Active measures, like those employed by Nmap, are unfortunately not available when doing passive analysis of live traffic or when analyzing previously captured network traffic. Passive analysis requires much more subtle variations in the network traffic to be observed, in order to identify a computer’s OS. A simple but effective passive method is to inspect the initial Time To Live (TTL) in the IP header and the TCP window size (the size of the receive window) of the first packet in a TCP session, i.e. the SYN or SYN+ACK packet.
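The passive method described in the excerpt above, as an added Python example (not code from the original article): parse the IPv4 and TCP headers of a raw SYN or SYN+ACK, round the observed TTL up to the nearest common starting value to recover the initial TTL and hop count, and look up the (initial TTL, window size) pair. The signature table holds well-known defaults in the spirit of p0f but is an illustrative assumption, as is the constructed packet built by `build_syn`.

```python
import struct
from typing import NamedTuple, Optional

# Common starting TTLs. Unix-like systems mostly start at 64, Windows at 128,
# many network appliances at 255; 32 covers some very old stacks.
INITIAL_TTLS = (32, 64, 128, 255)

# Illustrative (initial TTL, SYN window size) -> OS table. These are well-known
# defaults, but treat them as assumptions for this demo: vendors change window
# sizes between versions and administrators tune them.
SIGNATURES = {
    (64, 5840): "Linux 2.4/2.6",
    (64, 14600): "Linux 3.x",
    (64, 29200): "Linux 4.x",
    (64, 65535): "FreeBSD / Mac OS X",
    (128, 65535): "Windows XP",
    (128, 8192): "Windows 7 / Server 2008",
    (255, 4128): "Cisco IOS",
}

TCP_SYN = 0x02


class Fingerprint(NamedTuple):
    initial_ttl: int  # TTL the sender most likely started with
    hops: int         # routers crossed: initial_ttl minus observed TTL
    window: int       # receive window advertised in the SYN / SYN+ACK
    os_guess: str     # table lookup, or "unknown"


def guess_initial_ttl(observed_ttl: int) -> int:
    """Round the TTL seen on the wire up to the next common starting value.

    Every router decrements TTL by one, so a SYN arriving with TTL 52 almost
    certainly left a 64-TTL host twelve hops away. The guess is wrong only
    when a path is longer than the gap between two starting values.
    """
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return 255


def fingerprint_syn(packet: bytes) -> Optional[Fingerprint]:
    """Fingerprint a raw IPv4/TCP packet if it is a SYN or SYN+ACK.

    Only the first segment of a session is used, as the text says: later
    segments may scale or shrink the window and no longer reflect the OS
    default. Returns None for non-IPv4, non-TCP, truncated or non-SYN input.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                # IPv4 header length incl. options
    if ihl < 20 or len(packet) < ihl + 20:
        return None
    ttl, protocol = packet[8], packet[9]
    if protocol != 6:                           # 6 = TCP
        return None
    # TCP header: ports, seq, ack, data-offset/flags, window (first 16 bytes)
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack(
        "!HHIIHH", packet[ihl:ihl + 16])
    if not off_flags & TCP_SYN:
        return None
    initial = guess_initial_ttl(ttl)
    return Fingerprint(initial, initial - ttl, window,
                       SIGNATURES.get((initial, window), "unknown"))


def build_syn(ttl: int, window: int, flags: int = TCP_SYN) -> bytes:
    """Constructed IPv4+TCP segment for offline testing (checksums left zero)."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000,
                            ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_header = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0,
                             (5 << 12) | flags, window, 0, 0)
    return ip_header + tcp_header


if __name__ == "__main__":
    # A constructed SYN seen twelve hops from a Linux 2.6 box, and a SYN+ACK
    # from a FreeBSD server four hops away.
    print(fingerprint_syn(build_syn(52, 5840)))
    print(fingerprint_syn(build_syn(60, 65535, flags=0x12)))
```

The hop count that falls out of the TTL rounding is a useful sanity check on its own: a host that claims to be on the local subnet but shows ten hops of TTL decrement is worth a second look.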
Tag Archives: tech blog
The Eternal Mainframe
The Internet and web applications have been enablers for these server farms, for these mainracks, if you will. People use these web apps on smartphones, on notebooks, on tablets, and on the fading desktop. The client paints pixels while the server farm — the mainrack — does the backend work. More than a dozen iterations of Moore’s Law later, and the Wheel of Reincarnation has returned us to terminals connected to Big Iron.
And there’s the rub. The movement to replace the mainframe has re-invented not only the mainframe, but also the reason why people wanted to get rid of mainframes in the first place.
The City of Chicago is on Github
This means that projects like OpenStreetMaps will be able to add over 2GBs of Chicago data to their site. This also means that companies and Chicago startups who would like to leverage this data are able to as part of daily business.
via The City of Chicago is on Github – The Changelog.
I downloaded the crime data dataset that supposedly includes all reported crimes from 2001. The CSV file was 1G in plain text. They could have compressed it but it doesn’t matter. It contained over 4 million records. Now I have to figure out how to slice and dice this dataset, and for what purpose I don’t quite know yet.
Untethered iOS 6.1 evasi0n jailbreak arrives for iPhone, iPad, and iPod touch devices
An untethered jailbreak means users can install it on their device once and for all. They don’t have to worry about a dead battery or restart requiring them to hook up to a computer and jailbreak the device again.
via Untethered iOS 6.1 evasi0n jailbreak arrives for iPhone, iPad, and iPod touch devices – The Next Web.
If you ever need to do this, this article would be a good place to start your journey.
DVR Insecurity
tl;dr; A whole slew of security dvr devices are vulnerable to an unauthenticated login disclosure and unauthenticated command injection.
via consolecowboys: Swann Song – DVR Insecurity.
Interesting read. Obviously, a device like a DVR should be placed inside a NAT and possibly have its traffic monitored at the firewall. Then if port 9000 is open for telnet, you just have to worry about an attack from someone with access to the LAN — not the entire Internet.
NTLM Challenge Response is 100% Broken (Yes, this is still relevant)
According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses! While these lists leave out server OSs, 2003 Server still sends NTLM responses by default. Yes, every MS OS since NT 4.0 SP4 has supported NTLMv2, but NTLM and LM were not excluded by default until Vista.
via Mark Gamache’s Random Blog: NTLM Challenge Response is 100% Broken (Yes, this is still relevant).
Well, here it is: I’VE BROKEN NTLM.
From the wiki definition of NTLM:
Microsoft no longer recommends NTLM in applications:[6]
“Implementers should be aware that NTLM does not support any recent cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy check (CRC) or message digest algorithms (RFC1321) for integrity, and it uses RC4 for encryption. Deriving a key from a password is as specified in RFC1320 and FIPS46-2. Therefore, applications are generally advised not to use NTLM.”
While Kerberos has replaced NTLM as the default authentication protocol in an Active Directory (AD) based single sign-on scheme, NTLM is still widely used in situations where a domain controller is not available or is unreachable. For example, NTLM would be used if a client is not Kerberos capable, the server is not joined to a domain, or the user is remotely authenticating over the web.[1][3]
Mass-blocking IP addresses with ipset
It has been shown that the hash approach as implemented by ipset clearly beats traditional mass-rule blocking. It extends netfilter in a very useful way by decreasing the average response time. On average over all samples made, IP sets are over 11 times faster. To conclude, let me show you another plot; this time I compared the ipset and iptables approaches within the same graph. The yellow bar shows ipset delays, the red bar does so for iptables.
via Mass-blocking IP addresses with ipset » daemonkeeper’s purgatory.
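How the two approaches the post benchmarks look in practice, as an added Python example (not code from daemonkeeper's post): one function emits the per-address chain that iptables has to walk linearly, the other builds an `ipset restore` input that creates a `hash:net` set and loads every entry in one pass, after which a single `--match-set` rule replaces the whole chain. The set name, hash sizes and the sample list are assumptions for the demo; `apply_blocklist` needs root and the real binaries and is not run here.

```python
import ipaddress
import subprocess
from typing import Iterable, List, Tuple

SET_NAME = "blocklist"   # assumed set name for the demo


def clean_entries(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split raw list lines into ipset-ready IPv4 entries and rejects.

    Comments and blank lines are dropped; hosts are emitted bare, networks
    in CIDR form with host bits cleared (hash:net stores the network, so
    198.51.100.77/24 means 198.51.100.0/24). IPv6 is rejected because the
    set below is "family inet"; an inet6 set would need a second list.
    """
    good, bad = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(raw)
            continue
        if net.version != 4:
            bad.append(raw)
            continue
        good.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return good, bad


def naive_rules(entries: List[str]) -> List[str]:
    """The approach the post benchmarks against: one rule per entry, so every
    packet walks a chain that grows linearly with the list."""
    return [f"iptables -A INPUT -s {e} -j DROP" for e in entries]


def ipset_restore_script(entries: List[str], set_name: str = SET_NAME) -> str:
    """Input for `ipset restore`: create the set, then one add per entry,
    loaded in a single pass instead of one ipset process per address."""
    lines = [f"create {set_name} hash:net family inet hashsize 4096 maxelem 65536"]
    lines += [f"add {set_name} {e}" for e in entries]
    return "\n".join(lines) + "\n"


def firewall_rule(set_name: str = SET_NAME) -> str:
    """The one netfilter rule that replaces the whole naive chain."""
    return f"iptables -I INPUT -m set --match-set {set_name} src -j DROP"


def apply_blocklist(entries: List[str], set_name: str = SET_NAME) -> None:
    """Load and hook up the set. Needs root plus the ipset and iptables
    binaries; -exist makes re-runs idempotent."""
    subprocess.run(["ipset", "-exist", "restore"], check=True, text=True,
                   input=ipset_restore_script(entries, set_name))
    subprocess.run(firewall_rule(set_name).split(), check=True)


# Constructed sample list: a comment, a typo, a CIDR with host bits set, an IPv6 entry.
SAMPLE_LIST = """
# constructed blocklist
203.0.113.10
203.0.113.11   # inline comment
198.51.100.77/24
192.0.2.7
not-an-address
2001:db8::/32
""".splitlines()

if __name__ == "__main__":
    good, bad = clean_entries(SAMPLE_LIST)
    print(ipset_restore_script(good))
    print(firewall_rule())
    print(f"{len(naive_rules(good))} naive rules replaced by 1; rejected: {bad}")
```

Because the lookup cost of a hash set does not depend on its size, the restore-and-match-set pattern is also what makes it practical to swap a blocklist of tens of thousands of entries atomically (`ipset swap`) rather than flushing and rebuilding a chain while traffic flows.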
Syrian Internet Is Off The Air
Starting at 10:26 UTC (12:26pm in Damascus), Syria’s international Internet connectivity shut down. In the global routing table, all 84 of Syria’s IP address blocks have become unreachable, effectively removing the country from the Internet.
via Syrian Internet Is Off The Air – Renesys Blog.
These five offshore survivors include the webservers that were implicated in the delivery of malware targeting Syrian activists in May of this year.
GNOME (et al): Rotting In Threes
I have never gotten into the KDE vs GNOME debates, so this is not GNOME bashing, nor, as you’ll soon see, are these systemic development problems limited to GNOME. Yet what I’m hearing is that with GNOME v3 the goal is to promote their “brand” and make it dominant, in part by greatly limiting what users can change on their own systems, and partly by breaking or simply removing whatever support they’re no longer promoting as ‘The Way’. The reach of this selfish and narrow-sighted development goes beyond GNOME and affects GTK apps in general.
via GNOME (et al): Rotting In Threes « IgnorantGuru’s Blog.
What follows is a sampling of quotes from various places and assorted devs which paint a picture of a growing culture of anti-user, conformist philosophies. There’s a bit of text to review here, but I think it’s worth it to hear what GNOME devs have to say about their intentions and goals, in their own words, and what others are saying about that!
Why Google Went Offline Today and a Bit about How the Internet Works
Unfortunately, if a network starts to send out an announcement of a particular IP address or network behind it, when in fact it is not, if that network is trusted by its upstreams and peers then packets can end up misrouted. That is what was happening here.
I looked at the BGP Routes for a Google IP Address. The route traversed Moratel (23947), an Indonesian ISP. Given that I’m looking at the routing from California and Google is operating Data Centres not far from our office, packets should never be routed via Indonesia. The most likely cause was that Moratel was announcing a network that wasn’t actually behind them.
via Why Google Went Offline Today and a Bit about How the Internet Works – CloudFlare blog.
When I figured out the problem, I contacted a colleague at Moratel to let him know what was going on. He was able to fix the problem at around 2:50 UTC / 6:50pm PST. Around 3 minutes later, routing returned to normal and Google’s services came back online.
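The two BGP events quoted above (Syria's blocks disappearing from the global table, and a Google prefix reaching California through Moratel) are both detectable from a collector's view of prefixes and AS paths. This added Python example, not code from Renesys or CloudFlare, checks an observed snapshot against a known-good table: an exact prefix with a foreign origin is an origin hijack, the right origin reached through a neighbour that is not one of its upstreams is the leak pattern CloudFlare describes, a more-specific of a monitored prefix is flagged regardless of origin, and monitored prefixes with no announcement at all are reported as withdrawn. The prefixes are RFC 5737 documentation ranges and the ASNs RFC 5398 documentation ASNs; the policy table and the snapshot are constructed.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Sequence, Set, Tuple

# Constructed policy for the demo. In real use this comes from your own
# registrations plus IRR/RPKI data, not from a dict in a script.
EXPECTED_ORIGIN: Dict[str, int] = {
    "203.0.113.0/24": 64496,
    "198.51.100.0/22": 64496,
    "192.0.2.0/24": 64496,
}
# ASNs that may legitimately sit directly in front of our origin in a path:
# our real upstreams and peers.
EXPECTED_NEIGHBOURS: Dict[int, Set[int]] = {64496: {64497, 64498}}

Route = Tuple[str, Sequence[int]]   # (prefix, AS_PATH as seen by a collector)


class Alert(NamedTuple):
    prefix: str
    kind: str
    as_path: Tuple[int, ...]


def origin_and_neighbour(as_path: Sequence[int]) -> Tuple[int, Optional[int]]:
    """Origin is the right-most ASN; the neighbour is the nearest different
    ASN to its left, so AS-path prepending (... 64497 64496 64496 64496) is
    not mistaken for a new neighbour."""
    origin = as_path[-1]
    for asn in reversed(as_path[:-1]):
        if asn != origin:
            return origin, asn
    return origin, None


def check_routes(observed: Sequence[Route],
                 expected_origin: Dict[str, int] = EXPECTED_ORIGIN,
                 expected_neighbours: Dict[int, Set[int]] = EXPECTED_NEIGHBOURS) -> List[Alert]:
    monitored = {ipaddress.ip_network(p): asn for p, asn in expected_origin.items()}
    alerts: List[Alert] = []
    for prefix_str, as_path in observed:
        prefix = ipaddress.ip_network(prefix_str)
        origin, neighbour = origin_and_neighbour(as_path)
        for mon_prefix, good_origin in monitored.items():
            if prefix == mon_prefix:
                if origin != good_origin:
                    # Someone else claims to originate our exact prefix.
                    alerts.append(Alert(prefix_str, "origin hijack", tuple(as_path)))
                elif neighbour is not None and neighbour not in expected_neighbours.get(origin, set()):
                    # Right origin, but the route reaches the collector through a
                    # network that is not our upstream: the Moratel pattern.
                    alerts.append(Alert(prefix_str, "leak via unexpected neighbour", tuple(as_path)))
            elif prefix.version == mon_prefix.version and prefix.subnet_of(mon_prefix):
                # Longest-prefix match means a more-specific wins everywhere,
                # whoever originates it, so it must be reviewed either way.
                alerts.append(Alert(prefix_str, "more-specific announcement", tuple(as_path)))
    return alerts


def missing_prefixes(observed: Sequence[Route],
                     expected_origin: Dict[str, int] = EXPECTED_ORIGIN) -> List[str]:
    """Monitored prefixes with no announcement at all: what the Syrian
    withdrawal looked like, for every block of a country at once."""
    seen = {prefix for prefix, _ in observed}
    return [p for p in expected_origin if p not in seen]


# Constructed collector snapshot; 64510 is the collector's own vantage point.
OBSERVED: List[Route] = [
    ("203.0.113.0/24", [64510, 64497, 64496]),          # normal
    ("203.0.113.0/24", [64510, 64499, 64496]),          # leaked through 64499
    ("198.51.100.0/22", [64510, 64498, 64496, 64496]),  # prepended, normal
    ("198.51.100.0/24", [64510, 64499]),                # more-specific, foreign origin
    ("203.0.113.0/24", [64510, 64499]),                 # exact prefix, foreign origin
    ("198.18.0.0/15", [64510, 64499]),                  # not ours, ignored
]

if __name__ == "__main__":
    for alert in check_routes(OBSERVED):
        print(alert)
    print("withdrawn:", missing_prefixes(OBSERVED))
```

A single vantage point sees only the paths that reached it, so this kind of check is normally run against several collectors; the Moratel leak was visible from California precisely because that was where the misrouted packets were being sent.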