Conficker

People are already calling Conficker the worst worm in years, even though bloggers in Europe (where it’s already April 1) are saying it’s not doing anything.

It looks like ESET, maker of the fine NOD32 anti-virus software, has a page on how to remove Conficker, including what seems to be a free tool for its removal. Based on my limited reading, it seems that installing the latest security patches for Windows pretty much renders you immune. But we all know people who don’t do that.

It looks like Conficker alters some Windows network internals, causing it to exhibit some different fingerprint characteristics when probed, so tools like Nessus and nmap are apparently able to detect it. Though Nessus is a gigantic problem, and I don’t have any machines with Conficker on my home LAN, so I can’t confirm this.

ssh Brute-force Attempts

I used to get a couple hosts bounced a week… They’d try to brute-force username/password combos over ssh and DenyHosts would ban their IP after 5 failed logins.

For a couple days last week, I probably had about 50 in a 24-hour period, and then they went away as quickly as they started.

Today… Well, today is insane. As this site confirms, GMail limits a “conversation” to 61 messages. So as this screenshot shows…

Failed ssh logins

Security Forces

I just finished a show on “NatGeo” about the private security firms working in Iraq. It was a really interesting watch. They’re not there to engage in combat, but they’re there for “security,” such as escorting construction materials for a new police station (something insurgents are eager to stop), and transporting VIPs around.

IEDs are apparently a huge problem, more so than the news portrays. One of the guys brought back his SUV, with the whole side blown in and full of bullet holes. The SUV was “reinforced,” meaning that it had bullet-proof glass and huge steel plates over it, and yet it was still in terrible shape. He made it out alright, although the driver, an Iraqi, died. “That was my seventh IED,” he mentioned casually.

Most are apparently set on desolate roads, and are basically just tripped by any car. There are often just tripwires that set them off, versus manually being tripped. Which got me thinking of an old idea…

I want to build an “RC Car,” something radio-controlled. Except I don’t mean a little RC car. I mean an actual car that’s driven remotely. With GPS and a set of video cameras (plus a high-speed, low-latency data link), you could be pretty accurate. It probably wouldn’t be a good idea to remotely drive one of these down Route 3 (although I think you could design it to work pretty accurately). But I think they might rock in Iraq. You send one out a quarter-mile in front of your “real” convoy. No one’s in it, but its main purpose would be to trip IEDs, and do some scouting for you. From the back of a van in tow, or from a remote headquarters, people could watch for anything suspicious. And, “worst case,” it trips an IED, effectively wasting the IED on blowing up a van with no one in it. The real people behind could either divert their course, or plow on through, knowing that the bomb had been detonated.

I’ve also thought RC planes would be interesting. These days they’re “UAVs,” unmanned aerial vehicles. What I have in mind isn’t the military UAV, a “real” airplane remotely controlled, but something a couple feet long with some cameras. Outfit it with GPS and various data links, such that it can stream video real-time, or even capture higher-resolution still images and transmit those. (Heck, fit a high-end camera on it, but have it transmit a 640×480 image, and just store the full-res to an 8GB Flash drive…)

I always thought it’d be cool to have as a pet project. Fly it around and go “sight-seeing” from your room, with what’s essentially a wireless webcam in the sky. I think they’d also be popular with places doing mapping / “satellite” imagery, as you could send these little things up and just have them run autonomously, snapping photos of an area until the batteries / gas ran low, at which point they’d return “home.”

But these things would rock in combat, too. Send these out over areas you’ve got to travel. (And areas you’re not travelling, to keep them guessing.) At a remote command post, someone can spot potential threats and identify them long before they become a problem. (You could even try grazing them with your mini RC plane.)

I don’t know what sort of radio infrastructure they have over there (well, I know they’re running CDM1250s and HT1250s, but I mean, I don’t know if they run repeaters / what power they run), but you might even fit a portable repeater on the little UAV, ensuring that their portable radios could still keep in touch with their post miles away.

As an aside, the radios I saw them with in the show don’t support encryption, meaning that it really wouldn’t be hard for insurgents to tune in. Their bombs keep getting more and more complex, showing that they’ve got some technically-minded people on board. It seems like a pretty bad idea to me to not encrypt your radio traffic in those circumstances.

Public Safety

For those of you who don’t monitor police scanners regularly, I’d like to introduce what can be considered a fairly scary fact: their computer systems go down all the time.

Where it usually comes up is when they try to run a license plate or a person, or to query NCIC or similar. The officer calls it in and waits a few minutes, before the dispatcher calls back that the (remote) system is down. When you’re monitoring multiple neighboring towns, you’ll often notice that they all lose it at once. The backend servers are going down.

This drives me nuts. It’s usually not a huge deal, but now just imagine that you’re the police officer, and the guy you pull over, but can’t run through the system, actually has a warrant out for his arrest. For murdering a police officer. But you have no clue, because the system is down. Of course this is extreme, but it’s always been said that traffic stops are actually the most dangerous and unpredictable things an officer does. They never know whether it’s a nice old lady or someone with a warrant out for their arrest. A decent number of arrests come from pulling people over for traffic violations and finding subsequent violations, like cocaine or guns, or an outstanding warrant.

My webserver sits in Texas on what’s basically an old desktop system. And it seems to have better uptime than these systems. As biased as I am in favor of my blogs, even I will admit that police databases are more important. Further, if my blogs were routinely unreachable, I’d be furious with my hosting company. Why is it tolerated when this happens?

Databases are fairly easy to replicate. Put a “cluster” of database nodes in a datacenter. You’re protected against a hardware failure. Of course, the data center’s still a single point of failure. So put another database node in a separate datacenter. That alone is probably all you’ll ever need. But you can keep turning up more database nodes in different locations as budget permits. (I suspect budget is the limiting reactant.)

But you can take it one step further. Set up another database node, not in a lonely datacenter, but in a large dispatch facility. (The MA State Police apparently run a very large 911 answering center.) So they get a database node there, that doesn’t answer public queries, but that receives updates from other database servers. And, in the event of some sort of catastrophic failure, remote dispatchers can call up and request that something be run.

I’m just really bothered that people seem to find it acceptable that, probably at least once a week, the system is unreachable for quite some time.

Digital Photo Recovery

I just discovered PhotoRec, a tool for recovering digital camera images.

For the non-geeks, a quick basic background… When you save a file, it writes it to various blocks on the disk. Then it makes an entry in the File Allocation Table, pointing to where on the disk the file is. When you delete a file, the entry is removed from the File Allocation Table. That’s really all that happens. The data is still there, but there’s nothing pointing to where on the disk it is. This has two implications. The first is that, with appropriate tools and a little luck, you can still retrieve a file that you’ve deleted. (Whether this is comforting or distressing depends on your perspective…) The second is that, with no entry in the File Allocation Table, it’s seen as “free space,” so new files saved to the disk may well end up getting that block. It’s technically possible to recover stuff even after it’s been overwritten, but at that point it’s much more complex and much more luck is involved.

Last night we went out to dinner… We took lots of photos, but some were deleted. So I figured PhotoRec might recover them. So I gave it a try.

The filesystem shows 163 photos. After running PhotoRec, I have 246 photos. What’s odd is what photos I have. It’s not the ones from last night. They’re scattered from various events, and several are from almost two months ago.

This does leave us with an important tip, though: if you delete an essential photo, stop. Each subsequent thing you do to the disk increases the odds of something overwriting it. In a camera, just turn it off. Taking more photos seriously jeopardizes your ability to recover anything.

In my case, I didn’t have anything really important… I just wondered how it would work. And I got strange results for recovered files. (Which has me wondering a lot about how its files get written out to disk, actually.) But it’s good knowledge for the future. (By the way, PhotoRec runs under not just Linux, but also, apparently, Windows, and most any other OS you can imagine.)
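To make the FAT explanation above concrete, here is an added toy model (my own example, not PhotoRec’s code): a tiny block “disk” with an allocation table, where deleting only drops the table entry, and a PhotoRec-style carver that ignores the table and scans raw blocks for JPEG start/end markers. The photo contents and file names are constructed; it also shows why a photo taken after the deletion can overwrite the one you wanted back.

```python
"""Toy model of FAT-style deletion and signature carving (constructed example)."""

BLOCK = 16        # bytes per block, tiny so the disk image stays readable
NBLOCKS = 32      # a 512-byte "disk"

JPEG_SOI = b"\xff\xd8\xff"   # real JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # real JPEG end-of-image marker


def new_disk():
    """Return an all-zero disk image and an empty allocation table."""
    return bytearray(BLOCK * NBLOCKS), {}


def write_file(disk, table, name, data):
    """Write data into the first free blocks and record them in the table.
    Only the table knows which blocks belong to which file."""
    used = {b for blocks in table.values() for b in blocks}
    free = [b for b in range(NBLOCKS) if b not in used]
    needed = -(-len(data) // BLOCK)          # ceiling division
    if needed > len(free):
        raise OSError("disk full")
    blocks = free[:needed]
    for i, b in enumerate(blocks):
        chunk = data[i * BLOCK:(i + 1) * BLOCK]
        disk[b * BLOCK:b * BLOCK + len(chunk)] = chunk
    table[name] = blocks
    return blocks


def delete_file(table, name):
    """Deletion removes only the table entry; the data blocks are untouched."""
    del table[name]


def fake_jpeg(body):
    """Build a constructed 'photo': SOI marker, body bytes, EOI marker."""
    return JPEG_SOI + body + JPEG_EOI


def carve_jpegs(disk):
    """Ignore the table and scan the raw disk for SOI..EOI pairs, the way a
    signature-based recovery tool does."""
    found, pos = [], 0
    while True:
        start = disk.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = disk.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            return found
        found.append(bytes(disk[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)


def demo():
    """Returns (names still in the table, carved after delete, carved after overwrite)."""
    disk, table = new_disk()
    dinner = fake_jpeg(b"D" * 43)            # 48 bytes: exactly three blocks
    write_file(disk, table, "IMG_0001.JPG", dinner)
    write_file(disk, table, "IMG_0002.JPG", fake_jpeg(b"second shot"))
    delete_file(table, "IMG_0001.JPG")       # gone from the listing, not from the disk
    carved_after_delete = carve_jpegs(disk)  # both photos still come back
    # "Taking more photos": a new file lands on the freed blocks of IMG_0001.
    write_file(disk, table, "NOTES.TXT", b"x" * 40)
    carved_after_overwrite = carve_jpegs(disk)
    return sorted(table), carved_after_delete, carved_after_overwrite


if __name__ == "__main__":
    print(demo())
```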

Emulating spamd for HTTP

I won’t lie–I love OpenBSD’s spamd. In a nutshell, it’s a ‘fake’ mailserver. You set your firewall up to send obvious spammers to it instead of your real mailserver. It talks to them extremely slowly (1B/sec), which keeps them tied up for quite some time. (As an added bonus, it throws them an error at the end.)

One thing that really gets under my skin is bots (and malicious users) probing for URLs on the server that don’t exist. I get a lot of hits for /forum, /phpbb, /forums, /awstats… What they’re doing is probing for possible (very) outdated scripts that have holes allowing remote code execution.

It finally hit me: it’s really not that hard to build the same thing for HTTP. thttpd already supports throttling. (Note that its throttling had a more sane use in mind: limiting overall bandwidth to a specific URL, not messing with spammers and people pulling exploits, so it’s not exactly what we want, but it’ll do.)

Then you need a large file. I downloaded a lengthy novel from Project Gutenberg. It’s about 700 kB as uncompressed text. I could get much bigger files, yes. But 700 kB is plenty. More on this later.

It’s also helpful to use Apache and mod_rewrite on your ‘real’ server. You can work around it if you have to.

Set up your /etc/thttpd/throttle.conf:

**    16

Note that, for normal uses, this is terrible. This rule effectively says, “Limit the total server (**) to 16 (bytes per second).” By comparison, a 56K dialup line is about 7,000 bytes per second (or 56,000 bits per second).

Rudimentary tests show that having one client downloading a 700 kB file at 16B/sec places pretty much no load on the server (load average remained 0.00, and thttpd doesn’t even show up in the section of top that I can see), so I’m not concerned about overhead.

You can also set up your thttpd.conf as needed. No specific requirements there. Start it up with something like thttpd -C /etc/thttpd/thttpd.conf -d /var/www/maintenance/htdocs/slow -t /etc/thttpd/throttle.conf (obviously, substituting your own directories and file names! Note that the /slow is just the directory I have it serving out of, not any specific naming convention.)

Now what we need to do is start getting some of our mischievous URL-probers into this. I use some mod_rewrite rules on my ‘real’ Apache server:

# Weed out some more evil-doers
RewriteRule ^forum(.*)$ http://ttwagner.com:8080/20417.txt [NC,L]
RewriteRule ^phpbb(.*)$ http://ttwagner.com:8080/20417.txt [NC,L]
RewriteRule ^badbots(.*)$ http://ttwagner.com:8080/20417.txt [NC,L]
RewriteRule ^awstats(.*)$ http://ttwagner.com:8080/20417.txt [NC,L]

In a nutshell, I redirect any requests starting with “forum,” “phpbb,” “badbots,” or “awstats” to an enormous text file. I’m not sure if escaping the colon is strictly necessary, but it has the added benefit of ‘breaking’ the link when pasted, say, here: I don’t want anyone getting caught up in this unless they’re triggering it. I end each with (.*), essentially matching everything. You may or may not see this as desirable. I like it, since /forum and /forums are both requested, and so forth. You could take that out if necessary. The [NC,L] is also useful in terms of, well, making anything work.

I want to watch and see whether anyone gets caught up in this. Since it’s technically passing the request to a different webserver (thttpd), it has to tell the client to connect to that, as opposed to seamlessly serving it up. I don’t know if the bots are smart (dumb?) enough to follow these redirects or not.

Note that /badbots doesn’t really exist. I inserted it into my robots.txt file, having heard that some ‘bad’ bots (looking for spam, etc.) crawl any directory you tell them not to. I wondered if this was accurate.

The ending is quite anticlimactic: we wait not-so-patiently to see what ends up in the logfile.
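As an added example (not the post’s own setup, which uses thttpd plus mod_rewrite), here is the same slow-drip idea as a stand-alone Python HTTP tarpit: requests for the probed prefixes get a large text body at 16 bytes per second, everything else gets a fast 404. The path prefixes come from the rewrite rules above; the bait text, the listen address and port 8080 are assumptions.

```python
"""Minimal HTTP tarpit: probes for known-bad paths get a large text file
dripped out at a few bytes per second; everything else gets a fast 404."""
import re
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Same prefixes the post redirects with mod_rewrite (case-insensitive).
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE)
                  for p in (r"^/forum", r"^/phpbb", r"^/badbots", r"^/awstats")]

# Constructed stand-in for the Project Gutenberg novel used in the post (~170 kB).
BAIT = b"Chapter 1. It was a dark and stormy night. " * 4000


def is_probe(path):
    """True when the request path starts with one of the probed prefixes."""
    return any(p.match(path) for p in PROBE_PATTERNS)


def drip(write, payload, rate, sleep=time.sleep):
    """Hand `payload` to `write` in `rate`-byte pieces, pausing one second
    between pieces. Returns the number of pauses taken."""
    pauses = 0
    for off in range(0, len(payload), rate):
        write(payload[off:off + rate])
        if off + rate < len(payload):
            sleep(1)
            pauses += 1
    return pauses


def simulate_drip(payload, rate):
    """Dry run of drip() with no sleeping: returns (pieces written, pauses)."""
    pieces = []
    pauses = drip(pieces.append, payload, rate, sleep=lambda _s: None)
    return len(pieces), pauses


class TarpitHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"   # no keep-alive: one slow response per connection
    bytes_per_second = 16           # same limit as the post's throttle.conf

    def do_GET(self):
        if not is_probe(self.path):
            self.send_error(404)    # real visitors never see the tarpit
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(BAIT)))
        self.end_headers()

        def write(chunk):
            self.wfile.write(chunk)
            self.wfile.flush()      # push each piece out immediately

        try:
            drip(write, BAIT, self.bytes_per_second)
        except (BrokenPipeError, ConnectionResetError):
            pass                    # the prober gave up; nothing more to do


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), TarpitHandler).serve_forever()
```

Each slow client holds one handler thread for hours, so in front of real traffic use a threading server and a connection cap rather than the single-threaded HTTPServer shown here.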

Fundraising

For whatever reason, we’ve been getting a lot of calls asking us to donate money to various causes all of a sudden. My mom did some research and unearthed some interesting information. Most of the calls come from “paid fundraising” companies. They take a percentage of what you donate–usually around 40%, it seems. We had the same person call us today on behalf of two separate charities. Both from the same company.

Should you find yourself in the same position, don’t fall for the irritating, “Can the {starving children, disabled veterans, cute kittens, abused children} count on you for support?” line. Respond by asking where they’re calling from, if it’s a paid fundraiser, and how much they get. If you’re feeling charitable when they call, thank them, and tell them you’ll make a donation directly to the charity.

You could make an argument that it’s simple economics, and that there’s even “good” being done–most charities don’t cold-call people, so they may be bringing in incremental donations. But, in my mind, it’s extremely sleazy to not fully disclose your own fiduciary interests when taking donations.

9/11

While I don’t believe Rudy is going to make it far in the campaign, and while I really don’t like the attack ad element of politics, I’m frankly pretty appalled with Rudy Giuliani. I think it’s immoral to try to use 9/11 to your advantage. But Rudy’s use seems particularly insidious. He keeps running ads suggesting that we need to vote for him if we want to be safe from terrorists. Besides the fact that this is creepy fear-mongering, what bothers me most is that there’s an unspoken (in this ad) implication that his leadership on 9/11 is what qualifies him.

It was a really crass comment, but a political commentator said something to the effect of, “Giuliani is an expert on terrorism just like the mayor of New Orleans is an expert on flood prevention.” While it maybe goes a bit too far, the point remains the same: what, precisely, about 9/11 makes him a qualified leader?

The IAFF (firefighters’ union) put together a video asking the same question. And if there’s anyone people respect because of 9/11, it’s FDNY. The IAFF essentially blasts Rudy for mis-handling things. One big problem I’d forgotten all about was the radio failures. They knew since the 90’s that their radios didn’t work inside the WTC, but repeated attempts to get it fixed went nowhere. (They mention an “upgrade” that was actually so bad that they went back to their old radios, which is what they used on 9/11.) Tragically, more than 100 firefighters, because of these communication failures, never got the signal to evacuate WTC and ended up losing their lives because of it.

Some have also criticized Rudy for his decision to locate much of the city’s emergency communications infrastructure in the World Trade Center. Even if his common sense / expertise on terrorism didn’t tell him that this was an intuitively bad idea, previous attempts by al Qaeda to blow it up might have.

And if you’re not offended enough, give this a watch. I keep wanting to believe that this is a farce, with a look-alike mocking him. Except that all indications are that this is real. A Parkinson’s victim calls into a program Rudy’s doing on the radio to ask him why he took his food stamps and Medicaid away. Rudy cracks up laughing, mocks him, and offers to send him psychiatric help “because [he] clearly need it.” While Rudy surely didn’t know he was mocking a Parkinson’s victim, why would he treat anyone that way?!

Moral of the story: if you’re going to try to exploit 9/11 to win an election, you’d better make sure your botched leadership didn’t kill our firefighters. And you might want to refrain from going on public radio and cracking up laughing, and subsequently mocking, people who call in to say they have Parkinson’s and can’t afford their medication. But that’s just my opinion. I’m no political consultant or anything.

Update: For those that don’t read the comments, you should at least check out the link in this one for more of Rudy’s radio program.

Idea

Why isn’t there a really good “network appliance” as a network gateway? You can get a low-end firewall/router, or you can build your own machine.

Setting up OpenBSD is no walk in the park, though. I want to build an “appliance” based on OpenBSD, and give it a nice spiffy web GUI. You buy the box, plug one side into your switch and one side into your cable modem or whatnot, and spend ten minutes in a web browser fine-tuning it. I was really fond of the appearance of the Cobalt Qube, although it could be made much smaller. And throw a nice LCD on the front with status. You can run a very low-power CPU, something like the one powering these. It really doesn’t need more than 512MB RAM, but give it a small solid-state drive. And a pair of Gigabit cards, not just for the speed, but because GigE cards usually are much higher-quality. In building routers, the quality of your card determines how hard the CPU has to work.

There’s so much that a router can do. You can run a transparent caching proxy, a caching DNS server, priority-based queuing of outgoing traffic (such as prioritizing ACKs so downloads don’t suffer because of uploads, or giving priority to time-sensitive materials such as games), NAT, an internal DHCP server, and, of course, a killer firewall. You can also generate great graphs of things such as bandwidth use, blocked packets, packet loss, latency… You can regulate network access per-IP or per-MAC, and do any sort of filtering you wanted. It could also easily integrate with a wireless network (maybe throw a wireless card in, too!), serving as an access point and enabling features like permitting only certain MACs to connect, requiring authentication, or letting anyone in but requiring that they sign up in some form (a captive portal). And I really don’t understand why worms and viruses spread so well. It’s trivial to block most of them at the network level if you really monitor incoming traffic.

I’m frankly kind of surprised that nothing of this level exists. I think there’s a definite market for quality routers. A $19 router does the job okay, but once you start to max out your connection, you’ll really notice the difference! A good router starts prioritizing traffic, so your ssh connection doesn’t drop and your game doesn’t lag out, but your webpages might load a little slower. An average router doesn’t do anything in particular and just starts dropping packets all over the place, leaving no one better off. (And a really bad router–our old one–seems to deal with a fully-saturated line not by dropping excess packets or using priority queueing, but by rebooting itself, leaving everyone worse off… I think this may have had to do with the duct tape.)

Geek

We’ve been having a lot of intermittent network problems at home. Periodically, our Internet cuts out. At first I assumed it was our ISP–it’s no longer Adelphia (run by pharmacists), though–but subsequent research indicated that it wasn’t our ISP’s fault: our router was going down.

My dad set it all up, so I wasn’t too sure how things went. I was pretty confident that we were just using a generic store-bought broadband router, though, so I found it strange that it would be drifting in and out. It turns out that I overlooked something about the router: it’s being held together with duct tape.

I’d already been intrigued by OpenBSD’s pf, so this seemed like a sign! I commissioned an old desktop system, loaded OpenBSD up on it, and went to work configuring it. OpenBSD was just more different from Linux than I expected. It asks you if you want to let OpenBSD use the whole hard drive. I said yes, and thought, “Wow, this is just as easy as Ubuntu!” But it turns out that this was just the first stage. After this, you have to set “disk labels,” which are sort of like partitions but ambiguously different. The syntax is obscure, the purpose is obscure, and so forth. Then I had to configure the network. NICs are named by the drivers they use, so instead of eth0 and eth1 (for Ethernet), I have rl0 (Realtek) and dc0 (who knows).

I was also extremely confused trying to set up routing. Long-term, it was going to be the router, but short-term, it needs to know about our existing router so that it can connect and download the requisite packages.

So I finally got it all set up. I also installed MySQL (unnecessarily, it turns out), Apache, and PFW, a web-based configuration tool for pf. I ended up not using PFW, because my understanding of pf is so bad that I’m basically relegated to copying-and-pasting rules from websites into the configuration file.

Even using pf is confusing. It’s called pf, but typing “pf” at the command line doesn’t do anything. It turns out that you control it with a tool called “pfctl.” You can do pfctl -e to enable pf, and pfctl -d to disable it.

As I tried to tweak the firewall/routing rules, I’d periodically “restart” pf by disabling and then re-enabling it. I wasn’t sure if it read the rules “live” or if a restart was needed. It turns out… neither! The rules are stored in memory, but restarting pf doesn’t flush the rules. You need to pass pf some more arguments to tell it to flush the cache and read them anew from its configuration file.

After a few more hours of work, I thought it was all set up. Both NICs were configured, the external one to get an IP over DHCP, and the internal one with a low fixed IP. I had a complex set of rules, doing NAT, filtering traffic, and using HFSC for prioritized queueing. (HFSC seems completely undocumented, by the way. I took my tips from random websites.) It seemed very impressive: I prioritized ACKs so that downloads wouldn’t suffer if our outbound link was saturated. (Aside: it really doesn’t make sense to do queueing on incoming traffic, since the bottleneck is our Internet link, not our 100 Mbps LAN.)  I also afforded DNS, ssh, and video game traffic high priorities, but allocated them a lower percentage of traffic. I even figured out the default BitTorrent ports and gave them exceptionally low priority: if our line is fully saturated, the last thing I care about is sharing unnecessary data with other people.

And there are other neat features. It “scrubs” incoming connections, reassembling fragmented packets and just eliminating crap that doesn’t make sense. It catches egregious “spoofing” attempts and discards them.

I hooked up the second LAN connection to test it out, rebooted, and… waited.

It never came up. Well, it did come up. The computer’s running fine. Both network cards show up with the switch. Doing an nmap probe of our LAN, I see one strange entry. It’s actually pretty mysterious: it has no open ports, and attempting to ssh into it just sits there: it doesn’t send a connection refused, but completely ignores the incoming packets, leaving my poor ssh client sitting there waiting for a reply, having no clue what’s going on.

In a nutshell, it seems that I just built a firewall/router that’s so secure that I can only find one of its two cards on the network, and I can’t even try to log into it. Let’s see you hack that! Of course, this does have some issues. For example, I can’t use it.

I haven’t lost hope yet: I have a keyboard and monitor so I can log in on the console and try to do some tweaking there. (You can’t firewall off the keyboard.) It’s just not very encouraging to think, “Alright, let’s reboot and make sure it works as flawlessly as I think it will” and then have the darned thing not even show up on the network.