Sunday, July 17, 2005

Intel to cut Linux out of the content market

INTEL IS ABOUT TO CUT Linux out of the legitimate content market, and hand the keys to the future of digital media to Microsoft at your expense. Don't like it? Tough, you are screwed. The vehicle to do this is called East Fork, the upcoming and regrettable Intel digital media 'platform'. The funny part is that the scheme is already a failure, but it will hurt you as it thrashes before it dies. Be afraid, be very afraid.

First, let's explore what East Fork (EF) is. It is basically a media server PC on steroids with a lot of interesting software. The downside is that it is aiming for you, not aimed at you. The first iteration, due out in Q1 2006, is based on a Smithfield dual core Pentium 4 with the Lakeport and ICH7-DH chipsets, a fairly plain combo. You also need an S-ATA HD with NCQ and Intel HD Audio, but you can supplement that with anything else you need as long as it is on the board. You also need MS Media Center Edition 2006 (MCE 2006).

This will be replaced shortly after launch with a version based on Yonah, more like late Q1 2006, but since the Smithfield one slipped so much, this one might be delayed as well. It replaces the chipsets with Calistoga and ICH7-DHM, not a big change, and the rest remains the same. How they are going to sell a 64 bit launch and a quarter later an 'upgrade' to a 32 bit version is beyond me, but it isn't my idea. The replacement of the 130W Smithfield by the 31W Yonah won't cause many loud complaints, and the exhaust temperature of your stereo cabinet might go down a few orders of magnitude.

The concept is collectively called EF, and the one key to it all is something called the EF platform driver. It does a bunch of neato things: it will use all the horsepower the CPUs can throw at it, and a lot more. The first thing is that it will transcode content on the fly, officially stated as 'Transcodes content that's not supported by Digital Media Adaptor into a supported format'. Sounds cool, except the supported format, and I mean the only supported format right now, is .WMV. It can also do the same for bandwidth; basically it transrates on the fly. No abject evil here, it is a good idea in every way.

Secure premium content muddle
The problem is something called the Secure Premium Content Module (SPCM), and its reason for being is to decrypt MS DRM fast and 'securely'. It is an open question as to how this security benefits the user though. Anything other than Microsoft DRM is listed as 'possible' for SPCM, but as of now, the list of additional supported DRM providers is zero. The transcoding will basically add DRM to anything that touches the box, preventing you from using any fair use rights, and preventing legal sharing. This strategy worked well enough to turn the mighty Sony into an also-ran in the MP3 player market.

There are also a few more goodies. One is called Energy Lake, an instant-on technology. It does what it says it does, press the button, and the beast springs to life in short order, think more toward the speed of a DVD player than a PC. This is a good thing for all involved, and hopefully will spread farther than the EF platform.

Last up is the EF online zone, which is one of those portals where you are a captive, and can 'freely choose' to spend your money in the ways they want you to but only on the limited selections they offer. There will be 'exclusive content' for those who appropriately tithe, think the latest Brittney pablum for those with short attention spans. Don't expect anything that you can't find on the web for less, you are captive and you have large corporate profit margins to support.

I say captive because although it will support shells other than MCE 2006, it will support only other shells, not programs. This is not the same as being open in any way, shape or form; you are locked in, period. That's not to say that there will not be choices. There have to be at least two providers in each country where it launches to provide the content, but the blessed ones are the only ones. Call me absurdly cynical if you like, but I expect there is a lot of money changing hands here, and it will come out of your pocket in the end.

With the Intel GMA950 GPU, it will decode up to 720p and 1080i, but no guarantees on 1080p. If they allow you to use an Nvidia card, a 6600GT with PureVideo and the right drivers should make 1080p a distinct possibility. That should be 'good enough' for most uses.

In Q1 2006, East Fork will launch in seven countries, the US, Canada, Germany, France, Japan, South Korea and the PRC. Notably absent is the UK, but on the upside, it looks like their buses will be spared the indignity of the ad campaign. At least the iPod ones don't look all that bad.

This advertising campaign is going to be huge, about one third of a billion US dollars. Remember the Centrino campaign? That is what you are in for, an inferior product that sells you out for more money. There will be EF devices, EF branded content and probably EF branded contraceptives to use while watching EF branded porn.

Up the river without a paddle
So, that is what it is, how does it sell you up the river? The first part is DRM. Any DRM on a machine is simply a sign of failure. It signifies that the providers cannot, or will not provide you with a good product at a fair price. People are inherently averse to getting screwed, in the way that Intel is doing mind you, and if you try to screw people, they will avoid you. If you offer them something they actually want, they tend to readily open their wallets. This crushing DRM that is being foisted upon you is the surest sign that you don't want this product, and you will be paying too much for it. Don't like that? Bought legislators are hard at work making sure you will go to jail if you try to exercise your rights on the issue.

Remember there was a time when something called fair use existed? Remember when you could rip a CD to your MP3 player to listen to in your car, or while out biking? That was and is called fair use. Breaking down the term, fair means equitable, and use means to use. Both are about to be stripped from you, but you get to pay for the privilege.

Here's how it works. The record companies, and to a far lesser degree the movie studios, are rapacious greedy bastards that have a failing business model. No, really, look at the numbers, they are on a treadmill where they need bigger and bigger hits to support the 90 plus per cent of projects that don't make dollar one. Each time, they spend more and more money making the latest plastic knuckle dragger seem cool enough so you will part with your money.

It is getting harder and harder to do, mainly because quality is declining so rapidly. So, rather than go for quality and content you want to buy, they are trying to make it so you have to buy, and crying to legislators that you are evil if you don't consume how they want, when they want, in the ways that they want. Pay per play has these cretins drooling.

Add in the fact that they completely missed the boat for digital media, obstructed its growth at every possible turn, and sued their prime consumers when they didn't flock to sub-par offerings at super-par pricing, and you have a recipe for failure. This is exactly what the record companies are doing, failing, and it is richly deserved. Some that adapted early, Go-Kart being a prime example, are doing the right thing for the right reasons. The vast majority are not.

In their failing, they are passing laws left and right that make you a criminal for doing things that you were entitled to do up until it did not make several large corporations enough money. Don't like it? How many Congressmen do you own?

Their excuse is that they won't enter a market without what they deem as adequate protection. Silly me, it seems that they define adequate protection as charging more for a download than for a physical product that has actual costs to produce, ship, stock and sell. It is a flat out sham, and strangely, people are stupid enough to believe it, and buy the fact that the poor record companies will lose their shirts if they so much as dip a toe in the water without DRM. They can't come in without you giving up your fair use rights.

That is a lie; they voluntarily left, and chose not to enter without you kneeling before them and giving up your civil liberties. It would be laughable if so many people didn't do just that. A good analogy was one I used on a person giving a speech about DRM a few months ago. I said imagine that during his speech, I walk up on stage with a baseball bat, and for no reason, start hitting him. Then, out of the goodness of my heart, I stop hitting him. Does this suddenly make me a nice guy? The record companies are hitting you by not supporting the current prevailing formats, and are asking you to call them nice guys when they stop hitting you. I hope you are not that stupid.

East Fork handles
Back to EF though, there are a lot of problems, and it mainly starts with exclusive support for Microsoft DRM. There is no other, and as of the last time I checked, there will not be. Intel refuse to comment on unannounced products, but others have told me there is nothing but Microsoft DRM.

If you look at the history of the public, let's call them sheeple, they take what they are given, grin and bear it. Netscape, Real and others have all fallen victim to the Microsoft bundling machine, and even if EF has the option to include other forms, there will be none in the box to start.

What do you think content providers will encode in, Microsoft or some other format that has a vastly higher probability of not being on the box? By Intel selling out to MS for co-advertising dollars, they basically hand all content over to MS controlled and MS licensed schemes. Not a problem if you are willing to pay MS for the privilege of using their codecs.

How about if you are using a non-MS platform? You can always pay Microsoft for the privilege, and several Linux based devices do, but they charge you for it. They also have handcuffs placed on them as to what they can do after that. Forget 'free' as in beer, 'free' as in freedom just went away with a whimper, not a bang. Also, if you think Microsoft is cheap or altruistic, wait until they are a monopoly here too. History is a great guide.

So, with this single coup, Intel is handing the keys of the digital media kingdom to MS, and content providers will follow like the sheep they are. In almost no time, Microsoft will be the default digital media codec, in the same way that people 'chose' the 'superior' IE and WMP programs. When the content follows, which it will, you are locked in.

But you can always play it on another player; Linux will have something that can read it, right? Not legally in the US anyway: there are laws against circumventing protection mechanisms, and DRM is just that. Fair use and your rights are going to go away when EF comes to town.

Linux is verboten
So, Linux becomes forbidden for those who want to watch a movie legally. Think this is by chance? Think it won't catch on? There is a $300 million plus ad campaign cooking to make sure you equate digital media with EF, and don't question that you are giving up all your rights to pay for the privilege. People are stupid, and by the time they catch on that the EF machine they bought is the main method by which they are being screwed, it will be too late and you won't be able to buy anything else. Trust me, this really is the plan.

I have asked Intel several questions, and never really got a satisfactory answer to any of them, mainly because I don't think they can answer them honestly. The first one is, 'who is your customer for EF, is it the consumer or the record companies?' That is the roundabout way of saying, are you doing this for our benefit, or the content providers'? When I asked it, I don't think they had considered it enough. Now, Intel's actions speak louder than words, and the answer is that it is not for our benefit.

The second question is how does DRM benefit the consumer? Intel deflects this deftly if you ask it, you get an answer to the question 'why is your DRM version better than theirs?'. Intel replies that a single standard is better than multiple fragmentary standards. Intel won't point out that a single walled garden is no better than several, and in many ways can screw you just as much. If Intel had the guts to push a single free standard, free as in freedom not necessarily as in beer, then I would have no problem with it.

The problem is that there is no theoretical, practical or implementation benefit of DRM for the consumer. It costs money to develop, costs money to implement, and adds hardware and complexity to a device. This all comes out of your pocket while it takes your rights away.

Intel has apparently failed here, and sucked up to the money danglers at your expense. The 'solution' it is offering, EF, only takes your rights away when you write a cheque and so it is the wet dream of every media executive out there. MS is rubbing its hands with glee, it gets a chunk of everything played from 2006 on, and consumers have to just bend over and take it.

If you don't like it, you can live without music, TV and movies, an increasingly appealing proposition to me. You cannot play things without tithing, that would be illegal, and probably you're even a thought crime citizen. The fact that the 'brains' at Intel and Microsoft could not come up with a scheme that makes them money in a way that you and I would want to buy is a shining badge of failure.

Thanks a heap, Intel
This whole East Fork scheme is a failure from the start. It brings nothing positive to the table, costs you money, and rights. If you want to use Linux to view your legitimately purchased media, you will be a criminal. In fact, if you want to take your legitimately bought media with you on a road trip and don't feel the need to pay again for it - fair use, remember - you are also a criminal. Wonderful.

Intel has handed the keys to the digital media kingdom to several convicted monopolists who have no care at all for their customers. The excuse Intel gives you if you ask is that they are producing tools, and only tools, their use is not up to Intel. The problem here is that Intel has given the said tools to some of the most rapacious people on earth. If you give the record companies a DRM scheme that goes from 1 (open) to 10 (unusably locked down), they will start at 14 and lobby Congress to mandate that it can be turned up higher by default.

In closing, thanks Intel for selling us out. Thanks Microsoft, for being Microsoft. Thanks RIAA, MPAA and the others for being shining examples of unbridled greed. You and I, we were sold out, and when East Fork debuts in Q1 2006, there won't be much you can do about it, legally anyway. Enjoy the little freedom you have left.

Source: http://www.theinquirer.net/?article=24638

Securing Your Network: Removing Unwanted Devices

Note: While not absolutely required, it is ideal to have working knowledge of how an Ethernet network operates from a low-level perspective.

Pretend you're a network head at some organization, in charge of a couple dozen - maybe a few hundred - network devices, and you're responsible for their operation, maintenance, and security. Or maybe you don't have to pretend; maybe you really are. In any case, you've got a happy little network, all orderly and mapped out, running great. Over time, however, you notice the network's condition start to deteriorate. Broadcast traffic is on the rise, with more suspicious user activity in the logs every day. Then one morning you get a call from your irate boss wanting to know why he no longer has a network connection, yet the employees - or students or whoever - down the hall are able to play games and visit porn sites, at blazing speeds no less.

You may currently have more on your network than you think.

Not much attention is given to one of the most elusive aspects of security, that of physical connectivity. The main goal of network security is of course to keep legitimate network users up and running, while keeping the bad ones out completely. Under normal circumstances, where the supposed attacker may be hundreds of miles away, on the other side of your firewall, this is relatively easy enough. However, when unauthorized users have a direct physical connection on your network, the problem can be infinitely harder to solve. Should an intruder ever reach the 'soft side' of your network - the private area behind the DMZ - it is vital to know how to detect them, how to find them, and how to pull the plug (often literally).

Detection

Although every network is different, there are several telltale signs that something fishy is going on. Naturally, the more complex your network is, the harder it will be to sniff out a rogue device. Several clues should be examined in an effort to pinpoint the offending source.

Invalid Source Addresses

Most LANs are comprised of a single address hierarchy, for example a 10.x.x.x class A scheme, or a variety of 192.168.x.x class C subnets. Now assume all legitimate devices on your network are assigned a 10.x.x.x IP via DHCP, so they should all have their own reserved spot in this hierarchy. But when checking traffic logs or a sniff capture, you see traffic to/from a device at 192.168.1.1. Obviously this is not a valid address, and probably not an authorized device, either. This scenario is most often caused by Joe User plugging his personal brouter or similar device intended for home networking into an open port on a user switch somewhere.

Repetitive DHCP Requests

Some smaller networks don't run a DHCP server (though not doing so is rare these days), so devices must have static IP addresses entered into them manually. This would give rise to suspicion if you detect an unknown device constantly broadcasting a DHCP request. However, this isn't always a solid lead, as the same effect will be had by a new PC brought online before having an IP assigned to it.

Uncommon Service Traffic

Suppose one segment of your network is dedicated to the Accounting department, a small group of employees who use the network primarily for Internet, E-mail, and SQL database access. If you notice, for example, HTTP traffic heading into this segment from another part of the network, someone in Accounting might have decided to start up a personal web server.

Bandwidth Hogs

This can be the hardest to detect, depending on what method(s) you use to monitor network throughput. At the very least, you should have some sort of probe at the gateway to measure traffic. Let's say you have a good sized network used for typical Web and E-mail access, and decide to run a protocol survey. Over twenty minutes, you see the following traffic throughput:

HTTP: 824 KB (14 hosts)
SMTP: 112 KB (3 hosts)
FTP: 634 MB (1 host)

Now which one doesn't fit? If you picked FTP, you win! (If not, it would be advisable to stop reading now and go update your resume, as you might be needing it shortly.) Generally speaking, you won't find a user downloading an entire CD's worth of data as part of their daily workload.
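The four clues above can be checked mechanically from a flow or traffic log. Here is an added example, not from the original article, that runs all four over a constructed flow log; the 10.x.x.x address plan, the Accounting segment, the known-MAC list and the 100 MB-per-host limit are assumptions chosen to match the scenarios in the text:

```python
"""Run the four checks from the Detection section over a constructed flow log:
off-plan source addresses, repeated DHCP requests from an unknown MAC, service
traffic entering a segment that should not be serving it, and bandwidth hogs."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/8")           # every legitimate host gets a 10.x.x.x lease
ACCOUNTING = ip_network("10.1.1.0/24")   # clients only: web, mail and SQL consumers
KNOWN_MACS = {"00-0c-41-45-a9-d6", "00-0c-41-12-34-56"}   # assumed DHCP reservations
PORT_NAMES = {80: "HTTP", 25: "SMTP", 21: "FTP", 67: "DHCP", 1433: "SQL"}

# Constructed flow records for a 20-minute window:
# (src_mac, src_ip, dst_ip, service_port, bytes). The service port is always the
# server side, so a flow to port 80 means "someone is serving HTTP at dst_ip".
FLOWS = [
    ("00-0c-41-45-a9-d6", "10.1.1.20", "10.9.0.1", 80, 512_000),
    ("00-0c-41-12-34-56", "10.1.1.21", "10.9.0.1", 80, 312_000),
    ("00-0c-41-45-a9-d6", "10.1.1.20", "10.9.0.2", 25, 112_000),
    ("00-0c-41-12-34-56", "10.1.1.21", "10.2.3.4", 1433, 20_000),
    ("00-11-22-33-44-55", "192.168.1.1", "10.9.0.1", 80, 4_000),       # home brouter on an open port
    ("00-11-22-33-44-55", "0.0.0.0", "255.255.255.255", 67, 300),     # ...asking for a lease, repeatedly
    ("00-11-22-33-44-55", "0.0.0.0", "255.255.255.255", 67, 300),
    ("00-11-22-33-44-55", "0.0.0.0", "255.255.255.255", 67, 300),
    ("00-aa-bb-cc-dd-ee", "10.3.3.3", "10.1.1.22", 80, 9_000),        # a web server inside Accounting
    ("00-aa-bb-cc-dd-ee", "10.3.3.3", "10.9.0.7", 21, 634_000_000),   # a CD's worth over FTP
]


def invalid_sources(flows, plan=LAN):
    """Source IPs outside the address plan (0.0.0.0 is a DHCP client and is skipped)."""
    bad = set()
    for _mac, src, _dst, _port, _nbytes in flows:
        ip = ip_address(src)
        if not ip.is_unspecified and ip not in plan:
            bad.add(src)
    return sorted(bad)


def dhcp_repeaters(flows, known_macs=KNOWN_MACS, threshold=3):
    """Unknown MACs that sent at least `threshold` DHCP client requests (port 67)."""
    counts = Counter(mac for mac, _s, _d, port, _b in flows if port == 67)
    return sorted(m for m, n in counts.items() if n >= threshold and m not in known_macs)


def unexpected_services(flows, segment=ACCOUNTING, expected_ports=frozenset()):
    """Flows from outside `segment` to a service inside it that the segment is not meant to offer."""
    hits = []
    for _mac, src, dst, port, _b in flows:
        if ip_address(dst) in segment and ip_address(src) not in segment and port not in expected_ports:
            hits.append((src, dst, port))
    return hits


def protocol_survey(flows):
    """Per-service byte totals and distinct source hosts, like the survey table in the text."""
    totals = defaultdict(lambda: [0, set()])
    for _mac, src, _dst, port, nbytes in flows:
        name = PORT_NAMES.get(port, str(port))
        totals[name][0] += nbytes
        totals[name][1].add(src)
    return {name: (nbytes, len(hosts)) for name, (nbytes, hosts) in totals.items()}


def bandwidth_hogs(survey, per_host_limit=100 * 1024 * 1024):
    """Services whose bytes-per-host exceed the limit; 100 MB in 20 minutes is assumed abnormal."""
    return sorted(name for name, (nbytes, hosts) in survey.items() if nbytes / hosts > per_host_limit)


def run_all(flows=FLOWS):
    """All four checks in one report; any non-empty value deserves a closer look."""
    return {
        "invalid_sources": invalid_sources(flows),
        "dhcp_repeaters": dhcp_repeaters(flows),
        "unexpected_services": unexpected_services(flows),
        "bandwidth_hogs": bandwidth_hogs(protocol_survey(flows)),
    }


if __name__ == "__main__":
    for name, (nbytes, hosts) in sorted(protocol_survey(FLOWS).items()):
        print(f"{name}: {nbytes / 1024:,.0f} KB ({hosts} hosts)")
    for check, hits in run_all().items():
        print(f"{check}: {hits or 'nothing suspicious'}")
```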

Determining the Threat

In most instances, the device in question is one of three things: a 'dumb' device configured improperly (by dumb I mean without a human user operating it), an ignorant user, or a malicious user.

Misconfigured Devices

These are typically more of a nuisance than a threat, but should not be overlooked, as they can often be security risks and stand the chance of being compromised at any time. These are typically things like user-bought LAN devices, such as the Linksys and Netgear brouters you can pick up at Best Buy for $50, useful for turning one switch port into four or five. A word of caution, though: many times, users will plug these into your network to provide themselves with unchecked wireless connectivity, a definite security no-no.

Ignorant Users

The context of the term ignorant here is intent. A user who decides to install Apache on their desktop to play around with is unlikely to do any harm and certainly never had the intention to, yet this sort of thing is usually frowned upon by administrators. As a side note, this is also the number one reason grade school students get in trouble with the administration. God forbid they actually learn something in a place of organized education.

Other users that fall under this ignorant-but-innocent category include employees attempting to bypass a web filter so they can go to personal sites on their lunch hour, or setting up internal FTP servers to share MP3s with their coworkers. While your administration may find this less than acceptable, it rarely has any adverse effect on network integrity (with the possible exception of bandwidth).

Malicious Users

If you encounter a malicious user, this is where you should start to sweat. Here, a user is anyone with access to your network - authorized or not. This could be some anonymous attacker, either with or without physical access to your network. Worse, it could be a disgruntled employee with a legitimate network account and working knowledge of the network layout. Rare as they are, malicious users take all priority when detected because they are often easier to catch if you can track them in real-time.

Enumeration

So, assume you have some unknown device hanging off your network. How you came to know about it is irrelevant. Maybe you noticed some unusual protocols or traffic volume, maybe you suddenly lost connectivity to an entire segment. The next step is finding out what the device is. Is it a regular PC? Some sort of server? A switch, or perhaps a router? Advanced enumeration techniques are beyond the scope of this paper, though a good checklist is handy whenever trying to identify a mysterious device.

Who made it?

One of the first - and easiest - things to find out about a device is who made it. All you need for this is the MAC address (or at least its IP address, for starters), whose first three octets you can then check against the IEEE's Organizationally Unique Identifier (OUI) listings at http://standards.ieee.org/regauth/oui/index.shtml. If you only have the IP address, you can easily obtain its MAC address. Provided you're currently on the same switched LAN, VLAN and IP subnet as your target device (across a router, the ARP entry you get is the router's, not the target's), all you need to do is stimulate some traffic between yourself and your target. A simple ping will suffice. Then, retrieve the MAC address corresponding to its IP from your system's ARP cache.

C:\> ping -n 1 192.168.10.16

Pinging 192.168.10.16 with 32 bytes of data:

Reply from 192.168.10.16: bytes=32 time=4ms TTL=64

Ping statistics for 192.168.10.16:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 4ms, Average = 4ms

C:\> arp -a 192.168.10.16

Interface: 192.168.4.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.16         00-0c-41-45-a9-d6     dynamic
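The vendor lookup and the MAC-format juggling can be scripted. This is an added helper, not part of the original article: it parses the arp -a output above, normalizes the MAC, looks up its OUI in a small constructed stand-in for the IEEE listing, and produces the dotted form that the Cisco MAC-table query later in the article expects. The vendor strings in the table are illustrative placeholders; consult the live listing for real prefixes.

```python
"""Parse Windows 'arp -a' output, normalize MAC notation, look up the OUI and
convert to the colon and Cisco dotted forms used by other tools in this article."""
import re

# Constructed excerpt standing in for the IEEE OUI listing (first 3 octets -> vendor).
# Vendor names are placeholders for illustration; look prefixes up in the real list.
OUI_TABLE = {
    "000C41": "Cisco-Linksys, LLC (illustrative entry)",
    "000123": "Example Vendor (placeholder)",
}

# Constructed copy of the arp -a output shown above.
ARP_OUTPUT = """Interface: 192.168.4.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.16         00-0c-41-45-a9-d6     dynamic
"""

_NON_HEX = re.compile(r"[^0-9A-Fa-f]")
_ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def normalize_mac(text):
    """Strip separators from any common notation and return 12 upper-case hex digits:
    '00-0c-41-45-a9-d6', '00:0c:41:45:a9:d6' and '000c.4145.a9d6' all give '000C4145A9D6'."""
    digits = _NON_HEX.sub("", text).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def to_cisco(mac):
    """Dotted form used by 'show mac-address-table address' on Catalyst switches."""
    d = normalize_mac(mac).lower()
    return f"{d[0:4]}.{d[4:8]}.{d[8:12]}"


def to_colon(mac):
    """Colon-separated form printed by nmap, ethereal and most Unix tools."""
    d = normalize_mac(mac).lower()
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))


def vendor(mac, table=OUI_TABLE):
    """Vendor registered for the OUI (first three octets), or None if unlisted."""
    return table.get(normalize_mac(mac)[:6])


def parse_arp_a(output):
    """Map IP -> normalized MAC from Windows 'arp -a' output; header lines are skipped."""
    entries = {}
    for line in output.splitlines():
        m = _ARP_ROW.match(line)
        if m:
            entries[m.group(1)] = normalize_mac(m.group(2))
    return entries


def identify(ip, output=ARP_OUTPUT):
    """Everything the hunt needs about one IP: its MAC in both forms and a vendor guess."""
    mac = parse_arp_a(output).get(ip)
    if mac is None:
        return None
    return {"ip": ip, "colon": to_colon(mac), "cisco": to_cisco(mac), "vendor": vendor(mac)}


if __name__ == "__main__":
    print(identify("192.168.10.16"))
```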

Running Service Identification

On a typical host PC, there aren't many services running, and therefore open ports are limited to the default services of the operating system. For example, a Windows XP box by default will have ports 135, 139, and 445 open for TCP, mapped to legitimate system services.

Network devices, however, will often accept connections to port(s) 22 and/or 23, which are used for secure shell and telnet access, respectively. Another one to watch for is 80, which carries HTTP traffic. Some devices by default will have an optional web interface running in addition to their regular command line interface. Ports 21 and 69 are used for FTP and TFTP daemons, often utilized by routers and switches for configuration and OS updates. It is not uncommon to find end hosts running web and FTP servers, though remote shell services like telnet are typically limited to network devices.

Operating System Identification

A more explicit enumeration technique is OS detection. This can be accomplished rather easily with nmap (http://www.insecure.org/nmap/). Although not 100% reliable, this can give you a pretty solid idea of what to expect from the device.

Obviously, the aforementioned enumeration techniques only provide a very general idea of the device in question. This is sufficient, however, as here we are not looking to actually infiltrate the device; we just want an idea to aid us in removing or otherwise separating it from the rest of the network.

The Hunt Begins

Now armed with a MAC address and some background info, we can begin to hunt it down. On a small network in a moderately sized building, this may be easy enough. Unfortunately, when you're managing a network the size of a city - with enough endpoints to match - the task becomes considerably more difficult. Obviously you're not going to physically search a building or buildings for this device; we're going to trace it through the network. This is why it's important to know the layout of your network in great detail. Also, having adequately descriptive hostnames on your network nodes comes in very handy.

Consider the following network topology. In our scenario layout, buildings A, B, and C, each with their own user base supported by one or two switches, contain a trunk to building X and at least one other building for redundancy. Building X contains the only router with a link to the outside world, but the only user currently hanging off the switch there is the admin (AKA you). Keep in mind this is a very, very simple mock topology and real-world scenarios will tend to be much more complex. Anyhow, you suspect the mystery device to reside among the regular users in building A, B, or C.

Switch MAC Tables

Ethernet switches essentially map MAC addresses to the ports they come from. Therefore, they are extremely helpful when tracing the physical location of a host. Let's say our target's MAC address is 00:01:23:45:67:89. Yes, a brilliant example, I know. From the switch's CLI, we can extract the corresponding switch port from switch's MAC table.

Note: The commands shown here are specific to certain Cisco devices, namely the Catalyst family of switches running IOS and/or CatOS. While I understand different networks may use a wide variety of hardware vendors, it would be impractical to list the exact steps required for every switch out there. If the following steps aren't compatible with your device(s) for whatever reason, consult with your vendor for the appropriate configuration.

Starting from the highest level in the switched hierarchy (in this case building X) we trace the physical path to our end user. In our local switch at building X, we perform the following query:

Switch-X# show mac-address-table address 0001.2345.6789
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0001.2345.6789       Dynamic       1     GigabitEthernet0/1
Switch-X#

We see from the result of the MAC query that traffic to 00:01:23:45:67:89 is passed out port GigabitEthernet0/1, one of our trunks to a switch in another building. So, where does it go? One way to find out would be to consult your network map. Duh. But a much cooler way, if you have a Cisco network, is to use CDP and map out your network as you go.

Cisco Discovery Protocol

Naturally proprietary to Cisco Systems, CDP is an extremely useful tool for exploring and mapping a network's 'layer two' topology, as referenced against the almighty OSI model. For more information on CDP, visit http://cisco.com/en/US/tech/tk648/tk362/tk100/tech_protocol_home.html. For now we'll cover the aspects of CDP necessary to continue our quest.

We can list all connected Cisco devices with one command:

Switch-X# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Switch-A1        Gig 0/1           144        R S I       WS-C2924  Gig 0/1
Switch-C1        Gig 0/2           144        R S I       WS-C2924  Gig 0/1
Router           Fas 0/1           144        R S I       WS-C4003  Fas 0/1
Switch-B         Fas 0/2           144        R S I       WS-C2924  Fas 0/1
Switch-X#

Or, we can specify just the interface we want:

Switch-X# show cdp neighbors GigabitEthernet 0/1
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Switch-A1        Gig 0/1           144        R S I       WS-C2924  Gig 0/1
Switch-X#

We learn that the device on the other end of our gigabit link is Switch-A1, the root switch for building A. We can assume at this point that our mystery device is somewhere within building A, but why stop there? Our goal is to get as specific as possible. We telnet to Switch-A1 and perform the same MAC address query as we did before.

Switch-A1# show mac-address-table address 0001.2345.6789
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0001.2345.6789       Dynamic       1     GigabitEthernet0/2
Switch-A1#

Our device isn't connected directly to this switch, either, but passes instead through interface GigabitEthernet0/2, our gigabit link to the other switch in this building. Since there is only one other switch in this building, and the switch we're on now is its only gateway out, it's pretty safe to assume our target is hanging off of Switch-A2. (We could verify this again with CDP, but just take my word for it this time, okay?) But, not only do we want to double-check this, we want to find out exactly what port it's on so we can kill its connection if necessary.

Switch-A2# show mac-address-table address 0001.2345.6789
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0001.2345.6789       Dynamic       1     FastEthernet0/19
Switch-A2#

We've reached the end of the road! Our device is on FastEthernet0/19 on Switch-A2.
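The same hunt as a script, added here and not part of the original article: it parses the two Cisco outputs (constructed to match the mock topology, the way a script would collect them over telnet or SSH) and follows the MAC from Switch-X trunk by trunk until it reaches a port with no CDP neighbour. It generalises the walk above to any depth, stops cleanly at a neighbour it has no output for, and reports a MAC the switch has never learned:

```python
"""Walk a MAC address from the root switch to its access port by parsing
'show mac-address-table address' and 'show cdp neighbors' output from each
switch on the way, which is the hunt the text above carries out by hand."""
import re

# Constructed command output for the switches on the path. "mac" is the
# MAC-table lookup for the target, "cdp" the neighbour list (headers omitted
# for the inner switches; the parsers ignore header lines anyway).
SWITCHES = {
    "Switch-X": {
        "mac": """Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0001.2345.6789       Dynamic       1     GigabitEthernet0/1""",
        "cdp": """Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Switch-A1        Gig 0/1           144        R S I       WS-C2924  Gig 0/1
Switch-C1        Gig 0/2           144        R S I       WS-C2924  Gig 0/1
Router           Fas 0/1           144        R S I       WS-C4003  Fas 0/1
Switch-B         Fas 0/2           144        R S I       WS-C2924  Fas 0/1""",
    },
    "Switch-A1": {
        "mac": "0001.2345.6789       Dynamic       1     GigabitEthernet0/2",
        "cdp": """Switch-X         Gig 0/1           144        R S I       WS-C2924  Gig 0/1
Switch-A2        Gig 0/2           144        R S I       WS-C2924  Gig 0/1""",
    },
    "Switch-A2": {
        "mac": "0001.2345.6789       Dynamic       1     FastEthernet0/19",
        "cdp": "Switch-A1        Gig 0/1           144        R S I       WS-C2924  Gig 0/2",
    },
}

_MAC_ROW = re.compile(r"^\s*([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\d+)\s+(\S+)", re.I)
_CDP_ROW = re.compile(r"^\s*(\S+)\s+(Gig|Fas|Eth|Ten)\s+(\d+(?:/\d+)+)")
_LONG_NAME = {"Gig": "GigabitEthernet", "Fas": "FastEthernet",
              "Eth": "Ethernet", "Ten": "TenGigabitEthernet"}


def parse_mac_table(output):
    """MAC (dotted form) -> (vlan, port) from 'show mac-address-table' output."""
    rows = {}
    for line in output.splitlines():
        m = _MAC_ROW.match(line)
        if m:
            rows[m.group(1).lower()] = (int(m.group(2)), m.group(3))
    return rows


def parse_cdp_neighbors(output):
    """Local interface (full name, e.g. GigabitEthernet0/1) -> neighbour device ID."""
    neighbours = {}
    for line in output.splitlines():
        m = _CDP_ROW.match(line)
        if m:
            neighbours[_LONG_NAME[m.group(2)] + m.group(3)] = m.group(1)
    return neighbours


def trace(mac, start, switches=SWITCHES):
    """Hop list [(switch, port), ...] from `start` towards the MAC. The walk ends at
    the access port (no CDP neighbour on it), at a port whose neighbour we have no
    output for, or with port None when the switch has not learned the MAC at all."""
    mac, path, switch, seen = mac.lower(), [], start, set()
    while switch not in seen:
        seen.add(switch)
        hit = parse_mac_table(switches[switch]["mac"]).get(mac)
        if hit is None:
            path.append((switch, None))
            return path
        _vlan, port = hit
        path.append((switch, port))
        nxt = parse_cdp_neighbors(switches[switch]["cdp"]).get(port)
        if nxt is None or nxt not in switches:
            return path          # end of the road: access port or an unmanaged neighbour
        switch = nxt
    raise RuntimeError(f"loop detected at {switch}: re-check CDP and MAC-table output")


if __name__ == "__main__":
    for switch, port in trace("0001.2345.6789", "Switch-X"):
        print(f"{switch}: {port or 'MAC not learned'}")
```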

Traffic Sniffing

Now that we know where our device is hiding, it is at our mercy. Muahahaha! But, we might not want to pull the plug just yet. In the event an attack has occurred successfully, the damage has already been done. If the attacker is still active on the network, we might as well record some evidence for future use. Of course, common sense is your friend for this one; if an attacker has compromised your company's sales database and is actively pulling credit card numbers from it, it's probably a good idea to just cut him off now.

SPANing, or Switched Port ANalyzer, provides a very convenient way to mirror port traffic. Switches are designed so that ideally, a frame enters one port and exits through another. In one, out one. This is the major ideology that makes switches so much more efficient than hubs. SPANing allows us to mirror the traffic on one port to another - in one, out two, so to speak. In our example, we would want to monitor all traffic on FastEthernet0/19 on Switch-A2. What we could do then is attach a sniffer to a port - for instance, FastEthernet0/24 - and monitor or capture the mirrored traffic to see what our target is up to. This is done with commands along these lines (depending on what OS you're running; here the sniffer's port is the one configured, and port monitor names the port whose traffic it receives):

Switch-A2# configure terminal
Switch-A2(config)# interface f0/24
Switch-A2(config-if)# port monitor f0/19
Switch-A2(config-if)# end
Switch-A2#

Again, this is Cisco-specific syntax. However, SPAN or an equivalent is available on most Ethernet switches. There is also RSPAN, which allows you to mirror traffic over multiple switches, like mirroring Fast0/19 on Switch-A2 across the network to Admin's port on Switch-X. Check with your vendor for more specific information on using SPAN, port monitoring, or whatever they call it.

As for what sniffer to use, this is always a matter of personal preference. One of the best free sniffers out there is ethereal (http://www.ethereal.com). It even gives some commercial sniffers a good run for their money. There are plenty of choices when it comes to protocol analysis software, but I'll leave it at that.

The Final Strike

Okay, playtime's over. Now it's time to cut off the offending device's connection. We have several options here; the most obvious of course is to physically go to the switch and unplug the cable on port 19. However, this takes time. A quicker, if temporary, solution is to shut off the port. On our Cisco switch, this is done like so:

Switch-A2# configure terminal
Switch-A2(config)# interface f0/19
Switch-A2(config-if)# shutdown
Switch-A2(config-if)# end
Switch-A2#

If the device was added by an ignorant user (refer back to Determining the Threat), it can be entertaining watching them try to figure out why their wireless access point suddenly stopped working. It's mean, of course, but it's also very funny. Some will even have the balls to call up and complain that they lost their network connection. In this case it's best to make a personal appearance so they can explain where the little blue box came from.

There are also a couple of clever ways to isolate the device from the network without the device knowing. These are a bit less secure, and probably not a great idea if there happens to be a human attacker behind the device.

VLAN Segregation

By assigning port 19, the MAC address, or (better yet) both to an unused VLAN, the connection remains but its traffic is trapped. So long as the VLAN isn't routed away from the switch, the device is effectively cut off.

Access Lists

This is a last resort, for when you couldn't isolate the device by means of VLANs for some reason. You can set access lists based on IP or MAC addresses - in this case an explicit 'deny any' would likely be in order. However, be aware that IP and MAC addresses alike can easily be changed by a knowledgeable attacker. It is strongly advised to shut down the port or employ VLAN segregation instead.
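Both isolation options, VLAN segregation and the access-list fallback, written out in Catalyst IOS syntax as an added example that is not from the original article. The quarantine VLAN number 999 and the access-list name are constructed; they assume VLAN 999 is otherwise unused and has no SVI or trunk carrying it.

```cisco
! Added example, not from the original article. Assumes Catalyst IOS syntax.
! VLAN 999 is a constructed, otherwise unused VLAN with no SVI and not
! allowed on any trunk, so frames placed in it have nowhere to go.
!
! Option 1: VLAN segregation. The link stays up, the device keeps its
! address, but every frame it sends is trapped on this switch.
vlan 999
 name QUARANTINE
!
interface fastethernet0/19
 switchport mode access
 switchport access vlan 999
!
! Option 2 (last resort): a MAC access list with the explicit 'deny any'
! the article suggests, applied inbound on the port. This only filters;
! a knowledgeable attacker can change addresses, so prefer option 1 or
! simply shutting the port.
mac access-list extended ISOLATE-F0-19
 deny any any
!
interface fastethernet0/19
 mac access-group ISOLATE-F0-19 in
```

Once the device is gone, remove the mac access-group line and move the port back to its normal VLAN, or leave it in VLAN 999 and shut it down until it is needed again.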

Future Deterrence

As long as there are users on your network, 100% security will be impossible to maintain. Fortunately, there are a few ideal practices that will discourage even the most determined attackers from gaining access.

Whatever ports aren't being used on a device should be turned off until they're needed. The ports that are in use should be locked down as far as possible. This includes restricting STP and VTP traffic from non-trunk ports, as well as imposing a limit of one MAC address per port, to prevent the addition of hubs or other switches. On Cisco devices, this can be accomplished with the portfast, bpduguard, and port-security features. And as always, the strategic placement of well-designed firewalls and access lists is crucial to good network integrity.
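The lockdown described above, in Catalyst IOS syntax, as an added example that is not from the original article. It assumes a 24-port switch where f0/1-20 are user ports, f0/21-23 are spare and f0/24 is the uplink trunk; those port roles and the quarantine VLAN 999 are constructed assumptions.

```cisco
! Added example, not from the original article. Assumes Catalyst IOS syntax.
! Port roles (1-20 users, 21-23 spare, 24 uplink) and VLAN 999 are made up.
!
! User ports: access only, so no DTP/VTP negotiation; one MAC address,
! learned and saved as sticky, with the port err-disabled on a violation;
! portfast plus bpduguard so any STP BPDU (a hub or rogue switch) kills it.
interface range fastethernet0/1 - 20
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Spare ports: parked in the dead-end VLAN and disabled until needed.
interface range fastethernet0/21 - 23
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Uplink: an explicit trunk with negotiation off, so nothing else can
! talk its way into becoming a trunk.
interface fastethernet0/24
 switchport mode trunk
 switchport nonegotiate
!
! Optional: auto-recover a bpduguard err-disable after five minutes, so an
! honest mistake on a user port does not require a trip to the closet.
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

Verify with show port-security and show spanning-tree summary; a port that trips will show up in show interfaces status as err-disabled, which is your cue to go and find the little blue box.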

The lesson here is that information only becomes knowledge when it's implemented correctly; a map is good to have, but knowing how to make a new map when needed is what separates the Net+ cardholders from the true network hackers.

l0gic 
http://www.l0gic.net - l0gic.net
http://www.l0gic.net/mentor.php - Project Mentor
Dare to learn.


source:http://www.whitedust.net/article/21/Securing%20Your%20Network:%20Removing%20Unwanted%20Devices/

PluggedIn: White lies help stressed computer users

SAN FRANCISCO (Reuters) - High-technology tricks once seen as the purview of hackers are now in the hands of ordinary people.

Gadgets these days are full of surprises, and not just in the 'gee whiz' sense of unexpected possibility, but also in their growing powers to manipulate or deceive.

Simple tricks allow you to appear to be hard at work in the office while actually forwarding calls, e-mails and instant messages to your mobile phone. You can backdate e-mails by rolling back a computer's built-in clock, or use background phone noises to concoct convincing excuses not to go to work.

"Instead of being a slave to technology, you can master it, you can make it look like you are working when and where you are not," said Marc Saltzman, 35, the author of "White Collar Slacker's Handbook" published in June.

Saltzman says computer trickery has become mainstream as not-super-tech-savvy people seek ways of coping with a 24x7 work culture and the increasing inability of people to dodge uncomfortable questions in an era of "always-on" broadband, mobile phone and instant messaging connections.

"Just because you can be reached everywhere doesn't mean you have to be in touch all the time," Saltzman said in a phone interview. "The question is how do you turn the tables?"

The book, published by technical publisher Que, provides a how-to manual for computer users to tell little white lies to deceive friends and colleagues.

But the ease with which technology can be used to bend the truth can just as easily be used for criminal activity such as identity theft and other crimes.

"Technology and computers have given dishonest people an ability to pretend that they're someone they're not," said Martin Reynolds, an analyst at technology research firm Gartner Group. "Now, if you have a minute amount of technical savvy you can wreak a lot of havoc."

He cited a recent case of nine-year-olds who scanned dollar bills into a computer, printed out the fakes and used them to buy snacks at their school's cafeteria.

"With an inkjet printer you can create virtually any document that you want to these days," Reynolds said.

Missed a deadline? No problem.

One simple trick to "reverse" time is to backdate the clock settings on your computer. E-mails will then appear to have been sent earlier. Of course, workers need to remember to reset their clock to the correct time afterward.

"It will certainly prove that you sent the e-mail when you said you did," Saltzman said. "You can just blame the delay on the network."

In Japan, the land of a thousand "face-saving" apologies, consumers can invent convincing-sounding excuses for bosses or spouses by using a small keychain device with prerecorded sounds that allows users to pretend to be where they are not.

"Alibi Intersection," as the device is known, comes with six buttons that generate noises such as driving a car, standing in a train station or hearing a front-door chime. A software version for mobile phones that goes by the name of SoundCover in Europe and Soundster in the United States is available.

The noises lend aural authenticity to excuses when played in the background of a mobile phone conversation.

Users of Microsoft Outlook, the most popular e-mail management program, can make their bosses think they are burning the midnight oil by composing e-mails that they set up to be sent out far later, say at 1 a.m.

In Outlook, under Options, the user can check the "Do Not Deliver Before" box. Then choose the time, and each subsequent message will be held in your outbox until the appointed hour.

Another trick is to sign onto instant messaging systems from home to make it look like you are already at work. If your boss isn't in the same office as you, it appears as if you are at work early. You can also decide whether to disable the away feature on your buddy list.

If you are really worried your boss may try to contact you, have the IM message forwarded as a text message (a separate mobile phone technology that works in similar ways to IM on computers), Saltzman suggests.

Analyst Tim Bajarin of research firm Creative Strategies said that while computer trickery has become a fact of life, it is concentrated among younger workers who are more comfortable with new technologies.

"The older computer user pretty much lets the computer lie. They won't tinker because they are worried they are going to screw the machine up," Bajarin said. "Most of this group hasn't figured out how to set their videocassette clock yet."

source:http://today.reuters.com/news/NewsArticle.aspx?type=technologyNews&storyID=2005-07-15T184648Z_01_N07344225_RTRIDST_0_TECH-COLUMN-PLUGGEDIN-DC.XML


Rise of the Professional Blogger

"Robert Scoble today points to a blogger who is claiming he earns between $10,000 and $20,000 per month via Google Adsense." From the article: "The cheque was the biggest cheque I've ever held onto (well the biggest I've held onto that has my name on it). The amazing thing is that in the month of May I earned more than I earned in a whole year in 2003 from a 'real job' (of course at the time I was only working a 3 day week while I studied part time) and well over half as much as I earned from Adsense in the whole of 2004."

source: http://slashdot.org/article.pl?sid=05/07/17/067201&tid=95&tid=98

Home Power Monitoring Hack

"You think your power bill is bad? I built a power monitoring system to monitor every circuit in my house with three second resolution for over a year. And while I had to rewire all my electrical to do it, I can now reconcile my electricity bill down to the penny... Of course when my wife figured out most of the bill was because of my computer gear I had to build her a dome, so reader beware!" From the article: "About a year ago I developed a web based power monitoring application for data centers. The application was designed to monitor thousands of individual branch circuits using current transducers at the breaker panels. Among other things, the data logging requirements were to provide one year of min/max/mean measurement data with one minute resolution per circuit. Since I had all the hardware for testing, I figured what better way to test things than to install it in my own home."

source:http://hardware.slashdot.org/article.pl?sid=05/07/16/1626241&tid=232&tid=222&tid=126&tid=159&tid=1

Got Spyware? Throw out the Computer!

"The New York Times (reg. required) has an article about a new response to spyware - throw out the computer and buy a new one. The notion is new computers can be had for $400 so it's a cost effective and 'rational response.'" From the article: "While no figures are available on the ranks of those jettisoning their PC's, the scourge of unwanted software is widely felt. This month the Pew group published a study in which 43 percent of the 2,001 adult Internet users polled said they had been confronted with spyware or adware, collectively known as malware. Forty-eight percent said they had stopped visiting Web sites that might deposit unwanted programs on their PC's. Moreover, 68 percent said they had had computer trouble in the last year consistent with the problems caused by spyware or adware, though 60 percent of those were unsure of the problems' origins. Twenty percent of those who tried to fix the problem said it had not been solved; among those who spent money seeking a remedy, the average outlay was $129."

source:http://it.slashdot.org/article.pl?sid=05/07/16/180221&tid=126&tid=172&tid=98
