Network Security Blog

The horror! These guys should never be allowed to show their faces! Teasing aside, Rich, Adrian and Mike do a great job of laying out the three basic themes you should expect to see at RSA this year.  Cloud computing, Advanced Persistent Threat and Compliance are going to rule the floor at RSA.  Cloud computing and APT are this year’s big buzzwords that are poorly understood by the majority of the industry, therefore vendors and their marketing departments hop on the bandwagon in an attempt to define these new terms in their favor.  And compliance is going to be big because it’s what everyone has to do, whether they want to or not.

Given what I do by day, don’t be surprised that most of the podcasts coming out at RSA are going to be about compliance.  But I hope to step outside my little box at least a little and bring you some other interesting interviews.  I may even get a chance to catch up with Rich for a few moments or at least grab one of his Securosis cronies for next week’s podcast (I’ll probably hear it for calling them that).  Zach can’t make it, he muttered something about finances and his birthday. 

This is brilliant, but it contains language that you don’t want playing at any volume from your cube.  Samj6n created a hypothetical conversation between a Cloud Computing Consultant and his victim … er… client.  It’s a little harsh, but it does highlight how much confusion there is surrounding Cloud Computing.  And I’m going to have to take some time to check out xtra normal when I have some spare time.  As if that will ever happen.

Some encounters are almost too strange to believe.  That doesn’t make them any less real.

I was walking down the street in San Francisco at lunch time Friday afternoon.  As I came up to a busy street corner I saw a paper grocery bag sitting on a bench with no one around it.  I walked up to the bag and peeked in to find three external hard drives, one Maxtor and two brands I didn’t recognize.  The drives looked like they were either well used or the product of a dumpster dive.  I knocked on the door of the one business nearby, but no one answered.  After a few minutes someone came out who worked in the building; he said there’d been a break-in recently but that he didn’t know anything about the drives.  I tried to call Rich for advice, but he was busy so I decided I’d finish my walk to lunch and think on the situation for a little while.

One burrito later, I walked up on the scene again.  This time a homeless man in dirty, ripped slacks was surveying the bag of hard drives.  He looked around much like I had done thirty minutes earlier, then scuttled up to the bag and pulled out one of the external hard drives.  After sniffing it for a second, he licked one side of the drive and put it back in the bag.  He then ran over to a parking meter and licked it, licked the taillights on both sides of an SUV and vanished from my sight behind the car. 

I lost any interest in the hard drives at that point.  That takes mom’s caution of “you don’t know where that’s been” to a whole new level.

Saliva incident aside, what would you do if you found a bag of hard drives in a park or public place?  Calling 911 didn’t seem appropriate, though there is a slim possiblity of explosives.  Taking the drives home and performing some forensics research on them crossed my mind; I have the technology if not much skill in the area.  I tried to turn them in to the business, but there was no one there.  I guess the gentlemen with the inquisitive taste buds saved me from a moral dilema. 

What would you have done?

I haven’t had much time or energy to write lately, so I thought I’d get back into the groove with something light (or is that lite?) to start with.

Lawyers for Alaska Governor and ex Vice-Presidential candidate Sarah Palin have taken exception with the owner of the domain name crackho.com for redirecting her domain to the Governor’s own web site.  Apparently they have a) little or no sense of humor and b) absolutely no understanding of how DNS works.  And they’re really slow to catch on to this since the site’s been redirected to their site since some time last year.  The lawyers have sent a cease-and-desist order, claiming that the redirection was a copyright violation.  The reality that this was redirecting traffic to the Governors site and all content was being hosted by the official site seems to have escaped the lawyer’s notice. 

Sometimes it’s easier to walk away from the issue when lawyers get involved, which is apparently what the owner of crackho.com decided to do.  Of course, she left a nice picture of  Governor Palin with some interesting commentary.

It’s only 6:00 am PDT and I’ve already overdosed on April Fools jokes today.  All it took was a couple of minutes on the TechCrunch site and reading several emails from vendors and I’m April Fooled out!  It’s bad enough that I have to spend a significant portion of my day trying to wade through marketing emails and PR offers, but when you add the need to figure out if an IM/email/site is real or a prank on top of that, it’s more than I feel like dealing with. 

April Fools day is a lot of fun when it’s being played on family, friends and co-workers, but when it becomes one of the biggest marketing frenzies on the web (Look at us, aren’t we funny!), I decide to bow out of the whole experience.  I don’t have the time or energy for it.  So if you’ve sent me an email about how your company bought Twitter or is flying security analysts to Uranus (well, that would be funny) I take appropriate action: I round file it.

Thanks for participating.  I’ll be back to my normal online haunts tomorrow when the worst of the ‘me too’ flurries are over.

I don’t watch reality TV shows, especially ones that can really embarrass people, like Dancing with the Stars.  But I’m sure my wife will want to keep me informed of Steve Wozniak’s showing for the two or three weeks he’ll be on.  Apparently he made a truly atrocious first showing.  I’ll have to remember this line, “It was like watching a Teletubby going mad…”

If you were awake and online this morning, you may have seen a storm of tweets about Google marking every site on the Internet as potentially harmful to your computer!  Any searches returned the normal response, but also included the warning “This site may harm your computer.”  By the time I saw it the link to the explanation page had been flooded with requests and returned a 503 error, but it was basically a warning that the site might contain malware that could infect your computer.  Now Google has come out with an official story of what happened.  Apparently someone indicated that the ‘/’ directory for every domain might contain malware, effectively identifying every site on the Internet as a potentially dangerous site.  Just a little human error and 45 minutes later the whole thing was fixed.

I guess the official story is better than the truth:  every site on the Internet really may harm your computer!  Anyone could be compromised in this day and age and you never know for certain a site is safe.  That’s why we use little tools like NoScript, isn’t it?

3 of 4 cables between Europe and the Middle East were cut this morning.  Or something, no one seems to know yet.  At this point I can’t even see a link that show whether or not these cables have any physical proximity, so I don’t know if it could be one incident or three separate incidents.  This is the second time this year that major cables have been cut between Europe and the Middle East, so even if there is no conspiracy involved, it’s still a major problem.  After all, who ever put these in place needs to explain why they’re so delicate that they could accidentally bet broken en mass.  The SANS Internet Storm Center is trying to keep us up to date, so keep an eye on their site for further updates.

You want to know what’s really causing all the cable breaks?

Congratulations to Jason, the winner of the free pass to CSI.  Here’s his story about how a minor change to a script almost caused a major disaster.  I have my own war story about scripts I’ll share later this week.  Here’s a hint:  Always make sure you’re in the proper directory when running your scripts.

This happened when I was first learning to admin UNIX boxes. Another
SysAdmin and I were working on a shell script to lowercase the file
names of 30-40 million image files. They were on an NFS mount that was
used by several servers. These images were part of detail listings of a
relatively busy web site and we were right in the middle of the day.

Now that the background of the mess are fully explained, the story
gets going. We went through several revisions and were testing against
a directory on a desktop system. Nothing destructive happened during
testing and we were getting fairly comfortable with the “safety” of the
script.

We finally thought we had a working script, so we moved it to the
prod server. Then we noticed a “minor” change that needed to be made on
it. We made the change then decided that since this was a such a small,
little tweak we could run it on the live NFS mount without any further
testing. Fire in the hole!

The script took off and we watched it run. All was well. Then my
phone rang from the NOC. A panicked operator was on the phone saying,
“Hey what’s happening with listing images from xyz.com? They are all
coming up as 404s!” I killed the script while thinking some thing like
“oh crap, oh crap, oh crap!” Sure enough the script had wiped out about
50% of the images. Amazing how fast a shell script can delete when it
goes haywire.

We pointed the web servers to a backup copy of the images, then
started to recover to the production mount. The backup was a couple
days old, so our image processing guys had to re-upload the missing
work. I was lucky that the online backup was there. I had taken it for
reasons unrelated to this event. The next day I got to explain to the
CIO what had happened.

The moral of the story was backup first and test your script until
it is golden before going live. Then test it again and again and again.
Make sure you are doing at the proper time, then go to production. We
didn’t have change control, so I’d add get all the approvals now too.
Cover your butt.

It was a good lesson. I’ve never done anything like that again in the last 7 years.

Imagine popping in your Cisco VPN installation CD only to have Mexican music start playing rather than having the installer start.  That is apparently exactly what happened to Dave Fumberger yesterday.  Someone at the plant who makes the Cisco CD’s apparently burnt his or her mix tapes to the CD rather than the Cisco software that was supposed to go on it.  At least it wasn’t Barney’s Greatest Hits!