It's been a long time since I seriously programmed in assembler. In fact, back in the days of the ZX81, I used to know the instruction set so well, I could input raw hex code. I've lost a LOT of braincells since then!


I can largely understand code I review. That said, I find code review one of the most tedious parts of a security assignment (That, and the documentation!) So, understanding C++, C#, java etc are not too much of a problem but I couldn't possibly be a programmer myself. I  have to sit with a command reference when I do the code reviews - probably why I find it so tedious. Thankfully, I don't have to do too much of it.
I aught to brush up on my programming skills, I have thought about contributing to a couple of projects that I have foundto be interesting, useful and lacking in development but there is a lack of time that prevents me from doing so at the moment.

My 2p worth....

I think that a programming board would be a Good Idea.
My experience with programming if fairly limited, I understand assembler to a degree but my only experiences are with Z-80, 6800 and 68000 and a small bit of 8086 back in the mid 80s. Since then, I have only dabbled with a little disassembly/ analysis.
I have used C quite productively, even going so far as to adjusting Linux kernel drivers to support my own hardware. I spent a good while messing about with TurboC under DOS (which I am glad to see that Borland are now giving away!)
Since C++ gained popularity, I have moved away from programming, I found the command set to be so vast as to be off-putting.
I can script to an acceptable level whether bash, csh or dare I say it, batch. I can read and understand to a greater or lesser degree, most scripting languages.

So in short, I can get by, but my skills are lacking and would benefit from some tuition, particularly when it comes to the Windows interfacing side of things.

Many problems. MAC addresses are not usually transmitted across the Internet; you will need an application that will extract it and transmit it. It is possibly your users would not be too keen with what might be seen as spyware.
Users can change their MAC address easily.
Users can use multiple machines/ VMs which would have different MAC addresses.
It is VERY difficult to restric users to a single account for an online service. IP addresses are about the only way that you can hope to even get close to this but with the huge numbers of users that are assigned IP addresses at the time of connection it is in no way foolproof.
Perhaps if you gave us a little more detail of what you hope to achieve, we could help you a little more?

It is worth remembering in order to minimise the impact of a client side attack, it is advised to run with least privilege. I have lost count of the number of times I have seen admins surfing the Internet, reading email etc. with full domain admin access...

Try here...

http://www.wassenaar.org/

But bear this in mind....

http://www.theregister.co.uk/2008/05/01/electronic_searches_at_us_borders/

I have a couple of 'nom de plume' for Internet use, each covers a different topic. Bogwitch is NOT my real name.
I have wondered if NOT having any retrievable information attached to my real name might affect future employment prospects adversely since potential employers are unable to research my areas of interest, save for a couple of 1993 Usenet posts.
Naturally, having a social networking page full of 'I g3t 5toned wiv me mates every week3nd' attached to my real name would be plain stupid, it is the lack of sensible, security-related content that might affect me.

Wouldn't the introduction of a USB device potentially modify some data that will later be used as evidence? I'm thinking file access timestamps, etc. not to mention the possibility of information in the swap file being overwritten.
It would certainly give a lawyer the possibility to suggest that the filesystem had been modified by LEO and at worst, could suggest LEO planted the evidence...

Zedcuk,

Have you had a chance to play with one of these? If so, what did you think?

Quick update for the Sandisk, disappointing, the password requirement is 3 of the four character sets, length 6-16 characters. If we assume a charater set consisting of 76 characters, this gives us an entropy of 6.25 bits. 6.25*16 gives us 100 bits. Pretty much makes the 256 bit encryption redundant, doesn't it!

I'm keeping up with my awareness but I'm not going to choose to use it on a daily basis! I think the jury is still out as to whether Vista is the future - remember ME?

Dear iSmith,

My point is, that Vista is eating more clock cycles/ memory than is necessary for an OS to function. If you want the extras that Vista offers, that's up to you but if you want to crunch numbers, or compute then an alternative OS would be a better choice. Or have I got it wrong? Would Linux/ Win2k run faster on your platform or not?

I have two copies of Vista, one given by Microsoft and one bought for evaluation.
I have a replacement 20GB HDD for my laptop on which I installed Vista.
The performance hit for using Vista was astonishing. My laptop is not the best spec by any imagination, I have a 1.7GHz P4M, 1GB RAM and 64MB video memory so it's no slouch, either.
The performance when running Linux and Windows 2000 is CONSIDERABLY faster as compared to Vista. So, if you want to crunch numbers on your computer system, avoiding Vista would be a Good Idea. If you want pretty effects and slow perfomance, Vista is the way to go.
Bearing in mind, throughout the lifecycle so far for Windows 2000, applying all the Microsoft patches as recommended, the memory footprint has increased by close on 50%, I would expect a similar hit on performance with Vista.
The paranoid cynic in me might suggest that LIMS wasn't about memory management at all, but a conspiracy to ensure hardware always needed constantly refreshing!

Hi Kev, thanks for the link.
I have seen the protego site before but not that device. Unfortunately, the ouput is waaaay too slow. I have seen a 16Mbit generator that retails for just shy of 1,000usd but even 16Mbit would be pushing the limits of acceptability.
It looks like I'm going to have to find a random source that runs faster than 1GHz and build a circuit around that. Ideas for a source, anyone?

Infernox222,

The tgz files are tarred and gzipped, bundled archives effectively, similar to zip or rar files.

You will need to untar them, tar will handle the gzip compression.

With tar you can use the 't' option to test the archive or the 'x' option to extract. Most software will be distributed to unpack into it's own directory although some, usually smaller hacking tools imo, will unpack into the current directory, therefore it is a good idea to test the archive first just to see where everything is going to get dumped.

To test, 'tar tvvofp filename.tgz'
to extract, 'tar xvvofp filename.tgz'

Once you have unpacked them, cd to the directory created (if it did) then you will want to run your './configure' - './configure' reads information about your machine to ensure that the executable is compiled correctly for your system - then the 'make' - 'make' compiles the executable. When you run 'make install' - 'make install' installs the compiles parts of the application into the 'standard' sytem directories - you will need to run as root.

Keeping the thread alive - someone must know of a device, surely?

Doesn't /have/ to be a UK supplier, doesn't /have/ to be CAPS approved!

Any fast hardware RNGs out there?

I've got a free sample of the Ironkey, it is quite nice.
Nice tactile feel, solid metal case. The chap I spoke to made some bold claims about it working after being submerged for 24 hours, once dried off but as the internals are epoxy coated, no big suprise.
Apparently, youtube has a video of one being run over by a bobcat and working afterwards.
It is supported under XP, Vista and MacOS, so saddos like me that stick to Linux and Win2k are out of luck. I have tested in on the wife's laptop and it does what it says on the tin.
There is, apparently, a management verison coming out. This should give to sysadmin the opportunity to set the number of times a password can be attempted before the key is fried. I asked if frying could be avoided completely but the salesman didn't seem to know.
I also visited Sandisk with the same requirements. The sandisk stick seems to be reasonably good, too.
While it is in no way ruggedised like the ironkey it has the benefit (?) of not frying itself. Again, there are two versions, the managed and the unamanaged. Both can be set to block access after 'n' attempts, the managed one will be subsequently recoverable, the unmanaged one will need to be reformatted but is not bricked.
The Sandisk is supported under Win2k, XP and Vista.

The Ironkey and the Sandisk both claim FIPS 140-2. Unfortunately, neither are going through the process of CAPS approval (UK Govt.) For the Sandisk, there is a different version for the FIPS which has an epoxy coating over the crypto chip to prevent analysis attacks.

Both are big (physically) compared to their unencrypted counterparts, about the size of a standard disposable lighter.

The only other difference is that the Ironkey is 128 bit AES and the Sandisk is 256 bit AES.

One thing that bothers me about both devices is that you are stuck with using the key material that the crypto chip holds. I would like to see a device that allows the crypto manager to reprogram the key with a key that they have generated. The reason for this is twofold. If, as with the Ironkey, the key is fried, the data can still be retrieved. Second, and this is the paranoid in me, if the crypto is added by the manufacturer, would they not keep a record of the key, therefore enabling them to retrieve data should the key find it's way back to them?

[Edited for poor typing]