August 2004 Entries

The Little Things

I had lunch with my friend Mixa the other day, who works in the same building I do (for another week or so). While he's a network geek like me, our lunch conversation revolved almost entirely around Vietnamese history (he's Vietnamese, and minored in Vietnamese history while at university in the US!), and how ignorant it was for a Vietnamese restaurant to call itself “An Nam” (Peaceful South).  Apparently “An Nam” is what the Chinese used to call Vietnam while they had it under their boot, so many Vietnamese find the moniker offensive. I was fascinated, of course, because I love history as...

Quentin Tarantino Has A Blog

So I stumbled across Quentin Tarantino's new blog while I was waiting for the sleeping pills to kick in tonight.  There seems to be some doubt as to its authenticity, but let me offer a brief snippet from a post regarding the ongoing question surrounding the possibility of a 3rd installment of Kill Bill, which would probably follow the efforts of Vivica Fox's daughter to avenge her mother's death at the hands of The Bride: If I get the chance...fuck yeah I'd do it...but basically right now I've got my whole career for the next twenty years planned out. I want...

Comments are back

I inadvertently broke comments when I enabled the site search functionality.  It's all fixed now.

Regret

I saw a very bad case of child abuse tonight, and couldn't do anything about it.  And it makes me ill. After hooking up with a friend from work to pick up a 24u enclosure for my home office (I'll blog about that some other time), I shot over to the best Italian restaurant on the Eastside, Cafe Veloce, for some of their legendary fettuccine alfredo.  After dinner, I was leaving the parking lot and spotted a very angry guy standing outside his Honda in a very agitated state.  He tossed something that looked like a diaper into his trunk, then...

Stupid Things Microsoft Does

So I decided to upgrade my primary firewall here at bmonday(dot)com to ISA2004.  I've been running ISA2000 for a long time, and I've been really happy with it.  But there were some new features available with 2004, so I figured I'd upgrade and check it out. The installation went pretty smoothly until, about halfway through, it had a problem reading a file off my CD.  So I ended up aborting the installation and copying the CD to the local disk before trying the installation again. The abort seemed to go alright; it even said it was backing out all...

Site Update

Just a quick note of a couple changes to the site here: Site Search is now enabled, thanks to Google.  You can search the site using the Site Search section at the bottom of the right-hand column. I changed the way the images are displayed in the Image Galleries.  I really was not a fan of how the captions didn't display when looking at the thumbnails.  Apparently I wasn't alone, because another .Text user made a custom .aspx file that displays the caption underneath each image's thumbnail, which is much more useful.  I have a lot of cool pics in the Image...

Microsoft's File Checksum Integrity Verifier

Microsoft put out a new command-line tool called the File Checksum Integrity Verifier (FCIV) earlier this year.  FCIV allows you to compute file hashes system-wide, and compare them to previous results using XML databases: The File Checksum Integrity Verifier (FCIV) is a command-prompt utility that computes and verifies cryptographic hash values of files. FCIV can compute MD5 or SHA-1 cryptographic hash values. These values can be displayed on the screen or saved in an XML file database for later use and verification. I am going to play around with this a bit, and see if it can be worked into FirstOnScene.  Regardless, I will...
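As an added example (not FCIV, and not anything from FirstOnScene), the same baseline-then-verify workflow in PowerShell: one function walks a tree and writes a hash database, the other re-hashes the tree and reports files that are new, changed, or missing. It assumes PowerShell 4.0 or later for Get-FileHash, uses CliXml rather than FCIV's own XML schema, and the paths in the usage comments are placeholders. It defaults to SHA-256 because MD5 and SHA-1, the only two algorithms FCIV offers, are no longer collision-resistant.

```powershell
# Added example, not FCIV itself: build a baseline of file hashes as XML and
# later verify the tree against it. Assumes PowerShell 4.0+ (Get-FileHash).
# Paths are assumptions; point it at the tree you actually want to monitor.

function New-HashBaseline {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaselineFile,
        [ValidateSet('MD5', 'SHA1', 'SHA256')][string]$Algorithm = 'SHA256'
    )
    $entries = Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue
            if ($h) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Hash      = $h.Hash
                    Algorithm = $Algorithm
                    Size      = $_.Length
                    Written   = $_.LastWriteTimeUtc
                }
            }
        }
    # CliXml round-trips the objects as-is; FCIV's own XML schema is different.
    $entries | Export-Clixml -Path $BaselineFile
    return @($entries).Count
}

function Test-HashBaseline {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaselineFile
    )
    $baseline = @{}
    foreach ($e in (Import-Clixml -Path $BaselineFile)) { $baseline[$e.Path] = $e }
    $algorithm = ($baseline.Values | Select-Object -First 1).Algorithm
    $seen = @{}
    $findings = foreach ($f in Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue) {
        $seen[$f.FullName] = $true
        $h = Get-FileHash -Path $f.FullName -Algorithm $algorithm -ErrorAction SilentlyContinue
        if (-not $h) { continue }                     # locked or unreadable file
        $old = $baseline[$f.FullName]
        if (-not $old) {
            [pscustomobject]@{ Status = 'NEW';     Path = $f.FullName }
        } elseif ($old.Hash -ne $h.Hash) {
            [pscustomobject]@{ Status = 'CHANGED'; Path = $f.FullName }
        }
    }
    $missing = $baseline.Keys | Where-Object { -not $seen.ContainsKey($_) } |
        ForEach-Object { [pscustomobject]@{ Status = 'MISSING'; Path = $_ } }
    return @($findings) + @($missing)
}

# Usage (paths are assumptions):
# New-HashBaseline  -Path 'C:\Windows\System32' -BaselineFile 'D:\baseline\system32.xml'
# Test-HashBaseline -Path 'C:\Windows\System32' -BaselineFile 'D:\baseline\system32.xml' |
#     Format-Table Status, Path -AutoSize
```

Two caveats apply equally to FCIV: the baseline is only as trustworthy as where you keep it (an attacker with admin rights on the box can regenerate it, so store it off-host or sign it), and hashing from the live OS trusts that OS's file I/O, so a rootkit that filters reads can hide a modified file from both tools.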

Google makes me giggle

I couldn't help but laugh out loud when I was looking through my referrer logs and discovered that a Google search for “faster data transfer rates” will suggest my post about the surprising speed of the pigeon protocol.

FirstOnScene, v1.3

Sorry for the number of updates I have made to FirstOnScene since I released it 2 weeks ago.  The truth is, I use it myself almost daily, and I am finding a lot of ways to improve it.  I think once I add registry dumps in the next version, development will slow down a little.  I still haven't decided whether I am going to dump the registry manually, or use an existing tool. FirstOnScene 1.3 adds support for detecting scheduled tasks, both those configured as “at” jobs, and those using the modern Scheduled Tasks facility.  This check will always be performed, no...
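An added example of the scheduled-task check, written in PowerShell and not taken from FirstOnScene: it enumerates every task, looks at each task's actions, and flags the ones a responder would want to read first. It assumes Windows 8 / Server 2012 or later for the ScheduledTasks module (on XP/2003, where this post's "at" jobs lived, the equivalent data comes from schtasks /query /fo CSV /v, and at jobs sit in %SystemRoot%\Tasks as AtN.job files, which the last part of the script lists). The trusted-root list and the argument pattern are assumptions, not anything the original tool used.

```powershell
# Added example, not FirstOnScene's own check: list scheduled tasks and flag the ones
# worth a closer look. Assumes the ScheduledTasks module (Windows 8 / Server 2012+).

function Get-SuspiciousScheduledTask {
    param(
        # Directories an action is expected to run from (assumption; tune per environment)
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }    # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $inTrusted = $false
            foreach ($root in $TrustedRoots) {
                if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            $reasons = @()
            if (-not $inTrusted) { $reasons += 'action outside trusted roots' }
            if ($task.TaskPath -eq '\') { $reasons += 'registered at root of task library' }
            if ($task.Principal.UserId -match 'SYSTEM' -and $task.TaskPath -notlike '\Microsoft\*') {
                $reasons += 'runs as SYSTEM outside \Microsoft\'
            }
            # Script hosts and LOLBins in the arguments are a common persistence pattern
            if ($action.Arguments -match '(?i)powershell|cmd(\.exe)?\s+/c|-enc|wscript|cscript|mshta|rundll32|regsvr32') {
                $reasons += 'script/LOLBin launcher in arguments'
            }
            if ($reasons.Count -gt 0) {
                $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    State   = $task.State
                    Execute = $exe
                    Args    = $action.Arguments
                    RunAs   = $task.Principal.UserId
                    LastRun = $info.LastRunTime
                    NextRun = $info.NextRunTime
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

# Legacy job files (including at.exe's AtN.job on older systems) live under %SystemRoot%\Tasks
function Get-LegacyJobFile {
    Get-ChildItem -Path "$env:SystemRoot\Tasks" -Filter '*.job' -File -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTimeUtc
}

Get-SuspiciousScheduledTask | Sort-Object Task | Format-Table -AutoSize -Wrap
Get-LegacyJobFile | Format-Table -AutoSize
```

The heuristics will flag legitimate vendor tasks too; the point is to shrink the list to what needs a human, not to make a verdict. Tasks that are disabled still count, since re-enabling one is a quieter move than registering a new one.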

Good News From Iraq, Vol. 8

Arthur Chrenkoff has posted an update in his series Good News From Iraq.  His series is now also being published in The Wall Street Journal's Opinion Journal. It's always worth the time.

A word about SP2's security

Articles are starting to appear on the Internet about how silly Windows XP's upgraded firewall is, since it focuses almost entirely on blocking inbound connections and doesn't really care much about outbound. The most loyal of my readers will remember me cautioning Microsoft against doing anything about outbound traffic.  Why?  Because the ability for a user to do what they want to do with their computers will ALWAYS trump security.  Read my arguments from last November. Couple that with the unwillingness of software developers to write software that can be properly secured, and support departments all too eager to tell customers to...

FirstOnScene: Version 1.2 is now available

Just a quick post to announce the immediate availability of version 1.2 of FirstOnScene, the 10-second forensic data gatherer (actually it runs in about 3 seconds on my servers at work, in the default configuration). I have added an option to scan the local file system for files changed in the last n hours (use the /modified: option).  There are a couple of command-line tools that do this already, but they are kind of a pain to work with.  So I ended up writing the majority of this myself, with help from a couple of timely file system parsing algorithms from the...
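As an added example rather than FirstOnScene's own implementation of /modified, a PowerShell version of the "changed in the last n hours" sweep. It goes a little beyond the option described above: it matches on creation time as well as last-write time, skips a few directories that churn constantly, and marks files whose timestamps look tampered with. The exclusion list and the timestomp heuristics are assumptions.

```powershell
# Added example, not FirstOnScene's /modified code: find files changed in the last
# $Hours hours and flag timestamps that look manipulated. Run elevated for full coverage.

function Get-RecentlyModifiedFile {
    param(
        [double]$Hours = 24,
        [string[]]$Roots = @("$env:SystemDrive\"),
        # Noisy directories to skip (assumption; extend for your environment)
        [string[]]$ExcludeLike = @(
            "$env:SystemRoot\WinSxS\*",
            "$env:SystemRoot\SoftwareDistribution\*",
            "$env:SystemRoot\Prefetch\*"
        )
    )
    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $f = $_
                ($f.LastWriteTimeUtc -ge $since -or $f.CreationTimeUtc -ge $since) -and
                -not ($ExcludeLike | Where-Object { $f.FullName -like $_ })
            } |
            ForEach-Object {
                # Two cheap timestomping tells, both heuristics:
                #  - written before it was created (also true of copied files, so expect noise)
                #  - last-write time with no sub-second component, typical of a SetFileTime
                #    call made with whole-second values
                $writtenBeforeCreated = $_.LastWriteTimeUtc -lt $_.CreationTimeUtc
                $wholeSecondWrite     = ($_.LastWriteTimeUtc.Ticks % 10000000) -eq 0
                [pscustomobject]@{
                    Path       = $_.FullName
                    Size       = $_.Length
                    Created    = $_.CreationTimeUtc
                    Written    = $_.LastWriteTimeUtc
                    Suspicious = $writtenBeforeCreated -or $wholeSecondWrite
                }
            }
    }
}

# Usage: everything touched in the last 6 hours, suspicious timestamps first
Get-RecentlyModifiedFile -Hours 6 |
    Sort-Object -Property @{ Expression = 'Suspicious'; Descending = $true }, Written |
    Format-Table Path, Written, Created, Suspicious -AutoSize
```

Both flags are leads, not proof: the reliable check is to compare the $STANDARD_INFORMATION timestamps this script sees against the $FILE_NAME timestamps in the MFT, which common timestomping tools do not touch.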

Dana Fixes NMap

Dana Epp took it upon himself to produce a quick patch that will get NMap back in operation, without using Raw Sockets. Score one for open source!

Microsoft Whitepaper: Changes to Functionality in XP SP2

Microsoft has recently published a detailed paper about the major changes in functionality introduced by the final version of Service Pack 2.  It's a must-read, especially if you are on the hook to roll this out across an enterprise.

Blaster Copycat Pleads Guilty

According to this article in USA Today, 19-year-old Jeff Parsons pleaded guilty in a Seattle courtroom today to charges of taking the original Blaster worm, modifying it, and re-releasing it back into the wild.  His variant infected an estimated 48,000 systems before it was contained. Young Mr. Parsons is expected to receive 18-36 months in prison, in addition to paying millions of dollars in restitution.  His life is ruined.  Hope he had a good time. Sound harsh?  Nope, not in my book.  We need to set a few examples.  Maybe the thought of a few years of “pound you in the ass” prison will make these...

SP2 for XP Breaks NMap, Fyodor Reports

My friend Mixa was kind enough to forward me a post made by Fyodor on the nmap-hackers mailing list about SP2's removal of Raw Sockets support breaking most of NMap:

Date: 8/11/2004 12:31:23 -0700
From: Fyodor
To: nmap-hackers@insecure.org
Subject: Windows XP SP2 incompatible with Nmap

This is just a heads-up that most Nmap functionality will not work on the just-released Microsoft Windows SP2. Why? Microsoft apparently broke it on purpose! When an Nmap user asked MS why security tools such as Nmap broke, MS responded[1]: "We have removed support for TCP sends over RAW sockets in SP2. We surveyed...

Thanks Richard

Every once in a while (if you're lucky, more often if you're not), you come across someone pointing out such a fundamental flaw in reasoning that it makes you smack your head and wonder why you've been doing it for 10 years.  It's such an obvious flaw when it's pointed out, but you've done it for so long out of habit that it never occurred to you to question it. Such an epiphany came to me while reading Richard Bejtlich's new book, The Tao of Network Security Monitoring (awesome book, by the way). The crime? For 10 years now, in every single firewall installation I've been...

SwiftVets Fire Back

Last week, the Kerry campaign threatened to sue any media outlets that aired a series of commercials produced by the Swiftboat Vets for Truth, an organization made up of hundreds of swiftboat crewmen who served with John Kerry in Vietnam. The SwiftVets responded with a devastating open letter to the media, detailing evidence supporting every claim they make in the commercials. I think Kerry is going to regret making his 4 month stay in Vietnam a centerpiece of his campaign. If you haven't seen the commercials, you should.

XP Service Pack 2 is out

I'm downloading Service Pack 2 for Windows XP as we speak, from MSDN. 

FirstOnScene, Version 1.1

I added auto-run scanning support to version 1.1 of FirstOnScene, which is now available here.  The auto-run feature scans the registry and file system for known auto-run facilities that are commonly used by trojans.  It's an option that you have to invoke by specifying “/autoruns” on the command line.  For more information about this feature, see this blog entry.  AutorunScanner is a stand-alone version of the /autoruns feature in FirstOnScene.  The core code is identical. I also changed the execution order when calling for a dd image of the system memory with the /m option.  It now runs first thing, when requested.  This way, the...

Tool Announcement: AutorunScanner.vbs

I couldn't find a good command-line autorun scanner for FirstOnScene, so I went and wrote one in vbscript.  Yes, that's why I'm still up at 2AM in the frickin' morning.  You know how many ways there are to get a trojan to automatically launch itself these days?

Features:
- Scans dozens of registry entries, in HKLM and HKCU
- Checks startup folders in every user profile on the disk
- If there is anything in Autoexec.bat or Config.sys, it will warn you
- It checks various win.ini and system.ini files for RUN and LOAD directives
- It checks for out-of-place explorer.exe files (man, that's a bad one)
- Checks some other stuff too

You can...
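An added example, in PowerShell rather than VBScript and not AutorunScanner.vbs itself, covering the locations the feature list above names: the Run-style keys in HKLM and in every loaded user hive (so profiles other than the current user are covered), the Winlogon Shell and Userinit values, each profile's Startup folder, non-empty Autoexec.bat/Config.sys, run=/load= lines in win.ini and system.ini, and explorer.exe files outside the places Windows installs it. The key list and the explorer.exe allowlist are assumptions. Run it elevated; user hives that are not loaded (profiles not logged on) would need to be loaded with reg load first, which this script does not do.

```powershell
# Added example, not AutorunScanner.vbs: walk the common autorun locations and emit
# one object per entry found. Run elevated so every hive and profile folder is readable.

function Get-AutorunEntry {
    $runKeys = @(
        'Software\Microsoft\Windows\CurrentVersion\Run',
        'Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'Software\Microsoft\Windows\CurrentVersion\RunServices',
        'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # HKLM plus every loaded user hive under HKEY_USERS (skip the *_Classes hives)
    $hives = @('HKLM:') + @(Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })
    foreach ($hive in $hives) {
        foreach ($key in $runKeys) {
            $path  = "$hive\$key"
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -in $psNoise) { continue }
                [pscustomobject]@{ Source = $path; Name = $p.Name; Value = $p.Value }
            }
        }
    }

    # Winlogon Shell/Userinit: a classic place to chain a trojan in front of explorer.exe
    $wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    foreach ($n in 'Shell', 'Userinit') {
        if ($wl.$n) { [pscustomobject]@{ Source = 'Winlogon'; Name = $n; Value = $wl.$n } }
    }

    # Startup folders for every profile on disk, plus the all-users folder
    $startupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    $startupDirs = @(Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName $startupRel })
    $startupDirs += "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object { [pscustomobject]@{ Source = "Startup:$dir"; Name = $_.Name; Value = $_.FullName } }
    }

    # Legacy ini directives and boot files: anything present at all is worth a look
    foreach ($ini in "$env:SystemRoot\win.ini", "$env:SystemRoot\system.ini") {
        if (Test-Path $ini) {
            Select-String -Path $ini -Pattern '^\s*(run|load|shell)\s*=\s*\S' |
                ForEach-Object { [pscustomobject]@{ Source = $ini; Name = "line $($_.LineNumber)"; Value = $_.Line.Trim() } }
        }
    }
    foreach ($boot in "$env:SystemDrive\autoexec.bat", "$env:SystemDrive\config.sys") {
        if ((Test-Path $boot) -and (Get-Item $boot).Length -gt 0) {
            [pscustomobject]@{ Source = 'BootFile'; Name = $boot; Value = "non-empty, $((Get-Item $boot).Length) bytes" }
        }
    }

    # Out-of-place explorer.exe: the allowlist below is an assumption (system dir, SysWOW64, WinSxS)
    $okExplorer = @("$env:SystemRoot\explorer.exe", "$env:SystemRoot\SysWOW64\explorer.exe")
    Get-ChildItem -Path "$env:SystemDrive\" -Filter 'explorer.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notin $okExplorer -and $_.FullName -notlike "$env:SystemRoot\WinSxS\*" } |
        ForEach-Object { [pscustomobject]@{ Source = 'explorer.exe'; Name = 'out-of-place'; Value = $_.FullName } }
}

Get-AutorunEntry | Format-Table Source, Name, Value -AutoSize -Wrap
```

The output is deliberately everything, not just "bad" entries: on a clean box most of it is vendor software, and the value of the list is in diffing it against the same box last week or against a known-good build, which is exactly what a first-responder script should be saving.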

Good News from Iraq, Volume 7

Arthur Chrenkoff's latest edition of Good News From Iraq is a must-read, as it always is.  Take a half hour and read about all the great things that have happened in Iraq recently, instead of the doom and gloom you get from the horrifically-biased media outlets.

Announcing FirstOnScene, the 10-second Forensic Data Gathering Tool

The “exciting project” I've been working on has finally reached a point where I can release it in good conscience. Over in the Security Articles section of the site, you can read about the new script I have written called FirstOnScene. FirstOnScene is the solution to my growing problem of how to get good forensic information off a system before it needs to be put back into production to satisfy SLAs and other uptime commitments. The result is FirstOnScene, which generates output from about 20 different tools in under 10 seconds, correlates them into a single report, and pushes that report up to...

BSQUARE Alumni Update

Added: Caprice Pine, Greg Hoyle, George Chiu

Updated: John Crawford, Macgill Lynde, Scott Barrow

As always, you can find the Alumni Page here.