Domain: insecure.org
Stories and comments across the archive that link to insecure.org.
Comments · 492
-
Nessus
Snort isn't designed as a vulnerability scanner; Nessus is. And don't forget that nmap is pretty useful in the hands of someone who knows what they're doing.
As far as "intrusion prevention", there's not a "tool" that does that. You can firewall off unwanted and unneeded traffic; you still need to patch your public services. If you run public services, someone should be responsible for making certain everything you run is up to date and no unpatched vulnerabilities are public (and if the latter is the case, find a workaround or preventative measure until a real patch is out). -
Fight Back.
As I watch my server crawl with thousands of spam smtp requests on one screen and read this story on another...I think, let the war begin!
Now, sending floods to unsubscribe lists is not the way to be doing it, however.
The attacks should be directed at the injecting IP.
In the example below, I direct a ping flood to: 219.86.51.137
Further, you could parse the body for the web sites actually hosting the spam.
As well, you can have scripts automatically send notifications to blacklisters and abuse departments of the upstream providers.
net.tw ---> http://www.pigo.cn/index.htm gets abuse complaint.
(Now if I could only write in Chinese)
Further, you could hack the injecting box:
Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2005-07-18 10:40 MDT
Interesting ports on 219-86-51-137.dynamic.tfn.net.tw (219.86.51.137):
(The 1658 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp filtered msrpc
1025/tcp open NFS-or-IIS
Looks like some juicy ports.
Example Spammer Header:
>From ahzu6.j93m6@yahoo.com Mon Jul 18 10:22:54 2005
Return-Path:
Received: from 142.127.184.144 (219-86-51-137.dynamic.tfn.net.tw [219.86.51.137])
by ns.qualico.ca (8.9.3/8.8.7) with ESMTP id KAA23411;
Mon, 18 Jul 2005 10:22:54 -0600
Message-Id:
From: =?Big5?B?dzahuTahuTYyMzo1MjoyMQ==?=
Subject: =?Big5?B?GwgYsdAUsXoVvHYCpPkDsMURv+gIIRMhEggI?=
To: "uzhl"
Content-Type: text/html;
charset="BIG-5"
Sender: "w66623:52:21"
Reply-To: ahzu6.j93m6@yahoo.com
Date: Mon, 18 Jul 2005 23:55:06 +0800
X-MimeOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000 -
Re:ssh - so who needs a court order?
Jeez. I can (theoretically) sniff packets and I don't even need a court order. Just a copy of ethereal, nmap and nessus, none of which I have ever used or have any experience with. But as pointed out, a packet of encoded fluff doesn't do me, or the government, a lot of good, unless one of us has a way of decoding it in near-real time, and my secret decoder ring only goes to 32 bit.
-
Not a replacement for a book...
-
Another Dupe
This seems to be a duplicate of the June 12 article on HTTP Request Smuggling. I don't see anything new here, as the original paper also talks about Apache being susceptible to this relatively minor (yet still interesting) issue.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner.
-
He has not gone after Nmap
He doesn't seem to be going after open source software yet. Maybe he figures that we can't afford to pay him off. My Nmap (Stealth) Security Scanner comes up as result #4 in a Google search for "stealth", higher than the upcoming movie and some other sites he has sued/threatened. Yet I haven't received anything. Not that I feel disappointed and left out or anything
...
-Fyodor (who is now resuming the search for SCO products or marketing messages talking about Stealth ;)
-
Re:LOL what did I just read?!?!?
Is there any book in existence that contains an accurate, engaging, engrossing, serious, mature, entertaining story involving hackers?
I haven't read anything but the free sample chapter, but Stealing the Network: How to Own a Continent might fit the bill.
"In this book, [Fyodor of nmap fame] teamed with FX, Joe Grand, Kevin Mitnick, Ryan Russell, Jay Beale and several other hackers to write individual stories that combine to describe a massive electronic financial heist. While the work is fiction, we tried to portray realistic attacks and technology. For example, my character Sendai uses Nmap, Hping2, Ndos, and similar tools to exploit network configuration and software vulnerabilities commonly found in the wild. Many thanks to Syngress for allowing me to post this online for free."
-
Re:Smart? Yes. A Nut? Perhaps. How about both?
From http://news.findlaw.com/hdocs/docs/cyberlaw/usmck1102vaind.pdf (pdf):
The defendant then obtained administrator privileges and transmitted codes, information and commands that: (1) deleted approximately 1300 user accounts; (2) installed RemotelyAnywhere; (3) deleted critical system files necessary for the operation of the computer; (4) copied a file containing usernames and encrypted passwords for the computer; and (5) installed tools used for obtaining unauthorized access to computers.
This guy is not all that smart. The first thing a real hacker does is attempt to hide her presence, not broadcast it by deleting crap. He's a script kiddie that got lucky. -
Re:Acetylene Balloon Bomb
the poster spells out a recipe for an acetylene balloon bomb.
Pshaw -- everyone knows to ignore their bomb making advice. It is Phrack's Blackjack advice you should follow:
Bet big when you want to win big. Lose a big hand? Double your bet. Lose again? Double it again. Lose again? Goto 1
... Eventually, odds are, you will win all your money back, AND THEN SOME!
But in all seriousness -- Phrack rocks. I released my Nmap Security Scanner in P51 and OS detection in P54. I wish they wouldn't call P63 Phrack final, as I expect it to flourish again under more capable/interested hands. That may even happen soon if they select the next editor(s) well. Let us all hope so. The underground and hobbyist researchers deserve a voice. It is rather refreshing and nostalgic to see portions of the security community that haven't yet sold out.
-Fyodor (Insecure.Org)
-
Re:My Linux box is un-hackable
Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2005-05-21 19:44 EDT
Interesting ports on 61.233.18.53:
(The 1640 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
113/tcp filtered auth
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
514/tcp open shell
593/tcp filtered http-rpc-epmap
623/tcp filtered unknown
941/tcp open unknown
3306/tcp open mysql
4444/tcp filtered krb524
6000/tcp open X11
32770/tcp open sometimes-rpc3
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.55%P=i586-mandrake-linux-gnu%D=5/21%Time=428FC87C%O=22%C=1)
TSeq(Class=RI%gcd=1%SI=34F52E%IPID=Z%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=34F675%IPID=Z%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=350937%IPID=Z%TS=100HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=N)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=N)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=80%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=F%ULEN=134%DAT=E)
Uptime 5.411 days (since Mon May 16 09:54:39 2005)
Nmap run completed -- 1 IP address (1 host up) scanned in 158.870 seconds -
The ping of Death
When I was 13, I used to be in a hacking group known as ViRii on Undernet.
Around that time (early to mid 90s), there were several hacker group wars going on Undernet. I remember the +++ATH0 exploit among many dozens of other exploits at the time.
In mIRC, you could do: //raw NOTICE VictimsNick : $+ $chr(1) $+ PING +++ATH0 $+ $chr(1)
And their modem would hangup/reset.
There was a guy named VallaH I knew in my hacker group. He was the one who originally discovered The Ping of Death in Windows 95. He also wrote jolt.c and many others. He was among the first people to find remote exploits in Windows 95. (Microsoft actually hired him that year to work on Windows NT network security; I was quite jealous at the time). The funny thing is, he only designed it to nuke Windows, but it also worked on early Linux 2.0 kernels, Solaris and Mac (since they all used mainly the same BSD tcpip code, I'm guessing).
Vallah later lost his job at Microsoft due to his hacking past/present, I'm guessing.
Quoted from this archived email:
"My friend, I will call him Vallah. Lost his job at Microsoft working on network interoperability(sp?) for Windows 2000 when the FBI showed up with a warrant for the files on his machine at work. He has still not been charged with anything and most likely won't be... again, mainly because he hasn't done anything. Guilty by association and an infamous past."
I wasn't a hacker myself, more of a wannabe (script kiddie) hacker. I mainly just nuked other people on IRC and did channel takeovers, etc. The fun lasted until I was around 15 (I'm now 22). A lot of the more serious hackers I was associated with ended up getting caught by the FBI. I have literally hundreds of old hacking stories from my early days with IRC. (Note that I'm now into computer security, not destructive behaviours like hacking).
I have one other story about a guy I knew around my age by the name of XaiL. He was 13 at the time, and he hacked nasa.gov using an old phf exploit. I used to talk to him on the phone long distance, he was a funny guy, sounded like a girl, he hadn't even started puberty by the sound of his voice. I do admit that the only hacking I ever did was using this same phf technique, long since patched. I'm not proud of my early days as a destructive script kiddie hacker, but at the time, it was so much fun.
I also had a very small part in writing the mIRC script known as 7th Sphere (my code was included in the last release, version 3.0, not the previous 2.666). At the time it was a hugely popular "war" script used by script kiddies to nuke, flood, do channel takeovers and many other evil deeds on IRC servers. It came with programs made by Rhad using VB, most notably was "click.exe", a program that let you instantly "nuke" any victim. If you do a google search for click.exe or "Rhadware", you will get the idea of how evil his programs were. -
Um, what?
Any exploitable program you run as another user will still need a local escalation exploit in order to do anything harmful.
That's fine, but he has a point. How much actual real-world good does that do? It does plenty of theoretical good, but so does making the speed limit 10 MPH. By far the better solution is to make sure that the system is safe from remote attacks.
By far the better solution for safe sex is to get rid of all STD's.
Seriously. Answer me this -- do you administer servers?
I run *all* my daemons in chroot jails as non-root users. Why? If someone hacks in through an exploit in Apache, they have compromised a small subset of my system. I notice and react quickly, and they don't actually do any damage. But if I run as root, and someone compromises Apache, my system is not under my control anymore. At least, without a lot of hard work.
Any program run as root/suid root can cause a hole, no matter how small or trivial the program is.
So, As Seen On TV, you now have a new project.
Verify that the code used in a Linux distro on the desktop is secure from all vulnerabilities. I would start with the kernel, then move to the X server and the window manager, and then the applications.
See you in thirty years! -
Re:MS05-019 breaks raw socket sends (again!)
No, sniffers should still work...
What'll be affected are some of the security tools, e.g. nmap (patch already released). Some Rants about raw sockets here.
-
nmap vs SCO
Yes, actually. Remember nmap vs SCO?
For those that don't remember (from Nmap 3.50 Press Release - 2004-02-20):
SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken to an extortion campaign of demanding license fees from Linux users for code that they themselves knowingly distributed under the terms of the GNU GPL. They have also refused to accept the GPL, claiming that some preposterous theory of theirs makes it invalid (and even unconstitutional)! Meanwhile they have distributed GPL-licensed Nmap in (at least) their "Supplemental Open Source CD". In response to these blatant violations, and in accordance with section 4 of the GPL, we hereby terminate SCO's rights to redistribute any versions of Nmap in any of their products, including (without limitation) OpenLinux, Skunkware, OpenServer, and UNIXWare. We have also stopped supporting the OpenServer and UNIXWare platforms.
-
Re:"poison the DNS cyber buffer!"
the method sounds a lot like idlescanning
http://www.insecure.org/nmap/idlescan.html -
What is the LAND attack?
Quoting from http://www.insecure.org/sploits/land.ip.DOS.html:
i recently discovered a bug which freezes win95 boxes. here's how it works: send a spoofed packet with the SYN flag set from a host, on an open port (such as 113 or 139), setting as source the SAME host and port (ie: 10.0.0.1:139 to 10.0.0.1:139). this will cause the win95 machine to lock up.
So it's a way to either remotely lock up or reboot a target machine. I would assume (not having, you know, tried it or anything) that this includes most windows-based webservers. -
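An added example, not part of the comment above or of the linked page: a detector that parses raw IPv4/TCP headers the way a sniffer or IDS sees them and flags the LAND pattern the quote describes (a SYN whose source address:port equals its destination address:port). The packet builder is a constructed test fixture that only assembles bytes in memory; checksums are left zero and nothing is sent.

```python
# Added example: flag LAND-style packets (SYN with src ip:port == dst ip:port)
# from raw IPv4/TCP header bytes. Not code from the comment or from insecure.org.
import ipaddress
import struct
from typing import List, Optional

TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_ipv4_tcp(packet: bytes) -> Optional[dict]:
    """Return the addressing fields of an IPv4/TCP packet, or None if it is not one."""
    if len(packet) < 20:
        return None
    (ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:          # IPv4 carrying TCP only
        return None
    ihl = (ver_ihl & 0x0F) * 4                   # header length in bytes
    if ihl < 20 or len(packet) < ihl + 20:       # need a full 20-byte TCP header
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x01FF,             # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
    }


def is_land_packet(packet: bytes) -> bool:
    """True when the packet matches the LAND pattern: a SYN (no ACK) whose
    source address and port equal its destination address and port."""
    h = parse_ipv4_tcp(packet)
    if h is None:
        return False
    return bool(h["src"] == h["dst"] and h["sport"] == h["dport"]
                and h["flags"] & TCP_SYN and not h["flags"] & TCP_ACK)


def scan_packets(packets: List[bytes]) -> List[str]:
    """Describe every LAND-pattern packet in a captured batch (detection log lines)."""
    hits = []
    for pkt in packets:
        if is_land_packet(pkt):
            h = parse_ipv4_tcp(pkt)
            hits.append(f"LAND pattern: {h['src']}:{h['sport']} -> {h['dst']}:{h['dport']}")
    return hits


def make_packet(src: str, sport: int, dst: str, dport: int, flags: int) -> bytes:
    """Constructed test fixture only: minimal IPv4 + TCP headers, checksums zero,
    never transmitted. Used to feed the detector with known inputs."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    # data offset 5 (20-byte header) in the top 4 bits, flags in the low 9 bits
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    # Constructed sample capture: one LAND-style SYN among ordinary traffic.
    sample = [
        make_packet("10.0.0.2", 40000, "10.0.0.1", 139, TCP_SYN),
        make_packet("10.0.0.1", 139, "10.0.0.1", 139, TCP_SYN),
        make_packet("10.0.0.1", 139, "10.0.0.2", 40000, TCP_SYN | TCP_ACK),
    ]
    for line in scan_packets(sample):
        print(line)
```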
I see some interesting uses, and limitations
OK, there are some interesting things here... First, there are limitations. Off the top of my head, those limitations are:
- The fingerprinted machine must be communicating using TCP (or another protocol with timestamps, but there aren't many I can think of other than TCP)
- It must implement RFC 1323 TCP timestamps. For instance, a quick `echo 0 > /proc/sys/net/ipv4/tcp_timestamps` should keep you from being fingerprinted using this technique.
- It must implement timestamps as specified. Filling that option with random numbers, or with timestamps skewed by random amounts, or with timestamps skewed by N number of predetermined time functions (i.e., an offset and a drift, making it appear that you are N different machines) would make it more difficult to do this fingerprinting.
That said, there are some useful things you could do with this. One example I can think of would be to detect some obfuscated scanning techniques. As an example, nmap implements idle scanning, which is usually reasonably obvious because of the characteristic SYN->SYN/ACK->RST sequence, especially if the SYN and RST have different TTLs. Adding timestamp checks would make it more obvious (although, just as difficult to track down the original scanner).
Also, if someone used a decoy scan in nmap, it might be reasonably easy to tell which source addresses were really the same machine. You would probably also get enough information to construct a fairly accurate timestamp/skew profile of that machine. If you ever saw those IP addresses again, then you'd be able to check whether it was the real machine.
But, these are just my own ramblings. At the very least it seems to be interesting work (although the article linked is pretty crummy)
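An added example, not from the comment above: a defender-side sketch of the timestamp/skew profiling it describes. From constructed (monitor time, source IP, TCP TSval) observations it fits each source's tick rate and clock offset, reports skew against the nearest common tick rate, and groups source addresses whose values lie on one clock, which is how decoy addresses sharing a scanner's clock would stand out. The sample data, the list of common tick rates and the grouping tolerances are assumptions.

```python
# Added example: profile TCP timestamp clocks per source address and group
# addresses that share one clock. Not code from the comment or from nmap.
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed observations: (monitor_time_s, src_ip, tcp_tsval), as a sniffer
# would record them. 10.0.0.7 and 10.0.0.9 are generated from one 100 Hz clock
# (the decoy situation); 10.0.0.22 ticks at 1000 Hz; 10.0.0.31 is a separate
# 100 Hz clock that runs 200 ppm fast relative to the monitor.
OBSERVATIONS: List[Tuple[float, str, int]] = [
    (0.0, "10.0.0.7", 500000), (1.0, "10.0.0.7", 500100),
    (2.0, "10.0.0.7", 500200), (3.0, "10.0.0.7", 500300),
    (0.5, "10.0.0.9", 500050), (1.5, "10.0.0.9", 500150),
    (2.5, "10.0.0.9", 500250),
    (0.2, "10.0.0.22", 3000200), (1.2, "10.0.0.22", 3001200),
    (2.2, "10.0.0.22", 3002200),
    (0.0, "10.0.0.31", 90000), (50.0, "10.0.0.31", 95001),
    (100.0, "10.0.0.31", 100002),
]

# Assumed set of tick rates commonly seen in RFC 1323 implementations.
COMMON_TICK_RATES_HZ = (100.0, 250.0, 1000.0)


def fit_clock(samples: List[Tuple[float, int]]) -> Tuple[float, float]:
    """Least-squares fit of tsval = rate * t + offset over (t, tsval) pairs.
    Returns (rate_hz, offset_ticks). TSval is a 32-bit counter; wrap-around
    is not handled in this example."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to fit a clock")
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_ts = sum(ts for _, ts in samples) / n
    var_t = sum((t - mean_t) ** 2 for t, _ in samples)
    if var_t == 0:
        raise ValueError("samples must span more than one instant")
    cov = sum((t - mean_t) * (ts - mean_ts) for t, ts in samples)
    rate = cov / var_t
    return rate, mean_ts - rate * mean_t


def nominal_rate(rate_hz: float) -> float:
    """Snap a measured tick rate to the nearest common timestamp clock rate."""
    return min(COMMON_TICK_RATES_HZ, key=lambda r: abs(r - rate_hz))


def skew_ppm(rate_hz: float) -> float:
    """Skew of the source clock relative to the monitor, in parts per million."""
    nominal = nominal_rate(rate_hz)
    return (rate_hz - nominal) / nominal * 1e6


def profile_sources(observations) -> Dict[str, Tuple[float, float]]:
    """Per source IP: (rate_hz, offset_s), where offset_s is the source clock's
    reading in seconds at monitor time zero."""
    by_src: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    for t, src, tsval in observations:
        by_src[src].append((t, tsval))
    profiles = {}
    for src, samples in by_src.items():
        rate, offset_ticks = fit_clock(samples)
        profiles[src] = (rate, offset_ticks / rate)
    return profiles


def group_shared_clocks(profiles: Dict[str, Tuple[float, float]],
                        rate_tol: float = 0.02, offset_tol_s: float = 0.5) -> List[List[str]]:
    """Cluster sources whose fitted clocks agree in rate (relative tolerance)
    and offset (absolute seconds). One cluster is consistent with one host,
    e.g. a scanner plus the decoy addresses it claims to be."""
    groups: List[List[str]] = []
    for src in sorted(profiles):
        rate, off = profiles[src]
        for g in groups:
            g_rate, g_off = profiles[g[0]]
            if abs(rate - g_rate) <= rate_tol * g_rate and abs(off - g_off) <= offset_tol_s:
                g.append(src)
                break
        else:
            groups.append([src])
    return groups


def decoy_candidates(observations) -> List[List[str]]:
    """Groups of two or more source IPs that appear to share a single clock."""
    return [g for g in group_shared_clocks(profile_sources(observations)) if len(g) > 1]


if __name__ == "__main__":
    for src, (rate, off) in profile_sources(OBSERVATIONS).items():
        print(f"{src:10} {rate:8.2f} Hz  skew {skew_ppm(rate):+7.1f} ppm  offset {off:.1f} s")
    print("shared-clock groups:", decoy_candidates(OBSERVATIONS))
```

A source that disables timestamps (the `tcp_timestamps` sysctl the comment mentions) yields no samples at all, and one that randomises them fails the linear fit, which is exactly the evasion the comment's third limitation describes.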
-
Re:Fingerprinting
"There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet."
He discovered nmap? http://www.insecure.org/ -
Re:What is a Buffer Overflow?
Quite a good writeup of stack buffer overflows can be found here.
-
Lets not forget 1.4 Million customer Scottrade
Just a few weeks ago it was reported, but not covered by media, that Scottrade (a Stock Broker with over 1.4 million customers) had a vulnerability that revealed personal information about customers, their trading habits, and worst of all... allowed an anonymous third party to make actual stock transactions using other people's money.
See http://lists.insecure.org/lists/bugtraq/2005/Feb/0252.html
and
http://seclists.org/lists/bugtraq/2005/Feb/0254.html -
Re:Specifications
- It's very frustrating when you find previously unknown and undocumented features in software that you have purchased.
Well, for this situation finding a potential problem is easy: Port scan, security scanner. Two things that you should be doing on every network enabled device.
The time consuming part comes with the follow up where you check the results of the scans on the local machines and determine if you trust that the exposed services are being handled by secure apps. If in doubt, use an encrypted tunnel or yank the service -- whatever is appropriate. (If neither is an option, determine the danger and try and deal with it as best you can.)
Along with that, setting up a filter to check for supposedly unused ports can catch some clever developers.
Not perfect (it doesn't handle piggybacked dynamic connections on port 80 for example), though it is a good initial test.
-
Valuable Open Source Security Assement Tools?
-
Re:Common sense, for the love of Pete...
Here is just one site found while searching for "linux exploits" on google. There are more exploits for a fresh Linux install than a fresh Windows install out of the box, it's been proven. Once you tighten up security and tweak it out, it's very secure. But on that same note, the same can be said for windows. If you kill all the unnecessary services and firewall it, it's secure.
-
And this is the "introductory special price"
Your $1500/year assumption also assumes that the price will stay $79/year. Their ad calls this a "special introductory price". The worst thing is that unless you pay enough attention to cancel before hand, they will charge the next non-special, non-introductory fee to your credit card in exactly 12 months without any notification to you. From the Terms and Conditions:
"YOU UNDERSTAND YOUR MEMBERSHIP WILL AUTOMATICALLY RENEW AND YOU AUTHORIZE US TO CHARGE TO YOUR CREDIT OR DEBIT CARD (WITHOUT NOTICE TO YOU) THE THEN-APPLICABLE ANNUAL MEMBERSHIP FEE AND ANY TAXES, UNLESS YOU NOTIFY US BEFORE RENEWAL THAT YOU WANT TO CANCEL YOUR MEMBERSHIP."
They don't provide (AFAICT) any option to buy just one year. By purchasing Amazon Prime you are giving them permission to choose any price and charge it to you next year. They may also "in our discretion change these Terms ... or any aspect of Prime membership without notice to you ... YOUR CONTINUED MEMBERSHIP AFTER WE CHANGE THESE TERMS CONSTITUTES YOUR ACCEPTANCE OF THE CHANGES." So they can change their terms without telling you, then you automatically accept if you don't immediately notice and cancel. Great!
I hate it when companies try to pull this. Forcing an annual set fee on people is bad enough -- but to raise the price arbitrarily and still charge people's card without notification is outrageous. This is the kind of thing sleazy porn sites do (or so I hear :).
There may be some advantages to this program, but I certainly won't sign up until they let me buy ONE YEAR at a known price. None of this blank check nonsense.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner. -
Re:Clarification
* If you do need to access a MySQL server from outside the same network, then you should definitely use something besides 3306.
yes, security through obscurity keeps you asleep at night
because on port 12345 no one will ever find it -
Link to paper
Smashing the Stack for Fun and Profit
The original link is here. This was originally published in Phrack #49 on 08 November 1996. It is still a relevant and useful article. -
Re:some i didn't see
nice command line tool for starting programs w/ hot words
http://www.bayden.com/SlickRun/
government protection http://methlabs.org/methlabs.htm
security tools http://www.insecure.org/nmap/nmap_download.html http://www.bluetack.co.uk/
http://www.snapfiles.com/get/activeports.html
that's it for now
should have clicked preview oops.. -
Re:An alternative perhaps
Passive fingerprinting requires access to the raw IP packets; there are various fields in TCP/IP whose definitions leave lots of scope for different implementations to fill them in differently. As soon as the OS reconstructs the byte stream, it's too late to identify the OS.
Incidentally, the same technique is used by nmap's -O option to detect the OS it's scanning.
-
Re:Not your typical developer
Nope. The nmap hacker has already been identified. Typical hacker ego; she was more than happy to provide a video of her exploits.
-
Re:So, about this girl...
Photos, and indeed a video, can be found on the nmap site itself.
-
Re:She?
For people who don't know:
In one scene in Matrix Reloaded we see Trinity using Nmap and an SSH exploit to hack into some system. Screenshots here: http://images.insecure.org/nmap/images/matrix/ -
Download Locations.
If they see that an attacker ran the command "wget http://download.insecure.org/nmap/dist/nmap-3.77.tgz" from a compromised host, they assume that she might have obtained that URL by visiting the Nmap download page from her home computer".
Versus cut'n'paste from a popular Geek website, perhaps? -
Old News
http://lists.insecure.org/lists/bugtraq/2004/Nov/0223.html
Unofficial 3rd-party fix for slackware 10:
http://slacksec.info/update_12 -
Top 75 Security Tools
The other top tools.
-
Re:Can ordinary users use this?
do you mean her?
-
It's the KEYBRD and LINUX that mks it so flexible!
[ tons of tips and ideas what's possible with a Z follow ]
The 5500 and others are more like little Linux laptops than PDAs. While I am far from a typical PDA user, the absolutely INCREDIBLE stuff I can do with just a 5500 and a wireless card continues to astound me today. To be fair, I never bought a Zaurus with the intention of ever doing typical PDA like stuff, but just wanted an easy familiar environment to hack in.
Years ago I had a USR P1000 (The Palm 1000, before Palm bought it from US Robotics), and while it was a great PDA (for the day), it was underpowered for what I wanted and most importantly LACKED A KEYBOARD, which makes all the difference in the world. One day I worked an ENTIRE day with only my P1000, a ssh client and a (9600 baud) serial link to my cell phone to see just how doable it was. As a unix admin doing security work the P1000 did have SOME uses (serial console to Sun boxes, ssh client for accessing mail via Mutt, etc) but the end result was a less than productive day overall. Trying to edit files on unix boxes with vi using Graffiti was quite painful and I vowed I'd never buy another PDA until it had at least a minimal keyboard to work with.
Fast forward to my (now several years old) 5500. Shortly after getting it I wiped the original Sharp rom and replace it with the actively developed OpenZaurus distribution, and was very happy with the results.
I have a very portable linux box with wireless, nearly all the software I was using on Solaris and Linux, as well as the pretty Qtopia apps and a half-way decent environment. I've been able to get nice tools like nmap, p0f (Passive OS Fingerprinter), Kismet, and other excellent unix based tools working with minimal effort on the Z under OpenZaurus (and to a lesser extent the Sharp ROM). Under OZ I can compile and run MANY common exploit tools like the awesome Metasploit framework, which require perl, and to a lesser extent Python. Both are no big deal to get going on the Z, especially since the Z is binary compatible with the IPAQ based Familiar distribution, and usually just needs the odd library to get an app working. That's all fine for text based apps, but since OZ (using Opie, at least) is QT and not X based, a variety of GUI based apps don't easily run. There ARE solutions to getting X based apps to run with minimal fuss, including the original x11zaurus package, and more recently the excellent X/QT package, as well as simply running one of the versions of the vncserver for Zaurus which of course allows you to display X not only on your Z, but also on any other VNC compatible device (such as your cell phone, Linux, Windows, etc).
More recently the GPE environment and project has become available, and offers an attractive alternative to Opie, but with X11 compatibility built in.
For me, I joined the Debian religion ~5-6 years ago after experimenting to see what all the fuss on /. was all about. It didn't take long before I was the typical Debian crack addict apt-getting any application I wanted to check out on a whim. After living in Ottawa for years I was very well aware of the Corel (and later Rebel.com (who themselves were called Hardware Canada previously, and were a unix reseller) Netwinder, which was a cool little ARM based PC, which unfortunately suffered under the idiocy of Corel's managem -
Free Sample STC Chapter
I also enjoyed Stealing the Continent (and STN) for the way they blend fictional plots with accurate hacking techniques. I particularly enjoyed Fyodor's (Nmap author) stand-alone chapter, which is available online
-
My favorite...
That's pretty funny, but my favorite is still this one
-
Hmmm
I took a guess and did a whois search for Gbrowser.com and indeed Google Inc. is listed as the registrar.
Is anyone reminded of the antics of Sendai?
www.insecure.org/stc/ -
MS Opportunity
I wonder if MS has a secret department dedicated to writing worms for Linux boxes? It seems like it would be a huge publicity boost for Windows if a significant worm or virus broke that affected only *nix boxes.
Linux, Macs and all other OSs are enjoying some degree of protection simply because Windows is a bigger, possibly easier target. But almost any system can be hacked. The attitude that Linux is 100% secure is likely to catch a lot of people with their pants down one of these days. -
Lame Criteria
> And at 355 pages in length, the book's discussion of nmap starts on page 324; a good sign indeed.
WTF? By this heuristic, my upcoming O'Reilly book on the Nmap Security Scanner will be a miserable failure. No single security tool, be it Nmap, Nessus, Snort, or any of the other most popular security tools, is a holy grail, but don't judge a book based on what page numbers they appear on. That is almost as bad as making the title words a huge consideration. I do tend to look askance at books with "hacking" or "cyber" in the title, but give them a chance anyway. It is often the publisher's marketing department, and not the authors, that have the most influence on the cover. I flipped through NSA, and found it good enough to ask O'Reilly for a copy (I haven't read it yet though).
In any case, NSA does not start its Nmap coverage on page 324. Nmap has its own subsection on page 11, and a peek at the index shows that Nmap is also discussed on pages 39, 47, 58, 69, 192, 322-324, 325-326, and 354. If the location of Nmap coverage is one of your two primary considerations in buying security books, at least check the index!
-Fyodor
PS: Nmap 3.70 was just released last week, with dozens of improvements.
-
Nmap
Forget books. Everything you ever needed to know about nmap you can learn from this woman.
-
Re:Odd they bring this up now
That's not entirely true, there are many tutorials on discovering and exploiting security holes on Linux / Unix platforms.
Everything from the classic Smashing The Stack For Fun And Profit paper to more recent ones.
Bugtraq delivers daily reports of exploitable flaws in software, lots of them for Unix systems - granted that few people use most of the toy packages which people post bugs for, but they still exist and it's still mostly trivial to discover them.
I audit code and it's depressingly easy to find flaws in Unix software.