State Department Developing Cyber Toolkit

"An anonymous reader writes "The U.S. State Department, known for its recent
RFID passport embarassment, seems to have developed a key tool in the
Department of Homeland Security's cyber toolkit for federal agencies.
There's not much out there on it other than mention of a tool called
SandStorm in a recent press release from State's Bureau of Diplomatic
Security. According to the site, "SandStorm simultaneously collects,
correlates, and analyzes data on multiple computer systems and departs,
leaving no trace of its activities. The White House is championing this
cyber tool and the Department of Homeland Security has selected it as a
cornerstone application for a cyber toolkit being made available to all
Federal agencies." Sounds scary to me, but may be a step in the right
direction."

Press release meantioning SandStorm: http://www.state.gov/m/ds/rls/56504.htm

If this is true, it is pretty f'd up...

http://it.slashdot.org/

Imhotep

 

</paranoia>

TBH, one could describe Ethereal (or even more accurately, [Win]PCap) in
exactly the same terms..

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!

P.S. I'd probably pee myself laughing if this was a branded Unicenter
(etc.)... note that the article differentiates between the "tool" and what
the prize was awarded for!

P.P.S. After defining "MPs" - whatthehell is the "Bureau of Diplomatic
Security"? Someone who stops diplomats from being shot, or someone who
explains - in a very nice way - /why/ they're about to be shot unless they
keep their hands in plain sight...

 

perhaps, perhaps not....

Ethereal does not self install and deistall itself for steathly
purposes...and it is PCap...just because it was ported to Windows does not
mean it needs a "Win" in front of it :-o

Imhotep

Imhotep

 

True (I'm assuming that you know more about the "tool" than was mentioned in
the link). Although the library *is* known as WinPCap.

Has even got its own, rather posh, web site these days, as opposed to a
"personal" Italian site (http://www.winpcap.org/)

H1K

 

Yea, use it quite frequently (indirectly by a couple of security programs).
I always have referred to it by libpcap. I believe it's history was in *NIX
and later ported to Windows...

Im

 

Yup. Correct.

H1K

 

I've always wondered why it was in the *NIX to begin with. I thought raw
sockets were native to *NIX/BSD.

 

It was so you could "do things".

In olden times*, C was considered little more than a high-level assembler.
Lack of "What Happens If" assembler techniques have led to most of the
carnage we see in modern shiteware.

C was due to have died out in the onslaught of 4GLs.. about 1990, if memory
serves.

"A stone bridge still takes load, even after the invention of CFRP" ;o)

H1K

* Somewhere between Babbage and C21. It's amazing what you can do with
pointers; and depressing what you can do if you don't understand the
consequences ;o)

Never saw B (although BPL allegedly was based upon it), but A must have
kinda.. sucked )

 

The only reference to C21 I could find was "Century 21". Where you
speaking of CDR or one of the other dwarfs?

You talked about Babbage, I usually use Ada (Lady Lovelace) for similar
references. I wonder if Linda (the WaterGate breaker) is related to her?

As I read your 2nd statement. I was thinking about how useful pointers
are to hackers/crackers.

I only saw it mentioned in Dr Dobbs. Back when it was a small
newsletter. I think it was 6 or 8 pages stabled together.

 

In the Usenet newsgroup alt.computer.security, in article

C exists, despite the invention of thousands of prospective replacements
exactly because it still works quite well TYVM

It was developed for use by people with clue - a commodity in shockingly
short supply over the past 30 years.

(stolen from another newsgroup)

Oh, sweet innocence of youth - you never saw the 1972 pr0n flick? Let's
just say that a few seconds at google would correct your misunderstanding.

I think you really mean BCPL, as 'BPL' is a late invention based on Basic.
According to Dennis Ritchie, B was created as a 'cut down' version of BCPL
because they only had 4K of memory on their PDP-7. BCPL (Basic Combined
Programming Language) dates from 1967.

Old guy

 

Not so exactly... ;o)

You caught my typo (slaps head!*), but it stood for "British Computer
Programming Language". 'Twas more B than C (apparently), and published by
whoever did ProText under CP/M.

Remember, this was in the days before (e.g.) YACC! No since ADA has anyone
had to do so much, so unwillingly, for so little effect ;o)

H1K

*Just re-read - /my/ head! ;o)

 

In the Usenet newsgroup alt.computer.security, in article

I dunno - C was originally written with some slackness - but who do you
blame for buffer overflows? K & R for writing instructions that allowed
this, or the programmers who refuse to use improved instructions or at
least check the crap they get handed to avoid overflows? It's not as if
this were discovered only in the past ten years. Yet we are seeing the
same attack concepts exploiting overflows year, after year, after year.

That's the problem with acronyms - it really is to easy to confuse things.

Old guy

 

Agreed.. but it's not an attack against a given platform, but an attack
against consistently sloppy programming practices. (We could probably go on
all week about how C - in particular - makes this easier to do, but let's
not ;o)

In my own code, I have a "standard" socket read routine, that I know works;
in a "past life" at a news agency, I remember chopping some 500 lines (from
an 1100 line eventual program!) that were simple repeats, rewrites, and
"oopsies". Took about two hours.

FFS! Here I am, with a routine that has continued pretty much unaltered
since Delphi 1. And /definitively/ unaltered since Delphi 4. (I'm currently
adjusting to D2005. And sort of missing D6 ;o)

The problem isn't in the platform, it's in the programmers. There are more
Windows programmers out there (and bad ones - let's not complain about
people using the registry badly, but more about people ignorantly using it
incorrectly!), but it certainly isn't a platform thing. But you're much more
likely to get random fires from petrol/gasoline spillage than from, say,
mammoth-oil . It's all in the platform.

Someone writing Open Source certainly doesn't make them an instant Guru. Or
necessarily mean that their code is - in any meaningful way - peer-reviewed.

Cards on the table - my particular, Delphi-specific, SMTP server module has
been downloaded 2107 times, at time of writing. I don't claim it to be the
be-all and end-all. After all, you need to be a pretty serious server
programmer to even take note.

But I *will* happily contrast it with stuff that I *have* reviewed, such as
the FireFox IDN implementation.

By all means, protest (this isn't aimed at you, Moe!), but give me the means
to judge you - submit your own code, or code that *you* have reviewed. If I
don't find error, then by all means have a nice warm feeling )

And vice versa...

Reap/sow/submit (common UK phrase is "put up or shut up")

H1K

 

In the Usenet newsgroup alt.computer.security, in article

No, but if their code is accepted in a project, it certainly isn't the
stuff they teach in "Intro to Computer Programming Languages". Last
time I looked, I didn't see "hello, world" in the source for Apache
or Sendmail, or the FreeBSD (or Linux) kernels. ;-) With most open
source projects, the author usually has a choice of a number of chunks
of code written by others. Even if the author selects a piece of goat
droppings, someone else is going to come up with a replacement that at
least isn't quite as horrible. Presented to the author properly, it has
a chance of being adopted.

I suspect that Open Source code is peer-reviewed a lot more often than
closed source simply because it's possible to do so. Eric S Raymonds
wrote in "The Cathedral & The Bazaar" (O'Reilly, ISBN 1-56592-724-9,
October 1999, but available on the web)

8. GIVEN A LARGE ENOUGH BETA-TESTER AND CO-DEVELOPER BASE, ALMOST
EVERY PROBLEM WILL BE CHARACTERIZED QUICKLY AND THE FIX OBVIOUS TO
SOMEONE.

Or, less formally, "Given enough eyeballs, all bugs are shallow."

Want to review the entire distribution of a *BSD or Linux release? Not,
a problem (other than the enormous volume), because it's there. Fedora
Core 4 is a current Linux release and comes on nine CDs - 4 of binaries,
one is a rescue disk, and the other 4 are source (2.67 Gigs of binaries,
2.57 Gigs of bzip2 compressed tarballs), so it might be a daunting task.

But I don't think anyone would review an entire source tree. Someone
might look at a section pertaining to something they know about, or
when they are trying to figure what it was that caused the massive
explosion in the printer, or out of plain curiosity, but that's about it.

Glad you aren't asking me - my C skills are properly defined as "emergency
use only". I'm a networking admin, and while I do Bourne shell stuff, I'm
not paid enough to program ;-)

Old guy

 

While I have no knowledge of the cite posted, what I *will* say is that,
when I've personally checked (the FireFox IDN thing is a recent example),
I've seen examples of coding "oopsies" that even a remotely sane individual
would have noted and flagged. If such peer review were a fact.

Absolutely. Although, in Real Life (tm), it's a lot harder to see these bugs
(and that can be even simple ones, let alone the convoluted nonsense that
one gets in a "mature" codebase). I can even voulenteer the simlest of the
most obvious - one of our major products still proclaims a copyright date of
2004. Trivial, yes. On every bloody screen, yes. And missed by everyone (I
asked for it to be changed a mere 2 months into this year... we're now days
from 2006). We're not talking of a trivial userbase, either - it might be
low on the list of things to fox (but hasn't been flagged, that I know of),
but - of the multi-millions of users that out product has, who has seen fit
to report the problem?

Noone.

Yes, it's hightly trivial, but.. what about the [proposed] legions of
programmers that "everyone" puts forward as having checked OS code? I
deleted the FireFox source a while back, but there's an entry in the
now-recommended-disabled code that basically says "must remember to comment
this out". But it isn't. And, TBH, who the hell noticed?

Used to be that one peer-reviewed on a module fashion (can't say if it
happens now, but that was certinaly the vogue when I started coding
profrssionally in the late eighties)

My experience indicates that it's damned difficult to actually catch a bug -
you can catch a style that indicates a liekly proliferation of bugs ("Ravi
Patel", sometime before 1990; I have never before seen more GOTO labels in
FORTRAN than there are working lines of code. And, thank Dog, never since.
Fortunately, "nothing important" - /just/ the C2 system used by several
British county Police forces)

More's the shame - once upon a time, cutting code was viewed in a similar
way to architecture (a merging of art and engineering); then the HR weenies
got involved, and it became an engineering discipline without the
engineering structure. Bad move.

Dunno about where you live, but in the UK programming is paid in a similar
way to Dickensian clerks - I happened to luck-out in getting two very
technical jobs that allow me to keep up to date, while avoiding that whole
drift into Management (although, that said, the last couple of days was the
first time that I've built an ActiveX control)

<Shudder>.

There's also a lot more documentation on the Net than there was three years
ago.. but not for Delphi and building - rather than using - ActiveX.

In a frankly rather pathetic moment of pride, I'd like to think that I was
in some way still "up there" for learning a wholly new bit of methodology in
less than a day. Not that, you understand, the control is any good - I'd
/like/ it to take an LDAP call, Base64 decode it and *remember* what it's
done. Instead, I submit the retrieved string, decode it *every damned time*,
and /then/ report. Choice was get the job done and go on holiday to Spain
tomorrow [today!], or finesse the code.

Did I mention that I trained as a practical engineer? D

H1K

 

In the Usenet newsgroup alt.computer.security, in article

Has anything in the product changed this year? (I know, I see that one
fairly frequently.)

That might be one reason right there.

But how big was the code base? There's a heck of a difference trying
to stay aware of something in a program of 100,000 lines verses several
tens of millions. Late 80s? Heres a simple comparison:

73091 Aug 17 1991 linux-0.01.tar.gz
1259161 Mar 12 1994 linux-1.0.tar.gz
2354612 Aug 1 1995 linux-1.2.13.tar.gz
7269221 Nov 16 1998 linux-2.0.36.tar.gz
19343412 Mar 25 2001 linux-2.2.19.tar.gz
37009983 Jan 5 2003 linux-2.4.24.tar.gz
49087256 Nov 11 05:39 linux-2.6.14.2.tar.gz

You get quite a few lines in a 49 Megabyte tarball, and this does not
include the GNU C libraries this depends on.

I know what you are saying - but by the same token, it's not impossible.
I don't have a cite, but in November 2003, but someone "got to" the
Linux source tree, and inserted a backdoor. The file change was detected
by the versioning system (Bitkeeper), and my understanding is that the
flaw was detected AND UNDERSTOOD by several of the maintainers rather
quickly... try www.freedom-to-tinker.com/?p=472 according to google.

Well, as long as it wasn't important.

Any time HR gets involved, things tend to go down the tubes. We've had
similar problems here trying to work around the hoops. They wanted us
to install windoze on a couple of systems (we're totally *nix) so they
could use some resume parsing application that gets for buzzwords in Word
documents, and didn't understand that the people we're looking to hire
don't own a windoze box, and won't be using it to write the resume. Still
fighting that one.

Management doesn't promote technical types into their "lofty" realm. You
need "more appropriate training".

There is merit in that.

But then, there _are_ priorities.

No, but enjoy the trip to the Sunny South - winter is coming. In another
two or three weeks, I'm going to have to turn on the heaters in the
morning - temperature only got up to 30C today.

Old guy

 

(Sorry - not ignoring you, been away!)

Yep - semi-major releases every six months, temporary-fix [t-fix] releases
with either a bugfix or new functionality every week or two.

Hmm. Good question. probably in the region of 100-150k in toto, of which
only one section was something I hadn't touched at some point.

Thing is, though, this is was system for performing a specific task - the
Linux example above would include - I assume! - all of the layered stuff,
rather than just be the OS? In other words, lots of different things, whose
only common trait is that the sit on the same platform.

Oh, I've caught bugs that way myself - many, many times. My argument is that
it's simply not very efficient - and usually only works if you're looking
for a known specific bug.

You'd have to do it for love, rather than money. Unless you freelance, or
split out into management, there aren't a lot of openings for highly-paid
techies over here. I "got lucky" in my last two roles, after spending six
whole weeks being bored rigid as a Business Analyst. Wanted to get rid of
three-four hours on the train each day, commuting to work in a City of
London firm.

Just got back from Stanstead - yesterday I was sitting on a beach; a couple
of hours ago I was standing on the apron in 1C... brrrrr! )

H1K

 

Sounds like something fell off the checklist

Even a hundred thousand lines isn't something you can remember where
this or that function, or some information, might be hiding. Recently,
I had to fumble my way through a source looking to see if a variable was
hard coded or not. The only way I succeeded was because I can use a tool
named 'grep' to locate strings in a file. There were no less than 159
files in 14 subdirectories, totalling 78285 lines of C. And regarding
copyright data - each file had one, and if my scripting it right, five
files have been changed this year, but don't mention 2005 in the
copyright lines. You're not alone.

No, that 49 Meg tarball is just the kernel of the O/S. There is a lot more
needed to get the computer to even boot - never mind the the tools needed
to do anything. For one example, the source files for 'Fedora Core 4' (a
current Linux distribution) total 2.57 Gigabytes of tarballs. You don't
need all of that stuff - probably a mere 750 Megs worth would do. But I
also remember when a "distribution" was 50 or 70 floppies worth of source
which you downloaded over the phone.

Looking on Bugtraq, you'll occasionally see something that was discovered
in an audit of the source code. But thousands of times more often, it's
been discovered by someone looking to see why this or that happens.

In reality, it's like that most everywhere. I did hear that Google is
looking, and offering new grads a starting salary of six figures plus
stock (and the location 40 miles South of San Francisco - three miles
from where I used to live - is pretty good), but the burn out rate is
rather high too.

Can't say about the job, but the idea of working in the City is not all
that appealing. A commute that far (especially by train)... no, thank you.

Today's a holiday here, and this is the biggest travel weekend of the year.
I used to visit family on the East coast (six hours by air, not including
a plane change somewhere), but it's to cold for me any more. I go back
in mid-summer. My sister indicated temps in 5-10C range today. Heck,
my un-heated swimming pool is warmer than that, and I'm not going near it
because it's to cold.

Old guy

 

Agreed.. if OS. This was (extremely!) proprietary. Think "next competitor
catching-up, nail the b***ard!". That was pretty much our mission statement,
which was why we got the job instead of Development. Still remember the
comment from the Marketing chap when he discovered that it's not a good idea
to show high-level prospects their own page on a Development system. The
address of the insurance company was "underhanded", unstead of "Underhill".
One of the lasses had an outstanding claim on her car insurance...)

If one can be proud that one's software has been turned-off, then I'm fairly
damned happy that mine lasted just over ten years.. a big chunk of it is
still in operation, from 1992, but that particular bit was something that I
considered uniquely, well, /mine/. Won't bore you with the details, but
took 32k lines of code, beat it into around 5k of code that - in the overall
system - worked slightly in excess of 15 times faster, and was far more
resilient to boot.

Who gives a **** if you are entirely hack-proof (cough!), if one twat of an
Operator can delete the live database by mistake, and then do a runner?
Although I was denim-wearing Development, and not permitted to touch
Production (or, at the end, even Staging) systems, this is the origin of my
conviction about good backups.

TBH, I doubt that one soul on this planet noticed - but it's why I *always*
include backups in any general definition of "security". As an aside, the
xCI code (the one bit I didn't get involved in) was the bit that had..
issues.. when driven at high speed. Although I wouldn't be human if I said
that I didn't rather enjoy Chris' squirming at finding his software
crapping-out every three minutes or so.

I wouldn't recommend it for a life's ambition, but "evil" can but fun at
times.. or at least entertaining, hovering over someone's desk, asking "has
it crashed yet?" ;o)

Oh, and the reason that it crashed? You'll love this - buffer overflow.
Despite the obvious, the progger in question hard-coded a 16-unit queue. I'm
not Jewish, but.. schmuck!

"Variables won't, Constant's don't". C assumptions about cAPS-lOCK are still
a little frightening to an (cough) "alternative" language progger. Although
I don't do COBOL. Life's too short.

Yikes!

(And I /truly/ mean that).

WTF happened to the Mach kernel that everyone was on about a decade or so?
Did everyone get bored, or simply stop bothering?

Fads and fashion are one thing, but a kernel is.. well, just *is*. Bloody
NT4 all over again... let's face it - if IBM can do it on a Mainframe and
(stands to be corrected) hands the whole lot over to OS developers, then
someone's got a serious PITA. Their head.

Not sure I'd agree with that, at least in the UK. Last experience with
employing new grads was back (oh sh**, I /now/ feel old...) ten years ago.
Arrogance to ability ratio around 8:1; the latest types I've seen attain a
much higher number (!), but seem to fold into spin-speak when questioned.
Met Office reckon on a cold Winter. Could probably burn them for fuel, or
something ;o)

Anyway. Let's call a decent progger (as opposed to Developer = Systems
Analyst/Progger/Project Manager/PHB Victim) at around GBP12-18k. If you're
good at it, you'd earn more stacking supermarket shelves.

The Developer is more your burn-out candidate.. the good ones are *very*
good (I'm fortunate that several work for the same company; I'm now "field
sales" which - roughly translated, according to a colleague and good
friend - means "I make the lies come true" ;o)

'Twas the only way to make decent money. In the unlikely event that the
comment didn't translate too well, British "City" == USAian "Wall Street".

<snip bit about nice weather and Thanksgiving 'cos I'm feeling jealous>

<Dick van Dyke>
Avagudun..!
</Cor blimey, Mark Poppins>

H1K

 

Not sure how to read that - remember what microsoft did to Digital Research.
But then, Gary Killdall had a reason to be antagonistic.

Nah, that never happened in the "real world"... Surely.... <runs around
the corner and tries to stop snickering to loudly>

Leaving aside the "hack-proof" concept, I don't know of any company that
hasn't had an operator (or even root) take careful aim, and put a .45
caliber (11 m/m) chunk of lead squarely through the wobbley bits. Someone
in another newsgroup (yesterday) identified a similar problem as
"testicular malletosis".

The person was lucky - I still recall one of the 'registrars' who was
cleaning up after the Summer interns had left, deleting their old home
directories. People who wield UID 0 really need to look two or three times
before pressing that <Enter> key. Usual problem - an extra space in the
worst possible location - rm'd an entire hard drive (not just a directory
or partition - no, let's go for the whole d?mn thing) instead of a single
(ex-)users directory. Hey, there were only 250 users on that drive, and
they only lost everything between last nights backups and about 10 AM
when she hit the <Enter> key - and we were able to restore to last-night's
backup by about noon or so... I really thought we were going to have a
major incident then, as some of the users were somewhat more than "miffed".

"I am root. If you see me laughing, you better have a backup."

Top 100 things you don't want the sysadmin to say:
45. Was that YOUR directory?

I am constantly amazed that after (what) 33 years, this is still a problem.
This can't be news to the instructors of programming language classes, For
_years_ we've been screaming about checking/validating input before even
looking at it - yet someone asks in a newsgroup this morning asks what can
go wrong if allowed to pass unchecked user supplied variables to a PHP
script. "Nothing, of course - what could _possibly_ go wrong?"

"These are not the variables you are looking for... move along"

But then, how many programmer types are still calling whole d*mn modules
"test"?

One of the Linux FAQs still talks about running Linux on an 80386 with
4 Megs of RAM, though I think it recommends swap files to bring the total
up to 8 Megs of virtual memory. In fact, my home firewall is a 386SX-16
with 8 Megs of RAM (and 8 of swap), but most distribution installation
programs won't even start with less than 128 Megs.

That's straying into advocacy, but let's just say that Linus did a better
PR job, and has a clue about getting free programmers to work together.
Look at the ChangeLog file on a 2.6.x kernel, and you'll see literally
thousands of names. Mach never had a chance in that environment.

We still get new grads annually. Slight advantage - most of them did time
here as interns, so we know something about them. On the other hand, the
interns gain real-life experience, but are rarely in a position to do much
harm.

Don't those types normally end up in Sales/Marketing?

Problem with that is when you need to burn them, the state environmental
protection agency frequently has declared it a 'no burn' day because of
air quality. (Joking aside - many of the houses here have fireplaces, but
we rarely can use them. When it would be desirable, we usually have a
temperature inversion, trapping pollutants in the air, so the State Air
Quality Board bans fires, and recommends waiting until dark to refuel
cars, etc.)

Fsck! That's down near the Federal Poverty level. Flipping burgers is
another way to make more.

The poor sod who's got to deliver (at something remotely resembling the
schedule) that something that marketing sold, at a bottom line cost that
doesn't destroy the company. That's why I'm happy to be in an R&D
facility. Yes, we've got to deliver exciting new products, but inventions
don't have schedules.

A likely excuse.

Know it well enough. A neighbor (used to be?) a subscriber to the FTL.

This is the time of year we get the visitors - we call 'em "snow birds" -
from the North. You can spot 'em on the streets easy enough - they're the
ones in scanty clothing. The residents are the ones wearing jackets and
heavy coats. The real estate people love 'em, as they buy houses in this
place with the lovely weather. Come May when the thermometer hits 40C (or
July, when it hits 50), it's a different story for some reason.

Thankee, Guv'nr

Old guy