Security

Journal: SW Firewall Saga Continues...

Journal by Masa
I spent last night playing with Symantec Client Firewall version 7.1.2.1021 including our corporate SCS2 Baserule set 9 (so it seems to be a creation of our brilliant IT department).

First of all, even though I cranked the Symantec Firewall security level up to High, I was still able to access TCP ports greater than 1024. This means that, for example, MS SQL Server (1433/tcp) is wide open. And of course an unpatched MS SQL Server has known vulnerabilities.

Also, I was able to perform a port scan of several interesting TCP ports without the firewall reacting at all.

Symantec Firewall provides a mechanism for detecting possible intrusions by checking whether someone is performing a port scan and banning the IP address in question for about 30 minutes. But if you do a port scan by opening ports normally (so no SYN scans or anything like that) and slowly enough, then Symantec doesn't detect anything. I was able to do a port scan by probing one port every 30 seconds and the firewall didn't react at all. (By the way, this "slow attack" is described in the sci-fi novel Neuromancer by William Gibson.)
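To make the evasion concrete, here is an added example (not code from the original journal, and not Symantec's detection logic, which is not published here): a minimal threshold-based port-scan detector of the kind the firewall's intrusion detection appears to implement, run over constructed connection-attempt records. Its window, threshold and source addresses are assumptions chosen for illustration. It shows why one probe every 30 seconds never accumulates enough distinct ports inside a short sliding window, and that counting distinct ports per source over an unbounded horizon catches the same scan.

```python
# Added example (not from the original journal): a minimal threshold-based
# port-scan detector run over constructed connection-attempt records. The
# window, threshold and addresses are assumptions for illustration only.
from collections import defaultdict, deque

# Same port list the Tcl scanner below in the journal uses.
PORTS = [13, 20, 21, 22, 23, 25, 80, 110, 113, 135, 139, 443,
         445, 1433, 6667, 6881, 8000, 8080]


def detect_scans(events, window, threshold):
    """Flag sources that touch `threshold` distinct destination ports within
    `window` seconds (window=None means "ever", i.e. a per-source lifetime
    count rather than a sliding window).

    events: iterable of (timestamp_seconds, src_ip, dst_port) in time order.
    Returns {src_ip: timestamp at which that source was first flagged}.
    """
    recent = defaultdict(deque)  # src_ip -> deque of (ts, port) still in window
    flagged = {}
    for ts, src, port in events:
        if src in flagged:
            continue  # already banned; a real firewall would drop the packet
        q = recent[src]
        q.append((ts, port))
        if window is not None:
            # Drop probes older than the window; with 30-second pacing only
            # a handful ever coexist inside a 60-second window.
            while q and ts - q[0][0] > window:
                q.popleft()
        if len({p for _, p in q}) >= threshold:
            flagged[src] = ts
    return flagged


def make_scan(src_ip, interval, start=0):
    """Constructed log of one full-connect scan of PORTS, one probe per `interval` s."""
    return [(start + i * interval, src_ip, p) for i, p in enumerate(PORTS)]


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
FAST_SCAN = make_scan("192.0.2.10", interval=1)    # 18 probes in 17 seconds
SLOW_SCAN = make_scan("192.0.2.20", interval=30)   # the journal's 30-second pacing
MIXED = sorted(FAST_SCAN + SLOW_SCAN)               # both sources interleaved

if __name__ == "__main__":
    WINDOW, THRESHOLD = 60, 5
    print("60 s window:", detect_scans(MIXED, WINDOW, THRESHOLD))
    print("no window:  ", detect_scans(MIXED, None, THRESHOLD))
```

With a 60-second window and a threshold of five distinct ports, the one-second scan is flagged at its fifth probe while the 30-second scan is never flagged: at most three of its probes are ever inside the window at once. Removing the window (counting distinct ports per source for the life of the state table) flags the slow scan at its fifth probe too, at the cost of more state per source; that trade-off is the whole reason slow scans work against short-window detectors.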

Finally, I created a situation where I opened a connection to a third-party proxy with SSH tunneling to port 8000 on my work laptop and allowed remote connections (I was using PuTTY). Then I launched a port scan from a remote location (i.e. over the Internet). With the scan I was able to detect that port 8000 was open, and I created a connection through that port to the third-party proxy server. So I was able to surf the Internet anonymously by using my "Symantec secured" machine. All the time the Symantec Firewall settings were at "High".

The biggest flaws I'm able to point out are:
  • No warning when letting PuTTY access the Internet.
  • No warning when a port scan has been performed.
  • No blocking of incoming connections. Not even a warning!

Note that there isn't anything fancy in what I was doing. The above is just a proof of concept which shows how easy it is to work around a software firewall if the settings aren't set correctly.

With Symantec Client Firewall it was just a matter of running a simple wizard to create a "Deny All" rule in the firewall software, which prevents any incoming connections from the Internet. I can't understand why our IT department hasn't done this. It seems that they are willingly leaving the machine wide open.

Anyway. Why am I writing this? I just want to let off some steam, because this has been the stupidest thing from our IT department so far. There are so many things wrong with this scenario that I even have a hard time remembering all the details and situations where things have gone wrong, and how much damage could be caused both inside our local network and from the public Internet.

Finally, here's my quick hack for a port scanner, written in Tcl:

# List of ports to be scanned.
set portlist [list 13 20 21 22 23 25 80 110 113 135 139 443 445 1433 6667 6881 8000 8080]

# Returns true if the port can be opened (a full TCP connect). Otherwise returns false.
# Note: a filtered port makes the blocking connect wait for the OS timeout.
proc check {host port} {
    if {[catch {socket $host $port} s]} then {
        return false
    }

    close $s
    return true
}

# Scans a list of ports and reports results to the standard output.
# The 30-second pause between probes is what keeps the scan below the
# firewall's port-scan detection threshold.
proc portscan {host list} {
    puts "Scanning $host..."

    foreach i $list {
        set port [format %5d $i]
        if {[check $host $i]} then {
            puts " Port $port is open."
        } else {
            puts " Port $port is closed."
        }
        after 30000
    }
}

# Entry point: scan the host given as the first argument, defaulting to localhost.
proc main {argv} {
    if {[llength $argv] < 1} then {
        set host {127.0.0.1}
    } else {
        set host [lindex $argv 0]
    }

    portscan $host $::portlist
}

main $argv

(How wonderful is that? No indentation. Thanks Slashdot!)

Security

Journal: Boneheaded firewall rules

Journal by Masa
I have to say that the IT department of my employer doesn't have a clue at all.

They forced a new installation of a Symantec Firewall package onto my computer (thanks, AD!). This new installation automatically disables the built-in Windows firewall. Well, that's fine except there seems to be a teeny tiny problem with the Symantec rule set. It doesn't block anything at all from the outside!

Well, of course my machine was hit immediately when this happened. Now I have the Windows firewall re-enabled and I hope that the Symantec application doesn't disable it again.

The worst part of this story is that there seems to be no way to report this situation to anyone so that the rule sets could be fixed. At the moment I'm writing this, the IT department is happily installing this defective rule set on all of our computers. Nice to know that there will be tens of thousands of machines vulnerable in our own local network. It will take just one contaminated machine to bring down the entire company.

User Journal

Journal: Mandrake

Journal by Masa
Mandrake 10.1 is just awesome.

I'm a die-hard Slackware fan and it has been the distro of choice for me for the last 10 years. But last night I tried Mandrake 10.1 on my HP laptop and I'm just stunned.

The HP ze4423 has some quirks and sometimes a Linux installation is quite an adventure, when I have to dodge all the ACPI/APIC/LAPIC/USB/PCMCIA stuff and try to find my way to a successful installation. The laptop itself is nice and it works great, but unfortunately most Linux distributions ship a kernel with some very specific kernel options turned on, which make them incompatible with my laptop. But Mandrake... well, it seems to have everything set up correctly for my machine. Right out of the box. Amazing.

I didn't even know that there is an Xorg driver for the ATI Radeon IGP 320 chipset available.

User Journal

Journal: Aspell and Opera

Journal by Masa
Wow! I learn new things almost daily when I'm using the Opera browser. I just noticed that it's possible to check spelling in Opera by installing Aspell.

Aspell, by the way, is a great open-source product.

User Journal

Journal: Behold the ultimate power of Tcl

Journal by Masa
In just 36 lines of code (including comments) I created an mp3 streaming server, which can serve multiple clients and stream multiple mp3 files one after another from a given source directory. I'm using it for my private talk-show "radio station".

Tcl as a scripting language just doesn't stop amazing me.

User Journal

Journal: Headless Install

Journal by Masa
Last weekend I upgraded my Linux firewall from Slackware 9.0 to Slackware 10.0. The problem was that I don't have a monitor. And this upgrade process included replacing a hard drive and partitioning and formatting it, so an upgrade over the network connection wasn't an option. The only tools I had at hand were a keyboard and a CD-ROM drive. So, what to do?
  1. Plug in the keyboard.
  2. Get a bootable Slackware CD.
  3. Insert the CD and boot the machine with it.
  4. Get and install Bochs on your other machine.
  5. Create a disk image for Bochs with identical geometry information to your new hard drive.
  6. Start the Slackware installation from the CD ISO image in Bochs.
  7. Do all required steps in the Bochs environment and mimic all key presses on your headless box.
  8. Remember to carefully configure the network connection and leave sshd on.
  9. Reboot and log in to the freshly installed Slackware box over the SSH connection.
  10. Finish the installation and configuration over SSH.

And that's it. A smooth installation, which reminded me why the command line user interface is so cool. With a graphical installer this kind of thing would not be as easy to pull off.

Afterwards I realised that it would have been so much easier to just plug in the new hard drive as a slave, partition it and install the base system, and then switch the drives and finish the configuration. Oh well, at least the experience was cool and I learned a lot about how to use and configure a computer blindly.

User Journal

Journal: Fuck you, Slashdot!

Journal by Masa
Isn't this just great? I tried to exclude all stories about U.S. politics from my homepage and that stupid Homepage Preferences page doesn't work. I tried every possible combination of settings and I'm still able to see all the Republican/Democrat/Politics/United States stories on the Slashdot homepage.

All I want is news about technology (and other geek stuff) but now I'm being force-fed politics by Slashdot. It seems that the only option to avoid politics overload is to stop reading Slashdot altogether until the presidential election is over.

* * *

Update (2004-11-02): It seems that the Homepage Preferences page has been updated and now I'm able to select sections for my homepage. Oh, the irony! Today is U.S. presidential election day and this kind of filtering is not so important for me anymore. Oh well...
User Journal

Journal: So is the geek culture creating a new language or what?

Journal by Masa
What the hell is wrong with people? Isn't normal English enough anymore? Or is it somehow "cooler" to use words like "boxen", "unices" or "virii"? Last time I checked the English grammar, using the -s/-es suffix was still acceptable.

With this new "logic", the plural of the word "cactus" would be "cactii". Or "hoax" would become "hoaxen" or "hoaces". Now that sounds really stupid...

The worst thing is that there is no scientific or linguistic basis for any of those fucked-up plurals. Even though the geeks and hackers who use them normally love to rely on rules and logic.
User Journal

Journal: Oh, wow! A time-warp

Journal by Masa
Hmm... That's odd. Last journal entry seems to be from "02 May 2003" which is over a year ago. Well, it's time for a little catch-up.

Happened since the last episode:

I spent six months in military training. It was an interesting, intense and frustrating experience. But I learned a lot about phones and telecommunication stuff (among other things). But I don't want to talk about that or anything related to this subject.

I bought a new laptop. With Windows XP Home Edition. And I'm still using XP on the machine. Which is pretty creepy. I'm worrying myself. Fortunately, I still have my good old Linux box, so there is still hope.

I'm still working at the same old "big bad corporation" as a software engineer. This time my job is to examine old C code, improve it and do some house-keeping (bug fixes, cleaning up, documenting). I could write a whole rant about how terrible it is to try to read other people's code. But I won't, because I've ranted enough.

The last year or so has been extremely hard both physically and mentally. A lot of bad things have happened to people around me and I have had to re-evaluate my values and views of life. I think that now I can truly appreciate life itself and my loved ones. And I have realized that work isn't everything. Fortunately, things seem to be getting better step by step and hopefully the summer will be great and everything will be OK again.

Slashdot seems to be the same old nest. Some things don't ever change, I suppose.
