• SSL certs – probably not worth the bits they’re printed on…

    This failure of the trusted Certificate Authority (CA) “Comodo”:


    highlights something that is becoming more apparent:

    SSL certificates probably aren’t worth the bits they’re printed on.

    Setting aside that there is a fairly regular stream of issues with the authorities, companies like GoDaddy issue certificates for all of $12 with nearly instantaneous issuance; clearly there’s not much validation going on. Way back when, getting a certificate issued took days and involved real paperwork, actual calls from issuers, DUNS lookups, etc.

    This may still be the case with organizations like Verisign, but given that for most browsers GoDaddy is equally trusted and that pretty much no one looks at the certificate signers, one weak authority essentially compromises the whole system.

    The answer?

    Certainly Extended Validation (EV) certificates help, though those are generally overpriced and end users for the most part don’t actually care (that is, for most of us, you’re still going to use non-EV sites regardless).

    No, probably the answer is to not trust SSL certs as a metric of “identity”. Just because a site has a valid cert doesn’t mean that it’s a legitimate company or even actually is who it says it is. Instead you need to use other techniques – like Google searches to see if the site is a scam.

    It should be otherwise, but essentially the keys have been given away. In many ways, unfortunately, at this point (at least for non-EV) signed certs are simply a “jab fee”. The browser may as well silently accept self-signed certs – the cert’s true value is mostly for enabling encryption (and that doesn’t require a trusted authority).

  • Zone Firewall TCP reassembly size

    If you get something like this in your Cisco’s IOS firewall log:

    Mar 12 15:05:33 3129: 003121: *Mar 12 15:03:03.195 EST: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:525214740 1415 bytes is out-of-order; expected seq:525170856. Reason: TCP reassembly queue overflow – session to on zone-pair ccp-zp-in-out class ccp-protocol-http

    sometimes accompanied by hangs in downloads, then what is happening is you are blowing out the buffers used to reassemble TCP segments when the segments have arrived “out-of-order” (also abbreviated “OoO”).

    The problem for a stateful firewall or IDS/IPS is that it often needs to see more of the packet stream than just the initial segment to make a forward/block decision. Thus it has to collect these segments together; however, sometimes the segments don’t arrive “in order”. This is particularly likely when a VPN is in the path.

    In order to get around this, it essentially collects the streaming segments going by in a queue until it can find the missing segment (assumed to be “out-of-order”). It queues those packets in memory, but for obvious reasons it cannot have infinitely sized queues – it would run out of resources. In fact if it did, this would offer a very effective DoS (Denial of Service) attack.

    Thus, there are defined limits on the TCP reassembly queue. Those limits are actually fairly small to start with (16 entries and 1 MB), so you may want to adjust them if you are regularly seeing messages like the one above.

    Using the old CBAC method of inspection, you could insert the following command:

    ip inspect tcp reassembly {[queue length packet-number] [timeout seconds] [memory limit size-in-kb] [alarm {on | off}]}

    However, the newer Zone Firewall inspection methods don’t use the same settings. Instead the new command format is:

    parameter-map type ooo global
    tcp reassembly alarm {on | off}
    tcp reassembly memory limit
    tcp reassembly queue length queue-length
    tcp reassembly timeout

    To note the defaults are as follows:

    parameter-map type ooo global
    tcp reassembly alarm off
    tcp reassembly memory limit 1024
    tcp reassembly queue length 16
    tcp reassembly timeout 5

    So, if say you wanted to quadruple the default queue/memory lengths:

    parameter-map type ooo global
    tcp reassembly memory limit 4096
    tcp reassembly queue length 64

    Note it’s not clear if a dropped segment appears the same as an “out-of-order” segment to the router – that is, with a dropped/lost segment the router keeps expecting it to arrive, just out of order. Thus the error could be telling you more that you’re dropping packets than that you’re blowing out your “out-of-order” queues. Unfortunately I cannot find documentation one way or another on this.

    Also to note, if you’re increasing the queue length you might want to increase the timeout (“tcp reassembly timeout time-limit-secs”); however, 5 seconds is an awfully long time for a segment that might be out-of-order not to arrive. As bandwidth increases, while it is likely that more packets/bytes might come in to blow out the queue, it’s unlikely they would take more time to do so (quite the opposite – an out-of-order packet at higher bandwidth is if anything likely to show up sooner, not later), thus I wouldn’t expect this to need adjustment.
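    As an added example (not from the original post), here is a small parser for %FW-4-TCP_OoO_SEG lines that works out how far past the expected sequence number each dropped segment was, converts that to a lower bound on the number of segments the reassembly queue was asked to hold, and compares it with the default queue length of 16 to suggest a size. The first sample line is the one quoted above (addresses already stripped there); the others are constructed, with documentation-range addresses.

```python
import re

# Defaults quoted in the post for "parameter-map type ooo global"
DEFAULT_QUEUE_LENGTH = 16
DEFAULT_MEMORY_LIMIT_KB = 1024

# Matches the %FW-4-TCP_OoO_SEG message. The separator before "session" is accepted
# as either "-" or an en dash (copy/paste often mangles it), and the addresses are
# optional because the line quoted in the post had them stripped.
OOO_RE = re.compile(
    r"%FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:(?P<seq>\d+) (?P<bytes>\d+) bytes "
    r"is out-of-order; expected seq:(?P<expected>\d+)\. Reason: (?P<reason>.+?) "
    r"[-\u2013] session\s*(?P<src>[\d.:]*)\s*to\s*(?P<dst>[\d.:]*)\s*on zone-pair "
    r"(?P<zone_pair>\S+) class (?P<cls>\S+)"
)


def parse_ooo_line(line):
    """Return the fields of one OoO drop message, or None for any other line."""
    m = OOO_RE.search(line)
    if not m:
        return None
    seq, expected, nbytes = int(m["seq"]), int(m["expected"]), int(m["bytes"])
    gap = (seq - expected) & 0xFFFFFFFF  # bytes past the hole; TCP seq space wraps at 2^32
    return {
        "seq": seq, "expected": expected, "bytes": nbytes, "gap": gap,
        # Segments of this size that must have passed the hole before this one:
        # a lower bound on what the per-session reassembly queue had to hold.
        "segments_ahead": -(-gap // nbytes) if nbytes else 0,
        "reason": m["reason"], "src": m["src"], "dst": m["dst"],
        "zone_pair": m["zone_pair"], "cls": m["cls"],
    }


def suggest_queue_length(max_segments_ahead, current=DEFAULT_QUEUE_LENGTH):
    """Smallest doubling of the current queue length that covers the widest hole seen."""
    proposed = current
    while proposed < max_segments_ahead:
        proposed *= 2
    return proposed


def summarize(lines, queue_length=DEFAULT_QUEUE_LENGTH, memory_limit_kb=DEFAULT_MEMORY_LIMIT_KB):
    """Group drops per (src, dst, zone-pair, class) and attach suggested limits.
    The memory limit is scaled by the same factor as the queue, as the post does."""
    sessions = {}
    for line in lines:
        rec = parse_ooo_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["zone_pair"], rec["cls"])
        s = sessions.setdefault(key, {"drops": 0, "max_gap": 0, "max_segments_ahead": 0})
        s["drops"] += 1
        s["max_gap"] = max(s["max_gap"], rec["gap"])
        s["max_segments_ahead"] = max(s["max_segments_ahead"], rec["segments_ahead"])
    for s in sessions.values():
        s["suggested_queue_length"] = suggest_queue_length(s["max_segments_ahead"], queue_length)
        s["suggested_memory_limit_kb"] = memory_limit_kb * (s["suggested_queue_length"] // queue_length)
    return sessions


# Constructed sample feed: first the line quoted in the post, then made-up lines
# using documentation-range addresses, then an unrelated line the parser must skip.
SAMPLE_LOG = [
    "Mar 12 15:05:33 3129: 003121: *Mar 12 15:03:03.195 EST: %FW-4-TCP_OoO_SEG: Dropping TCP "
    "Segment: seq:525214740 1415 bytes is out-of-order; expected seq:525170856. Reason: TCP "
    "reassembly queue overflow \u2013 session to on zone-pair ccp-zp-in-out class ccp-protocol-http",
    "Mar 12 15:06:01 3130: 003122: *Mar 12 15:03:31.002 EST: %FW-4-TCP_OoO_SEG: Dropping TCP "
    "Segment: seq:1000028300 1415 bytes is out-of-order; expected seq:1000000000. Reason: TCP "
    "reassembly queue overflow - session 192.0.2.10:51234 to 198.51.100.5:80 on zone-pair "
    "ccp-zp-in-out class ccp-protocol-http",
    "Mar 12 15:06:02 3131: 003123: *Mar 12 15:03:32.150 EST: %FW-4-TCP_OoO_SEG: Dropping TCP "
    "Segment: seq:1000002830 1415 bytes is out-of-order; expected seq:1000000000. Reason: TCP "
    "reassembly queue overflow - session 192.0.2.10:51234 to 198.51.100.5:80 on zone-pair "
    "ccp-zp-in-out class ccp-protocol-http",
    "Mar 12 15:06:03 3132: 003124: *Mar 12 15:03:33.000 EST: %SYS-5-CONFIG_I: Configured from console",
]

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_LOG).items():
        print(key, stats)
```

    For the line quoted in the post the dropped segment sits 43884 bytes (32 segments of 1415 bytes) past the hole, which is already twice the default queue length, so the quadrupling suggested above is not excessive.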

  • Dear Vendors…

    I have to say one of my pet peeves is when vendors, and a lot seem to do it today, send emails or leave voicemails acting like we’ve known each other (often sounding like years) when we in fact haven’t even exchanged greetings before. I don’t know if that works for others, but for me it, well, creeps me out and frankly immediately makes me disinclined to work with you.

    A recent example (one of many sadly):

    I cannot “catch up with” someone I have never met and don’t pretend you’re “trying to reach” me when this is the first email I’ve received from you (ok, it is vaguely possible I’ve received another and “filed” it appropriately as well).

    Seriously, does this work with other potential customers? Because opening with deception does not seem like a way to start off on a good foot.

    Needless to say, I won’t be speaking to this particular vendor “soon”.

  • Converting VMware virtual disk to “eagerzeroedthick”

    Pretty simple from the console really:

    vmkfstools -d eagerzeroedthick -i <virtual-disk-source>.vmdk <virtual-disk-target>.vmdk

    Note that this will completely expand the size of the filesystem (ie: it will no longer be “thin”).

    I needed this not to convert a “thin” disk to a “thick” disk, but a “thick” disk to a clusterable “thick” disk. The default of “zeroedthick” for a thick disk does its zeroing as needed on the fly, whereas “eagerzeroedthick” zeros everything out beforehand (which takes longer). The former, “zeroedthick”, isn’t compatible with clustered filesystems, or more particularly with the required setting of “SCSI Bus Sharing” to “Virtual”, while “eagerzeroedthick” is.

    “eagerzeroedthick” corresponds to the vSphere Client setting when creating a hard disk of “Support clustering features such as Fault Tolerance”. It is incompatible with “Allocate and commit space on demand (Thin Provisioning)”.

    More about clustering on the same VMware machine (though aimed at Microsoft unfortunately) can be found here:


    To note, renaming virtual disks is equally simple via the CLI (which the vSphere Client will not allow):

    vmkfstools -E <original-virtual-disk>.vmdk <renamed-virtual-disk>.vmdk

    Note that any of the “thick” versions actually have two files, which can be confusing: one whose name lacks “-flat” and one that has it. Choose the one that lacks “-flat” for these operations and “vmkfstools” will automatically handle the “-flat” file as well.

  • Larry Ellison on “Cloud Computing”

    Via SwissInfo:

    “The computer industry is the only industry that is more fashion-driven than women’s fashion,” Oracle founder Larry Ellison commented on cloud computing recently. “Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane.”

    I think there’s more to it than just gibberish – stuff like Google Apps is a great and usable example, however it’s true everyone is jumping on this and my mailbox is absolutely blown out with “cloud computing this” and “cloud computing that”. Half of it is in fact pure gibberish.

    Not surprising, Stallman hates it:


    He makes some good points about why you should be wary. I think what you should take away from his comments is that if you are thinking of using cloud computing, go in with your eyes open (as opposed to it’s just plain “stupid”).

  • The kitchen sink of security tools…

    This seems to be a useful location to find security tools:


    Everything including the kitchen sink!

  • Apparently George Romero was right…

    That a deadly virus would escape from the military possibly causing zombies:


    He was just wrong that humans would be the target.

  • How to build a SLES minicd boot image…

    Sometimes you’ll have a system that doesn’t have a DVD drive and/or it’s more convenient to install over the network. Making a “minicd” that boots and then installs from the network is fairly simple:

    1. Set up Apache and copy the DVD media to a subdirectory of “/srv/www/htdocs”. At least in my case I ended up with two directories:
      • /srv/www/htdocs/SLES11SP1/SLES-11-SP1-DVD-x86_64.0432..001/
      • /srv/www/htdocs/SLES11SP1/SLES-11-SP1-DVD-x86_64.0432..002/
    2. Copy the boot images to seed a minicd:
      • mkdir /tmp/minicd
      • cp /srv/www/htdocs/SLES11SP1/SLES-11-SP1-DVD-x86_64.0432..001/boot/x86_64/loader/* /tmp/minicd
    3. Edit “/tmp/minicd/isolinux.cfg” and add an entry like the following (the install= URL points at the first DVD directory set up in step 1):

      label slesinstall
        kernel linux
        append initrd=initrd splash=silent showopts install=http://MY.SERVER.COM/SLES11SP1/SLES-11-SP1-DVD-x86_64.0432..001

    4. Make the ISO image:
      • mkisofs -o /tmp/minicd.iso -b isolinux.bin -c boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table /tmp/minicd
    5. Burn the ISO using whatever software you have available (eg: Nero, Roxio, etc.).

  • Another case of “With friends like these…”

    Well, researchers have devised a way around most modern anti-virus software. Yet another example of, “With friends like these, who needs enemies.”

    Again, I know “security by obscurity” is false security, but it’s not like the bad guys need as much help as they’re getting!

  • Beware of Outlook…

    Just to save you the embarrassment I thought I would warn Thunderbird users about a little something I discovered today if you use HTML formatting with Thunderbird while interacting with users of Outlook 2007.

    Attached are two views of the same email created in Thunderbird and sent out. One view is from Thunderbird, the other from Outlook. First as Thunderbird sees it:

    Thunderbird Version

    Now as Outlook sees it:

    Outlook Version

    As you see, Outlook has essentially stripped all the formatting. This is actually for two reasons:

    1. It expects, wrongly I think, for the sending email client to change the color of the quoted text. So instead of showing “>” or a blue “|” in front of the text, it throws that part away and uses the HTML color specified in the email, which defaults to black – the same color as non-quoted text. Outlook always sets the color, so it doesn’t care.
    2. For indents it ignores, wrongly again, the absolutely standard HTML construct of “<blockquote>” and instead expects a CSS DIV offset margin, which Outlook uses.

    If you’re a person who, like myself, sometimes has to send replies to C-level executives and aren’t aware of these issues, this can yield some embarrassment – you’ve essentially sent them unintelligible gobbledygook in which your reply text is indistinguishable from the text you’re quoting.

    It appears that it is possible to fix this through something like this:


    Though it’s not clear if it really works and I’m not sure if it’s worth the effort.

    Interestingly, if you use “text only” email with Thunderbird, Outlook correctly shows the “>”.

    Anyway – just an FYI.

  • 1 Reason Why Microsoft Bing Is Gaining on Google

    eWeek has this “fluff” piece on why Microsoft Bing is “gaining” on Google:

    10 Reasons Why Microsoft Bing Is Gaining on Google

    I don’t usually like to go this far, but frankly it’s pretty shameless pandering.

    Bing may or may not be a good search engine (personally the results it pulls just don’t cut it for me), but its quality or lack thereof has little to do with why it’s gaining market share (if it is in fact doing that – there’s good reason to believe it’s mostly cannibalizing Yahoo!).

    No, instead it has one and one reason only for any increasing market share:

    Microsoft made it the default search engine for Internet Explorer.

    Simple as that.

    Coming up with 9 other reasons, mostly cobbled from Microsoft PR talking points, is a sad excuse for journalism and eWeek can (and often does) do better.

    If Bing wins here, the fact that it’s the better search tool (which is dubious) is ultimately secondary. Just like Microsoft killed Netscape by making IE the default browser, Microsoft aims to do the same to Google via Bing. If Microsoft truly believed in the product, then they wouldn’t make it the default and would let the user decide up front what search engine to use.

    Unfortunately, regardless of any positives that Microsoft brings to the industry, this is another example of its anti-competitive, no holds barred, behavior.

  • How to kill a session on a Cisco PIX/FWSM

    Completely different from Cisco IOS, so hard to remember:

    Log into the PIX/FWSM and go to “enable” mode. Do a “who”:

    Choose the IP of the session you want to kill and grab the number. In this case I want to kill the “” session, so I want “2”. Then kill it:

    The target session will then drop.

    Note if you’re coming from the same IP it may make it harder because the sessions will reference the same IP. In that case, just assume the later session has a higher number (or conversely, the earlier session has a lower number).

    Be careful. I have no idea what this does if you’re in the middle of an access-list update.

  • A good Blackberry security primer…

    ComputerWorld has published a good Blackberry security primer here:


    I highly recommend all Blackberry owners read it.

  • Why Internet Explorer rules…

    This article about the growth of Chrome has a little gem in it that shows just how anti-competitive installing IE by default as the only browser on Windows is. It says:

    NetApplications reported, Microsoft’s [Internet Explorer’s] 61 percent is a record low for the company as its market share continues to decline.

    A key reason for that is the European Union’s recent enforcement of a rule that requires Microsoft to give European Windows owners the opportunity to choose between several browsers upon boot-up, rather than require them to use Internet Explorer out of the box. Although the program just started, that ruling could have a profound effect on which browser will lead the way going forward.

    So the European Union requires browser alternatives to be offered and surprise, surprise, IE drops in usage. If IE really were the better mousetrap, the one everyone would want regardless, then you wouldn’t expect to see a drop. Also, if it’s so easy to download say Firefox or Chrome, as is your only choice in the States, then one wouldn’t expect the numbers to change either.

    No, as Microsoft well knows, if you put it on as a default, it’s likely that no one will change it because it’s easier not to – that’s why their numbers got so high. This is also why it’s also concerning that the default search provided for IE is now Bing. They know damn well they can take the market from Google through this technique.

    Frankly IE isn’t a bad browser and for some Bing is probably a passable search engine (personally I can’t stand it, but we all have our preferences); however, my concern is more about the anti-competitiveness these efforts represent. It really is playing hardball with the market. If you doubt that, remember that Netscape had a viable for-pay browser that Microsoft effectively killed by bundling the (at the time extremely buggy) IE.

  • Blackberry Profiles

    I’ve recently received a Blackberry Curve 8330 from my workplace. Unfortunately the documentation seems a little thin on a number of aspects, one of which is “Profiles” which is what controls alerts and ring tones. Below is my attempt to document a few of the settings based on Google searches (this appears to apply to OS 4.5 and below – the newer 4.7 code seems to use a “Sounds” setting that is more granular).

    • Browser: push messages from your network provider (eg: Verizon). You can sign up for things like weather alerts at “mobile.blackberry.com” that get pushed this way.
    • Calendar: calendar appointment alerts
    • Level 1 Messages: email messages that you mark as “Level 1” in your email filters. In short, by using a filter you can make sure certain messages cause an alert. This may also include “PIN” messages (that is, BlackBerry-to-BlackBerry messages).
    • Messages[Desktop]: enterprise mail notification if your BlackBerry is using a BES (BlackBerry Enterprise Server)
    • Messenger – Alert: when someone joins or becomes available to BlackBerry Messenger.
    • Messenger – New Message: a new BlackBerry Messenger message has arrived.
    • MMS: alert of an incoming “Multi-Media” message (eg: photos or video)
    • Phone: incoming phone call
    • PI Event Alarm: an alarm for a scheduled “PocketInformant” event. This option will only show if you use WebIS’s excellent “PocketInformant” tool.
    • PI Task Alarm: an alert of a “PocketInformant” due task (see “PI Event Alarm” above for more).
    • SMS Text: alert of incoming Short Message System message. SMS messages are what are typically known as “text messages” for most phones (including non-smart phones).
    • Tasks: alert when a task is due.

    Under each of the above alert types, you can set how it is handled, for instance whether it vibrates, rings, etc. The alerts are divided between “Out of Holster” and “In Holster”, where “In Holster” means the BlackBerry has been put in its case (ie: is probably on your hip) and “Out of Holster” means it has been taken out of its case. Note that “In Holster” only applies to those holsters that can trigger the magnet switch (generally OEM holsters).

    The handling options are:

    • Out of Holster/In Holster: indicates whether to make a (ring) tone for this alert, vibrate, both, or none.
    • Ring Tone: the ring tone to use for this alert. Does not apply if vibrate only or “none” for above alert.
    • Volume: volume level for playing the ring tone. Again does not apply if vibrate only or “none” for above alert.
    • Number of Beeps: number of beeps (tones) to make on the notification. Things like “Browser” types where you’d want a single beep etc. use this. Apparently to see this you have to set the “Ring Tone” to an alert sound or a short, short, ring tone.
    • Repeat Notification: whether to blink the BlackBerry light if you didn’t respond to a notification. Unfortunately can’t do audible repeats (supposedly there is a 3rd party solution for this called “WebMessenger Alerts”).
    • Number of Vibrations: how many times to vibrate the BlackBerry on an alert. Only applies if “vibrate” is turned on (as opposed to “Tone” or “None”). The vibrations appear to occur before the tone (as opposed to coincidental with it). This allows you to service the alert before disturbing anyone.

    NOTE: It’s a bit more complicated than the above might imply for an incoming phone call. Basically the BlackBerry (or rather your wireless network) gives you 30 seconds to answer a call. If say you set “Vibrate+Tone” and then have “3” vibrations, it will do 3 vibrations, then your ring tone, then if there is still time left, 3 more vibrations, then if there’s more time, your ring tone, and so on – all up to 30 seconds. The fewer the vibrations and the shorter the ring tone, the more iterations (repeats) you’ll get of the vibrate-then-ring sequence (similarly, if it’s ring only, then the shorter the ring tone, the more repeats of the ring tone).

    Hope that helps as there doesn’t seem to be a generalized document for this nor is this in the BlackBerry manual.

    By the way, here is a good manual on how to add per-contact ring tones.

  • Bash TCP programming hack!?

    I had never heard of this until I ran into it working on a recent project. In “bash” you can open sockets:

    exec file-descriptor<>/dev/tcp/IP-or-hostname-here/port

    so for example:

    exec 3<>/dev/tcp/

    would open port 23 (telnet) to IP “” for read and write (the “<>”) on file descriptor “3” (remember descriptors 0, 1, and 2 are used by default for stdin, stdout, and stderr respectively, so you probably don’t want to step on them). Or if you prefer easier to read:

    exec 3<>/dev/tcp/myhost.mydomain.com/telnet

    and thus it’ll also do host and service lookups.

    You can then write to the socket:

    echo "mylogin" >&3

    or read from the socket:

    cat <&3

    If you don’t use “<>” but rather just “<” or “>” you can open the socket only for read or write respectively.

    You can also close the socket (as all good programmers should):

    exec 3<&- # Close for read
    exec 3>&- # Close for write

    Bash – it shakes, it bakes, it does socket programming.

    To note, this is entirely a bash-ism; you can’t simply do:

    echo "hello" >/dev/tcp/

    “bash” is intercepting the “/dev/tcp” stuff and fudging it.

    And I thought Perl was the only one with ugly hacks.

  • Rubber Or Glue, It Still Sticks…

    This brings up a sort of interesting if not chilling thought in the world of security, particularly for large organizations:

    Mozilla shuts online store after security breach

    The title of this entry, which I’ve included verbatim, is important.

    To me when I read it, I’m reading “Mozilla has a problem”, or “Mozilla isn’t secure”, or most painfully, “Mozilla is a place I want to avoid because of its lack of security.”

    However Mozilla didn’t screw up and this is in fact no reflection on Mozilla’s security whatsoever. If you actually read the post, you’ll see:

    The Mozilla Foundation has shuttered its e-commerce store after confirming a security breach at GatewayCDI, the third-party vendor that handles the store’s backend operations. [emphasis added]

    Thus it isn’t Mozilla’s “fault” after all, it’s GatewayCDI’s.

    So, what’s the point?

    The point is, even though it isn’t Mozilla’s fault, the headline sure makes it sound like Mozilla’s fault. My guess is any large or influential organization will be reported similarly. That’s going to leave the first impression, which many people never get past (either because of human nature and/or not reading past the headline), that those organizations are insecure, rather than their errant 3rd party.

    Or to put it another way, if your company is using a 3rd party and feels all safe because things like PCI aren’t your concern, think again. Shuffling it off to a 3rd party doesn’t insulate you from the softer liability of public opinion. A liability that can turn out to be nearly as expensive as many of the more traditional ones, like getting sued.

    So it’s incumbent on us as organizations and security teams to make sure our vendors are up to snuff. Signing agreements isn’t sufficient – some hands on, potentially including self conducted audits (if possible) may be required.

    Most of all, this brings into question the assumption that moving to a 3rd party really provides you the insulation you might think it does. Choose carefully, or you may get burned nearly as badly as if you had done it yourself.

  • Outlook email verbosity…

    I write HTML in Thunderbird because I like some rich formatting (an area I am sad to admit Thunderbird is weak on). In particular I do a lot of indented stuff, which Thunderbird translates to simple “<blockquote>” tags. However, when I moved to Outlook 2007 (which I don’t use for mail, but was just checking) and looked at my mail, I saw the “<blockquotes>” were ignored, instead Outlook, which uses “Word” for its HTML formatting, expects to see these done through CSS “<div>” tags (yikes!).

    So, I got to looking and sent myself a simple one line, “Hello world” email from Outlook. Here’s what Outlook rendered it as:

    Yikes again!

    I’ll grant you Word offers a lot more in terms of formatting, but that’s out of control. I guess these guys may have a point!:



  • Eating ourselves alive…

    Here is yet another example of how the “good guys” are figuring out ways to subvert security to “help” us:


    Basically Peter Kleissner, a young and clearly very smart university student, has figured out how to inject a bootkit in front of TrueCrypt (an excellent and free encryption product) to subvert its protections.

    While I understand that “security by obscurity” is ultimately a flawed paradigm, I really don’t think the bad guys need any help. While some claim the bad guys would ultimately figure this stuff out, I’m not convinced. A lot of the malign stuff out there has at its basis attacks developed by “good guys”.

    While I entirely support the right to do and publish such work (unlike a number of large corporations that have sued to keep these hacks quiet), I do feel in many cases the publishing of these exploits is an act of ego and narcissism, a sort of destructive “showing off”.

    Anyway, down goes another.

  • Apple iPhone “Jailbreak” FUD

    Apple may well have good and fair reasons to keep users from “jailbreaking” their iPhones, however the arguments as presented in the article are just FUD:


    If AT&T’s cell network is this vulnerable, we have far greater worries than a little iPhone hacking. After all, Apple’s argument is essentially to keep jailbreaking out of the hands of otherwise honest iPhone users (most likely people who would like to install non-Apple approved apps and/or move their iPhones to another carrier than AT&T).

    Unfortunately all that is going to do is just that – keep jailbreaking out of the hands of the honest. Those with nefarious intent will still jailbreak their phones and if the networks are as vulnerable as indicated, will happily attack these shortcomings.

    Frankly it’s just dumb. Clearly other phones can be hacked as indicated so if these were real issues, we’d already see the fallout.

    In short that makes it FUD, or speaking more directly, a lie.

    Again Apple may have every legitimate right to protect their iPhones and intellectual property (I’ll leave that to others to argue), however it really irks me when people or corporations stoop to lies to attain their agenda. If they can’t stand on the truth, then maybe they ought to lose to the EFF anyway.