Archive for the Computers Category


This is why I'm not getting one...

The iPad may be “cool” but I fail to see the point.  It’s not going to be the “next big thing”, tablets have been out for YEARS people, and they are relegated to minimalistic roles in the computing industry.  Would I use a tablet? Sure, if I had a way to input information as fast as I can type, which at last test was in the 55/wpm range.  Voice recognition isn’t there, handwriting analysis isn’t there, so what is the purpose of a “tablet” based computer?  Here’s what I can see as a viable use for such a product:

  • reading documentation (similar to a kindle & other ebook readers)
  • drawing and sketching
  • surfing the web with a mouse only, as typing is cripplingly slow on any tablet interface
  • performing tasks that currently have specialized equipment, such as retail inventory systems and bar code scanning
  • a new pretty interface for McDonalds(tm) POS terminals

Aside from those, this is just another pretty toy.  When you couple its fixed configuration and limited battery life, you’re going to be sending it to the scrap pile in 3 years, adding to the pile of trash that we as Americans produce.  I’m still not giving up my laptop or my netbook, as they are both upgradeable (to a point), and provide all of the same functionality that I could get with the iPad.  Until there is a fully upgradeable tablet computer with a full keyboard that has the battery life of my netbook, I really don’t need this toy.

Way to go Apple, another non-green product for our future.


Official Gmail Blog: Today’s vowel outage.

In yet another blow of outages and problems for the Cloud Computing proponents, it seems that Gmail has suffered yet another problem.  Over the past year, Cloud Computing supporters have raged over the features and benefits of computing “in the cloud”, yet outages like these continue to occur in massive numbers.

Google’s Gmail blog today noted that they are suffering problems with their flagship free email service.  The blog post states that the problem was noted at 6:01am Pacific time, and that it began spreading to other data centers in an almost virulent fashion.  The Gmail blog goes on to state that the letters a, e, i, o, and u are missing from the alphabet on their web servers.  Google has yet to determine why this is happening, and recommends that you track their blog for ongoing details.  (linked here)

The Gmail staff and Google headquarters have refused to comment on this outage, stating, “We do not discuss ongoing technical support issues.”


After the recent Pwn2Own contest, the Microsoft product manager Peter LePage spoke out about the two “features” that were completely sidestepped to hack a Windows 7 system. He stated:

Just days after a pair of researchers outwitted major Windows 7 defenses to exploit Internet Explorer (IE) and Firefox, Microsoft said the measures AREN’T MEANT to “prevent every attack forever.”

Pete LePage, a product manager with IE’s developer division, stood up for DEP (data execution) and ASLR (address space layout randomization), the security features that two hackers sidestepped to win $10,000 each at the high-profile Pwn2Own hacking contest last Wednesday.

via Microsoft defends Windows 7 security after Pwn2Own hacks.

I find these comments from Mr. LePage a bit misguided, and very suspect.  How can a security “feature” so easily be sidestepped?  Two minutes?  I can’t wait until we get the details of the attack/exploit so that we can really see how this was done.


I just got around to reading this, it’s a great article, well stated. No matter if you love or hate Google, you need to check this out.  The Government is going to throw billions of US Dollars at broadband, and get us to a point where there is no competition in most markets, yet Google is going to drive much faster service to selected areas for a better price.

“…there is simply nowhere near enough competition in almost all of the markets in this country. In fact, under the new plan, some 85% of homes covered would have no choice when it comes to a provider. So while it’s great that just about everyone will potentially have broadband access in 2020, plenty likely won’t be able to afford it…”

“…The U.S. has the highest broadband prices among advanced nations, while countries like Japan and France get faster (and better) services, for a fraction of the price many of us pay. Again, it’s all about competition. So why do we put up with it? Because the U.S. government has no backbone and ruins its own ideas (such as the National Broadband Plan) because they give into corporate lobbyists…”

“As Benkler points out in his piece, Time Warner is quite pleased that it can set higher prices due to a lack of competition. Meanwhile, Comcast is raking in just about a billion dollars in profit each quarter thanks in large part to their pricing bullshit.”

Perhaps our government could take note of how Google is going to accomplish their feat of providing 1 gigabit-per-second connections to homes much sooner than the 100 megabit-per-second connections that the National Broadband Plan promised by 2020.

Is it me, or does our Government have the reverse Midas Touch?

————————————————————-

Help Us Google, You’re Our Only Broadband Hope. (The Government Has No Spine.)

MG Siegler

TechCrunch.com
Sunday, March 21, 2010; 6:24 PM

via Help Us Google, You’re Our Only Broadband Hope. The Government Has No Spine. – washingtonpost.com.


Security Fix – Apple issues security updates for Mac OS X.

How can this be?  My father recently went to the Apple Store outside Chattanooga TN, and they told him, “Apple doesn’t need any anti-virus, or other security software.  It’s just secure.”

Apple’s advertising program makes it out to be impervious to the threats that all of the other computers might also have.

Even Brian Krebs (While I like and respect him), stated in his blog a few weeks back that to be secure on the internet, you should do your online transactions on a Mac.

Well… something seems to be amiss.

Let’s be clear here:

All Operating systems:

  • Are flawed
  • Will be attacked
  • Need some sort of Anti-Virus
  • Need a client based Firewall
  • Need constant care and attention

The major issue with most operating systems is the User.  Most users, of any operating system, fiddle with the configuration.  This is similar to saying that “All drivers of a car, modify their car”.  This is somewhat true.  Let’s explore this for a minute:

Types of modifications drivers do to their cars:

  • Seat Covers
  • Floor Mats
  • Rims / hub caps
  • Exterior and Interior Trim
  • Stereo System/GPS
  • Tires
  • Engine Modifications/Upgrades
  • Suspension Modifications/Upgrades

Except for the last three items, most of these things, in moderation, are harmless to the driving safety of the vehicle.  However, if you don’t know what you’re doing, and you make some or all of the last three changes, you’re going to fall into one of the following categories:

  • Outside your ability to drive the vehicle
  • Creating an unsafe engine
  • Creating an unstable vehicle to drive

Now, taking this analogy back to computers, if you make modifications on your computer system, like installing unproven software, or installing many of the gazillion web toys to play games online (for example, flash-based games), you’re inviting your system to be taken over.  When you add any of the other high risk behaviors that we’ve been asking people not to do for the past 12+ years on the internet, (e.g. surfing porn, downloading music and movies, file sharing, opening un-requested emails, not having a firewall, not having Anti-Virus & Anti-Spyware tools, etc…) you have a recipe for disaster.

I think that it is high time that we hold the software manufacturers accountable.  (Including Apple)  Software manufacturers have to OWN the risk, and share the risk with the general public.  After all, if you purchased an automobile that was prone to blowing up while you used it normally, wouldn’t it be recalled?  Couldn’t you sue the manufacturer?  It’s high time that companies get with the program, and start making software that is SECURE BY DEFAULT, instead of bolting on thousands of “patches”, “fixes”, and even stating, “We rely on third party companies to provide that functionality”.

Apple is the biggest failure in Truth in Advertising, and since there are so many Apple Fan Bois, (sic), it doesn’t seem to be happening.  Sorry, I’m not falling for the smoke screen.  Sadly, many of you are.

How about you “Man Up”, and ask your wonderful Apple manufacturer to be truthful?

That’s my 2¢, YMMV.

-

dc0de.


While working this past week, I encountered a problem that I first solved in 1997, while working in Norcross for a small start up firm. The problem that we were having was related to a client/server connection going through a Firewall, being shut down after 5 minutes of no activity. I was amazed that a Firewall would shut down an idle connection in 5 minutes, but that’s what was happening. To make matters worse, the Firewall (Cyberguard), was hard coded to shut down idle tcp sessions after 5 minutes, and you couldn’t modify it in any way.

Well, we replaced that firewall, with a different product, but later that same year, we encountered the problem when we encountered the CheckPoint default session timeout of 60 minutes. We considered modifying the setting to 2 or more hours, but realized the risks of doing so. Leaving tcp connections open for long periods of time invites potential session hijacking risks. Since we were a security conscious company, we decided to look for alternate solutions. We went back to the RFC’s and really dug into TCP/IP settings and TCP Tuning.

We looked at how the tcp stack is implemented in Windows and found several documents on how to modify the systems we were running. In fact, I used the technet article so often, I have it memorized.  It’s Q120642.    We made several registry modifications and I even used this knowledge to write a document for CheckPoint FireWall-1 on how to tune the TCP stack on a Windows host that runs FireWall-1.

Several of the settings were modified to allow a high connection load; others we made on the servers on different segments of the firewalls.

To improve Connection Load we modified these two settings:

ForwardBufferMemory – default was enough for fifty 1480-byte packets, rounded to a multiple of 256  (ONLY 50!!!)  We increased this to 5000 (Note, if you change this, you have to change NumForwardPackets as well)

NumForwardPackets – default here was enough for fifty packet headers.  We increased this to 5000 as well.  (Note, if you change this, also change ForwardBufferMemory)

(For Windows servers running Internet facing sites, where connections may be greater and you need to transmit more data, you may also want to modify the above listed parameters)
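As an added example (not code from the original post, and not anything from Microsoft), the following Python script derives a consistent ForwardBufferMemory / NumForwardPackets pair from the sizing rule the post gives (N packets of 1480 bytes, rounded up to a multiple of 256, which for fifty packets yields the stock default) and renders both values as one .reg fragment so they are always changed together. The Tcpip\Parameters key path is assumed from the Windows documentation; the 1480-byte and 256-byte figures are the post's own.

```python
"""Added example, not code from the original post or from Microsoft.

Derives a consistent ForwardBufferMemory / NumForwardPackets pair from the
sizing rule in the post (N packets of 1480 bytes, rounded up to a multiple
of 256) and renders both as one .reg fragment so they change together.
The Tcpip\\Parameters key path is assumed from the Windows documentation.
"""

PACKET_BYTES = 1480   # per-packet buffer the post describes
ROUND_TO = 256        # ForwardBufferMemory must be a multiple of 256
TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"


def forward_buffer_bytes(num_packets):
    """ForwardBufferMemory needed for num_packets packets, rounded UP to 256."""
    if num_packets <= 0:
        raise ValueError("num_packets must be positive")
    raw = num_packets * PACKET_BYTES
    return -(-raw // ROUND_TO) * ROUND_TO   # ceiling to the next multiple of 256


def check_pair(forward_buffer_memory, num_forward_packets):
    """Problems with an existing pair; an empty list means the two agree."""
    problems = []
    if forward_buffer_memory % ROUND_TO:
        problems.append("ForwardBufferMemory is not a multiple of 256")
    needed = num_forward_packets * PACKET_BYTES
    if forward_buffer_memory < needed:
        problems.append(
            f"ForwardBufferMemory {forward_buffer_memory} cannot hold "
            f"{num_forward_packets} packets (needs at least {needed})")
    return problems


def reg_fragment(num_packets):
    """A .reg fragment setting BOTH values (REG_DWORD, hex, as regedit exports)."""
    fbm = forward_buffer_bytes(num_packets)
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{TCPIP_PARAMS}]\n"
        f'"ForwardBufferMemory"=dword:{fbm:08x}\n'
        f'"NumForwardPackets"=dword:{num_packets:08x}\n'
    )


if __name__ == "__main__":
    print(forward_buffer_bytes(50))   # the fifty-packet stock default
    print(reg_fragment(5000))         # buffer sized for 5000 forwarded packets, as one unit
```

Run it before touching a production box: `check_pair` is the review step for a pair someone else already set, and `reg_fragment` is the only way this script hands out a value, so the two registry values cannot drift apart.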

We modified much more and here isn’t the forum, however, Microsoft has actually written a very nice document on how to tune your 2008 servers for many different scenarios.  You can find it here: http://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv.mspx (read it… it’s actually well written!)

Now for you Linux guys, I know… you want to know how to tune your stacks too! Well, all I can say is learn your distro.  Use Google.  Or better yet, let me do that for you…Click Here for Linux TCP Tuning Tips

BUT I DIGRESS….

This is really about trying to get people to OPEN their minds and think outside the box.  No, wait… No it’s not.  It’s about getting people to open their minds and listen to reason.  Here are some interesting facts about tcp_keep_alives.

  • RFC 1122 states “A “keep-alive” mechanism periodically probes the other end of a connection when the connection is otherwise idle, even when there is no data to be sent. The TCP specification does not include a keep-alive mechanism because it could: (1) cause perfectly good connections to break during transient Internet failures; (2) consume unnecessary bandwidth (“if no one is using the connection, who cares if it is still good?”); and (3) cost money for an Internet path that charges for packets.”
  • it goes on to state, “To confirm that an idle connection is still active, these implementations send a probe segment designed to elicit a response from the peer TCP. Such a segment generally contains SEG.SEQ = SND.NXT-1 and may or may not contain one garbage octet of data. Note that on a quiet connection SND.NXT = RCV.NXT, so that this SEG.SEQ will be outside the window. Therefore, the probe causes the receiver to return an acknowledgment segment, confirming that the connection is still live. If the peer has dropped the connection due to a network partition or a crash, it will respond with a RST instead of an acknowledgment segment.”
  • This RFC was written in 1989!!!

I was asked what the “down side” of enabling keep alives was today, and there really is ONLY one.  BANDWIDTH.  In 1989, bandwidth was expensive.  Note in the section above, it mentions why the specification for TCP doesn’t REQUIRE a keep alive mechanism… because it could cause a good connection to fail during transient Internet failures.  Wow… that doesn’t really happen in $20mil data centers…. does it? And it could cost more because you’re putting a packet on the wire, and it may cost more $$ in charges for packets… Do you really pay more for two packets totaling less than 256 bytes every n minutes?  On your internal 10Gig network? (I don’t think so)…

So, the downside is ≤ 256 bytes every n minutes, or, some intermediary security device will time out your “TIME_WAIT” connections every 30 or 60 minutes. (depending on your security products)

Product           Default Timeout
Juniper SRX       30 minutes
CheckPoint FW-1   60 minutes
Cisco PIX-ASA     60 minutes
TCP Default       120 minutes

So, if you’re a platform operations person, and you’re presented with this problem, should you:

A) Tell everyone to modify every protocol on every security device in the network to keep Applications that don’t support Application Level Keep-Alives connected?

B) Enable tcp keep alives on the server hosts that are running these broken applications?

BIG HINT, the answer is B!
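As an added example that is not part of the original post, here is what option B looks like in code: a Python helper that turns on TCP keep-alives for a server socket and picks the idle time from the strictest device timeout in the table above, so a probe always leaves before any firewall in the path expires the session. The timeout values are the ones in the post's table; the socket options (SO_KEEPALIVE, TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT on Linux, SIO_KEEPALIVE_VALS on Windows) are the standard OS interfaces, assumed here rather than taken from the post, and the 50% margin is this example's own choice.

```python
"""Added example: per-socket TCP keep-alives on a server host.

Not code from the original post. Device timeouts come from the post's
table; the socket options are the standard OS knobs (assumed, not from
the post), and the 50% margin is this example's own choice.
"""
import socket
import sys

# Idle timeouts from the post's table, in seconds (constructed from that table).
DEVICE_IDLE_TIMEOUTS = {
    "Juniper SRX": 30 * 60,
    "CheckPoint FW-1": 60 * 60,
    "Cisco PIX-ASA": 60 * 60,
    "TCP default keepalive": 120 * 60,
}


def choose_keepalive_idle(timeouts, margin=0.5):
    """Seconds of idleness before the first probe: a fraction (margin) of the
    strictest device timeout, so a probe always goes out before any device in
    the path declares the session dead."""
    idle = int(min(timeouts.values()) * margin)
    if idle < 1:
        raise ValueError("timeouts too small to keep alive")
    return idle


def keepalive_overhead_bps(idle_seconds, probe_bytes=256):
    """Worst-case link usage of one probe/ack exchange every idle_seconds
    (the post's 'less than 256 bytes every n minutes'), in bits per second."""
    return probe_bytes * 8 / idle_seconds


def enable_keepalive(sock, idle, interval=10, count=3):
    """Turn keep-alives on for one socket.
    idle: seconds before the first probe; interval: seconds between
    unanswered probes; count: unanswered probes before the stack resets
    the connection (not settable through SIO_KEEPALIVE_VALS on Windows)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if sys.platform == "win32":
        # Windows takes (on/off, idle ms, interval ms) through an ioctl.
        sock.ioctl(socket.SIO_KEEPALIVE_VALS, (1, idle * 1000, interval * 1000))
        return
    # Linux exposes the three knobs per socket; other Unixes expose a subset,
    # so only set the names this platform's socket module defines.
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)


def keepalive_settings(sock):
    """Read back what the stack actually holds, for verification."""
    out = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name in ("TCP_KEEPIDLE", "TCP_KEEPINTVL", "TCP_KEEPCNT"):
        opt = getattr(socket, name, None)
        if opt is None:
            continue
        try:
            out[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
        except OSError:
            pass  # platform defines the name but does not support reading it
    return out


def demo_keepalive(idle=None, interval=15, count=4):
    """Create a TCP socket as a server would, enable keep-alives tuned to the
    device table, and return the settings read back from the stack."""
    if idle is None:
        idle = choose_keepalive_idle(DEVICE_IDLE_TIMEOUTS)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        enable_keepalive(sock, idle, interval, count)
        return keepalive_settings(sock)
    finally:
        sock.close()


if __name__ == "__main__":
    idle = choose_keepalive_idle(DEVICE_IDLE_TIMEOUTS)
    print(f"first probe after {idle}s idle; "
          f"overhead {keepalive_overhead_bps(idle):.2f} bit/s per connection")
    print(demo_keepalive(idle))
```

With the table above the strictest device is the SRX at 30 minutes, so the first probe goes out after 15 minutes of silence, costing a couple of bits per second per idle connection. Call `enable_keepalive` on each accepted socket (not only the listener) so every long-lived session gets the setting; the per-socket route is what lets the broken application keep its firewall state without anyone relaxing the device timeouts in option A.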

Epilogue:

TCP settings are not specific to one product, one operating system or one device.  The TCP/IP stack is mostly deployed as a standard by “most” vendors, and your settings and capabilities most likely are going to vary.  If you are looking for the specifics of the Operating System, hardware, vendor or other product, PLEASE GOOGLE IT, or contact your vendor directly.  If they don’t know the TCP/IP tuning parameters, stop buying their equipment, they’re too stupid to deserve your money.  As always, this is my 2¢, YMMV.  All rights reserved for those products that I’ve mentioned by name.



Cisco wireless LAN vulnerability could open ‘back door’ – Network World.

Ok, really? Come on, you must be bluffing.  People ask me all the time why I don’t pursue a Cisco Certification path in my career.  Here is why.  This is the company that has foisted such slogans as

  • “Changing the way we work, live, play, and learn.” (1996)
  • “The Worldwide Leader in Networking for the Internet”(1997-2002)
  • “Empowering the Internet generation.” (1998-2002)
  • “The fastest way to increase your Internet Quotient.” (1999-2001)
  • “This is the Power of the Network. now.” (2003)
  • “Discover a new world of Productivity.” (2003)
  • “The Network Works. No Excuses.” (????)
  • “Data Center 3.0” (????)
  • “Welcome to the Human Network” (????)
  • “The Network is the Platform” (????)
  • “The Self-Healing Network” (????)

I mean really.  John Chambers should be PISSED.  This is the kind of engineering I expect from a “has-been” company, or a really STUPID startup.  However, if Cisco would have embraced the “hacker community” instead of shunning it, perhaps Cisco’s technical expertise and prowess would be still employed at Cisco, instead of being at Juniper Networks, CheckPoint, Microsoft, and others.

I’ve been saying this for years, but perhaps it’s now the clearest time for someone at Cisco to listen.  Get back to your core competency: routing.  Everything else you try to do is a distraction.  Come on, do you really think that I’m going to build a data center with Cisco blade servers? (Who? Cisco? Servers? What?)  Pluuuheeese.  Stop trying to do everything, and do ONE THING RIGHT.

I refuse to believe that Cisco didn’t know about the above vulnerability when they purchased the product (We all know that Cisco doesn’t invent stuff anymore, unless it’s trying to patent someone else’s fix for a broken protocol), but really, I’m sure that a cost-benefit-analysis was done on the vulnerability, and it wasn’t “important” enough to fix at the time that they purchased, re-badged, and shipped out the “new” lightweight access points.

Any idiot with 1/2 a brain and has spent more than 30 minutes working on Wireless networks knows that you don’t send anything in the clear that you don’t want subverted, so really Cisco, how did this happen?

How about you reach out to the information security industry, (the same one that you claim to belong to), and ask for help?  There are many researchers who would be willing to help you, as long as you’ll sign a waiver to never sue…

Finally, I’m happy to be working on my Juniper certifications.  They aren’t perfect either, but at least they don’t sue researchers to not release vulnerabilities that you refuse to fix.  Oh, and they have a much faster platform.

That’s my 2¢, YMMV.

(Note, the comments above represent my personal opinion, and in no way are related to any positions I may have held in the past, present or with future companies.  These opinions are mine, and mine alone, and are not representative of any company, service, system, software, hardware, automobile, table, chair, any person (dead or alive), or anything.  If you want to try to sue someone, please sue yourself.)


Here’s a cool tool I found, by accident.  It may be old to some of you, but I find it to be very useful.  It allows me to make bootable USB sticks, very easily. (Sourceforge Project Page, Wikipedia Entry) UNetbootin is an amazing tool, well written and multi-platform.  I have used this tool to create several USB bootable flash drives, and really enjoy its ease of use.  There are several options for well known distributions, that will create a bootable USB flash disk, and download the latest iso image to build your flash distro.  You can also install your own distribution of choice, as seen in the screen shot below:

http://unetbootin.sourceforge.net/#introduction

Options in the current version, are: Arch Linux, BackTrack, CentOS, CloneZilla, Damn Small Linux, Debian, Dream Linux, Elive, FaunOS, Fedora, FreeBSD, FreeDOS, FrugalWare, Gentoo, Gujin, Kubuntu, Linux Mint, Mandriva, NetBSD, NTPasswd, openSUSE, Ophcrack, Parted Magic, PCLinuxOS, Puppy Linux, Slax, SliTaz, Smart Boot Manager, Super Grub Disk, Ubuntu, Xubuntu, and Zenwalk.

If you don’t see your distro of choice, you can simply download the iso image, and select it from your hard drive.  I used it to install SumoLinux from iso onto a 32GB usb stick recently, and it worked flawlessly.   As I am writing this, I’m also installing SliTaz onto a 1MB USB stick, and including the download of the ISO, from start to finish, took only a few steps.

  1. Insert the target usb stick
  2. Launch UNetbootin
  3. Select the drive from the dropdown, (My only USB inserted was F:\, and was preselected)
  4. Select the distribution from the dropdown list
  5. Press “OK”

The Slitaz distro was 26Mb, so it took a minute or two to download, and then the build process begins:

[Screenshot: UNetbootin - SliTaz download]

Once downloaded, the process only takes about 60 seconds:

[Screenshot: UNetbootin - SliTaz installed]

I am very happy to have found it, and wish to thank Geza Kovacs (tuxcantfly) [The Author of UNetbootin], and all those who helped.  This is a great tool!


This month’s dc404 meeting was awesome.  We had ~40 people there and discussed many of the tools that we all use for our computers, and I found quite a few that I think I’m going to have to add to my personal list.

I decided in the first 10 minutes of the meeting that I would put together the list of what was presented, in order for us to have a record of them, and perhaps to even add more comments, and additional tools from some people who weren’t comfortable sharing in a large group.

My thanks to everyone who contributed, I’m always amazed at our group’s dynamic, and appreciate everyone’s contributions.

I have uploaded the spreadsheet that I took my notes in here, and also an HTML page here, that you can simply bookmark and refer to…

If you’d like to add more tools, or leave a comment, please do.  (If you want an account to blog here, please simply request one).

dc0de.


I’ve seen everyone scrambling now that Dell has pre-announced their new sub/mini notebook. I’ve even seen posts claiming that it’s the EEE killer… I beg to differ.

Looking at the feature comparisons, I’ve created the following table:

Feature | Dell Mini 9 | EEE PC 1000
Processor | Intel® Atom N270 | Intel® Atom N270
Display | 8.9 inch LED display (1024x600) | 10″ LED display 1024×600 (WSVGA)
SSD | 16GB | 40GB
Max RAM | 1GB | 1GB
OS | Genuine Windows® XP Home Edition SP3, or Ubuntu Linux 8.04 with custom Dell interface | ASUS’ customized version of Xandros Linux
Boot Time | 35 seconds, with Ubuntu | 28 seconds, with Xandros
WLAN | 802.11g mini-card option* | 802.11 a/b/g/n included
Bluetooth | Optional add on* | Included
Battery Pack | 32WHr battery (4 cell) | 6-cell, 6600mAh
Battery life | 4 hours | 6 hours
Camera | 0.3 or 1.3 megapixel* | 1.3 megapixel
Audio & Speakers | One external speaker | Hi-definition audio, stereo speaker, digital array mic
Run Time with WiFi on | 3 hours and 12 minutes | 5 hours and 12 minutes
External Connections | USB 2.0 (3); integrated 10/100 LAN (RJ45); 15-pin VGA video connector; audio jacks (1 line-out, 1 mic-in); 4-in-1 media card reader; AC adapter connector | USB 2.0 (3); integrated 10/100 LAN (RJ45); 15-pin VGA video connector; audio jacks (1 line-out, 1 mic-in); 3-in-1 media card reader; AC adapter connector
Dimensions | Width 9.13″ (232mm); Height 1.07″ (27.2mm) front / 1.25″ (31.7mm) back; Depth 6.77″ (172mm) | Width 10.47″ (266mm); Height 1.122″ (28.5mm) front / ~1.4961″ (38mm) back; Depth 7.53″ (191.2mm)
Weight | 2.28 lbs (1.035 kg) (8.9″ display, 4 cell battery) | 2.94 lbs (1330g) (10″ display, 6 cell battery)
Weight with Power Brick | 2.6 lbs | 3.4 lbs
Included Online Storage | 2GB (Box.net) | 20GB (eee Storage)
Colors | Obsidian Black [included in price], Alpine White [add $25] | Infusion Technology Pearl White, Fine Ebony
MSRP | $494 with Ubuntu 8.04 | $699.99 in black or white
URL | http://tinyurl.com/5at567 | http://tinyurl.com/45n4yt
Review URL | http://tinyurl.com/5hz6oo | http://tinyurl.com/67r958

*optional upgrades.

So, while the Dell looks nice, I’m not too impressed with its short battery life, small SSD, and their minuscule online storage. While the EEE PC is .8 lbs heavier in the bag and $200 more expensive, it seems that the EEE PC is going to be a much better netbook to purchase. (At least for me…)


© 2008-2010 dc0de's notes... & dc0de.com All Rights Reserved -- Copyright notice by Blog Copyright