November 2004 Archives

Anton Chuvakin


Related link: http://www.usatoday.com/money/industries/technology/2004-11-29-honeypot_x.htm

“While most break-in tries fail, an unprotected PC can get hijacked within minutes of accessing the Internet.” So what? Everybody knows that :-) That is actually not the point of my blog entry. The interesting thing we observe in our Linux honeypots lately is that the time to compromise has dramatically *increased*. Skiddies used to “own” unsecured RedHat 7.1 in days, now the same thing will sit for months (same applies to newer Linux variants). Thus, I easily believed that “there were no successful compromises of the Macintosh, the Linspire or the two Windows XPs using firewalls”, as the article says. Internet security for home users is actually THAT simple…

Kyle Rankin


Related link: http://www.usatoday.com/money/industries/technology/2004-11-29-honeypot_x.htm

Since my last post about patching Windows using Knoppix before connecting it to the net, a new study has come out that finds the time until intrusion is as little as 4 minutes for a fresh Windows XP machine.

Once compromised, the machine was then used as a zombie to further spread and otherwise do the bidding of the attacker. The machines used for this study were honeypots–they were taken off the net once compromised to prevent the attack spreading to other machines–but this same thing happens to new machines (or old machines with a fresh install) every day. Today’s Internet is full of zombies looking for fresh brains.

If this doesn’t give you a reason to look into methods for patching machines before you connect them to the Internet, I don’t know what will. There are a number of hardware and software methods to protect against zombies at your disposal. The hardware method is to get a rifle or a cricket bat and aim for the head. If you don’t have either of those handy you will have to fall back to software methods. I’ve already discussed patching Windows with Knoppix so I won’t go over that again here, but other options include slipstreaming a patch into your Windows install. The steps are pretty well laid out, and involve creating a copy of your Windows install disk, extracting the latest Service Pack so that the new files overwrite the current system files you have extracted, and then creating a new bootable CD based on those files.

Of course, slipstreaming assumes you have a second computer with Windows already installed, in which case you could just download a copy of the latest Service Pack, burn it to CD, and then apply it to your fresh install before you hook it up to the network.

Whatever method you choose, be sure to keep the machine disconnected from the net until it is protected. Now that time-to-infection is as short as 4 minutes, there’s less chance you will be able to patch your machine before it turns into a zombie.

Anton Chuvakin


Related link: http://www.securitytracker.com/alerts/2004/Nov/1012341.html

I hope more people will pay attention to this, as it looks like a harbinger of ominous things to come. Here is some background on the whole “vulnerability thing” to understand the impact. How were things in the 1990s-2002? Somebody discovers a security hole, notifies the software vendor, CERT, etc., then times the release of his advisory with the vendors. Gain for the discoverer? Some publicity and nothing else. “Security community” and amateur attackers both benefit. Fast forward to 2004: fewer people are willing to do the above for free publicity. Why send to vendors and bugtraq/CERT - just because some think “it’s the right thing to do”? Why disclose, if you can profit (which I certainly respect)? Looks like many in the security space are used to thinking that “security researchers” are doing their research for the common good, and they are up for a rude awakening. Just look at the timing in the advisory (http://www.immunitysec.com/downloads/instantanea.pdf) - discovered May 2004, released to public Nov 2004… YOUR server might be owned way before you know it.

Kyle Rankin


Knoppix is pretty easy to remaster and many people have created their own Knoppix variant to suit their needs. However there are a number of tweaks and changes you can make that don’t require a complete remastering if you take advantage of the knoppix.sh script. I’ll go over some of the advantages to this approach over a full remastering below.

I have watched quite a few people get introduced to Knoppix for the first time. After they use it for awhile they invariably want to tweak things. They usually either want to change some of the desktop settings or add their favorite program. Most of the time they decide to create their own version of Knoppix with a complete remastering.

Now there’s nothing wrong with remastering, but it is rather time and resource intensive, and there are some margins for error, especially the first time you try it. If you have minor tweaks, I think it is better to take advantage of Knoppix’s saveconfig script and knoppix.sh file it creates to change and tweak settings without a full remaster.

The saveconfig script

The saveconfig script within Knoppix is probably the best way to “remaster” Knoppix without remastering. You can type saveconfig from a terminal, or otherwise you can click Kmenu->KNOPPIX->Configure->Save Knoppix configuration. A simple GUI will pop up and allow you to choose what categories of settings to save from desktop and program settings, the entire Desktop directory, network settings, graphics settings, and other system settings. Choose the settings to save, and the device to save them to (from a list of detected devices Knoppix provides), and the script does the rest, creating a configs.tbz and knoppix.sh file on the device you chose.

Next time you boot, add the cheat code myconfig=scan and Knoppix will scan all available devices for the knoppix.sh script and then execute it. This script will extract configs.tbz and otherwise restore your settings.

If you are the kind of person who likes to hack around with things, you might think to yourself: “Hmmm I bet I could tweak that knoppix.sh script and do other things at boot.” And you would be right, the knoppix.sh script is the key to remaster Knoppix without remastering.

What is the knoppix.sh script?

The knoppix.sh file is a simple shell script. When Knoppix boots, it scans the KNOPPIX directory on the CD for a knoppix.sh file (or if you use the myconfig=scan cheat code, it will also scan other devices on your system). If it finds this file, it will execute it. Windows users can think of this file as an autoexec.bat script. You can basically put any series of commands into this script and Knoppix will execute them upon startup. A typical knoppix.sh script looks like this:

#!/bin/sh
# Refuse to run unless root: the script rewrites files under /etc and /home.
[ "`id -u`" = "0" ] || { echo "You need root privileges to modify the system!" >&2 ; exit 1; }
# $1 is the mount point of the device the script was found on (myconfig=scan);
# look for configs.tbz there first, then on the CD, then on a floppy.
[ -d "$1" ] && CONFIGS="$1/configs.tbz"
[ -f "$CONFIGS" ] || CONFIGS="/cdrom/KNOPPIX/configs.tbz"
[ -f "$CONFIGS" ] || CONFIGS="/mnt/floppy/configs.tbz"
if [ -f "$CONFIGS" ]; then
  # ^[ stands for the ESC character; the sequences only make the message bold.
  echo "^[[1mExtracting config archive $CONFIGS...^[[0m"
  # Delete every file listed in the archive first, then extract it in place
  # (-P keeps the leading slash of the stored member names).
  tar -jpPtf "$CONFIGS" | while read i; do rm -f "$i"; done
  tar -jpPxf "$CONFIGS" ; chown -R knoppix.knoppix /home/knoppix
fi

The best way to get started with tweaking this file is to run the saveconfig script once to generate a knoppix.sh file to work from. There are various checks this script runs, but its basic function is to extract the configs.tbz file. Based on what settings you saved, this file will overwrite settings in /etc or /home/knoppix. You can simply change the configs.tbz file if you want and add or remove files with the settings you want.

It’s important to remember that certain parts of the filesystem under Knoppix, such as all of /usr, will be read-only even when the system completely boots, so this means that the interesting areas you will be able to change are in /etc/ and /home/knoppix/. Also, at the time knoppix.sh runs, /home/knoppix doesn’t exist yet (that directory is copied from /etc/skel later), so while you might think that you can just add a cp filename /home/knoppix/ command to the script, it will fail when you run it. If you want to copy files to /home/knoppix, you will need to create a tarball from / that includes those files, that way the /home/knoppix directory will be created for you as that extracts.

Install Programs

While this setup is typically used for saving your settings, you can also work around having to install programs with this method. Knoppix has two different popular methods for installing software directly to the live CD, the included knx-live-inst.sh script (or click Kmenu->KNOPPIX->Utilities->Install Software while running from CD), or klik. Both of these programs install software directly into the /home/knoppix directory and modify file paths so that they can run from there. After you install programs with this method, you can save your home directory and those programs will still be there the next time you boot with myconfig=scan.

If your program isn’t included in the list of software you can live-install, you can attempt to install it to the local path yourself. Of course this process will vary in difficulty depending on the complexity of the software you want to install.

Advantages over Remastering

There are other advantages to using these tweaks over a full remaster. For one, you can carry your custom knoppix.sh script and any other files it needs with you on a usb key drive, and can use any generic Knoppix CD you happen to find. Since the usb drive is more portable than a CD-ROM, you are probably more likely to have it in your pocket. In a pinch you could boot up with your custom setup on a friend’s Knoppix CD.

You can also make changes much more quickly with this method. With a full remaster, each change you make requires that you create another compressed KNOPPIX filesystem (which is time-consuming) and another .iso. With this method you just have to re-run saveconfig or edit knoppix.sh. Also, if you have come up with a really cool knoppix.sh script, it’s much easier to make available on a website for download compared to a complete custom Knoppix .iso.

Another advantage to this method is that you can maintain multiple knoppix.sh scripts on a single usb drive. Name the individual configs something other than knoppix.sh, and when you want to use one of them, just create a copy called knoppix.sh. This copy will be the one executed the next time you boot Knoppix and use myconfig=scan. I use this on my usb key drive so I can switch between a general customized desktop knoppix.sh file I have, and one that turns Knoppix into a full-fledged kiosk (based on a Hack I included in Knoppix Hacks). I can toggle between these settings without having to carry around multiple Knoppix CDs.

You can even burn a knoppix.sh script to a Knoppix CD provided all of the other files remain the same. Put the knoppix.sh file and any tarballs it needs into the KNOPPIX directory on the CD and it will execute the script when it boots. I used this method when I created the CD included with Knoppix Hacks. I didn’t want to change around the actual KNOPPIX compressed filesystem, but I wanted to create a custom background and add a few links to the desktop. I created a tarball of the desktop links, and changed the background.jpg on the CD. This way I wouldn’t unknowingly risk introducing any bugs into the compressed filesystem–something that was rather important since I couldn’t modify the CD after it was shipped with a book!

If you are a Knoppix user who is thinking of starting the remastering process, I recommend trying knoppix.sh tweaks first. You’ll likely save yourself time and blank CDs in the process.
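The workflow this post describes (pack settings into a tarball rooted at / so /home/knoppix gets created on extraction, restore it the way knoppix.sh does, and swap between several saved scripts on one USB key), as an added shell example that is not code from the post or from Knoppix. The functions take an explicit root directory instead of / so they can be tried in a scratch directory; the file names and the "usb" directory in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the post or from Knoppix. The functions mirror
# the knoppix.sh workflow but take an explicit ROOT instead of /, so they can
# be exercised against a scratch directory before use on a live CD.

# make_config_archive ROOT ARCHIVE PATH...
# PATH entries are relative to ROOT (etc/hosts, home/knoppix/.bashrc), so the
# archive is "rooted at /" as the post recommends: extracting it recreates
# home/knoppix even when that directory does not exist yet at boot.
make_config_archive() {
    root=$1; archive=$2; shift 2
    for p in "$@"; do
        [ -e "$root/$p" ] || { echo "missing: $root/$p" >&2; return 1; }
    done
    # -p keeps permissions, -j writes the bzip2 .tbz knoppix.sh expects,
    # -C makes member names relative to ROOT.
    tar -C "$root" -cjpf "$archive" "$@"
}

# restore_config_archive ROOT ARCHIVE
# Same sequence as the generated knoppix.sh: list the members and delete each
# one first so a stale file is replaced rather than merged, then extract.
restore_config_archive() {
    root=$1; archive=$2
    [ -f "$archive" ] || { echo "no archive: $archive" >&2; return 1; }
    tar -tjf "$archive" | while read -r member; do
        rm -f "$root/$member"
    done
    tar -C "$root" -xjpf "$archive"
}

# select_config DIR NAME
# Copy DIR/NAME.sh over DIR/knoppix.sh. Only the file named knoppix.sh is run
# at the next boot with myconfig=scan, so one USB key can carry several saved
# setups (desktop.sh, kiosk.sh, ...) and switch between them.
select_config() {
    dir=$1; name=$2
    [ -f "$dir/$name.sh" ] || { echo "no saved config: $name" >&2; return 1; }
    cp "$dir/$name.sh" "$dir/knoppix.sh"
}

# archive_lists ARCHIVE MEMBER: succeed if MEMBER is stored in ARCHIVE.
archive_lists() {
    tar -tjf "$1" | grep -qx "$2"
}

# demo: pack two settings files from a scratch "src" root into a scratch
# "usb" directory, restore them into an empty "dst" root, list the result.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/etc" "$work/src/home/knoppix" "$work/dst" "$work/usb"
    echo "alias ll='ls -l'" > "$work/src/home/knoppix/.bashrc"
    echo "127.0.0.1 localhost" > "$work/src/etc/hosts"
    make_config_archive "$work/src" "$work/usb/configs.tbz" \
        etc/hosts home/knoppix/.bashrc
    restore_config_archive "$work/dst" "$work/usb/configs.tbz"
    find "$work/dst" -type f
    rm -rf "$work"
}

case "${1:-}" in demo) demo ;; esac
```

Run with the single argument demo to see the scratch round trip; without arguments the file only defines the functions.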

Kyle Rankin


Sometimes I get funny looks from people when they see me check my mail with mutt. In this day of graphical mail clients that create pretty HTML email, I must look like a caveman with my text-based client. Still, I haven’t found a GUI email client that will let me have the level of configurability I have with mutt such as the ability to tie specific sigs (and whether to top or bottom post the sig) based on to whom I’m sending an email or the email folder I’m in. Plus mutt is fast. I like to joke that I can open mutt, check mail, and close it before another mail client loads.

A lot of the GUI email clients have started adding features to help us deal with the deluge of spam that everyone seems to get from time to time. Recently Mozilla Mail/Thunderbird added a “Junk” button that lets you mark mail as junk so that it can learn from that to tag new messages. I realized that similar functionality for me was only a few muttrc tweaks away.

First I needed to identify potential spam. I’ve been getting a lot of “borderline” spam myself lately. By borderline I mean spam that doesn’t quite meet my spam threshold so it makes it through. Most of the time these messages have vague-enough Subject lines that I end up opening them to make sure before I get rid of them. If I knew that these were borderline messages I could get rid of them without having to open them, so if your spamassassin threshold was 5 (the default) you might set up a rule like this:

color index red default '~h "X-Spam-Status:.*score=(2|3)."'
color index brightred default '~h "X-Spam-Status:.*score=(4|5)."'
color index magenta default '~h "X-Spam-Status:.*score=(6|7)."'

These are just examples but you can see how they might work. Messages with a spam score of 2 or 3 are colored red, 4 or 5 are colored bright red, and 6 or 7 are colored magenta. That last line I use when I’m in the spam folder so I can more easily find potential false positives.

Once I identify a message as spam, I want to move it to a spam folder I maintain on the mailserver. I have a cron job set up to train spamassassin on that folder every day, so I want it to learn from messages that got through. While I could type ’s’ to tell mutt to save the message, and then type in the path to my spam folder, I’m lazy, so I set up a macro:

macro index     S "simaps://mail.example.com/INBOX.spam"
macro pager     S "simaps://mail.example.com/INBOX.spam"

Now I just hit ‘S’ and it automatically saves the message in the spam folder. Granted these commands are not too advanced, but that’s part of the point I suppose–you can get a lot of the same functionality from fancier email clients with just a few tweaks to a .muttrc file.

What tweaks have you made to mutt to make it easier to manage spam?
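The color rules from this post, exercised against constructed X-Spam-Status header lines before they go into a .muttrc. This is an added shell example, not code from the post: regex_band applies the post’s own patterns through grep -E, and score_band derives the band from the numeric score the rules were written for, so the two can be compared on edge cases such as two-digit scores.

```shell
#!/bin/sh
# Added example, not from the original post: try the three color-index
# patterns against constructed X-Spam-Status lines before editing .muttrc.
# regex_band applies the post's own regexes (via grep -E); score_band derives
# the band from the numeric score the rules were written for.

# regex_band HEADER: name of the first rule whose pattern matches HEADER.
regex_band() {
    for spec in 'red (2|3)' 'brightred (4|5)' 'magenta (6|7)'; do
        name=${spec%% *}; alt=${spec#* }
        # Same regex text as the ~h pattern; the trailing "." is an unescaped
        # any-character, exactly as in the muttrc lines.
        if printf '%s\n' "$1" | grep -Eq "X-Spam-Status:.*score=$alt."; then
            echo "$name"; return 0
        fi
    done
    echo default
}

# score_band HEADER: band by the integer part of the score (2-3, 4-5, 6-7).
score_band() {
    rest=${1#*score=}
    [ "$rest" != "$1" ] || { echo default; return 0; }
    score=${rest%% *}        # "3.2 required=5.0 ..." -> "3.2"
    whole=${score%%.*}       # "3.2" -> "3", "-2.5" -> "-2", "23.4" -> "23"
    case "$whole" in
        2|3) echo red ;;
        4|5) echo brightred ;;
        6|7) echo magenta ;;
        *) echo default ;;
    esac
}

# Constructed sample headers in the form SpamAssassin writes them.
SAMPLES='X-Spam-Status: No, score=3.2 required=5.0 tests=BAYES_50
X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00
X-Spam-Status: Yes, score=6.8 required=5.0 tests=BAYES_99
X-Spam-Status: Yes, score=23.4 required=5.0 tests=BAYES_99,HTML_MESSAGE'

# show_bands: print regex band vs numeric band for every sample. The last
# sample shows "(2|3)." also matching "score=23.4": the dot eats the second
# digit, so a score of 20-39 would be colored as borderline.
show_bands() {
    printf '%s\n' "$SAMPLES" | while read -r line; do
        printf '%-10s %-10s %s\n' "$(regex_band "$line")" \
            "$(score_band "$line")" "$line"
    done
}

case "${1:-}" in demo) show_bands ;; esac
```

Run with the argument demo to print the comparison table for the sample headers.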

Dru Lavigne


Related link: http://www.trifusil.com/mgr_intro_detail.htm

Last month, I solicited the various BSD mailing lists for resources which could be used at the Open Source booth at GTEC, the Canadian government IT exhibition. One of the persons who responded was Bruce R. Montague who offered to send me a few copies of his latest book.

I had a chance to read through the book while waiting for a plane in NYC. It is an excellent advocacy tool designed to be given to managers and other non-technical persons. If you’re like me, you’ve probably been asked to explain the whys of using Open Source and probably felt you don’t quite give the answer justice. Even if you did, it’s nice to have some “clout”–something tangible to give to your superiors proving that you’re not the only person out there who believes in Open Source.

As the description promises, this book contains an excellent rationale regarding Open Source licensing and, in particular, the BSD license. All in a slim volume which is readable in one sitting. Even as a technical user, I found the history of what is now known as Open Source a must read which filled in a lot of gaps regarding why things are the way they are.

The book is a work in progress and is being published using a publish on-demand service. Bruce is willing to send a copy to anyone interested in providing either copy-edit or technical feedback. If you’re interested in contributing, contact Bruce at the above-mentioned URL.

Dru Lavigne


Related link: http://2004.eurobsdcon.org

This past week I experienced two major firsts: my first trip abroad to Europe and my first speaking engagement at a conference. Now that I’m back from EuroBSDCon, I have the chance to reflect on my experience and to share it with the various user groups who are anxiously awaiting my report.

Back in May when I wrote about BSDCan, I touted the many advantages of conferences: the chance to rub shoulders with developers and other users, to put faces to names, to keep abreast of the latest developments–all in an informal atmosphere. Add to that the opportunity to be a tourist in a gorgeous part of the globe and to see how your favourite operating systems are doing in other parts of the world.

Attendees at this conference represented about 20 different nationalities. And while I won’t turn this blog into a travelogue, Germany really is gorgeous. I already miss the pastries and coffee (and for those of you who prefer cooler beverages, I hear the beer is pretty good too…) I certainly miss the weather as it is hovering around freezing and snowing out my Canadian window as I write this.

This conference featured a full day tutorial followed by two days of 22 talks divided between 2 tracks. I had the opportunity to attend Greg Lehey’s tutorial on “Debugging Kernel Problems”. I was able to follow along pretty well. It helped that David Maxwell had introduced me to gdb when he was contributing to “BSD Hacks” and that I had made it about half way through Kirk McKusick’s “Design & Implementation of the FreeBSD Operating System” during the plane trip. I see that Greg has put up some pictures on the diary portion of his site.

Breaks on Friday and Saturday morning were rough. I’m shy by nature and don’t exactly look forward to mingling in a crowd of strangers. Out of the 200ish attendees, I counted 2 other registered females and a handful of spouses. My attempts at conversation fizzled out shortly after “hello”. During the talks, no one would sit in my row and the seats immediately ahead of and behind me were embarrassingly empty. I was starting to wonder if I was suffering from a bad case of BO.

The talks themselves were interesting. Emmanuel Dreyfus discussed the problems NetBSD encountered adding binary compatibility for Mac OS. Alistair Crooks gave an excellent talk regarding pkgsrc.

I just missed Martin Husemann’s talk as a test run of my laptop with the projector failed miserably. It took several geeks mucking about with X for half an hour to realize that we weren’t going to achieve a resolution better than 640 x 480. Meaning that only the first 2 letters of each of my slides would be all that would be visible! (If anyone knows the solution to this for an IBM Thinkpad, please let me know).

Fortunately, I teach for a living and am used to carrying on despite technical disasters. (It never fails, the day you want to show a class how something works is the day it doesn’t work). I did discover though that 45 minutes is not enough time to give a non-technical talk that invites participation. I’m thinking of giving a modified version of the talk at BSDCan 2005 and will ask for a double time slot.

For those of you who either saw the talk and missed the slides or who missed the talk all together, I’ve uploaded the PDF to my web site’s BSD Resources section. Yes, I know the site is ugly. It’s a feature.

Interaction improved after the talk. Several people came up to introduce themselves and to thank me for delivering a non-technical talk aimed at users instead of developers. I also made some good contacts regarding BSD education and common criteria certification.

Sunday’s talks were most informative. As an educator, I was looking forward to Hubert Feyrer’s talk on sysadmin training. I was very pleased to learn that there is a working virtual Unix lab at the University of Applied Sciences of Regensburg. I will definitely be writing more about this as I find time.

This was followed by Jan Schaumann’s talk–a success story regarding NetBSD. Jan is the sysadmin for 2900 users using over 1000 applications; yet he manages to keep both OS and applications up-to-date! If you’re a sysadmin, you definitely want to view his slides and scripts once they become available.

I also had the opportunity to meet Federico Biancuzzi, a BSD advocate from Italy. He maintains a BSD presence at the Italian Linux magazine and coordinated last year’s BSDCon Italy.

Oh, I almost forgot. Saturday night, we were all treated to a personal walk-through of Luigi Colani’s exhibition. Being a car enthusiast from an early age and an appreciator of design, I must admit that most (okay, all) of my vacation pics were of cars, buildings and statues. I’m the wrong person to send to a conference with a camera. I didn’t get one picture of a person!

All in all, I think the organizers of EuroBSDCon are to be commended for a job well done. And I’m definitely looking forward to a EuroBSDCon 2005.

Dru Lavigne


Related link: http://www.oreillynet.com/oreilly/linux/news/bsd_ss.pdf

For those of you that missed my October 23 posting to the various *BSD mailing lists, the BSD Success Stories have been formatted into a downloadable PDF and are available for distribution.

You can also download and distribute the advertising flier from here.

Both PDFs are freely distributable and you are encouraged to print out copies for conferences, install-a-thons, your place of work, or wherever else your BSD advocacy efforts take you.

The initial response has been tremendous. The day I made the announcement to the mailing lists, I received over two dozen requests to host copies of the PDFs. The PDFs are now being hosted all over the globe and you are welcome to host your own copy and advertise its existence as your bandwidth limitations allow.

There are also efforts to translate the stories into Portuguese and German and I’ll provide the URLs for the translated versions once they are available. If you translate the stories into any other language, drop me an email with the URL so others can be made aware of your efforts.

Several readers also contacted me to report that the Success Stories have already proved useful in their own advocacy efforts. More than one sysadmin was able to convince a previously reluctant manager to try out a test BSD system. Here’s to many more Success Stories.

Anton Chuvakin


Related link: http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1014528,00.html

Here is a funky piece that proclaims that “the days of vulnerability hunting in support of better security are over”. Good guys supposedly should stop looking for new vulnerabilities in software and just let the bad guys handle that side of the house :-) Instead, they should focus on protection with no regard to known vulnerabilities.

Here are some smart people poking fun at the article.

Not sure whether the author intended it this way, but to some extent the claim makes sense. Just assume every exposed piece of software you run has vulnerabilities known to somebody in the world! That makes the whole prevent/detect/respond business much more challenging and fun…

Kyle Rankin


Related link: http://legonet.org/~griffin/firefox_vi-bindings.html

There have been a lot of articles written recently about the Firefox web browser as it nears 1.0. I’ve used Mozilla or other Gecko-based browsers as my main browser for quite a long time, first with Mozilla and then a few years ago Galeon. I particularly loved Galeon’s tabbed browsing features and configurability (something Mozilla didn’t have at the time) and other nice features such as vi-style navigation (using h,j,k, and l to move left, down, up, and right respectively, just like in vi).

Without getting too much into what happened (it still sometimes makes me want to rant), Galeon underwent a rewrite and as a result lost many of the features that made me love it. While many of those features have started to return, in the mean time I found myself toggling between Galeon and Phoenix/Firebird/Firefox (or whatever name the project will end up having once three programmers in Malaysia or somewhere send mozilla.org a Cease and Desist letter stating that they named their Open Source minesweeper game “Firefox” two years ago).

Neither browser in its current incarnation completely satisfied me, although Firefox with the Tabbed Browser Extensions came the closest. I’ve been using that combination on all of my computers full-time except for my laptop. My laptop “only” has 256Mb of RAM and an 867Mhz Crusoe, and Firefox ran really slowly on such a setup.

This is interesting for two reasons. One, the fact that Firefox under Windows ran so much faster than Firefox under Linux, and two that Firefox, which aims to eliminate all the “bloat” from the complete Mozilla suite, actually ran slower than Mozilla on my machine (and Galeon ran slower than both).

I found myself toggling between Mozilla, Firefox, and Konqueror on my laptop, because Konqueror blew away all the Gecko-based browsers in speed, yet I still needed Mozilla and Firefox for certain sites. Another advantage to Konqueror was that it supported vi-style navigation. I’m a trained touch-typist, and I hate having to move my hands away from home row over to the arrow keys just to scroll down a page. This is doubly annoying on my laptop, because it has a trackpoint mouse, so I can even navigate with my mouse without leaving home row, but I still had to reach over for the arrow keys to scroll down a page.

Speed and vi-navigation were the two things keeping me away from Firefox full-time on my laptop, and both of those things have seemed to be remedied as of a few days ago. The speed issue has seemed to be fixed in the latest version of Firefox to hit Debian Sid (0.99+1.0RC1-3). I’m not exactly sure what changes they made, but there is a definite difference in opening new tabs and loading pages. It could still be faster but it’s a marked improvement.

Also I’ve discovered how to enable vi-style navigation on Firefox. This page lists the very simple steps in the process, which are to create a userHTMLBindings.xml file in your res/builtin directory for your Mozilla install. In this file put:

<?xml version="1.0"?>
<!-- In order to work correctly, this file must be named -->
<!-- res/builtin/userHTMLBindings.xml in the mozilla tree. -->

<bindings id="htmlBindings"
   xmlns="http://www.mozilla.org/xbl"
   xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">

  <binding id="browserUser">
    <handlers>

      <handler event="keypress" key="k" command="cmd_scrollLineUp"/>
      <handler event="keypress" key="j" command="cmd_scrollLineDown"/>
      <handler event="keypress" key="l" command="cmd_scrollRight"/>
      <handler event="keypress" key="h" command="cmd_scrollLeft"/>
    </handlers>
  </binding>

</bindings>

Save the file and restart Firefox and hjkl work as advertised. I think Firefox is going to be the full-time browser on the laptop from here on out.

Have you noticed an increase in Firefox’s speed under Linux lately?

Anton Chuvakin


Related link: http://www.securityfocus.com/infocus/1808

Intrusion detection, attack detection, probe detection - all nice, but I want to know when the stuff is truly “0wned” - compromised, penetrated, infected, etc. This paper looks at the problem of reliably discovering compromised machines on corporate networks. I also received a peculiar comment about the claim quoted in the first section. The person provided some hints that the claim might indeed be true.