running ubuntu on powerbooks

ERROR: Your architecture, 'ppc', is not supported by the
Adobe Flash Player installer.

Why software protection broke my user experience

I use a professional VPN application on my Powerbook called VPN Tracker from equinux. I bought this software because I wanted a streamlined, push-button way of dealing with the ISAKMP VPN at work. Normally it works quite well, but because of the aging hardware in my Powerbook I'm suddenly without any access to my internal network.

Several bits of my laptop are broken and I had to bring my Powerbook to the repair center. Before I turned in my laptop I created a mirror of the drive using rsync. OS X lets a user boot from a FireWire drive, and so with a "loaner" Powerbook from work I have a complete, albeit slow, clone of my original laptop. Thunderbird, Firefox, etc. all work the same and are configured exactly as they were. VPN Tracker unfortunately is not. The configuration is still intact; however, the software doesn't think it is licensed anymore. I imagine that this is due to some check made on my CPU, drive volume, etc. to verify that I'm not installing this on multiple computers or something similar. More interestingly, I can't get to my email server anymore because our workplace is very paranoid and requires VPN authentication for access.

I understand the need for software protection in this marketplace, but at this time I can say that it has utterly failed me as an end user. Despite supporting the company with a purchase, all I can do now is sit and wait for an answer to my email. I only hope they respond to the alternate address I provided them.

wget recon technique

I was looking for a novel way to recon a network for web servers and came up with a command-line combination involving wget and find. The first stage uses wget to download the index page of every address that answers. The second stage removes the zero-length files that get written for addresses that were reachable, or timed out, but returned no page.

WGET STAGE
If you are assigned to scout the range 192.168.1.1 - 192.168.1.254 you can use a for loop and wget to quickly download index pages (.0 is the network address and .255 the broadcast address of a /24, so neither is a host worth requesting). The technique can be adapted for larger ranges, but in this form it is best kept to a single /24 (the old "Class C").

# .255 is the broadcast address of a /24, so stop at .254.
# -T 5 -t 1: give up on an address after 5 seconds with no retries;
# wget's defaults (900 s, 20 tries) leave filtered hosts hanging for hours.
for i in `seq 1 254`
do
wget -q -T 5 -t 1 -O 192.168.1.$i.html http://192.168.1.$i/ &
done
wait

Expanding the parameters of the wget command: -O writes the output to a file with a specific name. Otherwise we would have filename collisions all over the place and, more importantly, no idea which server a page came from. The & puts each process into the background and acts as a cheap form of parallelism: all of the requests launch at the same time, and a trailing wait lets them finish before the next stage runs. Two more flags are worth setting: wget's defaults are a 900-second timeout with up to 20 retries, so a handful of filtered addresses will leave the sweep hanging for hours unless you cap them with -T 5 -t 1. Since we are limiting ourselves to a /24 we won't worry about overloading the machine with 254 simultaneous connections; scale the range up and you will need to throttle, both for the scanner's sake and because a burst like this is easy for an IDS to spot.

ZERO LENGTH FILE STAGE
The resulting files will either contain HTML or have a zero length. A zero-length file is written whenever wget could not get a page from that address: the connection was refused because nothing is listening on port 80, it timed out because the address is filtered or unused, or a server answered with an error status (wget does not save the body of a 403 or 404 unless told to with --content-on-error, so those hosts look empty too). To clean these up we use find, which can match on size directly.

# -type f keeps empty directories out of the match, and -exec rm ... {} +
# handles any file name safely with far fewer forks than a shell loop.
find . -type f -name '*.html' -empty -exec rm -f {} +

What is left is HTML saved under the filename of the IP address where it was found.
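The two stages above as a small script, added here as an example and not code from the original post. It assumes nothing beyond wget and a POSIX shell; the function names (hosts_in_24, scan_web_hosts, prune_empty) and the output-directory argument are this example's own. It leaves the broadcast address out, caps wget so dead hosts cannot stall the sweep, and finishes by printing the addresses that actually returned a page so the result is a host list rather than a directory to eyeball.

```shell
#!/bin/sh
# Added example, not from the original post: the two stages above as
# functions, with a timeout so dead addresses do not hang the sweep and
# with the broadcast address left out. Function names are this example's own.

# Print every host address in a /24 given its first three octets
# (e.g. 192.168.1): .1 through .254; .0 and .255 are not hosts.
hosts_in_24() {
    prefix="$1"; i=1
    while [ "$i" -le 254 ]; do
        printf '%s.%s\n' "$prefix" "$i"
        i=$((i + 1))
    done
}

# Stage 1: fetch each host's index page into <outdir>/<ip>.html.
# -O creates the file before the connection is made, so a refused or
# timed-out host still leaves a zero-length file, which stage 2 relies on.
scan_web_hosts() {
    prefix="$1"; outdir="$2"
    mkdir -p "$outdir"
    for ip in $(hosts_in_24 "$prefix"); do
        wget -q -T 5 -t 1 -O "$outdir/$ip.html" "http://$ip/" &
    done
    wait   # let all background fetches finish before the cleanup stage
}

# Stage 2: delete the zero-length results and print the addresses that
# actually returned a page, one per line, sorted.
prune_empty() {
    outdir="$1"
    find "$outdir" -type f -name '*.html' -empty -exec rm -f {} +
    for f in "$outdir"/*.html; do
        [ -e "$f" ] || continue     # the glob matched nothing
        b=${f##*/}
        printf '%s\n' "${b%.html}"
    done | sort
}
```

Usage is `scan_web_hosts 192.168.1 ./sweep && prune_empty ./sweep`; the printed list is the set of hosts with something listening on 80 that returned a 2xx page, and the surviving files are the pages themselves.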

Lost connection to MySQL server during query

After hours of struggling with some code that writes to a MySQL database I finally discovered that I was using old and buggy drivers. If you are on Ubuntu and find yourself staring at this error it would be a good idea to install libdbd-mysql-ruby:

sudo apt-get install libdbd-mysql-ruby

Anti Scientology Videos taken down en masse on Youtube

The other day I received an email about a new Anonymous vs. Scientology dispute on YouTube. The enterbulation forum reported that Tory Christman, a very vocal critic of Scientology, had her YouTube account suspended. This time it looks as though Mark Bunker (Wise Beard Man) has had many of his videos taken down as Terms of Service violations. Roughly 90 of his videos appear to be down at this time. You can view these takedowns as we discover them at Youtomb.
[disclosure: I am an active team member of the Youtomb project]
[update: the enterbulation forum has also confirmed this account suspension on the same thread on page 21]

I’ve created a CSV of the videos affected here.
Because Wordpress won’t let me upload .CSV I have named the file .txt. Rename it to .CSV and use your favorite spreadsheet software to view it.

Given the history of Mark Bunker one has to wonder what Scientology told YouTube in order to have his account shut down. As one can see from the data collected, all the public is told is that there was a Terms of Service violation. We have no idea what those violations might be.

Cyber Security in a New Digital Age

This is the keynote by Dan Geer at the SourceBoston 2008 Security Conference.
disclosure: I am on the board of advisors for this conference.

Streaming Flash Video
MP4 File

Files hosted courtesy of blip.tv

Basic Ubuntu Server Hardening

This is a basic level of hardening for Ubuntu servers and should be considered a baseline. This tutorial will cover two topics: SSH and Firewall. This tutorial was prepared using Ubuntu Server 8.04 beta.

SSH
Edit the ssh daemon configuration file to move the ssh port away from 22. Most worms and bots are programmed to look at 22 and brute-force whatever is there, so moving to a non-standard port is the easiest way to cut the log noise. Be clear about what it buys you: a full port scan still finds sshd in seconds, so this is noise reduction, not a substitute for the firewall rule below or for strong authentication.


zeroday> sudo vi /etc/ssh/sshd_config

Look for "Port 22" and change it to a different value. Anything from 1024 up to 65535 works, with one caveat: ports above 1023 can be bound by any local user, so if sshd ever fails to start an unprivileged process could claim the port. Pick one that nothing else on the box uses, and remember the number, because the firewall rule has to match it.

# What ports, IPs and protocols we listen for
Port 65522

Now restart sshd

zeroday> sudo invoke-rc.d ssh restart

Firewall

Shorewall is an easy-to-configure front end for Netfilter (iptables) and provides a basic perimeter for your server's Internet-facing interfaces.

zeroday> sudo apt-get install shorewall

Once the package is installed it displays an error message stating that Shorewall cannot start until it is configured. This is a deliberate safety feature so that new users do not deploy Shorewall with the shipped rules, which would drop every inbound connection, ssh included. That is a very secure state to be in, but not a useful one on a remote server.

The first step is to copy the example configuration files

zeroday> sudo cp /usr/share/doc/shorewall-common/examples/one-interface/* /etc/shorewall

To allow the most basic of services we will add rules to allow inbound connections for the web server and ssh server.


zeroday> sudo vi /etc/shorewall/rules

Look for “Permit all ICMP traffic FROM the firewall TO the net zone” and add the following lines after the icmp rule:

  • ACCEPT net fw tcp 65522
  • ACCEPT net fw tcp 80

Your rules file should now look like this (the example file writes the firewall zone as $FW, which shorewall.conf sets to fw, so both spellings name the same zone):

# Permit all ICMP traffic FROM the firewall TO the net zone

ACCEPT $FW net icmp
ACCEPT net fw tcp 65522
ACCEPT net fw tcp 80

The last two steps enable Shorewall to start at boot. The first is in the shorewall.conf file.


zeroday> sudo vi /etc/shorewall/shorewall.conf

Look for the STARTUP_ENABLED variable and change it from “No” to “Yes”. This is not case sensitive.

The file should end up looking like this:

#######################################
# S T A R T U P E N A B L E D
#######################################

STARTUP_ENABLED=YES

Lastly we need to change the shorewall file in /etc/default.


zeroday> sudo vi /etc/default/shorewall

Look for the “startup” parameter and change it from 0 to 1.

It should look like this when you are done

# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start

startup=1

Now you are ready to start your firewall, but first double-check your work. I like to compare my edited configuration files to the originals using diff:


zeroday> for f in /etc/shorewall/*;
do
diff -u /usr/share/doc/shorewall-common/examples/one-interface/`basename $f` $f;
done

Once you have confirmed the changes, let Shorewall compile the configuration without loading it (sudo shorewall check) and then start the firewall. Do this from the console, or keep your existing ssh session open while you test a fresh login on the new port; if the ssh rule is wrong you still have a way back in.


zeroday> sudo invoke-rc.d shorewall start
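The whole procedure above, scripted, as an added example that is not code from the original post, from Shorewall or from Ubuntu. It assumes the Debian file layout used in the tutorial (/etc/ssh/sshd_config, /etc/shorewall/rules, /etc/shorewall/shorewall.conf, /etc/default/shorewall) and that the one-interface example files have already been copied into /etc/shorewall. The function names and the root-directory argument are this example's own: passing a copy of /etc lets you rehearse the edits before they touch the real files. The final check refuses to report success unless the port sshd listens on appears in an ACCEPT rule, which is exactly the mismatch that locks you out of a remote box.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall/Ubuntu:
# script the SSH port move and the Shorewall baseline described above.
# Every function takes the file(s) to edit as arguments, and apply_baseline
# takes a root directory (hypothetical; "" means the live /etc), so the
# edits can be rehearsed on a copy of /etc before touching the real system.

# Set the Port directive in an sshd_config, whether it is currently
# "Port 22", "#Port 22", or absent (appended in that case).
set_ssh_port() {
    cfg="$1"; port="$2"; tmp="$cfg.tmp.$$"
    if grep -q '^#\{0,1\}Port ' "$cfg"; then
        sed "s/^#\{0,1\}Port .*/Port $port/" "$cfg" > "$tmp"
    else
        { cat "$cfg"; printf 'Port %s\n' "$port"; } > "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# Print the port sshd would listen on according to a config (22 when unset).
ssh_port_of() {
    awk '/^Port /{p=$2} END{print (p=="" ? 22 : p)}' "$1"
}

# Insert ACCEPT rules for SSH (given port) and HTTP right after the
# example file's ICMP rule, so the file keeps the shape shown above.
add_inbound_rules() {
    rules="$1"; sshport="$2"; tmp="$rules.tmp.$$"
    awk -v p="$sshport" '
        { print }
        /^ACCEPT[ \t]+\$FW[ \t]+net[ \t]+icmp/ {
            print "ACCEPT\tnet\t$FW\ttcp\t" p
            print "ACCEPT\tnet\t$FW\ttcp\t80"
        }' "$rules" > "$tmp"
    mv "$tmp" "$rules"
}

# Flip STARTUP_ENABLED in shorewall.conf and startup= in /etc/default/shorewall.
enable_startup() {
    conf="$1"; dflt="$2"
    sed 's/^STARTUP_ENABLED=.*/STARTUP_ENABLED=Yes/' "$conf" > "$conf.tmp.$$"
    mv "$conf.tmp.$$" "$conf"
    sed 's/^startup=.*/startup=1/' "$dflt" > "$dflt.tmp.$$"
    mv "$dflt.tmp.$$" "$dflt"
}

# Lock-out guard: succeed only if the port sshd listens on (per $1) is
# accepted from net to the firewall zone in the rules file ($2).
ssh_rule_present() {
    awk -v p="$(ssh_port_of "$1")" '
        $1 == "ACCEPT" && $2 == "net" && ($3 == "$FW" || $3 == "fw") &&
            $4 == "tcp" && $5 == p { found = 1 }
        END { exit found ? 0 : 1 }' "$2"
}

# Apply all steps under $1 (root directory) using SSH port $2 (default 65522).
# Returns non-zero if the resulting rules would not let the new SSH port in.
apply_baseline() {
    root="${1:-}"; port="${2:-65522}"
    set_ssh_port "$root/etc/ssh/sshd_config" "$port"
    add_inbound_rules "$root/etc/shorewall/rules" "$port"
    enable_startup "$root/etc/shorewall/shorewall.conf" "$root/etc/default/shorewall"
    ssh_rule_present "$root/etc/ssh/sshd_config" "$root/etc/shorewall/rules"
}
```

On the real box, source the file and run apply_baseline "" 65522 as root, then sudo shorewall check, sudo invoke-rc.d ssh restart and sudo invoke-rc.d shorewall start, in that order, with your current session left open until a fresh login on the new port succeeds. The rewritten files are created with the invoking user's umask, so run it as root, not from a user account with a permissive umask.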

mouseHole: A ruby web proxy

I have been thinking about writing a web proxy for a while. There are several projects on my list that all involve web proxy technology. So tonight, while searching for a simple one, I found exactly what I was looking for: mouseHole.

There are a lot of dependencies, so be sure to run the following script.

#!/bin/sh
# Stop at the first failed step instead of piling errors on top of each other.
set -e
echo "installing ruby and dev libraries"
sudo apt-get install ruby --assume-yes
sudo apt-get install ruby1.8-dev --assume-yes
echo "installing ruby gems"
sudo apt-get install rubygems --assume-yes
# --include-dependencies is the old RubyGems spelling; newer versions pull
# dependencies in by default and reject the flag.
echo "installing hpricot gem"
sudo gem install hpricot --include-dependencies
echo "installing camping gem"
sudo gem install camping --include-dependencies
echo "installing activerecord gem"
sudo gem install activerecord --include-dependencies
echo "installing json gem"
sudo gem install json --include-dependencies
echo "installing mongrel gem"
sudo gem install mongrel --include-dependencies
echo "installing sqlite3 and libraries"
sudo apt-get install sqlite3 swig libsqlite3-ruby libsqlite3-dev --assume-yes
echo "installing sqlite3 gem"
sudo gem install sqlite3-ruby --include-dependencies

This is nearly automated; however, you will still need to pick the platform build of several of the gems (ruby, win32, jruby, etc.) when gem prompts for it. If there is a single piece of functionality I'd like from gem installs it is the ability to automate this last bit: an option that says "assume the highest version of ruby" for each of those choices. --assume-highest-ruby-version?

New trojan email attempt?

I don't really have time today to look into this, but an email made it through the spam filters purporting to be an animated "card" from some model on Adult Friend Finder. The file was attached as a zip. I'm sure there is something fun inside and I'm sure it will be infectious. Hope someone else can dissect it and let the world know.

Beansec this Wednesday!

Yo! BeanSec! is once again upon us. Wednesday, February 20th, 2008.

BeanSec! is an informal meetup of information security professionals, researchers and academics in the Greater Boston area that meets the third Wednesday of each month.

Unlike other meetings, you will not be expected to pay dues, “join up”, present a zero-day exploit, or defend your dissertation to attend. Map to the Enormous Room in Cambridge.

Enormous Room: 567 Mass Ave, Cambridge 02139. Look for the Elephant on the left door next to the Central Kitchen entrance. Come upstairs. We sit on the left hand side…

Don’t worry about being “late” because most people just show up when they can. 6:30 is a good time to aim for. We’ll try and save you a seat. There is a parking garage across the street and 1 block down or you can try the streets (or take the T)

In case you’re wondering, we’re getting about 30-40 people on average per BeanSec! Weld, 0Day and I have been at this for just over a year and without actually *doing* anything, it’s turned out swell.

We’ve had some really interesting people of note attend lately (I’m not going to tell you who…you’ll just have to come and find out.) At around 9:00pm or so, the DJ shows up…as do the rather nice looking people from the Cambridge area, so if that’s your scene, you can geek out first and then get your thang on.

The food selection is basically high-end finger-food appetizers and the drinks are really good; an attentive staff and eclectic clientèle make the joint fun for people watching.

Look for the red elephant!