Sunday, October 17, 2010

The Computer with Linux is Installed

This is the continuing story of a family who is switching the kids' computer from Windows to Ubuntu Linux. Long story short: The computer had been infected with some nasty malware. Try as I might, I couldn't get rid of all of them. Since I was going to be re-formatting and re-installing anyway, I asked the father if I could just install Linux rather than Windows. After he gave me the go-ahead, I installed the latest version, which is 10.10 or "Maverick Meerkat".
The one thing I noted off the bat was that the install was much more streamlined than in previous versions. It even asked if I wanted to do updates during the install, as opposed to doing the updates manually afterwards. Plus, and here's a big one, they asked if I wanted to add the ability to handle proprietary formats (Helloooo, MP3!) up front. Yes, I do. I try to be as software- and hardware-agnostic as I can. Right now, as much as open source purists hate it, MP3 is the primary method for storing digital music. The family has many, many songs already in that format. It would be more of a pain to convert them than to simply make it possible to load the appropriate (but proprietary) codec on the system.
As stated in my previous post, I added accounts for each of the two kids (ages 13 and 10), plus admin accounts for me and the parents. And to make things simpler for everyone (the drive is about an hour), I went ahead and added an SSH server. I set up public-key authentication and disabled password-only logins on their system; while I was installing the computer, I also set up their router to forward SSH requests to this computer.
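Since that box now accepts SSH from the Internet through the router's port-forward, the thing worth double-checking before driving away is that sshd really does refuse passwords. Here is an added example (mine, not part of the original post) that audits an sshd_config the way sshd actually reads it: keywords are case-insensitive, the first occurrence of a keyword wins and later duplicates are ignored, and anything after a Match line only applies conditionally. The sample config is constructed, and the defaults assumed for missing keywords are OpenSSH's of that era (PermitRootLogin defaulted to yes then).

```python
"""Audit an sshd_config for key-only login (added example, not the post's code)."""
import re

# keyword -> (value we want, assumed OpenSSH default when the keyword is absent)
WANTED = {
    "passwordauthentication": ("no", "yes"),
    "challengeresponseauthentication": ("no", "yes"),
    "pubkeyauthentication": ("yes", "yes"),
    "permitrootlogin": ("no", "yes"),   # default assumed for OpenSSH 5.x-era sshd
}


def parse_sshd_config(text):
    """Return ({keyword: first global value}, [keywords set inside Match blocks]).

    sshd uses the FIRST global occurrence of a keyword; duplicates are ignored.
    Everything after the first 'Match' line is treated as conditional here and
    reported separately rather than folded into the global settings.
    """
    effective = {}
    conditional = []
    inside_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            inside_match = True
            continue
        if inside_match:
            if key not in conditional:
                conditional.append(key)
        elif key not in effective:
            effective[key] = value
    return effective, conditional


def audit_sshd_config(text):
    """Return ([(keyword, effective value, wanted value, ok)], [conditional keywords])."""
    effective, conditional = parse_sshd_config(text)
    report = []
    for key, (wanted, default) in WANTED.items():
        value = effective.get(key, default)
        report.append((key, value, wanted, value.lower() == wanted))
    return report, conditional


# Constructed sample, not the family's real file.
SAMPLE_CONFIG = """\
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes   # later duplicate: sshd ignores this one
Match User guest
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    report, conditional = audit_sshd_config(SAMPLE_CONFIG)
    for key, value, wanted, ok in report:
        print(f"{'OK ' if ok else 'BAD'} {key}={value} (want {wanted})")
    for key in conditional:
        print(f"NOTE {key} is also set inside a Match block; review it")
```

On the sample this flags ChallengeResponseAuthentication and PermitRootLogin, which are still at their permissive defaults even though PasswordAuthentication was turned off, and it points out that a Match block re-enables passwords for one user. Run it against the real file with `sudo sshd -T` output if you want the values sshd computes itself rather than a parse of the text.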
As an added bennie, I noted that, when loading programs onto the kids accounts, the system asked for the username and password of one of the two admin accounts (me or the parents). No more did I need to worry about the whole "make the kids temporarily superuser" stuff. Just put in my username, type in my password, click and done.
Yesterday, they finally got their new (but old) computer. One thing I was really interested in was to find out precisely what the kids were using the computer for. Mind you, neither of these kids is an online gamer. (That kid, the oldest, is now in college.) But the youngest does check out various kid-related sites such as poptropica.com. It turns out that all either of them really needed was a word processor (for which they have OpenOffice) for school-related projects and a web browser (Firefox). Plus, with this version of Ubuntu, Firefox comes ready to play. No need to manually add Flash or anything. Once it's loaded, it's ready to rock.
After installing the computer, I walked each kid through the basics of starting up the computer, logging into his / her account, opening up OpenOffice (I put the requisite icons directly on the desktop), and opening up the browser. For the youngest, I had him open up his normal web sites, then I created bookmarks for each. I also added several of them directly to his Firefox bookmark toolbar. Once he opens Firefox, he has to make one click to go to his most favorite sites.
The one problem I had was trying to get their old printer to work. It's a Dell 720 color printer, and I could not get it to work. I scoured the Interwebz for how-tos. Several people spoke of using a particular driver for the Lexmark Z615 printer, since the Dell is allegedly a re-branded copy of that printer. No luck. I couldn't get it to work. I then tried to get the computer to print to an Epson printer which was connected to the parents' computer. The parents' computer is running WinXP. And at the moment I was trying to make it work, they happened to have left for some errands. Since I didn't have access to that computer, I decided to save that one for another day. For now, the kids will have to save their files to a thumb drive and print them on the parents' computer. Not ideal, but workable until we can figure out a better solution. I'd really like to get that Dell printer to work. Regardless, a minor glitch and, frankly, I can't blame the OS for it. Dell didn't provide a driver for it; besides, it's a low-end (I'm being polite.) printer anyway.
So, when I woke up this morning, I SSHed into their box and did a quick "who" command. Who's on the box this morning? One of the parents. Just before I left, I showed the father how to save a document in the MS Word format (since he has to send a lot of letters that way). And he was impressed with the ability to export to a PDF. His eyes actually lit up when I showed him that. Could he be doing something with OpenOffice? Possibly. My guess (and a quick "ps" command seems to bear this out) is that he's surfing the Internet using Firefox. Oh, and he was really impressed with how quickly the computer booted up, compared to the ages it took when Windows was still loaded.
I imagine there will be other problems (aside from the no-printer problem) in the future, but so far, so good.

Tuesday, October 12, 2010

The Family Linux Box - An Experiment Begins

Can a family that has used nothing but Windows convert to Linux? I may be about to find out. I have a family who have two desktop computers. One computer is for the parents; the other is for the children, ages 13 and 10. The kids computer was infected with what Norton stated was "11 risks". The risks were various trojan horses, general viruses, and a rootkit. I've tried all of the standard procedures to get rid of the various pieces of malware, all to no avail. I asked their father if I could load Ubuntu Linux on the computer. He said to go ahead.
The computer is now loaded with version 10.04 (Lucid Lynx), though I may update it to 10.10 (Maverick Meerkat). I've added an admin account for myself, an account for each of the kids, and an account for the parents.
I've already identified one problem. Neither of the kids is a super user, which means neither of them can use "sudo" to add programs or change their account in any way. So, while they can keep each other out of his and her respective files, they can't add any meaningful programs. Further, I don't know how I, as an admin, can do it for them. What I'm thinking right now is to temporarily make them super users, make the changes I need, then remove their super user status.
If you have suggestions, please leave them in the comments. Thanks!

Tuesday, October 05, 2010

Damn onions

I'm a regular reader of the web site Blackfive. One of the best things they do (among many) is to honor those who have fallen, to make those who stop by the site pause for a moment to reflect on someone who has given their life so that I can have mine.
It was while reading a recent one that I remembered two words that I'd come across in the comments for a similar article. The words were, "Damn onions". When I first saw those words, I understood. I've discovered, though, that not everyone gets it. In case you don't, let me explain.
The short answer is that the story, like chopping onions, made the reader cry. But in my mind, it's more than that. The readers of Blackfive cover all of the military services. I've seen comments from those in the Coast Guard, Air Force, Marines, Army and Navy. While they may rib and kid each other, the one bond they share that no outsider can truly understand is that they are and have been sent into harm's way. Many of them subscribe to the macho world of the military. Be cool, calm and professional, but always have a plan to kill everyone you meet. That kind of thing. Therefore, showing emotion, even through the relative anonymity of the interwebz, is not something that comes easily to them. When they read of a comrade who has died, though, it's gonna happen. The tears will flow. They can fight it, but frankly, they'd rather not. They could type out everything they're feeling, but words really don't suffice. The emotion is too raw, and perhaps (just as with me) they cannot write well. Words might be in their head, but whether they are the right words put into the right order is another thing, entirely. So, to keep up appearances, we get the comment, "Damn onions."
It's those two words for which the true significance would take a thick book to fundamentally explain. They may not want to show emotion in public, especially to a bunch of strangers on the internet. But still, they are. They are crying. Just as I am, having read the story of SSG Miller, recently (and posthumously) awarded the Medal of Honor. If you are ever reading a story of a comrade, a warrior, someone who has given their life for their country, and you see those two words, understand the depth that those two words represent.

Thursday, August 19, 2010

Analysis of a Malware Installation Attempt

Here's the background. Earlier this year, I was in a masters class that was an introduction to the TCP/IP suite of protocols. TCP/IP is, in essence, the backbone of the Internet. It's what allows all computers to talk to all other computers, whether they're little handheld iPhones or large supercomputers.
Me, I hate theory. I mean I really hate it. So many textbooks provide such dry prose that I have to stand in a monsoon to keep some humidity around me. To help keep my interest, I decided to do a little experiment. A friend's computer had been infected with a virus when she clicked on a link in her Facebook account. Turns out the link was from a friend of hers, whose account had also been infected. My friend's computer was running Windows, and it required several days and a couple hundred dollars to get it fixed. Anyway, I decided to use this as an opportunity to learn something. So, I set up a virtual machine (using VMWare) to create a Windows 7 Professional system. Then, I loaded Kaspersky Anti-virus, created a limited account, and went hunting. I stored a few of the links that were now appearing on her (now infected) Facebook account.
Rather than bore you here with all of the details, here's a short, graphic-laden summary of what transpired. The short answer is that it appears that Windows 7, when run on a limited account, is a much tougher nut to crack than I thought. Considering that I converted to Linux just last year, that's saying something.

Rob, We Need You Back

I've been a follower of Rob Rosenberger for many years. It's been at least ten years, because I remember reading his work while still living in a townhouse, and that was in 1999. Rob hasn't posted on either his Vmyths site or on the SecurityCritics.org site since last year. So far as I'm concerned, Rob was (and remains) the master of biting commentary with respect to computer security and the computer security industry. Finding him looking over your shoulder is similar to finding a "60 Minutes" news crew outside your front door. It's just not something you want to see happen. For example, when he went after Richard Clarke, you could hear the bitch-slap reverberating all across the country.
For those of us on the other side, the receiving side, of his wit and wisdom, it's just the opposite. You hope, nay pray, for him to find someone or something to ridicule. Seriously, to me, reading Rosenberger's insightful analyses was like finding the Rosetta Stone of the anti-virus industry. I could feel my IQ rising with each paragraph I took in.
Which brings me to my point. Rob, we need you back. I mean it. We need you. The seeming rise of botnets and uberhackers and what not just screams for someone with the knowledge and, even more importantly, the ability to translate that knowledge for the masses, and that means you. We need someone with the expertise to be able to look past the fluff and spin and exaggerations to be able to say what is BS, and what is BS.
Come back, Rob, when you can. As the ad goes, "We'll leave the light on for ya."

Saturday, July 03, 2010

Happy Fourth!

I don't drink alcohol, but I'll still raise a toast tomorrow (the 4th) out of respect for those who pledged their lives, their fortunes, and their sacred honor.

Oh if you're going to hit me with stupid whininess that you think passes for cynical wittiness, don't bother. If you don't know what passes for "stupid whininess", it's comments such as this:

From a comment on a Wired article: "Do you think that the Founding Fathers would be proud of us with the Bill of Rights reduced to a list of suggestions, Privacy gone, a government that kidnaps and tortures with no consequences to the perpetrators, wars waged based on lies and deceit?"

From a Gizmodo article: "This Sunday, our fine nation celebrates blowing up other nations for its independence."

Frankly, the second one is the dumbest thing I've read so far this year. It's so dumb that it will probably hold the title for the rest of the year, if not for several years after.

Enjoy your fireworks, your families and friends, and your independence.

Thursday, April 29, 2010

Botnet from a Linux kernel vulnerability?

I was reading an article on two men indicted on creating, then unleashing, a botnet attack. What really got my attention was this (my emphasis added):
A few hours later, T35 President Alex Melen responded to Zook's post, blaming the compromise on a Linux kernel vulnerability, and noting that "a lot of companies are dealing with these hacking attacks right now and not a lot can be done."

I found an article which seems to address an issue related to a Linux kernel vulnerability, but I don't know if this is the one addressed in the botnet attack. If it is the same one, then a patch has already been produced. Further, if it is the same one, then that gives me an idea of when this attack occurred (probably in the mid- to late-2009 timeframe).
Just another reminder to be on your toes with respect to computer security, regardless of your platform or operating system.

Thursday, April 15, 2010

Hey, FX Networks! You SUCK!

Again, it's my fault. I started watching the new series on FX Networks called "Justified". For whatever reason, I like it. However, I missed the second episode. This has not been a problem on other shows. For example, both "Burn Notice" and "In Plain Sight" (two of my other favorites) provide online episodes. Click to the website, click "Play" and away we go.

Not so with "Justified". First, I'm told that I have to download the "Move Media Player" which will provide "rich and exciting" video to my desktop. If you've read any part of this blog, you'll know that I no longer run Windows as my primary operating system. When I clicked on "Install", I was given a window that stated that "Move Media Player" only works on Windows XP and Vista, as well as Mac OS X.

Strike 1, FX.

I went ahead and fired up my laptop, which runs Vista. Except that Windows decided to go off the deep end. The "explorer.exe" process was running at 100%, making running anything impossible.

Strike 2, FX.

An hour later, I'd created a work-around for that problem. I managed to get the media player loaded. I started the episode I wanted. By the way, that took two restarts of the browser due to several errors I received. Except the episode is the wrong dimensions. Everyone is stretched out vertically.

Oh, and that whole "no buffering" is a whole lot of bullshit. If you're operating on the Internet, you're using a buffer. No way around it. Period.

So, I've downloaded a program in which the first thing presented is either a lie or a completely made-up piece of bullshit. (My fault.) Then it requires over an hour to get to work. (Their fault.) And, to top it all off, it's probably watching everything I do. (My fault AND their fault.)

Strike 3, FX. You're out.

I'll be deleting the "Move Media Player" from my computer. And telling FX to pound sand.

Sunday, April 04, 2010

Yet Another Reason I Like Linux: Panorama Pictures

Under Windows, I had a heck of a time finding decent panorama stitching software. At least, software that didn't cost a gazillion dollars. Under Ubuntu, I appear to have found a great panorama stitching program that is free. It's called "Hugin Panorama". It's actually two different pieces of software; one is the backend processor (called "Hugin Batch Processor") and the other is the frontend GUI (called "Hugin Panorama Creator"). I installed both from the repositories. In this case, it was using the Ubuntu Software Center (Applications -> Ubuntu Software Center, then do a search on "hugin").
The first panorama I created was of a Civil War battlefield (Bolivar Heights) just outside of Harpers Ferry, West Virginia. Personally, I think it came out stunningly.

The latest requires a short bit of digression. I used to be a volunteer firefighter. One of the first people I befriended when I joined the department goes by the nickname of "Tink". "Tink" is still with the department, but I'm not. But he wants me back. To try to push me in that direction, he suggested I stop by a building right next to where we have breakfast every Sunday morning. This particular establishment burned down because of a carelessly thrown-away ashtray. I stopped by. But I also decided to see how well Hugin would do with some cellphone pictures. Again, in my most humble opinion, I think it came out real well.

Consider this. I took this with an LG260 Rumor camera phone. If you don't know anything about this phone, know this: it takes crappy pictures. Yeah, they might tout it as a "1.3 megapixel", but those 1.3 million pixels have obviously had a hard life. I know, I know. It wasn't meant to take studio quality pictures. But, of all of the panorama stitching programs I've had, they always wanted good quality pics. Obviously, Hugin works differently. Or just better. Or differently better. Whatever. I just know it does a great job. (Just finished dropping a few dollars to the developer. Good work like this needs to be rewarded.)
Also, I didn't know the specs on the camera. All panorama programs need to know some basic camera info. Well, Hugin wants to know either the camera's horizontal field of view (shortened as "HFOV") or its focal length and focal length multiplier. Hell, I felt lucky the manual told me it was "1.3 megapixel". Forget about anything more detailed such as the focal length. I was able to take out a piece of paper, a pencil and a ruler, then actually calculate the horizontal field of view of the camera. It's approximately 52 degrees of HFOV. That works out to a 35 mm lens with a 1x multiplier. Go figure. Punching that in allowed me to make the panorama shown above.
Hey, Hugin people, you guys rock!

Sunday, February 21, 2010

Why Wireshark Doesn't Show Padding on Ethernet Packets

This post will be about a truly esoteric part of the interwebs. I'm going to use my small home network for this discussion. I have a couple desktops hardwired through switches, along with two laptops (an HP and a MacBook) tied in wirelessly. I also have an HP printer that is wired in. The medium, as with most home networks, is Ethernet over 100BaseT. When I use a piece of software that wants to communicate over my network, whether it's just to my networked printer sitting next to my desk or to a web server sitting half-way around the world, the operating system's network stack wraps the data in an Ethernet frame. That frame carries a hardware address, called a "medium access control" or "MAC" address, for the next system in the link. If the destination is something on my network, the frame goes to it directly. However, if I'm sending the frame outside my network, to the big Internet, then the destination MAC address that's used is the MAC address of my little Linksys router. When the frame gets to the router, the router re-wraps it with new source and destination MAC addresses: its own WAN-side address and that of the next hop at Comcast (my ISP). This is standard Ethernet (802.3) stuff.
But here's a little known (to most non-geeks) fact. My computer only holds onto the MAC addresses of the systems on the network for a limited time (about 20 minutes on mine). It keeps these addresses in a small in-memory table called the "ARP cache", which ties IP (Internet Protocol) addresses to MAC addresses. The "ARP cache" is dynamic: an entry that hasn't been refreshed ages out and is removed. So, what if it's been 20 minutes since the last time I connected over the network? More specifically, what if it's been 20 minutes since I connected to my router? Then the router's MAC address won't be in the "ARP cache". This means my computer needs some way to find out the router's MAC address. Which is the purpose of ARP, or "address resolution protocol". The purpose of ARP is to allow a system to determine the MAC address of another system given that it knows the IP address of that other system. So, when my computer wants to connect to the router, it sends out an ARP request stating, "Hey, who has 192.168.1.1? Tell 192.168.1.100." This message is broadcast to every system on my network. My router, recognizing its own IP address (192.168.1.1), sends a reply back to my computer (192.168.1.100) stating, "I have 192.168.1.1 and its MAC address is 00:01:45:a0:d2:30".
Still with me? Okay, here's where I get to the purpose of this post. Ethernet requires that a minimum of 64 bytes (512 bits) be put "on the wire". The original reason is collision detection on half-duplex, shared-medium Ethernet: a frame has to be long enough that the sender is still transmitting when a collision at the far end of the segment could get back to it. Those 64 bytes include the 4-byte CRC (the frame check sequence). The NIC checks and strips the CRC before handing the frame to the operating system, so the minimum size seen by most programs that look at frames is 60 bytes. If you happen to be using Wireshark, you can use it to capture the frames directly off of your network. I use it quite a bit just to better understand networking.
One thing that I noticed, though, was that when I looked at ARP requests, they were listed as being only 42 bytes. Actually, that is the real size of an ARP request: a 14-byte Ethernet header plus a 28-byte ARP message. But Ethernet requires a minimum of 60 bytes (again, not including the 4-byte CRC). To make the minimum, the sending side adds 18 bytes of padding (simply a run of 0s) to puff the frame up to 60 bytes. But Wireshark was not showing those padding bytes. Big deal! you might say. The problem is that padding is a known place for data to hide: a NIC or driver that pads with whatever happens to be in memory instead of zeros leaks that memory (the 2003 "Etherleak" advisory, CVE-2003-0001), and padding that is deliberately filled in can carry data past tools that only look at the headers. So, why is Wireshark not showing those padding bytes?
The short answer is that Wireshark never sees those bytes. The 42-byte frames show up when Wireshark captures on the same NIC the frames originate from. In other words, if I'm running Wireshark on my desktop and capturing on this same desktop, when the ARP request goes out, Wireshark shows it as being 42 bytes long. The ARP replies, however, since they come in from a different computer, show the proper length of 60 bytes. I've also looked at my desktop's ARP requests with Wireshark running on a different computer. There, everything, both requests and replies, showed as 60 bytes, the Ethernet minimum, with the extra 18 bytes listed under the Ethernet header as padding. In short, the padding is added after the point at which Wireshark's capture library (libpcap on Linux, WinPcap on Windows) taps the frame, which is as the operating system hands it to the driver; the driver or the NIC hardware pads it on the way out.
That's the answer to why Wireshark shows some frames as being less than the required Ethernet minimum. It only happens for frames originating from the same system Wireshark is running on, and it's because the padding is added in a part of the driver or NIC that Wireshark does not have access to. Incoming frames already carry their padding by the time the capture sees them, so if you want to inspect the padding on your own outgoing frames, capture on another machine (or on a mirror port of the switch).
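To make the numbers above concrete, here is an added example (mine, not from the post) that builds the ARP exchange described above as raw Ethernet frames, shows the 42-byte request, applies the 18 bytes of zero padding a NIC would add to reach the 60-byte minimum, parses a padded frame back the way a dissector does, and checks whether the padding carries anything other than zeros, which is the thing you would actually want to look for. The router's MAC and the two IP addresses are the ones in the post; the desktop's MAC (00:1e:8c:12:34:56) is made up for the example.

```python
"""ARP request/reply as raw Ethernet frames, plus a padding check (added example)."""
import struct

ETH_MIN_NO_FCS = 60            # 64-byte Ethernet minimum minus the 4-byte CRC/FCS
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ROUTER_MAC = "00:01:45:a0:d2:30"     # from the post
DESKTOP_MAC = "00:1e:8c:12:34:56"    # made up for this example
ROUTER_IP, DESKTOP_IP = "192.168.1.1", "192.168.1.100"


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, src_mac, src_ip, dst_mac, dst_ip, target_mac=ZERO_MAC):
    """14-byte Ethernet header + 28-byte ARP message = 42 bytes, unpadded."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac(src_mac) + ip(src_ip) + mac(target_mac) + ip(dst_ip)
    return eth + arp


def pad_frame(frame):
    """What the driver/NIC does on the way out: zero-fill up to 60 bytes."""
    return frame + b"\x00" * max(0, ETH_MIN_NO_FCS - len(frame))


def parse_arp(frame):
    """Return (dict of ARP fields, trailing padding bytes). Raises on non-ARP frames."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    o = 22
    sender_mac, o = frame[o:o + hlen], o + hlen
    sender_ip, o = frame[o:o + plen], o + plen
    target_mac, o = frame[o:o + hlen], o + hlen
    target_ip, o = frame[o:o + plen], o + plen
    fields = {
        "op": op,
        "sender_mac": mac_str(sender_mac), "sender_ip": ip_str(sender_ip),
        "target_mac": mac_str(target_mac), "target_ip": ip_str(target_ip),
    }
    return fields, frame[o:]          # everything past the ARP message is padding


def summary(frame):
    """One-line description in the style Wireshark uses for ARP."""
    f, pad = parse_arp(frame)
    if f["op"] == ARP_REQUEST:
        text = f"Who has {f['target_ip']}? Tell {f['sender_ip']}"
    else:
        text = f"{f['sender_ip']} is at {f['sender_mac']}"
    return f"{len(frame)} bytes: {text} (padding {len(pad)} bytes)"


def suspicious_padding(frame):
    """True if the padding is anything other than zeros (leak or covert channel)."""
    _, pad = parse_arp(frame)
    return any(pad)


if __name__ == "__main__":
    request = build_arp(ARP_REQUEST, DESKTOP_MAC, DESKTOP_IP, BROADCAST, ROUTER_IP)
    print(summary(request))                  # 42 bytes, as seen on the sending host
    on_wire = pad_frame(request)
    print(summary(on_wire))                  # 60 bytes, as seen from another host
    reply = pad_frame(build_arp(ARP_REPLY, ROUTER_MAC, ROUTER_IP,
                                DESKTOP_MAC, DESKTOP_IP, target_mac=DESKTOP_MAC))
    print(summary(reply))
    leaky = request + b"stale kernel bytes"[:18]   # constructed bad padding
    print("suspicious padding:", suspicious_padding(leaky))
```

The check in `suspicious_padding` is what you would run over frames captured from a second machine: anything non-zero past byte 42 of an ARP frame came from the sender's driver or NIC, not from ARP, and deserves a closer look.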

Monday, February 01, 2010

Running Windows under VMWare on Ubuntu

As I've posted previously, I'm trying to figure out how to perform under Ubuntu all of the tasks I used to perform under Windows. Unfortunately, I'm having difficulties. This was expected. And I'm not blaming Ubuntu. If as many people were making software and hardware for Linux as they were for Windows, this wouldn't even be a topic of discussion. As it is, right now, I can't find a working Linux driver for my old Visioneer scanner. That means I still need Windows. I've had my system as a dual-boot. In those cases where I need Windows, I restart the system, bring up Windows, perform the task, then restart back into Ubuntu. It wouldn't be so bad except for the fact that, with a lot of the garbage that Windows requires (here's looking at you, Norton), booting up in Windows takes minutes.
I may have found some better solutions. First, on the scanner. I tried out several of the compatibility-layer and virtual machine programs that are freely available. These include Wine (a compatibility layer that lets Windows programs run on Linux & Unix; despite the way people describe it, it isn't an emulator), VirtualBox (a virtual machine) and VMWare Player (another virtual machine). NOTE: While VMWare Player is free, most or all of the other VMWare programs cost money. Frankly, in my opinion, VMWare Player works best for me. I now have an (almost) fully functional Windows XP system running on top of my Linux system. If I need to do some scanning, I can bring up the virtual machine (takes about 30 seconds), perform the scans (which are scanned into a shared folder between the Ubuntu host and Windows XP guest system), and close it down. Done. Also, if there is ever a problem with the Windows system, I have a stable copy backed up. That's the wonderful thing about virtual machines. They are simply a collection of files. BIG files (we're talking almost 10 GB for the WinXP stuff), but still just files. If the working copy is corrupted, delete it, and put a fresh version in its place. No muss. No fuss.
Second, on the video-related stuff, I occasionally play around editing video, such as when I made a short video for my father based on some pictures and video clips taken at his 70th birthday party. Nothing fancy. Fortunately, Ubuntu has several video editors available. I've chosen Kino, and so far, it's working fine. What this means is that I can now see a not-too-distant point in the future when Windows will not be talking directly with my hardware. It will be safely ensconced in a virtual machine where any damage it can do will be minimal at best. It also means it's one more step toward the day when Windows won't be necessary at all.

Monday, January 18, 2010

Welcome back, Skippy!

Back in nought-eight, I booted Skippy's List from my list of favorites. It started with that wiener Michiel (to which I did post a response, and even had Michiel himself show up to express his displeasure at my displeasure), and ended with Todd's post on the best way to kill someone and get away with it. I thought that a bit over the top, so I stopped linking to Skippy. It wasn't until I was talking with a friend of mine (who tends to be, uh, outspoken shall we say) that I realized the error of my ways. His response was, "So, you disagree with this [guy] and all you do is to remove your link to his site? What, are ya kiddin' me!?!" Put that way, I have to admit my response was on the back end of lame. Then, when he (my friend) found out that it wasn't even Skippy who wrote the posts I disagreed with, well, let's just say he took me to task. Again.

Besides, that really was no way to repay what I consider to be a true act of kindness.

Long story short, Skippy is back on the list. And sorry, Skippy, for just punting you.

Sunday, January 10, 2010

I'm Doubling My Rates on Smokers and Compaq Presario Owners

I've been working on a friend's computer for the past week. She has a Compaq Presario SR1000. Let me start by saying, "What a piece of shit." To start (and this is the most minor of all the problems it has), the heat sink for one of the smaller chips fell off. The heat sink is held in place by a spring, and the spring connects to two loops on the motherboard. One of the loops broke. I can't fix the broken loop, so I'm only able to connect the heat sink by sitting the computer on its side and letting gravity do its thing.

As I said, the most minor of all the problems. The next problem (and the one that has taken the most time) was the upgrading of the memory. The computer came with 512 MB of RAM. But that's misleading. The video is onboard and the RAM is not just for the CPU, but for the video as well. The video uses 128 MB, meaning that only 384 MB was left for the CPU. The system is running Windows XP, so 384 MB barely meets the "I'll run, but I won't like it" level. The 512 MB (shared between the video and CPU) was in one chip. The motherboard has two slots. I bought two 1 GB chips. The first went in with no problem. But the second... did I mention that the girl smokes? When I first opened the computer, the dust inside wasn't just heavy, it was black. I mean black. Cigarette smoke is the result of combustion, as is all smoke. Which means that it has a lot of carbon. And that carbon residue was everywhere, in every crevice, nook, cranny, and portion of the interior of the computer. Including in the open RAM chip slot. Now, I've tried for over a week to clean the contacts. I've managed to get a clean cloth with isopropyl alcohol into the slot. The first few times, it came out black. Now its coming out clean. But, still, for some reason, there's some issue because, with the second chip installed, the computer will run fine for some random time but will then go BSOD (blue screen of death). I've given up. It will have to run with just 1 GB of RAM (again, shared between video and the CPU).

The next, and perhaps the biggest, problem is that it's a Compaq. I've never seen a computer so bogged down with extra... crap... than I have with this one. It's bad enough that it's running Windows. That will slow anything down. But, then, it has all of the HP and AOL crap on top of it. That has taken a solid day of work just to get rid of most of it. I'd get rid of it all, but that would probably require a week. I relieved the system of the worst offenders, but the light offenders get a pass. This time. If I have to work on a similar system again, it will be with the understanding that the only thing I'll be willing to load onto the system is Linux. That's an hour's worth of work that will pay huge dividends in saved time later on.