Slashdot Mirror
The Spinning Cube of Potential Doom
An anonymous reader writes "This month's Communications of the ACM (does not seem to have a link to online text) has an article about The Spinning Cube of Potential Doom, a security visualization tool that I first saw at SC2003. The cube displays data from Bro along 3 axes and creates interesting visual results (port scans, barber poles, lawnmower). This definitely makes patterns in all that 'boring log data' jump out. This is a very interesting development, the ability to monitor in real time and replay historical security related information. Definitely a step towards the new types of tools we will need to secure hosts and networks."
When the eventual goal of having this data displayed in a real time setting the applications of usefulness will be startling. Data that had to be updated manually during the conference, will be available to researchers to do tci-square analysis to approximate the optimum network efficencies. Even use in the business sector and th ability to analyze huge databases will be quite amazing, although at least a half-decade down the road. Besides the primary educational aspect of the Cube, the secondary goal of the Cube will see fruition as to how investigate new techniques in visually analyzing network traffic and also to develop a tool that would potentially assist those involved with computer security. Really fascinating stuff.
Too bad Cisco didn't have this a couple weeks ago when they needed it!
The best way to predict the future is to invent it. -Alan Kay
I live in the spinning cube of potential doom. At least that's what my co-workers call it.
Sounds like the Time Cube.
But then, you stupid ignorant mind-traitors cant understand time cube having been manipulated by your word god.
I don't need no instructions to know how to rock!!!!
Now we need tools that scan in a pattern that causes little devil faces to appear inside the cube, just to freak the sysadmin out. Words could be fun too.
I Am My Own Worst Enemy
Man, when I heard it could display data along 3 axes I was hoping for a error message featuring a little projection of somebody saying "Help me Obi-Wan Kenobi, you're my only hope."
Sad.
The Human Cow - bringing you scrumtrelescence since 1995
Okay, so I see the pretty pictures, but what do they mean. Can anyone explain how to interpret that data?
--AC
this cube of doom?
The Technonaut
This is old news.
Security companies are just reacting to Swordfish...which used the opposite tool...it was spinning cubes that joined together when you successfully exploited the system.
[I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
Wonder if they've got one of these monitoring DOS attacks now that they've been posted on Slashdot.
Here's the 31 meg AVI if you want to make it spin faster.
If this becomes a trend, and "Secutiry Visuallization Tools" become widespread... then people will begin to say that movies like Hackers and such were just "before their time."
Do we really want that?
And it's a good damn thing I've got a wireless LAN connection, so my cat5 cable won't get all twisted up.
"Definitely a step towards the new types of tools we will need to secure hosts and networks."
I'm sorry, but I do not agree. While it makes it easy to visually detect intrusion attempts, it is of no use in the daily life of a BOFH. I have the responsibility of quite a number of machines. Most of the time, they don't require attention. So I don't pay them any. Then, once in a while, something extraordinary is happening, and I'm being alerted by an automatic monitoring system. That means I can use my day on all the important things (like hanging out on IRC etc). Visualizing network intrusion attempts is cool, but it's not a tool for me.
The cube displays data from Bro along 3 axes and creates interesting visual results (port scans, barber poles, lawnmower).
"So Cube...do you see anyone invading us from the 201.163.x.x range?" "YES"
"That's Tron. He fights for the Users."
I have a theory that the truth is never told during the nine-to-five hours. -- Hunter S. Thompson
They appear as complex crystalline structures with no obvious holes other than the known authentication interfaces.
Those who hack/defeat them are called "icebreakers" and they use software which has its own visual attack signature to distract or deflect(overload/DNS attack) the ice or to find hidden cracks (exploits)
Visionary stuff (pun partially intended).
You are in a maze of twisty little passages; all alike.
it looks like a great tool for ferretting out new styles of attack, even though it's use to an individual trying to protect his/her network is rather limited. the automated system that someone else mentioned sounds much more useful.
-ninjaneer
Besides the primary educational aspect of the Cube, the secondary goal of the Cube will see fruition as to how investigate new techniques in visually analyzing network traffic and also to develop a tool that would potentially assist those involved with computer security.
Yes. The Cube knows all. It will make everything all right again. The Cube has been sent to help us. We must trust the Cube.
All hail the Cube.
-Laxitive
Sorry, absolutely nothing of value to add to this. I just liked the way you referred 'the Cube' using proper-noun capitalization, and spoke of it as a single entity.
I was hacking teh Gibson, *I* would have gotten in Acid Burn's undies. :(
I wonder what the 3D graph of a Slashdotting looks like...
All that we see or seem is but a dream within a dream.
I think the point of this interface is that the data is more easily interpreted, allowing the human-user to notice patterns that automated scripts would miss. This could be done either in real time, or as a visualization tool for historical files. The latter usage seems like it would be of interest if you're trying to determine the source of a break-in.
For real-time monitoring, your point about mutliple systems is very valid, but what if this approach could be scaled up to allow you to visually inspect the whole system for a number of problems? Perhaps an entire array of cubes, each for a subnet or an individual system, focusing on those that pique your interest.
This idea may be able to mesh with the glanceable objects idea (just the idea, not their chicken egg specifically). If it is informative enough, it could allow you to periodically check some aspects of your whole system for things that you either can't write scripts to do, or don't have time to write scripts for.
-Zipwow
I don't know which is more depressing, that 2/3 didn't care enough to vote, or that 1/2 of those that did are crazy.
Warning: Pregnant women, the elderly and children under 10 should avoid prolonged exposure to the Spinning Cube of Potential Doom.
Caution: the Spinning Cube of Potential Doom may suddenly accelerate to dangerous speeds.
the Spinning Cube of Potential Doom Contains a liquid core, which, if exposed due to rupture, should not be touched, inhaled, or looked at.
Do not use the Spinning Cube of Potential Doom on concrete.
Discontinue use of the Spinning Cube of Potential Doom if any of the following occurs:
Itching
Vertigo
Dizziness
Tingling in extremities
Loss of balance or coordination
Slurred speech
Temporary blindness
Profuse sweating
Heart palpitations
If the Spinning Cube of Potential Doom begins to smoke, get away immediately. Seek shelter and cover head.
the Spinning Cube of Potential Doom may stick to certain types of skin.
When not in use, the Spinning Cube of Potential Doom should be returned to its special container and kept under refrigeration...
Failure to do so relieves the makers of the Spinning Cube of Potential Doom, Wacky Products Incorporated, and its parent company Global Chemical Unlimited, of any and all liability.
Ingredients of the Spinning Cube of Potential Doom include an unknown glowing substance which fell to Earth, presumably from outer space.
the Spinning Cube of Potential Doom has been shipped to our troops in Saudi Arabia and is also being dropped by our warplanes on Iraq.
Do not taunt the Spinning Cube of Potential Doom.
the Spinning Cube of Potential Doom comes with a lifetime guarantee.
the Spinning Cube of Potential Doom
ACCEPT NO SUBSTITUTES!
Back in the "what possible use would anyone have for 3D?" days, Silicon Graphics made gobs of 3D utilities such as this. Many exist today as viewers for their (awesome) Performance CoPilot system for IRIX and Linux. Over time they learned that most admins perfer text most of the time. But man, fddivis on a large monitor sure does make the NOC look way more productive to the suits!!
They even had a 3D intra-website link manager at one time!
Did someone just discover that data can be graphed? What is the innovation here?
For great justice.
Got some slick, nobody's fool sysadmin you need to get past?
Well, cook up a portscan that will look like a giant, spinning Mr Goatse, or some racial slurs, etc..
Boss walks past, geek gets fired, replaced by bosses moron nephew who is more than happy to give you the keys to the server when you call and identify yourself as the Hamburglar.
I don't need no instructions to know how to rock!!!!
Same thing, but hosted by Akamai9 (faster).
this one
Technoli
Visible Decisions (acquired by Visual Insights in 2000) has been doing graphical visualization for 15 years - check this out for a demo.
those web sites didn't work. The urls have been Slashdotted already.
.gov top domain!
Yup. And they're
Given the PATRIOT act, does this mean we're all terrorists now?
I'll get the "Free Taco!" campaign started right now, just in case. We can only hope the general public will misunderstand.
(I'm hungry, so?)
Remember the ambient orb?
Thinkgeek used to sell them, but I couldn't think of something I would find it useful for. This would be perfect. Just have a globe on your desktop that changes colors based on the data provided by the cube matrix. If the orb starts turning crimson, you know that that your network is in need of administrative attention.
WURD!!
...I can see it now:
I know this... this is UNIX!
Would you like to play a game>
All hail the Cube.
from "Deep Space Homer"
Buzz: Homer Simpson was the real hero here. He jury-rigged the door closed using this.
Man 1: Hey, what is that?
Man 2: It's an inanimate carbon rod!
Everyone: Yay!
Time magazine cover: "In Rod We Trust"
Carthago delenda est!
About 18 months ago, Slashdot posted an article The Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release with a nice collection of unconventional networking tools.
Included was a very cool tool, Phentropy, for visualizing arbitrary data using Strange Attractors. You may recall a paper on TCP/IP Sequence number analysis that highlighted the usefulness of Strange Attractors for data visualization.
Phentropy plots an arbitrarily large data source (of arbitrary data) onto a three dimensional volumetric matrix, which may then be parsed by OpenQVIS. Data mapping is accomplished by interpreting the file as a one dimensional stream of integers and progressively mapping quads in phase space.
OpenQVIS is a neat package and could fill a lot of arbitrary data viz needs.. But damned if I have been able to get the thing to build under Linux. The project could really use some help, and I think a lot of good could come of it. The Phd types who wrote it seem to have mostly moved on..
... After all the $$M spent on cute visualization and PR promotion of the technology, evil authors of port-scanners just add two lines:
/* this */ ...) ...){ /* and this */
pseed=urand(); iseed=urand();
for(port
for(ip
port ^= pseed; ip^=iseed;
probe(ip,port);
}
or use some fancier one-to-one mapping and the dots in your cube are again "random" to the naked eye.
(On a side note, why whoever implemented that "barberwire"-producing scanner did not do this at the time, I can not understand).
Paul B.
I busted out my laptop and sat down and started port-scanning some friendly IPs in front of the screen, only to be disappointed that I'd have to wait something like 10 minutes to see my spray coming out.
;p
It was still pretty cool, and I'm sure half of the traffic on it was people like who kicked off port scans just to see themselves on the screen
PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
Could someone who has downloaded the movie please post a mirror? All of the existing links posted are already 404.
# fuser -v
#
The time is NOT a display variable in the Cube. Your "enhanced" scanner would produce the same pattern as it would without the randomization. The order in which the scan's packets reach its target, and the dots are put on the display does not even change the resulting picture.
Now, the "barbwire" scan tries a port on each host. This could be made less distinguishable by randomizing the port, rather than using linearly increasing port numbers for the IP range, which produces the evel-looking diagonal slashes in the picture.
Thanks for the /. and the comments folks, although I'm not sure if the web admins are gonna talk to me anymore. :-/ I got paged about the /. while I was watching Shrek 2. What happened to Fiona's Dad? Missed that part...oh well...
The Cube is still a work in progress. I originally developed it to keep wandering jaded conference attendees mesmerized by pretty moving colors. Hopefully it'll inspire people to develop new ways of educating the wormy masses that they need to take security seriously.
I work for a network research group ("WAND") at Waikato University in New Zealand. We have a similar visualisation which you can see various stages of evolution here, there are also some animations.
The universities internal network IP range is mapped onto the left hand face of the cube, the rest of the world is mapped onto the right face. They are mapped so similar addresses are clustered together and addresses further apart are uh, further apart. A box represents one packet, the volume of the particle is proportional to the size of the packet, and the colour is based on port number.
Also we "light" each end of the connection for a bit after the packet has been sent. So machines appear to be glowing in the colour of the traffic they are sending.
We use it to show off "networks" to people who think we just sit at computers and type into stuff, however it has been very useful to detect attacks and broken machines since they provde distinctive patterns. Portscans are a series of "sparkly" packets. Network scans are a row of marching lines. Virii infected machines appear as a cone centered on the infected machine.
It's a brutal but compelling reminder that we should all avoid unencrypted telnet/pop3/imap.
Consider spending some time today getting STARTTLS running on your mail server. Or consider getting IMAP/SSL going. Or consider figuring out GnuPG or S/MIME email once and for all. Don't be part of the problem.