Internet shut off switch?

Reports are saying cell phones and Internet connections are off in Egypt at the moment. Can a country really shut off its Internet connection?

China, which has placed restrictions on its Internet infrastructure from day one (meaning the whole infrastructure for connecting to the Internet was built with government control in mind) and which develops a lot of its own networking equipment, is still unable to really block users. When I’m in China, Twitter and Facebook are blocked in the hotel and in the office, but not on the BlackBerry. Most anonymizers work, and some Twitter-over-instant-messenger bots work as well. Most of the time, I can find the new list of working anonymizers on Google while I’m there, so there’s no special preparation involved. On my last visit I was introduced to a free VPN service that enables unrestricted access to Facebook, Twitter and other blocked sites, and that seems to be quite popular in the country.

Egypt is not as big and certainly not as advanced as China, but it is fairly big. As anyone who has worked for a large company knows, it is difficult, if not impossible, to track all incoming and outgoing connections. We know the DNS servers are refusing to resolve .eg domains, but what if we look at the inner workings? Are some of the IPs inside Egypt reachable?

One glaring example is the Egyptian stock exchange. Its IP rotates, but at least some connections point to 217.139.183.2, which belongs to the ISP “the Noor group” in Cairo. Other times it points to 41.222.175.2, which belongs to “Misr Information Services and Trading” in downtown Cairo. Both are clearly reachable and pingable; is every router on the way configured to route communication only to those IPs? Are there other routers, IPs or servers that are still open for communication? I would imagine that some emergency lines run on IP-based infrastructure that must be kept on; some devices – military ones perhaps – might rely on IP infrastructure. Dial-ups might still exist. Speaking of which: can one dial from Egypt into a modem in Germany?

Also, one has to wonder about internal communication. Blocking the country’s gateways is one thing, but blocking all internal communication is extremely hard to do. If internal communication is available, is there a way to piggyback on those few holes in the dam to get external communication? Taking the egyptse.com example: if the perimeter routers only allow communication to and from the Noor network, can I route my connection through them?

We all know the Internet was designed to be resilient; and forty years after its initial deployment, it’s proving to be very hard to kill, even by those who believe they have their hand on the cut-off switch.
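The post draws a distinction between two layers of a shutdown: resolvers refusing to answer for names, and the addresses themselves no longer being routed. The following Python probe is an added example, not code from the original post, that makes that distinction measurable. For each target it asks the system resolver for the name and then attempts a TCP handshake, either to the resolved address or, when resolution fails, to an address recorded before the outage (the way the post keeps the stock exchange’s addresses in hand). The resolver and connector are injectable, so the offline demonstration at the bottom runs against constructed data: the hostnames, the TEST-NET addresses (RFC 5737) and the blocking outcomes are all made up for illustration and are not measurements.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Resolver = Callable[[str], Optional[str]]
Connector = Callable[[str, int], bool]


@dataclass
class ProbeResult:
    target: str
    resolved_ip: Optional[str]    # None when the name did not resolve
    tested_ip: Optional[str]      # the address actually probed, if any
    ip_reachable: Optional[bool]  # None when there was no address to probe


def resolve_name(name: str) -> Optional[str]:
    """Resolve with the system resolver. A resolver that refuses to answer
    and a genuine NXDOMAIN both surface as gaierror here, so both are
    reported simply as 'did not resolve'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes within the timeout.
    A completed handshake shows the address is routed and a host answers,
    independently of whether DNS would have led us there."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(target: str, known_ip: Optional[str] = None, port: int = 80,
          resolver: Resolver = resolve_name,
          connector: Connector = tcp_reachable) -> ProbeResult:
    """Layer 1: does the name resolve? Layer 2: does an address answer?
    If resolution fails but an address is known from before the outage,
    probe that address instead so the two layers can be told apart."""
    ip = resolver(target)
    tested = ip or known_ip
    reachable = connector(tested, port) if tested else None
    return ProbeResult(target, ip, tested, reachable)


def classify(r: ProbeResult) -> str:
    """Map the two layers onto a plain-language verdict."""
    if r.resolved_ip is not None:
        return "reachable" if r.ip_reachable else "name resolves, path blocked"
    if r.ip_reachable is None:
        return "name blocked, no known address to test"
    if r.ip_reachable:
        return "name blocked only, known address still reachable"
    return "name blocked and known address unreachable"


def run_report(targets: Dict[str, Tuple[Optional[str], int]],
               resolver: Resolver = resolve_name,
               connector: Connector = tcp_reachable) -> Dict[str, str]:
    """targets maps hostname -> (known address or None, port); returns verdicts."""
    return {name: classify(probe(name, known_ip, port, resolver, connector))
            for name, (known_ip, port) in targets.items()}


# Constructed, offline stand-ins (hypothetical names, RFC 5737 TEST-NET addresses):
# a resolver that refuses some names and a network that still routes some addresses.
FAKE_DNS = {"exchange.example": None,        # resolver refuses this name
            "news.example": "192.0.2.20",    # resolves normally
            "bank.example": "192.0.2.30"}    # resolves, but the path is blocked
FAKE_ROUTED = {"192.0.2.10", "192.0.2.20"}   # addresses that still answer


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def fake_connector(ip: str, port: int) -> bool:
    return ip in FAKE_ROUTED


DEMO_TARGETS = {
    "exchange.example": ("192.0.2.10", 80),  # address noted before the outage
    "news.example": (None, 80),
    "bank.example": (None, 443),
    "unknown.example": (None, 80),
}

if __name__ == "__main__":
    for name, verdict in run_report(DEMO_TARGETS, fake_resolver, fake_connector).items():
        print(f"{name:20s} {verdict}")
```

Swapping the fake resolver and connector for the real `resolve_name` and `tcp_reachable` turns this into a live probe; the verdicts then depend on the vantage point, since a resolver refusal seen from inside a network says nothing about what an outside resolver returns, and a handshake that fails from one path may succeed from another.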

Back on the AMTSO wheel

The next AMTSO members’ meeting is in San Mateo, California, on 10th-11th February, just before RSA.

I’m not sure how many supporters of the Anti-Malware Testing Standards Organization there are reading this blog, as opposed to those who regard AMTSO as a club with which to beat the anti-virus industry. However, I’m pretty sure that even those who find the generation of testing guidelines documents (which constitutes most of the work at AMTSO meetings) excruciatingly boring will find some interesting material coming out of the organization in the next few weeks.

There’s more information on this year’s AMTSO meetings on the AMTSO meetings page at http://www.amtso.org/meetings.html, including a preliminary agenda.

David Harley CITP FBCS CISSP
Small Blue-Green World

Non-Functional Email (or Blog) System Disclaimer

Herewith, forthwith, and thereunto, all my postings and email messages, past, present, and future, shall be subject to the following disclaimer.  (Some parts of this disclaimer may be familiar to you, but then, some of the best of human literature is familiar.)

Confidentiality, Integrity, and Availability Notice (or Disregard):
The information, misinformation, or vacuity in this document and attachments (including viruses) is, are, were, or have been confidential and may also be legally privileged or illegally handicapped.  It is intended only for the use or misuse of the named recipient, such as “To Whom It May Concern.”  Internet communications are not secure (unless you consider availability part of security) and therefore does not accept legal responsibility for the contents of this message, including tar and nicotine levels.  If you are not the intended recipient, please notify us immediately so that we can add you to the distribution list.  Violation of this notice may be unlawful, immoral, or fattening.  This email is fully disclaimed, but may still be dangerous.  It is not legal, medical or engineering advice.  It is not even questionable advice.  (If used as legal, medical, computer security or engineering advice please pay additional moneys to the sender.  LOTS of moneys.)  It is under-privileged.  It is made from 85.4% post harangue opinions, green ideas, and not less than 15% recycled electrons.  It should be taken with a large pinch of salt (but remember, this is not medical advice).  Union written.  (By committee.)  Shade grown concepts.  Fair trade characters.  Low sodium (but high silicon).  25% lower (than our regular humour).  Trans-fat free.  Environmentally friendly.  Lite.  New.  Improved.  Low calorie.  High energy.  Self-starter.  High fibre optic.  Reduced.  Please consider the environment before printing this out, unless you are American or Chinese in which case what the heck it’s all baloney that greenhouse gas stuff.  (If non-American or -Chinese, then remember that paper is a renewable resource made from trees, and that working forests not only provide habitat for wildlife, but actually help with carbon sequestration as long as you recycle the stuff and don’t burn it.)  THIS DISCLAIMER IS ALL IN CAPITALS TO AVOID LOWERCASE TAXES.  
AND TO MAKE YOU THINK THIS BIT IS REALLY IMPORTANT.  If you aren’t the person to whom this was intended, we beseech you not to hold the entire corporation liable for the dim bulb responsible.  Please delete and pretend you never saw it.  Thank you and have a nice day.  Delete it now.  NOW!  If you don’t something bad will happen to you involving geese.  Just imagine there is this absolutely humongous and meaningless disclaimer here about how if you aren’t the intended recipient, you shouldn’t read it, inform the sender, seek mind erasing/excess facial hair treatment, destroy this email, the computer it was on and any computers that it might have looked at funny, cut down on the caffiene, move to Nepal where they don’t have all that many computers in search of self-actualization, and so on.  With the occasional really really long line full of legalese twaddle that we won’t try to reproduce here as we don’t have any stunted lawyer training to protect us from injury, malice, dismal speeling, incorrect use of epiphanies or US election rhetoric or idiocy.  Just in case it might be spam, we also include a reference to a little known law from 1736 about artichokes outlawing their use in combat unless they are explicitly declared royal leafed vegetative maces weighing no more than 6,000 grains and have an unsubscribe address printed on them in the widely derided Comic Sans, with a pitch size of at least 3 point, and the views of the cracker dip expressed here is totally fallacious.  This message is intended only for the use of the intended recipients, who may, in  fact, be legion, given that this is an autoresponse.  It may contain information  that is privileged and confidential, but, given the mindless nature of the mailing, that isn’t very likely, is it?  
If the reader of this message is not the intended  recipient, or someone else on the mailing list, or someone else on another mailing list that mirrors some of the traffic on this mailing list, or an employee or  agent responsible for delivering this message to the intended recipient, or a mail user agent, or a mail transfer agent authorized to handle such message, or a spam filter  authorized to examine the content of such message, or a casual browser looking over the shoulder of someone who is reading this message on their screen, then the statistical odds of you seeing the message are really wild, but anyway, such reader is hereby notified that any review, retransmission, conversion to hard copy, copying, circulation, restriction, bundling into small balls of paper for the purpose of firing over at your friend three cubicles away to tell him (or, preferably, her) that it is break time, or other use of this message is strictly prohibited and may be illegal.  If you have received this communication in error,  please immediately notify us by replying to the message and deleting it from your  computer, but don’t read it first to see if it was truly in error.  This email is confidential and privileged.  That’s right, confidential.  Even though I sent it to a mailing list, it’s still confidential.  Not only is *it* privileged, but so are you, you lucky user, since you’ve gotten a message from *me*!  This email and any, all, or no attachments are confidential (as long as you don’t read them) and may also be privileged.  (They’re an elitist bunch …)  If you are not the addressee, addressor, writer, or reader, do not disclose, copy, circulate, bend, fold, make into paper cranes (not the small ones that any Japanese kid can make, the really elaborate ones that even have feathers on), mutilate or in any other way use or rely on the information contained in this email or any attachments.  
(Using or relying on the information contained in this email may, in any event, be hazardous to your health, particularly mental.)  If received in error (the message, not you), notify the sender immediately, if not sooner, and delete this email and any, all, or viral attachments from your system.  Failure to delete this email and any attachments from your system may result in … in … well, gosh, darn it, just do it, OK?  If you are not the intended recipient please accept our apologies.  On second thought, why are we apologizing?  You’ve accepted the message.  If you aren’t the intended recipient, or a person responsible for delivering it to the intended recipient, or the intended recipient’s lawyer, or someone with power of attorney for the intended recipient, or a police officer with a duly authorized warrant, then you are likely someone who is far too nosy to mind their own business and stay out of other people’s email-shame on you! what are you, some kind of spy?!?  Please do not disclose, copy or distribute information in this e-mail.  [Sigh.]  You’ve already copied it, haven’t you?  You downloaded it from the server, so you copied it onto your machine.  Then your mailer made another copy in memory, just to display it to you. Don’t do it anymore, alright?  Don’t take any action in reliance of on its contents: to do so is strictly prohibited and may be unlawful.  It’s also ungrammatical: if anyone ever figures out what that previous sentence meant, please let us know.  Please inform us that this message has gone astray before deleting it.  What can you do?  You try to bring email up right, and the next thing you know they’re hanging out on IRC and trying out NetBEUI.  Thank you for your co-operation.  Actually we just added that last bit to pad out the message and keep you reading for the few more seconds it will take our crack anti-cracker team (get it?  Never mind.) to get to your location and terminate your machine with extreme prejudice.  
You have been warned.  The content of this message is distributed on an ‘as is’ basis, without surety, warranty, guarantee, pledge, Endust, or assurance of any kind, express, implied, or insinuated, as to accuracy of content, quality of writing, punctuation, spelling, grammar, usefulness of the ideas presented (if any), merchantability, liability, correctness or readability of concepts, or correspondence of (a) the ‘To:’ line with the actual distribution, (ii) time stamp references in the header (if any) with the time of sending, (4) any subject line with any associated thread, (V) the definitions with the actual terms used, (dubya) domain name references in the URL (if any) with the actual site used, and (whatever) any reference link with where the link ends up.  Illustrations may have been originally necessary to understand this material: neither the author, the ISP, nor any MTA en route accept any responsibility for the fact that ASCII doesn’t support them.  Any resemblance of the author or his or her likeness or name to any person, living or dead, or their heirs or assigns (even if grandchildren), is coincidental; all references to people, places, or events have been or should have been fictionalized or at least randomly chosen from the Quesnel phone directory and may or may not have any factual basis, even if reported as authentic.  Similarities to existing works of fact, reference, art, literature, song, dance, puppetry, reality television program, radio talk show, random conversation, or movie scripts is pure fluke.  References have been chosen at random from the author’s own written works (for purposes of self-promotion) or fertile imagination.  
Neither the author(s) nor the publisher (if the Supreme Court so deems ISPs to be) shall have any liability whatever to any person, corporation, animal (whether feral or domesticated), mineral, vegetable, or other corporeal, incorporeal, or supracorporeal entity with respect to any loss, damage, misunderstanding, puzzlement, or death from choking with laughter (I wish) or apoplexy (more likely) at or due to, respectively, the contents; that is caused or is alleged to be caused by any party, whether directly or indirectly due to the information or lack of information that may or may not be found in this alleged work.  No representation is made as to the correctness of the IP address or date of publication as our Pentium isn’t good with numbers and errors of spelling and usage are attributable solely to bugs in the spelling and grammar checker in Microsoft Word even though the author does not use it.  If sold without a header, this message will be shorter than those sold with a header.  Slightly higher west of the Rockies.  (The elevation, dummy, not the number of characters.)  You do not own this page or message, but have acquired only a revocable non-exclusive license to read the material contained herein.  You may not read it aloud to any third party, regardless of any ability or inability of that third party to read it for themselves.  This disclaimer is held to be valid under the laws of wherever I can best make it stick.  This disclaimer is a copyrighted work of Robert M. Slade, first published in 2004, bulked up and renewed in 2011, and is distributed ‘as was’, without guarantee, warranty, or attestation as to quality of humour, trenchancy of critique, sharpness of scorn, or aptness of jape.  Any similarity to any email disclaimer by any corporation or actual lawyer is purest accident.  By accepting this message you are accepting the following terms: 1) This message is subject to clarification or withdrawal.  
ii) It is freely transferable with no alteration to the original message.  fore) It implies no promise by the author/poster/forwarder to actually implement any of the wishes or information for her/himself or others and is void where prohibited by law, and is revocable at the sole discretion of the author/poster/forwarder.  f) It has been virus-scanned by up-to-date commercial antivirus software and therefore no absolute guarantee can be given that it is free of all malware, virus, worm, Trojan (or other prophylactic), keylogger or rootkit.  By sending any email to any of MY addresses you are agreeing that  1. I am by definition, “the
intended recipient,”  2. All information in the email is mine to do with as I see fit and make such financial profit, political mileage, or good (or bad) joke as it lends itself to.  In particular, I may quote it on Usenet or post it to any wall on Facebook.  3. I may take the contents as representing the views of your company.  4. This overrides any disclaimer or statement of confidentiality that may be included on your message.  5.  I may charge you, at the rate of $350 (or the value of an old college beater, whichever is the greater) per hour for reading your disclaimers.  DISCLAIMER is better than datclaimer, and contains privileged and confidential information in heavily steganographic form and is intended only for an individual named rather than groups of named.  If you are not the named recipient (for example, if you are a numbered, or an ordinaled), you should not disseminate, distribute, store, print, copy or deliver this message.  Therefore, any routers or MTAs that have passed this message along should be taken out and shot.  Please notify the sender immediately by email.  Of course, in order to do that you’d have to read it, and therefore any messages that the sender receives will be held and used as evidence against you before you are taken out and shot.  If you have received this email by mistake, please delete this e-mail from your system.  Which would mean delivering it to the bit-bucket, and is therefore illegal.  Email transmission cannot be guaranteed to be secure, error-free, or even sane as information and any attachments or non-attachments could be intercepted, corrupted, lost, destroyed, modified, found, delayed, flushed away, incomplete, added to, or amended, arrive late or incomplete, contain viruses or be extremely silly.  This message contains information.  It is provided for informational purposes only.  It may contain virtual information.  
This message may be confidential, or it may only make sense to the person(s) to whom it is addressed.  It may not make sense at all.  If you find minor spelling or grammatical errors in this message, please do not bother the sender.  Report the problems to someone who cares.  Some pedantic member of the Internet Grammar Police maybe.  The sender, therefore,  does not accept liability for any errors or omissions in the contents of this message which arise as a result of email transmission.  Or for the fact that you tried to do what we actually did want you to do, and lost money as a result.  Or, indeed, for anything at all.  If verification is required, please request a hard-copy version.  So that we can gain more evidence before you are taken out and shot.  If you don’t recognize this message, please commit suicide in order to prevent improper disclosure.  Please note that all incoming e-mails will be automatically scanned to eliminate unsolicited promotional emails about SPAM.  This could result in deletion of a legitimate email before it is read by its intended recipient.  In other words, we can ignore this as long as we want, and blame it on the spam filter.  Warning: email is not 100% reliable, if you are sending time sensitive, critical information please use a read receipt request and also follow up with a phone call.  Otherwise we can ignore this as long as we want, and blame it on gremlins.  If you bothered to read this disclaimer, you *are* a goose.  We may monitor email traffic.  Purely for kicks, you understand.  Our mail server admins get bored easily.  No part of this message, including this, or any other, disclaimer, is to be taken to represent the knowledge, beliefs, thoughts, or opinions of the author, company, Internet access provider, or anyone else involved in the creation or transmission of this message.  
In fact, this message was really written in the language of a civilization originating on a planet orbiting the third star to the left (if you don’t go past it and straight on til morning), transmitted in a trinary vector encoding, from the rough vicinity of where the tail of the Horsehead Nebula would be, with the subsequent line noise detected and interpreted as ASCII characters.  The fact that it appears to be in English is only a random artifact.  The original message concerned the quality of lint in the Sacred Belly Button, and this disclaimer was originally line noise from the carrier dropping.  It’s sad that the signal/noise ratio of the Internet is now asymptotically approaching zero because 90% of traffic is SPAM and the remaining 10% is stupid and offensive email disclaimers.  It will
actually go negative as soon as spammers decide that they need long and discursive disclaimers in order to make their stuff look authentic.  All clauses of this disclaimer apply to the disclaimer itself, except for this first sentence.  This disclaimer is provided for informational, misinformational and metainformational purposes only and should not be construed as a solicitation or offer for anything whatsoever.  This disclaimer may contain forward-looking statements, and probably will contain backward-looking statements, too.  Beginning to read this disclaimer constitutes immediate, implicit, explicit and retroactive acceptance of all clauses past, present and future.  All metainformation, HTML tags, photographs, artwork, script, text, opinions, ideas, facts or factoids contained in this email are either my own, and therefore are copyright (c)1954-2011 by the author, or duly licensed from and/or attributed to the writers, owners or copyright holders, or in good faith presumed to be in the public domain, or quotable under some sort of “fair use” clause, or frankly stolen, or the official opinion of the voices in my head.  You’re free to copy, reproduce, expand, excerpt or adapt this disclaimer to your own purposes, at your own risk, as long as you assume all responsibility for doing so, particularly in terms of being called an idiot for enlarging a disclaimer that was already ridiculous in the first place.  Should you agree to all provisions put forth herein, you’re implicitly agreeing with the agreement about the meaning of the words “agree”, “agreement”, “agreeing” and all variations or conjugations thereof, as well as the word “thereof.”  Should you disagree with any one or several disagreements expressed thereunto, your worldline may be caught in a strange recursive loop and spontaneously self-combust.  Again.  
All comments published in public forums are the exclusive responsibility of the respective posters and may be subject to separate copyright provisions and disclaimers (please collate and include them here); however, this poster reserves the right to edit, delete, curate or eliminate all replies on personal whim.  All posters to any such forums must implicitly accept the full provisions of this disclaimer; you may assume that I will ignore any claims of ignorance, surprise or indignation.  Text, tags, metatags, scripts, pings, trackbacks or links on my site may have been totally or partially generated by distributed software and/or information gathering and diffusion mechanisms of uncertain location, provenance, jurisdiction or intentions.  All products, brands and company names mentioned will probably be trademarks or trade names of the respective companies and you should mentally insert the appropriate TM, c, r or whatever wherever or whenever appropriate.  Failure to do so leaves you liable, not me.  All rites reversed.  Any links to external sites and any comments about the contents thereof should not be construed as endorsement, tolerance, approval or disapproval of such contents, even if such comments overtly purport to do so.  85.4% of all cited statistics may have been made up on the spot.  In case of error, reinstall universe and reboot.  Sense of humor must be provided by third parties.  Caveat Browsor.  If you do not understand, or cannot read, all these directions, cautions and warnings, do not access this content.  Use, duplication, disclosure or ritual exorcism of this information by the Government (any Government) is subject to the restrictions of physical laws.  It’s also subject to logical laws, but Governments wouldn’t understand those.  
There is no conscious attempt made nor desire extant to libel or otherwise cause malicious damage, loss, public contempt, defamation, slander, blasphemy, treason, sedition, or ridicule to persons of any gender or even none, cabals, corporations, governments, matrioshka brains, institutions, corporations, or assemblies of inanimate objects, alien lifeforms, microorganisms, clergy, vegetables, animals, or any collections thereof, unless we find it really, really funny.  No representation whatsoever is made as to the accuracy, political correctness, spelling, syntax, semantics, content or meaning of the graphics, text or downloadable files on this site, or of suitability for use or merchantability or fitness for a particular porpoise.  As far as I’m concerned all information herein consists solely of sequences of zeroes and ones, being presented as either an educational explanation, satire or a parody of other sequences of zeroes and ones (or even of the ones and zeroes themselves) and neither I nor my service provider can be held responsible for any further interpretation, guesstimate, translation, transliteration, compression, decompression, exegesis, deconstruction, memetic emission or absorption, catalysis, curation, brand curation, transmogrification, alteration or forgery of such sequences made by either your hardware, software or wetware, or by any intervening data communications channel, even if previously advised of such a possibility.  Any actions you take based on whatever you saw, or think you saw, in this message or on any realted site are entirely your own responsibility.  So there!  This email is directed at reasonably mature people of any age and if you’re not among them, life will be tough.  Since all of the Internet’s pages are interlinked you will sooner than later come to what you may consider an ugly, silly, stupid, obscene or otherwise offensive site.  Don’t say I didn’t warn you!  Reading this email will not enable you to fly.  
No electrons, protons, neutrons, quarks or other sub-atomic particles, or agglomerations thereof, have been knowingly harmed in preparing this massage.  Any use of this email, in any manner whatsoever, will increase the amount of disorder in the universe.  Although no liability is implied herein, you are hereby warned that this process will ultimately lead to the heat death of the universe.  All quantum fields and/or state vectors related to this email may spontaneously collapse, decohere, and/or go all higgedly-piggedly [sic] as soon as you look at them, and I can’t do anything about it.  You may have some rights not detailed in this disclaimer but don’t bet on it.  Although due diligence has been exerted towards ensuring that this note doesn’t make any sense, total incoherence can be approached only asymptotically and thus will never be attained.  Actual size smaller than shown if you use a smaller font.  Apply only to affected area.  Do not use while sleeping, unconscious, or insufficiently caffeinated or oxygenated.  For indoor or outdoor use only.  Not suitable as a personal flotation device.  All models are over 0.568 gigaseconds of age or the local equivalent.  Taking this disclaimer onto an aircraft or reading it aloud in or near any federal facility may be prohibited, and, if it isn’t, it should be.  Some areas may be restricted to members.  We do not define what type of members.  Avoid contact with mucous membranes.  They are really icky.  Do not insert body parts into moving components.  Keep out of children.  
This disclaimer does not cover misuse, accident, extraterrestrial impact, war, alien abduction, hurricane, lightning, tornado, tsunami, volcanic eruption, earthquake, flood, and other Acts of God, gods, Godesses (religious or Supermodel type) and/or Flying Spaghetti Monsters, misuse, neglect, leaking batteries, unauthorized repair, authorized repair that we don’t like, damage from improper installation, broken antenna or marred cabinet, incorrect line voltage, missing or altered serial numbers, sonic boom vibrations, electromagnetic radiation from nuclear blasts, chemical reactions, electromagnetic radiation from nuclear blasts, sonic boom shock waves, duplication of terms because we weren’t paying attention, customer adjustments that are not covered in this list, genetic drift, continental drift, tectonic plates (collect the whole set!), random neuronal firing, and incidents owing to airplane crash, ship sinking, motor vehicle accidents, leaky roof, broken glass, falling rocks, mud slides, forest fire, flying projectiles, or dropping the item.  Many mail readers look alike.  Others don’t.  If you can’t tell the difference, I suppose it doesn’t matter, but I’d question your ability to use email.  Use only in a well-ventilated area.  Colours may fade.  May not work while immersed or submerged.  Do not bend, contort, flex, twist, fold, crease, crinkle, rumple, spindle, mutilate, lacerate, dismember, clone, inflate, bloat, distend, deflate, dishearten, imbibe, swill, sniff or chew.  Do not use while operating a motor vehicle, heavy equipment, airplane, hang glider, cellphone, or any powered device inserted into bodily orifices.  If a rash, redness, irritation, or swelling develops, discontinue use.  If condition persists, consult your physician.  If meta-condition persists, consult your philosopher.  No user-serviceable meaning inside.  Articles are ribbed for our pleasure in making fun of them.  Prepositions are barbed for making more vicious insults.  
Possible penalties for early withdrawal.  Objects in browser may be closer than they appear, but don’t count on it.  Objects in mirror are probably behind you.  One size fits all.  Quantities are limited while supplies last: after that, they aren’t.  Not intended for highway use.  To be used as a supplementary restraint system only.  Contains a substantial amount of non-tobacco ingredients.  Keep cool, process promptly.  Refrigerate remaining text.  Remove child before folding.  Lost ticket pays maximum rate.  Employees and their families and friends are not eligible.  If any defects are discovered, do not attempt to fix them yourself, but return to an authorized service center.  Not responsible for advice not taken.  Disclaimer subject to change, amendment, modification, obsolescence or stagnation without notice.  May cause temporary dizziness, flatulence, cirrhosis of the liver, inflammation of the brain, heart damage, pancreatic damage, kidney damage, spleen implosion or explosion, thyroid combustion, severe nasal hair growth, blindness, eruptia, pregnancy, infertility, fecal incontinence, feelings of financial inadequacy, impotence, allergies, solipsism, loss of genitalia and/or hermaphroditism, hair loss, skin blemishes, bone deformity, throat cancer, warts, ulcers, hangnails, bladder leakage, Darwinian selection, sores, scabs, ozone holes, panspermia, dystopia, elephantiasis, hepatitis, conjunctivitis, gingivitis, appendicitis, bronchitis, athlete’s foot, and/or the misery of psoriasis.  Your mileage may vary.  All your disclaimer are belong to us.  This supersedes all previous disclaimers.  
NOTWITHSTANDING ALL PREVIOUS CLAIMS TO THE CONTRARY THIS DISCLAIMER MAY CONTAIN INFORMATION THAT IS THE CONFIDENTIAL AND PROPRIETARY PROPERTY OF SOMEBODY AND SUCH INFORMATION MAY NOT BE COPIED, PUBLISHED, OR DISCLOSED TO OTHERS, OR USED FOR ANY PURPOSE OTHER THAN REVIEW BY AUTHORIZED INDIVIDUALS, WITHOUT THE EXPRESS WRITTEN NOTARIZED AUTHORIZED AUTHORIZATION OF AN AUTHORIZED OFFICER OF WHOEVER-IT-IS.  Always check your caps lock key before posting.  Reading a disclaimer like this all the way to the end may have caused irreversible but not necessarily malign changes to your neural whatchamacallits.  Your eyes are weary from staring at the CRT.  You feel sleepy.  Notice how restful it is to watch the cursor blink.  Close your eyes.  The opinions stated above are yours.  You cannot imagine why you ever felt otherwise.  To have the secret second part of this disclaimer transmitted to you over a telepathic tight-beam channel (at 300 baud nominal, odd parity), bury a signed non-disclosure agreement and exactly $1000 in consecutively numbered three-dollar bills in our backyard and stand by for further instructions.

This disclaimer will now be repeated in Babelfish versions of French, Spanish, German, Dutch, Latin, Japanese, Arabic, and Ebonic, and, if we can get the Dialectizer to work, Swedish Chef, !33t haXor and ValGal.
(Disclaimers should not exceed the size of the original message, per APP disclaimer dictum.)
Further information: http://www.goldmark.org/jeff/stupid-disclaimers/

http://attrition.org/security/rants/z/disclaimers.html


REVIEW: “Computer Viruses and Other Malicious Software”, Organization for Economic Co-operation and Development

BKCVAOMS.RVW   20100607

“Computer Viruses and Other Malicious Software”, Organization for
Economic Co-operation and Development, 2009, 978-92-64-05650-3
%A   Organization for Economic Co-operation and Development
%C   2 rue Andre Pascal, 75775 Paris Cedex 16, France
%D   2009
%G   978-92-64-05650-3 92-64-05650-5
%I   OECD Publishing
%O   oecdna@turpin-distribution.com sourceoecd@oecd.org
%O  http://www.amazon.com/exec/obidos/ASIN/9264056505/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/9264056505/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/9264056505/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   244 p.
%T   “Computer Viruses and Other Malicious Software”

The executive summary doesn’t tell us much except that malware is bad, and that this report is seen as a first step in addressing the issue in a global, comprehensive manner.

Part one, entitled “The Scope of Malware,” is intended to provide background to the problem.  Chapter one, as an overview, is a random collection of technical issues, with poor explanations.  Although it is good to see that the malware situation is defined in terms that are more up-to-date than those in all too many security texts, the lack of foundational material provided by the authors will necessarily limit the perception of the issue for those readers who have not done serious research themselves.  Various stories of attacks and payloads (not all related to malware) are listed in an equally disjointed manner in chapter two.  There are numerous errors, including in simple aspects like arithmetic.  (20 million is not “5 times” one million.)   The explanation of why we should be concerned, in chapter three, boils down to the fact that the net is important, and malware imposes costs.

Part two turns to the economics of malware.  Chapter four, while it promises to deal with cybersecurity and economic incentives, merely states that security is hard.  Chapter five does deal with economic factors influencing decisions of key players on the Internet, but does so only on the basis of an opinion survey, rather than any measured costs or benefits.  Descriptions of different types of economic situations are given in chapter six, but a final set of “findings” doesn’t seem to have much background support.

Part three is supposed to contain recommendations about actions to take, or policies to follow, to address the malware issue.

Unfortunately, this work does not have sufficient technical depth on areas of malware to contribute to the literature.  The concept of addressing the economic aspects is interesting, but is not sufficiently fulfilled.  Overall, this text has nothing to add to existing information.

copyright, Robert M. Slade   2010     BKCVAOMS.RVW   20100607


The casting case

No, this isn’t a post on theater :) Rather, it is an interesting case of how a number gets “cast” between different types, effectively bypassing safety checks and finally causing a crash, and possibly the execution of code, as the memmove function is called with an overly large value as the number of bytes to copy.

It starts off with a program receiving the value -2147483648 as a length. Why is this value important? It has three characteristics that matter:
1) It had to be negative.
2) It had to be large enough to overflow a variable of type int.
3) It couldn’t be too large, as there were checks just before it to make sure it wasn’t too big.

This magic number is not accidental: if you look at it in hex it is 0x80000000, i.e. -2147483648 is the signed (negative) representation of that bit pattern. So as soon as you cast it to “unsigned int” it looks positive, and when you cast it back to plain “int” it looks negative.

So if your code performs a check without making sure the value is cast consistently when the comparison is made, for example:
if (conn->content_len < buffered_len)

where content_len is an "int" while it is being compared to an "unsigned int" value, the comparison is flawed and the check will be true, even if the value being passed is negative and should have been discarded.

Further, if you then call:
memmove(conn->buf, conn->buf + conn->request_len, conn->content_len);

memmove’s last parameter is defined as an unsigned integer type, so the negative value is converted into a positive one rather than staying negative (not sure this would have helped in this case…), and in our scenario that means a very large memmove copy, which of course causes an Access Violation as the function reads data it shouldn’t be able to access.
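The check-then-memmove sequence above, worked through in code, as an added example that is not part of the original post or of the program it discusses. The struct conn, the function names, and the constructed HTTP request are assumptions made for the example; the field names simply mirror the snippet. It shows the signed check accepting INT_MIN (-2147483648), what that value turns into once it is converted to unsigned int and to size_t, and a hardened check that rejects negative lengths and bounds the copy by the bytes actually buffered.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the connection state used in the post's snippet.
   The field names mirror that snippet; the struct layout itself is an
   assumption made for this example. */
struct conn {
    char   buf[64];       /* receive buffer: headers followed by body bytes */
    size_t request_len;   /* bytes of headers already parsed (incl. blank line) */
    int    content_len;   /* Content-Length as parsed from the request */
};

/* The "magic" length viewed as unsigned: -2147483648 is 0x80000000. */
unsigned int as_unsigned(int content_len)
{
    return (unsigned int)content_len;
}

/* What memmove() really receives: the int is converted to size_t, so a
   negative length becomes a huge positive byte count. */
size_t as_memmove_length(int content_len)
{
    return (size_t)content_len;
}

/* Vulnerable pattern: a signed "do we have at least content_len bytes
   buffered?" check. INT_MIN is smaller than any plausible buffered_len,
   so it passes. Returns 1 when the copy would go ahead. */
int vulnerable_check(int content_len, int buffered_len)
{
    return content_len <= buffered_len;
}

/* Hardened pattern: reject negative lengths before any conversion to an
   unsigned type, then bound the copy by the body bytes actually present. */
int hardened_check(int content_len, size_t body_available)
{
    if (content_len < 0)
        return 0;
    if ((size_t)content_len > body_available)
        return 0;
    return 1;
}

/* Move the body to the front of the buffer, as the post's memmove does,
   but only after the hardened check. Returns bytes moved, or -1 if rejected. */
long safe_shift_body(struct conn *c, size_t buffered_len)
{
    if (buffered_len < c->request_len)
        return -1;
    if (!hardened_check(c->content_len, buffered_len - c->request_len))
        return -1;
    memmove(c->buf, c->buf + c->request_len, (size_t)c->content_len);
    return c->content_len;
}

/* Run safe_shift_body() over a constructed request carrying an 11-byte body. */
long demo_shift(int content_len)
{
    static const char raw[] = "POST / HTTP/1.0\r\n\r\nhello world"; /* constructed */
    const char *blank = strstr(raw, "\r\n\r\n");
    struct conn c;

    memset(&c, 0, sizeof c);
    memcpy(c.buf, raw, sizeof raw - 1);
    c.request_len = (size_t)(blank - raw) + 4;   /* 19 bytes of headers */
    c.content_len = content_len;
    return safe_shift_body(&c, sizeof raw - 1);  /* 30 bytes buffered in total */
}

int main(void)
{
    int magic = INT_MIN;   /* -2147483648, i.e. 0x80000000 */

    printf("as int: %d, as unsigned: 0x%08x, as size_t: %zu\n",
           magic, as_unsigned(magic), as_memmove_length(magic));
    printf("vulnerable check passes: %d\n", vulnerable_check(magic, 10));
    printf("hardened check passes:   %d\n", hardened_check(magic, 10));
    printf("safe shift of magic length: %ld\n", demo_shift(magic));
    printf("safe shift of 5 bytes:      %ld\n", demo_shift(5));
    return 0;
}
```

The point to take from it is that the sign must be checked while the value is still an int: once it has been converted to size_t for memmove, the length is already a huge positive number and no comparison against the buffer size will catch it. On a 64-bit build the converted value is sign-extended, so it is even larger than 0x80000000.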

This type of vulnerability, and others like it, can be easily detected using the beSTORM fuzzer, as it has built-in capabilities for checking the relationships between values and their lengths, such as in this case.

UPDATE: My mistake on the example; my copy-paste skills were a bit flawed in this… I placed the patched version instead of the unpatched one, causing the mix-up. Thanks for pointing it out, jduck.


What was your favorite book of 2010?

Wanting something good to read, I found myself reading “Neuromancer” again, probably for the hundredth time now.

Looking around for recommendations for new books in the usual places, like the “NYT Best Sellers list”, turned up fairly dull results. So, given that the crowd that reads this blog probably shares the same preferences as me, what book did you enjoy this past year? Any genre.


Crowdsourced Christmas Cwestions

This has nothing to do with security.  But, since it’s the day after Epiphany, we are now officially out of the Christmas season, so one last hit before next year.

Then again, maybe it does have to do with security.  Integrity and all that.  The dangers of getting your answers from socnets and Wikipedia.

So, today I’m getting my hair cut.  Our hair stylist (yes, I’ve had to switch from a barber, that endangered species, to a hair stylist.  Who is really good) has become a good friend, and saves up questions to ask me while I’m in the chair.  Today it was why red is a Christmas colour.  (We discussed Clement Clark Moore, and persistent berries in northern climates, etc.)

I mentioned this to Gloria when I got home, and she said that the girls would have just googled “why is red a Christmas colour?”  So, I did that.

Oi, such nonsense I find!  There are lots of non-answers, such as the Christian significance of red and green, but there is Christian significance in other colours, too, so why those?  Answers.com was one of the sites that promulgated that one.

But then I hit yet another answer from Answers.com, and this one just blew me away!  So herewith the answer they gave to it, and my response to the various parts (by the way, I haven’t corrected any spelling, punctuation or grammar within the quotes):

“This has always been the case.”

Oh, thanks awfully!  So helpful!  (This is the “turtles all the way down” answer.)

“Possibly the holly and wreaths,”

OK, I can accept that …

“or contrasting stop and go images-Red and Green lights.”

Of course!  The famous sixteenth-century Tudor traffic lights!  It’s obvious!

“One interesting angle is the Running lights of ships”

Uh, you’ll have to explain that one to me a bit more …

“-and Christmas is transportation oriented,”

Ummmm, are we talking about the three kings, here?

“are , from port to starboard, Red, White(overhead masthead lights) and Green.”

Yes, yes, I see!  The Magi must have travelled on the Orient Cruise Line (the Pacific not having been discovered yet).

“it was said this may have been chosen tohonor Columbus as these are the colors of the Itallian Flag.”

Of course.  Columbus must have been the fourth wise man, and ended up as the Wondering … Wop?

“it is interesting to know the term Christmas tree for the control panel on a submarine”

Yes, clearly this came from early Judean submarines!

“refers directly to the red (hazard, no go) and Green (safe, clear) lights.”

And, clearly, Christmas is something to avoid, as hazardous.

“similar devices have other applications.”

And similar holidays have other colours?

“oddly phone switchboards are usually red and white-busy and clear.”

And this colour scheme has come down to us from the earliest Roman switchboards?

“I hope this is some help!”

No, not really.  (But it was somewhat amusing.)


Is SetFsb a Trojan?

This was sent to me by a friend who wanted to stay anonymous:

There’s a utility called SetFSB which tweaks the clock speed for overclocking stuff.
It was written in Japan, and is used for many years already.
Recently it came to me that I can speed up my old machine by 25% so I dl’ed it as well,
however, when running, I discovered that upon termination, the .exe creates 2 files,
1 batch file and 1 executable.
The batch file is being spawned, and starts a loop trying to delete the original executable, and continues indefinitely until it’s deleted. After that it will rename the new .exe to be the same name as the old one.
Now, isn’t that suspicious?
I’ve tried googling it, and just found 1 reference in PCTool’s ThreatFire, but the shmucks just got the threat and couldn’t see the .exe and .bat, so they just decided it’s a false alarm and whitelisted the utility.
I thought it would be a good idea to contact the author, give him a chance to explain, and this is message train, which I find very funny:


ME>>>

Dear Mr.

Why after exiting SetFsb, it will create a .bat and new .exe
the .bat will loop to try delete the old .exe, and rename the new .exe to old .exe ?

Thanks!

HIM>>>

Hi,

Yes,

abo

ME>>>

Hello.

Yes… good…

but WHY???
is it a VIRUS?

thanks!

HIM>>> (here comes the good part :) )

I do not have a lot of free time too much.
Why do you think that i support you free of charge?

ME>>>

to make viruses?

HIM>>> (this is the original font color and size he used!!!)

I do not have a lot of free time too much!

ME>>> (trying to hack his japanese moralOS v0.99)

Please, dear Abo,

You must understand. People start to be VERY worried about your software,
because it behave like a virus.
If you will not give a good explanation to WHY it behave like this,
then people will stop using it, and stop trusting you forever.
Then your name will become bad, and you will have a lot of shame.
I only try to help you.

I hope you understand!

HIM>>>

It is unnecessary. Please do not use SetFSB if you are worried.

Personally, I’m not sure who’s more weird: my friend, overclocking his computer in 2011, or the Japanese programmer not willing to explain if his downloadable program is a Trojan or not.


New computers – Mac (nets)

One of my Mac fanatic contacts, when I mentioned that I needed to connect to my old Windows machines, said that it was easy, you just had to open “Networks,” and there they all are!  Well, no, not quite.  Not by a long shot, in fact.  I knew there was something called “Finder,” which was basically the interface to the filesystem on the Mac OS.  I even figured where to find it, going to the icon on the extreme left end of the top of the screen, and figuring that choosing the “Finder” under that option would change the top menu items from the browser that was active at the time.

So, I found Finder, and I even found the Network part of it.  And I asked it to search for servers.  It didn’t find any.  So I asked it to find a specific server.  It didn’t find that, either, but the fact that the name I had specified popped up with “afp:” at the beginning gave me an indication that I had to specify a protocol for Windows machines.  I went searching in the help files, and, eventually, found it.  Not too hard to figure out that it was “smb:”; at least, not too hard once you know it.  I then was able to figure out, on my own, that specifying the machine name with a leading “//” was wrong, because the Mac helpfully and intelligently adds “//” to whatever you type, but is too stupid to figure out that “////” is wrong.
