While tracking the origin of some spam I received, the following traceroute output appeared on my screen:
    16  205.171.19.38   224.784 ms   223.649 ms   224.101 ms
    17  205.171.4.90    216.65 ms    223.748 ms   230.425 ms
    18  202.97.48.10   1334.633 ms  1345.566 ms  1328.528 ms
    19  202.97.33.21   1746.357 ms  1774.31 ms   1754.341 ms
Welcome to China, the land of high-speed networks. I think miracle will be refusing mail connections from some parts of the world. Tough if you happen to live in such a part.
Sent rude email to Danish "security" company Virus112. Whoever they hired to do their website does not understand how to perform correct input validation. A handful of their staff went to take a look at my CV, but I received no response to my email.
Virus112 is the same company which once broke into the networks of 3 schools in Denmark, without permission, as a publicity stunt. They were consequently sued by all three schools. I have no idea how the matter ended. If you can read Danish, take a look at the full thread on Google Groups.
Virus112 were so concerned with the state of information security in Danish schools that they took it upon themselves to perform unauthorised security assessments. I am really concerned about incompetent providers of security products and services. I wonder what I might do about it. Oh, snakeoil.dk. Right.
Only a few people showed up tonight. We had fun.
Those who said they would show up but did not will have to live with the shame for the rest of their life. Muawahaha.
Departure celebrations, part 1. Monday, 29 April (tomorrow). 6pm. Darker Kelly's. If you do not know where that is, meet me on temple bar square at 5.50pm. Let me know beforehand whom I should expect on the square. I reckon we will go for food around 7pm and then continue drinking afterwards.
Woke up at 6am. Being able to snooze on weekends, I love. Yoda I am.
I had new email when I got up. It was from Nathan Binkert. He fixed a problem in OpenBSD which applies to the Serverworks chipset in my Poweredge. He wanted someone to test before it goes into -current. Compiled a new kernel and it runs well. Now, if someone would only fix the ahc driver on Adaptec AIC-7899 boards that would be nice.
I do not listen to the news anymore. Did I tell you? I used to listen to the radio each morning, but it made me depressed. I stopped a few months ago. Less to worry about.
Woke up at 4am again. I got breakfast from Spar and late lunch from Pizza Hut.
My departure celebration tonight and tomorrow evening has been postponed due to lack of participation (where have I seen this before?). If you want to join me on Monday at 6pm, drop me a note.
Went to bed at 7.30pm and slept all night.
Woke up at 4am.
Installed secondary HD and installed OpenBSD from one of my 3.0 sets I did not lend to somebody. I have not gotten around to fixing XP's loader to load OpenBSD yet, so I cannot use it yet.
Uffe has written a boulderdash clone for his site. I suck at it. I wonder if he would be upset if I cheated and put my name at the top score.
I have been listening to Melissa Etheridge's self-titled album, which is some years old. She is getting under my skin. Tony called her "Bruce Springsteen with a cunt."
Went to bed around 7pm I think.
Went to Aroma (in the Epicurean Food Hall) for lunch with Tony. If you want to have your lunch while gazing at beautiful women, go to Aroma for lunch.
One of my anonymous benefactors has donated a harddrive to me. It will become the secondary harddrive in my workstation, which means I will be dual booting between XP and OpenBSD (read: only boot into XP when I want to play games).
I took miracle home and I will ship it off to Denmark tomorrow. Until it is back online I will be using c-tower for IRC.
Most of my computer accessories and banking papers fit into two crates.
Date: Fri, 05 Apr 2002 15:41:10 -0600
From: "Ted Lee, Minnetonka, MN"
Subject: This is scary

I had reason to question the denial of a claim on our dental insurance. I called the appropriate 800 number and ended up choosing the menu item for their "automated services." The first thing they asked for was my subscriber identification number, which the voice then said "is usually your social security number." I punched it in. The voice repeated it back to me -- and then went on to spell out my name (yes, they had it correct; OK, no middle initials, but first and last name were fine) *and* give my birthdate. Need I say more?
I want to go live on a remote island.
I am still having problems sleeping. I stayed up all night, went to bed at 11am and got up at 5pm.
I wondered where Jerry went the last couple of days. Turns out he is in the hospital with something other than a sports injury. Send happy thoughts, everyone.
The CMOS in oldasdirt still refuses to recognise the 10GB disk, and the disk overlay software I installed is messed up.
Oorh, Martin got his website up. It looks nicer than my site, but he has yet to learn that cool URIs do not change: "cgi-bin" and ".cgi" occur on his site often. Apache's ScriptAlias and Rewrite engine can prevent many headaches. He also uses the same title on every page. I guess he never realised how that will look in a search engine listing or in someone's bookmarks. Let me know if you need help, M :)
Is it a sign of madness if you decide to shave your head at 5am? Answers on a postcard, please.
Another security bug in OpenSSH. Yay. It only affects sshds which have Kerberos and AFS ticket forwarding enabled. Get OpenSSH 3.3 to be safe. (For some reason, openssh.com still lists 3.1 as being the current version.) It appears that Kurt Seifried, of all people, found the problem. I was under the impression that he was clueless. Now he is an expert code auditor all of a sudden?
oldasdirt has decided it does not want to boot up anymore. This is the price of hacking old motherboards to use disks they were never meant to support. It also means that my efforts on various projects will be at a standstill until I get the system booting again, as my CVS working directories are all stored on the primary disk in the system.
This update is being written on my XP system. Good thing I use CVS for everything.
If anyone wants to make me a donation of a 486 laptop with 16MB RAM, 700MB harddrive and a PC Card slot, I would appreciate it. If you happen to have a better laptop around that you do not need, that would be even better.
Ugh. I picked the wrong year to leave Ireland:
HiverCon 2002 - Call For Papers - issued 17/04/02
Papers and presentations are now being accepted for HiverCon 2002, which is being held from 26th-27th November, 2002 at the Conrad Hilton Hotel, Dublin, Ireland.
HiverCon is a security conference. I will be attending, adding a few days to get drunk with everyone.
Ok, my departure celebration is officially on Saturday, April 27th. 7pm. I have yet to decide where, but keep your night free. Somewhere uncrowded. I will dispatch a note with details to the worthy few when I make up my mind. Is the Thing Mote near Grafton Street any good?
In addition, if any of you are on for a quiet pint on Friday 26th, let me know.
Went to see K-PAX tonight, which was all right. It never really captured my full attention.
If you have ever used the cdio utility in OpenBSD to play CDs, you will be delighted to note that it now has CDDB support, so it will fetch the title of the CD and the songs you are listening to.
Robert Graham (of ISS -- formerly Network ICE) has lost his mind. I think he might actually have lost it some time ago, but only today did I bother reading his site. He says:
"I'm out of touch with the security mainstream. Most in the community think that security is a benefit. I think it is a cost -- one that sometimes overwhelms the real benefits."
Uh, hello? Can you say "risk management"? If the cost of your security is greater than the benefits, take your bean counters out back and shoot them. I am shocked. He just does not get it.
The best part was this:
I was reading an article on programming that had a section on "The Costs of Insecure Code", and was surprised that there was no matching "The Benefits of Insecure Code".
To quote Jerry: !
If you want, you can read his full article, "Security is superstition".
If any of you decide to LART old Robert, please bcc me on the email. If I get around to composing one, I will post it on my site.
I booked my flight to Denmark. Leaving Dublin on May 8th at 6.25pm, arriving in Aalborg late. I will have to arrange my departure celebration next week.
Hey snuggles, you know how I wanted an Apache attack helicopter for my birthday? Well, scratch that. Can I have one of these instead?
Speaking of the Spirited One, she suggested I name my consultancy company "HB Security". HB is short for "Honey Bunny", which is what she calls me. Why the hell are you staring at me like that?
Starting with OpenBSD 3.0, the CD contained an audio track. 3.1 will also come with an audio track, and I just listened to the release song. It rocks. The music is under BSD license (i.e. do with it as you please, just don't claim you made it). Get the lyrics and MP3 files for both songs.
3.1 is due for release May 19th.
Uffe and spod read the spy game article on cryptome. Or so they claim.
I seem to have an issue with putting the right dates on my diary entries, or I just forget that certain days existed. I am not sure which one is the case. Perhaps I should switch to a more automatic diary?
On the 12th, 285 unique IP addresses made an HTTP request against the Dominion. On the 13th it was 277, on the 14th it was 389(!), on the 15th it was 304 and today it was 367. These are not pageloads. These are unique IP addresses. Madness. Who the hell are all those people? Further log analysis shows that 76 IPs accessed my diary on the 16th, 63 on the 15th, 68 on the 14th, 51 on the 13th, 81 on the 12th. Holy shit.
And out of all those people, only TWO read the cryptome article.
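The figures above are counts of distinct client addresses per day, first for the whole site and then for the diary section only. Here is an added example of how such a count can be derived from an Apache "combined" access log; it is not code from the diary or from the Dominion's real logs, and the log lines, addresses and paths in it are constructed for illustration:

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not from the
# diary's real logs): two dates, repeat visits from the same address, and a
# few requests for the diary section so that the per-section count differs.
SAMPLE_LOG = """\
10.0.0.1 - - [12/Apr/2002:08:15:02 +0100] "GET / HTTP/1.0" 200 2341 "-" "Mozilla/4.0"
10.0.0.1 - - [12/Apr/2002:08:15:04 +0100] "GET /diary/ HTTP/1.0" 200 8876 "-" "Mozilla/4.0"
10.0.0.2 - - [12/Apr/2002:09:40:11 +0100] "GET /diary/ HTTP/1.1" 200 8876 "-" "Lynx/2.8"
10.0.0.3 - - [12/Apr/2002:11:02:58 +0100] "GET /notes/dominion.html HTTP/1.1" 200 1201 "-" "Mozilla/4.0"
10.0.0.1 - - [13/Apr/2002:07:59:31 +0100] "GET /diary/ HTTP/1.0" 304 - "-" "Mozilla/4.0"
10.0.0.4 - - [13/Apr/2002:12:12:12 +0100] "GET /clueful/ HTTP/1.1" 200 4410 "-" "Mozilla/4.0"
10.0.0.4 - - [13/Apr/2002:12:12:13 +0100] "GET /diary/ HTTP/1.1" 200 8876 "-" "Mozilla/4.0"
10.0.0.5 - - [13/Apr/2002:23:59:59 +0100] "GET /robots.txt HTTP/1.0" 404 209 "-" "Googlebot/2.1"
"""

# Client address, the day part of the timestamp, and the request line.
# Everything after the status code (size, referer, user agent) is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse(lines):
    """Yield (ip, day, path, status) for each well-formed line; skip the rest.

    Skipping rather than raising matters for real logs, which routinely
    contain truncated or deliberately malformed request lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["day"], m["path"], int(m["status"])


def unique_ips_per_day(lines, path_prefix="/"):
    """Count distinct client addresses per day among requests whose path
    starts with path_prefix.

    A set per day collapses repeat requests from one address, which is what
    turns a hit count into the "unique IP addresses" figure quoted above."""
    seen = defaultdict(set)
    for ip, day, path, _status in parse(lines):
        if path.startswith(path_prefix):
            seen[day].add(ip)
    return {day: len(ips) for day, ips in seen.items()}


def main():
    lines = SAMPLE_LOG.splitlines()
    print("whole site:", unique_ips_per_day(lines))
    print("diary only:", unique_ips_per_day(lines, "/diary/"))


if __name__ == "__main__":
    main()
```

On the constructed input the whole-site count is 3 addresses on each day and the diary count is 2 on each day. Keep in mind what the number means: one address behind a NAT or proxy can be many readers, one reader on dial-up can show up as several addresses over a week, and crawlers such as the Googlebot line above count as visitors unless you filter them by user agent.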
Received a complaint about the frequency and substance of my diary updates, so here is a real whopper. I feel a rant coming on.
I am willing to bet not many of you are going to read this article mirrored on cryptome.org about the future of citizen tracking, all in the name of fighting terrorism. Jerry might because that is just the kind of guy he is, and just to prove me wrong, Dave might read it too. But that is about it. The reason you are not going to read it, is because you think giving up a little privacy will help combat terrorism. You do not understand the problem. The world is going to hell in a handbasket, all thanks to you. Well done!
In 1999, the L0pht gave an interview with Slashdot readers. I found one of the answers quite interesting, so I have reproduced it below:
Question: Which do you consider more dangerous to personal liberties on the Internet, national governments or multinational corporations, and why?
Answer by the L0pht:
While both Governments and multinational corporations are detrimental to personal liberties on the Internet, one must not overlook the greatest danger of them all. The uninformed citizen. In democracies, this is problematic, where governmental policy typically follows public opinion. In the case of the Internet, one will find that most citizens of the world are willing to give up personal liberties in exchange for perceived safety and peace of mind. For the safety of the children, is cited commonly.
Many people believe that anonymous access to the Internet is criminal behavior. Government would like you to think privacy is an "anti-social" behavior. You should have nothing to hide, should you? You wouldn't be reading up on the consecration of explosives, looking up security holes in various operating systems, or possibly downloading the latest crypto software, would you? Only terrorists do that.
Governments are lobbied by uninformed citizens, or citizens which are easily manipulated and swayed by various groups across the gambit of our modern civilization. Multinational corporations have their hand in the fray by funding these groups or by participation in Associations which provide counsel to government officials on technical matters. Often recommending legislation which will better the profit taking over the sanctity of "personal liberties."
Multinational corporations are problematic in that they operate in a proprietary world. Often outside parties will scrutinize the technological fabric of a communications service being provided. Should a flaw be found, and published, the corporation claims that the flaw itself is detrimental to the service being provided and litigation is dispatched on the party disclosing the flaw. This has been the case in the Cellular communications venue. Cloning a cellular telephone was a real thorn in the side of the Cellular Industry. They took their gripes to the US Government. The CTIA and their ilk successfully swayed Washington to pass legislation to combat the cellular fraud. Result: A portion of the radio spectrum was made _forbidden_ to reception. Possession of an eprom programmer, a computer, and a cellular telephone became a crime. Meanwhile, the cellular network REMAINS open to eavesdropping. Money is power, and with power comes influence. However, in the end it was the Government, sucking up to industry, which passed the law.
Law Enforcement and Intelligence gathering communities dwell within the governmental domain. Both are lobbying lawmakers to pass laws to give them greater powers to combat crime in this high tech world. Surveillance is paramount. They will convince the lawmakers that without the keys to all communications, a bomb may be set outside Parliament or Congress or .
The government persuades the people, the people persuade the government. Who planted the seed first? Those who understand the technology are too busy working on the next cool widget. Meanwhile the technological world rushes toward a global dictatorship and the populace embraces it under the guise of security.
How is that for a solid diary entry, and you just skimmed right through it! Oh well. If you want to read the full interview you can.
Oh yeah. Echelon is actually real.
Went to see Queen of the Damned. It uses snippets of plots from all of the Chronicles, which twists the plot oddly. It is not fantastic, but it is not shit either. The soundtrack is fantastic, however. In my opinion, it is second only to the soundtrack for The Crow.
I went and got a copy of the soundtrack and have been listening to it constantly. Volume on max.
You might notice a new section was added on the splash page. It is called "Clueful."
Spent some time working on the website and services for the consultancy company I will be starting when I move to Denmark. It will be interesting to see how things turn out when I am really my own boss.
Met Dave for lunch and got my arse kicked in whatever soccer game was loaded on his PS2.
Unfortunately, I broke my sleeping pattern. Good thing I get to keep both pieces. For the last week I have been going to bed early, getting a full night's sleep, and getting up early. Last night I went to bed at 11pm and now, at 3am, I cannot sleep. Sulk. I think perhaps the alcohol I consumed with dinner has something to do with it.
I added a few comments about incompetence to the notes about the Dominion.
I swear, some of the songs The Wolf plays when it is late (in the US) are best suited as backing tracks in garbage (is there another kind?) porn movies.
Can we drop the obsession with my beard? With the exception of sports, it is the least stimulating topic of conversation I can think of. Yes, I know you would like me to shave it off, but in this particular instance none of your opinions matter, whatsoever. Various individuals have been giving me that same advice for the past ~8 years or so, and I have been ignoring it because I can. What makes you think I will crumble now? Perhaps, if the Spirited One was horribly bothered by it, I would reconsider, but she appears indifferent on the matter.
Please find something else to occupy your time.
(In the following, the identity of $PERSON is obscured, as he may not want the world (or his girlfriend, for that matter! :) to know he will do anything for money.)
During a brief conversation with $PERSON earlier this evening, we touched on a subject that I also discussed with the Spirited One very recently. $PERSON was doing a penetration test of a customer's Windows 2000 server. I offered that penetration tests were a waste of time, as they may identify current problems but do not give the customer any assurance that future problems, however similar, are avoided. Building policies and processes to handle installation and patching is much more rewarding for both the security consultant and the customer.
(I am getting to my point, stay with me.) He said he agreed, but that he would cheerfully do whatever the customer was willing to pay for, however pointless it might be. And that is my problem (and my point): I will not engage in activities unless they are correct and worthwhile ("correct" being my definition alone). Experience shows that when I am instructed to engage in a certain activity I do not agree with, I simply cannot get it done. If that bothers you, do not hire me; hire a monkey instead.
Met up with Mick. He magically produced a substantial number of moving crates, which totally rocked. My immediate future shall be spent packing. We went for dinner (Italian), and because it was half an hour's drive away, I introduced him some more to The Cure on the way. He liked the track called "Secrets" on Seventeen Seconds.
You know, Mondays are not that bad when you do not have to go to work.
This afternoon I was waiting for Jerry to arrive, as we were going to get started on a software project we will be doing together. I was getting hungry, and I could not find the leaflet from Apache Pizza with their number, so I went to their website. I saw they had online ordering, so I figured I would try it. I typed in my order and my address and clicked "Send order."
Then I waited. The pizza place is a 2 minute walk away, so when my pizza had not arrived 45 minutes later, I figured their online ordering did not work. For security reasons, I have JavaScript and other fancy crap disabled in IE's Internet zone. I added their website to my list of trusted sites in my browser and reloaded the page. A big-ass JavaScript popup window appeared stating that online orders are only taken between 6pm and midnight. That explained why my order had gone into a great big void. I found their number and ordered a pizza for pickup. I went to get my pizza and Jerry showed up 20 minutes later. I told Jerry about my little adventure as we ate the rest of the pizza, and he said: "I wonder if you'll be getting a pizza delivered at 6."
Just as we touched on the subject of portability requirements, the doorbell rang. The time was 6.15pm. I jokingly said "Here's our pizza now," and went to get the door. It was the pizza delivery guy. You know us evil software security people, we are always hungry, so I paid for the pizza and we ate that as well. Yum.
Listened to The Wolf some more: "Wolf FM. Crank it up and rip the nob off!" -- I nearly choked. There will be no ripping of nobs here, thankyouverymuch!
Dave called me around 4pm and informed me that, as per the leavers' policy, I will not be let into company buildings again, due to the business risk. I agree with this policy (I wrote it, actually), so I am not about to object.
I will have time to pack my things without stressing like an idiot. Dave requested that I find time to complete some CVS documentation and donate it to the company. I might release it under the BSD license, so unless they rewrite it completely, my copyright notice must remain in the file forever. :)
I am told the following has been posted to my team's internal website:
04/04/2002
The original boom-bastic, totally fantastic, instigator, originator and founding member of the Computer Incident Response Team - Mr Alex "Fear my Beard" Holst has sadly resigned, much to the team's and I'm sure the company's regret.
It has been both a privilege and a pleasure to have worked with this Great Dane, whom I'm sure we have all come to love and admire over the last two years. For reasons of his own he is returning to his home land. What a lucky country.
He is a great loss and will be sadly missed. We salute him.
Alex Holst
Team Leader
Mentor
Gumbo Eater
Friend
27th Feb 2000 - May 1st 2002
I am doing something with Mick this evening. We have yet to decide what; perhaps dinner and moderate amounts of beer?
Having to return my employer's mobile phone, I purchased my own today. I got a Nokia 3310 (Westlife Promotion), for those of you who care about such pointless details, and it was bundled with a Westlife CD (you know, the crappy boy band) and a Westlife phone cover. Dave claimed his sister wanted it, so I gave him both items. I am not sure I believe him, though. I fear he is secretly mad about Westlife.
Took part in a sorry excuse of an exit interview. My interviewers seemed surprised that I was so unhappy. I cannot imagine why. I feel like I spent the last year complaining about the things that made me unhappy. When I was asked if there was anything they could do to make me stay I mentioned a figure and the response was "That's impossible."
Mick and I went to Eastern Tandori for dinner tonight. I had about 17 orgasms; that is how good the food was. Tender chicken in a mild buttered sauce with pilau rice and nan bread. Fucking hell. Laughed with Mick and talked about how I would need to come back to Ireland every once in a while.
Snuck to bed without waking the Spirited One as I was completely shattered. I am sure she will demand that I make up for that. Roar.
I handed in my resignation today. One can only take so much bullshit in any given period. Jerry recently told me: "With the way you're feeling, Alex, you should have left 8 months ago."
To celebrate my upcoming peace of mind, I ate some chocolate muffin thingies. I also purchased a copy of "Writing Secure Code" which was nice. As of tomorrow I can only be contacted via email.
You remember last year, do you not? It still applies.
I have been getting spam over the past few days. 2 or 3 copies of each. Not from an open mail relay, of course. I may have to investigate more extreme measures.
Under Rug Swept has really gotten under my skin. Well done, Alanis.