Geeks in Paradise | Brian Chee » January 2007

January 30, 2007 | Comments: (0)

3rd Annual IFIP Working Group 11.9 Intl. Conf. on Digital Forensics

Held in Orlando, Florida, at the National Center for Forensic Science at the University of Central Florida, this conference was put on by an IFIP Working Group, one part of the larger organization whose mission is:

IFIP's mission is to be the leading, truly international, apolitical organization which encourages and assists in the development, exploitation and application of Information Technology for the benefit of all people.

IFIP is made up in part of TCs (Technical Committees) and WGs (Working Groups), which contribute to, and often lead, progress in the state of knowledge and the state of the art: the voluntary work of WG members is catalysed into creative synergy, with societal relevance.

I got the chance to co-author a paper on the Role of Calibration in Establishing the Foundation for Expert Testimony with Barbara Endicott-Popovsky (University of Washington Center for Information Assurance and Cybersecurity) and Deborah A. Frincke (Cybersecurity Directorate Pacific Northwest National Labs). In a nutshell, we did a bunch of testing using a Spirent Test Center regarding the actual performance issues surrounding an aggregating tap typically used for Network Forensics. In this case we started with a NetOptics 10/100 copper aggregating tap with 1Mb of buffer. The point we're trying to make is that aggregating taps can't be used blindly and investigators need to be aware of their proper use and limitations.

So anyway, our opening keynote was given by Peter "Mudge" Zatko, now with BBN Technologies and formerly CEO and Chief Scientist of L0pht. While his keynote covered quite a bit of territory, he did raise some VERY interesting thoughts:

  • Functional Fixation:
    • Given the example of holding up a quarter, he would ask a group what it was. He related how he would get statements mostly along the line of "monetary exchange item" or such. Normally he would NOT get suggestions of how it is a:
      • Decision maker, i.e. flip a coin
      • Door stop
      • screwdriver
      • etc
    • He also asked: if a new vulnerability appeared in a major operating system, what would you do?
      • Wait for the vendor to release a patch, with a set of systems possibly open to attack in the meantime?
      • Read that the vulnerability was in the DCOM routines and just desensitize these machines to DCOM attacks?

He also asked the group how many processors a typical laptop has in it. Most of us only counted CPUs. He pointed out that something like a new Mac laptop might have upwards of 50 processors in it. Heck, the old Gateway keyboards could store 128 characters per key, intended to be used for macros. What he was really trying to do was to get us to stop fixating on traditional functions and look at how IT gear could be used for malicious means.

Well, it was a great talk and we got to talk about some of the issues that the forensics community is going to have to deal with in the future. So while this is good news for malicious hackers, it's bad news for companies actually interested in protecting themselves from litigation and regulatory scrutiny.

Look for more summaries on talks from the conference by forensic professionals from around the world.

Posted by Brian Chee on January 30, 2007 08:43 PM


January 28, 2007 | Comments: (0)

Secure Linux Appliances in Your Enterprise

By now you've either seen them or read about them. Companies are selling all kinds of useful appliances based on embedded Linux. Some are for small tasks like wireless APs, mobile devices, or cell phones. Others are geared towards enterprise needs like load balancers, routers, NAS (network attached storage) and SANs (storage area networks). They all run some version of Linux or BSD. You know you have a couple of Linux geeks working for you in the IT department. Why aren't they coming up with some of these cool Linux appliances for your own company to use? The excellent Debian Router project by Vadim Berkgaut is the help that your Linux admins need to develop their very own Linux appliances.

At my company, q!Bang Solutions, we provide all types of IT solutions, but our strong suit is our solutions built upon Open Source software. Our employees have used the Debian Router Project (which we refer to as "DebRouter") to build numerous solutions, including firewalls, OSPF and BGP routers, DNS servers, and even VoIP servers. DebRouter is a cornerstone of our technology solutions.

What's great about DebRouter is that you get a fully functional Debian Linux installation. So you can add whatever software packages you want to extend the functionality of the DebRouter. This is implemented through the usual Debian package management utilities, which means that you can change a DebRouter's functionality on the fly and in the field after it's been deployed.

Another important feature of DebRouter is that it boots from a flash device like a compact flash card (via an IDE adapter) or a USB flash drive. So if there are any problems with changes you've made, a reboot takes you back to the previous known-good version of your running system. Does this mean that you lose changes you've made when power to the DebRouter goes out? No. DebRouter implements a "write to flash" function much like a hardware router or manageable switch. So you can install and configure new packages, test them out, and write your changes to the flash-based boot media if everything went well in testing. If your tests revealed there was a problem, then just reboot without writing the changes to flash and you will roll back to the same state of the filesystem that you had before your changes. This makes it extremely easy to test potentially unstable software and configuration changes. If things don't work, just reboot, and voila! Your working system is back within seconds.

This also means that the machines are harder for crackers to abuse if they succeed in infiltrating the DebRouter. If you discover that your DebRouter has been compromised, you can reboot and be rid of the cracker. Then you check for security updates from Debian, install them, write your changes, and you're back up and running. I can tell you from experience that eradicating a cracker's presence from a normal machine with hard drives whose data persists across reboots is not this easy!

The boot process of the DebRouter provides another nice benefit. DebRouter boots from flash media, creates a RAM disk, copies the flash media's filesystem to the RAM disk, and then unmounts the flash media filesystem and runs from the RAM disk. RAM is fast - a lot faster than any hard drive. So now your filesystem I/O speed is absurdly fast. So if you install the Apache web server and put up some HTML and image files, you now have one of the fastest web servers available - without the hassle of a special configuration to load your pages into a ramdisk. It can also run web scripts (such as PHP, Perl, Python, Ruby, etc.) as fast as your normal hard drive based servers do.
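The boot-from-flash, run-from-RAM cycle described in the last few paragraphs (copy flash to RAM disk at boot, test changes in the running copy, then either "write to flash" or reboot to discard them) is easy to model. The script below is an added illustration written for this post, not code from the Debian Router project: it stands in two ordinary directories for the flash card and the RAM disk, and adds one thing a defender wants before committing, a listing of every file in the running copy that differs from what is on flash, so an unexplained change is noticed before it becomes persistent. All paths and file contents are constructed for the demo.

```shell
#!/bin/sh
# Hypothetical model of a DebRouter-style boot/commit/rollback cycle.
# Two directories play the roles of the flash media and the RAM disk.
# Not the Debian Router project's own code; paths and contents are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/debrouter-demo.$$"
FLASH="$WORK/flash"      # stands in for the CF card / USB stick
RAMDISK="$WORK/ramdisk"  # stands in for the RAM disk the system runs from

# Build a constructed "flash image": a minimal filesystem with one config file.
flash_init() {
    rm -rf "$WORK"
    mkdir -p "$FLASH/etc" "$FLASH/usr/bin"
    printf 'hostname=debrouter\nospf=off\n' > "$FLASH/etc/router.conf"
    printf '#!/bin/sh\necho ok\n' > "$FLASH/usr/bin/healthcheck"
}

# "Boot": copy the flash filesystem into the RAM disk; flash is then untouched.
ram_boot() {
    rm -rf "$RAMDISK"
    mkdir -p "$RAMDISK"
    cp -R "$FLASH"/. "$RAMDISK"/
}

# Content hash of one file: sha256 where available, POSIX cksum otherwise.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# "relative-path hash" for every regular file under a tree, sorted.
tree_digest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(hash_file "$f")"
    done)
}

# Files whose content differs between the running RAM copy and flash, plus
# files present in only one of them. Empty output means nothing is pending.
ram_drift() {
    tree_digest "$FLASH" > "$WORK/flash.sum"
    tree_digest "$RAMDISK" > "$WORK/ram.sum"
    # Lines that appear in only one listing are changed, added or deleted files.
    LC_ALL=C sort "$WORK/flash.sum" "$WORK/ram.sum" | uniq -u \
        | cut -d' ' -f1 | LC_ALL=C sort -u
}

drift_count() { ram_drift | wc -l | tr -d ' '; }

# "Write to flash": persist the running RAM copy as the new boot image.
flash_commit() {
    rm -rf "$FLASH"
    mkdir -p "$FLASH"
    cp -R "$RAMDISK"/. "$FLASH"/
}

# "Reboot without writing": discard the RAM copy and start again from flash.
ram_rollback() {
    ram_boot
}

# --- Walk-through (constructed): boot, test a change, inspect, decide ---
flash_init
ram_boot
echo "after boot, files differing from flash: $(drift_count)"   # 0

# The admin turns OSPF on in the running copy only.
printf 'hostname=debrouter\nospf=on\n' > "$RAMDISK/etc/router.conf"
# A file nobody installed also turns up in the running system.
printf 'not ours\n' > "$RAMDISK/usr/bin/unexpected"

echo "pending differences before 'write to flash':"
ram_drift                      # ./etc/router.conf and ./usr/bin/unexpected

# The unexplained file means: do not commit; reboot from flash instead.
ram_rollback
echo "after reboot without writing: $(drift_count) differences"  # 0
rm -rf "$WORK"
```

On a real DebRouter the equivalent of `ram_drift` is a checksum listing of the flash image taken right after a known-good commit, compared against the running filesystem before the next write; the reboot-to-clean property only helps if nothing unexplained is written back.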

What can you build with a DebRouter? Here are a few ideas to get you started:

  • Add the Quagga routing software package to make an OSPF/RIP/BGP router
  • Install the Apache web server with Perl/PHP/Python/etc scripting environments
  • Use the Asterisk software for a cheap VoIP server for a remote office
  • NAT/Firewall
  • Web content filtering via the Squid proxy package
  • Make a captive portal system for wireless networks in cafes or other public access areas
  • DNS server using the venerable and always popular BIND software
  • Create a network sniffer with the tcpdump utility which writes data to a remote NAS or other storage device
  • Combined with a NAS (Network Attached Storage) or an NFS server, a DebRouter can do most anything.

Since most enterprises will try to install all machines in racks, I checked a couple of online vendors to see how much it would cost to build a good 1RU DebRouter machine. I found that a 1RU machine far above the minimum specs can be had for $500, including shipping. This includes a 1RU case, a motherboard with all essential functionality on board, a P4 2.8GHz CPU, 1GB RAM, and a 512MB CF card and IDE-based CF reader.

So how about a $500 router that can do RIP/OSPF/BGP? Consider both the business and technology reasons that your company might want to use a DebRouter instead of a router from Cisco or one of the other routing big boys. The business side is easy. The hardware is cheap, even for a system with generous amounts of RAM and CPU. For the price of a typical router support contract, you can buy a couple of extra DebRouters to have sitting around as spares ready to jump into action if you have a hardware failure on your primary DebRouter. Subsequent years of support contracts you don't need to buy equal money that remains in your coffers helping to fatten up your Christmas bonus next year. Of course, let's not forget that most router vendors charge extra for the advanced software like OSPF or BGP routing, or encryption software so that you can use the more secure SSH instead of the gaping security hole called Telnet to remotely connect to your router. DebRouter has all that (and so much more) for free!

On the technology side, with the screaming fast processors available today, a DebRouter can pretty well hold its own against most of the major router vendors' offerings. And it's the versatility of the DebRouter that will likely interest your techies. Did I mention that Linux does 802.1q VLANs? How about an OSPF router that does double duty as a slave DNS server? Or perhaps an edge router that also acts as a VPN concentrator with strong encryption for hundreds of tunnels?

So walk on down to IT and find those two Linux guys tucked away in their cubicles and let them loose on a Debian Router project. They should be glad to have an interesting project to work on instead of trying to recover emails that Marge from Accounting accidentally deleted the other day, and you just might get some nifty devices from them that save you some cash on your bottom line. Your Linux admins are welcome to reach out to me if they need some help or just want to share their ideas on a new use for a Debian Router.

In the future, I'll touch on embedded Linux in extremely cheap devices that are excellent for smaller tasks.
[My q!Bang Solutions co-owner Josh Kuo beat me to the punch. Read his article "Beef Up Your Wireless Router", here on the Geeks in Paradise blog.]

High Mobley
Co-Owner of q!Bang Solutions
January 28, 2007



Posted by Josh Kuo on January 28, 2007 08:46 PM


January 27, 2007 | Comments: (0)

Google Analytics is Worth a Look

Have you checked out Google's Analytics package yet? No? Why not? It's a strong web analytics package and is offered for free from Google.

Let's first address the definition of "web analytics." Wikipedia offers the following explanation which fits the parameters of this article quite well:

Web analytics is the measurement of the behaviour of visitors to a website. In a commercial context, it especially refers to the measurement of which aspects of the website work towards the business objectives; for example, which landing pages encourage people to make a purchase.

Google Analytics is not a web log file analyzer - which is a good thing. Log file analyzers are dependent upon the web server to execute the analyzer scripts on a regular basis and can get a little resource intensive for a busy site. Plus, what happens if you lose those log files due to a disk error or filesystem corruption before they are analyzed and put into the web statistics database? And what good is your log file analyzer data when you're moving to a new server platform? You would most likely have to start from scratch with your data collection.

Enter Google Analytics. It works based on small snippets of code embedded in your web pages which cause the user's browser to call a script on Google's servers which culls the pertinent information from the user's browser. So web analytics doesn't take place on your servers or use your bandwidth! There is nothing for the IT staff to monitor or maintain.

Just in case anyone is entertaining thoughts of massive Google conspiracy theories, don't fret! The data which is being noted by Google Analytics is the same data that your web browser freely and happily gives up every time it hits any web site. This includes things like what type of web browser you're using, which operating system your computer uses, etc. It's pretty innocuous stuff, and every other web site that you visit gets the exact same information from your browser, so Google's not doing anything nasty.

Don't think that a free analytics package doesn't come with serious features. In addition to the standard statistics you would expect from a good web log file analyzer, Google Analytics provides you with the ability to view trends over time with user-definable date ranges. For your marketing department, Google Analytics has user-defined goals which are reported separately. You can also define the "funnel" or chain of URLs that the user is expected to follow to reach the goal URL. This enables you to track the effectiveness of your marketing campaigns individually and see which ones are really paying off.

And if that feature sounds attractive, then you will like the fact that Google has integrated its AdWords advertising program with the Analytics program. Your AdWords keywords are automatically imported into your Analytics account. And from within the AdWords interface, you can see ROI and other metrics for each keyword you bought on AdWords. Google Analytics plays nice with the competition too. The keyword campaign comparison reports show all your keywords from all the search engines.

Like any good analytics package, Google Analytics will track a user's navigation through your web site. However, Google's package has an additional feature that I expect many people will like. You can view an overlay of your site. For each clickable link on your web page, you will see a small bar graph representation of how many clicks that particular link gets. The longer the bar, the more clicks that particular link got during the time period for which you are viewing results. Sure, it's kind of eye candy, but some people work better with visual representations, and here they have it. Speaking of eye candy, I'm partial to the Geo Targeting feature which shows a world map and places colored dots based on where your web traffic is coming from. The dots get bigger for a region which has more traffic coming to your site.

Google Analytics has a lot to offer. It's packed with useful features, and it's free. Well... kind of free. You get up to 5 million page views per month. That's a lot of page views though, and if your site will go over the 5 million views per month, then all you have to do is open an AdWords account to get unlimited page views for your Google Analytics. It's still a darned cheap option. And if your site gets that much traffic, you could pay for the AdWords account by putting up Google's AdSense advertisements on your busy site, but that's another article...

High Mobley
Co-Owner of q!Bang Solutions

January 27, 2007



Posted by Josh Kuo on January 27, 2007 10:29 PM


January 26, 2007 | Comments: (0)

Computer Security Explained for the Masses

It is often cited that the biggest issue in the fight against worms and viruses and other such malware is uneducated users. If a person doesn't understand why it's a bad thing to open email attachments from people that he doesn't know, then you can bet that he will open every attachment which comes to him. Several email clients (not just MS Outlook!) will happily open and execute any Visual Basic or batch file that a user clicks on. Then wham! - You've got an infected machine that's probably already calling home to the nasty individual who wrote the malware and now "owns" the user's computer - which you as the IT department have to go and fix...

Of course the various network security and bug tracking sites are great about announcing the security flaws and exploits that are found, but arguably their audience is only people who are already pretty savvy about security issues. So I was pleased to see an article written more for public consumption at howstuffworks.com today, entitled "What's the problem with Microsoft Word?". The author, Julia Layton, does an excellent job of explaining some computer security jargon and bringing the layman up to speed with the MS Word zero-day flaws which were recently announced. I hope that this is a sign of a new trend of educating the end user in a comprehensible language.

When I was a full time sysadmin and helpdesk tech responsible for a few hundred users and 50 servers, I struggled to explain the same topics to the many end users individually. So instead, I sent out occasional messages via email with some helpful tip on how to use their computer or a link to a web article that contained some useful information on a subject that I knew would tweak their interest. So I always had these sorts of articles bookmarked to send out to my users. They appreciated that I was trying to educate them and I appreciated that I had fewer infected machines to reformat and reinstall.

High Mobley
Co-Owner of q!Bang Solutions

January 26, 2007



Posted by Josh Kuo on January 26, 2007 02:33 PM


January 25, 2007 | Comments: (0)

Plantronics Voyager 510 BlueTooth Headset

Voyager 510 BlueTooth Headset and optional desk phone adapter.

So I've been frustrated by wanting a headset that fulfilled the promise that I saw at some of the early BlueTooth (BT) conferences. I had in mind that I should be able to have a single headset that would work with both my laptop and my mobile phone. I first heard about such a device from Paul Humfries of Avaya and then made contact with Dan Race of Plantronics while at CES 2007. The Voyager 510 comes with a very lightweight utility (Windows only, dang it) that will utilize the API for several softphones (Skype, Avaya, etc.) and a large list of mobile phones. A nice touch is an interactive compatibility guide that compares your equipment with their ever growing list of tested devices.

I first tried to pair it with my Lenovo X41's internal bluetooth, but was convinced by Dan that I really ought to use the dongle so that I could get their "advanced" feature set. Thanks Dan, now I get a soft beep whenever I go in/out of range and when I first fired up my Skype client I got a prompt asking me if I wanted to give the Plantronics software access to the Skype API. Little features like Skype autodetecting my headset, being able to answer and hang up using the Call Control Button have made my move a pleasure.

Another enterprise feature I just have to point out is called Adaptive Frequency Hopping (AFH) to allow the BT headset to hop out of the way of existing WiFi resources. I have to say that this is a piece of my kit that will travel with me at all times.

So as convergence rears its head in your organization, take a good hard look at the Voyager instead of the simple BT headsets that your mobile vendor is pushing on you. Just being able to choose the soft foam ear piece to better match the variety of human ears has made wearing this headset all day possible.

My only regret is that I should avoid bragging about this headset to my friends running Mac OS X... considering just how many Mac users do Skype and BT headsets, it seems like someone is ignoring a very fast growing market.

So now my only wish is that I could have multiple headsets able to use the same phone at the same time. A demo at a very early BlueTooth meeting had three headsets paired to a phone and we all got to use the same phone as part of the same conversation. So even in a noisy exhibit hall, the folks wearing the headsets were able to participate in the same call... might not be a bad feature for enterprise users or very definitely the construction industry.

/brian chee

Addendum from Dan Race of Plantronics:
The Voyager 510-USB integrates with enterprise softphone software from companies including Avaya, Cisco, Nortel and Skype, among others, to offer call notification and remote call answering via the headset.

The Voyager 510-USB is also compatible with consumer Internet telephony services, including AOL, MSN and Yahoo!, but remote answer/end and call notification are not yet offered.

Just FYI... here's what I'm using now. The Bluetooth USB dongle gives me connectivity into my Lenovo X41 PenTablet for Skype, and I'm now using it with a T-Mobile Dash (aka HTC S620) EDGE+WiFi phone.

Posted by Brian Chee on January 25, 2007 03:41 PM


January 18, 2007 | Comments: (0)

Inexpensive manageable desk switch

Just when I was ready to give up hope of finding a small manageable gig desk switch, I got a sample unit sent to me by my university HP rep.

HP ProCurve 1800-8G:
  • 8 ports of 10/100/1000 copper auto MDI/MDI-X switching
  • 12 volt wall wart power supply
  • Environmentals: 23F to 104F and 15-95% humidity, non-condensing
  • Froogle price range: $172 to $200; MSRP: $209

So while this is a managed switch, there isn't the normal serial console port on it. In this case you're expected to set your IP address within the 192.168.2.0/24 subnet and browse to 192.168.2.10 to get into the ProCurve web management interface.

So while you shouldn't expect a lot of advanced features, it at least does 802.1p VLAN tagging so that you can feed a trunk line to the cubicle and then break out your VoIP VLAN from your data VLAN and so forth. Considering that HP's new line of switches all have PoE on them, it sure would have been nice if this sucker could have been powered by PoE...

Here's some specs off the HP site:

Layer 2 switching
  • VLAN support and tagging: support up to 64 port-based VLANs and dynamic configuration of IEEE 802.1Q VLAN tagging, providing security between workgroups

Resiliency and high availability
  • 802.3ad Link Aggregation Control Protocol (LACP): provides link-level redundancy with support for up to 4 trunks on the ProCurve Switch 1800-8G and 12 trunks on the ProCurve Switch 1800-24G, each with up to 8 links (ports) per trunk

Quality of Service (QoS)
  • IEEE 802.1p prioritization: delivers data to devices based on the priority and type of traffic
  • Broadcast control: allows limitation of broadcast traffic rate to cut down on unwanted broadcast traffic on the network

Connectivity
  • Jumbo packet support: supports up to 9,216 byte frame size to improve performance of large data transfers

Monitor and diagnostics
  • Port mirroring: enables traffic on a port to be simultaneously sent to a network analyzer for monitoring

All in all I would have to agree with HP that this is a great way to transition away from dumb switches and get the ability to manage all the way into the cubicle. Combine that with HP's ProCurve Manager and you've got a winning combination.

Posted by Brian Chee on January 18, 2007 11:05 AM


January 12, 2007 | Comments: (0)

So where do those GPS maps come from?

So while the Global Positioning System (GPS) definitely was born of military applications, GPS applications in the civilian sector have expanded beyond anyone's wildest imagination. Heck, I normally have a GPS navigation system when I travel and have consistently been able to cut several hours off driving time when making my way around an unfamiliar city. In most cases I'm no longer afraid to cut it a bit close on appointments since I'm confident I won't be spending hours lost.

The folks at TeleAtlas have had a long list of milestones on their way to becoming one of the most popular map sources for consumer GPS & GIS products. Through the combination of using inertial navigation in combination with GPS data, TeleAtlas vans have been crisscrossing the world to create maps accurate within 5 meters in some key urban areas.

Interestingly enough this accuracy is apparently being used for some E911 (enhanced 911 emergency services) in parts of the US.

Another big change in the world of GPS is how long older GPS units take to find enough satellites to get a position fix, and that while radio signals penetrate buildings just fine (just like AM or FM radio), the weakened signal isn't always enough to get a position lock. Sirf Technology tackled the weak signal problem and has become one of the most popular GPS engines on the market today. Last year I got confused stares when I asked around about SIRF based GPS systems, but this year all the major GPS vendors have SIRF based systems.

On a geeky note, I'm hoping to get my hands on a Sirf development kit to see if I can get the open source NTP server software running with the new Sirf GPS engine so that I could possibly provide super accurate NTP sync indoors.

Brian Chee is a Senior Contributing Editor with InfoWorld Magazine and is a researcher with the University of Hawaii's School of Ocean and Earth Science and Technology (SOEST).

Posted by Brian Chee on January 12, 2007 04:16 PM


January 12, 2007 | Comments: (0)

The NOC Pet


This smart WiFi bunny can read RSS feeds, websites and blogs, and get your attention about an incoming email or IM. Created by Violet of France, the Nabaztag at first feels like a new cult toy like the pet rock, but could hop into the NOC as an unobtrusive network status indicator. Using a community based toolkit, this rabbit has an extensive API extending it beyond pet rock status into a real troubleshooting tool. Heck, it even has a Mac OS X dashboard widget. Yeah, it all sounds silly, but a Nabaztag is a lot cheaper (and smaller) than dedicating a PC to network status (i.e. 1st LED is WiFi association, 2nd LED is DNS lookup, 3rd LED is external connectivity). Using the available Ruby or PERL toolkits you can have the LEDs, voice or ears indicate just about anything about your network you want. I'm thinking I should have my rabbit get my attention for upcoming meetings, and have my bunny read me SMS messages from the wife. Hmm... maybe I could combine a Nabaztag with Violet's DAL to indicate WAN activity levels?

My only wish is that the Nabaztag web site would fix some of the broken links on their website under tools and API.

/brian chee

Brian Chee is a Senior Contributing Editor with InfoWorld Magazine and is a researcher with the University of Hawaii's School of Ocean and Earth Science and Technology (SOEST).

Posted by Brian Chee on January 12, 2007 03:14 PM


January 12, 2007 | Comments: (0)

Web Tablets, is smaller really better?

Web tablets seem to be split into pocket size like the Sony Mylo, and the Nokia 770/800 which are a bit too big for a pocket but still pretty small. I feel both seem to compromise on screen size while both being a bit too big to fit into a pocket comfortably. If I'm going to suffer with such a small screen, why not just stay with a smart phone like the S620 (aka the Dash from T-Mobile) from HTC. More to my liking was a web tablet being shown off by Pepper Computer, inc. in their booth at CES. Pepper Linux is a Fedora variant used by Hanbit for the PepperPAD, the Minibox by FIS and a touch screen LCD by DT Research.

What makes Pepper Linux different is the level of integration they've done for you. Instead of going through the learning curve on concepts like toolchains, cross compiling and flash write cycle conservation, Pepper is offering an easy to integrate web device for kiosks and other specialized internet access devices. So with relatively little effort you can have a web appliance easily customizable for your specific application.

If you really are willing to spend the time to eat the learning curve on building your own embedded application, make a visit to the folks at Linuxdevices.com.

Brian Chee is a Senior Contributing Editor with InfoWorld Magazine and is a researcher with the University of Hawaii's School of Ocean and Earth Science and Technology (SOEST).

Posted by Brian Chee on January 12, 2007 02:28 PM


January 10, 2007 | Comments: (0)

I have the Blue Tooth Blues

It's the 40th anniversary of the Consumer Electronics Show and two years since the first Blue Tooth proximity virus reared its head, and it's still too common to find mobile devices willing to accept a file transfer from anyone in the vicinity.

So while I was waiting in the press room my curiosity got the best of me and I did some simple scanning with my old iPaq H3900 with the older v1.0 Blue Tooth radio (limited distance). With at least 2 dozen devices in range, 80% of these were willing to talk to me, 80% of those were willing to accept business cards, and 10% were willing to accept a file. The sad part is that 100% of the Symbian devices in view were willing to accept a file, which would make them vulnerable to the Caribe virus specific to that mobile platform.

Information from CERT on the Caribe Virus:

So wake up folks, it's time to do just a few keystrokes to turn off the anonymous trust on your Blue Tooth devices. It's only a matter of time before someone tosses a nasty virus into the wild that targets your mobile device. It would be all too easy to cobble up a Java program that takes pictures at random times and uploads them someplace, or turns off the ringer and turns on the auto answer speakerphone so that your employees carry the proverbial bug into your meetings.

I may have only been scanning for devices with an ancient iPaq, but add a simple Pringles can antenna to a Bluetooth finder kit and you have a recipe for some long distance mischief. So it's time to update those phones and at least make sure your phone prompts you if someone sends a file at you.

Posted by Brian Chee on January 10, 2007 11:08 AM

