Friday Squid Blogging: Squid Forensics

Not what you think; it's about forensics of the Squid web/proxy cache.

Note the squid stamp, though.

Posted on April 24, 2009 at 4:36 PM • 12 Comments

Comments

Jess • April 24, 2009 6:08 PM

Nice stamp, and I can see squid's use from a logging perspective. It's true that you can find things left in the cache as well, but in my experience servers usually send headers (perhaps valid, but often as a result of too-conservative misconfiguration) that prevent squid from caching as much as it could. Thus most things you might want to examine won't actually be in the cache.

MysticKnightoftheSea • April 25, 2009 2:48 AM

That particular post on Philosecurity.org has no comments yet. What'll you bet it will soon...

Very interesting...

MKotS

James Sutherland • April 25, 2009 3:00 AM

Jess: As I recall you can tweak it to override those headers. Alternatively, there's a little tool I wrote years ago for regression testing a web application, which dumps the request and response into a file. I had a corresponding replay tool, which would replay the requests and compare the responses, but extracting the response bodies would be quite simple.

(I don't have the original, but I may write and release a tool to do the same job soon.)

Clive Robinson • April 26, 2009 7:28 AM

@ Bruce,

As this is not the normal "fishy blog" but one that is more "fishy" security wise.

A suggestion for a re-visit to a number of related security subjects you have covered before.

The A/H1N1 virus (Mexican swine flu) looks like it is going to be a bit of a problem. Unlike H5N1 (Asian bird flu) it appears to be easily transmissible from human to human.

Further like the 1918-19 pandemic flu this new variety of swine flu appears to affect the economically productive segment of the population very significantly. The young and the old appear to get little more than mild symptoms.

Although none of those infected in the US have died (due to prompt medical intervention) the mortality rate in Mexico is rising.

Contrary to early reports by Dr Chan of CDC it does not appear to be limited to the southern states as NY appears to have at least one case.

Further although it has been stated there are no direct links between those infected in the US and Mexico it has been pointed out that "illegal immigration" may be the transmission vector.

As regards medical intervention as it is a new variant there are no vaccinations possible nor likely to be for between six months and two years (depending on who you listen to). However CDC have isolated a "seed virus" so it is a question of manufacturing ramp up etc.

The US and UK stockpiled anti-virals appear to be effective IF and ONLY IF administered in the very early stages (ie before pneumonia symptoms appear). And importantly will not prevent re-infection.

Also Steroids appear to be beneficial as well, although it is too early to tell if Statins will provide some defence against H1N1.

One area that is going to come up for discussion is the use of anti-virals.

Mexico only has enough for a single course of treatment for one million people. The UK and US have stockpiles rumoured to be sufficient for every person in the respective countries (although I have my doubts on this).

This gives rise to two questions,

The first of which is the obvious humanitarian one of the US and UK passing over some of their respective stockpiles to Mexico.

The second and less obvious one is to do with effectiveness. Anti-virals only work in an infected person in the early stages of infection and they do not in any way prevent re-infection at a later date.

With no immediate prospect of a vaccine anti-virals are at best a "stop gap" measure, and importantly will not stop and may possibly aid the spread and mutation of the virus.

Which as I noted means that prevention falls back on strengthening people's resistance via things like steroids, statins and other non steroid anti inflammatories (such as aspirin).

Unfortunately the efficacy and safety of using these medications is a bit of an open question at present.

For instance all these medication groups are known to have members that have long-term use side effects in a significant proportion of the population.

For instance Simvastatin can cause muscle wasting in something like 20% of those who take it. Aspirin is known to be contraindicated with many long-term conditions such as gout etc. And as has been well publicised by those with asthma, steroids have so many side effects that many sufferers would rather risk death than live with the misery of taking them.

dot tilde dot • April 26, 2009 7:43 AM

hey there, happy 21th of december to you! (and all the people reading the front page of schneier.com)

scnr...

.~.

Sally O'Boyle • April 26, 2009 1:39 PM

One of the biggest problems with vaccines is that we as a population, vaccinated against everything, are losing our natural immunity to anything. People who get swine flu and live will develop a natural immunity. By the time a vaccine is developed, the swine flu will likely have mutated... so the vaccine will be ineffective. The flu shot you got this year was for last year's variety... completely ineffective this year.

Better to eat well, take plenty of vitamins (D3 and fish oil are thought to be particularly good to prevent flu), drink clean water, exercise. Prevention. Get your body healthy so it can fight off a virus.

AndyJ • April 26, 2009 5:37 PM

Actually Sally you have that bass-ackwards... vaccines work by challenging and strengthening the immune systems. Perhaps you should preach your new-age babble elsewhere?

Clive Robinson • April 26, 2009 10:40 PM

Sorry folks,

The last sentence of my post above was firstly not meant to be the last, and secondly typed whilst my young son decided that he needed "daddy's attention" in a somewhat direct manner by jumping on my semi recumbent post Sunday lunch stomach (my wounds will I hope one day heal and his hearing might also recover ;)

What I was going on to say was the mix of security / scare / immigration / nationalism / pseudo science in the swine flu story looks set to make it a "big news" in the coming few days.

This of course will be "egged on" by stories about Japan and other countries digging out the equipment they last used during SARS at Airports arrivals gates (where it is probably too late as those otherwise healthy people on the aircraft with the sick person will have been infected and through the gate...).

It should also tie in nicely with other stories about "False twitter rumors" etc.

Possibly ending up in calls for "increased Government regulation of the Internet" because somebody will say "but think of the children"...

Sadly however what will be missed in it all is the real story about how we actually deal in a rational and measured way to what will in all likelihood one day be a real threat to our societal fabric, without "sounding like the boy who cried wolf".

Kevin • April 27, 2009 9:53 AM

While Squid is interesting and useful (and free), there are a number of other web proxies in the path of user data that are also of interest.

Particularly interesting are the "transcoding" proxy servers deployed by just about every cell phone carrier. These sit between the wireless data network and the public internet, and primarily exist to shrink down web content for faster rendering on mobile devices. There are a couple of free examples of this class of proxy, including at least one written in Java.

Ranium Fan • April 27, 2009 9:41 PM

@Sally O'Boyle

>The flu shot you got this year was for last year's variety... completely ineffective this year.

Actually Sally the flu shot is not "last year's" variety. The flu vaccine companies work with the CDC to determine what are the most current flu strains in the wild. Due to long development time because they use eggs to incubate the vaccine, they do miss very current strains. So some years are more effective than others. There are companies that have found a way to shorten the cycle because they have found a way to develop with using eggs. Expect the next few years to start seeing shorter development cycles, hence more timely flu vaccines.

Sally O'Boyle • January 17, 2011 12:57 PM

It's nice that history will show me and my "new age babbler" buddies correct in calling out the swine flu crisis for what it was: mass hysteria designed to sell vaccines and make money for Big Pharma.
