Two things I have a hard time dealing with:
1. The smell of a fully-loaded commercial airplane
2. The smell of a hospital
Taken together, they don't make for an overly merry holiday season. I hope things don't become exceptionally un-merry.
I broke into 5 computers today (well, 4 servers and a Cisco router). They weren't my computers. I've never had root on a machine that wasn't mine before (although I have had root on some interesting, if not completely 100% legitimate, places), but today I was encouraged to compromise a bunch of machines in any way I could -- and I was even given tools to do so. It was hellaciously fun and 100% legitimate.
My friend Scott had me and some other local tech folks over at a hands-on presentation/demonstration at his place of work. Since Scott works for a company that "deals with national security", and his job (as I understand it) is to make sure that "people" can figure out how ne'er-do-wells are breaking into their networked computer systems by teaching them how to break into machines themselves, the subject of today's exercise was geared toward throwing us at an array of machines and seeing how many we could crack into. It was a contest, in other words. I didn't do too bad, I guess. Five out of 7 isn't so bad, I figured. For a newbie and all. It's my first time being a bad guy...
Scott's got this entire lab of a couple dozen machines set up with like 9 operating systems, some old workstations running Solaris, and a private network (off the 'Net). We had all these tools, and a 45 minute slideshow overview on network security, what tools people use, etc. Then we were given a host to log into and told to go at it. That's simplifying it greatly, but since I'd seen very few of the tools used, it was all pretty foreign. I'm used to looking at security from a "best practices" point of view. You keep everything patched, keep stuff turned off if you don't need it, look for intrusions on a regular basis, and so on. This was on the other side: we had to be the aggressor and get into these machines, and all we knew was their IP addresses.
So I had a good time today. Mostly it was a matter of nmapping the subnet, then nmapping each host in detail. Then you had to figure out what OS was running on that host (their version of nmap doesn't accept the -O flag, so that was sometimes fun), and what exploit was likely given that and some guesswork (hint, hint: even one password is a huge nugget for a bad guy to get, and if they can get one, it's way easier to get others). If you have a user account that can be accessed via a network connection, make sure it's a good one.
There's a really good tool called Hydra which will try a dictionary attack against nearly any common service. Everyone was running that today but for some reason, I couldn't get it to work. In fact, I never even saw what it gave as output until the very end of the day when Scott gave us hand-outs about how each machine could be cracked. I ran it and ran it, but never got anything out of hydra. I resorted to nmapping the target and trying all the tools I could think of that might apply. It was a little slower, but I got as many machines as everyone except Tony (who got all 7 plus one "bonus" machine that Scott had him go up against) and Kelly (who got one which I probably shouldn't have given up on; see below). In retrospect, I would have immediately run hydra (using the smaller password list) against every host once I first logged on and found what hosts were active. I'd have had 3 login accounts by the time lunch was done. And once you can log in, well...
The most annoying thing today was that after you mastered the basics, it got very rote. It boiled down to a fairly straightforward matter of correlating which tool worked against which particular operating system and its possible range of services -- you just had to find the tool! For example, if you portscanned a machine and saw that it was running ftp, ssh, finger, and sendmail (plus some other uninteresting junk), after some poking, you could find out the OS. And you could do this discovery in a very regular way, machine after machine. And once you regularly discovered what each machine was, and then regularly discovered what was on each machine, you could simply run through the directory of exploits Scott's team has set up for that OS, service by service. See a pattern? It's easily scriptable. Look at every machine, find every service, try every one, easiest first. My frustration was a matter of me wanting to do a brute-forcing of the inscrutability of Scott's tools and their lack of documentation (to his credit, all of the tools were written by hackers out in the wild, and so Scott can be forgiven for lack of helpful documentation -- command-line or otherwise). I just couldn't get past the feeling that me typing away trying to find that one certain exploit (which may or may not work) was a waste of a good algorithm.
I *seriously* considered writing a script that would do the above. Why didn't I? Well, I didn't really know the syntax of all the tools they had, although I could have scripted just a few of them and gotten good results. In fact, I'd say tool syntax ignorance was the major barrier to productivity (Scott, if you're reading this: Put up a default slide on hypothetical smbclient, nbaudit, nikto, john, hydra and [even] nmap commands). I also wanted to try things in a more hands-on way. You can't automate something very well unless you know what it is you are trying to automate. And the way I would have written the script, it would have needed way more than the 4 hour window it would have had to run (because while hydra might be cool and all, when it fuckin' segfaults -- for the SECOND TIME -- after an hour of trying to run it, you'd have to worry more about scripting-in some error handling than trying new exploits). I'm not all that fast a programmer, either. And I would have spent too much time looking at the code of the exploit tool (the plain-text ones anyway; I wound up finding a few bugs as it was, and that was curbing my "this-is-how-you-indent" anal-retentiveness). And I'm not getting paid to write code for Scott's company. :-) They have much smarter folks than myself who would have already written those tools if they had needed them, I figure. And (last "and", I swear) hands-on experience is what we were after. Writing custom tools on-the-fly is 1337 and all, but that wasn't the point of the exercise. And (sorry...) Tony didn't need any ad-hoc tools to get root on every possible machine, nor did Kelley need anything but perseverance to get access to every machine but one. I needed to get more Soviet and less German in my "pen-test" engineering.
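The other side of the Hydra-style dictionary attack described above is spotting it in your own logs. This is an added example, not code from the post or from the workshop's tool kit: it parses a constructed excerpt of sshd auth-log lines, flags any source address that racks up several failed passwords inside a short window (it also walks through the usernames tried), and reports whether that source then got an "Accepted" login, which is the one-password foothold the post warns about. The failure threshold, window length and log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth-log excerpt (not a real capture): one source runs a
# password list against several accounts and eventually gets in as "scott".
SAMPLE_LOG = """\
Dec 18 14:02:01 host sshd[4011]: Failed password for invalid user admin from 10.0.0.7 port 51012 ssh2
Dec 18 14:02:02 host sshd[4012]: Failed password for invalid user oracle from 10.0.0.7 port 51013 ssh2
Dec 18 14:02:02 host sshd[4013]: Failed password for root from 10.0.0.7 port 51014 ssh2
Dec 18 14:02:03 host sshd[4014]: Failed password for scott from 10.0.0.7 port 51015 ssh2
Dec 18 14:02:04 host sshd[4015]: Failed password for scott from 10.0.0.7 port 51016 ssh2
Dec 18 14:02:05 host sshd[4016]: Accepted password for scott from 10.0.0.7 port 51017 ssh2
Dec 18 14:10:30 host sshd[4020]: Failed password for tess from 10.0.0.9 port 40001 ssh2
Dec 18 14:10:45 host sshd[4021]: Accepted password for tess from 10.0.0.9 port 40002 ssh2
"""

# Classic syslog-style sshd password lines; "invalid user" appears for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2003):
    """Yield (timestamp, result, user, ip); the syslog year is an assumption."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def find_bursts(log_text, max_failures=4, window_seconds=60):
    """Map each source IP with >= max_failures failed logins inside one window to
    the failure count, the distinct usernames tried, and the user of the first
    successful login after the burst began (None if the source never got in)."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in parse(log_text):
        by_ip[ip].append((ts, result, user))
    alerts = {}
    for ip, events in by_ip.items():
        fails = [(ts, u) for ts, r, u in events if r == "Failed"]
        for i, (start, _) in enumerate(fails):
            users = [u for ts, u in fails[i:] if (ts - start).total_seconds() <= window_seconds]
            if len(users) >= max_failures:
                success = next((u for ts, r, u in events if r == "Accepted" and ts >= start), None)
                alerts[ip] = {"failures": len(users), "users": sorted(set(users)), "success_after": success}
                break  # one alert per source is enough
    return alerts
```

The second source (10.0.0.9) fails once and then logs in, which is ordinary user behaviour and stays below the threshold.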
All in all, I'd say today was one of the more poignant hacker experiences of my life, and I'd repeat it in a heartbeat. It's always good to be around people who know more than you do. Now that I have a half-clue on what their particular environment is like, I'd be all that much more into it.
When I got home, I wound up trying some of the tools I'd been exposed to today. I'm not doing too bad, as it turns out (my own hosts are way more difficult targets than what they had us crack today). Although if I go to a penetration-test workshop again, I'm either bringing my own keyboard and/or my own laptop. My wrists are killing me.
The department chair for the school at the university where I work just came by my office. Dressed as Santa. With a gift in an envelope. On the back of the envelope were two checkboxes, apparently reflecting the recipient's status on Santa's List. It would seem that I've been "naughty". Heh heh. Yeah. Naughty like a fox...
I got a $60 AmEx gift card for anything at UTC (a local mall). Not too shabby. Ain't no turkey, though. :-)
If you happen to be needing a new font, my brother Trey sends this nice cartoon font. Comes in both "smooth" and "corny".
Enjoy.
It was vaguely surprising to me that the most balanced, level-headed discussion on what to do with Saddam Hussein now that we've nabbed him comes from Arab News. The article makes a lot of sense. That really shouldn't have surprised me. There's no love lost on Saddam in just about any part of the world; hardly anyone is afraid of a bully after he's been beaten. I suppose I'm just not used to expecting rational thought out of any sort of fanatically religious people. (Lest anyone come to the conclusion that I have some sort of bias against Arabs, I don't. I'm making that statement irrespective of the brand of religion in question. It's axiomatic, and non-judgmental: faith denies reason, regardless of whether it's faith in Jesus, Allah, the lottery, rabbit's feet or the Great Pumpkin.)
What to do with him? The answer is pretty clear: Let Iraq have him. If they want to kill him, let them. If they want to imprison him forever, that should be fine as well. If they want to let him go, then so be it (as unimaginable as that outcome might be, for this whole justice-and-peace thing to work we'd have to respect their decision no matter what it turns out to be). They had to live with him for the past generation, so they should get the final say-so as to what happens to him now that his rule is over. It's only right. They paid the price for his leadership.
I don't see the Iraqis being terribly just in meting out their justice. I'd certainly find it difficult to be an impartial juror at his trial, and I was never subject to his tyrannical rule. You'd kind of understand if the Iraqis went a little hard on Saddam. Regardless of whether or not the verdict would be fair, a trial in Iraq by Iraqis seems like the only reasonable thing to do. And it's probably the only way to ensure that we don't have Arab conspiracy theorists stirring up trouble for years to come. Can you imagine what sort of fantastical stories could be invented if we tried Saddam here? Or in Europe? They might as well try Saddam in Israel if they want to try him in the U.S. I'm no expert on Arab relations by any stretch, but it seems to me that there might be a lot of traction in the notion of "He is and has been an Arab problem, to be dealt with -- finally -- by Arabs."
I was no fan of the war to be sure (I think you better have some pretty damn good reasons for attacking a sovereign nation), but letting the Iraqis take care of Saddam will have made our efforts there more like we've done them a service in their interests (as well as ours).
There's this song I really like called "Caravan". It was written by Duke Ellington way back when and it's just a great tune. It's a great song in the same way that the theme to Johnny Quest was a great song. It sounds good on the guitar, piano, harp, mandolin, or the trumpet, with bongos in the background or with a vibraphone accompaniment. It just sounds good no matter what style it's played in, who's playing it, or what it's being played on (even the normally ass-tastic solo flute!). And that's a good thing because it's been recorded by a lot of people over the years. I've got 44 versions of the song so far and I've been meaning to get them all for a while now. As many as I can, at least, without resorting to buying Caravan compilation CDs. (Ha! There's an actual market for variations on the Caravan theme, so I'm not the only one, Tess!) EMusic.com has been very helpful in my searches.
Imagine my joy when my uncle John sent me this list he found of everyone who's recorded a version of Ellington's classic tune:
There are some artists missing -- the list doesn't include such greats as Claw Hammer or the Nashville Mandolin Ensemble, for example -- but that should keep me busy for a while.
So I'm trying to re-subscribe to the Gallery project's announcement mailing list from their page of mailing lists. I got this error:
Mailman CGI error!!!
The expected gid of the Mailman CGI wrapper did not match the gid as set by the Web server.
The most likely cause is that Mailman was configured and installed incorrectly. Please read the INSTALL instructions again, paying close attention to the --with-cgi-gid configure option. This entry is being stored in your syslog:
Failure to exec script. WANTED gid 33, GOT gid 48. (Reconfigure to take 48?)
I've been getting errors on sourceforge.net since this afternoon. Looks like someone has been building new boxes. I hope SourceForge's problems don't involve a compromise.
tess, Toddler, Wy and I all had a great trip to AZ for a Thanksgiving in PHX, plus a shooting trip at the cabin. Todd and Wy liked the shooting quite a bit, and we all had a really fun time. (Pics and movies of them shooting Uncle John's .50BMG rifle are coming soon.) The shooting trip got me to thinking about going shooting in California (which sounds oxymoronic, I know). Tracy and I only went one time, and that was back in the late 90's. I was thinking that it would be fun to go out sometime closer to home.
Well, this was certainly interesting reading. I also got a particular kick out of this page of general "Assault Weapon Characteristics". Sounds like they could also be describing some defense weapons too, but I might just be thinking too clearly.