Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

The Spinning Cube of Potential Doom 161

An anonymous reader writes "This month's Communications of the ACM (does not seem to have a link to online text) has an article about The Spinning Cube of Potential Doom, a security visualization tool that I first saw at SC2003. The cube displays data from Bro along 3 axes and creates interesting visual results (port scans, barber poles, lawnmower). This definitely makes patterns in all that 'boring log data' jump out. This is a very interesting development, the ability to monitor in real time and replay historical security related information. Definitely a step towards the new types of tools we will need to secure hosts and networks."
This discussion has been archived. No new comments can be posted.

The Spinning Cube of Potential Doom

Comments Filter:
  • by CreamOfWheat ( 593775 ) * on Tuesday June 01, 2004 @03:12PM (#9307500)
    When the eventual goal of having this data displayed in a real time setting the applications of usefulness will be startling. Data that had to be updated manually during the conference, will be available to researchers to do tci-square analysis to approximate the optimum network efficencies. Even use in the business sector and th ability to analyze huge databases will be quite amazing, although at least a half-decade down the road. Besides the primary educational aspect of the Cube, the secondary goal of the Cube will see fruition as to how investigate new techniques in visually analyzing network traffic and also to develop a tool that would potentially assist those involved with computer security. Really fascinating stuff.
    • by Laxitive ( 10360 ) on Tuesday June 01, 2004 @03:27PM (#9307737) Journal
      Besides the primary educational aspect of the Cube, the secondary goal of the Cube will see fruition as to how investigate new techniques in visually analyzing network traffic and also to develop a tool that would potentially assist those involved with computer security.

      Yes. The Cube knows all. It will make everything all right again. The Cube has been sent to help us. We must trust the Cube.

      All hail the Cube.

      -Laxitive

      Sorry, absolutely nothing of value to add to this. I just liked the way you referred 'the Cube' using proper-noun capitalization, and spoke of it as a single entity.
  • Too bad... (Score:4, Funny)

    by kdougherty ( 772195 ) on Tuesday June 01, 2004 @03:12PM (#9307504)
    Too bad Cisco didn't have this a couple weeks ago when they needed it!
  • dude! (Score:5, Funny)

    by eegad ( 588763 ) on Tuesday June 01, 2004 @03:13PM (#9307521)
    I live in the spinning cube of potential doom. At least that's what my co-workers call it.
    • In fact, I was just talking to a coworker earlier about my new product idea. They need sanitary cube covers like those half ply protect-o toilet seat rings to protect the next victim from my blood, sweat and tears.
    • Re:dude! (Score:4, Funny)

      by orthogonal ( 588627 ) on Tuesday June 01, 2004 @03:34PM (#9307829) Journal
      I live in the spinning cube of potential doom. At least that's what my co-workers call it.

      It sounds like something "Robert S." [wikipedia.org] Rumsfeld would use to "persuade" "designated terrorists" in Abu Ghraib to talk.

      I guess the use of "potential" in the title reminds me of so-called "Rumsfled Poetry" [wikipedia.org]:
      "As we know,

      There are known knowns.
      There are things we know we know.
      We also know
      There are known unknowns.
      That is to say
      We know there are some things
      We do not know.
      But there are also unknown unknowns,
      The ones we don't know
      We don't know."
      --Rumsfeld, at a February 12, 2002, Department of Defense news briefing
      • Re:dude! (Score:3, Insightful)

        by DerekLyons ( 302214 )

        I guess the use of "potential" in the title reminds me of so-called "Rumsfled Poetry":

        If you've ever taken a logic or philosophy class, or seriously studied science, or have been formally trained in troubleshooting real mission critical hardware/software (by that I mean the Space Shuttle, or a nuclear submarine, or a nuclear weapon, not your sales database)... Then that 'poetry' makes perfect sense.

        Matter of fact, I used to say something much like that to the techs I was training to work on nuclear tippe

    • Spinning, eh? That shouldn't be. Perhaps they should take away your swiveling chairs.
  • by stratjakt ( 596332 ) on Tuesday June 01, 2004 @03:13PM (#9307526) Journal
    Sounds like the Time Cube. [timecube.com]

    But then, you stupid ignorant mind-traitors cant understand time cube having been manipulated by your word god.

    • by Anonymous Coward
      I'd rather just play GameCube.
    • Still the greatest webpage on the Internet.

    • I thought of this too, but I thought of it become of this Bonus Stage [jeffreyatw.com] episode called "Cube" (warning: direct Flash file link).

      I figured I could live with plugging this, as it's slightly on topic under context, and it is one of my fav. Flash toon series. (If you're interested, High Score [highscoreonline.com] is the website)
    • Actually, it sounds more like what happens when you get too close to the the Cube [google.com] when walking around the University of Michigan. It makes one wonder if the developers went to UM.

      As an aside, try to remember to stay away from the Cube when drinking in Ann Arbor. It seems your ability to estimate the danger of a large spinning mass of metal goes down when you're inebriated.
    • I immediately thought of this site as well.

      This guy's schizophrenic. He has no idea how odd he sounds. To him, everybody else around him is just oppressing him. And the more of that he gets, the more convinced he is of a conspiracy to hide the "hidden truth" he's found. It's really kind of sad.

  • by nizo ( 81281 ) on Tuesday June 01, 2004 @03:14PM (#9307531) Homepage Journal
    Now we need tools that scan in a pattern that causes little devil faces to appear inside the cube, just to freak the sysadmin out. Words could be fun too.
  • by The Human Cow ( 646609 ) on Tuesday June 01, 2004 @03:14PM (#9307539) Homepage
    Man, when I heard it could display data along 3 axes I was hoping for a error message featuring a little projection of somebody saying "Help me Obi-Wan Kenobi, you're my only hope."
    Sad.
  • Okay, so I see the pretty pictures, but what do they mean. Can anyone explain how to interpret that data?

    --AC
    • Okay, I'm a tool. It helps if you click on all the links in the post, not just the pictures. I thought it was weird when I saw the cube picture twice . . . .

      --AC
    • I think this goes without saying: RTFA.

      But for the lazy. The vertical axis is port and the horizontal axis is IP. So the vertical line is a port scan, a horizontal line is a scan across all IPs for a specific open port. The "barber pole" scans show an interesting technique in which a scan increments both IP and port with each attempt, obviously in order to fool detection mechanisms. The "lawnmower scan" is a multi-IP port scan, which creates a rectangle.
    • by upside ( 574799 ) on Tuesday June 01, 2004 @03:27PM (#9307732) Journal
      It sets three variables onto three axes to show network traffic between your network and the net:

      1) Your IP range
      2) The entire IP range
      3) Destination port

      It's useful for things like picking up semirandom port scans that you might not detect based on textual data (see "barber poles").

      Entire para:

      "The Cube takes this connection information stored in the Bro files and displays it in a graphical format which can be more readily understood by people who are unfamiliar with networking and computer security techniques. The 'X' axis of the display (shown in red) represented the SCinet address space, which ranged from 141.221.128.0 - 141.221.255.255. The 'Z' axis (shown in blue) represented all possible IP address space (0.0.0.0 - 223.255.255.255). Multicast traffic (224.0.0.0 and above) was not displayed. The 'Y' axis (shown in green) represented the port number number (0-65535). Some well known port numbers include 22 (ssh), 25 (smtp), 80 (http). "
      • by SiliconEntity ( 448450 ) on Tuesday June 01, 2004 @05:33PM (#9309484)
        Let me give a little commentary about what's in the sample cube pic [nersc.gov]. (BTW, does anybody have a mirror of the animation?)

        We have a 3 dimensional cube shown on a 2 dimensional display, so the image can be a little confusing. Every dot represents a connection attempt to a machine at the conference, presumably mostly laptops being used by attendees. Successful connections are shown in "white" supposedly, but on my display they look gray. The colored dots are all unsuccessful connections, connection attempts where the machine did not respond. The presumption is that the vast majority of these are attacks and scans.

        The left to right access represents the IP address of the machine at the confernece being attacked. Back to front is the IP address of the machine doing the attacking, from out on the internet. Bottom to top is the port number. To aid in viewing, the unsuccessful connections are shown in a color that represents the port, i.e. their height in the cube. That's all the color means. Red and orange are at the bottom for low numbered ports, then through yellow, green and blue in the middle ports, up to purple and back to red at the top for high number ports.

        Now let's take a look at the picture. The main feature that jumps out is that most of the dots are colored; there are a lot more attacks than successful connections. Presumably these laptops are not hosting many legitimate servers. Second, we see that most of the dots are orange, meaning that they are attempts to connect on low numbered ports. That makes sense, as most services listen on standard low numbered ports of 1024 or less, or a bit more. That's why we see so many orange dots. Those are attempts to connect to web servers, mail servers, various Windows services that are known to be vulnerable, etc.

        Another feature of the orange dots is that they are largely clustered towards the back, which would mean that the attacks are coming from Internet addresses which are relatively low in the address range. Looking closely, I make it out to be about 1/4 of the way from the back to the front, which would correspond to IP addresses of around 64.X.X.X. If we look at the first field of IPV4 addresses, ARIN (North America) has 24, then 63-70; APNIC (Asia/Pacific) has 60-61; RIPE (Europe) has 62, then 80-84, and all of them go on up from there. I'm not sure of the worldwide distribution of IP addresses but I suspect that accounts for the fact that many of the attacks and scans are coming from the 60-80 range or so, on the graph. There's another cluster of IPV4 address assignments in the 198-222 range, and that corresponds to a weak cluster of orange dots near the front of the cube, at the bottom.

        Another feature we can see is some vertical structure in the blue and cyan dots, especially to the left and the right. These represent port scans, where a particular host machine is making connection attempts to a series of port numbers on a particular target machine. Such scans show up as vertical lines. Here we don't have a full line but only aligned dots, so we may be missing some packets, or the scan may be accessing only selected ports.

        Well, that's about as far as I can go with my analysis. But you can see that if you had a real-time display of the last N minutes or seconds of activity, it would show you a visual picture of scans into your network. Probably be pretty hypnotic. Of course I'm not sure it makes sense to pay somebody to stare at it all day... you'd probably want to run a sped-up version at the end of the day and see if anything untoward leaped out.
    • by Have Blue ( 616 ) on Tuesday June 01, 2004 @04:40PM (#9308808) Homepage
      The cube displays 3 pieces of information (assuming you know how TCP works):
      • The X axis represents the local IP. Every computer on the LAN is at a unique location on this line.
      • The Z axis represents all possible IP addresses. Every computer in the *world* is a unique location on that line, so every possible connection that can be made between a SCinet computer and an external system is somewhere on the "floor" of the cube. Think of it like an old phone switchboard.
      • The Y axis represents the port number, so as two computers establish multiple TCP connections to each other they "stack" and move up towards the top of the cube.
      The upshot of all this is that all network activity on the LAN during a specific time period can be placed in this cube. And once it's here in visual form, it becomes easy for a human operator to apply our brain's pattern recognition abilities to the problem of noticing unusual activity, which is hard to do with just a text dump from a normal IDS. Normal Internet usage would be a single point, or a small vertical line, which would represent a single persistent TCP connection for a specific service (for SSH or something) or a small number of TCP connections established momentarily (for a stateless protocol like HTTP), and this can be seen in the example as a lot of random dots scattered throughout the cube.

      If there was an attack in progress, it would be some sort of procedural scan from one external system (a single Z location, or a constant depth in the example) across the LAN address space (going left to right) and/or the ports on a single LAN system (going up and down). A simple port scan would be a solid vertical line, as the attacker hit each port on a single system in sequence (Z and X constant, Y varying). I think there's one of these visible in the example, in the back; this short vertical line would be an attacker hitting all the privileged service ports between 0 and 1024. A more advanced attack pattern would attempt to randomize the ports it scanned or hit several different IPs - in a text log, this would be very hard to pick out from the "random" connections that a normal busy LAN is also handling, so the attacker could go undetected for some time. But on the Cube, this would appear as a filigree of closely packed dots all at the same depth (Z would be constant, X and Y varying), and would be immediately obvious to a human viewer.

      This isn't really meant to convey detailed information, it's just supposed to let the admin see at a glance that something suspicious may be happening, by making the data easier to examine as a whole.
  • this [pon.net] cube of doom?
  • bah (Score:2, Funny)

    by mrtroy ( 640746 )
    This is old news.

    Security companies are just reacting to Swordfish...which used the opposite tool...it was spinning cubes that joined together when you successfully exploited the system.
    • Re:bah (Score:2, Funny)

      by DoctorDeath ( 774634 )
      Swordfish brought to life was my first thought. A poor graphic representation of programmers code is now a reality. What's next flip open communicators? Oh wait...
    • uuuh, swordfish!

      I want my n-monitor system with that funny IDE that lets you code exploits with on-screen spinning lego and gets you fine wines and a hot babe like Halle Berry.

  • I wonder.... (Score:5, Insightful)

    by telstar ( 236404 ) on Tuesday June 01, 2004 @03:15PM (#9307559)
    Wonder if they've got one of these monitoring DOS attacks now that they've been posted on Slashdot.
    Here's [nersc.gov] the 31 meg AVI if you want to make it spin faster.
  • If this continues... (Score:5, Interesting)

    by Kirijini ( 214824 ) <[moc.oohay] [ta] [inijirik]> on Tuesday June 01, 2004 @03:16PM (#9307561)
    If this becomes a trend, and "Secutiry Visuallization Tools" become widespread... then people will begin to say that movies like Hackers and such were just "before their time."

    Do we really want that?
    • by TigerNut ( 718742 ) on Tuesday June 01, 2004 @03:41PM (#9307918) Homepage Journal
      It's pretty inevitable. There will always be extensions to today's technology, and likewise there will be visionaries (authors and screenwriters) who will try to imagine what that extended technology will look like and what it will feel like to use it. The visual scanning is pretty cool. What if you took a port-access logger output and assigned to each port a particular note, duration, or loudness? You'd hear white noise for the most part, but any nonrandom access would quickly be evident as a chirp, whistle or popping.
    • I remember when I used to think that people would be driven nuts by stupid, unnecessary animations all over their desktop. Well, *I* still am, but there are plenty of people that use Aqua.

      Of course, Apple didn't put in "per keystroke sounds", so maybe it isn't as bad as one would think.

      OTOH, Aqua+AIM with clicky keystroke mode enabled *is* equivalently annoying.
  • by Anonymous Coward
    Now I have to figure out how to get in and out while it's spinning?

    And it's a good damn thing I've got a wireless LAN connection, so my cat5 cable won't get all twisted up.

  • The Spinning Cube of Potential Doom?

    That sounds like a tool used by the Irken Armada.
    • Wouldn't that be the Spinning Cube of Impending Doom II?
    • At the very least, it's something Zim would think of to rain doom down upon his doomed enemies.

      I'm gonna sing the doom song now. Doom, doom doom, doom, doom, doomy doomy doom...

  • I beg to differ (Score:5, Insightful)

    by broothal ( 186066 ) <christian@fabel.dk> on Tuesday June 01, 2004 @03:18PM (#9307601) Homepage Journal
    "Definitely a step towards the new types of tools we will need to secure hosts and networks."

    I'm sorry, but I do not agree. While it makes it easy to visually detect intrusion attempts, it is of no use in the daily life of a BOFH. I have the responsibility of quite a number of machines. Most of the time, they don't require attention. So I don't pay them any. Then, once in a while, something extraordinary is happening, and I'm being alerted by an automatic monitoring system. That means I can use my day on all the important things (like hanging out on IRC etc). Visualizing network intrusion attempts is cool, but it's not a tool for me.
    • What about attacks that *don't* produce extraordinary behavior but might be visible in the logs with the right filter (visualizer?)

      Kind of like the shadowy figure snooping through the halls while the security guard dozes at the monitor. The alarms are only going to ring if he lobs a grenade....

    • I think the point of this interface is that the data is more easily interpreted, allowing the human-user to notice patterns that automated scripts would miss. This could be done either in real time, or as a visualization tool for historical files. The latter usage seems like it would be of interest if you're trying to determine the source of a break-in.

      For real-time monitoring, your point about mutliple systems is very valid, but what if this approach could be scaled up to allow you to visually inspect the whole system for a number of problems? Perhaps an entire array of cubes, each for a subnet or an individual system, focusing on those that pique your interest.

      This idea may be able to mesh with the glanceable objects [wjla.com] idea (just the idea, not their chicken egg specifically). If it is informative enough, it could allow you to periodically check some aspects of your whole system for things that you either can't write scripts to do, or don't have time to write scripts for.

      -Zipwow
      • Precisely. Using the human mind as a filter is the whole point. There is also a project called peep [auralizer.com] that does this with sound.

        Peep - Allows real-time aural monitoring of network information Peep aims to represent network information in real-time (and therefore eliminate searching through large logs of information to find problems) by using sound to represent the vast amount of available information about network status and to help identify network problems and irregularities.

        The project looks a bit stall

    • Re:I beg to differ (Score:5, Insightful)

      by Minwee ( 522556 ) <dcr@neverwhen.org> on Tuesday June 01, 2004 @03:33PM (#9307800) Homepage
      The daily life of most admins include something called "Talking To Managers".

      Having a shiny toy with brightly coloured lights on it is a vital part of that excercise for many of us. We NEED this. We NEED it to have the Fisher-Price logo on it and play short musical bits when you push on the buttons. We NEED to be able to say "Here is a pretty picture. You like pretty pictures, don't you? The brightly coloured parts show bad people. Oooh, brightly coloured. Look at the picture. Do you like the picture? Good, now there are a few things we need to discuss about next year's budget..."

      Automated monitoring systems that handle problems for you make you (and themselves) look unnecessary. Pretty pictures with lights can be used to show everybody you work for just how important you really are.

      • " The daily life of most admins include something called "Talking To Managers". Having a shiny toy with brightly coloured lights on it is a vital part of that excercise for many of us. We NEED this. "

        Sounds like what you need is to learn communication skills and how to actually communicate complex ideas in terms people can understand. And yes, visualizations go a long way in this regard, but you need to be able to communicate verbally in a manner they can understand as well.

    • I wonder about this sometimes. There are so many port scans and intrusion attempts they aren't worth getting you knickers in a twist about. All the non-necessary ports are blackholed anyway.

      What I do worry about are the connections that take place with actual open services. They are the ones that ought to be monitored for foul play. Log checkers and proactive HTTP request sanitizers are more use there.
    • I think you've missed the primary use of pretty pictures and animation. A BOFH with prominently displayed active graphs and a device that goes "ping" every so often can greatly optimize IRC/Nethack time by responding to all queries by management in the following manner.

      Manager: "Where are your TPS reports?"
      BOFH: (pointing at large, flat screen display of Cube of Potential Doom with one hand while typing jjjjjjjjjj with the left) "TPS Reports! My God can't you see we're under attack. Quick! Call facility ma
  • The cube displays data from Bro along 3 axes and creates interesting visual results (port scans, barber poles, lawnmower).

    "So Cube...do you see anyone invading us from the 201.163.x.x range?" "YES"

    "That's Tron. He fights for the Users."
  • virtual ICE? (Score:4, Interesting)

    by dashersey ( 751215 ) * on Tuesday June 01, 2004 @03:21PM (#9307642)
    This is evocative of william gibson's concept of ICE -- in a massively distributed computing environment with a direct-brain virtual-reality interface as primary, you interact with security systems visually.

    They appear as complex crystalline structures with no obvious holes other than the known authentication interfaces.

    Those who hack/defeat them are called "icebreakers" and they use software which has its own visual attack signature to distract or deflect(overload/DNS attack) the ice or to find hidden cracks (exploits)

    Visionary stuff (pun partially intended).

    • Re:virtual ICE? (Score:4, Informative)

      by scrytch ( 9198 ) <chuck@myrealbox.com> on Tuesday June 01, 2004 @03:41PM (#9307924)
      Give Gibson's work another read: it's just the "cowboys" who got an interface that direct, it required very expensive and specialized neurosurgery to install, and it required quite a bit of special firmware to create the visualizations, some of which would probably have been simply visual flair ala "skins", perhaps created in order to harness psycological reactions to perception (e.g. make the stuff you scan as "dangerous" look really baaaad) .

      He also mentions that ordinary people got something a good deal more pedestrian, more like the Metaverse than Gibson's Matrix (or as we might say now, more like the Matrix than the funky green overlay Neo got ... I'd stay away from using those movies for parallels tho).
    • Re:virtual ICE? (Score:3, Insightful)

      by James Lewis ( 641198 )
      I disagree. Gibson's whole description of icebreaking was interesting science fiction, rather than something that was really attempting to make an informed guess on how future computer systems would work. For one thing, users could be killed by the security systems through their connection. It seems increadibly unlikely to me that this would ever occur, since any system connected to the internet should be able to handle disconnections, and so one could be produced on purpose the moment trouble showed up. Bu
  • what a great name (Score:3, Interesting)

    by surreal-maitland ( 711954 ) on Tuesday June 01, 2004 @03:21PM (#9307643) Journal
    it looks like a great tool for ferretting out new styles of attack, even though it's use to an individual trying to protect his/her network is rather limited. the automated system that someone else mentioned sounds much more useful.
  • by teamhasnoi ( 554944 ) <{teamhasnoi} {at} {yahoo.com}> on Tuesday June 01, 2004 @03:30PM (#9307759) Journal
    I was hacking teh Gibson, *I* would have gotten in Acid Burn's undies. :(
  • I wonder... (Score:4, Funny)

    by daemonc ( 145175 ) on Tuesday June 01, 2004 @03:30PM (#9307765)
    I wonder what the 3D graph of a Slashdotting looks like...
  • Remember! (Score:5, Funny)

    by telstar ( 236404 ) on Tuesday June 01, 2004 @03:31PM (#9307786)
    Warning: Pregnant women, the elderly and children under 10 should avoid prolonged exposure to the Spinning Cube of Potential Doom.
    Caution: the Spinning Cube of Potential Doom may suddenly accelerate to dangerous speeds.
    the Spinning Cube of Potential Doom Contains a liquid core, which, if exposed due to rupture, should not be touched, inhaled, or looked at.
    Do not use the Spinning Cube of Potential Doom on concrete.

    Discontinue use of the Spinning Cube of Potential Doom if any of the following occurs:
    Itching
    Vertigo
    Dizziness
    Tingling in extremities
    Loss of balance or coordination
    Slurred speech
    Temporary blindness
    Profuse sweating
    Heart palpitations

    If the Spinning Cube of Potential Doom begins to smoke, get away immediately. Seek shelter and cover head.
    the Spinning Cube of Potential Doom may stick to certain types of skin.

    When not in use, the Spinning Cube of Potential Doom should be returned to its special container and kept under refrigeration...

    Failure to do so relieves the makers of the Spinning Cube of Potential Doom, Wacky Products Incorporated, and its parent company Global Chemical Unlimited, of any and all liability.

    Ingredients of the Spinning Cube of Potential Doom include an unknown glowing substance which fell to Earth, presumably from outer space.

    the Spinning Cube of Potential Doom has been shipped to our troops in Saudi Arabia and is also being dropped by our warplanes on Iraq.

    Do not taunt the Spinning Cube of Potential Doom.

    the Spinning Cube of Potential Doom comes with a lifetime guarantee.

    the Spinning Cube of Potential Doom

    ACCEPT NO SUBSTITUTES!
  • by green pizza ( 159161 ) on Tuesday June 01, 2004 @03:33PM (#9307814) Homepage
    Back in the "what possible use would anyone have for 3D?" days, Silicon Graphics made gobs of 3D utilities such as this. Many exist today as viewers for their (awesome) Performance CoPilot system for IRIX and Linux. Over time they learned that most admins perfer text most of the time. But man, fddivis on a large monitor sure does make the NOC look way more productive to the suits!!

    They even had a 3D intra-website link manager at one time!
  • by Hythlodaeus ( 411441 ) on Tuesday June 01, 2004 @03:39PM (#9307892)
    Did someone just discover that data can be graphed? What is the innovation here?
  • by stratjakt ( 596332 ) on Tuesday June 01, 2004 @03:42PM (#9307927) Journal
    Got some slick, nobody's fool sysadmin you need to get past?

    Well, cook up a portscan that will look like a giant, spinning Mr Goatse, or some racial slurs, etc..

    Boss walks past, geek gets fired, replaced by bosses moron nephew who is more than happy to give you the keys to the server when you call and identify yourself as the Hamburglar.
  • Reminds me of the "screen display" system teh Borg had in ST:TNG. They had several external images of the starship battles arranged on a rotating cube. Fits their ship.
  • Old stuff, new usage (Score:4, Interesting)

    by bellwould ( 11363 ) on Tuesday June 01, 2004 @03:47PM (#9307989) Journal
    Visible Decisions (acquired by Visual Insights in 2000) has been doing graphical visualization for 15 years - check this [advizorsolutions.com] out for a demo.
  • This and the orb? (Score:4, Interesting)

    by novakane007 ( 154885 ) on Tuesday June 01, 2004 @03:56PM (#9308142) Homepage Journal
    Remember the ambient orb [ambient411.com]?
    Thinkgeek used to sell them, but I couldn't think of something I would find it useful for. This would be perfect. Just have a globe on your desktop that changes colors based on the data provided by the cube matrix. If the orb starts turning crimson, you know that that your network is in need of administrative attention.
  • by Digital Avatar ( 752673 ) on Tuesday June 01, 2004 @03:57PM (#9308159) Journal

    ...I can see it now:

    I know this... this is UNIX!

    Would you like to play a game>

  • by freelunch ( 258011 ) on Tuesday June 01, 2004 @04:00PM (#9308192)
    About 18 months ago, Slashdot posted an article The Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release [slashdot.org] with a nice collection of unconventional networking tools.

    Included was a very cool tool, Phentropy, for visualizing arbitrary data using Strange Attractors. You may recall a paper [coredump.cx] on TCP/IP Sequence number analysis that highlighted the usefulness of Strange Attractors for data visualization.

    Phentropy plots an arbitrarily large data source (of arbitrary data) onto a three dimensional volumetric matrix, which may then be parsed by OpenQVIS [sourceforge.net]. Data mapping is accomplished by interpreting the file as a one dimensional stream of integers and progressively mapping quads in phase space.

    OpenQVIS is a neat package and could fill a lot of arbitrary data viz needs.. But damned if I have been able to get the thing to build under Linux. The project could really use some help, and I think a lot of good could come of it. The Phd types [uni-erlangen.de] who wrote it seem to have mostly moved on..

  • by PaulBu ( 473180 ) on Tuesday June 01, 2004 @04:00PM (#9308193) Homepage
    ... After all the $$M spent on cute visualization and PR promotion of the technology, evil authors of port-scanners just add two lines:

    pseed=urand(); iseed=urand(); /* this */
    for(port ...)
    for(ip ...){
    port ^= pseed; ip^=iseed; /* and this */
    probe(ip,port);
    }

    or use some fancier one-to-one mapping and the dots in your cube are again "random" to the naked eye.

    (On a side note, why whoever implemented that "barberwire"-producing scanner did not do this at the time, I can not understand).

    Paul B.
    • The time is NOT a display variable in the Cube. Your "enhanced" scanner would produce the same pattern as it would without the randomization. The order in which the scan's packets reach its target, and the dots are put on the display does not even change the resulting picture.

      Now, the "barbwire" scan tries a port on each host. This could be made less distinguishable by randomizing the port, rather than using linearly increasing port numbers for the IP range, which produces the evel-looking diagonal slas
    • You can't spoof your own IP if you expect to get any results from a port scan, so all your connections will be in the same Z plane. I expect that would show up quite well, especially if the cube was viewed from several different angles. Also, it displays a fairly large period of time simultaneously, so randomizing the connection order wouldn't be all that helpful.
  • by painehope ( 580569 ) on Tuesday June 01, 2004 @04:10PM (#9308342)
    I busted out my laptop and sat down and started port-scanning some friendly IPs in front of the screen, only to be disappointed that I'd have to wait something like 10 minutes to see my spray coming out.

    It was still pretty cool, and I'm sure half of the traffic on it was people like who kicked off port scans just to see themselves on the screen ;p
  • Mirror? (Score:3, Interesting)

    by ktulu1115 ( 567549 ) on Tuesday June 01, 2004 @04:32PM (#9308676)
    Could someone who has downloaded the movie please post a mirror? All of the existing links posted are already 404.
  • And all you fools said that Hackers wasn't a realistic computer movie... Shows what you know!

  • by Slau ( 784731 ) on Tuesday June 01, 2004 @05:07PM (#9309195)
    Thanks for the /. and the comments folks, although I'm not sure if the web admins are gonna talk to me anymore. :-/ I got paged about the /. while I was watching Shrek 2. What happened to Fiona's Dad? Missed that part...oh well... The Cube is still a work in progress. I originally developed it to keep wandering jaded conference attendees mesmerized by pretty moving colors. Hopefully it'll inspire people to develop new ways of educating the wormy masses that they need to take security seriously.
  • by Isomer ( 48061 ) on Tuesday June 01, 2004 @05:21PM (#9309345) Homepage
    I work for a network research group ("WAND") at Waikato University in New Zealand. We have a similar visualisation which you can see various stages of evolution here [wand.net.nz], there are also some animations [wand.net.nz].

    The universities internal network IP range is mapped onto the left hand face of the cube, the rest of the world is mapped onto the right face. They are mapped so similar addresses are clustered together and addresses further apart are uh, further apart. A box represents one packet, the volume of the particle is proportional to the size of the packet, and the colour is based on port number.

    Also we "light" each end of the connection for a bit after the packet has been sent. So machines appear to be glowing in the colour of the traffic they are sending.

    We use it to show off "networks" to people who think we just sit at computers and type into stuff, however it has been very useful to detect attacks and broken machines since they provde distinctive patterns. Portscans are a series of "sparkly" packets. Network scans are a row of marching lines. Virii infected machines appear as a cone centered on the infected machine.
  • Am I the only one who get an error saying invalid cert? If so, maybe they should spinning cube of doom themselves!
  • My favorite... (Score:3, Interesting)

    by Nugget ( 7382 ) * on Tuesday June 01, 2004 @08:34PM (#9310829) Homepage
    Much lower tech, but my favorite example or a conference's realtime security monitoring is this whiteboard [soupnazi.org] from the 2000 Monterey BSDCon.

    It's a brutal but compelling reminder that we should all avoid unencrypted telnet/pop3/imap.

    Consider spending some time today getting STARTTLS running on your mail server. Or consider getting IMAP/SSL going. Or consider figuring out GnuPG or S/MIME email once and for all. Don't be part of the problem.

  • If I recall right (and have the spelling right), then to see it, all you need is a Star Trek Original Series episode called "The Corbomite Maneuver" [ericweisstein.com].
  • I just hacked up a script that will port scan their IP space in just the right port/ip/time pattern to form the goatse guy in all of his 3-d glory rendering this security tool useless because people will refuse to look at it. If that doesn't deter them I'll hit 'em with tubgirl. They'll be able to rotate it in 3-d and see the whole stream suspended in mid-air and everything. My next task is to hit them with successive animated images so if they play it back fast enough they can see the cavern opening and cl
  • I just skimmed through the site and looked at a couple of the images; and it brought to mind the imagery I've seen from the graphic presentation piece you can use with their box. http://www.sourcefire.com My slight disclaimer - we use several brands of network sensor including SourceFire and have a couple RNA boxes to play with right now.

Heard that the next Space Shuttle is supposed to carry several Guernsey cows? It's gonna be the herd shot 'round the world.

Working...