I've trained in stick fighting, and one of the major objectives is striking the opponent's weapon hand. If you make contact with that hand, the opponent is likely to drop the weapon. Also, a damaged hand is less likely to be able to hold a weapon again during the fight.
A visit to FreeBSDFoundation.org shows that we raised almost $40,000 in five days, to exceed the fundraising goal. Congratulations everyone, and thank you!
If you donate via PayPal, please provide a "shipping address." FreeBSD Foundation treasurer Justin Gibbs has to mail a paper receipt to every contributor, per IRS rules. If you don't give him a "shipping address" at PayPal, he has to email you and request an address. He told me he is dealing with a "flood of donations missing address data."
Why are we looking to an "organization" (aka, corporation) to bail out FreeBSD? Why not have individuals contribute? I sent $100 to the FreeBSD Foundation via PayPal this morning.
$100 is nothing to "pay" for the dozen or so releases I've used in the past four years. I also subscribe to FreeBSD releases, even though I might never remove the wrappings from the CD cases.
I know the FreeBSD community will step up to the plate in the last 10 days of 2004 to help the FreeBSD Foundation meet the IRS' tax rules.
Helevius
If they have skills, they'll find jobs in NoVA (on Massive Layoffs At AOL) · Score: 3, Informative
The job market in northern VA is strong. Check out these unemployment rates:
US (nation) for Oct 04: 5.1%
VA (state) for Oct 04: 3.2%
If these poor souls have skills, they will find jobs here. I doubt most of them have security clearances, but those that do will be immediately re-employed.
Any chance you could publish a list of the Snort alerts and their counts? I think the time to live on the network metric is interesting, but I find the attack counts more difficult to understand. Actually seeing what Snort measured would be more useful. It also seems that you measured what the Snort default ruleset saw, not perhaps everything that touched your test boxes.
Snort isn't necessarily the right tool for this job. You might do better to monitor session data (aka "flows" or "transactions") via NetFlow from routers (as is already done here.) Argus is another option.
Incidentally, Snort isn't "SNORT" or "Snort!" or anything other than Snort. Snort isn't an acronym, it's an IDS. :)
"The spokesman declined to name the target of the hack, but people familiar with the investigation have said authorities suspect the man lifted the source code directly from Cisco's corporate computer network."
How about a specific product endorsement from a disinterested third party? Check out the NR041 from Network Everywhere (some sort of Linksys/Cisco sub-unit). It's the cheapest full-feature SOHO NAT gateway I've found. I recommend them to parents and friends operating Windows systems. You can pick one up at Buy.com for just under $35, and shipping is free.
You seem to be a Tcl wizard. Have you looked at Sguil, another Tcl tool? If you're interested in contributing, I know the project would be glad to have your assistance.
The problem with IDS is not false positives. The problem is knowing what to do with an alert once it appears. If you don't have enough information to make sense of the alert, why bother triggering it in the first place?
Most IDS vendors focus on ever more accurate alerts, but once they trigger they wash their hands of the problem. The end user must decide if the alert is truly significant to their situation and priorities. It's like having an anti-virus product cry wolf but never give any reasons for its identification of malware or background on its findings.
An alternative to the "alert-centric" point of view is "Network Security Monitoring," which concentrates on giving analysts information to conduct at least rudimentary network-based investigation. Where most IDS care only about alerts, NSM-centric operations combine alert, session, full-content, and statistical data to give analysts a chance to identify and escalate incidents.
A tool which uses Snort to generate alert data, combined with session and full content data from other sources, is Sguil.
Anything vendors can do, like Sourcefire's work with Snort, helps with more accurate identification. Just remember creating alerts is only the first step.
All of the IPS fans out there should remember that their "prevention" depends on correctly identifying intrusions. All IDS and IPS products can be bypassed, which drives the need for audit-centric tools (especially using session data) which are content neutral and don't care about triggers, encryption, and so on.
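The alert-plus-session workflow described in the post above, as an added Python example that is not from the post, from Snort or from the Sguil project: it correlates constructed Snort fast-format alert lines with constructed Argus/NetFlow-style session records, so an analyst can see whether the alerting connection was ever answered by the server and which other ports the same source touched around the alert, and it also lists the sessions no signature fired on, which is the content-neutral audit view the post argues for. The alert format, the CSV session layout, the addresses (RFC 5737 documentation ranges) and the year are all assumptions made for the example.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample data (not real traffic); addresses are documentation ranges.
# Snort "fast" alert lines omit the year, so one is assumed below.
ALERTS_TEXT = """\
12/20-14:03:11.412309  [**] [1:2003:8] WEB-MISC example suspicious URI [**] [Priority: 2] {TCP} 203.0.113.7:44112 -> 192.0.2.10:80
12/20-14:05:40.001200  [**] [1:1000001:1] LOCAL example probe [**] [Priority: 3] {TCP} 203.0.113.7:44120 -> 192.0.2.10:22
"""

# Constructed session records in an assumed Argus/NetFlow-like CSV layout:
# start,proto,src,sport,dst,dport,pkts_src,pkts_dst,bytes_src,bytes_dst,state
SESSIONS_TEXT = """\
12/20-14:03:11.400000,tcp,203.0.113.7,44112,192.0.2.10,80,6,5,812,4120,FIN
12/20-14:03:15.900000,tcp,203.0.113.7,44113,192.0.2.10,443,9,8,1520,6010,FIN
12/20-14:05:40.000000,tcp,203.0.113.7,44120,192.0.2.10,22,1,0,60,0,REQ
12/20-14:06:02.300000,tcp,203.0.113.7,44121,192.0.2.10,22,14,12,2210,3300,FIN
12/20-14:07:30.000000,tcp,198.51.100.4,51000,192.0.2.10,80,4,4,600,2400,FIN
"""

ASSUMED_YEAR = 2004  # assumption: fast-format timestamps carry no year

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sig>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

FIELDS = ["start", "proto", "src", "sport", "dst", "dport",
          "pkts_src", "pkts_dst", "bytes_src", "bytes_dst", "state"]


def parse_ts(text):
    return datetime.strptime(f"{ASSUMED_YEAR}/{text}", "%Y/%m/%d-%H:%M:%S.%f")


def parse_alerts(text):
    """Parse Snort fast-format alert lines; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = parse_ts(a["ts"])
        a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
        alerts.append(a)
    return alerts


def parse_sessions(text):
    """Parse the assumed CSV session layout into dicts with typed fields."""
    sessions = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue
        s = dict(zip(FIELDS, row))
        s["start"] = parse_ts(s["start"])
        for k in ("sport", "dport", "pkts_src", "pkts_dst", "bytes_src", "bytes_dst"):
            s[k] = int(s[k])
        sessions.append(s)
    return sessions


def five_tuple(r):
    return (r["proto"].lower(), r["src"], r["sport"], r["dst"], r["dport"])


def correlate(alerts, sessions, window=timedelta(minutes=5), slack=timedelta(seconds=2)):
    """Attach session context to each alert.

    'answered' tells the analyst whether the server sent any data on the
    alerting connection; 'related_ports' lists other destination ports the
    same source touched within the window, regardless of their content.
    """
    out = []
    for a in alerts:
        exact = [s for s in sessions
                 if five_tuple(s) == five_tuple(a) and abs(s["start"] - a["ts"]) <= slack]
        related = [s for s in sessions
                   if s["src"] == a["src"] and s not in exact
                   and abs(s["start"] - a["ts"]) <= window]
        out.append({
            "msg": a["msg"],
            "matched_session": bool(exact),
            "answered": any(s["bytes_dst"] > 0 for s in exact),
            "server_bytes": sum(s["bytes_dst"] for s in exact),
            "related_ports": sorted({s["dport"] for s in related}),
        })
    return out


def unalerted_sessions(alerts, sessions):
    """Sessions no signature fired on: this view does not depend on matching
    a payload, so encrypted or novel traffic still appears in the record."""
    alerted = {five_tuple(a) for a in alerts}
    return [s for s in sessions if five_tuple(s) not in alerted]


if __name__ == "__main__":
    alerts = parse_alerts(ALERTS_TEXT)
    sessions = parse_sessions(SESSIONS_TEXT)
    for r in correlate(alerts, sessions):
        print(r)
    for s in unalerted_sessions(alerts, sessions):
        print("no alert:", five_tuple(s), "bytes from server:", s["bytes_dst"])
```

With the sample data, the web alert maps to a completed session in which the server returned 4120 bytes (worth pulling full content for), while the port 22 alert maps to an unanswered single-packet probe; the session view also shows a later, fully established port 22 session and a port 443 session from the same source that no signature touched.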
"These members, representing a cross section of the Internet population, give comScore explicit permission to confidentially monitor their online activities in return for valuable benefits such as server-based virus protection, improved Internet performance, sweepstakes prizes, and the opportunity to help shape the future of the Internet.
comScore technology is downloaded to any browser in a matter of seconds and unobtrusively routes each participant's Internet connection through comScore's server network, without requiring any further action on the part of the individual.
The technology allows comScore to capture the complete details of communication to and from each individual's computer - on a site-specific, individual-specific basis. This includes every site visited, page viewed, ad seen, promotion used, product or service bought, and price paid." (emphasis added)
I'd be interested in talking to a few of these "members" to see if they know what they've gotten themselves into.
Many people have posted that they require a proprietary cable to flash firmware. I have the same issue with my Motorola i90c phone, but bought the cable.
Is there a market for including a "universal" firmware upgrade access port, coupled with a cable that connects to a PC's serial port?
Some newer laptops lack serial ports, so maybe something like USB could be used?
Wireless vendors are constantly fixing bugs or adding features or trying to meet specs in flux. Developers struggle to code on this uneven terrain.
For example: I spent a day and a half trying to upgrade the firmware on an otherwise useless SMC "PCI" NIC, the SMC EZ Connect 802.11b 2602W v.1, not to be confused with the v.2 or v.3 models with completely different chipsets. I say "PCI" because the NIC is actually the 2632W v.1 PCMCIA NIC in a PLX "riser."
Thanks only to Jun Sun's mini-HOWTO and "unofficial" firmware caches on the Web, I was able to upgrade the station firmware. Unfortunately, this did not result in the features I needed.
If vendors begin requiring consumers to flash firmware regularly, it needs to come out of the "underground" and be explained by the vendors. I'd also like to see DOS boot-disk-based firmware upgrade tools, like Dell's BIOS flash disks. I didn't like turning to Windows to run SMC's update program. (Linux and DOS attempts failed with this particular NIC.)
Thanks to the openap-ct project's Linux floppy I was able to use prism2_srec to flash a different NIC, though.
You are entirely correct. I should have mentioned mount_ntfs, which has these caveats in its man page:
WRITING
There is limited writing ability. Limitations: file must be nonresident
and must not contain any spaces (uninitialized areas); compressed files
are also not supported. The file name must not contain multibyte characters.
Right now I'm downloading the newest FreeBSD live CD distribution, FreeSBIE, to /mnt, which is a Windows XP share mounted using mount_smbfs.
(The Windows box has the household's only CD burner at the moment.)
I'm using FreeBSD 5.2 REL with a stock kernel. SMB is enabled automatically via the smbfs.ko kernel module. I read and write to this Windows share all the time.
Helevius
Too bad this "story" dates from Dec 2002 (on Hackers Hall of Fame) · Score: 0, Redundant
This "list" is way old news. Try this search for "hackers" at TLC.
Only DragonFly and now NetBSD have logos.
For the install CD, use:
ftp://ftpX.freebsd.org/pub/FreeBSD/ISO-IMAGES-i386/5.3/5.3-BETA2-i386-disc1.iso
Replace "X" with 1 to 14 to use the US mirrors.
For a "live CD" to test hardware compatibility, use disc2:
ftp://ftpX.freebsd.org/pub/FreeBSD/ISO-IMAGES-i386/5.3/5.3-BETA2-i386-disc2.iso
Enjoy,
Helevius
How do I fully take advantage of QuIDScor if I'm not a Qualys customer?
"To try QualysGuard with QuIDScor and Snort, visit http://qualys.com/quidscor and sign up for a free trial."
Great.
The April 2004 Sys Admin magazine features Sguil and a few other NSM tools.
A book due in July, The Tao of Network Security Monitoring (also at Amazon.com) is all about NSM.
I'm waiting to see the "repost" notice next.