Tcpreplay progress

First the good news… I’ve upgraded Trac for the Tcpreplay website which now supports built-in spam filtering. This means I’ve opened up the ticketing system to people who haven’t yet registered an account. Hopefully people will find it easier to open tickets for bugs and feature requests.

The bad news is that rewriting the L2/DLT code is even more complicated than I originally thought. Right now I’m spending my time working on the design, trying to make sure it’s flexible and easy to extend over time. Anyways, if you’re reading this, why not go check out that ticket, read the design document (realizing it’s a work in progress) and let me know what you think?


Is it live or is it Memorex?

About 15 years ago an audio tape company challenged people to figure out if it was live or if it was Memorex. It seems that in the networking security space we’re at the same place, trying to figure out if live tools like Metasploit can be replaced by replay tools like tcpreplay.

Now, it would seem obvious that the answer, like most things, is that “it depends”, but there seem to be people who are convinced that if it’s not live it’s not a real test.

Probably the best argument against replay tools is GIGO (garbage in, garbage out). If you don’t properly vet your test samples (often in libpcap format) then you’re going to have a bad day. Generally speaking, live tools like Metasploit are easier to validate: they either break into the target or they don’t. Replay tools don’t actually attack anything, and thereby require you to trust that the test case is correct or require you to do more strenuous validation.
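The kind of sanity check the GIGO argument calls for, added here as an example (not tcpreplay’s own code): it walks a libpcap file, verifies the magic number and byte order, and flags records whose captured length is below the original length, since a snaplen-truncated capture can never replay the full exchange. The embedded sample file is constructed, with the second record deliberately truncated.

```python
import struct

# Constructed sample: a minimal little-endian libpcap file (microsecond
# timestamps, DLT_EN10MB, snaplen 64) with two records. The second record
# claims an original length of 1500 but only 64 captured bytes.
_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
_PKT1 = b"\x00" * 60
_PKT2 = b"\x00" * 64
SAMPLE_PCAP = (
    _GLOBAL_HDR
    + struct.pack("<IIII", 1, 0, len(_PKT1), len(_PKT1)) + _PKT1
    + struct.pack("<IIII", 2, 0, len(_PKT2), 1500) + _PKT2
)

def vet_pcap(data):
    """Summarise defects that would make a replayed test untrustworthy."""
    if len(data) < 24:
        return {"ok": False, "reason": "shorter than the 24-byte global header"}
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # usec / nsec, same byte order
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # written on the other byte order
        endian = ">"
    else:
        return {"ok": False, "reason": "unknown magic 0x%08x" % magic}
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    packets = truncated = 0
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, caplen, origlen = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        # A record longer than snaplen or running past EOF means a damaged file.
        if caplen > snaplen or off + caplen > len(data):
            return {"ok": False, "reason": "corrupt record at offset %d" % (off - 16)}
        if caplen < origlen:        # snaplen cut this packet short
            truncated += 1
        packets += 1
        off += caplen
    trailing = len(data) - off      # leftover bytes that are not a full record
    return {
        "ok": truncated == 0 and trailing == 0,
        "linktype": linktype, "snaplen": snaplen, "packets": packets,
        "truncated": truncated, "trailing_bytes": trailing,
    }
```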

The second reason which seems to come up against replay tools is that somehow it’s not really like a live test. Nobody has ever actually been able to give me a case where a libpcap capture of an exploit was different from what was actually on the wire or why resending those captured packets created any differences, but people still claim that it is. They’ve argued that replay tools don’t “emulate the state of the client and server” or that “live tools adapt to differences in the server runtime” but both these arguments miss the point. An IDS/IPS doesn’t know the state of the client or server, it only guesses at the state by watching the packets on the wire. Hence, a replay tool doesn’t need to emulate the state of the client/server, just repeat the externally visible process of those state changes. And that’s something that replay tools do very well.

So are there any advantages or situations where replay is better suited? I think so:

  1. Comparative tests. If you’re comparing two products (like two IPS’s) then it’s important to use the same test cases. Live tools, due to their dynamic nature tend to auto-magically adapt behind the scenes.
  2. Regression tests. The key behind regression tests is that they don’t change.
  3. Single solution. While tools like Metasploit provide a good framework for developing a wide range of attacks, they have a limited number of attacks. This means you often need multiple tools with different interfaces to provide the coverage you’re looking for. Replay tools like tcpreplay provide a unified and protocol/attack agnostic approach to any network based attack.
  4. Simple environment. Running live tools requires you to have a victim to attack. Often this means running VMware on a 2nd system, installing multiple operating systems and configuring countless applications to attack. Replay tools on the other hand are virtually self-contained since they emulate both server and client side of the connection.

What do you think?


Sometimes you just get lucky…

Decided to finally make the jump to HDTV. Lots of reasons really (quality up, prices lower, etc). Did all my research, and narrowed it down to the Sony KDS-55A2000 55″ SXRD rear projection set.

Did a lot of price shopping:

On Amazon: $2,500
On Crutchfield: $3,000
At Magnolia: $2,700
On Best Buy’s website: $3,000
At the Best Buy down the street from my house: $2,000 <--- Woah! Turns out the CompUSA around the corner was going out of business, and had a huge blowout sale on the 55" Sony (but not the 50 or 60") so Best Buy with their price match guarantee was actually selling it BELOW COST. The 55" was actually $500 cheaper than the 50". Sale ended that day. I bought one (duh). Then I saved another $100 by agreeing to upgrade to HD cable with Comcast which I was going to do anyways. So anyone want a Sony 32" Trinitron on the cheap? Nice solid wood entertainment center cabinet too.


Why methods shouldn’t replace a language

There’s been a big push for OO scripting languages like Python and Ruby over older procedural languages like Perl. While I used to be quite the Perl bigot, lately I’ve learned to appreciate other languages like Ruby. But while OO techniques can make some things much much easier, strict adherence to the OO concepts can be more trouble than it’s worth.

Take for example this common case of a for loop:
for ($i = 0; $i <= 10; $i++) { <do something with $i> }
In Ruby you’d use:
1.upto(10) { |x| <do something with x> }

I’ll give the win to Ruby here for being more concise, even though those people coming from most procedural languages will be taken aback by the syntax. Now let’s make a simple change and increment by 2 instead of 1:

If you read the first Perl example, this should be obvious:
for ($i = 0; $i <= 10; $i += 2) { .... }
Ruby, however isn’t quite so obvious:
1.step(10, 2) { |x| ... }

Wtf? It’s a different method? For the record, I had to ask 3 people who write Ruby code how to do that because the first two didn’t know the magical method name. Sure it’s a small thing, but it’s really frustrating when the “obvious” solution isn’t correct and doesn’t lead you to the answer.


No more head-hunters please.

Usually when I’m talking about head-hunters I’m either ranting or making fun of them… or in some cases both.

But this post isn’t about that. This post is about something simple. If your company is interested in me, then contact me yourself. Do not under any circumstances use a head-hunter. I won’t talk to them.

You’d be surprised how many head-hunters call me with statements like, “My client has specifically asked me to contact you about an opportunity with them. I can’t tell you who they are, but trust me they’re great. Please send me your resume so I can give it to them to start the process.”

Now occasionally (once) they’re being honest. But most of the time, they’re full of shit since this is one of the oldest ploys in the book to get your resume in their system so they can call you every 6 months about “great opportunities” which suck.

So instead of paying a head-hunter 30% to call me and setup an interview… just contact me yourself.


Not even I thought the number was 14,000

According to this AP article on Yahoo, 14,000 is the number of people being held against their will in U.S. run overseas prisons without access to a lawyer or being charged with a crime. 13,000 of them are in Iraq.

One such example is of Bilal Hussein, an Iraqi citizen and AP photographer.

[Update: Here’s another great example of the “enemy combatants” who are so dangerous they must be held in Gitmo.]

Already, over 18,000 people have been released because they were deemed innocent. But one wonders, after being held in a prison for months and even years, how this endears us to them after they are set free. More than likely, those that already hated us hate us even more, and those that were on the fence now see us as their tormentors. While “radical islamists” are telling the world we are evil, we go out of our way and prove it. In effect, our own actions only serve to create more of the enemy.

Bush tells us this is to protect us from those evil-doers who wish us harm. But you can’t fight evil by becoming it. The “war on terror” shouldn’t be fought by instilling terror in the hearts of innocent people. We as Americans need to stand up for what is right before the world can’t tell which side are the real terrorists.


OpenPacket a reality?

Well looks like Richard may have actually gotten OpenPacket off the ground. A public pcap repository is something I’ve often thought about doing since starting work on tcpreplay, but I’ve never had the time.

Limited access to quality pcaps has always been a limitation for users of tcpreplay, so this project may be the perfect companion. I’ll be keeping a close eye on how it develops. Hopefully they’ll have something to look at in a few weeks.


1,000th comment!

Just reached the 1,000th attempted comment spam which was picked up by Akismet. So I guess the good news is that Akismet is very effective at combating comment spam. I guess the bad news is the near complete lack of actual comments. :)

On a side note, I tried signing up for a class over the web. Filled out the form, gave them my CC# and everything. Then I got an email saying that the class was full. After being put on the waiting list, I suggested they change their website to indicate which dates have availability… not something I would consider difficult nowadays. Imagine my surprise when I got this in reply:

Unfortunately because our availability changes constantly it
would likely be a full time job for someone to update the school
availability on the site and we just can’t do that. This is why there is
a note that comes up after you register that says you aren’t actually
registered until one of our staff contact you.

Hello? Is it still 1998?


Flying in the post-liquid bomb world

So I had the misfortune of picking last Thursday to fly on vacation. For those of you living under a rock, last Thursday was when the news broke out that some terrorists were plotting to blow up planes using explosives in the form of liquids and/or gels.

The solution was obviously to stop anyone from flying with any liquid, gel or similar substance such as chapstick in their carry-on. Apparently now, you can’t even have gel inserts in your shoes.

As someone in the security world, these planned attacks and our response are somewhat interesting to me. Anyways, a few observations:

  • Some people traveling really are living under a rock. One woman who was trying to go to Disneyland was shocked that she needed some form of a government issued ID to fly.
  • TSA is obviously incapable of determining who is a terrorist and who is not a terrorist, hence everyone is now treated as a possible terrorist.
  • The terrorists are constantly coming up with new ways to blow stuff up.
  • The TSA responds by constantly banning perfectly harmless things which resemble dangerous things in an attempt to prevent terrorists from blowing things up because it is unable to efficiently distinguish things like drinking water from nitroglycerin.
  • The impact on perfectly honest citizens who aren’t terrorists seems much larger than the impact on the terrorists (not just the people traveling, but the owners of duty-free stores, wineries whose customers don’t buy as much wine, causing the price of oil to skyrocket, etc.)
  • If the terrorists’ goal is to just strike fear into the average traveller, cause havoc with our economy, etc. then the terrorists are meeting their goals. My guess is that actually blowing up a plane would be bonus points. It also explains why we call them terrorists not “random murderers of many people who take themselves out in the process”.
  • How long before the terrorists figure out how to embed explosives into clothes and the TSA requires everyone to fly naked?