Datashur iStorage Encrypted USB Stick

 Computing, Security  No Responses »
May 012013
 

Sigh. Yet another company under the foolish impression that you have to stick an “i” in front of something to make it cool. Which is a bit of a shame really, because this is sort of cool :-

What it is, is an encrypted USB memory stick but unlike most others, this one does not rely on software. You enter the appropriate PIN code on the built in pad, and the storage is unlocked. With everything built into the stick there are a number of advantages :-

  1. It’s a lot simpler. There’s no special software to run to decrypt and encrypt a special file on the memory stick. 
  2. Because it’s simpler, it’s harder to make mistakes – there’s no chance of accidentally writing unencrypted data to the stick – don’t laugh, it happens!
  3. Also because it’s not based around a software package, there’s no platform limitations – it’ll work fine with all the odd platforms you can find out there – Linux, Android devices, PS3s, old Unix workstations (if you can find a USB hole to plug it into), etc.

However it’s not perfect :-

  1. There’s concern about how long the keypad will remain reliable for. It should be more than reliable enough, as normal keyboards are reliable for millions of key strokes, and this keypad may well be more reliable (it’s simpler). 
  2. Because the PIN is only effective whilst the memory stick is “mounted”, it may require a lot of PIN entries when used in certain ways – such as a bootable device.
  3. Entering the PIN whilst the memory stick is attached may be tricky; it might be better used on an extension lead. Although it’s possible to enter the PIN whilst disconnected, this doesn’t seem natural.
  4. Given the environment that most USB sticks live in (i.e. pockets or handbags), there is a concern that moisture, dust, or fluff could work itself into the casing and interfere with the workings. However the case that fits over the keyboard seems to fit quite well including a rubber seal that should help.

One thing that came as a surprise when I first got it was that it has a re-chargeable battery which seems a touch odd until you realise that some operations can only take place when this stick is not connected. This includes changing the default PIN code, and of course this numbskull took an age to realise that you cannot set the PIN code when it is connected to the computer!

Once that was sorted out, it took very little longer to have a properly working USB stick. It works very much the same as any other USB stick except that when it becomes “unmounted” (I use this under Linux) it refuses to act as a USB memory stick until the PIN is re-entered.

Physically it is on the larger size of what is sensibly carried around in the pocket, but obviously could not be much smaller without making the keypad smaller than it is. Whilst usable, any smaller and the current keypad would become very awkward to use for those with larger hands (such as me).

Long term robustness will have to wait until it has been in my pocket for more than a week. However so far, the following observations have occurred :-

  1. The paintwork of the external casing (the cover for the stick itself) may not be especially robust as a few scratches have already appeared.
  2. The wire loop for attaching to a keyring feels a little flimsy, but perhaps that is because the expectation is for a key ring rather than a loop of wire.
  3. The mechanism for unscrewing the wire is a little fiddly.

The “Real” History of the Web

 Computing, History  No Responses »
Apr 302013
 

Today’s news stories include an item on CERN’s initiative to re-create the very first web page, and it included a tiny bit of history of the web.

The only trouble? Their (the BBC’s that is) history of the web doesn’t quite match my memories of how it happened, and as it so happens I was there. Not at CERN of course, and I can’t claim to be a particularly significant part of the history of the web. But I did create one of the earliest web servers in 1992, and again in 1993 (the archived copy was made in 1997).

The big error in the BBC’s article was the importance of the discussion of whether CERN should try to retain control of the web or leave it to the public to decide. Whilst that decision was undoubtedly important – particularly for keeping the web standardised – it wasn’t quite as important as described as by 1993, the web was already “out there”.

CERN did release the very first server software to support the web, and the very first web browser way back in 1991. The server software (at least by the time I saw it) was pretty much a standard Unix-based piece of software so it could be compiled and run on pretty much any Unix-based machine. The browser (WorldWideWeb) on the other hand was restricted to NeXT-based machines which were relatively rare; most people were restricted to a text based browser called Lynx. The popularity of the web took off when an NCSA project introduced a graphical web browser called Mosaic.

If it had not been for Mosaic, it is quite possible that another graphical web browser would have popularised the web anyway – CERN’s browser had shown what was possible. And Mosaic was not the only graphical browser being created at the time.

The other thing that is often overlooked was that CERN’s “web” wasn’t unique in being an application with a “browser” and a “server” that allowed information to be fetched across the Internet and displayed appropriately. One of the biggest competitors was Gopher, but there were others around at the time. Indeed most early web browsers would happily display “gopher pages”.

The unique “selling” point of CERN’s web, was the use of hypertext as the main content which allowed for information to be presented on the same page as navigation content – most alternatives would have hierarchical menus to browse through until you found the information you wanted at the bottom of the tree.

By 1993, CERN’s “web” was already so widely in use that they had no choice about keeping it to themselves; indeed the decision made by CERN was to formally make their software “public domain” but it was effectively after the horse had bolted.

This sounds like an attempt to trivialise what CERN did – it isn’t. They deserve plenty of credit for what they did, but neither should we forget that something very similar was already happening, and in the end it was the people who created the first interesting web pages and not just the people at CERN who deserve the credit for today’s web.

Discarding Log Messages with rsyslogd

 Computing, Working Notes  No Responses »
Apr 252013
 

Normally when I want to do something other than the “standard” thing with logging, I replace whatever came with the server with syslog-ng, but I’ve just had an urgent need to do something with rsyslog. Specifically exclude any messages with reference to a certain card that was generating “corrected” errors at a vast frequency … enough that my /var filesystem was filling up regularly.

Turns out to be surprisingly easy, if you figure out how to get rsyslogd to read the updated configuration.

First the rule :-

:msg, contains, "pcieport 0000:00:09.0" ~

This more or less translates as look for the string “pcieport …” in the complete message sent to syslog and if it appears then discard.

It turns out (quite sensibly) that this needs to appear before any rule sending messages off to a file to get stored for later. And of course the configuration file to edit was /etc/rsyslog.conf.

Before blindly restarting, it’s quite nice to have something that will check the syntax of what you’ve just written to make sure it is valid. Nobody gets this stuff right first time! Turns out there’s a simple way :-

# rsyslogd -f /etc/rsyslog.conf -N 1

Once that stopped giving an error, I needed to get the running daemon to accept configuration changes. It seems that whilst it accepts SIGHUP, it perhaps does not re-read the configuration file so a full restart is necessary :-

# /etc/init.d/rsyslog restart

Fixing A Mangled PDF With Some Pages Requiring Rotation

 Working Notes  No Responses »
Apr 032013
 

Scanning paper documents is such a tedious task that I tend to lose concentration when doing it. And as a result I recently ended up with two PDF documents needing post-processing. In the worst case, the PDF consisted of three pages – one in the correct orientation, and two rotated 180°!

As usual, there’s a Unix command to help out with that – pdftk. Specifically :-

pdftk \
  input-file.pdf \
  cat 1 2-endS \
  output out.pdf

The interesting operation is contained within the cat 1 2-endS which translates as copy the input page 1 to the output unaltered, and copy the remaining pages rotated 180° (or “S”) to the output. This is of course only the tiniest fraction of what this tool can do.
 

Media Panics Over Spamhaus DDoS Attack

 Computing, Security  No Responses »
Mar 282013
 

This article is short on references because I haven’t gotten around to filling them in … they will come

The fuss in the mainstream media about the distributed denial of service (DDoS for short) attack against Spamhaus goes to show that journalists need to buy more drinks for geeks, and the right geeks. It is nowhere near as bad as described, although the DDoS attack was real enough and definitely caused “damage” :-

  1. New York Times: http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html?pagewanted=all&_r=0
  2. Daily Mail:  http://www.dailymail.co.uk/news/article-2300810/CyberBunker-revealed-Secretive-fanatic-worst-cyber-attack.html

This article is not intended to be totally technically accurate in every detail; it is intended to describe the incident in enough detail and with enough accuracy that it can be understood without übergeek status.

So What Happened?

Spamhaus are experiencing on ongoing distributed denial of service attack that started on the 20th March, and is ongoing. The initial attack very quickly overwhelmed their 10Gbps (that’s about 1,000 times faster than your Internet connection) link to the Internet. Whilst this disrupted the Spamhaus web site, and various back office services, the main service that Spamhaus provides kept running (as it is distributed).

The very clued up geeks at Spamhaus who have had plenty of experience of being under attack, very quickly contacted CloudFlare which started hosting their web sites and other back office services at numerous data centres around the globe. Their services rapidly started returning to life – it isn’t the sort of thing that can be done instantly, and probably took a lot of late nights.

However the attacks escalated and reached levels of up to at least 300Gbps (that’s about 30,000 times faster than your Internet connection) or about 13Gbps of traffic for each of CloudFlare’s 23 data centres. That’s a lot and could be responsible for Internet slowdowns …

The Internet Is Slow. Is It The DDoS?

Well perhaps. We all have a very understandable tendency to blame known events for problems we’re having. Is the Internet slow? It must be that DDoS . But it is not necessarily so.

And if all the Internet was slow for you, it is quite possible that you were unknowingly taking part in the attack! Because the attack relied on infected PCs together with other stuff described below.

It is also possible that some parts of the Internet were overwhelmed by the DDoS. Reports have indicated that Internet services plugged in alongside the CloudFlare data centres (or in them) were suffering somewhat because of the extraordinary levels of traffic. However, this is the Internet and there is always lots of stuff going on that may cause slower performance than normal in various corners of the ‘net.

Was This The Biggest DDoS Attack?

Possibly. The figure of 300Gbps (and it was probably larger than that – the 300Gbps figure was through one Tier-1 ISP) probably qualifies as the largest known public DDoS.

However DDoS attacks are not always made public; there could well have been larger attacks that were not made public.

Various responses have indicated that the attack was not as serious as described by others :-

  1. http://cluepon.net/ras/gizmodo
  2. http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie

It may be that these commentators are mistaken to the extent that they didn’t see a problem; it may be that European and Asian networks were more prone to a slow-down than elsewhere.

What Is A Distributed Denial Of Service Attack?

If you were an attacker, you could try sending network traffic as fast as your PC could handle to the target of your attack. However the amount of traffic you could send would be very limited – you can’t send more than the speed of your Internet connection. Say 10Mbps … a lot less than most large services use for their own Internet connections.

To make an attack more effective, you will want to have lots of people send traffic as quick as they can. And the easy way to do that is to infect PCs with some sort of malware, and use your control of those infected PCs to send out that denial of service traffic. At which point it becomes a distributed denial of service attack because the attack traffic is distributed around the Internet.

And if you can find some way of amplifying your attack traffic so that say 10Mbps of traffic becomes 1Gbps of traffic, you make your attack much more effective.

So How Was This Done?

The details of what went on become pretty hairy very quickly, but very simply :-

  1. The attacker takes control of a large number of infected PCs to make his or her “robot army” to send out network traffic under their control.
  2. The attacker instructs their robot army to send out DNS requests as quickly as possible with the source address forged as the victim’s address.
  3. The negligent ISP allows those packets out by not applying source filtering.
  4. The network traffic reaches any number of misconfigured DNS servers that answer with a larger reply sent to the victim’s address.

DNS?

This is short for the domain name system and is a service that turns names into numbers (amongst other things). You type in a name such as www.google.com and the DNS server your PC is configured to talk to turns that name into an Internet address such as 203.0.113.63 or possibly 2001:db8:0:1234:0:5678:9:12. Your PC then makes a network connection to that numeric address in the background, and fetches a web page, a music stream or some other content you want.

Without the DNS we would all have to rely on numeric addresses to make connections – a lot tougher!

There’s another factor here as that DNS is an amplifying service – you ask for a name such as www.google.com, and the answer is a whole lot longer than just the numeric address you “need” as it can (and often does) contain a number of network addresses together with associated information :-

% dig www.google.com  

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.google.com.			IN	A

;; ANSWER SECTION:
www.google.com.		61	IN	A	74.125.138.104
www.google.com.		61	IN	A	74.125.138.106
www.google.com.		61	IN	A	74.125.138.99
www.google.com.		61	IN	A	74.125.138.147
www.google.com.		61	IN	A	74.125.138.105
www.google.com.		61	IN	A	74.125.138.103

;; AUTHORITY SECTION:
google.com.		126160	IN	NS	ns3.google.com.
google.com.		126160	IN	NS	ns2.google.com.
google.com.		126160	IN	NS	ns4.google.com.
google.com.		126160	IN	NS	ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.		126160	IN	A	216.239.32.10
ns2.google.com.		126160	IN	A	216.239.34.10
ns3.google.com.		126160	IN	A	216.239.36.10
ns4.google.com.		126160	IN	A	216.239.38.10

;; Query time: 1 msec
;; SERVER: 10.0.0.26#53(10.0.0.26)
;; WHEN: Sat Mar 30 09:52:59 2013
;; MSG SIZE  rcvd: 264

If you are talking to a misconfigured DNS server, it could answer even when it should not. Normally DNS servers are configured to answer just for those they are intended to provide answers to – your ISP’s DNS servers will answer your questions, and not mine. However if they are misconfigured, they will answer any question and will function as a DDoS amplifier.

This does not include public DNS servers such as OpenDNS, or Google’s public DNS servers – they are specially configured to avoid acting as a DDoS amplifier – probably by imposing a rate limit to stop answering if you ask too many questions.

Source Filtering?

When you click on a link in your web browser, your browser sends out a network packet containing the request (“GET /webpage”), and that network packet contains the destination of the web server – so your request reaches it, and your own address – so the web server knows where to send the answer! Your own address (in these circumstances) is known as the source address.

With appropriate software, you can forge your source address so that replies to your request go back to a different place. Without that only the very simplest DDoS attacks would work.

Of course, it has been best practice to block forged source addresses since well, not long after the beginning of the Internet. This is known as source filtering. An Internet router is capable of deciding that packets coming in from wire A should not have the address assigned to wire B, so should be dropped on the floor.

An Internet router that doesn’t do that is poorly configured.

So How Can This Be Stopped?

The answer is that we have known how to stop this sort of attack for at least a decade. And indeed the best Internet citizens have done so for years.

The trouble lies with those on the Internet who are not necessarily the best Internet citizens. Of the big three remedies, two are probably being neglected because managers of ISPs do not see the business benefits of applying those remedies. And there isn’t a business benefit, but a social responsibility.

The three remedies are :-

  1. The average Internet user needs to take action to prevent their PC from getting infected. Get anti-virus protection, and an Internet firewall. If the PC acts weird, get it looked at. And if the Mac acts weird, get it looked at too (yes they do get infected).
  2. ISPs should apply BCP38 (which dates back to 2000) which specifies source filtering.
  3. ISPs running DNS servers should ensure that their DNS servers are properly configured to only answer queries for legitimate clients.

And if you happen to know a senior manager at an ISP, ask them about BCP38 and if they’re doing it – source filtering is probably the most important action here.

But Who Is Responsible?

It is easy to get distracted by the problems caused by those leaving poorly configured router, and insecure PC lying around on the Internet. Whilst their owners are responsible for effectively leaving tools around that attackers can use (and all too often do use), they are not directly responsible for the attack.

The attacker is.

But who were they?

The fairly credible rumours are that the attackers were either Cyberbunker or Stophaus.com, as part of a campaign against the actions of Spamhaus. Various criminals behind the flood of spam targeting your mailbox with all sorts of rubbish have long complained about the actions of Spamhaus, as they try and prevent spam arriving. And Cyberbunker is an ISP dedicated to providing hosting to services that may get shut down elsewhere – they deal with anyone except paedophiles and terrorists, which leaves a whole world of swamp dwellers that you would really rather not know about. And spammers.

Who Are Spamhaus?

Spamhaus are subject to a great deal of black propoganda – including accusations of blackmail, extortion, censorship, and probably kicking cats too. The reason? They help identify spammers, so that ISPs can choose to block spam.

Spammers are somewhat irritated by this – their business model relies on polluting your mailbox so that the 1% (or so) of people who do respond to spam is a large enough number that they can carry on making money. And they get irritated very quickly if someone tries to interfere with their “right” to use your inbox to make money.

Mail server operators have long been blocking spammers using a whole variety of methods, and some of the best collaborated on producing lists of addresses of spammers that others could use. These evolved into DNS based RBLs, and one of the most respected groups of volunteers became known as Spamhaus.

You may be thinking that you still get plenty of spam, so they cannot be doing too great a job. But :-

  1. You may be with an ISP that chooses not to use Spamhaus.
  2. You don’t see the spam that gets blocked. Even if you see dozens of spam messages a day, you may be seeing only 5% of the spam that was sent your way.

It is telling that amongst those in the know, those who deal with spam and Internet abuse in general, there is practically nobody who thinks of Spamhaus as anything other than the good guys.

 

 Older Entries  Newer Entries