It doesn’t matter if it’s open-sourced, if you have to use Google Toolkit to make anything decent, that’s “Google is here to define what can be done” for you.

Given the exhaustive list of services Google provides, I’d say this is actually a rather realistic path we’re trudging down. However, I feel like there is one force for freedom that will swoop in and save the day (and no, it’s not Richard Stallman). It’s open standards for data. If open formats exist and are used to the letter and the ability to export and import from Google services are provided, then things will ultimately find a balance. Sure, billions of people will still flock to their amazing services (myself included), but having that freedom to have your own data with you gives you more than just peace of mind. It gives you the ability, on a whim, to pick up and move to another service in a snap. Of course, I’m also aware that standards are often not followed to the letter. Just look at proprietary additions to HTML and CSS by different browsers and what Microsoft has been doing with ODF.

In any case, back to the ideal world where standards are followed. As an example, let’s say Google Calendar starts doing some freaky tracking of where you go and you don’t like it (clearly I’m starved for creativity). Even now, you can go in, export your calendars, and dump them into, say, Yahoo. Or perhaps iCal on your Mac, or some other Desktop application. The point is, that you are not one bit tied to Google’s services, except to the extent that you make yourself tied to them (with the exception of email, where addresses are particularly annoying to change).

And then you may say, “well what if no alternatives exist?” And I say, alternatives will exist. Always. Perhaps they’ll be a bit slow-coming. Perhaps they won’t be as shiny. But sure as hell they’ll exist. Because there will always be people out there, like Dion , that are watching the current web Giant(s) with a watchful eye. And that’s where the “power of community” (cliche, right?) comes into play. Google may have thousands (is it thousands?) of developers, but any given project, seen as an important enough need, can garner many, many talented developers to contribute to the cause.

So while it’s good to keep an eye out, I won’t be stressing too much about the future of the web. I’ll just keep my data safe, accessible, and ready to move on a moment’s notice.

However, after spending a day on it, I felt the need to get started with Linux. However, Vista isn’t that bad when you have a quad-core processor and 8 gigs of RAM. My problem is as follows:

• I need to be able to play games
• I want my games to run well
• I need a Linux environment
• Ideally, I’d run Linux natively

This leaves me with the obvious option of dual-booting, but I’d really rather not. I find it so… traumatic, if you will, to have to reboot my computer every time I want to change what I’m doing. And since I tend to fire up Team Fortress 2 rather frequently, I’m afraid I’d sit in Vista most of the time because of it, and only go to Linux when I need to. And that’s exactly the opposite of what I’d want. So what to do?

I don’t know what I’m going to do. In addition, while I’ve always had fun with Gentoo, the new installation I started has been proving challenging. The basic system was easy, but the framebuffered console and a desktop (with Compiz-Fusion) has proven difficult. This is in large part, I believe, because of the now-scattered documentation due to the data loss of our beloved Gentoo Wiki. And then I pop in an… an… Ubuntu (sorry, it just feels dirty to me) CD, and everything works. But it’s not quite right. It’s not perfect, and I don’t have portage, and I can’t use my shiny new computer to compile things all the time! (that was part of the reason I wanted such power ).

So I’m left with a dilemma. And because of my tendency to get paralyzed by indecision, I’ll probably stick with Vista for a while, until I figure out my solution, which will still probably involve dual-booting, since Wine doesn’t seem to be up to the task. If anyone’s got a similar situation/setup/solution, I’d love to hear about it. I love my Linux, but I also love my games.

I just moved into a brand new apartment. Unfortunately, my wired internet isn’t going to be installed for another week and a half. Naturally, I turn to wireless (other peoples’ wireless, that is). So I do a quick scan to check out what’s around, and to my surprise, all the networks (minus the municipal one which doesn’t seem to work) had some kind of security, at least WEP.

After making sure that none of the networks were open, I busted out airodump, scanned, and saw only one network with any traffic going over it. This was necessary to get some packets so I could crack the key. I spent 54 minutes and 52 seconds (well, my computer did) sniffing enough packets to break the encryption. Turns out 367,366 IVs did it in this case. In any case, I come over to the computer with glee, seeing the network was cracked, and what do I see?

Wow.

That’s right, the key was found! And it was… 12:34:56:78:9A. Seriously? I sat there for a minute laughing and actually thinking that couldn’t be it. I mean, that’s the equivalent of “password” as a password. I tentatively try to connect with my newly-found WEP key and without a delay, I was connected to the network. Wow.

Lesson learned: try out simple WEP keys before going through the effort of cracking the network. You just might get lucky. I mean, if the person is using WEP anyway, they probably don’t know all that much about security.

On Saturday, myself and 7 of my classmates from GWU had a chance to head up to Lancaster, PA to the home of White Wolf Security for the 4th Annual Mid-Atlantic Collegiate Cyber Defense Competition Qualifying Round. At this round of the competition along with GWU were George Mason, Jameson Madison, and Millersville Universities. For those who aren’t familiar, the competition puts the students in the roles of system administrators who were recently hired to secure and maintain a company’s network. The whole affair is pretty exciting, and the pressure can get very intense. While attempting to prevent and root out attacks from an all-volunteer (but skilled) red team sitting in another room, a white team also throws business injects at us that have us do things like install wikis, set up PKI, and create office templates for our company. We get scored separately on attack prevention, injects, and service uptime, and at the end of the day the top two teams move on to the next round. The whole competition ran for about 7 hours, and we were getting pounded from minute 1.

The Plan

After experiencing the chaos last year, we put together a list of basic things to do as soon as everything started that would keep out the easiest attacks. After blocking all external traffic with our firewall (for a few minutes so we could have some “safe time”), we set out to do these things in the first 15 minutes or so. This was just changing all the passwords on the boxes, killing extraneous services, setting client firewalls, and backing up important data and configuration files. I only managed to get to changing passwords on the boxes I was handling. They gave us 4 Linux boxes, and those were the ones I was in charge of. They weren’t the newest versions of the OS’s, and for the life of me I can’t understand how our Nagios box (Fedora, I believe) didn’t come with lsof, but I did my best to get everything locked down.

The First Problem

Well, the best plans of mice and men blah blah blah, and in the few minutes it took our firewall guy to figure out where the admin console was, the red had team managed to get onto two of the Linux boxes and leave their mark before I had a chance to change the root passwords. After about an hour, I noticed the intrusion on one of the boxes as I attempted to set up iptables and noticed that there were a bunch of identical ACCEPT rules in there that I didn’t put there. It was go time.

The Source

I called over our team captain to let him know there was a problem, and I set out to figure out just what was going on. I flushed the tables, set the firewall policies to DROP, and hopped over to /sbin to take a look if anything seemed weird. After checking iptables again, I noticed some more ACCEPT rules were in there. I cleared them out and opened the crontab to see if anything was running; it wasn’t. Not sure what was going on, I took a moment to restart SSH to boot off any active connections, just in case. Upon examining the files in /sbin, there were some that were world-writable. I knew that wasn’t quite right. One of those files, however, was iptables. At cappy’s suggestion, I viewed the contents of the file, and sure enough it was a perl script instead of the iptables binary. Since I was under the gun I didn’t quite deduce what the script did, but it called the real iptables (which they renamed) with ACCEPT commands, instead of the ones I kept giving it. While the real iptables was mentioned in that perl script, I didn’t quite catch on right away, so I looked at the size of iptables on another computer and looked for a binary in /sbin with a similar size, and found it. After that, I chmod-ed all the files in /sbin to remove world-writability, to prevent any further problems in case of non-root intrusion.

The Solution

At this point, I had found intruder access, a malicious script, and a moved iptables. However, more and more ACCEPTs kept being added to my chains. Once again at cappy’s suggestion, I moved the real iptables to another name, and left their script in place as “evidence,” and in case they had any mechanism for replacing it. This seemed to finally stop the problem. At this point, I just needed to figure out where our attackers came from. The rules of the competition say we can’t completely block any IP addresses without approval from the white team, which will come if we have details proving that the IP is malicious. I believe the reasoning for this is so that we can’t just block any IP range, as well as the fact that the scoring bot shifts IPs, so we could also screw ourselves if we just blocked lots of them.

The Culprit

I needed to find out the intruder, but I didn’t know how. I took a look in /var/log and saw a bunch of files, more than I usually see, so apparently I don’t log enough on my own computer. My first look was at /var/log/messages, but that didn’t yield anything of value. Next, I stumbled across /var/log/secure, which seemed to be a log of SSH activity. I hit the jackpot, because I found logins about an hour and a half prior by two specific IP addresses. I was ecstatic. This was our culprit. I was surprised that they didn’t delete such logs, but perhaps they didn’t think of it, or were instructed not to by the white team, as not to make our jobs of tracking them impossible. In any case, I saved the log to a file, filled out an incident report, and sent it over to the white team. They looked over the report and checked on something (I honestly don’t know what) and then let us block the IPs. Mission accomplished.

The Wikis

Well, at least that mission was accomplished. I felt pretty good a little after 11am when this all was wrapped up, but that quickly faded as business injects got annoying. We had to install wiki software, which gave us infinite problems. We first tried MediaWiki, which was a bust because our database server was using MySQL 3.x. 3.x? What the hell? I’ve never seen that anywhere before. My impeccable sources tell me that it’s about 9 years old! Yeah, pretty egregious, but there wasn’t too much we could do about it under the circumstances. So we looked for other softwares, of which there were many. However, after failing to find Tigerwiki (apparently it’s discontinued) and having ridiculous troubles with MoinMoin and TikiWiki, we ended up running out of time and failing the inject. That wouldn’t have been so bad if it weren’t for having another inject which built off of that one later in the day. So that sucked. In the end, we found an older version of MediaWiki (why didn’t we think of it earlier?) and installed that for the second inject, but we ran out of time and failed. And in that last bit when I say “we,” I mean two of my teammates, because I was sick of wikis and had to step away before bashing the computer with a chair.

The Cable

The rest of the day was relatively less pressure for me, just keeping a check on my systems, handling another inject, and trying to get our damn Nagios box to actually work. For some reason, it wasn’t connected to anything. We couldn’t explain it, though we thought our routes were a bit screwy. After a lot of investigation, one of my teammates brilliantly found that there was no network cable in the computer. I know, I know, that’s normally the first thing to check, but we were given computers and were allowed to assume that there’d at least be cables in everything! And it’s not like it had come loose or fallen out or anything; there was just no cable for that box. So we went to the white team and they remedied the problem, but we all had a good laugh over that. In the afternoon there was also another intrusion that I helped get logs for, but it wasn’t nearly as exciting as the morning breach.

The Nagios Box

Amidst everything else I was doing, I took a good shot in the afternoon to configure our Nagios box. I remembered from the last competition that the IPs were wrong, so that seemed to be what I’d probably have to do again, just fix up the network portion to that which we were assigned for all the entries. Simple enough with sed. However, I found enormous difficulties getting into the web console, considering they didn’t give us the username and password, and they weren’t any kind of defaults. Well, in the end, it turns out they were. “nagiosadmin” is apparently a standard username, and the password was the standard one for the competition. It just took way too long to figure that out. Once I fixed the IPs and logged in, I realized that all most of the checks were failing. Not good. That generally meant that the scorebot also would be counting those tests as failures. I talked to our firewall guy, who had egress filtering on (blocking outgoing traffic), which he suggested would give such results. We argued, he got busy, and I never got to see the beautiful green colors of Nagios that come with a fully working network. Oh well. At around 4, the competition ended, we packed up our computers, and we headed over to another room for a debrief.

The End

All tired, hungry, and anxious to hear the results, we waited and were fed pizza while the event organizers talked to us for a while. Then they let the red team have a go and both tell us what they did to us over the day, as well as query us about our strategies and give us some tips for defending. I actually got to talk to the guy who put that perl script on the Linux boxes, and he asked “did you find the others?” We laughed, and then realized that we hadn’t even looked for others. It didn’t even occur to us for some reason. So he pointed out that if you find something malicious, there’s almost certainly something else there, and you should make some effort to find it. He suggested grepping all the files in /sbin for “perl”, while I probably would have used “find” to find any files modified in the last few hours. Either way, it’s something solid that I learned and will most certainly apply at the next competition. Which leads to the most awesome part: GWU got 2nd place, and we’ll be competing at the regionals in Baltimore in March! We’ve got a lot of work to do, myself included.

All in all, I found the whole thing very worthwhile for the third time, and recommend any college students in the US with an interest in computer security to look at creating a team and competing in a regional competition. The whole affair, while stressful, is not only fun but a great experience for anyone interested in information assurance. As a matter of fact, I’m not particularly enthralled with security and I found it a great experience too. In past events (but not this one, because of the inauguration), we had Secret Service agents there as well to talk to us a bit and have to consult regarding some of the legal issues with intrusions, to discuss our incident reports with, and have drinks with afterward. I can’t wait until March. Maybe we’ll make nationals!

External Links

• White Wolf Security
• Mid-Atlantic CCDC Information
• National CCDC Website
• Nagios Website

<?php do_action('comment_form', $post->ID); ?>

In the same breath, it was mentioned that most themes do in fact have this in there. Well, to my luck, the theme I’m currently using (iNove) doesn’t have that line in the comments.php file. So I had to add it. Unfortunately, I only realized this after going through a few other plugins to see if I could solve the problem by switching it up. I guess all these plugins rely on the same line, since they all seemed to have a similar issue. Finally, I’ve settled on Raven’s Antispam plugin, mostly because that was the plugin I was trying when I decided to add the above line to my comments.php file. Seems to do the trick (at least it lets users post), and it’s supposed to be transparent unless Javascript is disabled. Seemingly ideal! So anyway, hopefully that will end my problems for good with this issue.

Also, I realized I don’t make it all that apparent what my email address is, so in case anyone wants to contact me regarding my blog (or anything else for that matter), that can be at dan@danfego.net.

External Links

• Wordpress MyCaptcha Plugin
• Wordpress iNove Theme
• Raven’s Antispam Wordpress Plugin

The email I received was as follows:

Hello <username>,

You’re receiving this email because you have the account ‘<username>’ on the SilenceIsDefeat public access unix system.

Silenceisdefeat now runs at this address:

* silenceisdefeat.com

Please note that the old address no longer works, and use the new address for mail, web, and shell access.

You can greatly assist this change by blogging about the new address, replacing any old links to SD with the new address, and even putting up a new link.

As always, you can get in touch with other silenceisdefeat users and administrators in #sd on irc.oftc.net.

Thanks!
The SD team

I thought I’d take this opportunity to spread the word about the change, as well as give a plug to silenceisdefeat. They provide a great service that has come through in a clinch for me on more than one occasion when I’ve needed a public shell to work from (that didn’t suck). My primary shell for university uses SunOS and has some weird quirks, so it’s nice to have an alternative.

Short version: silenceisdefeat.org is now silenceisdefeat.com, and they’re still awesome!