


Chat spam fail

Posted in Rants on August 16th, 2008

I tend to leave my chats signed in, just throw up a ‘not here now’ sort of message. Or just walk away from the computer and forget about them. Sometimes, this leads to amusing things.

Recently, I’ve been getting hit with tons of one-line spammers telling me to chat particular yahoo accounts. Yeah, sure, that’s going to happen.

This morning though, I got this amusing tidbit:

(04:38:36 AM) honneybunss22: hihi! you’re from chat right?
(04:41:40 AM) honneybunss22: cool, sorry i type a little slow. 18f in college here, what are you up to?
(04:47:38 AM) honneybunss22: u wanna se more? i’m feeling kinda wild right now
(04:50:37 AM) honneybunss22: i’m gonna send you a cam invite here k?
(04:53:34 AM) honneybunss22: ok sent, did you get it?
(04:56:32 AM) honneybunss22: hmm.. let me try again, hang on
(04:59:35 AM) honneybunss22: what about now?
(05:02:39 AM) honneybunss22: ugh, this is stupid, this always happens to me when i use yahoo
(05:11:42 AM) honneybunss22: k, you just need a CC or debit to verify ur over 18, even an expired one works. we can’t have little ones seeing what im about to do lol
(05:14:35 AM) honneybunss22: let me know when u make ur username, so i can link u to my cam profile
(05:20:34 AM) honneybunss22: ok you’re good to go

No, I didn’t redact or change anything.

Let me count the fails:

1) It’s acting as if I sent it messages in response… no messages were sent.
2) It takes it almost an hour to go through the whole sequence (I wonder if it would have gone quicker if a cat had walked on the keyboard)
3) They don’t ever tell me where the site is, just that I should go there.
4) Granted, I suppose court cases have decided that providing a CC is proof of age? But I’m sure that if little Johnny wanted to be a brat, he could snag a CC from a wallet or purse, especially at 5am in the morning.
5) Grammar, I know mine is sometimes a little off, but at least a bot could be kind enough to use complete words instead of sms-speak.

I know, boring, but it amused me this morning as I was vaguely waking up.

Countdown…

Posted in Geekery, Security on August 4th, 2008

RSA, as many of you may have heard in other blogs, was a silly rehash of vague promises of ‘securing your enterprise’ and ‘vertical security’ without anyone actually being willing to put on their material what their products did and didn’t do. I don’t like it when I look at a booth and I see nothing that indicates what technology or technologies are being sold. If you’re a VPN product, tell me you’re a VPN product, don’t advertise as “securing your remote users”. It’s way too vague, and on top of that, it’s probably not true.

Tomorrow I depart for Blackhat and defcon. I expect to see no fluff, no vague promises of security as a service, or other over-generalized hogwash as an attempt to lure me in and waste my time on a product space that either I’ve already bought, already discarded, or have been told I have no budget to purchase. I do expect some vendors, providing parties (yay!) and useful information about their products. I expect some excellent talks (anyone that hasn’t heard that Dan Kaminsky will be talking about the DNS flaws at blackhat has been living under a rock for too long) on a wide range of topics, some of which will not be of interest and some of which will undoubtedly be way over my head (but I like the feeling of drowning in information technology overload).

For the first time, one of my co-workers will be in attendance, and my boss. Oh joy.

My plan is to post some highlights of things that especially catch my attention. Hopefully you’ll find them as interesting as I do or did when I see them. (What is the correct tense when talking about things in the future that will be in the past when you will be talking about them?)

Robust Programming

Posted in Security on January 23rd, 2008

I was perusing some job descriptions recently, and ran across the interesting phrase “robust programming”.

The way it was used in the job description suggested that it meant more than my immediate thought on the topic. Since robust means sturdy and able to withstand change, I took it to mean a form of fail-safe programming: you program to handle errors gracefully and properly, and you try to write programs that are difficult to break. Being curious, I went out into that great big research resource (aka The Internet) and did a couple of searches to see if I could find more information.

Of course, I did.

First stop, wikipedia:

In computing terms, robustness is the resilience of the system under stress or when confronted with invalid input. It is the ability of the software system to maintain function even with the changes in internal structure or external environment. For example, an operating system is considered robust if it operates correctly when it is starved of memory or disk storage space, or when confronted with an application that has bugs or is behaving in an “illegal” manner, such as trying to access memory or storage belonging to other tasks in a multitasking system.

Ages ago, when I was learning object oriented programming for the first time, I recall learning about Parnas’ Principle which states:

  • The developer of a software component must provide the intended user with all the information needed to make effective use of the services provided by the component, and should provide no other information.
  • The developer of a software component must be provided with all the information necessary to carry out the given responsibilities assigned to the component, and should be provided with no other information.

So, both sides of an object, a function, a method, a procedure, a program, etc. should give the other side all the information they need to take the expected action, and only the information needed. This fits in very well with security models: only tell them what they need to know to do what they are supposed to do, and only accept the information that is necessary for the action.

In my searching, I ran into what seems like a very thorough covering of the topic of robust programming by Matt Bishop at UC Davis.

It’s interesting reading, and makes you realize how fragile typical programming really is. One thing that I hadn’t thought about previously: when you get a data structure as part of an interface to a library, how much can you mangle the structure by filling it with inappropriate values and get ‘unexpected results’ which can be used to your advantage?
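
The point about mangling a structure handed across a library interface, as an added example (not code from the original post or from the write-up it mentions): a queue that exposes its record to the caller, next to one that keeps its state private behind an opaque token and checks every argument. All names here (`FragileQueue`, `create`, `put`, `get`, `QueueError`, `MAX_SIZE`) are hypothetical.

```python
import secrets

MAX_SIZE = 1024  # assumed upper bound for this example
class FragileQueue:
    """Fragile: the caller holds the record and can write any field."""
    def __init__(self, size):
        self.buf, self.head, self.count = [None] * size, 0, 0

def fragile_put(q, item):
    q.buf[(q.head + q.count) % len(q.buf)] = item
    q.count += 1

def fragile_get(q):
    item = q.buf[q.head]  # trusts whatever the caller left in q.head
    q.head = (q.head + 1) % len(q.buf)
    q.count -= 1
    return item

class QueueError(Exception): pass  # raised instead of acting on bad input

_queues = {}  # opaque token -> private state, never handed to the caller

def create(size):
    if type(size) is not int or not 1 <= size <= MAX_SIZE:
        raise QueueError("size must be an int in 1..%d" % MAX_SIZE)
    token = secrets.token_hex(8)
    _queues[token] = {"buf": [None] * size, "head": 0, "count": 0}
    return token

def _state(token):
    state = _queues.get(token) if isinstance(token, str) else None
    if state is None:
        raise QueueError("unknown queue token")
    return state

def put(token, item):
    s = _state(token)
    if s["count"] == len(s["buf"]):
        raise QueueError("queue full")
    s["buf"][(s["head"] + s["count"]) % len(s["buf"])] = item
    s["count"] += 1

def get(token):
    s = _state(token)
    if s["count"] == 0:
        raise QueueError("queue empty")
    item = s["buf"][s["head"]]
    s["head"] = (s["head"] + 1) % len(s["buf"])
    s["count"] -= 1
    return item
```

With the fragile version, a caller that sets `head` to `-1` gets the wrong slot back with no error; the token version has no field for the caller to set and refuses anything it did not issue.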

Hopefully, with more use of test-driven development, pair programming, robust programming, and people focusing on writing bomb-proof code, we will see fewer security issues in software.

Honestly, I’m not holding my breath because everyone seems to think that their code is either invulnerable, or not important enough for someone to care about how secure it is.

Orzo Pasta Salad

Posted in Cooking on January 23rd, 2008

I recently had a party for a bunch of friends, and while I like pasta salads they have in the past gone largely untouched. This makes me sad, so I decided to throw together a different kind of pasta salad, thinking that possibly that was the problem. (Not everyone likes the typical mayonnaise-coated pasta salads, though I admit to being similarly picky.)

I decided on something vaguely Mediterranean themed, but without the olives (because I can’t stand them). The ingredient list I came up with was:

  • Orzo
  • Olive Oil (Good quality extra virgin)
  • Garlic, minced
  • Basil, chiffonade
  • Salt and Pepper, ground
  • Artichoke hearts, sliced
  • Feta, sliced (a good feta, please)
  • Prosciutto, sliced into thin strips
  • Lightly Roasted Pine Nuts
  • Optional: Olives, also sliced.

Chop the garlic and basil and dump into a bunch of olive oil and let sit as you cook the orzo per the directions. You can work on prepping the artichokes, the feta, the prosciutto, and *shudder* the olives while the orzo is cooking. (Honestly, I also did the olive oil, garlic, and basil while the pasta was cooking as well.) Pour the hopefully seasoned olive oil, with all the seasonings, over the orzo and stir. Use a big bowl with lots of room, think of it as similar to making sushi rice where you want to get it nice and fluffy. Add more olive oil and basil chiffonade as appears reasonable. Dump in the artichoke hearts and stir through. Salt and pepper some, remember that the feta and prosciutto are going to add to the flavors. Once the orzo has cooled sufficiently (this may be aided with a refrigerator) add the feta and the prosciutto, again stir through. Do a final taste and season with salt and pepper, and if anything else in the spice rack looks like it should be added feel free to improve(-ize). Chill for a couple hours and serve.

Mounting at an offset

Posted in Geekery on June 13th, 2007

A couple days ago my officemate had a computer blow up. The typical “oh I smell the ozone” sort of power supply death syndrome. No big deal, he’s a good computer guy, yank the hard drives out, throw them into external enclosures, and bring them up on another machine to grab the desired data.

Unfortunately, the disk with the work data on it decided that it didn’t like this tactic at all, and said no to mounting. He worked at it a little bit, and then handed it to me.

Now I’m sure all of you have been handed a reasonably big disk to deal with forensically, you copy the disk so you can work on a copy of the copy and have a copy to copy to start work on again when you totally bork the situation and want to start over from scratch (which is why you copy from the original to start off with, and why did you copy the copy? Cause an external Firewire or USB 2.0 isn’t going to be as fast as an internal disk-to-disk copy of that same 200+GB.)

Hit it up with the usual tools, mmls[1] to show me what the partition table looked like in the file, then fdisk to go in and look at it again:


    fdisk image.dd

    The number of cylinders for this disk is set to 378602.
    There is nothing wrong with that, but this is larger than 1024,
    and could in certain setups cause problems with:
    1) software that runs at boot time (e.g., old versions of LILO)
    2) booting and partitioning software from other OSs
    (e.g., DOS FDISK, OS/2 FDISK)

    Command (m for help): p

    Disk /dev/sdd: 250.0 GB, 250059350016 bytes
    86 heads, 15 sectors/track, 378602 cylinders
    Units = cylinders of 1290 * 512 = 660480 bytes

    Device Boot Start End Blocks Id System
    /dev/sdd1 * 1 208090 134217727+ 4 FAT16 <32M

After changing the partition type to 0x07 (NTFS), it was time to rip that partition out again, and mount it up. Start ‘dcfldd if=image.dd of=image.c.img bs=512 skip=1 status=on’[2] (this time it’s not a forensics case; I’m just trying to get some files for a friend, so who cares about MD5 hashes). Sit back and wait, and wait, and wait.

I admit it, I’m not patient a lot of the time. When I start something like this I want it done, I don’t want to have to wait, so I tend to keep fiddling with something while the long process is running. This time it definitely paid off.

I went looking for what the bits were that indicated the start of an NTFS filesystem, and found a little write-up ( http://www.ntfs.com/ntfs-partition-boot-sector.htm ) that told me precisely what I wanted to know. With a little bit of knowledge and knowing a few tools you can get into a lot of trouble :), so I whipped out head, and hexdump, and less, and put together:

    head -500k image.dd | hexdump -C | less

And started looking for the header, and found it at 0x7e00 … which with a little math one figures out is 32k bytes into the file. You’ll also note that this is not where I started to cut the file apart with dd; I started at byte 512. Since I’d been letting the earlier dd run for most of the day while working on other things, I didn’t really want to restart it at the new offset, so I went looking for an alternative… and found it!

    mount -t ntfs -o loop,ro,offset=0x7e00 image.dd /mnt

Yup, that’s right, you can mount starting at an offset. If you happen to know where the filesystem header is, just point mount at it and let it figure it out. That worked great: the entire contents of the filesystem were there, and I started tarring off the files from it that my officemate wanted. But now I had a thought: if I can fix the partition table of the original disk, then I can hand him the external disk in an enclosure and it gets even easier. A little trip into fdisk again, and I am able to again try to mount the actual drive… and it doesn’t like me. I think it had something to do with that starting sector being set to 1. On a whim, I decided to try:

    mount -t ntfs -o ro,offset=0x7e00 /dev/sdd /mnt

and discovered that it will do the same thing with hardware as with a loop interface. I don’t think I’m fearless enough that I’m willing to try to mangle the partition table to point it at the right location. I’ll let the tar finish, and give my officemate the tar so he can have the files he cares about back, and we can wipe the drive and start over entirely.
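
An added example, not part of the original post: the hexdump search above done as a script, which scans an image sector by sector for an NTFS boot sector (OEM ID `NTFS    ` at byte 3, `55 AA` at byte 510) and checks whether any MBR partition entry actually points there. The function names and the constructed sample image (table entry starting at sector 1, NTFS at sector 63) are assumptions for illustration.

```python
import struct

SECTOR = 512

def mbr_partitions(image_path):
    """Return (slot, type_id, start_lba, sector_count) for each used MBR entry."""
    with open(image_path, "rb") as f:
        mbr = f.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature in sector 0")
    entries = []
    for slot in range(4):
        raw = mbr[446 + 16 * slot:446 + 16 * (slot + 1)]
        start_lba, count = struct.unpack_from("<II", raw, 8)
        if raw[4] != 0:  # type 0x00 marks an unused entry
            entries.append((slot + 1, raw[4], start_lba, count))
    return entries

def find_ntfs_boot_sectors(image_path, max_sectors=4096):
    """Scan the first max_sectors sectors; return byte offsets of NTFS boot sectors."""
    hits = []
    with open(image_path, "rb") as f:
        for lba in range(max_sectors):
            sector = f.read(SECTOR)
            if len(sector) < SECTOR:
                break
            # NTFS boot sector: OEM ID "NTFS    " at byte 3, 0x55AA at byte 510.
            if sector[3:11] == b"NTFS    " and sector[510:512] == b"\x55\xaa":
                hits.append(lba * SECTOR)
    return hits

def mount_hint(image_path):
    """Pair each NTFS offset found with whether a table entry starts there."""
    claimed = {start * SECTOR for _, _, start, _ in mbr_partitions(image_path)}
    return [(off, off in claimed) for off in find_ntfs_boot_sectors(image_path)]

def build_sample_image(path):
    """Constructed sample: table says sector 1, NTFS really begins at sector 63."""
    mbr = bytearray(SECTOR)
    mbr[446] = 0x80                                   # bootable flag
    mbr[446 + 4] = 0x04                               # type 0x04, as fdisk showed
    struct.pack_into("<II", mbr, 446 + 8, 1, 2048)    # start LBA 1, 2048 sectors
    mbr[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[0:3], boot[3:11] = b"\xeb\x52\x90", b"NTFS    "
    boot[510:512] = b"\x55\xaa"
    with open(path, "wb") as f:
        f.write(mbr + bytes(62 * SECTOR) + boot + bytes(8 * SECTOR))
```

An offset that no table entry claims, such as `0x7e00` in the sample, is the value to pass to `mount -o loop,ro,offset=...`.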

[1] mmls is part of The Sleuthkit, available at: http://www.sleuthkit.org/sleuthkit/index.php
[2] dcfldd is an ‘improved’ dd, which includes things like status, and hashing of the data transferred. It’s available at: http://dcfldd.sourceforge.net/