Slashdot Mirror

Read & Learn, And Legalize Marijuana

Since the article is often pulled from websites, the first article you should read and burn into your mind is this, Google for the title and archive a copy for yourself:

"A break-in to end all break-ins"
"In 1971, stolen FBI files exposed the government's domestic spying program"

It's an amazing story, and in 2008, how much has this expanded into every corner of our lives? The majority of Americans are brainwashed sheep consumers with a limp wet noodle for a brain, thrashing around with their Wii and Paris Hilton media like a fat dinoasaur in a tar pit. Stay informed, we have no privacy, encryption is good but useless with acoustic monitoring, reflections in the eye and objects in your environment, etc.! If it's electronic, there's always a loophole. You shine brighter with each electronic device you use, in many ways. Don't trust Hushmail or any web based mail service to keep anything of yours secure or to provide any reasonable degree of security. Secure your computer room and rig your computer to shut down if you use encryption like Truecrypt or other when your environment is entered by someone other than you or those you permit and trust (you shouldn't trust anyone, everyone has a price)

Compromising Reflections or How to Read LCD Monitors Around the Corner
http://www.infsec.cs.uni-sb.de/~unruh/publications/reflections.pdf [uni-sb.de]

And more:

http://www.eff.org/wp/detecting-packet-injection
http://en.wikipedia.org/wiki/Anonymous_remailer
http://cryptome.org/tempest-law.htm
http://seclab.uiuc.edu/pubs/LeMayT06.pdf
http://www-users.cs.umn.edu/~dfrankow/files/lam-etrics2006-security.pdf
http://cryptome.org/nsa-vaneck.htm
http://www.alobbs.com/macchanger
http://lifehacker.com/software/ssh/geek-to-live--encrypt-your-web-browsing-session-with-an-ssh-socks-proxy-237227.php
http://www.nononsenseselfdefense.com/five_stages.html
http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
http://csrc.nist.gov/itsec/guidance_WinXP_Home.html
http://csrc.nist.gov/publications/nistpubs/800-84/SP800-84.pdf
http://all.net/books/document/harvard.html
http://www-128.ibm.com/developerworks/library/l-keyc.html
http://www-128.ibm.com/developerworks/library/l-keyc2/
http://www-128.ibm.com/developerworks/library/l-keyc3/
http://www.cl.cam.ac.uk/~mgk25/emsec/optical-faq.html
http://www.cs.washington.edu/education/courses/csep590/06wi/
http://www.wiley.com/legacy/compbooks/mcnamara/links.html
http://lifeha

Since the article is often pulled from websites, the first article you should read and burn into your mind is this, Google for the title and archive a copy for yourself:

"A break-in to end all break-ins"
"In 1971, stolen FBI files exposed the government's domestic spying program"

It's an amazing story, and in 2008, how much has this expanded into every corner of our lives? The majority of Americans are brainwashed sheep consumers with a limp wet noodle for a brain, thrashing around with their Wii and Paris Hilton media like a fat dinoasaur in a tar pit. Stay informed, we have no privacy, encryption is good but useless with acoustic monitoring, reflections in the eye and objects in your environment, etc.! If it's electronic, there's always a loophole. You shine brighter with each electronic device you use, in many ways. Don't trust Hushmail or any web based mail service to keep anything of yours secure or to provide any reasonable degree of security. Secure your computer room and rig your computer to shut down if you use encryption like Truecrypt or other when your environment is entered by someone other than you or those you permit and trust (you shouldn't trust anyone, everyone has a price)

Compromising Reflections or How to Read LCD Monitors Around the Corner
http://www.infsec.cs.uni-sb.de/~unruh/publications/reflections.pdf

And more:

http://www.eff.org/wp/detecting-packet-injection
http://en.wikipedia.org/wiki/Anonymous_remailer
http://cryptome.org/tempest-law.htm
http://seclab.uiuc.edu/pubs/LeMayT06.pdf
http://www-users.cs.umn.edu/~dfrankow/files/lam-etrics2006-security.pdf
http://cryptome.org/nsa-vaneck.htm
http://lifehacker.com/software/ssh/geek-to-live--encrypt-your-web-browsing-session-with-an-ssh-socks-proxy-237227.php
http://www.nononsenseselfdefense.com/five_stages.html
http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
http://csrc.nist.gov/itsec/guidance_WinXP_Home.html
http://csrc.nist.gov/publications/nistpubs/800-84/SP800-84.pdf
http://all.net/books/document/harvard.html
http://www-128.ibm.com/developerworks/library/l-keyc.html
http://www-128.ibm.com/developerworks/library/l-keyc2/
http://www-128.ibm.com/developerworks/library/l-keyc3/
http://www.cl.cam.ac.uk/~mgk25/emsec/optical-faq.html
http://www.cs.washington.edu/education/courses/csep590/06wi/
http://www.wiley.com/legacy/compbooks/mcnamara/links.html
http://lifehacker.com/software/home-server/geek-to-live--set-up-a-personal-home-ssh-server-205090.php

The funny thing is that AV software has been almost totally useless ever since we moved from floppy disks to Net connections - long before they started whitelisting malware from major corporations. As soon as it became possible to distribute malware more quickly than AV updates, AV software was dead in the water. And even before then, the writing was on the wall: the problem of detecting a virus is undecidable and you can't change the laws of math.

Good luck convincing your boss that AV software is snake-oil though. Best carry on paying and taking a performance hit every time you open a file.

Deception Toolkit. Learn it, love it.
http://all.net/dtk/download.html

Here is Fred Cohen's take on the general subject:

http://all.net/resume/bio.html

http://all.net/journal/newsletter/index.html

http://all.net/Analyst/index.html

Ref.

http://all.net/

Paper:
An Undetectable Computer Virus

http://www.research.ibm.com/antivirus/SciPapers/VB 2000DC.htm

Could this be the end of the Mac - PC flamewar?

Logic:

"... we can't stop here, this is bat country."

Fear and Loathing in Las Vegas, A Savage Journey to the Heart of the American Dream
Hunter S. Thompson

Here is Fred Cohen's take on the general subject:

http://all.net/resume/bio.html

http://all.net/journal/newsletter/index.html

http://all.net/Analyst/index.html

Ref.

http://all.net/

Paper:
An Undetectable Computer Virus

http://www.research.ibm.com/antivirus/SciPapers/VB 2000DC.htm

Could this be the end of the Mac - PC flamewar?

Logic:

"... we can't stop here, this is bat country."

Fear and Loathing in Las Vegas, A Savage Journey to the Heart of the American Dream
Hunter S. Thompson

Here is Fred Cohen's take on the general subject:

http://all.net/resume/bio.html

http://all.net/journal/newsletter/index.html

http://all.net/Analyst/index.html

Ref.

http://all.net/

Paper:
An Undetectable Computer Virus

http://www.research.ibm.com/antivirus/SciPapers/VB 2000DC.htm

Could this be the end of the Mac - PC flamewar?

Logic:

"... we can't stop here, this is bat country."

Fear and Loathing in Las Vegas, A Savage Journey to the Heart of the American Dream
Hunter S. Thompson

Here is Fred Cohen's take on the general subject:

http://all.net/resume/bio.html

http://all.net/journal/newsletter/index.html

http://all.net/Analyst/index.html

Ref.

http://all.net/

Paper:
An Undetectable Computer Virus

http://www.research.ibm.com/antivirus/SciPapers/VB 2000DC.htm

Could this be the end of the Mac - PC flamewar?

Logic:

"... we can't stop here, this is bat country."

Fear and Loathing in Las Vegas, A Savage Journey to the Heart of the American Dream
Hunter S. Thompson

MacForensicsLab

http://www.macforensicslab.com/

http://www.macforensicslab.com/mfl_analysis.html

If you are a super criminal you have state protection, See:
Attorney General Alberto Gonzales:

http://politics.slashdot.org/article.pl?sid=07/05/ 16/0137205

http://tedscolumn.blogspot.com/2007/05/more-from-d epartment-of-injustice.html

http://news.com.com/8301-10784_3-9719339-7.html

But if you've got something [below] this insidious, you're just screwed:

http://www.securityfocus.com/cgi-bin/index.cgi?c=a rticlecomments&op=display_comments&ArticleID=11372 &expand_all=true&mode=threaded

You'd need Fred: [site is run off a locked volume - DVD]

http://all.net/

He also has, White Glove Linux, LE is for law enforcement only. [click "prices" on left]

http://all.net/WG/dist/index.html

Fred's, The Man(TM)

MacForensicsLab

http://www.macforensicslab.com/

http://www.macforensicslab.com/mfl_analysis.html

If you are a super criminal you have state protection, See:
Attorney General Alberto Gonzales:

http://politics.slashdot.org/article.pl?sid=07/05/ 16/0137205

http://tedscolumn.blogspot.com/2007/05/more-from-d epartment-of-injustice.html

http://news.com.com/8301-10784_3-9719339-7.html

But if you've got something [below] this insidious, you're just screwed:

http://www.securityfocus.com/cgi-bin/index.cgi?c=a rticlecomments&op=display_comments&ArticleID=11372 &expand_all=true&mode=threaded

You'd need Fred: [site is run off a locked volume - DVD]

http://all.net/

He also has, White Glove Linux, LE is for law enforcement only. [click "prices" on left]

http://all.net/WG/dist/index.html

Fred's, The Man(TM)

Teach Yourself Programming in Ten Years

http://norvig.com/21-days.html

Fred

http://all.net/books/IP/evolve.html

GNU Source-highlight 2.5

http://www.gnu.org/software/src-highlite/source-hi ghlight.html

Another approach is shown in the Deception Tool Kit. DTK is a collection of scripts which connect to unused ports and appear to be various servers. When many servers use it, a forest is created which helps hide individual trees.

The art of War - Sun Tzu

No stupid e-mail viruses. Security is much easier in a proper UNIX environment.

Er, pardon? I'm currently reading A Short Course On Computer Viruses by Cohen (the father of mathematical viral theory), and I'd have to beg to differ. He's proven _mathematically_ that you can't absolutely get away from viruses without _severely_ limiting the system. Period. Unixes are vulnerable, DOS is vulnerable, Windows is vulnerable, even Bell-LaPadula-based systems. So, as you can guess, Linux will be vulnerable to viruses as well.. But regardless of all that, e-mail viruses can infect regardless of the OS (assuming it's still usable.) If less than intelligent people continue to execute attachments, then e-mail viruses will spread. E-mail viruses are an end-user issue, not an OS issue.

P.S.: While this book is almost ten years old, I'd sincerely suggest that anyone interested in viral theory check it out. As an example of his work, you can see one of his 1984 papers on viruses here.

Anyway, there were probably worm/virus prototypes before 1983. Anyone know of them?

In 1981-1982 the first computer virus, Elk Cloner, started spreading in the wild but it was not until 1983 when Fred Cohen finally proved that the concept of a computer virus was viable. To my best knowledge the first worm spreading in the wild was IBM Christmas Worm in 1987 and the first Internet worm was Robert T. Morris' Worm in 1988.

The part I find ironic about this article (most of which I agree with) is that some of the world first viruses were written for, and designed to run on, UNIX.

At least the early work by Dr. Fred Cohen was certainly done on a variety of boxes, and UNIX figured prominently.

The shell viruses were particularly interesting to me.

His book A Short Course in Computer Viruses, ASP Press (1991) is a fantastic read, even for it's age.

You can't boot from a USB device, can you?

I tend to carry a small collection of bootable media with me such as tomsrtbt on a floppy, LNX-BBC, White Glove, PLAC and a few others. (yes, even a DOS boot disk) They can be very helpful in cases such as upgrading a mobo for a Win98 machine, where the mobo can't see the CD-ROM until you install a driver... from a CD-ROM.

I've yet to see an explanation (other than "It's Magic!") of how a Palladium/TCPA/Fritz-chipped computer will end up more secure against viruses and worms. For starters, note that the most prevalent viruses for the last several years have affected *macros*, and assume that the "worms" they talk about are things like Klez, SirCam and etc, basically Outlook viruses.

Certainly in a Fritzed Palladium computer, software like Word and Outlook will have "certification". I mean, MSFT will certify their own software, right? The Word macro virus just gets interpreted by the certified Word executable. Similarly, Klez would just cause the "certified" Outlook executable to do certain things.

Given that any computing system that is Turing-complete can support viruses, how does Palladium make a system resistant to them? Is a Palladium system just not Turing-complete? Will "certified" executables not have features like scripting languages, macros, etc built into them?

Read Fred Cohen's paper Computer Viruses - Theory and Experiments published in 1984. The original experiments that demonstrated the threat of viruses were done on Unix.

'cause VMS scared the hell of the hackers.

do you mean hackers like Mitnick?

White Glove Linux is another similar distro. Ajay

While your point is well taken, another major advantage of LCD displays (other than the space savings as noted by another poster) is the power and cooling savings. Fred Cohen had his students in the CCD do a power and heat analysis of all their equiptment in the wake of the CA power crisis. They found that a 17" LCD monitor only drew 1/10 the power and generated 1/4 the heat of a 17" CRT monitor meaning that the higher cost for the LCD monitor would pay for itself after just a couple years of use.

-"Zow"

Thank you, Mo, finally a voice of reason. (And to answer your question, it was probably around 250,000.) Notable example: Dr. Fred Cohen, who works at the Sandia National Laboratories, is very likely in possession of classification levels whose very names are classified, and is also one of the most outspoken critics of Carnivore and the FBI in general.

Once again, Slashdot showing the fact that just because you have a forum doesn't make you an expert in, well... anything. (I don't claim to be one either for that matter, just an informed amateur.)

Does this mean massive international man-hunts for the infamous "Carlos the Hacker"?

Best encrypt with ScramDisk (Windows 95/98 version here) locally, and with GnuPG for transmission, all your CueCat code and use anonymous remailers for version releases to Freenet, or be prepared to live out your life in a shadowy realm of underground coders dwelling in the hidden spaces between the giants of the United Corporations of the World.

• First, here are lecture notes from a college course on operating system design.
• Second, some more meterial from another university (it's not clear to me that this is from a course).
• Third, a terse document detailing broad set of features common to operating systems of different periods (also part of an operating sytems course).
• Fourth, another page, which seems to be part of college course, with a section on the history of operating systems.
• Fifth, a web-slideshow on the topic.
• And Finally, a smattering of other links to the same topic by even more authors: another lecture from a college course, chapter 3, section 1 from the book Introductory Information Protection by Fred Cohen & Associates, Operating Systems - Yesterday, Today, Tomorrow, and Evolution of Operating Systems User Interface Design

This is different from mostly-passive traps like teergrube (FAQ; jargon) or Deception Toolkit or spider traps which sit around waiting for Bad Guys to attack them and react unexpectedly when attacked (e.g. ...res.p...o...n...d....v...e...r...y....s..l..o.. o...ooo...w...l...y.... while logging stuff or sending back odd replies). ("mostly passive" doesn't exclude leaving lots of inviting copies of your address around for harvesters or script kiddies to find.)

The Deception Toolkit is a tool for building honeypots, but with a twist. It listens at port 365 and just says something like "Smile, you're on candid camera". The idea being, that if enough DTK boxes are out there, if someone sees a port open at 365 they will aim their scripts elsewhere.

Ain't decoy's grand?

One other point is that honeypots are not 'lightening rods,' but are part of your last line of defense. Like Tripwire and other intrusion detection systems, they exist to let you know the game is going badly after your other countermeasures have failed. Certainly the majority of a security effort should be spend on making sure no one gets past security controls in the first place, but if they did you'd like to know abut it, wouldn't you?

Hit http://all.net/dtk for the goodies.

-- Jonnie

99.9% of the people who consider putting honeypots on their networks should instead spend that time securing their vunlerable networks, checking for and applying the latest patches, and reading up on security trends and issues.

that said, honeypots are a really cool concept, nevertheless. but a network or security admin needs to focus on more fundamental security issues though. those NT network admins, for instance, should be deploying a second, or third, or fourth firewall on BSDi or Linux, instead of wasting time and compromising their security with a misconfigured NT honeypot. honeypots are best left for IT security research environments, or for people who have too much time to waste.

a notable exception is NAI's Cybercop Sting. Sting emulates Cisco IOS 11.2, Solaris 2.6, and WinNT 4, running common services. with Sting, you can pipe all of your legitimate traffic thrugh Sting, and utilize the excellent logging capabilities of Sting for an added layer of security. additionally, Sting can be, should be, and often is utilized to monitor employees (i.e. internal hacking/cracking attempts). since most of the security incidents will be from internal sources, honeypots are an excellent way to monitor for suspicious LAN activity.

there was an excellent discussion recently of the honeypot concept, with a wide range of opinions and views from all sectors of the Net population, on the Security Focus Incidents mailing list. the thread was entitled "Cracked; rootkit - entrapment question?", and was back in late February and early March.

for those who have more interest in honeypots, check out the following:

To Build a Honeypot - article by Lanace Spitzner

CyberCop Sting - product by NAI

dtk - Fred Cohen's Deception Toolkit

NFR's BackOffice Friendly - product by Marcus Ranum and L0pht

and finally, a cool new product that i saw at RSA2000
ManTrap - product by Recourse Technologies that is based on Solaris 7

The best thing to do with a honeypot is to have it set up behind your firewall. If someone breaks through your firewall and scans your internal network, they will be attracted to your honeypot first. This will probably give you enough time to see the intrusion taking place and take appropriate measures. Check out the Deception Toolkit for a decent program to handle the honeypot.

Before you even begin to work on setting up a honeypot, you should first secure your network as well as you can. The honeypot should only be used as a second(or third) line of defense.

The Deception Toolkit might be something you'll find useful for your honeypot.

The DTK is for poisoning the well. If you really have the time to watch what a cracker is doing, by all means put in a honeypot. But then you have to monitor it, figure out what is happening, and apply similar fixes to your production machines.

No matter what you do, you should have a firewall or two anyway. The main firewall should block everything that you don't need to let through. There can also be a DMZ firewall between your Internet server machines and the Internet which has weaker limitations, if needed by your services. (The standard configuration is a separate DMZ net for your Internet servers and a net for your internal company LAN, with a very strict firewall/proxy between the LAN and the Internet).

Sounds a lot like An Evening with Berferd.

Sorry for the hyperlinked version, there's a PS file out there that makes for better reading IMHO.

Is there a Deception Tool Kit script for Trinoo? May as well waste the time of Trinoo monkeys...

Let's not forget the machine Turing Test: The Deception Toolkit lets machines try to convince machines (and script kiddies) that they're a machine with weak security.

One the more interesting Intrusion Detection concepts I've seen in recent times is the Deception ToolKit. What this program does is "fakes" a bunch of commonly exploited security holes on your system - even though those holes aren't actually there. This is could prove to be very good at catchin script kiddies who run sendmail break-in scripts, etc. A very interesting concept, indeed - I don't know how well it works, though. Anybody out there with any opinions on this piece of software?


Dear IRS,
I am writing to you to cancel my subscription.

Remember that you can wire your unused services to a network honeypot, a collection of things which are attractive to an intruder. This could be as simple as running The Deception ToolKit on all servers, configured to give DTK the services which that server is not using. Or your network may be configured to redirect all requests for improper server/service combinations to honeypot machines. You can alarm the honeypots to alert you to what is happening. At the same time you're wasting the time of the attackers.

• If you really want to monitor safely, put a hub on your Internet link outside the firewall and have a separate box doing the monitoring. That box does not need to send anything, so if you want you can use an AUI adapter and don't connect the Transmit part of the cable. You can have its reports sent through a serial cable to one of your other boxes (avoid networking for this).
• Install the Deception ToolKit on your unused IPs. These are scripts that make scanners think there is something open, and let humans waste their time attempting to find data which is interesting. Give the script kiddies something interesting to waste their time on while your alarms are sounding.

Also put the Deception Tool Kit on an old machine, preferably in a DMZ, and let the script kiddies think you're running a single machine and that it behaves differently than it really does. They have time to waste, so let them waste more time.