« December 2004 | Main | February 2005 »

January 28, 2005

So you want to be a consultant... ?

I am asked frequently about the consulting business, and for years I'd touched on the same brief advice, but for some months now I've been working on a much more detailed Tech Tip that describes my experiences and advice.

It ended up much longer than I expected, but it's been well received by other consultants who've reviewed it. It's not "complete" in the sense of being an all-in-one guide - there are actual books out there for that - but I think it gives a pretty good overview of how a successful consultant conducts himself. I've had no formal business training, but doing it for 20 years has to count for something.

Unixwiz.net Tech Tip: So you want to be a consultant...?

Posted by steve at 06:06 PM | Comments (1) | TrackBack

January 23, 2005

Watching children at play

Almost all residential cable services include terms of service that forbid running of servers (though I have never figured out why this is the case, because DSL providers generally allow it). When hanging around at BroadbandReports, it's common to run across those who nevererthess try to do it anyway, and there are varying levels of response. In practice, many ISPs don't really care that much if the usage is light and not too brazen.

But once in a while we run across a real doofball who really does not "get it", and it becomes a project: we have found such with Sytrino Networks. This guy offering "Free 3GB Email", with a very professional/clean front page, but the real service was on a Shaw residential cable modem circuit.

Brazen violations of TOS bother a lot of us, but this wasn't the real concern here. This guy is advertising a service which he has no hope of actually deliverying upon, so innocent victims are going to be left high and dry when this "free email service" disappears because the ISP shuts him down for ToS violations.

This led to this thread where we encouraged Shaw technicians to investigate. That, and this thread led to at least two shutdowns of the circuits he kept moving it to.

You'd think that the kid would learn, but nooooo. This turned the "project" into a "quest".

He instead moved the main page to a place that apparently offers legitimate hosting, but it contains a FRAME that points to the "real" server at site.sytrino.net:82, and DNS shows that it now points to a Telus connection. That it uses :82 makes it clear that he's actively intending to evade the terms of service, so we followed him here.

I got some pushback from others who say "it's no big deal", "he's just trying to get his service started", etc. This is all rubbish.

There is a lot to be said for "starting small", and there is certainly something about thinking creatively, but one ought not start one's business by violating a contract. But what's more, this evinces a complete and utter lack of clue regarding the resources required to support a service like this.

It is guaranteed that this guy is going to sooner or later face the bracing air of "adult reality", and this will leave his users high and dry.

So we're going to make a point to follow this clown around for a while.

Posted by steve at 01:40 PM | Comments (157) | TrackBack

January 22, 2005

Self promotion for the technical consultant

I've been a self-employed consultant for just shy of 20 years now, and I'm often asked how I promote my consulting practice, and for years the answer was "Nothing, really, it's just word of mouth".

But the internet has changed this: though there are many avenues for promotion - banner ads, Google adwords, etc - for consultants this is an expensive way to go, and not always so effective. "Consultants" are often regarded in the same strata with "lawyers" or "used car salesmen", and it's very hard to counter that with "advertising".

I believe that the most effective way for "just one guy" to promote himself is really clear:

Produce and publish original, technical content.
The goal is to generate "exposure", whether it be writing for a technical publication or simply creating content on your own website. This is a long, slow process - writing "just one paper" doesn't do much - but over time, a substantial body of quality work creates the perception of competence that's much more powerful than creating a flashy banner ad or a slick marketing piece.

I've been publishing my own Tech Tips for years now, and as of this writing have 45 papers of varying degrees of depth and quality. A few are considered some of the best sources of information in their (narrow) area on the internet, and I'm gratified by the occasional email saying "Thanks for writing the paper on $TOPIC - it helped me solve a problem".

What's important is that these are technical papers, not marketing papers: my goal is to create a free resource that helps others solve a problem I had once, and I don't make references to "I sell my time for a living" on them.

Curiously, my primary target audience is "Google". Though occasionally I will post a paper in a specific forum (for instance, malware research usually gets posted to BUGTRAQ (and always announced in my weblog), but most of the time I just post the papers and wait for Google to index them.

Eventually they get picked up, people find them, and occasionally others link to my work. This increases the my PageRank the right way: by allowing the internet to vote "that's a good paper". I have never done any specific search-engine targetting.

Even today, the great majority of my work comes from existing customers, but more and more people are contacting me with what amounts to "You seem to know a lot about $SUBJECT - are you available for hire?" This certainly doesn't always result in an engagement, but it's nice that Google is doing my marketing for me.

"If you write it, they will come."

Posted by steve at 10:27 AM | Comments (1) | TrackBack

January 19, 2005

Whitehats, Blackhats, and Asshats

In the news recently was a discussion of security vulerabilities in Mac OS X, and it was the same kind of thing we see from time to time on any product. The technical details of the vulnerabilities aren't that important, but the method of discovery was.

from the article:
The company [ImmunitySec] originally found the flaws in June and published them to a private list of customers but did not notify Apple. It published the flaws on Monday, after presenting them at a seminar. (emphasis mine)
Though I don't share it entirely, there is a principled case for immediate, DJB-style full-disclosure without vendor notification on the grounds that it most rapidly achives "fixing the software" and "creating incentives to be secure".

But I cannot think of a principled reason to privately circulate vulnerabilities - and presumably their associated exploits - and then go public without any vendor notification.

ImmunitySec are Asshats.

Posted by steve at 08:49 AM | Comments (0) | TrackBack

January 17, 2005

Win32 CRITICAL_SECTION efficiency and overhead

Today a discussion came up regarding the overhead of a Win32 CRITICAL_SECTION object, and I did some digging to find out how they actually work. These objects are used for synchronization by threads in a single process (they don't work across process boundaries), and they are very fast in the absense of contention because no context switch is required.

But they're still not free: In addition to the 20 bytes or so taken up by the CRITICAL_SECTION object itself, I'd always knew that a kernel object was used somehow, and the structure member LockSemaphore (a HANDLE) certainly suggested that it's a Semaphore.

But it's not: It's an Event object, and it's only allocated the first time actual contention takes place. This means that it's fast and lightweight in the usual case, and only when contention occurs is the overhead of an additional kernel object allocated. Then it's a matter of WaitForSingleObject() to get access to the critical section.

This suggests that the slowest operation is the first time a critical section object has contention, when the event object must be allocated, but after that it's smooth sailing.

I'd not seen this anywhere and thought it ought to be memorialized.

Posted by steve at 11:03 AM | Comments (0) | TrackBack

January 08, 2005

Malware analysis: Troj/Winser-A

Earlier this week, Lawrence Baldwin of myNetWatchman provided me with a malware binary, and it was later identified as Troj/Winser-A by Sophos. I dug into it with my usual tools, and the result is a paper:

Unixwiz.net Research: Analysis of the Troj/Winser-A Malware

I've done reverse engineering before, but have never waded into the world of IRC - this one joined a botnet - and the process was quite an eye opener for me. I had long believed that IRC is nothing but a sewer, and this recent experience has done nothing but confirm it.

Ultimately, the DNS name that the bots "phoned home" to was removed - for unknown reasons - and because it not a worm, it didn't spread very far as far as we know.

Posted by steve at 02:12 PM | Comments (2) | TrackBack