Thursday, December 25, 2008

Geek Christmas

I was a good geek this year, and received a framed Mt. Xinu 'Death Star' poster. 4.2 > V!!

For students of Unix history, this poster is an all-time classic. Featured in the Jargon File (now in print form as the New Hacker's Dictionary, by Eric Raymond).

From the 'Death Star' Jargon File entry:

The AT&T corporate logo, which bears an uncanny resemblance to the Death Star in the Star Wars movies. This usage was particularly common among partisans of BSD Unix in the 1980s, who tended to regard the AT&T versions as inferior and AT&T as a bad guy. Copies still circulate of a poster printed by Mt. Xinu showing a starscape with a space fighter labeled 4.2 BSD streaking away from a broken AT&T logo wreathed in flames.

I received this poster as a young Unix geekling in 1991, when, inspired by the Jargon File, I wrote Mt. Xinu and requested a copy. They were kind enough to send one.

Miraculously, 2 apartments and 1 house move later, I still have it, and asked to have it framed this year for Christmas. Marty Braun did a great framing job. I recently had my home office renovated, and it will make a fine addition.

'4.2 > V' refers to the fact that Unix purists believe that BSD is the one true Unix, and is superior to System V Unix, hence '4.2 > V'. Mt. Xinu (which is 'Unix TM' backwards) ran the 4.2 BSD kernel.

I also had a copy of a '4.4 > V' poster (by BSDi, if I remember correctly), but it has gone missing. If anyone has one, please let me know. I'd be happy to make an offer and add it to my collection.

Friday, December 12, 2008


I'm at SANS CDI 2008, and just completed day 2 of the GIAC Security Expert (GSE) hands-on labs. I just got the good news that I passed!!

The prerequisites for attempting the GSE are the GSEC, GCIA, and GCIH certifications with 2 of 3 gold.

Then it requires a 4-hour multiple choice exam, followed by 2 days of hands-on exercises.

The 16 hours of hands-on exercises were tough, but very fair. It's great to be done.

I'll share more thoughts after I return from CDI.

Thursday, December 04, 2008

SANS Certified Instructor

I just got the good word from Stephen Northcutt that I've been promoted to SANS Certified instructor. Just in time for SANS CDI, where I am content chair, and also attempting the GIAC Security Expert (GSE) labs.

Sunday, November 02, 2008

Security Visualization paper

I'm working on the paper I will deliver at SANS CDI, Visualization of Network Attacks.

I decided to visualize the classic Mitnick vs. Shimomura attack using DAVIX, Afterglow, and Graphviz's twopi. I generated connection data in CSV format based on Shimomura's excellent post mortem, which he posted to Usenet.

This image shows the connection between the source, destination, and TCP sequence number used in the attack. SYN packets are blue, the sole ACK (the forged connection from server to xterminal) is green.
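As an added illustration (not the author's DAVIX/Afterglow pipeline), the following Python turns connection records in the CSV layout described above (source, destination, TCP sequence number, flag) into a Graphviz file for twopi, coloring SYN edges blue and ACK edges green. The hostnames and sequence numbers are constructed and are not taken from Shimomura's post mortem.

```python
import csv
import io

# Constructed sample connection records (not from Shimomura's post mortem):
# source host, destination host, TCP sequence number, and the TCP flag seen.
SAMPLE_CSV = """src,dst,seq,flags
attacker,server,1000,SYN
attacker,server,1001,SYN
attacker,x-terminal,2000,SYN
server,x-terminal,3000,ACK
"""

# Color scheme used in the post: SYN packets blue, the ACK green.
FLAG_COLORS = {"SYN": "blue", "ACK": "green"}


def parse_connections(text):
    """Parse CSV text into a list of (src, dst, seq, flags) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((row["src"], row["dst"], int(row["seq"]), row["flags"].upper()))
    return rows


def to_dot(rows):
    """Render connection records as a Graphviz digraph laid out with twopi.

    Each record becomes one edge src -> dst, labeled with its sequence
    number and colored by flag (SYN blue, ACK green, anything else gray),
    so a forged ACK with no legitimate handshake stands out visually.
    """
    lines = ["digraph attack {", "  layout=twopi;", "  node [shape=box];"]
    for src, dst, seq, flags in rows:
        color = FLAG_COLORS.get(flags, "gray")
        lines.append(f'  "{src}" -> "{dst}" [label="{seq}", color={color}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(parse_connections(SAMPLE_CSV)))
```

Pipe the output to `twopi -Tpng -o attack.png` to render the graph.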

Thursday, October 23, 2008

Out-of-cycle patch from Microsoft

Microsoft released MS08-067 as an emergency patch today. The Internet Storm Center has more information.

The big question I always ask with any MS patch is: is it 'wormable'? Could a self-propagating worm be written to exploit this vulnerability, and automatically infect remote systems? We haven't had a widespread one in a few years (going back to the Blaster and Sasser outbreaks).

Based on the patch that MS08-067 replaces, MS06-040, my thinking is 'probably wormable'. A variant of the Mocbot bot/worm exploited MS06-040.

My advice: patch now.

Monday, October 20, 2008


Just a quick note to say I'll be delivering a talk at SANS CDI this December, titled Visualization of Network Attacks.

Sunday, October 05, 2008

CISSP in Pittsburgh

I just got back from teaching MGT 414 in Pittsburgh, PA. I taught on short notice, and didn't book my plane, etc., until 2 days before my flight.

I had never been to Pittsburgh before, so it was nice to check out the city. Steeler mania is certainly in full swing. I was also lectured on the wisdom of the Jason Bay trade by a cabbie (who took offense when I mentioned I 'missed' Manny). Both have been clutch in the postseason thus far, so I can't argue.

The nice thing about the Community SANS courses is the smaller classes allow a lot of networking between students.

I had a great time with the students; one student happened to live across the street from the hotel, and threw a dinner party for the class on Friday night. I can honestly say that a home-cooked meal is worth its weight in gold while on the road. Thanks, Nicole!

Sunday, August 17, 2008

Security 560 in Minneapolis

I just arrived in Minneapolis, and will be teaching SANS Security 560, Network Penetration Testing and Ethical Hacking, this week.

Tuesday, July 08, 2008

Going Independent

I recently left my full-time employer, and became an independent information security consultant.

Juggling my SANS teaching duties as a full-time employee had become very challenging, and I was faced with turning down teaching opportunities. Not something I was interested in doing, especially now that I've been given the opportunity to teach Ed Skoudis' excellent new Network Penetration Testing and Ethical Hacking course in Minneapolis.

Saturday, April 26, 2008

SANS Security West 2008

I'll be attending SANS Security West 2008 beginning May 11th, teaching MGT 414, SANS® +S™ Training Program for the CISSP® Certification Exam.

Friday, March 28, 2008

Lost Laptops Might Sink Ships

As part of my SANS Technology Institute MSISE degree program I gimp-ed a public domain World War II poster (with the famous catchphrase 'Loose Lips Might Sink Ships') to create an old-school laptop encryption security awareness poster titled 'Lost Laptops Might Sink Ships.'

I enjoyed creating this one, and plan to create a series of four security awareness posters.

Saturday, March 22, 2008

The next SANS CISSP® @Home begins in August

Time flies! I just completed the most recent SANS MGT 414, CISSP® @Home class last Wednesday. I had a blast.

The next @Home class was just announced, beginning August 18th. Same as last time: 14 classes, running Mondays and Wednesdays from 7-10 PM Eastern time.

Wednesday, February 06, 2008

Interview with Dr. Anton Chuvakin

Stephen Northcutt has an interesting interview with Dr. Anton Chuvakin regarding system logs, the bane of many a system admin's existence.