Archive for July, 2005

Jul 31 2005

Lynn presentation taken down

Published by under Security Advisories

The presentation Michael Lynn gave at the Black Hat Briefings has been taken down and a cease and desist order has been put up in its place. But as the folks over at WebActive say, the genie’s already out of the bottle. Considering the number of security professionals and hackers that downloaded the presentation before the cease and desist order was put up, there’s no way they’re going to be able to find all the copies of the presentation and ask the site owners to take them down. If you can’t find it anywhere else, Cryptome had a copy, at least as of this morning.

I grabbed a copy off of the Infowarrior site Friday morning before it went down, but I currently have no plans to host it on my site. First, I don’t have the resources to fight even a small legal battle if someone in the ISS legal department was to get on my case. Second, I don’t have the bandwidth to host the file for download. Of course, there’s nothing stopping me, or other site owners, from linking to sites that do have the resources. Ah, the beauty of a distributed computing environment like the Web.

2 responses so far

Jul 29 2005

Ask and ye shall receive

Published by under Hacking

lynn-cisco.pdf (application/pdf Object)

Well, we didn’t have to wait until next week after all. Here’s a link to a PDF of Michael Lynn’s presentation at Black Hat on the Cisco router vulnerability.

So, for all of the legal wrangling, bad publicity and sheer obnoxiousness Cisco displayed this week, the information they wanted to hide got out anyway. Go figure. You had hundreds of talented hackers in the hotel, and you thought for a moment you could stop the dissemination of this information? Shame on Cisco for being incredibly naive.

Comments Off

Jul 29 2005

Google AdSense

Published by under Site Configuration

I’ve been making some changes to the site this week. The first was to install AWStats to track the traffic coming to the site. This was an eye opener. Even if 90% of the hits AWStats is showing are false positives, the traffic on my site is 2-3 times what I previously thought it was. Not that I place much importance on these sorts of statistics, but it is fun to look at the numbers and see where the traffic is coming from. And, yes, I do have a strange idea of what’s fun.

Second, due to the perceived increase in web traffic, I decided to check out Google’s AdSense to see what, if anything, I can gain by adding their product to the site. If you’re using Internet Explorer, you’ll see the AdSense bar on the right side of the page right under the About Me section. I chose a fairly small banner, 250×250, and so far it appears to be pretty unobtrusive. Unluckily, it looks like AdSense doesn’t work too well with Firefox. Neither the AdSense ads nor the AdSense home page work right with Firefox, or I have something misconfigured in my installation. I have a problem ticket open with Google, so I hope this can be fixed in the next few days.

Anyone have any experience with AdSense? I’m a little disappointed that Firefox isn’t working with it yet, but that will hopefully be a minor issue. I’m curious about what their payment schedule is like, how accurate you feel their tracking is, and what, if any, problems you’ve had with it. I’m not looking at this as a way to make a lot of money, I’m just hoping to maybe make enough to pay for the DSL line and my ISP bills.

2 responses so far

Jul 29 2005

Cisco lets researcher off the hook

Published by under Hacking

Cisco, Security Researcher Settle Dispute

Well, it looks like Michael Lynn isn’t going to have to go to jail after all. He, ISS, Cisco and the Black Hat organizers all reached an agreement whereby they all pretend the presentation never happened. Lynn has promised to never speak of the incident again, Black Hat is turning over all videos of the presentation, and all other evidence of the presentation is going to disappear.

On one hand, I’m happy for Mr. Lynn in getting off without having to go through a long legal battle, though I think he’s still unemployed. On the other hand, Cisco has successfully blocked the information from getting to the public. Hopefully next week one of the people who attended the presentation will publish their notes to the web and all the efforts by Cisco will be for naught.

Comments Off

Jul 28 2005

Security researcher hit with gag order

Published by under Hacking

Cisco, ISS file suit against rogue researcher

Cisco tries to silence researcher

Black Hat: The Latest on Lynn and Cisco

Just in case you didn’t know, Black Hat is going on in Las Vegas this week. Michael Lynn, a security researcher, formerly of ISS, gave a presentation yesterday on a new vulnerability in the Cisco IOS, which could possibly be used to create a worm or virus that could affect routers worldwide. Cisco and ISS were not amused, and are pressing legal action against Mr. Lynn.

I have to give Mr. Lynn major kudos; he quit ISS two hours before the presentation, knowing full well that he’d be facing legal action. But he felt that the vulnerability was too serious to hide, and that companies like Cisco shouldn’t be allowed to hide security vulnerabilities. He wants to help set a legal precedent for security researchers, defending their ability to publish their research.

I admire Mr. Lynn’s morals. I mentioned the incident to my wife, who asked what I’d do in his situation. Lynn mentioned in one interview that he is going to have a hard time making a car payment in the future; I could live with that. I have a wife, two kids, a house payment and all the other things that go with a family. If I was in his position, I would have had to let the presentation go. I hope the Electronic Frontier Foundation will be able to help him.

3 responses so far

Jul 27 2005

Anti-spyware Definition

Published by under Malware

Anti-Spyware Coalition Definitions and Supporting Documents

The Center for Democracy and Technology has published a paper defining spyware and is looking for feedback. The entire paper is only 13 pages long, and only the first four are actually defining spyware. The glossary is actually longer than the definition. The last two pages are suggestions for avoiding spyware, and are worth the time it takes to download the whole file.

Comments Off

Jul 27 2005

Clean Computing

Published by under General

Keeping Your PC Healthy–ExtremeTech Feature

Any computer article that starts off by telling you to clean the dust bunnies out of your computer is alright by me. That’s one of the things I hate most about working on computers for friends and family: the big cloud of dust that comes out of a computer that’s been sitting under a desk for the last two years.

Comments Off

Jul 27 2005

Zero Day Initiative

Published by under Hacking

Zero Day Initiative | 3Com | TippingPoint, a division of 3Com

I’m going to have to mull this one over for a while. 3Com and their subsidiary, TippingPoint, have started a program where they pay ‘security researchers’ for finding flaws in programs. Of course, just because a large portion of these ‘security researchers’ will be hackers, doesn’t mean that there is anything intrinsically wrong with the program. I’ll be curious to see what sort of vulnerabilities get turned in to ZDI.

Will this have any effect on the hacking community as a whole? I doubt it. You have three levels of hackers out there. First there are the ‘script kiddies’, the people who are smart enough to use a tool, but won’t necessarily understand what it is they’re doing. None of these guys are going to be taking advantage of ZDI, unless they get real lucky.

Second level is where the real hackers start, people who understand programming, vulnerabilities and how to use the first to take advantage of the second. As I see it, this is probably who the program is aimed at. These are the people who are going to be digging into the programs and finding the majority of the vulnerabilities.

Then you have the top ranks of the hackers, the guys who do it because it’s their passion, because it’s part of who they are. The guys who are in it for the money can probably make more working for the Mob or doing their own thing, rather than turning their discoveries over to ZDI. They probably wouldn’t report anything until they’ve had a chance to use the vulnerability themselves.

Until vendors start acting responsibly to fix the vulnerabilities presented to them, something like the ZDI will need to exist. I think it was Oracle who recently sat on several serious vulnerabilities for over 6 months. Microsoft is getting better, but they still have problems getting patches out in a timely manner. It’s one thing for my systems to get compromised by a real zero day vulnerability, but when systems get owned because of a vulnerability that the vendor is sitting on, it’s the vendor’s fault.

Here’s another article on the ZDI initiative from Eweek.com: Paying for Flaws: Undermining Security or Rewarding Good Deeds?

One response so far

Jul 26 2005

Lies, damn lies and statistics

Published by under Site Configuration

I’ve been running this blog for almost 2 years now. In the beginning, it was just for me. Then I started getting a little feedback from readers and decided to start tracking who was coming here and from where. At the time I didn’t have the spare cycles to find and install a web counter, so I found CQ Counter and started using this free web service to count the number of visits to the site. CQ works by having a small icon on the site that is automatically downloaded with every hit to the main page. It’s been nice not having to worry about the mechanics of traffic tracking, but I’ve never really trusted the CQ Counter statistics, especially lately. Several times lately I’ve gone to the site myself and the CQ icon hasn’t come up, meaning that at least one hit wasn’t being counted.

In any case, this morning I discovered Advanced Web Statistics. AWS is a perl script that parses the access_log and creates a database from all of the wonderful information contained within. I had to make a few minor changes, like changing the logging to ‘combined’, and there were several permissions issues to overcome, but in general, it was an easy setup. I started seeing data immediately, and was able to make sense out of it in short order. And the first thing that became clear is that CQ had not been doing the job I’d hoped for in quite some time.

Let me give you a hint of the difference between what I’m seeing in CQ vs. AWS. In the last 15 months that I’ve been using CQ, it’s recorded nearly 11,000 unique hits and another 3000 other hits. This averages out to some 25-30 hits per day, with some days hitting twice that. Considering how often I post and the subject matter, I didn’t consider that to be an unreasonable number. Now, on to AWS: Between when I installed it this morning and now, AWS shows 118 unique visitors, 150 visits, 585 page hits and a whole lot of other traffic. Given that AWS is getting this information directly from the access_log file, I’m willing to give it a lot more weight than I am the CQ counter. This means CQ has been under-reporting the hits to my page by a factor of 2 or 3, maybe more.

Part of the issue is how they measure hits, I’m sure. I somehow think that most of the robots that hit the site continually aren’t counted by CQ, as well as a number of the other hits that aren’t from people. And any browser that blocks the gif file used by CQ is probably not counted either. But that still leaves a lot of traffic CQ hasn’t been counting. Which is why I’m making a conservative estimate concerning the differences in programs.

I just wish I’d found AWS earlier. Apparently earlier versions of the program had some vulnerabilities, but the current version doesn’t have any known vulnerabilities. I hope. It will be interesting to see some of the trends that show up because of AWS. I’ll keep CQ around for a while, just because of the historical data, but I love the amount of digging I can do in AWS. Heck, you can look at the data yourself if you’re at all curious.
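The difference between hits, page hits and unique visitors, and what the ‘combined’ log format adds (the Referer and User-Agent fields), shown as an added Python example. This is not AWStats code or this site’s configuration; the log lines are constructed, and the robot and asset lists are simplifying assumptions.

```python
import re
from collections import Counter

# Apache "combined" format: the common log fields plus Referer and User-Agent.
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Assumption: a crude User-Agent robot test; real tools ship long lists.
ROBOT_HINTS = ("bot", "crawler", "spider", "slurp")
# Assumption: extensions treated as assets rather than pages.
ASSET_EXT = (".gif", ".png", ".jpg", ".css", ".js", ".ico")

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Jul/2005:08:00:01 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U) Firefox/1.0.6"
192.0.2.10 - - [26/Jul/2005:08:00:02 -0700] "GET /style.css HTTP/1.1" 200 800 "http://blog.example/" "Mozilla/5.0 (Windows; U) Firefox/1.0.6"
198.51.100.7 - - [26/Jul/2005:08:05:10 -0700] "GET /robots.txt HTTP/1.0" 200 60 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [26/Jul/2005:08:05:11 -0700] "GET / HTTP/1.0" 200 5120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.5 - - [26/Jul/2005:09:12:44 -0700] "GET /archives/2005/07/ HTTP/1.1" 200 9000 "http://search.example/?q=cisco" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [26/Jul/2005:09:13:02 -0700] "GET /missing HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
not a log line
"""

def summarize(log_text):
    """Return (stats, referers) for a combined-format access log."""
    stats, visitors, referers = Counter(), set(), Counter()
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            stats["skipped"] += 1          # malformed or non-combined line
            continue
        stats["hits"] += 1                 # every parsed request is a hit
        if any(h in m["agent"].lower() for h in ROBOT_HINTS):
            stats["robot_hits"] += 1       # only visible thanks to User-Agent
            continue
        visitors.add(m["host"])            # unique visitor = distinct client address
        if m["status"] == "200" and not m["path"].lower().endswith(ASSET_EXT):
            stats["page_hits"] += 1
            if m["referer"] not in ("", "-"):
                referers[m["referer"]] += 1  # where page traffic came from
    stats["unique_visitors"] = len(visitors)
    return dict(stats), referers

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
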

Comments Off

Jul 26 2005

Google called

Published by under General

Someone from Google called me last night and was trying to interest me in their ‘incremental payment for ads’ system. They were telling me how I could increase the traffic to my site and make some money at it at the same time. Sounds great, sign me up! Or at least it did until I mentioned to the Google rep that I only get 30-40 hits a day, only do it for my own entertainment, and the whole thing was running on a PII 266. Somehow, that suddenly made the Google rep a lot less interested in talking to me. After all, I don’t think my hardware is up to the strain of much more traffic.

I put up this site as an experiment, and keep it running for fun. And to be honest, there is a little bit of ego tied up in the site too; after all, it is a stroke to your ego to be able to say anything you want and have others read it. But I want the site to remain fun, and not become something I have to start worrying about on a daily basis. And if money was to become involved, writing would become less fun and more stressful.

So, thanks to Google for thinking I’m worth your marketing time. But I’m just here to have fun.

One response so far
