Ben's Blog

Category: maniacal paranoia

25 Articles
I.T., maniacal paranoia ben October 09, 2025

Update Hell

Software is steadily becoming more dictatorial. It gives us fake choices like one does to a child to trick them into behaving, with a so called dark pattern to make the “right” decision obvious. I’m pretty sure I’ll be going back to Linux soon.

If update prompts spoke the truth:

I don’t mean to particularly pick on Apple, that’s just the template I used.

Christ on a bike, can I do anything?

We’ll harass you until you click the button, It’s our gift to you!

“For now”, you’ll comply eventually.

I.T., maniacal paranoia ben June 11, 2025

Attention Sniffing Events

I get disproportionally upset with websites playing videos which pause when you background their browser tab. I don’t understand why browsers respect the focus and blur event at the window level, clearly they only benefit nefarious purposes seeking to milk a poor soul. Either by forcing them to watch content, or by building a better model of their attention behavior. Attention which we all know is a currency to be extracted on the internet.

A while back I added a Tampermonkey script to catch the registration of these events, and invalidate it. Out of curiosity, I added reporting to it these past 10 days. I was curious to know how prevalent the practice was.

Out of 140 domains visited these past 10 days, 28 cared to know whether my eyeballs were pointed at them or not. 8 were in the constellation of Google.

Now of course, I don’t use social media, I have pretty established work routines, and 2 layers of ad blocking. I suspect both the numbers of domains visited, and the number domains interested in my eyeballs would be significantly higher if I disabled ad blocking. But do I really want to subject myself to 10 days of ads? No, I really don’t, not even for science.

maniacal paranoia ben May 06, 2025

More Private

I’ve struggled more and more with the idea of posting things on the internet as of late. I’ve kept a reasonably high bar on personal stuff (thank you gifs for your terrible quality), but the reality is that it’s not high enough. Beyond privacy, I’m questioning why even toss nicely curated & authentic pieces of information into the sewer, I enjoy doing so less and less. Algorithms seem to gain new exploitative dimensions every few years, making everything you posted before a retroactive liability. The advent of AI clearly is one such evolution. Where social media fed off our attention, the fuel for AI is authenticity. Just as I absconded from social media early on when its extractive nature became clear, I seek to avoid fueling models, nor do I want them used against my family.

I don’t think I want fractions of our lives to be digested and regurgitated, this is especially true as my kids are getting older. I do realize the same was said about nascent photography, and I know it’s a funny thing for me to criticize generative models given my work with markov chains. That is how I feel nonetheless, and don’t get me wrong I love AI, just with someone else’s data in it :).

This blog has definitely turned into a bit of a personal journal over the years, and I don’t want to lose this as I often refer back to it. But in reality, there’s a lot I refrain from journaling here because it’s too public, and now more than ever it also feels dirty for a myriad of reasons all stemming from the current state of the internet.

I’m in a pickle, how does one filter for reasonable humans? Well, on this imperfect internet, the least bad solution I can find is to password protect some posts. And so I’ll do this from now on, and I’ll have to be better at segregating personal content from what is meant for public consumption. It’s unfortunate really, the projects I work on are deeply intertwined with our life, and will be more dry separated from it.

If you’re a reasonable human and you know me, the password when used is where I worked from 2003 to 2004.

I.T., maniacal paranoia ben November 01, 2024

Disabling Cell Connectivity on an F150

I’ll do my best not to rant here, I got a new car, of course it’s connected, of course it defaults to sharing your location and everything else with Ford and its dumb affiliates, of course I diligently went through all the settings off the lot to disable all the data sharing, of course these settings found themselves back to enabled magically after a few days. And now Ford knows where I live, work, shop, eat, and everything in between. ~16 years ago society still cared about privacy, but multiple “scandals” quickly showed corporations there were no real repercussions legally or reputationally for privacy abuses. Since then it’s been a free for all, and a new generation of people has assimilated these practices as a norm. Let’s beat the piñatas for all they’ve got!

I’ve been trying to disable the cell modem in this car. Even if the car had a no-tricks UI for privacy settings (it doesn’t), I don’t trust software to truly report nothing back to the mothership. And so for definitive results, I want to pull the plug. Today I can, tomorrow, I’m sure cars will absolutely require a fresh slice of your private life before they deign take you anywhere.

Take a look at your car’s manual to find the fuse box and a mapping of what they control. In my case the box is by the passenger side’s right foot. It’s work to move the panels it’s behind out of the way. The manual points to a likely candidate:

Yup, sounds like the sort of shit I want to nuke

So I removed it and hoped for the best.

Next thing you know, gone is all the worthless bullshit Ford reimplemented worse than Apple so they too could suck up your data.

It brings me pleasure to see incapacitated corporate malpractice, but I know things will only get harder with time. At least I got me a 10 year respite.

I.T., maniacal paranoia ben October 11, 2024

Fake Time in Docker

What if you need a container to have a different time than its host? Well, LD_PRELOAD has a solution for you. While this solution generally works outside of Docker, I rarely find myself outside of a container these days. I like that it works in one without requiring special privileges.

Dockerfile:

FROM ubuntu:latest

RUN apt-get update --fix-missing
RUN DEBIAN_FRONTEND=noninteractive apt-get install git build-essential -y
RUN git clone https://github.com/wolfcw/libfaketime.git
WORKDIR /libfaketime/src
RUN make install
RUN echo "/usr/local/lib/faketime/libfaketime.so.1" > /etc/ld.so.preload

ENTRYPOINT bash

Build with:

docker build -t faketime .

Run with:

docker run -ti --rm -e FAKETIME="1970-01-01 00:00:00" --name faketime faketime

Of course you can run the “date” command to confirm, but this fake time percolates to all processes in the container. I was reminded of the existence of LD_PRELOAD to hijack system calls recently, and remembered this old trick I had stashed in my notes.

And just in case it goes away, I mirrored the excellent repo this is based on here.

all out geekery, I.T., maniacal paranoia ben August 09, 2024

Flipper Zero

I finally got my hands on a Flipper Zero and boy oh boy, let me tell you, I should have done this a long time ago. I got it for my own interests because I was curious to understand some protocols better. To my surprise, both kids have been way into it. I’m of course elated to titillate their hacker spirit. I didn’t even think it possible with a 7 year old, but the cross between ease of use, and yes… a Tamagochi is really hitting home. Esther’s mind was blown when she scanned and replayed the IR signals of a toy of hers.

Robin & I are trying to sniff and replay all kinds of signals which always leads to a deeper understanding of technology for the both of us.

I too I’m in love the with the fun packaging and the geek humor. There isn’t anything revolutionary about the capabilities, but they way lowered the bar of entry. Most of all, it’s built with a spirit that strongly appeals to my original love of computers. This little wonder sparks curiosity and discovery everywhere it goes.

I.T., maniacal paranoia, web development ben May 07, 2024

Focus & Blur: Behavioral Inference & the Tattletale Browser

This web thing’s been bugging me for too long. Have you ever tried to background a tab that is playing insufferable & unskippable content, only to find out that the annoyance has paused itself until your eyeballs are known be aimed back at it? Why do browsers honor requests to let websites know if you’re paying attention or not?

This is achieved by relying on the focus and blur events. But there are many UI Elements that rely on them to trigger useful UI responses. Think of a suggestion box that shows up when you click in a search bar for example. The window element though, is one for which I cannot think of a single instance where the focus and blur events at are used to benefit the user. I think a well intended couple of events were generally implemented to every possible elements, but one of them reveals more than was intended and is abused to that effect. Why would ad-blocker not nuke them either? I’ve gone through this rabbit hole several times over the years trying to find an extension or adblocker customization to dismiss these events. Alas, they never seem to have made it into the crosshair as the true annoyance that they are. How do you like to have your browser report how good you are at consuming content as intended?

These events are responsible for more ills than making sure you’re watching, they are a key metric for inferring behavior. As with much of data mining, what’s scary isn’t really the information you’re giving away, it’s what can be inferred from it. In a way these attention events are perfectly suited for the attention age. Particularly though, they matter when they are attached to the window element. As far as I know, that is the only method I’ve seen in the wild that is abused into this purpose.

In any case, since I never could find anything, here’s what I came up with. The best way I found to run user JS on all websites is using Tampermonkey. Then here’s the script I’m running:

// ==UserScript==
// @name         Attention Event Nuker
// @namespace    http://tampermonkey.net/
// @version      2024-05-01
// @description  nukes focus and blur events when attached to the window element
// ==/UserScript==

(function() {
    var old_add_event_listener = EventTarget.prototype.addEventListener ;

    EventTarget.prototype.addEventListener = function(event_name, event_handler) {
        if( this.toString()==window.toString() &&
           (event_name=="blur" || event_name=="focus") ) {
            console.log( "attention event caught: " + event_name + " on: " + window.location.host ) ;
        } else {
            old_add_event_listener.call( this, event_name, event_handler ) ;
        }
    };
})();

Unfortunately I did run into a couple of sites that somehow rely on the events to even work properly. I don’t think I want to reverse engineer them 1 by 1 so I’m adopting a blacklist of sites which is a bit obnoxious. For a while I did have the script report which sites were asking for the events, the results weren’t surprising and showed that pretty much any big site with a baseline of behavioral data mining wants to know what your eyeballs are in front of.

I.T., maniacal paranoia ben March 13, 2024

Quiet Airtags

I didn’t post several years ago about the GPSes I installed on our farm vehicles. It felt like painting a target on my back. It took quite a bit of figuring out to set up Particle.io‘s early asset trackers. They’ve since created a dedicated preprogrammed and well polished device, seeing an opportunity in the success of the early hobbyist version I suppose. I never posted my setup, code, or experience but let’s just say it worked well for a few years, for very cheap. Unfortunately, the 2G network they relied on was eventually retired, and that forced me reconsider options.

And well, an obvious contender these days are Airtags. I bought a few for testing, and they quickly became the obvious choice. I replaced bulky cellular GPSes with them and folded them into home monitoring. Watching for geofences, battery status, and last contact.

While I can’t wire them directly to the vehicle’s battery, their battery does seem to last a good year (Vermont winters wear them down faster). And they come with several huge advantages over GPSes.

  • A mesh network of people’s iPhones has a lot better coverage than cellular in a rural area. Cell phones will report them when they finally get to a tower or some wifi.
  • They aren’t subject to tree or cloud cover.
  • They are tiny! I went through great lengths to paint and find a place for bulky GPS boxes. Airtags on the other hand will live anywhere.
  • They are cheap, and have no recurring cost (except the cell battery once a year).

These advantages led me to significantly lower the bar to what I stick them on. It’s no longer reserved for the expensive vehicles. If it costs money and isn’t fastened to the ground, it gets an Airtag.

Of course when used as theft tracking, their chirping is problematic. And so I finally bit the bullet and gave them the surgery they need to make them quiet. And it was very very trivial, I should have done this much earlier.

Open them up, I used a stronger blade than the exacto for prying. Note the 3 sharpie dots to point tabs.

I simply snipped the 2 wires going to the speaker

Still works!

I.T., maniacal paranoia ben September 06, 2022

Analyzing Ultrasonic Signals

Disclaimer: I and other people may or may not have had anything to do with figuring this out.

Zoom Rooms emit ultrasounds to let devices within “earshot” connect without the user having to type anything. Ultrasounds have been used for such proximity related convenience before, and sometimes for more nefarious purposes such are mapping out who’s next to each other in the world. All using a wireless network that is available anywhere and completely ad-hoc. It just doesn’t go very far (thankfully).

In this post we’ll see how to analyze such a signal using Zoom Rooms’ Share Screen signal as an example.

Harvesting the Sound

First things first, to decipher the signal contained we need to extract the bits from a fuller audio landscape containing “noise” throughout various frequencies. Ultrasonic frequencies, the ones the human ear can’t hear, are by definition above 20KHz. Now this fluctuates between individuals, and especially age groups 🙂 but that’s the general cut-off: anything above 20KHz is unhearable, thus usable to transmit hidden signals. Although microphone and speaker manufacturers have no incentive to build products in the non-human range, humans are the one giving them money after all. And so hidden signals tend to be right around the 20KHz cutoff, where human-centered manufacturing specs will have a good chance of still working.

Audacity is great for recording and analysis, this is what we’ll use here. First record your sample, using your laptop, get close to the source of the ultra sounds, try and keep things quiet during recording, and gather a good sample.

Extracting the Signal

Looking at various time zoom levels, we can home in on a repeating pattern. The room is complete silence but your computer does hear it loud and clear.

The complete silence as it was recorded. Note the time scale just above the recording.

Zooming in on the pattern, each of the pattern’s blob is made of several blobs. At this level we can guess that the signal is made of 10 notes. Zoom Room’s Share Screen codes are 6 digits long so it feels right, either for control characters, or because they planned on room for expansion. Now we don’t know really know when the signal ends and when it stops, I’m drawing the rectangle for 10 notes starting on the quiet one, because I could see a silence being used as a separator much like a space or a line return.

Finally, we zoom in just enough to start poking at each individual note/character.

Pretty easy so far, all we’ve done is record and zoom and we can start seeing our signal. Now begins the tedious task of annotating as many samples of this signal as you can. This is the data that will let you decipher the code.

Select a clean section of just one note, don’t grab the edges, just the meat.

Then Click on Analyze -> Plot Spectrum

This will do a Fourier Transform of the selected area to decompose the sound into all of it various frequencies

Place the cursor on the highest ultrasonic peak, and read the frequency: 19201Hz or 19.2KHz here.

Make note of it by adding a label at the selection. You’ll first need a label track if you don’t already have one.

Then you can add the label.

Do this for each note/character in the signal, it’s worth confirming the 10 character repetition we think we’re seeing. Then do this for many more samples… The more data, the easier it’ll be to decipher. Your project, which you should save often, will look something like that:

Deciphering the Signal

Now, obviously depending on what signal you are studying, the encoding will differ. I’m only talking about Zoom Rooms here and so I’ll only give general advice followed by the Zoom algorithm.

The general advice is as follows:

1. Gather a lot of data, this is the non-exciting part so it’s easy to want to move past it.

2. More often than not, there will be control notes/characters indicating the beginning or the end, or both of the signal. In the screenshot above, 19.1Khz followed by 19.2Khz is looking very likely like a control, align your audio sample to it and focus on the remaining notes/characters.

3. Look at the data from different angles, visually write it differently to see if patterns emerge. Spreadsheets can help.

4. Try various scenarios, even if you know they are likely false, they might get you closer to the truth.

5. Occam’s razor (or the lazy programmer) is likely a good guess

Zoom Room Rosetta Stone

Each signal starts with 19.1Khz followed by 19.2KHz. Then the 6 digits of the code displayed on the screen is “played”. Then a 2 digits representing the checksum of the 6 digits which is their sum. That’s 10 characters total.

Each digit maps to 2 possible frequencies:

0 -> 19.2Khz / 19.3Khz
1 -> 19.3Khz / 19.4Khz
2 -> 19.4Khz / 19.5Khz
3 -> 19.5Khz / 19.6Khz
4 -> 19.6Khz / 19.7Khz
5 -> 19.7Khz / 19.8Khz
6 -> 19.8Khz / 19.9Khz
7 -> 19.9Khz / 20.0Khz
8 -> 20.0Khz / 20.1Khz
9 -> 21.1Khz / 20.2Khz

Weird how they can possibly overlap and this is the twist behind this encoding, all other things being rather straightforward, for your next digit you always pick the frequency furthest from the frequency you just played. If you just played your control signal: 19.1Khz, 19.2Khz and your code starts with a 3 you will pick 19.6KHz to play the 3 as it it furthest from 19.2Khz. If your next digit is a 2, you will pick 19.4Khz to play it as it is furthest from 19.6Khz. I don’t know enough about sound engineering to know if Zoom did this to disambiguate frequencies which are close to each other, or if it’s meant as a cipher. I’m guessing the former, it seems to be a smart way to guarantee at least 0.2Khz of difference between 2 proximate characters while only adding 0.2Khz of spectrum. Since we know devices are likely to become distorted at the beginning of the inaudible range, it makes sense to both make an extra effort to distinguish characters, while not expanding too far into that range. Pretty cool eh?

Here’s a real world example, say that the code played is 790155:

first you play the control: 19.1Khz, 19.2Khz

then 7 with 20.0Khz as it is the furthest from 19.2Khz
then 9 with 20.2Khz as it is the furthest from 20.0Khz
then 0 with 19.2Khz as it is the furthest from 20.2Khz
then 1 with 19.4Khz as it is the furthest from 19.2Khz
then 5 with 19.8Khz as it is the furthest from 19.4Khz
then 5 with 19.7Khz as it is the furthest from 19.8Khz

compute your checksum of 7+9+0+1+5+5 = 27

play 2 with 19.4Khz as it is the furthest from 19.7Khz
then 7 with 20.0Khz as it is the furthest from 19.4Khz

Voila!

Some Code to go along with it

If you want to play the Share Screen code from your Zoom Rooms into the world, the following code will do it for your for a few seconds. Just make sure to update the “code” variable near the top. This code works in your standard browser’s web inspector console.

[code lang=”js”](async function main () { var code = "<6_digit_code_goes_here>" ; var context = new AudioContext() ; var o = context.createOscillator() ; o.type = "sine" ; var g = context.createGain() ; o.connect( g ) ; o.frequency.value = 0 ; g.connect( context.destination ) ; o.start( 0 ) ; var sleep_time_ms = 50 ; var control_frequency = 19100 var frequencies = { 0:[19200,19300], 1:[19300,19400], 2:[19400,19500], 3:[19500,19600], 4:[19600,19700], 5:[19700,19800], 6:[19800,19900], 7:[19900,20000], 8:[20000,20100], 9:[20100,20200], } console.log( "starting ultrasound emission" ) ; var i = 50 ; while( i>0 ) { i– ; // control o.frequency.value = 19100 await new Promise( r => setTimeout(r, sleep_time_ms) ) ; o.frequency.value = 19200 await new Promise( r => setTimeout(r, sleep_time_ms) ) ; // payload var checksum = 0 ; last_frequency = o.frequency.value ; for( var j=0 ; j<code.length ; j++ ) { checksum += parseInt( code[j] ) ; o.frequency.value = pick_furthest_frequency( last_frequency, frequencies[parseInt(code[j])] ) ; last_frequency = o.frequency.value ; await new Promise( r => setTimeout(r, sleep_time_ms) ) ; } // checksum checksum = checksum.toString() ; if( checksum.length==1 ) { checksum = "0" + checksum ; } o.frequency.value = pick_furthest_frequency( last_frequency, frequencies[parseInt(checksum[0])] ) ; last_frequency = o.frequency.value ; await new Promise( r => setTimeout(r, sleep_time_ms) ) ; o.frequency.value = pick_furthest_frequency( last_frequency, frequencies[parseInt(checksum[1])] ) ; last_frequency = o.frequency.value ; await new Promise( r => setTimeout(r, sleep_time_ms) ) ; } console.log( "stopped ultrasound emission" ) ; g.gain.exponentialRampToValueAtTime( 0.00001, context.currentTime + 0.04 ) ; function pick_furthest_frequency( previous, possible_new_frequencies ) { if( Math.abs(last_frequency-possible_new_frequencies[0]) > Math.abs(last_frequency-possible_new_frequencies[1]) ) { return possible_new_frequencies[0] ; } return possible_new_frequencies[1] ; } })();[/code]

I.T., maniacal paranoia ben November 17, 2019

Paranoia Through Inertia

I.T., maniacal paranoia ben November 10, 2019

Relinquish your own thoughts

Slowly but surely, we are foregoing self agency to algorithms.

2019 Gmail settings:

I.T., maniacal paranoia ben February 12, 2019

Web Omnipresence with Docker, VPN & Squid proxying

Here’s a method for having several browser windows proxying through several countries concurrently.

Demo

[mejsvideo mp4=”http://ben.akrin.com/videos/omnipresence.mov.mp4″ ogg=”http://ben.akrin.com/videos/omnipresence.mov.ogv” webm=”http://ben.akrin.com/videos/omnipresence.mov.webm” poster=”http://ben.akrin.com/videos/omnipresence.mov.jpg” width=”640″ height=”360″]

Working Principle

Requirements

  • a VPN service supporting OpenVPN as a client (this example uses vpntunnel)
  • Docker
  • Firefox
  • MacOS isn’t a requirement per se but this guide & accompanying scripts are written for it.

Setup Steps

  1. Download this package containing Dockerfile build instructions & some scripts.
  2. Populate the directory “openvpn_config_files/” with the ovpn files from the VPN service you use.
  3. Edit the script called “vpn” and replace <VPN_SERVICE_USERNAME> and <VPN_SERVICE_PASSWORD> with your username and password.
  4. Run with “./omnipresence.sh <name_of_ovpn_file>”
I.T., maniacal paranoia, web development ben March 03, 2018

Turning your web traffic into a Super Computer

Full disclaimer:

The subject matter of this post is controversial as it discusses extracting computing resources from the visitors of a website. There are a lot of discussions at the moment centered around web-browser based crypto currency mining. Most paint a deplorable picture of the practice; please keep in mind that there are very desirable paths alongside which these practices can develop. I am not elaborating on these arguments here, I am only describing a method to harness the resources.

Premise

Web browsers are becoming quite powerful for code execution. Between Javascript’s increase in capability, WebAssembly, access to GPU & threading, a web browser today is almost as desirable for computing as the machine it’s running on. Ever since the rise of web-based crypto currency miners, I’ve been thinking of harnessing all that computing power as a single entity: a super computer made of your visitor’s web browsers.

Just like a regular computer cluster, the nodes all participate in a coordinated fashion to solving a single problem. Unlike a regular computer cluster, the nodes are very ephemeral (as website visitors come and go) and can’t talk to each other (no cross site requests).

Here’s a demo of what I came up with:

Right: the super computer control server
Left: one of the web clients contributing to the super computer simply by being connected to a website (& CPU metrics)

[mejsvideo mp4=”http://ben.akrin.com/videos/transient_node_javascript_supercomputer.mov.mp4″ ogg=”http://ben.akrin.com/videos/transient_node_javascript_supercomputer.mov.ogv” webm=”http://ben.akrin.com/videos/transient_node_javascript_supercomputer.mov.webm” poster=”http://ben.akrin.com/videos/transient_node_javascript_supercomputer.mov.jpg” width=”640″ height=”360″]

The problem being solved here is the hashing of 380,204,032 string permutations to find the reverse of a given hash. Problem parameters were chosen to make heavy processing quick for the clients.

Implementation & code samples

At the core of the idea is the websocket technology. It creates a persistent connection between a server and all of the nodes (the visitors of your website). This connection can be used to orchestrate actions between the nodes so that they can act as a concerted entity. From delivering the code to passing messages for coordination, websockets are what make everything possible.

Having a websocket connection to clients dramatically changes what you can do with web clients. They are fully addressable for the duration of their visit. They may show up on a website and be served some pre-established javascript; but with websockets, any javascript can materialize at any time.

Right: the super computer control server
Left: a web client being given an instruction on the fly

 

Slightly tangential but still worth considering, using a web view app, Javascript can pass execution to the app itself. This means code showing up on the websocket can escape the webview bubble and go into app land.

Right: the super computer control server
Left: a web app being given an instruction which percolates to the app layer

 

Now this is nothing new in a lot of ways; apps can be made to get instructions from C&Cs, and websites can get Javascript after the initial page load from dynamic sources. The websocket technique though is as dynamic as it gets (no Ajax pull), it is portable to many browsers and many devices, it is hard to catch looking at a web inspector; lastly, it executes with full access to the context it materialized in.

So we’ve established that websockets can be used to dynamically deliver code to be ran by the nodes. It can also be used for message passing and the overall orchestration of distributing the problem to be solved.

Crackzor.js

6 years ago I wrote a ditributed OpenMPI based password cracker: crackzor. Password cracking is a good distributed problem to solve because it’s a fairly simple problem: run through all the character permutations. The fact that it exhausts a known space also means benchmarking is easy. So to put the idea of a transient node javascript super computer in practice, I rewrote crackzor in JS instead of C, and for websockets instead of OpenMPI.

Every distributed problem is different and crackzor itself isn’t a magic way to distribute any problem to be solved. The magic of crackzor is its ability, given a space of character permutations, to divide it up in chunks which can be processed by the nodes. Given the problem, a start iteration and end iteration, a node can get to work without having to be provided the permutations themselves, thus removing the bandwidth bottleneck.

The first challenge: maximizing usage of the node’s CPU.

Javascript runs single threaded by default, so when the websocket sends code to be ran by a client, by default, the code running as fast as it can will only be able to fill one core of the CPU. A large majority of machines today have many more cores available. So we have to figure out how to use them or our super computer is going to loose a large portion of its processing power right off the bat.

Web workers to the rescue. With HTML5, it’s easy as pie to thread code. The one trick with the code we want to thread is that it can’t be gotten from a file as the web worker documentation suggests. That’s because our code doesn’t come from a static javascript file remember? It shows up out the the blue on the websocket, so it came from the network and is now in memory somewhere => not a file we can refer to.

The solution is to wrap it in a blob as such

[code language=”js”]var worker_code = ‘alert( "this code is threaded on the nodes" );’

window.URL = window.URL || window.webkitURL;

var blob;
try {
blob = new Blob([worker_code], {type: ‘application/javascript’});
} catch (e) {
window.BlobBuilder = window.BlobBuilder || window.WebKitBlobBuilder || window.MozBlobBuilder;
blob = new BlobBuilder();
blob.append(worker_code);
blob = blob.getBlob();
}
workers.push( new Worker(URL.createObjectURL(blob)) ) ;[/code]

Here you’ll notice we have our first layer of encapsulation. The code relevant to the problem we are solving is in the variable worker_code, the rest of the javascript only threads it.

Having distributed amongst a node’s cores, we now look at

the second challenge: distributing between the nodes

This work is obviously up to the websocket server along with subsequent coordination. Without going into too much details, the websocket server keeps track of all the nodes as they come and go, it also keeps track of which ones are working or not, allocates new chunks of the problem to nodes as they become available.

A trick of the websocket server is that it is running at all times to handle node connections. Super computer problems however may change from one day to the next. To address that, I give it a function which reads a file and evals its code; the function is summoned by a process signal. As such:

[code lang=”js”]function eval_code_from_file() {
if( !file_exists("/tmp/code") ) {
console.log( "error: file /tmp/code does not exist" ) ;
} else {
var code = read_file( "/tmp/code" ) ;
code = code.toString() ;
eval( code ) ;
}
}

process.on(‘SIGUSR1’, eval_code_from_file.bind() );[/code]

With this puppy in place, the next time I “kill -USR1 websocket_server_PID”, it will be imbued with new code that did not exist when it started. Does this sound familiar? Yup, javascript is super interesting in the ability it gives you to run arbitrary code at any time with full access to the established context.

Thus arrive the 2nd and 3rd layers of encapsulation, the code which will be distributed to the nodes is in a file which is to be evaled on the websocket server side and sent over the websocket to the clients.

The actual distribution to the nodes is simple, have them connect with a callback to eval code. Something like that:

Client:

[code lang=”js”]var websocket_client=io.connect("http://websocket_server.domain.com") ;
websocket_client.on( "eval_callback",function(data){data=atob(data),eval(data)}.bind() ) ;[/code]

Server:

[code land=”js”]client_socket.emit( "eval_callback", new Buffer("alert(‘this code will run on the client’);").toString("base64") ) ;[/code]

Recapping where we are

So…

  1. all the transient nodes (web browser of website visitors) attach to a websocket server
  2. the websocket server receives SIGUSR1 which signals it to execute new code it gets from a file
  3. this new code gives the websocket server a packaged problem to be solved by the nodes
  4. this new code also instructs how the websocket server will distribute and coordinate the nodes
  5. once the packaged problem to be solved shows up on a node, it is evaled and it contains threading to maximize CPU usage.

And there you have it,

all the pieces you need to make a super computer from your web traffic. I’m choosing not to publish the full code of my implementation for reasons of readability, security and complexity but I can go into more details if asked.

The same way that peer-to-peer protocols made any data available anywhere any time, could this do the same for computing power? Mind=blown, and your CPU along with it.

More tips

  • When choosing a chunk size for clients to work on, it’s important to not pick too big a size. The nodes are very transient and a big chunk size means the chunk’s processing is more likely to be interrupted. Most web browsers also offer to kill poorly coded javascript running berserk and so a small chunk size taking a few seconds and letting the machine catch it’s breath briefly will make it less likely that a browser will notify a user that a script needs to be killed.
  • When encapsulating out the wazoo, keep in mind that Internet Explorer (Edge or whatever it’s called today) doesn’t support backticks.
  • Syntax highlighting will be confused by the strings in strings in strings of encapsulation, it helps to just turn it off.
  • Javascript md5 implementation here: https://gist.github.com/josedaniel/951664
  • I found it necessary to keep track of an average time to solving a chunk so that I may exclude the nodes which are taking too long and polluting the good performance of the supercomputer.
all out geekery, I.T., maniacal paranoia, unix / linux ben June 29, 2012

The impairing lack of light pollution

When we lived in the city, ambient light pollution was such that I could set my CCTV cams to a certain brightness/contrast and the limited auto adjustments they did were enough to cope with day & night. In the middle of the forest, the night gets full on #000000 dark. The poor cams can’t adjust and I need to pick whether I want to record at night and get white frames during the day, or at daytime and get black frames during the night.

I wrote the following script which computes the average brightness of a cam’s current frame and issues more drastic adjustments if needed. It is obviously tailored for my FI8918Ws but the same idea can be used for others.

[php][/php]#!/usr/bin/php
<?php

$img = @imagecreatefromjpeg( 'http://192.168.1.203:8003/snapshot.cgi?user=<username>&pwd=<password>' ) ;
if( $img===false ) {
    die( "Unable to open image" ) ;
}

$w = imagesx( $img ) ;
$h = imagesy( $img ) ;

$total_r = 0 ;
$total_g = 0 ;
$total_b = 0 ;
for( $i=0 ; $i<$w ; $i++ ) {
    for( $j=0 ; $j<$h ; $j++ ) {
        $rgb = imagecolorat( $img, $i, $j ) ;
        $total_r += ($rgb >> 16) & 0xFF;
        $total_g += ($rgb >> 8) & 0xFF;
        $total_b += $rgb & 0xFF;
    }
}

$average_brightness = round( ( $total_r / ($w*$h) + $total_g / ($w*$h) + $total_b / ($w*$h) ) / 3 ) ;
echo $average_brightness, "n" ;

if( $average_brightness<30 ) {
    echo "night time!n" ;
    echo "moden" ;
    $result = file_get_contents( 'http://192.168.1.203:8003/camera_control.cgi?param=3&value=0&user=<username>&pwd=<password>' ) ;
    sleep( 10 ) ;
    echo "contrastn" ;
    $result = file_get_contents( 'http://192.168.1.203:8003/camera_control.cgi?param=2&value=6&user=<username>&pwd=<password>' ) ;
    sleep( 10 ) ;
    echo "brightnessn" ;
    $result = file_get_contents( 'http://192.168.1.203:8003/camera_control.cgi?param=1&value=240&user=<username>&pwd=<password>' ) ;
} else if( $average_brightness>170 ) {
    echo "day time!n" ;
    echo "moden" ;
    $result = file_get_contents( 'http://192.168.1.203:8003/camera_control.cgi?param=3&value=2&user=<username>&pwd=<password>' ) ;
    sleep( 10 ) ;
    echo "contrastn" ;
    $result = file_get_contents( 'http://192.168.1.203:8003/camera_control.cgi?param=2&value=4&user=<username>&pwd=<password>' ) ;
    sleep( 10 ) ;
    echo "brightnessn" ;
    $result = file_get_contents( 'http://192.168.1.203:8003/camera_control.cgi?param=1&value=64&user=<username>&pwd=password>' ) ;
}

?>[/code]
I.T., maniacal paranoia, unix / linux ben May 14, 2012

Loopback & crypt: a filesystem, within an encrypted partition, within a file

So here we are, 2012 and physical media are going away really fast. We won’t even talk about CDs which have been relegated to the role of plastic dust collectors; hard drives even are being abstracted by a myriad of cloud based solutions. Their purpose is shifting towards a container for the OS and nothing else. Filesystems & their hierarchies become hidden in a bid to remove any need to organize files, rather, you are supposed to throw it all up in the cloud and search on metadata.

While moving away from physical media is convenient and inevitable, I like the hierarchical organization that directories provide. What’s more intuitive than a labeled container with stuff in it?

How can we detach our hard drives from their physical shells, move them around in an omnipresent cloud and keep them secure?

By creating a file, attaching it to loopback & creating an encrypted partition in it!

Here’s how to do it
  • Create a file that will be your soft hard drive with:

[bash]dd if=/dev/zero of=/tmp/ffs bs=1024 count=524288[/bash]

This will create a 512MB file (524288/1024).

  • Make sure that the loopback device #0 is free:

[bash]losetup /dev/loop0[/bash]

You should see something telling you that there is “No such device or address”.

  • Attach the soft hard drive to the loopback device:

[bash]sudo losetup /dev/loop0 /tmp/ffs[/bash]

  • And then make sure it was indeed attached by re-running:

[bash]losetup /dev/loop0[/bash]

  • Create an encrypted partition on your attached soft hard drive:

[bash]sudo cryptsetup –verify-passphrase luksFormat /dev/loop0 -c aes -s 256 -h sha256[/bash]

  • Open your encrypted partition:

[bash]sudo cryptsetup luksOpen /dev/loop0 ffs[/bash]

  • Create a filesystem in it:

[bash]sudo mkfs.ext3 -m 1 /dev/mapper/ffs[/bash]

  • And mount it like a regular disk:

[bash]sudo mount /dev/mapper/ffs /mnt[/bash]

  • When you are done using your encrypted soft hard drive you will want to umount it:

[bash]sudo umount /mnt[/bash]

  • Close it:

[bash]sudo cryptsetup luksClose ffs[/bash]

  • Detach it from loopback:

[bash]losetup -d /dev/loop0[/bash]

These steps can be automated of course. As a quick reminder, using the drive goes “loopback attach -> crypt open -> mount” and when you’re done it’s “umount -> crypt close -> loopback detach”.

That’s it! media-less & secure storage.

Tested on: Ubuntu 12.04 64b

I.T., maniacal paranoia ben May 14, 2012

OpenMPI distributed password cracker: crackzor

Download

crackzor_1.1.c.gz

Previous versions:

crackzor_1.0.c.gz

Quick start
  1. Download & extract with “tar zxvf crackzor_1.0.tar.gz”
  2. Make sure you have the right packages in place

    [bash]sudo apt-get install build-essential libopenmpi-dev openmpi-bin libssl-dev[/bash]

  3. Compile with

    [bash]mpicc -O3 crackzor.c -o crackzor -lm -lssl -lcrypto[/bash]

  4. Create a file called “machines” containing a newline separated list of every machine that are in your cluster, for example:

    [code]machine00.domain.com
    machine01.domain.com
    machine02.domain.com
    machine03.domain.com
    machine04.domain.com[/code]

  5. Open MPI uses SSH for communication between nodes, as such, you need to make sure that the node you will be launching crakzor from is able to do SSH key based authentication to all the other nodes in the cluster. For my example above, if machine00 is where you will be working from, you will want to

    [bash]ssh-copy-id machine0X.domain.com[/bash]

    where X E [0,4] (yes, machine00 needs to be able to SSH to itself).

  6. You now need to disseminate your executable across all the machines that will be running it:

    [bash]for machine in `cat machines`; do scp crackzor $machine:~; done[/bash]

    Pro-tip: having network storage attached to all the machines makes this step unnecessary.

  7. Run with:

    [bash]mpirun -npernode Y -machinefile machines crackzor fbade9e36a3f36d3d676c1b808451dd7 abcdefghijklmnopqrstuvwxzy 1 1[/bash]

    where Y is the number of cores each machine in your cluster has. If you are running this on machines with 2 CPUs with 8 cores each, Y = 8 * 2 = 16.

Tested on Ubuntu 10.04 64b / Ubuntu 12.04 64b / Ubuntu 14.04 64b

Screenshots

[bash]mpirun -npernode 16 -machinefile machines ./crackzor 7ca4793dcdff46ecda38e48d65b6c913 abcdefghijklmnopqrstuvwxzyABCDEFGHIJKLMNOPQRSTUVWXYZ 1 7[/bash]

This is what “htop” looks like with a bunch of processes spawned & hammering every core:

Statistics

For the purpose of testing crackzor, we give it the md5 hash of an 8 character word and tell it to bruteforce it up to 7 characters. This insures that we will compute every permutation up to 7 character longs. The characters I asked it to permute are “abcdefghijklmnopqrstuvwxzyABCDEFGHIJKLMNOPQRSTUVWXYZ”, our sample space size is thus 52^7 + 52^6 + 52^5 + 52^4 + 52^3 + 52^2 + 52^1 = 1,048,229,971,204.

Here is the raw data, and here it is graphed:

I wish it would show the linear progression more but 3 things got in the way:

  1. approaching the machine’s actual number of cores on the Dell blades leaves little room for linear expansion
  2. which is emphasized in a multiuser environment where other users run other computation
  3. the EC2 bar flattens the graph a bit but I still wanted to show how it compares

Ideally I would run through a few iterations of EC2 to observe its progression but hey, it’s expensive :).

Limitations
  • Right now, the only hashing algorithm supported by crackzor is MD5. It can very easily be expanded upon.
  • I also may not be using the fastest MD5 method with the fastest call, distribution is what I’m interested in.
  • Distributing password cracking among multiple machines is throwing linear resources to an exponential problem!
I.T., maniacal paranoia ben February 21, 2012

IPv6 link-local surface analyzer

Download

ipv6_surface_analyzer_1.0.tar.gz

Quick Start

    1. make sure that nmap, ifconfig & arping are installed and in your path
    2. run as root

    tested on Ubuntu 11.10 64b

    Screenshot

    (actual ips obfuscated)

    Purpose

    With more devices coming IPv6 ready out of the box, a shadow network is emerging that nobody is paying attention to.

    There’s Joe sysadmin, configuring a tight firewall for this new server, default deny, very restrictive & all. This is great but did he realize that there is nothing in front of IPv6? We are used to setting up iptables, ipfw, et cetera. Unfortunately ip6tables & ip6fw too often get forgotten.

    With IPv4, a device was manually configured or wasn’t configured until it got an address from DHCP. With IPv6 a device that is not manually configured will hop on the network with a link-local address and try to further discover its settings. In fact, IPv6 reserves a range of addresses for network discovery, these link-local addresses are based on the device’s mac address.

    Here is what ipv6_surface_analyzer.py does:

    • iterate through a given IPv4 range
    • for each address in the range, discover if a host sits behind it
    • port scan potentially found host on IPv4
    • infer IPv6 link-local address of host based on its mac address
    • port scan inferred IPv6 address

    The purpose of which is to establish by how much your attack surface is augmented by link-local IPv6.

    This threat threat is somewhat mitigated by its local nature and there are 2 reasons why:

    1. link-local isn’t routed and thus your visibility is bound to networks you have a presence on.
    2. Getting a host’s mac address is only possible while being on the same network.

    Local as it may be, having a shadow network providing a way to circumvent firewalls is quite risky.

    I.T., maniacal paranoia, unix / linux ben October 10, 2011

    Poor man’s 2FA: a simpler 2-factor authentication mechanism for SSH

    The problem with PAM based 2FA:
    • PAM does not get called when the SSH daemon does key based authentication. So your 2FA there only works with password authentication. This might be something you want but maybe not.
    • A PAM module based solution to 2FA is harder to implement
    The solution: Poor man’s 2FA!

    It is possible to add the ForceCommand directive to your sshd_config. Like the name suggests it simply runs a command after authentication and before the shell is spawned. This is a good spot to add an extra check, say another factor for authentication.

    The code:

    [bash]#!/bin/bash
    trap "echo "I’m sorry Dave. I’m afraid I can’t do that."; sleep 1 ; kill -9 $PPID ; exit 1" 2 20
    code=`od -a -A n /dev/urandom | head -2 | tr -d ‘ ‘ | tr -d ‘n’ | sed ‘s/[^a-zA-Z0-9]//g’ | awk ‘{print substr($0,1,5)}’`
    echo -e "Subject:$code\nFrom:root@server <root@server.com>\n2FA code in subject" | sendmail phone_number@carrier.com
    read input
    if [ $code = $input ];
    then
    `awk -F: ‘($1 == $LOGNAME) { print $7 }’ /etc/passwd`
    else
    kill -9 $PPID
    fi[/bash]

    That’s it really, save this to an executable file, replace the obvious variables and ForceCommand its ass.

    I.T., life in the U.S., maniacal paranoia ben September 17, 2011

    Avoid getting tracked in a datamining society

    Welcome to the information age! Memory is cheap, millions of records are copied in the snap of a finger and everybody wants your information. This is called data-mining and everybody is doing it essentially to better advertise to you. These databases of your facts & habits are often sold and even hacked. It is time to ponder how little control you have over your own information. And when you do so, think not only about the information you give but above all about the information that can be inferred from it.

    Compiled bellow is a list of tips for avoiding getting tracked in modern society. They range from simple good practice to paranoia. Obviously you could go live as a hermit in the woods and be untraceable. Feel free to comment on anything I missed and I’ll add to the post.

    Day to day life

    • Broadcast the least information possible. Does your state require license plates in the front & rear? 19 states don’t, google them. Police cameras automatically scan all the license plates they see, why double your chances? Your license plates are also often recorded when you drive through tolls.
    • Pay everything in cash, credit/debit card transactions can easily place you in space and time. Moreover, encoded in the magnetic stripe is your name, stores know everything you buy and when you buy it. This is pant creaming data for the marketing geniuses trying to figure out ways to make you consume more.
    • Avoid customer rewards programs. An even better way to tie information back a a customer that might use multiple methods of payment. Still want the sweet deals? Don’t use your real info when signing up, or just don’t sign up, the cashiers often have default cards to scan.
    • Avoid mail-in rebates. They are nothing more than a way for you to sell your information.

    I.T. life

    This is a dense section, no surprise this is where most data mining occurs.

    • Don’t let email load remote content

    This is commonly used as a way to know if you’ve opened the email, at what time you opened it, where you opened it from (IP geolocation) and what your email client was. The technical explanation is that some email have HTML formatting with images included. These images can be embedded in the email itself or referenced to a remote server. In the later case, the remote server will for example enable PHP parsing for JPEG files, execute code to track you and then feed the image to the email client which never had a clue it was loading a “special” image. This is all transparent to the user and the email client.

    • No smartphone GPS tracking

    Let’s take an example: you enable Google Latitude on your cell phone to share your location with friends and get to know fun facts about how much you travel. The information you give Google are geographic coordinates, the informations inferred from it are where you live, where you work and whether or not you pull your 40 hours a week there.

    • Let’s go further: no smartphones at all!

    Apple’s Iphones and Google’s Android phones gather location information WHETHER YOU WANT IT OR NOT. That’s right, you can turn off GPS all you want your phone still recurringly reports back to Apple & Google telling them not only where they are but also which other wireless devices they see around.

    More info here from the most excellent Samy Kamkar.

    The tech giants are involved in a major data gathering process where they use you to create a comprehensive map of the wireless spectrum. This is both an awesome project using crowdsourcing to accomplish a daunting task & a scary invasion of privacy. Because it doesn’t ask you, and because you take it home and so it reports your wireless router and so now everytime you use a regular computer connected to said router, they know exactly where you are. It is scary because even if you could turn it off, others around you are passively reporting your location.

    • Even further? no cell phones! your location can be triangulated from cell towers.
    • Forget social networks, even if you use fake information. Sooner or later, your contacts, something you said, someone that said something about, will be traced back to your real self.
    • Remove EXIF data from the pictures you distribute online, especially if they were taken with smartphones.
    • SSL encryption, SSL everywhere. In fact any time you configure a connection (IMAP, FTP, HTTP) make sure that it uses an encrypted mechanism. The number of network taps are growing and you don’t want to make the job easier on them.
    • Review pictures you distribute online for license plate numbers, bills laying on tables and other identifiers.
    • A strong firewall not just for incoming traffic. Nowadays devices are very noisy, from Bonjour to checking for updates the packets coming out of your network interfaces without your knowledge are plentiful and growing. And every time to send a packet out, your presence is known. A firewall with rules on outgoing traffic is a good idea to keep unwanted traffic to a minimum.
    • Don’t give your email address to anyone that asks for it, use services like mytrashmail.com or even better yet, get a new email account every time. This way if they sell your information you will know right away since you only have 1 email account per company. You can then check they EULA and see if maybe they boast of not selling your information, Make them accountable! On a side note Gmail offer the capability of adding a plus (“+”) following by a string of your choosing to your regular email address. For example if your email address is address@gmail.com, Gmail will also accept mail to address+sillysite@gmail.com. This way you can segregate mail by company with the convenience of having it all go to the same account. The caveat to that is that “+” is often considered as an invalid character in an email address even though it is a valid character.
    • Adblock is one of the best plugin for your web browser (Firefox or Chrome). It removes ads thus significantly enhancing your browsing experience. By negating traffic to advertisement servers, you are denying their chance to data mine the crap out of you. Browser fingerprinting is one of many techniques used with an argument often made that the combinations of browser related software are so plentiful that your browser can be uniquely identified. Permanent cookies are also used to keep an eye on your web whereabouts.

    And even if you follow all these steps, you are not 100% untraceable online.

    The path of maximum sheep

    Finally, for when you have to give information, try and be a generic & blend as possible.

    • Your name is needed to sign up for something? John Smith.
    • Need a new car? White Honda Civic, no bumper stickers, no vanity plates.
    • Gotta find a new name for a PC? Linksys.
    • Need a username for that shitty forum? User2656, don’t use the one you use everywhere else or one thing leading to another, it can most likely be tied to your real identity.
    I.T., maniacal paranoia, unix / linux ben May 26, 2011

    Adding an Endace card to Symantec’s DLP

    I decided to publish this hack as I could not find an iota of information about getting an Endace card working With Symantec’s DLP (previously Vontu) on RedHat.

    After you’ve installed the module for your Endace card, you recycle your sensor and are confronted with the following error message:

    Endace DAG driver is not available
    Packet Capture was unable to activate Endace device support. Please see PacketCapture.log for more information.

    A look at /var/log/Vontu/debug/PacketCapture.log yields:

    ERROR PacketDriverFactory - Driver Dag is unavailable: libdag.so.3: cannot open shared object file: No such file or directory [PacketDriverFactory.cpp(423)]

    do an

    updatedb
    locate libdag.so

    You will notice you just compiled a version more recent than libdag.so.3. As it turns out, Symantec DLP v11.0 does NOT know how to use the generic libdag.so nor the latest libdag.so.4.0.2 you just compiled. I’ve tried many tricks mostly with symlinks and I just couldn’t get it to use libdag.so.4.

    Hold on to your pants as I explain the unholy hack that made it work:

    edit /opt/Vontu/Protect/lib/native/libPacketDriverDag.so.11.0.0 , this is a binary file so using a hex editor is a good idea although vi works fine. Also, do respect placement very carefully, you will be changing 1 character and 1 character only.

    search for libdag.so.3 and replace its 3 by a 4.

    Recycle your server again and it should be happy about life 🙂

    I.T., maniacal paranoia, unix / linux ben April 12, 2011

    2-factor authentication & writing PAM modules for Ubuntu

    Download

    2ndfactor.c

    The problem

    Passwords are often seen as a weak link in the security of today’s I.T. infrastructures. And justifiably so:

    • re-usability, which we’re all guilty of, guarantees that credentials compromised on a system can be leveraged on many others. And given the world we live in, password re-use is inevitable, we just have too many accounts in too many places.
    • plain text protocols are still used to transmit credentials, and the result is that they are exposed to network sniffing. This is worsened by the increase in wireless usage which broadcasts information. Telnet, FTP, HTTP come to mind but they aren’t the only ones.
    • lack of encryption on storage is a flaw that too often makes it way into architecture design. How many databases have we heard about getting hacked & dumped? How many have we not heard about?
    • password simplicity & patterns are also factors weakening us against bruteforce attacks.

    So far, the main counter measure we’ve see out there is complexity enforcement. Sometimes IP restriction, or triggering warnings on geographic inconsistencies (Gmail, Facebook). But these barely help alleviate problem.

    A solution

    One hot solution that is making its way into critical systems (banks, sensitive servers) is Multi-factor authentication, and by “multi” we’ll stick to 2-factor authentication (2FA) because, well 3 factor authentication might be getting a little cumbersome :). The goal is to have more than one mean of establishing identity. And as much as possible, the means have to be distinct in order to reduce the chances of having both mechanisms compromised.

    Let’s see how to implement 2FA on an Ubuntu server for SSH. Ubuntu uses PAM (Pluggable Authentication Modules) for SSH authentication among other things. PAM’s name speaks for itself, it’s comprised of many modules that can be added or removed as necessary. And it is pretty easy to write your own module and add it to SSH authentication. After PAM is done with the regular password authentication it already does for SSH, we’ll get it to send an email/SMS with a randomly generated code valid only for this authentication. The user will need access to email/cell phone on top of valid credentials to get in.

    Implementation

    Let’s do an ls on /lib/security, this is where the pam modules reside in Ubuntu.

    Let’s go ahead and create our custom module. First, be very careful, we’re messing with authentication and you risk locking yourself out. A good idea is to keep a couple of sessions open just in case. Go ahead and download the source for our new module.

    Take a look at the code, you’ll see that PAM expect things to be laid out in a certain way. That’s fine, all we care about is where to write our custom code. In our case it starts at line 35. As you can see, the module takes 2 parameters, a URL and the size of the code to generate. The URL will be called and passed a code & username. It is this web service that will be in charge of dispatching the code to the user. This step could be done in the module itself but here we have in mind a centrally managed service in charge of dispatching codes to multiple users.

    Deploying the code is done as follows:

    [bash]gcc -fPIC -lcurl -c 2ndfactor.c
    ld -lcurl -x –shared -o /lib/security/2ndfactor.so 2ndfactor.o[/bash]

    If you got errors, you probably need to first:

    [bash]apt-get update
    apt-get install build-essential libpam0g-dev libcurl4-openssl-dev[/bash]

    Do an ls on /lib/security again and you should see our new module, yay!

    Now let’s edit /etc/pam.d/sshd, this is the file that describes which PAM modules take care of ssh authentication, account & session handling. But we only care about authentication here. The top of the file looks like:

    [code]# PAM configuration for the Secure Shell service

    # Read environment variables from /etc/environment and
    # /etc/security/pam_env.conf.
    auth       required     pam_env.so # [1]
    # In Debian 4.0 (etch), locale-related environment variables were moved to
    # /etc/default/locale, so read that as well.
    auth       required     pam_env.so envfile=/etc/default/locale

    # Standard Un*x authentication.
    @include common-auth[/code]

    The common-auth is probably what takes care of the regular password prompt so we’ll add our module call after this line as such:

    [code]auth       required     2ndfactor.so base_url=http://my.server.com/send_code.php code_size=5[/code]

    The line is pretty self descriptive: this is an authentication module that is required (not optional), here’s its name and the parameters to give it.

    send_code.php can be as simple as:

    [php]<?php mail( "{$_GET[‘username’]}@mail_server.com", "{$_GET[‘code’]}" ) ; ?>[/php]

    Or a complex as you can make it for a managed, multi-user, multi-server environment.

    Lastly, edit /etc/ssd/sshd_config and change ChallengeResponseAuthentication to yes. Do a quick

    [bash]/etc/init.d/ssh restart[/bash]

    for the change to take effect.

    That’s it! try and ssh in, the code will be dispatched and you will be prompted for it after the usual password. This was tested on Ubuntu 10.04 32b / Ubuntu 10.04.2 64b / Ubuntu 11.04 64b / Ubuntu 12.04 64b.

    A few disadvantages of this 2FA implementation worth mentioning
    • more steps required to get in
    • doesn’t support non TTY based applications
    • relying on external services (web service, message delivery), thus adding points of failure. Implementing a fail-safe is to be considered.
    • SSH handles key authentication on its own, meaning a successful key auth does not go through PAM and thus does not get a chance to do the 2nd factor. You might want to disable key authentication in sshd’s config.
    I.T., maniacal paranoia, unix / linux ben February 14, 2011

    Tripwiring your linux box

    Privilege escalation, trojan’ed SSH daemons, key loggers… While the focus is still mostly on MS platforms, Unix boxes aren’t free of exploits. As they are made popular by Macs and ever more approachable distributions like Ubuntu, they become more of a focus. The large share of the server market they represent is a considerable source of information that is mouth-watering to hackers.

    A good tool in the fight against ever evolving malware is Tripwire (the open source version cause we’re cheap). It takes the signature of key files on your systems (configuration, binaries) and checks them regularly for changes. Its major strength is the fact that no matter what exploit was used to compromise a certain binary, if this binary is infected, tripwire will go off. Modern antivirus softwares look for specific signatures of known infections, and there are so many of them that they only look for the ones that are thought to be in the wild at any given time. They also are in reactive mode against 0days and usually take a few days to adjust. Their behavioral analysis methods are based on heuristics and generate too many false positives to be worthwhile.

    Tripwire doesn’t care what the infection is, it just goes off if something changed. This is simple and efficient. Now it should only be one piece of a comprehensive security policy.

    In this article we’ll look at getting it installed and going on Ubuntu in a matter of minutes. You’ll want to be root for all this.

    ——————————————

    First, get the package:

    [bash]aptitude install tripwire[/bash]

    It’ll ask you for the passphrases used to secure itself.

    You’ll end up with these config files in /etc/tripwire:

    ——————————————

    Edit /etc/tripwire/twpol.txt to define which areas to keep an eye on, a pretty ok default is provided but needs some tweaking for Ubuntu and personal preference. I’d publish mine but hey, that’d be pretty stupid. Just keep in mind that you can use an exclamation mark “!” to negate a line, let’s say you want it to look at /etc but not /etc/shadow (user will want to change passwords in most cases) you’ll have a rule that looks like that:

    [code]{
    /etc        -> $(SEC_BIN) ;
    ! /etc/passwd ;
    }[/code]

    ——————————————

    When you’re done, run:

    [bash]twadmin –create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt[/bash]

    This will create the secured policy file based on the text file you just edited.

    ——————————————

    The config file (/etc/tripwire/twcfg.txt) can be edited too but the defaults are nice too. When done run:

    [bash]twadmin –create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt[/bash]

    Again, this creates it secured equivalent.

    ——————————————

    Make sure that the created file are only readable/writable by root

    [bash]chmod 600 /etc/tripwire/tw.cfg /etc/tripwire/tw.pol[/bash]

    Good practice dictates that you also should be removing plain text configuration files but you’ll want to keep them around for a little while, as you tweak your original config.

    ——————————————

    Finally, you can initialize the database with:

    [bash]tripwire –init[/bash]

    What this does is take a snapshot of everything you’ve specified in the policy file. If any of it changes, you’ll be notified.

    ——————————————

    The following will run the check for changes manually.

    [bash]tripwire –check[/bash]

    When you installed the package with aptitude, /etc/cron.daily/tripwire was automatically created to have this run everyday, root will received a mail report every day.

    ——————————————

    If you want to make a change to the base config:

    [bash]edit /etc/tripwire/twpol.txt
    twadmin –create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
    tripwire –init[/bash]

    If you want to update the base config, for example to acknowledge changes that happened on the box:

    [bash]tripwire –update –twrfile /var/lib/tripwire/report/<hostname>-<date>-<hour>.twr[/bash]

    I.T., maniacal paranoia ben January 27, 2011

    The death of the internet

    Let me throw a few of concepts we’ve been hearing about more & more lately:

    • metered bandwidth
    • end of net neutrality
    • content censorship
    • protocol restrictions
    • geographic restrictions
    • wiretapping
    • deep packet inspection
    • malware becoming crimeware
    • dataleaks
    • DDoS
    • internet kill switch

    The way that we used to see the internet as an unrestricted web of information is changing rapidly. And it looks like the free ride is coming to an end.

    Corporations want to dictate our internet usage, politicians don’t understand the issues of a technology from the next generation; and if they do, lobbyist money has a strong convincing power. And quite frankly your average user has no clue either. What was once a free and unrestricted flow of information is quickly becoming a metered and port/site/protocol restricted happy network.

    references:

    Traffic discrimination & Net Neutrality

    Comcast’s P2P throttling suit

    What was revolutionary about the internet was its lack of boundaries, the world was connected. Since then the marketing & licensing geniuses have caught on to the fact that it is possible to restrict content by geographic location. Like regions on DVDs you now cannot consume certain media in certain regions. It is a travesty to the human accomplishment that is the internet and inevitably leads to the absurdity that it is easier to consume pirated content than legal one.

    Organized crime also has caught on, the obnoxious malware & viruses that were once spreading for fame or installing dumb toolbars are now becoming very targeted at committing crimes. From harvesting financial information to generating DDOS attacks. A black market of stolen information and network hitmen is emerging on an internet that many companies handling your data do not understand. Viruses much like biologic organisms are becoming polymorphic with self defense mechanisms. Their technological advancement clearly shows funded work as opposed to the classic image of the basement hacker we all have ingrained in our heads.

    references:

    Zeus botnets specialized in harvesting financial data

    Researchers hijack control of the Torpig botnet for 10 days and recover 70 GB of stolen data from 180,000 infections

    Governments are starting to play their silly international politics game on this new field, releasing cyber attacks against one another. The amount of information & critical infrastructure facing the great network is making it a strategic field of military and intelligence importance. It is clear that the network in its current state of international openness is an issue to government interests, and we can fully expect to find cyber borders erected in the near future, not unlike the great firewall of China even though this last example has other applications. Applications that pertain to opinion control via censoring, China isn’t the only country doing that, Australia is pretty good at it. And the U.S. is working on creating a presidential “interet kill switch”, you know just in case people here get sick enough of 2 everlasting wars and 4th amendment tramplings to take the streets. Egypt has just done it, they shut down internet and cell phone communications during their 2011 protests.

    references:

    Stuxnet’s specific targeting of Iran’s SCADA controled systems

    The Great Firewall of China

    Australia’s intenet censorship

    Obama’s internet kill switch

    How Egypt shut down the internet

    At a time when Wikileaks is putting to shame governments and corporations, more controls are inevitable.

    So what’s next?

    Computers and network devices have become increasingly powerfull. So much so that this blog you’re reading is instantiated on a 8 years old server sitting on a fridge behind a home DSL. Besides computing & networking power, something else has been growing that you might have heard about: social networks.

    I think that one day, a couple of geeks will be tired of the state of the internet and will throw a home-made link between their houses to share what they want when they want without getting advertised, wiretapped, datamined or attacked. This can currently be done with long range wireless devices (WiMAX) or even by adding a layer to the current infrastructure (think VPN).  Soon a third geek friend will want in, and provided that he is trusted by the founders, he’ll get in. After a while, adding friends of friends will become too far out of reach for the founders to decide and they will implement a social reputation based system for dealing with users.

    And that’s it, you have a social network (at the strictest send of the term) that is growing & correcting itself based on reputation. This will of course be completely decentralized (unlike the internet) which means you will be relaying information for individuals you don’t know, hence the criticality of its reputation element.

    This network will eventually be overrun by corporate, mafia & government interests finding ways to abuse the reputation systems, it will slowly die and be replaced by another couple of geeks down the road.

    The end.

    Posts pagination

    1 2 Next →

    This blog is solar powered

    Interactive

    Handwriting Capture
    Mandalagaba
    IPv6 link-local to MAC converter
    IPv6 MAC to link-local converter
    Markov Text Generation
    Markov Word Generation
    Markov Music Generation
    Duplogrifier
    Flood Fill Algorithms
    Homestead Metrics
    RGB Playground
    Web Games

    Categories

    • aesthetics111
      • plots54
      • specular holography6
    • Books3
    • I.T.202
      • 3D modeling / printing21
      • AI6
      • all out geekery36
      • electronics27
      • homestead automation6
      • maniacal paranoia25
      • plotters49
      • unix / linux29
      • video games4
      • web development29
      • web games3
    • Lego / Duplo67
    • life in the U.S.42
    • miscellaneous202
    • nature encounters114
    • old vinyls3
    • organs2
    • self sustainability560
      • agriculture105
      • apiculture38
      • apple20
      • building131
      • canning3
      • crochet6
      • foraging6
      • hunting10
      • maple syrup47
      • poultry39
      • preserving2
      • solar power28
      • water23
      • wood84
    • trip to a new life6
    Theme by Bloompixel. Proudly Powered by WordPress