codeblog code is freedom — patching my itch

April 13, 2006

Bruce Schneier on attack trends

Filed under: Blogging,Security — kees @ 9:20 pm

On Wednesday I attended Bruce Schneier’s short talk about the trends of online attacks. I figure I need to take his talk with at least a small grain of salt. While he has a reputation to maintain, he also works for a security outsourcing company. That in mind, I still like reading his blog, and I enjoyed hearing him talk.

The main take-away from his talk was that attackers are more rarely “hobbyists”, and more commonly criminals. (i.e. there is profit motive rather than an interest in boasting rights.) In the same vein, worms are becoming more sophisticated, quieter, and increasingly effective, while losing their cleverness. (Criminals don’t care if their worm is lame, they don’t care if they ripped off someone else’s worm, they care that their worm is staying undiscovered and is making them money. As a result, whole families of slightly different worms are appearing.)

One thing he said, that I have a hard time believing, and if true is pretty scary, is that cyber-crime profits are now exceeding drug profits. I would love to understand what the sources for that statistic are. Beyond just phishing, beyond worms waiting for you to authenticate to banks before emptying your wallet, there is even small-scale Denial-of-Service extortion. Generally, it’s against places that are themselves on tenuous legal ground, like offshore gambling sites. “If you don’t pay us $X, we’ll DoS you again!” It’s protection money online. Wild.

The market for blackhat exploits is growing. This is reducing the time between vulnerability announcement and exploit usage. Unfortunately, in the Microsoft world, an opposite trend is happening: patch speed is slowing due to their needing to test more and more configurations, staying infinitely backward compatible. At least this has an upside that their patches are generally better and corporations are learning to trust auto-update systems. (And I think this kind of brain-share is actually good for all OS vendors.)

The commoditization (and therefore homogenizing) of hardware and software means that everyone runs the same stuff. Even the criminals. Before, generally only the various corporations had old AS/400 machines and no one really wrote attacks against them. Now stuff runs on PCs.

Overall, the attacks online are becoming increasingly more damaging financially (“criminals are good at what they do”). The volume of attacks comes from the open Internet, but the more successful attacks come from inside a private network. More worms are simply waiting for opportunity instead of beating on a network.

While some of the crime organizations have been taken down, there are still large bot networks that are continuing to grow in size even though they have no controller any more. This is truly something out of dystopic sci-fi. I don’t know why, but while I find the idea of full AIs reasonable, and totally non-intelligent systems reasonable, I find half-AI systems really creepy. They just keep doing some semi-smart thing over and over waiting until mommy comes back to tell them to do something else now.

He wound down discussing his worries for the future. He wants people thinking about VoIP security now. (Worms sniff your typing and packets already, soon they can sniff your voice.) He hinted at Digital Restrictions Management without actually saying DRM. (“Who owns your computer?” To which I thought, “I do. This is why Free Software is so important.”)

In closing he talked about security being more about usability than technology. I took that to mean “the Art of security is more about usability than technology.” I can have infinite security by just unplugging something. But that’s not very artful. Towards the goal of successful (artful) security, he wants to see service providers be ultimately liable for the financial damage. He figures this puts the motivations in the right place. It seems like the right thing to me (if credit card companies want to avoid it, it must be good for me) but I suspect there is something hidden deeper that may cause greater harm. I can’t put my finger on it, so for now, I’ll agree. :)

At one point he gave a nice view into his own world, in which he has to go twice a year and disinfect his own mother’s computer of worms. The cobbler’s children’s feet…

The end of the session was a book signing (Counterpane gave out gratis copies of Schneier’s new book “Beyond Fear”). I showed my geek by having brought a copy of “Applied Cryptography” for him to sign too. For which he was geek-prepared, and tossed in a cryptogram. Even though he does this for lots of people (Google told me later), it was fun to see it in my book; I wasn’t expecting it.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

April 2, 2006

in honor of DST: SW

Filed under: Blogging — kees @ 7:56 am

Since I’ve lost an hour to Daylight Savings Time, I thought I’d record a list of links to Alternate Star Wars Theories.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

March 27, 2006

presenting at OSCon 2006

Filed under: Blogging,Multimedia — kees @ 6:43 pm

Woohoo! I got accepted to present at OSCon again! I’m really excited about this one, too — I get to present about something non-work-related. The title of my presentation is “DVR Happiness: Gluing MythTV and TiVo together with Galleon”. Here is my proposed outline:

  1. Intro to DVRs
    • TiVo: have you been under a rock?
    • MythTV: learn all about video standards.
  2. TiVo Gets You A Lot
    • Hacked TiVos can do great things
    • Is your TiVo a tool or a toy?
    • Stock TiVos can do cool stuff too
    • ToGo: move video from TiVo to PC
    • GoBack: move video from PC to TiVo
    • MP3s: streaming from anywhere
    • Image Galleries: beyond just snapshots
  3. Galleon Gets You More
    • Implements the server-side of TiVo features
    • On-the-fly format conversion
  4. MythTV Gets You The Most
    • Making Tivo recordings available to MythTV
    • Format conversion
    • Making MythTV recordings available to TiVo
    • Mounting a MythTV filesystem with FUSE
    • Making your MythTV remote make noises
    • Short-cuts with the Linux IR daemon

EDIT: WordPress pisses me off so very much when it comes to lists, indenting, and code snippets. Some day, I will switch to something that just lets me type in HTML and doesn’t try to “fix” it for me afterwards. *fume*

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

March 5, 2006

sci-fi crew

Filed under: Blogging — kees @ 8:30 am

You scored as Moya (Farscape). You are surrounded by muppets. But that is okay because they are your friends and have shown many times that they can be trusted. Now if only you could stop being bothered about wormholes.

Moya (Farscape)
Babylon 5 (Babylon 5)
Bebop (Cowboy Bebop)
Millennium Falcon (Star Wars)
Serenity (Firefly)
SG-1 (Stargate)
Deep Space Nine (Star Trek)
Nebuchadnezzar (The Matrix)
FBI’s X-Files Division (The X-Files)
Enterprise D (Star Trek)
Galactica (Battlestar: Galactica)
Andromeda Ascendant (Andromeda)

Your Ultimate Sci-Fi Profile II: which sci-fi crew would you best fit in? (pics)
created with

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

January 18, 2006

mecha gone wild

Filed under: Blogging — kees @ 9:28 am

This has got to be the coolest use of an animated GIF ever:

walking mech

Even crazier, in Firefox, if you right-click to “View Image”, the favicon shown in the tab is animated too! I smell code re-use! That kicks ass. I wonder what level of hell I’d burn in if I made the favicon for my site animated.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

September 30, 2005

80mph blogging: 41.75095N 89.85223W

Filed under: Blogging,Networking — kees @ 11:39 am

Technology is a beautiful thing. Right now, I’m on the passenger side of a vehicle purchased in Pennsylvania, over eBay. The new owner is driving. This post is being made via a transparent proxy (via iptables) to Squid running locally on my laptop. Squid then forwards the request on to the SSH tunnel I’ve got up, which lands on a server in Texas, where another Squid is waiting for it, and handles the request. The SSH tunnel is set up over a PPP connection on top of Bluetooth to the driver’s cell phone, which is sending traffic via GPRS to his provider. I can hardly believe it works, but it’s actually rather quick.
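The laptop side of that chain (iptables redirect, local Squid, SSH tunnel, remote Squid), written out as a script; this is an added example and not the author’s actual setup. The port numbers, the `proxy` uid, and the host and user names are assumptions, since the post does not give them.

```shell
#!/bin/sh
# Added example, not from the original post: wiring for the proxy chain described above.
# Assumed values: local Squid on 3128 running as uid 'proxy', the SSH tunnel's local end
# on 8080, a remote Squid on 3128, and placeholder host/user names.
# DRY_RUN=1 (the default) only writes the fragments; DRY_RUN=0 as root applies them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
OUT="${OUT:-$(mktemp -d)}"
REMOTE_HOST="${REMOTE_HOST:-tunnel.example.org}"   # placeholder for the server in Texas
REMOTE_USER="${REMOTE_USER:-user}"                 # placeholder
SQUID_UID="${SQUID_UID:-proxy}"                    # uid the local Squid runs as

# Local Squid (Squid 2.6-era syntax; newer releases spell the port option 'intercept'):
# accept redirected connections, hand every request to the tunnel endpoint as a parent,
# and never fetch directly, so no request leaves the laptop outside the SSH session.
squid_conf() {
    cat <<EOF
http_port 127.0.0.1:3128 transparent
cache_peer 127.0.0.1 parent 8080 0 no-query default
never_direct allow all
http_access allow localhost
http_access deny all
EOF
}

# Transparent redirect: locally generated TCP connections to port 80 are steered into
# Squid. Loopback is left alone and Squid's own uid is excluded, otherwise a direct
# fetch by Squid would be redirected straight back into Squid.
nat_rules() {
    echo "iptables -t nat -A OUTPUT -o lo -j RETURN"
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $SQUID_UID" \
         "-j REDIRECT --to-ports 3128"
}

# SSH tunnel carried over the PPP/Bluetooth/GPRS link: local 8080 lands on the remote
# Squid's 3128. The carrier and anyone on the air link see only the encrypted SSH stream.
ssh_tunnel() {
    echo "ssh -N -f -L 127.0.0.1:8080:127.0.0.1:3128 $REMOTE_USER@$REMOTE_HOST"
}

# Writes squid.conf and bringup.sh into $OUT, applies them unless DRY_RUN=1, prints $OUT.
main() {
    squid_conf > "$OUT/squid.conf"
    { echo "#!/bin/sh"; echo "set -e"; nat_rules; ssh_tunnel; } > "$OUT/bringup.sh"
    if [ "$DRY_RUN" != "1" ]; then
        sh "$OUT/bringup.sh"
    fi
    echo "$OUT"
}

main
```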

Additionally, I’ve got my wireless card scanning for networks in kismet, with a USB-to-serial converter plugged into my GPS, with gpsd running, and gpsdrive telling us where we are. (And, of course, we’re downloading maps for gpsdrive via the previously mentioned abomination of a network connection.)

We just finished searching for hotels on the western edge of Nebraska that have free wireless Internet access.

Kick ass. I am such a geek.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

September 27, 2005

review of Serenity

Filed under: Blogging — kees @ 10:40 pm

I should admit first that I’m biased. I loved Firefly, but having seen the movie twice now, I think I can attempt to talk about the movie from the perspective of someone who doesn’t know the whole back-drop of the Firefly universe.

The number of characters seems like it would be overwhelming, but I think their unique aspects quickly become clear. Simon’s transition from escape artist to ship’s doctor seems a little jarring, but I think it’s easily overlooked. The interactions between the rest of the characters are quickly developed with strong dialog. I’ve seen other reviews that say the characters are “too thin”, but I’d argue that they’re much better than that because they follow classic stereotypes without common interactions. For example, the First In Command is married to The Pilot, The Captain can barely control his crew, The Doctor and The Mechanic are endlessly avoiding their shared sexual tension, etc. The relationships may be stereotyped, but the matching of relationship to the specific character type, I think, is novel.

The story is quick, and develops in easy-to-understand steps, picking up a smooth speed right through the end of the movie. It was kind of like falling, with a “wheee” turning into “whoaaa” turning into “oooh shiiiit”. But at the same time, all the tension was always marked with humor to bring you back and make you enjoy the characters. After the first intense confrontation and edge-of-your-seat high-speed escape from certain death, the crew is trying to catch their breath and someone says, “Is everyone okay?” River responds, “I swallowed a bug.”

I will see this movie over and over. I love it, the score made me nearly cry, and I got shivers at least 4 separate times. If I reviewed a lot of movies, I would rate things in “shivers” not “stars”. A scene so good that it gives me the creeps, or fills me with awe. That’s why I go see movies, and Serenity gave me plenty of good shivers.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

September 23, 2005

a week of serenity

Filed under: Blogging — kees @ 11:23 pm

Looks like I’ve been given a chance to screen the final cut of Serenity on Monday! In exchange, I’m posting the synopsis they’re using:

Joss Whedon, the Oscar® – and Emmy – nominated writer/director responsible for the worldwide television phenomena of BUFFY THE VAMPIRE, ANGEL and FIREFLY, now applies his trademark compassion and wit to a small band of galactic outcasts 500 years in the future in his feature film directorial debut, Serenity. The film centers around Captain Malcolm Reynolds, a hardened veteran (on the losing side) of a galactic civil war, who now ekes out a living pulling off small crimes and transport-for-hire aboard his ship, Serenity. He leads a small, eclectic crew who are the closest thing he has left to family — squabbling, insubordinate and undyingly loyal.

I think a much better synopsis would simply be:

Oh my god! Go see this movie! Don’t walk, run!

To help blogviewers write up stuff on Serenity, we’ve been given access to a TON of images too. There’s some great stuff in here. Half of it is in .sit files, the other half in giant .psd files. Here are some cool snaps of Summer I’d never seen before, and an early logo design. Nothing beats my backgrounds [1920×1200, 1600×1200], though.

early logo

I’m going to have to dig through all this stuff. There are movie posters for bus shelters, LCD panel screens, Dark Horse comics logos, all kinds of stuff. Even mechanical drawings, I think. Too bad there aren’t any native .sit expanders for Linux that handle the modern .sit formats. I’d love to see what’s in the mechanicals directory.

On Saturday, I’m headed to the PDX Browncoat’s Firefly Episodes Benefit. Monday is the Serenity screening, and then Friday the full release! Yay! :)

© 2005 – 2015, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

June 26, 2005

scene diving

Filed under: Blogging — kees @ 6:05 pm

If it hasn’t already got a name, I’m going to coin the phrase “Scene Diving”, because that’s the best way I can describe it. By “scene”, I don’t mean an arrangement of furniture and people on a stage. I mean a group of people interested in a certain common idea, and all the things associated with their communication and productivity. By “diving”, I mean “information diving”, which was probably best outlined in Neuromancer. This is just another “involvement” analogy that uses water (“get your feet wet”, “in over your head”, “jump in at the deep end”, etc). I like this because it makes information a tactile thing that you have to navigate. With all the cyberpunk I’ve read, “diving” into information has such a romantic feel to it. Also, the idea that you’re out of your natural element, and that you’ll have to return to the surface at some point is very apt. It sets this apart from joining a scene.

Scene diving is something I’ve noticed I do a lot of, since there are so many subcultures in the online world. It may just be stating the obvious, but I think it feels like a specific skill. I’ve had people ask me in the past to find things for them, and I tried to show them how I’d go about it, but they weren’t interested in it, or didn’t have the patience. At its core, scene diving is just research. It’s really a form of applied research, but it isn’t something that could be done very easily prior to the Internet because of one critical element: communication.

The communication (or rather, language) of a scene is very specific. For example, it’s not immediately obvious to the average person what “BSG” stands for. But if you’re researching the backstory differences between the original and new Battlestar Galactica television series, you’ll find this acronym a lot, and the meaning becomes obvious. If your subculture isn’t online, there is no way for an outsider to observe your language without joining the subculture. This kind of communications research is much more voyeuristic.

Continuing the example, I really like a lot of Science Fiction. I’m a big fan of Star Wars, Star Trek, Doctor Who, BSG, etc. However, I don’t really have a lot of time (or, honestly, interest) to dedicate to these individual subcultures. I’ll watch Star Trek religiously, but I can’t tell you any of the characters’ middle names, and I don’t know starship registry numbers off the top of my head. I used to think that meant I didn’t like these shows as much as other people, and that somehow meant I was missing something. It took a while for me to realize that I’m not missing anything, for the very reason that I’m not interested in that level of involvement.

However, there are some things I want to get out of a scene. I have always been fascinated by Star Wars Stormtroopers. Several years ago, I scene-dove and found out how to get myself some white armor. It’s very cool. Recently, I got it into my head that I wanted my very own TARDIS, and scene-dove until I had measurements, parts lists, etc. I still don’t have a TARDIS, but I think that’s because I can’t foresee having the time to build one. I really wanted to see the new Serenity movie from the Firefly series. Again, I scene-dove, and came away with the tickets I needed. My level of involvement in any of these subcultures is rather low, but this kind of diving doesn’t seem to be something a lot of people do. Other people tend to join just a few scenes and maintain a very high level of dedication and time investment. Perhaps I’m just too scattered to stay interested in one thing. Whatever the case, it seems that there is a skill to scene diving, and I enjoy using it. I’ve also met some extremely cool people as a result.

For me, the basic outline for successful scene diving is:

  1. Research the top layer via Google
    • “Public information” sites
    • Discussion forums
  2. Learn the language
    • Abbreviations
    • Build your own FAQ — answer any questions you have on your own
  3. Find stuff not out in the open
    • Share resources
    • Be useful to other members of the scene

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

June 6, 2005

my first podcast

Filed under: Blogging — kees @ 4:55 pm

I got invited to talk about Device::SerialPort on the weekly PerlCast. I discuss a little bit about the purpose and history of Device::SerialPort, as well as some cool things I know it’s been used for. I get to tell my favorite (short) story about the person in the furthest geographical location from me I’ve ever been in contact with. I had a lot of fun making my 4 minute talk. :) It kind of gives me some practice with what I’m going to be doing for OSCON. Except that OSCON will be several orders of magnitude longer, and I won’t be able to edit out my glaring mistakes.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

May 6, 2005

O’Reilly OSCon ’05

Filed under: Blogging — kees @ 7:32 am

I am so excited! I’m going to be a speaker at OSCon this year. I’ve never been a speaker anywhere! I’m gonna be so nervous it’s insane. I really hope it all goes well, but I still think it’s intimidating to be surrounded by so many experts in so many fields. I know I have a lot of email/spam/filtering experience (and a little Python), but there are plenty of other people who have more. I just happen to be talking about it. I hope they don’t beat me up during my talks. :) If I teach one thing to one person, I’ll see it as a success. I’d suspect I’m going to learn a lot too. “Why didn’t you do it this way?” “Uh, because I didn’t think of it! Thanks!”

Oh, so nervous. Yeow.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

April 21, 2005

officially an RSS junkie

Filed under: Blogging — kees @ 6:23 am

Well, I think I’m officially an RSS junkie. I had ignored RSS for so long, I nearly forgot about it, but when I was shown, I was reminded how powerful RSS is. Figured it was once again time to look around for an aggregator I could use. (Although I still think polling is a bad design for event management.)

Most of the reason I had ignored RSS was because every aggregator I had tried was buggy or had a frustrating interface. I guess enough time has passed, and when I tried straw a few days ago, it worked perfectly well. So, I started collecting all the RSS feeds from all the websites I’d been collecting on my Firefox tab bar. It was getting pretty big, and I hated having to reload every tab each morning.

I realize I’m way late to the party on this, but I still think it’s great fun. I even hunted down a little RSS writer for my Photo Blog and got it built in so I could aggregate it too. :) (And it’s really cool to add Creative Commons tags to each and every thing in the RSS feed.)

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

January 3, 2005

Blog Switchero

Filed under: Blogging — kees @ 11:02 pm

Well, the rewrite rules for drupal started pissing me off, so I’ve switched again! This time, I’m back to WordPress. I must have been crazy when I first looked at it. The SSL trouble I was having was my own fault (which, I’m sure is true of Drupal’s rewrite rules too). The reason I’m really switching, though, is that WordPress, I think, has a much cleaner interface to the editing and template editing. I need to find a better skin for it, but for now, the default will do just nicely.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

January 1, 2005


Filed under: Blogging,Security — kees @ 11:56 pm

Well, after messing around with WordPress for a little while, I switched to Drupal. WordPress is pretty cool, and all I really wanted was a nice Blog system. Drupal is a bit of overkill for that, but it seems more mature. WordPress really didn’t like being put onto an HTTPS server, so that made it a pretty poor choice for me.

Before getting a huge list of Blogs from the folks on the inkscape channel (thanks guys!) I had briefly tried Simple Blog System, and ran screaming from it. There were at least 3 types of security holes in it. I only noticed because I saw one within the first 10 lines of index.php. I’m not sure how far I trust Drupal, but at least it correctly deals with PHP magic quotes.

Check out Open Source CMS for a list of all the various CMS software out there. Kinda handy if you have an entire day to blow looking through all the stuff.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
