Marco--
I know a bit about this. Basically, the idea is to correlate and overlap information from several individual exposures, while "dewarping" the variations caused by the target rotating during the scan. David Hilvert has written an open source tool that implements some basic methods for doing this kind of work; it's called ALE. Google for "Superresolution" for further information; everything that goes from the temporal domain to the spatial domain ends up using techniques like this.
--Dan
You don't remember being 14, do you :-)
--Dan
One of the first tasks of any individual joining a group is to determine the pecking order within which authority is distributed. This is a critical task that humans have been doing since before they were human.
What's being talked about here is reverse engineering trust hierarchies, algorithmically, simply from a discussion corpus extracted from Usenet.
This is very, very cool stuff. It is a hard application of a soft science, and if its results match empirical data, it represents a greater level of understanding about the human mind.
This is something to celebrate and take interest in, not malign simply because it's Microsoft that's behind it.
I do remind the security paranoid that reputation management remains one of the few characteristics obsessively protected in otherwise anonymous systems.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Er, it's all about process.
How do I image an XServe?
Oh, it's different than all the x86 machines, obviously. I could learn.
How do I control which services start at launch?
Oh, it's different than both Linux and Windows, but I could learn.
How do I compile standard Unix apps on this machine?
Oh, I have to acquire fink, but I could learn how. It's like installing a Solaris machine -- you do it once, and then again "for real".
There's a lot of learning, a lot of new process, a lot of stuff to do. And for what gain? A more expensive system that, at the end of the day, is just a commodity?
Certainly there are more rational reasons to standardize than "Well, it keeps me working." Hell, even Thomas Aquinas recognized that it was worth staying with a suboptimal system if the pain of switching exceeded the benefit of the switch.
--Dan
This makes me want to play with mainframes just so I witness the error myself.
Wow.
--Dan
Peter,
:-)
Does it speak SMB or not?
I don't really care how we're discovering the thing...do we get to treat it as a hard drive or not?
I'd be mildly amused if Samba built correctly on eCos
--Dan
Uhm, 802.11 specs are hard to find, actually.
They're not RFCs, they're IEEE docs. Especially the drafts are a real pain to get a hold of.
--Dan
Hate to belabor the point, but if cell phones didn't work _at all_ on planes, you wouldn't need to ban them, because people wouldn't use them, because people don't use things that don't work.
Apparently the voice quality was decent enough to have minute-long conversations. Of course, the demand for service was...rather inelastic. But I'm really getting tired of engineers claiming impossibility with a preponderance of the evidence against them. Yes, the planes may have been at non-cruising altitude, but guess what -- planes spend a lot of time there.
Regarding pointing down -- I'm sure you've heard of multipath. I know you're aware that concrete reflects GHz-level signals relatively well. Have you considered that the ground itself reflects RF? Sure, there's a _huge_ dB loss...but so what, cell phones deal with trees and how much do those suckers sap signal strength?
Anyway, it's most likely that cell support will be granted by throwing a GSM base in the plane itself and using a dedicated long range downlink frequency to carry the calls. This will keep signal strength relatively low (since the phones will be unusually close to the base station) yet remain profitable (either by jacking up the rate, or by the fact that certain users have nothing else to do _but_ use their cell.)
--Dan
In theory, theory is the same as practice.
In practice, it isn't.
Remember how we're supposed to remember 9/11, and not forget things like the dozens if not hundreds of passengers who successfully got final calls through?
And just to technically debunk yet another cell phone myth, you're completely ignoring the fact that it's pure line of sight straight up, and the farther up you are, the less change there is (you move fewer degrees from the tower, regardless of your speed).
Hell, even noise isn't that big a deal; jets are LOUD, human voice doesn't carry well in such an environment.
--Dan
You are the new editor of the New York Times, the "Newspaper of Record" for the United States, if not the world. You are, of course, the new editor because the previous editor had to resign, taking the blame for an individual reporter's flagrant disregard for the awe-inspiring credibility of your institution. In the process of rebuilding your credibility, should you:
A) Insist that unaffiliated digital libraries restrict access to or simply eliminate all records of your "Newspaper of Record", or
B) Realize that maybe right about now is not particularly the best time to be saying to the world, "Please forget what we published last week."
I don't think people grasp just how slow the Apple IIgs was.
I, of course, didn't. Middle school for me was defined by the l'il bugger, minus about six months of its power supply choking if I did something excessive like use the floppy drive (800K, and _no_ hard drive).
I have fond memories of flaming people for using ZIP when an obviously superior format, SHK (Shrinkit), was common for the IIgs.
Yeah -- my 2.2 MHz speedster had a better algorithm than a PC *giggles*. Right.
Seriously, though -- graphical web browser? For IIgs? GIFS TOOK AN HOUR APIECE TO RENDER, line by godforsaken line...
That being said, did that machine have a bad ass sound synth or what...took like five years for PCs to even come close with the GUS, and a while longer before SB Live became common enough to surpass the synth capabilities of the trusty IIgs...
80's music? You mean MODs?
Oh yeah, ProTERM made for a great Unix dumb terminal...
--Dan
www.doxpara.com
2.4 GHz (microwave) tags are actually quite rare; the RFIDs I'm investigating now operate at 125 _kilohertz_, with next-gen models clocking in at 13.56 MHz.
--Dan
www.doxpara.com
"It takes the same pathway as our drugs of abuse and pleasure."
Pleasure is not a disorder.
Love is not a disorder.
Feeling joy, experiencing satisfaction, the simplicity of happiness is not a disease to be stamped out, stressed over, or guilt tripped.
And the talents of others are not to be ridiculed, for all of our talents are ultimately meaningless by some standard.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
So the local coffee shop smartly provides free WiFi, in exchange for geeks like me spending all day there buying coffee and food. I'm sitting there, 1600x1200 screen w/ a maximized ssh session into my devbox, watching parsed packet traces blaze across my screen as fast as MySQL could select them.
An unknown voice behind me laughs. "Whatcha doin' man, lookin' at porn?"
Perfunctory hello. Evil grin. "Don't you know it." A few minutes later, mplayer's compiled on the FreeBSD system, and what else can I do but...
ssh effugas@devbox "mplayer -vo aa Dark_Angel.avi"
SSH, Mplayer, and AALib: When you absolutely, positively, maybe even desperately need something to watch.
"Excuse me. I have something you might want to see."
It even drew a bit of a crowd :-)
Of course, you might have noticed the Dark Angel avi. Triple-DES or not, I wasn't about to drop Debbie does ASCII in the middle of a coffee shop. So I settled for the next best thing, the Fecal Tootsie Pop...sweet on the outside...absolute crap once you bite in.
Yeah, yeah. Too little sleep, too much Gord. It's all about having a bit of fun with things...ain't nothin' wrong with that.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
That's what I refer to this as.
The following story is second hand; I make no claims as to its absolute veracity. Now, that being said:
Several years ago, it became feasible to use many, many cameras to monitor the movement of cars via their license plates. Long before the Brits deployed one of these systems to control traffic in the core of London, Burma (aka Myanmar, one of the more oppressive regimes out there) dropped a decent amount of cash to acquire a traffic management system for their own country.
Except Burma doesn't actually have traffic to manage. At least not vehicular...show up to a protest, though, and all that automatic, large scale image capture, compare...capture...becomes really interesting.
Welcome to the Burmese Traffic Problem.
--Dan
www.doxpara.com
graf0z, if you ever get this, can you forward me your traces?
This is the author of scanrand...I've got an idea.
--Dan
www.doxpara.com
Nodes capable of transmitting packets with spoofed IPs are used to connect two hosts behind firewalls (by issuing handshake responses "for" them)
:-)
Hi
Mail me.
--The guy from Defcon
Yeah. Welcome to the web. We do things a little differently around here. 'round these parts, source code release isn't novel.
--Dan
I call BS. Or demand further details.
Did you at least see bidirectional traffic from the IP that resolved to cia.gov? If not, it might have been spoofed decoys.
Did you store the IP? They may have controlled the IP range, and simply returned a relatively cruel address space.
The CIA was funding Safeweb some time ago, so you _couldn't_ detect it was the CIA poking around. Of course, if they were coming in through an internal connection, that might be different.
Overall, though, I call shenanigans. Down to your claim of possessing magic secret tools, and the oh-too-obvious date, ummm, yahright.
--Dan
You mean the Sony Ericsson P800, which does everything you describe, and according to most people, does it well (sans megapixel sensor)?
Definitely not the Nokia 3650 which I have, which has all the features but just can't do MP3 justice yet...
--Dan
Actually, I'm kind of digging their single, Paint Peeling. Of course, I've got a thing for female leads, but I can't exactly ignore TEN YEAR OLD DAN JUMPING UP AND DOWN SAYING D00D D00D WIZ0RD CHIX0R COMING TO YOUR HOME TOWN IN THREE WEEKZ Y0.
If nothing else, San Francisco's Great American Music Hall is a fantastic small venue. Yeah. No "bottomless pit of geek fandom" sensation of dread here, no siree Dobbs.
--Dan
It's discontinued because it's insecure beyond all that is holy...FX brutalized it to create a whole new class of network attack (using printers against the rest of the network).
--Dan
Funny...my chapter has this entire section where a defender can break through a set of decoys by comparing all the sources of packets against all the sources of DNS lookups, while an attacker can detect his own detection by monitoring reverse lookups of his own IP.
--Dan
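The defender-side correlation and the attacker-side counter-check described in the post above, as an added example that is not from the book or the comment. Everything in it is constructed: the target 198.51.100.10, the real scanner 203.0.113.7, the three decoy addresses, the zone name target.example, and the log formats (tcpdump-style packet lines, BIND-style query lines) are assumptions for illustration. The defender's logic is that a spoofed decoy never resolves the target's name, so the scan source that also shows up as a client of the target's authoritative DNS is the real one; the attacker's logic is that a defender who resolves the scanner's address will issue a PTR query that lands on the scanner's own reverse zone.

```python
import ipaddress
import re

# Constructed sample data (not real captures): four SYN sources hit the target,
# three of them spoofed decoys, one of them the host actually running the scan.
SCAN_LOG = """\
12:00:01.100 IP 192.0.2.1.40001 > 198.51.100.10.22: S
12:00:01.101 IP 203.0.113.7.40001 > 198.51.100.10.22: S
12:00:01.102 IP 192.0.2.2.40001 > 198.51.100.10.22: S
12:00:01.103 IP 192.0.2.3.40001 > 198.51.100.10.22: S
12:00:01.200 IP 192.0.2.1.40002 > 198.51.100.10.80: S
12:00:01.201 IP 203.0.113.7.40002 > 198.51.100.10.80: S
12:00:01.202 IP 192.0.2.2.40002 > 198.51.100.10.80: S
12:00:01.203 IP 192.0.2.3.40002 > 198.51.100.10.80: S
"""

# Constructed query log from the target's authoritative name server. Only the
# host that really looked the target up appears here; decoys are just numbers.
DNS_QUERY_LOG = """\
11:59:40 client 203.0.113.7#53122: query: www.target.example IN A
11:59:55 client 192.0.2.99#41000: query: www.target.example IN A
12:00:30 client 203.0.113.7#53123: query: mail.target.example IN MX
"""

# Constructed query log from the name server for the scanner's reverse zone,
# i.e. what the attacker can watch. 198.51.100.53 is the target's resolver.
PTR_LOG = """\
12:00:05 client 198.51.100.53#5353: query: 7.113.0.203.in-addr.arpa IN PTR
12:00:06 client 198.51.100.53#5353: query: 8.113.0.203.in-addr.arpa IN PTR
"""

PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+")
DNS_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\w+)")


def packet_sources(scan_log, target):
    """Every source address that sent a packet to `target`, decoys included."""
    sources = set()
    for line in scan_log.splitlines():
        m = PKT_RE.search(line)
        if m and m.group(2) == target:
            sources.add(m.group(1))
    return sources


def dns_query_sources(query_log, zone_suffix):
    """Client addresses that asked the authoritative server about names in the zone."""
    clients = set()
    for line in query_log.splitlines():
        m = DNS_RE.search(line)
        if m and m.group(2).rstrip(".").endswith(zone_suffix):
            clients.add(m.group(1))
    return clients


def attribute_decoy_scan(scan_log, query_log, target, zone_suffix):
    """Defender side: intersect scan sources with DNS clients. A spoofed decoy
    cannot have resolved the target, so whatever survives is the real scanner."""
    return sorted(packet_sources(scan_log, target) & dns_query_sources(query_log, zone_suffix))


def own_ptr_lookups(ptr_log, my_ip):
    """Attacker side: who asked the reverse zone for my address's PTR record?
    Returns the querying resolvers, in log order; a non-empty list means the
    scan was noticed by someone who then tried to name the source."""
    wanted = ipaddress.ip_address(my_ip).reverse_pointer  # '7.113.0.203.in-addr.arpa'
    hits = []
    for line in ptr_log.splitlines():
        m = DNS_RE.search(line)
        if m and m.group(3) == "PTR" and m.group(2).rstrip(".") == wanted:
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print("scan sources:", sorted(packet_sources(SCAN_LOG, "198.51.100.10")))
    print("likely real scanner:", attribute_decoy_scan(SCAN_LOG, DNS_QUERY_LOG,
                                                       "198.51.100.10", "target.example"))
    print("resolvers that looked me up:", own_ptr_lookups(PTR_LOG, "203.0.113.7"))
```

Two caveats a practitioner would want: the defender's intersection only works if the scanner resolved the target from the same host it scanned from (a scanner fed raw addresses, or resolving through a shared recursive resolver, never appears in the zone's query log), and the attacker's counter-check only works if the defender's PTR query actually reaches a server the attacker can see, which a caching resolver or a passive-DNS lookup will hide.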
All--
Thought it'd be fun to talk about some of the more interesting material we put together throughout the book:
--HTTP-only access to the outside world doesn't actually pose much of a barrier...httptunnel (the original web service) may not be as mindbending as IP-over-DNS or mailtunnel, but damned if it doesn't punch ssh sessions bidirectionally through web proxies ;-) This gets mentioned in Dubrawsky's attack tree analysis -- an extremely systematic breakdown of attack selection across pretty much every platform an attacker might find.
--Worm analysis. Guys, Code Red and Nimda were astonishingly successful; there's not-so-idle speculation that Nimda was a test run from a foreign intelligence service. One of my good friends did almost nothing for a year but manage Nimda recovery. Just because it left the press doesn't mean it left the network. Reverse Engineering is never trivial (unless you're Halvar Flake and dream in x86); throw extreme time sensitivity, malicious design, and financial implications and you get an idea of the world virus fighters and worm smashers have to face. Kudos to Tim Mullen and Ryan Russell for their nuts-and-bolts breakdown of this process.
--Joe Grand. Software-based RF Analyzer. Pre-GSM/GPRS Blackberry transmissions. Mobitex.exe. And if that wasn't enough, "Creating a fake gelatin finger to bypass a biometric fingerprint sensor.", complete with photographs.
--Ah, FX. Leave the poor Cisco alone, man :-) And of course, it wouldn't be FX without seeing those HP Laserjets as covert outposts :-)
--Security and Functionality tend to play in opposition...as Paul Craig points out, maybe those step-by-step guides to getting through the VPN shouldn't show up on Google :-)
--WiFi. Dead horse. But it's nice to see it anyway.
--Password cracking by calling up administrators and listening to them type in their password -- nice, Mark. I'd like to see some of the stats code to manage that. Also good to see Windows Proxy Autodetection getting some misexposure.
--Auditors are given lots of leeway. No, let Ken Pfiel clarify...those who claim to be auditors are given lots of leeway.
--OK, I'm a protocol geek. For a good time, switch to root and type:
"tcpdump -w - -s65535 | strings --bytes=8"
If it's ugly, it's SMB. If it's scary, you're probably at Network Interop, where there's 220 access points and you're sniffing across all of them.
--Scanrand docs! Portscan detection on switched networks by watching the router spew an ARP storm! "If your SMTP server has teleported 15 hops closer than the rest of your host, perhaps it's being hijacked by your hotel." And more NAT games.
--Collaborating on tracking down an attacker, while the attacker can read your email...fun.
We've had some fun, to say the least.
Yours Truly,
Dan Kaminsky
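The "teleported SMTP server" heuristic from the scanrand bullet above, as an added example that is not scanrand's code and not from the book. It works the way a TTL-based distance estimate has to: the reply's TTL is subtracted from the nearest common initial TTL (64, 128 or 255 are assumed here) to get a hop count, and a port that answers from far fewer hops than the rest of the same host is flagged as something nearer completing the handshake on the host's behalf. The observation list is constructed: 198.51.100.10 sits 17 hops out on 22/80/443 but its port 25 answers from 2 hops away, and 198.51.100.20 is a consistent control.

```python
from collections import defaultdict
from statistics import median

# Common initial TTLs (assumption: Linux/BSD, Windows, Cisco/Solaris defaults).
INITIAL_TTLS = (64, 128, 255)


def hop_distance(observed_ttl):
    """Estimate how many hops a reply travelled, assuming the sender started
    from the smallest common initial TTL that is not below what we saw."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError(f"TTL out of range: {observed_ttl}")


def teleported_ports(observations, min_gap=8):
    """observations: iterable of (host, port, reply_ttl) taken from SYN/ACKs.

    Returns {(host, port): (port_hops, typical_hops)} for every port whose
    reply arrives at least `min_gap` hops nearer than the median distance of
    the host's other ports. A host with a single observed port is skipped,
    since there is nothing to compare it against."""
    per_host = defaultdict(dict)
    for host, port, ttl in observations:
        per_host[host][port] = hop_distance(ttl)

    flagged = {}
    for host, ports in per_host.items():
        if len(ports) < 2:
            continue
        for port, hops in ports.items():
            others = [h for p, h in ports.items() if p != port]
            typical = median(others)
            if typical - hops >= min_gap:
                flagged[(host, port)] = (hops, typical)
    return flagged


# Constructed observations (not real scan output). 198.51.100.10's SMTP port
# is answered by something two hops away, i.e. on or near the local network,
# while the same host's other services are 17 hops out.
OBSERVATIONS = [
    ("198.51.100.10", 22, 47),
    ("198.51.100.10", 80, 47),
    ("198.51.100.10", 443, 46),
    ("198.51.100.10", 25, 62),
    ("198.51.100.20", 80, 110),
    ("198.51.100.20", 443, 110),
    ("198.51.100.20", 25, 111),
]

if __name__ == "__main__":
    for (host, port), (hops, typical) in teleported_ports(OBSERVATIONS).items():
        print(f"{host}:{port} answered from {hops} hops; host is normally "
              f"~{typical} hops away -- something nearer is completing the handshake")
```

The estimate is only as good as the initial-TTL guess: an interposing box whose initial TTL happens to be close to what the real host's TTL would have decayed to after its own hops will not stand out, and a port forwarded to a host *farther* away than the rest is not flagged by this check at all, though the same per-port comparison could be run in the other direction.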
Heh. STN made Slashdot. Scanrand on the shelves...cool :-)
Stealing the Network is a relatively unique book. Remember Swordfish? Remember Antitrust? Wish there was a cheap procedure to repair that psychic damage? Because that's what got me involved. Syngress was as tired of the hype as we were. Spindly kids playing with 3D modelers to make worms was not reality. Syngress had a basic request: Show us what really happens. Make it interesting, tell a story, but at the end of the day, take the gloves off.
Most of us had worked with Syngress before -- we'd done Hack Proofing Your Network for them, which was actually pretty well received. It was a strange experience, travelling half-way round the world to Black Hat Asia and seeing my Defcon talk on sale in a Singaporean bookstore :-) So when Syngress said they wanted to do this -- we put this together.
We've actually put together a surprisingly good package. Everything from dumpster diving to printer abuse to some of the first real documentation of my personal scanrand techniques shows up. If there's interest, I'll put together a summary of some of the cooler things in here. And of course, if there's any questions, bug me here or in email :-)
Yours Truly,
Dan Kaminsky