SEMiSLUG Notes

12 August 1999

Question & Answer Sessions

Is [UUNET] a permanent location?

Yes, the UUNET building is our latest permanent home.

Looking for an MPEG2 encoder for the PC. For a real OS.

Look for a board. If you're lucky, it'll have drivers for some sort of un*x.

The weirdest network problem Steve Arlow has seen: WFTK to an NT box (IIS?) behind a Cisco NAT, the initial control connection is terminated by a reset packet, presumeably from the Cisco. Promiscuous mode on the NIC card lets it work once. httpgw figures into the chain of events, somewhere. What's up?

Lots of speculation, but too many comments at once to try to sort them all out. Upshot: nobody really knows. Perhaps someone with a Gauntlet can try hitting the same site and track what happens.

Immediate job openings?

If so, contact Troy. If you get any e-mail from head-hunters, forward it to Troy.

Cult of the Dead Cow and BO2K are off the net. What's up?

Nobody knows. Maybe they switched to NT. Someone looked at their pager during the meeting and announced that BO2K is back.

Any pointers to DVD encryption specs?

Well . . . no.

What the hell is Mike Bernsen up to?

Making the digital equivalent of a VCR.

Sources for high-end Intel (something more than a desktop), fully configured, boxes (i.e. server boxes.)?

ASA, TESYS.

What's with the giant phallic symbol across the street?

It's an ancient $120,000 fertility symbol.

Has anyone else seen miserable packet loss on AT&T net lately?

Mike Wayne has seen it, but not everywhere.

Do are wonderful hosts have anything to do with MCI Worldcom frame relay going nuts at the stock exchange?

Nope.

Anyone got any references for discussions of domain name pollution?

Outside this room, not really.

Is anyone who is using the MediaOne cable modem seeing really terrible performance?

Yes. They're having buffer loading patterns.

Any recommendations for good, free ssh clients? (For NT)

Terraterm. Mindterm (some folks in Sweden) has a Java SSH client. Jay will post the

Anyone in Ann Arbor or Ypsilanti going xDSL?

Ameritech will not sell ADSL to anyone. Period. No matter what their publicity says.

There are other competitive carriers coming in, though.

What kind of Linux for playing around and learning?

Mandrake just got best product of the year. Caldera's installation is probably the best, and is usually pushed as a commercial product. Red Hat is also good, but avoid any of the x.0 releases. SuSE is very good if you speak Deutche.

Java development for the above?

Not very well supported at the moment. The easier would be the Visual Cafe tools.

Cyrillic?

Huh?

Presentation

Defcon 7: All the News That Fits (Becki Kain)

www.defcon.org

Flew in Thursday to the worst flooding they have had in at least 15 years, if not 100. It was of biblical proportions. The water was up to my knees in the streets, rushing by with all kinds of dust, dirt, and construction material in it. Very not cool. Ate at the very scary people buffet in the hotel where this couple next to us ate about 15 plates full of food and the man's shirt looked like it was going to bust off at any minute.

The organizers were completely unorganized and there was no registration Thursday. The other problem is a lot of people did not have their presentations together and said "It will be on the web site". Well, they aren't. The other thing to remember is whenever there was a crowd of more than one hundred in any one room, people would launch into "Spot the Fed" which was a very funny game. You yelled out that you spotted a Fed, of any kind, dragged the person or persons up onto whatever stage there was in the room, and usually Priest, the emcee, had to be there, and you and the audience got to ask the "Fed" questions to see if you're right. Some people were, some weren't, and Priest was real good about being cool about it. If you didn't want to say who you worked for, you just had to show your stuff to Priest and he would tell the audience, yes, this person was a fed. If you spotted a Fed, for real, you got a T-shirt that I said "I spotted the Fed" and the Fed got a shirt stating, "I am the Fed". Priest had a thing going where Fed's, in exchange for paraphernalia from their office, could go up to him, prove they were a Fed, just to get a t shirt. One guy, who worked for Naval intelligence was so dumb he basically gave out his home address. Here's a hint, if they are American Fed's, ask if they can carry a gun across state lines, legally.

Friday, there was finally registration and the conference started with Kevin Poulson and Jennifer Grannick discussing issues in Interrogations. She's his lawyer. They showed this cheesy "Unsolved Mystery" television clip of him getting busted as a teenager for stealing Ma Bell's equipment as a demonstration of giving up your fourth and fifth amendment rights during an interrogation. Bascially, the fourth says you have to have a lawyer, the fifth says you have the right to not incriminate yourself. She highly recommended, no matter what, even your as innocent as the driven snow, that if you are arrested, get a lawyer and say nothing until they show up. Nothing. The interrogators may lie to you and say that you have to talk, or you can't have a lawyer, or whatever, but don't listen to them. Now, and this part I'm a little fuzzy on still, you don't have to be read your Miranda Rights unless you are arrested. If you are brought in for questioning, you do not need to be Miranda'd, if I'm remembering this right, so you might not think to have a lawyer. Have ONE! Oh, and don't anyone in without a warrant. Read that warrant to see exactly what they are allowed to search/seize/etc..., don't just assume it's for anything they find.

Next thing was Daremoe talking about Appliance Firewalls. My notes are sketchy and his are none-existent. There will supposedly be a white paper at the end of this month at www.microsolved.com. He suggested simple stuff like Firewalkd, netcat, nmap and queso to port scan an appliance firewall.

Mojo, who was drunk off his behind, tried to talk about hacking windows shares. His notes are supposed to also be up on the web site, they aren't. I got a little from the talk. Win 95/98 cuts off passwords at 8 char. To look for drive keys, use nbstat and look for $. The LanManKey is blank, normally, if you can get into the system, you can turn it on. His personal, and somewhat obvious take on hacking machines was get a machine yourself of the OS you want to hack and break it. He suggested running regmon and looking for the keys in HTLocalMachine and HTLocalUser while you're installing software to see what changed in those keys. If a machine does not enter information into the registry, it stores it in an INF file. He suggested not installing anything in the default directories in a security through obscurity move for scanners and looking at ww.shadowco.org for a list of Master Keys.

Next was cyber forensics by Peter Stephenson. He was not a geek as much as a very stressed out investigator. He gave a lot of suggestions for computer security before and after a hack.

Saturday, we weren't let in for like an hour. Now, imagine a whole bunch of computer geeks, sweltering in the Nevada heat. At this point, the schedule began to fall completely apart.

Rooster talked about insecurities in networking devices. Simplistically, if something answers on layer 3 of the OSI model, it is a router, layer 2, it is a switch, where a router is defined as something that sits between 2 networks, and a switch segments the same network. SNMP messages are sent in clear text and community strings are usually not changed on most people's switches, routers, csu/dsu's and other network hardware. Even if you change read write, read only still means anyone can read anything on your equipment, just not change it, like your ip->mac table. There are enterprise MIBS, Cisco's #9 in the tree, you can ftp to ftp.cisco.com to get a list of the possible MIBS and do an SNMPwalk to traverse the tree on a piece of equipment. He suggests ACL lists and offhost logging since most network hardware does not come with enough memory to sufficiently log a big event, such as a hack. Segment your network, set your read only community string so that you can't be SNMPwalked. His email is rooster@resentment.org.

Dead Addict talked about SET and why it's not dead yet. He recommended egold.com for a talk on how currency works now. I didn't really pay much more attention than that.

DJ's/Bands started playing at noon in one of our three rooms so even though they were running behind, we lost a room anyway.

Peter Shipley did an introduction to TCP/IP exploits, which everyone was in. It was odd that so many people attended what was supposed to be a introduction and he was surprised. He went over the four types: Theft of Information, Destruction of Data, Alteration of Data and Denial of Service. To block a smurf attack, do not allow inbound broadcast packets. Shut off port 7, the echo port, to stop udp echo spoofing (in fact, shut off all ports you don't need. I was very unpleasantly surprised when someone on the DEC Alpha mailing list told me to leave time, daytime, echo, etc... open because they are just "internal use only"). Most of the current OS's are immune to syn flooding, block all fragmented packets at the firewall as there is no reason to allow them in. There are also micro packets that are too small to contain a full TCP header, block those. Get rid of clear text protocols and replace with ssh/secure crt... l0pht heavy industries has an arp cache poisoning program that a smart switch would block, but he wouldn't recommend what a smart switch is. Advantage to using an OS where you have the source is it's easier to remove promiscuous mode out of the kernel. Arpwatch is a program that lets you watch your arp table. he suggested hardcoding your mac addresses of your servers in the arp table to keep from having spoofs and the software to do that is on phrack. Don't allow packets from your site that don't originate in your network (which breaks email forwarding, so I just found out from Ford) and the RFC's on SNMP are 1155, 1157, 1901-1910.

Somebody did a speech on nmap, that you can get from insecure.org. it was pretty lame, since he just went over what was in the man page, but it did show you how to scan for back orifice.

Bruce Schneier just took questions from the audience. Anyone who has not heard him needs to. He's one of those people who are so smart that it hurts, but at the same time, tries to draw everyone around him into crypto. He shot down any idea that a true "good" algorithm could not be published for peer review and was hopeful that the 16 year old girl in Ireland, once her algorithm was known and probably cracked, would still need trying because she probably was very good. Every bit you add to a key doubles the time/work it takes to crack it. 90 bits is good enough for now. He recommended a book called Cryptonomicon by Neal Stevens (?).

On Sunday, the scheduling was just non-existent. everything was switched from rooms and times and most things were cancelled. It was good to just drink beer and hope for the best.

A guy from Zero knowledge spoke about this incredibly cool service they offer where they have a bunch of servers set up everywhere (and you can sign up to be a server) and each server only knows about the next server, not anything else on the network. The set of routes through these servers is changed every half hour so it's not traceable and it's common for servers to just drop off for a while. You sign up, pay them some amount of money for tokens, and you can route your traffic through them, anonymously. You also get a set of routes, for your traffic, and you can choose who to use and who not to use. They even accept credit cards, but verify in a way that they don't have the knowledge associating the tokens back to the cards, the expiration date of the token is built into it.

There was a huge and ongoing thread of anger against the Church of Scientology shutting down the big Finland anonymous server.

Jonathan Wignall spoke about extra border hacking, like posting false data about companies in news groups, searching whois records for data about companies and employees, searching dns records for machine names, poisoning dns caches.

Priest said "Feds are like Canadians, they walk invisibly among us."

The wearable computer dude Steve Mann video conference into the show after they fixed the DOS that someone did to the defcon outside router. one of the big side effects from his work on wearable computers is he's working with battery manufacturers on long life yet light batteries he can wear and wants to set up a wearable 16 cpu beowolf cluster.

The big news, of course, was Cult of the Dead Cow and their BO2K announcement. It was showy and big and Vegas styled, but their software is really cool. The web site is www.b02k.com, but right now, it and cultdeadcow.com is down. (anyone know what happened to them?) You can goto www.bo2k.org for a mirror site of most of the stuff. The very cool things, from a system administrator point of view of the software is:

The bad, or at least interesting issue with it is exploits a known hole in WinNT where you can piggyback the BO product onto a running process by starting another thread onto the first process and hide, if you want, the BO product. This exploit is also used by at least one of the commercial products. BO can also run a tcp/ip session over ICMP, thus making it harder to block.

*whew*

Rumor & Innuendo (No names, please)

[ Return to the SEMiSLUG minutes page ]