<h1>Use of words</h1>
Blog by <a href="http://www.blogger.com/profile/07276141948094162286">Erik Inge Bolsø</a><br />
<br />
<h2>Transport layer for stealth and evil, 2014 edition</h2>
Posted 2014-07-29<br />
<br />
A few years ago, I tested some <a href="http://useofwords.blogspot.no/2010/12/transport-layer-protocols-for-stealth.html">obscure transport protocols</a> on Ubuntu 10.04 and whether you could find processes listening for them on your system. Answer was - it depends.<br />
<br />
Fast forward a few years: RHEL 7 and CentOS 7 appear. The long-deprecated netstat is gone from the default install.<br />
<br />
So let's repeat the tests for weird backdoors.<br />
<h3>
SCTP </h3>
<pre>yum install socat
socat SCTP-LISTEN:8080 TCP-CONNECT:localhost:22</pre>
<br />
ss(8) is the official replacement for netstat(8).<br />
<br />
So what does ss see?<br />
<br />
<pre># ss -anp | grep socat
#</pre>
<br />
Nothing. netstat used to see this on Red Hat-derived distros, so a slight regression you might say. But ss didn't see it in 2010 either.<br />
<br />
Lsof has improved, though, and identifies it correctly this time.<br />
<pre># lsof | grep socat
socat 10790 root 3u sock 30501 0t0 SCTP ENDPT:ffff88003b23df00 0.0.0.0[8080]
#</pre>
<br /><h3>
DCCP</h3>
Well, first we need to get netsend up and running. Basically yum install gcc, and get the source from the Ubuntu package. The original BerliOS upstream seems to be gone.<br />
<br />
<tt># netsend dccp receive</tt><br />
<br />
This sets up a listener at DCCP port 6666.<br />
<br />
<pre># ss -anp | grep netsend
tcp LISTEN 0 0 *:6666 users:((netsend,11050,3))
#</pre>
<br />
Um, yes, it shows up ... but looks like a TCP socket? WTF?<br />
<br />
<tt>telnet localhost 6666</tt> gives connection refused as expected. This will definitely confuse somebody.<br />
<br />
<pre># ss -anpd
LISTEN 0 0 *:6666
users:((netsend,11050,3))</pre>
<br />
So with the -d option (for dccp) it shows sane data.<br />
<br />
What about lsof then?<br />
<pre># lsof | grep netsend
netsend 11050 root 3u sock 0,6 0t0 33020 protocol: DCCP</pre>
<br />
Well, better than before. It at least identifies the protocol, if not the details.<br />
<br />
<h3>
UDP-Lite</h3>
This massively popular protocol then?<br />
<br />
<tt># netsend udplite receive</tt><br />
<br />
Sets up a listener at port 6666, again.<br />
<br />
<pre># ss -anp | grep netsend
#</pre>
<br />
Blank, as in 2010. And there's no udplite option.<br />
<br />
lsof then?<br />
<br />
<pre># lsof | grep netsend
netsend 17664 root 3u IPv4 38944 0t0 UDPLITE *:6666
#</pre>
<br />
Yeah, no problem, identifies it perfectly.<br />
<br />
<h3>
Conclusion</h3>
Hiding a backdoor in plain sight with an uncommon protocol is still viable, though local firewalls will mitigate. ss(8) still doesn't give you all the info it ideally should, probably because of some missing plumbing. lsof(8) is still a useful swiss army knife slowly getting more tools.<br />
<br />
<h2>a bit of selinux for noobs</h2>
Posted 2014-01-13<br />
<br />
So, once again, you've added an initscript that works fine in test to a prod server. It fails. And you get permission denied to write to a directory - but waitaminute, the process starts as root?<br />
<br />
The obvious suspect: SELinux. Turning it off is the stupid way out and not an option.<br />
<br />
<pre>[root@gnuff ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1389617233.067:1073936): avc: denied { write } for pid=34988 comm="tcpdump" name="ts" dev=dm-2 ino=1572884 scontext=unconfined_u:system_r:netutils_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir</pre>
<br />
So tcpdump isn't allowed to write to a var_t directory. Fair enough, really. What is it allowed to write to, from a confined user?<br />
<br />
sesearch to the rescue! (yum install setools-console)<br />
<br />
<pre>[root@gnuff ~]# sesearch -T -s netutils_t
Found 3 semantic te rules:
type_transition netutils_t tmp_t : file netutils_tmp_t;
type_transition netutils_t tmp_t : dir netutils_tmp_t;
type_transition netutils_t abrt_helper_exec_t : process abrt_helper_t;</pre>
<br />
This searches for allowed type transitions from the netutils_t context. Aha!<br />
<br />
[root@gnuff ~]# chcon -t netutils_tmp_t /var/cache/ts<br />
<br />
And restart ... and voila! No more permission denied.<br />
<br />
[root@gnuff ~]# semanage fcontext -a -t netutils_tmp_t /var/cache/ts<br />
<br />
makes it permanent. (yum install policycoreutils-python if you have no semanage)<br />
<br />
Better do it via Puppet, of course. (<a href="https://github.com/jgoldschrafe/puppet-selinux_types">selinux_fcontext</a>)<br />
<br />
PS. The strictly correct option is rather:<br />
<pre>[root@gnuff ~]# sesearch -A -s netutils_t | grep dir | grep write
 allow netutils_t netutils_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
 allow netutils_t dirsrv_var_run_t : sock_file { write getattr append open } ;
 allow netutils_t tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ;</pre>
<br />
which searches for allow rules. But the type transition rule search gets far fewer hits and is worth a try as a first approximation when doing a sysadmin fix-it-fast search. Few apps transition to a type they can't read/write.<br />
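
The lookup above, automated as an added example (not the author's code): it parses `avc: denied` records from audit.log and emits the post's two sesearch queries for each denied access. The first sample line is the one shown in the post, the second is constructed; the function names are hypothetical, and `-c`/`-p` are sesearch's own class and permission filters, used here in place of the `grep dir | grep write` pipeline.

```python
"""Turn AVC denials from audit.log into the sesearch lookups used in the post."""
import re
import shlex
import sys
from collections import Counter

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = [
    # Line shown in the post.
    'type=AVC msg=audit(1389617233.067:1073936): avc: denied { write } for pid=34988 '
    'comm="tcpdump" name="ts" dev=dm-2 ino=1572884 '
    'scontext=unconfined_u:system_r:netutils_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir',
    # Constructed non-AVC record that the parser must skip.
    'type=SYSCALL msg=audit(1389617233.067:1073936): syscall=2 success=no comm="tcpdump"',
]


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {key: value.strip('"') for key, value in KV_RE.findall(match.group("rest"))}
    try:
        # Contexts are user:role:type:level; policy rules are written against the type.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"comm": fields.get("comm", "?"), "name": fields.get("name", "?"),
            "perms": match.group("perms").split(),
            "source": source, "target": target, "tclass": tclass}


def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        avc = parse_avc(line)
        if avc:
            for perm in avc["perms"]:
                counts[(avc["source"], avc["target"], avc["tclass"], perm)] += 1
    return counts


def sesearch_queries(source, tclass, perm):
    """Build both lookups from the post for a denied access by `source`."""
    src = shlex.quote(source)
    return [
        # Quick first approximation: types this domain transitions into.
        "sesearch -T -s %s" % src,
        # Strictly correct: targets it is allowed to access with this class/permission.
        "sesearch -A -s %s -c %s -p %s" % (src, shlex.quote(tclass), shlex.quote(perm)),
    ]


def report(lines):
    """One summary line per distinct denial, followed by the queries to run."""
    out = []
    for (source, target, tclass, perm), count in sorted(summarize(lines).items()):
        out.append("%dx %s -> %s:%s { %s }" % (count, source, target, tclass, perm))
        out.extend("    " + query for query in sesearch_queries(source, tclass, perm))
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as handle:
            print("\n".join(report(handle)))
    else:
        print("\n".join(report(SAMPLE_LOG)))
```

Run it with the path to audit.log as the only argument; without arguments it reports on the embedded sample.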
<br />
([root@gnuff ~]# sesearch -A -s netutils_t | wc -l<br />365<br />
)<br />
<br />
<h2>htrosbif alpha 5 - years late edition</h2>
Posted 2013-05-10<br />
<br />
So, somebody recently reminded me that htrosbif has languished for a while. And that's true, but I've had a bunch of changes pending since alpha 4.<br />
<br />
So I got off my ass and packaged an <a href="http://anduin.net/~knan/htrosbif/htrosbif-alpha-5.tar.gz">alpha 5</a>. Get it while it's... slightly warmer than Oslo in May.<br />
<br />
If you've followed the git repo, you've had most of this for ages. (<tt>git clone http://anduin.net/~knan/htrosbif.git/</tt>)<br />
<br />
Wishlist: anyone got a buildroot/openwrt-style build-webserversoftware-and-a-chroot-for-it script? That would speed up testing and signature generation awesomely.<br />
<br />
Shortlog:<br />
<blockquote class="tr_bq">
Erik Inge Bolsø (38):<br />
 add monkey sig (insert obvious jokes here)<br />
 xs-httpd added to testsuite. nicely old-school.<br />
 userfriendliness bugfix (slashdot 1z broken! eek!)<br />
 slash fiction<br />
 add continuation tests, split into first/second/third-class tests<br />
 basic first-class matching<br />
 implement overlay test promotion<br />
 fix some more hashref buglets, split classify_test from test run<br />
 fix overlay matching bug if header list was empty<br />
 add more modifiers, for better haproxy matching in strange circumstances<br />
 minor pound detection bugfixes<br />
 relax and prettify our json file handling<br />
 don't overcompensate for lost tests<br />
 varnish matching fixes<br />
 refresh sigs, prettier now<br />
 more json prettifying and relaxation<br />
 sig_deref.pl cleanup<br />
 standardize header names - yes, this throws away useful info, I may regret it later<br />
 add fixme while I remember<br />
 varnish=>zope,monkey,bauk quirks<br />
 a bit of overlay debug code<br />
 yes, varnish hides some interesting version-specific lighty bugs<br />
 refresh old-cups & iis sigs<br />
 add get_11_duplicate_contentlength test<br />
 use caller function for debug tracing<br />
 refresh sigs for new test<br />
 one more varnish quirk<br />
 some eccm, and fixed an overlay matching with limited info bug<br />
 improve scoring with limited information<br />
 launch flares, tune overlay detection threshold (hi kwy)<br />
 add comotion-httpd sig (rare!)<br />
 disable countermeasures by default, add --eccm option, add monkey-0.11.1 sig<br />
 lighty 1.4 hasn't changed signature lately<br />
 a random resin sig, and tomcat sigs<br />
 refresh iis sig<br />
 cleanup signatures a bit, preparing for squid<br />
 minor signature generation bugfix - could drop http/0.9 style responses completely<br />
 refresh sigs for latest changes<br />
<br />
Kacper Wysocki (1):<br />
 usability: try to autosense the url<br />
</blockquote>
<br />
<h2>Unbreaking the web with greasemonkey</h2>
Posted 2013-05-04<br />
<br />
So, a certain MMO recently managed to turn off their wiki, upgrade their forums and in the process break almost all their links from anywhere. Even intra-forum links broke utterly. And the in-game big friendly Help button.<br />
<br />
I'd really not want to be responsible for that debacle. Breaking seven years' worth of web forum Google searches and intralinking is utter insanity from a professional standpoint.<br />
<br />
But a ten-minute greasemonkey script can fix that for me personally.<br />
<br />
<a href="http://userscripts.org/scripts/review/166620">DDO forum fixup</a><br />
<br />
Well done irritating your subscribers, Turbine. Whatever will they think of next...<br />
<br />
<h2>Netbooting NetBSD in KVM</h2>
Posted 2012-10-07<br />
<br />
So, I feel the need to netboot various OSes again. Because I can.<br />
<br />
Output to serial is most convenient, my MIPS box is serial only, and besides I have no space for a bunch of extra monitors.<br />
<br />
In the IA32 case, the (very very nice, though old) Diskless NetBSD howto directs me to use <b>"pxeboot_ia32_com0.bin"</b>.<br />
<br />
Problem #1: since NetBSD 4 or so, this isn't in base.tgz anymore.<br />
<br />
David Laight points out that it can be created <a href="http://readlist.com/lists/netbsd.org/current-users/3/15577.html">like so</a> using the netbsd installboot(8) command. Though I have no NetBSD yet.<br />
<br />
Ah well. I'll boot a more normal NetBSD on KVM and create that, then. Quick DHCPD setup:<br />
<br />
<pre>subnet 10.50.1.0 netmask 255.255.255.0 {
  range 10.50.1.200 10.50.1.250;
}

host kvm-netbsd-ia32 {
  hardware ethernet 22:22:22:22:00:00;
  next-server 10.50.1.1; # TFTP / NFS host
  filename "/netbsd-5/pxeboot_ia32.bin"; # Path on TFTP server

  option root-path "/storage/nfs/ia32/netbsd-5.1.2/root"; # Path on NFS server
  # FreeBSD pxe can use IP:path here, I believe, NetBSD just uses next-server.
}
</pre>
<br />
... not so fast.<br />
<br />
ISC DHCPD, current KVM's iPXE netboot firmware and NetBSD's pxeboot don't like each other.<br />
<br />
* iPXE sends a DHCP request with dhcp_client_identifier (option 61) set to 01-ethernet mac address, loads pxeboot_ia32.bin from tftp and runs it.<br />
* pxeboot_ia32.bin sends a simpler DHCP request without dhcp_client_identifier via PXE_UDP_WRITE. pxeboot_ia32.bin takes care to use the lease it knows about from the PXE environment as source IP; it just wants to ask for some more options.<br />
* ISC DHCPD wants to assign a new address, since this apparently is another client (no dhcp_client_identifier), and assigns that as unicast destination.<br />
* iPXE ignores the return unicast packet apparently sent to somebody else entirely.<br />
* pxeboot_ia32.bin gets no response and gives up.<br />
<br />
ISC DHCPD has a special case for BOOTP clients, and will give out an old lease if the hardware address matches even though they don't send any client-id. But we aren't BOOTP, we're just fragile followup-DHCP-in-PXE.<br />
<br />
The least icky way out here seems to be patching DHCPD to ignore dhcp_client_identifier mismatches. (CMU DHCPD has a runtime option for it, btw) But oh, the tentacles, ISC source isn't known for its sanity...<br />
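
The exchange described above, as an added example (not ISC DHCPD's code and not the linked patch): it builds the two requests, one with option 61 and one without, and runs them through a deliberately simplified lease table that identifies clients by client-id when present. The pool addresses and MAC come from the config above; `LeaseTable`, `replay` and the `match_on_hw_only` switch are hypothetical names, and the DHCP message type used is an assumption.

```python
"""Toy replay of the iPXE -> pxeboot DHCP follow-up against a client-id keyed lease table."""
import struct

MAGIC = b"\x63\x82\x53\x63"                       # DHCP magic cookie after the BOOTP header
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 53, 61, 255


def build_request(mac, xid, client_id=None):
    """Build a minimal DHCP request; client_id=None leaves out option 61, as pxeboot does."""
    hw = bytes.fromhex(mac.replace(":", ""))
    # op=1 (request), htype=1 (ethernet), hlen=6, then xid, secs, flags, four
    # zeroed addresses, chaddr (16), sname (64), file (128): 236 bytes in total.
    header = struct.pack("!BBBBIHH16s16s64s128s", 1, 1, len(hw), 0, xid, 0, 0,
                         b"", hw, b"", b"")
    options = bytes([OPT_MSG_TYPE, 1, 3])         # DHCPREQUEST (assumed message type)
    if client_id is not None:
        options += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    return header + MAGIC + options + bytes([OPT_END])


def parse_request(packet):
    """Return (hardware address, {option code: value}) from a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    chaddr = packet[28:28 + packet[2]]
    options, pos = {}, 240
    while pos < len(packet) and packet[pos] != OPT_END:
        code = packet[pos]
        if code == 0:                             # pad option: no length byte
            pos += 1
            continue
        if pos + 2 > len(packet) or pos + 2 + packet[pos + 1] > len(packet):
            raise ValueError("truncated option %d" % code)
        length = packet[pos + 1]
        options[code] = packet[pos + 2:pos + 2 + length]
        pos += 2 + length
    return chaddr, options


class LeaseTable:
    """Simplified lease store; match_on_hw_only models ignoring client-id mismatches."""

    def __init__(self, pool, match_on_hw_only=False):
        self.free = list(pool)
        self.leases = {}
        self.match_on_hw_only = match_on_hw_only

    def address_for(self, packet):
        chaddr, options = parse_request(packet)
        if OPT_CLIENT_ID in options and not self.match_on_hw_only:
            key = ("client-id", options[OPT_CLIENT_ID])
        else:
            key = ("hardware", chaddr)
        if key not in self.leases:                # unknown identity: hand out a new address
            self.leases[key] = self.free.pop(0)
        return self.leases[key]


def replay(match_on_hw_only):
    """Return (address given to iPXE, address the pxeboot follow-up is answered on)."""
    mac = "22:22:22:22:00:00"
    table = LeaseTable(["10.50.1.200", "10.50.1.201"], match_on_hw_only)
    ipxe = build_request(mac, xid=1, client_id=b"\x01" + bytes.fromhex(mac.replace(":", "")))
    pxeboot = build_request(mac, xid=2)           # same MAC, no option 61
    return table.address_for(ipxe), table.address_for(pxeboot)


if __name__ == "__main__":
    print("keyed on client-id:", replay(False))   # reply goes to an address nobody holds
    print("keyed on hardware: ", replay(True))    # reply reaches the existing lease
```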
<a href="http://anduin.net/~knan/ipxe-netbsd-pxeboot-hack.diff">hack for isc dhcp 4.2.4</a> <br />
<br />
So at this point I'm doing a traditional<br />
<pre> pxe rom (iPXE 1.0 as shipped with modern qemu/kvm, or whatever PXE rom my old VIA Mini-ITX is running)
 => tftp loads pxeboot second stage
 => pxeboot loads kernel via simplified nfs
 => kernel boots a nfsroot system</pre>
<br />
The smart & modern way is of course to load the NetBSD kernel directly from iPXE. But I'm betting that's too easy to be any fun.<br />
<br />
<br />
Anyway, qemu-kvm in Ubuntu precise has fun bugs that don't let the NetBSD kernel find any PCI devices. Like, for instance, the network card. So the boot stops with netboot interface not found.<br />
<br />
<a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653473">Fixed in current Debian</a> and upstream qemu. A rebuild of QEMU seems to be in order.<br />
<br />
<pre>apt-get source qemu-kvm
apt-get build-dep qemu-kvm
cd qemu-kvm-1.0+noroms/debian/patches
wget -O 'pci-fix-corrupted-pci-conf-index-register-by-unaligned-write.patch' "http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=cdde6ffc27517bdf069734fbc5693ce2b14edc75"
echo pci-fix-corrupted-pci-conf-index-register-by-unaligned-write.patch >> series
cd ..
dch -i
cd ..
dpkg-buildpackage -b -uc
cd ..
dpkg -i qemu-kvm_1.0+noroms-0ubuntu14.2eib1_amd64.deb qemu-utils_1.0+noroms-0ubuntu14.2eib1_amd64.deb qemu-common_1.0+noroms-0ubuntu14.2eib1_all.deb</pre>
<br />
et voila!<br />
<br />
Whee, I have a working NetBSD!<br />
Current invocation:<br />
<pre>kvm -boot n -localtime -net nic,vlan=0,macaddr=22:22:22:22:00:00 -net tap,vlan=0,ifname=tap0,script=no,downscript=no</pre>
<br />
Now then, in NetBSD (after changing root's shell to /bin/sh instead of the traditional csh abomination)<br />
<br />
<pre>cd /usr/mdec
cp ./pxeboot_ia32.bin ./pxeboot_ia32_com0.bin
installboot -e -oconsole=com0 -ospeed=0 ./pxeboot_ia32_com0.bin</pre>
<br />
So far, so good. Drop our new binary in, and boot kvm with no VGA and a serial console:<br />
<br />
<pre>kvm -boot n -localtime -net nic,vlan=0,macaddr=22:22:22:22:00:00 -net tap,vlan=0,ifname=tap0,script=no,downscript=no -vga none -nographic</pre>
<br />
<pre>knan@sarevok:/storage/current/netboot$ ./kvm-ia32-netbsd.sh

>> NetBSD/x86 PXE Boot, Revision 5.1 (from NetBSD 5.1.2)
>> Memory: 623/391904 k
Press return to boot now, any other key for boot menu
Starting in 0 seconds.
PXE BIOS Version 2.1
Using PCI device at bus 0 device 2 function 0
Ethernet address 22:22:22:22:00:00
10090076+518916+618576 [521184+509293]=0xbb2988
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
 2006, 2007, 2008, 2009, 2010, 2011, 2012
 The NetBSD Foundation, Inc. All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
 The Regents of the University of California. All rights reserved.

NetBSD 5.1.2 (GENERIC) #0: Thu Feb 2 17:22:10 UTC 2012
 builds@b6.netbsd.org:/home/builds/ab/netbsd-5-1-2-RELEASE/i386/201202021012Z-obj/home/builds/ab/netbsd-5-1-2-RELEASE/src/sys/arch/i386/compile/GENERIC
[...]
Sun Oct 7 15:54:24 UTC 2012

NetBSD/i386 (netbsd5) (console)

login: root</pre>
<br />
Yay!<br />
<br />
(Todo: train creaky old pxeboot_ia32.bin to retry DHCP via broadcast if unicast fails.)<br />
<br />
<h2>FreeRADIUS and CRLs</h2>
Posted 2012-04-26<br />
<br />
Deploying FreeRADIUS, you may want to use a Certificate Revocation List (CRL) to revoke access for users who have been issued a valid certificate at some point.<br />
<br />
How to actually do this isn't completely self-evident. Less so if you use multiple sub-CAs.<br />
<br />
FreeRADIUS basically uses OpenSSL's routines and options for this. And OpenSSL doesn't currently refresh CRLs in a running process, so after updating a CRL you need to restart the freeradius daemon (easily scripted).<br />
<br />
The important point in freeradius is in /etc/freeradius/eap.conf, specifically check_crl and CA_path in the tls section.
Also, comment out CA_file, since CA_path and CA_file are intended for the same purposes, but CRLs only work with the CA_path method.
<br />
<pre> # Check the Certificate Revocation List
 #
 # 1) Copy CA certificates and CRLs to same directory.
 # 2) Execute 'c_rehash &lt;CA certs&amp;CRLs Directory&gt;'.
 # 'c_rehash' is OpenSSL's command.
 # 3) uncomment the line below.
 # 5) Restart radiusd
 check_crl = yes
 CA_path = /etc/freeradius/certs/CA/
</pre>
Be sure not to concatenate certificates in your CA_path. One CA, one file.
Then, after the c_rehash, your directory should look something like this:
<br />
<pre>root@radius:~# ls -l /etc/freeradius/certs/CA/
lrwxrwxrwx 1 root freerad 9 2012-04-26 03:15 12345678.0 -> local-sub-ca-1.pem
lrwxrwxrwx 1 root freerad 13 2012-04-26 03:15 12345678.r0 -> sub-ca-1-crl.pem
lrwxrwxrwx 1 root freerad 11 2012-04-26 03:15 23456789.0 -> local-root-ca.pem
lrwxrwxrwx 1 root freerad 8 2012-04-26 03:15 3456789a.0 -> local-sub-ca-2.pem
lrwxrwxrwx 1 root freerad 12 2012-04-26 03:15 3456789a.r0 -> sub-ca-2-crl.pem
-rw-r--r-- 1 root freerad 1360 2012-04-24 15:04 local-root-ca.pem
-rw-r--r-- 1 root freerad 1360 2012-04-24 15:06 local-sub-ca-1.pem
-rw-r--r-- 1 root freerad 1384 2012-04-24 14:58 local-sub-ca-2.pem
-rw-r--r-- 1 root freerad 1251 2012-04-26 03:15 sub-ca-1-crl.pem
-rw-r--r-- 1 root freerad 739 2012-04-26 03:15 sub-ca-2-crl.pem
</pre>
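
A sanity check for this layout, as an added example (not FreeRADIUS or OpenSSL code): it verifies that every file holds a single certificate or CRL, that every file has a hash link, lists CAs that have no CRL link, and flags CRL files modified after the daemon started, since the running process still holds the old copy. All function names are hypothetical; the sample directory recreates the listing above with placeholder PEM bodies, and the daemon start time is supplied by the caller.

```python
"""Sanity-check a c_rehash'ed CA_path directory used with check_crl = yes."""
import os
import re
import sys
import time

HASH_LINK = re.compile(r"^[0-9a-f]{8}\.(r?)\d+$")          # 12345678.0 / 12345678.r0
PEM_BEGIN = re.compile(r"^-----BEGIN (X509 CRL|CERTIFICATE)-----\s*$", re.M)


def pem_kinds(path):
    """List the PEM objects in a file as 'cert' or 'crl', in file order."""
    with open(path, errors="replace") as handle:
        return ["crl" if kind == "X509 CRL" else "cert"
                for kind in PEM_BEGIN.findall(handle.read())]


def check_ca_path(ca_path):
    """Return (problems, hashes of CAs that have no CRL link)."""
    problems, cert_hashes, crl_hashes, linked = [], set(), set(), set()
    names = sorted(os.listdir(ca_path))
    for name in names:                                    # pass 1: the hash links
        match = HASH_LINK.match(name)
        if not match:
            continue
        full = os.path.join(ca_path, name)
        if not os.path.exists(full):                      # exists() follows the symlink
            problems.append("%s: dangling link, rerun c_rehash" % name)
            continue
        want = "crl" if match.group(1) else "cert"
        if pem_kinds(full) != [want]:
            problems.append("%s: does not point at exactly one %s" % (name, want))
        (crl_hashes if want == "crl" else cert_hashes).add(name[:8])
        linked.add(os.path.realpath(full))
    for name in names:                                    # pass 2: the real files
        full = os.path.join(ca_path, name)
        if HASH_LINK.match(name) or not os.path.isfile(full):
            continue
        kinds = pem_kinds(full)
        if len(kinds) > 1:
            problems.append("%s: %d PEM objects, want one CA or CRL per file" % (name, len(kinds)))
        elif not kinds:
            problems.append("%s: no certificate or CRL found" % name)
        if os.path.realpath(full) not in linked:
            problems.append("%s: no hash link, rerun c_rehash" % name)
    return problems, sorted(cert_hashes - crl_hashes)


def stale_crls(ca_path, daemon_started_at):
    """CRL files modified after the daemon started (epoch seconds): restart needed."""
    stale = []
    for name in sorted(os.listdir(ca_path)):
        full = os.path.join(ca_path, name)
        if HASH_LINK.match(name) or not os.path.isfile(full):
            continue
        if "crl" in pem_kinds(full) and os.path.getmtime(full) > daemon_started_at:
            stale.append(name)
    return stale


def make_sample_ca_path(root):
    """Recreate the listing from the post under root, with placeholder PEM bodies."""
    cert = "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
    crl = "-----BEGIN X509 CRL-----\nplaceholder\n-----END X509 CRL-----\n"
    files = {"local-root-ca.pem": cert, "local-sub-ca-1.pem": cert,
             "local-sub-ca-2.pem": cert, "sub-ca-1-crl.pem": crl, "sub-ca-2-crl.pem": crl}
    links = {"12345678.0": "local-sub-ca-1.pem", "12345678.r0": "sub-ca-1-crl.pem",
             "23456789.0": "local-root-ca.pem", "3456789a.0": "local-sub-ca-2.pem",
             "3456789a.r0": "sub-ca-2-crl.pem"}
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as handle:
            handle.write(body)
    for name, target in links.items():
        os.symlink(target, os.path.join(root, name))
    return root


if __name__ == "__main__":
    # Usage: script.py CA_PATH [daemon start time in epoch seconds]
    path = sys.argv[1]
    started = float(sys.argv[2]) if len(sys.argv) > 2 else time.time()
    found, no_crl = check_ca_path(path)
    print("\n".join(found + ["%s: CA without CRL link" % h for h in no_crl]
                    + ["%s: newer than the running daemon" % n for n in stale_crls(path, started)]))
```

Certificates issued directly by a CA listed as having no CRL link cannot be checked for revocation from this directory.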
Thanks to <a href="http://yasu-2.blogspot.com/2010/02/freeradiuscrl.html">Yasuhiro ABE</a> for pointing me in the right direction.
Thank you very much, Abe-san! That was great!<br />
<br />
<h2>dnstool - curses-based DNS zone administration</h2>
Posted 2012-02-06<br />
<br />
Out now! Get it while the bits are still hot!<br />
<br />
<a href="https://github.com/Redpill-Linpro/dnstool">https://github.com/Redpill-Linpro/dnstool</a><br />
<br />
The Fine Manual is plain text and even has screenshots, perfect for the old-school lynx enthusiast ;)<br />
<br />
If your DNS server supports RFC 2136 dynamic updates, you might want to look at this. BIND9 does.<br />
<br />
Patches always welcome!<br />
<br />
<h2>Terra firma</h2>
Posted 2011-10-17<br />
<br />
OK.<br />
<br />
Today I updated firmware - on a mouse.<br />
<br />
When did they get clever enough to need firmware? Probably along with the LED/optical variants.<br />
<br />
And what is stopping them from growing a virtual keyboard at night and brute-forcing my password? Nothing that I know of.<br />
<br />
(OK, feedback is a problem. But USB graphics cards exist... :p)<br />
<br />
<h2>Verb conjugation madness</h2>
Posted 2011-08-17<br />
<br />
Japanese is flexible and complicated. Let's take a random verb, taberu - to eat.<br />
<br />
First of all, the dictionary form of the verb is not the infinitive in Japanese. The dictionary form of the verb is "informal non-past" - maybe it is happening about now, maybe one only has vague plans for it some time in the future, but at any rate it has not finished happening.<br />
<br />
<i>"Watashi wa niku ga taberu."</i> - I eat meat. A fairly general and informal phrase. If you are already talking about yourself and what you like, you will usually drop the first two words. <i>"Niku ga taberu."</i> - Eat meat.<br />
<br />
That is informal, though. In polite conversation with people you don't know well, you will usually use an ordinary polite form. <i>"Niku ga tabemasu."</i> (pronounced "Niku ga tabemas".)<br />
<br />
But if you usually don't eat meat, you may want to express that. <i>"Niku ga tabemasen."</i> - Don't eat meat. Conjugating verbs into positive and negative forms is a typically Japanese thing. Still a very general phrase.<br />
<br />
<i>"Niku ga tabetai desu."</i> - Have a desire to eat meat. Here the verb has been turned into an adjective, "desirous of eating", while "desu" = have.<br />
<br />
<i>"Niku ga tabete mimasu."</i> - Can try eating meat and see how it goes. Here you are unsure whether this is something for you. "Mimasu" is the polite non-past of "to see", here used as an auxiliary verb.<br />
<br />
<i>"Niku ga tabete mitai desu."</i> - Have a desire to try eating meat and see how it goes. A combination of the two above.<br />
<br />
<i>"Niku ga tabete imasu."</i> - Am eating meat right now. "-te imasu" is something like the "am -ing" form in English.<br />
<br />
<i>"Niku ga tabete iru hito."</i> - The person who is eating meat right now. "Iru" is the non-polite short form of "imasu"; when you use a whole phrase as an adjective, short conjugations are used.<br />
<br />
<i>"Niku ga tabemashou."</i> - Let's eat meat! Polite but direct.<br />
<br />
<i>"Niku ga tabemasen ka."</i> - Shall we not eat meat? An indirect invitation, more polite.<br />
<br />
<i>"Niku ga taberaremasen."</i> - Cannot eat meat. Potential, polite non-past, negative form.<br />
<br />
<i>"Niku ga tabemashita."</i> - Have eaten meat.<br />
<br />
<i>"Niku wa tabeta koto ga arimasen."</i> - Have never eaten meat. Informal past because of the auxiliary words that follow. A clumsier and more direct translation would be "The experience of having eaten meat, I do not have."<br />
<br />
<i>"Niku wa tabenai tsumori desu."</i> - Have no plans to eat meat. Negative informal non-past + auxiliary words.<br />
<br />
<i>"Niku wa tabenakute wa ikemasen."</i> - Must eat meat. ("Can't very well not eat...")<br />
<br />
<i>"Niku ga tabeta hou ga ii desu."</i> - Should eat meat. An admonition, "It is better (for you/me) to..."<br />
<br />
<i>"Niku ga tabesugite wa ikemasen."</i> - Don't overeat on meat. Here taberu has become the compound verb tabesugiru, where -sugiru means "too much".<br />
<br />
... and I have still only just started on Genki II. Many more compounds and forms lie in wait. And taberu is a simple, regular verb compared to many others.<br />
<br />
It is rather fun, though. :)<br />
<br />
See you later!<br />
<br />
<h2>Transport layer protocols for stealth and evil</h2>
Posted 2010-12-21<br />
<br />
Ever tested some of the more exotic transport protocols?<br />
<br />
<b>SCTP</b> is interesting ... multihoming means you can have several ips involved on each side of a connection (association in sctp speak) ... so when you move from wired to wireless your ssh session still is fine. If you find a proper SCTP ssh, of course.<br />
<br />
Testing it on Ubuntu LTS, though, using socat for glue... a listening SCTP socket is invisible in netstat -ln. Fun. tcp, udp, raw sockets are visible ... but sctp isn't.<br />
<br />
<tt>socat SCTP-LISTEN:8080,fork TCP-CONNECT:localhost:22</tt><br />
<br />
Nice, stealthy backdoor. Does not show in <b>netstat(8)</b> or <b>ss(8)</b>. Combine with socat TCP-LISTEN:2223 SCTP-CONNECT:localhost:8080 on a remote host and we have a completely stealthy tunnel, if the firewall is mildly clue-challenged.<br />
<br />
<pre>knan@ip:~$ netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:4949 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:36558 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 0 0.0.0.0:45561 0.0.0.0:*
knan@ip:~$ </pre><br />
lsof reports a mysterious socket. But it also does that for udev and update-manager, so that's hardly conclusive.<br />
<br />
<tt>knan@ip:~$ lsof | grep socat | grep sock<br />
socat 24969 knan 3u sock 0,6 0t0 645716 can't identify protocol</tt><br />
<br />
The only place I've dug out useful info so far is from procfs.<br />
<pre>knan@ip:~$ cat /proc/net/sctp/eps
ENDPT SOCK STY SST HBKT LPORT UID INODE LADDRS
ffff8800722cb800 ffff8800342c8480 2 10 16 8080 1001 645716 0.0.0.0 </pre><br />
Hardly easy to read. But it says LADDRS 0.0.0.0, LPORT 8080. Ok.<br />
<br />
(BTW: SCTP not being in netstat is a Debian/Ubuntu-specific bug, SuSE/Red Hat have applied patches.)<br />
<br />
<b>sctp_darn(1)</b> can do more fun sctp-specific stuff, like setting up multiple local and remote addresses for the association.<br />
<br />
Cool enough. But there are other fun transport protocols we can try.<br />
<br />
How about <b>DCCP</b>? It's connection-oriented and has congestion control but otherwise is UDP-like.<br />
<br />
<tt>netsend dccp receive</tt><br />
<pre>knan@ip:~$ netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:4949 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:631 :::* LISTEN
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:36558 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 0 0.0.0.0:45561 0.0.0.0:*</pre>Netstat still says nothing.<br />
<br />
The only place in /proc/net you find DCCP mentioned is in /proc/net/protocols. Which says nothing about ongoing connections or listening sockets.<br />
<br />
<tt>knan@ip:~$ grep -ir DCCP /proc/net/<br />
/proc/net/protocols:DCCP 1400 1 -1 NI 1196 yes dccp_ipv4 y y y y y y y y y y y y n n y y y y n<br />
</tt><br />
<br />
lsof still says little.<br />
<tt>knan@ip:~$ lsof | grep netsend | grep sock<br />
netsend 25376 knan 3u sock 0,6 0t0 658124 can't identify protocol</tt><br />
<br />
ss(8) to the rescue! But only when you specifically ask it about DCCP sockets with -d.<br />
<br />
<pre>knan@ip:~$ ss -ldn
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 *:6666 *:* </pre><br />
The final protocol I want to propose today is <b>UDP-Lite</b>. This is basically a UDP variant with partial checksums, for the case when garbled data is better than no data.<br />
<br />
<tt>$ netsend udplite receive</tt><br />
<br />
As usual, netstat tells us nothing of this uncommon activity.<br />
<br />
<pre>knan@ip:~$ netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:4949 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:631 :::* LISTEN
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:36558 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 0 0.0.0.0:45561 0.0.0.0:* </pre><br />
This time, though, lsof identifies it!<br />
<br />
<tt>knan@ip:~$ lsof | grep netsend<br />
netsend 25461 knan 3u IPv4 661633 0t0 UDPLITE *:6666 </tt><br />
<br />
Which is good, since ss doesn't.<br />
<br />
To summarize (for Ubuntu 10.04 LTS):<br />
<br />
<table border=1><tr><th>Protocol</th><th>netstat(8)</th><th>ss(8)</th><th>lsof(8)</th><th>/proc/net/*</th></tr>
<tr><td>SCTP</td><td>No</td><td>No</td><td>No</td><td>/proc/net/sctp/eps<br />
/proc/net/sctp6/eps</td></tr>
<tr><td>DCCP</td><td>No</td><td>Yes (-d)</td><td>No</td><td>No</td></tr>
<tr><td>UDP-Lite</td><td>No</td><td>No</td><td>Yes</td><td>/proc/net/udplite<br />
/proc/net/udplite6</td></tr>
</table><br />
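
The procfs checks from this post and from the 2014 follow-up, collected into one audit as an added example (not the author's code). It reads the sockets-in-use column of /proc/net/protocols, the SCTP endpoint table and the UDP-Lite table, and maps socket inodes to PIDs through /proc/PID/fd; DCCP only shows up as a counter, so follow up on it with `ss -anpd`. The DCCP and SCTP sample lines are the ones shown above, the UDP-Lite line is constructed, and all function names are hypothetical.

```python
"""Audit procfs for SCTP, DCCP and UDP-Lite sockets that netstat/ss may not list."""
import os
import socket
import struct

WATCHED_PREFIXES = ("SCTP", "DCCP", "UDP-LITE", "UDPLITE")

# The DCCP and SCTP lines are the ones shown in the post. The UDP-Lite line is
# constructed to match the post's lsof output (port 6666, inode 661633).
SAMPLE_PROTOCOLS = "DCCP 1400 1 -1 NI 1196 yes dccp_ipv4 y y y y y y y y y y y y n n y y y y n\n"
SAMPLE_SCTP_EPS = (
    "ENDPT SOCK STY SST HBKT LPORT UID INODE LADDRS\n"
    "ffff8800722cb800 ffff8800342c8480 2 10 16 8080 1001 645716 0.0.0.0 \n")
SAMPLE_UDPLITE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt"
    "   uid  timeout inode ref pointer drops\n"
    "   0: 00000000:1A0A 00000000:0000 07 00000000:00000000 00:00000000 00000000"
    "  1001        0 661633 2 0000000000000000 0\n")

def active_protocols(protocols_text):
    """Map watched protocol name -> sockets in use, from /proc/net/protocols."""
    active = {}
    for line in protocols_text.splitlines():
        fields = line.split()
        # Columns: protocol size sockets memory ...; the header row is skipped.
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        if fields[0].upper().startswith(WATCHED_PREFIXES) and int(fields[2]) > 0:
            active[fields[0]] = int(fields[2])
    return active

def sctp_endpoints(eps_text):
    """Parse /proc/net/sctp/eps: one dict per bound SCTP endpoint."""
    found = []
    for line in eps_text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "ENDPT":        # short line or header
            continue
        found.append({"proto": "SCTP", "port": int(fields[5]), "uid": int(fields[6]),
                      "inode": int(fields[7]), "addrs": fields[8:]})
    return found

def udplite_sockets(table_text):
    """Parse /proc/net/udplite (IPv4; same layout as /proc/net/udp)."""
    found = []
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[0].endswith(":"):  # header row
            continue
        hex_addr, hex_port = fields[1].split(":")
        # The address is printed as a native-endian 32-bit word; "<I" assumes
        # a little-endian host such as x86.
        addr = socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))
        found.append({"proto": "UDP-Lite", "port": int(hex_port, 16),
                      "uid": int(fields[7]), "inode": int(fields[9]), "addrs": [addr]})
    return found

def pids_for_inode(inode, proc_root="/proc"):
    """Find PIDs holding socket:[inode] open by reading /proc/PID/fd links."""
    target, pids = "socket:[%d]" % inode, []
    for entry in os.listdir(proc_root):
        fd_dir = os.path.join(proc_root, entry, "fd")
        if not entry.isdigit():
            continue
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                   # process exited, or not ours to read
            continue
        if target in links:
            pids.append(int(entry))
    return sorted(pids)

def audit(protocols_text, sctp_text="", udplite_text="", proc_root="/proc"):
    """Return finding lines: per-protocol socket counts, then per-socket details."""
    findings = ["%s: %d socket(s) in use" % item
                for item in sorted(active_protocols(protocols_text).items())]
    for sock in sctp_endpoints(sctp_text) + udplite_sockets(udplite_text):
        findings.append("%s port %d on %s uid=%d inode=%d pids=%s" % (
            sock["proto"], sock["port"], ",".join(sock["addrs"]), sock["uid"],
            sock["inode"], pids_for_inode(sock["inode"], proc_root)))
    return findings

def read_if_present(path):
    """Return a procfs file's text, or "" when the protocol module is not loaded."""
    try:
        with open(path) as handle:
            return handle.read()
    except OSError:
        return ""

if __name__ == "__main__":
    print("\n".join(audit(*map(read_if_present, (
        "/proc/net/protocols", "/proc/net/sctp/eps", "/proc/net/udplite")))))
```

Run it as root so that /proc/PID/fd of other users' processes is readable; otherwise the pids list stays empty for their sockets.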
Hope this leaves you entertained by the possibilities. Black hats begone!<br />
<br />
P.S.<br />
<a href="https://bugs.launchpad.net/ubuntu/+source/net-tools/+bug/174858">launchpad:netstat+sctp</a><br />
<a href="https://bugs.launchpad.net/ubuntu/+source/lsof/+bug/692988">launchpad:lsof+sctp</a><br />
<a href="https://bugs.launchpad.net/ubuntu/+source/lsof/+bug/692990">launchpad:lsof+dccp</a><br />
<br />
<h2>sed for dns hackers</h2>
Posted 2010-12-15<br />
<br />
(Requires GNU sed)<br />
<br />
Moving to a new set of nameservers is a bit like moving house. Lots of stuff thrown away for reasons of unreasonable antiquity, lots of stuff could do with a refresh and cleanup.<br />
<br />
<tt>sed -i.bak '/\(NS\|SOA\)/ s/\bdns1\.example\.org/innerdns1.example.org/g; /\(NS\|SOA\)/ s/\bdns2\.example\.org/innerdns2.example.org/g' master/*</tt><br />
<br />
This simple, pretty oneliner fixes NS and SOA records to point to new addresses, and leaves other records alone - unless you have really unfortunate and awkward capital-letter names in your zones. Add some more \b safeguards if so.<br />
<br />
<h2>Japanese WHOIS fun</h2>
Posted 2010-10-28<br />
<br />
Recently, I wanted to look up info on a Japanese domain name. Being a command-line type of guy, I obviously did <tt>$ whois ac.jp</tt> and expected things to work out.<br />
<br />
Well, things were a bit less helpful than I'd hoped.<br />
<pre>$ whois ac.jp
Domain Information: [%I%a%$%s>pJs]
a. [%I%a%$%sL>] AC.JP
e. [$=$7$-$a$$]
f. [AH?%L>] 3X=Q%I%a%$%s
g. [Organization] Academic Domain
k. [AH?%<oJL]
l. [Organization Type]
m. [EPO?C4Ev<T]
n. [5;=QO"MmC4Ev<T]
p. [%M!<%`%5!<%P] a.dns.jp
p. [%M!<%`%5!<%P] b.dns.jp
p. [%M!<%`%5!<%P] c.dns.jp
p. [%M!<%`%5!<%P] d.dns.jp
p. [%M!<%`%5!<%P] e.dns.jp
p. [%M!<%`%5!<%P] f.dns.jp
p. [%M!<%`%5!<%P] g.dns.jp
[>uBV] Reserved
[EPO?G/7nF|]
[@\B3G/7nF|]
[:G=*99?7] 2005/03/30 17:37:52 (JST)</pre>While I can figure out what I need here, why the garble? This is 2010 and I'm running in a UTF-8 locale with proper fonts; I should see hiragana/katakana/kanji just fine.<br />
<br />
So I looked up the current <a href="http://tools.ietf.org/html/rfc3912">WHOIS protocol</a>. That's probably the shortest RFC I've ever seen.<br />
<br />
The interesting bit: "The WHOIS protocol has no mechanism for indicating the character set in use." ... rrrright. Obviously not UTF-8 on this server.<br />
<br />
Some trial and error, then.<br />
<br />
<pre>$ whois ac.jp > gnark.txt
$ file gnark.txt
gnark.txt: ASCII English text, with escape sequences</pre>
<br />
Oh thank you. Very helpful. (irritated hacking ensues)<br />
<br />
End product (bash function):<br />
<pre>function jwhois { whois "$@" | iconv -f iso-2022-jp ; }</pre><pre>$ jwhois ac.jp
Domain Information: [ドメイン情報]
a. [ドメイン名] AC.JP
e. [そしきめい]
f. [組織名] 学術ドメイン
g. [Organization] Academic Domain
k. [組織種別]
l. [Organization Type]
m. [登録担当者]
n. [技術連絡担当者]
p. [ネームサーバ] a.dns.jp
p. [ネームサーバ] b.dns.jp
p. [ネームサーバ] c.dns.jp
p. [ネームサーバ] d.dns.jp
p. [ネームサーバ] e.dns.jp
p. [ネームサーバ] f.dns.jp
p. [ネームサーバ] g.dns.jp
[状態] Reserved
[登録年月日]
[接続年月日]
[最終更新] 2005/03/30 17:37:52 (JST)</pre>Looks better, yes?<br />
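
Why the listing looked the way it did, as an added example (not the author's code): the reply is ISO-2022-JP, and once the charset-switching escapes are dropped the two-byte JIS codes read as printable ASCII. The sketch sniffs those escapes to pick the decoder, reproduces the garbled form of one line from the post, and strips any remaining control characters before printing, since WHOIS replies are untrusted server output. Function names are hypothetical and the sample is one decoded line from above, re-encoded.

```python
"""Decode a WHOIS reply whose charset is only hinted at by escape sequences."""
import re
import sys

# ISO-2022-JP designators: ESC $ @ and ESC $ B switch to JIS X 0208,
# ESC ( B and ESC ( J switch back to ASCII / JIS X 0201 Roman.
ISO2022_JP_ESCAPE = re.compile(rb"\x1b(?:\$[@B]|\([BJ])")
# C0 controls except tab and newline, DEL, and the C1 range.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")

# Constructed sample: one line of the post's decoded output, re-encoded.
SAMPLE_REPLY = "a. [ドメイン名] AC.JP\n".encode("iso2022_jp")


def decode_whois(raw):
    """Return (text, charset); RFC 3912 names no charset, so sniff the bytes."""
    if ISO2022_JP_ESCAPE.search(raw):
        return raw.decode("iso2022_jp", errors="replace"), "iso-2022-jp"
    try:
        return raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        return raw.decode("latin-1"), "latin-1"      # cannot fail: 1 byte = 1 char


def as_shown_undecoded(raw):
    """Drop the charset escapes and read the rest as ASCII, as in the garbled listing."""
    return ISO2022_JP_ESCAPE.sub(b"", raw).decode("ascii", errors="replace")


def printable(text):
    """Remove leftover control characters so server-supplied escapes never reach the terminal."""
    return CONTROL_CHARS.sub("", text)


if __name__ == "__main__":
    # Usage: whois ac.jp > gnark.txt; then pass gnark.txt as the only argument.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
    else:
        data = SAMPLE_REPLY
    text, charset = decode_whois(data)
    sys.stdout.write("[%s]\n%s" % (charset, printable(text)))
```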
<br />
P.S. This was written using FreeBSD whois. Ubuntu whois acts completely differently - specifically asks for and shows English information in English locales, and breaks interestingly in the Japanese locales I've tested.Erik Inge Bolsøhttp://www.blogger.com/profile/07276141948094162286noreply@blogger.com0tag:blogger.com,1999:blog-660024223227219722.post-20409784005543692662010-06-24T02:11:00.002+02:002010-06-24T02:22:43.356+02:00Wine on Windows...The <a href="http://www.winehq.org/">Wine</a> project is preparing the long-awaited 1.2 release for the end of the month.<br /><br />Stuff like this should help morale:<br /><br /><a href="http://forums.nvidia.com/index.php?showtopic=104636&st=360&p=1075892&#entry1075892">Gothic I & II not working on Windows 7</a><br /><br />Working around a longstanding d3d driver bug by instead running via crosscompiled d3d8+wined3d on OpenGL on Windows. :)Erik Inge Bolsøhttp://www.blogger.com/profile/07276141948094162286noreply@blogger.com1tag:blogger.com,1999:blog-660024223227219722.post-34816966970152520102010-05-14T01:35:00.005+02:002010-05-14T02:00:16.714+02:00Fun hardware - first resultsTesting the Fusion-io ioXtreme 80GB (/dev/fioa) vs Intel X25-M gen 2 160G (/dev/sda). 
The non-directio dd went cpu-limited for some reason, needs looking into.<br />
<br />
792 MB/s read speed at 12% cpu use in the directio case looks a bit promising :)<br />
<pre># dd if=/dev/fioa2 of=/dev/null bs=1M
26723+1 records in
26723+1 records out
28021615104 bytes (28 GB) copied, 201.797 s, 139 MB/s
# dd if=/dev/fioa2 of=/dev/null bs=1M iflag=direct
19792+0 records in
19791+0 records out
20752367616 bytes (21 GB) copied, 26.2142 s, 792 MB/s

# dd if=/dev/sda4 of=/dev/null bs=1M
5157+0 records in
5156+0 records out
5406457856 bytes (5.4 GB) copied, 25.136 s, 215 MB/s
# dd if=/dev/sda4 of=/dev/null bs=1M iflag=direct
6040+0 records in
6039+0 records out
6332350464 bytes (6.3 GB) copied, 26.1701 s, 242 MB/s</pre>
<br />
Stay tuned, more to come...<br />
<br />
<h3>
Fedora kernel on Ubuntu Lucid 10.04</h3>
Published 2010-05-13T19:13:00.002+02:00<br />
<br />
I had need of a Fedora Core 12 kernel lately. Testing the fun hardware of the previous post.<br />
<br />
Turns out that running that kernel with Ubuntu 10.04 userspace is pretty easy. 
Alien + some dkms invocations are enough.<br />
<pre>fakeroot alien kernel-2.6.31.5-127.fc12.x86_64.rpm
fakeroot alien kernel-devel-2.6.31.5-127.fc12.x86_64.rpm

dpkg -i kernel_2.6.31.5-128_amd64.deb
dpkg -i kernel-devel_2.6.31.5-128_amd64.deb

update-initramfs -c -k 2.6.31.5-127.fc12.x86_64

dkms build -m nvidia-current -v 195.36.15 -k 2.6.31.5-127.fc12.x86_64
dkms install -m nvidia-current -v 195.36.15 -k 2.6.31.5-127.fc12.x86_64

update-initramfs -u -k 2.6.31.5-127.fc12.x86_64

update-grub</pre>
<br />
et voila:<br />
<pre>knan@sarevok:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04 LTS
Release: 10.04
Codename: lucid
knan@sarevok:~$ uname -a
Linux sarevok 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 GNU/Linux</pre>
<br />
<h3>
Tease</h3>
Published 2010-04-09T19:10:00.004+02:00<br />
<br />
[Photo: gadget1.jpg]<br />
[Photo: gadget2.jpg]<br />
<br />
Now, if only I had the rest of the New! Shiny! computer handy, this would be a very fun weekend... as is, I'll just have to tease and promise benchmarks & impressions in a few weeks' time.<br />
<br />
Buona sera!<br />
<br />
<h3>
htrosbif gets better</h3>
Published 2010-02-06T20:00:00.002+01:00<br />
<br />
<a href="http://anduin.net/~knan/htrosbif/htrosbif-alpha-4.tar.gz">Alpha 4</a> is out now.<br />
<br />
More signatures, more tests, and even bugs fixed. Imagine.<br />
<br />
Git repo: git clone http://anduin.net/~knan/htrosbif.git/<br />
<br />
<h3>
Perl trick-of-the-day - $USER-local modules</h3>
Published 2010-01-24T18:54:00.003+01:00<br />
<br />
Ever been frustrated by CPAN and scared to upgrade modules as root? Been burned by a perl rpm/deb upgrade overwriting your carefully upgraded modules?<br />
<br />
<a href="http://perl.jonallen.info/writing/articles/install-perl-modules-without-root">Jon Allen brings us the light</a> in a nice, short revelation. And a perl module. Of course.<br />
<br />
Install/upgrade local perl modules in a user homedir, with basically no extra effort. 
Brilliant.<br />
<br />
<h3>
introducing htrosbif</h3>
Published 2009-11-05T22:17:00.005+01:00<br />
<br />
htrosbif - Active HTTP server fingerprinting and recon tool<br />
<br />
<span style="font-weight:bold;">What does it do?</span><br />
<br />
knan@viconia:~/ak-git/htrosbif.git$ ./htrosbif http://localhost:8525/<br />
Match (1200/1200): pound-2.4.5.sig => jetty-4.2.19.sig<br />
Match (1193/1200): pound-2.4.5.sig => jetty-4.2.24.sig<br />
Match (1076/1200): pound-2.4.5.sig => jetty-4.0.6.sig<br />
Match (1042/1200): pound-2.4.5.sig => jetty-4.1.4.sig<br />
Match (1039/1200): pound-2.4.5.sig => apache-1.2.6-php3-used.sig<br />
Match (1033/1200): pound-2.4.5.sig => jetty-3.1.8.sig<br />
Match (1010/1200): pound-2.4.5.sig => jetty-3.0.6.sig<br />
Match (1000/1200): pound-2.4.5.sig => tomcat-4.1.40-oldconnector.sig<br />
Match (1000/1200): pound-2.4.5.sig => tomcat-5.0.30.sig<br />
Match (1000/1200): pound-2.4.5.sig => apache-2.2.13-php-5.3.0-used.sig<br />
<br />
Does a bit of Recon by Fire, if you will. Prods the web server in all sorts of old, new, basic, fancy, spec-compliant and spec-breaking ways. Tries to characterise both the well-spoken educated responses and the seriously deviant babble it receives in return. Signatures contain no user data, only header names and http-level quirks. A few dozen sacrificial test installs of servers ancient (cern, 1993) and new have survived its tentacles.<br />
<br />
As a (very) useful side effect, might detect reverse proxies, http load balancers, intrusion prevention systems and web application firewalls.<br />
<br />
<span style="font-weight:bold;">Cool! Download?</span><br />
<br />
Sure. 
<a href="http://anduin.net/~knan/htrosbif/htrosbif-alpha-3.tar.gz">http://anduin.net/~knan/htrosbif/htrosbif-alpha-3.tar.gz</a><br />
<br />
$ git clone http://anduin.net/~knan/htrosbif.git/<br />
<br />
<span style="font-weight:bold;">License?</span><br />
<br />
GPL v3.<br />
<br />
<span style="font-weight:bold;">Alpha, huh?</span><br />
<br />
Yup. Signature format(s) are still in flux, and sections of the code are just stubs. But it basically works. Sending me signatures isn't very useful yet. Patches, ideas and comments, however... are extremely welcome @ knan-rosbif at anduin.net.<br />
<br />
<span style="font-weight:bold;">Why?</span><br />
<br />
Because I wanted to see what could be inferred from behaviour alone.<br />
<br />
HTTP load balancers like Pound and HAProxy usually are invisible, ghostly presences, subtly directing traffic and shaping conversations - these touches are detectable, if you think to look.<br />
<br />
Replacing a Server: header is trivial effort, mimicking protocol handling quirks much less so.<br />
<br />
<h3>
Bad karma</h3>
Published 2009-11-02T01:24:00.003+01:00<br />
<br />
The 9.10 upgrade losing track of /boot and swap (What, uuid? never seen those uuids anywhere, honest! Wanna buy some slightly used /dev/sda* references? Fell off a truck!) and thus failing to boot was a bit painful.<br />
<br />
A bunch of games suddenly growing scratchy/stuttery sound problems not evident in jaunty was more painful. Much debugging ensued.<br />
<br />
Wondercure: apt-get remove --purge pulseaudio<br />
<br />
... 
if only all social disorders were as easy to correct.<br />
<br />
<h3>
Befuddling web servers for fun</h3>
Published 2009-10-06T23:22:00.002+02:00<br />
<br />
<pre>sub test_get_11trailingcrap_knowngood()
{
 # So, does trailing crap after the HTTP/1.1 cause a panic?
 #
 # Lots of fun stuff ... some ignore the crap,
 # some think "stupid client, must be 1.0, here you go",
 # some get confused about the url and return a 404,
 # some reject with 400, some spew an error page
 # with no headers at all ("stupid 0.9 client, go away")...
 #
 # ...and some are just endearingly confused about it all.
 # UNKNOWN 400 Bad Request</pre>
<br />
<h3>
Fingerprinting fun</h3>
Published 2009-09-23T18:28:00.001+02:00<br />
<br />
knan@viconia:~/ak-git/htrosbif.git$ ./htrosbif http://thepiratebay.org/<br />
Fuzzy match (932/1000): lighttpd-1.5-svn2621.sig<br />
Fuzzy match (797/1000): lighttpd-1.4.23.sig<br />
Fuzzy match (797/1000): lighttpd-1.4.21.sig<br />
Fuzzy match (797/1000): lighttpd-1.4.22.sig<br />
Fuzzy match (683/1000): lighttpd-1.4.17.sig<br />
Fuzzy match (683/1000): lighttpd-1.4.18.sig<br />
Fuzzy match (683/1000): lighttpd-1.4.13.sig<br />
Fuzzy match (683/1000): lighttpd-1.4.19.sig<br />
<br />
<h3>
Hairy stunt #1: firmware update via wine</h3>
Published 2009-07-06T01:22:00.003+02:00<br />
<br />
My shiny new LG GGW-H20L blu-ray/alphabet soup reader/writer happened to need a firmware update. For some reason, many hardware vendors think win32 executables are handy for this sort of thing. I really... 
don't.<br />
<br />
But I got intrigued when several people reported success updating the firmware through wine. Copious amounts of wine can of course make almost anything seem like a good idea, so I bravely give it a try - it will probably brick something in an amusing way, at least.<br />
<br />
winetricks mfc42 grabs the usual missing dlls for us. Yet, the firmware updater fails with something on the order of ERROR_SUCCESS in informativeness.<br />
<br />
Oh well. Last try: running wine as root.<br />
... and it works. Quickly and perfectly. I don't _think_ I'm hallucinating. More voluptuous hallucinations would be expected in that case.<br />
<br />
I suspect the kernel's blk_verify_command kicked in when running as a normal user. Fair enough, you don't necessarily want the backup job user to be able to overwrite the tape drive firmware with zeroes. Or a more-evil-than-usual ransomware virus.<br />
<br />
Still, I boggle. And salute fellow Wine contributors. Well done.<br />
<br />
<h3>
ip6tables fun</h3>
Published 2009-06-15T19:20:00.002+02:00<br />
<br />
Note to self. IPv6 connection tracking is a bit eccentric.<br />
<br />
Seems that neighbour solicitations are "INVALID" according to conntrack. I.e. IPv6's equivalent of arp requests are invalid ... 
and dropped if you have a "-m state --state INVALID -j DROP" rule before your accept-various-icmpv6 rules.<br />
<br />
This does great things for my host security, obviously.<br />
<br />
Workaround: put --state INVALID drops after the icmpv6 rules.<br />
<br />
<h3>
OpenVMS cuteness</h3>
Published 2009-03-27T01:27:00.002+01:00<br />
<br />
<pre>220 xx.xx.xx.edu MultiNet FTP Server Process V5.2(16) at Thu 26-Mar-2009 8:19PM-EDT

ftp> site window-size 1073741824
200 TCP window size now 1073741824 bytes</pre>
<br />
<br />
Strangest ftp command competition, anyone?
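A pre-deployment check for the rule-ordering problem in the "ip6tables fun" post above, as an added example that is not from the original blog: it reads ip6tables-save style text and flags an INPUT chain where an INVALID drop comes before the rule accepting neighbour solicitation (ICMPv6 type 135). The function names and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example; check_nd_order, bad_rules and fixed_rules are hypothetical names.
# Both rulesets are constructed samples in ip6tables-save format.

bad_rules() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
COMMIT
EOF
}

fixed_rules() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Exit 1 when the first INVALID drop in INPUT sits ahead of the first rule
# accepting neighbour solicitation (ICMPv6 type 135), or when no such rule exists.
check_nd_order() {
    awk '
    $1 == "-A" && $2 == "INPUT" {
        n++
        if (!drop && /--(ct)?state [A-Z,]*INVALID/ && /-j DROP/) drop = n
        if (!ns && /-p (ipv6-icmp|icmpv6)/ && /-j ACCEPT/ &&
            (!/--icmpv6-type/ || /--icmpv6-type (135|neighbou?r-solicitation)/)) ns = n
    }
    END {
        if (drop && (!ns || drop < ns)) {
            printf "INPUT rule %d drops INVALID before neighbour solicitation is accepted (rule %s)\n",
                   drop, (ns ? ns : "none")
            exit 1
        }
        print "ok: no INVALID drop ahead of the neighbour-solicitation accept"
    }'
}

echo "before:"; bad_rules | check_nd_order || echo "-> move the INVALID drop below the icmpv6 rules"
echo "after:";  fixed_rules | check_nd_order
```

On a live host the same function can read the output of ip6tables-save instead of the samples.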