Offset, Depth, Distance, and Within

Without going off the deep-end here and discussing every single Snort rule keyword, I just wanted to touch on a few modifiers that people sometimes misunderstand.  They aren't difficult, and hopefully after this explanation and a few examples, I can clear some of the air around these five modifiers.

The five modifiers that I am talking about are

1. Offset
2. Depth
3. Distance
4. Within
5. nocase

These five modifiers are not keywords of themselves, but rather they apply as modifiers to another keyword.  That keyword is "content". The content keyword is one of the easiest pieces of the Snort rules language as all it does is look for a particular string.  So for instance if I wanted to look for the word "joel" within a packet.  A simple:

content:"joel";

Would allow me to do that.  The interesting part comes into play when you want to specify where inside of a particular packet you want the string "joel" to be looked for.  If you are running just a plain content match with a simple string, and not specifying where in the packet to look for that string, your Snort instance will receive a ton of alerts, and then you, the analyst, are stuck looking through all of those alerts to try and pick out the alert that is needed.  While a content match for "joel" might be pretty unique (that might not occur a lot on your network), but it will occur a bunch on mine.

1. Offset

Offset in the Snort manual is defined as:

The offset keyword allows the rule writer to specify where to start searching for a pattern within a packet.

So, given a certain packet, Offset tells the content match it's modifying where to start looking, given an offset from the beginning of the data payload of the packet.

In the above example, if I wanted to find the word "GET" (highlighted).  I would write:

content:"GET"; offset:0;

Meaning, start at the beginning of the data payload of the packet (offset:0;) and find the word GET.  Now, in this example, the word "GET" is at the very beginning of the packet making the search very easy.  However, if I wanted to match on the word "downloads" that is found a bit later in the above screenshot, I could still start my content match at the beginning of the payload (offset:0;) but the content match would be more accurate and less computationally expensive if I were to make the offset more accurate.

content:"downloads"; offset:13;

Would tell Snort to start looking for the word "downloads" at the 13th byte in the data portion of the packet.  So, what if I chained these two together?

content:"GET"; offset:0; content:"downloads"; offset:13;

In other words, start looking for "GET" at the beginning of the data payload of the packet, and start looking for the word "downloads" at the 13th byte of the packet.  Now, why would I do this?   This example tells Snort, after the first content match, go back to the beginning of the packet, move over 13 bytes and then start looking again for a second content match.  There are several things wrong with this example, that I did on purpose. First off, if you are at the first content match in a Snort rule, or a content match you want to start at the beginning of the packet, you don't have to write "offset:0;".  Any content match that doesn't have a modifier after it automatically starts at the beginning of the data payload portion of the packet by default.  Offset:0; is implied for this type of match. Second, and a:
<Common Misconception>
Some tend to think that if they stack two contents next to each other, that Snort will look for those contents in the order they are provided.  For example, if I were to write:

content:"GET"; content:"downloads";

Some people generally think that in the above example, that the word "downloads" will have to occur after the word "GET" in the packet.  This is Wrong.  If no modifiers to contents are specified than the order of the matches within a given packet (or stream for that matter) doesn't matter.  "downloads" could be first, then "GET", and the rule will still fire. So given the above exampled screenshot, if I wanted to force the word "downloads" to occur after the word "GET".  I could use a distance modifier.  Which I will touch on a bit later.

 2. Depth

Depth in the Snort manual is defined as:

The depth keyword allows the rule writer to specify how far into a packet Snort should search for the specified pattern from a given offset.

So, given the above example again:

I want to match on "GET" but ONLY if it occurs as the beginning of the packet.  Notice when I was describing offset above I said that offset tells Snort where to start looking.  Not where to stop.  If I don't tell Snort where to stop using a content match, Snort will search the entire packet.  If I want to tell Snort where to stop looking for a content match, I have to use something like depth. So for the above example, if I want to match on "GET" but only at the beginning of the data portion of the payload:

content:"GET"; depth:3;

Notice some things.

1. I didn't start with Offset:0;.  Remember, if I am beginning a content search at the beginning of the data payload of the packet, offset:0; is implied.
2. Depth counts in positive integers.  While offset starts counting at "0" bytes, depth counts in positive integers, "GET" is three bytes long, so my depth is "3".
3. Depth starts counting from the offset point.  Not from the beginning of the packet.  While, in the above "GET" example, the offset point IS the beginning of the packet, don't get confused by this.
4. By telling Snort to only look in the first three bytes, if Snort is analyzing millions of 1500 byte packets, only matching on the first three bytes is a significant CPU saver.
5. BTW -- Don't do the above example, as you will essentially match on every single GET request on your network, turning your IDS into a brick.  This is just an example.  Besides this is what http_method is for, which i'll cover in a later blog post.

3. Distance

Distance is defined in the Snort manual as:

The distance keyword allows the rule writer to specify how far into a packet Snort should ignore before starting to search for the specified pattern relative to the end of the previous pattern match.

(Emphasis added by me) Distance says to us, "okay, relative to the end of the previous content match, when should I start searching for the second content match?".  So bringing back my previous example:

content:"GET"; depth:3; content:"downloads";

If I were to do this:

content:"GET"; depth:3; content:"downloads"; distance:0;

That by itself would force the content match "downloads" to occur after the "GET" content match.  Doesn't matter where (distance:0;), just as long as the pattern match is AFTER the first one.  However, if I wanted to be more specific and more specifically match on the screenshot that I provided above:

content:"GET"; depth:3; content:"downloads"; distance:10;

This says to the Snort engine, "match on GET, in the first 3 bytes of the data payload of the packet, then move 10 bytes relative to the end of GET and start looking for "downloads"". Notice I said start looking.  Not limited to.  Kinda like putting an offset without a depth there... so we have within.

4. Within

Within in described in the Snort Manual as:

The within keyword is a content modifier that makes sure that at most N bytes are between pattern matches using the content keyword.

Within allows you to specify a range between content matches, it also allows you to tell a second (relative) content match where to stop.

So, using the content matches we've built already:

content:"GET"; depth:3; content:"downloads"; distance:10;

The only problem here is "downloads" is being searched for in the entire packet, except for the first 13 bytes, essentially.  How can we make downloads only be searched for at that specific spot?  Within.

content:"GET"; depth:3; content:"downloads"; distance:10; within:9;

"Match on GET, in the first 3 bytes of the data payload of the packet, then move 10 bytes relative to the end of GET and start looking for "downloads", however, "downloads" must occur wholly within the next 9 bytes." Could I say "within:10;"? Yes, I could, and then downloads could be in it's present position, or if there was another byte in front of the actual content match. Also notice that within, like depth, also works in positive integers (distance starts counting at "1")

5. nocase

Finally, let me discuss "nocase";.  nocase, or "No case" simply means, for the content match specified, do not pay attention to case sensitivity.  "nocase" doesn't make the Snort engine work any harder in the grand scheme of things, and it's very handy for being able to make sure your rules do not get bypassed. Example? Let's say I wanted to match the above screenshot, no matter what.  Well, if I was an attacker, and I came to your webserver trying to access your "downloads" directory, as the rule is written, I could pass my "GET" string as lowercase "get" or mixed case "GeT", and depending upon your webserver, it might accept it, and I have effectively bypassed your rule. The easiest thing to do with this type of evasion is to use a nocase; statement.

content:"GET"; depth:3; nocase; content:"downloads"; distance:10; within:9; nocase;

So, I want you to notice a few things:

1. We went from very generic to very specific, your use case will vary.
2. Modifiers to contents come AFTER the content match.  Not before, they won't work, don't try it.
3. Offset goes with Depth, distance goes with within.  Don't mix them.

Hopefully this helped someone clear up any confusion surrounding these keywords.  For further information, please refer to the Snort Users manual. http://www.snort.org/start/documentation
--

SNORT and Sourcefire are registered trademarks of Sourcefire, Inc.

Apple sues HTC for alleged infringement of 20 iPhone patents

AppleInsider | Apple sues HTC for alleged infringement of 20 iPhone patents.

...And so it begins...  I was beginning to wonder when this was going to happen, of course, HTC, the makers of many phones, the most notable being the Google Nexus One, and the G1.

We'll have to wait and see how this one shakes out.

Plugins add grunt to Google’s Quick Search Box

Plugins add grunt to Google’s Quick Search Box « Hawk Wings.

If you are a user of Google's Quick Search Box (similar to QuickSilver), and is in active development, you can download and use these series of scripts in order to interact with the rest of your OS.  (Things like sending a file through email in Mail.app).

Or, you can just stick with QuickSilver.  It does all these things already.

Hogging the Snort Host Attribute Table

Hogger is a new Snort supportive tool written in Perl.  It takes Nmap output and makes a Host Attribute Table.

via Security - The Global Perspective: Hogging the Snort Host Attribute Table.

I talked about the above here.

Writing Snort Rules Correctly

Let me start off by saying I'm not bashing the writer of this article, and I'm trying not to be super critical.  I don't want to discourage this person from writing articles about Snort rules.  It's great when people in the Snort community step up and explain some simple things out there.  There are mistakes, it comes with the territory.  If you choose to be one of the people that tries to write Snort rules, you also choose to be someone who wants to learn how to do it better.  That's why I write this blog post, not to bash the writer, but to teach.

I noticed this post today over at the "Tao of Signature Writing" blog, and to be honest I glanced over most of it figuring it was a rehash of things I've already read or things that have already been written from countless people about "Here's how you write Snort rules!".  I scrolled down quickly skimming, not reading at all really, and noticed this part:

Now, let us look at the second question: “We have “aol” as the id and Import method name. Should we use “aol” along with “Import”?”. Just because we narrowed down to “clsid:” followed by CLSID number, does not mean that we have to narrow down in this case too. Just like how the Shellcode will change, the attackers might change the ID too, to just find out if they could evade the IDS/IPS. Why give them a chance? Hence, we should broaden our search to just the import method: content:”.Import(“. The reason why we have “.” and “(” around the key “Import” is to narrow the chances of triggering the signature on some term “Import” and to concentrate on the vulnerable method.

This post is about ActiveX and CLSID detection with a Snort rule, trying to detect an AOL 9.5 ActiveX 0day.  Okay, fair enough, so the above paragraph is trying to find the Import command to call the javascript.  So I kept reading.

Then I got to this part:

In here, I would like to position the CLSID before the method. This would help me trigger the signature specific to “AOL 9.5 ActiveX 0day Exploit (heap spray)“. I can do this ordering by using “Offset”. We cannot set the “Depth” in this case, since the position of CLSID or Method in a packet will change according to the packet size or the way in which it is sent. Hence, the content of final signature would look something like this:

content:”clsid:A105BD70-BF56-4D10-BC91-41C88321F47C”; nocase;content:”.Import(“; nocase; Offset:0;

The writer is correct in a couple things.

• First, they say they want to position the CLSID before the method, so they want to do with using offset.
• Second, they say they cannot set a "depth" because the position and method in the packet will change according to the packet size, which is partially correct.

However, the problem with this above signature is that the offset is placed after the second content match.

So here's what would happen with the above signature so far.  The CLSID content match is the longest, so it would be fed into the fast pattern matcher.  If the fast pattern matcher came across a packet that matched the CLSID that is specified in the rule, <leaves stuff out>, then the packet would then be run through the detection engine (rule) for detection.  Contrary to popular belief, unless an offset/depth/distance/within modifier is specified, there is no order for the packet to match.  So if I were to write the above as this:






content:”clsid:A105BD70-BF56-4D10-BC91-41C88321F47C”; nocase;content:”.Import(“;nocase;




Snort doesn't care which order the content matches are in.  As long as both the contents are in the packet, then the rule will fire.  So putting a content:".Import("; nocase; offset:0; does absolutely nothing.  You can kind of think of offset:0; being implied, but if you don't have any relative content matches, then it really doesn't matter unless you are trying to be specific to a position match.  However, as the author already stated, you can't add a depth statement to the rule, so it plain, just doesn't matter.  I see this kind of thing all the time, so I figured common mistake.  So I kept on reading:

Now, let us look into the direction of traffic. Client-side exploits generally flow from server to client: “flow:to_client,established;“.

The author explains that "Client-side exploits generally flow from server to client".  Okay, correct in this instance, but not always, so let me explain:

Flow has four direction operators you can specify:





• to_server
• from_server
• to_client
• from_client



What happens is when I hear from people is that they think "server" as that 2U thing back in the server room (hence the name), and client being "you".  But that's not how Snort thinks about it.  Snort thinks about client server in the "who initiated the conversation" term.  So, at the beginning of a TCP conversation there is a 3-way handshake.  SYN, SYN-ACK, ACK.

1. CLIENT ->  SYN -> SERVER
2. CLIENT <- SYN, ACK <- SERVER
3. CLIENT -> ACK -> SERVER

The client is who initiated the conversation, the server is who is responding. So, in this case, since we are attempting to catch a web browser accessing a webpage and downloading a webpage which contains this CLSID, the flow would be to_client.  (Or from_server) Correct.  However, what if someone downloaded a PDF, and upon opening the PDF the PDF went and grabbed something off the internet.  This is a client side exploit, however, the flow would be reversed.  So, the author is correct in saying that "Client-side exploits are generally..." I wanted to explain to make sure no one was confused.  The "established" keyword means the the session is established.  So beginning on the 3rd part of the 3-way handshake.

In this case some folks might believe that CLSID is already in the “content” part of the signature, and that this is a repetition if we use it in PCRE once again. We are not using this PCRE to repeat the value in the content, but to ensure that we do not miss any possibilities of matching this exploit. Let us look into the PCRE part of this signature:

pcre:”/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si”;

In here, the signature is telling the PCRE compiler that there is “< object” followed by strings and “>” with multiple-strings possibly following it followed by “classid” & “=” with the “clsid”, “:” and “{“. The true classid is then inserted into the PCRE. The PCRE ends with /i to indicate the case-insensitive nature of this regular expression.

The first paragraph is partially correct.  If you check for a content match, you can use a pcre to clarify what you are looking for.  This is done for a couple reasons.  One, as the author states above, is to not miss the possibilities of matching the exploit, but more accurately, it's to avoid obfuscation of the exploit.  So for example, let's go back and take a look at the content match before we look at the pcre portion.






content:”clsid:A105BD70-BF56-4D10-BC91-41C88321F47C”; nocase;




Problem with this content match is, well, I wouldn't have put the specific "clsid:" in there.  Reason?  If I was an attacker and I wanted to bypass your rule, I would put "clsid: A105BD70-BF56-4D10-BC91-41C88321F47C”. (Notice the space after the colon.)  Which completely bypasses the content match.

So let's come back to the pcre and take a look at it.

Now, this PCRE format was written by the VRT and a lot of people have copied it blindly without understanding what it does.  So let me explain, as what the author wrote in the second paragraph quoted above, is wrong.  As I said, I'm not trying to be mean or whatever, I am simply trying to teach.

So, the pcre is this:

/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si

(I am going to put double quotes around the things we are trying to match that are explicit, the quotes don't actually exist in the regular expression unless specified)

So we are looking for "<OBJECT"

Then a whitespace (\s).  That's what "\s" is.  (It says 'followed by strings' in the above quoted paragraph).  Whitespace is a tab, (0x09), space (0x20), new line character, or a line feed (0x0A), or a carriage return (0x0D).  The "+" sign after the "\s" means 'any character directly proceeding it as many times, but there must be at least 1'.  So there must be 1 or more "\s" there.

Then you see this "[^>]", which the author says that we are positively looking for.  The thing about character classes "[ ]" is, they allow you to do some nifty things.  Range matching, ([0-9]), multiple matches, [abc] (this will look for either an a, b, or c, for one character), and you can also do negative matches.  Or "lack of" matches.  The way you specify a negative match within a character class is to use the carat within a character class.  So "[^>]" means, "the next character after any amount of positively matched "\s" cannot be a ">".  Directly after that is a "*" character.  The "*" is similar to a "+" but the difference is, while a "+" means you must have at least 1 match of the proceeding character (in this case the negative character class), the "*" means you don't have to have a positive match.  It means "0 or more".

Following that we have a "classid\s*=\s*" match.  So look for classid(maybeaspacehere,it'soptional)=(maybeanotherspacehere)

Then there is a "[\x22\x27]".  In regular expressions, if you want to specify a hex character you have to write "\x" before the hex.  So, you might see a space specified like this: 0x20.  You might see it specified in Unicode like this: %20.  In regular expressions, it would be "\x20".  Since there are two characters within the character class, 0x22 is the hex for a double quote.  "  and 0x27 is hex for a single tick. '

Since this is a run of the mill character class match (not a range or something more complex) this means that the next character that the "[\x22\x27]" pattern match is looking for is either a ' or a ".  Notice the "?" after the character class?  That's a 'lazy optional'.  So without going into a long book about lazy and greedy (which, by the way, if you are interested, I suggest checking out the book "Mastering Regular Expressions" by Jeffery Friedl, it's the bible), the "?" basically means "The Character that is directly in front of the "?" is optional".  So, it essentially means, when all put together the match is either a ' or a " or not at all.

Then we have (maybesomewhitepacehere)clsid(maybesomemorewhitespacehere):(maybesomemorewhitespacehere){(optionally)(maybesomemorewhitespacehere)A105BD70-BF56-4D10-BC91-41C88321F47C.

Notice that I translated "\x3a" and "\x7B" (the latter of which has the "?" behind it, so it's optional) above.

Then the modifiers of the whole Regular Expression at the end are "/si".

"s" means "include new lines in the dot metacharacter".  However, there are no "." metacharacters in the regular expression, so that was probably put there by habit (and good practice), and the "i" means "anything within the regular expression treat with case insensitivity"  similar to the "nocase;" keyword in Snort's regular rule language.

So the final signature that the writer comes up with is:






alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:”ActiveX Exploit Signature Sample”; flow:to_client,established; content:”clsid:A105BD70-BF56-4D10-BC91-41C88321F47C”; nocase; content:”.Import(“; nocase; Offset:0;pcre:”/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si”; reference:url,www.exploit-db.com/exploits/11204; rev:1;)




Which I am going to rewrite:






alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ActiveX Exploit Signature Sample"; flow:to_client,established; content:"A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase; content:".Import("; distance:0; pcre:”/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si"; reference:url,www.exploit-db.com/exploits/11204; rev:2;)




So, what did I do different?  Removed the "CLSID" content match, it won't speed up detection, and it checked for in the pcre anyway. So, if you are going to fire up the pcre engine to check the content match on the long content match, just knock out two birds with one stone.

What's with the "distance:0;" stuff?  I made the content match directly proceeding that relative to the previous content match.  Since I don't have a within, I don't constrain the match.

Why did you keep the ".Import(" stuff?  False positive reduction.  It will do nothing to speed up the match.

So, be careful when writing rules.  Unless you understand all the pieces and parts you can walk yourself right into a dark hole and do it wrong.  You can do that to yourself, but take extra care that you don't walk anyone down the hole with you.

Again, I post this, not to be mean, but to be constructive.

Page for my Mustang

Someone wrote me on Twitter and asked if I had a webpage about my 1968 Mustang, and I said I didn't, although it was a good idea for those that are interested.  So I made a quick page here on my website that I will keep updated with it's progress.

Check out the page here.  Thanks.

You can also find it under the "Pages" links on the right hand side of the homepage of the blog.

Why buying a DVD sucks

This is an image that's been floating around the past couple days on the internet.  I have no idea where it originally came from.

I don't pirate movies, I buy movies from iTunes, which, skips all the nonsense illustrated above and just gives you the movie.  Which, really, is all we want anyway right?

I thought this image kind of sums it up correctly though.

Stop Google Buzz From Showing the World Your Contacts

Stop Google Buzz From Showing the World Your Contacts - google buzz - Lifehacker.

If you are a person who values their privacy and want to secure you Google Buzz contacts, I.E.  Not show everyone in the world who is in your contact book, follow the directions above.

I've done this, just for good citizen's sake, as well as manually blocked some people that I don't trust.  Keep on top of this stuff people!  As an online community becomes more ubiquitous, the more risk you present in revealing too much.

Tuning Snort with Host Attribute Tables - CSO Online - Security and Risk

Tuning Snort with Host Attribute Tables - CSO Online - Security and Risk.

Here is an article I wrote for CSO magazine, thought the readers of my blog might like to check it out as well.

I was asked to write a fairly technical article for CSO magazine about Snort, the problem is, which part of Snort do you write the article for?  An article about Snort can be very technical or not so technical.  One of the advantages of having Open-Source software.

In any case, enjoy.

Will Hack For SUSHI » MiFi Config Hack

Will Hack For SUSHI » MiFi Config Hack.

A post by friend and collegue at SANS Joshua Wright.  Joshua is one of the guys I know that is really proficient at hacking wireless.  Bluetooth, wifi, etc.  He does some really wonderful work at that, and he's fantastic at it.

This post is about him hacking his Mifi (Verizon).  He has two posts on the subject you should check out if you have a Mifi.

The other post is here.

Fun with Firewall Logs

So, after my post about ask.com's network...  Here's another quiz for you.

Feb 15 09:16:39 localhost kernel: IN=eth0 OUT= MAC=00:03:47:f1:52:0d:00:18:01:b6:c1:4d:08:00 SRC=121.242.15.135 DST=192.168.x.x LEN=72 TOS=0x00 PR

EC=0x00 TTL=45 ID=32394 DF PROTO=TCP SPT=52764 DPT=22 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0

What kind of fun is that!

Baby 2.0 picture

Enjoy.

Help Desk sign I wish I had sometimes

Help Desk sign I wish I had sometimes - The Posterior of Randal Schwartz.

From someone at Oddly Specific.

Thanks Shirkdog for pointing this out.

Hey, ask.com, what are you doing?

So, in the spirit of another post I put up recently, I am monitoring my firewall logs for anything strange and I keep seeing this:

Feb  8 14:47:55 localhost kernel: IN=eth0 OUT= SRC=66.235.120.71 DST=192.168.x.x LEN=455 TOS=0x00 PREC=0x00 TTL=49 ID=33745 DF PROTO=TCP SPT=80 DPT=58709 WINDOW=54 RES=0x00 ACK PSH URGP=0

The Source is Ask.com, the DST is my webserver, but take a look at the Ports.  SRC port 80?  DPT 58709?  Anyone else see anything like this?  This is being denied at my firewall because of my ESTABLISHED,RELATED line.  So, the connection was not made from here.  It's initiated from the outside.

What's going on over there at Ask.com?

WP Greet Box is back

I took away the WP Greet Box for awhile based on the fact that I didn't really have it configured optimally.  I wanted the Greet Box (which is a little pop up widget that say "Hello, welcome to the site, you can subscribe here" -- pretty much) because on several of the themes I have been partial to, had no obvious way to subscribe via RSS.  I've fixed that now with, as the blog will advertise that it has a feed in the URL bar now (for most modern browsers), also with a link over in the sidebar that points you to the feed.  But I wanted a little something, non-intrusive, that pointed to the RSS feed when you came from certain sites.  (Digg, StumbleUpon, things like that).  So it's there again, but only if you get directed from certain webpages to my site.  Which, actually, is the majority of the hits I receive.  Basically it's just an experiment.  Bear with me.

A couple snow pictures

Lots of Snow over the past couple days. 2nd biggest snowfall ever for this area.

If Email Signatures Were Honest

Murray The Nut » Blog Archive » Signatures.

Very Funny.

One in five physicians likely to purchase Apple iPad - study

AppleInsider | One in five physicians likely to purchase Apple iPad - study.

This is what I said back here, so I am glad that someone did a study on it.  Very interesting what the future holds for this form factor of device.  I think the early critics are going to be eating their words in a year or so.

If you never knew it occurred, did it occur in the first place?

In my To-Do list, I have a section for Blog topics that I think of in $random_place and I want to jot down for brainstorming later. This topic has been on my to-do list for about a year.

I was standing on a stage giving a speech at a military base, in about 2004.  The people I was giving a speech to were about 200-250 different "network" and "Systems" administrators from all over this military base in tons of different units.  In this audience I had military, civilian, and contractor.  I was asked to give a speech to the system administrators because some of them didn't see the value in security in their systems.  It was an afterthought and people weren't terribly excited about having to follow $regulation that ensured proper lock down of various controls in the operating system and network.

I asked this question:  "If you never knew it occurred, did it occur in the first place?"  I paused for effect, waiting for an answer.  One didn't come.  Obviously they had no idea was I was talking about.

I proceeded to explain the importance of reviewing logs, system and network information, explaining to them the importance of what I had found that week upon a security audit I was doing of their Army post.

Hundreds of compromised machines, botnets, poor security controls, inadequate permissions, etc.  This was all from about 3 days of work.  I didn't even get into the trenches trying to find things, this was just surface level scanning and network monitoring.  Not even penetration testing, just scanning.

They didn't know.  They thought their network was perfect.  They thought it was clean.  They didn't need to review logs.  They thought wrong.

If you aren't going to review logs, if you aren't going to look at the system logs, the firewall logs, the IDS/IPS logs, then why collect them?  The problem is, we have things like SOX compliance now that mandates that we have some kind of logging system.  Which is fine, it's a great idea, but people are missing the point.  The point of the SOX compliance and log review is for people to REVIEW the logs.  Otherwise what is the point?  So you can go back and see when you were compromised?

Some people will agree with me here and say "Yes, I'd like to have historical information so I can go back and see when the intrusion occurred."

That's fine, I don't disagree, but stop for a second while reading this and meditate on this question "Why?"  What are you going to do about it?

If you are going to look at your logs and dismiss them, instead of looking at your logs and doing something about the mistakes that you find, then what's the point in looking at the logs.  Don't waste your time.

It's your JOB to be looking at these things, if you aren't going to DO your job, then quit.  We don't need you in our industry because it's people like YOU that are messing things up for the rest of us.

I'm going to do it...  I am going to use APT (Advanced Persistant Threat).  APT was found by looking at logs.  APT has been around for a long time.  Before I worked at Sourcefire, I worked for the Department of the Army in computer security, and we were dealing with APT (only it wasn't called that back then) then.  We didn't have an advanced term for the threat, we used terms like 'rootkit' and 'trojan'.  We were looking at hacks that we had never thought possible offloading information to countries that weren't ours.  Some of the techniques were so interesting and secret, they haven't been made public to this day, so I can't talk about them here.

But we found the compromises by looking through logs.  I've said this before, and I'll say it again, what's the point in having a security device that keeps logs if you aren't going to LOOK at it?

Review: Jawbone ICON Bluetooth Headset

I am not trying to jump on you like a bully and pummel you with reviews for a few posts recently, but I feel, as a geek, I have the need to tell my other geeky friends if something sucks, or if something is good. That way, not everyone spends money on things that are complete pieces of crap.

For those of you seeking a Bluetooth headset, you may want to look no further than the Jawbone ICON headset. Little bit of background before I proceed.

I've had all three versions of the Jawbone now. The Jawbone One, was big, bulky, but it did it's job right, however, it did not survive the trip through the washing machine. The second version fixed that, (not the washing machine part, the big and bulky part). Same awesome noise cancellation technology, much much lighter, the only problem was, it wasn't very solid in your ear, and it fell out of my ear a lot, simply because it just felt like it was Stallone in Cliffhanger, hanging on for dear life. The only other thing I didn't like about the second generation jawbone was the buttons. I could never find them. There were two buttons, one on the side and the other on the back, kinda. They were next to impossible to find with your fingers, as they didn't have any raised indication that said "hey, this is a button!"

But let me tell you what, with this new one, they have really outdone themselves. The Jawbone ICON comes in six different designs. "The Hero", "The Bombshell", "The Catch", "The Ace", "The Thinker", and "The Rogue". All are various colors and designs, but they all have the same key features.

The NoiseAssasin® technology is awesome. On by default, it uses a sensor that presses against your cheek to sense when you are talking, it compares that vibration with the mic's input, and thusly uses the difference to cancel out all the remaining background noise. It's awesome for wind, trains, or whatever. You can be in a noisy room and talk to someone on the phone, and the only thing that the people on the phone can hear is you. It's incredible. For a video demonstration of how this works, go to Jawbone's website and click on the lower right area. Check it out.

This version of the jawbone adds a few awesome features:

1) If you are using the jawbone with the iPhone, the battery indication is on the screen of the iPhone up next to the battery indicator for the iPhone itself. If you ever bought the iPhone bluetooth headset (which I didn't), you'll recognize what this indicator looks like.

2) But that doesn't matter cause you can reach on the back of the jawbone, press the button once, and it announces in your ear how many hours of talk time you have remaining.

3) When you receive a call, the ICON will read the caller id into your ear. Just the number. Not any names or anything, which kinda stinks. I wish it would at least try to pronounce some of my coworkers and friends names just so I could get a laugh out of it. But the number is just fine. It's a heck of a lot better than scrambling for your phone when the thing rings just to see who called. I mean isn't that the purpose of a bluetooth headset? So you don't have to fumble for your phone?

4) It doesn't have any blinking lights on the outside. Which is nice, because then you aren't sitting on a train or something and have an annoying blue blinking light on your ear. Or even better, when you are in a hotel room and the blue blinking light is so bright it lights up your whole hotel room every 10 seconds or so.

5) Voice control. The Jawbone has always had voice control, but now, coupled with the iPhone 3GS that I have, I can hold down the button for two seconds and say "Call Wife", which the iPhone then asks "Home, Mobile, or Work?" And I simply say what I want. I like the fact (and this is more on the iPhone than the Jawbone) that I don't have to hit ANOTHER button to say "Work". I just say it after the little 'beep'.

6) It has an on-off switch. I don't have to hold down a button that I can't find to turn this thing on and off. The button is a toggle sliding switch on the inside (faces your face) side of the jawbone. Flick it on or off, and you KNOW which one it's doing.

7) Redial is a double tap of the button on the back. The Jawbone then says "Redialing" in your ear

8) When the battery does get low, it will tell you in your ear. No more guessing.

9) You can connect this thing to multiple phones. YES SERIOUSLY. You can even manage calls from two different phones at the same time. Are you kidding me? This is 2010 right? We aren't in 2020 or anything?

10) They converted from their annoying proprietary charger attachment to a Mini-USB plug. Very standard and easily replaceable if you lose it.

So, overall, I'm very satisfied with this thing, and if you are looking for a new one, or if you are happy with your old one... this one is better, it's smaller Oh and one more thing?

This thing stays in my ear! No loop around the top of my ear, I just put it in my ear and it stays there.

Go, run, don't walk, to the nearest Best Buy/Apple Store/AT&T store. This thing is new, so it may not be in all the stores yet (so it's available online via their website) your milage may very. Check the websites.

I got mine at a Best Buy.

Review: Capitol Hilton, Washington, D.C.

This week I had to come down to Washington, DC to work with a customer.  Now, I've been to loads and loads of Hotels, and most of the big ones in Washington, DC.  This week I decided to stay at the Capitol Hilton.  It's about three blocks North of the White House.

So, being the traveler I am, I am a Diamond member with Hilton, for the past three years, which is the highest you can get as a "premier traveler" with Hilton Rewards.  I'm not saying that to brag, I'm saying that to illustrate a point.  As a diamond member, you automatically get certain things.  Free Gym access, free breakfast, free newspapers, and free room upgrades just to name a few.

So, and you might call me spoiled, but whatever, I'm not trying to act that way, I'm giving a review.

So, I get my room.  No refrigerator, shower was dirty, shower head sprayed water every which way (indicating that you have hard water, and the shower head hasn't been cleaned), and no electrical outlets in the bathroom.

Now, how do you not have electrical outlets in the bathroom?  God forbid I should be a woman and need to plug in the hair dryer!  Where was the closest outlet? Behind the TV. Which was on a TV stand, which was immovable. So, there was no way to dry your hair (and curl it, with a curling iron, cause I think of stuff like that for my wife) anywhere close to in front of a mirror. Matter of fact, the only place you could have plugged it in, was behind a TV stand in the middle of the room.

There were four outlets available in the whole room. Two on the lamp on the desk, and two behind the night stand. So, if you are technical person like me, you have stuff plugged in all around the room. Fairly annoying.

The TV was ancient, you couldn't hook up any external media to the TV, which, is also annoying.

Room service food was so-so. The menu consisted of things like foi-gras and the like. Seriously? Who is going to eat food of "that" caliber from the room service menu? People that order room service want things like wings, and quesadillas, pizza. Room service is like, a last resort and you just want something good. Oh, and by the way, a sandwich for 19 dollars? So, you add delivery fee onto that, drink.. You have a 30 dollar dinner? A bit much for a regular sandwich. I order room service fairly often (because I get tired of prowling through a city trying to find food -- you travel as much as me, you'll know what I mean) and the average price is around 19-25 bucks. 30+ dollars for dinner is overpriced for simple food.

Internet. The Internet speed was pretty good actually, but it was something like $15 dollars a night. Again, not what I am used to, and not comparable to the other hotels in DC. The room rate per night was reasonable, (for DC), but the other things they charge you for a the hotel was overpriced.

Now, saying all that, there was a note on the desk of my room saying that the hotel is currently undergoing a 36 Million dollar renovation. So let's hope they fix some things. The biggest request I have, of all hotels, is: PUT MORE OUTLETS IN THE HOTEL ROOMS. Accessible. Easy. In the Desk or something.

So, until the renovations get done, I recommend the Marriott Metro Center.  It's nice (without going higher to the Mandarin, W hotel, or JW Marriott), or either of the Hyatt's.  They are nice, but they have the 'lack of outlet' problem as well.

So, my review is pretty unhappy.  Now, finally, as I said in the beginning, I'm a Diamond member.  Would you like to see my view out of my hotel window of the lovely Washington DC?



Lovely eh?

I stay in a lot of Hilton's.  Most are nice.  This one is obviously old, and we'll forgive them for that.  So, maybe I'll try them again after they complete their renovation.

Steve Jobs: The Rolling Stone Interview : Rolling Stone

Steve Jobs: The Rolling Stone Interview : Rolling Stone.

This is an older interview (2003) with Steve Jobs.  This is shortly after the iTunes rollout on Windows, iPods were just taking off, before the iPhone, before the App Store, before the iPad.

This is an interesting interview and you can see where Apple was at the time as far as Steve's thinking was concerned, and how that thinking has come to shape Apple.

Great Anti-Email post

Jeff Atwood, blogger and coder over at Coding Horror, one of the many blogs I read, had this post up sometime last year, and I thought it was such a good post that I've recommended it to a couple friends, but I realized I never actually blogged it.

Jeff discusses a similar topic to what I've discussed in the past.  Checking email less often, shutting your email off for periods of time, turn off the "new message" ding.   All great points.

Go check out his post here.  Jeff, great job!

YouTube in html5, enable it now

I received this link on one of my mailing lists and thought it was the greatest thing since sliced bread.  Following up on my "Flash is dead" post, you can enable Youtube.com to work in HTML5.

Go to: http://www.youtube.com/html5 and you can "opt-in".  I assume it places a cookie in your browser so that every time you try and view a video, the video plays in html5 instead of flash.  My browser doesn't run at 100% CPU or anything.  It's awesome.  Go do it now, help kill flash.

Google to kill off IE6 support in 2010

In a big move by Google I just received an email letting me know that Google will be phasing out support for IE6 in Google Apps in 2010.

"In order to continue to improve our products and deliver more sophisticated features and performance, we are harnessing some of the latest improvements in web browser technology. This includes faster JavaScript processing and new standards like HTML5. As a result, over the course of 2010, we will be phasing out support for Microsoft Internet Explorer 6.0 ​as well as other older browsers that are not supported by their own manufacturers."

I think this is a phenominal move by a company as big as Google to say "not anymore". I wish other companies would take such a firm stance against my other pet peeves. You know, ActiveX, Flash, and Silverlight.

Snort Ruleset tuning, by the VRT

Awhile back here on this blog I wrote about PulledPork 0.3.4 being released and about the VRT making the "Connectivity, Balanced, and Security over Connectivity" policies.  Also about how you can use PulledPork to automate the updating of your open source Snort rules to take advantage of these recommendations.

Around about the same time VRT put a post up entitled the "VRT Guide to IDS Ruleset Tuning".  It was a good post, and I didn't really highlight it.  They post some really great examples towards the bottom of the post.  If you run a Snort installation and you've read some of my posts about Snort tuning, and "I've installed Snort, now what".  This is a good read as well.

Check it out here.

Flash, time for you to die

I've been reading a lot of hubbub about the new Apple iPad not having the capability of displaying Flash.  Of course!  It stands to reason that it can't, it has the same OS as the iPhone, which, also can't display Flash.  Which leads me to think, why do we need flash?

Answer is, we don't.  Not anymore.  90% of Flash usage is for audio or video on the Internet and HTML5 can handle <audio> and <video> tags.  It can do Canvas. (Oh and a TON more, I'm just illustrating a point.)  Some of the major browsers have adapted most of these technologies.  Webkit (Invented by Apple, powers Safari, Webkit, and Google Chrome [amongst others], and Presto (The rendering engine that powers Opera) have supported more than the other two majors (Gecko -- The engine that powers Firefox and all of it's kin), and Trident (The engine that powers Internet Explorer).  The last being the worst adopter.  Surprisingly.

I read somewhere (I can't find it now), about most browser crashes come from plugins.  Flash, Java, etc.  Why can't we eliminate these plugins and go with the native protocols?  That's what HTML5 is attempting to do for the most part, and I, for one, am glad for it.

Apple has always been about killing off technologies and moving onto what is on the horizon (killing off serial, going for USB, killing of Diskettes, going to CD, Killing off CD's (Macbook Air), moving more wireless (Airport), Killing off displayport, hdmi, dvi, vga, going with Mini Displayport).  They have never been afraid to just "move on" to the new thing.

I believe they said to Flash, die, HTML5 is here.  Then they turned to web developers and said "fix your stuff".  How did they do that?  Rolled out the iPhone, which has become the largest mobile browsing platform on the planet now.  Slowly and surely, what's happening?  Websites are changing away from Flash.

Unless, you know, of course, you are a band or a restaurant.  (Seriously?  What is with bands and restaurants and your use of Flash?)

I don't even need to get into the security issues of Adobe's Flash.  Look, there is one small part of Adobe working on Flash.  The entire internet is working on HTML5.

Flash (and Silverlight) is dead.  Get over it.

--

100% of the statistics in this post are made up.  ;)

One thing I forgot to mention about the iPad

People are already criticizing it because it doesn't have Flash on it (it runs the iPhone OS). I say to those people, GOOD.

Flash is, as the last year has shown us, a horrible piece of programming and it needs to die. HTML5 will kill it off for the most part, and it needs to stay dead. I don't think that Flash will be around much longer, and frankly, I'm not sad about it.

In the next few years, now that the iPhone is as big as it is, iPad will be all over the place (I think), flash will be dead, and developers will be rewriting their webpages to use things like H.264 and HTML5. There will still be things like the "Punch the monkey" banner ads that need to use flash (and various other games), but those people that develop those games, welp, looks like it may be time to move on.

iPad, why it's interesting

Yesterday, as everyone -- including me -- expected, Apple introduced their first big foray into the tablet computing market (if you don't count the iPhone as a tablet) called the iPad.

Which, even I, as an Apple fan, has to admit-- is a stupid name.  iSlate, or even "Tablet" would have been better, but, whatever.  (Plus, Fujitsu owns the "iPad" trademark, so we'll see what it winds up being -- remember "iTV" changed to "Apple TV" at launch.

Am I interested in one?  Yes.  I am interested because it's just enough for me to NOT have to carry around my laptop bag anymore.  Potentially eliminating the need to carry anything outside of a jacket. (Using a jacket like the Scottevest line: http://www.scottevest.com/ -- which is just handy, all those pockets.)  90% of my work could be done a device like this, and I'm just happy about that.

I don't think people are overwhelmed by it right now in this iteration because people feel it's just a big iPod Touch.  Well, fine.  I have to kind of agree with that idea, but look at how far the iPod Touch has come along since it's release.  It's not about the platform people, it's the APPS.  We'll see what happens in 60 days before it's release.  We'll see what happens in a year.

There is going to be a completely different class of Apps developed for this thing.  I fully expect even people like Microsoft to develop a version of Office (or maybe use the online office) for this thing.

Think of the possibilities for a couple markets:

A) Schools.  Imagine school children, colleges, high schools, etc with this thing as a standard issue device.  Think of what is going to come about as far as accessibilities to text books, not having to carry them around anymore.  Think about taking your quizzes and tests online, doing your homework online.  The elimination of the wasteful use of paper is coming in a big way.

B) Medical application.  Think of a doctor being able to walk around a hospital, every patients records, xrays, results, insurance cards, everything.  Accessible with their fingers.  Think about the Doctors being able to make notes right into the patients online chart.

These are just a couple examples I can think of off the top of my head about the possibilities for a device like this.

Security

Now, how should we treat this device from a security perspective?  It's a mobile device, but it's not a phone, it can't make phone calls.  (Native phone calls, not through Skype.)  It's not a laptop, it's more mobile than that.

I would have to say that'd we'd need to treat this device as a phone.  For the most part, it's a platform that has near ubiquitous access to the internet.  Any Starbucks, Barnes and Nobles, etc.  Then with the cheap 3G access available on it, I think there is going to be a whole class of people (maybe the sub-20 year old demographic) that would use this as a computer.  They don't need anything else for the most part.  My wife doesn't need anything more than this device.  Will you be able to print from it?  Probably not, but that's really the only thing I see that needs to be added from a software point of view for this to replace most computers.  My parents would use this instead of regular computer, most people would, if all they did was process email and read web pages on it.

This is the perfect couch device, this is the perfect "train" or "plane" device. There are a ton of possibilities for this thing, not necessarily at launch, but in a year/two years from now, this may be the computing platform that we are all using.

I'm really only disappointed in one thing.  No face forward video camera for teleconferencing?  Hm.  Well, let's think of this thing sitting on your lap.  Ideally the camera would need to be up higher, level with your face, otherwise people on a video conference with you would be looking up your nose the whole time.  Yes of course you could prop it up, but that's not going to happen all the time.  That's really my only disappointment.

We'll see..

This week was busy

This week, we at Sourcefire had our annual Sales Kickoff meeting. Basically a good look backwards at 2009, and what we did right and wrong, a look ahead and goals for 2010.

Obviously most of what we talked about is corporate confidential, but I think we all left with a good idea about where we are going this year. That we should be pumped up, because we are doing good things and will continue to do so.

Also this week I was placed on a list of people to call for radio stations about the Haiti relief scams, this has been quite an adventure as well.

I've done about 20 interviews, some live, some recorded, for all kinds of radio shows, morning, evening and day shows all around the United States.

All the interviews were about 5-10 minutes long, and I've been repeating myself a lot, but it's been fun. Hopefully that will wind down this week and things will get back to normal.

Haiti domain registrations on the rise

Over the past couple days I've been reporting over on the Internet Storm Center about the number of domains that have been registered (either legitimately for good use, or for malicious use) concerning the Haitian Earthquake disaster.  Read the original article here.

Like I said in that article, we're assuming that these domains are being registered for legitimate and helpful use, but we try and keep our eye out for the illegitimate ones, just in case someone wants to put some malware on a site, or try and trick you into giving up your credit card numbers or donating money via Paypal to a "cause" that never donates the money to Haiti on the backend.  We saw this with Hurricane Katrina, we saw it with the Tsunami disaster, and now, we are seeing it with the Haitian Earthquake.  (See the article here.)

But the number of registered domains is on the rise.  We saw 38 on Wednesday, 445 on Thursday, and today we saw 680.   (So, well over 1,000) It's practically impossible to check these domains by hand, so we are working with a couple partners in the Internet Space to take a look at these domains with us to ensure that they are clean.

Please exercise caution when visiting these sites, and please, donate money for the cause.  But please be extra cautious about who you are donating money to.  You know you can donate to legitimate sites like the RedCross, but do you also know you can donate to these other organizations:

• CARE: http://www.care.org/


• International Red Cross:  http://www.icrc.org/


• Medecins Sans Frontieres/Doctors Without Borders: http://doctorswithoutborders.org

(Thanks Kevin for those links)

Haitian earthquake news

Today, I posted an article on the Internet Storm Center about the fact that sometimes domains are parked and used for malicious use when a disaster occurs.

Domains like haitiearthquake2010 and haitiearthquakerelief and various names like that.

Well, because this is of such a large concern, I was contacted by no less than 5 news organizations today. Newsweek, ABC news, CBS news, SCMagazine, and Foxnews.com. All wanted comments and news about the Haitian disaster and the monitoring that we have taking place in order to protect people from getting scammed.

A couple of the articles I was mentioned in can be found above at my "in the media" link.

I think it's great that news organizations are taking an interest in protecting the World against these predators.

Always remember, the safe bet is to donate money via an outlet like redcross.org.

Please donate.

Article about Sourcefire's 4.9 release

Recently Sourcefire (the company I work for) released the newest version of our system.  Version 4.9.  While I have personally enjoyed working with it over the past few months (in beta, and now in production), it seems others out there have a great view of it as well.

Check out an article about it here.

Firefox 3.6rc1 is out

Mozilla has put out Firefox Release Candidate for version 3.6 of the browser, and as always, it's publicly available via their website.  Just a reminder that this is an RC, not a full version upgrade or anything, and it's essentially beta code, so your milage may vary.

http://en-us.www.mozilla.com/en-US/firefox/3.6rc1/releasenotes/

The list of bugs that go into 3.6 that are fixed are pretty significant, even several security updates.

https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2:final-fixed

Which tells me that the release of 3.6 isn't far behind.

Firefox keeps up upgrading, and while it's by far the favorite browser of my blog readers, I can't help plugging Chrome, even in it's Mac Beta/Dev status, it's a great browser.  I am of the opinion that Chrome is much faster than Firefox.  Firefox still feels bloated and slow to me.

One of my favorite features is that Firefox will warn you of out of date plugins, while it did this pretty reliably to begin with, I can't help but think this is better.  This is pretty important for things, obviously, like Flash.

Go to the first link above, check out the release notes, give it a download.  See how it handles, and if you feel like it, report back here and let me know your results.  I'll stick to Chrome for now.

PulledPork 0.3.4 released

I know plenty of you that read my blog are interested in Snort Rules, and are always open to the management of Snort rules in an easier fashion.  Often, in the past our (our being the 'Snort Professionals') recommendation has been "Oinkmaster".  Perl program, pretty stable, kept rules up to date and such.  Well, Oinkmaster kind of died in terms of support so one of our own guys at Sourcefire stepped up for the community and put out, for free, Pulled-Pork.  (Originally called "Baconator", but we asked him to change the same so that Wendy's didn't sue.)

Anyway, JJ, the author of Pulled-Pork, a fellow Sourcefire employee, and the guy that runs openpacket.org released version 0.3.4 of Pulled-Pork today.  It has some very significant updates that we hope Snort users will be keen on.

For some time, within the Sourcefire interface, you can start off the creation of your policies (and the further updating of your policies) from one of three "bases".  Connectivity, Balanced, or Security.

Connectivity focused on Connectivity over security, less interruptions from the IPS and more dropping of traffic that is obviously evil

Balanced focused on a good balance of the above and below.

Security focused more on the Security of the network the Sourcefire sensor was providing more than people getting to Facebook.

VRT makes these categories up, and they make up which rules go into which categories.  In the Sourcefire product, if you are "inline", each one of these above standard bases have a certain number of rules that are set to drop by default.  Obviously, less at the Connectivity over Security, and more set to drop in Security over Connectivity.

The way that we get this information out to the Sourcefire customers is through "metadata" within a rule.  If a rule is written as so:

"alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:4;)"

See the section I have in bold above?  That's the metadata, it tells, in which of the three categories I named above, what the rule should do in that instance.  In this case, since this rule is looking for traffic that is exiting the network and going back to an attacker, we want to drop this at all costs.  So that's what the metadata says.  First the name of the policy, then the state.

This feature has been reserved for the automated (notice automated) use for our Sourcefire customers, but has always been available for our open-source Snort users.  Until now.

Pulled-Pork 0.3.4 allows the Open-Source users to use these three policies automatically, of course, you have to choose which policy you want to use with the "-I" command parameter.

If you were using pulled-pork in the past, you can't just copy over the pulledpork.conf file into this new instance, you'll need to use the new .conf file that comes with this release, but, in a matter of about 5 minutes, I had the new pulledpork up and running and my Snort instance is now running the "-I security" policy, PulledPork generated a changelog for me, and restarted Snort via a HUP (which you can specify in the pulledpork.conf file).

So, someone that is familiar with Snort, and .conf files, you should be up and running a great security policy in about 5-10 minutes.

Good job JJ and the VRT!

For further information, please go to JJ's blog post on the release and download it at the link he has there on his blog.

iPhone compatability

When I moved to the current theme, I received a couple emails telling me that the theme is hard to read on an iPhone.  So I fixed that.  If you browse to the blog on an iPhone you will now receive a completely different screen and interface, one that is very iPhone compatible, user-friendly, and still allows you to use all the features of the site (commenting, emailing, etc) as you normally would.

So here's what it will look like now when you navigate to the site on an iPhone:

You notice the drop down at the top right of the screen?  This allows you to view the site via RSS, sort by category, even Email me directly from the blog.

If you don't like how the page looks on the iPhone, you can turn this feature off by scrolling down to the bottom of the page and flicking the switch, as seen below:

This is all made possible by the WPtouch theme.  Thanks Wordpress.

Reviewing ModSecurity 2.5, the book

Currently, I am reviewing a book for Packt Publishing, it's entitled "ModSecurity 2.5: Securing your Apache installation and web applications" by Magnus Mischel.

Consequently, I am playing with ModSecurity a bit, and I will try very hard to NOT break things on the blog.

So far it's a good book and it's been quite awhile since I've used ModSecurity (back in the 1.x days) and the configuration has completely changed.  So I'm on a quick learning curve as well.

Verizon Wireless's Fail

Several months ago I ditched my AT&T 3G Card that I was using for mobile Internet and bought a Mifi from Verizon.

A) Verizon has better connectivity in New York (I was spending a lot of time in New York)

B) Verizon has better connectivity on trains than AT&T.  (Not faster, just a more persistant connection.)

Well, in order to manage your account, you have to sign-up for a website called myverizon.com, which, in order to complete the sign-up, asks to text message you your pin/password to verify your identity.  So, I laugh to myself, as the Mifi doesn't have a screen or any way to receive a text.  So, I get a hold of Verizon, and they tell me that their VZwireless software allows you to see the txt's send to the Mifi, okay, fine..

I fire up the software, no "txt".  It's not in the Mac Software, it's only on the Windows VZWireless software.  Hilariously irritating, so the alternative is, they mail you a pin number.  Physically mail you, using snail mail, a pin number.  What a waste of trees.  Anyway..  I arrive today at getting my pin number via the mailbox, I sit down, type in the temporary password (pin number) on my login page, and finally, I get to reset the password.

So, there's 3 blanks on this page, and a drop down.  First -- New password, second -- as you guessed it -- verify new password.

Now, here's where it gets good.  Drop down "Select the phrase to remind you of your password".   Your typical "Challenge/Response" thing right?

Here's the drop down:



Yup, seriously.  No questions for the "Secret Question" -- I mean, if the questions are secret...

Last drop down was the answer to the "Secret Question".

Okay, so, what have we learned here?  Verizon.  You are making life extremely painful to me.  FIX YOUR SIGNUP METHOD.

Oh, and your webpage.  You are DOING IT WRONG.

140-seconds.com

A friend of mine and fellow co-worker at Sourcefire started something pretty exciting this year.

Brad Pollard decided this past year to write 140 songs, each 140 seconds long (his inspiration was Twitter) in a year.  So far he's doing pretty good and I've been subscribed to the podcast on iTunes in order to grab them all.

If you like Indie music, or if you don't, either way, go check out Brad's stuff and give him some feedback.  Good job Brad.  Check out the website here.

SSH keys, my how I hate you sometimes.

So, earlier today I was setting up some SSH keys to be able to connect back and forth between various machines in my network.  Seems like a normal thing for a guy with a bunch of Unix machines around the house to do right?  Well, apparently it was more painful than I thought.

I had:

PubkeyAuthentication yes

I had the permissions right on all the files, on both the client and the server, yes, I checked this, and that.

So, here I am racking my brain, "why isn't this working", darn it.. what am I overlooking?  So I IM'ed a friend of mine, Richard Harman, who is the master of a bunch of things, one of the things is Linuxy, Unixy stuff -- at this point I'm at my wits end, and trying to figure it out, I am racking my brain.

Richard connects up to my computer, and he has the same problem (can't connect via SSH key), so it's obviously a server problem.

We start daemons in debug mode, looking at RPM packages (this particular server was running Fedora 10), heck, I was even looking at bugs in SELINUX as the culprit.  Nothing.

We noticed one line in particular that was bothering us..  every time someone tried to connect to sshd on the SERVER's SSHD debug line, it was trying to access /root/.ssh/authorized_keys.  No matter what the user.  Obviously, this isn't right.  I tested this out by moving my authorized_keys file to root's /.ssh directory and it worked right away.

After poking around a bit, Richard found the problem:

AuthorizedKeysFile     ~/.ssh/authorized_keys

Because, when SSHD starts up, the sshd_config file was expanding "~/" to the home directory, and since sshd starts as root..  the ONLY directory it was going to look in was /root/.ssh/authorized_keys

Richard changed this to:

AuthorizedKeysFile      .ssh/authorized_keys

It worked and life is fine now.  Two characters.  TWO.  (That I didn't put there, or at least don't remember putting there.)

Thanks Richard.

Getting Urlview to work on Snow Leopard

I've been using Mutt lately.  (I'll post more later on how I overcame my objections to it.... and how to make it work with multiple Gmail accounts forwarded to each other -- which was my major headache actually).  Unfortunately, urlview crashes if you download the source (ftp://ftp.guug.de/pub/mutt/contrib/) and compile it natively on Snow Leopard.

Well, after a ton of searching, posting to the Mutt Mailing list and what not, Brenden Cully (The maintainer of the fink package for OSX) posted this patch to urlview.c.  The code will make urlview compile correctly and run on Snow Leopard (10.6).  I still haven't figured out the bugs with lbdb and ABQuery on Snow Leopard yet, but once I get that patched up, we'll be good to go.  Then I'll post why I've finally reverted back to using Mutt (instead of Gmail) for my desktop email.

@@ -506,10 +506,11 @@                                                                                                                    

          free (url[current]);                                                                                                           

          url[current] = strdup (buf);                                                                                                   

          endwin ();                                                                                                                     

+         quote (scratch, sizeof (scratch), url[current]);                                                                               

          if (strstr (command, "%s"))                                                                                                    

-           snprintf (buf, sizeof (buf), command, quote (scratch, sizeof (scratch), url[current                                          

]));                                                                                                                                     

+           snprintf (buf, sizeof (buf), command, scratch);                                                                              

          else                                                                                                                           

-           snprintf (buf, sizeof (buf), "%s %s", command, quote (scratch, sizeof (scratch), ur                                          

l[current]));                                                                                                                            

+           snprintf (buf, sizeof (buf), "%s %s", command, scratch);                                                                     

          printf ("Executing: %s...\n", buf);                                                                                            

          fflush (stdout);                                                                                                               

          system (buf);

 

Review: Vtech DS6322 w/ Bluetooth

My wife bought me this for Xmas, and it's probably one of the best ideas ever.  The Vtech DS6322 w/ Bluetooth, is a 3 or 4 phone kit with bases (with an answering machine) that has Bluetooth capability.  Buy.com has it here.  So, after I paired my wife and I's cell phones to the base, now, when we come home our cell phones connect to the base, and then calls that come in our cell phones can be answered via the regular phone.

The regular phone has all the regular cordless phone buttons that you'd expect to see, plus one additional, a "Cell" button.  Whenever a phone call comes in on the cell phone, we just tap this button and we can answer it, all without having to run all over the house to try and find our cell phones.  It's convenient, as we have the base station (w/ Answering Machine) and our cell phones plugged into this piece of handiness from Pottery Barn (ours is black). The cell phones stay put in that area, along with the base station, and now we don't have to sprint all over the house looking for phones when one rings.

You can even import the phone books of the phones into the base station.  (Nice!)  You can set a static ringer, per phone line, so you know exactly which line someone is calling in on.

I recommend it.

Bottom Posting

Recently was chastised for Bottom posting on a Mailing list, so I thought I'd write a few words about it.

I bottom (or inline post) mostly because I like the email to be a message. You read a message or a letter from top to bottom, from left to right. It wasn't until email clients started top posting (looking at you Outlook/Lotus Notes) that email was written in the top-posting format, forcing you to read an email backwards.

So I looked it up, basically looking at two different information stores.

Wikipedia -- http://en.wikipedia.org/wiki/Posting_style
RFC1855 -- http://www.ietf.org/rfc/rfc1855.txt

These two places will define how to write email and how email should be written, on mailing lists, use groups, or any other email transaction.

The particular part to pay attention to is in RFC1855 --

"- If you are sending a reply to a message or a posting be sure you
summarize the original at the top of the message, or include just
enough text of the original to give a context. This will make
sure readers understand when they start to read your response.
Since NetNews, especially, is proliferated by distributing the
postings from one host to another, it is possible to see a
response to a message before seeing the original. Giving context
helps everyone. But do not include the entire original!"

Summarize the email at the top, and post below it. In other words, bottom-posting is the correct way to write email, as per RFC.

Instapaper is so great

I am not sure if Instapaper has apps for anything other than the iPhone, and I kind of doubt, if that exclusivity exists, that it will last any amount of time.

Instapaper is one of those new 2.0 companies that is web/app based. They provide you a free log in to their website, which by the way, by default, had no password. Past this login you get a bookmarklet, similar to the "readbility" bookmarklet I talked about earlier, which, upon use, allows you to turn any article you are reading into a saved article of sorts.

For example, earlier today I was reading an entry on a blog, it was rather long, and I wasn't going to have time to finish reading it as I was about to head out to go to the dentist.

So, with this combination of app/website, I tapped my instapaper bookmarklet, which takes whatever you are reading, and puts it up in the "cloud". Which, provided you then have the Instapaper app on your iPhone, can sync this content down to your mobile device.

Now, whatever article I was reading, just by tapping one button, is now formatted in nice big text on my iPhone, and I can take with me.

I don't know the size limitation of the file you can put on instapaper, I don't know, for instance if you can put a whole book up there or something, but for now, while I am in the dentists waiting room, I have articles to read instead of the weeks old copies of  "Newsweek".

Why don't I use something like Google reader? Well I can, except for those websites that shorten their rss feeds to force clickthroughs. It's another couple steps, who knows how it is going to be formatted, and who knows what kind of connectivity you are going to have.

Which, also by the way, is why I removed the "shortened rss" clickthrough thing for my blog. It annoyed me, so I figured it was probably annoying you.

Thank you Google Cache

I was able to pull the posts that I lost back from Google Cache. So, back to normal. Thanks.

Facebook User? Might want to check your settings.

Many of you that use Facebook may have clicked right through it.  But recently Facebook made a couple changes to their privacy settings that you may want to take a look at.  You can read about the settings that they have changed here.  Basically Facebook did two things, first, if you have never made any changes to your privacy settings in the first place, Facebook altered your default privacy settings so that everyone can now read your postings, your status, your friends.

I have a feeling that most of the readers of my blog may value their privacy and may have realized that these settings were taking place.  But you might want to double check that these settings are up to your standards.  Basically, there’s two points that I’d recommend that you check.

Log into Facebook, click Settings in the top right, then click Profile Information.  Review each one of the items for the correct settings, the most important one being the “Search” section.

When I clicked on it today, I was presented by this pop-up:

So, weigh that statement against the “rather safe than sorry” thought process, and make of it what you will.  I still clicked on “Search”, then unchecked the “Index” button.

I moved the Snort Drinking Game

I moved the Snort Drinking Game from it’s old domain over here to this blog now:

http://blog.joelesler.net/the-snort-drinking-game

Moving to Wordpress

I just wanted to put out that moving to Wordpress, from Blogger, is probably one of the more painful experiences in my life so far.  But I found out a few things.

First things first, I found out that Wordpress, is actually, a really good platform for webpage creation.  Notice that I didn’t say blogging, it does that too, but it does a really good job for just basic webpage creation.  Probably the easiest “plug and play” system there is.

Problem is, I can easily see how there are so many security issues with Wordpress.  With plugins, themes, different pages, tools, etc..  This thing is php all the way through, which means, who knows that problems there are in the back of the system.  No more than any other blogging platform though I guess.

So, all my posts from Blogger have been moved over here now, and through the magic of mod_rewrite, things are working well.  I am going to be implementing mod_security as well, which is perfect because I recently received a new ModSecurity 2.5 book that I am reviewing.  So I’ll use the book as a chance to really evaluate the techniques to secure this website.

Currently I have two websites.  This blog, and another domain that I maintain, which I am going to be pointing over here as well.  Since I am basically consolidating all my content into one page.  I think this will make my life slightly easier, and really, that’s what moving to blogger was ultimately about.  Total customization in a nice neat package.

However, for now, there are still some 404’s that I am seeing.  Not sure why they are appearing, but I am going to have to fix those.

So for now, stay flexible, as I am still playing with the site.  I’ll get it squared away as soon as possible.

The Magic of Mod_Rewrite

After several large headaches dealing with Mod_Rewrite over the weekend, I finally have about 20 different ways to subscribe to the RSS feeds of this website all redirected over to Feedburner (and what do you know, I had about 400 subscribers that I didn't know anything about! Welcome!).

Here's a couple examples of things I had to do:

RewriteRule /feed$ http://feeds\.feedburner\.com/RandomThoughtsFromJoelsWorld [R=301,L]
RewriteRule /feeds/posts/default?alt=rss http://feeds\.feedburner\.com/RandomThoughtsFromJoelsWorld [R=301,L]
RewriteRule /feeds/posts/default http://feeds\.feedburner\.com/RandomThoughtsFromJoelsWorld [R=301,L]
RewriteRule /finshake/Blog/rss\.xml http://feeds\.feedburner\.com/RandomThoughtsFromJoelsWorld [R=301,L]

Hopefully everyone didn't experience (*many*) problems.  Thanks.

Just a couple Snow pictures

Just a couple pictures of the big Snow storm we had over the weekend...  For those of you that live in Snowy sections of the country, this is probably not exciting.  However, for Delaware, this much Snow happens about every 10 years (1996 was the last time it happened.  We had 4 ft back then)

The official measurement for my area is 26 inches.  I had that in the below picture.  But I had some areas on the sides of the house that were over four feet.

How to totally screw up a Wordpess blog...

Do whatever I just did.

I lost about 4 posts. Sorry about that. I'm so awesome.

If you happen to have those last few posts of mine, feel free to email them to me.

Things I wish about Email

Someone asked me:

"Joel,


I read your last post on Thunderbird and noticed you said [...] that you were "over client based email".  I use Thunderbird.  Why do you say that?  What don't you like about [...], client based applications?"  -- Yes I paraphrased.  But spelling is intact.

Mail.app
-- I would like the ability to shut off Spotlight indexing.  Meaning, I don't want Mail.app to download all of my Mail locally.  It's IMAP, that means keep it up in the cloud.  I don't want it here.  Also?  Very slow when dealing with Gmail.
-- I would like the "new" ability to "archive" an email with a keyboard shortcut.  In Thunderbird 3.0, I can mash the "a" key and the Email that is currently selected is archived.
-- Threading.  Threading is awful.  It works GREAT in Gmail, and is perhaps Gmail's best feature, bar none.
-- No way to bottom post.

Thunderbird
-- Same as Mail.app as far as the Spotlight indexing goes, except, I can shut it off in Thunderbird (awesome!).  But I don't want the client to download my email.  Period.  I want it kept in the cloud with no local copy.
-- Slow.  SLOW.
-- Threading, same as Mail.app, Threading sucks.  Again, Gmail has this down.
-- Too much CPU
-- Too much RAM.  (600 Megs?  Are you kidding me?)

Mutt
-- Slow
-- Can't open attachments, (yes, I know what you Mutt guys are going to say, but still, I would like the ability to just click (or tap a shortcut key) and open an attachment.  Not having to do a bunch of crazy nonsense to tie apps together.
-- Threading, I rather like the threading that Mutt has, and the customizability of Mutt beats everything else, bar none.

Outlook
-- Seriously, Outlook sucks.
-- Why am I including it here?
-- No way to bottom post
-- Inconsistant GUI
-- Slow
-- No way to bottom post.  Check out this fix (http://home.in.tum.de/~jain/software/outlook-quotefix/)
-- No addons
-- No archiving
-- PST size limits
-- Bad rule granularity.


I solicited feedback from Twitter, regarding the above, and these are the responses I got.

"Lack of keyboard for control wrt to moving from folder to folder.. GMail makes that very easy." -- @jasonish


"The difficulty in working with the OS address book - Thunderbird vs Windows 7 contacts comes to mind (complicates my iphone sync)"
-- @tomsellers


"haven't found one with a conversation view on par with gmail."
-- @jjarmoc


"1) Folders < Labels (ability to 'symlink' emails to multiple tags) 2) i use 3-4 devices to check mail 3)Gmail's thread handling"
-- @jamesjtucker

and in the interest of fairness.  I'll get on Gmail too.

Gmail
-- I want the ability to mark two conversations and make them thread together.  For instance, let's say there is a thread, then someone answers that thread, but the mail client for that person adds "UNCLASSIFIED" to the thread.  The Thread is then broken, visually, but it is still the same.  I want to be able to combine them.
-- Your IMAP implementation really sucks.  Bad.  Oh, and it's slow as hell too, almost artificially.  Seems like you really don't want people using any other email solution except for the web.
-- Drag and drop of attachments.  This should be possible in HTML5, or at least with Google Gears
-- Lack of Google Gears (and thusly, no offline gmail support) for Safari/Snow Leopard.  Can we get rid of Gears and be HTML5 compliant please?
-- Lack of Bottom Posting option.  No, addons through Greasemonkey do not count.  Want to really impress me?  Reformat an entire email (when I hit reply), to flip the thread around based upon indexing, (come on, you guys can figure that out), to read top to bottom.
Check this out Google.  Do THIS and all would be awesome -- http://home.in.tum.de/~jain/software/outlook-quotefix/
-- GPG/PGP support.  I don't use it, simply because it's a pain.  So I don't.  I probably would if I could.
-- The ability to filter on more headers.  Ideally, I'd love to be able to perform regex on headers.  Similar to procmail.
-- Label based signature blocks.  Or at least account based.





Please leave comments below.

Things I wish about Email

Someone asked me:

"Joel,


I read your last post on Thunderbird and noticed you said [...] that you were "over client based email".  I use Thunderbird.  Why do you say that?  What don't you like about [...], client based applications?"  -- Yes I paraphrased.  But spelling is intact.

Mail.app
-- I would like the ability to shut off Spotlight indexing.  Meaning, I don't want Mail.app to download all of my Mail locally.  It's IMAP, that means keep it up in the cloud.  I don't want it here.  Also?  Very slow when dealing with Gmail.
-- I would like the "new" ability to "archive" an email with a keyboard shortcut.  In Thunderbird 3.0, I can mash the "a" key and the Email that is currently selected is archived.
-- Threading.  Threading is awful.  It works GREAT in Gmail, and is perhaps Gmail's best feature, bar none.
-- No way to bottom post.

Thunderbird
-- Same as Mail.app as far as the Spotlight indexing goes, except, I can shut it off in Thunderbird (awesome!).  But I don't want the client to download my email.  Period.  I want it kept in the cloud with no local copy.
-- Slow.  SLOW.
-- Threading, same as Mail.app, Threading sucks.  Again, Gmail has this down.
-- Too much CPU
-- Too much RAM.  (600 Megs?  Are you kidding me?)

Mutt
-- Slow
-- Can't open attachments, (yes, I know what you Mutt guys are going to say, but still, I would like the ability to just click (or tap a shortcut key) and open an attachment.  Not having to do a bunch of crazy nonsense to tie apps together.
-- Threading, I rather like the threading that Mutt has, and the customizability of Mutt beats everything else, bar none.

Outlook
-- Seriously, Outlook sucks.
-- Why am I including it here?
-- No way to bottom post
-- Inconsistant GUI
-- Slow
-- No way to bottom post.  Check out this fix (http://home.in.tum.de/~jain/software/outlook-quotefix/)
-- No addons
-- No archiving
-- PST size limits
-- Bad rule granularity.

I solicited feedback from Twitter, regarding the above, and these are the responses I got.

"Lack of keyboard for control wrt to moving from folder to folder.. GMail makes that very easy." -- @jasonish


"The difficulty in working with the OS address book - Thunderbird vs Windows 7 contacts comes to mind (complicates my iphone sync)"
-- @tomsellers


"haven't found one with a conversation view on par with gmail."
-- @jjarmoc


"1) Folders < Labels (ability to 'symlink' emails to multiple tags) 2) i use 3-4 devices to check mail 3)Gmail's thread handling"
-- @jamesjtucker

and in the interest of fairness.  I'll get on Gmail too.

Gmail
-- I want the ability to mark two conversations and make them thread together.  For instance, let's say there is a thread, then someone answers that thread, but the mail client for that person adds "UNCLASSIFIED" to the thread.  The Thread is then broken, visually, but it is still the same.  I want to be able to combine them.
-- Your IMAP implementation really sucks.  Bad.  Oh, and it's slow as hell too, almost artificially.  Seems like you really don't want people using any other email solution except for the web.
-- Drag and drop of attachments.  This should be possible in HTML5, or at least with Google Gears
-- Lack of Google Gears (and thusly, no offline gmail support) for Safari/Snow Leopard.  Can we get rid of Gears and be HTML5 compliant please?
-- Lack of Bottom Posting option.  No, addons through Greasemonkey do not count.  Want to really impress me?  Reformat an entire email (when I hit reply), to flip the thread around based upon indexing, (come on, you guys can figure that out), to read top to bottom.
Check this out Google.  Do THIS and all would be awesome -- http://home.in.tum.de/~jain/software/outlook-quotefix/
-- GPG/PGP support.  I don't use it, simply because it's a pain.  So I don't.  I probably would if I could.
-- The ability to filter on more headers.  Ideally, I'd love to be able to perform regex on headers.  Similar to procmail.
-- Label based signature blocks.  Or at least account based.

False Alarm -- No more Thunderbird

Probably belongs in a tweet, but since I blogged about it here, I'll write it here.

Stopped using Thunderbird.  After it consumed 20 Gigs of space downloading my email, constantly kept my CPU at 80-100% and the hardware fan busy, consuming 500 Megs of RAM...  I ditched it and went back to Gmail on the web.

It did have some very nice features, however, basically, I am just over client email programs.

That is all, you may return to your regularly scheduled programs.


Please leave comments below.

Thunderbird 3.0

I know you've read from me time and again that I am a big proponent of Google's Gmail interface.  However, ever since Mozilla put out Thunderbird 3.0, i've been trying it.  It combines the best of both worlds, offline (even though Gmail just released that non-lab), client access, OSX integration.  But perhaps the best thing is that they have an archiving system now.

You read a message and you mash "a" and the message is placed into an archive by year-month timestamp, and is no longer in your inbox.  The simplest way, client side, to maintain Inbox-Zero.

Take a look at all the new features here.


Please leave comments below.

Thunderbird 3.0

I know you've read from me time and again that I am a big proponent of Google's Gmail interface.  However, ever since Mozilla put out Thunderbird 3.0, i've been trying it.  It combines the best of both worlds, offline (even though Gmail just released that non-lab), client access, OSX integration.  But perhaps the best thing is that they have an archiving system now.

You read a message and you mash "a" and the message is placed into an archive by year-month timestamp, and is no longer in your inbox.  The simplest way, client side, to maintain Inbox-Zero.

Take a look at all the new features here.


Please leave comments below.

New Blog for your enjoyment

Friend of mine, Mike Mishou, started a new blog over at http://mishou.org.  So far he has some great posts, and I envision him to continue having great posts.  Head on over to Mike's website and check it out.


Please leave comments below.

New Blog for your enjoyment

Friend of mine, Mike Mishou, started a new blog over at http://mishou.org.  So far he has some great posts, and I envision him to continue having great posts.  Head on over to Mike's website and check it out.


Please leave comments below.

Google Chrome for the Mac has reached Beta

Happy to see this, because I know several friends of mine have been working on this in the background at Google, and what a good job they have been doing as well.  I have visions of these guys in dimly lit rooms sitting around keyboards, their faces awash in the white glow of XCode, furiously figuring out the bugs and features to put into the Mac version of Chrome.  Okay, enough of that visual.  (you know, keyboards surrounded by cans upon cans of Mountain Dew...)

This morning Google released the Beta version (this is as opposed to the Alpha version that I talked about here) of Google Chrome for the Mac.  (and Linux as well..)  The biggest thing that I noticed that it supported was that it imported all my bookmarks from Safari for me.  Switching to Google Chrome was like,  basically a kid waiting to be put in the big game in school.  Standing on the side lines, sometimes used, sometimes not.  Safari being my primary resource for anything web-related.  Now, with full pads on, helmet in hand, my Quarterback for surfing the information superhighway is now Google Chrome.   I've handed the playbook of imported bookmarks over to Google Chrome, and my new browser has taken the field.

It's quick, it's stable, and each tab launches in it's own process, or thread.  This is priceless, as a crash in one tab does not mean the whole browser will die.  Just that tab.  Well, that's the theory anyway.

Give it a shot.

http://www.google.com/chrome?platform=mac&hl=en

Please leave comments below.