Monday, January 16, 2017

Talking To The Future

We are able to talk to our children, not as they are today, but tomorrow. Google, Microsoft, Alexa and Amazon, whatever search engine out there, the data of the web is being archived in permanence. In 30 years this blog will be searchable as an archive. My children will be able to read it and glimpse into their father's present, a time that is their present.

Today also marks the day that I realized how to do this. How to communicate "privately" with them. Just know that you will be able to communicate, one-way, with your kids by publishing messages to them in a blog. Just keep the blog active.

If you see wacky messages on this blog then you will see me communicating with the future. I know they are reading them.


Friday, January 13, 2017

Knock Knock

There was a girl, her name was Lucy. She was a samurai.


Although, my favorite Deep Purple is Hush:


Wednesday, December 14, 2016

Joined #TOKUGAWA

The first track-back (reversal) I did was on some Japanese hackers who staged out of South America. Here's an excerpt from the log of the server they attacked:

200.165.33.242 - - [18/Jun/2006:19:16:50 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 51
200.165.33.242 - - [18/Jun/2006:20:32:28 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 62
200.165.33.242 - - [18/Jun/2006:20:32:34 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6568
200.165.33.242 - - [18/Jun/2006:20:33:04 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:33:08 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6564
200.165.33.242 - - [18/Jun/2006:20:33:14 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:33:19 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6574
200.165.33.242 - - [18/Jun/2006:20:33:25 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:34:00 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:34:16 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:34:32 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:34:36 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 56
(***) 200.165.33.242 - - [18/Jun/2006:20:34:43 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
(***) 200.165.33.242 - - [18/Jun/2006:20:34:59 -0500] "GET /cartaoUOL/ HTTP/1.1" 200 43611
200.165.33.242 - - [18/Jun/2006:20:35:24 -0500] "GET /cartaoUOL/ HTTP/1.1" 200 43611
200.165.33.242 - - [18/Jun/2006:20:35:41 -0500] "GET /cartaoUOL/ HTTP/1.1" 200 43611
200.165.33.242 - - [18/Jun/2006:20:39:47 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 62
200.165.33.242 - - [18/Jun/2006:20:39:55 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6574
200.165.33.242 - - [18/Jun/2006:20:40:00 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 52
200.165.33.242 - - [18/Jun/2006:20:40:09 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:21:07:48 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 62
200.165.33.242 - - [18/Jun/2006:21:08:25 -0500] "GET /cartaoUOL/ HTTP/1.1" 404 133
Note the tell-tale "ikonboard" which in 2006 had all sorts of security problems. What you should immediately see in this listing is the test of "cartaoUOL" with a 404, then some CGI work, then suddenly "cartaoUOL" exists. That was the start of the exploit.
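The pattern described above (a client probes a path and gets a 404, works a known-weak CGI script, and shortly afterwards the same path returns 200) is easy to pick out of an access log automatically. The following is an added example, not code from the original post: it parses Apache-style lines like the ones in the excerpt, and for each client reports paths that went from 404 to 200, together with how many requests to watched CGI scripts that client made in between. The log lines are constructed for the example (documentation-range IPs), and the watched-script list is an assumption you would fill in for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format, the shape of the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Scripts whose mere presence in a log deserves a look.  Assumption: a
# site-specific list; ikonboard.cgi is the one the post names.
WATCHED_CGI = {"/cgi-bin/ikonboard.cgi"}

# Constructed sample, mirroring the sequence the post describes:
# probe (404), CGI work, then the probed path exists (200).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2006:20:30:01 -0500] "GET /cartaoUOL/ HTTP/1.1" 404 133
203.0.113.5 - - [18/Jun/2006:20:32:28 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 62
203.0.113.5 - - [18/Jun/2006:20:33:04 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
203.0.113.5 - - [18/Jun/2006:20:34:59 -0500] "GET /cartaoUOL/ HTTP/1.1" 200 43611
198.51.100.7 - - [18/Jun/2006:20:35:10 -0500] "GET /index.html HTTP/1.1" 200 1200
198.51.100.7 - - [18/Jun/2006:20:35:12 -0500] "GET /favicon.ico HTTP/1.1" 404 209
""".splitlines()


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_appearing_paths(lines):
    """Return (ip, path, first_404_ts, first_200_ts, cgi_hits_between) for every
    path a client first received a 404 for and later received a 200 for.
    cgi_hits_between counts that client's requests to WATCHED_CGI in between,
    which is what turns 'a file appeared' into 'a file appeared after CGI work'."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    recs.sort(key=lambda r: r["ts"])
    first_404 = {}                 # (ip, path) -> timestamp of the probe
    cgi_hits = defaultdict(list)   # ip -> timestamps of watched-CGI requests
    findings = []
    for r in recs:
        key = (r["ip"], r["path"])
        if r["path"] in WATCHED_CGI:
            cgi_hits[r["ip"]].append(r["ts"])
        if r["status"] == 404 and key not in first_404:
            first_404[key] = r["ts"]
        elif r["status"] == 200 and key in first_404:
            t404 = first_404.pop(key)
            between = sum(1 for t in cgi_hits[r["ip"]] if t404 < t < r["ts"])
            findings.append((r["ip"], r["path"], t404, r["ts"], between))
    return findings


if __name__ == "__main__":
    for ip, path, t404, t200, between in find_appearing_paths(SAMPLE_LOG):
        print(f"{ip}: {path} 404 at {t404:%H:%M:%S}, 200 at {t200:%H:%M:%S}, "
              f"{between} watched-CGI requests in between")
```

On a real log the interesting output is the rows with a non-zero CGI count; a 404-then-200 with no CGI work in between is usually just a deploy.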

They went on to add their IRC bot for the C&C and start exploring the file system. They defaced the web site and caused all sorts of embarrassment. Their target was an athletic association that helped kids. Way to go h4x0r! 1337 skillz with milkshakes.

200.165.33.242 - that's a Brazilian IP, naked just like a brazilian. The IRC bot called back to irc.irchighway.net and connected to the #TOKUGAWA room. There it looked like the bot was trying to upload some 30MB file:

** 2005-11-08-20:38:29: DCC Send Accepted from Named: [animesquest]_imyme01.rm (30622KB)
** 2005-11-08-20:38:29: Upload Connection Established
** 2005-11-08-20:38:32: Upload: Connection closed: Connection Lost
All of this was happening on:

** 2005-11-08-20:37:55: NOTICE: :Named!named@76b3cfb.3d716d1f.telesp.net.br NOTICE TK|Sasuke :DCC Chat (200.158.244.210)
200.158.244.210 was also Brazil. It's Telefonica now.

The ISP hosting the site ran a scan of the virtual host and found some compromised files. 

www/cgi-bin/
  bindz : Backdoor.Trojan
  php : replacement script for PHP executable
  sn : unknown script/executable
  sitevars : help script
www/
  new.cmd : Infostealer.Bancos
They were able to do this because the web process was running elevated and had permission to write over itself. Something more common in 2005 than in 2016, thankfully.
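The listing above shows both kinds of damage a writable document root invites: an existing executable replaced (the "php" script) and new files dropped next to it ("bindz", "sn", "new.cmd"). The audit below is an added example, not something from the post or the ISP's scanner: it walks a web root and reports every file or directory the web service account could modify, using plain Unix mode bits. The account name, the path and the decision to ignore POSIX ACLs and immutable flags are assumptions of the example.

```python
import grp
import os
import pwd
import stat
import sys


def writable_by(mode, file_uid, file_gid, uid, gids):
    """True if a non-root process running as uid (member of gids) could write
    an object with this mode and ownership.  Mode bits only: POSIX ACLs and
    immutable flags are not considered (assumption of the example)."""
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def find_writable(root, uid, gids):
    """Walk root and return everything the service account could modify.
    Directories matter as much as files: a writable cgi-bin lets new scripts
    be dropped, a writable script lets an existing one be replaced."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is judged on its own if the walk reaches it
            if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                hits.append(path)
    return sorted(hits)


def service_ids(username):
    """Resolve a service account to (uid, set of gids) incl. supplementary groups."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


if __name__ == "__main__":
    # usage: python webroot_audit.py /var/www www-data   (path and user are examples)
    root, user = sys.argv[1], sys.argv[2]
    uid, gids = service_ids(user)
    for p in find_writable(root, uid, gids):
        print("writable by", user + ":", p)
```

The expected result on a properly deployed site is an empty list apart from a deliberately writable upload or cache directory, and those should not be under cgi-bin or anywhere the server will execute from.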

They left their "snarf.c" and its compiled executable. Mostly these were amateur hackers who were just experimenting with a site that was very poorly secured. I remember digging into their IRC traffic and finding some IRC logs published on the internet. That's where I learned that they were Japanese and had been using another relay "jump" node out of Uruguay. I don't have records on that anymore.

The owners of those IP addresses back in 2006:

inetnum: 201.14/16
aut-num: AS8167
abuse-c: BTA17
owner: Brasil Telecom S/A - Filial Distrito Federal
ownerid: 076.535.764/0326-90
responsible: Brasil Telecom S. A. - CNRS
address: SEPS 702/092 Cj. B - Bl B 3 andar Gen. Alencastro, S/N,
address: 70390-025 - Brasilia - DF

inetnum: 200.165/16
aut-num: AS7738
abuse-c: CGR13
owner: Telemar Norte Leste S.A.
ownerid: 002.558.134/0001-58
responsible: Marlemar Telgon
address: Rua Humberto de Campos, 425, 7º andar
address: 22430-190 - Rio de Janeiro - RJ


Monday, December 12, 2016

Guesswork

Dear Mr. Perez, the CIA does not engage in "guesswork." To say on national news (CNN 12/12/2016, 12:02PM Pacific, COX channel 1031) that the CIA used "guesswork" to conclude that "Russians" were engaged in cyber-espionage to influence our electoral process is insulting to an army of people who have dedicated their lives protecting your right to say that they are engaged in "guesswork."

This national concern with the FBI and CIA and their "counter" analysis of the cyber activity around the DNC/RNC "hacking," is a clear show of how the American public has lost trust in its intelligence community. I wonder when the mistrust of these organizations started. Could it be the way in which Hollywood has depicted them? I can't remember the last movie I saw where FBI cyber operations were portrayed in a positive manner.

The FBI investigates crime. For crime to happen there has to be a victim. You could argue "liberty" and "freedom" being the victims in the DNC hack. Yet, that's not what FBI is investigating. It appears they are approaching this from a "Clinton Campaign" as the victim of a retaliation attack. [1][3][5]

On the CIA side, investigations are centered around influence and misrepresentation. For them to conclude anything there has to be a case of broken trust and influence. That is why they appear to be focused on the "Trump Campaign" as a victim. [2][5]

In both analyses, though, the same intelligence is at work. The same analysis has happened. An unauthorized entity, with high likelihood of connection to Russian interests, has engaged in felony cyberterrorism against a private political entity with national level influence. While a private entity hack, it is still a great concern and should be dignified with a similar level of outrage by our governing representatives.[7]

Yet, I can't be me without the conspiracy theory, right? So there is a conspiracy angle to this, and that is that the IC is the source of the DNC/RNC hack, and the RNC hack was likely just a me-too. [4] You told me "your government is not trying to deceive you," and I believe you. Yet, the greatest tool of deception is plain sight.

As for those electorates who think they are entitled to see classified intelligence reports? I have to wonder about their motivations. Maybe they are trying to smoke out CIs? You need to trust the IC when it tells you it has conclusive evidence. Intelligence reports are hundreds of pages of back story and interrogations. You don't have the IQ to ingest that data and make use of it in a productive manner.

[1] http://www.redstate.com/absentee/2016/12/12/trump-cia-fbi-russia-dnc-rnc/
[2] https://www.washingtonpost.com/world/national-security/obama-orders-review-of-russian-hacking-during-presidential-campaign/2016/12/09/31d6b300-be2a-11e6-94ac-3d324840106c_story.html
[3] http://www.politico.com/story/2016/07/clinton-putin-226153
[4] http://www.zerohedge.com/news/2016-10-22/nsa-whistleblower-us-intelligence-worker-likely-behind-dnc-leaks-not-russia
[5] https://www.washingtonpost.com/business/economy/russian-propaganda-effort-helped-spread-fake-news-during-election-experts-say/2016/11/24/793903b6-8a40-4ca9-b712-716af66098fe_story.html
[6] http://www.usatoday.com/story/opinion/2016/10/24/russian-hacking-dnc-podesta-clinton-passwords-column/92647858/
[7] http://chicagoist.com/2016/12/12/joe_walsh_donald_trump_third_grader.php

Merry Christmas you guys. Maybe we'll see each other at Islands again.

Wednesday, December 07, 2016

Tyranosaurus'rex'

Today I discovered rex. This is the regular expression extraction command for Splunk. As I stared at these syslog records I wondered, how can I get the IP addresses out of that shiznit? rex was the answer.

A simple rex for a WatchGuard log to get the allow/deny on a report:

[the search] | rex field=_raw ".(?<action>Allow|Deny)."

Yes, that's a pipe, because you are piping the results through rex. The named capture group is what makes it work: rex stores whatever the group matches in a new field named after the group (here action), which you can then feed to stats or a report. Splunk just gets more and more fantastic.

Alas, I am at 82% of my license. I'm going to have to fork over another G-note to expand my collection. It's worth it because I love to bask in the orgy of denial.

Thursday, December 01, 2016

Chrome and Google DNS

You should lock down your DNS. No machine should be calling out directly to upstream DNS. Set up a local DNS relay so that all DNS goes through it, and that machine can then relay upstream to the ISP DNS.

That said, you may find one day that your box is calling out to DNS on 8.8.8.8 or 8.8.4.4. A quick ARIN lookup on those and you see it's Google. Turns out, if you are using Chrome, then you will see these DNS requests appear in your logs.

Chrome calls up to 8.8.8.8 and 8.8.4.4 to check "internet" health. If it can't get a connection to those IP addresses then it boldly proclaims there is no internet connection.
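The two ideas above, the rex extraction from the earlier post and the "only the relay talks DNS upstream" rule from this one, fit naturally into one piece of detection logic. What follows is an added example and not code from the posts or from Splunk or WatchGuard: it applies the same Allow|Deny named-group regex the rex command uses, this time in Python, to count actions, and then checks every port-53 flow against the relay policy, annotating the Google resolvers so an analyst can tell a Chrome connectivity probe from an unknown resolver. The log lines are constructed and only loosely modelled on WatchGuard traffic records, and the relay, upstream and host addresses are assumptions.

```python
import re
from collections import Counter

# The same single-field extraction the post hands to rex.
ACTION_RE = re.compile(r'(?P<action>Allow|Deny)')

# Fuller extraction of the flow tuple.  Field layout is an assumption,
# loosely modelled on WatchGuard traffic-log lines.
FLOW_RE = re.compile(
    r'\b(?P<action>Allow|Deny) \S+ \S+ (?P<proto>tcp|udp) '
    r'(?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) '
    r'(?P<sport>\d+) (?P<dport>\d+)'
)

LOCAL_RELAY = "10.0.0.2"          # the only box allowed to resolve upstream (assumption)
UPSTREAM = {"198.51.100.53"}      # the ISP resolvers the relay may use (assumption)
KNOWN_PUBLIC = {"8.8.8.8": "Google Public DNS", "8.8.4.4": "Google Public DNS"}

# Constructed sample lines.
SAMPLE = [
    'Dec  1 09:10:01 fw1 firewall: msg_id="3000-0148" Allow 1-Trusted 0-External udp 10.0.0.12 10.0.0.2 51234 53 dns/udp',
    'Dec  1 09:10:02 fw1 firewall: msg_id="3000-0148" Allow 1-Trusted 0-External udp 10.0.0.2 198.51.100.53 40001 53 dns/udp',
    'Dec  1 09:10:05 fw1 firewall: msg_id="3000-0148" Allow 1-Trusted 0-External udp 10.0.0.31 8.8.8.8 55012 53 dns/udp',
    'Dec  1 09:10:06 fw1 firewall: msg_id="3000-0148" Deny 1-Trusted 0-External tcp 10.0.0.31 8.8.4.4 55013 53 dns/tcp',
    'Dec  1 09:10:09 fw1 firewall: msg_id="3000-0148" Allow 1-Trusted 0-External tcp 10.0.0.12 203.0.113.80 55020 443 https',
]


def action_counts(lines):
    """What '| rex ... | stats count by action' gives you: a count per Allow/Deny."""
    counts = Counter()
    for line in lines:
        m = ACTION_RE.search(line)
        if m:
            counts[m.group("action")] += 1
    return counts


def extract_flow(line):
    """Return the named groups of FLOW_RE as a dict, or None if the line has no flow."""
    m = FLOW_RE.search(line)
    return m.groupdict() if m else None


def dns_policy_violations(lines):
    """Every port-53 flow that is not host->relay or relay->upstream, with a note
    saying whether the destination is a known public resolver.  Denied flows are
    reported too: the firewall stopped them, but the host still tried."""
    findings = []
    for line in lines:
        f = extract_flow(line)
        if not f or f["dport"] != "53":
            continue
        if f["dst"] == LOCAL_RELAY:
            continue                                  # host asking the relay: fine
        if f["src"] == LOCAL_RELAY and f["dst"] in UPSTREAM:
            continue                                  # relay asking upstream: fine
        note = KNOWN_PUBLIC.get(f["dst"], "unapproved resolver")
        findings.append((f["src"], f["dst"], f["action"], note))
    return findings


if __name__ == "__main__":
    print(dict(action_counts(SAMPLE)))
    for src, dst, action, note in dns_policy_violations(SAMPLE):
        print(f"{src} -> {dst}:53 {action} ({note})")
```

Hits tagged "Google Public DNS" from workstations running Chrome are the connectivity probes described above and are a tuning decision (block and accept the "no internet" banner, or whitelist the two addresses); hits on any other resolver are the ones worth chasing.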


Tuesday, November 29, 2016

401K and IRA

You asked why I don't like to invest money into 401K and IRA funds. Well, I do. The problem with a 401K is in the government management and oversight. The small business I own is designed for heavy weight at the top of the salary scale as it's a Subchapter S corporation. That means all of the profit passes through to the principal shareholder at the end of the fiscal year. That pushes my income to very high levels sometimes, much higher than the employees. As a result, the audit on the 401K causes a reimbursement of funds to make it "fair."

Every year I get a fat check back out of the 401K that I don't want. So what's the point of investing money into a retirement fund that refuses to grow past an arbitrary limit? It's a waste for me and so I don't put excess money into it.

The IRA is another fun vehicle. There are limits on how much you can put into that type of fund. Then you have to hope that it grows. I have a Legg-Mason IRA and for about 5 years it did nothing. It lost some money and then finally started to get some life. I'd rather not put money into an idle account like that when I have more fun things to do with it.

The best investment for your money is yourself. I like to use my money to invest in curious business plans, new pursuits with technology, and keeping myself from getting bored. I've spent a good amount of money over the years creating mobile games, experimental web applications, and new business ideas. Some of those ideas were met with government resistance and so I am burned out on them. The mobile games were expensive, but fun. There's very little opportunity in the mobile space. You have better luck playing blackjack with your money.

Instead of taking more money from my clients, I choose to throttle the money machine and slow down the burn. Helping my clients to maintain their cash flow means there is longer-term cash flow for my business too. Sure, I could take more money and put that into a 401K or IRA and get that reimbursement check every year. That doesn't really help me though. We all need long term cash flow opportunities, and we can get those only by taking what we need instead of taking all that we can get.

I hope that answers your question da, tineh, john, lucy ...