Tuesday, April 28, 2009

One shoot remote root for Linux?

While I am the first, I am sure soon I will just be one among thousands blogging this.

Sometimes news finds us in mysterious yet obvious ways.

HD Moore set a status which I noticed on my twitter:

@hdmoore reading through sctp_houdini.c - one-shot remote linux kernel root - http://kernelbof.blogspot.com/

I asked him about it on IM, wondering if it is real:
"looks like that
but requires a sctp app to be running"

Naturally, I retweeted.

I left a comment on the guy's blog:
It's always nice to have good and talented people show us how we forget the obvious, continually. This somehow brings memories of Ciscogate to mind, but just by similarity of the original DoS vulnerability story.

Thanks for your work and for keeping full disclosure alive and well (where responsible). Everyone should be patched by now, unless they don't believe DoS vulns to be "important enough".
Signed,

@gadievron

Sunday, April 26, 2009

Debugging for Medical Doctors

Today I wrote a blog post named: Debugging for Medical Doctors. In retrospect, I think it shows the difference between handling technology and handling humans, performing the same action.

Debugging for Medical Doctors
http://gevron.livejournal.com/18191.html
What's debugging you ask? When you know there is a bug in your program, you find it by the process of debugging. How do medical doctors do it? And how they may be doing it wrong.
I hope you find it useful.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Monday, April 20, 2009

Proposal: This House Will Legalize Spam

I sent this today to the newly formed debate mailing list. While this is not necessarily my opinion, I am picking a side and running with it.

In other words, the opinions presented in this debate are not necessarily my own. People will either support this proposition, or tear it apart.

Proposal: This House Will Legalize Spam

Spam is a service answering a demand. Making the product legal will inject our suffering economy with much needed currency and allow our government to tax this billions-of-dollars industry.

We have seen this happen with alcohol during Prohibition. Alcohol is no longer illegal, and great benefits resulted from that decision, with a booming world-wide industry and the disappearance of the black market economy.

Spam is a black market economy. Medicine is sold for high prices in the US, so black market spam operations answered the demand and sell drugs from Canada for a lower price. Many of these are fake and result in poor care in the best of scenarios.

Economically, the pharmaceutical industry is suffering and the government is losing potential taxation revenue. More importantly, if spam were regulated, controls could be put in place to protect public health.

We have been waging a "war on spam" for two decades now with no victory in sight. More than that, the email system is under continued threat of no longer being usable.

Similar misuses have been addressed by legalization in the past. This includes post spam and fax spam, which today have clear regulation.

Most of the email traffic on the Internet today is spam, resulting in:
1. Increased operational costs for networks and service providers.

2. Clogged mail boxes, user annoyance and legitimate email being lost, resulting in loss of productivity.

3. A support infrastructure for other criminal activity ranging from phishing to child pornography.

Our respected opposition may claim that legalizing spam will open the door for other sorts of legalization. We believe this claim is a logical fallacy, falsely claiming a slippery slope to muddy the waters.

We believe that taking this route on spam is positive; other directions with other "products" should be considered on their own merits. It is a fact that the end of Prohibition did not result in the legalization of drug usage.

In support of my case I bring before you a case study (below), written by me two years ago for a zdnet blog. I demonstrate how an unrelated legalization caused a large percentage of spam to stop and spam operations to collapse, when the demand ceased.

Gadi Evron,
ge@linuxbox.org.

---

Taking down spammers: Successful spam fighting via legalization, regulation and economics

Original URL:
http://blogs.zdnet.com/security/?p=720

By Gadi Evron

When I was working in the Israeli city of Netanya, a spam operation with roughly 30 employees sat next door to our offices. One day they weren’t there anymore.

They were blog comment spammers, but officially they were doing Search Engine Optimization, or SEO. Instead of optimizing content, they posted illicit comments on many blogs with commercial or misleading messages leading to their clients’ web sites, mainly for the purpose of increasing their clients’ web sites' visibility in search engines such as Google. They would do this using an illegal tool such as a botnet, and make quite a bit of money.

The reason for their disappearance soon became clear: nearly all their clients were gone. A law was passed in the United States which addressed online gambling operations (the “Unlawful Internet Gambling Enforcement Act”, UIGEA). As a result, the public gaming industry ceased accepting online wagers. More than that, UIGEA addressed the processing of payments to and from Internet gambling sites. In a day, most US-based gambling web sites ceased to exist (others moved overseas, although quite a bit of the world’s credit processing is done by US firms). This effectively caused the death of numerous black hat SEO companies–comment spammers. Perhaps the UIGEA measure against the processing of payments proved too difficult to overcome. Not being a lawyer, I can’t say exactly how UIGEA caused this death. No matter, US online gambling operations were effectively destroyed.

Spam decreased. The underlying cause was that the clients weren’t there, due to the inability to process payments because of the online casino law.

....


Friday, April 10, 2009

Debate and general discussion mailing list, with good arguers

Hi all,

Do you want to participate in a debate and general discussion mailing list which will have members who are good and intelligent arguers?

Please contact me if you do.

Gadi Evron,
ge@linuxbox.org.


Thursday, April 09, 2009

Reimage named "Cool Vendor" by Gartner. They are COOL

My friend Zak Dechovich founded a startup named Reimage, and I am very excited because Reimage was just named a "Cool Vendor" by Gartner.

While I was a disbeliever at the very beginning, I saw the light. I am VERY excited about what Reimage does. They are COOL.

The original idea behind the company was to help US, the computer-savvy folk who have to fix our families' computers all the time, by creating easy-to-use software that does it for us.

While it was originally unintentional, the software removes a lot of malware while it is at it, making it a very useful security product to boot.

Reimage's web site:
http://www.reimage.com/

Gadi Evron,
ge@linuxbox.org.


Wednesday, April 08, 2009

Fascinating Omegle Chat Logs

I have been chatting on Omegle all night, and some of the chats are absolutely fascinating. I don't want to flood this blog like I do my fun one. I will summarize here with links.

So far, I spoke with a dirt-road worker from Australia and a 15-year-old sophomore girl tennis player from Maryland (trying to explain, without sounding parent-y, about not sharing private information on the net).

I have been sharing these logs with a group of social scientists in an email thread. This is so intriguing.

The more interesting chat logs:

1. NSFW, very funny log where you see how anonymity lets people let loose.

2. A guy (apparently) coming out of the closet on Omegle.

3. Seeing social responsibility as the basis for good and evil
You may find this one boring, but I found it absolutely fascinating to see how a person views the world in a way I find fscked up.

The person's social identity is what builds her (my guess) view of good and evil. I am thinking 17 years old.

Gadi Evron,
ge@linuxbox.org.


Omegle: An Impressive "Web 2.0" Chat Service

[syndicated from my "not professional" blog: http://gevron.livejournal.com/15256.html]

Are you interesting enough at first impression? Do you introduce yourself well? On Omegle if you don't you're disconnected.

Reading the funsec mailing list discussion about twitter, David Chess referred to a new web site called Omegle. Dave wrote about it here.

Omegle allows you to start real-time chats with random anonymous people who can disconnect you at any time. Fascinating stuff.

My friend Imri Goldberg checked it out and convinced me I should look as well. On funsec he said:

My impressions:
1. Technically, it works really well.
2. What it is: web-based chat with random strangers.
3. Reminds me of my early days on IRC. You meet new people that are guaranteed to be at least somewhat interested in talking.
4. There is full anonymity, in the sense that you don't have a consistent identity that's kept from one conversation to another.*
5. There is no cost to disconnecting, if you don't like the conversation.
6. It's very much like speed-IRC, as in "speed dating" as opposed to regular dating.
7. Since you get a very specific IRC-like experience (meeting new people you'll never meet again anonymously), you can practice like Socrates did on the beach (Imri corrected this to Demosthenes: http://itotd.com/articles/319/demosthenes-stones/). You have only a few minutes and a few sentences to convince someone you're interesting, or they just disconnect, and you both move on.
8. You still have a lot of the IRC-like stuff, as in being asked "a/s/l" and so on. [age/sex/location]
9. I wondered how secure it is, who is logging the conversations/ip addresses involved etc.

All in all, a cute service. Also nice to know it was written by an 18-year-old that's just finishing high school, and as I said, it works well.

Cheers,
Imri.

* I was reminded of a very good discussion of online identities here: http://www.juliandibbell.com/texts/bungle.html. Old, but thought-provoking read. The relevant quote from that text is:
"Inside the MOO, however, such thinking marked a person as one of two basically subcompetent types. The first was the newbie, in which case the confusion was understandable, since there were few MOOers who had not, upon their first visits as anonymous "guest" characters, mistaken the place for a vast playpen in which they might act out their wildest fantasies without fear of censure. Only with time and the acquisition of a fixed character do players tend to make the critical passage from anonymity to pseudonymity, developing the concern for their character's reputation that marks the attainment of virtual adulthood."

My take on it is similar; I was very excited:

Omegle has a simple interface. No complex functionality at all. You can chat, and you can disconnect. You are anonymous unless you choose to tell the other person who you are.

I just finished my first chat there, and it was fun. It seems like a waste to me to be able to chat with people and yet not necessarily keep in touch, but the experience with the types of people you meet makes all the difference.

Unlike Imri, I was not reminded of Demosthenes meeting random people on the beach, but rather of the old classic movie adaptation of the novel Logan's Run, where random people who match you exactly are transported to you so you can have non-committal sexual relations. Only in Omegle's case, not sexual.
This won't turn into a dating service (I'll probably be proven wrong).

The experience felt like a shot in the dark. You find someone random, defying the whole idea of the Internet where interest groups on every subject meet each other and become a marketing force based on that affiliation.

More interesting, this service, as Imri mentioned with the Demosthenes story, raises the subject of how one introduces oneself to be interesting. Also, it allows us to talk to people without any prior knowledge of or prejudice about who they are, which normally affects our social engine--how we treat other people and get treated.

The story of Omegle once again shows us that the cost of developing on computers is small to non-existent. If an 18-year-old guy can create this, anyone can learn how to.

Update:
Chat bot for Omegle:
http://robotstranger.com

Gadi Evron,
ge@linuxbox.org.


Sunday, April 05, 2009

Obama and Afghanistan: "Predict Success and You May Fail. Predict Failure and You Will Fail"

[syndicated from my non-security blog: http://gevron.livejournal.com/]

I read an article this week which made me think. It took a generic phrase for success right out of a business self-help book and covertly showed how it applies to current events, with specific examples from politics and international relations, tying it together at the end to show President Barack Obama where the author believes he went wrong. While the phrase was not specifically mentioned, I was inspired and impressed. I am not sure this was intentional, but nonetheless "ME like".

In this post I will examine both what the article said (the part which inspired me, anyway) and why I usually tend to disrespect others who say the same thing. If you want to read just about Barack Obama, skip to the right section below. Hint: it's the same as the title of this post.

It was in the last Economist (March 26th, 2009). There was a section examining President Obama's progress during his two months in office. I can't find the precise link online at the moment (I will look for it), but these were the two main articles.

"Just Think Positive"
When someone spits out a buzz sentence for instant success as a Tao of living one's life, I get suspicious. Most of the time these would be people who learned to believe in these buzzwords and take them to be The Tao of Life. Copy-cats who went to some workshop for three days and believe they discovered the answer to life's mysteries, religiously. They didn't learn how to think, only how to default to a "safe" programming routine which shows them what they should do, and where they went wrong.

No matter the circumstance (particular incidents or events which may be special cases) and never mind perspective (truth changes depending on point of view), it's all The Truth. Replacing one religion with another.

Useful, and pathetic. Yes, at the same time.

"Always Look Forward. Never Look Back"
You know the type. This is not to diss on all "workshops" or self-help courses and books, only on the Fad of The Month ones, and the people who get reprogrammed there.

I first encountered the phrase "Fad of The Month" when I purchased The Thin Book of Appreciative Inquiry (very thin at 63 pages; the packaging cost me more than the book, and of course Amazon put it in a new box before mailing).

In it the author mentioned that when the developer of this organizational development and change method (I believe David Cooperrider of Case Western Reserve University) was asked why he didn't write any popular article or book on the subject, he replied he didn't want it to become yet another Fad of The Month (my addition: think most self-help books and workshops).

Always Keep Trying
Question these folks who believe this is their truth and they will retort with the same buzzwords, in a circular logic. They may also blame you for being unenlightened (or an a-hole).

Try and accept their premise to be able to hold a discussion, trying to show them how always thinking positive is OKAY, but doesn't apply to this specific case, and you get more of the same. Logic escapes them. Strike that, thinking escapes them.

"Predict Success and You May Fail. Predict Failure and You Will Fail"
Barack Obama is starting to waver on Afghanistan. He was reported as saying that the war may not be winnable. Throughout his campaign he mentioned how Afghanistan was a Just War (Casus Belli) and a Must War, as that's where the enemy is. To illustrate why this is important: Iraq he treats as a war of choice.
Disclaimer: All of the above is my understanding of what he said, in my own words.

It is true that NATO and the United States are not winning in Afghanistan. It is also true the strategy employed there does not seem to be working, and that while said strategy is currently under review, [apparently] no one has any idea how to win it.

While the above can be acknowledged, saying it is not winnable is far from advisable:
1. If you don't want to get out, don't show signs of weakness to an enemy that watches for them with the strategy of "outlive the West's (or the Americans') will to fight."
2. If you want to get out, don't tip your hand.

Further, as President Obama is currently looking for support to conduct the war in Afghanistan from his own party, in both houses (especially Congress?) and in Europe, displaying such a poor outward appearance is appalling.

Beyond not showing leadership, it shows those you want to commit to your cause, with soldiers who may die fighting for it, that you don't really believe in it, or that they may get stranded without you.

Appearances aside, what's missing is called Resolve, and it is called Leadership.

Showing this example of diplomacy and international relations and tying it to the quoted phrase "Predict Success and You May Fail. Predict Failure and You Will Fail" makes it one of the most inspiring articles I have read this year. I wish the Economist mentioned author names so I could email my thanks.

Any entrepreneur and business major, MBA and CEO, should read the articles in this section.

Gadi Evron,
ge@linuxbox.org.


Wednesday, April 01, 2009

GhostNet and computer spying on Tibet. It's just Spear Phishing.

Gary Warner covers the recent GhostNet story, in which the New York Times reported on academic research uncovering a computer spy network that used Trojan horses to spy on Tibet and the Dalai Lama, with fingers pointed at China.

While it is interesting as a case study and the researchers did good work... it's not new. It's really just old news called spear phishing, using a "technology" called a RAT (remote access trojan).

You can read more about what Gary has to say here:
http://garwarner.blogspot.com/2009/03/ghostnet-or-gh0st-rat-cyber-persecution.html

Gadi Evron,
ge@linuxbox.org.
