fun with cat

| No Comments | No TrackBacks
No, not the feline kind.

I was reading a good book the other day ( Hacking: The Art of Exploitation) when I ran into something that I hadn't thought about before:

cat foo - | program

Such a simple little thing, and immediately I want "Oh!  How come I didn't make that connection before?"  It makes perfect sense, first it shoves the contents of foo to program and then hands control back to the user.  How utterly useful at times.

It got me to thinking, could I get away with:

cat - - foo | program

And sure enough, that works too!  Utility, I think there might be a use or two, but so far the ones I've come up with are sort of contrived.

And finally, an alternate method:

perl -e 'stuff(); while(<>) { print;} ; other_stuff()' | program

Also works quite sufficiently (not that it would be any surprise.

Now why hadn't I thought of this before?  I'm not sure, but now I have and it's added to my toolkit.

Chat spam fail

| No Comments | 1 TrackBack
I tend to leave my chats signed in, just throw up a 'not here now' sort of message. Or just walk away from the computer and forget about them. Sometimes, this leads to amusing things. Recently, I've been getting hit with tons of one-line spammers telling me to chat particular yahoo accounts. Yeah, sure, that's going to happen. This morning though, I got this amusing tidbit:

(04:38:36 AM) honneybunss22: hihi! you're from chat right?
(04:41:40 AM) honneybunss22: cool, sorry i type a little slow. 18f in college here, what are you up to?
(04:47:38 AM) honneybunss22: u wanna se more? i'm feeling kinda wild right now
(04:50:37 AM) honneybunss22: i'm gonna send you a cam invite here k?
(04:53:34 AM) honneybunss22: ok sent, did you get it?
(04:56:32 AM) honneybunss22: hmm.. let me try again, hang on
(04:59:35 AM) honneybunss22: what about now?
(05:02:39 AM) honneybunss22: ugh, this is stupid, this always happens to me when i use yahoo
(05:11:42 AM) honneybunss22: k, you just need a CC or debit to verify ur over 18, even an expired one works. we can't have little ones seeing what im about to do lol
(05:14:35 AM) honneybunss22: let me know when u make ur username, so i can link u to my cam profile
(05:20:34 AM) honneybunss22: ok you're good to go
No, I didn't redact or change anything. Let me count the fails: 1) It's acting as if I sent it messages in response... no messages were sent. 2) It takes it almost an hour to go through the whole sequence (I wonder if it would have gone quicker if a cat had walked on the keyboard) 3) They don't ever tell me where the site is, just that I should go there. 4) Granted, I suppose court cases have decided that providing a CC is proof of age? But I'm sure that if little Johnny wanted to be a brat, he could snag a CC from a wallet or purse, especially at 5am in the morning. 5) Grammar, I know mine is sometimes a little off, but at least a bot could be kind enough to use complete words instead of sms-speak. I know, boring, but it amused me this morning as I was vaguely waking up.


| No Comments | No TrackBacks

RSA, as many of you may have heard in other blogs was a silly rehash of vague promises of 'securing your enterprise' and 'vertical security' without anyone actually being willing to put on their material what their products did and didn't do. I don't like it when I look at a booth and I see nothing that indicates what technology or technologies are being sold. If you're a VPN product, tell me you're a VPN product, don't advertise as "securing your remote users". It's way too vague, and on top of that, it's probably not true.

Tomorrow I depart for Blackhat and defcon. I expect to see no fluff, no vague promises of security as a service, or other over-generalized hogwash as an attempt to lure me in and waste my time on a product space that either I've already bought, already discarded, or have been told I have no budget to purchase. I do expect some vendors, providing parties (yay!) and useful information about their products. I expect some excellent talks (anyone that hasn't heard that Dan Kaminsky will be talking about the DNS flaws at blackhat has been living under a rock for too long) on a wide range of topics, some of which will not be of interest and some of which will undoubtedly be way over my head (but I like the feeling of drowning in information technology overload).

For the first time, one of my co-workers will be in attendance, and my boss. Oh joy.

My plan is to post some highlights of things that especially catch my attention. Hopefully you'll find them as interesting as I do or did when I see them. (What is the correct tense when talking about things in the future that will be in the past when you will be talking about them?)

Robust Programming

| No Comments | 1 TrackBack

I was perusing some job descriptions recently, and ran across the interesting phrase "robust programming".

The manner in which it was in the job description seemed to indicate that it was likely more than my immediate thought on the topic. Robust meaning that it has a quality of being sturdy and able to withstand change, I took this to mean that it was a form of fail-safe programming. That it was the concepts that you program to gracefully and properly handle errors, and try to write programs in a fashion that they were difficult to break. Being curious, I went out into that great big research resource (aka The Internet) and did a couple searches to see if I could find more information.

Of course, I did.

First stop, wikipedia:

In computing terms, robustness is the resilience of the system under stress or when confronted with invalid input. It is the ability of the software system to maintain function even with the changes in internal structure or external environment. For example, an operating system is considered robust if it operates correctly when it is starved of memory or disk storage space, or when confronted with an application that has bugs or is behaving in an "illegal" manner, such as trying to access memory or storage belonging to other tasks in a multitasking system.

Ages ago, when I was learning object oriented programming for the first time, I recall learning about Parnas' Principle which states:

  • The developer of a software component must provide the intended user with all the information needed to make effective use of the services provided by the component, and should provide no other information.
  • The developer of a software component must be provided with all the information necessary to carry out the given responsibilities assigned to the component, and should be provided with no other information.
  • So, both sides of an object, a function, a method, a procedure, a program, etc. should give the other side all the information they need to take the expected action, and only the information needed. This fits in very well with security models, only tell them what they need to know to do what they are supposed to do, and only accept the information that is necessary for the action but only the information needed for the action.

    In my searching, I ran into what seems like a very thorough covering of the topic of robust programming by Matt Bishop at UCDavis

    It's interesting reading, and makes you realize how fragile the typical programming really is. One thing that I hadn't thought about previously, when you get a data structure as part of an interface to a library, how much can you mangle the structure by filling it with inappropriate values and get 'unexpected results' which can be used to your advantage.

    Hopefully, with more use of test-driven developement, pair programming, robust programming, and people focusing on writing bomb-proof code, we will see fewer security issues in software.

    Honestly, I'm not holding my breath because everyone seems to think that their code is either invulnerable, or not important enough for someone to care about how secure it is.

    Orzo Pasta Salad

    | No Comments | No TrackBacks

    I recently had a party for a bunch of friends, and while I like pasta salads they have in the past gone largely untouched. This makes me sad, so I decided to throw together a different kind of pasta salad, thinking that possibly that was the problem. (Not everyone likes the typical mayonnaise-coated pasta salads, though I admit to being similarly picky.)

    i decided on something vaguely mediterranean themed, but without the olives (because I can't stand them). The ingredient list I came up with was:

    • Orzo
    • Olive Oil (Good quality extra virgin)
    • Garlic, minced
    • Basil, chiffonade
    • Salt and Pepper, ground
    • Artichoke hearts, sliced
    • Feta, sliced (a good feta, please)
    • Prosciutto, sliced into thin strips
    • Lightly Roasted Pine Nuts
    • Optional: Olives, also sliced.

    Chop the garllic and basil and dump into a bunch of olive oil and let sit as you cook the orzo per the directions. You can work on prepping the artichokes, the feta, the prosciutto, and shudder the olives while the orzo is cooking. (Honestly, I also did the olive oil, garlic, and basil while the pasta was cooking as well.) Pour the hopefully seasoned olive oil, with all the seasonings over the orzo and stir. Use a big bowl with lots of room, think of it as similar to making sushi rice where you want to get it nice and fluffy. Add more olive oil and basil chiffonade as appears reasonable. Dump in the artichoke hearts and stir through. Salt and pepper some, remember that there the feta and prosciutto are going to add to the flavors. Once the orzo has cooled sufficiently (this may be aided with a refrigerator) add the feta and the prosciutto, again stir through. Do a final taste and season with salt and pepper, and if anything else in the spice rack looks like it should be added feel free to improve(-ize). Chill for a couple hours and serve.

    Mounting at an offset

    | No Comments | No TrackBacks

    A couple days ago my officemate had a computer blow up. The typical "oh I smell the ozone" sort of power supply death syndrome. No big deal, he's a good computer guy, yank the hard drives out, throw them into external enclosures, and bring them up on another machine to grab the desired data.

    Unfortunately, the disk with the work data on it decided that it didn't like this tactic at all, and said no to mounting. He worked at it a little bit, and then handed it to me.

    Now I'm sure all of you have been handed a reasonably big disk to deal with forensically, you copy the disk so you can work on a copy of the copy and have a copy to copy to start work on again when you totally bork the situation and want to start over from scratch (which is why you copy from the original to start off with, and why did you copy the copy? Cause an external Firewire or USB 2.0 isn't going to be as fast as an internal disk-to-disk copy of that same 200+GB.)

    Hit it up with the usual tools, mmls1 to show me what the partition table looked like in the file, then fdisk to go in and look at it again:

    fdisk image.dd

    The number of cylinders for this disk is set to 378602.
    There is nothing wrong with that, but this is larger than 1024,
    and could in certain setups cause problems with:
    1) software that runs at boot time (e.g., old versions of LILO)
    2) booting and partitioning software from other OSs
    (e.g., DOS FDISK, OS/2 FDISK)

    Command (m for help): p

    Disk /dev/sdd: 250.0 GB, 250059350016 bytes
    86 heads, 15 sectors/track, 378602 cylinders
    Units = cylinders of 1290 * 512 = 660480 bytes

    Device Boot Start End Blocks Id System
    /dev/sdd1 * 1 208090 134217727+ 4 FAT16 <32M

    After changing the partition type to 0x07 (NTFS), it was time to rip that partition out again, and mount it up. Start 'dcfldd if=image.dd of=image.c.img bs=512 skip=1 status=on'2 (this time it's not a forensics case I'm just trying to get some files for a friend so who cares about MD5 hashes). Sit back and wait, and wait, and wait.

    I admit it, I'm not patient a lot of the time. When I start something like this I want it done, I don't want to have to wait, so I tend to keep fiddling with something while the long process is running. This time it definitely paid off.

    I went looking for what the bits were that indicated the start of an NTFS filesystem, and found a little write-up ( ) that told me precisely what I wanted to know. With a little bit of knowledge and knowing a few tools you can get into a lot of trouble :), I whipped out head, and hexdump, and less, and put together:

    head -500k image.dd | hexdump -C | less

    And started looking for the header, and found it 0x7e00 ... which with a little math one figures out is 32k bytes into the file. You'll also note that this is not where I started to cut the file apart with dd, you'll notice that I started at byte 512. Now that I've been letting the earlier dd run for most of the day while working on other things, I didn't really want to restart it at the new offset so I went looking for an alternative... and found it!

    mount -t ntfs -o loop,ro,offset=0x7e00 image.dd /mnt

    Yup, that's right, you can mount starting at an offset. If you happen to know where the filesystem header is, just point mount at it and let it figure it out. Having figured that out, and it worked great, the entire contents of the filesystem were there, and I started tarring off the files from it that my officemate wanted. But now I had a thought, if I can do a fix to the partition table of the original disk, then I can hand him the external disk in an enclosure and it gets even easier. A little trip into fdisk again, and I am able to again try to mount the actual drive... and it doesn't like me. I think it had something to do with that starting sector being set to 1. On a whim, I decided to try:

    mount -t ntfs -o ro,offset=0x7e00 /dev/sdd /mnt

    and discovered that it will do the same thing with hardware as with a loop interface. I don't think I'm fearless enough that I'm willing to try to mangle the partition table to point it at the right location. I'll let the tar finish, and give my officemate the tar so he can have the files he cares about back, and we can wipe the drive and start over entirely.

    [1] mmls is part of The Sleuthkit, available at:
    2 dcfldd is an 'improved' dd, which includes things like status, and hashing of the data transfered. It's available at:

    Thank you Blackhat, again

    | 1 Comment | No TrackBacks

    A couple years ago Blackhat ( was embroiled in a legal battle between Cisco Systems and Mike Lynn about a presentation he was giving on breaking into Cisco's IOS. We won't go into the details about that here but you can go read Jennifer Granick's journal for the details.

    And now Blackhat looks like it might be in the middle again. InfoWorld report that HID, the proximity RFID card maker may be going up against IOActive, Inc. to stop a similar presentation that targets their technology, as well as similar technology from other vendors in the same field.

    What really gets to me in this case is a quote attributed to HID from InfoWorld:

    "These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.

    Where is the responsibility in a security company selling a product that they know has a vulnerability in it? That their customers might be susceptible to an attack which is mostly public already? That apparently one researcher took less than a month to put together?

    I'm tired of this, I'm tired of hearing about security companies that fail in some major aspect of securing their own devices, working with customers to alleviate or understand problems with the technology they are selling or have sold. Security in a black box of "trust us this will work" is worthless to the customer. Why am I tired of this? Because I see to many examples of it, including:

    Default installations of security web applications that leave themselves open to the world.
    Security appliances that converse via SSL that you can't update the certificate.
    Security appliances that offer no secured communications channel for device management.

    I think, if you're are selling or creating any security device you need to at least hold yourself to a higher standard for protecting it and protecting your customers. Though I hate to create new legislation, perhaps we need some in this arena. I envision something where a researcher that finds a flaw is protected by whistleblower style legislation (even if they don't work at the company) and the company must to a notification to customers affected by the problem.

    Can I get a hell yeah?

    -- decaf out (poor editing and writing attributed to my current fever)

    Another Macaroni and Cheese

    | No Comments | No TrackBacks

    Collect the following ingredients:

    1/2 cup of butter (mmmm)
    1 tsp mustard
    salt and pepper
    1 chopped onion
    1 chopped green pepper
    2 cups elbow macaroni
    3 cups water
    2 cups of cheddar, grated

    In a large saute of frying pan, melt the butter. Add onion and green pepper and saute for until soft. Add salt, pepper, mustard, salt, and pepper, then stir to combine. Add macaroni and fry in butter for 3 to 5 minutes making sure to stir and coat with butter. Pour in 2 cups of water, cover, let boil. Stir occasionally until the water is almost gone and then sample. Use additional water to keep boiling/steaming macaroni as needed until the pasta is cooked. Remove from heat and add cheese, stir through and serve.

    Optional: Add 1 to 2 cups of cubed cooked ham to macaroni a few minutes before removing from the heat.

    Takes approx. 15 to 20 minutes and serves up to 6 depending on portion sizes :)

    Macaroni and Cheese

    | 1 Comment | No TrackBacks

    12-16 oz elbow pasta
    4 Tbs flour
    4 Tbs butter
    2 cups milk
    16 oz cheese (2:1 Monterrey Jack:Cheddar but use whatever you like) grated

    Preheat oven to 400^F
    In large pot of boiling water cook pasta until super al-dente, drain set aside pasta

    While the pasta is cooking, in a separate pan, melt butter over medium-high heat. When the bubbles start to subside, whisk in the flour and cook until golden brown and there is a distinct nutty aroma. Whisk in milk and cook until thickened. (This is a good time to add additional seasonings such as white pepper, Tobasco sauce, cayenne pepper, dijon mustard etc etc etc). Once the sauce has thickened, turn off the heat and slowly mix in the grated cheese, reserving some for topping the final dish. Mis together the sauce and the pasta and pour into an oven-safe casserole. Sprinkle the remaining cheese on top and bake until the top is brown and crisp. Remove from oven and allow to set for 5-10 minutes and serve.

    [Alas no pictures, I really should fix that]

    On Making Sauce

    | No Comments | No TrackBacks

    Words to the wise from The Ethicurean:

    Ideally, the flour is whisked into the liquid and thickens it, but does not clump. If you see clumps of flour, you have too much flour. A little butter will thin the mixture, but don't overdo it, or you will enter a vicious cycle of butter- and flour-adjustment. I once ended up with three gallons of turkey gravy through just such a mistake, having started with a mere quart of liquid.

    August 2010

    Sun Mon Tue Wed Thu Fri Sat
    1 2 3 4 5 6 7
    8 9 10 11 12 13 14
    15 16 17 18 19 20 21
    22 23 24 25 26 27 28
    29 30 31