Monday, November 30, 2009

The Last Several Weeks

I noticed that I had not written anything since the middle of the month. Since the first of the month, I have been studying via an online course on Network Penetration Testing. It was a relatively inexpensive course, only $550 for 30 days. I needed the Continuing Education credits to keep my CISSP certification. For over three weeks, I studied 10-12 hours per day. I shot myself in the feet a few times. I underestimated how thoroughly they wanted the exercises documented and I had to go back and redo some exercises using an XML editor called Leo. That in itself took two full days. It also took me two days to get through their final challenge. I signed up for the certification exam almost immediately after finishing the course. I had an inkling that their pass rate was low. The exam is also 24 hours long. Out of five systems I was supposed to break into, I succeeded with one and got local access on another. Pretty poor showing. I am awaiting word from them on my results. Since I didn't pass, I will have to take the exam over which is another $60 which is cheap. My question though, is will I need a third attempt, and am I allowed three tries or more in order to pass?

I haven't named the company for fear of driving people away. Their class is worth it even if one fails because you learn a lot of practical hands-on knowledge. Most security classes that I have taken are aimed at high school level intellects and aren't very challenging. They are mostly rote memorization. This course could be considered a practical lab course, and it was possibly graduate school caliber. I could be wrong, since I was never a Comp Sci major in college, but the amount of effort I had to put in was graduate school level.

After I had bombed the exam, I spent Thanksgiving with a friend and his family. I did absolutely nothing the last four days, but relax and read science fiction short stories. I tried to stay away from computers. But with the start of a new week, I have to start preparing for the next attempt. So, I am researching exploits against Linux and Windows systems. I also plan to study for another IT Security exam and take it before Christmas in case I just can't pass this trial. If I had put the amount of effort into the other exam that I put into this course, I'd be done by now with that exam. Oh well, hindsight is 20/20.



How Did We Come to This?

To what purpose do we continue to strive? Why for some, do things get harder while for others things get easier? Is it pure luck? Social beliefs would have us believe that the fortunate "earned" everything they have gained. That may be true for the many, but is it true for all? Why is there so much anguish and suffering and fear in the United States of America? We are supposed to be the greatest country on the face of the planet. We supposedly take care of everyone else, but not our own because they are shiftless, lazy, or no-good. Our leaders can't lead and our managers can't, or won't, manage except through fear - the fear of losing your job in a downturn, the fear of losing your home, the fear of starving, or watching your family starve. Will the fear become reality, or is the reality something different? What happened to hope, a good, meaningful job, peace on Earth, goodwill to your fellow Man? Granted that the whole world is never at peace at any given time, but for large swathes, there is peace and hopefully contentment, or used to be.



Monday, November 16, 2009

The Horsey is Infected

The Trojan Horse, otherwise known as not listening to your local seer, Cassandra.



PaiMei Framework Installation Woes, or Why Some Open Source Projects Give Free Software a Bad Rep

I am a big fan of Open Source Software, or Free Software as the GNU Foundation terms it. But occasionally, it can be extremely frustrating. Here's an example. Yesterday, I decided not to work on an online IT Security course I've been taking for the last two weeks. Instead, I decided that I would try to install a reverse engineering framework called Paimei on a Windows system. What would have been trivial for a Windows, Mac, or Linux install became a nightmare for this particular Windows installation. The first major gotcha is that the installation instructions are not up to date. They call for Python 2.4 to be installed, but the current version of pydbg in Paimei requires the python25.dll which means Python version 2.5 needs to be installed (more on that later). With Python25, one doesn't need the ctypes package. The other software requirements seem to be accurate.

The second gotcha was due to file permissions. My Windows systems would not see the contents of certain folders due to the read-only permissions from the read-only Subversion repository. Now admittedly, the developers set read-only file permissions as a security precaution, but would it hurt to tell Windows users that they might have problems installing the software due to file permission issues since this framework is used almost exclusively on Windows systems? I had downloaded the code to my Linux system previously and it saw all the files. The only way I found that I could get the files to be read by Windows was to burn them to a CD on my Linux system and copy them from the CD to the hard drive. Downloading them directly via a browser from the Google repository is futile. Copying them from Linux to Windows via an SMB share was just as futile even after changing file permissions to read-write. There might be a way to avoid this issue via the Windows version of Subversion, but I am not aware of it.

The third gotcha was the __install_requirements.py installation script. It had not been updated. The first issue with the script is that it downloads the old software whose links are now stale and it doesn't necessarily detect the newer required software even when the packages are installed. The second issue is that the script suppresses standard errors to the console. It would have been nice to know that the reason it couldn't find pydbg even though all the install files were there was that the failure was due to a missing python25.dll, and by implication, the use of the wrong version of Python that was specified by the developers themselves. The third issue was that the script builds version 1.2 of the Windows installer (via a batch file), but looks for and invokes version 1.1 which doesn't exist. Once you fix the batch file and that line in the script, things tend to be easier.
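The second issue above, a probe that prints only NOT FOUND and hides why the import failed, can be avoided by classifying the failure. This is an added example, not part of the original post or the PaiMei project, written for current Python 3 (ModuleNotFoundError does not exist in Python 2.5); constructed_importer and its error strings are constructed stand-ins for the situation described.

```python
import importlib

# Modules the installer script on this page probes for.
REQUIRED = ["ctypes", "pydot", "wx", "MySQLdb", "pydbg", "pida", "pgraph", "utils"]


def classify_import(name, importer=importlib.import_module):
    """Try to import `name` and report why it failed instead of hiding it.

    Returns (status, detail) where status is one of:
      "ok"          - imported cleanly
      "missing"     - the module itself is not installed
      "missing-dep" - the module is installed but something it imports is not
      "load-failed" - files are present but loading failed (for example a
                      compiled extension that cannot find its Python DLL)
      "crashed"     - the module raised a non-import error while initialising
    """
    try:
        importer(name)
    except ModuleNotFoundError as exc:
        absent = exc.name or ""
        # The missing name is the module itself or one of its parent packages.
        if absent == name or name.startswith(absent + "."):
            return "missing", str(exc)
        return "missing-dep", "%s needs %s" % (name, absent)
    except ImportError as exc:
        # Found on disk but could not be loaded: the case the post ran into.
        return "load-failed", str(exc)
    except Exception as exc:
        return "crashed", "%s: %s" % (type(exc).__name__, exc)
    return "ok", ""


def check_requirements(names=REQUIRED, importer=importlib.import_module):
    """Classify every required module; returns {name: (status, detail)}."""
    return dict((n, classify_import(n, importer)) for n in names)


def constructed_importer(name):
    """Constructed stand-in importer reproducing the failures described above."""
    if name == "pydbg":
        # Constructed message modelled on a missing python25.dll.
        raise ImportError("DLL load failed: The specified module could not be found.")
    if name == "pydot":
        raise ModuleNotFoundError("No module named 'pydot'", name="pydot")
    if name == "pida":
        raise ModuleNotFoundError("No module named 'pgraph'", name="pgraph")
    return object()


if __name__ == "__main__":
    results = check_requirements(importer=constructed_importer)
    for name in REQUIRED:
        status, detail = results[name]
        print("%-8s %-12s %s" % (name, status, detail))
```

A "load-failed" result for pydbg points at the interpreter or a DLL rather than at the PaiMei files, which is the distinction the bare NOT FOUND message loses.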

So, here's some tips on installing the Paimei Reverse Engineering Framework (as of November 2009):

1. Install Python version 2.5 instead of Python 2.4 as they state. Make sure you set the PythonPath environmental variable and modify your Path statement accordingly.

2. After you download the Paimei svn files, make sure your Windows system sees all the files. I noticed that the console folder was empty and this led me to realize that the file permissions were causing a problem on Windows. If you don't have a Linux system handy, boot your Windows box off of a Linux Live CD set to "use ram" (load the OS into the ramdisk) so that you can access your CD/DVD burner. Then download Paimei and burn it to CD. Then reboot into Windows, and copy the files to your Windows system.

3. Install all of the required software packages as listed in the installation instructions with the exception of Python24.

4. Fix the error in the __build_installer.bat file from

c:\python\python.exe setup.py bdist_wininst --bitmap=logos\installer.bmp --title=PaiMei

to

c:\python25\python.exe setup.py bdist_wininst --bitmap=logos\installer.bmp --title=PaiMei

5. Fix the __install_requirements.py script or use the one below. I have not documented my changes, so run a diff on this one and the original if need be. They may fix these errors some day soon, so check first.

6. Change directories into console and invoke the console like so:

python .\PAIMEIconsole.pyw

Good luck!

#!c:\python\python.exe

# $Id: __install_requirements.py 194 2007-04-05 15:31:53Z cameron $

import urllib
import os
import shutil

# globals.
downloaded = 0

########################################################################################################################
def urllib_hook (idx, slice, total):
    # urlretrieve progress callback: print a running percentage.
    global downloaded

    downloaded += slice

    completed = int(float(downloaded) / float(total) * 100)

    if completed > 100:
        completed = 100

    print "\tdownloading ... %d%%\r" % completed,


def get_it (url, file_name):
    # Download url to file_name, then launch the downloaded installer.
    global downloaded

    downloaded = 0
    u = urllib.urlretrieve(url, reporthook=urllib_hook)
    print
    shutil.move(u[0], file_name)
    os.system("start " + file_name)

########################################################################################################################

try:
    print "looking for ctypes ...",
    import ctypes
    print "FOUND"
except:
    print "NOT FOUND"
    choice = raw_input("\tWant me to get it? ").lower()
    if choice.startswith("y"):
        get_it("http://superb-east.dl.sourceforge.net/sourceforge/ctypes/ctypes-0.9.9.6.win32-py2.4.exe", "installers/ctypes-0.9.9.6.win32-py2.4.exe")

try:
    print "looking for pydot ...",
    import pydot
    print "FOUND"
except:
    print "NOT FOUND"

try:
    print "looking for wxPython ...",
    import wx
    print "FOUND"
except:
    print "NOT FOUND"
    choice = raw_input("\tWant me to get it? ").lower()
    if choice.startswith("y"):
        get_it("http://umn.dl.sourceforge.net/sourceforge/wxpython/wxPython2.6-win32-ansi-2.6.3.2-py24.exe", "installers/wxPython2.6-win32-ansi-2.6.3.2-py24.exe")

try:
    print "looking for MySQLdb ...",
    import MySQLdb
    print "FOUND"
except:
    print "NOT FOUND"
    choice = raw_input("\tWant me to get it? ").lower()
    if choice.startswith("y"):
        get_it("http://superb-east.dl.sourceforge.net/sourceforge/mysql-python/MySQL-python.exe-1.2.1_p2.win32-py2.4.exe", "installers/MySQL-python.exe-1.2.1_p2.win32-py2.4.exe")

# The directory checks below rely on open() failing: on Windows, opening an
# existing directory raises IOError with a permission error, so only
# errno 2 (no such file or directory) means the directory is absent.
try:
    print "looking for GraphViz in default directory ...",
    fh = open("c:\\program files\\graphviz2.24")
    fh.close()
except IOError, e:
    if e.errno == 2:
        print "NOT FOUND"
    else:
        print "FOUND"

try:
    print "looking for Oreas GDE in default directory ...",
    fh = open("c:\\program files\\govisual diagram editor")
    fh.close()
except IOError, e:
    if e.errno == 2:
        print "NOT FOUND"
        choice = raw_input("\tWant me to get it? ").lower()
        if choice.startswith("y"):
            get_it("http://www.oreas.com/download/get_gde_win.php", "installers/gde-win.exe")
    else:
        print "FOUND"

try:
    print "looking for uDraw(Graph) in default directory ...",
    fh = open("c:\\program files\\udraw(graph)")
    fh.close()
except IOError, e:
    if e.errno == 2:
        print "NOT FOUND"
        choice = raw_input("\tWant me to get it? ").lower()
        if choice.startswith("y"):
            get_it("http://www.informatik.uni-bremen.de/uDrawGraph/download/uDrawGraph-3.1.1-0-win32-en.exe", "installers/uDrawGraph-3.1.1-0-win32-en.exe")
    else:
        print "FOUND"

try:
    print "looking for PaiMei -> PyDbg ...",
    import pydbg
    print "FOUND"
except:
    print "NOT FOUND"

try:
    print "looking for PaiMei -> PIDA ...",
    import pida
    print "FOUND"
except:
    print "NOT FOUND"

try:
    print "looking for PaiMei -> pGRAPH ...",
    import pgraph
    print "FOUND"
except:
    print "NOT FOUND"

try:
    print "looking for PaiMei -> Utilities ...",
    import utils
    print "FOUND"
except:
    print "NOT FOUND"

choice = raw_input("\nInstall PaiMei framework libraries to Python site packages? ").lower()
if choice.startswith("y"):
    os.system("start C:\\paimei\\installers\\PaiMei-1.2.win32.exe")

print "\nRun __setup_mysql.py to setup database and complete installation. Then run console\PAIMEIconsole.py"

raw_input("\nHit enter to exit installer.")

#---------end of file---------------



Thursday, November 12, 2009

Helpful Resources for Those in Debt

I did some research for Yves Smith of Naked Capitalism several weeks ago. I had hoped that she would put these links on her web site, but she's been overwhelmed with finishing her book. So here's most of what I sent her.

New York Times:
Money, Credit Cards, and Debit Cards

Federal Trade Commission:
(Knee Deep in Debt Advice article)
(Choosing a Credit Counselor)

The American Bar Association's Pro Bono Center's Law School List:
Free Legal Services by State

Other Links:
(Cut and Paste Links)
A Google search on "pro bono debt counseling" gave this result:
http://www.cccsstl.org - Clearpoint Credit Counseling Solutions, which is a non-profit

These two were ads from the search page and they are non-profits and community based:
http://www.consolidatedcredit.org/DebtConsultation/cccsShort.aspx (Fla.)
http://landingpages.moneymanagement.org/Debt/default.aspx

Searching for "pro bono debt counseling clinics" (URL of search results: http://www.google.com/search?rls=en&q=pro+bono+credit+counseling+clinics&sourceid=opera&ie=utf-8&oe=utf-8) I got:
http://www.credit.org/ (based in CA, NV, AZ)
www.wileyrein.com/about.cfm?sp=probono (law firm)
www.dallasbar.org (Dallas Bar Association where I live)
http://www.compact.org/syllabi/law/community-based-legal-research/4169/ (Brigham Young Univ. in Utah)

If you live in Georgia, this is your lucky day:

(Cut and Paste these links)
University of Georgia Law School in Athens (pro bono):
http://www.abanet.org/legalservices/probono/lawschools/151.html

List of Non-Profits in Georgia:
http://www.gcn.org/join/Membership/MemberList.aspx

Decatur, Georgia is the closest Atlanta suburb:
Consumer Credit Counseling Services - www.cccsatl.org
1 W Cour Sq, Decatur - (404) 527-7630

Agnes Scott College - library.agnesscott.edu
141 E College Ave, Decatur - (404) 471-6000

Pro Bono attorneys:
http://www.debtproblemsolutions.com/Georgia-free-legal-help.html

Legal Aid by County:
http://lawyers.justia.com/lawyers/consumer-law/georgia/atlanta-sandy-springs-marietta-ga-metro

Georgia State University Law School (pro bono resources):
http://law.gsu.edu/students/current/probono_sites.php

Emory University (pro bono):
http://www.abanet.org/legalservices/probono/lawschools/34.html

John Marshall Law School (Atlanta):
http://www.abanet.org/legalservices/probono/lawschools/198.html

University of Georgia Law School:
http://www.abanet.org/legalservices/probono/lawschools/151.html

Mercer University Law School:
http://www.abanet.org/legalservices/probono/lawschools/62.html



Wednesday, November 11, 2009

A Senate Bill I Can Endorse - The TBTF,TBTE Act of 2009

Senator Sanders of Vermont is the sponsor of a bill to break up the largest financial institutions. His petition has over 8,000 signatures. The Baseline Scenario blog has a post about it. Please sign the petition. It takes a whole 20 seconds and beats writing a real letter that won't get read by your Congressman or Senator. It will be interesting to see how our Senators kill it or gut it in the Senate, or how Treasury or the Fed spin it. The whole bill is readable by just about anyone. The entire bill is below.

A BILL
To address the concept of “Too Big To Fail” with respect to certain financial entities.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.
This Act may be cited as the “Too Big to Fail, Too Big to Exist Act”.

SEC. 2. REPORT TO CONGRESS ON INSTITUTIONS THAT ARE TOO BIG TO FAIL.
Notwithstanding any other provision of law, not later than 90 days after the date of enactment of this Act, the Secretary of the Treasury shall submit to Congress a list of all commercial banks, investment banks, hedge funds, and insurance companies that the Secretary believes are too big to fail (in this Act referred to as the “Too Big to Fail List”).

SEC. 3. BREAKING-UP TOO BIG TO FAIL INSTITUTIONS.
Notwithstanding any other provision of law, beginning 1 year after the date of enactment of this Act, the Secretary of the Treasury shall break up entities included on the Too Big To Fail List, so that their failure would no longer cause a catastrophic effect on the United States or global economy without a taxpayer bailout.

SEC. 4. DEFINITION.
For purposes of this Act, the term “Too Big to Fail” means any entity that has grown so large that its failure would have a catastrophic effect on the stability of either the financial system or the United States economy without substantial Government assistance.



Friday, November 06, 2009

Heart Goes Out to the Survivors

I found out this evening about the shootings at Fort Hood in Killeen, TX. My heart goes out to the survivors and the victims of this tragedy. The news reports are too preliminary to draw conclusions and my initial assessment was likely dead wrong as to the reason for the crime. I am sorry that this incident has happened and I hope that it doesn't happen again. I thank Peter Coates, a fellow blogger and friend, (Ft. Hood, OMG!) for alerting me. He actually lived there in the 1970s. I also hope that the Army takes steps to discover why this happened and to make sure that if a similar incident happens again, that the loss of life is minimized. One can't stop madmen from taking lives. All one can do is minimize the effects of their killing spree. I'm guessing that some sort of weapons ban will be placed on military bases where only Military Policemen can carry weapons in most places. It's either that, or let everyone carry weapons. Or perhaps, nothing will be done and this incident will be seen as an aberration.

Consider The Gates of Paradise:

A soldier named Nobushige came to Hakuin, and asked: "Is there really a paradise and a hell?"
"Who are you?" inquired Hakuin.
"I am a samurai," the warrior replied.
"You, a soldier!" exclaimed Hakuin. "What kind of ruler would have you as his guard? Your face looks like that of a beggar."
Nobushige became so angry that he began to draw his sword, but Hakuin continued: "So you have a sword! Your weapon is probably much too dull to cut off my head."
As Nobushige drew his sword Hakuin remarked: "Here open the gates of hell!"
At these words the samurai, perceiving the master's discipline, sheathed his sword and bowed.
"Here open the gates of paradise," said Hakuin.

or Killing:

Gasan instructed his adherents one day: "Those who speak against killing and who desire to spare the lives of all conscious beings are right. It is good to protect even animals and insects. But what about those persons who kill time, what about those who are destroying wealth, and those who destroy political economy? We should not overlook them. Furthermore, what of the one who preaches without enlightenment? He is killing Buddhism."

Deaths, real and symbolic, occur around us all the time, but most go unremarked and unnoticed. More people died today driving their cars than died of gunfire, yet no mention of those common deaths in the media. More people starved to death than died in cars or from gunshot wounds. Which is the greater tragedy that could have been prevented?



Wednesday, November 04, 2009

The Power of Words

The words we use to describe the world have power whether we know it or not. Such words may or may not be accurate depending upon the motives of the author. In some instances, a tract may be blatant propaganda, yet some will utterly believe such drivel because the messenger has a high status in society, is powerful, or is wealthy. The more lasting messages tend to be from the heart and touch the heart, however. I have no illusions that any of my words will last past my lifetime.

George Carlin remarked that military terminology tends to lessen the psychological impact of the horrors of war until the words no longer describe the actual thing or subject. In WWI, they had shell shock. Pretty accurate description. In WWII, they called the same thing battle fatigue. In Vietnam and today, they call the same thing post-traumatic stress disorder. Huh? Now mine is a noun that describes a deadly explosive device that kills or maims a soldier or vehicle quite well. Mine was used as terminology for an explosive device concealed by ground cover during Vietnam, even improvised ones. Such improvised mines even took out Sheridan tanks. These days, you have improvised explosive device. That sounds like a piece-of-crap machine put together at the last minute. It doesn't sound as deadly as a mine even though it is quite deadly, and it is, in fact, a mine. But IED doesn't have the psychological impact that the word mine does. This is unfortunate, because such terminology gives noncombatants the idea that war is survivable, when modern war is the most deadly environment modern man can conceive. I wonder if that will be modern man's epitaph on the last headstone of the last mass grave of the last human war.

Here lies Man.
Loved war more than peace.
Now the entire race is at peace.
Because warriors never killed the true foe within themselves.


