I am playing around with konboot after first hearing about it on the Hak5 podcast. If you haven’t heard about it, it is a boot disk you can create on a floppy, CD or USB drive (see Irongeek’s site for USB instructions). The disk changes the windows or Linux kernel on the fly while booting to allow you to bypass the login password. In windows you just use any valid user name and a blank or garbage password, you will then be logged in as that user and can access all their files. So naturally you will probably want to try the local administrator user which will allow you to access all files on the computer. In Linux you will use the user name kon-usr and no password. This will give you full root access on the Linux machine.
I have found it works well if the system is not muti-boot. On my systems which are all multi-boot it would only work on one system and only on one OS which happen to be EEEbuntu. My other laptop gave me error about the cylinder number being too high like the old school days of LILO where the boot image had to be below cylinder 1024. I am assuming this is the same issue as the days of old. Also a caveat don’t use Konboot to login to a domain account on a computer that is connected to the network. This will disable the account on the domain and won’t allow you to login. In most environments user credentials are cached in case the network goes down. So air gap the computer before using a domain account.
Remediation steps are fairly simple. Lock the bios with a password and only allow the system to boot from the hard drive. This should already be in the check list of task to perform when deploying a new PC. Since this type of threat isn’t new kon-boot just make it a little simpler to access the PC than loading up a live linux distro like knopix. If there is any sensitive information on the hard drive encryption should be used of course since if someone steals the computer or hard drive its game over. With the breach notification laws in most states that is not a fun proposition.
I was setting up a test VM with 4 one TB SAN LUNS. After successfully creating and testing the VMware image I blew it away without touching the LVM. After greating the production image I tried to add the LUNS back to the LVM and I of course got errors when adding the LUNS to the LVM. The meta data for the old volume group was still there and the OS refused to add the LUNS to the existing volume group. I then tried to remove the volume group with the vgremove but since the devices with the UUIDs themselfs were long gone I could not do it.
I finally found a very simple solution just DD the damn things with zeros. That will blow out all the metadata. So for each lun I ran
if=/dev/zero of=/dev/XXX bs=512 count=5
Probably only needed a count=1 but what the hell I don’t care I didn’t have anydata on the LUNS anyways. After that running lvscan came back clean with no orphaned UUID’s and I was able to initialize the LUNS again and add them to the new volume group.
There is an article on Reuters about flaws in Adobes flash video on demand services such as Amazon and Hulu. The author writes
“The problem exposes online video content to the rampant piracy that plagued the music industry during the Napster era and is undermining efforts by retailers, movie studios and television networks to cash in on a huge Web audience.”
What? This is an opinion did you ever take a journalism class Mr. Wakabayashi you are supposed to be objective. You report the facts you don’t regurgitate the lines from the MPAA. This is no big deal the people who would have pirated movies already were anyone can download Handbreak for free and rip 99% of the DVDs on the market today. So who is going to pay for software to pirate DVD’s that I can get with a Netflix subscription for $19 a month? I would guess not very many. Just so you know Mr. Wakabayashi music piracy today is probably more rampant than it ever was in Napster’s day despite all the RIAA lawsuits.
DRM is fundamentally flawed as it is. If a movie is encrypted it has to be decrypted to be displayed on the screen at some point. You are giving the consumer the crypto key to decrypt the file. The key is just cleverly hidden and or obfuscated. Given time all DRM is broken. Adobe will come out with a work around and then it will be game on again for the small companies who are selling the software to record flash movies. The dance will go on and on as it has for every other DRM technology. Oh and Mr. Wakabayashi this is my opinion you see this is a blog not a news article.
There has been some buzz about the Roku netflix player releasing some of its source code. The thing is they have to release the code as its GPL open source code that they modified. The truth is the code should have been available since day 1. This is no different than the Tivo source code that has been released. They didn’t release any of their proprietary code. Now that I know that this is based on Linux though this should hopefully be pretty hackable. It would be great if Xvid and H.264 support can be added. Then I won’t have to use my noisey Xbox 360 to stream my movies off my computer.
The Linux Cisco VPN client seems to try the first avalable interface to make a connection. In my case this was eth0 which is my wired port which isn’t connected to anything. In order to get it to work I had to down the interface with ifconfig eth- down then it would connect fine with my wireless interface eth1. I haven’t seen any documentation to see if there is a way to manually bind it to a specific interface, and there is no MAN page installed. At least –help gives some usage, which is heads and shoulders over the tsmc tivoli command line I was using today what a royal PITA. Just encase anyone needs it the command to restore a previous version of a file is “tsmc restore -todate=yyyy-mm-dd -inactive /path/to/file” the documentation gave the format for the date as mm/dd/yyyy and the command would just come back and say -todate not recognized. Not wrong date format no that would have saved Jeff an hour of goggling.
Finally the one feature I have been waiting for. It looks like on Dec 4th the new dashboard update finally adds divx and xvid support to the 360. No more trans coding! Hopefully it will support full 5.1 sound. I have a ton of movies that I ripped myself with no way of watching them on my big screen. I was looking at the sling catcher when it came out but this is free since I already have a 360.
I live in California where the Secretary of State Debra Bowen has allowed The University of California to test the E-Voting systems used in here in California. What they found was that all of them are hackable. I find the preliminary findings very scary but not at all surprising. The legislature of California are not Computer Security Experts but they should have consulted with and let Security Professionals verify that they were secure before Certifying the systems. It is inexcusable to allow what is arguably the most important Computer System in the country to be so insecure. These machines are what decide our election. If you could modify the election results you could execute a bloodless coup and no one would be the wiser. No one could prove that an election had been stolen if there is no paper trail.
I will give you one scenario. All the electronic voting machines are stored in some medium security warehouse with a few guards and 1 or 2 cameras. A disgruntled technician from company XYZ that makes $20,000 a year maintains voting machines is payed some large sum to hack the companies voting machines. He is admitted entry into the facility do do “maintenance” He turns them all on and one by one inserts a USB thumb drive that installs a virus on each machine. He also updates the BIOS and changes the checksum check that is used to verify that the operating system is certified, just like he has to do when he installs any patch. This virus will change the vote on 41% of the votes in the favor of candidate FOO. Thus virtually insuring victory. This virus then removes all traces of itself and restores the correct checksum back into the BIOS at 7:55PM on election day. With the current systems that have no paper trail and no one would find out unless someone starts looking at the technicians large bank account.
I am not saying to go back to all paper ballets, to me this is even more error prone and hackable than E-voting. Just make up some ballet boxes and switch them in transit to the registrars office. No to me the problem is fairly trivial technologically speaking. The solution is 3 fold. First and most simple a paper copy must be printed out and verified correct by the voter. Thus ensuring a backup in case the electronic version is lost or tampered with.
The second part of my proposed solution is PKI (Public Key Infrastructure). Each voter should be assigned a private key, a 3D bar code would work nicely. This key should be assigned completely at random and only good for 1 election so that voting patterns couldn’t be data mined and somehow connect to an individual, there should also be no record kept of the voters private key only their public key should be kept. This private key should be encrypted with a master public key so that there is no way a voters private key and identity could be obtained by coping it in transit unless the person also had the master private key. The voter then would then scan their bar code and the voting machine would verify that it is a legitimate key by decrypting the key with the master private key. The voter would then vote and the results would be signed with the users private key, and also be printed out. If the results were tampered with the signature would not match and it would be obvious that the results were tampered with. If two different votes were signed with the same private key you would also know that the user voted twice and to trow out all other votes signed with the same signature. The public keys and paper copies should be escrowed so that recounts could be done for some defined time.
The last and most important is both the physical security and openness of the system. The inputs should be protected with 3DES encryption so that only certified devices could be plugged in. No uncertified devices should be allowed on the system. No one should be able to plug a key board in. The case should be wielded shut and painted with a heat sensitive paint so any attempted tampering would be apparent. The system should be completely open source from the OS to the voting software so that all code can be freely audited. It someone did manage to hack the system the paper backup should throw up the red flag that the system was compromised. The system should also be on an encrypted EEPROM so that even if you get into the case you can’t modify the EEPROM with out the key. The key should be on a physically separate dongle that is locked up separate from the voting machine and must be present when booting the machine and removed thereafter. If any dongle is lost then all the dongles will have to be replaced and the EEPROM reprogrammed so it is very important that they don’t go missing. The systems should never be plugged into an open network. The system that collects the votes should also have a certificate assigned to it and stored on the voting machines so that the voting machines don’t disclose voting results to an unauthorized system.
All of this technology is common and in use today. We need to reform the voting system so that we implement this as soon as possible. If we don’t we may soon find our country not in our control anymore. I don’t go into all the details about the system but I would love feedback, what are the weaknesses in the system I described. If done correct E-Voting is both more efficient and more secure than paper based voting alone.
I set up Synergy at work. I now have 4 monitors and 3 computers all using 1 keyboard and mouse. Synergy lets you move the mouse off the edge of one screen and it shows up on the screen of the next computer. Synergy also lets you copy and past between the systems. I have 1 mac, 1 vista dual screen, and my Ubuntu Fiesty linux laptop. I am using Vista as the synergy server. It was fairly painless to install. The only hitch was installing openSSH server on vista via Cygwin. By default everything is sent in the clear over the wire in synergy, so you have to port forward though SSH to secure the channel. I am using RSA keys with no pass phrases so I can easily script the port forwarding and the start of synergy client on Linux and the mac. The only problem with my set up is Compiz Fusion doesn’t run all that great. When you spin the cube it is little jerky and unresponsive, I uped the speed and that helped a little. I can live with that though, I usually just use the keyboard short cuts any ways.
This weekend I was at the South Coast Plaza and stopped off at the Apple store to check out the much hyped Iphone. This was Sunday afternoon mind you and they had the phone in stock, so there was no need to wait hours for this thing Friday afternoon. They had a half dozen demo units and I had to wait and 20 seconds to get my turn at one.
The interface I must say is amazing. It is the best I have ever seen for a smart phone. Everything flows fluidly and there is hardly any noticeable lag when switching between applications. The web browser is great, you can zoom in by double clicking and use your finger to drag around the page. The orientation changes from portrait to landscape automatically as you flip the phone down or up. I did notice that it got a little confused when I switched between the modes quickly 5 or 6 times, but it did recover in a few seconds without crashing.
The picture mode was equally as good, with much the same interface. You had albums and you use your finger to flip between the pictures. The next picture flows onto the screen as the old picture flows off of the screen as if you were looking through a negative roll. The built in camera was alright; it was more responsive than most camera phones and the image quality was about on par as others. There is however no video mode.
I checked out the Ipod mode and it continued the trend, but I must admit I didn’t try it out all that much. I watched a short section of Lost and it looked fantastic and filled the entire wide screen.
Now onto the negatives of this phone. Number one is the price $600 for the 8 gig model and $500 for the 4 gig model. You also have to sign up for a 2 year AT&T contract. Considering that the phone is unsubsidized, as far as I can tell, this is ridiculous price. Also the storage size is way too small for me. I have a 30 gig 5G Ipod and it is too small for all of my music. Considering this is the first Ipod I would consider watching videos on that 8 gigs would go real fast. Also there is no memory card slot so you can’t add any memory. The sim card is also hidden in the guts of the phone, so if one wanted to sell their Iphone it would be a royal pain to switch the SIM out.
The on screen key board was also a royle pain. I have large fingers and I had lots of trouble typing. The data is also EDGE or 802.11 WI-FI. That is a real oversight as far as I am concerned. I know the 3G HSDPA network isn’t as large as the existing edge network but the speed difference is huge. Instead of focusing efforts on improving their EDGE network they should have rolled out for HSDPA coverage and included it instead of EDGE. The lack of A2DP is also a major oversight. I want a wireless stereo head set with my $600 Iphone, but no dice for the first generation Iphone. Also they should have throw in a car charger considering the battery life on these things and the insane price. The biggest downside though is that it is a closed environment with no way to install 3rd party applications. There are certain applications I need like a SSH client. It would also be nice to use Skype or some other SIP client to save some plan minutes.
So I will not be picking one of these up as I am a poor poor network admin, but even if I were rich I would wait until the phone is revised to have HSDPA support and support for third party applications even if those applications had to be apple approved. I hold high hopes for Openmoko the Linux based open smart phone, but we will see how it fairs when it is released in October. I can’t seeing it being completive given the equally ridiculous price of $600.00. It does have the advantage of being unencumbered and not locked to 1 carrier.
I rarely touch MS SQL but I have to administer 2 instances, so I have had to learn some of the administrative tasks that have to be done from time to time. One of the less obvious task is truncating transaction logs. The MS SQLs transaction logs can get out of hand on databases that do a lot of writes. MS SQL does not purge transactions that have been committed in case you want to roll the database back to a point in time. At some point after a back up you will probably want to get rid of the old data as it can quickly fill your hard drive. You have to manually truncated the old transactions by running
BACKUP LOG databasename WITH TRUNCATE_ONLY
The easiest way to do this is to open up query optimizer and run it from there.
That will flush out all the old transactions that have already been committed to the database. This however does not resize the file. You will have to manually do this in enterprise manager by choosing shrink database. If you have a scheduled maintenance plan that covers resizing; it will take place on its own the next time it is scheduled.
