Mike Meredith

May 10 2015
 

Whilst messing around with malware, memory dumps, and memory forensics, it is kind of handy to be able to use VirtualBox. Particularly when that is your virtual machine "weapon of choice".

According to the documentation, Volatility can read core dumps from VirtualBox. Once you realise that you need to specify a “profile” to read the result, this is quite simple :-

✓ mike@pica» VBoxManage list vms | grep Windows
"Windows" {9cefc95e-eaf2-4052-b466-cb665c73a36a}
✓ mike@pica» VBoxManage debugvm "Windows" dumpguestcore --filename ~/windows.elf
✓ mike@pica» ls -l ~/windows.elf
-rw------- 1 mike mike 2.1G May 10 14:11 /home/mike/windows.elf

If you specify the right profile option, then Volatility can make use of this :-

✓ mike@pica» volatility -f ~/windows.elf --profile=Win7SP1x86 cmdline          
Volatility Foundation Volatility Framework 2.4
************************************************************************
System pid:      4
************************************************************************
smss.exe pid:    260
Command line : \SystemRoot\System32\smss.exe
{Long list of processes removed}

All fairly obvious really, but if you do not specify the profile, Volatility will present you with an error that suggests it does not understand the format of the memory dump, which is a bit confusing :-

✓ mike@pica» volatility -f ~/windows.elf cmdline                     
Volatility Foundation Volatility Framework 2.4
No suitable address space mapping found
Tried to open image as:
{Long list of memory image formats}

At least to someone as thick as me! Yes it took me ages to get this figured out.
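One way to rule out the dump file itself before chasing the "No suitable address space mapping found" message, as an added example that is not part of the original post: it parses the ELF64 header and program headers of a file such as the one written by `dumpguestcore`. The function name `inspect_core` is hypothetical, and the check for a first note named `VBCORE` (the name VirtualBox gives its core descriptor note) is an assumption not taken from the page.

```python
import struct
import sys

ET_CORE, PT_LOAD, PT_NOTE = 4, 1, 4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header (56 bytes)
NHDR = struct.Struct("<III")               # note header: namesz, descsz, type


def inspect_core(f):
    """Summarise an ELF64 core dump read from the binary file object f.

    Raises ValueError when the file is not a 64-bit little-endian ELF core,
    i.e. when the container format really is the problem.
    """
    f.seek(0, 2)
    size = f.tell()
    f.seek(0)
    raw = f.read(EHDR.size)
    if len(raw) < EHDR.size or raw[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if raw[4] != 2 or raw[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    fields = EHDR.unpack(raw)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    if e_type != ET_CORE:
        raise ValueError("ELF file, but not a core dump (e_type=%d)" % e_type)

    info = {"note_names": [], "segments": [], "ram_bytes": 0, "truncated": False}
    for i in range(e_phnum):
        f.seek(e_phoff + i * e_phentsize)
        raw = f.read(PHDR.size)
        if len(raw) < PHDR.size:
            info["truncated"] = True          # program header table cut short
            break
        p_type, _, p_offset, _, p_paddr, p_filesz, _, _ = PHDR.unpack(raw)
        if p_offset + p_filesz > size:
            info["truncated"] = True          # segment runs past end of file
        if p_type == PT_NOTE and p_filesz >= NHDR.size:
            # Only the first note's name is read; it follows the header directly.
            f.seek(p_offset)
            nraw = f.read(NHDR.size)
            if len(nraw) == NHDR.size:
                name = f.read(min(NHDR.unpack(nraw)[0], 64)).rstrip(b"\0")
                info["note_names"].append(name.decode("ascii", "replace"))
        elif p_type == PT_LOAD:
            info["segments"].append((p_paddr, p_filesz))  # (physical address field, bytes)
            info["ram_bytes"] += p_filesz
    # Assumption: a VirtualBox guest core carries a note named "VBCORE".
    info["is_vbox"] = "VBCORE" in info["note_names"]
    return info


if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as fh:
        print(inspect_core(fh))
```

If this reports a complete ELF core whose `ram_bytes` is close to the guest's configured memory, the container format is fine and the missing `--profile` is the thing to look at.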

May 09 2015
 

Well if you are a Tory supporter nothing went wrong; indeed you must be cock-a-hoop given that you have a Tory government when 64% of the voters wanted something else! But if you are against the Tories, you have to be wondering what went wrong.

The most obvious problem is the broken medieval electoral system we have. For practical reasons it made sense in the days of horse-drawn carts to ask each area to appoint a representative in parliament. But today we should be able to design an electoral system where MPs represent people not places, and where everybody can say their vote helped appoint someone to parliament.

As an example if all the votes for the Green party were distributed amongst the smallest UK constituencies (you did realise they are different sizes didn't you?), they would have ended up with 23 MPs instead of just 1! The Tories would end up with 240 seats rather than 331, which basically means that the Tories are very good at distributing their supporters.

In my case, my vote went towards a loser which means I'm "represented" by a politician whose policies and attitudes I find totally repulsive. There is nobody in parliament that I voted for. And the same applies to a huge swathe of the population who are now feeling alienated by the whole process.

And that is something that can and should be changed.

The alienation caused by the first past the post system is probably one of the causes of the low turnout; what is the point in voting if you live in a "safe" seat?

The most obvious difference in this election is the wholesale take-over of Scotland by the SNP, which surprised everyone. Which leads the new Tory government to a bit of a problem – with just one MP in Scotland, they essentially have no mandate to govern Scotland. 

And even in England, the Tory majority is nothing to crow about – a majority of 5 is what would have been called a "fragile majority" in the past. A Tory leader with such a slim majority is likely to run into problems if they try and ram through a radical programme.

The Tories managed to persuade many of us that a bit more self-flagellation is necessary, and punishing the poor and unfortunate is good for the country.

The effect on the Liberal Democrats is both surprising and entirely predictable. Joining a coalition with the Tories was always a mistake in terms of future elections – it was always seen as helping to put the Tories into power, and many Liberals were far less accepting of this than they would have been to see the party join a coalition with Labour. What the Liberal Democrats failed to sell was the idea that their presence in government helped to ameliorate the Tory extremes.

Labour's failure was probably down to several things :-

  1. The failure to demolish the myth of Labour's economic incompetence that "caused" the recession. It was the global failure of the banking system that caused that failure. Labour's spending was actually reasonably restrained until the need to rescue the banks arose.
  2. The failure to come up with a true alternative to the austerity plan of the Tories. Given the level of government debt that would be a hard job, but it could be started by pointing out (quite rightly) that simplistic austerity makes the debt problem worse.
  3. The inability to persuade that most voters are actually "working class". There is a historic problem with the class system by which people think of the working class as cloth-capped horny-handed manual workers of one kind or another. In reality, everybody who works for a living is working class.

Of course whinging about it is not going to change things. We have five years of Tory mismanagement and punishing austerity to accept now.

May 02 2015
 

I have recently been upgrading my Linux containers from Debian wheezy to jessie, and each time have encountered a problem preventing the container from booting. Or rather as it turns out, preventing the equivalent of init from starting any daemons. Which is systemd of course.

Now this is not some addition to the Great Systemd Debate (although my contribution to that debate may well arrive someday), but a simple fix, or at this stage a workaround (to use the dreaded ITIL phrase).

The fix is to re-install the traditional SystemV init package replacing the new systemd package. This can be done during the upgrade by running the following at the end of the usual process :-

apt-get install sysvinit-core

Of course you will probably be reading this after you have encountered the problem. There are probably many ways of dealing with the situation after you have tried rebooting and encountered this issue, but my choice is to run the following commands from what I tend to call the "global container" :-

chroot "$CONTAINER_ROOT"    # CONTAINER_ROOT is the path to the container's root filesystem
apt-get install sysvinit-core

As mentioned before, this is not a fix. And indeed the problem may be my own fault – perhaps it doesn't help having the "global container" still running wheezy. Perhaps there are some instructions in the Debian upgrade manual that detail some extra step you should run. And of course by switching back to System V init, we are missing out on all of the systemd fun.

Apr 25 2015
 

So for ages I've been having these mysterious slow downs in connecting to some of my internal servers. A few seconds, but once connected things are working normally.

And of course I kept putting off having a look into the problem, because firstly I'm lazy, secondly there are other more interesting things to look at, and thirdly I'd already discounted the obvious (actually I'd "fixed" it but made certain assumptions). But it's finally time to have a look.

Now I said I'd earlier discounted the obvious but decided to have a look anyway. The thing to remember is that when you connect to a server it almost always performs a DNS lookup on your network address, so a mysterious slow down could well indicate that DNS resolution is to blame. You could perform diagnostics to determine what the problem is, but in all the decades I've been solving issues with computers whenever a mysterious slow down has occurred when connecting over the network, then the problem has almost always been the DNS resolver.

Taking a look at /etc/resolv.conf on the relevant server (a Linux container), and I find the file has a nameserver within it that was retired several weeks ago! Fixing that solved the issue.

Lessons learnt :-

  1. Just because you have a centrally distributed /etc/resolv.conf that is automatically installed on all your home network doesn't mean to say that it is always automatically installed. My Linux containers don't get that centrally distributed file (which had been corrected!).
  2. Don't assume that it's not the obvious even if you have reasons for thinking it couldn't possibly be the obvious (see #1).
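A check for the stale-nameserver case described above, as an added example that is not part of the original post: it reads the `nameserver` lines from a resolv.conf and times one UDP query against each, so a retired server shows up as "no reply". The function names and the query name `example.com` are assumptions chosen for illustration.

```python
import socket
import struct
import time


def parse_nameservers(text):
    """Return nameserver addresses in file order, ignoring # and ; comments."""
    servers = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(words) >= 2 and words[0] == "nameserver":
            servers.append(words[1])
    return servers


def build_query(name, txid=0x1234):
    """Build a minimal DNS query (type A, class IN, recursion desired)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def probe(server, port=53, name="example.com", timeout=2.0):
    """Return seconds until the server answers, or None if it never does.

    Any reply with our transaction id counts (even SERVFAIL or REFUSED):
    the point is whether something is still listening at that address.
    """
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        try:
            s.sendto(build_query(name), (server, port))
            data, _ = s.recvfrom(512)
        except OSError:          # timeout, unreachable or refused
            return None
        if data[:2] != b"\x12\x34":
            return None
        return time.monotonic() - start


def check_resolv_conf(text, **probe_args):
    """Map each configured nameserver to its reply time (None = no reply)."""
    return {ns: probe(ns, **probe_args) for ns in parse_nameservers(text)}


if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        for ns, rtt in check_resolv_conf(fh.read()).items():
            print(ns, "no reply" if rtt is None else "%.0f ms" % (rtt * 1000))
```

Run it inside each container as well as on the host, since the containers in the post did not receive the centrally distributed file.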

 

Apr 22 2015
 

This post is going to be quite long and a bit of a mishmash of different things – my own personal story, a description of what vaping is, politics and conspiracy theories. No great detail in here – it's pretty much an overview.

After approximately 10 months of vaping and not smoking (the "stinkies" being the vaper's term for cigarettes), I think I can reasonably claim that I am no longer a smoker. Like most ex-smokers, I made numerous attempts to give up varying from a few months to just a few hours. The last attempt to give up was assisted by having the right vaping equipment, but was surprisingly easy – either it was just at the right time, or vaping really does make it easier to quit.

Of course without a double-blind study to show it, we really are not supposed to say that vaping makes it easier to quit smoking, but anecdotally (and personally) it certainly seems to be the case.

But …

What Is Vaping?

To put it simply, vaping is the act of inhaling the vapour produced by heating an e-liquid so that it produces something close to steam.

There is no burning or smoke involved. The vapour that is produced contains nicotine, vegetable glycerine, propylene glycol, and various flavourings.

Really rather chemical-sounding, but it contains hundreds fewer chemicals than are produced by a burning cigarette. And whilst (with the exception of nicotine) the chemicals used in vaping are not necessarily approved for inhaling, they are approved for human consumption.

The Gear

Cig-a-likes, clearomisers, tanks, mods, … the world of vaping equipment is a confusing mess. Some are more effective than others, and it isn't always easy to tell which is going to suit you, but the sound-bite :-

The more a device looks like a cigarette, the less effective it is.

(Although there is a separate rant about cig-a-likes)

All devices whether they come as separate components or as an integrated device can be split into two – the power source, and the atomiser. The atomiser is what turns e-liquids into vapour and is the key item (assuming a reasonably capable power source) for determining the quality of the vapour production. All of the different atomisers work in the same basic way – there is some form of e-liquid storage, some wicking material to move the e-liquid, and the electrical coil which heats up the e-liquid to produce the vapour.

The coil itself is pretty much like an old-fashioned electric fire, although a bit smaller. The coils vary in resistance from about 0.5 ohms to about 2 ohms; the lower the resistance the greater the strain on the power source. Varying the resistance makes a difference to the vaping experience that is too complex to go into here.

The different power sources themselves can be divided into two – regulated devices and unregulated devices. Unregulated devices are little more than a simple battery where the power supplied to the atomiser is whatever the battery can provide. Whilst there are advantages with unregulated devices, they can be unsafe with lower resistance coils and so should be avoided by beginners.

Regulated devices allow you to set the power sent to the coil and if the battery is capable of delivering that power, it will be delivered. Most also include safety features to prevent electrical accidents.

Device Safety

Having mentioned issues with device safety, let's go a bit further into that.

If you buy a cheap and nasty battery off a well-known online auction site, charge it from a cheap and nasty battery charger, use it on an unregulated power source with an unreasonably low resistance coil, then you may have issues :-

  1. Electrical fire when your charger blows up or forces more electricity into your battery than it wants to hold.
  2. Battery venting when the battery gets overloaded. When a battery vents, it heats up dramatically and leaks liquids and gasses.
  3. If a battery vents inside a device that doesn't allow for the gasses to escape, then the gas pressure will build up until something lets go – in extreme cases you can have pieces of a metal tube fragmenting and scattering at high speed. A pipe bomb in other words.

Now that I've scared you all, let me emphasise that this does not happen if you're sensible – sensible in your purchasing decisions and sensible in your vaping habits. A good charger will shut down if the cheap and nasty battery it is charging shows signs of blowing up. A regulated device will turn off when the battery starts behaving badly. And a sensible vaper will make sure all their vaping components are safe before trying sub-ohming.

Essentially when you hear of some kind of vaping accident (and you will – bad news travels faster than good news), you will know that you're hearing of an unlucky idiot.

Those Damn Cig-A-Likes

Cig-a-likes are exactly what they sound like – electronic cigarettes designed to look like "analog" cigarettes. Even down to a silly little LED that glows on the end when you take a puff.

They don't work. Or at least didn't work for me.

The batteries are too small to last more than an hour, and what is worse is they don't just stop but fade away.

The cartridges that plug into the batteries contain a tiny amount of e-liquid, and taste bad enough that it makes bilge-water seem like a tasty drink.

As you might have guessed, I made several attempts to give up with the assistance of cig-a-likes, and failed every time. At best they were a crutch that kept me off the stinkies for a few days or hours, but they weren't satisfying, or enjoyable.  

E-Juice

I'm not entirely sure where the name comes from, but the liquid we use to generate the vapour is called "e-juice". 

It is flavoured, and may contain nicotine. Yes, you can get e-juice without the dreaded nicotine.

But what may come as a surprise is that most e-juice flavours have nothing at all to do with tobacco. Various fruits, spirits (whiskey, rum, etc.), baked goods, custards, and probably a whole lot more. And the relative unpopularity of tobacco flavours probably surprises the e-juice suppliers as much as you!

And no, all these colourful flavours have nothing to do with hooking children; as a whole the vaping industry seems horrified at the thought of selling to children. Since starting vaping I've seen more "Are you over 18" pop-up messages from sites than in all the years before. It has much more to do with former smokers rediscovering their taste buds.

Is It Safe?

Oh boy! Is that a big can of worms. No. 

Alternatively

I don't know, but it smells nicer.

There is no such thing as safety. All activities (including consumption of anything) necessitate taking risks. Including vaping. This section should of course include many links to the relevant scientific papers detailing studies done. Unfortunately I'm too lazy, but not everyone has been :-

The right two questions to ask are :-

What Risks Are Associated With Vaping?

The short answer to that is that nobody knows.

The longer answer is that apparently there is not a significantly higher amount of HPHCs (a technical word meaning "nasty stuff") in e-cigarette vapour than there is in ambient air whereas cigarette smoke contains tons (well to be more precise, milligrams which is lots in this scenario). Of course I have ignored the results of studies done with poor methodology.

There are studies which have found nasty stuff (in particular formaldehyde) in e-cigarette vapour, but in many cases this is a result of poor experimental methodology. Any experienced vaper knows about "dry hits" or "burnt hits" where the power is too high and/or the wicking isn't sufficient to deliver enough e-liquid to the coil. What happens then is that the coil chars or burns the wicking material, which results in a vapour that is so acrid and nasty that nobody could breathe it in fully; in one recent posting it has been described as Satan's farts.

With an automated testing machine it is difficult to avoid these dry hits as there is no human in the loop to say "Yerk". Interestingly in one study, the published tweet claimed high levels of formaldehyde which caused the researchers some distress as they had deliberately tested beyond the safe limits to produce half of their results. Their full study actually showed that there was no formaldehyde when vaping normally and formaldehyde was only found at ridiculously high levels of power (for the atomiser they were using).

Lastly, there is some level of misunderstanding of study results going on. For example, there is the case where a study found high levels of metallic nanoparticles in the vapour produced. Which was instantly leaped upon by the anti-crowd who neglected to point out that the levels found were below safe limits.

The long term effects of what appears to be non-toxic components of e-cigarette vapour are not well known, but it is widely accepted amongst reasonable people who have studied the question that vaping is much less risky than smoking. In fact it is entirely reasonable to suppose that walking alongside a busy road has a far higher risk (from internal combustion pollution) than vaping.

Or my old phrase summing up the situation :-

If you're a smoker, you'd be crazy not to try vaping. If you're a non-smoker, you would be crazy to start vaping.

Is probably a bit too cautious.

What Risks Does Vaping Impose On Bystanders?

This is even less well studied than vaping. But have you ever complained about the "smoke" machines at gigs or clubs? No? Well you've been ignoring a risk that is for all effective purposes just the same as an electronic cigarette; those "smoke" machines, although they pre-date e-cigarettes, are just big versions of a vaping device.

Admittedly the "e-liquid" they put into smoke machines lacks the nicotine and usually flavourings that e-liquids contain, but the levels of nicotine reaching a bystander are zero or so low as to be negligible.

Probably the biggest risk is that the smell of some vapour is likely to make bystanders on a diet feel hungry.

Think Of The Children!

Actually, and just for once, let's not. Let's think of the smokers who will die if we demonise vaping first.

Vaping isn't for children. And if children do "experiment" (which they already do with cigarettes) isn't it better they experiment with something that is less risky than smoking itself? If we eventually change the world so that smoking is almost non-existent and most ex-smokers vape instead, children will find it much harder to experiment with smoking and will have to resort to vaping.

And preliminary evidence shows that children who do experiment with vaping are less inclined to get addicted to it.

Conspiracy Theories and Politics

When it comes to moves to regulate electronic cigarettes, the online vaping community seems particularly subject to conspiracy theories :-

  • Big Pharma wants to demonise vaping because it has invested billions (really?) in nicotine replacement therapy and wants to keep selling the nicotine patches, sprays, and pills.
  • Big tobacco wants to demonise vaping to maintain their revenue stream.
  • Politicians want to demonise vaping to maintain their revenue stream (from taxes).
  • Anti-tobacco campaigners want to demonise vaping to maintain their revenue stream (if vaping takes over from smoking there will be fewer anti-tobacco jobs).

I'll be the first to say that I cannot disprove any of these (you cannot disprove a negative), and there may be some truth in some of them.

But Occam's razor leads me to believe it is just ignorance and assumptions that lead to the opposition to vaping. Regulation is necessary, but sensible evidence-based regulation not reflex regulation. So we need to educate the politicians, and the politicians need to educate themselves.