Domain: wireshark.org
Stories and comments across the archive that link to wireshark.org.
Comments · 84
-
Re:What's IT?
-
what do you mean if ..
-
detecting malware ..
Under Windows, there is no sure way of detecting malware once it's already installed, as it takes steps to hide itself.
The only sure way is a clean install or re-imaging from a hidden partition at boot. Something that would be a pain to set up and probably wouldn't even work with the current incarnation of Windows.
Your best bet is to get your friend to install these Sysinternals utilities and see if they can detect the keylogger by its activity. Monitoring activity at the firewall is also a good place to detect suspicious activity.
What is it about Windows that your friend absolutely needs to use? Are there alternatives out there?
If you absolutely can't survive without Microsoft applications then why not use a version of Linux that comes with CrossOver; this allows Windows applications to run natively on Linux, without the same level of malware threat, e.g. by clicking on a URL or opening an email attachment. -
Re:Another opportunity to post...
I used to use this one.
-
Re:Award-winning?
-
Re:Yes, Yes, and it does... (Buried Lede?)
But what was added to make it 1.0? What is new?
Ah I thought you wanted a general outline. To see what changed check out the release notes:
http://www.wireshark.org/docs/relnotes/wireshark-1.0.0.html -
Re:Nokia more involved than I thought
You can add Wireshark to the list.
-
Re:Fewest Users = Fewest Flaws
It occasionally decides that one of the other machines has dropped off the LAN even though all other machines can see it and connect to it. When that happens, the only recourse is a reboot.
I found a bug like that once in eCos. Sometimes the embedded system would see other machines on the net, sometimes not. Turned out it was a bug where they had some union for sockaddr* structures in the driver and the space they were allocating for the structure wasn't the max size of all the union's parts, so the ARP table got corrupted. No ARP table entry for a machine, no way to talk to that machine. Apparently, it wasn't a problem if you used DHCP, but since our Linux Priesthood declared that /etc/hosts must be used ("a DHCP server would just be another thing that can break"), nobody else ever caught it. (It was fun writing an /etc/hosts equivalent function, since eCos doesn't assume a filesystem, but I digress.)
You could fire up wireshark and see if your iCandy machine is sending out ARP packets asking for the machine it claims has disappeared. That's what nailed it down for me.
Of course, since eCos was open source, I had it fixed with the help of some forum posters inside of a week. No problems since. Wonder how that would work out with closed-source stuff, like VxWorks or uC/OS-II. Oh, yeah, they'll charge me $50k or so to get the source so I can fix it myself, or they'll make me send a complete set of test hardware and source code to them for them to look at, and they'll find it in a couple months, and the bug fix will be in the next version six months to a year after that. Can't say I miss those days. -
Packet errors are checksum offloading
Wireshark will report checksum errors with any NIC that does checksum offloading.
Read up on it here: http://www.wireshark.org/docs/wsug_html_chunked/ChAdvChecksums.html
Checksum offloading often causes confusion as the network packets to be transmitted are handed over to Wireshark before the checksums are actually calculated. Wireshark gets these "empty" checksums and displays them as invalid, even though the packets will contain valid checksums when they leave the network hardware later.
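As an added illustration (not part of the original comment, and not Wireshark's own code), the following Python computes and verifies the RFC 1071 Internet checksum for a constructed IPv4 header and TCP segment, then classifies each header the way a capture taken with checksum offloading looks: the checksum field is still zero when the OS hands the frame to the capture engine, so a validator flags it, even though the NIC fills it in on the wire. The addresses, ports and field values are made up for the example.

```python
import socket
import struct
from typing import Optional


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum (RFC 1071); a correct header/segment sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero octet
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """Value stored in the checksum field: the complement of the sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64,
                      checksum: Optional[int] = None) -> bytes:
    """Minimal 20-byte IPv4 header carrying TCP. checksum=None computes the correct
    value; checksum=0 models what checksum offloading leaves in the captured copy."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0x1234, 0x4000,  # ver/IHL, TOS, length, ID, DF
                      ttl, 6, 0,                                  # TTL, proto=TCP, checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    if checksum is None:
        checksum = internet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", checksum) + hdr[12:]


def ipv4_checksum_ok(hdr: bytes) -> bool:
    ihl = (hdr[0] & 0x0F) * 4
    return ones_complement_sum(hdr[:ihl]) == 0xFFFF


def _tcp_pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    # The TCP checksum also covers a pseudo-header: src, dst, zero, protocol, TCP length.
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp_segment(src: str, dst: str, sport: int, dport: int,
                      checksum: Optional[int] = None) -> bytes:
    """Bare SYN segment (20-byte header, no options, no data)."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0x10000000, 0,
                      5 << 4, 0x02, 65535, 0, 0)  # data offset 5 words, flags=SYN, window, csum=0, urg=0
    if checksum is None:
        checksum = internet_checksum(_tcp_pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", checksum) + seg[18:]


def tcp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    return ones_complement_sum(_tcp_pseudo_header(src, dst, len(seg)) + seg) == 0xFFFF


def classify(stored: int, ok: bool) -> str:
    """What the analyst sees: valid, corrupt, or never filled in (offload)."""
    if ok:
        return "valid"
    return "unset, probably checksum offload" if stored == 0 else "bad"


def demo() -> dict:
    src, dst = "192.0.2.10", "198.51.100.20"  # RFC 5737 documentation addresses
    seg = build_tcp_segment(src, dst, 40000, 80)
    good_ip = build_ipv4_header(src, dst, len(seg))
    offloaded_ip = build_ipv4_header(src, dst, len(seg), checksum=0)
    # Corrupt the good header by decrementing the TTL without recomputing the checksum.
    corrupt_ip = good_ip[:8] + bytes([good_ip[8] - 1]) + good_ip[9:]
    offloaded_seg = build_tcp_segment(src, dst, 40000, 80, checksum=0)
    return {
        "ip_good": classify(struct.unpack("!H", good_ip[10:12])[0], ipv4_checksum_ok(good_ip)),
        "ip_offloaded": classify(0, ipv4_checksum_ok(offloaded_ip)),
        "ip_corrupt": classify(struct.unpack("!H", corrupt_ip[10:12])[0], ipv4_checksum_ok(corrupt_ip)),
        "tcp_good": classify(struct.unpack("!H", seg[16:18])[0], tcp_checksum_ok(src, dst, seg)),
        "tcp_offloaded": classify(0, tcp_checksum_ok(src, dst, offloaded_seg)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The "unset" verdict is the one you get on outbound packets of the capturing host when offloading is on. Either disable checksum validation in the IPv4 and TCP protocol preferences (on the command line, `tshark -o ip.check_checksum:FALSE -o tcp.check_checksum:FALSE`), or capture on the receiving side or a mirror port, where the NIC has already filled the field in.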
-
Re:Do you trust the EFF?
I'm not a regular slashdot poster and can never remember my nick/pass, so my apologies on the AC. The tool the EFF suggests you use is Wireshark. You can get the source. If you don't trust the EFF but want to verify yourself you can make an independent inspection of the tool they recommend and draw your own conclusions about the results.
-
Re:Holy hyperbole, Batman!
Wireshark has the ability to reconstruct RTP streams, and has been able to for some time. "SIPtap" is doing the same thing. Hyperbole indeed.
-
Re:I've read about this before.
Next, I don't buy it because it's not feasible. How many NSA agents would it take to monitor ALL Internet traffic? That means bit torrents, email (including spam), web traffic (html), tunnels, ATM transactions, credit card transactions, Windows updates, NNTP porn, remote backups, YouTube videos, streaming radio stations and so on. There is just way too much crap flowing over the wires to monitor it all. The NSA, CIA, FBI, US Army, Marines, Navy, Air Force and National Guard combined wouldn't have the manpower to monitor that much data.
Please tell me you're kidding. They use reasonably modern computers to extract obvious information such as URLs of sites visited (extracted from the HTTP header; nowadays this could be done even on a router), search engine keywords (same thing), email addresses (parsing SMTP, again pretty easy), etc. Take a look at what Wireshark could do, for example. There are no humans watching every email/HTTP request/etc. The packet sniffer determines that there is an instant messenger chat, picks up the word "terrorist", flags the IP address, matches the IP to a specific AT&T customer and increases a counter in some database which indicates the probability of you being a terrorist. If you live in NYC and decided to visit your relatives for Christmas, and while you were away your teenage neighbor used your WiFi to chat with his friends about a Counter-Strike match, do you really believe there will be some human reviewing your case before the system puts you on the "no-fly" list and prevents you from coming back?!? This stuff is all automatic; there is some heuristic rule that determines whether you can travel by airplane or hold a job in a bank or buy fertilizer, just like there is a heuristic rule that helps Clippy determine if you are writing a letter. It's a fully automatic system with no independent review or right to appeal.
How else do you fight terrorism? What would you suggest (other than that warm fuzzy "leave them alone and they'll leave us alone" BS)? How would you FIGHT terrorism?
We could sell fewer weapons to nations like Saudi Arabia, where 15 of the 19 9/11 hijackers were from. If we give them $10 billion in arms sales instead of the $20 billion we gave them last summer, terrorist funding will be cut in half. We could alienate fewer Muslims and instead work with Muslim communities to identify terrorists; British police were able to prevent an attack on airplanes thanks to tips from the Muslim community in London. Instead of monitoring AT&T internet connections, we could monitor items like guns and explosives; as of today there hasn't been a single terrorist attack committed purely with iPhones and used DSL modems. We could actually secure access to things like ports and chemical plants instead of trying to identify every single crazy person on Earth who might possibly try to attack them. -
Re:Linux
Running Linux will simply make you a greater suspect - in the current environment, you obviously must have something to hide.
This has already happened. I mean, not literally Linux, but possessing software that can be useful to computer criminals is already illegal in Germany (since October). Like, e.g. Wireshark (http://wireshark.org/). So if you're a network admin and examine your network using suspicious tools, you're halfway in prison. -
Re:But they are hackers
Open the SDK, Apple. Allow the legal unlocking,
Opening the SDK doesn't necessarily imply legal unlocking, given that "unlocking", when talking about a mobile phone, refers to allowing it to work on arbitrary networks, not to allowing third-party apps on it.
and make it easy for people to write apps
...and hard for Apple to change UIKit, for example, if they decide that the version of UIKit in the current release of Handheld OS X needs cleaning up in ways that break binary compatibility with that version.
and then sell them for them on iTunes.
At least one application I would have liked to have had on my iPhone yesterday, to try to figure out why its connection to the Wi-Fi network at the restaurant I was at wasn't working, isn't "sold" (and, yes, there have been earlier versions of it that ran on handhelds, and, yes, somebody did ls -l /dev on a jailbroken 1.0.2 iPhone and the usual four initial instances of my favorite device were there). -
How to check if it's being comcastic.
Easy way to find out. Download wireshark -> http://www.wireshark.org/
Run a capture on the ip of one of the hosts you're trying to send to.
So, for example, if you're trying to reach the address 66.41.193.0, click Capture -> Interfaces -> Prepare button on the network interface you're using, then type in the filter field "host 66.41.193.0" (w/o quotes) then click start.
Watch your p2p client until it disconnects, then switch back to Wireshark. The last few packets should show [RST] if it's comcast being comcastic and hindering your bittorrent.
The final test is to go to www.dnsstuff.com (Or use the program SamSpade) and plugin the ip address to see if it's inside or outside of Comcast. -
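One step beyond watching for [RST] in the packet list, added here as an illustration and not taken from the comment above or from any Wireshark code: a reset that a middlebox injects on the peer's behalf carries the peer's address, but it did not travel the peer's path, so its IP TTL (and often its IP ID) will not match the packets the real peer had been sending in the same flow. The packet records and addresses below are constructed, not a real capture, and the TTL-mismatch rule is a heuristic, not proof.

```python
from collections import defaultdict

# Constructed packet summaries in the shape Wireshark's packet list shows them
# (relative time, addresses, ports, flag letters, IP TTL, IP ID). Not a real capture.
SAMPLE = [
    {"t": 0.000, "src": "66.41.193.0", "sport": 6881, "dst": "192.168.1.10", "dport": 51234, "flags": "SA", "ttl": 52, "id": 0x1A01},
    {"t": 0.120, "src": "66.41.193.0", "sport": 6881, "dst": "192.168.1.10", "dport": 51234, "flags": "A",  "ttl": 52, "id": 0x1A02},
    {"t": 0.540, "src": "66.41.193.0", "sport": 6881, "dst": "192.168.1.10", "dport": 51234, "flags": "PA", "ttl": 52, "id": 0x1A03},
    # Reset claiming to come from the peer, but with a TTL the peer never used.
    {"t": 0.900, "src": "66.41.193.0", "sport": 6881, "dst": "192.168.1.10", "dport": 51234, "flags": "R",  "ttl": 58, "id": 0x0000},
    # A second flow whose peer genuinely resets: TTL consistent with its earlier packets.
    {"t": 1.000, "src": "203.0.113.7", "sport": 6881, "dst": "192.168.1.10", "dport": 51235, "flags": "SA", "ttl": 47, "id": 0x7701},
    {"t": 1.300, "src": "203.0.113.7", "sport": 6881, "dst": "192.168.1.10", "dport": 51235, "flags": "R",  "ttl": 47, "id": 0x7702},
]


def flow_key(p):
    # Direction-specific: we compare a RST only with earlier packets from the same sender.
    return (p["src"], p["sport"], p["dst"], p["dport"])


def find_suspicious_resets(packets, ttl_slack=0):
    """Return RST packets whose TTL differs from every TTL previously seen from the
    same source in the same flow. ttl_slack tolerates a route change of a hop or two.
    A RST with no prior packets in its flow cannot be judged and is not reported."""
    seen_ttls = defaultdict(set)
    suspicious = []
    for p in sorted(packets, key=lambda q: q["t"]):
        key = flow_key(p)
        if "R" in p["flags"]:
            prior = seen_ttls[key]
            if prior and all(abs(p["ttl"] - t) > ttl_slack for t in prior):
                suspicious.append({**p, "reason": f"RST TTL {p['ttl']} vs flow TTLs {sorted(prior)}"})
        else:
            seen_ttls[key].add(p["ttl"])
    return suspicious


if __name__ == "__main__":
    for hit in find_suspicious_resets(SAMPLE):
        print(f'{hit["t"]:.3f} {hit["src"]}:{hit["sport"]} -> {hit["dst"]}:{hit["dport"]} [RST] {hit["reason"]}')
```

To pull the same fields out of a live capture, filter on resets and print the TTL and IP ID next to each one, e.g. `tshark -f "host 66.41.193.0" -Y "tcp.flags.reset == 1" -T fields -e frame.time_relative -e ip.src -e ip.ttl -e ip.id`, and compare against a non-RST packet from the same peer.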
Re:Slow News day?
This is the first time it's been compiled into an automated tool.
No it's not; there's another that's better and it's been around for a long while. It was once Ethereal, and is now called Wireshark.
-
Re:too bad
Except for the fact that you cannot read someone's email as a routine matter of simply handling it, as in a mail carrier. It takes extraordinary effort to access/read someone's email, akin to steaming open an envelope. Ergo, your assertion is wrong.
Counterpoint: Wireshark. Reading someone's plaintext email with off-the-shelf hardware, for either ethernet or WiFi, does not take "extraordinary effort." It hardly takes effort at all. If you ever want to try it out, be warned: it'll scare you.
In contrast, sniffing SSL traffic is for most practical purposes nigh-impossible. It's so nice how public-key encryption gives us this wonderful, thick solid line to be drawn between "private" and "not private" communications... now if only legislators would stop trying to modify this seemingly perfect, clearly drawn boundary, etched in the universal laws of mathematics. -
Re:It reads like this on Etherealworld Slashdot
Ethereal is now called Wireshark
-
Re:Wireshark?
oooohh kay
what you're saying SOUNDS right - so what's the point of this which is always at the top of the wireshark FAQ
If wireshark can capture all of the layer 2 traffic then that's cool, and I might go back and try it again. The last time I tried I didn't get anything lower than layer 3, and even then I didn't get anything apart from my own stuff (i.e. not promiscuous).
Are you getting something different?
-
Wireshark, anyone?
-
Re:Wireshark?
Errata: "Errata has developed another network sniffer that looks for traffic using 25 protocols"
Wireshark: "Hundreds of protocols are supported, with more being added all the time."
Wireshark's most powerful feature is its vast array of display filters (over 51000 as of version 0.99.5).
Something isn't adding up for Errata having more.
Normally people complain that Wireshark looks at too many protocols and presents a network vulnerability. -
Re:Some "expert"!
Just out of curiousity [sic], can you verify that it was a DSL modem, and if it was, was it plugged directly into the computer, or was there a router in between?
TCP/IP stacks don't lie - but they also don't tell the whole objective truth. They are subjective to the point of interception. If you trap network traffic inside your network using, say, Wireshark, you see the stack before the router and/or server. If you view the same packet from outside the network, it will look different (TTL will change, destination, etc...) after each 'hop'.
-
Re:ill prepared?
I guess the thing to do is to stop Tor spewing out the plaintext: "TOR 1.0 Proxy Connection Attempt" which any half-assed network admin could detect. Run wireshark and watch how Tor gives itself away. I suppose that they could then block people trying to get to known Tor entry nodes, but with enough of them then that becomes foolish.
-
Re:Look at the Hype
Wireshark (formerly Ethereal) has been pretty popular despite getting very little coverage from the industry trade press.
-
Ethereal now Wireshark
FYI in case anyone needs to know and can't find it. It is available for a bunch of OS flavors. Highly recommended.
http://www.wireshark.org/ -
Wireshark + Transparent Proxy on the router
http://www.wireshark.org/
http://tldp.org/HOWTO/TransparentProxy.html
'nuff said.
When my kid figures out how to properly encrypt his traffic, then I figure he's mature enough to take proper precautions when dealing with strangers (and you folks on the 'net are stranger than most).
Still, I find it deeply troubling how I find that I'm understanding right-wing leanings more and more after being a parent. But then again, I'm almost over 30, so I guess I'm allowed to "mature" into a lying conniving misleading figure of authority anyway :P -
Talk about your viral license....
having been on the payroll at the time of the contract signing with MS....does this mean he's got any sort of restrictions now dangling on his neck, at least from the point of view of microsoft?
#include <ianal.h>
A contract to which Novell and Microsoft are parties cannot bind him personally. It can obviously affect him in his capacity as a Novell employee. I suspect that he has not committed any changes to the Samba tree since the agreement was enacted, nor will he until next month, just to be sure that he isn't opening that particular door. He probably is familiar with how Gerald Combs had to change the name of Ethereal to Wireshark because his former employer had legal claims over the prior name. This one isn't a trademark issue, of course, but the same principle applies.
-
Re:Egoism is hard to see
Unfortunately, I have to ding them on this - if the password is wrong, it hides the error message from you (you get something generic like "connection failed").
Well, yeah, but that's because it's Good Security Practice (TM). If J. Random H4x0r knew that the username was correct but the password was wrong, then he knows he's already halfway there. You're not supposed to give away that some of the information is right, but some is wrong. You're just supposed to say, "No. Try Again."
I agree that it's a good security practice for the server to say "Authentication failed" instead of "Wrong user" or "Wrong password". But he's talking about the client saying "It failed" instead of "The server said 'NO Authentication failed' after I sent credentials", "my connection to mailserver:143 was refused", or any number of other error messages that would actually be helpful.
There is no security value in the client (which is under the user's control) throwing away information instead of presenting it to the user. It's just poor error handling, and unfortunately many of Apple's client/server applications are guilty of it. I generally resort to using Wireshark when diagnosing problems with them, which is not something you can teach the average user to do. Address Book is the worst - it just stops returning results after you change your password! No error message at all! How horrible is that?
-
Sysinternals is a windows admins best friend
For any windows problem to which you do not know the answer immediately or through a quick google search.
Visit http://www.sysinternals.com/
Look through all the categories and short descriptions until you find a tool that could provide a diagnostic clue.
In your case Process Explorer will do the trick, just turn the highlight time up and you should see process creation (provided it is caused by a process).
If no new process is spawning, an existing one is launching the window, so compare the process listing against a similarly configured pc without the problem or a clean one and slowly remove processes until the one causing the problem is destroyed.
If all the processes listed are valid, then you may have a compromised exe or dll, so use the dependency walker to find all the files used, then use md5sum or similar to hash them and compare the hashes against a clean machine.
If you think the problem may be using a network connection you get additional options; you can use tcpview & process explorer to find the process in question and then kill it. You can also use wireshark (formerly ethereal) from http://www.wireshark.org/ either on the machine itself or another machine to monitor the network traffic.
If all these steps are ineffectual, you may have a rootkit, so run rootkit revealer also from sysinternals.
If you suspect a virus/spyware then it can be difficult to use the machine itself to diagnose; instead grab a copy of Bart's PE with McAfee/Sophos & Lavasoft Ad-Aware and the registry redirector to scan the local machine. This usually will allow you to get the machine to a state where other tools can be effective.
Check out the Windows Resource Kits from Microsoft; they have a wealth of tools that may not be immediately useful, but can prove invaluable.
On domain machines, the first step is always to check any logon scripts/group policy. -
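The hash-and-compare step in that procedure (dependency walker, then md5sum against a clean machine) is the part worth scripting, so here is an added example, written for this page and not taken from the comment, Sysinternals or Microsoft. It builds a digest manifest of a directory tree on the clean box, does the same on the suspect, and reports files that were added, went missing or changed; the two trees below are constructed in temporary directories to stand in for the two machines, and the file names are made up. The caveat the comment already makes applies: a kernel rootkit can lie to any hashing tool running on the live system, which is why the offline Bart's PE scan comes next.

```python
import hashlib
import os
import tempfile


def hash_tree(root: str, algorithm: str = "sha256") -> dict:
    """Map each file's path (relative to root, '/'-separated) to its hex digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.new(algorithm)
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large DLLs
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline: dict, suspect: dict) -> dict:
    """Files only on the suspect, only on the clean box, or present on both with a different hash."""
    return {
        "added": sorted(set(suspect) - set(baseline)),
        "missing": sorted(set(baseline) - set(suspect)),
        "changed": sorted(p for p in baseline.keys() & suspect.keys() if baseline[p] != suspect[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Two constructed trees standing in for the clean and the suspect machine."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            _write(root, "system32/kernel32.dll", b"MZ clean kernel32")
            _write(root, "system32/user32.dll", b"MZ clean user32")
        _write(clean, "system32/drivers/good.sys", b"driver")
        _write(suspect, "system32/user32.dll", b"MZ patched user32")        # modified on the suspect
        _write(suspect, "system32/drivers/hidden.sys", b"not on clean box")  # added on the suspect
        return compare(hash_tree(clean), hash_tree(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On real machines, run hash_tree over the directories the dependency walker pointed at (e.g. the System32 tree) on the clean box, save the dict as JSON, and load it as the baseline on the suspect; only the "changed" and "added" lists need a closer look, and "missing" usually just reflects patch-level differences between the two installs.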
Severe Thumbdrive Addiction Syndrome...
Funny how I shrugged at the rash of thumbdrives out there, that is, until recently. They kept getting cheaper and cheaper and I kept buying them. I have since stopped; however, it was only after the 12-step program.
Now, what do I keep on mine? Slax - Kill Bill, of course. It really has brought me the level of standardization that I need from one computer to the next, and it can do all the things (like many other small distros) that I need. I would however recommend something like TrueCrypt for ensuring the security of your information. I would also recommend that you back your drive up on a regular basis; these things can be a bit unforgiving.
I could go on and on about the various apps, it really all depends on what you are doing. I do find the following though, very useful: Wireshark (Ethereal), Open Office and the usual suspects, samba, Etherwake, NVU, Thunderbird, rdesktop, various vnc flavors and other well known management utilities.
If I did not emphasize enough earlier, if you are going to rely on these little gems, I think you should always have an identical spare, and additionally, perform a backup on a regular basis. You might want to get creative and build a library of tools which could be easily accessed remotely to keep your drive lean. I would also highly recommend encrypting data you wouldn't want public. -
Arsenal of Tools
Funny, I also carry a thumb-drive with a removable memory card slot. It's this generic one floating around online: http://www.supermediastore.com/supermedia-handy-4in1--usb-20-flash-memory-card-reader-yellow.html
I think they're a great idea, because I can move with the SD card market as flash memory becomes denser and denser. Speed hasn't been a problem, either. The thumbdrives support USB 2.0 and my SD card seems to be capable of a very decent data transfer rate.
I have a collection of Windows tools on the drive. Not Linux tools, because I can usually accomplish whatever it is I'm doing in the Linux environments I encounter day to day.
Network Tools:
* Raw TCP/IP transfer -> netcat ( http://www.vulnwatch.org/netcat/ )
* SSH/Telnet -> putty ( http://www.chiark.greenend.org.uk/~sgtatham/putty/ )
* Port Scanner -> SuperScan4 ( http://www.foundstone.com/resources/proddesc/superscan.htm )
* Classic Port Scanner -> nmap ( http://insecure.org/nmap/download.html )
* Packet Capture and Analysis -> WireShark setup ( http://www.wireshark.org/download.html )
Editors:
* General -> vim 7.0 ( http://www.vim.org/download.php )
* Hex Editor -> xvi32 ( http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm#download )
Development:
* Tiny C Compiler ( http://fabrice.bellard.free.fr/tcc/ )
* nasm ( http://sourceforge.net/project/showfiles.php?group_id=6208 )
Misc:
* Lightweight Windows md5sum -> md5summer ( http://www.md5summer.org/download.html )
* Process Explorer ( http://www.sysinternals.com/Utilities/ProcessExplorer.html )
* MP3 Encoding -> RazorLame with lame ( http://www.dors.de/razorlame/download.php )
* Terminal Emulator -> TeraTerm Pro ( http://hp.vector.co.jp/authors/VA002416/teraterm.html )
The folder is 26.7MB. -
They don't work in more ways than one
-
Re:support for the h.323 protocol, quite unlikely
Bloody hell!
They managed to squeeze both PER and also H225/235/245 into just 20kbyte of object code?!
(why implement h235? that's crypto and wouldn't work unless you know the keys?)
That is VERY impressive.
My PER decoder alone ( http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-per.c ) is way larger than that, and that is just aligned PER decoding (ok with some unaligned PER additions recently) and that one itself is >>20kbyte. Adding 225/245 into the mix. Impossible!
I am very impressed. Very impressed.