State Department Developing Cyber Toolkit

Discussion in 'Computer Security' started by Imhotep, Nov 10, 2005.

  1. Imhotep

    Imhotep Guest

    "An anonymous reader writes "The U.S. State Department, known for its recent
    RFID passport embarrassment, seems to have developed a key tool in the
    Department of Homeland Security's cyber toolkit for federal agencies.
    There's not much out there on it other than mention of a tool called
    SandStorm in a recent press release from State's Bureau of Diplomatic
    Security. According to the site, "SandStorm simultaneously collects,
    correlates, and analyzes data on multiple computer systems and departs,
    leaving no trace of its activities. The White House is championing this
    cyber tool and the Department of Homeland Security has selected it as a
    cornerstone application for a cyber toolkit being made available to all
    Federal agencies." Sounds scary to me, but may be a step in the right

    Press release mentioning SandStorm:

    If this is true, it is pretty f'd up...

    Imhotep, Nov 10, 2005

  2. </paranoia>

    TBH, one could describe Ethereal (or even more accurately, [Win]PCap) in
    exactly the same terms..


    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!

    P.S. I'd probably pee myself laughing if this was a branded Unicenter
    (etc.)... note that the article differentiates between the "tool" and what
    the prize was awarded for!

    P.P.S. After defining "MPs" - whatthehell is the "Bureau of Diplomatic
    Security"? Someone who stops diplomats from being shot, or someone who
    explains - in a very nice way - /why/ they're about to be shot unless they
    keep their hands in plain sight...
    Hairy One Kenobi, Nov 11, 2005

  3. Imhotep

    Imhotep Guest

    perhaps, perhaps not....
    Ethereal does not self-install and deinstall itself for stealthy
    purposes...and it is PCap...just because it was ported to Windows does not
    mean it needs a "Win" in front of it :-o


    Imhotep, Nov 11, 2005
  4. True (I'm assuming that you know more about the "tool" than was mentioned in
    the link). Although the library *is* known as WinPCap.

    Has even got its own, rather posh, web site these days, as opposed to a
    "personal" Italian site (

    Hairy One Kenobi, Nov 11, 2005
  5. Imhotep

    Imhotep Guest

    Yea, use it quite frequently (indirectly by a couple of security programs).
    I always have referred to it by libpcap. I believe its history was in *NIX
    and later ported to Windows...
    Imhotep, Nov 11, 2005
  6. Yup. Correct.

    Hairy One Kenobi, Nov 12, 2005
  7. I've always wondered why it was in the *NIX to begin with. I thought raw
    sockets were native to *NIX/BSD.
    fluidly unsure, Nov 14, 2005
  8. It was so you could "do things".

    In olden times*, C was considered little more than a high-level assembler.
    Lack of "What Happens If" assembler techniques have led to most of the
    carnage we see in modern shiteware.

    C was due to have died out in the onslaught of 4GLs.. about 1990, if memory

    "A stone bridge still takes load, even after the invention of CFRP" ;o)


    * Somewhere between Babbage and C21. It's amazing what you can do with
    pointers; and depressing what you can do if you don't understand the
    consequences ;o)

    Never saw B (although BPL allegedly was based upon it), but A must have
    kinda.. sucked :eek:)
    Hairy One Kenobi, Nov 14, 2005
  9. The only reference to C21 I could find was "Century 21". Were you
    speaking of CDR or one of the other dwarfs?

    You talked about Babbage, I usually use Ada (Lady Lovelace) for similar
    references. I wonder if Linda (the WaterGate breaker) is related to her?

    As I read your 2nd statement. I was thinking about how useful pointers
    are to hackers/crackers.
    I only saw it mentioned in Dr Dobbs. Back when it was a small
    newsletter. I think it was 6 or 8 pages stapled together.
    fluidly unsure, Nov 15, 2005
  10. Moe Trin

    Moe Trin Guest

    In the Usenet newsgroup, in article
    C exists, despite the invention of thousands of prospective replacements
    exactly because it still works quite well TYVM

    It was developed for use by people with clue - a commodity in shockingly
    short supply over the past 30 years.
    (stolen from another newsgroup)
    Oh, sweet innocence of youth - you never saw the 1972 pr0n flick? Let's
    just say that a few seconds at google would correct your misunderstanding.

    I think you really mean BCPL, as 'BPL' is a late invention based on Basic.
    According to Dennis Ritchie, B was created as a 'cut down' version of BCPL
    because they only had 4K of memory on their PDP-7. BCPL (Basic Combined
    Programming Language) dates from 1967.

    Old guy
    Moe Trin, Nov 15, 2005
  11. Not so exactly... ;o)
    You caught my typo (slaps head!*), but it stood for "British Computer
    Programming Language". 'Twas more B than C (apparently), and published by
    whoever did ProText under CP/M.

    Remember, this was in the days before (e.g.) YACC! Not since ADA has anyone
    had to do so much, so unwillingly, for so little effect ;o)


    *Just re-read - /my/ head! ;o)
    Hairy One Kenobi, Nov 15, 2005
  12. Moe Trin

    Moe Trin Guest

    In the Usenet newsgroup, in article
    I dunno - C was originally written with some slackness - but who do you
    blame for buffer overflows? K & R for writing instructions that allowed
    this, or the programmers who refuse to use improved instructions or at
    least check the crap they get handed to avoid overflows? It's not as if
    this were discovered only in the past ten years. Yet we are seeing the
    same attack concepts exploiting overflows year, after year, after year.
    That's the problem with acronyms - it really is too easy to confuse things.

    Old guy
    Moe Trin, Nov 16, 2005
  13. Agreed.. but it's not an attack against a given platform, but an attack
    against consistently sloppy programming practices. (We could probably go on
    all week about how C - in particular - makes this easier to do, but let's
    not ;o)

    In my own code, I have a "standard" socket read routine, that I know works;
    in a "past life" at a news agency, I remember chopping some 500 lines (from
    an 1100 line eventual program!) that were simple repeats, rewrites, and
    "oopsies". Took about two hours.

    FFS! Here I am, with a routine that has continued pretty much unaltered
    since Delphi 1. And /definitively/ unaltered since Delphi 4. (I'm currently
    adjusting to D2005. And sort of missing D6 ;o)

    The problem isn't in the platform, it's in the programmers. There are more
    Windows programmers out there (and bad ones - let's not complain about
    people using the registry badly, but more about people ignorantly using it
    incorrectly!), but it certainly isn't a platform thing. But you're much more
    likely to get random fires from petrol/gasoline spillage than from, say,
    mammoth-oil . It's all in the platform.

    Someone writing Open Source certainly doesn't make them an instant Guru. Or
    necessarily mean that their code is - in any meaningful way - peer-reviewed.

    Cards on the table - my particular, Delphi-specific, SMTP server module has
    been downloaded 2107 times, at time of writing. I don't claim it to be the
    be-all and end-all. After all, you need to be a pretty serious server
    programmer to even take note.

    But I *will* happily contrast it with stuff that I *have* reviewed, such as
    the FireFox IDN implementation.

    By all means, protest (this isn't aimed at you, Moe!), but give me the means
    to judge you - submit your own code, or code that *you* have reviewed. If I
    don't find error, then by all means have a nice warm feeling :eek:)

    And vice versa...

    Reap/sow/submit (common UK phrase is "put up or shut up")

    Hairy One Kenobi, Nov 17, 2005
  14. Moe Trin

    Moe Trin Guest

    In the Usenet newsgroup, in article
    No, but if their code is accepted in a project, it certainly isn't the
    stuff they teach in "Intro to Computer Programming Languages". Last
    time I looked, I didn't see "hello, world" in the source for Apache
    or Sendmail, or the FreeBSD (or Linux) kernels. ;-) With most open
    source projects, the author usually has a choice of a number of chunks
    of code written by others. Even if the author selects a piece of goat
    droppings, someone else is going to come up with a replacement that at
    least isn't quite as horrible. Presented to the author properly, it has
    a chance of being adopted.
    I suspect that Open Source code is peer-reviewed a lot more often than
    closed source simply because it's possible to do so. Eric S Raymonds
    wrote in "The Cathedral & The Bazaar" (O'Reilly, ISBN 1-56592-724-9,
    October 1999, but available on the web)


    Or, less formally, "Given enough eyeballs, all bugs are shallow."

    Want to review the entire distribution of a *BSD or Linux release? Not,
    a problem (other than the enormous volume), because it's there. Fedora
    Core 4 is a current Linux release and comes on nine CDs - 4 of binaries,
    one is a rescue disk, and the other 4 are source (2.67 Gigs of binaries,
    2.57 Gigs of bzip2 compressed tarballs), so it might be a daunting task.

    But I don't think anyone would review an entire source tree. Someone
    might look at a section pertaining to something they know about, or
    when they are trying to figure what it was that caused the massive
    explosion in the printer, or out of plain curiosity, but that's about it.
    Glad you aren't asking me - my C skills are properly defined as "emergency
    use only". I'm a networking admin, and while I do Bourne shell stuff, I'm
    not paid enough to program ;-)

    Old guy
    Moe Trin, Nov 17, 2005
  15. While I have no knowledge of the cite posted, what I *will* say is that,
    when I've personally checked (the FireFox IDN thing is a recent example),
    I've seen examples of coding "oopsies" that even a remotely sane individual
    would have noted and flagged. If such peer review were a fact.
    Absolutely. Although, in Real Life (tm), it's a lot harder to see these bugs
    (and that can be even simple ones, let alone the convoluted nonsense that
    one gets in a "mature" codebase). I can even volunteer the simplest of the
    most obvious - one of our major products still proclaims a copyright date of
    2004. Trivial, yes. On every bloody screen, yes. And missed by everyone (I
    asked for it to be changed a mere 2 months into this year... we're now days
    from 2006). We're not talking of a trivial userbase, either - it might be
    low on the list of things to fix (but hasn't been flagged, that I know of),
    but - of the multi-millions of users that our product has, who has seen fit
    to report the problem?


    Yes, it's highly trivial, but.. what about the [proposed] legions of
    programmers that "everyone" puts forward as having checked OS code? I
    deleted the FireFox source a while back, but there's an entry in the
    now-recommended-disabled code that basically says "must remember to comment
    this out". But it isn't. And, TBH, who the hell noticed?
    Used to be that one peer-reviewed on a module fashion (can't say if it
    happens now, but that was certainly the vogue when I started coding
    professionally in the late eighties)

    My experience indicates that it's damned difficult to actually catch a bug -
    you can catch a style that indicates a likely proliferation of bugs ("Ravi
    Patel", sometime before 1990; I have never before seen more GOTO labels in
    FORTRAN than there are working lines of code. And, thank Dog, never since.
    Fortunately, "nothing important" - /just/ the C2 system used by several
    British county Police forces)
    More's the shame - once upon a time, cutting code was viewed in a similar
    way to architecture (a merging of art and engineering); then the HR weenies
    got involved, and it became an engineering discipline without the
    engineering structure. Bad move.

    Dunno about where you live, but in the UK programming is paid in a similar
    way to Dickensian clerks - I happened to luck-out in getting two very
    technical jobs that allow me to keep up to date, while avoiding that whole
    drift into Management (although, that said, the last couple of days was the
    first time that I've built an ActiveX control)


    There's also a lot more documentation on the Net than there was three years
    ago.. but not for Delphi and building - rather than using - ActiveX.

    In a frankly rather pathetic moment of pride, I'd like to think that I was
    in some way still "up there" for learning a wholly new bit of methodology in
    less than a day. Not that, you understand, the control is any good - I'd
    /like/ it to take an LDAP call, Base64 decode it and *remember* what it's
    done. Instead, I submit the retrieved string, decode it *every damned time*,
    and /then/ report. Choice was get the job done and go on holiday to Spain
    tomorrow [today!], or finesse the code.

    Did I mention that I trained as a practical engineer? :eek:D

    Hairy One Kenobi, Nov 18, 2005
  16. Moe Trin

    Moe Trin Guest

    In the Usenet newsgroup, in article
    Has anything in the product changed this year? (I know, I see that one
    fairly frequently.)
    That might be one reason right there.
    But how big was the code base? There's a heck of a difference trying
    to stay aware of something in a program of 100,000 lines versus several
    tens of millions. Late 80s? Here's a simple comparison:

    73091 Aug 17 1991 linux-0.01.tar.gz
    1259161 Mar 12 1994 linux-1.0.tar.gz
    2354612 Aug 1 1995 linux-1.2.13.tar.gz
    7269221 Nov 16 1998 linux-2.0.36.tar.gz
    19343412 Mar 25 2001 linux-2.2.19.tar.gz
    37009983 Jan 5 2003 linux-2.4.24.tar.gz
    49087256 Nov 11 05:39 linux-

    You get quite a few lines in a 49 Megabyte tarball, and this does not
    include the GNU C libraries this depends on.
    I know what you are saying - but by the same token, it's not impossible.
    I don't have a cite, but in November 2003 someone "got to" the
    Linux source tree, and inserted a backdoor. The file change was detected
    by the versioning system (Bitkeeper), and my understanding is that the
    flaw was detected AND UNDERSTOOD by several of the maintainers rather
    quickly... try according to google.
    Well, as long as it wasn't important.
    Any time HR gets involved, things tend to go down the tubes. We've had
    similar problems here trying to work around the hoops. They wanted us
    to install windoze on a couple of systems (we're totally *nix) so they
    could use some resume parsing application that gets for buzzwords in Word
    documents, and didn't understand that the people we're looking to hire
    don't own a windoze box, and won't be using it to write the resume. Still
    fighting that one.
    Management doesn't promote technical types into their "lofty" realm. You
    need "more appropriate training".
    There is merit in that.
    But then, there _are_ priorities.
    No, but enjoy the trip to the Sunny South - winter is coming. In another
    two or three weeks, I'm going to have to turn on the heaters in the
    morning - temperature only got up to 30C today.

    Old guy
    Moe Trin, Nov 19, 2005
  17. (Sorry - not ignoring you, been away!)

    Yep - semi-major releases every six months, temporary-fix [t-fix] releases
    with either a bugfix or new functionality every week or two.
    Hmm. Good question. probably in the region of 100-150k in toto, of which
    only one section was something I hadn't touched at some point.

    Thing is, though, this was a system for performing a specific task - the
    Linux example above would include - I assume! - all of the layered stuff,
    rather than just be the OS? In other words, lots of different things, whose
    only common trait is that they sit on the same platform.
    Oh, I've caught bugs that way myself - many, many times. My argument is that
    it's simply not very efficient - and usually only works if you're looking
    for a known specific bug.
    You'd have to do it for love, rather than money. Unless you freelance, or
    split out into management, there aren't a lot of openings for highly-paid
    techies over here. I "got lucky" in my last two roles, after spending six
    whole weeks being bored rigid as a Business Analyst. Wanted to get rid of
    three-four hours on the train each day, commuting to work in a City of
    London firm.
    Just got back from Stanstead - yesterday I was sitting on a beach; a couple
    of hours ago I was standing on the apron in 1C... brrrrr! :eek:)

    Hairy One Kenobi, Nov 24, 2005
  18. Moe Trin

    Moe Trin Guest

    Sounds like something fell off the checklist
    Even a hundred thousand lines isn't something you can remember where
    this or that function, or some information, might be hiding. Recently,
    I had to fumble my way through a source looking to see if a variable was
    hard coded or not. The only way I succeeded was because I can use a tool
    named 'grep' to locate strings in a file. There were no less than 159
    files in 14 subdirectories, totalling 78285 lines of C. And regarding
    copyright data - each file had one, and if my scripting is right, five
    files have been changed this year, but don't mention 2005 in the
    copyright lines. You're not alone.
    No, that 49 Meg tarball is just the kernel of the O/S. There is a lot more
    needed to get the computer to even boot - never mind the tools needed
    to do anything. For one example, the source files for 'Fedora Core 4' (a
    current Linux distribution) total 2.57 Gigabytes of tarballs. You don't
    need all of that stuff - probably a mere 750 Megs worth would do. But I
    also remember when a "distribution" was 50 or 70 floppies worth of source
    which you downloaded over the phone.
    Looking on Bugtraq, you'll occasionally see something that was discovered
    in an audit of the source code. But thousands of times more often, it's
    been discovered by someone looking to see why this or that happens.
    In reality, it's like that most everywhere. I did hear that Google is
    looking, and offering new grads a starting salary of six figures plus
    stock (and the location 40 miles South of San Francisco - three miles
    from where I used to live - is pretty good), but the burn out rate is
    rather high too.
    Can't say about the job, but the idea of working in the City is not all
    that appealing. A commute that far (especially by train)... no, thank you.
    Today's a holiday here, and this is the biggest travel weekend of the year.
    I used to visit family on the East coast (six hours by air, not including
    a plane change somewhere), but it's too cold for me any more. I go back
    in mid-summer. My sister indicated temps in 5-10C range today. Heck,
    my un-heated swimming pool is warmer than that, and I'm not going near it
    because it's too cold.

    Old guy
    Moe Trin, Nov 24, 2005
  19. Agreed.. if OS. This was (extremely!) proprietary. Think "next competitor
    catching-up, nail the b***ard!". That was pretty much our mission statement,
    which was why we got the job instead of Development. Still remember the
    comment from the Marketing chap when he discovered that it's not a good idea
    to show high-level prospects their own page on a Development system. The
    address of the insurance company was "underhanded", instead of "Underhill".
    One of the lasses had an outstanding claim on her car insurance...)

    If one can be proud that one's software has been turned-off, then I'm fairly
    damned happy that mine lasted just over ten years.. a big chunk of it is
    still in operation, from 1992, but that particular bit was something that I
    considered uniquely, well, /mine/. Won't bore you with the details, but
    took 32k lines of code, beat it into around 5k of code that - in the overall
    system - worked slightly in excess of 15 times faster, and was far more
    resilient to boot.

    Who gives a **** if you are entirely hack-proof (cough!), if one twat of an
    Operator can delete the live database by mistake, and then do a runner?
    Although I was denim-wearing Development, and not permitted to touch
    Production (or, at the end, even Staging) systems, this is the origin of my
    conviction about good backups.

    TBH, I doubt that one soul on this planet noticed - but it's why I *always*
    include backups in any general definition of "security". As an aside, the
    xCI code (the one bit I didn't get involved in) was the bit that had..
    issues.. when driven at high speed. Although I wouldn't be human if I said
    that I didn't rather enjoy Chris' squirming at finding his software
    crapping-out every three minutes or so.

    I wouldn't recommend it for a life's ambition, but "evil" can be fun at
    times.. or at least entertaining, hovering over someone's desk, asking "has
    it crashed yet?" ;o)

    Oh, and the reason that it crashed? You'll love this - buffer overflow.
    Despite the obvious, the progger in question hard-coded a 16-unit queue. I'm
    not Jewish, but.. schmuck!
    "Variables won't, Constants don't". C assumptions about cAPS-lOCK are still
    a little frightening to an (cough) "alternative" language progger. Although
    I don't do COBOL. Life's too short.

    (And I /truly/ mean that).

    WTF happened to the Mach kernel that everyone was on about a decade or so?
    Did everyone get bored, or simply stop bothering?

    Fads and fashion are one thing, but a kernel is.. well, just *is*. Bloody
    NT4 all over again... let's face it - if IBM can do it on a Mainframe and
    (stands to be corrected) hands the whole lot over to OS developers, then
    someone's got a serious PITA. Their head.
    Not sure I'd agree with that, at least in the UK. Last experience with
    employing new grads was back (oh sh**, I /now/ feel old...) ten years ago.
    Arrogance to ability ratio around 8:1; the latest types I've seen attain a
    much higher number (!), but seem to fold into spin-speak when questioned.
    Met Office reckon on a cold Winter. Could probably burn them for fuel, or
    something ;o)

    Anyway. Let's call a decent progger (as opposed to Developer = Systems
    Analyst/Progger/Project Manager/PHB Victim) at around GBP12-18k. If you're
    good at it, you'd earn more stacking supermarket shelves.

    The Developer is more your burn-out candidate.. the good ones are *very*
    good (I'm fortunate that several work for the same company; I'm now "field
    sales" which - roughly translated, according to a colleague and good
    friend - means "I make the lies come true" ;o)
    'Twas the only way to make decent money. In the unlikely event that the
    comment didn't translate too well, British "City" == USAian "Wall Street".

    <snip bit about nice weather and Thanksgiving 'cos I'm feeling jealous>

    <Dick van Dyke>
    </Cor blimey, Mark Poppins>

    Hairy One Kenobi, Nov 25, 2005
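The hard-coded 16-unit queue from the post above, together with the buffer-overflow discussion earlier in the thread, as an added example that is not code from any poster: a small C model with the unchecked enqueue beside a bounds-checked one. The struct layout, the "neighbour" sentinel that sits right after the 16 slots, and the 8 words of slack are constructed for illustration so the overrun stays well-defined and observable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The hard-coded capacity from the anecdote. */
#define QUEUE_SLOTS 16
/* Model of the memory right after the queue: an unrelated variable, as it
 * would be on the stack or in a struct. Keeping it in the same array makes
 * the overrun well-defined C, so a test can observe it. Constructed values. */
#define NEIGHBOUR_INDEX QUEUE_SLOTS
#define NEIGHBOUR_VALUE 0xDEADBEEFu

struct queue {
    uint32_t mem[QUEUE_SLOTS + 8]; /* 16 slots, then the neighbour, then slack */
    size_t head;                   /* index of the oldest element */
    size_t count;                  /* elements currently queued */
};

void queue_init(struct queue *q)
{
    memset(q, 0, sizeof *q);
    q->mem[NEIGHBOUR_INDEX] = NEIGHBOUR_VALUE;
}

/* Is the variable after the queue still what it was? */
bool neighbour_intact(const struct queue *q)
{
    return q->mem[NEIGHBOUR_INDEX] == NEIGHBOUR_VALUE;
}

/* The unchecked enqueue: assumes no more than 16 items are ever in flight.
 * Driven faster than it is drained, the 17th write lands on the neighbour
 * (later ones go further; this model only has 8 words of slack after it). */
void enqueue_unchecked(struct queue *q, uint32_t v)
{
    q->mem[q->head + q->count++] = v;
}

/* The checked enqueue: refuses when full and wraps within the 16 slots, so
 * the write index can never leave the array. Returns false on "queue full". */
bool enqueue_checked(struct queue *q, uint32_t v)
{
    if (q->count == QUEUE_SLOTS)
        return false;
    q->mem[(q->head + q->count) % QUEUE_SLOTS] = v;
    q->count++;
    return true;
}

/* Dequeue the oldest element; false when empty. */
bool dequeue(struct queue *q, uint32_t *out)
{
    if (q->count == 0)
        return false;
    *out = q->mem[q->head];
    q->head = (q->head + 1) % QUEUE_SLOTS;
    q->count--;
    return true;
}

/* Push n items without draining, the way the fast producer in the story did.
 * Returns how many items the queue accepted. */
size_t burst(struct queue *q, bool checked, size_t n)
{
    size_t accepted = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (!checked) {
            enqueue_unchecked(q, i);
            accepted++;
        } else if (enqueue_checked(q, i)) {
            accepted++;
        }
    }
    return accepted;
}

int main(void)
{
    struct queue q;
    queue_init(&q);
    burst(&q, false, 17);
    printf("unchecked: neighbour %s\n", neighbour_intact(&q) ? "intact" : "clobbered");
    queue_init(&q);
    size_t n = burst(&q, true, 17);
    printf("checked: accepted %zu, neighbour %s\n", n, neighbour_intact(&q) ? "intact" : "clobbered");
    return 0;
}
```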
  20. Moe Trin

    Moe Trin Guest

    Not sure how to read that - remember what microsoft did to Digital Research.
    But then, Gary Killdall had a reason to be antagonistic.
    Nah, that never happened in the "real world"... Surely.... <runs around
    the corner and tries to stop snickering too loudly>
    Leaving aside the "hack-proof" concept, I don't know of any company that
    hasn't had an operator (or even root) take careful aim, and put a .45
    caliber (11 m/m) chunk of lead squarely through the wobbly bits. Someone
    in another newsgroup (yesterday) identified a similar problem as
    "testicular malletosis".
    The person was lucky - I still recall one of the 'registrars' who was
    cleaning up after the Summer interns had left, deleting their old home
    directories. People who wield UID 0 really need to look two or three times
    before pressing that <Enter> key. Usual problem - an extra space in the
    worst possible location - rm'd an entire hard drive (not just a directory
    or partition - no, let's go for the whole d?mn thing) instead of a single
    (ex-)users directory. Hey, there were only 250 users on that drive, and
    they only lost everything between last night's backups and about 10 AM
    when she hit the <Enter> key - and we were able to restore to last-night's
    backup by about noon or so... I really thought we were going to have a
    major incident then, as some of the users were somewhat more than "miffed".
    "I am root. If you see me laughing, you better have a backup."
    Top 100 things you don't want the sysadmin to say:
    45. Was that YOUR directory?
    I am constantly amazed that after (what) 33 years, this is still a problem.
    This can't be news to the instructors of programming language classes. For
    _years_ we've been screaming about checking/validating input before even
    looking at it - yet someone asks in a newsgroup this morning what can
    go wrong if allowed to pass unchecked user supplied variables to a PHP
    script. "Nothing, of course - what could _possibly_ go wrong?"
    "These are not the variables you are looking for... move along"

    But then, how many programmer types are still calling whole d*mn modules
    One of the Linux FAQs still talks about running Linux on an 80386 with
    4 Megs of RAM, though I think it recommends swap files to bring the total
    up to 8 Megs of virtual memory. In fact, my home firewall is a 386SX-16
    with 8 Megs of RAM (and 8 of swap), but most distribution installation
    programs won't even start with less than 128 Megs.
    That's straying into advocacy, but let's just say that Linus did a better
    PR job, and has a clue about getting free programmers to work together.
    Look at the ChangeLog file on a 2.6.x kernel, and you'll see literally
    thousands of names. Mach never had a chance in that environment.
    We still get new grads annually. Slight advantage - most of them did time
    here as interns, so we know something about them. On the other hand, the
    interns gain real-life experience, but are rarely in a position to do much
    Don't those types normally end up in Sales/Marketing?
    Problem with that is when you need to burn them, the state environmental
    protection agency frequently has declared it a 'no burn' day because of
    air quality. (Joking aside - many of the houses here have fireplaces, but
    we rarely can use them. When it would be desirable, we usually have a
    temperature inversion, trapping pollutants in the air, so the State Air
    Quality Board bans fires, and recommends waiting until dark to refuel
    cars, etc.)
    Fsck! That's down near the Federal Poverty level. Flipping burgers is
    another way to make more.
    The poor sod who's got to deliver (at something remotely resembling the
    schedule) that something that marketing sold, at a bottom line cost that
    doesn't destroy the company. That's why I'm happy to be in an R&D
    facility. Yes, we've got to deliver exciting new products, but inventions
    don't have schedules.
    A likely excuse.
    Know it well enough. A neighbor (used to be?) a subscriber to the FTL.
    This is the time of year we get the visitors - we call 'em "snow birds" -
    from the North. You can spot 'em on the streets easy enough - they're the
    ones in scanty clothing. The residents are the ones wearing jackets and
    heavy coats. The real estate people love 'em, as they buy houses in this
    place with the lovely weather. Come May when the thermometer hits 40C (or
    July, when it hits 50), it's a different story for some reason.
    Thankee, Guv'nr
    Old guy
    Moe Trin, Nov 25, 2005
