Vincent and Cisco

…are the two things that make my day at the moment.
Apart from Anna and my job, that is.

Every free minute goes either to the small guy or to my studies for the CCNA.
Both are making progress at breathtaking speed and keep amazing me.
Anna is making a big effort and tries to provide as many “silent” minutes for me as possible to study – although it is almost a sin not to watch him play and “sing” :)

For the rest, I am feeling surprisingly good (for this time of the year, when I usually get depressed and/or moody). Switching on all the lights in the house in the morning seems to work. At least until I get myself a “wake-up light”, which sounds like a great way to wake up instead of a beeping noise: a 100 W light bulb that slowly rises to full brightness over 30 minutes to simulate dawn.

From a person who found computers “neat” and the internet “fantastic” I am gradually becoming one who sees computers as extensions of his hands (tools) and the internet as a nice, functional collection of routers that badly needs an overhaul.
Yesterday I managed to configure my first network… from installation to testing. And it worked!
The feeling was better than Christmas. ;) Ok, it was only three routers and back-2-back cables instead of real links, but it’s a start and I know I can do this.
The motivation is there (it’s Saturday night and I just stopped doing exercises).
I get so much motivation from configuring a couple of routers that, after I stop messing with them, actually come into service and do what they are meant to do. Feels good :) Let’s see how I talk in a year, but hey, one has to keep the spirits high ;)

Another thing that confuses me is the “Storm worm”, or rather botnet, which is still out there, hiding from every means of detection. See this article from Wired (quoted below).
If there are really millions of PCs connected through a p2p network, waiting to attack simultaneously… I am scared!

Storm represents the future of malware. Let’s look at its behavior:
Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides much more easily.

Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties.

Storm doesn’t cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. This makes it harder to detect, because users and network administrators won’t notice any abnormal behavior most of the time.

Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn’t have a centralized control point, and thus can’t be shut down that way.

This technique has other advantages, too. Companies that monitor net activity can detect traffic anomalies with a centralized C2 point, but distributed C2 doesn’t show up as a spike. Communications are much harder to detect.

One standard method of tracking root C2 servers is to put an infected host through a memory debugger and figure out where its orders are coming from. This won’t work with Storm: An infected host may only know about a small fraction of infected hosts — 25-30 at a time — and those hosts are an unknown number of hops away from the primary C2 servers.

And even if a C2 node is taken down, the system doesn’t suffer. Like a hydra with many heads, Storm’s C2 structure is distributed.
Not only are the C2 servers distributed, but they also hide behind a constantly changing DNS technique called “fast flux.” So even if a compromised host is isolated and debugged, and a C2 server identified through the cloud, by that time it may no longer be active.

Storm’s payload — the code it uses to spread — morphs every 30 minutes or so, making typical AV (antivirus) and IDS techniques less effective.

Storm’s delivery mechanism also changes regularly. Storm started out as PDF spam, then its programmers started using e-cards and YouTube invites — anything to entice users to click on a phony link. Storm also started posting blog-comment spam, again trying to trick viewers into clicking infected links. While these sorts of things are pretty standard worm tactics, it does highlight how Storm is constantly shifting at all levels.

The Storm e-mail also changes all the time, leveraging social engineering techniques. There are always new subject lines and new enticing text: “A killer at 11, he’s free at 21 and …,” “football tracking program” on NFL opening weekend, and major storm and hurricane warnings. Storm’s programmers are very good at preying on human nature.

Last month, Storm began attacking anti-spam sites focused on identifying it — spamhaus.org, 419eater and so on — and the personal website of Joe Stewart, who published an analysis of Storm. I am reminded of a basic theory of war: Take out your enemy’s reconnaissance. Or a basic theory of urban gangs and some governments: Make sure others know not to mess with you.
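The “fast flux” technique mentioned above (a name whose A records change constantly, with short TTLs, so that any C2 address you identify is stale by the time you act) leaves a signature of its own in DNS. The script below is an added example, not code from this post or from the Wired article: it scores a sequence of observed DNS answers for fast-flux behaviour. The answer data is constructed (the IPs, ASNs and TTLs are made up), the ASN lookup is assumed to have been done already, and the metric names and thresholds (`fluxiness`, the TTL and ASN cut-offs) are my own choices, not anything from the article.

```python
"""Heuristic fast-flux scoring over repeated DNS answers for one hostname.

Added example; the input below is constructed, not real observation data.
Idea: a legitimately load-balanced name returns the same few IPs in one or two
ASNs, while a fast-flux name returns a different set of compromised hosts on
every query, spread over many ASNs and /16 prefixes, with a short TTL.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import median
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Answer:
    """One A-record answer set seen for the name at one point in time."""
    ttl: int                               # TTL returned by the resolver
    records: Tuple[Tuple[str, int], ...]   # (ipv4, asn) pairs; asn assumed pre-resolved


def summarize(answers: Sequence[Answer]) -> Dict[str, float]:
    """Collect the per-name metrics a fast-flux check is built on.

    fluxiness = (unique IPs over all queries) / (IPs per single answer).
    A stable name scores ~1.0; a fluxing one climbs with every query.
    """
    seen_ips, seen_asns, seen_nets = set(), set(), set()
    per_answer = []
    churn_events = 0          # answers that introduced an IP never seen before
    for i, a in enumerate(answers):
        cur = {ip for ip, _ in a.records}
        if i > 0 and (cur - seen_ips):
            churn_events += 1
        per_answer.append(len(cur))
        seen_ips |= cur
        seen_asns |= {asn for _, asn in a.records}
        seen_nets |= {ip_network(f"{ip}/16", strict=False) for ip in cur}
    return {
        "unique_ips": len(seen_ips),
        "unique_asns": len(seen_asns),
        "unique_16s": len(seen_nets),
        "churn_events": churn_events,
        "median_ttl": median(a.ttl for a in answers),
        "fluxiness": len(seen_ips) / median(per_answer),
    }


def is_fast_flux(answers: Sequence[Answer], ttl_max: int = 600,
                 fluxiness_min: float = 2.0, asn_min: int = 3) -> bool:
    """Flag a name when all three signals agree (thresholds are assumptions).

    ASN diversity is the discriminating signal: CDNs and round-robin farms also
    use low TTLs and many IPs, but they sit in one or two ASNs.
    """
    s = summarize(answers)
    return (s["median_ttl"] <= ttl_max
            and s["fluxiness"] >= fluxiness_min
            and s["unique_asns"] >= asn_min)


# Constructed sample 1: an ordinary site, same two IPs in one ASN on every query.
STABLE = [Answer(3600, (("198.51.100.10", 64500), ("198.51.100.11", 64500)))] * 4

# Constructed sample 2: fast-flux-like, new hosts in new ASNs on every query.
FLUX = [
    Answer(300, (("192.0.2.10", 64501), ("198.51.100.20", 64502), ("203.0.113.30", 64503))),
    Answer(300, (("192.0.2.11", 64501), ("203.0.113.31", 64503), ("100.64.5.5", 64504))),
    Answer(300, (("198.51.100.22", 64502), ("100.64.5.6", 64504), ("172.16.9.9", 64505))),
    Answer(300, (("192.0.2.12", 64501), ("203.0.113.32", 64503), ("172.16.9.10", 64505))),
]

if __name__ == "__main__":
    for label, data in (("stable", STABLE), ("flux", FLUX)):
        print(label, summarize(data), "fast-flux" if is_fast_flux(data) else "normal")
```

To use this against a real name you would query it every few minutes for an hour or so, record each answer with its TTL, map the addresses to ASNs, and feed the list in. Treat a positive as a reason to look closer, not as proof: a low TTL alone means nothing, and the ASN threshold is what keeps CDNs out of the result.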