codeblog code is freedom — patching my itch

April 30, 2006

slow debian mirror avoidance

Filed under: Networking — kees @ 8:02 pm

ftp.us.debian.org has 4 mirror servers in their DNS round-robin. One of them (216.37.55.114) is very slow (25Kb/s) for me. The others are blazing fast, especially 204.152.191.7 (800Kb/s). I’ve gotten sick of having to hit Ctrl-C to abort an apt-get, and then restart it, hoping to get a better server out of the DNS.

Today, I added the following to my machine’s iptables config, so that it will just redirect all attempts from the slow mirror to the fast mirror:

iptables -t nat -A OUTPUT -p tcp -d 216.37.55.114 –destination-port 80 -j DNAT –to-destination 204.152.191.7

If I wanted to do this for my whole network, I’d just slap this rule on my firewall and change “OUTPUT” to “PREROUTING”.

I love iptables.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 28, 2006

lvm article

Filed under: General — kees @ 2:14 pm

Bryce wrote a great article on LVM and disk management that I helped do some technical editing on. Hopefully stuff like this will help other people get more comfortable with LVM, and make it less of a dark art. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 26, 2006

smallville, as measured in lana-minutes

Filed under: General — kees @ 7:00 am

I enjoy watching Smallville. I found Lana tiresome almost immediately. Recently, the writers teased us by showing an alternate future where she died. Struck with the possibility of not having to deal with her while watching the show, I became very excited. Then they brought the character back, and I couldn’t bear to continue watching the show. Every minute she’s on the screen is a minute stolen from me through the dark arts of terrible acting. If I didn’t so enjoy the rest of the plots and characters, I could so easily just stop watching. (I am also starting to run low on SG-1 episodes…)

To help combat my annoyance with Lana, I think I’m going to measure her screen-time. I’m going to count every minute that she’s on-screen and not dead, or when the on-screen plot is a direct result of her idoicy. (i.e. Clark complaining about something Lana did.) The goal will be to reach a “perfect episode” Lana-minute score of ZERO.

As a bonus, I figure I should also track Chloevage minutes. I figure Lana and Chloevage timers shouldn’t run if they’re both on screen at the same time — they cancel eachother; I am neither frowning nor smiling. The Chloevage-minutes would be a tie-breaker for episodes with nearly the same Lana-minutes value.

Ah, the physics of abstract television analysis.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 23, 2006

grub, yaird, mdadm, and missing drives

Filed under: General — kees @ 7:54 pm

This is basically a rant. I spent all my energy tracking down the problems, so I never did get things actually fixed. :P

I have my machines configured for software RAID between my primary and secondary drives. I always have. LILO supported this configuration back in RedHat 5.2 days. I’ve been doing RAID1 for a long time now. About a year ago, I changed my preference for boot loaders to GRUB, and just kind of assumed it handled mirroring. Well, much to my surprise, grub totally and completely does not handle mirrored configurations. Even the proclaimed fix didn’t work.

As a result of this “discovery”, I’ve switched back to LILO, which, I think, is a pain in the ass because it doesn’t actually have any filesystem-smarts built into it. (i.e. I have to re-run “lilo” every time I change a kernel or initrd.) I may see if another fix works as expected, but I don’t have a lot of hope considering the device map in the filesystem is the same for both grub drives, which is what causes the problems in the first place. (“Ieee! Where did the other drive go?!”)

So, moving forward, assuming my bootloader works, all kernels from 2.6.13 forward don’t support devfs, and the older initrd tools can’t handle that. Debian invented “yaird”. I had assumed they used the /sys filesystem and did other smart things. As it turns out, it’s fairly brain-dead. I booted without one of my mirrored drives, and yaird totally freaked out. As I discovered while digging through the initrd yaird generated, it just statically builds device nodes, based on what the running system used to look like.

There are two problems with this:

  1. DM devices (LVM, crypto, etc) are dynamically assigned. They may not have the same numbers after rebooting. This is mostly worked around by waiting for stuff to show up in /sys, so I’ll only complain about Ubuntu’s practice of encoding the major/minor numbers for the root device. (e.g. 0xFF00 — my root partition may not always be detected first) I don’t understand this, since the loader handles string-based paths for the root partition. But that’s not the bug I ran into for this rant.
  2. If a device goes missing, yaird assumes this is a bad thing. It has no concept of quorum. It could be argued that it shouldn’t, but in that case, it shouldn’t drop me to a prompt every time a device goes missing. It should only do that in “debug” mode. (I should send my patch for that in.)

While digging to open a Debian Bug report against yaird, I discovered that yaird, while annoyingly dropping me to a prompt (which I can “exit” out of), isn’t the real problem. The real problem is that “mdadm” incorrectly thinks it can’t start up the mirror with only 1 drive. There’s actually a counting bug where it just flat out thinks it needs 2 drives to start. Once I found this, I got pissed, “What? How could this bug exist?”

I proceeded to find the current source for mdadm, so I could write a patch to fix it. Only then did I discover that Debian’s version of mdadm is 5 REVISIONS BEHIND (including a major version jump)! AAAGGGh!

At this point I got in line reporting how old mdadm is, installed a work-around-mdadm patch to my yaird templates, and switched back to LILO. Ugh. And before someone yells “Run Gentoo!”, I checked already. The Gentoo mdadm version is old too. But at least they have a masked ebuild of the modern versions.

I hate choosing between stability and bleeding edge, but I don’t usually complain because I recognize the costs associated with stabilizing new stuff. But, come on, the mdadm 2.x series came out in AUGUST. That’s 8 months ago. I think that’s pretty stable! *sob*

I wish I had enough time to be a Debian maintainer instead of just sitting here and moaning, but hopefully my bug reports will do some good. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 13, 2006

Bruce Schneier on attack trends

Filed under: Blogging,Security — kees @ 9:20 pm

On Wednesday I attended Bruce Schneier‘s short talk about the trends of online attacks. I figure I need to take his talk with at least a small grain of salt. While he has a reputation to maintain, he also works for a security outsourcing company. That in mind, I still like reading his blog, and I enjoyed hearing him talk.

The main take-away from his talk was that attackers are more rarely “hobbyists”, and more commonly criminals. (i.e. there is profit motive rather than an interest in boasting rights.) In the same vein, worms are becoming more sophisticated, quieter, and increasingly effective, while losing their cleverness. (Criminals don’t care if their worm is lame, they don’t care if they ripped off someone else’s worm, they care that their worm is staying undiscovered and is making them money. As a result, whole families of slightly different worms are appearing.)

One thing he said, that I have a hard time believing, and if true is pretty scary, is that cyber-crime profits are now exceeding drug profits. I would love to understand what the sources for that statistic are. Beyond just phishing, beyond worms waiting for you to authenticate to banks before emptying your wallet, there is even small-scale Denial-of-Service extortion. Generally, it’s against places that are themselves on tenuous legal ground, like offshore gambling sites. “If you don’t pay us $X, we’ll DoS you again!” It’s protection money online. Wild.

The market for blackhat exploits is growing. This is reducing the time between vulnerability announcement and exploit usage. Unfortunately, in the Microsoft world, an opposite trend is happening: patch speed is slowing due to their needing to test more and more configurations, staying infinitely backward compatible. At least this has an upside that their patches are generally better and corporations are learning to trust auto-update systems. (And I think this kind of brain-share is actually good for all OS vendors.)

The commoditization (and therefore homogenizing) of hardware and software means that everyone runs the same stuff. Even the criminals. Before, generally only the various corporations had old AS/400 machines and no one really wrote attacks against them. Now stuff runs on PCs.

Overall, the attacks online are becoming increasingly more damaging financially (“criminals are good at what they do”). The volume of attacks come from the open Internet, but the more successful attacks come from inside a private network. More worms are simply waiting for opportunity instead of beating on a network.

While some of the crime organizations have been taken down, there are still large bot networks that are continuing to grow in size even though they have no controller any more. This is truly something out of dystopic sci-fi. I don’t know why, but while I find the idea of full AIs reasonable, and totally non-intelligent systems reasonable, I find half-AI systems really creepy. They just keep doing some semi-smart thing over and over waiting until mommy comes back to tell them to do something else now.

He wound down discussing his worries for the future. He wants people thinking about VoIP security now. (Worms sniff your typing and packets already, soon they can sniff your voice.) He hinted at Digital Restrictions Management without actually saying DRM. (“Who owns your computer?” To which I thought, “I do. This is why Free Software is so important.”)

In closing he talked about security being more about usability than technology. I took that to mean “the Art of security is more about usability than technology.” I can have infinite security by just unplugging something. But that’s not very artful. Towards the goal of successful (artful) security, he wants to see service providers be ultimately liable for the financial damage. He figures this puts the motivations in the right place. It seems like the right thing to me (if credit card companies want to avoid it, it must be good for me) but I suspect there is something hidden deeper that may cause greater harm. I can’t put my finger on it, so for now, I’ll agree. :)

At one point he gave a nice view into his own world, in which he has to go twice a year and disinfect his own mother’s computer of worms. The cobbler’s childrens’ feet…

The end of the session was a book signing (Counterpane gave out gratis copies of Schneier’s new book “Beyond Fear“). I showed my geek by having brought a copy of “Applied Cryptography” for him to sign too. For which he was geek-prepared, and tossed in a cryptogram. Even though he does this for lots of people (Google told me later), it was fun to see it in my book; I wasn’t expecting it.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 11, 2006

construction movies

Filed under: Multimedia — kees @ 7:55 pm

From the time-lapse construction webcam I set up with Brian, I built a pair of AVIs. These were made with ffmpeg so they use the FMP4 codec. Windows folks can find ffdshow in a number of places.

Left view movie (31M), set to Delerium’s “Silence” (with Sarah Mclachlan).
Right view movie (24M), set to a remix of Everything But the Girl’s “Like the Deserts Miss the Rain”.

I tried to build these movies showing only day-light hours, on work days. A few holidays sneak in, though. (There’s a longer section of a few days where no one shows up for work across Thanksgiving, for example.)

The AVI frame rate is 25fps, with each frame jumping 10 minutes. The effective speed is 14400:1. They span the time from July 26 2005 through January 21 2006. (The right-side camera was added on August 29.)

My least favorite easter egg is where the room-light-shield I taped up to keep room glare off the camera peels off the window and hangs in front of one of the cameras during Christmas and New Year’s vacation (when no one was around to fix it).

My most favorite easter egg is near the latter half when a pile drilling rig is parked in the foreground. Over the course of the day, the hydraulics holding the drill up at an angle bleed out, and the drill slowly pitches forward. I just love it; it’s exactly the kind of event no one notices at the time because it’s happening so slowly. Seen in time-lapse, though, it’s very obvious — it’s the only thing moving at all! :)

Enjoy!

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 9, 2006

greasemonkey for RMLS

Filed under: Web — kees @ 8:15 pm

The house-for-sale listings that RMLSweb.com produces are very detailed, and even include a link to show a map for each house’s address. However, this link goes to MapQuest, which I find infuriatingly annoying to use. I wanted the link to at least go to Google Maps instead. Since I live near Portland, I also wanted to search the fantastic Portland Maps site at the same time. That way I could see lot dimensions, crime statistics, etc.

This was clearly a perfect job for GreaseMonkey. The result, after my usual fights with javascript, is my script to override the RMLS address mapping function.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 2, 2006

in honor of DST: SW

Filed under: Blogging — kees @ 7:56 am

Since I’ve lost an hour to Daylight Savings Time, I thought I’d record a list of links to Alternate Star Wars Theories.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

April 1, 2006

NetFlix movie downloading

Filed under: Multimedia,Vulnerabilities — kees @ 12:22 pm

Netflix accidentally lets you download movies for free. I reported this on March 18th, but they still haven’t replied. It’s been 2 weeks, so I’m posting the details now.

While digging through Netflix’s javascript I found a function named “startDownload“. I was originally just curious about the AJAX responsible for the movie info popup boxes, but this proved much more interesting.

I’m guessing they must be beta-testing this for some accounts because nothing visible through my account ever calls “startDownload“, but I could still use it.

Turns out the function handles a bitrate selection, and then just rewrites the URL a little. You can get the same affect by just adding “&download=avi&br=4” to the end of a movie info URL. For example, this is the URL to get info about Ice Age, and this is the URL to download Ice Age. This even seems to work without being logged in.

I haven’t had time to check if everything in their library is downloadable, but of the 6 or so I tried, they all worked. If anyone finds a cut-off date, let me know.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

Powered by WordPress