Rapid7 acquires Metasploit

well that was unexpected....

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1371945,00.html

still digesting the article...

SecTor Followup

I was privileged to be able to attend SecTor again this year, my third year in a row and it was overall a great experience. Brian Bourne from CMS (SecTor's founding father) and the rest of the SecTor advisory board did a great job (again) pulling this all together.

For me, this was the best year so far in terms of the quality of both the keynotes and breakout talks. My only complaint was that the talks were so good, I didn't really get to spend any time in the lockpick village or with the hardware hackers. Oh well, drowning in riches. :)

Some Highlights (in order of appearance):

- Chris Hoff's opening keynote "Cloudifornication". The Hoff is a great presenter, his content is solid and his deck flows well. I was seriously under-caffeinated during this talk, and still managed to take a lot of good points surrounding the risks of cloud infrastructure.

- Jon Rose's talk on hacking Flex servers and his deBlaze tool. Eye opening, well presented. Really enjoyed.

- Both of Andrés Riancho's sessions on w3af. Great tool. Mind blowing amount of thought and work has gone into that "little" project. Really strong presentations.

- The SSL fail panel with Jay Graver, Tyler Reguly, Mike Zusman, and RSnake. Everything a panel discussion should be, lots of good information, good audience interaction. The conversation just didn't want to stop.

Can't wait for next year. :)

Make a Difference?

I hardly ever believe that one person can make a difference in the world... but when enough people get together...

I've written Harper, Ignatieff, Clement, and my local MP and signed this petition: http://www.competitivebroadband.com/make-a-difference.aspx

If, like me, you want to see the continued presence of competitive services in the ISP market, I suggest you consider doing the same.

TDD vs ADD

So first off let me be very clear. I don't actually have ADD or ADHD (as far as I know). But sometimes I feel like I do have the attention span of a chipmunk. God knows that between email/teh interwbs/chat/multiple projects/client requests/friends/family/hardware issues/politics/natural disasters and upcoming weather it's pretty easy to get distracted these days.

For a programmer, getting distracted is bad, bad like "that's baaa-aaaad umkay?", bad like crossing the streams bad, bad, bad, and bad. Distraction == mistakes. Distraction means lost time. Distraction means doing things over because you did something subtly stupid that looked okay on the first glance but contained a really boneheaded bug buried deep inside it. I hate getting distracted. I would really rather work in focused, multi-hour blocks. A block for work, a small block for lunch and exercise, another block of work, a block of family time, and a double block of sleep. Of course, it rarely works that way.

A big part of the reason that I left my last job was distraction. I had six to eight meetings a week, I was getting 20 to 40 emails requiring a response every day (outside of spam and automated messages), and I had to investigate and respond to a couple of customer inquiries every day, all while being expected to design and implement fairly complex software. After the nth month of little progress and lots of frustration I realized it wasn't working out and moved on. I need to feel effective to be comfortable with my work, and to be effective, I need to be able to concentrate on a task for more than 5 minutes without interruption.

One of my favourite techniques is to fight distraction with distraction, that is, I find that while I'm working on something, particularly code, my mind sometimes wanders and sometimes the wandering track takes over. The best way to keep on track is to control the wandering, and for me, what works is music. Particularly music with a regular repetitive beat and few to no lyrics. Helllllloooooooo techno. DnB works too. Trance can get distracting, depends on the set.

Anyways... music doesn't always work. Sometimes you just have to get up. That trip to the bathroom can only wait so long, it doesn't matter how close to fixing that bug in your stream class you are, sometimes you have to get up. Or the phone rings. Or the client wants a status update. Or whatever. When that inevitable interruption does happens, the key to getting back into the groove (for me) is to have a clear entry point, and that's what I love about Test Driven Development (TDD). When I get back to my desk, whether I've been away for five minutes or a week, the first thing I do is run my test suite. Whatever test fails is what I'm going to look at first.

If I'm going to be away for a longer period, like overnight or more, I make sure to craft my next test before I depart, that way, the feature I should be working on is right there waiting for me to finish it when I get back. It's repeatable, it's reliable, and it draws me in mentally, even when I'm tired, frustrated and under-caffeinated. I know this isn't really the goal of TDD, it's just a fringe benefit and it really works for me.

Off Topic: Political Double-speak

Look, I expect politicians to lie. And I expect them to contradict themselves. And quite frankly, I consider the abilities to change your mind, recognize mistakes, and consider contradictory notions to be signs of intelligence. But I have very little respect for people who contradict themselves from one sentance to the next.

Regarding the Canadian woman detained in Kenya and charged (and subesquently cleared) of identity fraud, Liberal leader Michael Ignatieff is being quoted saying: "Canadian citizenship is indivisible. [She] is a citizen in good standing and she should never have to prove her citizenship with a DNA test."

Iggy, Iggy, Iggy... if citizenship is indivisible, then how are you distinguishing between citizens in "good standing" and otherwise? I'm sure what you meant to say was "Canadian citizenship is indivisible, she should never have to prove her citizenship with a DNA test." ... because we certainly wouldn't want to raise questions about what makes a "citizen in good standing", eh? Maybe "bad citizens" could write books about their true patriot love to gain "citizenship points" and become "good citizens" again? Okay... I took it too far.

This story gave me a chill. I once travelled overseas for eight months, when I left I had a passport photo which showed my shaved head, a goatee, very pale skin, and made it pretty clear that my weight was hovering just under 240 lbs. When I came back I was clean shaven on my face, sported a "normal" 3 or 4 inches of hair, was tanned, and had dropped to a much healthier 180 lbs. I was pulled out of line at Charles de Gaulle airport in Paris and grilled by... well, I don't know who. They had maple leaf lapel pins and their accent was more Quebecois than Parisienne. They never identified themselves, but they let me board the flight and come home after some questions and pouring over every piece of ID in my wallet. I have to wonder, if under the same circumstances I, a white male with an anglo-saxon name, would have had the same treatment as Ms. Suaad Hagi Mohamud got from Canadian consular officials.

Dang... did I take it too far again?

Wait What?

Ahhhhh the double speak around opt-out, opt-in clauses.

I get that when you're signing up for a free service or product, the company is very eager to stay in contact with you in the hope that you someday become a paying customer. But when you are *ALREADY* a paying customer, why go out of your way to be confusing? It's simply unethical.

This gem is from the checkout page I completed while purchasing VMware Workstation 6.5 directly from VMware Inc.:

"We'd like to keep you informed via email about product updates, upgrades, special offers and pricing. We will not pass your details onto third parties. If you do not wish to be contacted via email, please ensure that the box is not checked."

I actually checked the box, then caught myself... wait, what? went back, re-read and unchecked.

There's no need for legitimate businesses to engage in this type of behaviour. I love VMware products, I use them everywhere, always speak highly of them, and more importantly, I went out and spent my own money to acquire their premium workstation offering. But instead of blogging about what a crucial tool this is, I'm blogging about how the whole experience left a bad taste in my mouth on Monday morning. Fail.

Shoulder Surfing at the Toronto VMWare Users Group

I was lucky enough to attend the first official Toronto VMWare Users Group (VMUG) meeting last week. And by "lucky" I mean I was invited via email because I actually register my VMWare Server downloads and had the time, and by "official" I mean it was the first one sponsored by VMWare, I gather there have been "unofficial" ones previously.

Overall it was a pretty good event. The talks were competent, but almost entirely focused on the newest features of the highest end of the latest generation of features in ESX and vSphere, which are cool and powerful products, but I've never used them or worked anywhere that used them. I plan to attend the next meeting (which I think they mentioned would be in September).

However, one thing in the presentations really grabbed my attention. I was lucky enough to catch Chris Hoff's presentation "The Four Horsemen Of the Virtualization Security Apocalypse: My Little Pwnie Edition" at SecTor 2008 (if you followed the first link, the picture Hoff is using on his front page is actually him speaking during a panel keynote at SecTor 2008 - not that you care). In that presentation Hoff's #2 Horseman - Death - was the virtualized switch and OMG OH NOES!!! WHAT IF you vMotion a VM away from the physical network switch on which you have configured ACLs, routes, VLANs, and all that sort of fun stuff. Now don't get me wrong, I'm not downplaying that as a problem, it really sounds like it is one. It just seemed like one of the features presented here was specifically built to address that very situation, the Cisco Nexus 1000v Virtual Switch.

I am not qualified to really assess this product as a complete security solution, and Hoff's objectivity may have been compromised of late. I know he's blogged about the performance and other features of the v1000 a few times, but I'd be interested to hear his take.

Anyways, the downside of the v1000 is to use it, you have to be licensed to the highest level of vSphere... Enterprise Plus or something, which is a pretty high price tag. No Enterprise Plus? Then sorry, your version of vSphere doesn't have the API enabled to allow v1000 to do it's thing. What that means for you and me is that even IF the Cisco Nexus line is the virtual switch John Conner to Hoff's death pwnie, it's only here to save the top tier of enterprise customers and the rest of us are still screwed and had better repent. :/

On another note, the surf was UP at the VMUG and I hung ten off a couple of BB junkies who couldn't stop leaking information the whole morning. To the guy in front of me during the second talk: I'm not sure when your netbook demo is coming in, lucky you for having the Enterprise Plus license already, and I'm sorry that they got doughnuts for you office when you weren't there, maybe they saved you some? I caught your email address and phone number, but I was bored and don't care, so I didn't write them down.

I changed seats between each talk and learned that touch screen devices (iPhones, BB Storm's) are harder to read over someone's shoulder because their fingers are in the way of the screen. Security by accident?

VMWare Server 2 on Gentoo

The ebuild for VMWare Server 2 is (finally) in the main portage tree on Gentoo. I've been running

app-emulation/vmware-server-2.0.1.156745 via the layman overlay for several months now without issues, but I'm happy to see this going more main stream on my linux distro of choice. The new version is app-emulation/vmware-server-2.0.1.156745-r1. The changelog seems to indicate that if you didn't have the latest via layman, you would have seen this package a couple of weeks ago.

This package is (of course) still masked, so to get this package you have to have app-emulation/vmware-server and app-emulation/vmware-modules in your /etc/portage/package.keywords file (like so, or with the appropriate arch tag):

app-emulation/vmware-server

app-emulation/vmware-modules

The upgrade was relatively painless via:

emerge -Du world

However, I did a (as instructed but possibly cargo cult) run of:

/opt/vmware/server/bin/vmware-config.pl

immediately after the install. I don't know if it was needed. But because I had not stopped the vmware services prior to the upgrade, I could not successfully stop them now, and had to reboot in order to successfully run vmware-config.pl.

If you still want to run the version via layman, or want to stay on the bleeding edge when the next version comes out, I worked from the directions here and here.

Résumé Mistakes

When applying for a job in IT/IS or really anywhere technical, don't lie or exaggerate on your résumé. Skilled people will find out and you will likely not get the job. Or worse, you will get a job that you are not qualified to do and from which you may ultimately get fired, thereby ruining your career, your reputation, and possibly your life.

Quite frankly, it's better to underplay your skills and impress people then to exaggerate and disappoint.

My favourite memory of this is a long stream of candidates answering job postings which specified "experience with Unix and Linux systems" in the required skills. If you are going to put "extensive experience with Unix and Linux" on your résumé, then you should, at the very, very least, be able to name at least one Unix variant.

And "uhhhh..... Red Hat?" doesn't count.

Principle of Least Astonishment - Fail

I've been thinking a lot about design lately. Mostly because I'm entering the design phase of my thesis and I've reviewing the better chapters of Richardson & Ruby's "RESTful Web Services" and other material. But beyond web services, I've been thinking about "good design" and "bad design" as general principles. I really appreciate it when I encounter a system or service (in the real world or online) and I can come away with a sense that I have just experienced the benefits of good design. Just as strongly, encountering poorly designed systems really leave a sour taste in my mouth.

I won't do business with a company that has what I consider to be a poorly designed or poorly implemented web presence. Just my choice. I'd prefer to support good design by directing my business to organizations that, at the very least, share my aesthetic for design principles. I realize this is often a subjective evaluation and I'm not apologizing for it. But I think certain aspects of design can be widely recognized as very poor, outside of any aestheticical tastes.

The example I have in mind is the system at my local library. Now don't get me wrong, I love my local library and have a tremendous respect for libraries in general. But across my city, the library has rolled out a self service checkout system which badly violates the principle of least astonishment. I'm a pretty tech savvy person. I love to figure out new systems. But I end up misstepping every time I try to check out library materials. And I'm not the only one. As far as I have seen, everyone stumbles with this system because it combines familiar interfaces with unfamiliar uses.

The system works like this, there is a bar code reader, a touch screen interface, and a glass plate. The expected use case appears to be scan the card in the bar code reader, then touch the screen to confirm that the card read was correct, place items on the glass plate where they are identified "magically" (magnetic strip?), confirm the items are correct, once all the items are scanned confirm that you are done, your "receipt" prints out and you leave. Sounds good, right?

Well, it doesn't quite work out. This system is actually replacing another self serve system that was entirely bar code driven. I don't know why they ditched the other system. It worked fine, as far as I could see, and all library materials, including new materials already have a library issued bar code sticker. People are familiar with bar code readers, everyone in the western world has had a lifetime of barcode training by watching items be scanned in at the checkout, and by now most people have experienced self serve checkouts where you scan your own. So what's the first thing that everyone does when checking out books? They hold them up to the bar code reader! When that doesn't work, they try to swipe the barcode over the glass plate and place it aside, which results in the item appearing then disappearing from the confirmation touchscreen.

So what happens? People are generally capable of figuring this out and they learn, right? Nope. Doesn't seem to happen for two reasons: 1) Inevitably the helpful librarians who have been hovering inches away now swoop in and do it for you, oblivious to all protests and completely negating the value of self service checkout; and, 2) Weak technology. The scan plate is touchy, too many items on it and it gets confused - four items is okay, five sometimes, but a sixth item inevitably causes it to decide that only three are on the plate and all must be removed and the process restarted. The bar code reader requires that the library card be place on the desk for it to work, the natural behaviour of holding it up the reader fails. And the touch screen is unclear about where to press and when and how many times (in fact, it requires an unprompted, second press of "No" at the end of the process for it to ever conclude the session).

At the end of the day, it's not a big deal. No one dies. Everyone gets their items. People will eventually adjust and the technology can be upgraded to remediate some of the touchiness at the cost of only a few hundred thousand dollars more spending in a city with multi-billion dollar deficits. But it irks me. And I think it illustrates something that all designers should take as a lesson, understand the expecations of your users and work with them. It will be to your benefit and theirs.

2010, the year of Vista?

Sigh. I guess I should make good on my stated intent to write about things that annoy me and/or interesting technology, or failing that technology that annoys me. So on that note I've got something to say about Windows Vista. Yes, I am aware that it is no longer 2007 and no one cares about Vista anymore. Windows 7 is in RC with a slated RTM date of late October 2009. Vista is old news for everyone, except me.

When Vista came out I took one look at UAC, read a few articles about how slow it was, and swore never to use the OS. I figuratively pulled the blankie of corporate hardware and licensing over my head. At the time I had an employer supplied Thinkpad running XP that no one had ever got around to putting on the domain and a pretty kick-ass corporate desktop running Gentoo x64. I was happy with what I had and all I knew about Vista was that I didn't like it.

That was then. Now I'm on my own without the luxury of someone else paying for volume license keys. I had to buy my own laptop and live with the available OEM options. Sure I could drop the MSFT products and run Linux, I have no problem with Linux on the desktop and for the most part I can live without MS Office. I could do that, but can I afford to? I'm running my own business, I can't afford to have technology problems which might interfere with my ability to work. Specifically, I need to be able to run IDA. I asked around and was warned I'd spend more time fighting with WINE than reversing and I can't afford to fiddle with settings and hope it works. Forage Security's second computer will run Gentoo, but for better or for worse I'm now a Vista x64 Business Edition user. And you know what? It's not that bad.

I'm running SP2, UAC is enabled, aside from the perplexing and pointless relabeling of familiar control panel items, the experience (no pun intended) is much like that of XP, only smoother. Maybe it's the visual effects. Only problem so far has been that SSLTunnel doesn't seem to be supported on x64 and I don't have the expertise (or the time) to port the driver files. Oh well.

If you're still reading, you may be wondering if all this rambling about Vista being "not that bad" has a point. It actually does. I was at my bank the other day and couldn't help but notice that all the teller's machines were running Windows 2000. Fine and dandy for them, I'm sure, but last time I checked extended support for Windows 2000 is expected to cease July 13, 2010. That means just over a year from now there will be no more publicly available security patches and it's way past time to retire those boxes.

Nevertheless, a large enterprise can afford and may choose to pay for continued support even after the end of generally available extended support. But let's face it, the end is nigh for the one of the most popular operating systems in history. Now, if you're a "for-real" cyber criminal and you are sitting on a remotely exploitable buffer overflow in Windows 2000, what do you do? Exploit it now and see it patched within a couple of months? Probably. MS08-067 showed that even when the patch is available, hundreds of thousands of systems can still be compromised. But maybe you'll wait until July 14, 2010 knowing that most of the people still running 2K at that time will never see a patch. I guess you'd do whatever seemed the most profitable, I don't know which way that is.

On the other side, if you're running the IT department of a fortune 500 company, and you've (hopefully, finally) just finished migrating all you NT4 hosts to Server 2003 and are now faced with the costly prospect of an even larger migration of Server and Desktop 2000 hosts... what do you do? Well, look at the timing, it's obvious that this has occurred to MSFT too. Windows 7 promises to improve on the lessons learned with Vista, but there is not going to be a Window 7 Server, instead we'll get Windows Server 2008 R2 at about the same time Windows 7 hits the streets. All of this before 2K expires.

But is it soon enough? By now, IT departments have learned to wait for SP1. And quite frankly, 9 months isn't long enough for a major organization to adopt a new desktop operating system. Those with a lot of foresight are already testing their applications with the release candidate and training their users. Those that haven't started yet will probably take a long hard look at the matured Vista SP2 offering for their desktops.

Welcome to the Forage Security Blog

So... I'm blogging. And not only am I blogging, I'm blogging from the international departures lounge of Laguardia airport in NY, NY whilst awaiting my now-delayed-by-more than an hour flight home from my first ever business trip. How exciting. So what if I'm about eight years late to the blogging party? At the pace at which I'm adopting social media technologies you can expect my Twitter feed to launch sometime in 2015 and my facebook page sometime after the sun has burnt down to a cold dark cinder.

Technically this isn't my "first" ever blog post, but it is TEH FIRST POST!!! (sorry - had to) on this site, the Forage Security blog. I intend to use this blog to talk about things I'm working on and rant about whatever is getting under my skin today. Maybe it'll be therapeutic. What sort of things do I work on? Well, as the title might have suggested to you, this blog will largely be about IT security. I've spent the last three and a third years as a researcher for a major North American vulnerability and configuration management company. That's where I did what little previous blogging I have done. It wasn't much. Forage Security is my new gig. I'm trying to go it alone as an independent security researcher and security consultant, wish me luck - I'll need it.

IT Security is a big field and there's enough interesting things going on in the space to keep a lot of bloggers busy, but it's not the only work I do. I'm also a student in the process of wrapping up my Master's "integration project" (hereafter referred to as "my thesis"). So you can expect this blog to touch on a number of specific topics, including Programming Techniques, Software Engineering, Semantic Web Technologies, Ontologies, Python, Django, RESTful architecture, Virtualization, Gentoo Linux, and whatever else happens to pop into my head on any given day.

Well, my flight seems to finally be boarding, so I'll wrap this up.... or not. Apparently this is a game, where the closer it gets to boarding time, the further back the actual boarding time will be pushed. The latest round featured me getting to T -3 minutes, before the flight was pushed back another hour and a half.

BTW there are flies and ants all over the place in Laguardia's Terminal B, it's unpleasant.

Sigh.... got within 10 minutes of departure time and they bumped it back another 15. Finally made it out of there more than three hours late.