Saturday, December 04, 2010

CentOS vs. RDP

Since I've been wrapping up the proxy project for the last few months, I've been spending a lot of time on my CentOS laptop writing my magnum opus, although due to format constraints I have to use Word in Windows over an RDP (Remote Desktop Protocol) session.  And I'm finding CentOS—or maybe CentOS's implementation of X—has some problems.  See below (click for full size).


For the most part RDP is OK, but "Ls" and "t's" in certain places get reversed.  I thought this may be a problem with rdesktop, the standard RDP client that ships stock with most Linux distros, so I downloaded and built freerdp... with the exact same results.  I had a similar issue with rdesktop on Debian r4.0 back when it first came out.  Besides the reversed characters, it also had the nasty habit of crashing constantly on any slightly challenging display.  Rebuilding it took care of everything on Debian.

Not so on CentOS.

So I'm just living with it.  The problem didn't show up in any application until I fired up that PuTTy session above.  If during your RDP session you hit Alt-PrintScreen and paste it into MSPaint, the fonts are correct!  (The capture above was done in Linux)  In fact, if you change the PuTTy font size while in RDP the display gets better. It's still screwed up, but not as much, which is what leads me to believe it's an X issue.

As usual I can find no other human being on the planet with this particular problem.

CentOS being CentOS (highly stable and reliable and therefore not bleeding edge), this issue will probably not go away for a long time.

UPDATE!


I RDP'd to my Windows 7 laptop from CentOS (via rdesktop) for the first time and was surprised to see that the Aero theme wasn't disabled.

I'm not a big fan of Aero (in fact I really couldn't care less), but it is disabled whenever you start a Windows-to-Windows RDP session.  A good thing, too, because RDP chokes on heavy graphics.  It was pretty sluggish at first, but once all the graphics were cached, it was very usable.

I haven't made up my mind whether it's a bug or a feature.

Friday, December 03, 2010

"Heartless Bastards In Cameroon"

Attention Pappa Dollars, STARVO, Dabbleed, et al.

Try to be nice, OK? You're pissing people off.

They're calling you names now.

Thanks and remain blessed,

Хинки

UPDATE!

12/04/2010 — Thanks for the link, Cameroon!

Thursday, November 25, 2010

NoScript + gmail = NoLove


Hard to pin down, but some combination of Firefox, NoScript, and a dozen or so other FF plug-ins trashed gmail for me for a couple of weeks. Chat stopped working completely and I lost the ability to create filters.

Following as many security lists as I do, I need to create filters just to keep my gmailbox in order. You can just tell when a Full Disclosure thread is going to go Full Troll (like this one) and I really don't need that bullshit. After deleting plug-ins, and even removing NoScript, those particular features were still broken, so I moved all my gmailing over to Chrome.

Then, after a few days, there was a NoScript update and everything was fine again.

I can't really blame it all on NoScript because I have other FF browsers with NoScript and the problem never affected them. Just one browser on one machine.

And during this same time period Google had one of its worst vulnerabilities that hit all their apps.

Just makes you want to say what-the-fucking-fuck.

Saturday, November 20, 2010

Sic Transit Gloria Mundi


Thus passes the glory of the world.

Three years ago this month the Salt Mines got their first Chief Security Officer.  At the time I was busy with other things, most notably My Very First Websense Hack.  I didn't get around to mentioning the re-org until several months later, at which time I made a prediction that the newly formed Security Group would eventually dwindle down to  four to six people.

As usual, I was right, although the motivation for hacking the team to shreds was not layoffs (or was it?).  The stated reason is that we are moving to a Managed Security Service Provider.

In my gut, I know this is not a Good Thing, but I'm told I will remain on the team (no doubt to train a replacement), and so I shall, but no amount of reassurance is ever going to give me a Warm Fuzzy about this situation.

Having been a consultant in a previous life, I know how these guys work.  They're going to look at the salaries of the Team (including the CSO or CISO or whatever they're calling him these days) and see an untapped revenue stream.  So, I'll be watching my back in the months to come.

With that in mind, I have ordered this book.  From the reviews, it sounds like so much pop-psych bullshit but I'm leaving it on my desk in a position of prominence just for shock value.  In essence, it's a stage prop, only there to be seen.  Whatever people take from its presence will come from their own minds.

(If you're wondering, I'm not mentioning the title because I don't want this blog post to end up in any search results specific to the book.  FWIW, as a companion piece I have also ordered this book, which I have previously read but I foolishly lent it out to a jerk who never gave it back.  It is a great book, not pop-psych and people never read the subtitle, so they always get the Wrong Impression, which is exactly my motive.)

No, I'm not paranoid.  People are out to get me.  People who, until lately, were part of my trusted group of co-workers (the clowns who got removed from the Security Team).

Yes, I was, as they say, being thrown under the bus.

No, I'm not paranoid!

Hinky is a gullible, good-hearted guy, trusting in peoples' stated motivations and assuming good intentions from all; your typical, self-deluded man on the street.  But this time I was shown I was being thrown under the bus.

Luckily, I lived to tell blog about it.

Coincidentally, I was also recently involved in an investigation into someone else getting thrown under the bus.  It's very difficult to explain without going into too much detail, but I was exposed to both sides of a situation similar to my own near-encounter with the nether regions of public transportation.  On one side were people making a mountain out of a mole-hill and on the other were people desperately trying to make a mole-hill out of a mountain.  Vested interests on both sides, with Hinky in the middle.  Soon there will be rolling heads, but I lost a lot of sleep (literally) being involved in this.

It was this that began my preoccupation with lying, and ordering the books.  Wikipedia has an excellent article on the subject.  In fact, although my personal motto (stolen from Firesign Theater) is "I never lie and I'm always right" I see a lot of myself in this section.

A friend of mine—now deceased—was a near pathological liar.  He was an expert.  He never used his talents against me—that I'm aware of—and often practiced his white (-ish) lies in front of me. 

These days you might call him a "social engineer" (yes, there's the security hook).

His masterpiece was The Great Display Case Massacre.  He single-handedly threw all of his co-workers under the bus.  We worked together in sales at a high ticket retail shop.  He accused the entire sales staff of a highly plausible practice: selling merchandise out of the display case instead of out of the stock room.  Proof?  No merchandise in the display case and empty boxes in the storeroom.  Case closed!

He had everyone going on that one, including the owner and management of company, who weren't too concerned because, after all, items were still being sold.  Or so they thought.

Of course, no one was selling out of the display case and it was him stealing the company blind, although they were clueless the entire time.

I found out the truth because I asked him about it, years (Statute of Limitations years) later.  He freely admitted it and we both got a good laugh out of it (the company owners were bastards who ended up screwing the sales staff anyway—which doesn't make it right, but there was no one left to care).

I don't believe reading books will ever make me good at spotting the lies that count, but as long as people think I'm a Grand Inquisitor I have an edge I can leverage.

Yes, I'm living in interesting times.

Sunday, October 24, 2010

Another One Bites The Dust


Sadly, EXP3 died today.

In fact, given its pedigree, it took EXP 1&2 with it. So I got about 48 months out of that dog, which was a Tiger Direct refurb to begin with.

It didn't actually croak. It's still operational. One of its 256MB DIMMs took a shit on itself and the box became unbootable. An fsck with bad RAM finished off the boot disk, so at this point it's just euthanasia.

It's just as well. There are far too many boxes around here anyway. EXP4 sits in a corner waiting for "something" to happen. Plus, I have a nearly 12 year old Windows domain controller that should just die and get it over with (it's so old there's even an NT4 boot partition on it). It barely serves any purpose anymore (local DNS but that's easily replaced by a Linux box).

In fact I'm starting to look at Windows as a Third World operating system these days (not sure what that makes Linux). It is a hopeless, lost cause.

But I digress.

EXP5 continues to shine. It's a very nice box and I've been using it a lot while you folks aren't using it. And sometimes while you are. I installed the HTTP Anti-Virus Proxy (HAVP) on it out of concern for all the crap floating around on the Interwebs. It, in turn, shoves everything through SQUID, which lives on BOT House.

I'm not convinced it's a robust AV solution, being based on ClamAV which is very e-mail centric, but I felt I needed another layer of protection after seeing all the trouble the fools folks back at the Salt Mines have been getting themselves into with their wacky Web browsing habits. So far it seems all I can detect are EICAR files (you will get a warning from your AV on that link, but it's just an AV test file).

There's never a virus around when you need one.

Sunday, October 17, 2010

What a bunch of PANSIES!

Seriously, Auto-AutoAdjust isn't THAT bad, people!

Even you hot shots get your feelings hurt when the bots start slamming you (see how it feels, huh?). Don't like it? Then don't get a huge point spread. That, or FIGHT BACK! It's not impossible to beat them. I've seen it done a number of times already and I've even beaten them myself! And I SUCK!

So anyway, I twiddled the kick-in spread to 40% of the high score.

Map Death & Resurrection

I brought back two maps on EXP5 and got rid of one. BOT House & BITCH House remain the same.

Gone: Morpheus

I never did like that map, but I don't know why. I just can't put it into words, but it's always a groaner for me whenever it comes up in the rotation. I used to love hitting Thummy with the Redeemer whenever she camped out in the tower with the sniper rifle. But alas, she's gone and there's nothing but painful memories left.

BACK: Crane

Oh, stop. It's not that bad, especially in low gravity. I like going up on the crane and taking pot shots at everyone down below. It's a nice "Big Sky" map, which was the only redeeming feature of Morpheus.

BACK: Morbias II

I like bouncing up to the Redeemer hole with a rocket launcher and a full load of rockets. You can bounce the rockets off the wall and down into the tunnel below and navigate the Redeemer through the narrow passageways when it pops into existence.

Yes, I'm a camper at heart.

And speaking of rockets & redeemers, one of my favorite things to do on a boring Winter afternoon is fire up Facing Towers and taking redeemers on a spin around the map. They go on forever, or at least until you get bored and blow something up.

Lately I've been exceedingly fond of bouncing rockets into the wall ahead of me and dodging or jumping out of the way when they bounce back to hit the player chasing me. I've always been a rocket bouncer. I'm the guy in Oblivion who camps out in the hallway and lobs rockets into the big arena in the front of the ship. It's very effective if you're a crappy player like me (eleven years and I still suck at this game). And that's me on the roof in Curse II, running around in circles and dropping rockets on everyone below. I've been doing that since 1999 and it never gets old. In fact it really used to annoy my kid when he was a teenager because it was damn near the only map I ever played, cranking the bots up to 32 and setting the high score to 999. It wasn't about winning; it was about dropping rockets. Ahhh, the old days!

Sunday, September 26, 2010

EXPERIMENTAL *5* Online!



Ain't she a beauty, boys and girls?

Yep, a genuine off-lease, refurbed IBM ThinkCentre corporate type PC!  Vintage 2006!

It's not so bad as it looks.  It has the good old P4 3.4gHz CPU and a gig of RAM.  Hey, 32 bits is all you really need!  Not much to speak of in disk space (40G), but it's really not needed for a lowly UT99 server.  And, as usual, it was cheap!  What else do you expect from the Dinkster?

She's runnin' Debian 5.0 (Lenny) and I just hacked together a custom kernel out of the latest release code (2.6.35.5) from kernel.org.  Plus I threw in the latest greatest revs of iptables & ipset.  Slicker 'n snot on a doorknob, kiddies!

And I did it just for YOU!

Welllllll... maybe.  It's part of my Take Back The Dual Core AMD64 Project.  We never did need all that power for a UT server and I'd like to get some mileage out of it before it goes obsolete, although it pretty much is already.  There's a few more things to do before I take it down, like migrate the UPS and reroute one of my covert tunnels but those are projects for another weekend.

So, EXP 5 (the box) now runs BITCH House, Classic ]i[, and Experimental 5, which is identical to Experimental 4 if you haven't noticed already.  It will also be the backup for BOT House, if need be.  If push comes to shove and BH (GAWD FORBID!) dies, this thing can take over the whole operation.

Besides being a rockin' UT99 server this box is actually a very decent Linux desktop!  Especially with Google Chrome and Firefox on it (you can keep IceWeasel, Debian).  On the first rev (actually the second after my disappointing experience with Xubuntu 10.4) I tried the LXDE version of Lenny but it was just too limited.  So I wiped it in favor of XFCE.  I usually go for Gnome, but I've seen Gnome on Lenny and it's just plain boring.

And of course, I despise KDE.  Always have, always will.  It's simply a matter of aesthetics.  I don't care if it's faster and I don't want to get into a flame war about it.  It's just fugly.

So anyways... come by and play a few rounds.  When was the last time you played Classic ]i[?  There are some fun levels in that package!

Saturday, September 25, 2010

So Long, Ubuntu!


I have to admit I'm a little behind the curve on Ubuntu. 10.4 LTS has been around for months now, but all I've done is throw it on a VM and play with it a bit. That, and a disastrous upgrade attempt on a VirtualBox VM. But the other day I installed Xubuntu 10.4 (the Xfce version) and I really liked what I saw, especially after installing Chrome on it.

In fact it was just about set up to my liking and I was moving some UT servers over to the disk when I decided to wrap up the install over Xwin from my XP box.

What a fucking disaster that turned out to be. It's all explained here.

Long story short, Ubuntu has decided to start screwing its pooch. So I said "buh-bye" to Ubuntu for good and started to look for another distro to install.

Oh, I thought about Fedora and CentOS and Suse and my first love, Slackware and I even tried to download Suse & Slackie but it was a no go.

And although I'd had it with Debian 5.0, that's where I landed. Deb will always take you back like a fat fuckbuddy.

At least it runs Chrome. That's about all I ask for in a Linux distro these days.

So here we are again. Look for EXPIV to become EXPV, but the BITCH House and Classic ]i[ will remain the same.

Wednesday, September 22, 2010

Five Hour FAIL


Today, on the Autumnal Equinox, a powerful storm blew through the area during rush hour. Driving through it was a serious BITCH, and when Pinky & I finally got home, the power was out and the house was dark.

According to the one analog clock in this house, it shut down at 5PM. It finally came back on after 10PM.

On the bright(-ish) side, all four UPSes shut down perfectly, even the new APC 1500, which had been giving me fits lately. Everything came back up without incident.

But, as expected for a long outage, the IP address changed, so you'll have to update your UT99 favorites accordingly.

And speaking of UT99, I may be replacing one of the servers in the near future, probably the 64bit dual core system, which is the hottest box I have right now. Unfortunately it is also severely underutilized.

But that plan is subject to change without notice and I have so many things going on right now it may be quite some time before I do anything at all (but I do have the replacement box right now).

Stay tuned.

Monday, September 20, 2010

FUCK Adobe


And the horse they rode in on.

I patched Firefox for a Flash 0day and I got this horseshit along with it (click for a larger view)...


I didn't want "New York Times Reader" and they never asked.

I avoid the NYT like the plague.  The first time I ever logged in to NYT was in 1997.  I did not know SPAM before that day.  Afterwards, my inbox was trash.

What's even worse is I haven't found out how to uninstall this crapware yet!

GRRRRRRRRRRR....

Monday, September 13, 2010

BOT House is BACK ON TWITTER!!!

It's kind of a lulzy state of affairs and it probably won't last long, but BH is back on Twitter!

Here's the trick: Twitter sucks.

They didn't really get rid of BASIC Authentication, they got rid of it for the Little Guy (that's you and me, boys and girls). If you're a Big Playah, you get a pass and your application can use BASIC Auth.


The details can be found here.

You will get a chuckle out of it!

Thanks to achillean for tweeting this!

Saturday, September 11, 2010

Chrome on CentOS AT LAST!


I'm not a big fan of CentOS but I've been compelled to run it for a couple of reasons. The first being I need something compatible (and free) that's compatible with the Red Hat systems we have at the Salt Mines. CentOS is Red Hat with all the branding removed to make it free.

The other reason is this old (circa 2005) Sony Vaio laptop I inherited from my kid, Inky Dink, shown at left. Installing Linux on it was pure Hell. CentOS is the only Linux distribution that runs on it and doesn't crash, and it's actually a pleasure to run it (the touchpad is super flaky but I usually use a USB mouse with it anyway).

And that in itself is the reason I have a love/hate relationship with CentOS. The stability comes at a price: everything about it is old.

Because it's old you just can't get the latest and greatest version of anything. Then again, because it's Red Hat compatible almost everything is available for it.

Almost! Chrome isn't. Google doesn't distribute a compatible version. But these folks in the UK hacked together a distribution that really works.

I'm using it now to write this. I have been using Opera, but it dogs down in places where I need it to perform, specifically Google Maps (I'm quite proud of this and I need to update it every day).

In typical Chrome fashion, everything is just plain fast.

I'll definitely be using this laptop a lot more in the future.

Now if I could only play UT on it... hmmm...

DELETED: Adobe Reader

I have decided I don't have time for the drama Adobe Reader adds to my life.

That, and the incessant reboots the weekly patches require, if they succeed at all. I can live without it, thank you.

I am voting with my feet on this issue.

I have decided to go minimalist and rely on evince for all my PDF needs. The Windows version is Spartan, but I really don't care. At most all I do with PDFs is print them or copy & paste to something else. Evince does both those tasks well enough.

Sure, evince has had its share of problems in the past, but I don't care. If I could live my life completely Adobe-free I would be a happy man. But then there's... ugh... Flash.

Monday, September 06, 2010

A Case of the Stickies


I have no clue what happened, but yesterday I took the joint down cold to check out the UPS hooked up to BOT House, an APC BackUPS x1500.

Yeah, that one. The new one.

This little bitch is pissing me off. Very occasionally it will go "click click" and BOT House will hang, requiring a reboot.

That is not what a UPS is for.

Everything was hooked up correctly, so I did the only thing I could do. I just plugged it in to a different outlet on the UPS.

I fired BH up and played a few games. I kept getting stuck, and I noticed bots kept getting stuck. Players, too. WTF?

So I took the place down again and did what I did on EXP4 that fixed that particular problem; I tied the game down to one CPU (with taskset). That doesn't make sense, since it's a single CPU system, but it is hyperthreaded, so it thinks it has two CPUs. I started it back up and the problem went away.

It's been running fine ever since.

Sunday, September 05, 2010

Worst Browsers: IE8 & Opera 10.6


This is not a review. This is a rant about Windows browsers. I run Firefox with AdBlock Plus and NoScript because I can't tolerate ads. On top of that, the home proxy runs SQUID with AdZapper. True, lots of sites can't run without Javascript, but for those I use the "Chrome View" Firefox plug-in. And now that there's an AdBlock for Chrome, I hardly see any ads with either browser.

The absolute best of both worlds. FF+ABP+NS for security and Chrome+AB for speed.

Internet Explorer 8


This browser, aside from the problems of its pedigree, is simply dog shit SLOW.

The slowness is evident whenever you hit the "new tab" button. It can take up to five seconds for the new tab to appear and then you get that "WTF do you want to do now?" page.

Just give me a blank page and do it now! No stupid questions!

Next is the dedicated clipboard embedded in IE 8. This is totally unnecessary. Not only does it have "enhancements" I never use, but like the new tab button, it takes forever to pop up after you highlight and right-click.

90% of the time all I want to do is cut and paste.

And, this new clipboard is a resource hog. If you do a lot of highlight, copy, paste in a browser window it will eventually stop working. Ctrl-C and Ctrl-V still work, but the popup menu is gone until you kill IE and restart it.

And what is the point of "grouped tabs"? Most of the time the added pastel colors are offensive. I end up ungrouping the tabs so I don't have to look at it.

Why can't I shut that off?

Opera 10.6


Straight up I'll say at this very moment I'm writing this with Opera, but I'm doing it on my Linux (CentOS) laptop. It's fast and responsive on Linux and a great option when Chrome won't run on your distro.

On Windows it's a different story unless Opera is the only browser you're running. I've been known to run four or five different browsers at a time—FF, IE, Chrome, Comodo, SRWare Iron, Safari—you name it, I run it.

Opera doesn't like that. It likes to be your one & only browser. I don't know why that is, but, like Safari and to a lesser extent Chrome, Opera uses IE's guts and it doesn't like to share.

For me, that makes it unusable, which is a shame because I like Opera. But when IE and Opera are open at the same time, dog shit slow IE wins the speed contest.

If you're a one browser kind of guy, Opera isn't a bad choice. You can do worse.

Also-Rans


SRWare Iron was a great browser.

In 2008.

But they haven't updated it since. I have a hard time believing it's that well made. Still, it's a good alternate when I'm already running Chrome and I want to switch to a different proxy, which is just a command-line switch away.

I don't have any real objections to Safari. I just don't use it much. Primarily I don't like the looks of it. I like my windows to match the system colors, and the burnished stainless steel look simply doesn't. And since it's tied to IE 8's proxy settings—which wasn't always the case—it's less than useful for my purposes.

While I'm at it I'll throw some turds at Iceweasel 2.0, although it's not a browser anyone uses anymore and it's only available on older distros of Linux. Me, I'm stuck on Debian 4.0 for a number of reasons, the main one being they never fixed the issues with VNC 4.0 on the newer version, Lenny.

The burning issue I have is Debian's insistence that "copy on select"—highlighting automatically copies into the clipboard—is the right thing to do everywhere. Blogspot simply disagrees. I disagree. That is not how the Universe works.

But, I'm stuck with it. If I upgraded to Lenny I could have Chrome and Opera. But not VNC 4.

New Look For Fall!


Well, I finally did it. I gave Blogger a few months to come up with some new templates but they disappointed me. Same shit, different day. And although I've criticized the look of "Dark-Ass Security Blogs" in the past, the other options are just too happy, trendy, or touchy-feely for my tastes.

After all, this place is about HAXX and FLACK, not puppies and flowers.

So it's back to the same old, same old but with more horizontal space. The old style always seemed so cramped.

Saturday, September 04, 2010

Apologies To Shirley In Accounts Payable


Once again I have managed to get the #1 result in another Google Search No One Ever Uses, "Shirley In Accounts Payable"...


Which is odd because at one time—the 90s?—there was an anti-virus ad featuring "Shirley in Accounts Payable" (because nothing can protect your company from her).

So... sorry, Shirl... you're just too easy to pick on.

I used to work with a Queen Bitch named Shirley (we liked to call her "Squirrelly") who happened to work in Accounts Payable at a company I once worked for.  It was my first IT job.  Whenever the "Okie Dokie" printer, as everyone called them back then, was down, she would inevitably say, "If I can't print we don't get paid!"

Truthfully, she was a nice lady, about 40, blond, with a big set of bazongas, in a day before "MILF" was a common expression (you only knew it if you listened to Howard Stern back then).

These days, if she hasn't hit the wall by now, she might be a GILF.  It was that long ago.

But when that time of the month rolled around (no, not that time, but whatever day of the month accounting departments get busy) the Queen Bitch came out and you had best stay out of her office.  It was years after that the "Shirley In Accounts Payable" ad came out.  That ad always stuck in my mind because it reminded me of her and to this day I use "Shirley In Accounts Payable" when describing the average corporate user in everyday conversation.

So anyway, the original article mentioning Shirley is here.

Friday, September 03, 2010

Twitter Muzzles BOT House, EXP4

Twitter updates from BOT House and EXPIV stopped abruptly on September 1st when Twitter stopped supporting BASIC authentication.

This is both good and bad.

Bad because I have no idea how to use their new authentication model. I'm sure I can hack it out sooner or later, but I have other weenies to roast at the moment.

Busy, busy, busy!

Good because, face it, BASIC authentication sucks ass. It's so barely encrypted (in BASE64) that it might as well be clear text. It's a method to be avoided at all costs. But, it's also a good quick hack, something I'm very good at.

So for now, no more Twitter updates from BH or EXP4.

You can still tweet me if you feel like it.

UPDATE!

09/13/2010 — BOT House is back on Twitter!

Sunday, August 29, 2010

(EDITORS: STORY CAN END HERE)


I ran across a variation of the phrase in the blog title in this news article just minutes ago. I concluded (I think rightly) that it was a "serving suggestion" by the journalist/author to the copy editor of whatever publication was considering the article. I Googled the phrase and found the one above. I Googled that one and came up with over a quarter of a million results.

I conclude there must be a shortage of copy editors in the world.

And I'm thinking if I try hard enough I can get the number one hit for this search!

UPDATE!

Thar she blows...
I love it when a plan falls together!

Friday, August 27, 2010

PoTTy DLL Hijack Vulnerability



NAME: PoTTy v0.60
=================

VENDOR: Mr. Hinky Dink
======================

PoTTy, an Open Source, modified version of Simon Tatham's PuTTy (Windows version, v0.60) for Bruce Leidl's Obfuscated-OpenSSH v5.2 server, has been demonstrated vulnerable to the recent Windows DLL hijacking exploit(s).


PROOF OF CONCEPT
================


See storm's (storm@gonullyourself.org) exploit code at http://www.exploit-db.com/exploits/14796/

VENDOR RESPONSE
===============

WTF? How do I fix this?


REMEDIATION
===========

Stop running Windows.


HISTORY
=======

08/27/2010 - Vendor notified
08/27/2010 - Vendor craps pance
08/27/2010 - Vendor decides any publicity is good publicity
08/27/2010 - Vendor publishes details


LINKS:
======

Vendor Response: http://proxyobsession.net/?p=1097
PoTTy Download Page: http://www.mrhinkydink.com/potty.htm
Obfuscated-OpenSSH: http://github.com/brl/obfuscated-openssh

c. MMX Mr. Hinky Dink

Saturday, August 21, 2010

SKILLZ--


A few refinements were made today.

First, I bumped the BOTs' skillz downward.

Second, if BOTs are in first and second place, AutoAdjust is turned OFF.

Lastly, the spread that kicks in AutoAdjust is now HISCORE/3. This makes no difference in BOT House, but it kicks the spread up to 11 in EXPIV.

In all, it's easier to kick into AutoAdjust. You just have to work harder when you're winning!

I finally had to stop following BOT House and EXPIV on Twitter. There was just too much garbage and - I never thought it would happen, but - I'm actually starting to need tweets to stay informed on a number of subjects. I still keep a tab open on both of them to see what's going on and I continue to be amazed at the fact that, combined, they have over 1100 followers.

In fact, if you search for BOT House on Google (with or without quotes), the BOT House Twitter page is the number one hit. That came as quite a shock, considering without quotes there are over seventeen million hits (with quotes, just over 14K).

So anyway, tweet me if you get a chance. I am finally paying attention.

Thursday, August 19, 2010

It's Always Something!


After I published my first Websense hack back in 2007, my hard drive died. It took out BOT House for a couple of months (just the box itself, the UT servers were jacked around to other boxes and VMs).

The second time, RoadRunner died.

Now, on the day after the third Websense hack, RoadRunner decides to re-engineer its entire network.

They moved the DHCP server and re-IP'd the entire network in my area sometime after 2AM this morning. As a result, everything died.

For the average user, moving the DHCP server should never be an issue, but in RR's case, it's on a 10.0.0.0/8 network. The problem is, with my unique setup, I already have a route for 10.0.0.0/8, so the router/firewall (which is where BOT House lives) was never able to renew its address, knocking it offline.

Which is just as well because BH only expects to lose its address after an extended power outage. It's hacked around so that everything - startup scripts, routes, system variables, etc. - gets changed after a reboot with a new IP. No reboot, no IP change.

And naturally, once I rebooted BH to set everything right again the damned thing decided to check all the disks, which took forever.

The servers are indeed back up, but you will need to update your UT99 favorites, if that's how you connect.


AND ANOTHER THING...


For the first time in four years this place attracted comment SPAM in the Websense Redux article, which was THE WORST PLACE they could have picked. I don't want to moderate the comments, but if it keeps up I'll have no choice.

Wednesday, August 18, 2010

Websense/ISA "Via:" Bypass Redux


discovered by mrhinkydink

PRODUCT: Websense Enterprise

EXPOSURE: Trivial Web Policy Bypass (III)


SYNOPSIS
========

On May 29, 2010 I demonstrated that by adding a "Via:" header to an HTTP request it is possible for a user to completely bypass filtering and monitoring in a Websense Enterprise 6.3.3/Microsoft ISA Server (2004 or 2006) proxy integration environment. This was addressed in Websense Knowledge Base article #5117.

However, anyone familiar with the Via bypass technique would have noticed this remediation was insufficient.


PROOF OF CONCEPT
================

The following works in a Websense Enterprise system using the ISA Server integration product in a Cache Array Routing Protocol (CARP, sometimes referred to as "CRAP") configuration, which requires at least two ISA servers.

Assuming there are two ISA servers configured as per Websense Knowledge Base article #5117, one at IP address 10.10.0.1 and another at 10.10.0.2, perform the following:

I. Install Firefox >= 3.5

II. Configure Firefox to use one of the proxy servers in the CARP array (10.10.0.1).

III. Obtain and install the Modify Headers plug-in by Gareth Hunt

IV. Configure the plug-in to add a valid "Via:" header pointing to the other server in the array.

    Example: "Via: 1.0 10.10.0.2"

V. Browse to a filtered Web site

VI. All content is allowed without monitoring or filtering


PoC RESTRICTIONS
================

All restrictions of the original Via Bypass article apply.

See http://mrhinkydink.blogspot.com/2010/05/websense-633-via-bypass.html

OTHER USES
==========

Limited only by your imagination! You do have an imagination, don't you?

See http://mrhinkydink.blogspot.com/2010/05/websense-633-via-bypass.html


WORK-AROUNDS
============

Install Hotfix 17 provided by Websense.

HISTORY
=======

06/25/2010 - vendor notified

08/13/2010 - vendor releases Hotfix 17

08/18/2010 - PoC published



c. MMX mrhinkydink

Saturday, August 14, 2010

10 Days of "Auto AutoAdjust"


And no one has complained yet!

I must say it adds a bit of a challenge. And that challenge is staying less than 10 points ahead! That, and finding a good place to hide when it's time to KICK OUT THE JAMBS!

IN OTHER NEWS, it seems like the stars and planets have aligned for some sort of cosmic spotlight on the old Dinkster. Normally, for me at least, when I get that feeling it's reminiscent of the archetypal wide-eyed convict with hands spread and back against the prison wall.

Generally speaking, not a good feeling.

This time around I think things are going to be different. There are some endings and beginnings on the horizon and all of them are good. Not only is there a light over at the Frankenstein Place there's one at the end of the tunnel as well. Last week brought a Triple Whammy of Good Things, all centered around the same subject, a subject on which I just happen to be a Subject Matter Expert (SME, for you non-PMPs).

And although I don't want to get specific just yet, suffice to say this may finally be my ticket out of the Salt Mines.

Tuesday, August 03, 2010

XOR AX,AX Retired


The bot XOR AX,AX (a.k.a. "Zero") has been retired and replaced by "ASS-HOLO", in (dis)honor of ACE-GORO, who is an annoying little bitch because he's always trying to lure players away to his server.

After testing out Auto-AutoAdjust I decided to take some skillz away from 6 Pack Sally, who was more than nasty enough without getting AutoAdjusted. She's still tough, but not as tough as she used to be.

FWIW, "xor ax,ax" is an old programmer trick (I first heard about it in the 80s) to load a CPU register with zero. Since any number xor'd with itself is zero, it saves CPU cycles and memory over an immediate load. It has become so prevalent over the years that it is now a standard assembler optimization. It will probably never be retired.

Now that it's working I am declaring a General Amnesty and clearing out the firewall rules.

Monday, August 02, 2010

NEW! Bot Skillz Code


From here on out, if you want to know the Bot skill level during the game, say:

HSQ!


... and the admin will tell you after a short delay.

I suppose it stands for "Hinky Skill Quotient". It must be ALL CAPS. Don't forget the BANG (!) at the end.

Of course you can always do it the old-fashioned way, whatever that is. I assume there must be a command somewhere in the UT game console, but I seldom use it, so I wouldn't know.

Auto AutoAdjust works quite well. It gives the good/cheating players a run for their money and since they usually clear the place anyway I'm not too concerned about that happening. It will always reset to Novice sooner or later, and it will not AutoAdjust when a Bot has the lead.

When it happens the best thing to do is try to hide somewhere and let the hotshots deal with it until it's over.

Sunday, August 01, 2010

Back To Plan "A"


"Auto Godlike" was just a bit too much.

Some players are going to have nightmares tonight because of it. They went home crying their little eyes out.

Sorry about that.

Plus for some reason it seemed to be a little "sticky", meaning it just wouldn't reset itself between games. I know I've seen that before. Godlike has a mind of its own sometimes.

And when everybody's getting beat, no one wants to hang around. It really cleared the place out, which is not the point.

So it's back to "Auto AutoAdjust", which is capable of Godlike if it has to be. The spread is hard-coded to ten instead of half the high score. That way, Classic ]I[ will never go into AutoAdjust (the high score is only 10). There are better ways of doing that but for now it's a quick fix.

I need to put a little finesse into it as well. It shouldn't kick in if a bot is winning, only a human. That might take a little work, but bots are pretty obvious because they have a zero ping.

When the admin says "KICK OUT THE JAMBS" that's when everything kicks in, so watch out for it.

0days & Anonymous Assclowns


Tomorrow, August 2nd, Microsoft is supposed to release a patch to address the (decade-old) "LNK" 0day vulnerability in all (supported) versions of Windows.

If you haven't heard about this yet, you've been living under a rock for the past month.

Or, like most people, you just don't give a shit about computer security (after all, you play UT99 and install untrusted DLLs almost every time you play, right?).

I consider this a severe threat. So much so that I have moved all my online activities (except UT) over to Linux, specifically my 64bit Mythbuntu system.

(And - incidentally - I have also been using Opera, which is much better on Linux than it is on Windows - why is that?)

If you're wondering why you haven't heard about this on Hinky Links, the fact is I'm pretty burnt out on security and I've been letting Hinky Links slide into the shitter.

On top of that, working at the Salt Mines has been an incredible disappointment. Rumor has it our "Security Officer" is about to get the axe, and he's been acting like it.

That would be Anonymous Assclown #1 and the less said about him the better.

Anonymous Assclown #2 recently dropped a few threatening comments here at Blogspot accusing me of being in cahoots with yet another Assclown. I have no clue what that is all about, but if he shows up again I'm going to have to shut off anonymous comments.

ASSCLOWN UPDATE

I didn't mention it earlier, but this is what Assclown #2 had to say...
If you fail to answer my question in a timely manner, I will assume that you are working directly with Kimmo [this guy - hinky]. As such, I will be forced to send tons of false abuse reports to your registrar and host, GoDaddy, which may result in you losing your domain and hosting privileges.
I'm not sure what this assclown's schtick is, but apparently this "Kimmo" dude has raised the ire of 4chan et al. over the past few years.

Me, I never heard of him. But since I'm not interested in losing my GoDaddy accounts just yet (although I've been bitching about them for years now), I called Tech Support and let them know of this guy's threats. Their policy is to contact the client before taking any action on abuse complaints, so it shouldn't be a problem.

I deleted Assclown 2's original comments but if he shows up again I'll probably let them float for awhile, just for posterity's sake.

Auto Godlike Mode!


Once Auto AutoAdjust started working after I fixed it, I decided it didn't work too well.

At least it did work, after all these months, but it just wasn't enough to make a difference. So now on top of AutoAdjust, I kicked the bots' skillz up to "Godlike".

Again, this only happens once the lead player's score is half the winning score ahead of the next highest player. It only affects the bots, so if there is a house full of humans nothing really happens.

Considering the bots normally start out as "Novice", if you're really good and you're the only person playing, WATCH OUT!

I have taken great pains to assure that the bots go back to "Novice" mode after the game is over, but there may be unusual circumstances where they might get stuck in "Godlike" mode.

To test all this out I may declare another General Amnesty and un-ban all the bad players.

I have the week off so I'll probably be playing quite a bit.

Pussyfooting Does It AGAIN!!!


Last night at about 7:45PM she shut down EXP IV for the second time in three days!

She wasn't as graceful this time. First I heard the sound of shit getting knocked over before the tell tale "beep" of the UPS off-button.

This was obviously a malicious, deliberate act! Cyberwar in my own Fambly Room!!!

I have since implemented countermeasures to keep it from happening again. A cardboard barricade, secured with spare paving bricks, is the first obstacle. If she gets past that, she has to knock the keyboard out of the way.

Wednesday, July 28, 2010

My Cat Just Shut Down EXP IV


Jesus.

The UPS is at floor level and evidently she just stepped on the power switch.

Seriously.

To make matters worse it appears to be hung. It's starting up read-only.

This is NOT the first time this has happened, but it is a first for the cat, that's for sure!

Bear with me while I bring it back to life.

UPDATE!

WHAT AN INCREDIBLE PAIN IN THE ASS!!!

Since Miss Kitty kicked the plug, /etc/mtab was not deleted so the system thought all the drives were mounted. The "remount" option would not take and a shutdown with "-F" would not check the partitions on reboot. I had to force a check on the root system while it was mounted, which is normally a HUGE no-no. But it's a JFS partition so evidently that doesn't matter (try it with ext3 and see what happens).

So I finally mounted it read/write, deleted /etc/mtab, and brought the system back up.

Now I have to figure out where to put the UPS so the cat won't step on it again.

Epic FAIL - Hinky Style!


Back in February I updated Chat-O-Matic to include a "feature" that turned out to be a bug. It was an incredibly sublime bug and I spent a lot of time tearing my hair out over it. The bug manifested itself in three ways:
  • The admin name stopped changing on EXP IV
  • The admin stopped harassing the top player
  • The "feature" never worked worth a damn
But, it didn't break Chat-O-Matic.

I only looked into the first problem, which was incredibly annoying. You might recall that "Eddy" was the admin on EXP IV for a long, long time. It changed once or twice when I was debugging, but I could never make it change automatically.

So WTF happened?

I broke all the functions dealing with score-tracking when I added the new feature. The aim was to kick the bots into high gear whenever a player (assumed to be a cheatz0r) had a lead of half the winning score over the next highest player. There was already a variable called HISCORE and I added another variable named 2NDHI to calculate the point spread, like so:

PSPREAD=$((HISCORE - 2NDHI))

I suppose anyone who knows BASH sees the error and here we get into the difference between RTFM (Read The Fucking Manual) and UTFM (Understand The Fucking Manual).

You can RTFM and never UTFM a lot when it comes to Linux.

It turns out a variable name cannot begin with a number.

I did not know that!

And nowhere in the BASH manual does it explicitly say "You cannot have a variable that begins with a number".

But it does say that "[n]" is interpreted as a file descriptor. Every time the interpreter ran across "2NDHI" it spit out a "command not found" error.

I changed "2NDHI" to "HI2" and everything worked fine again.
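Here is the point-spread calculation with a legal variable name, as an added example (this is not the actual Chat-O-Matic script). The function names and the scores are made up for the example, and the ten-point threshold is the hard-coded spread from the later "Back To Plan A" post. The last function shows the rule the BASH manual never spells out: a name must start with a letter or underscore.

```shell
#!/bin/sh
# Added example, not the Chat-O-Matic code from the post.  Function names,
# scores and the AutoAdjust threshold are assumptions made here.

# A shell variable name must match [A-Za-z_][A-Za-z0-9_]*.  The post's "2NDHI"
# is therefore not a variable at all: "2NDHI=$(...)" makes the shell look for
# a command literally named "2NDHI=...", hence "command not found", and
# inside $(( ... )) bash rejects the token as a malformed number.

# Point spread between the leader and the runner-up.
point_spread() {
    HISCORE=$1
    HI2=$2                     # was "2NDHI" in the broken version
    echo $((HISCORE - HI2))
}

# Does the leader's margin trigger AutoAdjust?  Threshold is the hard-coded
# ten from the August 1 post.
needs_autoadjust() {
    spread=$(point_spread "$1" "$2")
    [ "$spread" -ge 10 ]
}

# Check a proposed variable name against the rule above without letting the
# shell blow up on it.
name_is_valid() {
    case $1 in
        [A-Za-z_]*) ;;                  # acceptable first character
        *) return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9_]*) return 1 ;;    # any other character is illegal
    esac
    return 0
}

if [ "${1-}" = "demo" ]; then
    point_spread 30 12                          # constructed scores
    needs_autoadjust 30 12 && echo "AutoAdjust on"
    name_is_valid 2NDHI || echo "2NDHI is not a valid name"
    name_is_valid HI2 && echo "HI2 is a valid name"
fi
```

Run it as `sh script.sh demo` to see the spread, the threshold decision and the name check side by side.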

Sixteen years banging away at Linux and I never knew that.

Saturday, July 24, 2010

Cameroonian HUSTLAS


Although they've stopped bothering me about UK proxies (see the chatter on this page), Cameroonians still represent almost two thirds of visitors to my Proxy List page.

Notorious for their Puppy Scamming activities, the 'roonians are branching out into social networking, according to this article at TMCnet. Nowadays they are exploiting the lucrative Lonely Hearts market.
"An American girl created a Facebook profile to escape the loneliness created by the break-up of a relationship. Being of Cameroonian origin by her father, she began adding people from Cameroon to her profile, although she had not visited the country in over 15 years. Less than two months ago, she was contacted by one of the Cameroonians on her profile who is based in Kuala Lumpur. She was taken in by what quickly became a love scam. She fell head over heels for the scumbag, who knew just the right words to tell. Hard working and a brilliant student, she soon promised to sponsor his entry into the United States and to help him get into the same university where, of course, she would be paying the fees for him. After buying a plane ticket to spend vacation with her new lover in Malaysia, she gave access to her scammer lover to collect money from her account to book a hotel and rent a car for her stay in Malaysia. The girl later realised huge sums of money was taken from her account with the new lover no more in existence."
Poor girl.

Literally.

Of course, the traditional 419 "Business Opportunity" remains popular. The same article also notes...
"Some foreign businessmen have been found wandering in some streets in Cameroon after arriving in the country to realise that their Cameroonian business partners are not real."
I don't know about you but I get a chuckle out of that visualizing it in my tiny little punkin head.

lulz

Sunday, July 11, 2010

"I" BANNED


What can I say? I've had "I" (to be precise, "^I\$") in the Ban-O-Matic list for a while now but it just doesn't seem to hit on him.

He was just too good to be true.

He's from Greece, according to his IP address. A very small ISP. If he shows up again the entire subnet is outtahere.

If you're gonna cheat, don't do it while I'm playing.

Thanx in advance.

Monday, July 05, 2010

MASTER_B8


There's a new bot in the house!

Magnificent Bastard has been laid to rest (I never did like him much) and MASTER_B8 has taken his place.

MASTER_B8, if you're slow or a complete n00b at BOT House, is a play on MASTER_T6, a long-timey BOT House playah. T6, the original (I'm not sure the current T6 is him, you guys are always stealing each others' monikers), showed up back in 2003 when the original BH went online (completely by mistake of course... it was originally put up for my kid, Inky, and his pals... but other people showed up and the rest is history).

T6 was also Thummy's first cyber love. At least, her first on BH. The old logs are long lost but, my, how they carried on!

If Mrs. T6 only knew!

He disappeared for a long time and then after Thummy disappeared, he showed back up! She had, of course, broken his heart and he couldn't stand to see her getting all slutty with new players.

And she went on to break many more hearts.

It's only fitting he be honored with his own bot.

Friday, June 18, 2010

Happy Horseshit June 2010


Greetz Dadz & Gradz!

Last night we had a two hour cable TV & RoadRunner outage, oddly not combined with a power outage. I entertained myself watching my MythTV box on the local HD airwaves. There was absolutely nothing on, but I ended up watching Knight Rider and The A Team on the local "Retro TV" station. These are two shows I never watched back when they were on the air (what... 30 years ago?), so it was all fresh to me.

And I realized why I didn't watch a lot of TV back then. It was all crap. Well, that and my TV was usually hooked up to the old Commodore 64 (or the VIC 20) most of the time.

But I must admit those 80s chicks were HAWT as FUCK. Where are they now?

The Websense Hack turned out to be ISA specific, so if it didn't work for you, you're probably not behind an ISA server. Unlike the last time, this was not fixed by a Websense database update, which means your local Network Nazi actually has to do something to fix it. Chances are he won't. And it appears to me that the fix is "iffy" at best. We'll see. More on that soon enough.

The Murder/Suicide Blog has a new look. I'm quite pleased with the way it turned out. I have also mapped out every murder/suicide in 2009 and 2010 with Google Maps, which was one helluva piece of work. Unfortunately, Google limits you to 200 map markers per page, so 2009 takes no less than four pages to display the whole year. Luckily, Google Earth lets you see the whole shebang all at once.

I may redesign the UT99 Blog, but I'm still quite fond of its simplicity.

Back at the Salt Mine, rumors of a new re-org are flying. It turns out my boss, the CSO, is not a very popular guy up and down the food chain. Meh... it goes with the territory. Some suggest he's going to get booted in the coming weeks and the security team will be split up and cast asunder. Oh well, bosses come and go. I've never seen one last more than three years.

Right now I'm taking a few days off from all that madness anyway. Yesterday's Big Event consisted of getting a cyst cut off from my eyelid. It wasn't very large (I'd say 3mm tops), but it was about twice the size it was when I first noticed it. In & out the door in thirty minutes.

Tuesday, it's back to the Old Grind.

Saturday, May 29, 2010

Websense 6.3.3 "Via:" Bypass


discovered by mrhinkydink

PRODUCT: Websense Enterprise v6.3.3

EXPOSURE: Trivial Web Policy Bypass


SYNOPSIS
========

By adding a "Via:" header to an HTTP request it is possible for a user to completely bypass filtering and monitoring in a Websense Enterprise 6.3.3/Microsoft ISA Server (2004 or 2006) proxy integration environment.


PROOF OF CONCEPT
================

The following works in a Websense 6.3.3 Enterprise system using the ISA Server integration product and transparent authentication. It is assumed it will work with other proxy integration products, but this has not been tested.

I. Install Firefox >= 3.5

II. Obtain and install the Modify Headers plug-in by Gareth Hunt

III. Configure the plug-in to add a valid "Via:" header to every request

    Example: "Via: 1.1 VIAPROXY"

IV. Browse to a filtered Web site

V. All content is allowed without monitoring

VIDEO PoC!
==========

(embedded video)

PoC RESTRICTIONS
================

The Modify Header plug-in does not work with SSL. However, in practice a user could browse to a so-called (by Websense) "Proxy Avoidance" Web site and use the SSL capabilities of the remote proxy.


OTHER USES
==========

Properly configured, a downstream SQUID proxy can send requests to the upstream ISA server and all requests will pass through without blocking or monitoring. No evidence of activity will be logged by Websense. This was in fact how this vulnerability was originally discovered. Considering the simplicity of the attack, the author suspects this bypass technique is already well-known in certain circles.

Also, it is trivial to modify proxy-enabled Linux utilities to leverage this bypass. The author has recompiled (that is, HACKED) OpenVPN, connect-proxy, PuTTY, stunnel, and others to take advantage of this policy bypass.

Obviously, the risk of undetected (by Websense, at least) covert tunnels is high in a vulnerable installation of this product.

Linux platforms using this method in this specific environment will also enjoy bypassing Websense's transparent authentication.
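Both Via advisories on this page (this one and the August 18 redux above) come down to the same condition: a request arrives carrying a Via hop that the proxy in front of it did not add. The following is an added example, not code from the posts or from Websense or Microsoft, of the check a proxy administrator could run over captured request heads (or over logs that record the Via header) to flag that condition. It takes the array member addresses 10.10.0.1 and 10.10.0.2 from the redux post; the sanctioned downstream proxy 10.10.5.5, the workstation address 192.168.1.50 and the sample requests are constructed for the example.

```python
"""Flag HTTP requests whose "Via:" header does not match the path they took.

Added example, not part of the original posts.  Two rules are applied as an
array member would see the traffic: a request that arrives straight from a
workstation must carry no Via hop at all (nothing relayed it), and every hop
that is present must name a relay the request could really have passed through.
"""
import re

# Hosts that may legitimately add a Via hop before a request reaches the ISA
# array: the two array members from the post plus a sanctioned downstream
# proxy.  10.10.5.5 and the client address used below are constructed.
TRUSTED_RELAYS = {"10.10.0.1", "10.10.0.2", "10.10.5.5"}

# One Via hop: [protocol/]version received-by [(comment)]  (RFC 2616 14.45)
VIA_HOP = re.compile(
    r"^(?:(?P<proto>[A-Za-z][\w.+-]*)/)?(?P<version>[\w.]+)\s+"
    r"(?P<by>[^\s(]+)(?:\s*\((?P<comment>[^)]*)\))?$"
)


def parse_headers(raw: str) -> dict:
    """Split a raw request head into a {lower-case name: [values]} map."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:                 # lines[0] is the request line
        if not line.strip():
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_via(values) -> list:
    """Parse every comma-separated hop from every Via header value."""
    hops = []
    for value in values:
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            m = VIA_HOP.match(item)
            hops.append(m.groupdict() if m else {"malformed": item})
    return hops


def assess_request(src_ip: str, raw_request: str) -> dict:
    """Judge one request, given the TCP source address it arrived from."""
    hops = parse_via(parse_headers(raw_request).get("via", []))
    reasons = []
    if hops and src_ip not in TRUSTED_RELAYS:
        reasons.append("via-from-untrusted-source")
    for hop in hops:
        if "malformed" in hop:
            reasons.append("malformed-via-hop")
        elif hop["by"] not in TRUSTED_RELAYS:
            reasons.append("unknown-relay:" + hop["by"])
    return {
        "src": src_ip,
        "hops": hops,
        "verdict": "suspect" if reasons else "ok",
        "reasons": reasons,
    }


# Constructed sample traffic: (TCP source address, raw request head).
SAMPLES = [
    # The redux PoC: a workstation claims the request came through 10.10.0.2.
    ("192.168.1.50",
     "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nVia: 1.0 10.10.0.2\r\n\r\n"),
    # The original PoC: a made-up relay name on a direct request.
    ("192.168.1.50",
     "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nVia: 1.1 VIAPROXY\r\n\r\n"),
    # Legitimate: the request really was forwarded by the other array member.
    ("10.10.0.2",
     "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nVia: 1.0 10.10.0.2\r\n\r\n"),
    # Legitimate: a plain request with no Via at all.
    ("192.168.1.50",
     "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


def scan_samples() -> list:
    """Return (source, verdict, reasons) for each constructed sample."""
    return [(src, r["verdict"], r["reasons"])
            for src, raw in SAMPLES for r in [assess_request(src, raw)]]


if __name__ == "__main__":
    for src, verdict, reasons in scan_samples():
        print(f"{src:15} {verdict:8} {' '.join(reasons)}")
```

The source-address rule is the one that matters for the redux case: the forged hop names a real array member, so checking the hop name alone passes it, while checking where the TCP connection actually came from does not.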


WORK-AROUNDS
============

For this specific installation scenario (Websense 6.3.3 + ISA 2004/6 + transparent authentication), none are known. The following may work:

  * Use Windows Integrated Authentication on the ISA Server

  * Upgrade to Websense 7.x

  * Do not use a proxy integration product


HISTORY
=======

10/09/2009 - vendor notified

05/29/2010 - PoC published



c. MMX mrhinkydink

Saturday, May 15, 2010

New_Laptop_Boi


That's me!

For some unknown reason, The Boss decided I needed a laptop a year and a half after he decided I didn't need a laptop. So, now I have a new laptop.

I liked the old one just fine. It played UT great! I've had nothing but heartache with my own laptop and UT. At first I thought it was Vista, but all the problems remained after I upgraded it to Windows 7 (a.k.a. "Vis7a"). Then, one day I plugged a USB keyboard into it and tried playing. All the problems vanished. Turns out it's the keyboard hardware (or the driver). Still, it's not convenient to play that way.

This new laptop is nothing stellar, a run-of-the-mill HP 6530B with a dual core Centrino, two lousy gigs of RAM, 32-bit Vis7a, and an 80G hard drive (encrypted!).

meh.

I'm not impressed.

But... it runs UT like a champ! So now I can play from the comfort of my own couch. And it's small enough that I can have a cat on my lap at the same time!

It makes playing UT fun again!

So if you see New_Laptop_Boi say "Hi".

Saturday, April 24, 2010

McAfee's 5958 DAT Fiasco


This week I got caught up in McAfee’s 5958 DAT mess back at the Salt Mines. Not only am I the local Network Nazi, but I also manage McAfee’s crappy AV for the entire enterprise. Luckily that day (Wednesday) I was telecommuting, so I was not in the thick of things.

I was “in the cloud”, as it were.

I was also wise enough never to have installed Service Pack 3 on my Salt Mine PC, so I was one of the lucky ones. For a variety of reasons, I never trusted it. I was almost ready to apply it once IE 7.0 came out, but then I heard there was no roll-back to IE 6 on machines with SP3, so I passed. I have it on all the XP machines here on DinkNet, but I use different AV on those boxes.

And that was an odd thing...

I have Microsoft Security Essentials (MSE) on my main box and that fateful morning it died. Very mysteriously. The little green system tray icon was just plain gone and when I went to restart it from Control Panel, Services the system told me it could not be found.

This was before the news came out that the whole thing was due to a turd dropped on the world by McAfee, so I was quietly sweating bullets. Had some bug followed me home? Or crawled through my other covert tunnel, OpenVPN? I switched boxes while I re-installed MSE on that system. Then I rebooted it and performed a full scan. Nothing.

And “nothing” doesn’t mean shit these days, with fast-mutating bugz like Zeus floating around the Interwebs. The virus definitions you get today are for crap that has been around for months.

While all this is going on I get a call from my sprog, Inky Dink, and it turns out he’s having AV problems too! And I know damn well he doesn’t run McAfee because I personally installed MSE on his system!

What the motherfucking fuck was going on here?

But it turned out Inky had been victimized by one of those scareware AV programs. I pointed him to malwarebytes.org and he took care of it himself later that evening.

Again, all this time we, the corporate IT proles, had no idea it was a McAfee problem. What was I to think? AV software was dying everywhere as far as I could tell from my small corner of the Universe. Was it cyberwar? Was that the “Digital Pearl Harbor” the trade press has been crying about for the last four months? Was Google’s January hack the warning shot?

No. It was ludicrous. It had to be a series of coincidences, so I kept my mouth shut during the Salt Mine phone conference.

Other people were not so cautious. They started spreading all sorts of FUD. All it takes is one jerk to read one unsubstantiated claim on one Internet forum and as soon as that happens he’s sending e-mail out to everyone and his brother and the next thing you know you’re in full chickens-with-their-heads-cut-off mode.

Luckily even though that particular jerk (our very own local security wannabee) made a complete idiot of himself that day, cooler heads prevailed. The only thing he damaged was his own credibility.

By about 10:30AM that morning the news finally came out and we went into Full Damage Control Mode. When the dust cleared, about 25% of our systems were down.

McAfee later stated it only affected one half of one percent of their customers. Do tell. Maybe they based that number on the phone calls they got that day (“All lines are busy, please hold!”). Maybe they thought it was just rubberneckers that took their site offline.

And WTF happened?

This event was curious in that the update that caused this mess arrived early that day. Normally, and I admit I haven’t checked in some time, we get that update between 11:30AM and 2:30PM EST. The timestamp on the files said they came in at 4:37AM. Why? Did their QA department in Bangalore (or Shanghai or whatever) take off early that day? What was the Big Rush?

If McAfee’s Legal Department gets their way – and there is no doubt in my mind it will get its way – we may never know what happened.

Monday, April 19, 2010

Хинки Динк


I spend a lot of time these days doing the IT security geek thing over at Proxy Obsession. For instance, over the last three weeks I've been hacking my own version of PuTTY, the popular Windows ssh client, and blabbering endlessly about my progress (or lack thereof). Real boring shit.

Anyway, since that particular blog is Wordpress, I get a lot of comment SPAM. I'm not sure what it is about Wordpress that attracts the comment spammers, but they love it. They keep spamming me and I keep adding their IP addresses to my .htaccess file.

Mostly I just tolerate it. And by "tolerate" I mean "delete".

A lot of it is vanity SPAM, attempts at schmoozing your way in to get a link. Stuff along the lines of "I love your blog and I'm subscribing to your RSS feed!" or "That was a very well written and thoughtful article!" and other such bullshit.

Slightly less than half of all the SPAM I get is written in Russian. Today I got one that said (translated by Google)...

"You would know that about you write in other blogs :)"

What? I guess he's trying to say that other people write about me in their blogs.

Yeah, right. That doesn't happen. But it got me curious about how often "Hinky Dink" shows up in Russian on the Interwebs, so I did a phonetic translation of "Hinky Dink" into Russian and tried this search.

There was a total of nine hits, and eight of those were about Michael "Hinky Dink" Kenna, the old timey Chicago political boss.

There was nothing about me me me ME, so I figured I would do something about that!

And that's why you're reading this!

Saturday, March 27, 2010

Changing The Default SSH Port Without "Really" Changing It


UT99 players can sit this one out.

For years, on security forums and mailing lists, if you ever dared to suggest changing SSH's default port (TCP 22) the "security by obscurity" crowd would come out of the woodwork and nail your ass to the Cross of Righteousness for having the unmitigated gall to even dare utter such heretical nonsense.

Unfortunately for these dogmatic True Believers, changing the ssh daemon's default listening port is such an incredibly effective method for avoiding ssh scans and brute force password attacks that it's starting to show up in HOWTO security articles as a method for hardening your system.

For example, see this article at Linux Magazine.

But the Port 22 Crowd will not leave well enough alone. Although they haven't abandoned the "security by obscurity" mantra completely, they're now using the following argument with increasing frequency:
NEVER CHANGE YOUR SSH PORT! If an exploit comes out that can crash SSH locally, a local unprivileged user on your system could crash SSH and start their own daemon on the SSH port > 1024 and capture your usernames and passwords. If you want SSH on a different port, do this with firewall rules.
Note that ALL CAPS is required when raising this alarm.

Also note that if you require users to connect with SSH in the first place, it's not going to do them a helluva lot of good to crash SSH. If you have users who actually sit down at the keyboard of the physical system, that's another problem entirely. Why bother with crashing SSH when they can slip a bootable CD into the tray and bounce the box?

And of course if you choose a port other than 22 but less than 1024 you can avoid this issue completely.

However, "changing the port with firewall rules" struck me as a novel idea (maybe I'm just stupid but it never occurred to me before) and set me to wondering how you would do such a thing, since I've always taken the easy way out by changing or adding ports in sshd_config.

So I sat down with iptables and experimented a bit. I came up with the following method. If everything you have is behind NAT, the problem can be reduced to simple port forwarding. If not, there are a few hoops you need to jump through. Be advised the iptables rules presented below assume you have a blank set of rules. Just copying and running them against an existing set of rules probably won't work.

First, set SSHD back to the default port 22. Next, figure out what port or ports you want to do SSH over. We're going to use 44, 88, and 8188 here.

Now we take care of the Hypothetical Evil Unprivileged User by not accepting anything over those ports in the first place. This is only meaningful for port 8188 (since 44 and 88 are privileged ports) but we'll do all three for the sake of completeness:

#~iptables -t filter -A INPUT -p tcp -m multiport --dports 44,88,8188 -j REJECT --reject-with tcp-reset

Then, pick a number between 1 and 4294967295. This will be the value of the iptables "mark" we use for ssh. I'll use 0x2200 (8704), just because it's ssh-ish, but any positive integer in that range will do. We're going to tell iptables to reject anything without this mark coming into port 22.

#~iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -m connmark ! --mark 0x2200 -j REJECT --reject-with tcp-reset

I would prefer to DROP these packets rather than REJECT them, but more on that later.

Now we'll tell iptables what ports we will accept for ssh.

#~iptables -t filter -A FORWARD -p tcp -m multiport --dports 44,88,8188 -j ACCEPT

In the "mangle" table we slap our mark on these packets.

#~iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 44,88,8188 -j CONNMARK --set-mark 0x2200

Finally, in the "nat" table we tell iptables to send the marked packets back to port 22.

#~iptables -t nat -A PREROUTING -p tcp -m multiport --dports 44,88,8188 -j REDIRECT --to-ports 22

The packets go back to the INPUT rule and, since they're marked correctly, are sent to the SSHD process listening on port 22.
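Since the rules above only work against a blank rule set, here is an added helper (not the post's own script) that builds the same five rules for any port list and mark, and either prints them (DRY_RUN=1) or applies them, using `iptables -C` to skip rules that already exist so it can be re-run on a box that already has rules loaded. The function names, the port validation and the DRY_RUN variable are assumptions of this example; the rule bodies are the post's, in the post's order. The order across tables does not need care: netfilter always runs mangle PREROUTING before nat PREROUTING, and only then filter INPUT.

```shell
#!/bin/sh
# Added example, not the post's script.  Builds the post's five iptables rules
# for a comma-separated port list and a connection mark; DRY_RUN=1 prints the
# commands instead of running them.  Needs iptables >= 1.4.11 for -C.
set -u

IPT=${IPT:-iptables}

# Emit the post's rules, one per line, without the iptables command in front.
ssh_port_rules() {
    ports=$1
    mark=$2
    echo "-t filter -A INPUT -p tcp -m multiport --dports $ports -j REJECT --reject-with tcp-reset"
    echo "-t filter -A INPUT -p tcp -m tcp --dport 22 -m connmark ! --mark $mark -j REJECT --reject-with tcp-reset"
    echo "-t filter -A FORWARD -p tcp -m multiport --dports $ports -j ACCEPT"
    echo "-t mangle -A PREROUTING -p tcp -m multiport --dports $ports -j CONNMARK --set-mark $mark"
    echo "-t nat -A PREROUTING -p tcp -m multiport --dports $ports -j REDIRECT --to-ports 22"
}

# Every port must be a plain number in 1..65535, and 22 itself must stay out
# of the list because it is the port sshd really listens on.
validate_ports() {
    [ -n "$1" ] || return 1
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        case $p in
            ''|*[!0-9]*) return 1 ;;      # not a plain number
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
        [ "$p" -ne 22 ] || return 1
    done
    return 0
}

# Apply the rules, or just show them when DRY_RUN=1.  For each rule, -C asks
# whether it is already present; only missing rules are appended (-A).
apply_ssh_port_rules() {
    validate_ports "$1" || { echo "bad port list: $1" >&2; return 1; }
    ssh_port_rules "$1" "$2" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$IPT $rule"
        else
            check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
            # shellcheck disable=SC2086   # word splitting is intended here
            $IPT $check 2>/dev/null || $IPT $rule
        fi
    done
}

if [ "${1-}" = "demo" ]; then
    DRY_RUN=1 apply_ssh_port_rules 44,88,8188 0x2200   # the post's ports and mark
fi
```

`sh script.sh demo` prints the five commands exactly as they would be run; dropping DRY_RUN (as root) applies them, and running it a second time adds nothing because every `-C` check then succeeds.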

We have done exactly what was recommended, i.e. we have indeed changed the default ssh port with firewall rules alone (and without NAT). And yet, ssh still listens on port 22!

I must admit this appeals to me on a number of levels, not the least of which is that it has all the hallmarks of a slick little hack. Secondly, it definitely takes a load off of the ssh daemon since it's listening on one port instead of three (in reality I have ssh listening on seven ports).

However, this is done at the expense of complexity, which has yet another group of Annoying True Believers who are fond of chanting "COMPLEXITY IS THE ENEMY OF SECURITY" at the slightest provocation. This is another religion I have never bought into (it may be the same group since increasing complexity generally tends to increase obscurity).

Well, fuck them, you can't please everyone.

Besides, I use the most bizarre, complex combination of port forwarding and routing you'd ever want to see. Most days I have a hard time understanding it myself. It keeps me sharp.

I am almost 100% certain this wouldn't please a "real" firewall administrator. They're mostly overpaid Certified Cisco Clowns anyway. It would never even occur to them to actually use iptables.

But what we have done in essence is put all our trust in iptables working "just right". And we're betting the next time there's an update to the netfilter core code (or the kernel) everything will still work.

I've been around iptables/netfilter far too long to ever bet on that. Sorry, fellas, "once bitten, twice shy" and all that.

Then there's the TCP reset thing. Can it be bypassed? Web filtering appliances that use span ports and two-way TCP resets work fine when everyone "plays by the rules of TCP/IP" (actual statement from Web filter appliance vendor Sophos), but the Bad Guys don't usually play by the rules. The comparison isn't quite the same, though: a span-port appliance has to race the real server's reply with an out-of-band RST, while netfilter's REJECT discards the packet in the input path and sends the RST itself, so sshd never sees the SYN and there is nothing to race. The reset can't be talked around; what it can be is noticed.

The alternative, DROP-ing the packet, lets anyone scanning our system with tools like nmap know that port 22 is being treated specially: every other closed port on the box answers with a RST and shows up as "closed", while the dropped one shows up as "filtered". That isn't absolute proof that SSHD is listening there, but it's as good as a hint gets. A reset makes port 22 look like any other closed port. This makes TCP resets the lesser of two evils, but it's still evil.

In the end analysis, isn't sending a reset from an "open" port just another instance of "security by obscurity"?

Not that I care, that was a purely rhetorical question.

And what about attacks against iptables connection marking (CONNMARK) itself? Do they even exist? Am I opening myself up to an unknown exploit vector? Do I have to take additional measures to avoid spoofing or brute forcing or some other method (fragmented/crafted packets, maybe) to get around my firewall rules? The mark, at least, can't be forged from outside, since it exists only in this kernel's conntrack table and never appears in a packet, and conntrack reassembles fragments before the mangle rules see them. Whether the rest of the rule set holds up under crafted traffic is another matter.

Even though we followed this fellow's advice, there are too many open questions and it appears that just changing the port in sshd_config is still a simple and effective countermeasure. It's worked for me for over ten years. I have escaped all 0day SSHD vulnerabilities for over a decade and no one ever tries to brute force passwords on my box. It doesn't happen because port 22 isn't open.

Simple. Effective.

duh!

So I feel compelled to shout out my own advice:

ALWAYS CHANGE YOUR SSH PORT!!!

Monday, March 22, 2010

The Hinky Dink Top 10 Koobface Infested Shitholes Report


FOR IMMEDIATE RELEASE

The Hinky Dink Top 10 Koobface Infested Shitholes Report

Columbus, Ohio – March 22, 2010 – Mr. Hinky Dink, a Big Time Security Professional™ today released an analysis of the spread of the Koobface worm. Based on an exhaustive study of his database of over two and a half million open Web proxies collected over two years, Hinky's findings demonstrate where the most vulnerable social networking users can be found.

“With more losers piling into social networking sites this trend is very likely to continue,” said Hinky. “This study highlights the cities with the most gullible users on the Internet. This study will no doubt help cybercriminals, script kidz, and Cameroonian puppy scammers target their next online marketing campaigns.”

View the complete report here.

Saturday, March 20, 2010

Koobface May Be Mutating


Followers of my Proxy Project may have noticed a tremendous increase in the past few weeks of the number of active Koobface proxies in the wild.

They have become so widespread in the USA that I had to include a warning about them on my proxy list.

Koobface proxies are widely known to use TCP port 8085. However since the beginning of March I have seen a new trend of proxies listening on port 2479.

And by "trend" I mean an average of over 900 new proxies per week since March 3rd in the USA alone (the USA is Koobface's #1 "market").

This may be a new strategy by the KK (Koobface Korp) or it may be an entirely new botnet being set up.

We live in interesting times, boys and girls!

Thursday, February 25, 2010

UPS: The Autopsy


I performed a few more experiments with the dead UPS and noted that after it had sat for a few days I could get four or five software self-tests out of it as long as there was zero load on the battery.

Then it dawned on me that I didn't have a dead UPS. I had a dead battery.

After that I decided to put its dead carcass on the slab and rip its guts out.

I was quite surprised to find that its insides were spotless. For having rested for four years in the same spot I was astonished that it wasn't full of cat hair, parakeet feathers, dust mites, and all the other detritus that collects inside the many computers hooked up to DinkNet.

Four years! I have to clean out the computers every six months or the fans get clogged!

I pulled the battery out, which was a much more difficult operation than it should have been. The two APC UPS's I have both have easy-access battery compartments, but this thing required a near complete disassembly to remove the battery.

Once I got the battery (actually two batteries taped together and wired in series) out, I pulled the part number (CB1270 for those who care) and looked it up on the 'Net. An equivalent replacement was forty bucks and the manufacturer clearly stated it would last three to five years.

So... there was never anything wrong with the UPS at all and four years is about what you'd expect to get out of a battery anyway.

Anyway, I ordered a replacement battery. This UPS will be dedicated to keeping the Proxy Project up and running, since that particular box runs 24x7 and takes a lot of abuse whenever the power blinks out. It's an XP box, my favorite UT99 platform, but its primary purpose is to run a Linux VM for proxy testing and database operations. Since I despise the Windows software Powercom distributes with these things, I'll probably run NUT on the VM to monitor it and WinNUT on XP for shutting down the physical box.

That's really an odd way of doing power management, but it's the Hinky Way!

Sunday, February 21, 2010

UPS Post-mortem


It's dead, Jim!
We had another power outage today! Did you notice? Of course not, because everything's working as intended now.

For giggles, I plugged in the old UPS and hooked it up to a power-unprotected Windows XP box. I installed the GAWD-AWFUL-UGLY software (see below) and did a self-test on the UPS.


The result?

IT DIED. THE FUCKER CHOKED. IT PUKED ALL OVER ITSELF.

And everything went dark.

I had to go back to the Old Blog to see when I installed this thing. It was officially announced in October 2005, so it lasted for four years and change. Now, it's junk.

TOXIC JUNK, since it has a lead-acid battery inside it. I suppose if I were a drunken electrician (like my dear old bald-headed Daddy, Drinky Dink) I could fix this thing, but now I have to take it somewhere and probably pay somebody GOOD MONEY to throw it in the lake for me.

For the record, I would never buy one of these again, although... ummm... I already have bought one (a different model) for my "domain services" box. That one appears to be working fine, but I do feel like I'm waiting for the other shoe to drop.

If/when I buy another UPS, it's definitely going to be an APC.

Monday, February 15, 2010

UPS Replaced!


We had yet another power outage today! EXPIV was seriously fuckered when the power came back on, just like last time.

Thing is, I bought a new UPS yesterday. I just neglected to set it up.

So, I set it up. And while BOT House was offline I gave it a much needed cleaning. It was caked with dust and cat hair. Very nasty.

Instead of going with a cheap Chinese knock-off, this time I bought an APC Smart UPS (which was probably made in China anyway but what the fuck).

The last UPS had a serial port connection. It was probably the last of its kind because everything is USB these days. So I had some fucking around to do. EXPIV has had a USB UPS since it was EXPIII so I just copied the config files over. It didn't work! In fact it seems the UPS on EXPIV has never worked, which explains why it was always fucked up whenever the power went out. So I had two boxes to fix.

I fixed EXPIV first, because, like I said, it was fucked up. After I un-fucked it (it turns out mounting a JFS root partition with errors=ro is very bad idea - it fixes itself at boot but never remounts read/write), I set about getting the UPS to run right. When I proceeded to fix BOT House I discovered I was using two different versions of Network UPS Tools (NUT). The old version worked fine with the new UPS, but the new version of NUT seemed more capable, even though EXPIV's UPS (also an APC) has less features.

So I bit the bullet and built the new version for BOT House.

The dust has settled and everything's working fine now. We should be good to go for the next power outage/brownout.

Famous last words.

Auto "AutoAdjust" Bots


I added a twist to the action today. I'm not sure how it's going to work, but it's an idea I have been tossing around in my head for quite some time now.

It goes like this: as soon as the point spread between the number #1 player and the number #2 player is greater than or equal to the winning score divided by two, the bots (if any!) go into AutoAdjust mode.

Meaning, of course, the bots will become as skilled as the best player.

When the high score is less than or equal to two, implying a new game has started, AutoAdjust shuts off. It will also shut off if no one is playing at all.

I'm not sure whether this is a good idea or not, but some players are just too fucking good. And it may not be good for Classic ]i[, which has a low winning score.

I may clean out the firewall filters and shut off the ban hammer just to see how this idea plays out with cheats. Unfortunately, it doesn't kick in if there is more than one cheat, since the point spread between the number #1 and number #2 players wouldn't hit the maximum allowed.

There are also some variations of this that have been going around in my head, like turning on "Fat Boy" mode when the spread is too great. Or maybe adding more bots.

The possibilities are endless!

Wednesday, February 10, 2010

Powerloss


The juice went down yesterday and again today.

Yesterday, the power company dropped by, unannounced, to install a "smart grid meter". Of course, they had to cut the power "momentarily".

Now it appears my UPS may be fried, because it didn't make it through that outage.

Today the power went out all by itself, and the UPS didn't come back on again.

That's three times in less than a week.

Saturday, January 23, 2010

The Experiment Continues...


After experiencing the bizarreness of EXPIV for almost a year now, I think I finally have the bugs figured out.

I added a utility called schedutils that lets you set the processor affinity for a given process. EXPIV now runs exclusively on CPU #0 while BITCH House and Classic3 share CPU #1. This has made a big difference as far as I can tell from this end.

I was so disappointed with EXP's performance I was going to install VMWare GSX server and run the games on a 32bit virtual machine. Unfortunately, that is way too much work if I want to stick with the current kernel. That was when the processor affinity idea dawned on me. Sure enough, Debian had a tool, but it didn't come stock with the distribution.

And speaking of Debian, they just announced they would be discontinuing security updates for Debian r4. That's a real shame because DEBIAN 5 STILL CAN'T RUN VNC4 WORTH A SHIT.

Pissed? A little. I can probably squeeze a couple more years out of 4.0 and roll my own security updates, but up to a point it becomes a losing battle with all the code dependencies.

And it's a shame Ubuntu 9.10 turned out to be a steaming pile of shit or I'd be looking into moving in that direction.

Tuesday, January 19, 2010

"Life Takers" Clan Banz0red


Thanks for the heads up, LT|Bonecru$her//!

Seriously, dude, take your clan SPAM somewhere else.

kthxbai

I love this job.

BOT House Makes World Top 100 Twitter Cussers List


lulz


I knew that hack was good for something.

Link available here.

For some reason Exp IV is only ranked 350-ish.

Sunday, January 17, 2010

That's Gotta Suck


A nine million+ ping?

lulz.

There were a bunch of these today, up to and including a Player10. All the same guy, this fellow down in New Zealand.

A few other things sucked today as well. The power went out briefly, which shouldn't be a problem. But it was a problem! I'm not sure what the issue is. The power was blinking on and off last night, but the UPSes handled it. There was a lot of relay clicking going on but nothing went down. In fact even the boxes not connected to a UPS stayed up, so I thought nothing of it.

Then about noonish today it did it again, but this time two out of the three boxes without a UPS bounced, and BOT House died! That shouldn't happen!

But it did and it sucked.

Luckily the IP made it through the reboot, so no big woof. My biggest complaint is my latest kernel 2.6.32 fix (you may recall I disabled DMA on the hard drives) was going on four weeks without an incident. Now, testing is back to square one. Or maybe square two. Or maybe Free Parking. I dunno. All I know is I didn't pass "GO" and I didn't collect two hundred bucks.

There has also been a lot of general suckiness going on around here lately.

December was a total wash. On the 10th I had the dreaded periodontal surgery. Three teeth ripped out of my mouth and bone grafts. Nasty shit. I was living on Ensure, yogurt, and ice cream for about three weeks. After the 1st of the year the stitches finally fell out, but it sucked.

Later this year I'm supposed to get titanium implants in the new bone and after that heals, I get a pair of fake teeth to replace the ones that got yanked.

In other sucky news, I've just about had it with Ubuntu 9.10! I've done one upgrade (on a VMWare virtual machine) that went well and two fresh installs that were absolute nightmares. This is the first distribution of Linux that I simply can't recommend to anyone. The phrase "steaming pile of shit" comes to mind whenever I think about it now.

I did learn a few stupid Linux tricks in the process, like how to boot from a USB drive when your CD drive is broken and your sucky system doesn't even know how to boot from a USB drive. That alone was worthwhile.

Oh, and work sucks. Don't get me started on that subject.

In general, boys and girls, it sucks to be me lately. Usually, come January/February I chalk this kind of thinking up to Seasonal Affective Disorder, but this time around it feels real and I'm having a hard time shaking it.

So anyway usually the best cure for this is to dive into UT and kick some ass. See you there!

Loser!