The Hacker Factor Blog

According to news reports, China is now the world's second largest economy. However, I still equate their exports with cheap plastic, consumables (the opposite of durable goods), and low quality network exploits.

That's right: low quality network exploits. I mean, seriously, if the domain is hosted in China and is not a ".gov.cn" domain, then it is likely a scam site -- spam, phishing, malware, or cheap knockoffs. Sure, there are a few legitimate .cn domains that are not ".gov.cn". For example, www.google.cn, baudu.cn, and kaixin001.com come to mind. However, legitimate sites are the extreme minority. In contrast, I can immediately name hundreds of non-Chinese .com, .us, and even .ru sites that are legitimate (even if I don't include PayPal in the list).

Then again, maybe I just have a biased viewpoint. Having spent decades tracking spam, scams, phishers, and the like -- and constantly seeing China in the loop -- I cannot help but have this bias.

Network Attacks

My web site, like most other web sites, is constantly under attack. Most of the time, the attacks are blind scans. The attacker tries an exploit without first checking if the site is vulnerable. If the attack fails, they move on. If the exploit succeeds, then the automated attacker will quickly compromise the server.

Most attacks use one or two queries. For example, I'll see in my logs a query for "/login.php" and then a second query for the same non-existing file. However, if the attacker comes from China, then I can see 40 or more of the same query coming from an entire subnet of hostile systems. I consider this to be a stoopid attacker: if it didn't work 39 times, then the 40th time probably won't work either.

What likely happened is that some kiddie has a subnet of attack bots and told all of the bots to attack one URL rather than having them each attack different sites. Stupid attack x 40 = very stupid attacker.

Directed Attacks

I've had a couple of groups try to hack my web site for the purpose of stealing my image analysis source code. I know this, because they did blind guesses for things like "sourcecode.zip" and "imagesrc.tar.gz". For the record: I do not keep my source code on this web site. Never have, never will.

Most of these attacks came from China, and I strongly suspect the Chinese government. The attacks began last November, a few months before China was accused of hacking Google. At one point, I uploaded a zip file of hard-core Chinese porn and used a regular expression to match their query and feed them the file. Suffice to say, they stopped their attack for a few months.

The Latest Sad Attempt

I recently had a comment posted to my blog that was so unbelievably obvious as to make me wonder: How much of an idiot do they think I am???

In reference to: http://www.hackerfactor.com/blog/index.php?/archives/317-Backhanded-Apology.html
User IP-address: 205.209.142.173
User Name: louis vuitton
User Email: chenchen21621@hotmail.com
User Homepage: www. louis vuitton handbags. org WARNING: Do Not Visit! Possibly hosts malware. Spaces added to deter people from clicking on it.

Comments:
Thanks for your posting; I really appreciate your ideas. Hope you can keep going.
This is a really great website, and I really like your essay. Thanks for your sharing.

So let's count everything that is wrong:

1. While I have had some big names write into my blog, I kinda think that Louis Vuitton would know how to capitalize his own name.
   
2. I doubt that Louis would use an email address of "chenchen21621@hotmail.com".
   
3. The IP address traces to Fremont, California.

However, it is the claimed homepage that is the true joke. For example, all over the web site they spell the name "Louis vuitton" (forgot to capitalize the surname). The domain for the real "louisvuitton.com" site is registered to "Louis Vuitton Malletier" in Paris, France. But this faker's domain name is registered to some guy in China:

louisvuittonhandbags.org has address 63.223.106.237
Domain ID:D159724340-LROR
Domain Name:LOUISVUITTONHANDBAGS.ORG
Created On:23-Jul-2010 09:43:49 UTC
Last Updated On:23-Jul-2010 09:43:53 UTC
Expiration Date:23-Jul-2012 09:43:49 UTC
Sponsoring Registrar:Bizcn.com, Inc. (R1248-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:orgfl79878227718
Registrant Name:fang li
Registrant Organization:bai shen ke ji
Registrant Street1:wenshanzhuangzuzizhiqu
Registrant City:wenshanzhou
Registrant State/Province:Yunnan
Registrant Postal Code:663000
Registrant Country:CN
Registrant Phone:+86.8762654874
Registrant FAX:+86.8762654874
Registrant Email:zhucepo9@163.com
Admin ID:orgfl79878228061
Admin Name:fang li
Admin Organization:fang li
Admin Street1:wenshanzhuangzuzizhiqu
Admin City:wenshanzhou
Admin State/Province:Yunnan
Admin Postal Code:663000
Admin Country:CN
Admin Phone:+86.8762654874
Admin FAX:+86.8762654874
Admin Email:zhucepo9@163.com
Tech ID:orgfl79878228397
Tech Name:fang li
Tech Organization:fang li
Tech Street1:wenshanzhuangzuzizhiqu
Tech City:wenshanzhou
Tech State/Province:Yunnan
Tech Postal Code:663000
Tech Country:CN
Tech Phone:+86.8762654874
Tech Phone Ext.:
Tech FAX:+86.8762654874

The web site itself appears to be a functional shopping site, but it is certainly a scam. They say the site was established in 2007, but the copyright says 2008 and the DNS registrations says... last month! (Created On:23-Jul-2010 09:43:49 UTC)

Going through their check-out process is equally fun. The only shipping option is "USPS" (United States Postal Service), and the system seems to hang before transferring you to some third-party web site (that I've never heard of) for handling credit card payments. Unfortunately, the link failed... probably because I use the NoScript plugin and it identified a possible XSS attack.

Even more offensive... Why would a site called "Louis Vuitton Handbags" carry items from competing designers like Gucci, Burberry, Coach, and Prada? And why would Vuitton offer fashion items that are a few years out of style? (This is a fashion faux pas that is criminal!) The IP address used by this site also hosts luxurybags-mall.com, salestiffany.com, saletiffanyjewellery.com, and shoptiffanyjewellery.com.

This site is a scam. Most likely, they will take your credit card information (if they ever fix their link) and go for identify theft. I wouldn't rule out malware. At best, they might actually sell you a cheap, counterfeit knockoff made by some kid in a sweatshop.

Over the last few months I have had friends and associates contact me about hacked web sites. In each case, someone (or something) planted hostile URLs on their web pages. These URLs would redirect visitors to porn sites or serve up viruses. Worse: these URLs would be embedded everywhere -- in HTML, in PHP, and in back-end databases.

The question they always ask me: What should I do?

It is easy to tell people that they should have a disaster recovery plan in place. However, few people have one. Other pre-attack advice, like hardening servers, changing defaults, and installing filters is great advice, but is usually ignored. In my experience, the sites that have taken simple steps and have plans in place are not the ones usually compromised. The common compromises are directed at non-technical users who installed default software and ignored even basic maintenance.

Post-Compromise

So let's say you have a default WordPress or Wiki or Blogger installation. It isn't a question on whether your site will be compromised or infected. The only question is when. And like most people, you haven't maintained your software (applying patches, upgrading as needed), don't have backups (your ISP does that, uh, right?), and haven't removed default files or hardened the system. What should you do after a compromise?

There are plenty of good checklists out there. Some examples include:

• http://www.freehostia.com/blog/webhosting/site-hacked-what-to-do.html
  
• http://www.malwaredomainlist.com/forums/index.php?topic=3122.0
  
• http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html
  
• http://www.antiphishing.org/reports/APWG_WTD_HackedWebsite.pdf
  
• http://codex.wordpress.org/FAQ_My_site_was_hacked
  
• http://www.webdevelopersnotes.com/hosting/website_hacked_what_to_do.php3
  
• http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
  
• http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

While each of these sites gives good advice, there is no single consensus regarding appropriate steps. My own checklist is a little more detailed and extreme.

Neal's Post-Compromise Checklist

Nobody wants to have their site compromised. However, like auto accidents, bad things happen. If you were not paying attention (like texting while driving or not applying system patches) then bad things are more likely to happen to you.

Here are the steps that I usually recommend to people with compromised web sites:

1. Stay calm. Only the WordPress checklist included this advice, but it is very valuable. Now is not the time to panic, place blame, or get angry. Compromises and exploits go hand in hand with technology. Don't panic, deal with it.
   
   
2. Check your own systems for malware. There is no point in fixing the server if your own workstation is infected. It is actually very common for a home computer to be infected and used to gain access to your public blog or web server.
   
   
3. Take the site offline. Most e-commerce companies really don't like this idea. However, which is more important? Making a sale, or compromising your customer's credit card and tarnishing your reputation because your site was hijacked? Shut it down. Put up a temporary "We're upgrading, back in 48 hours" message.
   

   
   After you take your site offline, check to make sure it really is offline. Some attacks actually hijack your domain name (DNS entry) and not the server itself. If your site still looks online, has the DNS server been compromised? Your DNS registrar and/or domain hosting provider can usually help you in this situation.
   
   

4. Make a full backup. This includes all files, scripts, and database records. Yes, it is infected. But if you don't have backups then this is your only option.
   
   
5. Grab your logs. You will need these to identify how the attack was done, when it happened, and who else might have been infected. This includes system logs, web logs, and any other kind of log file. Grab it first and see if you need it later.
   
   
6. Evaluate the compromise. What kind of attack was it? Were they after "a site" or "your site"? Was the attacker looking for low hanging fruit or was it personal? Most malware, like the kind that inserts links, are automated. They scan for known vulnerabilities and infect anyone they find. If you were compromised this way, then it is likely because you have a default configuration with a known vulnerability (known to the attacker).
   
   Defacements may be automated or semi-automated. They scan for sites with known vulnerabilities and then they either automatically or manually deface the site.
   
   E-Commerce theft is usually associated with an initial automated vulnerability scan. The scan is followed by a manual compromise that is customized for the site. However, if you use a very common e-commerce package, then the compromise may be semi or fully automated.
   
   Personal attacks are always manual compromises.
   
   It is important to recognize that automated attacks are almost never against custom code. They look for known vulnerabilities in default installations. If you change the defaults, move default files, or otherwise filter and harden the site, then automated attacks are very unlikely to succeed.
   
   
7. Look for similar attacks. Are other people running the same software getting attacked? Perhaps you need a patch. Is it everyone on the same server or in the same hosting environment? Maybe someone should maintain the system. Is it all of your accounts? Perhaps your computer has a virus.
   
   
8. Change passwords. Between taking the server offline and changing passwords, attackers will be kept out while you repair the system. (Hopefully.)
   
   
9. Wipe the system. There is only one thing people hate more than being told to turn off an e-commerce site, and that's being told to wipe the system and reinstall from scratch. But seriously, the inserted URLs and malware may only be the part that you notice -- much more may have been done to the system. There could be backdoor software, trojans, or embedded viruses that cannot be removed by a simple system restore. By wiping and reinstalling, you ensure that all malware is gone.
   
   
10. Patch. Bring the system up to the current state of the art. While you're at it, harden the system and change all system defaults.
    
    
11. Restore. You do have backups from before the compromise, right? If not, then install basic software (like blogs and wikis) and harden them first. Then place custom software on the system. Finally, restore content. Be sure to validate that the content is not infected. You can do this by reviewing the content before uploading it. (What? Review your 10,000 blog entries? Yes. There is no point in removing the malware from the server if you're just going to upload it again.)
    
    
12. Change passwords again. Passwords before the patch and restore could have been compromised.
    
    
13. Watch. Now you can turn the system back on. If the attackers come back, then you didn't patch or restore something. (And now you have experience to recover much faster!) Watch your logs and IDS and try to determine how they exploited your site. If the logs show nothing, then you know which parts of your site were not responsible for the attack.
    
    
14. Blame. This is everyone's favorite part. If you don't have logs, don't regularly patch or update, and don't maintain the system, then you cannot blame anyone except yourself. Security is a moving target -- software that was secure yesterday may not be secure today. Unless an administrator did something completely stupid, such as posting login credentials in a public forum or actively assisting the attacker, then there probably is nobody else to blame. Blame the management.
    
    Too many times I have seen management blame developers or software for compromises. For example, if your old version of WordPress was the source of the compromise, then they will blame WordPress even when newer versions are available. (Let's blame the software instead of ourselves for failing to maintain and harden the systems.)

Having your site compromised isn't fun, but it isn't the end of the world either. Stay calm and address the problem. Treat it as you would any other learning experience.

A couple of days ago I wrote about my need for wireless network capabilities when traveling, and my fear of becoming an early adopter of new peripherals. The feedback I got back was amazing. A few people posted comments but nearly a dozen people wrote to me directly with advice, suggestions, and horror stories.

The feedback identified three classes of solutions:

Standalone hubs. There is a class of 3G router that connects to the network and acts like a local WiFi hotspot. As long as your computer can talk regular 802.11 (a/b/g/i/whatever), it can connect to the hub. The hub connects to the 3G network, giving you Internet access. Dr. Silk recommended the MiFi 2200 from Verizon. I gotta agree with him -- this looks like an excellent solution, especially for residences that cannot get cable or DSL but with 3G coverage (like my friend who lives a few miles outside the city limits). The downsides are not too extreme: claimed 4 hour battery life (forums make it sound like 2 hours with heavy use) and tied to Verizon's 5GB limit for an expensive $60/month. Again, if you can keep it plugged in and have a couple of people at home using it, then $60/month isn't bad at all.

Tethered. A tethered solution is where you have a USB cable going from your computer to your cell phone. The cell phone provides the modem/router support and connectivity to the 3G/Edge/4G/etc. network. As long as your cell phone works, you should have network connectivity. This is a great solution for anyone with a smartphone (like the iPhone or Android) -- particularly since you are probably already paying for the bandwidth and you're just not using it.

Every now and then I looked into smartphones. Right now the battery life isn't acceptable for me. My current phone can go nearly a week with heavy use (well, heavy use for me) before needing a charge. It can go nearly 2 weeks if I rarely use it and leave it turned on. My EeePC gets about 7 hours per charge and that includes heavy use (programming and compiling and networking). In contrast, most smartphones last 4-8 hours at best.

In my case, I don't have a smartphone. While I do have a cell phone, it is almost always turned off. (I don't like cell phones and I only use it when traveling.) I'm actually on a pay-as-you-go plan and I usually spend about $100 a year on the phone. For my use model, the prepaid option is a great and inexpensive choice. For this reason, I cannot justify getting another phone (a smartphone to replace my Motorola v195) for the sole purpose of having network access when I travel.

Frankly, I'm griping about paying $10/day for Internet use at hotels. For the $60/month plan, then means I need to stay at hotels more than 6 days per month for this to be a viable option. And this doesn't take into account the $50-$200 price of the smartphone with a 2-year commitment. (Some smartphones are free with a 2-year contract, but they are either not iPhone/Android, or are running older operating system versions.)

USB Dongle. At first glance, these USB dongles seem perfect for me. The calling plans are usually not as expensive as a smartphone, there's no extra power supply (it runs off the USB power), and the use model is intended for laptops and travelers. However... these dongles are not just regular modems.

My Bad Experience

After a lot of soul searching, I finally settled on the T-Mobile webConnect USB dongle. As I understood it, there is a 200MB plan with overage fees and a 5GB plan with no overages for $40. And best yet, T-Mobile is having a sale, so the webConnect is only $20 instead of $45 (with 2 year contract). While the device only says that it supports Windows and Macs, there are plenty of people in the forums who say that have it working for Linux.

Well, spoiler alert: nothing is as it appears.

Remember the old days when modems spoke that Hayes "AT" control code stuff over a serial port? It didn't matter what kind of computer you had as long as you spoke RS232 and used the standard AT command sequences. That's not the case today. +++

Today, the USB dongles do speak the AT command set (with additional commands for broadband negotiation). However, there is nothing standard about how you access the modem. There are three types of devices on the market right now, and if you choose wrong, you'll get screwed.

Plain modem or NIC. There are a few USB dongles that plugin and look either like a serial modem or like a network interface card. These have out-of-the-box support by most Linux distributions. Unfortunately, these seem to be limited to the older devices. Some don't support 3G and most have no means for supporting the new 4G and HSPA+ networks.

Dual device and ZeroCD. The description from the usb-modeswitch package for Linux describes this very well:

Several new USB devices have their proprietary Windows drivers onboard, especially WAN dongles. When plugged in for the first time, they act like a flash storage and start installing the driver from there. If the driver is already installed, the storage device vanishes and a new device, such as an USB modem, shows up. This is called the "ZeroCD" feature.

Most versions of the T-Mobile webConnect device are in this category. If you put it in and it doesn't work as a serial modem, then install the usb-modeswitch package. This will temporarily turn off the ZeroCD feature and allow you to access the modem.

Total software solution. Beginning last December, a few manufacturers began to roll out "lite" versions of these USB modems. From what I can tell, they totally removed most of the firmware and do most things in software. I suspect that this was done more for cutting hardware costs than for any actual performance or flexibility gain. Unfortunately, there is unlikely to be any Linux support unless the manufacturers port their code to Linux.

Hear No Evil

At the time I was doing the purchase, I specifically asked about Linux support. The woman who was helping me at the T-Mobile store wanted to make sure too, so she called their technical support. The first two people she spoke with didn't know what Linux was. (OMG! Are you kidding me? It's 2010! My Grandmother knows what Linux is! Every sales person in the store knew about Linux! And this is the T-Mobile technical support?)

She finally reached one technical support person who basically said, "Does it work under Linux? I should know the answer to that, but I don't know and there really isn't anyone else if I escalate this." Since the Linux forums had many success stories with the webConnect (before I knew about the "lite" versions), I decided to risk it. Bad choice on my part.

As it turns out, the $20 "on sale" device from T-Mobile is actually a Huawei UMG1691 (also called the E1691). The 1690 and 1692 are ZeroCD devices and appear to be supported by usb-modeswitch. The 1691 is a lite version and only has software for Windows and Mac. After a few days of fighting with it, doing much more homework, and even calling tech support, I finally learned about the UMG1691 -- it is a total software solution and will never work under Linux (without additional software that doesn't exist today).

See No Evil

At this point, I had two options: return it or exchange it for a different version. As long as your CPU isn't running at a full load, the performance between the ZeroCD and Lite devices should be similar. I gave it a quick try in my Mac desktop system to see if it was worth exchanging. I ended up noticing two things.

First, the bandwidth was limited to 200MB. Huh? I paid for the 5GB and no overages for more than the advertised $40 price. Well, the offer on the web site doesn't match the offer in the store. In the store, it is 200MB with or without overages. The store does not offer an Internet-only plan for $40 with 5GB and no overages.

After you go over your monthly limit, they either charge you $0.05 per MB or nothing (no overages). In the latter case, they simply reduce your bandwidth.

So how fast is the bandwidth? My Mac's benchmark reported at about 400KB per second down, and much less up. Uh, I deal with computer forensics. I'm usually transferring very large files -- CDs or DVDs or on some occasions, multiple DVDs. For me, 1MB per second is slow and 400KB/sec is unacceptable.

T-Mobile is Evil

The upside is that I was allowed to return it to T-Mobile within the 2-week window for a refund. (I was 3 days into the contract.) No connection fee, reimbursed for the hardware, and they waved the 1MB of bandwidth I used (no prorating service since I couldn't get it to work on the desired system). However, they did keep a $10 "restocking fee" that was buried in the fine print. (Had I known that there was a chance of failure and a $10 restocking fee, I would have passed on this experiment.)

So to summarize: (1) Stay away from the UMG1691 like the plague -- it is the 3C501 of the USB wireless broadband world, (2) watch what they are selling and make sure it matches their offers on the web site, (3) if you have the option to use a hub or tethered solution, do that instead of the USB dongles, and (4) ask about any restocking fees -- even if they tell you that you will get a full refund within a 14 day grace period.

Finally, I have to think that there is something seriously wrong with the mobile phone market. Every store I went into (T-Mobile, Verizon, AT&T, and Sprint) had a huge number of customers hanging around. T-Mobile, Sprint, and AT&T each had a person adding names to a waiting list. In each case, the majority of customers were not there to buy -- they were there seeking returns, refunds, or corrections. The last time we saw something like this, the housing market collapsed and huge numbers of people defaulted on loans. Are we heading toward a communication breakdown since the phone companies are investing in an acceptable level of service?

When I was much younger (and had hair), I was an early adopter of new technologies. I had a touch screen on my computer back when this meant affixing a semi-transparent plastic sheet to the monitor and plugging it into the joystick port. I had one of the first Apple ][c computers (with amber monitor), I remember the excitement when EGA superseded CGA graphics, and I actually bought AMI Pro when it first came out for OS/2.

Unfortunately, there are three big problems with being an early adopter. (1) New technology is usually buggy, (2) new technology lacks support, and (3) new technology will probably become outdated quickly. The plastic touch screen didn't work very well and was very hard to program. Touch screens didn't become popular until the technology matured -- two decades later. EGA was quickly replaced by VGA and SVGA. And AMI Pro was so buggy that I ended up writing my dissertation in WordPerfect. (I still think that 1992's WordPerfect 5.2 is better than today's Microsoft Word.)

Due to my past experiences, I'm rarely an early adopter of new technologies. For example, I didn't buy my first DVD player until years after DVDs came out. Shortly after DVDs came out, there was a rumor about a better technology. Just as records were replaced by CDs overnight, I didn't want to start buying DVDs when everyone was switching to HD DVDs. I waited until I was sure that DVDs were not superseded. And I'm glad I waited; BluRay beat out HD DVDs, but the slow adoption rate tells me that my DVDs won't be outdated in the near future. (I know two guys who spent a small fortunes on their betamax and laserdisc collections.)

Wireless Broadband

More and more, I'm finding myself in situations where I need network access. Hotels, for example, either have very slow access for free, or no access at all. I hate driving 10 miles to find a bookstore or coffee shop that has free WiFi, and I cannot justify spending $12 to $25 per day for a hotel's paid Internet service. Besides the outrageous prices, there are limitations regarding when the 24-hour period ends. Some hotels are 24-hours from purchase, others are noon-to-noon or midnight-to-midnight. And if you shutdown your computer, then you may forfeit your paid 24-hour service.

More than once, I've found myself in an airport or parking lot and needing Internet access. I almost missed a contract because I couldn't get Internet access during a two-hour layover -- I had to wait 5 hours before I could get online.

Because of this, I've finally decided to break down and buy one of those wireless broadband services. Oh, what a nightmare! Right now, I'm just pricing and comparing services. Some of the things I have found so far:

• Unless you go with one of the big four (Sprint, Verizon, AT&T, or T-Mobile), you will likely not have coverage outside of a limited number of metro areas. Cricket's coverage map, for example, says that they don't offer 3G over most of Silicon Valley.
  
  
• Most either want a 2-year contract (with a $200 - $400 cancellation fee) or offer a no-contract option. Currently with T-Mobile, the only difference is the cost of the device (no contract means paying full price for the device), but there is no difference in the monthly rate. Verizon has a no-contract rate that is really expensive. They want as much as $15 per day for the days you use it (that matches most hotel's $12-$25 rate, and I don't have to buy a special device for hotel Internet access and hotels usually don't have a bandwidth limit).
  
  
• They all seem to offer two to three levels of Internet access. The lowest level is usually 50MB to 250MB per month. The mid range is 3GB to 5GB per month (a DVD is 4.7GB, so you can do the math -- it's 2-3 Hulu feature films per month). A few providers offer "unlimited" bandwidth, but then you're talking $60-$80 or more per month. That's really expensive for something that I really would only use when I am not in the office.
  
  
• Every single one of them says that they support Mac and Windows. Uh, what about Linux? I have that "Early adopter means buggy code" fear...
  
  
• While nearly all wireless broadband providers support 3G networks, some provide support for newer networks. For example, Sprint is rolling out their 4G network. T-Mobile is offering "HSPA+". And WiMax isn't dead yet. To me, this sounds like DVD vs BluRay vs HD DVD all over again -- but with a two-year contract that will lock me into the loser. I really want to wait until this settles out, but I'm hitting a business necessity.

Measuring Network Usage

Each of these services charge based on bandwidth usage. However, they don't really tell you much about it. For example, is 250MB per month a lot or a little -- for checking email, surfing the web, and doing basic business tasks (not downloading videos or playing online games).

While there are many programs for measuring real-time network usage, I couldn't find a program to tell me the cumulative total usage. Command-line programs like 'netstat -i' show the total number of packets, but not the total number of bytes. 'ifconfig' and 'nload' show the current byte totals, but that's from the start of the network interface and not from when I say "start measuring now!"

Anyway, using nload, I decided to monitor my network usage. Checking email, reading the web sites I usually read (CNN, USA Today, Photoshop Disasters, Facebook, and typical Google searches), and running VNC over SSH to access my office systems.

The net result? I consumed 50MB in the first 30 minutes. That's half of the allocation of Verizon's $15 pay-by-day plan and 25% of T-Mobile's monthly 200MB allocation. Over the course of the day, I will probably use between 200MB and 750MB of bandwidth. (I'm not always surfing the web.) Any plan offering less than 1GB per month is an expensive rip-off. (Your mileage will vary based on how you use the Internet.)

Fortunately, I'm only going to need this type of service for 1-2 hours per day and not more than 10 days per month. That comes out to about 20 hours at 100MB per hour, or 2G per month. However, that's based on today's usage. I'm very likely to see overages as I approach the middle of a 2 year contract and my needs expand.

Defcon!

Defcon is coming up next month. One of the big problems with Las Vegas is that there really is no good, free Internet on the Strip. Krispy Kreme (in Excalibur) and Coffee Bean and Tea Leaf (Planet Hollywood) offer hit-and-miss free WiFi -- when it works, it works well enough, but when it is down, they rarely know how to reboot the router. All of the Starbucks (in every hotel) only offer fee-based services -- if they offer WiFi at all. The Apple Store in the Fashion Mall has free WiFi, but that isn't exactly convenient. None of these free locations are open 24-hours a day.

Nearly all hotels offer fee-based Internet in your room. Some are wireless only, others have wired but you might need to bring your own cable. (I've been in too many hotel rooms where the in-room network cable was busted.)

Defcon does offer free WiFi to attendees, but I won't go near it. It is an actively hostile network. Even if you are not worried about someone hijacking your SSH or SSL connection (with client-side certs), they can still DoS your connection and attack the server's IP address. Oh, and don't think that Tor or SSL (without client certs) will save you -- last year, I heard that the Wall of Sheep ran their own Tor node as well as used man-in-the-middle attacks on SSL.

With Defcon coming up, I'm looking for a solid, reliable, secure-enough solution for Internet access. If I go 3G, I still won't use it at the conference... but back at the hotel room should be fine. (Right?) Is 3G the way to go? Are there other options? Which providers are best and include support for Linux? Hopefully this year I will guess correctly and choose well for the duration of a two-year contract. Oh, and what do people use in other countries? I might travel in the future and BlackHat in Europe sounds fun!

Last week was entertaining. I had the opportunity to assist in an interesting project -- part development, part forensics, and part penetration testing. Fortunately for me, I had a couple of Firefox plugins that really made the work easier. All of these plugins can be found by using the Tools -> Add-Ons menu under the Firefox web browser, or by going to https://addons.mozilla.org/en-US/firefox/.

NoScript

The NoScript plugin is an absolute must-have. As far as I am concerned, it should be part of the default Firefox installation. This plugin stops all JavaScript, Flash, and other objects from automatically starting. You can also block access to some web servers, or if you really like a site, then you can add it to a white-list of permitted, trusted sites. If there happens to be something you want to run, you can permit it on a case-by-case basis.

From a user's viewpoint, this is awesome. You don't have to worry about an unknown site sending malware to your browser. In my case, I didn't want to download videos, Java, and other stuff that would waste my CPU cycles and bandwidth.

Httpfox

When evaluating any kind of web-based service, either as a developer or as an auditor, you need to know what is being transmitted across the network. Usually I use Wireshark or Snort. The problem is, these only work well if you use HTTP and not HTTPS. With HTTPS, you cannot see the traffic inside the tunnel (without compromising the tunnel).

Fortunately, I had Httpfox. This plugin is like having Wireshark in the browser! It shows you all data that the browser sends and receives -- the URLs, request and response headers, cookies, post data, and query parameters.

This plugin is great for auditing, but does have a few minor limitations. Specifically, if any of the values are longer than the visible fields, you don't get scroll bars. You can work around this by copying values to the clipboard, but that isn't an ideal solution.

Firebug

While Httpfox shows the network traffic, Firebug shows the HTML content. And this isn't just the HTML that was sent to your browser... it is the HTML that is displayed. If the web page includes JavaScript or active CSS content that alters the web page, then Firebug will show you the rendered values.

Besides viewing the page, you can also edit the currently-displayed web page. If you are testing parameters, playing with web forms, or trying out different style sheet settings, then this is a must-have.

Finally, you can click on the little arrow icon and it enables an inspector. As you hover the mouse over various elements on the web page, Firebug displays the active HTML elements (both HTML code and style sheet values). As a web developer, you've probably had times where you wondered "Where do I define that border?" Well, the inspector quickly answers this.

Add N Edit Cookies

This plugin is an oldie but goodie. Httpfox shows you queries, but does not allow you to edit. Firebug allows you to change the active HTML, so you can edit query parameters and URLs, but you cannot alter cookies. The "Add N Edit Cookies" plugin completes the set by allowing you to view and edit cookie values. (There are two versions of it. One is for older browsers and the other is for newer browsers.)

There are a couple of other plugins for editing cookies. However, I like this one because it is simple to use.

All Together

With these four plugins, we were able to easily access our web services, debug the network traffic, view and test dynamic web content, and even validate cookie settings. With NoScript, we were able to restrict the content that the server sent to the browser and control exactly when different calls were made.

In the old days, we would need to hack the SSL tunnel and use custom scripts to manage queries. Today, we can evaluate and modify the system in real-time and with just a few plugins.