Monday, August 04, 2008

Tweet, or something.

Monday, July 21, 2008


I've been wasting a bunch of time on MyYearbook, a MTWWTOSNS (massively time-wasting web-two-oh social-networking site). If you'd like to descend into madness with me, click here and join, for my personal gain:
Be Ryan's Friend

Several interesting aspects to this one, for security people. First, there are many sociological aspects. For example, what happens if you tell people they can't post naked pics? Second, there is a play-money currency, which drives everyone's behavior. Finally, they are getting phished left and right from within the site.

And the staff there appears to be so woefully unprepared to deal with it. When I saw the phishing, I thought I might mail their abuse contact info (only email address I found published), and see if they needed info, if I could put them in touch with a takedown group, etc. I got bounces from gmail. Um, your abuse email at your own domain depends on gmail?

The site is absolutely begging for someone to start using XSS. The game model they have basically demands it. For example, your popularity depends on profile views. And I can post a pretty wide range of HTML to someone in about 20 different ways. I haven't tried to see if I can find any XSS. Mostly because I don't trust myself not to abuse it.

But my favorite thing about MyYearbook that I just realized, while sitting in JFK coming back from HOPE. This site is teaching millions of people how to do simple HTML. And nearly half of these people are below average intelligence.

Edutainment, indeed.

Friday, July 18, 2008

Politics, $8.34 worth

This post is about politics, which I normally would avoid. But humor me this one time.

Click on the pic to have your geek heartstrings pulled. Short version: If he's willing and able to put this up, that's all I need to know. Don't care if he's pandering.

Yeah, I gave him $8.34.

Long version: Doesn't matter if he's in Kansas, I want people like this to succeed. Doesn't matter if I agree with all of his policies, you never get a candidate that matches exactly, and you can't count on them to implement them once in office. Plus, he appears to be able to change his mind based on feedback, holy crap.

If you want more candidates like this, consider giving him the token donations (US only), and blog him up.

Tuesday, July 15, 2008


I'll be in NYC for HOPE, starting tomorrow. Any of you going to be there?

Sunday, June 08, 2008

Little Brother

I just finished reading Little Brother by Cory Doctorow while on a plane to Seattle for a Windows Secrets meetup.

There are a few audiences one might rate this book against. Probably the only fair one is the one Cory wrote for, young adult readers who need an introduction to electronic civil rights (and civil rights in general, for that matter.) For that audience, I think he has succeeded admirably. I will make my copy available to my kids, and see if any of them have an opinion.

To be sure, the book tries to indoctrinate readers to the cyber libertarian way of thinking. Since I happen to agree with that doctrine, I have no problem with that. (And yes, I gave up fighting the use of "cyber". I lose.)

Another audience I might rate this book against is the one I put myself in. Middle-aged infosec people. Perhaps with a little amateur writer thrown in. I still recommend the book, but now I have to start breaking out caveats and picking nits.

Spoilers ahoy.

First off, how's the tech? This is a sliding graph. Compared to the vast majority of the books in the world, Cory's technical accuracy is quite high. There are extreme ends of this scale. For example, Dan Brown (The Da Vinci Code author) writes with basically zero tech accuracy. Amazingly good, page-turning drama. Horrible tech. So Dan's down at the great writing, lousy tech corner.

If I may give my ego a backhanded stroke for a moment, I place myself up at the opposite corner. In the Stealing the Network series, I went way out of my way to make my tech 100% accurate. I also acknowledge that my writing probably sucks, so I like to think of myself as the anti-Dan Brown. Mercifully, my books are shelved in the Computer section of book stores.

Cory's writing in Little Brother is good and his tech is very good. (For a not-specifically tech, non-hacking book). So he's in the upper-right quadrant of the graph.

But of course I'm compelled to point out specific problems. Cory sacrifices some accuracy for plot in a few key places. And appropriately so, I think. The plot flows better this way. Biggest example is the RFID rewriting. The majority of the tags are not rewritable. Cory has kids running around doing non-contact rewrites of FastTrak and other cheap RFID tags. Doesn't work in real life. Nor, I believe, in the near future.

Speaking of time, I can't recall spotting anything in the book that would indicate a specific year. I'm sure that's intentional. I've had my books described as being 10 minutes into the future. I think Cory's at 60 minutes. It reads like now plus 5 to 10 years.

Cory's writing also snags in a few places. (Keep in mind, just because I can spot someone else doing it doesn't mean I can avoid doing it myself.) One of his purposes is to instruct. He doesn't assume the reader knows what an RFID tag is in the first place. This is where there's a big difference between random YA reader and someone like me who has been doing security for years.

For me, he's way over-explaining, and the story grinds to a halt. It's mostly first-person, and so are the explanations. But the first person goes from being aimed at someone in the story to being aimed at the reader. It's as if the main character turns to look straight out of the page at you. For someone who knows these things, it's like saying "money can be used for goods and services." So this lessened the enjoyment of the story aspect for me somewhat. But again, probably a tradeoff he made.

I also am already caught up on all the technical and political aspects the book covers, so I didn't learn anything new there. But then I read Boing Boing, was around when the EFF was founded, have been going to various hacking conferences for over a decade, and know half of the people Cory used for source material.

In my case, that leaves the story. On to the parts I did like. I find the overall plot, sadly, believable. It's almost entirely set in San Francisco and the Bay Area, where I live. So he gets local color points. He came up with a number of characters I care about. He made me angry about what was happening in the story. After the first couple of chapters, I had to spend all my spare time reading it.

Let me see if I can help you categorize yourself as a person who would agree with the politics of this book, and would be ok sharing with a YA reader. Do you get mad every time Thomas Hawk links to a story about a photographer getting hassled by the police or a security guard? Do you want to call up and scream at a school board or principal when Fark links to a story about some kid getting expelled for a t-shirt or haircut? Do you have nothing but contempt for the TSA every time you find yourself removing your shoes at the airport?

If the answer is yes, then you will probably "enjoy" the plot and be right on board with the political implication. Be prepared to spend the first half of the book angry.

You know what else I liked? Cory didn't shy away from the other points of view in the discussion. He goes ahead and points out how his main character is just like a terrorist. He gets screwed over by his parents for most of the book. Some of his own friends give up on him. Some of his trusted circle betray him. He doubts constantly. He suffers for it. It's not like Cory's position still isn't clear, but I appreciate him exposing all the costs.

The big moral of the story is that intrusive government sucks. But the smaller moral is that you have to stand up for your own rights, and it's going to hurt.

Little Brother download page
Little Brother posts on Boing Boing
Cory's review of one of my books (seems only fair)

Saturday, May 31, 2008

Race to Zero

The Race to Zero contest.

So, people are going to write some new packers? OK, no problem then.

Friday, May 30, 2008

Is Microsoft dropping Apple 0-day?

Just saw this link show up in my RSS reader:
Microsoft Security Advisory (953818) Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform

From the advisory:

What causes this threat?
A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed. Safari is available as a stand-alone install or through the Apple Software Update application.

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Change the download location of content in Safari to a location other than ‘Desktop’

Launch Safari. Under the Edit menu select Preferences.

At the option where it states Save Downloaded Files to:, select a different location on the local drive.

So... that sounds a lot like if I were to download a desktop.ini file or something like that, I'd get my Windows all 0wned. As in, if I cared to, I probably wouldn't have to work too hard to figure out how to exploit this from Microsoft's description and workaround.

Is this being exploited in the wild or something? Otherwise I kinda would have expected Microsoft to keep quiet until it was patched by Apple.

I guess Apple pushing Safari on Windows iTunes/Quicktime users isn't looking so hot about now?

Aha, pointer from Slashdot and The Register. The carpet bombing seems to be the genesis, but that's not the whole story, since he doesn't talk about executing code.

There it is, it was found by Aviv Raff.

Saturday, May 03, 2008

Tweaking content (administrivia)

I have a tendency to write full essays, and only when I'm aroused enough to spend the time, and then only when I can afford the time at that moment. I've also avoided more personal and trivial stuff, because the blog is part of the Security Blogger's Network and because most of you read this because of security-related things.

Well, those are problems that have an easy technical solution. I've created a security-only feed. If you only want the security-related stuff (things I tag "security"), then change your subscription to this feed.

If you want all the other crap I decide to come up with, continue to use the full feed.

I titled the blog "ryanlrussell" because I planned to have it be an egofest from the beginning; I just got sidetracked. So what have I been holding back on? Attempts at short fiction, things about my kids, other technology stuff, more things I want to keep a pointer to, and so on. You know that thing that bloggers do that people complain about, where they just point to some article and have a short comment without a lot of insight and value add? I'm going to do more of that.

There will be a tsunami of content. Relatively speaking. Prepare for boarding.

I'm going to go tweak old posts, which I'm sure will cause old articles to hit your readers again. Apologies in advance. Should be mostly a one-time thing.

Saturday, March 22, 2008

Arr! VMWare is driving me nuts.

Several random VMWare things I want to throw out there that bother me.

At this point, I have used and continue to use most of VMWare's products. This started with Workstation back at 3.x.

Oh, and let me get my biases out of the way; I run a QA department, and we use VMWare for everything we can. Nothing better than being able to restore to a known state or save off a machine exactly where it is when exhibiting a problem. BigFix, where I work, also makes an agent that runs inside the management partition on ESX 3.x boxes.

VMWare Workstation - Great product, great price point. You can run multiple machines (a few), manage whole snapshot trees. Only really useful if you're in front of the box Workstation is running on. Gets the bleeding-edge features. VMs running under Workstation don't perform great, but are adequate if you give them enough physical RAM. Pretty much exactly matches expectations, but then it's the first product and is the one the others vary from. So in a very real way, this is what sets my expectations for the other products.

VMWare Server - The first larger VMWare purchase I made was GSX Server, somewhere around $3,000US for the software, and a $6,000 Dell 2U running Windows to put it on (BigFix's money, not my personal budget). Not bad, performance is still not great, slightly worse than Workstation. Might be because of remote access latency. Shareable, remote access built-in, which is key. Only one snapshot though, which is an immediate problem. I can manually backup machines at the expense of 30 minutes instead of 60 seconds, and disk space per copy is the same as the original rather than a fraction like a snapshot. But I found I could have a library of 30 machines, and run around 15 simultaneously, depending.

I originally assumed they had just left it out of GSX so far... or maybe, that was their hook to get people to go to ESX? I hadn't looked into ESX yet at the time. It's not a casual evaluation. That's about when VMWare made Server free. Hey, great right? No. There go my hopes of ever getting multiple snapshots on Server. Because VMWare would be insane to put that feature in the free product. For someone in my position, multiple snapshots are probably 40% of the advantage of ESX over Server. And I use ESX now, so why do I care? Because I can't give up Server! I have to keep using this intentionally crippled product. I'll get to why in a sec.

VMWare ESX Server (family) - At this point BigFix has standardized on ESX for as many QA machines as possible. (We have stuff that runs on Mac, Solaris SPARC, AIX PPC, HP-UX PA-RISC and Itanium, Windows Itanium, Windows Mobile on ARM. The x86 virtualization doesn't help much on those. It could with Mac, but Apple only just recently allowed OS X Server on VMs. When I'm trying to qualify our product on OS X, I can't go the hackintosh route. Also, I have a DLP product and some Wake-on-LAN functions I need real machines for. Oh, and I have an agent that runs IN ESX. I can't run ESX in ESX....)

But back to what I LIKE about ESX for a sec. It's the fastest of the bunch, scales better, has better remote access, better machine cloning, migration between physical ESX hosts and drives, and has MULTIPLE SNAPSHOTS. I put my team on ESX, and some of the install matrix stuff instantly takes half the time because of the snapshot feature alone. There's also an almost real infrastructure management. For my purposes, this means I get all my VMs in one window with one login. If you have more than one Server, then you log into each one separately (as far as I know. More on that in a sec, too.) I have as many as 30-40 machines running simultaneously per physical ESX box, out of a library coming up on 100, and it does a fantastic job at resource sharing the 8 cores and 16GB of RAM per physical box. It loves it some disk space, but that sort of thing happens when you build a hundred VMs averaging around 10GB each.

Sure, it's a little pricey. I think I'm paying $3000-4000 per ESX box, plus something for Virtual Center, and I'm not sure what else. I'm buying $9,000 Dell 2Us now, because ESX can actually make use of the resources. And I'm in for an external Dell SATA drive array, 15 400GB drives RAIDed, giving me 1TB on one ESX box, and 1.4TB on the other ESX box. I think we paid $15,000-$20,000 for that. I get less clear on the costs at this point, because I can now just budget for more capacity, and my IT department is buying it. We're in the process of picking out a 40TB SAN for the big cutover, where I bring some other groups into production on ESX who have been suffering with Workstation and piles of external 500GB USB hard drives. We have a tiny bit of the production virtualization that VMWare constantly touts, but 90% of my ESX use falls under QA-style use.

Great, right? So one day, I grab the VMWare Converter tool (awesome tool!) to convert the last of my Server images over to ESX... and it balks. OK, no big deal.. I can make them again, they're just a few Win9x boxes, some Solaris x86 10... Hey, the Win9x OSes are missing from the list of standard OSes in the UI. I do some digging, and...

Windows 9x is not supported on ESX.

What? That can't be right... do some investigation... supported on Workstation... supported on Server. Not supported on ESX.

The Solaris x86 10 doesn't seem to work so well on ESX either, though support is claimed. But only starting at a particular patch level. Uh, I kinda need to test compatibility all the way back to no patches, guys. But I haven't finished my heroic effort getting it running on ESX yet. (Not that I should have to work that hard, of course.)

So in one shot, ESX has now forced me to maintain some number of Server machines. Sure, I already had to have piles of physical boxes for the random non-x86 unices. But I was so close on the Win9x. It should work. VMWare just doesn't want to. Can I have multiple snapshots on Server? No. Can I have Win9x on ESX? No. And I can't pay them for it, they don't want to.

While I'm complaining, there's one more thing I don't like about ESX (besides the usual incremental stuff). I have no idea what the various ESX pieces do, or if I have them, or if I want them, or what kind of setup I need for them. I know I have ESX, Converter, and Virtual Center. I think I want VMotion. I think it does cool stuff with automatically balancing loads and migrating machines. I think I need a SAN for that. I sure hope my IT guy who spec'd that and the SAN out has it straight. I think there are bundles that have some of what I want. And I don't know what else I'm missing.

Like, I have Virtual Center. Does that help with my requirement for Server still? I don't think it does. I could be wrong. There's some ACE authentication product or something too, right? Why would I want that? What does it do?

Why did you buy Determina?

Now, if you actually know what you're doing with VMWare, you are assuming I haven't done my homework and haven't been to training and haven't been reading the docs and whitepapers. And you're right. But I'm the customer. I have entitlement issues. I define good products as ones that I can figure out without much work, that don't make me read the docs. I've been doing this for 25 years now, I like it this way. If I have to read your docs, then I lose for some reason. So when I can't figure out your product line differentiation, that's ultimately your fault and you have made me bitter and/or sold me less. Make it simpler.

And then when I HAVE figured out your product differentiation when you didn't really want me to (i.e. your artificial limitations), that's not so hot either.

OK, I feel better thanks. And yes, for those of you who actually know the VMWare stuff in depth, PLEASE correct me.

BTW, what brought on the rant? I've got a presentation next week on malware analysis. I need Windows for that, and I'm carrying around a MacBook Pro with Leopard lately. So I bought a copy of VMWare Fusion straight from VMWare for about $70 yesterday. That's about half the cost of Workstation (Windows/Linux host only.)

It only does single snapshots.

Could I give you the extra $50 for multiple snapshots, PLEASE?! I only need this on my laptop when I'm traveling. I will use just as much ESX when I'm at work, I promise.

Tuesday, March 04, 2008

My D&D

Let me show you it.
Set here