Intel CPU bug: Meltdown aftermath - Investing into popcorn for 2018
Monday, January 8. 2018
I came back from Christmas holidays on Tuesday 2nd January and quite soon that morning our corporate chat channels were buzzing about this "Intel CPU flaw". Lot of the information came from article The mysterious case of the Linux Page Table Isolation patches. At the end, the author of the post suggests "Invest in popcorn, 2018 is going to be fun". For something written on first day of the year 2018, that is pretty well said!
More and more details leaked on Wednesday 3rd. The Register article Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign suggested said, that Linux kernel team named the flaw as Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT. So, they must have been mighty annoyed by this one. Urban Dictionary has a rather hilarious explanation of it.
Given the time difference between US an Europe, the information was published late on 3rd January, in form of website Meltdown and Spectre - Vulnerabilities in modern computers leak passwords and sensitive data. On Thursday 4th European time, entire Internet was full of news and speculation of these security flaws. Nobody has really confirmed this, but it looks like Intel knew about this flaw back in June 2017, for example Ubuntu-project confirms, that they received information about the flaw back in November 9th.
So, what is fuss this all about?
Since nobody really understands Kernel page-table isolation or Speculative execution, a much simper approach is needed to get a grasp of this problem (yes, you Super-Nerds understand it, I know!).
Xkcd #1938 has the best summary of this flaw that I've seen:
Mr. Daniel Miessler also has pretty good summary of the problem in his post A Simple Explanation of the Differences Between Meltdown and Spectre:
Ultimately you have two choices:
- Have a computer, which has a serious exploitable security flaw
- Lose some of your CPU-power
Most cases door #1 is chosen for you by your operating system vendor or cloud service provider.
A real measured effect of the fix
This is what Epic Games measured for their game Fortnite:
While looking at the graph, please remember, that Epic Games didn't choose to have the fix installed. This decision was made for them thanks to cloud computing.
There are number of similar reports all around the web, including Tim Gostony's tweet "Impact of the patch for the Intel bug on my AWS EC2 instances running Linux". It shows much les bump in the CPU-power than Epic Games' graph, but still it is there and it can be noticed.
What now?
Ok, everybody's every CPU is affected, but luckily for Meltdown mitigation you wouldn't normally run malware on your computer anyway. For Spectre, it gets scary. It mostly affects shared computers where somebody else is capable of stealing data from your instance.
The #1 thing I'll be waiting most is a physical CPU product that can be purhcased from a store which has a fix for this. Nobody has even promised anything about that. The existing software-based fixes are horrible. For example I was running Progress Quest on a Windows 93 session on a i7 laptop. After the fix, simply starting Windows 93 on a web browser it takes almost all of the CPU instead of idling like it did before the fix.
Amazon Web Services (AWS) in their original statement they said that "This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices." I'm hoping, that it will take less than a decade to get it fixed.
QNAP Stopping Maintenance of TS-419P II
Tuesday, January 2. 2018
As usual, I got an e-mail from my NAS-box stating, that it has a new firmware upgrade QTS 4.3.3.0404 build 20171213.
It had the usual release notes telling the changes. What really caught my attention was:
QTS 4.3.3 is the final available firmware update for the following models: TS-419U II
WHAAT! Just out of the blue, my model was obsoleted piece of junk!
The actual full list of models is: TS-112P, TS-212P, TS-212-E, HS-210, TS-112, TS-212, TS-121, TS-221, TS-421 TS-120, TS-220, TS-420, TS-420U, TS-421U TS-412, TS-412U, TS-419U, TS-419U+, TS-419U II, TS-119P II, TS-219P II, TS-419P II, TS-119P+, TS-219P+, TS-419P+, TS-119P, TS-219P, TS-419P, TS-119, TS-219, TS-419
So, only the recent QNAP boxes were maintained from this point on. Darn! My take on their decision to stop maintaining all the old models is, that initially they barely maintained them at all. In fact, QNAP got burned seriously on not acting: 0-day: QNAP NAS Devices suffer of heap overflow. In less than two years they managed to get that one fixed. They received information on 1st Feb 2016, stalled on the fix and after 12 months somebody else stumbled into the same flaw and after QNAP failed to receive the information about it, he released into public. QNAP managed to the fix out at 14th Feb 2017.
To me that action (read: lack of it) means, that they did not have a protocol in place for a situation where a security flaw would be found in one of (read: all of) their main products sold to general public. While spewing out unfounded allegations here, I'm pretty confident, that it wouldn't have made any difference if the security flaw was in their internal systems. Also, I'm sure, they did not act on the initial report as the author was well-behaving and extended his grace period on QNAP's request. Unfortunately to QNAP, their security reporting system wasn't maintained and it didn't work at the time of second finding, so the information leaked quite soon.
After all this commotion, they chose to create processes, assign personnel to it and start maintaining their products, they suddenly realized, that IT'S HARD WORK! Oh really! Rest of the world knows it already. But that's what you need to do when you are in device manufacturing business. World is full of non-maintained IoT-junk, as this Twitter-feed points out.
Ok, enough rant. Now I have a decision to make. What to do with a perfectly good NAS-box. Suggestions are welcome.
Mini Arcade Machine
Saturday, December 30. 2017
Looks like I've been nice, as Santa Claus brought me a nice present. A Mini Arcade Machine!
By the looks of it, it must be some sort of Android device placed into an arcade cabinet.
There are 240 games to play, but none of them are well-known titles. Obviously, they didn't want to pay any royalties for using the names. However, all the games are classic ones which I've played couple decades ago.
What I was expecting to see is a HDMI-output, but there is none. All the gaming needs to be done on a tiny screen.
Windows 10 Fall Creators Update breaking sleep
Monday, December 18. 2017
Problem
My gaming PC got the fall update quite late and after that it wouldn't stay in sleep. Something got broken in the update and I had to shut it down every single time I didn't want to use it. Annoying!
Debugging - The Reason
The reason it popped back on wasn't big of a mystery. There is a simple command to query the wake reason:
PS C:\WINDOWS\system32> .\powercfg.exe /waketimers
Timer set by [SERVICE] \Device\HarddiskVolume4\Windows\System32\svchost.exe (SystemEventsBroker) expires at 21:46:29 on 15.12.2017.
Reason: Windows will execute 'NT TASK\Microsoft\Windows\UpdateOrchestrator\Reboot' scheduled task that requested waking the computer.
There are number of articles about How to disable wake timers?, but it doesn't fix this.
A peek into Windows Task Scheduler reveals the ugly fact:
There is a hourly scheduled task, that indeed does run every hour and every goddamn hour it will wake my computer from the sleep to see if it needs to reboot it! Who having half a brain made that engineering decision at Microsoft?!
Attempt 1 - Disable the task - FAIL!
Ok, easy thing, let's disable the task. Or ... let's not. It is impossible! The permissions prevent regular human beings from doing that.
After a while, I bumped into somebody else having this same particular problem. Computer is waking up and: Can't modify task “Reboot” in win10 home. Basically, the idea is to go get Sysinternals PStools. It contains a tool called PSexec, which can do the modification for you.
Like this:
First run a cmd.exe with the PSexec 64-bit version:
PS D:\Users\Downloads> .\PsExec64.exe /s cmd.exe
Now, that permission-barrier is fixed, then:
C:\WINDOWS\system32>schtasks /change /tn "\Microsoft\Windows\UpdateOrchestrator\Reboot" /disable
SUCCESS: The parameters of scheduled task "\Microsoft\Windows\UpdateOrchestrator\Reboot" have been changed.
Now the stupid scheduled task is running hourly as expected, but NOT when your computer is sleeping. But ... guess what! Yes! There is something in Windows 10 internals, that keeps that particular task enabled. It will stay disabled for half an hour or so, but ultimately just using the computer makes the task enabled again, and the problem persists.
Attempt 2 - Remove the allow wake setting - FAIL!
By using the PsExec64.exe
-trick, it is possible to get an XML-representation of the task, by running:
schtasks /tn "\Microsoft\Windows\UpdateOrchestrator\Reboot" /xml
in the XML-data there is:
<WakeToRun>true</WakeToRun>
... but I don't know how to change a task from XML-file. You can create a new one, but changing seems impossible.
So, ultimately I had to find something else
Attempt 3 - Powershell - FAIL!
Instead of spawning a new cmd.exe, going for PowerShell has benefits - it can actually edit an existing task. There is a built-in applet Get-ScheduledTask
, with appropriate counterpart for setting the properties.
Spawn a nice PowerShell-session with appropriate permissions:
.\PsExec64.exe /s powershell.exe
The shell is kinda dead, for example output is garbled and input editing has issues, but if you know what to run, it will do it given the correct permissions.
As suggested in use powershell to find scheduled tasks set to wake the computer, now it is possible to get a list of Scheduled Tasks which have permission to wake the computer:
PS C:\WINDOWS\system32> Get-ScheduledTask | where {$_.settings.waketorun}
My computer will output a list like:
TaskPath TaskName
-------- --------
\Microsoft\Windows\.NET Framework\ .NET Framework NGEN v4.0.3031...
\Microsoft\Windows\.NET Framework\ .NET Framework NGEN v4.0.3031...
\Microsoft\Windows\SharedPC\ Account Cleanup
\Microsoft\Windows\UpdateOrchestrator\ Reboot
A simple(?) one-liner will edit the task (backtick is the word-wrap operator):
Get-ScheduledTask `
-TaskPath \Microsoft\Windows\UpdateOrchestrator\ `
-TaskName Reboot |
%{ $_.Settings.WakeToRun = $false ; `
Set-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -Settings $_.Settings }
Yes, now the task is enabled, but has the appropriate condition setting for allow wake the computer from sleep disabled.
... aaaand it doesn't work. The same thing altering the enabled-state also resets this setting. Darn!
Attempt 4 - Revoke permissions - Success!
This was driving me mad!
It worked perfectly before the stupid update!
Finally, I found an article from Reddit: Is there ANY way to stop UpdateOrchestrator for turning 'wake the computer to run this task' back on after every cumulative update?
That guy suggested to revoke all permissions from the file. Now the automator which keeps resetting the settings fails to touch the file.
The command I ran in PowerShell is:
icacls $env:windir"\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot" `
/inheritance:r `
/deny "Everyone:F" `
/deny "SYSTEM:F" `
/deny "Local Service:F" `
/deny "Administrators:F"
That simply puts everybody and everything into deny-list for the file-access. AND IT WORKS!
So, looks like ultimately whatever the mechanism is restoring the setting, somebody loves writing to the file, but it doesn't know how to reset the permissions. Which is nice!
I chose to keep the task enabled, but unset the allow wake -setting. So, when my computer is running, the task is ran every hour as expected, but when my computer is sleeping, my computer is sleeping and doesn't wake for nobody.
Microsoft:
Suggestion, eat your own dog food! If anybody at the Windows-team doing power management/task scheduler would run this at home they would know the annoyance instantly.
Com Hem offering IPv6 via DHCPv6 to its customers
Sunday, December 17. 2017
A month ago my ISP sent information that they're upgrading my connection speed without increasing the monthly cost! Nice. Totally unexpected from them.
Couple weeks ago my internet connection had dropped during night and I just flicked the switch on the cable router and it all came back. What I didn't initially realize, that I had an IPv6-address! WHOA!
Given zero public information about this on their public website, customer portal or anywhere, I just saw that on my network interface while investigating an another issue. They are broadcasting router advertisements and allocating a /64 from 2A04:AE00::/26 (SE-COMHEM-20140210). It looks like this on radvdump
:
interface enp1s0 {
AdvSendAdvert on;
# Note: (Min,Max)RtrAdvInterval cannot be obtained with radvdump
AdvManagedFlag on;
AdvOtherConfigFlag on;
AdvReachableTime 600000;
AdvRetransTimer 0;
AdvCurHopLimit 64;
AdvDefaultLifetime 9000;
AdvHomeAgentFlag off;
AdvDefaultPreference high;
AdvSourceLLAddress on;
AdvLinkMTU 1500;
}; # End of interface definition
Since the O-bit for "other" (AdvOtherConfigFlag on
) is enabled, it means that a DHCPv6-request will get more usable information. A DHCPv6 lease will look like this:
lease6 { interface "enp1s0";
ia-na xx:xx:xx:xx {
starts 1512476381;
renew 302400;
rebind 483840;
iaaddr 2a04:ae07:yyyy:yy::yyyy {
starts 1512476381;
preferred-life 604800;
max-life 2592000;
}
option dhcp6.status-code success;
}
option dhcp6.client-id 0:1:2:3:4:5:6:7:8:9:a:b:c:d:e:f:10:11;
option dhcp6.server-id 0:1:0:1:53:f:97:74:0:50:56:a8:22:a4;
option dhcp6.name-servers 2a04:ae3a:ae3a::1,2a04:ae3a:ae3a::2;
}
It works and is fast and all, but ... (there's always the but part). Given SLAAC, they issue only a /64 prefix. Why is that a problem you ask. Well, to be able to issue an IPv6 address to all devices in my LAN, that's not enough.
I tried sending a Prefix Delegation -request via DHCPv6, but no. They didn't honor that request. Should that worked, I'd be happy. I'd have my own /48 prefix for my LAN-devices.
In the current form Com Hem's IPv6 is mostly useless as none of my actual devices have IPv6 addresses in them. I'm investigating this and if/when I find a solution for this, I'll post something about it. Meanwhile, if you know how to get a prefix out of them, please inform!
100-year-old Finland
Wednesday, December 6. 2017
Today, 6th of December 2017, Finland celebrates its 100 years of independency. That's very convenient, as I'm not there to celebrate with my fellow Finns!
Since somebody lured lot of other states to celebrate with them, lot of the world-known objects were light Finnish-blue. One location from the list is Globen ("-95 nevö föget!"), which is conveniently a brief tunnelbana ride away from my home. For some reason, there are no published pictures of Globen in it's celebratory lighting. So, here goes:
Ok. In reality, the place is called Ericsson Globe, but nobody calls it that. It's just Globen.
Saving the day - Android tethering with Linux
Sunday, December 3. 2017
The fail
On a peaceful Sunday, I was just minding my own business and BOOM! Internet connection was gone. After a quick debugging session, restarting the router and eyeballing the LEDs, it was evident: something with my ISP Com Hem was down:
Ok, ISP down, what next?
I whipped up the iPhone and went for any possible service announcements. And yes, the above announcement was placed on my user account information. I was stunned by this, it was so cool to have:
- confirmation, that something was down with ISP: Yup, it's broken.
- that information tailored with the geographical location of my subscription: Yup, that fail affects you.
No Finnish ISP or telco has that. I was very impressed with such detail (and still am).
The fix
There is no way I'm sitting on my thumbs on such an event. I was just about to start playing Need for Speed and now Origin wouldn't even log me in, so, no Internet, no gaming.
I have an el-cheapo Huawei Android lying around somewhere, with a Swedish SIM-card in it. My dirt cheap subscription has couple of gigs data transfer per month in it, which I never use. I came up with a plan to temporarily use the cell phone as an Internet connection. The idea would be to hook it up into my Linux router with an USB-cable, make sure the Android pops up as a network interface and then configure the Linux to use that network interface as primary connection.
Thethering
I found tons of information about Android-tethering from Arch Linux wiki. It basically says:
- Make sure your Android is newer than 2.2
- Connect the phone to a Linux
- Enable USB-tethering from the phone's connection sharing -menu
- Confirm the new network interface's existence on the Linux end
On my phone, there was two settings for personal hotspot. Wifi/Bluetooth and USB:
Connection
New phones have USB-C, but its such a new connector type, that anything older than couple years, has most likely micro-USB -connector:
Hooking it up to a Linux will output tons of dmesg and and ultimately result in a brand new network interface:
# ip addr show
5: enp0s20u4u3:
link/ether 82:49:a8:b4:96:c9 brd ff:ff:ff:ff:f
inet 192.168.42.90/24 brd 192.168.42.255 scope
valid_lft 3595sec preferred_lft 3595sec
inet6 fe80::7762:e1a9:9fa:69f5/64 scope link
valid_lft forever preferred_lft forever
Routing configuration
Now that there was a new connection, I tried pinging something in the wild world:
ping -I enp0s20u4u3 193.166.3.2
Nope. Didn't work.
I confirmed, that the default network gateway was still set up into the broken link:
# ip route show
default via 192.168.100.1 dev enp1s0 proto static metric 100
That needs to go to enable some functionality. But what to replace the bad gateway with?
Since the connection had IP-address from Telco DHCP, there is a lease-file with all the necessary information:
# cat /var/lib/NetworkManager/dhclient-*-enp0s20u4u3.lease
lease {
interface "enp0s20u4u3";
fixed-address 192.168.42.90;
option subnet-mask 255.255.255.0;
option routers 192.168.42.129;
The fixed-address in the file matches the above ip addr show
-information. Required information was gathered, and the idea was to ditch the original gateway and replace it with a one from the Android phone's telco:
# ip route del default via 192.168.100.1
# ip route add default via 192.168.42.129 dev enp0s20u4u3
# ip route show
default via 192.168.42.129 dev enp0s20u4u3 proto static metric 101
Now it started cooking:
# ping -c 5 ftp.funet.fi
PING ftp.funet.fi (193.166.3.2) 56(84) bytes of data.
64 bytes from ftp.funet.fi (193.166.3.2): icmp_seq=1 ttl=242 time=35.6 ms
64 bytes from ftp.funet.fi (193.166.3.2): icmp_seq=2 ttl=242 time=31.7 ms
To finalize the access from my LAN, I ran following firewall-cmd --direct
commands:
--remove-rule ipv4 nat POSTROUTING 0 -o enp1s0 -j MASQUERADE
--add-rule ipv4 nat POSTROUTING 0 -o enp0s20u4u3 -j MASQUERADE
--add-rule ipv4 filter FORWARD 0 -i enp3s0 -o enp0s20u4u3 -j ACCEPT
--add-rule ipv4 filter FORWARD 0 -i enp0s20u4u3 -o enp3s0 \
-m state --state RELATED,ESTABLISHED -j ACCEPT
There is no firewall-cmd --permanent
on purpose. I don't intend those to stick too long. I just wanted to play the darn game!
Done!
Now my gaming PC would connect to The Big Net. I could suft the web, read mail and even Origin logged me in.
That's it! Day saved!
EBN European Business Number scam - Part 2 - Do not pay!
Saturday, December 2. 2017
Update 25th June 2019: EBN scammers bankrupt
Roughly an year ago I posted about EBN European Business Number scam. Now, an year later, it is one of the most commented article on my blog. At the time of posting, I was just pissed off about that stupid scam and wanted to inform and educate my readers about this and warn them for NOT to agree on their terms, nor pay anybody any money for it.
Then something that I didn't foresee or expect to happen happened: The article took off and thousands of people read it and dozens commented it. Looks like I stumbled into something big. The upcoming months proved, that this scamming corporation was operating all over Europe and doing their less-than-honest "business" of selling nothingness to unwary business owners.
Given the flood of comments, recently I found out that Raivo Laanemets, an Estonian software consultant, wrote about EBN scam back on 2015, over year before I did. Go read his blog post here. For the pointer, I'd like to thank Mr. Vaidas, who copy/pasted the comment from Mr. Laanemets' blog to mine.
This is the comment from June 2017 and contains following by Mr.(?) Gorila:
The critical claims made are:
- Person behind all this is Adrian Wittmer
- My comment: I'm not sure how to confirm this
- Mentioned Adrian Wittmer is actively involved in two companies: Credit Business Resolution s.r.o. and CCF Credit Collection Factoring s.r.o.
- My comment: I have not seen the threatening debt collector's letters, but in my previous EBN post comments, people have said, that the company doing the debt collecting is indeed Credit Collection Factoring s.r.o. from the Czech Republic
- Czech Republic legislation is more tolerant towards fraudsters
- My comment: I barely know parts of Finnish law, gaining understanding difference between German or Czech laws is way beyond me.
- Regulation (EC) No 1896/2006 of the European Parliament and of the Council of 12 December 2006 creating a European order for payment procedure
- My comment: The above mentioned regulation directs how payments of "low value" between companies. (16) says: "This would allow the court to examine prima facie the merits of the claim and inter alia to exclude clearly unfounded claims or inadmissible applications."
Article 7 (d) and (e) define, that EBN debt collectors need to establish basis for their claim and appropriate evidence.
Shortly: If EBN-scam can be proven as unfounded claim based on fraud, you don't have to pay.
- My comment: The above mentioned regulation directs how payments of "low value" between companies. (16) says: "This would allow the court to examine prima facie the merits of the claim and inter alia to exclude clearly unfounded claims or inadmissible applications."
- Mr. Wittmer has created a money-making-machine. First he sells a non-existing "service" for European Business Number, then he acts as an enforcer to collect his own debt from customers refusing to pay.
- My comment: Again, I'm not sure how to confirm this, but it sure looks like that!
What I found out to corroborate Mr.(?) Gorila's claims made is:
- A variation of EBN-scam has been running in Czech Republic since 1998. There is an article about the scam written in 2006.
- Articles about Intercable Verlag AG can be found back in 2003 in Swizerland.
- Intercable Verlag AG was raided by Swiss police in 2006 and placed in liquidation in 2009
- I found a ton of claims, that Mr. Wittmer was the managing director of Intercable Verlag, but was unable to verify that. I guess, I just have to assume, that the claim is true.
- Croatian authorities issued a warning against EBN scam in 2017. That binds Swiss Intercable Verlag AG into Dutch EU Business Register and German DAD Deutscher Adressdienst GmbH. That could be a proof, that same persons operate the scam.
- In September 2014 European Parliament issued a notice about on misleading offers from Deutsche Adressdienst GmbH (DAD). That document clearly states that all petitions against the DAD Gmbh have been "declared admissible".
Shortly: You don't have to pay!
There seems to be a lot of truth in his(?) comment.
Do not pay!
When going gets tough for you, just refer to European Parliament Petition 1176/2013, Petition 1180/2013 and Petition 1556/2013 to the judge. That should make things bouncing your way.
Perl - The most disliked programming language?
Sunday, November 26. 2017

As you can see the top-3 three really stand out of the rest! You can easily disregard 2nd and 3rd "best", as nobody really uses VBA or Delphi anymore. Unlike those, Perl is being used. Even your Linux has it installed. All, but the tiny distros pre-install it into base image. Also those popular Mint and similar have it as an option. The obvious reason why Perl is being installed used everywhere is the wide popularity back in the 90s. Perl pre-dates Linux and was pretty much the only scripting language in that era, if not counting BASH or Tcsh scripting. Then times changed and Perl paved the way for PHP, Ruby, Python and the likes.
I don't understand who would NOT love a programming language that can be written with shift-key pressed down all the time!
Here, I present some of the most beautiful pieces of code ever written in Perl (also known as Obfuscated Perl Contest):
- The 1st Annual Obfuscated Perl Contest, Best in "The Perl Journal" category:
package S2z8N3;{
$zyp=S2z8N3;use Socket;
(S2z8N3+w1HC$zyp)&
open SZzBN3,"<$0"
;while(<SZzBN3>){/\s\((.*p\))&/
&&(@S2zBN3=unpack$age,$1)}foreach
$zyp(@S2zBN3){
while($S2z8M3++!=$zyp-
30){$_=<SZz8N3>}/^(.)/|print $1
;$S2z8M3=0}s/.*//|print}sub w1HC{$age=c17
;socket(SZz8N3,PF_INET,SOCK_STREAM,getprotobyname('tcp'))&&
connect(SZz8N3,sockaddr_in(023,"\022\x17\x\cv"))
;S2zBN3|pack$age}
- The 4st Annual Obfuscated Perl Contest, 3rd in Do Something Powerful category:
$_=q(s%(.*)%$_=qq(\$_=q($1),$1),print%e),s%(.*)%$_=qq(\$_=q($1),$1),print%e
- The 5h Annual Obfuscated Perl Contest, Winner of The Old Standby category:
#:: ::-| ::-| .-. :||-:: 0-| .-| ::||-| .:|-. :||
open(Q,$0);while(<Q>){if(/^#(.*)$/){for(split('-',$1)){$q=0;for(split){s/|
/:.:/xg;s/:/../g;$Q=$_?length:$_;$q+=$q?$Q:$Q*20;}print chr($q);}}}print"\n";
#.: ::||-| .||-| :|||-| ::||-| ||-:: :|||-| .
Who would ever hate that?
Look! Even this kitten thinks, it's just a concise form of programming. Nothing to be hated.
Book club: The Art of Deception: Controlling the Human Element of Security
Sunday, November 19. 2017
About Humble Bundle
Couple months ago there was a real good deal in Humble Bundle for eBooks. For those of you who don't know what Humble Bundle is, it's a for-business subsidiary of IGN Entertainment (which again is a subsidiary of Ziff Davis). Unlike regular charities , which just make a plea to give money to them, Humble Bundle makes deals with software vendors to sell products which are way past their prime money-making age. Their slice of the operation is ~20% and the rest goes to software vendors and the charity of your choosing. In many cases you can choose the charity:software-split from range 0-100% and if you feel like it, you can tip Humble Bundle with something extra.
They passed $100M USD donated in September 2017. As there are costs of running the business, they raked in money more than that, but so far nobody has proved that they wouldn't actually deliver on their charity-promise. They are doing business with major corporations and if Humble Bundle would be caught red-handed, they would face a horde of lawyers suing their asses. For the time being, I choose to believe that they keep their promises and occasionally when I see something interesting in their mailing list, keep sending my money to them.
About the author, Kevin Mitnick
Ok, enough Humble Bundle, this is supposed to be about the book.
Since the deal was sweet, I went for it and paid couple € for the de-luxe bundle of security-related books (I think the actual amount was in region of 25 €). They delivered the download link for unlocked PDFs instantly after my PayPal payment was accepted. So, now I'm a proud owner of 14 books about information security.
The one book that I really wanted was the famous Art of Deception by Kevin Mitnick, a reformed bad boy who turned white-hat hacking. A warrant to arrest him was issued back in 1992 and he managed to evade FBI till February 1995. Since there was no applicable legislation in USA to convict him from the cracks he made to various US Government agencies and private corporations, US Department of Justice managed to keep him incarcerated for 4 and half years without bail or trial. When he got released to general public, a judge slapped a 7 year ban for him not to profit from selling books or movies, still on 2002 he put together this book and managed to get it published. He also published a book The Art Of Intrusion: The Real Stories Behind The Exploits Of Hackers, Intruders, And Deceivers in 2005, but it's unclear to me did he profit from them at all. Wired confirms, that the ban from profiting ended in January 2007. If anybody knows that, please drop a comment.
About the book
Well, enough of the author, this is supposed to be about the book.
The stories about social engineering tricks either Mr. Mitnick pulled off himself or the stories he describes in his book are really intriguing. But at the same time the technical details are vastly outdated, remember it was published in 2002 and stories are from 60s to 90s. Reading stories about dial-up modems, faxes and landline telephone voice mails make me laugh in the wrong place of the story. So, while reading, I was constantly thinking if it would be possible to pull off a similar feat in the modern world.
The books is written on four sections. Parts 1 and 2 are more about how social engineering works. There is always sonebody with poor awareness, either by not doing what was instructed or the instructions are missing or poorly done to begin with. Part 3 contains the "war stories" how people were fooled to say or do something they wouldn't normally do and while doing it didn't understand the value of their deed to the opposing party. To summarize, it's never a single piece of information which can compromise your organization, it's always a combination of things. To pull off such a social engineering hack, you must have detailed information about procedures and find a weak spot there. Also, most of the hacks are done to multi-site corporations. If your organization is geographically bound to a single location, it will be very hard to call in and request something "for my boss" at the remote site. My experience about small and medium sized Finnish companies is, that most people know everybody at least by name. Any incoming call would immediately raise suspicion and would question the caller's true agenda and identity.
Part 4 contains instrictions how to prevent such socical engineering attacks. For anybody not making security policies that part might be little bit boring. Here is an example of a flowchart how to train personnel:
Copyright © 2002 by Kevin D. Mitnick
Given in modern world, that government organizations don't need to pull of such hacks to get your information. You've already volunteered all of that! All they need to do is capture it from your cloud service provider's hard drive. Also, generally speaking personnel are more aware of possibility for social engineering. In his CeBIT Global Conferences 2015 video he claims, that for example dumpster diving still works. I personally wouldn't believe it. In Europe we don't need to print source code o passwords to paper and if we would be that stupid, there is a special secret-material-to-be-destroyed -paper bin at the office for such confidential waste.
Also, I remember seeing a video (... which unfortunately I was unable to locate) of Mr. Mitnick describing an assignment he got from a company, where his social engineering failed. It happened, that the receptionist knew about it. When Mr. Mitnick was requesting for a piece of information to get his assignment going forward, the receptionist actually responded: "Have you heard of Kevin Mitnick's book Art of Deception?". So, that was an example of well trained personnel to save that day. But unfortunately the book doesn't have a single example of social engineering failing. I was kinda expecting to see some of those.
About recommendations: people already knowledgeable about social engineering and feats that Mr. Mitnick pulled off don't get that much out of the book, but for everybody else, the book offers mind-opening stories, which can be reflected in everybody's real life. When somebody asks you for something they should already know, it may be time to think about social engineering.
If you have 6 minutes to spare, here is a DEF CON 23 video of Mr. Mitnick pulling off a social engineering hack, with permission from the target corporation, targeted to a pre-selected employee. They lure the poor guy to go to a website using Internet Explorer, which at the time had a known security flaw in it. That way they get a some sort of remote-access-toolkit to his computer. Nice! But not possible without the actual injection using the flaw being there.
F-Secure Ultralight Anti-Virus
Sunday, November 5. 2017
Which anti-virus software to use on a Windows 10?
There are a number of software to choose from. Some are free, some are really good at detecting malware, some are award winning, industry recognized pieces of software and there is even one that comes with your Windows 10 installation.
For couple decades, my personal preference has been a product from F-Secure. For those of you expecting me to hand out a recommedation out of numerous F-Secure products, given the multiple computers I operate on daily basis, just picking a single specific product is not possible. Also, I'm a member of their Beta Program and run couple pieces of their software which are not flagged as production-quality.
Here is the part with a recommendation:
When Ultralight Anti-Virus (for Windows) gets released, that's the one I definitely urge you to try out. The user interface is an oddball, simple, but odd:
On an initial glance, the first question I had was: "Ok, Where are the settings? Where IS the user interface?!" But that's the beauty of the product, it has no more settings than the above screenshot contains. That's wildly out-of-the-box. Functional, yes. But something completely different. Naturally it's a F-Secure product, and they don't make any compromises with ability to detect malware. It has no firewall or plugins to your browser or anything unnecessary.
When/If the product is ever released, go check it out!
Cygwin X11 with window manager
Saturday, November 4. 2017
Altough, I'm a Cygwin fan, I have to admit, that the X11-port is not one of their finest work. Every once in a while I've known to run it.
Since there are number of window managers made available for Cygwin, I found it surprisingly difficult to start using one. According to docs (Chapter 3. Using Cygwin/X) and /usr/bin/startxwin
, XWin-command is executed with a -multiwindow
option. Then XWin man page says: "In this mode XWin uses its own integrated window manager in order to handle the top-level X windows, in such a way that they appear as normal Windows windows."
As a default, that's ok. But what if somebody like me would like to use a real Window Manager?
When startxwin
executes xinit
, it optionally can run a ~/.xserverrc
as a server instead of XWin. So, I created one, and made it executable. In the script, I replace -multiwindow
with -rootless
to not use the default window manager.
This is what I have:
#!/bin/bash
# If there is now Window Maker installed, just do the standard thing.
# Also, if xinit wasn't called without a DISPLAY, then just quit.
if [ ! -e /usr/bin/wmaker ] || [ -z "$1" ]; then
exec XWin "$@"
# This won't be reached.
fi
# Alter the arguments:
# Make sure, there is no "-multiwindow" -argument.
args_out=()
for arg; do
[ $arg == "-multiwindow" ] && arg="-rootless"
args_out+=("$arg")
done
exec XWin "${args_out[@]}" &
# It takes a while for the XWin to initialize itself.
# Use xset to check if it's available yet.
while [ ! DISPLAY="${args_out[0]}" xset q > /dev/null ]; do
sleep 1
done
sleep 1
# Kick on a Window Manager
DISPLAY="${args_out[0]}" exec /usr/bin/wmaker &
wait
The script assumes, that there is a Window Maker installed (wmaker.exe
). The operation requires xset.exe
to exist. Please, install it from package xset, as it isn't installed by default.
Call of Duty: WWII launch
Thursday, November 2. 2017
Given, that I work in Activision/Blizzard/King -corporation, every once in a while the job has nice perks.
Today, I got to go to CoD WWII launch party in Stockholm!
It was the first time I've been to a launch party of a game ever! Of course a corpo party is a corpo party. Lot of jada-jada, blah-blah and free booze. But a game launch party of course is about the game. There was an option for every party guest to play the game on PS4. Then they had invited couple of Swedish semi-celebs to play in a friendly competition eSports-style 6-vs-6. Btw, the winners went home with brand new CoD WWII special edition PS4s. Insiders told me that all of the celeb-gamers had an option to practice playing the non-released game at the Activision office in Stockholm.
And of course, nobody went home with empty hands. Everybody was given a goodie-bag with a CoD WWII T-shirt and a PS4 store code for the game.
I'm not a huge fan of FPSs on console, so, I think I'm not going to play much that one. I'll wait for some PC Steam-codes to float around the office (eventually they will) and then start playing.
Games: Gran Turismo Sport
Sunday, October 29. 2017
Yes!
The best-ever time sink is out again!
I'm a huge fan of the GT-series, have been that since the first Gran Turismo was published for PlayStation in 1997. Because the PSX doesn't support racing wheels, I played the game with a NeGcon-controller. Most of you have never heard of it, because it supported only PSX and was discontinued around the time when PS2 was released in year 2000. PS2 has USB-port, which made generic USB 1.1 wheels available to PlayStation/Gran Turismo -world too. NeGcon is one of the weirdest game controllers anybody has ever seen. Its like a normal game controller with swivel in the middle. Twisting the controller makes it possible to act as a steering wheel. It also had three analog buttons in it making throttle and break control reasonable accurate for race gaming.
Fast forward trough GTs 2-6 to GT Sport, which is the latest, best, brighest and first GT for a PS4. The controller I'm using on my PS4 Pro is a Logitech G29, but I'd definitely like to give my NeGcon a go, if the game would support it somehow. Now I'm wasting space for a Wheel Stand Pro, a NeGcon wouldn't require that!
Of course I have to put some miles to my GT Sport, so, not much happening here in my blogosphere.
Real-word Squid HTTP proxy hierarchy setup - Expat guide
Tuesday, October 17. 2017
Half a year back I posted about moving to Sweden. I built network and router setup to gain access to The Net. One of the obvious use cases for a connection is to playback various streaming media services. I have touced the subject of configuring Squid for YLE Areena earlier.
As an ex-patriate, I like to see and hear some of the media services I've used to consuming in Finland. Those stupid distribution agreements make that unnecessarily difficult.
Spec
With my current setup, I need to access services:
- directly: Using no fancy routing, direct out of my Swedish IP-address. It's faster and less error-prone. This is majority of my HTTP-traffic.
- from Finland: To access geo-IP blocked services from a Finnish IP. I have my own server there and I'm running Squid on it.
- from my VPN-provider: To access selected geo-IP blocked services from a country of my choosing
Of course I can go to my browser settings and manually change settings to achieve any of those three, but what if I want to access all of them simultaneously? To get that, I started browsing Squid configuration directive reference. Unfortunately that is what it says, a reference manual. Some understanding about the subject would be needed for a reference manual to be useful.
Getting the facts
Luckily I have access to Safari Books Online. From that I found an on-line book called Squid: The Definitive Guide:
That has an useful chapter in it about configuring a Squid to talk to other Squids forming a hierarchy:
© for above excerpt: O'Reilly Media
Now I familiarized myself with Squid configuration directives like: cache_peer
, cache_peer_access
and always_direct
.
... but. Having the book, reading it, reading the man-pages and lot of googling around left me puzzled. In the wild-wild-net there is lot of stumble/fall-situations and most people simply won't get the thing working and those who did, didn't configure their setup like I wanted to use it.
Darn! Yet again: if you want to get something done, you must figure it out by yourself. (again!)
Desired state
This is a digaram what I wanted to have:
Implementation
But how to get there? I kept stumbing with always_direct allow never
and never_direct allow always
-permutations while trying to declare some kind of ACLs or groupings which URLs should be processed by which proxy.
After tons and tons of failure & retry & fail again -loops, I got it right! This is my home (Sweden) proxy config targeting the two other Squids to break out of geo-IP -jail:
# 1) Define cache hierarchy
# Declare peers to whom redirect traffic to.
cache_peer proxy-us.vpnsecure.me parent 8080 0 no-query no-digest name=vpnsecure login=-me-here!-:-my-password-here!-
cache_peer my.own.server parent 3128 0 no-query no-digest name=mybox default
# 2) Define media URLs
# These URLs will be redirected to one of the peers.
acl media_usanetwork dstdomain www.usanetwork.com www.ipaddress.com
acl media_netflix dstdomain .netflix.com
acl media_yle dstdomain .yle.fi areenapmdfin-a.akamaihd.net yletv-lh.akamaihd.net .kaltura.com www.ip-adress.com
acl media_ruutu dstdomain ruutu.fi geoblock.nmxbapi.fi
acl media_katsomo dstdomain .katsomo.fi
acl media_cmore dstdomain cmore.fi
# 3) Pair media URLs and their destination peers.
# Everything not mentioned here goes directly out of this Squid.
cache_peer_access vpnsecure allow media_usanetwork
cache_peer_access vpnsecure allow media_netflix
cache_peer_access mybox allow media_yle
cache_peer_access mybox allow media_ruutu
cache_peer_access mybox allow media_katsomo
cache_peer_access mybox allow media_cmore
never_direct allow media_usanetwork
never_direct allow media_yle
never_direct allow media_ruutu
never_direct allow media_katsomo
never_direct allow media_cmore
never_direct allow media_netflix
# 4) end. Done!
request_header_access X-Forwarded-For deny all
Simple, isn't it!
Nope. Not really.
Notes / Explanation
Noteworthy issues from above config:
- On my web browser, I configure it to use the home proxy for all traffic. That simply makes my life easy. All traffic goes trough there and my local Squid makes the decisions what and where to go next, or not.
- In above configuration:
- I declare two peers (
cache_peer
), how and where to access them. - I declare ACLs by URL's destination domain (
acl dstdomain
). It's fast and easy! - I associate ACLs with peers (
cache_peer_access
) to get HTTP-routing - I make sure, that any traffic destined to be routed, does not exit directly from Sweden (
never_direct allow
). Slipping with that will be disastrous for geo-IP checks! - I don't declare my traffic to be originating from a HTTP-proxy (
request_header_access X-Forwarded-For deny
). Some media services follow up to the real client-address and do their geo-IP checks on that.
- I declare two peers (
- The VPN-service, I'm using is VPNSecure or VPN.S as they like to be called nowadays. Two reasons:
- No mandatory softare installation needed. You can just configure your browser to use their proxy with proxy authentication. And if you are using Google Chrome as your browser, there is an VPN.S extension for super easy configuration!
- Price. It's very competitive. You don't have to pay the list prices. Look around and you can get ridiculous discounts on their announces list prices.
- My Finnish proxy is just out-of-the-box Squid with ACLs allowing my primary proxy to access it via Internet. Other than default settings, has
request_header_access X-Forwarded-For deny
in it. - For testing my setup, I'm using following display-your-IP-address -services:
- Finnish services C More and MTV Katsomo are pretty much the same thing, share user accounts and in future are merging more and more. To have C More working, both ACLs need to declared.
- YLE Areena is using Akamai CDN extensively and they tend to change.
- Ruutu is using external service for geo-IP for added accuracy. They compare the results and assume the worst! Redirecting both is necessary to keep their checks happy.
- Netflix is using their own state-of-the-art CDN, which is very easy to configure. Regardless what Mr. Hastings publicly, they only care that the monthly recurring credit card payment passes. Using different countries for Netflix produces surprising results for availability of content.
Finally
This is working nicely!
Now moving from one media service to another is seamless and they can run simultaneously. Not that I typically would be watching two or more at the same time, but ... if I wanted to, I could!
Now, beyond any doubt I know answers to two crucial questions:
1. Who is behind the EBN fraud?
and
2. Why the Debt Recovery business has relocated to Czech Republic?
1. Who is behind the EBN fraud
After short investigation of two debt recovery companies who are sending threatening letters to the victims of EBN fraud I have found out that the man behind the EBN fraud is a notorious fraudster Adrian Wittmer. Wittmer is well known as the CEO of Intercable Verlag AG and was involved internationally in many similar frauds.
He was prosecuted by the Swiss Police and his company in Germany was closed after the Police raid. He has relocated his business into Czech Republic which is more tolerant towards fraudsters.
Adrian Wittmer is a founder of at least five fraudulent companies in Czech Republic; two of them are still active whilst the other three were closed. All companies allegedly have no employees and negligible turnover More information about these companies you may find from public data of the Czech Business Register. (https://www.detail.cz/osoba/adrian-wittmer-varsavska-715-36-praha/Hmp7dwW27XI/).
2. Why the Debt Recovery business has relocated to Czech Republic.
In Germany, as well in the EU, debt recovery is legally regulated and must be carried out according to the law, in accordance to the Regulation (EC) No 1896/2006. This regulation describes payment procedure for claims not contested by the defendant. This regulation simplifies, speeds up and reduces the costs of litigation in cases involving more than one EU country. The problem for DAD/EBN is that procedure procedure applies just to cases where the claim is not contested.
In case of the defendants’ complaint the matter ends up at the court which would judge against DAD in accordance to German Laws and Judgement of the German Supreme court which has rendered EBN fraud impracticable in Germany. Therefore, DAD is keen to settle accounts out of the court, but German legislation opposes any other than the lawful debt recovery.
In the past some attempts have ended by the police investigation and imprisonment for 2,5 years (Mr. Wilk and Mr. Schnell from Rostock, Germany). Therefore, the illegal part of the busies is relocated to Czech Republic which favors fraudsters, or at least, doesn’t persecute them.
Two active companies founded and owned by Adrian Wittmer Credit Business Resolution s.r.o. CCF Credit Collection Factoring s.r.o are now sending threatening letters, representing themselves as acting on behalf of EBN/DAD. In reality, they are doing the second illegal part in the fraud which is punishable by the German laws. Hence DAD/EBN have relocated that part of the busies into Czech Republic.
EBN in Hamburg is just the first stage in the business: harvesting signatures, issuing invoices and is sending payment reminders. They do just the part which is not prosecuted in Germany by the Criminal Police. What they do is bordering on matters punishable by the German laws but remain at the safe side. Therefore, we may conclude that the whole EBN fraud is illegal according to the German laws and presents no treat to those who have returned signed forms to DAD. DO NOT PAY – Just ignore them and enjoy ongoing vacations.