of presence notification along with it. I assume this is going to come with 10.7 too.

Friday, October 22

The Mac App Store, why it's awesome.

On Tuesday this week, Steve Jobs got up in front of journalists and announced several things.  I'd like to cover them all at once, but I realized the post was going to be way too long, so I thought I'd cover them in separate topics.

The Mac App Store

First let me talk about, what I thought was the biggest announcement of the entire press conference.  The Mac App Store.

Similar to the iOS App store that you can find in iTunes, Apple will be rolling out a separate application onto the OSX platform where developers can upload their apps to Apple in order for them to be purchase-able through the "one-click" easy access of this app.

Apple is taking the same 'cut' that it takes for the iTunes app store, 70/30.  70% of the developer's revenue for selling an app goes to the developer, the other 30% goes to Apple to pay for the store, the hosting, the bandwidth, etc.  Some developers will think that this is Apple gouging into their profits, and while true, they have to think of a couple things:

1) I can raise the price of my app, just enough, to make it worthwhile for me.

2) The prices of the apps in the Mac App store will generally be higher, as they will be of higher quality. (Theory of mine, as they won't be just little fart apps for the iPhone.)

3) You would now be featured in the "showcase" as it were for Apps.  This is a genius idea.  Yes you have to sacrifice the 30% of your revenue, but your download count will go through the roof.  Look at the developers that have made millions off of the iPhone app store in just a short amount of time after its release.

Conspiracy Theories

Some people I've heard talk about the App store seem to think this is Apple's way of locking you into their platform.  Let me share my opinion on this.

They already have you locked into their platform.

First off, if you buy your app from the app store, you click the button, it downloads over the internet (further reinforcing my theory that I wrote a couple years ago when the Macbook Air came out, I said that it was going to be the end of distributing software via physical medium), it installs by itself.  Done.  Easy.

If you want to update the app, you go to the "updates" section of the app store, and you click "update" or "update all" and all your apps are automagically updated.  What I'd like to see Apple do is have all their updates take place through this system.  I think "Software Update" and the "Updates in the App store" may be confusing for some users, but that will remain to be seen I guess.

At the same time yesterday we found out that Apple is deprecating Java on their system, and the new Macbook Air (which I'll talk about in a later post) is shipping without Adobe Flash.  I think both of these are smart decisions, and would like to see both of these in the App Store.  Oracle submits a Java build, and Adobe submits Flash.  You download both of these with one click, from one place (instead of going all over the internet to find them and their updates), and that way when a new update comes out for Flash or Java, you just click "Update" in the app store.  This does two things:

A) Makes security better, by providing an easy way for people to update their apps.

B) It absolves Apple from having to maintain older software on their system and keep it updated (such as Flash).

Great idea.

More Conspiracy Theories

Yesterday on my drive home I was listening to the latest "MacBreak Weekly" podcast, and even though Alex Lindsay has been saying it for several months now, he reiterated it again in the latest broadcast.  He thinks that the OS on the Mac is going to iOS.

I think he could not be more wrong, and let me explain why.

Steve Jobs said yesterday that they were bringing some of the things they have learned from the iPhone and iPad back to the Mac.  Good idea.  It's great to have a unifying experience across all your platforms.

Does that mean that the OSX Operating system will be all touch based?  No.  Jobs said that yesterday, trying to manipulate objects on a vertical surface doesn't work.  Think about it as you are reading this right now, if you are reading this on a traditional computer.  Think about not having your mouse, and moving the cursor or using gestures on your monitor.  Play with that idea a second.  Your arm would get so tired and you'd get frustrated after awhile.  Heck, when I dock my iPad and use a regular keyboard with it, and I have to reach up and tap something on the screen when it's in a vertical configuration, it's annoying.  This won't work.  I agree.

Does that mean that OSX can't learn some multi-touch gestures?  No.  In fact, you can already scroll with two fingers (have been able to do for years on the Mac), three finger swipe forwards and back, even rotate photos and documents by the same rotation method that you use on the iPod Nano's screen.  Add a few more of these and the system will not only be intuitive, but you'll be able to get a lot done, faster.  That's why Apple invented the Magic Mouse, and that's why they invented the Magic Trackpad.  Look at the direction of the Operating System and it makes sense.

OSX is not becoming iOS.  It won't work.  But there are advantages that iOS has that OSX does not have, again, let's come back to the App Store.  The App Store on the iTunes/iPod touch/iPhone/iPad system is an easy one-click access to any app on the Apple store.  The App store on the Mac is going to be the same way.  However, what side effects does this provide that people may not have thought of yet?

1) Your Apps are tied to your iTunes account.  Okay, that means that if I want to rebuild my computer, or buy a new one, all I have to do is open the App Store and I can suck down all the apps that I've already paid for without having to re-find them on the internet, or from a backup.  Better yet, I don't have to keep track of licenses and other non-sense like that.

2) Easy updating.  This is important, not only for functionality, but for security.  I think this is one of the best features of the App Store.

3) Your Apps are tied to your iTunes account.  Which means what?  That's right.  They are DRM'ed to your name.  Which means what?  That's right.  You can't pirate the Apps.

Let me pause for effect.

Apple.  Just figured out a way.  To stop.  Software piracy.

Yup.  That's just happened.

Genius.  I buy all my applications anyway, so it doesn't affect me, but that's awesome.

The apps that are sold through the app store can't be packaged up and sent to your friend anymore.

Yes, you can still download apps and what not from the Internet in general (meaning that developers for the Mac don't HAVE to sell their apps through the app store), but then you are dealing with not being in front of tons of eyes through the App Store, licensing and purchasing schemes.  You have to maintain all of that yourself.  Whereas through the App Store, Apple has taken care of all of that for you and prevented the piracy of your Apps.

I also think this will totally increase the amount of apps available for the Mac platform.  All of a sudden people will have easy access to a way to simply get their Mac Application out there without having to shrink wrap it and get it into the big-box stores.


Honestly, I see nothing but good things here.  The only time I'll have a problem with the Mac App Store is when Apple says that the only place you can get the apps is from them.  .....and they are still taking their 30% cut.

That's not really fair (which isn't happening, I'm just theorizing).

Although it would be interesting, because then all code would come from Apple, approved, and signed.  Malware and what-not could be rendered totally non-existent.

Apple has also stated in their terms of service that "violent" video games can't be on the App Store.

That sucks.  I think that'll hurt the store overall, but who knows, they may fix that.

Monday, October 18

Ray Ozzie leaving post as Microsoft's chief software architect

Ray Ozzie is the gentleman that took Bill Gates's place after he retired from his day to day duties at Microsoft, and unfortunately, this kinda makes me feel more confident in the opinion I had when that event took place.

Microsoft is losing their spirit.

Let's face it, it's quite obvious now that Bill Gates was the driver behind the Microsoft brand and direction.  This is the third notable post that is being vacated since Bill Gates left (the first being the designer behind the Zune interface Robbie Bach, second being CFO Chris Liddell), and yet, somehow Ballmer stays in charge.

Don't get me wrong, Ballmer knows how to make money.  Which is why he's a good CEO, but in my opinion, it doesn't feel like he is ushering in a strong "direction" for the company.  But maybe I'm being a little critical, trying not to compare him to Steve Jobs, but hate him or love him, Steve Jobs is a great CEO.

It just feels to me that Microsoft is playing the catchup game.  Saying "me too" to everything that is coming out.  Windows Mobile Phone 7, (which was started a long time ago, but not until the iPhone came out was serious pressure put on this), the Xbox360 (which is probably Microsoft's best product), the Zune copied after the iPod, Windows's constant comparison to OSX, chasing after Google with Bing, and chasing after the iPad now with whatever-the-heck tablets (slate) they come out with.

Sad part is, Microsoft almost invented the tablet business.  They pretty much pioneered it.  However, they tried to shoehorn a Desktop OS into a tablet PC and wrote enough software to be able to use a pen.  Well, it doesn't appear to have caught on en masse.  They didn't go back to the drawing board (like they did with Windows Mobile Phone 7) and design a new user interface, even if they copied the WMP7 interface from the Zune HD.  Their current tablet offering does not bode well for touch, and it's unclear where their future direction is going as far as touch is concerned, but it doesn't look good right now.  It still looks like they are trying to shoehorn Windows 7, the desktop operating system, into the tablet.  It's not going to work!  You tried that once, and it failed.  So I refer to the current class of computing devices (the iPad, and all the competitors that are trying to come out now) as "slate" devices.

Ray Ozzie, as it states in the below linked article, is best known for creating Lotus Notes.  Which really doesn't speak volumes to quality, but it does speak to success.  Even a totally awful program can make tons of money.  But Mr. Ozzie didn't seem to provide the direction that Gates did.  Face it, Gates was the genius behind the Microsoft brand.  Even if his tactic was to copy everything he saw, which I'm not saying he did, but even if his tactic was that, it was genius and it worked well.

I am not a Microsoft Shareholder, heck, I'm not even an Apple shareholder anymore,  but I'd wonder why Ballmer was still in power considering the stock price hasn't moved much in over 10 years.

Ray Ozzie leaving post as Microsoft's chief software architect.

Friday, October 15

MobileMe Calendar Comes out of Beta

Following up on this post that I wrote back in July, the MobileMe calendaring system has come out of Beta.  Which means that if you are using the MobileMe service and you are on Snow Leopard (or Leopard) your iCal calendar should automatically switch over to WebDAV.  As well as your iPhone's calendar if you are running 4.0.

The nicest part about the system is the ability to invite other people to events from your iPhone and iCal, as well as see their Free/Busy schedules.

Update:  Apple's article on the subject.

Monday, October 11

I'm speaking at Security B-Sides Delaware

We have a lot going on in Delaware.  Tax-free shopping, we elect crazy people, and we have the Security B-sides Delaware event happening in November.

I was asked if I would submit a talk to the conference, and lo and behold, it was accepted.  (Along with a bunch of other great presenters; check out the first round of CFP accepts here.)  Hopefully lots of people will come.  I actually have a confession to make: I've never actually been to a Security B-sides, although, from watching the Twitter, they are very popular.

Abstract of my talk:
Shining light into the "now what" arena of IDS and IPS tuning, I'll talk about what the next steps should be with the alerts, tuning, and maintenance of the ruleset and configuration deployed into an IDS or an IPS.  General guidelines will be provided, however, all guidelines must be adapted to your specific environment.

I look forward to seeing many of you there, thanks for supporting B-sides.  Okay, back to making slides.

Security B-Sides / BSidesDelaware.

Monday, October 4

Snort 2.9.0 has been released

Now available from Snort.org, Snort 2.9.0 and DAQ 0.2.  I'll be writing some articles at some point to expand upon some of the functionality of Snort 2.9, but for now, know that there are some very nice new keywords in 2.9 and also an improved Stream model, as well as lots of improvements all over the place in the engine.

...and now some cut and paste from the release notes!   Download it now!


[*] New Additions
* Feature rich IPS mode including improvements to Stream for
inline deployments.  Additionally a common active response API is
used for all packet responses, including those from Stream,
Respond, or React.  A new response module, respond3, supports the
syntax of both resp & resp2, including strafing for passive
deployments.  When Snort is deployed inline, a new preprocessor
has been added to handle packet normalization to allow Snort
to interpret a packet the same way as the receiving host.

* Use of a Data Acquisition API (DAQ) that supports many different
packet access methods including libpcap, netfilterq, IPFW, and
afpacket.  For libpcap, version 1.0 or higher is now required.
The DAQ library can be updated independently from Snort and is
a separate module that Snort links to.

* A new rule option 'byte_extract' that allows extracted values to
be used in subsequent rule options for isdataat, byte_test,
byte_jump, and content distance/within/depth/offset.

* Two new rule options to support base64 decoding of certain pieces
of data and inspection of the base64 data via subsequent rule

* Added a new pattern matcher that supports Intel's Quick Assist
Technology for improved performance on supported hardware
platforms.  Visit http://www.intel.com to find out more about
Intel Quick Assist.

[*] Improvements
* Updates to HTTP Inspect to extract and log IP addresses from
X-Forward-For and True-Client-IP header fields when Snort generates
events on HTTP traffic.

* Updates to SMTP preprocessor to support MIME attachment decoding
across multiple packets.

* Updates to the Snort packet decoders for IPv6 for improvements to
anomaly detection.
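As an added illustration of the new byte_extract and base64 rule options listed above (this is not part of the release notes or of the Snort project's own rule sets), the two rules below show how a length field extracted from the packet can bound a later content search, and how base64-encoded data can be decoded and inspected in the same rule.  The tcp/9999 protocol layout, the variable name fname_len, the 128-byte decode limit, and the sid values are all assumptions made for this example.

```snort
# Constructed example protocol (not a real service): a client request on tcp/9999 is
#   byte 0     : opcode, 0x01 = "open file"
#   byte 1     : length of the filename field, one byte
#   bytes 2..  : the filename, exactly <length> bytes, followed by other fields
# byte_extract stores the length byte in the variable "fname_len" and moves the
# detection pointer past it; "within:fname_len" then confines the traversal-sequence
# search to the filename field, so a "../" in an unrelated trailing field does not fire.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 ( \
    msg:"EXAMPLE-PROTO directory traversal in filename field"; \
    flow:to_server,established; \
    content:"|01|"; depth:1; \
    byte_extract:1, 0, fname_len, relative; \
    content:"../"; within:fname_len; \
    classtype:web-application-attack; sid:1000001; rev:1; )

# base64_decode decodes up to 128 bytes following the "Authorization: Basic " match
# into a separate buffer; base64_data points the options after it at that buffer, so
# the final content match inspects the decoded "user:password" string rather than the
# encoded wire bytes. Here it flags the (assumed) built-in "admin" account being used
# over cleartext HTTP toward $HOME_NET, which is a policy-visibility rule, not an exploit.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE HTTP Basic auth for the admin account over cleartext"; \
    flow:to_server,established; \
    content:"Authorization|3A| Basic "; nocase; \
    base64_decode:bytes 128, offset 0, relative; \
    base64_data; \
    content:"admin|3A|"; depth:6; \
    classtype:policy-violation; sid:1000002; rev:1; )
```

Both rules belong in a local rules file that snort.conf includes; sids of 1000000 and above are the conventional local range so they do not collide with VRT-distributed rules.  Note that byte_extract detects nothing on its own: the rule only fires when a later option (here the second content match) uses the extracted value and matches.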

Evernote, Omnifocus, and my productivity

Over the past several years my job here at Cisco Talos has changed drastically.  I took on new roles, which is awesome and exciting, but in ...