Jul 23 2022

I was following one of those Twitter threads posting their favourite command-line tools (specifically for infosec), and added my own entry – the incomparable tshark. Later it occurred to me that the best command-line tool isn’t really a tool at all as it is built into the shell – the pipe. Many of the command-line tools just wouldn’t be quite the same without it.

For those who aren’t familiar with the command line, the pipe (“|”) takes the output of one command and feeds it as input to another command. You can chain several commands together this way, with each stage working on the output of the one before it (which can lead to inefficiencies).

For example :-

» ls | wc -l

This takes the usual command for listing files and sends the output into the “word count” command to produce a count of the number of files in the current directory. To be more precise, it produces a count of the number of files that ls thinks are in the directory. You can get different results with different variations :-

» echo * | wc -w
» ls -a | wc -l

If you had a log file containing DHCP requests you could :-

» grep DHCPDISCOVER 2022.07.local0.info.log | head
2022-06-30T23:59:05+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from 4D:6D:4F:55:59:B4 (esp32-D04CCC) via
2022-07-01T01:30:04+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from 4D:6D:4F:55:59:B4 (esp32-D04CCC) via
2022-07-01T02:53:33+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from DF:69:AF:DC:79:3E via eth0
2022-07-01T02:53:33+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from DF:69:AF:DC:79:3E via
2022-07-01T02:53:39+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from a8:a6:48:92:9d:36 via eth0
2022-07-01T03:01:03+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from 4D:6D:4F:55:59:B4 (esp32-D04CCC) via
2022-07-01T04:32:02+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from 4D:6D:4F:55:59:B4 (esp32-D04CCC) via
2022-07-01T04:56:53+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from 91:06:27:15:EF:DC via
2022-07-01T06:03:01+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from 4D:6D:4F:55:59:B4 (esp32-D04CCC) via
2022-07-01T07:34:00+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from 4D:6D:4F:55:59:B4 (esp32-D04CCC) via

List out the first few DHCP DISCOVER requests (the astute may notice that I’ve done some obfuscating). We can then pick out a field using awk to list just the MAC addresses :-

» grep DHCPDISCOVER 2022.07.local0.info.log | awk '{print $7}' | head

We can then remove the “head” command and add a sort and uniq command to produce a full list of all MAC addresses that have performed a DHCP DISCOVER :-

» grep DHCPDISCOVER 2022.07.local0.info.log | awk '{print $7}' | sort | uniq -c
      4 DF:69:AF:DC:79:3E
      3 89:C1:67:B8:9D:6F
      6 F3:55:1E:06:D4:49
      4 F3:55:1E:06:D4:48
     12 4D:6D:4F:55:59:B3
     92 91:06:27:15:EF:DC
     46 85:2C:B4:B3:70:7E
    333 4D:6D:4F:55:59:B4
      2 40:5B:D8:FF:FA:29
     72 FD:D4:00:41:29:BE
      5 36:1E:07:2D:AD:76
     41 44:FD:6E:05:82:21
     81 CC:78:14:BB:E4:3D

We can sort the result into reverse numerical order :-

» grep DHCPDISCOVER 2022.07.local0.info.log | awk '{print $7}' | sort | uniq -c | sort -r -n
    333 4D:6D:4F:55:59:B4
     92 91:06:27:15:EF:DC
     81 CC:78:14:BB:E4:3D
     72 FD:D4:00:41:29:BE
     46 85:2C:B4:B3:70:7E
     41 44:FD:6E:05:82:21
     12 4D:6D:4F:55:59:B3
      6 F3:55:1E:06:D4:49
      5 36:1E:07:2D:AD:76
      4 F3:55:1E:06:D4:48
      4 DF:69:AF:DC:79:3E
      3 89:C1:67:B8:9D:6F
      2 40:5B:D8:FF:FA:29 

And if you have access to the relevant script, you can produce terminal graphics (just to keep innumerate managers happy) :-

» grep DHCPDISCOVER 2022.07.local0.info.log | awk '{print $7}' | sort | uniq -c | sort -r -n | awk '{print $2, $1}' | tbar --replace 1 --max 350
4D:6D:4F:55:59:B4 ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
91:06:27:15:EF:DC ■■■■■■■■■■■■■■■
CC:78:14:BB:E4:3D ■■■■■■■■■■■■■■
FD:D4:00:41:29:BE ■■■■■■■■■■■■
85:2C:B4:B3:70:7E ■■■■■■■
44:FD:6E:05:82:21 ■■■■■■■
4D:6D:4F:55:59:B3 ■■
F3:55:1E:06:D4:49 ■

The pipe isn’t so much a tool itself as a mechanism to combine tools into producing interesting results.
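The counting pipeline above, tightened for use on real logs (an added example, not code from the original post): the excerpt contains both upper- and lower-case MAC addresses, which `sort | uniq -c` counts as different clients, and a plain `grep` matches the string anywhere on the line, including the client-supplied hostname in brackets. The sample lines are constructed, reusing MAC addresses from the post; the DHCPREQUEST line and its hostname are invented.

```shell
#!/bin/sh
# Constructed sample lines in the same layout as the log excerpt above.
sample_log() {
cat <<'EOF'
2022-07-01T02:53:33+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from DF:69:AF:DC:79:3E via eth0
2022-07-01T02:53:39+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from a8:a6:48:92:9d:36 via eth0
2022-07-01T02:54:10+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from A8:A6:48:92:9D:36 via eth0
2022-07-01T03:01:03+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from 4D:6D:4F:55:59:B4 (esp32-D04CCC) via eth0
2022-07-01T04:32:02+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from 4D:6D:4F:55:59:B4 (esp32-D04CCC) via eth0
2022-07-01T06:03:01+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPDISCOVER from 4D:6D:4F:55:59:B4 (esp32-D04CCC) via eth0
2022-07-01T06:05:00+00:00 <local0.info> 2001:db8:bad:cafe::b/d-FCB dhcpd: DHCPREQUEST for 192.0.2.10 from DF:69:AF:DC:79:3E (DHCPDISCOVER-lab) via eth0
EOF
}

# The pipeline from the post, reading the log on stdin.
# On the sample it reports five "clients": the two spellings of one MAC
# are split, and the DHCPREQUEST line contributes an IP address.
naive_counts() {
    grep DHCPDISCOVER | awk '{print $7}' | sort | uniq -c | sort -r -n
}

# Same report in a single awk pass: match on the message-type field
# instead of the whole line, and fold MAC addresses to upper case
# before counting. Prints "count mac", busiest client first.
discover_counts() {
    awk '$5 == "DHCPDISCOVER" && $6 == "from" { seen[toupper($7)]++ }
         END { for (mac in seen) print seen[mac], mac }' |
    sort -k1,1nr -k2,2
}

sample_log | discover_counts
```

On a real log, feed the file in the same way: `discover_counts < 2022.07.local0.info.log`.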

It’s Round
Jul 23 2022

A certain bunch of … let’s call them idiots to be relatively polite … have been spewing forth idiocy in the online comments of various places labelling the heatwave warnings as “scare-mongering”. Mentioning the summer of 1976 and saying we all coped.

The heatwave of 1976, although it went on for longer, didn’t get as hot (36C was nearly reached). That’s 4C below this year’s heatwave peak. And people died during that heatwave too – there was a 20% increase in “excess deaths”.

So no, we didn’t cope in the 1976 heatwave; at least not those of us who died.

A lot of criticism was aimed at the Met Office for the heat warnings, and mainstream media channels for repeating the warnings so endlessly. “Oh! We see such temperatures every year on holiday” the numb-brained drawl. No, you don’t; at least not often.

And when you do, it’s when you’re sleeping in air-conditioned hotel rooms beside a pool, with plenty of shade around. You aren’t stuck in offices with no air-conditioning, even hotter work-places (such as kitchens), or outside in the sun (nailing tiles to a roof). You’re not sleeping in a bedroom with the choice of leaving the windows shut (and building up heat), or opening them to let hot air (and noise) in.

When experts issue warnings, it is wise to pay attention to them. Whilst I understand an instinctive distrust of authority (I share it), subject specialists should be trusted – not blindly but (for example) when the Met Office issues heat warnings, it isn’t just one expert thinking it. If you want to question an expert, get as much education as they’ve had.

In short :-

  1. That heatwave was dangerously high and justified the number of warnings issued.
  2. It isn’t natural and was made more severe by climate change.
  3. Being that guy who claims that we’re all snowflakes for being concerned about it just shows that you’re an idiot.

Two Posts in the Sea
Jul 13 2022

Not all shell aliases of course, but some. I’ve just seen a YouTube video that suggested creating a shell alias to run rmtrash when rm is invoked :-

alias rm='rmtrash'

Seems sensible enough doesn’t it? This is in fact the classic example of how dangerous shell aliases can be, although the classic example was to turn on “-i” :-

alias rm='rm -i'

The problem is that you get used to “rm” being safe – either it asks before it removes files (“-i”) or it safely preserves what is deleted in the Trash folder. But what happens when the alias doesn’t get created? Perhaps you have a broken .zshrc and Zsh stops interpreting before the alias is declared. Or you’ve logged on to a remote server that doesn’t have your .zshrc installed as yet?

All of a sudden you are running the unadulterated rm command – deleting files without asking first and without preserving them in the Trash folder. See the danger now?

It is better not to replace standard commands but create a new ‘command’ :-

alias del="rmtrash"

Perhaps you regard this as being excessively risk averse – fair enough. But just don’t say you weren’t warned – and I’ve encountered missing aliases every year over the last 30-odd years I’ve been using Linux and Unix.
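One way to check a startup file for the pattern described above, added here as an example and not code from the original post: the function reads rc-file text on stdin and lists every alias whose name replaces a standard command. The watch list (`rm mv cp`) and the sample rc content are assumptions made for the example.

```shell
#!/bin/sh
# Constructed rc-file content for the example.
sample_rc() {
cat <<'EOF'
alias ll='ls -l'
alias rm='rmtrash'
  alias cp='cp -i'
alias del="rmtrash"
# alias mv='mv -i'
EOF
}

# Read rc-file text on stdin and print "name<TAB>definition" for each
# alias that replaces a command on the watch list. The default list
# (rm mv cp) is an assumption; pass another list as the first argument.
# Aliases with a new name (such as del) and commented-out lines are
# not reported.
shadowing_aliases() {
    awk -v names="${1:-rm mv cp}" '
        BEGIN { n = split(names, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        /^[ \t]*alias[ \t]+/ {
            def = $0
            sub(/^[ \t]*alias[ \t]+/, "", def)
            eq = index(def, "=")
            if (eq == 0) next
            name = substr(def, 1, eq - 1)
            if (name in watch) print name "\t" substr(def, eq + 1)
        }'
}

sample_rc | shadowing_aliases
```

Run it against a real startup file with `shadowing_aliases < ~/.zshrc`.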

The Bare Family
Jul 09 2022

The supposed resignation of Boris Johnson comes as a bit of a surprise to many observers – they felt that he wasn’t going to go voluntarily. But with an all time record of ministers resigning from his government, to the point where government business had to be suspended, there wasn’t much in the way of choice.

The funny thing is the number of misconceptions floating around about his resignation. I’m no constitutional lawyer (although I do at least know that the UK does in fact have a written constitution), but here are some corrections :-

  1. He hasn’t resigned as the UK’s Prime Minister, or we would have a new one by now – the House of Commons would nominate and the Queen would appoint. This is distinct from his place as the leader of the Tory party.
  2. He may have resigned as leader of the Tory party, or potentially indicated his intention to resign once a new leader has been nominated and elected. In theory, he could simply refuse to stand down as Prime Minister – his position as PM is not directly contingent on his being the leader of the Tory party.
  3. The House of Commons could have a confidence motion to force the resignation of the PM or the dissolution of parliament forcing a general election. That hasn’t happened so far but may happen next week. In normal circumstances there is no chance that a government with a majority of MPs would lose such a motion, but these aren’t ordinary circumstances. And Tory MPs may feel that removing a rogue PM is more important than the risk to their seats in an early general election; certainly you could expect them to vote in the interests of their country. Although if Tories really are self-centred sociopaths who are more interested in covering their arses than the good of the country then such a motion of no confidence will fail.
  4. All the noise about the 1922 Committee is about the Tory party and selecting its leader – it has nothing to do with the government.

In all likelihood, Johnson will remain the PM whilst the Tories select a new leader – quite possibly sooner than the autumn even though Johnson is hoping for autumn. And the new leader will be worse than Johnson – Johnson is a lazy fool and his replacement will want to make their mark.

Filthy Roaring Beasts Rushing Along The Scar
Jul 03 2022

In 1973 seven dudes (the gender becomes relevant later) decided that US States had no right to legislate what women did with their uteruses; specifically, that State laws prohibiting abortion were unconstitutional. In 2022, four dudes and one woman struck down Roe vs. Wade, opening the floodgates to repressive State legislation.

On at least one point, the ruling is historically wrong – they make a big point about how many of the States had made abortion illegal in the 19th century; what they overlook (or gloss over) is that under English common-law, abortion was legal (and widely practiced) until the “quickening” (when it starts to move) of the foetus. Essentially that 19th century legislation removed a long-established right to abortion.

Of course the “pro-life” bunch are cock-a-hoop, although places where abortion is legal (and not just legal in name only where “pro-life” terrorists harass anyone visiting an abortion clinic) have fewer abortions than places where abortion is illegal.

Some of the reaction from the pro-choice side has revealed some interesting misconceptions.

The first is the notion that this decision reverts the US back to the medieval era. It would be more accurate to say that when the States enact anti-abortion legislation, the situation becomes that of the early 20th century where abortion is illegal, but there are multiple campaigners. The medieval era was no shining light of liberalism, but abortion (before “quickening”) was legal or at worst treated by the church courts as a misdemeanor.

The second relates to gender – that this is men controlling women’s bodies. Well there’s certainly an element of truth there, but it isn’t quite that simple. Bear in mind that Roe vs Wade was enacted by seven old white dudes, and opposition to it is not exclusively male – those misguided justices that overturned it included one woman.

In addition, if we look at the wider US population support for prohibiting abortion, there is support amongst both genders – 40% amongst men and 37% amongst women (source: Pew Research). A Gallup poll shows that 12% of women and 14% of men support prohibiting abortion in all circumstances.

No, this is the result of a tiny minority of religious extremists having infiltrated the SCOTUS. They’re certainly misogynistic but it isn’t so much men as christofascists.

Dover Castle Gateway