RearViewMirror.org
   November 22, 2008 Lillian. Nice name, that. (She was born December 1, 2006.)
 


 
  Saturday, June 23 - Can You Say "Uh-Oh"?

While I was working yesterday, I got a message from a friend down in Phoenix. He mentioned that his workstation at work had been cracked. This intrigued me (how in the heck can that happen?!?) so I asked for more details. It seems that their office - a web development office which shall remain nameless - has no network security whatsoever. Multiple T1 lines into the business, and no firewall. None. No restriction from hitting any box in the office, workstation or server. None. Zip. Nada.

My friend (we'll call him "John Doe") didn't seem overly concerned by this. Now granted, John's a developer. A good one, one of the best I know, but a developer nonetheless; computer security and systems administration are not his strengths, nor should they be, really. Unfortunately, computer security and systems administration don't seem to be strengths of the company's administrator, either. So after hearing some of the details of the attack (nothing fancy, it's an ordinary Windows 2000 Professional workstation - essentially unpatched, too) and the security system or lack thereof, I asked John to do me a favor - take his chair, find the sysadmin, and beat him with it until either the chair or the admin broke. I know, we can't all be experts at everything - hence the reason I don't expect John to know everything about security or networks. His job is to write code, something he does much better than I ever could. The administrator though... how in the hell do you pass yourself off as a professional systems administrator without understanding basic security practices?

So, anyway. We continued to talk casually about various issues, and he asked me if I could help diagnose a problem with his home machine. Sure, no problem. Symptoms are that the hard drive occasionally locks itself solid with activity, it's more sluggish than it should be (a nice dual-600 MHz machine, I believe) and - coincidentally with the hard drive problem - his broadband network connection gets very slow.

Uh-oh.

"John, what's your home IP?"

He tells me... I ssh to my home workstation (since the AT&T firewall blocks ICMP and most TCP/IP) and fire up nmap. Let's see... nmap -v -sT should do the trick. (Normal TCP/IP scan as opposed to a "stealth" or other sneaky scan, in verbose mode) Fire it off at John's home IP address and wait. Hmm. SMTP, IRC, Listen, nntp, netbios, and a bunch of other ports. Check back with John - no, they shouldn't be open. Unfortunately, John's been hit two-for-two. Possibly three-for-three, since his wife's machine is similar to his and just as exposed. Oh, John. Sorry, pal, it happens to the best of us... but it's time for a little primer on network security, some cash for a firewall (probably the LinkSys everyone seems to like so much) and some time getting comfortable with our friend Mr. FDISK. Sorry, John.

The good news is, John didn't lose anything valuable - all his data and code were backed up in other places, and the cracker appeared to be mainly interested in obtaining another DDoS slave, not in gaining information. He also didn't cover his tracks very well, and before John fdisks his drive he's going to create a Ghost image of it and send it to me. So, that's what I'll be doing shortly - picking through the files, tracing things back and piecing a few things together. The other good news is that John's learned his lesson cheaply - and next time, it won't be so easy for the bad guys.

Gotta run - we're off to attend a wedding. Bye...


Wednesday, June 20 - Busy, Busy, Busy

Long day today. Three meetings, two of them via telephone, a couple of problems, some hardware evaluation (technical term for playing with a Compaq DL360) and a fire drill. (Seems the company is concerned because our procedures were not well developed when we had the earthquake earlier this year, so they decided to practice.) So it's been a long day, and Keri and I have decided we're going to take some time on Sunday to go canoeing. Where? On the open ocean, of course. <G> Well, not exactly, although we will be paddling on salt water. The strait between Camano and Whidbey Islands is reported to be an excellent, fairly low-traffic area for paddling kayaks and canoes, plus there's a handy state park with beach and picnic area on Camano there, so we'll probably play there for a while. We'll see.

For the next few weeks, I'm going to be in training. Next Thursday and Friday, I'll be taking a class in a new Microsoft product, MIS. Two days, $2500. Sometime in the next month, it looks like I'll be travelling to take another class, this time in a program called "NetIQ", which is a monitoring software package for Windows. It has a lot of power behind it, and I'm looking forward to learning more about it.

Let's see, what else... oh, I have another new computer. An old Packard Bell "Legend 790" 486, upgraded with a DX4-100 processor I had in the spare-parts pile. 16 MB of RAM, and a 1.6 GB hard drive. I'm going to use it as a development server for a few things, including Fido and a few other projects kicking around in my head. Haven't named it yet; I've got the hardware running, but I haven't gotten around to installing an OS. We'll see how that goes; I need to find spare time before I can actually do anything with it, and that's a pretty rare thing these days. Sorry the log's been so dull lately; I haven't had much time for deep thoughts or exciting projects. However, I can recommend a couple of links that are at least worth the time to read them. The first is at LinuxPlanet.com, an article on writing about Open Source. The second is an odd story on Guerrilla News Network, which I'm not quite sure I believe - but I'm not quite ready to dismiss it, either. That one's very long and very, very densely packed with information; don't read it unless you've got lots of time to spare. Last but not least, for a bit of humor, try this one for size:

I dunno why, but that really tickled me. The site is SinFest.net, and it's... it's... well, it's good, but it's not for everyone. There's some rough language, some - err - inappropriate material now and again, and so on. If you offend easily, don't follow the link. If, on the other hand, you like irreverent satirical humor, splashed with touches of plain ol' "cute" humor, and the occasional social commentary - then check it out.

And that's enough for me for the night. I have to get up and do this again tomorrow...


Tuesday, June 19 - Decisions

I've decided to discontinue the weekly columns. I know, I haven't been doing them for very long, but unfortunately I don't have much choice. When I started doing them, my weekends were mainly free and unscheduled; it made it easy to write the column, since I could come up with an idea early in the week, then just find a few uninterrupted hours on the weekend to write it up. Now, however, my weekends are fairly full; family, friends, events, and temperatures 40 degrees lower than what I was experiencing this time last year are all conspiring to keep me away from the computer and out of the house. Which, in the long run, is probably a good thing, although I need to find a way to explain that computers don't cause me stress - work causes stress. Computers are a part of work, but they are not the stressful part, usually. So when I come home and work on a computer, that doesn't mean I'm not relaxing. Honest. <G>

And speaking of stress, it's time for work. More later...

 

