oclHashcat-lite benchmarks on Radeon HD 6550D (A8-3850 APU)
2012-02-04 00:25:44 by chort
In the interest of science, to see just how fast a mobile-class GPU cracks passwords, I ran the benchmarks on oclHashcat-lite-0.08 and oclHashcat-lite-0.09. I think pentesters may be surprised by how fast they could crack passwords on a laptop GPU, compared with rainbow tables or (shudder) CPU.
- Comments (0)
Conducting Password Splicing Attacks With oclHashcat-plus
2012-01-19 00:01:12 by chort
A coworker once told me he imagined immigration officials handing Chinese immigrants two bags with slips of paper, asking them to pick a paper from each bag and put them together to form the name of their restaurant. This is how he imagined names like "Green Dragon," or "Golden Lotus," or "China Garden" got created. While it might not be a very accurate way to describe culinary establishment marketing, it is similar to how many users choose passwords. I'm calling this method the "Chinese Take-out Attack."
- Comments (4)
Why the SOPA/PIPA Protests Worked
2012-01-18 22:53:40 by chort
While we all wear our arms out patting ourselves on the back for the remarkable changing of tides today, let's not forget why the website blackouts actually worked: Because of the massive number of phone calls to senators and representatives. You can whine on Facebook and change your Twitter profile picture all you want, but no one in Washington D.C. will ever notice that. When a massive number of people jam phone lines and overflow voicemail boxes, THAT gets their attention. If you haven't called your senators and representative yet, your job is not finished. Make sure you call all three before the PIPA vote on January 24th.
Make no mistake, this war isn't over. The MPAA and RIAA will come back over and over again, in sneakier and sneakier ways. It costs them a lot less money to buy congresspeople than it does to take risks by investing in new business models. This is why I'm proposing another course of action: Defeat Lamar Smith in the next election. I made a promise today on Twitter to contribute the maximum legal amount to a candidate with a legitimate shot to defeat Rep Smith, and I intend to follow-through. We need to send a message that not only do we get pissed off when businesses buy laws, we don't forget who facilitated them.
We can't afford to financially assail every pro-SOPA/PIPA congressperson up for reelection, but we can make life miserable for one of them. Rep. Smith has been the most visible and the least rational MPAA/RIAA cheerleader, accepting all their propaganda verbatim, without any attempt to question it. This deliberate anti-intellectualism (blocking network architects from even testifying on the ramifications of proposed legislation, and dismissing all amendments without consideration) needs to be punished. It's not OK to legislate out of ignorance. The citizens of Texas should be ashamed of putting this man into office, and they certainly shouldn't keep him there.
Even if you read this months after the posting date (January of 2012), it's almost certainly still relevant. Big, old corporate interests are still going to be attempting to legislate away any competitive or disruptive market forces, to protect their obsolete business models. Educate yourself, fight back. If you somehow came to be reading this blog post and have no idea what I'm upset about, here are some references.
EFF action site for SOPA/PIPA.
Long history of content industry takedown powers abuse.
A technical examination of SOPA and PROTECT IP.
Statement by several brilliant, well-known artists against SOPA/PIPA
What Joe Brockmeier wishes sites were saying about SOPA/PIPA.
Learn about corporate money's corrupting influence (and what YOU can do).
- Comments (0)
Free Advice for the DHS
2012-01-17 10:46:51 by chort
You may be aware that the DHS are now sending (opt-in) "Daily Cyber Reports" to IT and security practitioners. The stated purpose of the reports is "to facilitate a greater understanding of the nature and scope of threats to the homeland." I wonder if they're aware of the threat they're creating by teaching people to open PDF documents from unauthenticated email? Well they have no excuse now, because I told them. Here's a copy of the email I sent them on the topic.
1.) Create a DKIM record for hq.dhs.gov and use it to sign the headers of the email, so recipients can verify it was really sent by hq.dhs.gov, rather than a phishing site.
2.) Publish a public key for OSINTBranchMailbox [at] hq.dhs.gov on a website that has a DNSSEC-signed record.
3.) Use the private key (GPG or S/MIME) to sign messages sent from OSINTBranchMailbox [at] hq.dhs.gov
4.) DO NOT INCLUDE ATTACHMENTS, unless they are plain text. Training users to open Adobe and Microsoft documents is the worst thing you can do, when most compromises are initiated with poisoned Adobe or Microsoft documents.
5.) Host the Cyber Report on a website that has a DNSSEC-signed DNS record and an SSL certificate that matches the hostname of the website and chains up to a trusted root.
If you're going to advise organizations on security, you should secure your infrastructure and comms too. Lead through action.
PS you haven't configured your authoritative DNS server properly. The template default value for email address is showing in the SOA.
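Items 1, 2 and 5 above, and the SOA complaint in the postscript, are all things a recipient can check in DNS before trusting a "Cyber Report" email. The following is an added example (not part of the original post, and not anything DHS publishes) of how a defender might lint the two records that matter most here: the DKIM public-key TXT record that step 1 calls for, and the SOA responsible-person field mentioned in the PS. The DKIM records are constructed samples, the key material is a length-only stand-in for a DER-encoded RSA key, and the list of template placeholders is an assumption to be extended for your own zone templates.

```python
import base64
import re


def _key(length: int) -> str:
    # Constructed stand-in for a DER-encoded RSA public key of the given byte
    # length. Assumption: only its length matters to the checks below; no real
    # key material is used in this example.
    return base64.b64encode(b"\x30" * length).decode()


# Constructed sample DKIM TXT records (not the real hq.dhs.gov records).
SAMPLE_RECORDS = {
    "good": "v=DKIM1; k=rsa; p=" + _key(294),      # ~2048-bit RSA SPKI
    "revoked": "v=DKIM1; k=rsa; p=",               # empty p= means key revoked
    "testing": "v=DKIM1; t=y; p=" + _key(294),     # domain still in test mode
    "short": "v=DKIM1; k=rsa; p=" + _key(162),     # ~1024-bit RSA SPKI
    "bad_b64": "v=DKIM1; k=rsa; p=not*base64*",    # corrupt key field
}


def parse_dkim_record(txt: str) -> dict:
    """Split an RFC 6376 tag=value list ("v=DKIM1; k=rsa; p=...") into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def check_dkim_record(txt: str) -> list:
    """Return the problems a verifier would hit; an empty list means the record is usable."""
    try:
        tags = parse_dkim_record(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type k={tags['k']}")
    p = tags.get("p")
    if p is None:
        problems.append("p= tag missing: no public key")
    elif p == "":
        problems.append("p= is empty: key revoked, signatures cannot verify")
    else:
        try:
            # TXT records may fold the key across whitespace; strip it before decoding.
            der = base64.b64decode(re.sub(r"\s+", "", p), validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
        else:
            # Assumption: a SubjectPublicKeyInfo for 2048-bit RSA is ~294 bytes,
            # for 1024-bit ~162 bytes, so DER length is a usable proxy for key size.
            if len(der) < 250:
                problems.append("public key appears shorter than 2048 bits")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: domain is in testing mode, verifiers may ignore failures")
    return problems


# Placeholders that zone-file templates commonly leave in the SOA RNAME field.
# Assumption: this list is illustrative; add whatever your own templates use.
DEFAULT_RNAME_MARKERS = ("example", "localhost", "yourdomain", "changeme")


def soa_rname_looks_default(rname: str) -> bool:
    """True if the SOA responsible-person field (e.g. hostmaster.example.com.)
    still looks like a template value rather than a real mailbox."""
    return any(marker in rname.lower() for marker in DEFAULT_RNAME_MARKERS)


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, check_dkim_record(record) or "ok")
    print("soa default?", soa_rname_looks_default("hostmaster.example.com."))
```

To run the same checks against a live zone, fetch `<selector>._domainkey.<domain>` TXT and the zone's SOA with your resolver of choice and feed the strings to the two functions; the checks themselves need no network.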
- Comments (0)
Simple Guide to Secure Anything
2012-01-02 23:28:32 by chort
Recently I was asked for some pointers on creating a security roadmap. Since there's no one-size-fits-all strategy for which programs or technologies to implement, this is a tough question to answer. After thinking about it for a few minutes, I stepped back and put together this abstract, which is really what security boils down to after all. The rest is implementation details.
- Comments (0)
Courage is Temporal, or: USA's Overdeveloped Sense of Heroism
2011-11-20 20:37:44 by chort
In struggling to come to grips with what the Occupy Wall Street movement really means to society, I realized there had been a serious shift in public perception of law enforcement--at least by the white middle class*. If we think back 10 years, nearly everyone was heralding law enforcement and other first-responders as heroes, for risking their lives at the World Trade Center site. If we look at the press today, we see police, sheriff, and campus security forces being roundly criticized for widely publicized incidents of violence. Public officials appear to have been caught off-guard and their response has ranged from bi-polar (Jean Quan, in Oakland) to defiant (Michael Bloomberg, New York City). What accounts for this change?
- Comments (1)
Notes on GPU-based Hash Computation
2011-10-29 16:03:45 by chort
In the last few weeks I've learned a lot about applying GPUs to break password hashes. I'd like to thank @ErrataRob for writing the blog post that got me started in this field. If you haven't read Rob's post, I highly recommend you do that first, because this post builds on it. Don't buy a graphics card until you've read my post though, because there are some important updates.
- Comments (2)
The Death of Meritocracy?
2011-10-29 00:15:49 by chort
You must be living under a rock to not know about the Occupy Together protests that are happening right now in the United States, and other countries around the world. There has been a lot of press coverage trying to come to grips with what it is that the protesters are actually upset about. One of the best pieces on protester sentiments is this one in Rolling Stone. The gist of it is that Wall Street tycoons aren't getting rich by working hard and having better ideas, they're doing it by cheating the system. While I agree with this assessment, there's more to it.
- Comments (0)
How Casey Anthony is like Spam
2011-07-28 23:48:35 by chort
Unless you were living under a rock, you're aware of some public outrage over the acquittal of Casey Anthony on the most serious charges against her. As is usually the case when someone widely believed to be guilty is not convicted, there are all kinds of demands for new laws, criticisms of the jurors, etc. Everyone is so concerned with trying to prevent cases from falling through the cracks that they don't stop to think about how well the system actually does work in general, particularly how rare it is that people are wrongly convicted (rare, but sadly not impossible). It strikes me that this issue is very similar to one I know a lot about.
- Comments (0)
Lulzsec, Lies, and the Call to Wake
2011-06-27 00:03:05 by chort
For the past 50 days LulzSec has captured the attention of the information security community, the mainstream media, and just about every other kind of media. Has anyone stopped to wonder what it is that causes the LulzSec saga to be so "sticky?"
- Comments (2)
Hey secure.onlineticketorders.com, your website makes me nervous
2011-06-24 16:27:04 by chort
Don't you just love those sites that try to make you feel "extra safe" by putting padlock images on everything, even the "next" button?
- Comments (0)
Creating Stickiness Without FUD
2011-06-11 22:22:10 by chort
I must be the last person in the world reading The Tipping Point by Malcolm Gladwell. The book is full of relatable concepts, but the one that's struck me the hardest so far is how a university professor was able to convince students to get tetanus shots.
- Comments (0)
Cyberwars are real, but not what you think
2011-05-26 14:08:33 by chort
It struck me today that events are in motion for unavoidable cyber-conflicts. This statement won't shock anyone, since sensationalists have been predicting "a digital Pearl Harbor" for years. I don't agree with the predictions. In fact, I don't think it's likely that any warfare-like confrontations between nation states in cyberspace will happen in the near future. Sure there's rampant electronic espionage, but that hardly counts as warfare.
I think we're already seeing the beginning skirmishes in far more important events. We've seen protestors in various oppressed countries fighting to circumvent filtering and outright disconnection. We've seen massive DDoS attacks against draconian "Big Content" companies in retaliation for their heavy-handed treatment of their own customers. We've seen resourceful people overcome collateral damage caused by clumsy and ignorant government attempts to censor the Internet right here in the United States.
I don't see these events as anomalies or outliers. I see them as precursors. I think there's a strong undercurrent of opposition to the increasing attempts by governments and extremely large corporations to infringe on individual rights. In spite of that, it seems executives of these corporations are determined to forge ahead with rights-trampling legislation to restrict how individuals can access the Internet.
So what happens when out-of-touch elites try to enforce their will on the vast unwashed masses? That's when you get cyberwar. The people enacting new surveillance and censorship measures are forgetting that digital is the great equalizer. Any kid with a $200 laptop can take down a multi-billion dollar corporation. The more laws Big Content lobbyists have passed to make life miserable for average citizens, the more Anonymous* members they are going to create. It's difficult, although not impossible (as dramatically shown in the Middle East this year) to physically resist power. To digitally resist power is nearly effortless. Those in favor of extreme enforcement of content "rights" are picking a fight they cannot reasonably be expected to win. The only question is how long it will take them to lose.
*To be clear, I'm not now, nor do I ever plan on being a member of Anonymous.
- Comments (0)
De Facto Wars
2011-05-05 00:12:03 by chort
Recently I became involved in a debate with Jacob Appelbaum regarding the legality of US forces killing Osama bin Laden. Jacob contends that bringing bin Laden to justice is essentially a law enforcement matter and as such he is afforded a trial (making his recent death illegal). I disagree. Due to the limitations of Twitter we were not able to have real debate. I'm going to present my side here.
- Comments (0)
What if We Have the RSA Token Threat Backwards
2011-04-18 22:59:03 by chort
Thus far, all the speculation I've seen regarding the RSA SecurID breach centered on speculation that if attackers could somehow discover the serial numbers of tokens in use, they could derive the seed and whittle it down to 1-factor authentication. The advice from RSA certainly lends credibility to that theory, since they're essentially telling customers to double the length of the PINs in use, exponentially increasing the difficulty of guessing that factor.
If we accept the claim (and I am not suggesting we should merely for being asked to) by RSA that the attack was sponsored by an arm of the Chinese Communist government (let's drop the diplomatic "APT" BS), then perhaps there is another threat vector we haven't considered. As we know, plenty of counterfeit gear is manufactured in China. There is also speculation that what was stolen was not the seed database itself, but the serial-to-seed mapping algorithm. Imagine if they were able to create knock-off SecurID tokens that actually worked, then pollute the supply chain through resellers, and have them end up in organizations that are later targeted for break-ins.
It's clear from past behavior, the Chinese government and/or military are willing to take the long view on industrial espionage. I'm sure they wouldn't mind waiting for this gear to infiltrate high-value organizations. Besides, imagine if they added a few "bonus" features to the tokens, such as cellular radios, and microphones.
No, I don't have any inside information, this is all speculation on my part. This is just an angle I haven't heard anyone mention yet.
- Comments (0)
Integrating PF with Fail2ban 0.9
2011-03-20 20:27:04 by chort
Many security practitioners are familiar with Fail2ban, an application that scans log files for various types of suspicious failures and bans the source IP after too many attempts. Most users implement it to protect their Linux systems (via Netfilter/iptables and TCP wrappers), but it also includes methods for Sendmail and IPFW (FreeBSD and OSX).
What is notably missing from the above list is the wildly popular PF (Packet Filter). It was originally designed by Daniel Hartmeier to replace IPF in OpenBSD, but has since been adopted by FreeBSD, NetBSD, and DragonflyBSD. PF is widely embraced due to the simplicity and clarity of the syntax, and the comprehensive array of professional-grade features available.
Ironically, PF is probably better known now due to FreeBSD than the originating project, OpenBSD. It's somewhat startling that no one has yet included PF support in Fail2ban. It's also disappointing that Apple hasn't switched from IPFW to PF as their packet filtering firewall (hint hint).
In the spirit of the Open Source "submit a patch or GTFO" mentality, here's how you can use Fail2ban to insert rules into your PF firewall.
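The post's own patch is not reproduced on this page, so here is an added example (my own code, not chort's patch and not part of Fail2ban) of the two halves of the integration: the log-scanning half, which mirrors what Fail2ban's sshd filter does with a `<HOST>` capture and a `maxretry` threshold, and the PF half, which is the `pfctl -t <table> -T add|delete <ip>` invocation that an action file's `actionban`/`actionunban` would run against a table referenced from pf.conf. The sshd log lines are constructed, the table name `fail2ban` is an assumption, and the function only builds the pfctl argument vector rather than executing it.

```python
import re
from collections import Counter

# Constructed sshd log lines (not from a real host) exercising the scanner.
SAMPLE_LOG = """\
Mar 20 19:01:02 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Mar 20 19:01:04 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 50113 ssh2
Mar 20 19:01:06 gw sshd[1235]: Failed password for root from 203.0.113.7 port 50114 ssh2
Mar 20 19:01:08 gw sshd[1236]: Accepted publickey for chort from 198.51.100.5 port 40000 ssh2
Mar 20 19:01:10 gw sshd[1237]: Failed password for root from 198.51.100.9 port 40001 ssh2
"""

# Same shape as a Fail2ban failregex, with the <HOST> placeholder spelled out
# as a named IPv4 capture.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for .* from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def ban_candidates(log_text: str, maxretry: int = 3) -> list:
    """Return source IPs with at least `maxretry` failed logins, sorted."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match.group("host")] += 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


def pf_action(ip: str, action: str = "ban", table: str = "fail2ban") -> list:
    """Build the pfctl command an action file would run for actionban/actionunban.
    Adding an address to a PF table takes effect immediately; no ruleset reload."""
    op = {"ban": "add", "unban": "delete"}[action]
    return ["pfctl", "-t", table, "-T", op, ip]


def pf_table_rules(table: str = "fail2ban") -> list:
    """pf.conf lines that declare the table and drop traffic sourced from it.
    Assumption: they are placed before any pass rules so 'quick' wins."""
    return [f"table <{table}> persist", f"block in quick from <{table}> to any"]


if __name__ == "__main__":
    print("\n".join(pf_table_rules()))
    for ip in ban_candidates(SAMPLE_LOG):
        print(" ".join(pf_action(ip)))
```

Running the script prints the pf.conf fragment followed by one `pfctl -t fail2ban -T add 203.0.113.7` line; the host with a single failure stays under the threshold. Wiring this into Fail2ban proper means putting the pfctl commands into an `action.d` file and the regex into a `filter.d` file, which is exactly the plumbing the post is about.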
- Comments (4)
US Populace Doesn't Understand Satire
2011-03-07 14:00:44 by chort
I've been noticing a trend lately. The people participating in online "communities" these days are so blinded by the perceived inherent rightness of their beliefs that they are unable to see how their opinions are viewed by others.
This first struck me in an obvious way as I wasted a perfectly good night on Youtube a few weeks ago. I got sucked into The Key of Awesome. It's a Youtube channel that parodies pop music (fairly well, in my opinion). The creator often reads feedback on camera, most of which is facepalm-inducing. Most of the criticism goes along the lines of "dear so-and-so, I really love most of your videos, but the one about [my favorite artist] was totally ignorant! [my favorite artist] is awesome, and the fact that you made fun of them shows you don't understand their genius!"
What the hell is wrong with these people that they think any artist could be so perfect as to transcend criticism, or even caricature? They apparently have no concept of the difference between an opinion and a fact. Aside from that, if you can't even chuckle when someone adeptly roasts your idol, you have some real insecurity issues.
Another example of this can be seen in the Retarded Emails section of The Oatmeal comic. Apparently you can pick any arbitrary topic as the basis for your comedy and people will hate you for it, regardless of the obvious lack of seriousness.
This all makes me think: The massive push in the last 20 years to value self-esteem over any objective measure of merit has convinced each kid that their opinions are the only thing in the world that matters, utterly oblivious that every other human being in the world also has an opinion. We need to be teaching kids how to objectively evaluate themselves in the context of the world around them, or we are in for a future that makes Charlie Sheen look like a thoughtful critical-thinker.
- Comments (0)
Unauthenticated SSL Sends a Dangerous Message
2011-03-05 16:45:30 by chort
Recently I decided to write an application for Twitter to report changes in my friends and followers. As part of the process I went looking for a pre-built library of methods that I could use to interact with the Twitter API. I settled on python-twitter as an actively-developed solution that should keep up with changes to the API.
Due to Twitter's rocky past with SSL/TLS (henceforth simply SSL) support on their web interface, I decided it would be prudent to investigate whether their API used SSL. It turns out that it does, and it has a properly signed certificate. Then I looked at python-twitter to see if it had an option to connect over SSL, and was pleased to notice that it does by default. On a hunch I checked out the underlying library that python-twitter is using to make HTTP requests, and I was shocked at what I found.
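The failure mode the post is leading up to is a client that speaks SSL but never authenticates the server: the connection is encrypted, yet any certificate (self-signed, expired, issued for another name) is accepted, so an on-path attacker can impersonate the API. As an added example, not code from the post or from python-twitter, here is how that weak configuration and the correct one look in Python's standard `ssl` module, plus a connect helper that refuses to use a context that does not verify the peer. The only assumption is that the system CA store is available to `ssl.create_default_context()`.

```python
import socket
import ssl


def unverified_context() -> ssl.SSLContext:
    """The configuration a library that merely 'supports SSL' can end up with:
    TLS is negotiated, but the server's certificate is never checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate, or none
    return ctx


def verified_context() -> ssl.SSLContext:
    """Correct client configuration: system CA store, CERT_REQUIRED, and
    hostname matching against the certificate's names."""
    return ssl.create_default_context()


def context_is_authenticated(ctx: ssl.SSLContext) -> bool:
    """True only if the context both requires a CA-signed chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def open_tls(host: str, port: int = 443, ctx: ssl.SSLContext = None,
             timeout: float = 5.0) -> ssl.SSLSocket:
    """Open an authenticated TLS connection; raise before touching the network
    if the supplied context would not authenticate the server."""
    ctx = ctx or verified_context()
    if not context_is_authenticated(ctx):
        raise ValueError("refusing to connect: context does not authenticate the server")
    sock = socket.create_connection((host, port), timeout=timeout)
    # server_hostname drives both SNI and the hostname check; a mismatch raises
    # ssl.SSLCertVerificationError instead of silently proceeding.
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("unverified context authenticates peer:", context_is_authenticated(unverified_context()))
    print("verified context authenticates peer:  ", context_is_authenticated(verified_context()))
```

The point of `open_tls` is that it makes the unsafe case loud: a caller who passes in an unverified context gets an exception at call time rather than a connection that looks encrypted in a packet capture but proves nothing about who is on the other end.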
- Comments (2)
Stop Trying to Prevent Break-ins
2011-02-20 14:55:29 by chort
Ready for a shocker? You shouldn't be spending all those resources trying to shore-up your network against attacks. It sounds insane, but this is the conclusion I've reached after spending a week talking to some of the best and brightest minds in Information Security.
- Comments (0)
BsidesSF 2011
2011-02-19 21:07:55 by chort
I just took 3 days off from work to attend BSidesSF and the Barracuda Networks Security Wine-out, with an interlude to work the RSA Conference. The following is a rambling summary of the topics and ideas I encountered this week, along with my commentary.
- Comments (0)
Amazing Free Software and WWIPAS
2011-01-22 16:04:24 by chort
A few days ago I was using a free DNS monitoring utility called dnstop. I had found a few bugs while trying to build and run it on OpenBSD. I knew one of the authors was active on public mailing lists, so I e-mailed him to report the bugs. To my surprise and delight, he responded quickly and began investigating.
When he was unable to setup a test environment to mimic mine in a timely manner, he asked if he could login to one of my systems to verify the behavior. I gave him access to a virtual machine and a day later, after several e-mail exchanges, all my reported problems were fixed and a new version of the software was available for download. Since the software itself was free, but the maintainer had gone to considerable trouble to fix my bugs in a very responsive manner, I offered him the continuing use of the shell account as payment.
A few days later I was downloading an update to TinyUmbrella and noticed a "Donate" button on the website. I thought about how much potential hassle that utility saves me and decided to donate. It only took a minute to contribute a few dollars to the project through PayPal. These two experiences prompted me to muse on the amazing value that authors of free software deliver, and what proper compensation is. This led me to create the "WWIPAS" rule. What on Earth is that? I'm so glad you asked, read on...
- Comments (0)
My Complaint Letter to the TSA
2010-11-23 15:45:54 by chort
Surrendering my 4th amendment rights should not be a condition of travel within the United States.
With strengthening of cockpit doors and revised flight procedures to restrict cockpit access, the likelihood of a hijacking being leveraged to use an aircraft as a weapon has been drastically reduced. Couple that with passengers' realization that compliance with terrorists is not in their best interest, and the probability of any future airline attack causing more casualties than the passengers and crew on board is near nil.
This means that airplanes are not unique from sports stadiums, shopping malls, trains, buses, subways, cinemas, or scores of other kinds of venues where inflicting hundreds of casualties is possible.
We cannot create a police state where every citizen must be viewed naked or sexually groped in order to venture into public places. Stop the Security Theater with airplanes and the inconvenience to millions of people who must fly for their jobs every week.
Sincerely,
Brian Keefer
You may send your own complaint to the TSA here.
PS Of the last 3 terrorist attempts vs. aircraft going to the United States, only 67% were against passenger planes, none of them were hijackings, and none of them went through TSA security. Given those facts, do you really think drastic and invasive escalations against US citizens are necessary?
Update: Thanks to @georgevhulme for pointing out several typos. Also thanks to @mckeay for reminding me that money talks--I've stopped flying short trips (as of last year) due to TSA hassles, and have been driving instead. That takes money away from airlines, pollutes more, and (statistically speaking) causes more deaths. How is this "security" helping again?
- Comments (0)
If I Were a CSO pt1
2010-11-17 11:59:28 by chort
If I were a CSO, I'd go to firms like Securosis for analysis. Why? Because they have a no BS approach. They call out vendors for bogus claims and useless products. People who have been in the security field for a long time and have really looked critically at enterprises and vendors can spot regurgitated marketing spin a mile off. We can also tell when advice being given has no foundation in actual experience.
It seems like the vast majority of "analysis" is simply an indicator of herd mentality. I don't want to know what a bunch of people with no idea are doing; I want to know what intelligent and measurably successful people are doing. The "conventional wisdom" is often wrong. The "best practices" are rarely updated, and usually only with additions of new practices, not subtractions of outdated practices.
That sentiment is echoed by few analysts outside of Securosis, but one of them is Josh Corman from The 451 Group (which has recently hired a few common-sense folks to fill out their ranks). I'm not familiar with The 451 Group's work, but if their hiring practices are any indication (in addition to Corman, they've also picked up Wendy Nather) it's probably solid.
It's about time people started applying healthy skepticism and subject-matter expertise, rather than the modern-day version of "nobody got fired for buying IBM".
If you want to follow the Securosis guys on Twitter they are (in part): Rich Mogull, Mike Rothman, Adrian Lane, and David Mortman.
- Comments (0)
Striking a Balance on Airport Security
2010-11-16 23:44:30 by chort
There has been a lot of press and grass-roots coverage of the TSA recently, specifically revolving around the increased usage of backscatter x-ray devices and more invasive physical inspections. Various DHS and TSA officials have made statements to the effect that they're sympathetic to the complaints, but the new measures are "necessary" and they're "striking a balance" between constitutional rights and security.
When I hear someone say "strike a balance" I visualize a see-saw, or a scale of justice, where the two sides are equally weighted in order to balance them. If we were to take the comments by Janet Napolitano and John Pistole at face value, we might reasonably think they're trying to find a middle ground somewhere between completely acceptable (say, passing through a magnetometer) and totally unacceptable (like cavity searches). The problem is that there is no balance. The scale is so far tilted to the side of violating constitutional rights that even a former Director of TSA Security Operations, Mo McGowan, actually admitted these measures violate the 4th amendment.
- Comments (0)
The Problems in Certifying Software Safety
2010-11-03 14:38:57 by chort
I just finished reading @TanAtHNN's 1999 paper contrasting inspection of electrical devices and safes with software and information security products (thanks to Josh Corman for bringing it up). The paper pointed out failings of prominent technology associations in the area of certification, and indicated encryption standards (such as FIPS) as examples of how it could be done right.
Overall I think the paper raises good questions. I think you would be hard-pressed to find people in the industry (especially security researchers) who don't think companies should be held to a higher-than-current standard for information technology. I believe the paper comes up a bit short, however, in recognizing the differences between physical products and digital products.
- Comments (0)
Mandatory Use Means Your Product Sucks
2010-10-28 11:29:07 by chort
I was recently reading excerpts from an interview with Melinda Gates in the New York Times. What struck me is she forbade her children to have iPods when they asked, and instead offered Zunes. This is consistent with past articles I recall reading where Microsoft employees were criticized by supervisors for having iPods or iPhones.
It's easy to use the Microsoft examples, but I'm sure there are many others. Your initial reaction is probably along the lines of "how dare a company try to dictate what their employees use for personal entertainment", but really there is a more interesting aspect: What does it say about your products when you have to force your employees to use them?
- Comments (0)
Hard Work on Bad Design is not Commendable
2010-10-26 13:08:04 by chort
Recently I was talking with an executive about challenges they were having generating revenue from customers. The exec shared that they had some unprofitable customers, and most of the expense was in support. The problem was identified as the customers not having enough education on the product and/or not being smart enough to use it.
Since I have some experience with their product, I asked if the problem might be more due to the complexity of the product and the fact that even a training course isn't sufficient to make an administrator proficient with it. The exec admitted there are some complexities, but insisted they've been "working on it" and cited one example from long ago where they fixed a major usability issue. The exec then went on to point out how many hours the developers have been working and basically had a cheer-leading session for their efforts to roll-out new features.
Click here for the ranty bit.
- Comments (0)
Many security policies are a waste of time
2010-04-14 07:57:07 by chort
Ready for a shocker? A lot of the things your IT/Security department makes you do are stupid. According to Microsoft researcher Cormac Herley quoted in The Boston Globe, many "common sense" security practices are economically unwise. In plain English: You lose more money following a lot of security recommendations than you would by just letting the bad thing happen and dealing with the aftermath.
To continue, flip over the keyboard and read the sticky note...
- Comments (0)
Dear Apple: Please QA Parental Controls for OS X Apps
2010-04-13 20:12:06 by chort
As many people know, Apple introduced Parental Controls in Tiger. The current version in Snow Leopard allows administrators to block potentially inappropriate content, specific sites, and access to unapproved applications.
The first two work more or less how you would expect (although the error message when a site is blocked for content has been bewildering in my experience), but the application ACLs are a disaster. They prevent the application from being run if it's not approved for that user (in fact, with Simple Finder enabled you can't even see it), but it's when you try to allow a restricted user to access an application that the fun starts.
I haven't examined it in depth, but it appears that OS X adds some kind of wrapper or extended attribute to an application when you enable a restricted user to run it. The problem is that this extra layer is extremely invasive, and most of the apps I've tried to use it with simply crash. Not only do they crash for the restricted user, but they also crash for unrestricted users. It's demonstrably the Parental Controls that cause this problem, because if you Trash the app and reinstall it, leaving Parental Controls alone, the app will run fine for unrestricted users.
Parental Controls have been around since Tiger, and this problem existed for sure in Leopard (possibly Tiger, I forget when I started using the feature) and definitely still exists in Snow Leopard. So I have a simple question for Apple: Did you bother to QA this feature at all? I know I've submitted the automated reports at least a few times after OS X detected an app crash and it does include audit trail information showing that Parental Control attributes were changed for the app prior to it crashing.
- Comments (0)
You must be at least > < smart to work in IT, pt1
2010-03-31 15:17:25 by chort
Today has yielded a bumper-crop of FAIL from various organizations out there. Here is a sampling of the head-scratching stupidity.
- Comments (0)
Time for Apple to care about security
2010-03-25 14:59:39 by chort
Apple's operating system has long been considered a refuge for those sick of viruses and malware that plague Windows systems, but this reputation for safety has been widely misinterpreted to mean the design is safe. In fact, as has been widely recognized in the security community, it's the relative rarity of Apple machines on networks that simply makes them an economically uninteresting target.
Apple for their part have enthusiastically encouraged this misconception, and while they've benefited from the positive PR, they haven't actually taken the concept of safety to heart. Much like the corporation in Redmond that they delight so much in mocking, they seem determined to ignore security issues until they affect public perception.
Read on for the ownage ->
- Comments (0)
I really #$(*ing hate MacPorts now
2010-02-02 00:03:47 by chort
It took nearly 7 hours, that's right SEVEN HOURS to build the GIMP.app port (on a 2.33GHz C2D w/4GB RAM), which inexplicably included a full build of gcc4.3. Is that reeeeeeeeeeally necessary when 4.2.1 is included with Xcode? Did those 5 hours of my life have to be wasted? WHY WAS IT YOU COULDN'T JUST UPGRADE PERL???
That's not even the best part. The best part is it got all the way to the gimp-app port itself (after going through a quarter of a day worth of dependencies), and it failed. Yes, apparently there were incompatible functions, which were found three months ago! Diffs were uploaded 3 weeks ago, and 9 days ago instructions were posted for manually applying them, yet today the port was still broken when I tried to install it. Outstanding. Really nice work guys, seriously. Three months?
In case my warning didn't come in time and you actually tried to build this abomination, you need to go here for the solution. If you're even thinking about trying to install gimp-app: DON'T! There, it's like I just bought you enough time to say goodbye to half a dozen more relatives on your deathbed.
- Comments (0)
Upgrading MacPorts for Snow Leopard
2010-02-01 20:13:12 by chort
I've been a long-time user of MacPorts, from back when it was Darwin Ports and I was still using a PowerBook, in fact.
The "upgrade" for Snow Leopard is making me seriously think about looking for alternatives. Originally their site said it might be possible to use the usual selfupdate method, or to be safe do a total uninstall/reinstall. As I've been using it for years and have piles of software installed through MacPorts I didn't exactly want to blow that all away and start over, so I tried the selfupdate method.
It "mostly" worked, with several broken packages that I forced a rebuild on. Today I found one I couldn't work around: PERL. I found bug reports for it on the MacPorts site and their solution was great: rm -rf and start over. Well, that's fun! Couldn't be bothered to roll a PERL rebuild into the update script, huh?
I dutifully generated a list of all my installed packages, backed up all the existing files to an external drive, and did the rm -rf plunge...
- Comments (0)
Cyveillance IP list updated
2010-01-26 11:53:28 by chort
A while back I noticed Cyveillance, Inc were aggressively spidering my site. I found quite a few other references on the web to their anti-social behavior, including links to the recording industry's heavy-handed and borderline illegal tactics. In order to block them from my network, I compiled a list of their IPs.
It's been some time since I've actively monitored my firewall and over time the list had grown stale. I'd also previously been stymied on doing more research by my inability to figure out the nuances of some RWHOIS systems. Happily I made a breakthrough this week and I've been able to update my list, which I'll share for the good of humanity. The link above has the same list.
# Cyveillance @ Cogent
38.99.209.176/30
38.100.3.128/28
38.100.19.8/29
38.100.21.0/24
38.100.41.64/26
38.104.29.36/30
38.104.29.156/30
38.105.71.0/25
38.105.83.0/27
38.105.109.168/29
38.105.109.192/29
38.112.21.140/30
38.118.25.56/29
38.118.42.32/29
# Cyveillance @ Verizon (incomplete?)
65.213.208.128/27
65.222.176.96/27
65.222.185.72/29
# Previous(?) Cyveillance IPs
#63.146.13.64/27
#63.148.99.224/27
#63.213.208.128/27
#65.118.41.192/27
I'll try to update the text file over time to match current reality as best I can, but this blog post will go stale. I'm only putting the IPs here for spiders to find. If you want to use the list on your firewall, download the linked version. The list is admittedly incomplete since I haven't been able to reliably query Verizon for IPs (let alone other possible providers).
Updated 2010-03-28 to add 65.213.208.128/27, which came to me via a comment. Thanks for the tip!
- Comments (2)
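The list above is only useful if it is actually checked against traffic. Below is an added example (not code from the post) that parses the list in the same comment-bearing format as the downloadable text file, rejects malformed entries instead of silently widening them, and reports which lines of a web server log came from a listed network. The log lines are constructed for the example and are not real traffic.

```python
import ipaddress

# Constructed copy of the post's Cyveillance list, in the same format as the
# downloadable text file (comments and commented-out entries included).
CYVEILLANCE_LIST = """\
# Cyveillance @ Cogent
38.99.209.176/30
38.100.3.128/28
38.100.19.8/29
38.100.21.0/24
38.100.41.64/26
38.104.29.36/30
38.104.29.156/30
38.105.71.0/25
38.105.83.0/27
38.105.109.168/29
38.105.109.192/29
38.112.21.140/30
38.118.25.56/29
38.118.42.32/29
# Cyveillance @ Verizon (incomplete?)
65.213.208.128/27
65.222.176.96/27
65.222.185.72/29
# Previous(?) Cyveillance IPs
#63.146.13.64/27
#63.148.99.224/27
#63.213.208.128/27
#65.118.41.192/27
"""

# Constructed access-log lines in Apache common log format (not real traffic).
SAMPLE_LOG = [
    '38.100.21.77 - - [26/Jan/2010:11:40:02 -0800] "GET /blog/ HTTP/1.1" 200 5120',
    '192.0.2.10 - - [26/Jan/2010:11:40:05 -0800] "GET / HTTP/1.1" 200 2048',
    '65.222.176.100 - - [26/Jan/2010:11:41:17 -0800] "GET /robots.txt HTTP/1.1" 200 64',
    '63.146.13.70 - - [26/Jan/2010:11:42:30 -0800] "GET /blog/ HTTP/1.1" 200 5120',
]


def parse_blocklist(text):
    """Parse CIDR entries, ignoring blank lines and everything after '#'.

    strict=True makes ip_network() raise on an entry whose host bits are set
    (e.g. a typo like 38.100.21.1/24), so a bad line fails loudly instead of
    quietly blocking a different range than the one intended.
    """
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=True))
    return nets


def matching_network(ip, nets):
    """Return the first network in nets that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def scan_log(lines, nets):
    """Return [(client_ip, network_str)] for log lines from a listed address."""
    hits = []
    for line in lines:
        client = line.split(" ", 1)[0]   # first field of common log format
        try:
            net = matching_network(client, nets)
        except ValueError:               # malformed client field; skip it
            continue
        if net is not None:
            hits.append((client, str(net)))
    return hits


if __name__ == "__main__":
    nets = parse_blocklist(CYVEILLANCE_LIST)
    print(f"{len(nets)} active networks")
    for client, net in scan_log(SAMPLE_LOG, nets):
        print(f"{client} is in {net}")
```

Commented-out "previous" ranges are dropped by the parser, so 63.146.13.70 is not reported even though it falls in one of them; uncomment a line in the list if you decide it is still live. The same parsed list can be written back out one network per line to feed a firewall table file.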
Handy WHOIS tip
2010-01-26 08:48:31 by chort
While doing some research last night I finally figured out how to query a WHOIS server for all netblocks owned by a particular organization. For example, to find all netblocks owned by OrgID: NOC, do the following:
$ whois -a '> o !NOC'
In this case I'm using BSD whois, so the '-a' means "search ARIN". The other options are for the server. ARIN's WHOIS server interprets '>' as "show subordinate entries", the 'o' as "query for organizations", and the '!' as "search for handle or ID".
You should get output that starts like:
Resources Used By Organization:
Network Operations Center Inc. (AS21788) NOC 21788
[additional lines removed]
Linux users will need to adjust the flags passed to whois.
You can often get help from a specific WHOIS server by querying for '?'. This needs to be protected from your shell, so either backslash escape it, or wrap it in single-quotes. To get help from ARIN's WHOIS server do this:
$ whois -a \?
Final note: BSD whois doesn't appear to have a flag to force the RWHOIS protocol and different OSs have widely different ideas of what WHOIS ports are "well-known". For instance, OpenBSD has WHOIS and nothing else, while OS X has WHOIS++ and RWHOIS, but not WHOIS. FYI these are the ports:
whois     43/tcp     nicname
whois++   63/udp     # whois++
whois++   63/tcp     # whois++
rwhois    4321/udp   # Remote Who Is
rwhois    4321/tcp   # Remote Who Is
You can specify the port with the '-p' flag on BSD whois.
- Comments (0)
Blogs attract PHP scans
2010-01-24 23:54:49 by chort
I've been noticing that since I put up this blog I've been getting scans for common PHP files/site layouts. This is interesting because my main site hasn't been scanned for them at all during the same time period.
I also noticed that the majority of the spider traffic to my blog is from Baidu, in contrast with the rest of my site.
I had forgotten how fun it is to scan my webserver logs for patterns.
- Comments (0)
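The pattern-scanning the post mentions is easy to automate. The following is an added example (not code from the post) that parses combined-format web server log lines, picks out requests for paths that PHP scanners typically probe, and flags any client that asked for several distinct probe paths. The probe list is an assumed starter set, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format:
# client - user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Directories and file names that PHP scanners commonly probe for. This is an
# assumed starter list, not one from the post; extend it from your own logs.
PROBE_RE = re.compile(
    r'(?i)^(?:/phpmyadmin|/pma|/myadmin|/mysql|/wp-admin|/administrator)(?:/|$)'
    r'|\.php(?:$|\?)'
)

# Constructed log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jan/2010:23:10:01 -0800] "GET /phpmyadmin/index.php HTTP/1.1" 404 289 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [24/Jan/2010:23:10:01 -0800] "GET /pma/index.php HTTP/1.1" 404 289 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [24/Jan/2010:23:10:02 -0800] "GET /mysql/index.php HTTP/1.1" 404 289 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [24/Jan/2010:23:10:02 -0800] "GET /wp-login.php HTTP/1.1" 404 289 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [24/Jan/2010:23:12:40 -0800] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Jan/2010:23:12:41 -0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [24/Jan/2010:23:15:00 -0800] "GET /admin/config.php HTTP/1.1" 404 289 "-" "curl/7.19"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return the named fields of a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_php_scanners(lines, threshold=3):
    """Map client IP -> sorted probe paths for clients with >= threshold distinct probes.

    A single hit on a PHP path may be a stale link or a curious visitor; a
    client walking several well-known PHP locations in a row is a scanner.
    """
    probes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # unparseable line; skip, do not crash
        if PROBE_RE.search(rec["path"]):
            probes[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in probes.items() if len(paths) >= threshold}


if __name__ == "__main__":
    for ip, paths in find_php_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} probe paths -> {', '.join(paths)}")
```

The threshold is the knob worth tuning: on a site that serves no PHP at all, a threshold of 1 is reasonable, while a PHP-based site needs a higher threshold and probably a check on the 404 status so that legitimate requests for its own .php pages are not counted.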
Is mounting VMDK files really that hard?
2010-01-19 22:50:06 by chort
One of my current projects at work is to create a pre-packaged virtual appliance that potential customers can install in their VMware virtualization environment to benchmark host performance and report it back to us. The data is used to make sizing and resource allocation recommendations for virtual deployments of our product. The issue I'm stuck on is reporting the data.
Obviously the preferred method would be a phone-home capability that simply ships the data directly from the VM to one of our servers, without the end-user having to do anything. The problem is that a lot of network operators (wisely) block outgoing connections by default. This is compounded by the fact that the appliance automatically gives itself an IP address via DHCP (to make installation easier), which means firewall exceptions are a non-starter.
Since phoning home via SMTP or HTTP probably won't even hit a 70% success rate, I decided not to bother wasting time on those. The next idea was to write to a virtual floppy device, which is saved in the datastore as a .FLP file and could easily be downloaded by the end-user and e-mailed to us. A far-fetched idea (thought of by myself and another engineer on my team completely independently) is to use specially formatted DNS queries--à la Dan Kaminsky--to feed base64 encoded data to our server (since DNS queries are much more likely to be allowed through the firewall than, say, SMTP connections).
It turns out that VMware Studio apparently cannot create virtual appliances with virtual floppy drives, even if you use the command-line tools (if that's wrong, please e-mail me--the documentation doesn't seem to indicate how to do it).
My next idea was to create an additional, very small, hard disk drive and write the output to that. This actually works in practice, but it's very cumbersome to retrieve data from. We need to import the returned .vmdk to one of our VMs, which then needs to be power-cycled so it can mount the disk and retrieve the data. I went looking for easier solutions for mounting .vmdk files and found references to a VMware Disk Mount Utility, but unfortunately the most recent version was shipped with Workstation 5.5 and appears to not read virtual hardware rev 4 .vmdk files created with ESX(i).
I then found signs pointing to the VMDKmounter utility on Mac OS X, which excited me quite a lot since I use a Mac and this would make the data retrieval trivially easy. Unfortunately this utility relies on MacFUSE, which has not yet been updated to handle 64-bit kernels. I'm running OS 10.6.2 with a 64-bit kernel. Damn.
This basically means my best option for grabbing a plain text file off a .vmdk is to import it to a VM and reboot. WTF? There has to be an easier way to do this.
- Comments (0)
Second post
2010-01-18 16:25:50 by chort
- Comments (4)