Domain: sourceforge.net
Stories and comments across the archive that link to sourceforge.net.
Stories · 1,414
-
Technical Analysis of XBox Save Game Hack
DJPenguin writes "There is an excellent article at the XBox Linux Project that describes exactly how the XBox savegame hack works. It details how the author went to great lengths to hide exactly what was going on. It turns out the exploit code is hidden within an image of Tux himself!" An enlightening read, to say the least. -
Xbox Hackers, Linux, the DMCA, And Modchips
HardcoreGamer writes "The New York Times has a long article on Xbox hacking, why Microsoft hates it, and who does it (Google). 'Xbox hackers are exploiting Microsoft's business model, which is to sell Xbox hardware at a loss...' but Microsoft doesn't make the money back on software -- as it planned to -- if you decide to load up Xbox Linux. Where else can you get a PIII-733 with graphics and audio for $180? The reporter talked to the IDSA; Andrew Huang, author of 'Hacking the Xbox: An Introduction to Reverse Engineering'; a Manhattan exec who hacked his Xbox and said 'The reality is that if you could bypass Microsoft's operating system you would end up with a fairly powerful computer for less than $200;' and others. The article discusses the DMCA, modchips, the Xbox Linux Project and lots more. A good -- if long -- read. A shorter version of the story is at the International Herald Tribune. Best quote? 'Microsoft is a company passionate about innovation and creativity. We are also very committed to respect for others' intellectual property and we request the same respect applied to our innovations.'" -
GPL-Licensed QCAD Ported to Mac OS X
AlwaysTimeForCoffee writes "QCad, a free open-source 2D CAD system for Linux, various Unices and Windows, from RibbonSoft, has been ported to a native OS X version by Gilbert Duivesteijn. A screenshot of the OS X version can be found here. Qcad is a light, GPL'd version of the commercially available CAM Expert. It truly is an outstanding program and has earned 5 out of 5 Penguins on Tucows' Linuxberg and IceWalker review. With this native OS X release, a commercial quality CAD system has been made available to the Apple community." -
Freenet Creator Debates RIAA
smd4985 writes "Over at CNET News.com, there's a good coverage of a debate between Ian Clarke of Freenet and Matt Oppenheim of the RIAA." In discussing whether it's "legal and moral to create and use Freenet", which is "a radically decentralized network of file-sharing nodes tied together with strong encryption", the RIAA's Oppenheim suggests: "Other than the fact that most infringers do not like to use Freenet because it is too clunky for them to get their quick hit of free music, it is no more of a threat than any of the popular P2P services." -
Menu Shadows in GTK2
unmadindu noted that there is a now a gtk shadow patch which does what it says for GTK2 applications. You can see a screenshot, or another or yet another. And if you're lazy, here are some RPMs with the patch. One more piece of eye candy to brighten up your weekend. -
Open Source Microsoft Exchange Replacements?
Carl Farrington asks: "Do you think you could try to raise public awareness of the importance for an open source replacement for Microsoft Exchange (Outlook/MAPI compatible for shared/public folders). Current offerings are SuSE Linux Groupware Server, Communigate Pro (Stalker Software), Samsung Contact (ex. HP OpenMail) all of which are not open source / free. Kroupware is in development, but there will be no Outlook Connector for it. otlkcon is in slow development as a possible connector for Kroupware. There is also OSER (Open Source Exchange Replacement) which again looks like it needs more help. Is there any chance of getting some people to back this stuff? It's so important and is probably the major problem facing Linux as viable replacements for Win2000 servers." While this seems to be a question that keeps popping up in one form or another, it's always worthwhile to come back and point out alternatives, in development, that might need your help to get off the ground and running. So, if you're looking for an alternative to Exchange, would you be willing to contribute some time to one of the projects listed above? If you've been using Unix as an Exchange replacement, what did you do and how well has it been working? -
FreeBSD 802.11a/g Support
ByTor-2112 writes "If you are like me, you feel like the "next generation" 802.11 technology was leaving the group of people who got the revolution started in the first place -- the Linux/BSD network enthusiasts -- out in the cold. Well, no more. With help from Atheros Communications, Sam Leffler has built a new 802.11 layer for BSD and drivers for the Atheros chipsets (which are found on many of your 11a/g cards). A Linux version of the driver is here. I will certainly make sure to recommend these supported cards to all my friends." -
Build a Multi-Output MP3 Server?
z80 asks: "I'm rebuilding my house and I am thinking about fitting speakers in every room of the house and pulling some massive amount of cables in the walls. I also want to control and send the output to each set of speakers from the same source, and was thinking that a PC, with 4-6 soundcards, would do the trick, and there are of course a couple of questions I have. What kind of hardware would be required to be able to stream up to six different MP3s through six soundcards at the same time? Can it even be done? What kind of software can be used to do it? Which OS? How can it be remotely controlled? With respect to the last question, I'm thinking about mounting a couple of flat displays around the house connected to old PCs that run some sort of connection (VNC maybe) to the mp3 server." This is a topic Ask Slashdot tackled three years ago. Now, with applications like Ardour showing off the power of Open Source frameworks like JACK, it seems like building such a machine might not be as hard as it once was. For those of you who have managed to build something like this, what did you do and what hurdles did you have to navigate before things were working? How would you set up a machine to run independent audio to 4 or more rooms? -
Ardour Digital Audio Workstation Now in Beta
croddy writes "The first beta of the Ardour digital audio workstation has been released. A tarball is available at the Ardour project page on Sourceforge. Packagers are currently preparing binary releases for several major Linux distributions. Ardour is a professional-grade, low-latency, multi-track digital hard disk recording and mixing application designed to replace dedicated HDR systems, and software systems such as ProTools and Samplitude. It supports audio processing plugins via LADSPA. Although it is still a beta, the years of work and dedication by the Ardour development team are very much visible in this release." -
Slashback: Transparency, USB, Europatents
Slashback with a followup on the perpetual motion DeLorean, a word on RIAA bank-account-jacking, a reminder about the fast-tracked vote on software patents in the EU, the real meaning of "high speed USB" and more. Read on below for the details.
Now even less than a week ... mpawlo writes "As reported by Greplaw, although I am still looking for further confirmation, it seems like the EU vote on software patentability has been moved from the late fall to June 30, 2003. Yes, that is in one (1) week. If you have more information and another source - please comment on this news item."
Mikael writes: "Personally, I find it somewhat disturbing from a democracy perspective that this proposal seems to be fast-tracked in the middle of the summer, when most Europeans want to focus on whether they should have strawberry or vanilla ice cream. In Sweden, we also got our Swedish version of the DMCA this week. I guess the ice cream will have to wait."
DoSthAboutIt points out that "A 'Petition for a Free Europe without Software Patents' has gained more than 150000 signatures. Among the supporters are more than 2000 company owners and chief executives and 25000 developers and engineers from all sectors of the European information and telecommunication industries, as well as more than 2000 scientists and 180 lawyers. Companies like Siemens, IBM, Alcatel and Nokia lead the list of those whose researchers and developers want to protect programming freedom and copyright property against what they see as a 'patent landgrab.' The whole article can be found here, including some statistics like signatories by country"
The story of Peng. mantispraying writes "Looks like the college student who settled with the the RIAA for $12,000, his entire life savings, has recouped all of his money thanks to a very generous file sharing community. Also, the search engine he created that got him in trouble is back online, for demonstration purposes only, of course."
Reader T points out that while one of the students who lost his life savings to RIAA has made it back through PayPal donations, "the other, Dan Peng, is still short about $12,000. Brother, can you spare a dime?"
I'd prefer the garrote and the stick, but hey. Mark Ferguson writes: "I attended the FTC spam forum. It seems I was on their call list :-) I parlayed that into getting several others on the panels as well. While there I spoke with bulk emailers and other industry folks. Some people defined Confirmed OPT-IN to mean you sending a confirmation that the email address was subscribed so they were doing double, confirmed OPT-IN.
My head spins.
What I figured from what I learned was these folks truly refused to accept real definitions the Service Providers have been using for years so I decided to do a site for just this. ... Anyway, reboot, aka Andrew Cockrell, myself and another built The Carrot and the Stick to explain email, define the best practices and to get people to abide by them.
Thoughts, comments and/or suggestions?"
Sooner or later, that DeLorean's going to land someone in jail. hackwrench writes "According to channel WSMV news, Alternate Energy Inventor Carl Tilley's compound was raided. Tilley was previously mentioned on Slashdot here."
Tilley had announced the then-upcoming demonstration of his perpetual-motion DeLorean.
My nanodots can fit inside your nanodots! Rocky Rawstern writes "I recently had the distinct pleasure to interview one of my favorite authors, Wil McCarthy. Upon completing three of his latest books - two sci-fi and one work of non-fiction - I realized that others would probably enjoy his ponderings as much as I. The questions for this interview stem from my own interest in programmable matter, and the awe-inspiring possibilities raised by Wil in his book Hacking Matter."
How to succeed (not necessarily) in business. jameshowison writes "A few months ago Ask Slashdot published Kevin Crowston's question on what makes open source software successful ... well the results are in and the paper typed. We ran the responses through a funky content analyser (called Grad Students). The metrics that academics and the industry have used for years simply don't work for OSS.
More and more it seems that we'll need to survey the number of job offers developers get and the size of the community to get at this one ..."
You sound very familiar to me. Interested Observer writes "Thanks to a slashdot article discussing false positives using Soundex I thought if Soundex can be used for something as important as "no-fly" lists then certainly we should be able to get some entertainment value out of it! See if your Soundex last name-counterparts show up in a Google News search."
A member of the USB-IF Administration writes to dispel the confusion raised by the seeming conflict between many USB products' labels and their actual data-transfer speeds:
"The source of confusion derives from the fact that USB specification revision numbers and data-transfer rates are often being used in place of the logo on consumer packaging, a purpose for which they were not originally intended. The USB-IF's recommended nomenclature for consumers is 'USB' for slower speed products (1.5 Mb/s and 12Mb/s) and "Hi-Speed USB" for high-speed products (480Mb/s), as signified in the USB logos that were introduced in late 2000. In short, consumers wishing to be certain they are getting the performance they paid for in their USB products can use the logo for clarification.
The USB-IF's naming and packaging recommendations for low- or full-speed USB products, as listed at the website http://www.usb.org/developers/packaging, state that such products can carry only the basic version of the USB logo, which simply states "Certified USB." We state clearly that manufacturers should avoid using terminology such as USB 2.0 Full Speed, Full Speed USB or USB 2.0. These formal recommendations were published to the USB-IF membership and posted on the website in August 2002.
The USB-IF is a nonprofit industry organization. We do not and cannot control how manufacturers label their products. We do work continuously with system and peripheral manufacturers, striving to provide consistency in the use of this nomenclature and the logos. The logo indicates that a product's performance against and conformance with the standard have been tested, and that the product has passed the USB compliance program.
Anyone having questions about the performance of a product should contact the manufacturer for clarification.
For a brief Q & A on this topic, please visit our website at http://www.usb.org/info/usb_nomenclature." -
Phish Moves To FLAC
sethadam1 writes "Due to customer feedback, Phish, who have served as pioneers in the pay-per-download online music arena with their livephish.com site, have recently converted to FLAC compression for their high-quality download offerings. Could this be an indication that FLAC may be adopted as the de facto lossless audio compression standard?" And fans were using it long before ;) -
KnoppiXMAME 1.0 Released
Ant writes "KnoppixMAME is a bootable arcade machine emulator with hardware detection and autoconfiguration. It works automatically on all modern and not-so-modern hardware, including gameports and joysticks. It is powered by Knoppix Debian GNU/Linux, X-MAME, and gxmame." Update: 06/19 23:18 GMT by S : Although there are earlier versions in the release directory, looks like V1.0 hasn't made it onto the FTP just yet. Meanwhile, Jim points out the AdvanceCD image, which is "..also a bootable ISO image of a minimal Linux distribution containing MAME, but weighing in at 16 MB rather than 200 MB so there is more room for ROMs." -
Open Source Distributed Shell Tools?
ColonelForbin74 asks: "While some may assume that most larger server clusters run advanced / custom software(i.e. Beowulf, cfengine, OSCAR), many of those stuck in the not-research-this-site-runs-production world know this simply isn't the case. Many people like myself are working with medium-to-large scale clusters with little help other than shell for() loops and some SSH trusted keys. What application-level tools are out there that might help SysAdmin / AppSupport types like myself run commands across a given cluster, push files out, etc? In my desperation to have some sort of tool in my toolbox, I've actually created one. However, I have a hard time believing this is the best thing out there, and would appreciate all the ideas and links I can get!" -
Mac OS X NWN Technology Demo Released
h0tblack writes "At long last the Mac OS X demo of Neverwinter Nights has been released. We now have a torrent running to get the demo distributed and take the load off the official servers (macgamefiles should have the demo soon). Download the BitTorrent for Mac OS X client if you don't already have it. Then grab the torrent file for the tech-demo from bytemonsoon.com. After downloading the demo, PLEASE leave your BitTorrent window open, this will mean that the load is shared amongst us all and more people can download faster." -
SCO Amends Suit, Clarifies "Violations", Triples Damages
Bootsy Collins writes "This evening on C|Net contains three new items. First, they've upped the damages they're seeking to $3 billion. Second, they claim that by making SMP technology generally available through Linux, IBM violated federal export controls and thus breached their contract with SCO through committing an illegal act. Finally, they elaborate on one specific technology they claim rights to which IBM inserted into the 2.5 kernel series -- the read-copy update memory management features which went in at 2.5.43. Unclear is why SCO thinks they have the rights to RCU, since the technology was originally developed by Sequent in the early 1990s." -
Game Assets For Open Source Games?
Ron Harwood writes "As a developer of an open source game - and having zero artistic talent - I find one of the biggest challenges is finding graphics (and potentially sounds) that can be distributed freely. Are there any good repositories of game assets (tiles, sprites, 3D meshes, sounds, music, etc.) out there?" -
A Blog With Unlimited Bandwidth (Beta 1.2)
jcr13 writes "konspire2b is a new content distribution system that essentially turns the standard p2p model upside down. This simple change gives the network several nice properties, including log-bounded distribution times (logarithmic in the number of nodes that receive a file) and a refreshingly different (and somewhat blog-like) user-interaction model. Comparisons have been made to other systems, including BitTorrent (with in-depth analysis), but k2b stands alone as a unique system tackling a different problem than other p2p systems. Recent Slashdot attention gave the network an effective stress test and provided the first real-world measurement results. The new beta1.2 release contains fixes for all of the issues encountered during this traffic surge." -
3D Stereo Graphics for Macs?
goombah99 asks: "I'm trying to view protein molecular models in 3D in my Mac OS X equipped office. I've demo-ed StereoGraphics CrystalEyes glasses and could not get them to work: I tried them with both a G4 (ATI rage 128 pro graphics adapter) and with a 800MHz Powerbook G4 with an external CRT. I've considered the NuVision (AKA MacNaughten) passive display system but it won't work with my preferred Molecular Graphics application PyMOL, which uses a 'blue-line' frame synchronizer rather than an 'over/under' synchronizer or Quad-buffer scheme. PyMOL is hardware accelerated so provides nicely rendered and shaded molecular images. Then there's the question of what graphics card to use--preferably one that does not require special drivers (that could break on an OS upgrade). I've tried several discussion groups but without success. Can anyone provide a success story for viewing molecular graphics in 3D on a Mac? Can anyone discuss the merits of different schemes (blue line, quad buffer, stereo-ready card, etc), and suggest other molecular graphics programs for Mac OS X." -
Orbiter Sim Gets You Spaced
stinky wizzleteats writes "Ever wondered why a space flight simulator never really got off the ground in the PC simulation scene? The answer is that it needed to be free. Dr. Martin Schweiger started the ball rolling a few years ago with Orbiter, a freeware Win32 DirectX based space flight simulator, in which you can fly orbital rendezvous, lunar landing, and even interplanetary missions. The current version has excellent graphics, including atmospheric descent and re-entry effects. There's also a burgeoning community of add-on developers, creating everything from sound add-ons and interplanetary navigation aids to complete working Apollo/Saturn 5 spacecraft. Virtual space agencies have even sprung up, using Roger Wilco and remote telemetry software (virtual mission control) to do Orbiter missions online. You can find the basic Orbiter files at Avsim or Sourceforge." -
Decent Terminal Emulation on Mac OS X?
Drawoc Suomynona asks: "After settling into Mac OS X over the last four months, I'm generally impressed. However, due to the sort of development work I do, I spend a great deal of my time in a terminal. Unfortunately for me, decent terminal emulation seems to be one area where Mac OS X is quite lacking. What's your answer to the state of terminal emulation on the Mac?" Drawoc summarizes the currently available offerings and their drawbacks, below. "Take, for instance, the following options:
- Apple's Terminal is slow (though performance has been better in 10.2.x), doesn't support xterm mousing, and for some reason refuses to send PgUp/PgDn through to any applications running in the terminal (gah!). Sure, transparency is nice, and with some hacking about (when was the last time you had to force "stty erase"?) you can get decent enough color xterm emulation, but... what's with the lack of PgUp/PgDn?
- The open source iTerm is slightly better, but, it's awfully slow (it grabs as much as 30% of the CPU per terminal instance... now imagine a full-screen vim session at 1600x1200... it's utterly unusable). It also neglects to support xterm mouse reporting.
- The closed source GLTerm ($10) is probably the best of the three "native" options, from a certain perspective. It manages to sidestep the CPU usage/UI responsiveness issue by rendering the entire terminal using OpenGL (yes, the characters are actually textures on GL primitives). It supports xterm mouse reporting. However, font choices are limited, it works only on supported video cards, and it has a very annoying "fuzzy text bug" if you set your terminal to the wrong size.
- Finally, you've got xterm :) But, it means you need to run X11 (either XDarwin or Apple's X11) and it doesn't integrate as nicely into the OS X workflow..."
-
PDL 2.4.0: Scientific Computing for the Masses
Dr. Zowie writes "Perl Data Language 2.4.0 was just released; get it here. This release includes even more powerful array slicing, a complete GIS cartography package, API access to the Gnu Scientific Library, and a host of other goodies. Between PDL and its less-mature siblings Numeric Python and Octave, the established commercial languages' days appear numbered." -
iTunes Internet Sharing Restored With Third-Party App
Suppafly writes "As reported at boingboing, iCommune creator Jim Speth whipped up a little application called 401(ok) that combines a few hacks to restore internet-wide sharing to iTunes 4.0.1. You can download the app from SF.net." As one might expect, it is basically a port redirector. -
Earth-Sized Planets Confirmed -- But They're Dead
tizo writes "Robert Britt wrote an interesting article about the discovery of three Earth-sized planets confirmed after ten years of controversy. They orbit a pulsar, a neutron star spinning very rapidly. Researchers pinned down the masses by watching how the planets affect pulses of energy coming from the star. All other known planets around other stars are much bigger (like Jupiter) and were found using other techniques (Doppler effect of main star moving in a close circle because of influence of the planet or direct transit over line of sight)." -
EvilWM - Minimalist Window Manager
DasZweiten writes "Being a minimalist, I have run across a window manager by the name of EvilWM in which finally my standards have been completely met. Being an ex-fvwm addict, after the recent slashdot post about the ten year birthday of fvwm, I felt the need to share my overwhelming joy of my discovery of EvilWM with the rest of slashdot. The manager is small, efficient, beautifully coded, decorated with one pixel borders - all one needs or could ask for. The authors say it best on the EvilWM main site with "'Minimalist' here doesn't mean it's too bare to be usable - it just means it omits a lot of the stuff that make other window managers unusable." I, frankly, could not have said it better myself. It lacks the unnecessary features, memory, and total bloating that most other window managers unfortunately contain. All of you die hard fvwm fans will love it. I'll never go back to anything else." -
Mount Remote Filesystems via SSH
eval writes "Ever wanted secure access to your files at work or school, but didn't have the necessary permissions or were thwarted by a firewall that allowed ssh access only? The SHFS kernel module allows you to mount directories from machines to which you have shell access. File operations are executed as shell commands on the server via SSH (or rsh). Caching keeps it reasonably fast, and remote commands are optimized based on the server's OS." -
Application Layer Packet Shaping on Linux
sommere writes "We have added application layer (layer-7) filtering to Linux. That means that you can set up your linux-router/linux-switch to prioritize mail over the web over kazaa or gnutella regardless of what port each program is using. Colleges have been paying thousands of dollars for packet shapers to prioritize their networks, now you can do it for free. Get your kernel patch at l7-filter.sourceforge.net." -
Fyodor Answers Your Network Security Questions
You asked nmap creator Fyodor many excellent questions, and his answers (below) are just as excellent. You'll want to set aside significant time to read and digest this interview, because Fyodor didn't just toss off a few words, but put some real time and energy into his answers.
1) Interesting stories involving nmap?
by Neologic
Nmap has obviously become a huge success in the *nix world. I would wager that practically all sysadmins and security folk use nmap. With this sort of use by such creative and lazy people, there must have been some interesting stories involving nmap, perhaps unusual uses of it, or funny anecdotes. Are there any you would like to share?
Fyodor
The coolest use ever was undoubtedly when Trinity used it to try and save the human race :). But the use I find most gratifying are the Chinese students and residents who have written me about how they use Nmap to locate open proxies. These proxies allow for surfing the uncensored Internet, including the news, educational, pornographic, religious, open source software, government, political, search engine, and human rights sites that are blocked by the Great Firewall of China.
Many of the best features in Nmap came from the user community in ideas if not implementation. For example, the protocol scan (-sO) determines what IP protocols (TCP, UDP, GRE, etc.) a host is listening for. I had not thought of this, but the idea and patch came out of the blue one day in an email from Gerhard Rieger. On another day, a guy named Saurik sent a patch called Nmap+V that allows Nmap to do basic service/version fingerprinting against open ports. It has attracted a cult following, and I plan to add similar functionality to Nmap this year. The initial Windows port by eEye arrived similarly. Despite all these great suggestions, certain other user-contributed ideas are not on the agenda.
Then there are a small handful of users who detect problems nobody else would ever notice, like 4 byte/host memory leaks. They send me error messages with notes saying the bug happens "about once per 700,000 IPs". I have no idea what these guys are up to, but some have been sending me this kind of mail for years. They can't be spammers, as they are intelligent and also use more sophisticated scan techniques than you would need to just find SMTP servers.
2) Recent increases in anal-retentiveness...?
by Zeriel
There's been a marked increase in system administrators thinking that anything even remotely resembling a network scan is eeeeevil (case in point, last year I almost got kicked out of college for scanning port 80 on my dorm subnet looking for interesting websites to read)...
What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?
Fyodor
That is an excellent question, and one that concerns me as well. But first, I think your final statement is too extreme. I would guess 90% of network scanning is non-controversial. You will rarely be badgered for scanning your own machine or the networks you administer. The controversy comes when scanning other networks. There are a lot of (good and bad) reasons for doing this sort of network exploration. Perhaps you are scanning the other systems in your {dorm, department, cable LAN, conference LAN} to look for publicly shared files (FTP, SMB, WWW, etc.). Or perhaps you're just trying to find the IP of a certain printer. Maybe you scanned your favorite web site to see if they are offering any other services, or because you are curious what OS they run. Perhaps you are just trying to test connectivity, or maybe you wanted to do a quick security sanity-check before handing off your credit card details to that ecommerce company. You might be conducting Internet research, or be bored on a rainy afternoon. Or are you conducting reconnaissance in preparation for a breakin attempt?
The remote administrators rarely know your true intentions, and do sometimes get suspicious. The best approach is to get permission first. I've seen a few people with non-administrative roles land in hot water after deciding to "prove" network insecurity by launching an intrusive scan of the entire company or campus. Admins tend to be more cooperative when asked in advance than when woken up at 3AM by an IDS alarm claiming they are under massive attack.
You compared Nmap to P2P tools in having a "negative stigma". In both cases, one effective way to fight the stigma is to limit your own use to "legitimate" purposes. Use BitTorrent to download RedHat ISOs, but not Matrix Reloaded. Use Nmap to secure and monitor your computers, but not to attack other networks. And if you decide to attack other networks anyway, please be courteous and set the evil bit.
Now I'll admit that I don't always obtain explicit permission before scanning other networks. I don't believe (but IANAL) that a simple port/OS scan of a remote system is or should be illegal. Any machine connected to the Internet will be scanned so often that most admins ignore such "white noise" anyhow. But scan other networks often enough, and someone will eventually complain. So my advice would be:
- Don't do anything controversial from your work or school connections. Even though your intentions may be good, you have too much to lose if someone in power (boss, dean) decides you are a malicious cracker. Do you really want to explain your actions to someone who may not even understand the terms "port scanner" or "packet"? Spend $10 bucks a month for a dialup or shell account. You didn't really violate this rule, as scanning your dorm subnet for just port 80 should not even be remotely controversial!
- Target your scan as tightly as possible. If you are only looking for web servers, specify -p80 rather than scanning all 65,535 TCP ports on each machine. If you are only trying to find available hosts, do an Nmap ping scan. Don't scan a /16 when a /24 will suffice. The random scan mode now takes an argument specifying the number of hosts, rather than running forever. So consider -iR 1000 rather than -iR 10000 if the former is sufficient. Use the default timing (or even "-T Polite") rather than "-T Insane".
- Nmap offers many options for stealthy scans, including source-IP spoofing, decoy scanning, and the more recent Idle Scan technique. But remember there is always a trade-off. You will be harder to detect if you launch scans from an open WAP far from your house, with 17 decoys, while doing followup probes through a chain of 9 open proxies. But if anyone (such as Tsutomu Shimomura) does track you down, they will be mighty suspicious of your intentions.
I occasionally consider adding some sort of "notification packet" prior to a scan that would give hosts the chance to respond and opt-out. This would be like the /robots.txt directives currently used to control polite Web robots. Perhaps the format could even include a text string that IDS systems could log, like:
nmap -sS -p- -O -m "Direct questions about this scan to ops at x3512" 192.168.0.0/16
nmap -sS -p- -O -m "mY n4m3 iZ Zer0 |<00L and I'll 0wn j0o%#@" targetcompany.com/24
Of course Nmap would have an option to omit the notification or to send it and ignore any negative responses. Some scanners, such as ISS Internet Scanner already send out NetBIOS popup messages to scanned hosts by default, and other scanners use syslog. I won't be adding any features like this to Nmap unless I see substantial demand and the obvious issues are worked out.
3) OS fingerprinting
by neoThoth
What are the latest advances in fingerprinting networked devices that seem most promising to you? I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture. What are the most elusive OS's that aren't on the NMAP OS fingerprint database?
Fyodor
There are a number of OS detection techniques I hope to add this year. One is to guess (or calculate) the initial TTL of response packets, since this varies by OS. Some operating systems also "reflect" your own chosen TTL under various circumstances. Then there are some newer TCP options, such as selective ack that I might test for. Explicit Congestion Notification (RFC 2481/3168) also shows promise. I'll probably add all of these at once later this year, after discussions with the Nmap-dev list. If you wish to participate, you can join that list by sending a blank email to nmap-dev-subscribe@insecure.org. There is also a low volume, moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 15,000 current members by mailing nmap-hackers-subscribe@insecure.org [archives].
While adding new fingerprinting techniques is fun and exciting, improving the signature database often adds more value. The DB now contains more than 850 signatures, from the Acorn RISC OS and Aironet wireless LAN bridge to the ZoomAir wireless gateway and Zyxel Prestige routers. We're talking gaming consoles, phones, PBX systems, PDAs, webcams, networked power switches, you name it! New fingerprints are submitted daily.
Application level fingerprinting (including HTTP) is coming. I usually regret stating dates, but I hope to develop this functionality within the next 3 months.
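As an added illustration of the initial-TTL technique Fyodor mentions above (example code written for this page, not Nmap's own), the functions below round an observed TTL up to the nearest common initial value and derive a hop count and a rough OS family. The OS labels per initial TTL are an assumed rule of thumb, not Nmap's fingerprint database, and the packet observations are constructed.

```python
"""Passive initial-TTL inference (example for this page, not Nmap code).

A packet's TTL only ever decreases as it crosses routers, so the sender
must have started at or above the value we observe. Rounding up to the
smallest common initial TTL gives both a guess at the sender's stack and
an estimate of how many hops away it is.
"""

# Commonly used initial TTLs. The OS family labels are an assumption for
# illustration; real fingerprinting combines this with many other probes
# because the mapping is far from unique.
INITIAL_TTLS = {
    32: "some older Windows 9x / embedded stacks",
    64: "Linux / *BSD / macOS / most Unix",
    128: "Windows",
    255: "Cisco IOS, Solaris, some other network gear",
}


def infer_initial_ttl(observed_ttl: int) -> int:
    """Return the smallest candidate initial TTL that is >= observed_ttl.

    Caveat: a 64-initial host more than 32 hops away would be misread as a
    32-initial host 0-31 hops away, and a stack that reflects the prober's
    own TTL defeats the heuristic entirely. That is why this is a hint,
    not a verdict.
    """
    if not 0 < observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial
    return 255  # not reachable because 255 is a candidate; kept for clarity


def estimate_hops(observed_ttl: int) -> int:
    """Estimated router hops between the sender and us (initial - observed)."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def guess_os_family(observed_ttl: int) -> str:
    """Rule-of-thumb OS family for the inferred initial TTL."""
    return INITIAL_TTLS[infer_initial_ttl(observed_ttl)]


def analyse_packets(packets):
    """Summarise (source_ip, observed_ttl) pairs per source address."""
    results = {}
    for src, ttl in packets:
        initial = infer_initial_ttl(ttl)
        results[src] = {
            "observed_ttl": ttl,
            "initial_ttl": initial,
            "hops": initial - ttl,
            "os_family": INITIAL_TTLS[initial],
        }
    return results


# Constructed sample observations (documentation addresses, not captures).
SAMPLE_PACKETS = [
    ("192.0.2.10", 57),   # looks like a 64-initial host 7 hops away
    ("192.0.2.20", 117),  # looks like a 128-initial host 11 hops away
    ("192.0.2.30", 243),  # looks like a 255-initial device 12 hops away
]

if __name__ == "__main__":
    for src, info in analyse_packets(SAMPLE_PACKETS).items():
        print(src, info)
```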
4) Stepping into a network security career
by Anonymous Coward
I'll be graduating this month with a shiny new BS in Computer Science. I've done plenty of Unix sysadmin work throughout college and even deployed some high-interaction honeynets. I'm very interested in network security and systems programming. Do you have any advice for people in my situation who want to head into a career in network security?
Fyodor
Congratulations on your graduation! Unfortunately (for newcomers), the security field is one that often expects substantial experience and references. This is partly because these jobs require extraordinary trust, and also because of an aversion to mistakes. Everyone makes mistakes, but they can be extraordinarily costly in security and neophytes tend to make more of them. But don't lose hope! Talented security minds are still in very high demand, just be aware that you will have to work even harder to prove yourself.
Here are my suggestions for anyone starting out in network security, whether for fun or profit:
Step 1: Learn everything you can
- You may wish to start with reading a general overview of security, such as Practical Unix and Internet Security 3rd Edition.
- Reading alone won't teach you much. Hands-on experience is critical, so I would set up at least a basic test network. At the very minimum you should have a Unix box or two and a Windows machine (because these are very common in the real world). You can use very cheap machines, or even emulate a large network with virtualization software such as VMWare.
- Next you should learn more about how attacks are performed. Take a look at the excellent and free Open Source Security Testing Methodology Manual (OSSTMM). This document aims to provide a comprehensive framework for security testing. But it mostly lists tasks to perform, without specifying how to do so. You will gain a lot from this manual if you research the tasks you don't know how to complete, and if you actually try performing the tasks on your test network. If this manual is too curt or hard to follow, you could try a more verbose book on vulnerability assessment, such as Hacking Exposed 4th Edition.
- Now that you understand many of the general security ideas, it is time to get current. This is one area that has actually become easier in the last decade. The thinking used to be that vulnerability information should only be distributed to well-known and trusted administrators and security researchers through private digests such as Zardoz. This was a disaster for many reasons, and the full disclosure movement was born. In the last couple of years things have started to shift toward more limited ("responsible") disclosure and there is also a disturbing pay-money-for-early-disclosure trend. But information is still much more available than it used to be. Most of the news is carried on mailing lists, and I archive the ones I consider the best at Lists.Insecure.Org. You must subscribe to Bugtraq, and I would also highly recommend pen-test, vuln-dev, and security-basics. Read at least the last 6-12 months of archives. Choose other lists that correspond to your interests. SecurityFocus also offers a security-jobs list which is an excellent resource for finding jobs or just understanding what employers desire.
There are two major reasons for reading Bugtraq. One is that you must react quickly to new vulnerabilities by patching your servers, notifying your clients, etc. You can get this by simply scanning the subject lines or advisory summaries for bugs that directly apply to you. But then you will miss out on another crucial purpose of Bugtraq. Actually understanding a vulnerability helps you defend against it, exploit it, and identify/prevent similar bugs in the future. When you are lucky, the advisory itself will provide full details on the bug. Check out this excellent recent advisory by Core Security Technologies. Note how they describe exactly how the Snort TCP Stream Reassembly vulnerability works in detail and even include a proof-of-concept demonstration. Unfortunately, not all advisories are so forthcoming. For bugs in Open Source software, you can understand the problem by reading the diff. The next step is to actually write and test an exploit. I would recommend writing at least one for each general class of bug (buffer overflow, format string, SQL injection, etc.) or whenever a bug is particularly interesting.
Be sure to read the latest issues of Phrack and the research papers posted to the mailing lists. Send your comments and questions to the authors and you may start interesting discussions. Read well-regarded books on the security topics that interest you most.
I can't emphasize enough that you should intersperse hands-on work with all of this reading. Install unpatched RedHat 8 (or whatever) and run Nmap and Nessus against it. Then compromise it remotely, maybe via the latest Samba hole. Start out with a prewritten exploit from Bugtraq, which isn't quite as easy as it sounds. You may have to modify the 'sploit to compile, brute force the proper offset, etc. Then break in again using a different technique, and your own exploit. Install Ethereal and/or tcpdump and ensure you understand the traffic on your network during both your exploitation and normal network activity. Install Snort on an Internet-facing machine and watch the attacks and probes you'll experience. Wander around your neighborhood with Kismet, Netstumbler, or Wellenreiter on your Laptop or PDA to look for open WAPs. Install DSniff and execute an active MITM attack on an SSH or SSL connection between two of your computers. Take a look at my Top 75 Tools List and ensure you understand what each does and when it would be useful. Try out as many as you can.
- Take a vacation, or at least a weekend camping! You deserve it! The steps above would probably take at least 3-12 months full-time, depending on your motivation level and the depth and breadth of your research.
Now you have learned enough to be dangerous. At this point, you would have little trouble obtaining most certifications, after studying the specifics of each topic. If your main goal is to find a job quickly, perhaps adding these extra feathers to your cap might be worthwhile. But I think your best bet is to prove your knowledge by joining and contributing to the security community. While this does indeed help others, it isn't an entirely selfless act. It improves your skills, leads to important contacts, and demonstrates your knowledge and ability in a constructive way. The latter is important if securing a career is one of your goals. These steps should also be fun! If not, perhaps you should keep looking at other fields. Here are some ideas:
Start participating with insightful comments and answers on the mailing lists. This is very easy and serves as a great learning experience, way to meet people, and garners some name recognition. If a security manager with a stack of 60 resumes recognizes your name, that is a huge win!
When a new worm or a big new vulnerability comes out, everyone wants to know the details. If you stay up all night disassembling the worm/patch and write the first comprehensive analysis, many folks will find that valuable. And you will learn a lot. Let your first priority be quality - if someone beats you to it, just compare your results with theirs to see if you (or they) missed (or misinterpreted) anything. You can also post your own exploits, although that is more of a political hot potato.
Attending security conferences is a great way to learn, party with fellow hackers, and network (in every sense of the word). Much better is to speak at these conferences. This field changes rapidly so there are always new topics and technologies to discuss. You don't have to be a well-known expert with a long history - just learn your topic well and put in the effort for a quality presentation. You could present at Defcon, at one of the more commercial events, or at a smaller regional con like ToorCon, CodeCon, Hivercon, etc. Among other advantages (often free admission/travel/hotel), this is a great way to meet people with similar interests. I spoke at the latest CanSecWest and have submitted a proposal for the next Defcon.
Now that you've seen and understand a wide variety of software vulnerabilities from your Bugtraq research, start finding your own. You can start by downloading any PHP app from Sourceforge. Most of those are hopelessly vulnerable to Cross-Site-Scripting, SQL injection, and/or remote code execution by "remote include" directives. Many (if not most) Windows shareware daemons are also vulnerable to simple buffer overflows and format-string bugs. Notify the authors and then write an advisory. After a few of these "easy targets", try breaking some more widely deployed programs.
Write a security tool! I could list some suggestions, but by this point you will have many of your own ideas as to what is needed. Scratch an itch.
I hope this helps. If you want more suggestions, Ask Slashdot. From that story, I found this post particularly insightful, especially the emphasis on "people skills". I don't claim to have any, but understand the value :).
5) Have you ever been tempted to use your gifts...
by Tim_F
...in a negative manner?
Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?
And if you haven't, why is that the case?
Fyodor
I never do script-kiddie style "hack any random vulnerable box on the Internet" cracking. But sometimes I will launch targeted attacks at specific companies. I'll usually start with just a web browser and various search engines to learn everything I can about my target. I need to understand what the company does, who it partners with, and whether it has any corporate siblings, subsidiaries, or parents. Beyond that, posts by individual employees can be a gold mine. Besides providing names and titles for social engineering and brute force password attacks, the IPs in the mail/news routing headers can be very valuable. One of the reasons I run my own mailing list archive is to maintain access to the raw mail folders which contain the routing info and X-no-archive posts that web archives strip out. Another advantage to locating employees is that you can send them trojan executable attachments, which can be a very effective way into the network.
Next I'll gather known IP network information on the companies via DNS, whois, regional registries like ARIN, routing info, Netcraft, etc. Then comes the scanning (I tend to use Nmap), application-probing, vulnerability discovery, and exploitation stages.
Of course, I only do this when the company is paying me to do so. Performing these pen-tests offers several advantages over blackhat activity:
- You don't go to jail (If you've worded your contract carefully.)
- Instead of having to keep your übertechniques secret to avoid prosecution, you get to demonstrate them to management.
- They actually pay you for this! And you are helping to protect them and the privacy of their customers.
Now some people might ask how you gain these skills without practicing on other networks first. Cheap hardware and the evolution of free UNIX operating systems have made this much easier than in the past. See the previous answer for some suggestions. And remember that you can always work together with friends, or participate in hacking contests like Defcon's Capture the Flag.
6) You'll have seen a lot of breakins.
by Hulver
During your time running Honeypots, you'll have seen a lot of compromised systems. Is there any incident that's really stuck in your mind because of the audacity of the attempt, or the stupidity of the person attempting the breakin?
Fyodor
On the humorous front, one attacker was running a public webcam during his exploits, so we were able to watch him crack into our boxes in real time :). I will resist the urge to link a screenshot. His rough location was determined when we noticed Mrs. Doubtfire playing on his TV and correlated that with public schedule listings. He was working with a Pakistani group, but was actually on the US East Coast.
In the "disturbing audacity" front, this year we found that a group of crackers had broken into an ecommerce site and actually programmed an automated billing-system-to-IRC gateway. They could obtain or validate credit card numbers by simply querying the channel bot! Expect a more detailed writeup soon.
7) What makes a honey net enticing?
by cornice
It seems that many of the honey nets that the average hobbyist would run are built to attract a lesser cracker. What I mean is that ports are left open that normally would not be left open. Services are running that normally should not, etc. I think that a really smart fish would see this as nothing but a cheap lure and refuse the bait. Do you think it's possible to fool the really smart fish? Is it possible to bait with something enticing enough without tipping off the big fish? Does publication of your work make this task more difficult?
Fyodor
Excellent question, and I had many of the same concerns upon joining the project. Then I remembered that most of the attacks and real-world compromises are committed by these marginally skilled script kiddies. So there is still a lot of value in understanding their tools, tactics, and motives. Despite this apparent limitation, I have been surprised by some of the sophisticated things we have found. For example, the first known "in the wild" attack using the Solaris dtspcd vulnerability was caught by one of our honeynets and resulted in this CERT advisory. Then one of our Honeynet Alliance members had their Win2K honeypot compromised and joined into a botnet with 18,000 machines! Attackers on such a grand scale won't even know all of the companies they have compromised, much less whether any of the systems are honeynets.
I do believe baiting the "smart fish" might be possible, but I have never done this. It's not legally entrapment, as we aren't any sort of police force, but I am not very comfortable with the idea. If someone attacks my box that is just unobtrusively sitting on the network, I believe the attacker should have no expectation of privacy for his activities on the system. Things become more complex if I try to lure the attacker.
8) IPv6
by caluml
Do you think that with the very large address space of IPv6 that random scanning for a certain port will die off? (I notice nmap doesn't support random IPv6 address scanning - maybe you've already come to the same conclusion?) Simply put, the chances of finding a machine if it's not advertised anywhere will be very much reduced. Will this make people lazy and complacent, trusting on the large numbers involved to protect them?
Fyodor
Finding a machine by pinging a completely random 128-bit address will probably never be effective. Fortunately, we won't have to! Nmap does not even do that for 32-bit IPv4 addresses - it is smart enough to skip huge blocks of address space that are unallocated or used for private (RFC1918, localhost) addresses. We will also see patterns emerge for IPv6. For example, they may often be allocated sequentially so that finding one leads to many others. I am waiting until adoption rises and we start seeing these patterns emerge before I can implement them appropriately in Nmap. Certain new DNS features may also prove useful for locating IPv6 machines and networks.
9) standalones and small home nets
by zogger
It seems like most of the emphasis is on enterprise networks, but that still leaves millions and millions of home machines and small home networks just stuck. What do you see as some of the trends and solutions for those people? Their data and system integrity is just as important to them as any corporation's is, and, usually not having the appropriate skill set, is even harder to implement.
Fyodor
I am afraid the focus by security companies on enterprise networks will continue, as that is where the money is. The good news is that securing small home networks is far easier. But that doesn't make it simple, nor mean that many people will bother. I would categorize the risks into 3 categories:
Traditional network server vulnerabilities: Your average home user doesn't need to run any network daemons or have any TCP/UDP ports open to the Internet. Most of the time they only have 1 IP, used either by a standalone PC or a NAT device (e.g. "broadband router") in front of their small network. This is a good configuration, as it limits what attackers can reach directly. But you need to be sure that the IP doesn't have any unnecessary ports open. You can verify this by running 'netstat' on the Windows or UNIX machine using the IP. I would also recommend confirming using a port scanner such as Nmap. Here are example commands:
nmap -p- -sS -T4 -v -O [your IP]
nmap -p- -sU -v [your IP]
The TCP and UDP scans could be combined into one execution, but are listed separately since the TCP scan may go much faster. Remote UDP scans are also less reliable against some heavily filtered hosts. You may have to rely on the netstat info or configuration details in this case.
Any open ports found should be evaluated with extreme prejudice. Unless clearly necessary, close Windows file sharing, external NAT device admin ports, and everything else found.
Don't forget the wireless backdoor! Blocking the Internet link from your private machines is insufficient if anyone can hop on your open WLAN and attack your machines. WEP isn't perfect, but the 104-bit (so-called 128-bit) version should at least keep people from accidentally connecting to your network or sniffing your data. Be sure to set a good password and upgrade to recent firmware for your WAP and other network devices.
Subscribe to the security advisory lists for all the operating systems (and devices, if available) you run. Major vendors such as RedHat, Debian, FreeBSD, Mandrake, and Microsoft all offer these. Most even offer automatic updates if you desire that.
Client vulnerabilities: Once you close the services you don't need (ideally all of them), client vulnerabilities must be addressed. Keeping your web browser and mail reader up-to-date is particularly crucial. Also harden them as much as possible. For example, IE is full of holes but at least has a good interface for site-by-site security policies (Tools -> Internet Options -> Security). Go through and neuter the "Internet zone" settings by disabling ActiveX and Java. In the rare case that sites need this, find an alternative site or add them to the trusted zone. If you are really serious about security, neuter "trusted sites" and "local intranet" privileges as well. Many recent IE vulnerabilities trick the browser into using the wrong zones. Consider using a different browser. Also configure your mailer to disregard HTML and JavaScript.
Remember to pay careful attention to security warnings, whether they come from IE, Mozilla, your ssh client, or anything else. Don't just click OK. And don't shoot yourself in the foot when configuring your apps. It is hard to entirely blame the vendor when users tell P2P apps or Windows filesharing to share their whole drive without any password. Failing to change default passwords or enable basic restrictions on X Window or FTP servers is only slightly more forgivable. All of these errors happen frequently! The apps/devices should be secure by default, but you have the ultimate responsibility for protecting your data.
Malware: This is what I consider the biggest problem on desktops: people running applications they can't trust. Email borne viruses, worms and trojans are an obvious example. Be very careful what you click on. Unfortunately, it is very difficult to know what to trust. Mail is trivial to forge, and even the "proper" installers for many P2P applications infest your computer with loads of invasive spyware. Even Intuit TurboTax was caught writing to customers' boot information track.
What can you do? My honest suggestion is to run peer-reviewed open source applications on a free OS such as Linux or FreeBSD. You still have to be careful, but these problems are far less prevalent on UNIX platforms, which also have better tools and procedures to deal with them.
What if dumping Windows is not an option? Run NT/2K/XP instead of Win9X/ME, and try to run everything you can as an unprivileged (non-administrator) user. Be extraordinarily careful about what you install and run, and make frequent backups. You might also want to look into a personal firewall such as Zone Alarm (limited free version).
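To act on the home-network self-scan in the answer above, here is an added example (written for this page, not Nmap's code) that reads the grepable output Nmap writes with its -oG option and flags every open port that is not on an allowlist, singling out the Windows file-sharing and device-admin ports the answer says to close. The scan output embedded below is constructed, not a real capture, and the admin-port list is an assumption.

```python
"""Flag unnecessary open ports from an Nmap -oG self-scan (example only).

Assumes the two scans from the answer were re-run with '-oG <file>' so the
results are in Nmap's grepable format: one 'Host:' line per host, with a
'Ports:' field of comma-separated port/state/proto/owner/service/... entries.
"""
import re

# Ports the answer singles out as things to close unless clearly necessary.
WINDOWS_FILE_SHARING = {("tcp", 135), ("tcp", 139), ("tcp", 445),
                        ("udp", 137), ("udp", 138)}
# Common web/telnet admin interfaces on NAT devices (assumed list).
DEVICE_ADMIN = {("tcp", 23), ("tcp", 80), ("tcp", 443),
                ("tcp", 8080), ("tcp", 8443)}

# port/state/proto/owner/service/ ... (state may be 'open|filtered' for UDP)
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Yield (host, proto, port, state, service) for each port entry."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            m = PORT_RE.search(entry.strip())
            if m:
                port, state, proto, service = m.groups()
                yield host, proto, int(port), state, service


def evaluate(text, allowed=frozenset()):
    """Return findings for open ports whose (proto, port) is not allowed."""
    findings = []
    for host, proto, port, state, service in parse_grepable(text):
        if not state.startswith("open"):
            continue  # closed/filtered ports are not reachable services
        key = (proto, port)
        if key in allowed:
            continue
        if key in WINDOWS_FILE_SHARING:
            reason = "Windows file sharing exposed; close unless clearly necessary"
        elif key in DEVICE_ADMIN:
            reason = "possible device admin interface reachable from outside"
        else:
            reason = "unexpected open service; identify it or close it"
        if state != "open":
            # UDP scans cannot distinguish open from filtered; cross-check.
            reason += " (UDP state is open|filtered: confirm with netstat/config)"
        findings.append({"host": host, "proto": proto, "port": port,
                         "service": service, "reason": reason})
    return findings


# Constructed sample of -oG output for a single NAT device/PC (not real).
SAMPLE_OUTPUT = """\
# Constructed sample of Nmap grepable output
Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65531)
Host: 192.0.2.1 ()\tPorts: 137/open|filtered/udp//netbios-ns///\tIgnored State: closed (65534)
"""

if __name__ == "__main__":
    # Only SSH is deliberately exposed on this host; everything else is flagged.
    for f in evaluate(SAMPLE_OUTPUT, allowed={("tcp", 22)}):
        print(f"{f['host']} {f['proto']}/{f['port']} ({f['service']}): {f['reason']}")
```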
10) What is your favourite tool?
by Noryungi
I have just read your top 75 security tools list. Thank you for posting all this information, which I am going to study very carefully.
One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).
Fyodor
I have far too many favorites among this great group to choose just one! But here are a few developers and tools that are particularly worthy of mention:
One of the people I most admire in the security field is Solar Designer. He is a guru in networking, security, and low level kernel/assembly/architecture details. He has also created many tools that security professionals use daily. Yet he never exhibits the arrogance, elitism, and egotism that sadly characterizes so many "stars" of the security community.
Among SD's tools is John the Ripper, my longtime favorite local password hash cracker. It has been around forever, but was written with a flexible and powerful interface while keeping extensibility in mind. So it is still as useful in these days of shadowed password files and MD5/Blowfish hashes as it was back in the days of crypt() and unprotected /etc/passwd. Lately SD has been working on the Owl secure GNU/Linux distribution, which can be installed on disk for hardened systems like firewalls, or booted and run from CD as an easy way to run security tools such as John and Nmap.
Another of those "brilliant yet still nice" security developers is Dug Song. Even after the seminal "Insertion, Evasion, and Denial of Service" paper by Ptacek and Newsham, many IDS vendors continued to ignore the problem. When Dug released Fragrouter (now fragroute), which implements some of these attacks, vendors finally took notice! He has also written the excellent libdnet library, but my favorite of his tools is DSniff, a suite of tools for advanced network sniffing and "monkey-in-the-middle" attacks. It even handles ARP poisoning and other techniques for sniffing hosts on a switched LAN.
While I'm on this topic, let me also give "mad props" to the Hping2 packet prober, Kismet wireless stumbler, Ethereal packet decoder, Netcat, recent THC releases, Snort IDS, the Nessus vulnerability scanner, and all the other great Open Source tools out there!
I would also like to thank Slashdot for granting me this interview and to everyone who asked such excellent questions. I only wish I had time to answer more of them. Then again, I have probably rambled on enough. Now it is your turn to ramble in the comments :).
Cheers,
Fyodor -
Fyodor Answers Your Network Security Questions
You asked nmap creator Fyodor many excellent questions, and his answers (below) are just as excellent. You'll want to set aside significant time to read and digest this interview, because Fyodor didn't just toss off a few words, but put some real time and energy into his answers.
1) Interesting stories involving nmap?
by Neologic
Nmap has obviously become a huge success in the *nix world. I would wager that practically all sysadmins and security folk use nmap. With this sort of use by such creative and lazy people, there must have been some interesting stories involving nmap, perhaps unusual uses of it, or funny anecdotes. Are there any you would like to share?
Fyodor
The coolest use ever was undoubtedly when Trinity used it to try and save the human race :). But the use I find most gratifying are the Chinese students and residents who have written me about how they use Nmap to locate open proxies. These proxies allow for surfing the uncensored Internet, including the news, educational, pornographic, religious, open source software, government, political, search engine, and human rights sites that are blocked by the Great Firewall of China.
Many of the best features in Nmap came from the user community in ideas if not implementation. For example, the protocol scan (-sO) determines what IP protocols (TCP, UDP, GRE, etc.) a host is listening for. I had not thought of this, but the idea and patch came out of the blue one day in an email from Gerhard Rieger. On another day, a guy named Saurik sent a patch called Nmap+V that allows Nmap to do basic service/version fingerprinting against open ports. It has attracted a cult following, and I plan to add similar functionality to Nmap this year. The initial Windows port by eEye arrived similarly. Despite all these great suggestions, certain other user-contributed ideas are not on the agenda.
Then there are a small handful of users who detect problems nobody else would ever notice, like 4 byte/host memory leaks. They send me error messages with notes saying the bug happens "about once per 700,000 IPs". I have no idea what these guys are up to, but some have been sending me this kind of mail for years. They can't be spammers, as they are intelligent and also use more sophisticated scan techniques than you would need to just find SMTP servers.
2) Recent increases in anal-retentiveness...?
by Zeriel
There's been a marked increase in system administrators thinking that anything even remotely resembling a network scan is eeeeevil (case in point, last year I almost got kicked out of college for scanning port 80 on my dorm subnet looking for interesting websites to read)...
What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?
Fyodor
That is an excellent question, and one that concerns me as well. But first, I think your final statement is too extreme. I would guess 90% of network scanning is non-controversial. You will rarely be badgered for scanning your own machine or the networks you administer. The controversy comes when scanning other networks. There are a lot of (good and bad) reasons for doing this sort of network exploration. Perhaps you are scanning the other systems in your {dorm, department, cable LAN, conference LAN} to look for publicly shared files (FTP, SMB, WWW, etc.). Or perhaps you're just trying to find the IP of a certain printer. Maybe you scanned your favorite web site to see if they are offering any other services, or because you are curious what OS they run. Perhaps you are just trying to test connectivity, or maybe you wanted to do a quick security sanity-check before handing off your credit card details to that ecommerce company. You might be conducting Internet research, or be bored on a rainy afternoon. Or are you conducting reconnaissance in preparation for a breakin attempt?
The remote administrators rarely know your true intentions, and do sometimes get suspicious. The best approach is to get permission first. I've seen a few people with non-administrative roles land in hot water after deciding to "prove" network insecurity by launching an intrusive scan of the entire company or campus. Admins tend to be more cooperative when asked in advance than when woken up at 3AM by an IDS alarm claiming they are under massive attack.
You compared Nmap to P2P tools in having a "negative stigma". In both cases, one effective way to fight the stigma is to limit your own use to "legitimate" purposes. Use BitTorrent to download RedHat ISOs, but not Matrix Reloaded. Use Nmap to secure and monitor your computers, but not to attack other networks. And if you decide to attack other networks anyway, please be courteous and set the evil bit.
Now I'll admit that I don't always obtain explicit permission before scanning other networks. I don't believe (but IANAL) that a simple port/OS scan of a remote system is or should be illegal. Any machine connected to the Internet will be scanned so often that most admins ignore such "white noise" anyhow. But scan other networks often enough, and someone will eventually complain. So my advice would be:
- Don't do anything controversial from your work or school connections. Even though your intentions may be good, you have too much to lose if someone in power (boss, dean) decides you are a malicious cracker. Do you really want to explain your actions to someone who may not even understand the terms "port scanner" or "packet"? Spend $10 bucks a month for a dialup or shell account. You didn't really violate this rule, as scanning your dorm subnet for just port 80 should not even be remotely controversial!
- Target your scan as tightly as possible. If you are only looking for web servers, specify -p80 rather than scanning all 65,535 TCP ports on each machine. If you are only trying to find available hosts, do an Nmap ping scan. Don't scan a /16 when a /24 will suffice. The random scan mode now takes an argument specifying the number of hosts, rather than running forever. So consider -iR 1000 rather than -iR 10000 if the former is sufficient. Use the default timing (or even "-T Polite") rather than "-T Insane".
- Nmap offers many options for stealthy scans, including source-IP spoofing, decoy scanning, and the more recent Idle Scan technique. But remember there is always a trade-off. You will be harder to detect if you launch scans from an open WAP far from your house, with 17 decoys, while doing followup probes through a chain of 9 open proxies. But if anyone (such as Tsutomu Shimomura) does track you down, they will be mighty suspicious of your intentions.
I occasionally consider adding some sort of "notification packet" prior to a scan that would give hosts the chance to respond and opt-out. This would be like the /robots.txt directives currently used to control polite Web robots. Perhaps the format could even include a text string that IDS systems could log, like:
nmap -sS -p- -O -m "Direct questions about this scan to ops at x3512" 192.168.0.0/16
nmap -sS -p- -O -m "mY n4m3 iZ Zer0 |<00L and I'll 0wn j0o%#@" targetcompany.com/24
Of course Nmap would have an option to omit the notification or to send it and ignore any negative responses. Some scanners, such as ISS Internet Scanner already send out NetBIOS popup messages to scanned hosts by default, and other scanners use syslog. I won't be adding any features like this to Nmap unless I see substantial demand and the obvious issues are worked out.
3) OS fingerprinting
by neoThoth
What are the latest advances in fingerprinting networked devices that seem most promising to you? I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture. What are the most elusive OS's that aren't on the NMAP OS fingerprint database?
Fyodor
There are a number of OS detection techniques I hope to add this year. One is to guess (or calculate) the initial TTL of response packets, since this varies by OS. Some operating systems also "reflect" your own chosen TTL under various circumstances. Then there are some newer TCP options, such as selective ack that I might test for. Explicit Congestion Notification (RFC 2481/3168) also shows promise. I'll probably add all of these at once later this year, after discussions with the Nmap-dev list. If you wish to participate, you can join that list by sending a blank email to nmap-dev-subscribe@insecure.org. There is also a low volume, moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 15,000 current members by mailing nmap-hackers-subscribe@insecure.org [archives].
While adding new fingerprinting techniques is fun and exciting, improving the signature database often adds more value. The DB now contains more than 850 signatures, from the Acorn RISC OS and Aironet wireless LAN bridge to the ZoomAir wireless gateway and Zyxel Prestige routers. We're talking gaming consoles, phones, PBX systems, PDAs, webcams, networked power switches, you name it! New fingerprints are submitted daily.
Application level fingerprinting (including HTTP) is coming. I usually regret stating dates, but I hope to develop this functionality within the next 3 months.
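The first technique Fyodor mentions above, guessing the initial TTL of a response, is simple enough to show in full. The following is an added example written for this page, not Nmap's code and not part of the interview: it rounds an observed TTL up to the nearest common default (32, 64, 128 or 255), derives a hop estimate from the difference, and votes across several packets from the same host so that one odd or "reflected" TTL does not decide the result. The OS hints are the widely known stack defaults and are only hints; the sample packet list is constructed.

```python
"""Passive initial-TTL inference from observed packets.

Added example; not Nmap's implementation. Defaults can be changed by an
administrator and some stacks reflect the probe's own TTL, so treat the
result as a hint for asset inventory, not a determination.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Common default initial TTLs and the OS families that typically ship them.
INITIAL_TTLS: Dict[int, str] = {
    32: "legacy Windows 9x (typical)",
    64: "Linux / *BSD / macOS (typical)",
    128: "Windows NT family (typical)",
    255: "Solaris / Cisco IOS / many network devices (typical)",
}


class TtlGuess(NamedTuple):
    initial_ttl: int
    hops: int
    os_hint: str


def guess_initial_ttl(observed_ttl: int) -> Optional[TtlGuess]:
    """Round an observed TTL up to the nearest canonical initial value.

    57 -> (64, 7 hops); 117 -> (128, 11 hops). Returns None for values outside
    the 8-bit range or for 0, which never arrives at a host. A TTL of exactly
    64 is read as 0 hops from a 64 stack rather than 64 hops from a 128 one;
    paths that long are rare enough that the nearest ceiling is the safer bet.
    """
    if not 1 <= observed_ttl <= 255:
        return None
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return TtlGuess(initial, initial - observed_ttl, INITIAL_TTLS[initial])
    return None  # not reachable: 255 is the ceiling


def summarize_hosts(packets: List[Tuple[str, int]]) -> Dict[str, TtlGuess]:
    """Return the most common guess per source host from (src_ip, ttl) pairs.

    Voting across packets smooths out a single reflected or odd TTL. Packets
    with an invalid TTL are ignored, so a host with only such packets is absent.
    """
    votes: Dict[str, Counter] = {}
    for src, ttl in packets:
        guess = guess_initial_ttl(ttl)
        if guess is None:
            continue
        votes.setdefault(src, Counter())[guess] += 1
    return {src: tally.most_common(1)[0][0] for src, tally in votes.items()}


# Constructed sample observations (documentation addresses, not real captures).
SAMPLE_PACKETS: List[Tuple[str, int]] = [
    ("192.0.2.10", 57), ("192.0.2.10", 57), ("192.0.2.10", 64),  # one outlier
    ("192.0.2.20", 117), ("192.0.2.20", 117),
    ("192.0.2.30", 244),
    ("192.0.2.40", 0),  # invalid, ignored
]

if __name__ == "__main__":
    for host, g in summarize_hosts(SAMPLE_PACKETS).items():
        print(f"{host}: initial TTL {g.initial_ttl}, ~{g.hops} hops, {g.os_hint}")
```

Fed from a capture, this gives a defender a cheap first-pass inventory of which stacks are talking on a segment; anything whose guess disagrees with the asset register is worth a closer look, and the "reflected TTL" behaviour Fyodor notes is exactly the kind of disagreement the per-host vote is there to absorb.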
4) Stepping into a network security career
by Anonymous Coward
I'll be graduating this month with a shiny new BS in Computer Science. I've done plenty of Unix sysadmin work throughout college and even deployed some high-interaction honeynets. I'm very interested in network security and systems programming. Do you have any advice for people in my situation who want to head into a career in network security?
Fyodor
Congratulations on your graduation! Unfortunately (for newcomers), the security field is one that often expects substantial experience and references. This is partly because these jobs require extraordinary trust, and also because of an aversion to mistakes. Everyone makes mistakes, but they can be extraordinarily costly in security and neophytes tend to make more of them. But don't lose hope! Talented security minds are still in very high demand, just be aware that you will have to work even harder to prove yourself.
Here are my suggestions for anyone starting out in network security, whether for fun or profit:
Step 1: Learn everything you can
- You may wish to start with reading a general overview of security, such as Practical Unix and Internet Security 3rd Edition.
- Reading alone won't teach you much. Hands-on experience is critical, so I would set up at least a basic test network. At the very minimum you should have a Unix box or two and a Windows machine (because these are very common in the real world). You can use very cheap machines, or even emulate a large network with virtualization software such as VMWare.
- Next you should learn more about how attacks are performed. Take a look at the excellent and free Open Source Security Testing Methodology Manual (OSSTMM). This document aims to provide a comprehensive framework for security testing. But it mostly lists tasks to perform, without specifying how to do so. You will gain a lot from this manual if you research the tasks you don't know how to complete, and if you actually try performing the tasks on your test network. If this manual is too curt or hard to follow, you could try a more verbose book on vulnerability assessment, such as Hacking Exposed 4th Edition.
- Now that you understand many of the general security ideas, it is time to get current. This is one area that has actually become easier in the last decade. The thinking used to be that vulnerability information should only be distributed to well-known and trusted administrators and security researchers through private digests such as Zardoz. This was a disaster for many reasons, and the full disclosure movement was born. In the last couple of years things have started to shift toward more limited ("responsible") disclosure and there is also a disturbing pay-money-for-early-disclosure trend. But information is still much more available than it used to be. Most of the news is carried on mailing lists, and I archive the ones I consider the best at Lists.Insecure.Org. You must subscribe to Bugtraq, and I would also highly recommend pen-test, vuln-dev, and security-basics. Read at least the last 6-12 months of archives. Choose other lists that correspond to your interests. SecurityFocus also offers a security-jobs list which is an excellent resource for finding jobs or just understanding what employers desire.
There are two major reasons for reading Bugtraq. One is that you must react quickly to new vulnerabilities by patching your servers, notifying your clients, etc. You can get this by simply scanning the subject lines or advisory summaries for bugs that directly apply to you. But then you will miss out on another crucial purpose of Bugtraq. Actually understanding a vulnerability helps you defend against it, exploit it, and identify/prevent similar bugs in the future. When you are lucky, the advisory itself will provide full details on the bug. Check out this excellent recent advisory by Core Security Technologies. Note how they describe exactly how the Snort TCP Stream Reassembly vulnerability works in detail and even include a proof-of-concept demonstration. Unfortunately, not all advisories are so forthcoming. For bugs in Open Source software, you can understand the problem by reading the diff. The next step is to actually write and test an exploit. I would recommend writing at least one for each general class of bug (buffer overflow, format string, SQL injection, etc.) or whenever a bug is particularly interesting.
Be sure to read the latest issues of Phrack and the research papers posted to the mailing lists. Send your comments and questions to the authors and you may start interesting discussions. Read well-regarded books on the security topics that interest you most.
I can't emphasize enough that you should intersperse hands-on work with all of this reading. Install unpatched RedHat 8 (or whatever) and run Nmap and Nessus against it. Then compromise it remotely, maybe via the latest Samba hole. Start out with a prewritten exploit from Bugtraq, which isn't quite as easy as it sounds. You may have to modify the 'sploit to compile, brute force the proper offset, etc. Then break in again using a different technique, and your own exploit. Install Ethereal and/or tcpdump and ensure you understand the traffic on your network during both your exploitation and normal network activity. Install Snort on an Internet-facing machine and watch the attacks and probes you'll experience. Wander around your neighborhood with Kismet, Netstumbler, or Wellenreiter on your Laptop or PDA to look for open WAPs. Install DSniff and execute an active MITM attack on an SSH or SSL connection between two of your computers. Take a look at my Top 75 Tools List and ensure you understand what each does and when it would be useful. Try out as many as you can.
- Take a vacation, or at least a weekend camping! You deserve it! The steps above would probably take at least 3-12 months full-time, depending on your motivation level and the depth and breadth of your research.
Now you have learned enough to be dangerous. At this point, you would have little trouble obtaining most certifications, after studying the specifics of each topic. If your main goal is to find a job quickly, perhaps adding these extra feathers to your cap might be worthwhile. But I think your best bet is to prove your knowledge by joining and contributing to the security community. While this does indeed help others, it isn't an entirely selfless act. It improves your skills, leads to important contacts, and demonstrates your knowledge and ability in a constructive way. The latter is important if securing a career is one of your goals. These steps should also be fun! If not, perhaps you should keep looking at other fields. Here are some ideas:
Start participating with insightful comment and answers on the mailing lists. This is very easy and serves as a great learning experience, way to meet people, and garners some name recognition. If a security manager with a stack of 60 resumes recognizes your name, that is a huge win!
When a new worm or a big new vulnerability comes out, everyone wants to know the details. If you stay up all night disassembling the worm/patch and write the first comprehensive analysis, many folks will find that valuable. And you will learn a lot. Let your first priority be quality - if someone beats you to it, just compare your results with theirs to see if you (or they) missed (or misinterpreted) anything. You can also post your own exploits, although that is more of a political hot potato.
Attending security conferences is a great way to learn, party with fellow hackers, and network (in every sense of the word). Much better is to speak at these conferences. This field changes rapidly so there are always new topics and technologies to discuss. You don't have to be a well-known expert with a long history - just learn your topic well and put in the effort for a quality presentation. You could present at Defcon, at one of the more commercial events, or at a smaller regional con like ToorCon, CodeCon, Hivercon, etc. Among other advantages (often free admission/travel/hotel), this is a great way to meet people with similar interests. I spoke at the latest CanSecWest and have submitted a proposal for the next Defcon.
Now that you've seen and understand a wide variety of software vulnerabilities from your Bugtraq research, start finding your own. You can start by downloading any PHP app from Sourceforge. Most of those are hopelessly vulnerable to Cross-Site-Scripting, SQL injection, and/or remote code execution by "remote include" directives. Many (if not most) Windows shareware daemons are also vulnerable to simple buffer overflows and format-string bugs. Notify the authors and then write an advisory. After a few of these "easy targets", try breaking some more widely deployed programs.
Write a security tool! I could list some suggestions, but by this point you will have many of your own ideas as to what is needed. Scratch an itch.
I hope this helps. If you want more suggestions, Ask Slashdot. From that story, I found this post particularly insightful, especially the emphasis on "people skills". I don't claim to have any, but understand the value :).
5) Have you ever been tempted to use your gifts...
by Tim_F
...in a negative manner?
Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?
And if you haven't, why is that the case?
Fyodor
I never do script-kiddie style "hack any random vulnerable box on the Internet" cracking. But sometimes I will launch targeted attacks at specific companies. I'll usually start with just a web browser and various search engines to learn everything I can about my target. I need to understand what the company does, who it partners with, and whether it has any corporate siblings, subsidiaries, or parents. Beyond that, posts by individual employees can be a gold mine. Besides providing names and titles for social engineering and brute force password attacks, the IPs in the mail/news routing headers can be very valuable. One of the reasons I run my own mailing list archive is to maintain access to the raw mail folders which contain the routing info and X-no-archive posts that web archives strip out. Another advantage to locating employees is that you can send them trojan executable attachments, which can be a very effective way into the network.
Next I'll gather known IP network information on the companies via DNS, whois, regional registries like ARIN, routing info, Netcraft, etc. Then comes the scanning (I tend to use Nmap), application-probing, vulnerability discovery, and exploitation stages.
Of course, I only do this when the company is paying me to do so. Performing these pen-tests offers several advantages over blackhat activity:
- You don't go to jail (If you've worded your contract carefully.)
- Instead of having to keep your übertechniques secret to avoid prosecution, you get to demonstrate them to management.
- They actually pay you for this! And you are helping to protect them and the privacy of their customers.
Now some people might ask how you gain these skills without practicing on other networks first. Cheap hardware and the evolution of free UNIX operating systems have made this much easier than in the past. See the previous answer for some suggestions. And remember that you can always work together with friends, or participate in hacking contests like Defcon's Capture the Flag.
6) You'll have seen a lot of breakins.
by Hulver
During your time running Honeypots, you'll have seen a lot of compromised systems. Is there any incident that's really stuck in your mind because of the audacity of the attempt, or the stupidity of the person attempting the breakin?
Fyodor
On the humorous front, one attacker was running a public webcam during his exploits, so we were able to watch him crack into our boxes in real time :). I will resist the urge to link a screenshot. His rough location was determined when we noticed Mrs. Doubtfire playing on his TV and correlated that with public schedule listings. He was working with a Pakistani group, but was actually on the US East Coast.
In the "disturbing audacity" front, this year we found that a group of crackers had broken into an ecommerce site and actually programmed an automated billing-system-to-IRC gateway. They could obtain or validate credit card numbers by simply querying the channel bot! Expect a more detailed writeup soon.
7) What makes a honey net enticing?
by cornice
It seems that many of the honey nets that the average hobbyist would run are built to attract a lesser cracker. What I mean is that ports are left open that normally would not be left open. Services are running that normally should not, etc. I think that a really smart fish would see this as nothing but a cheap lure and refuse the bait. Do you think it's possible to fool the really smart fish? Is it possible to bait with something enticing enough without tipping off the big fish? Does publication of your work make this task more difficult?
Fyodor
Excellent question, and I had many of the same concerns upon joining the project. Then I remembered that most of the attacks and real-world compromises are committed by these marginally skilled script kiddies. So there is still a lot of value in understanding their tools, tactics, and motives. Despite this apparent limitation, I have been surprised by some of the sophisticated things we have found. For example, the first known "in the wild" attack using the Solaris dtspcd vulnerability was caught by one of our honeynets and resulted in this CERT advisory. Then one of our Honeynet Alliance members had their Win2K honeypot compromised and joined into a botnet with 18,000 machines! Attackers on such a grand scale won't even know all of the companies they have compromised, much less whether any of the systems are honeynets.
I do believe baiting the "smart fish" might be possible, but I have never done this. It is not legally entrapment, as we aren't any sort of police force, but I am not very comfortable with the idea. If someone attacks my box that is just unobtrusively sitting on the network, I believe the attacker should have no expectation of privacy for his activities on the system. Things become more complex if I try to lure the attacker.
8) IPv6
by caluml
Do you think that with the very large address space of IPv6 that random scanning for a certain port will die off? (I notice nmap doesn't support random IPv6 address scanning - maybe you've already come to the same conclusion?) Simply put, the chances of finding a machine if it's not advertised anywhere will be very much reduced. Will this make people lazy and complacent, trusting on the large numbers involved to protect them?
Fyodor
Finding a machine by pinging a completely random 128-bit address will probably never be effective. Fortunately, we won't have to! Nmap does not even do that for 32-bit IPv4 addresses - it is smart enough to skip huge blocks of address space that are unallocated or used for private (RFC1918, localhost) addresses. We will also see patterns emerge for IPv6. For example, they may often be allocated sequentially so that finding one leads to many others. I am waiting until adoption rises and we start seeing these patterns emerge before I can implement them appropriately in Nmap. Certain new DNS features may also prove useful for locating IPv6 machines and networks.
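The address-space skipping Fyodor describes is something a defender wants on the other side of a scan too: a target list for an assessment should never contain loopback, link-local, multicast or unallocated addresses, and never anything outside the agreed scope. The block below is an added example written for this page, not Nmap's logic and not from the interview. It uses only Python's standard ipaddress module; the notion that only 2000::/3 is assigned for IPv6 global unicast is current IANA policy, and the scope and candidate lists are constructed (the public resolver 8.8.8.8 and 2600::1 appear only as values that classify as global).

```python
"""Scope and address-space checks for a scan target list.

Added example; not Nmap's own implementation. Nmap skips unallocated and
private space internally when picking random targets; this shows the same
idea as a pre-flight check on a caller-supplied target list.
"""
import ipaddress
from typing import Dict, List, Tuple

# IANA currently assigns global unicast only from 2000::/3 (one eighth of the
# IPv6 space), so an address outside it cannot belong to a reachable host.
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")

# Labels for addresses a scanner should never spend packets on.
NEVER_PROBE = ("loopback", "link-local", "multicast", "unallocated", "reserved")


def classify(addr: str) -> str:
    """Label an address by the reason a scanner would (or would not) probe it."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:  # RFC 1918, documentation nets, ULA and similar special-use
        return "private/special-use"
    if ip.version == 6 and ip not in GLOBAL_UNICAST_V6:
        return "unallocated"
    if ip.is_reserved:  # e.g. IPv4 240.0.0.0/4
        return "reserved"
    return "global"


def filter_targets(candidates: List[str],
                   authorized: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Split candidates into accepted targets and rejected ones with a reason.

    Non-probeable address classes are rejected first, then anything outside
    the authorized networks. Private space inside the authorized scope is
    accepted, since an internal assessment is exactly that case.
    """
    scope = [ipaddress.ip_network(n, strict=False) for n in authorized]
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    for addr in candidates:
        label = classify(addr)
        if label == "invalid":
            rejected[addr] = "invalid address"
            continue
        if label in NEVER_PROBE:
            rejected[addr] = label
            continue
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in scope if net.version == ip.version):
            rejected[addr] = "out of authorized scope"
            continue
        accepted.append(addr)
    return accepted, rejected


# Constructed engagement scope and candidate list (documentation ranges).
AUTHORIZED = ["192.168.10.0/24", "2001:db8::/32"]
CANDIDATES = ["192.168.10.5", "192.168.11.5", "127.0.0.1",
              "2001:db8::7", "4000::1", "garbage"]

if __name__ == "__main__":
    ok, bad = filter_targets(CANDIDATES, AUTHORIZED)
    print("accepted:", ok)
    for addr, why in bad.items():
        print(f"rejected {addr}: {why}")
```

Run before a scan, this turns the "target your scan as tightly as possible" advice from answer 2 into a mechanical check; the rejected dictionary is also a handy thing to keep with the engagement notes, since it records which supplied addresses were deliberately left alone and why.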
9) standalones and small home nets
by zogger
It seems like most of the emphasis is on enterprise networks, but that still leaves millions and millions of home machines and small home networks just stuck. What do you see as some of the trends and solutions for those people? Their data and system integrity is just as important to them as any corporation's is, and since they usually do not have the appropriate skill set, it is even harder to implement.
Fyodor
I am afraid the focus by security companies on enterprise networks will continue, as that is where the money is. The good news is that securing small home networks is far easier. But that doesn't make it simple, nor mean that many people will bother. I would categorize the risks into 3 categories:
Traditional network server vulnerabilities: Your average home user doesn't need to run any network daemons or have any TCP/UDP ports open to the Internet. Most of the time they only have 1 IP, used either by a standalone PC or a NAT device (e.g. "broadband router") in front of their small network. This is a good configuration, as it limits what attackers can reach directly. But you need to be sure that the IP doesn't have any unnecessary ports open. You can verify this by running 'netstat' on the Windows or UNIX machine using the IP. I would also recommend confirming using a port scanner such as Nmap. Here are example commands:
nmap -p- -sS -T4 -v -O [your IP]
nmap -p- -sU -v [your IP]
The TCP and UDP scans could be combined into one execution, but are listed separately since the TCP scan may go much faster. Remote UDP scans are also less reliable against some heavily filtered hosts. You may have to rely on the netstat info or configuration details in this case. Any open ports found should be evaluated with extreme prejudice. Unless clearly necessary, close Windows file sharing, external NAT device admin ports, and everything else found.
Don't forget the wireless backdoor! Blocking the Internet link from your private machines is insufficient if anyone can hop on your open WLAN and attack your machines. WEP isn't perfect, but the 104-bit (so-called 128-bit) version should at least keep people from accidentally connecting to your network or sniffing your data. Be sure to set a good password and upgrade to recent firmware for your WAP and other network devices.
Subscribe to the security advisory lists for all the operating systems (and devices, if available) you run. Major vendors such as RedHat, Debian, FreeBSD, Mandrake, and Microsoft all offer these. Most even offer automatic updates if you desire that.
Client vulnerabilities: Once you close the services you don't need (ideally all of them), client vulnerabilities must be addressed. Keeping your web browser and mail reader up-to-date is particularly crucial. Also harden them as much as possible. For example, IE is full of holes but at least has a good interface for site-by-site security policies (Tools -> Internet Options -> Security). Go through and neuter the "Internet zone" settings by disabling ActiveX and Java. In the rare case that sites need this, find an alternative site or add them to the trusted zone. If you are really serious about security, neuter "trusted sites" and "local intranet" privileges as well. Many recent IE vulnerabilities trick the browser into using the wrong zones. Consider using a different browser. Also configure your mailer to disregard HTML and JavaScript.
Remember to pay careful attention to security warnings, whether they come from IE, Mozilla, your ssh client, or anything else. Don't just click OK. And don't shoot yourself in the foot when configuring your apps. It is hard to entirely blame the vendor when users tell P2P apps or Windows filesharing to share their whole drive without any password. Failing to change default passwords or enable basic restrictions on X Window or FTP servers is only slightly more forgivable. All of these errors happen frequently! The apps/devices should be secure by default, but you have the ultimate responsibility for protecting your data.
Malware: This is what I consider the biggest problem on desktops: people running applications they can't trust. Email borne viruses, worms and trojans are an obvious example. Be very careful what you click on. Unfortunately, it is very difficult to know what to trust. Mail is trivial to forge, and even the "proper" installers for many P2P applications infest your computer with loads of invasive spyware. Even Intuit TurboTax was caught writing to customers' boot information track.
What can you do? My honest suggestion is to run peer-reviewed open source applications on a free OS such as Linux or FreeBSD. You still have to be careful, but these problems are far less prevalent on UNIX platforms, which also have better tools and procedures to deal with them.
What if dumping Windows is not an option? Run NT/2K/XP instead of Win9X/ME, and try to run everything you can as an unprivileged (non-administrator) user. Be extraordinarily careful about what you install and run, and make frequent backups. You might also want to look into a personal firewall such as Zone Alarm (limited free version).
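The first of Fyodor's three categories above comes down to one check: what is listening, and on which interface? As an added example written for this page (not from the interview and not a tool of Fyodor's), here is a small reviewer for Linux netstat -tuln style output. It separates sockets bound only to loopback from those bound to a routable or wildcard address, drops TCP sockets that are not in LISTEN state, and reports every exposed port not on an allowlist. The input text is a constructed approximation of netstat output, and the allowlist of one SSH port is an assumption for the demonstration.

```python
"""Review listening sockets from netstat-style output.

Added example; the input is a constructed approximation of Linux
`netstat -tuln` output, and the allowlist is chosen for the demo.
"""
from typing import List, NamedTuple, Set, Tuple


class Listener(NamedTuple):
    proto: str      # "tcp" or "udp"
    family: int     # 4 or 6
    address: str    # bound address with any brackets removed
    port: int
    exposed: bool   # True when other hosts can reach the socket


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'addr:port', handling '0.0.0.0:22', ':::445' and '[::]:445'."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)


def _is_loopback_only(addr: str) -> bool:
    return addr == "::1" or addr.startswith("127.")


def parse_listeners(text: str) -> List[Listener]:
    """Parse netstat lines into Listener records, skipping headers and
    non-listening TCP sockets (ESTABLISHED, TIME_WAIT and so on)."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue  # banner or column header
        proto_raw, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""  # UDP lines have no state
        if proto_raw.startswith("tcp") and state != "LISTEN":
            continue
        addr, port = _split_endpoint(local)
        listeners.append(Listener(
            proto=proto_raw.rstrip("6"),
            family=6 if proto_raw.endswith("6") else 4,
            address=addr,
            port=port,
            exposed=not _is_loopback_only(addr),
        ))
    return listeners


def review(listeners: List[Listener],
           allowlist: Set[Tuple[str, int]]) -> List[Listener]:
    """Return exposed listeners whose (proto, port) is not explicitly allowed."""
    return [l for l in listeners
            if l.exposed and (l.proto, l.port) not in allowlist]


# Constructed sample output; an ESTABLISHED line is included to show the
# state filter, as it would appear without the -l flag.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::445                  :::*                    LISTEN
tcp        0      0 192.168.1.20:49152      192.168.1.1:443         ESTABLISHED
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
"""

# Assumed policy for the demo: only SSH may be reachable from other hosts.
ALLOWED: Set[Tuple[str, int]] = {("tcp", 22)}

if __name__ == "__main__":
    for finding in review(parse_listeners(SAMPLE_NETSTAT), ALLOWED):
        print(f"exposed {finding.proto}/{finding.port} bound to {finding.address}")
```

The ports this reports as exposed are the ones the two Nmap commands above should also show from another machine; a port that netstat shows but Nmap does not means a firewall or NAT device is filtering it, and a port Nmap shows that netstat does not means the listener belongs to the NAT device itself (its admin interface, typically), which is exactly the "external NAT device admin ports" case Fyodor says to close.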
10) What is your favourite tool?
by Noryungi
I have just read your top 75 security tools list. Thank you for posting all this information, which I am going to study very carefully.
One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).
Fyodor
I have far too many favorites among this great group to choose just one! But here are a few developers and tools that are particularly worthy of mention:
One of the people I most admire in the security field is Solar Designer. He is a guru in networking, security, and low level kernel/assembly/architecture details. He has also created many tools that security professionals use daily. Yet he never exhibits the arrogance, elitism, and egotism that sadly characterizes so many "stars" of the security community.
Among SD's tools is John the Ripper, my longtime favorite local password hash cracker. It has been around forever, but was written with a flexible and powerful interface while keeping extensibility in mind. So it is still as useful in these days of shadowed password files and MD5/Blowfish hashes as it was back in the days of crypt() and unprotected /etc/passwd. Lately SD has been working on the Owl secure GNU/Linux distribution, which can be installed on disk for hardened systems like firewalls, or booted and run from CD as an easy way to run security tools such as John and Nmap.
Another of those "brilliant yet still nice" security developers is Dug Song. Even after the seminal "Insertion, Evasion, and Denial of Service" paper by Ptacek and Newsham, many IDS vendors continued to ignore the problem. When Doug released Fragrouter (now fragroute), which implements some of these attacks, vendors finally took notice! He has also written the excellent libdnet library, but my favorite of his tools is DSniff, a suite of tools for advanced network sniffing and "monkey-in-the-middle" attacks. It even handles ARP poisoning and other techniques for sniffing hosts on a switched LAN.
While I'm on this topic, let me also give "mad props" to the Hping2 packet prober, Kismet wireless stumbler, Ethereal packet decoder, Netcat, recent THC releases, Snort IDS, the Nessus vulnerability scanner, and all the other great Open Source tools out there!
I would also like to thank Slashdot for granting me this interview and to everyone who asked such excellent questions. I only wish I had time to answer more of them. Then again, I have probably rambled on enough. Now it is your turn to ramble in the comments :).
Cheers,
Fyodor -
ReplayTV and TiVo Compared
j0atz writes "The New York Times is running a story today that, while it's a bit redundant in the beginning and a bit short on technical details later, gives a rundown the newest features for ReplayTV (numbered 4000 or above) and TiVO (Series2); basically, you can program your favorite DVR to record a show from a remote computer or from another (same-brand) DVR. Along with that, you can stream MP3's and pictures with TiVo now. Still...I'd much rather use something like FreeVo or MythTV and actually burn my shows to cd, stream whatever I want, etc, etc." -
Intrusion Detection with Snort
Eric Stats writes: "At one point in the not so distant past, Intrusion Detection Systems (IDSs) were network security applications reserved for Fortune 500 companies with enough IT budget to fork up the Big Dollar, or hard core packetheads willing to grep through tcpdump or shadow output. Over the past few years, a new pig on the block, Snort, has put that notion to rest. Instead of having to spring for hundreds of thousands of dollars for a feature-rich, state-of-the-art, IDS; open source fans now have an IDS that meets and beats most of the performance benchmarks and features of commercial, closed source IDSs. Jack Koziol's new book, Intrusion Detection with Snort, presents a comprehensive guide that those either novice to, or richly experienced with, the field of Intrusion Detection can use to get up to speed quickly on Snort." Read on for Eric's review.
Intrusion Detection with Snort
author: Jack Koziol
pages: 400
publisher: Sams
rating: 9
reviewer: Eric Stats
ISBN: 157870281X
summary: Handbook on the open source Intrusion
What Koziol implies throughout Intrusion Detection with Snort, but never states outright, is that Snort holds an inherent advantage over closed source IDSs, in that the IDS itself can be tailored and customized for each individual deployment to a level not possible for closed source competitors. If you have had the displeasure of working with a rigid, uncustomizable, IDS you already know where this is going ...
In order for an IDS to be effective, or in some high-bandwidth cases, even usable, detailed network and business context must be applied to the IDS. In a nutshell, IDSs are not as plug-and-play as firewalls or other security applications. For example, if you know you are not running any HTTP traffic on the segment where the IDS is sniffing, you may not want your IDS to waste cycles looking for attacks on Apache. On the other hand, you may feel that the mere presence of HTTP traffic may indicate something innately suspicious, so it is of value to watch for any HTTP traffic. It all depends on what you feel are legitimate threats to the network you are attempting to protect. Snort gives you the power to "watch" for specific attacks, protocol anomalies, or other chatter that has no legitimate business running on your network. Other closed source IDSs don't, or can't, have the same flexibility. Only Snort can implement something as detailed as "Send a page to the CISO's phone if this particular subnet attacks these Apache servers with the chunked encoding exploit."
With Snort, novices can easily write attack signatures (called rules), enable or disable specific protocol decoders, and detect advanced attacks such as exploits utilizing polymorphic shellcode. Without this level of flexibility, you are likely to be flooded with alerts that are not relevant, or, even worse, miss an actual attack that causes irreparable data loss.
Like many open source applications, Snort's biggest downfall has been documentation. Who wants to write boring user manuals when he can write code, right? Well, that's all fine and dandy for Snort developers, but folks that want to actually use all of the neat features can't, unless you tell them they are there, and how to use them. Intrusion Detection with Snort bridges this gap, and offers a clear, concise, guideline that helps plan, implement and maintain Snort-based IDS.
Another oft-cited problem with Snort that Intrusion Detection with Snort addresses is the lack of Snort features that are not directly related to intrusion detection. In essence, Snort's developers have concentrated on creating the world's best application for detecting unauthorized activity, and left everything else to other applications. If you want to organize and manage the alerts generated by Snort you have to use another application (ACID). If you desire alerts via email or pager you need another tool (swatch or syslog-ng). If you want to centrally manage attack signatures for multiple Snort installations, guess what? You need another tool (IDS Policy Manager or SnortCenter). Finding, installing, and getting all of these tools to work right can be frustrating, so Koziol walks us through these issues, and in the end we have an IDS rivaling the expensive commercial solutions.
On to the nitty-gritty of the book. Essentially, this book is organized into three logical sections, even though the author did not choose to make these demarcations in print. The first section introduces us to intrusion detection in general and features of Snort. The second section is a detailed installation guide, which walks through setting up and installing the various components of a distributed Snort setup. The final section focuses on post-installation and maintenance tasks, as well as advanced topics.
In the first section, the different breeds of IDS (Host and Network) are honestly presented, Koziol acknowledging in great detail some of the major shortcomings of IDS technology. The book then moves to describing Snort in great detail in an unbiased fashion. Other books on this subject written by Snort contributors are less forthcoming with Snort's disadvantages. The inner workings of Snort (such as packet decoders and libpcap) and the largely undocumented preprocessors are described in detail, giving tons of real-world examples. The examples are somewhat current, and describe exploits commonly found 6-18 months ago. Although the actual exploits found in the wild may change over time, the strategies for discovering them with Snort should remain relatively constant. The book then moves into the activities required in planning for a Snort-based IDS installation. Some of this is common sense for experienced security practitioners, such as establishing an incident response plan (the "Oh shit, I've been hacked, what do I do now!?!?"), but is relevant for novices. Other topics introduced in this section are:
Sensor placement: where to place an IDS from a network design perspective for maximum benefit.
Inserting a sensor into an in place network: covers using taps, span ports, and dedicated hubs.
Specific hardware and OS considerations: basically, why a flavor of Unix is best for Snort.
Creating a unidirectional sniffing cable: allows network traffic to flow in a single direction, minimizing risk to an IDS segment.
The second section is a detailed guide to building a distributed or 3-tiered Snort IDS. Getting the three components, the sensor (where Snort is actually installed), the server (database, alert management, and reporting server), and the analyst console (secure place to access other components and store config files and scripts) up and working on Linux takes up the bulk of this section. The analyst console chapter walks through the ever-popular Analysis Console for Intrusion Databases (ACID). Attention is paid to configuring a secured setup that encrypts traffic between the various sensors, servers, and consoles. Various packages and tools are described, as well as condensing all of the Snort tiers onto one physical box. Installing and configuring on Windows is covered as well, although this choice of setup is not as thoroughly explained as the others. The third and final section picks up where most books that deal with a specific application or software package too often leave off, namely, keeping the damn thing working. A chapter is dedicated to tuning Snort, and what thresholds can be configured to maximize benefit and performance. Getting real-time alerting via email working with ancillary tools is covered in a dedicated chapter. Developing a targeted ruleset (a set of automagically generated signatures that will only detect attacks that have the potential to be successful) using a custom shell script is described.
A very important topic in Snort administration, writing custom rules (attack signatures) gets its own chapter. The syntax for creating rules is clearly described, followed by concrete examples. The book works through writing rules by reading through raw packet captures (last year's Slapper worm is a particularly good example). This is followed by upgrading and managing rules, which is highly useful if you have a number of Snort installations to manage. Finally, Intrusion Detection with Snort closes with a chapter on advanced topics. The advanced topics chapter primarily covers the latest fad 'Intrusion Prevention.' Snort can be made into an IPS device via packet scrubbing or shunting. For packet scrubbing, the Snort Inline patch is used and the box is placed in between a trusted and untrusted network, dropping packets that match specifically created rules. Shunting is accomplished with SnortSam, which basically sends a request to a border router or firewall to block an attacking IP address for a predetermined period of time.
Overall, Jack Koziol's Intrusion Detection with Snort is a viable text for learning Intrusion Detection with the world's premier open source IDS. Even if it is light on diagrams and pictures, it still comes highly recommended from this reviewer.
You can purchase Intrusion Detection with Snort from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
ClusterKnoppix
chronicon writes "Knoppix is the ultimate live CD. No geek-kit should be without it. Now Wim Vandersmissen has taken it a step further by adding openMosix functionality. Drop the clusterKnoppix CD in your "server", boot up... boot up some networked clients... Knoppix's built-in LTSP magic kicks in and ta-da--instant cluster!" -
Duke Nukem 3D Ported To Dreamcast
An anonymous reader writes "Just noticed over at Boob! that Duke Nukem 3D has had its first non-x86 port - for the Sega Dreamcast. Downloads and other info are available at the SDL-DC Sourceforge page." This port, which was made possible by the Duke 3D sourcecode release we reported a while back, is based on a Linux port using SDL, and requires a Dreamcast keyboard in order to play. -
Jazilla Milestone 1 Released
mcbridematt writes "Many of the long time Slashdot readers will remember the Jazilla project to rewrite the Mozilla browser in Java. It went into hibernation in 2000 and I took it over last August. I have completely rewritten the browser, which now follows a more Mozilla-like architecture. The Result: Jazilla Milestone 1 has been released. Download it from here. No prizes for guessing that it's Alpha software." Read on below for a list of what Jazilla can do, so far.
"Significant (implemented) features include:
- chrome:// support
- JavaScript implemented for the GUI thanks to the Mozilla.org Rhino engine. HTML Scripting coming.
- GUI in part, uses XUL and W3C DOM
- Written in 100% Java
- Open Source
- Uses the NetBrowser renderer, which is actually based on Jazilla-classic work."
-
P2P Meets Push
meonkeys writes "What if you could securely subscribe to a trusted P2P file broadcaster? Check out konspire! An interesting concept; implemented in C++ and controllable via a cool Web interface ala Mutella." -
Famicompo NES Music Competition Launched
Thanks to an anonymous reader for communicating that the Famicompo Nintendo NES music competition is underway. The entry period lasts until the 15th June, and recommended composition tools include the Nerdtracker II 'tracker' for DOS, or even the text-based MCK system. This is pretty arcane but interesting stuff - to check out some more recent NES music (in .NSF format), try The Sounds Of 2A03 page and a player like Festalon. -
WarBSD 0.1 Released
Dan writes "Stacy Olivas has put together a hack of PicoBSD .500 using the FreeBSD 5.0-RELEASE-p7 source tree. After seeing WarLinux and how it used an embedded version of Linux to get the job done, he started wondering if PicoBSD could be used for the same thing. He calls it WarBSD. Its main intended use is for systems administrators that want to audit and evaluate their wireless network installations." -
Play PSX Games On Your Xbox
falzbro writes "Now Xbox owners (well, modded Xbox owners) can do what the Playstation people have been able to do for years; play PSX games on your console! PCSX has been ported to the Xbox. It's unfortunate that the homebrew Xbox development scene is stuck in a world of pseudo-legality, due to the lack of a usable Legal XDK. A compatibility list is currently being hammered out, and it's limited to only playing games stored on your Xbox HDD." -
Install An Xbox/Linux Media System In Your Car
AltGrendel writes "Bored during those rush-hour traffic jams? An enterprising UK geek has installed an Xbox/Linux system in his car. With a mod chip, Freevo, a LogiTech Wingman, and a 40 gig hard drive, he has access to music, video, and games during drive time. Details and pictures are here." -
Dreamcast Web Server Running Off Memory Card
Adrian writes "I have written a new file system for Linux - to read and write files on the Sega Dreamcast's visual memory unit (VMU), a small slab of flash memory used by the console to save game files. To see it in action - and see a DC serve some html, go to the Landslide test server - though I have no doubt that micro_http, the web server I am using (said to be the world's smallest), will result in the quickest Slashdotting in history :)" Gentlemen, start your mirrors now. -
Computationally Cheap Spam Filtering?
Roadmaster asks: "Usually, the most effective spam filtering techniques are somewhat resource intensive. Heuristic checkers like Spamassassin, or bayesian filters like spamprobe, are processor and storage hungry. This is fine for small setups; I've been using spamprobe to filter spam for 3 users with great results. I'm now however faced with a big challenge: a mail server that will eventually be handling mail for over 50,000 users and needs to have some sort of anti-spam measures. What are some good and computationally cheap spam prevention measures?"
"Ideally, I'd prefer something that does reject the message if it's spam (SMTP result code 550 or something like that), unlike current Spamassassin or spamprobe setups that accept the message and only later decide whether it's spam. Solutions like MAPS RBL, ORBS are acceptable although commentary on their accuracy would be welcome. Other possibilities I've thought of include checksumming (Vipul's razor or DCC) and simple header checks that could be implemented for instance in a sendmail milter.
Are several quick checks (DCC + RBL) accurate enough and still cheaper than one slow check (Spamassassin, bayesian filtering)? Does stacking of similar techniques improve accuracy significantly? (DCC + Razor, RBL + ORBS). How can the good but expensive techniques be made cheaper? (Spamassassin's spamproxyd, hashed wordlists for bayesian filters, and so on). Discussion on all these aspects would yield some interesting conclusions on quick and efficient spam filtering."