Confession Time (I've been away for a week!)


Steve Gibson

Jan 23, 2013, 2:34:35 PM
to portable-so...@googlegroups.com
Gang...

I have a confession to make: I was pulled away from this project one week ago and it's still going to be a few more days before I can come back... though I'm desperate to!

While reading through the Security Now! mailbag for last week's Q&A podcast, I encountered a listener's idea and request that REALLY caught my attention.  It was so important that I was forced to suspend all of my work on the uC-based pulse-density-modulation sine wave generation.  Since then, I have been working on the development of the first significant new security-related service to be offered by GRC in... well... I guess since the Password Haystacks concept.

On the other hand, it's only because of GRC's site traffic, and the occasional purchase of SpinRite, that I'm able to play here as I have been.  So I guess I have paid my dues for the several months I have spent so far on this side project.  I'll be back in a few days!... and I can't wait!  :)

/Steve.

Kindanyume

Jan 23, 2013, 3:18:01 PM
to portable-so...@googlegroups.com
No worries Steve.

Bills never quit sadly.. so I'm sure we all understand in spades!

Steve Gibson

Jan 24, 2013, 10:33:09 PM
to portable-so...@googlegroups.com
UPDATE...

I nearly finished implementing the new GRC service today.
But after 12 uninterrupted hours, I'm exhausted.
So it's going to be sometime tomorrow.

These things never finish "cleanly", so I know there will be some trailing off of work on loose ends, typos, etc.  There always is.  But I do plan to get back to the TrebleShooter work while pre-release feedback is coming in.  :)   And I can't wait!!!

/Steve.

Steve Gibson

Jan 25, 2013, 7:18:27 PM
to portable-so...@googlegroups.com
Gang...

I have completed all of the work on GRC's forthcoming SSL Certificate Fingerprinting facility.

The site is too busy right now (during the day) for me to put the new technology online, since I need to dump everyone off, abort all underway downloads, abort all running instances of ShieldsUP!, and so forth.  So I'm going to wait a few hours for things to slow down before I shut down to reload the server and bring it back online.

In the meantime... I am going to switch back to the v2.2.2 project design in order to resolve my burning questions about the best inverter for that self-oscillating design to use.  I have the feeling that eliminating input hysteresis would be a good thing.  I've had five or six different inverters sitting there that I've been dying to experiment with.  :)

More soon!

/Steve.

Steve Gibson

Jan 26, 2013, 1:05:58 PM
to portable-so...@googlegroups.com
A Minor Setback...

So I put the new "SSL Connection Fingerprinting" system online last night.  It survived for a few hours, but pretty quickly collapsed under the load of GRC's traffic.  :(   Unfortunately, what was worse was that it also took down our eCommerce processing back-end, since I have been using the same cryptographic library (which collapsed) for years to securely connect to the merchant service provider who processes our customers' credit card transactions.  Consequently, the new service is offline and I'm back to the drawing board this weekend to build a new and more robust solution.

In case anyone is interested, here's a large and long PNG snapshot of a typical web page generated by the system:


So it's going to be a few days more before I'm able to return here full time.  And I am envious of those of you who are playing with "resonant tubes" and get to be having the fun of first discovery!!

I won't be the least bit surprised if a month from now we have all moved past the "tweeter" stage and onto our own designed and built resonating tube acoustic projector technology.  I know that I need to provide the auto-tuning power amplifier and driver for that... so I'm going to get back to it as soon as possible!

/Steve.

Kindanyume

Jan 26, 2013, 1:49:26 PM
to portable-so...@googlegroups.com
Ahh some days you're the hydrant

Steve Gibson

Feb 7, 2013, 6:43:56 PM
to portable-so...@googlegroups.com
Gang...

As of an hour ago, two out of three priority GRC projects are completed.  I have one to go before I can come back here full time and write the variable-frequency uC firmware.

GRC's new SSL connection fingerprinting facility is finished.  As you may recall, that's what originally yanked me away from here several weeks ago. It's not yet live on the site because GRC's main server has been acting SO flaky lately (that's project #3) that I dare not touch it when it's up and running. But the next time it crashes, the new code with the SSL Fingerprinting technology will go live.  If anyone's curious, here's a long .PNG image of the new service's page:
(You'll need to zoom-in since it's LONG and thus THIN if your browser attempts to show you the whole image at once.)

Then, as any of you who follow the podcast will already know, Tuesday before last HD Moore (of Rapid7 & Metasploit fame) revealed his research showing that 81 million home and small office routers were exposing their UPnP management interfaces to the public Internet.  That was so horrible that I suspended the work on the fingerprinting and quickly added a test for that UPnP exposure to GRC's existing ShieldsUP! system.  Once that work was completed I switched back to wrapping up the SSL Fingerprinting addition... which is now done.

But all the while, GRC's aging server has been generating errors like never before.  I believe it's date related since it began about a month ago out of the blue after the server had been running error-free since last June when I last tweaked some bits.

I have had replacement server hardware here since December of 2011 -- yes, more than two years.  But there was always something more interesting to do than build up and configure new servers.  So the hardware just sat.  <<sigh>>  But the good news is... I'm ready to do with replacing GRC's servers immediately.

So THAT is what I'll be working on until it's done... THEN -- and I really can't wait! -- I'll be back here to work out the details of a slick variable-frequency sine wave driver for use in further experimentation and development of the resonating chamber devices.

Thanks for everyone's patience!

/Steve.

Kindanyume

Feb 7, 2013, 6:50:41 PM
to portable-so...@googlegroups.com
Nice to hear.. Might get to the latest podcast today/tomorrow if I'm lucky.

And 2 yrs? holy crap.. too bad you're not located closer or I'd
have done it for you ages ago!
However since I'm on the opposite side of the continent.. makes the
commute a bit of a bitch :P

Steve Gibson

Feb 13, 2013, 1:05:12 PM
to portable-so...@googlegroups.com
Gang...

The day of my return is approaching!

Last night I brought the shiny new replacement GRC server online... and it's a thing of true beauty:  Four highly over-provisioned, high-performance Single Level Cell (SLC) SSDs in a RAID 6 configuration which allows ANY TWO of the four to partially or completely die without ANY effect on data integrity.  And drive write-wear is further minimized with an Intel caching RAID controller having half a gigabyte of battery backed up cache RAM, with a "write-back" policy (not write-through) so that multiple overwrites to the same SSD region are retained in RAM and are NEVER written out to the drives until that cache region is needed for some other data.

I'm in love with the new system... though I also pulled an all-nighter last night, since there were some important details to iron out, and I didn't want to be frequently rebooting the machine during the U.S. daytime.  And with the podcast this morning... well... I'll sleep VERY well tonight.

I still have a collection of loose ends, which is always the case after a big project such as this.  But I'm salivating to get back here and play with all this cool stuff!

More soon!

/Steve.

Kindanyume

Feb 13, 2013, 1:08:29 PM
to portable-so...@googlegroups.com
/me swipes that cool raid setup for my personal system! (j/k)

Steve Gibson

Feb 18, 2013, 3:21:29 PM
to portable-so...@googlegroups.com
Hey folks...

I'm still working my way back here.

The new GRC server is up and running and is a sheer joy.  But I had a bunch of remaining loose ends to deal with in order to wrap up all of the changes that I made.

That was before my #1 employee's (sales manager / office manager / bookkeeper) GRC workstation died catastrophically during some sort of freak power surge / outage late last week.  I kid you not.  If it's not one thing it's another.  We had backups, of course, but the separate backup drive had apparently died, separately and silently, last September 3rd.  So the job of putting Humpty-Dumpty back together again has taken the past four days.

So now that's behind me and I'm back to working to wrap-up the work at GRC to stabilize everything.  There are some remaining details (such as something funky with server-side-included files having their ACL permissions changed so that they stop working... and things like that).

I want to get back and get THIS project stabilized, finalized, and documented... but I still have some other things to nail down.  I just wanted to let everyone know that I was NOT going to be dropping this the way I did last summer (before it ever really got going).  We've come WAY TOO FAR for that... and I have too many burning questions that await answers.

So... thanks for everyone's endurance and patience!

/Steve.

Kindanyume

Feb 18, 2013, 5:53:33 PM
to portable-so...@googlegroups.com
No worries SG... most of us have been there.. and understand very well
how shit can hit the fan and all you can do (if you are smart) is
DUCK.. and then continue on ;)

Steve Gibson

Feb 26, 2013, 12:47:32 PM
to portable-so...@googlegroups.com
My status...

Hey Everybody!  I miss this place!  I'm making steady progress, but I have more to do...

This past Sunday afternoon (a day and a half ago) I replaced the new GRC server which I brought online ten days before with a newer GRC server.

For the past 13 years, GRC had been quietly running in a Windows 2000 Server... which was getting older and older (aren't we all.)  Because I didn't want to move TOO far forward in one jump -- I was very concerned about compatibility problems with GRC's large server codebase if I were to make too large a jump -- I chose to move to the FIRST release of Server 2008.  That move did, in fact, cause all sorts of trouble, but nothing that I couldn't work around.

But after familiarizing myself with Server 2008, and specifically its lack of the more recent SSL/TLS security protocols, I decided that I had not moved forward enough.  Since -- and while -- the task of configuring GRC's custom software was fresh in my mind, I decided that NOW was the time to move to the major SECOND release of Server 2008.  So that's what happened late last week and this weekend.

So... GRC is currently running on Windows 2008 R2.

The GOOD NEWS is that all crashing of GRC's servers immediately stopped with the somewhat emergency upgrade to Server 2008 Tuesday before last.

The BAD NEWS is that there ARE still some persisting troubles with the site under the new server(s) -- which is why I'm not already back here. (The move to Server 2008 R2 did not make anything worse (it just made us more future-proof).  These things were also not working under the initial R1 release.) The problems are not huge, but I need to get them fixed before I'm able to turn my back on them and return full time -- as I am still desperate to -- to here.

The trouble, in case you're curious, is that a number of different "variables" are not updating or displaying correctly.  For example, on GRC's main "intro" page, the count of ShieldsUP! users no longer updates:  https://www.grc.com/intro.htm  It shows the value retrieved when the server starts up, but then it never changes, despite the fact that about 11,000 people use ShieldsUP! every day.  At the moment it's showing "92,196,046" and it will until I restart the server.  :(  And the site also shows page counts on most pages... but they aren't working either.  I doubt that these are going to be hard to fix, but I need to figure out what's no longer working, and why.

The flip side of this delay is that once I get back I believe I'll be able to stay until we have wrestled the variable frequency design to the ground.  :)

/Steve.

Kindanyume

Feb 26, 2013, 4:15:33 PM
to portable-so...@googlegroups.com
wb

but I'm surprised you are not using a *nix base instead of winbloze..
esp given your skill level.

Steve Gibson

Feb 27, 2013, 4:19:18 PM
to portable-so...@googlegroups.com
Kindanyume...

> but I'm surprised you are not using a *nix base instead of winbloze..
> esp given your skill level.

It's the fault of history and investment.  Were I to do it today I would steer as FAR AWAY from Windows for my server platform as I could possibly get.  I would be using FreeBSD Unix and be much happier.  I DO run a FreeBSD Unix server which hosts GRC's very nice NNTP (old school) newsgroups (running INN) and also GRC's master DNS server (running BIND 9).

But I've been doing this from before the Internet. So I became a Windows developer when AT&T's UNIX license was $100,000 and only educational institutions had it.  There was no Linux or other real Unix clone.  It was Windows.  So I used Windows NT4 as my server platform and began writing code for it.  Today I have a MASSIVE investment in "ISAPI" (Internet Server API) code that hangs off of Windows to provide all of the services GRC offers.  I wrote my eCommerce system the same way... and everything else.

And... it's ALL in 32-bit assembly language.

So while I might (and do) wish that I was today less slaved to Microsoft's proprietary operating systems... the cost to switch is unthinkable.  :)

/Steve.

Kindanyume

Feb 27, 2013, 4:50:04 PM
to portable-so...@googlegroups.com
Now that makes sense.. and I've been in IT since long before the
inet as well. though I don't have anything slaved to M$ personally..
other than most clients I have use winbloze. (If I were only doing
*nix I'd be out of a job lol)

as for asm.. nice to hear.. I was never stellar at such for what
coding I did.. but a friend in Europe used to translate my pascal into
I-ASM.. which made it work almost as good. (he is unbelievable in
ASM.. he does that as I do breathing)

As for the investment... sad :(... very sad!!!

Maybe one day that will change :)

Esp given your talents!

Kyle Smith

Feb 27, 2013, 7:09:29 PM
to portable-so...@googlegroups.com
Steve,

Do I recall correctly, that as a consequence of a persistent DDoS attack, you actually wrote your own custom tcp/ip stack?  In assembly naturally.  If yes, do you still employ it at grc.com?  Even on the newer server?

Never stop working with Microsoft software.  You have served the larger community because you had to find your own solutions to compensate for Microsoft's security issues.  Had you been using OpenBSD all these years, as I do, you'd likely have become one of the BSD faithfuls, and consequently, would have had a much smaller impact on the Nation's overall security.  You have to actually use Microsoft servers to be motivated sufficiently to develop solutions that make a difference in a world where Microsoft servers, for good or ill, are the dominant market leader in business.

As for me, I simply can't sufficiently protect Microsoft servers to let them in my lab.  It's just a matter of numbers.  Since Microsoft is so popular, why would a serious hacker spend their valuable time writing exploits for any other OS? I think the problem with the Microsoft code base represents a real and present danger to National Security.  Unfortunately, there is very little that the government can do to fix the problem, except to produce regulations respecting compliance with security protocols within the government itself. 

The NSA tried to work with vendors to make a secure version of Linux with their contributions to SE Linux, but very few actually use SE Linux in its most secure mode, because it breaks so much software whose authors have failed to write strict profiles for their own programs. Linux, by itself, is simply not a secure OS, despite the general public viewpoint to the contrary.

Well, enough off topic ramblings from an opinionated retired old man like myself.  A new generation of programmers must lead the way now.  We need all the best fresh minds to lead us into the future. I'm afraid we will need quite a few people with the skills you possess, and a proper appreciation for the enormous size and complexity of securing our networked infrastructure to keep us safe.  And then there is the human aspect to security, for which there is little hope of solving with technology.  

Best wishes,

--
Kyle Smith, MS, MD (retired)
--

sigpoggy

Feb 27, 2013, 9:59:46 PM
to portable-so...@googlegroups.com
Steve,
Speaking of before inet, in the small world category I was surprised to hear you mention Bob Bosen on security now. Bob and another guy started a computer security company called Enigma Logic back in the 80's and I was the second employee they hired. They had this idea that you could make a device that would dispense a one time use password for two factor authentication. I helped with the design and programming of the device and server side software. I worked with Bob for many years. He is quite the character - and he does love wearing a white lab coat!

And speaking of machine language, I was tasked with writing fast DES code for the 8086. All I had to work from was the hardware spec for building a DES device. I ended up with code that blew away all the competitors.  I was fond of saying my code was faster than the processor since certain sequences took longer than the sum of the discrete machine cycles for each instruction.

Ah, the good ol' days...

Kindanyume

Feb 28, 2013, 7:16:28 AM
to portable-so...@googlegroups.com
ahh.. the history!! And while you were doing that I was busy
cracking c64 games and generally finding interesting ways to make
commodores do things they said couldn't be done back then. LOL

Steve Gibson

Apr 3, 2013, 2:12:56 PM
to portable-so...@googlegroups.com
Hey Gang!

Yesterday, I FINALLY took GRC's latest new service public:  https://www.grc.com/fingerprints.htm

I expect it to be a long-lived service, like ShieldsUP! has been, which will grow in popularity and usage as word of it spreads.  It creates a means for allowing users to easily detect when their SSL "secure" connections are being superstitiously intercepted and monitored.  It was VASTLY more involved than I expected... but it's DONE.

/Steve.

Kindanyume

Apr 3, 2013, 2:13:51 PM
to portable-so...@googlegroups.com
sweeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeet :)



JohnB

Apr 3, 2013, 2:35:55 PM
to portable-so...@googlegroups.com
Another really cool tool! I look forward to seeing organizations "outed".
Steve, you may have meant surreptitiously there, but there's probably some superstition involved too:)

Steve Gibson

Apr 3, 2013, 7:16:12 PM
to portable-so...@googlegroups.com

> Steve, you may have meant surreptitiously there, but there's probably some superstition involved too:)

Hah!  Right you are!  :)

/Steve.

sigpoggy

Apr 4, 2013, 5:59:22 PM
to portable-so...@googlegroups.com
That's great Steve.

I have a suggestion. Just before the "What's this about" have a link to the how to see a page's certificate fingerprint and brief description of matching the fingerprints with your reference to determine if you are being intercepted. This would be handy for those who understand the issue and just want to make the check. Could possibly be titled something like "How to check if you are being intercepted".

Looking forward to your return here...

Steve Gibson

Apr 5, 2013, 3:50:11 PM
to portable-so...@googlegroups.com
Gang...

Big projects never wrap up in an instant.  And that's the case with the new HTTPS fingerprinting service.  Google is confusing MANY people, since Google is able to sign their own certificates, and they have proliferated certificates all having different certificate fingerprints.  And several site owners have asked if they could have a means of placing a simple link on their site that takes their visitors to my fingerprinting service with THEIR domain name automatically filled-in and fingerprinted.  Since that would be great for our traffic... I need to get that done.  And during the past month I altered my long-running ShieldsUP! service just a bit... in a way that is now showing some ports "Closed" rather than "Stealth" when their ISP is preemptively blocking dangerous ports.  So I need to fix that.

My point is... I'm fighting to get back here, and I will.  I'm closer every day.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

But this is what I have been wanting to mention:

Once I'm able to put everything else behind me again, I am NOT going to pick up EXACTLY where I left off:

You guys may recall that I was deep into the enjoyable challenge of generating a sine wave "pulse density modulator" which would drive a high voltage H-bridge digital switch in order to put a varying (average) AC high voltage across our piezo transducer.

But thanks to some of the initial results from those of you who were playing with the resonant tube concept, I may have been SAVED from what would end up being a significant waste of time.  If the whole resonant tube concept doesn't bear up, then our entire need for a continuously-variable high voltage sine wave source disappears.  And MUCH as I would have LOVED (and was loving) the idea of coaxing our incredibly underpowered microcontroller into generating such a pulse-density stream... the world is really beginning to scream for an update to SpinRite v6.0 (which is now 9 years old).  And I have a bunch of other loose ends that I really hope to wrap up before that.

So...

One of the things I did summer before last, when I first launched this group and created those initial pages, was to acquire a gorgeous high-end lab bench power supply for $830.  It can deliver up to 12 amps regulated continuously variable from 0 to 60 volts.


And I also have several high-power digital switching audio amplifiers which can deliver a high-voltage sine wave from a low voltage (1v), high-impedance, input.

And there's a perfect little app for the iPhone and iPod Touch called simply "Oscillator", which can generate a sine wave with continuously variable frequency and voltage, where you can set the high and low frequencies to move between.

My point is... rather than working for weeks to create a high-volume $4 high-voltage sine wave amplifier (which we might not need)... I am going to spend half a day to quickly assemble a one-off $1200 lab bench sine wave generator solution for use in IMMEDIATELY determining whether acoustic resonant pipes work at all, and IF they work, are they SUPERIOR to the $2 tweeters.

If that ENTIRE concept is a bust, we should know definitively in a few days.  If it is, then a LOT of time has been rescued.  And if it isn't... then I'll have renewed energy for the $4 sine wave generator!  :)

/Steve.

Kindanyume

Apr 5, 2013, 3:52:40 PM
to portable-so...@googlegroups.com
No worries Steve.. we'll be here :)




Stuart Ward

Apr 10, 2013, 7:28:33 AM
to portable-so...@googlegroups.com


On Wednesday, 3 April 2013 19:12:56 UTC+1, Steve Gibson wrote:
> Hey Gang!
>
> Yesterday, I FINALLY took GRC's latest new service public:  https://www.grc.com/fingerprints.htm


There is a chink in this page that could allow it to be defeated. In that the page contains the fingerprints and the web-proxy has access to this content. So it could replace the fingerprint strings on the page with its own fingerprint. You could make this more difficult if the quoted fingerprints were inserted as image files, rather than text. I know this will irk you Steve, turning a few bytes of text into many bytes to make an image, but that would make it much harder for a web-proxy to replace the fingerprint value.

Stuart
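
The point raised in the post above, modelled as an added example (not part of the original thread and not GRC's code): a reference fingerprint that arrives over the same intercepted channel can be rewritten to agree with the interceptor's certificate, so only a reference obtained over an independent path exposes the mismatch. The certificate bytes, page layout, use of SHA-256 and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# A fingerprint is only a hash over the certificate bytes, so any two distinct
# byte strings are enough to illustrate the comparison.
SITE_CERT_DER = b"constructed-DER:CN=www.example.test,issuer=Public CA"
PROXY_CERT_DER = b"constructed-DER:CN=www.example.test,issuer=Intercepting Proxy CA"

# 32 colon-separated hex pairs, i.e. a SHA-256 fingerprint as displayed to users.
FP_PATTERN = re.compile(r"(?:[0-9A-F]{2}:){31}[0-9A-F]{2}")


def fingerprint(der: bytes) -> str:
    """SHA-256 of the certificate bytes as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so 'ab cd' and 'AB:CD' compare equal."""
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")


def same_fingerprint(a: str, b: str) -> bool:
    return hmac.compare_digest(normalize(a), normalize(b))


def service_page(domain: str, fp: str) -> str:
    """Hypothetical plain-text page a fingerprint service might return."""
    return f"Fingerprint for {domain}: {fp}\n"


def page_as_seen_through(page: str, proxy_fp: Optional[str]) -> str:
    """Model the channel: None is a direct connection; otherwise a middlebox
    that rewrites every fingerprint string on the page to its own."""
    if proxy_fp is None:
        return page
    return FP_PATTERN.sub(proxy_fp, page)


def check(browser_fp: str, page: str, out_of_band_fp: str) -> dict:
    """Compare what the browser shows against both kinds of reference."""
    on_page = FP_PATTERN.search(page).group(0)
    return {
        "in_band_match": same_fingerprint(browser_fp, on_page),
        "out_of_band_match": same_fingerprint(browser_fp, out_of_band_fp),
    }


def run_scenarios() -> dict:
    genuine = fingerprint(SITE_CERT_DER)
    proxy = fingerprint(PROXY_CERT_DER)
    page = service_page("www.example.test", genuine)
    # 'genuine' as the third argument stands for a reference obtained over a
    # path the middlebox does not control (assumption of this example).
    return {
        # Direct connection: browser sees the site's own certificate.
        "direct": check(genuine, page_as_seen_through(page, None), genuine),
        # Intercepted: browser sees the proxy's certificate and a rewritten page.
        "intercepted": check(proxy, page_as_seen_through(page, proxy), genuine),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```
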

Kindanyume

Apr 10, 2013, 1:12:52 PM
to portable-so...@googlegroups.com
an excellent point Stuart :)


