pckswarms.ch - interesting uncommon events

While the research into computer security below is still interesting, I am also spending time on EarthSwarms.

This was inspired by the International Digital Earth 3-D Visualization Challenge. Why? I've always been interested in Earth data, and this pushed me to actually do something about it. I strongly believe that without a deeper appreciation of climate change and the Earth spread across more people (i.e., not just YOUR friends) we will not get very far in terms of a reasonable solution. EarthSwarms is one of my ideas for how to engage less technical people.

More details are under the Earth Swarms link, but the basic idea is that this needs to run in as many places as possible and not require fiddly 3D library installation or annoying graphics card/GPU installation. If you have something cool it runs faster; otherwise it just runs.

This is all written in Squeak (The Squeak Environment) since nothing else is so good at cross-platform portability. Java? Yeah, not on any system I actually own and run...

At pckswarms.ch I research techniques to find interesting, but uncommon, events. For example, I have developed a program to scan Ethernet packets for uncommon connections in order to discover spyware and bots. More information can be found under the Packet Swarms link on the side bar.

30 Apr 2007


I've always liked the WorldChanging website and their article Make This Earth Day Your Last! is excellent.

The 4th Intergovernmental Panel on Climate Change Report.

Visible Earth


Yet again I am reminded of how nice open source software is. I have a friend's PC which hasn't really been backed up, running Windows XP, which now has a bad disk. Windows doesn't boot. The error message is quite bad -- i.e. Stop: c0000218 {Registry File Failure}. The recovery is hard, but NetBSD can boot and I can copy the files from the NTFS partition across NFS to a Linux system. Fast, simple, and easy.

26 Apr 2007


Ah, a targeted virus. In this case a divorce case, and the email installed a keystroke logger. It cost the husband 7000 pounds a month.

I wonder how many others are out there? For 7000 pounds a month it can't be hard to find people to do this.

20 Apr 2007

Home Network

After a nice vacation near Lago Garda in Italy I'm back.

After a bit of reflection I decided to switch away from OpenBSD and to Debian Linux. Don't read too much into this. I still think that OpenBSD is technically better, and, way more secure. What I do think is that Windows Vista is going to bomb. Yes, it will sell well since you don't have much choice, but, I shudder at trying to support the folks who I currently support on XP on Vista. Therefore I see folks moving to Linux and I thought I'd go back and give it a try and see how it's going.

Basically pretty well. I chose Debian for no other reason than that I have Sun Ultras and Mac PPC systems, and Debian seems to support those well. The install went as follows:

Overall pretty positive. Icedove (Mozilla Thunderbird) and IceWeasel (Mozilla Firefox) work well. The Gnome desktop is pretty and it runs OK on the 300 MHz systems.

Now that I have Linux, SBCL runs. So the next step is to port pckSwarms. I have some new ideas, and watching the sorts of break-ins which are happening I believe it's even more useful.


It looks like the papers at HotBots 07 might be quite interesting.


Wow, someone scanned the BlueBook.

6 Apr 2007


Some more thoughts on the MS ANI problem

First, it looks like breaks of this class could be grepped out of MS's documentation because MS is strict about naming of variables. Given the example structure here, the important bit is:

struct tagANIHeader {
    DWORD cbSizeOf; // Num bytes in AniHeader (36 bytes)

It would be quite easy to write a regular expression and parse the MS documentation to get a list of file types which might break in a similar way.

It was bad design to have a size field in a structure and then have it basically hard coded to a maximum length. This is asking for trouble.

One has to be careful not to:

All of these were probably true when the code was written 10 years ago.

The one final thing that struck me was that the files on disk (or on the network) are oddly coupled with the version of the OS. This is very fragile.

Basically you can't ever change an ANIHeader anywhere on disk or on the net without upgrading ALL copies of the OS. Plus any new ANIHeaders that exist will crash (at best) older versions of the OS.

Much better is a version number in the header (and just reject versions you don't know about), a variable-length header with some sort of terminating value, or a header length, so that as new fields are added to the end, older software simply skips and ignores them.

These things are gifts to hackers.
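To make the design point concrete, here is an added example of a header parser written the way the entry recommends. It is not code from the original page and not the real ANI format: only the 36-byte cbSizeOf field comes from the excerpt above, and the version word, the field names, the status codes and the sample bytes are assumptions made for this example. The parser validates the declared size against both the fields it needs and the bytes it was actually given, copies only the fixed prefix it understands (never cbSizeOf bytes), rejects versions it does not know, and skips any fields a newer writer appended.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the header fields this parser understands. The 36-byte figure
   comes from the cbSizeOf comment in the tagANIHeader excerpt; the layout
   below (a version word after cbSizeOf) is an assumption for this example. */
#define HDR_KNOWN_SIZE   36u
#define HDR_VERSION_OK    1u
#define HDR_SAMPLE_CAP   64u

typedef struct {
    uint32_t cbSizeOf;                  /* declared size, read from the file */
    uint32_t version;                   /* assumed: format version number */
    uint8_t  body[HDR_KNOWN_SIZE - 8];  /* remaining known fields, opaque here */
} hdr_t;

typedef enum {
    HDR_OK = 0,
    HDR_ERR_SHORT_INPUT,     /* fewer bytes available than the header declares */
    HDR_ERR_SIZE_TOO_SMALL,  /* cbSizeOf cannot hold the fields we rely on */
    HDR_ERR_BAD_VERSION      /* a version this parser does not know */
} hdr_status_t;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The pattern the entry criticises is "copy cbSizeOf bytes into a fixed
   36-byte structure": the file chooses the size, so the copy can run past
   the structure. Here the declared size is checked against the known
   layout and the bytes available, only the known prefix is copied, and
   anything after it is skipped (the forward-compatible behaviour). */
hdr_status_t hdr_parse(const uint8_t *buf, size_t buf_len,
                       hdr_t *out, size_t *consumed)
{
    if (buf_len < 8)
        return HDR_ERR_SHORT_INPUT;

    uint32_t cb  = read_le32(buf);
    uint32_t ver = read_le32(buf + 4);

    if (cb < HDR_KNOWN_SIZE)      /* too small to contain the known fields */
        return HDR_ERR_SIZE_TOO_SMALL;
    if (cb > buf_len)             /* declared size exceeds what we were given */
        return HDR_ERR_SHORT_INPUT;
    if (ver != HDR_VERSION_OK)    /* reject versions we do not understand */
        return HDR_ERR_BAD_VERSION;

    out->cbSizeOf = cb;
    out->version  = ver;
    memcpy(out->body, buf + 8, sizeof out->body);  /* fixed length, never cb */
    *consumed = cb;               /* skip fields a newer writer appended */
    return HDR_OK;
}

/* Builds a constructed header chunk: cbSizeOf and version followed by
   filler, cut to `available` bytes so truncated input can be exercised. */
static size_t make_sample(uint8_t *dst, uint32_t cb, uint32_t ver, size_t available)
{
    if (available > HDR_SAMPLE_CAP)
        available = HDR_SAMPLE_CAP;
    memset(dst, 0xAB, HDR_SAMPLE_CAP);
    uint8_t le[8] = {
        (uint8_t)cb,  (uint8_t)(cb >> 8),  (uint8_t)(cb >> 16),  (uint8_t)(cb >> 24),
        (uint8_t)ver, (uint8_t)(ver >> 8), (uint8_t)(ver >> 16), (uint8_t)(ver >> 24)
    };
    memcpy(dst, le, available < 8 ? available : 8);
    return available;
}

/* Parses a constructed sample and returns the status. */
hdr_status_t sample_status(uint32_t cb, uint32_t ver, size_t available)
{
    uint8_t buf[HDR_SAMPLE_CAP];
    hdr_t   h;
    size_t  used = 0;
    size_t  len = make_sample(buf, cb, ver, available);
    return hdr_parse(buf, len, &h, &used);
}

/* Parses a constructed sample and returns the bytes consumed (0 on error). */
size_t sample_consumed(uint32_t cb, uint32_t ver, size_t available)
{
    uint8_t buf[HDR_SAMPLE_CAP];
    hdr_t   h;
    size_t  used = 0;
    size_t  len = make_sample(buf, cb, ver, available);
    return hdr_parse(buf, len, &h, &used) == HDR_OK ? used : 0;
}

int main(void)
{
    printf("well-formed 36-byte header: status %d\n", sample_status(36, 1, 36));
    printf("newer 48-byte header, extra fields skipped: consumed %zu\n",
           sample_consumed(48, 1, 48));
    printf("declares 4000 bytes, only 36 present: status %d\n", sample_status(4000, 1, 36));
    printf("declares 20 bytes: status %d\n", sample_status(20, 1, 36));
    printf("unknown version 2: status %d\n", sample_status(36, 2, 36));
    return 0;
}
```

The two checks on cb are the whole point: the first keeps the parser from reading fields that are not there, the second keeps a file-supplied size from driving a copy or a read past the buffer. The version test gives the "reject what you don't know" behaviour, and returning cb as the consumed length lets older software step over a longer, newer header instead of misreading it.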

5 Apr 2007


Now back to security

There have been several stories this week about MS's ANI problem. Now, it's all fine and good to poke fun at MS, but I think this points out a more basic problem in computer security. We, the folks trying to keep systems secure, are always at a disadvantage. First, it seems that those breaking into systems have loads of free time. Second, ALL of our patches have to work; only ONE of their break-ins has to succeed. Finally, we have years and years of shoddy programming to work around; they have years and years of shoddy programming in their favor.

We won't win doing what we have done in the past. In fact we'll be lucky not to keep falling further and further behind at this rate.

One idea that I talk about in more detail in Packet Swarms is that while Intrusion Detection Systems (IDS) are very important, you have to have a known signature for them to work well. And while it's true that the ANI bug could be caught with a previous signature, you would have been out of luck had the stack overflow come from a different source.

The second type of security problem we are good at catching is the one which jumps up and bites us hard. You might remember the SQL Slammer worm. Another example is a DDoS attack. In both cases you can't help but know that you've got a problem. You might not know what it is, but you do know it exists.

My third thought about this is that with traffic analysis you can catch jumps in types of network traffic that stand out. But why should an attack produce a lot of traffic? Why couldn't the attack have your accounting and/or sales and marketing departments slowly send the contents of "My Documents" to some dodgy site somewhere in the world?

In all of those cases you tend to have a binary system. I.e., the network connection/packet/traffic is good, or it's bad. It only moves from good to bad when someone makes some sort of decision.

These together pushed me to a slightly different solution, i.e., pckSwarms. I've thought more about the problem since the paper was published, so over the next weeks I'll write a bit more of these thoughts down.
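As an added illustration of the "graded rather than binary" idea in the paragraphs above, here is a small example of scoring outbound connections by how uncommon their destination is instead of matching them against a signature. This is my own example, not pckSwarms' code and not the algorithm from the paper, which this page does not describe: the connection records are constructed (RFC 5737 documentation addresses), and the rarity score, the (destination, port) key and the threshold are assumptions made for the example. It shows how a single quiet connection to a destination nobody else talks to stands out even though it produces no spike in traffic volume.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One outbound connection record. The sample is constructed for this
   example; it is not captured traffic. */
typedef struct {
    const char *src;
    const char *dst;
    uint16_t    port;
} conn_t;

static const conn_t SAMPLE[] = {
    {"10.0.0.11", "192.0.2.10",   443},
    {"10.0.0.12", "192.0.2.10",   443},
    {"10.0.0.13", "192.0.2.10",   443},
    {"10.0.0.11", "192.0.2.20",    25},
    {"10.0.0.14", "192.0.2.10",   443},
    {"10.0.0.12", "192.0.2.20",    25},
    {"10.0.0.15", "192.0.2.10",   443},
    {"10.0.0.14", "203.0.113.77", 8080},   /* one host, one odd destination */
    {"10.0.0.13", "192.0.2.20",    25},
    {"10.0.0.11", "192.0.2.10",   443},
    {"10.0.0.15", "192.0.2.20",    25},
    {"10.0.0.12", "192.0.2.10",   443},
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])
#define MAX_PAIRS 64

/* How often each (dst, port) pair was seen in the window. */
typedef struct {
    const char *dst;
    uint16_t    port;
    unsigned    count;
} pair_tally_t;

/* Counts distinct (dst, port) pairs; returns how many pairs were found. */
static size_t tally_pairs(const conn_t *c, size_t n, pair_tally_t *out, size_t cap)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j;
        for (j = 0; j < used; j++) {
            if (out[j].port == c[i].port && strcmp(out[j].dst, c[i].dst) == 0) {
                out[j].count++;
                break;
            }
        }
        if (j == used && used < cap) {
            out[used].dst   = c[i].dst;
            out[used].port  = c[i].port;
            out[used].count = 1;
            used++;
        }
    }
    return used;
}

/* Graded score instead of a good/bad verdict: 0 means every connection in
   the window went to this pair; values near 1 mean it was almost never seen. */
double rarity_score(unsigned count, size_t total)
{
    return total ? 1.0 - (double)count / (double)total : 0.0;
}

/* Rarity of one (dst, port) pair over the sample; -1.0 if never seen. */
double sample_rarity(const char *dst, uint16_t port)
{
    pair_tally_t t[MAX_PAIRS];
    size_t n = tally_pairs(SAMPLE, SAMPLE_LEN, t, MAX_PAIRS);
    for (size_t i = 0; i < n; i++)
        if (t[i].port == port && strcmp(t[i].dst, dst) == 0)
            return rarity_score(t[i].count, SAMPLE_LEN);
    return -1.0;
}

/* Number of pairs whose rarity exceeds the analyst's chosen threshold. */
size_t sample_pairs_above(double threshold)
{
    pair_tally_t t[MAX_PAIRS];
    size_t n = tally_pairs(SAMPLE, SAMPLE_LEN, t, MAX_PAIRS);
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (rarity_score(t[i].count, SAMPLE_LEN) > threshold)
            hits++;
    return hits;
}

int main(void)
{
    pair_tally_t t[MAX_PAIRS];
    size_t n = tally_pairs(SAMPLE, SAMPLE_LEN, t, MAX_PAIRS);
    for (size_t i = 0; i < n; i++)
        printf("%-14s:%-5u seen %2u  rarity %.2f\n", t[i].dst, (unsigned)t[i].port,
               t[i].count, rarity_score(t[i].count, SAMPLE_LEN));
    return 0;
}
```

Nothing here decides that a connection is bad; the analyst picks a threshold and looks at what sits above it. With the sample above the two well-used destinations score around 0.4 and 0.7 while the single connection to 203.0.113.77:8080 scores above 0.9, so it surfaces on volume of one packet, which is the slow "My Documents" case a traffic-volume alarm would miss.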

4 Apr 2007


Everything is uploaded and done. John M McIntosh did a quick fix to the Mac Intel Squeak VM so that the colors are pretty. This made me very happy...

Bruce O'Neel

Last modified: Thu Apr 5 13:42:07 MET 2007