HR Geeks


Matt’s Been Getting Around!

by adam on Apr.20, 2009, under computers, security

In addition to his previously mentioned 2600 Magazine publication, Matt has been published in the (arguably more prestigious) Dr. Dobb’s Journal. You can find his article, detailing a multi-threaded PRNG implementation, here.

Congrats!


CarolinaCon 2009 – Great!

by Ethan on Apr.19, 2009, under security

Erik and I headed down to CarolinaCon in Durham a few weeks ago. Have to say, it was fun! It’s a very small con, perhaps 100 people. There were some great presentations, ranging in subject from the McColo story (a co-location facility that housed a large number of servers used by people committing fraud and spamming). The story included how people got them de-peered so they were disconnected from the internet and why it’s gone. TXS spoke on reverse engineering subjects, and there were some other talks that slip my mind at the moment. Sorry for the late update, but I had to say it was fun! Had hoped to make NotACon this year, but once again missed it. Perhaps more locals will make CarolinaCon next year?


Using a DoD CAC with Ubuntu and Firefox

by adam on Nov.21, 2008, under computers, security, website

Setting up a new workstation with Ubuntu and Firefox to use a DoD CAC is surprisingly easy.

These instructions work for Ubuntu 8.10 on my hardware. My card reader is built into a USB Dell keyboard. It takes only a couple of steps to enable it for use in Firefox.

  1. Install libccid (which requires pcscd as a dependency)
  2. Install coolkey
  3. Tell Firefox to use coolkey’s pkcs11 library
  4. Profit!

To cover these steps in more detail:
(continue reading…)
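The four steps above as one script, added here as an example; it is not the post's own procedure. It assumes the CoolKey PKCS#11 module is installed at /usr/lib/pkcs11/libcoolkeypk11.so (with /usr/lib/libcoolkeypk11.so as a fallback), that the Firefox profile can be found through ~/.mozilla/firefox/profiles.ini, and that Firefox is closed while the module is registered. Step 3 is done with modutil from libnss3-tools rather than through the Firefox preferences dialog.

```shell
#!/bin/sh
# Added example, not from the original post: script the CAC setup steps.
# Assumptions: coolkey library path, profiles.ini location, modutil from libnss3-tools.
set -u

# Steps 1 and 2: the packages named in the post, plus libnss3-tools for modutil.
install_packages() {
    sudo apt-get install -y libccid pcscd coolkey libnss3-tools
}

# Locate the CoolKey PKCS#11 module. The paths are assumptions, tried in order.
# An optional prefix lets the function be exercised against a scratch directory tree.
find_coolkey_lib() {
    root="${1:-}"
    for p in /usr/lib/pkcs11/libcoolkeypk11.so /usr/lib/libcoolkeypk11.so; do
        if [ -f "$root$p" ]; then
            printf '%s\n' "$root$p"
            return 0
        fi
    done
    return 1
}

# Resolve the first profile's directory from profiles.ini.
# IsRelative=1 (the default) means Path= is relative to the ini file's directory.
firefox_profile_dir() {
    ini="$1"
    base=$(dirname "$ini")
    awk -F= -v base="$base" '
        /^\[Profile/                 { n++ }
        n==1 && $1=="IsRelative"     { rel=$2 }
        n==1 && $1=="Path"           { path=$2 }
        END {
            if (path == "") exit 1
            print (rel == "0" ? path : base "/" path)
        }' "$ini"
}

# Step 3: register the module in the profile's NSS module database (Firefox must be closed).
register_module() {
    profile="$1"
    lib="$2"
    modutil -dbdir "$profile" -add "CoolKey CAC" -libfile "$lib" -force
}

main() {
    install_packages
    lib=$(find_coolkey_lib) || { echo "coolkey library not found" >&2; return 1; }
    profile=$(firefox_profile_dir "$HOME/.mozilla/firefox/profiles.ini") || {
        echo "no Firefox profile found" >&2; return 1; }
    register_module "$profile" "$lib"
    # Step 4: confirm the module is listed; insert the CAC and Firefox will prompt for the PIN.
    modutil -dbdir "$profile" -list
}

# Only run the install when asked, so the functions can be sourced and checked first.
if [ "${CAC_SETUP:-0}" = 1 ]; then main; fi
```

Run it with `CAC_SETUP=1 sh cac-setup.sh`. After the module is registered, `pcsc_scan` (from pcsc-tools) is a quick way to confirm the reader and card are visible to pcscd before blaming Firefox.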


Privacy Fail

by adam on Nov.20, 2008, under computers, networking, security, website


image (c) by spanaut

After the recent Apple update, which included ’security fixes’ for Safari, Little Snitch popped up a warning message when I attempted to visit my bank’s website. A process called ocspd wanted to visit “EVSecure-ocsp.verisign.com”. Needless to say, I was instantly curious as to what in the world ocspd was, and why it was trying to talk to Verisign when I was visiting my bank’s webpage.

It turns out ocspd is part of Apple’s new ’safe surfing’ update to Safari. Online Certificate Status Protocol (OCSP) is the functional replacement for the old-school PKI Certificate Revocation List (CRL). It allows the Certificate Authority (CA) who signed the website’s certificate (in this case, Verisign) to confirm the status of the presented certificate in real time. This is a much more ‘elegant’ solution than the old, crummy CRL, which had to be manually updated (or pushed down with OS patches, etc.) and did not allow certificates to be rejected in anywhere near real time if they were deemed fraudulent.

Despite being a more elegant solution, it also creates a number of new problems.

First, it places a big new load on CAs, who went from being trusted certificate issuers to being real-time certificate verifiers.

Secondly (and more importantly), it seriously breaches the privacy of every user using the service.

(continue reading…)
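To make the privacy point concrete, here is an added example (not from the post) that builds a throwaway test CA and a leaf certificate for the made-up hostname bank.example, constructs the OCSP request a client would send for that leaf without sending it anywhere, and shows that the request carries the certificate's serial number together with hashes of the issuer. The CA receiving such a request can map that serial straight back to the site it issued the certificate for, which is why a daemon contacting the CA every time a site is visited discloses browsing activity. The CA, hostname and file names are all constructed for the example; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post: what an OCSP request discloses to the CA.
# All certificates below are throwaway test material built locally.
set -e

# Build a scratch CA and a leaf certificate for a constructed hostname.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ExampleTestCA \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=bank.example \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
}

# Serial number of a certificate as uppercase hex, the key the CA indexes issued certs by.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Build the OCSP request offline (no -url, so nothing is transmitted), write the DER
# to $3 and print the decoded request. -no_nonce matches what most browsers send.
ocsp_request_text() {
    openssl ocsp -issuer "$1" -cert "$2" -no_nonce -req_text -reqout "$3"
}

# The serial number inside the request: with the issuer name/key hashes it pins down
# exactly one certificate, and so exactly one site.
ocsp_request_serial() {
    ocsp_request_text "$1" "$2" "$3" | awk '/Serial Number:/ { print $3; exit }'
}

main() {
    dir=$(mktemp -d)
    make_test_pki "$dir"
    echo "serial in leaf certificate: $(cert_serial "$dir/leaf.pem")"
    echo "serial in OCSP request:     $(ocsp_request_serial "$dir/ca.pem" "$dir/leaf.pem" "$dir/req.der")"
    echo "request size: $(wc -c < "$dir/req.der") bytes (the whole payload the CA sees)"
}

main
```

The two serials printed are identical. Nothing here is Safari-specific: any OCSP client sends the same CertID structure, so the disclosure is a property of the protocol rather than of ocspd. OCSP stapling, where the web server fetches the signed status response itself and attaches it to the TLS handshake, is the standard way to keep the client from ever talking to the CA.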


757Labs Tool: PDFResurrect

by enferex on Aug.03, 2008, under 757labs, security, tools

I would like to announce the initial release of the 757Labs’ PDFResurrect tool:

PDFResurrect is a tool aimed at analyzing PDF documents. The PDF format allows for previous document changes to be retained in a more recent version of the document, thereby creating a running history of changes for the document. This tool attempts to extract all previous versions while also producing a summary of changes between versions. This tool can also “scrub” or write data over the original instances of PDF objects that have been modified or deleted, in an effort to disguise information from previous versions that might not be intended for anyone else to read.

This tool and accompanying whitepaper can be found over at the labs:
http://www.757labs.com/projects/pdfresurrect

Special thanks goes out to all the hr-geekers and 757labs. Many were consulted on this and provided suggestions, including Tele, Derez, Remad, Count, Sunpuke. Special thanks to Brent, not really part of the 757 crew, but who aided in proofreading the paper. Thanks guys!

-Matt (enferex)


Googlebot deleted my website

by meltphace on May.05, 2008, under humor, security, website

So due to some really bad coding on our part, Googlebot managed to wipe out a bunch of web content on one of our webpages today. The webpage is set up so that the individual pages all include a small piece of PHP code that pulls its content out of an SQL database and spits it out. We set this up for particular pages so that the user can make changes to the content with an HTML editor in a /admin sort of setup. It’s not the fanciest, but it’s simple, efficient and reliable.

Well the customer calls me this morning and tells me that all their content is missing, which I quickly confirm to be fairly accurate. I fire back an e-mail saying that the pages must have been deleted through the admin interface because the missing pages have been removed from the database. I then go off to read logfiles with the intent of finding evidence that this customer blew up their own webpage and that it’s not my problem, because that’s how I think. Here’s what I find in my logs:

66.249.73.92 - - [02/May/2008:13:48:47 -0400] "GET /admin/website_pages_delete.php?id=25 HTTP/1.1" 200 4642 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

66.249.73.92 - - [02/May/2008:13:52:39 -0400] "GET /admin/website_pages_delete.php?id=26 HTTP/1.1" 200 4760 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

66.249.73.92 - - [02/May/2008:14:10:44 -0400] "GET /admin/website_pages_delete.php?id=42 HTTP/1.1" 200 4642 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

So it would appear that the session-based authentication for the pages in /admin wasn’t added to the delete script, and somehow (I’d really love to know) Google managed to find out about, and traverse links from, the page with all the delete links on it. When it did, it deleted every single page out of the database. Obviously this never ever should have been possible, but hey. The lesson here is don’t be lazy and just put the authentication mechanism on the index page. Fortunately it was only done on this particular site. Whatcha gonna do. I blame Google…
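A check that would have surfaced this the same day, added here as an example and not the post's code: scan a combined-format access log for successful requests into /admin/ that carry a crawler user agent. The first three sample lines are the ones from the post; the last two are constructed, one a legitimate admin session from a browser and one the crawler fetching a public page, so the filter can be seen leaving both alone.

```shell
#!/bin/sh
# Added example, not from the original post: flag crawler hits on admin scripts in an access log.
set -e

# Sample log. Lines 1-3 are from the post; lines 4-5 are constructed controls.
sample_log() {
cat <<'EOF'
66.249.73.92 - - [02/May/2008:13:48:47 -0400] "GET /admin/website_pages_delete.php?id=25 HTTP/1.1" 200 4642 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.73.92 - - [02/May/2008:13:52:39 -0400] "GET /admin/website_pages_delete.php?id=26 HTTP/1.1" 200 4760 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.73.92 - - [02/May/2008:14:10:44 -0400] "GET /admin/website_pages_delete.php?id=42 HTTP/1.1" 200 4642 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.0.0.5 - - [02/May/2008:14:12:01 -0400] "GET /admin/website_pages_delete.php?id=7 HTTP/1.1" 200 4642 "http://example.com/admin/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121621 Ubuntu/8.10 Firefox/3.0.5"
66.249.73.92 - - [02/May/2008:14:15:30 -0400] "GET /about.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
EOF
}

# Read combined-format log lines on stdin. Splitting on the double quote gives:
#   $2 = request line, $3 = " status bytes ", $6 = user agent.
# Print "ip path user-agent" for every 200 response to /admin/ from a crawler-looking agent.
crawler_admin_hits() {
    awk -F'"' '
        {
            split($1, pre, " ")      # ip - - [timestamp]
            split($2, req, " ")      # method path protocol
            split($3, rest, " ")     # status bytes
            ip = pre[1]; path = req[2]; status = rest[1]; ua = $6
            if (path ~ /^\/admin\// && status == 200 && tolower(ua) ~ /bot|crawler|spider/)
                print ip "\t" path "\t" ua
        }'
}

# Number of flagged lines in the sample, for a quick check.
count_crawler_admin_hits() {
    sample_log | crawler_admin_hits | wc -l | tr -d ' '
}

sample_log | crawler_admin_hits
```

Against the sample this prints the three Googlebot deletes and nothing else. The filter is a detection, not a fix: the delete script itself needs the same session check every other /admin page has, and destructive actions should require a POST so that a crawler following plain links cannot trigger them. A robots.txt entry for /admin is not access control; it only asks well-behaved crawlers to stay away.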

DoS! April Fools!

by meltphace on Apr.02, 2008, under networking, security

So for those of you who may have had strange Cox outage issues in the HR area this fine Wednesday (04/02/08) morning, I have some good news. I think I know what was going on. At about 9:30 it would appear my network at work was on the painful end of a DoS attack from somewhere on the internet. At the peak we were getting about 40,000 packets/sec through one provider and 70,000 through the other, bringing our router to its knees (normal load for us is about 3000/sec). It would appear that this attack caused some pretty major problems for Cox as well. It just stopped all on its own at about 11:00, and neither provider has any reliable information about where it came from. It was still Apr 1 in China at 9:00 AM, right?
