Archive for June, 2007

My Solarium aka The Computer Room

I thought I'd share these pictures of my "computer room" as it currently sits.

The panoramas were taken with my cell phone (UTStarcom 6700 Pocket PC) and the "close-ups" were taken with my Kodak EasyShare CX6200.

[Image: Panorama #1]
[Image: Panorama #2]
[Image: Close-Up #1, My Desk]
[Image: Close-Up #2, Laptops on Kitchen Table]

IT, Personal

CVSS v2 Official

Anyone who's worked with CVSS knows that it has some serious flaws... Today we can change that statement to had some serious flaws, at least until we find problems with CVSS v2 which was announced today (via SSAATY). The incorporated changes from v1 are fairly substantial and a huge step in the right direction.

They include:

  • AccessComplexity changed from a high/low rating to a high/medium/low rating.
  • ImpactBias moved from the base metric to the environmental metric.
  • Vulnerabilities giving root (or equivalent) access now have each CIA component set to 'complete', while user access is rated as 'partial'.
  • AccessComplexity rewritten to indicate that it means the difficulty of exploiting with working exploit code, not the difficulty of generating exploit code.
  • In the environmental metric, TargetDistribution has changed from none/low/high to none/low/low-medium/medium-high/high
  • AccessVector has changed from Local/Remote to Local Access/Local Network Access/Network Access
  • In the environmental metric, CollateralDamagePotential has changed to none/low/low-medium/medium-high/high.
  • In the base metric, AccessVector/AuthenticationVector now include No Auth/Single Auth/Multiple Auth
  • Wording changes to indicate that CVSS should always be applied to the service that is directly vulnerable and not any secondary systems or indirectly affected users.
  • Wording changes to indicate that CVSS should always be scored against the configuration that is most likely used ("most probable"), not the best practice. The example given is a web browser. More often than not browsers are run as administrator when best practice would tell us otherwise. If you can't determine "most probable", then the default configuration should be used.
  • Explanation of proper method of handling multiple methods of exploiting a vulnerability. The score should be calculated for each method and the highest score should be used.
  • CIA measurements for ImpactBias are now Low/Medium/High
  • The Difficulty and Impact sub-equations are now combined with a weighting of .4 for Difficulty and .6 for Impact.

The detailed version change history can be found here.
Full CVSS v2 Documentation can be found here.
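
The v2 base equation behind several of the changes listed above, as an added example that is not part of the original post. The metric weights are the constants from the CVSS v2 specification (the post does not quote them), what the post calls Difficulty is the specification's Exploitability sub-score, and the function names and sample vectors are constructed for illustration.

```python
# Added example: CVSS v2 base score from a vector string.
# Weights are the CVSS v2 specification constants, not values from the post.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}     # Local / Local Network / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}  # v2 adds Medium
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}    # Multiple / Single / None
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}        # None / Partial / Complete

TABLES = {
    "AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
    "C": CIA_IMPACT, "I": CIA_IMPACT, "A": CIA_IMPACT,
}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {metric: weight}.

    Rejects unknown metrics, duplicates, missing metrics and values that
    do not exist in v2 (for example the v1 AccessVector value 'R').
    """
    weights = {}
    for part in vector.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in TABLES or name in weights:
            raise ValueError(f"bad metric {part!r} in {vector!r}")
        if value not in TABLES[name]:
            raise ValueError(f"bad value {value!r} for {name} in {vector!r}")
        weights[name] = TABLES[name][value]
    missing = [m for m in TABLES if m not in weights]
    if missing:
        raise ValueError(f"missing metrics {missing} in {vector!r}")
    return weights


def base_score(vector):
    """Combine the two sub-scores with the .6 Impact / .4 Difficulty weighting."""
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176  # no impact means a score of 0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def highest_score(vectors):
    """Score each exploitation method and keep the highest, as v2 requires."""
    return max((base_score(v), v) for v in vectors)


if __name__ == "__main__":
    # Constructed sample: one flaw with two exploitation methods.
    methods = [
        "AV:L/AC:L/Au:N/C:C/I:C/A:C",  # local, gives root: CIA all 'complete'
        "AV:N/AC:L/Au:N/C:P/I:P/A:P",  # network, gives user: CIA all 'partial'
    ]
    for m in methods:
        print(f"{m} -> {base_score(m)}")
    print("reported score:", highest_score(methods))
```

With these two constructed vectors the network path that yields only user access outscores the local path that yields root, which is why each method has to be scored separately.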

IT, Security

Blog Tagging — Going Overboard

I was just taking a quick look at my RSS feeds, specifically the Security Bloggers Network. I enjoy having a compilation feed, so that I don't have 50+ feeds to go through. I came across the latest post from the Technology Security Blog and was appalled. Half of the post was Tags for various services... del.icio.us, livejournal, technorati, icerocket, etc... Because it's an RSS feed, the HTML formatting that decreases the font is lost and we're left with these in the same font size as the article. Now, even with the font size decreased, they are still overkill. I look at the website for the blog and it's these lists of links. Now maybe I don't get tagging... I don't mind Alan Shimel's list of like 10 at the bottom of every post (but his blog spans a good portion of the page so the line is longer, making for fewer lines used)... but I can't stand seeing a page where there are more Tags than content. Is anyone else finding this trend ridiculous?

Personal

Nmap 4.21ALPHA4 against my apartment

I figured I'd scan the majority of IP enabled devices in my apartment and see what they came up as...

Devices Excluded:
Sony Clie
UTStarcom 6700 PocketPC
Nintendo DS Lite
Sony Playstation 2
Vonage VoIP Gateway

Options: nmap -sT -O --osscan-guess

Scan Results

192.168.1.1 (m0n0wall 1.22)
Device type: firewall
Running: m0n0wall FreeBSD 4.X|5.X
OS details: M0n0wall FreeBSD-based embedded firewall version 1.22 - 1.23b1
Uptime: 3.644 days (since Sat Jun 16 09:15:21 2007)
**Actual uptime is 103 days**

192.168.2.1 (LinkSys BEFW11S4)
MAC Address: (The Linksys Group)
Device type: broadband router
Running: Cnet embedded, Linksys embedded
OS details: Cnet CNIG904B Internet Broadband Gateway firmware version 1.11, Linksys BEFW11S4/WRT-54G Wireless Broadband router or BEFSR41 Cable/DSL router

192.168.2.10 (HP LaserJet 4MV)
All 1704 scanned ports on 192.168.2.10 are closed
MAC Address: (Hewlett Packard)
Too many fingerprints match this host to give specific OS details

192.168.2.50 (Ubuntu PPC 6.06.1 LTS (2.6.15-28) )
MAC Address: (Apple Computer)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.19
Uptime: 52.910 days (since Sat Apr 28 02:20:49 2007)
**Uptime Correct**

192.168.2.101 ( Windows XP SP2 Home )
MAC Address: (First Internat'l Computer)
Device type: general purpose
Running: Microsoft Windows 2000|XP|2003
OS details: Microsoft Windows 2000 Server SP4, Microsoft Windows XP SP2, Microsoft Windows XP SP2 or Windows 2003 Small Business Server

192.168.2.102 ( OS X 10.4.9 (PPC) )
MAC Address: (Apple Computer)
Device type: general purpose
Running: Apple Mac OS X 10.4.X
OS details: Apple Mac OS X 10.4.8 (Tiger)

192.168.2.103 ( OS X 10.3.9 (PPC) )
MAC Address: (Apple Computer)
Device type: general purpose
Running: Apple Mac OS X 10.3.X|10.4.X
OS details: Apple Mac OS X 10.3.9 - 10.4.7

192.168.2.104 ( Vector Linux (2.6.18-5) )
MAC Address: (Foxconn)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17.8 SMP i686 (custom compiled)
Uptime: 0.020 days (since Wed Jun 20 00:02:55 2007)
**Uptime Correct**

192.168.2.105 ( Windows Vista Home Premium )
Unable to scan localhost

192.168.2.106 ( OS X 10.3.9 (PPC) )
MAC Address: (Apple Computer)
Device type: general purpose
Running: Apple Mac OS X 10.2.X|10.3.X|10.4.X|10.5.X, FreeBSD 4.X
Too many fingerprints match this host to give specific OS details

192.168.2.107 ( Ubuntu PPC 5.10 (2.6.12-10) )
All 1704 scanned ports on 192.168.2.107 are closed
MAC Address: (Apple Computer)
Too many fingerprints match this host to give specific OS details

IT

Not Seeing the Point

Generally I enjoy reading the SecuriTeam blog, yet lately I'm not seeing a point in reading it. This article is a great example of why I don't see a point... It's a blog post that says nothing. It's not even stating the obvious. I believe that the author is attempting to use the referenced Google post to say IIS is insecure. That's not what the Google post says, nor even close to what is being discussed. It's discussing malware distribution, which could be due to botnets, personal servers, or anything else... The author is attempting to take a shot at Microsoft and failing miserably... it's like trying to see logic in an argument between children. Between this and the 'useless' Safari post the other day I'm getting dangerously close to deleting SecuriTeam from my RSS Feeds.

IT

Free Assembly Books from Intel

I had ordered these a while ago and have them on my bookshelf... every now and then I even pull one out to consult the information they contain. What are these? They're a series of 6 books published by Intel that you can have shipped to you free of charge (US and Canada anyways... I'm not sure about their worldwide shipping policy). I thought of this now because I was telling a friend to call and get a set of them, so I wanted to share this with anyone else who might be interested in them.

The series is entitled: 'IA-32 Intel Architecture Software Developer's Manual'

Volume 1: Basic Architecture (SKU: #253665)
Volume 2A: The Instruction Set Reference (A - M) (SKU: #253666)
Volume 2B: The Instruction Set Reference (N - Z) (SKU: #253667)
Volume 3A: System Programming Guide (SKU: #253668)
Volume 3B: System Programming Guide (SKU: #253669)
Volume 4: Architecture Optimization Reference Manual (SKU: #248966)

To Request these books simply call:
United States: 1-800-548-4725
International: 1-303-675-2148

*Something tells me that the 800 number works in Canada as well, at least that's what I remember calling.

For more information, or to obtain these in PDF format, check here.

IT

Buyer Beware! ("Returner" also Beware)

An interesting link came across one of the mailing lists I'm on earlier tonight. It seems that a man in Nova Scotia inadvertently became a peeping tom. You might ask how you inadvertently do this... well follow these simple steps.

  1. Purchase a WiFi-enabled security camera, that emails pictures every time motion is detected.
  2. Set it up at home, configuring your email address as the address that it uses.
  3. Decide the camera isn't for you, repackage it and return it to the store.
  4. Wait for another person to purchase the camera.

That's it... The article mentions that Staples warns stores to ensure that the device is fully erased before reselling it; however, in this case the store owner insists that it is the original purchaser's responsibility to ensure that data is wiped from the device. It raises an interesting question; however, I don't think that you could, in any way, find the original purchaser responsible. I would highly suggest that they wipe the data (unless they want their email address available to someone else), but I don't think they could be forced to... Take a scenario where an elderly couple buys the camera and their grandchild deploys it for them... The grandchild goes home, the couple finds they don't like the camera, so they unplug it and box it up to return it... It may never cross their mind to reset the configuration... That should be the first step taken in the store.

Either way, let this serve as a lesson for anyone who has purchased an "Open Box" special and just plugged it in... Someone, somewhere may be watching you.

IT

Safari Beta

Once again we see a post addressing Apple's Safari for Windows beta and the bugs found in it. I'm not really understanding this... Web browsers are prone to vulnerabilities... everyone knows that... Safari for Windows is a beta... everyone knows that. Betas are known to contain bugs; the entire idea is that the bugs get ironed out in the beta stage so that a final release ships "relatively" bug free.

So my question... Who really cares that Apple isn't rushing and fixing every reported bug in Safari... It's a beta, as long as they are fixed by the official release that's all that should matter. This is getting childish.

IT, Security

My First Problem with Vista

I've had Vista on a laptop for a couple months now, and a few weeks back I bought a desktop with Vista. So far I've been fairly happy with it... I don't understand a lot of the complaints that people have been making. Well, a few weeks ago I needed to console into a Cisco switch. I've done this just a few times before, so I go about my business as I normally would -- Start -- Programs -- Accessories -- Communications -- Wait a second... No HyperTerminal. So I do some searching online and I find the answer. Vista doesn't ship with HyperTerm anymore. They suggest using the command line telnet for telnet connections, and completely forget about serial communication. So I had to go find a freeware option on the net. The option I found was Poderosa, which supports telnet, ssh, local cygwin shell and serial communication.

Now, a week or so later, I wanted to telnet into a pop3 server (I wanted to test credentials) and I don't have netcat on this box yet. So I go to the command prompt and I type telnet. I'm rather surprised by the result:

C:\Users\Tyler>telnet
'telnet' is not recognized as an internal or external command,
operable program or batch file.

I don't get it... The Microsoft help page told me to use command line telnet. I do a bit more searching and find this page. Telnet was removed as a default install option for Vista, you have to go into Programs and Features --> Turn Windows Features on or off and install it. So Vista ships without a single telnet client installed, while previous versions shipped with two and that's it... that's my first beef with Vista.

IT

Beating up on Microsoft

It's fairly well known that I'm quite the Microsoft advocate... right now they still produce the superior product. However, that's not what I want to discuss... I want to discuss this blog post that keeps appearing on the SecuriTeam RSS feed as new (various little things are updated in it), that other websites have picked up as well. It discusses "cracking" Windows with the DVD.

Now I think there's a language issue here, as I in no way, shape or form consider this cracking or anything remotely close to cracking; nor would I use the word cracking to describe the process occurring with third party software. What bothers me is that anyone, anywhere, with even a shred of technical background would attempt to make a big deal about this. We're talking FUD and nothing but FUD.

So what is this FUD exactly? Well, when you boot with the Vista DVD and use the System Recovery feature, you can get a high privilege command prompt. Why is this FUD? Well, Mr. Rousku, the discoverer of this "crack", states, "This is the first time when cracking Windows operating systems is really easy and needs no deeper technical knowledge." I'm confused here... downloading Knoppix requires no technical knowledge. I suppose you could make the argument that you have to navigate Linux but it's a GUI... I'd say the Windows Command Prompt is more difficult to navigate than a Linux window manager. What about a BartPE disk or ERD Commander? Both of these give you nice, easy to use GUIs, again easier than a clunky command prompt.

The defense against this is to change your boot order (removing your optical disk) and set a BIOS password. Home users don't need to take this action... why would they? Generally home users share a single account, so there's no need to worry about this. This applies to business, and in most businesses you should already have secured your computers against the possibility of boot disks. If you haven't, then you were already at risk from the software I listed above.

I also don't see how this is different than Linux and lilo's 'init 1' or grub's 'single', a process that is still used in the Red Hat Enterprise Linux 4 Manual.

Solaris, AIX, and HP-UX also have methods of booting a single user mode. So why did Mr. Rousku beat up on Microsoft? Did he want to see his name in the paper? A better question is why does SecuriTeam, a group of experienced security researchers, continually push this as a security issue... updating and maintaining the post so that it continually reappears in their RSS feed. This is nothing more than unfairly attacking Microsoft and spreading FUD.

IT, Security
