View Ron Dilley's profile on LinkedIn


2021-05-29 SSH Canary(sshcanary) v0.6 has been released!

I just pushed an updated version to sshcanary with some random ssh banners and minor improvements. This is a handy way to see who is banging on your ssh servers including the usernames and passwords they are using.

2021-01-14 Log Templater(tmpltr) v0.10 has been released!

I just pushed an updated version of tmpltr with performance improvements (thanks Tom)!

2018-12-10 Log Pseudo Indexer(logpi) v0.6 has been released!

Searching through a large dataset was taking too long, so I updated and released a small utility that will index addresses in arbitrary formatted text data. Once a pseudo index has been generated, finding interesting data is pretty quick. Very helpful when you want to find the bad guys.

2018-01-03 Wirespy(wsd) v0.6 has been released!

I spent some time over the holiday to finish the new version of wirespy. It now supports off-line mode using PCAP files, logs more metadata including TCP flows and can save flow state across executions.

2016-07-06 Difftree(dt) v0.5.8 made it into a trade journal!

Difftree earned 5 stars in Linux Pro Magazine's July issue #188 with a nice quote "Difftree is convincing due to its speed, flexibility, and simple operation. Numerous examples on the project site and man page help out with the first steps."

Difftree Review

* Image included with permission from linuxpromagazine.com

2016-03-27 PDF Carver(pdfcarve) v0.7 has been released

I had a need to extract a malicious binary from a PDF file at CanSecWest this year and was inspired to dust off my PDF carving code and fix some bugs.

2015-12-29 Difftree(dt) v0.5.8 has been released

I just finished updating difftree to play nicely with ATIME and to report on changes. This come in handy when you need to see when a file was accessed across a series of time periods. Run difftree every day and it is simple to see what has happened in a directory tree over time.

2015-08-23 Difftree(dt) has moved from SourceForge to GitHub

I have started moving the many of my projects that could benifit from more community involvement to GitHub. Difftree is the second project to make the trek and I can't wait to see how it improves over time!

2015-08-23 Log Templater (tmpltr) has moved from SourceForge to GitHub

After being forced to use GitHub to help port passivedns to OpenBSD, it is clear that GitHub is far better than SourceForge.

2015-07-26 Freshening The Wiretappers Toolkit (TWT)

I have been modernizing The Wiretappers Toolkit (TWT) and just finished standing up a new packet vacuum for my home office. CappuccinoPC makes a nice small form factor fanless machine.
The machine includes an Atom D525, 4Gb Ram, 4xUSB, 4x1Gb Ethernet, RS232 and room for one 2.5" HDD:

Packet Vacuum

I added a 2TB HDD for $110 and an extra external heat-sink for $8. Out the door for $440.

2014-12-03 Selling Packet Vacuums Door-to-Door

Thanks to the IANS Faculty for inviting me to speak about my second most favorite incident response tool (Packet Vacuums)!

2014-09-18 Enough with the BSoD!

I gave up in frustration at my Intel Extreme MB with the BSoD, hangs, thermal events and on and on. So, time for an upgrade! I switched to an ASUS Rampage Black Edition. Along with the MB, CPU and Ram, I upgraded my SDD and HDD configuration. Boot speed times are as follows:.

2 x 500Gb Samsung 840 EVO SSD (Raid-0) Sample 1 Sample 2 Sample 3 Average
Boot to Login 27.70 sec 25.80 sec 27.00 sec 26.30 sec
Login to Desktop 3.40 sec 2.50 sec 2.70 sec 2.70 sec
Login to Chrome Open/Page Loaded 4.50 sec 4.10 sec 4.10 sec 4.20 sec

Now the really important thing is how does this new computer run for gaming? Well, here is the benchmark for the default motherboard confuguration (no overclocking):

Firestrike Benchmark

The 2 x RAID-0 Samsung SSD performed much better than the 4 x RAID-0 drives I had previously used:

SSD Read Graph

An additional surprise was how well the 4 x RAID-5 Samsung 2.5" HDD performed:

HDD Read Graph

2013-12-31 Log Templater (tmpltr) v0.6 is now available

I have been laying some ground work for implementing log chain templates in the next version of Log Templater. Part of that work includes adding support for more field types (IPv4, IPv6, MAC Address and HEX numbers). These changes clean up the templates and make it simpler and faster to find some key data when responding to a threat.

2013-04-03 Geeking out with Marcus Ranum - Take 2

My last session with Marcus in February may have lacked "Marcus", but there was enough participation and positive feedback that he asked me to come back and have a more detailed discussion. This time, we had a chance to dig much deeper into the topic and came up with a couple of interesting ideas that we are now percolating on. Perhaps this will lead to a new tool in our kit.

The webcast is available and who knows what may come next.

2013-02-19 Geeking out with Marcus Ranum

I was looking forward to spending some quality geek out time with Marcus today talking about logging and log analysis. Unfortunately, Marcus fell victim to the Webcast gremlins at a hotel in Germany and was not able to join me. I still had a good time talking with Allan about all things "logging" but I am looking forward to geeking our with Marcus some other time.

The webcast has been posted along with some takeaways.

2013-01-20 Hosting ISOI 11

I had the honor and privilege of hosting ISOI 11 in January. There was an amazing array of speakers and topics. I can't wait for ISOI 12!
Special thanks to Dragos for the use of the secure WiFi gear.

2012-06-27 Upgraded GPU Cracker

With the recent breaches of authentication credentials around the Interwebs, I decided to upgrade my GPU Cracker and see how it performs and how hot my office can get all at the same time. I replaced my aging Radeon 5xxx boards with three Radeon 7970's and one Radeon 6970. SHA1 is now running at almost 6T computations per second using oclHashCat-Plus. Time to port Nightengale (BaraCUDA) to OpenCL and see how she runs!

2012-02-04 Passive Proxy Daemon (pproxyd) v0.2 is now available

I have been procrastinating about building a libpcap based sniffer that reassembles web traffic and generates Squid proxy logs for years. I tried to use Mike Poor's "development via osmosis" trick with a couple of buddies but in the end, I was forced to put it together in the last couple of weeks to help solve a vexing web application problem. So, in a pinch, I pulled out the paper clips, rubber bands and chewing gum. Then I read the docs on libnids.

2012-01-17 Log Templater (tmpltr) v0.5 is now available

After some very helpful and specific feedback about the last version of tmpltr, I have added a few additions including faux clustering for the occasion when it is handy to know what on a given log line has not changed. There is a performance penalty for this extra processing, but not as much as I had originally expected. The table below shows average performance metrics on a Linux VM running on an i7 @ 3.2GHz.

Log size and type Avg. Line Len Avg. Arg Count Args Stored Avg. Lines per Min
18M Line Cisco FW Log 180 32 0 12,004,023/min
18M Line Cisco FW Log (Clustered) 180 32 24,009 4,093,802/Min
11M Line Apache Access Log 246 44 0 9,453,905/Min
11M Line Apache Access Log (Clustered) 246 44 21,666 5,563,009/Min
4M Line Windows Event Log 793 90 0 2,854,123/Min
4M Line Windows Event Log (Clustered) 793 90 70,361 1,183,226/Min

In addition, I have added a greedy mode where the templater will ignore double quotes. This is very useful when processing web server logs. In non-greedy mode, tmpltr will assume most things in between a pair of double quotes are a single string. In greedy mode, all data will be handled the same.

2011-10-17 SSD-Spindle Hybrid

I picked up a couple of Seagate MomentusXT 500Gb Solid State Hybrid drives to see how they stacked up to my four 120Gb SSDs running RAID-0. I pulled out the very handy HD TunePro and the sad fact is, configured as a RAID-0, they were no where near as fast as the pure SSD RAID-0. The linear read and the seek speed was also unpredictable. Even worse, they did not out perform a couple of 1TB spindle drives running RAID-0 as the chart below shows.

2011-10-01 Log Templater (tmpltr) v0.3 is now available

During the last security incident that I worked on, I needed to grind through 20gb of log files looking for any odd log lines that would indicate the point where the bad guys got in. If I had done it manually, I would still be looking at log data. Instead, I built a tool that converted logs into pattern templates and looked for templates that I had never seen before. This allowed me to zero in on just a few hundred log lines out of all the data.

2011-07-29 Quick Parser (quickparser) v0.5 is now available

After re-implementing some parser code in difftree with bug fixes and improved bounds checking, I have ported those changes back to this tool. So, I now present the new and improved quick parser with less bugs and more bounds checking. Re-energized after touching the code, I am working on the template based version, which will not be limited to syslog style, key=value formatted logs.

2011-07-27 Directory Tree Differ (difftree) v0.5 is now available

I have released a new version of difftree with more features and less memory leaks. This new version adds the ability to save directory tree state and to compare both directories and archives of directory trees that were previously saved. In addition, you can hash and compare files if accuracy is more important the speed.

2011-07-16 Directory Tree Differ (difftree) v0.4 is now available

While working on a security incident and fighting with tripwire and Osiris, I gave up and wrote a fast directory diff tool to allow me to do simple comparisons between SAN snapshots.  To tool was so handy for me, I figured I would share it.

2011-07-03 SSD Redux

After fighting with the RAID chassis that I picked up to house my new clutch of SSD drives I returned them all in a fit of nerd rage and downgraded from a RAID enclosure to a simple JBOD and larger SSD drives.  I have not been disappointed:

4 x 120Gb OCZ SSD (Raid-0) Sample 1 Sample 2 Sample 3 Average
Boot to Login 27.30 sec 27.50 sec 27.28 sec 27.28 sec
Login to Desktop 3.50 sec 3.10 sec 3.60 sec 3.40 sec
Login to Firefox Open/Page Loaded 6.90 sec 5.40 sec 6.05 sec 6.12 sec

Using the very handy
HD TunePro utility, I was able to get a bit more imperial data about the difference in performance between my old configuration and the new SSD smoke-fest.  Here is the read throughput and access time graph for the 4x120Gb OCZ Vertex II SSD (Raid-0):

SSD Read Graph

That may not look too impressive, but if you compare it to the same read throughput and access time graph for my old 2x1Tb 7200RPM SATA II HDD (Raid-0) configuration you will see a bit of a difference and why my grin is from ear to ear:
2X1TB HDD Raid-0

2011-05-21 Power supply failure leads to faster boot times

In the spirit of tricking people into reading what I write, I have given in to temptation and deliberately misled you.  Yes, my old power supply on my Windows development system died and I was forced to replace it today.  In addition, I have improved my boot times considerably.  But the only correlation between the two is that I figured I would do a bit of upgrading while I had my case open to replace the power supply.  So, out with the old 850W and in with the new 1200W Thermaltake.  Additionally, out with the old 2 x 1TB Raid-0 boot drives and in with the new 4 x 64GB Raid-0 SSD.   All this "high speed, low drag" boot hotness in a fancy 5 1/4" chassis by Patriot.  Boot speed times are as follows:.

2 x 1TB 7200RPM HDD (Raid-0) Sample 1 Sample 2 Sample 3 Average
Boot to Login 58.00 sec 87.80 sec 87.80 sec 77.87 sec
Login to Desktop 72.50 sec 51.40 sec 32.10 sec 52.00 sec
Login to Firefox Open/Page Loaded 78.70 sec 63.80 sec 69.80 sec 70.77 sec

4 x 64Gb Patriot TRB SSD (Raid-0) Sample 1 Sample 2 Sample 3 Average
Boot to Login 32.60 sec 29.40 sec 26.70 sec 29.57 sec
Login to Desktop 5.20 sec 3.40 sec 4.40 sec 4.33 sec
Login to Firefox Open/Page Loaded 8.30 sec 6.20 sec 6.90 sec 7.13 sec

Turbo Powered Boot Speed

2010-11-24 Generate password lists using Markov chains

In preparation for adding additional password plaintext generators to my GPU password cracker, I prototyped a simple Markov chain plaintext generator (pwMarkov.pl).  I added it to my John scripts for good measure and am testing to see if there is a measurable improvement in cracking efforts now.

2010-05-18 Say goodbye to my liquid cooling system

After my second coolant leak, it was time to remove my liquid cooling system.  It worked really well at keeping my system cool.  It was not as effective at keeping it dry.  It would not have been as annoying if I did not have an air cooled system running two dual GPU graphics cards and a Tesla super computer sitting under my desk at the same time.  My GPU password cracking box just hummed along without any overheating issues while my game system learned how to swim in low conductivity cooling solution.  So, I upgraded my case to an Antec 1200  to match my GPU cracker and replaced my pair of ATI 4895's with two ATI 5970's and I am back to the races.  The 3DMark numbers speak wonders about both the video cards and the difference between running Windows XP and Windows 7. 

3DMark Performance Score for New Graphics Cards

2010-05-12 LogReporter v1.5 is available

In response to some feedback from Santiago Zapata, I have updated the LogReporter.c code to enumerate and report on all active MAC and IP addresses.  Irrespective of the size of your Windows environment, you probably struggle with mapping actions in your firewalls or IDS logs back to users.  Stick this program in your login scripts and it will provide syslog records for each login including NETBIOS computer name, username as well as all active MAC and IP addresses.

2010-03-19 Mining A/V logs continues to extract gold

After updating my simple Symantec A/V log parser I used it to convert syslog Symantec A/V logs to CSV files and loaded the data into Advizor Analyst. This type of graph shows interesting re-infection patterns for individual hosts (horizontal lines), signature updates following malware blooms (vertical patterns with the same colors) as well as others.

Symantec A/V detects over time

The y-axis is a list of all infected machines so each horizontal line is a single system (Host names clipped for anonymity). The color coding is based on the name of the malware with similar names having similar colors on the pallet. Analysis of the four solid verticals outside of the weekly schedule scan pattern (the consistent vertical pattern across all the plots) were four different outbreaks of a network scanner where signature updates were loaded across all systems and the IPS started detecting and blocking immediately. The analysis was done to evaluate the effectiveness of an A/V deployment. The initial impact was a clear determination that the A/V system needed some attention and over time, the analysis was used to re-enforce the value of enabling additional options in the A/V system. Ongoing analysis shows the tempo of malware detects and changes to the A/V environment.

2009-10-13 LogReporter v1.4 is available

I needed to add support for unicode in my simple login tracker.  While poking around in the source, I added a few more features to make is a bit easier to use.  If you have a small, medium or large Windows environment, you probably struggle with mapping actions in your firewalls or IDS logs back to users.  Stick this program in your login scripts and it will provide syslog records for each login including NETBIOS computer name, username, MAC address and IP.  The new version does a better job with long and unicode netbios names and allows you to specify your loghost by name or IP address.

2009-09-21 A/V logs can help you find troubled systems

I was culling through the logs on one of my systems the other day and realized that I was getting a fair amount of alerts from my Symantec A/V servers.  At first, I was not interested in what malware was being detected and cleaned but it got me thinking about what interesting patterns existed.  I suspected that the majority of malware infections were caused by a minority of users as most malware these days require some user action.  To test this theory I wrote a simple parser to convert the logs to something that I could push into a visualizer and started looking for interesting patterns.

A/V detect histogram

Above is a histogram plotting A/V detects over time.  Each dot is an piece of malware color coded by host.  Horizontal patterns are a large quantity of the same piece of malware and vertical lines show patterns in the A/V detections indicating a schedule for scanning.  This was helpful in deducing the infection and detection patterns but not very useful for mapping infections to individual hosts.

A/V Heat Map

This heat map is much more interesting as it shows that a small number of systems have a disproportionate number of detected infections.  About 50 systems have more than 3,000 detected pieces of malware while the rest average just two.  This gives the admin teams a short list of systems that they can focus on both with technical as well as awareness based remediation.

2009-05-21 I just switched from air to liquid cooling

After many years of dreading summer and the system over temp lock-ups I just made the leap into liquid cooling.  I had resisted for the last couple of years because the cost of entry in money and time was just too much.  After a couple of days to reading on the net I decided that it was too simple and cheap, that waiting any longer was silly.

Liquid Cooling

So far, I am running 32c on my CPU and 35c on both of my GPUs on fan speed 4 of 10.  This is not bad considering ambient is 46c and my CPU averaged around 50c on air.   I will play with this for a couple of weeks while I over clock this and that.  Once I have gathered more data, I will switch from a serial to a parallel flow configuration and see if that makes any significant difference.

After running the Intel over clocking utility and installing 3DMark I have a snapshot of what my new performance is with little tweaking.

3DMark Performance

2009-04-07 QuickParser (quickparser) v0.4 released

I just posted an updated version of QuickParser to SourceForge.  There are some minor bug fixes and changes to the parser to better support generic logs with key=value pairs.

2008-12-27 Projects on my short list 

Of the long list of projects that I am ignoring most of the time and banging on when I have a free moment, there are a few that I am putting on my resolution list to get finished in 2009!

There are also a few ideas that I need to flesh out on paper in 2009 (we shall see how I do).
  • "Distrust Engineering", finding the bad guys without signatures.
  • "The State of Information Security Data Visualization", a Marcus style rant.
  • "The 11th Domain of Information Security", how to achieve long term improvement of the security of your organization by creating a sustainable information security practice.

2008-08-21 QuickParser (quickparser) v0.3

In the spirit of sharing and in the hopes of prodding a co-conspirator into finishing *his* better, stronger and faster parser, I have released the source to my regex-less log parser specifically for Juniper (Netscreen) firewall logs.

2008-07-01 PiRAT v0.2

I just upgraded my Nokia N800 to a N810 and it is time to update my tool chain for OS2008.  The new version will sport all of my favorite tools including NMAP, AMAP, xprobe2, NBTScan, NetCat, Hping2, dsniff, p0fhydra, John the Ripper, Snort, TCPDump, Metasploit, Kismet, Wireshark (a real pain to build) and many more.

2008-06-19 Transitive Distrust

I have watched our capability to detect threats degrade year after year as our adversaries invest more and more time and effort in the pursuit of stealthiness. As with all arms races, the winner is the faction with the deepest pockets and lowest overhead.  In the corporate world, that is a guarantee that the adversaries will always win.  I have been toying with a different paradigm to identifying threats called transitive distrust, or as a good friend of mine commented, trust engineering.


Internal systems that interact with "bad" systems on the Internet are less trustworthy than internal systems that do not.  "Bad" systems on the Internet exhibit repeating and detectable properties.  A system that exhibits these properties is less trustworthy than a system that does not.  A system that interacts with an untrustworthy system is itself less trustworthy.

To test this, I am building with the help of some friends, a system of instrumentation that applies a simple set of 30-40 rules to all systems that interact with a given network.  Once the rules are applied, a trust/distrust map is compiled.  This is a very effective filter to separate the trusted, and therefore not interesting, from the untrusted

The system can run constantly, correcting the evaluated trust/distrust as the data points change. Distrust degrades over time so a system that was previously untrusted but no longer exhibits these traits will become more trusted.

2008-05-31 Monitoring and logging removable media access with OS/X

I wrongly assumed that it would be simple to find an intellectual property (IP) leakage monitoring tool for removable media on OS/X.  It is unfortunate that the abundance of this type of tool on Windows has not rubbed off on Mac.  That said, I hacked together a volume monitoring daemon (vmd) to provide logging of file activity on removable devices on systems running OS/X.  It is the poor mans solution to the problem.  It uses syslog, so it is possible to have all of your Mac's point to a central syslog server and gain arms length auditing of removable media across all of your OS/X based systems with this little daemon.  A word of caution, I used the fsevents functionality of  10.4 and 10.5 which is not a standard hook for applications.  So don't be surprised if this stops working in a future version of OS/X.

2008-04-26 Malware detection through data visualization

Raffael over at secvis.org has been working to improve the overall state of information security data visualization.  Along with logging, data visualization has been a pet project of mine for several years.  I have, from time to time used visualization to filter through large volumes of data looking for intruders, malware and data breaches.

I have been trying to find a way to go through firewall logs at a large corporation where a days worth of traffic equates to 25Gb of uncompressed logs and mapping portions of the logs to simple 2D graphs helps to point out obvious and sometimes subtle anomalies.
When you plot the destination IP address as an integer over time, many interesting patterns are highlighted.Dest IP over 24 hours  Even more interesting than the horizontal patterns indicating continuous traffic to specific IP addresses are the vertical clusters with regularly repeating frequencies.
Next, a plot of the same data using the destination port number over time points to obvious port scanning in the form of  diagonal lines as well as odd patterns that sync with the previous destination IP address plot. Dest port over 24 hours

The last plot of source ports over time points to crafted packets.  Normal sockets allocated through the operating system will have positively incrementing source ports for each new connection.  Look for the horizontal lines and you have most likely found tools that are not using the operating system to instantiate new sockets.  To me, this screams packet crafting. Source port over 24 hours

All of these graphs were created by parsing firewalls logs using a perl script and loading them into Advizor Analyst.

Web server logs are another source of interesting data if you are able to separate the wheat from the chaff.  Apache2Dot.pl is a small script that makes clear diagrams of website interactions.

2008-03-19 Sumo vs. Judo

Over the course of my career, it has become clear to me that Japan's national sport offers a perfect analogy for the current state of information security.


2008-03-18 Is it time for Computer  Access License Agreements?

Anti-Forensic EULA

Now that the US Federal Government is regularly seizing, coping and snooping into the computers of US Citizens returning home, what can we do to protect the privacy that we hold dear?  The most obvious response is to encrypt your drives using whatever tools you deem appropriate.  I had considered a "FiST US Customs" campaign, but I suppose that would not be very professional.  I had also considered implementing some anti-forensic countermeasures on my computers.  A simple change to one of the many open source disk wipers could fill your unallocated and slack space with billions of partial GIF images.  That sure would make going through the preview in EnCASE a bit more tedious.  And I suppose there are even more 'active' countermeasures available to those who are not squeamish about fighting back.  After all, I have nothing to hide, and its not my job to make it easy for Law Enforcement to do theirs.  Then it occurred to me as I was ranting to a fellow infosec practitioner.  What we need is the equivalent of a EULA for our computers.  Something that warns off would-be snoopers who decide to look at our computers without a warrant.  I suppose putting one of these stickers on your computer and your hard drives is just asking for them to be confiscated, never to be seen again.  But it sure would make a great story.

2008-03-14 DPS for life!

MoE Jimmy Spike Spock Turbo Kitty

Distance makes the heart grow fonder.

2008-01-24 Passive syslog monitor v1.2.1 (psmd) has been released

After many days of pushing hundreds of gigabytes of data through it, the new version of psmd offers many bug fixes and a new TCP reassembler which notes lost log data due to dropped packets.  Along with the new features, psmd still offers many others:

  • Passive syslog monitoring (no listening ports)
  • Support for syslog over UDP and TCP (syslog-ng)
  • Archiving of all log data with proper time stamps, source and dest MAC and IP address
  • MD5 and SHA1 hashing of all archived logs
  • Forwarding of syslog data with or without forged source IP addresses
  • TIMEMARK insertion to handle time zone and time skew issues

2007-09-25 Sending a shout out to my com padre

Further continuing the South Park theme, I bring you yet another image of a fellow student of Sun Tsu and InfoSec practitioner.  Can you guess who it is?

Image of Mike Poor, South Park Style
I just want to know one thing, where is my cut of the shirt action Tom?

2007-09-22 Regexless log parsing (quickparser)

A co-conspirator and I have been building some log analysis tools.  To feed data to the tools, we needed to convert log files into a pseudo XML format.  I built a couple of regex log parsers in perl but they were very slow.  We have spent some time talking about other ways of parsing logs and I cannibalized a log compression tool that I had built using regexless parsing and found out that it is pretty fast.  By fast I am talking 2.6M lines per minute on a single processor 2.5GHz PC running linux and 950K lines per minute on a SunBlade 2000 with 1GHz processors.

Check out my quickparser, it chews up syslog data from Netscreen firewalls.  It should work properly with any syslog source that uses key/value pairs separated by a '='.

2007-08-17 "Better out than in, that's what I always say!" -Shrek

InfoSec is from Pluto, NetOps is from Jupiter

As the tenth largest body orbiting our sun, Pluto has in recent years been center stage to heated discussion about what makes a planet.  Living on Pluto as it spins around its eccentric orbit at a chilly 29 AU to a really chilly 49 AU from our Sun would be quite a challenge.  It's cold and lonely and most people don't even consider Pluto a planet including the IAU which on August 24th, 2006 relegated Pluto to 'dwarf planet' status.  It is surprisingly similar to the life as an InfoSec professional.  They are center stage to heated discussions about the significance, priority and impact of information security on organizations.  Aside from government and financial circles, InfoSec is at best an ugly stepchild and at worst is the bastard child of an adulterous relationship. To the rest of the world, information security is the curse of 'due diligence and care' that is resisted, ignored and hated with vim and vigor likened to paying taxes.  In short, information security is the group that tries to make organizations do silly things that cost too much and delay projects for no good reason because "security breaches only happen to the other guy, not us".

The fifth planet from our Sun, Jupiter, stacks up as the largest body in our solar system at 2 ½ times more massive that all the other planets put together.  Jupiter keeps showing up in the press with missions like Voyager, Cassini and Galileo.   If that was not enough of a spotlight, consider the Shoemaker-Levy 9 Impacts in July of 1994.  Jupiter is big, bright and full of hydrogen.  Everybody knows what Jupiter looks like and we thank Jupiter for its gravitational pull, we all prefer to have things hit Jupiter instead of us.  Network operations, like Jupiter, gets lots of visibility, is generally large in comparison to other operational bodies and is full of an amazingly diverse class of gases.  And we all know to make a bee-line to NetOps when we can't surf the Internet.

Putting aside the above analogies, there are some fundamental differences between InfoSec and NetOps and over the years I have struggled to understand those differences as a way to improve my interactions with my family on Jupiter.  At its most fundamental level, the difference between "network" people and "security" people is that one is focused on ensuring that packets move and the other isn't.  I will leave ascribing the correct labels to you, the reader.

This fundamental schism is surprisingly wide and deep.  And, we are talking astronomic units (AU) here, not Grand Canyon distances.  Countless times, I have gone to my brothers and sisters on Jupiter asking for help in reducing the 'attack surface' of a problem and time and time again, I have received feedback and lumps.  With each tongue-lashing and stroke I have heard "We don't have time or resources".  For a long time, I assumed that part of my family was just lazy.

The Epiphany came to me last week, NetOps is from Jupiter, not my home town over on Pluto.  When I ask network operations to install an ACL or firewall, they resist.  Not out of laziness but as an instinctive response built into the very fabric of each resident of Jupiter.  Asking to block traffic is like asking them to move to Pluto, which is far too small and cold.  When I look at the problem, I see it through the eyes of a happy resident of Pluto where blocking traffic is just a matter of simple changes to router and firewall configurations.  Add in a little audit trail and some monitoring for giggles, and it is a happy place for all.  But when someone from Jupiter looks at preventing packets from reaching their final destination, it is like preventing a packet from reaching it's pre-ordained and rightful place in the universe and the ramifications will topple everything.  Not to mention making a mess in the holiest of places, the change control archive.

So, consider this, the next time you endeavor to make the journey from Pluto to Jupiter to request a packet filter, start the conversation with "Every packet is sacred", and bring lots of photos of home to reassure them that Pluto is not all bad, because a network operator who turns up a firewall is actually a Plutonian on vacation in a warmer climate.

Ron Dilley

2007-07-31 Blatant C.a.S.E.

I am sorry Marcus, I just can't keep it to myself . . .
"You hit the nail on the head" -mjr

2007-07-30 Passive syslog monitor v1.0 (psmd) has been released

Thanks to mjr for suggesting an interesting solution to the problem of how to handle broken time in logs.  By broken I mean logs from systems without accurate time, mixed time zones and the most annoying of all . . . daylight savings.  The new version of psmd inserts time marks which record the time skew between log time and the time that the log is sucked off the wire.

2007-03-22 Yet another project (PiRat)

I just picked up a Nokia N800 with the intent to port all of my InfoSec related tools to this ultra-small computing platform.  There is a pretty well put together development environment and a strong open source development community branded as Maemo.

2006-09-25 ÜberAdmin has a new website

After several years of a really plain website, I decided to give up using vi for web development and switched to a more modern tool which was capable of making really fancy websites.  Though I opted not to make this site much fancier than the vi version, I at least used more than one font this time.

2006-09-18 Passive syslog monitor daemon has a new home at SourceForge (psmd)

After tweaking on my code an hour at a time over the last year, I have finally been pushed and prodded enough to actually release it to the public.  As I am not a programmer by trade and know just how much gum and how many rubber bands are used to hold it together, I do so with a bit of reservation.   With all the messages on the logs mailing list about signing syslog, what else could I do?

Please report issues to webmaster@uberadmin.com

Last Updated: 2021-05-29 @ 10:03pm