70 Year Anniversary of V-J Day

2015/08/16:
Just to clarify something: Japan’s surrender was not an immediate action. This is perhaps not surprising, but you will find references to different days as being the day, when to be completely accurate it was a process spanning many days. The official signing of the surrender was September 2. August 14th was the beginning of the surrender (more conflicts occurred between these dates). The speech below took place on the 15th. If you pay attention to current affairs (which this year is probably much harder not to do), you’ll see references to V-J Day prior to September 2 (e.g. the 15th, perhaps because the nation was addressed), but in the end this was not an overnight event – it is – and always has been – a complicated war.



(Note: This most likely – I’m quite certain, in fact – has some structural problems and a disorganised flow of thoughts, and as a result it might be harder to follow. I would delay this for another day, but the day itself is significant enough not to consider that, at least for me.)

Earlier this year (May 2) I wrote about the end of the Battle of Berlin (and its surrender), which was shortly (May 8) followed by the surrender of Nazi Germany, resulting in V-E Day. I intended to write something about V-E Day but I never got around to it – which is unfortunate because I think there is a lot I could have written about. I also intended to write about ‘Little Boy’ (the name of the atomic bomb dropped over Hiroshima on August 6, 1945) and ‘Fat Man’ (the name of the bomb dropped three days after Little Boy, over Nagasaki). But I was at a loss for words for the bombings that – along with the Soviet Union declaring war on Japan – ultimately led Emperor Shōwa (more commonly known as Hirohito) of Japan to order an immediate surrender of Japan (a coup that followed was foiled). Perhaps silence is the best way: the utter devastation and suffering these bombs inflicted upon Japan – and the world – is hard to fathom to this day. I think Emperor Hirohito’s speech holds significant value to this day, and even eternally:

To our good and loyal subjects:

After pondering deeply the general trends of the world and the actual conditions obtaining in our Empire today, we have decided to effect a settlement of the present situation by resorting to an extraordinary measure.

We have ordered our Government to communicate to the Governments of the United States, Great Britain, China, and the Soviet Union that our Empire accepts the provisions of their joint declaration.

To strive for the common prosperity and happiness of all nations as well as the security and well-being of our subjects is the solemn obligation that has been handed down by our Imperial Ancestors, and we lay it close to the heart.

Indeed, we declared war on America and Britain out of our sincere desire to ensure Japan’s self-preservation and the stabilisation of East Asia, it being far from our thought either to infringe upon the sovereignty of other nations or to embark upon territorial aggrandisement.

But now the war has lasted for nearly four years. Despite the best that has been done by everyone – the gallant fighting of the military and naval forces, the diligence and assiduity of our servants of the state and the devoted service of our 100 million people – the war situation has developed not necessarily to Japan’s advantage, while the general trends of the world have all turned against her interest.

Moreover, the enemy has begun to employ a new and most cruel bomb, the power of which to do damage is, indeed, incalculable, taking the toll of many innocent lives. Should we continue to fight, it would not only result in an ultimate collapse and obliteration of the Japanese nation, but also it would lead to the total extinction of human civilisation.

Such being the case, how are we to save the millions of our subjects, or to atone ourselves before the hallowed spirits of our Imperial Ancestors? This is the reason why we have ordered the acceptance of the provisions of the joint declaration of the powers. We cannot but express the deepest sense of regret to our allied nations of East Asia, who have consistently cooperated with the Empire toward the emancipation of East Asia.

The thought of those officers and men as well as others who have fallen in the fields of battle, those who died at their posts of duty, and those who met with death and all their bereaved families, pains our heart night and day.

The welfare of the wounded and the war sufferers, and of those who have lost their homes and livelihood is the object of our profound solicitude. The hardships and suffering to which our nation is to be subjected hereafter will be certainly great.

We are keenly aware of the inmost feelings of all you, our subjects. However, it is according to the dictates of time and fate that we have resolved to pave the way for a grand peace for all the generations to come by enduring the unendurable and suffering what is insufferable. Having been able to save and maintain the structure of the Imperial State, we are always with you, our good and loyal subjects, relying upon your sincerity and integrity.

Beware most strictly of any outbursts of emotion that may engender needless complications, and of any fraternal contention and strife that may create confusion, lead you astray and cause you to lose the confidence of the world.

Let the entire nation continue as one family from generation to generation, ever firm in its faith in the imperishableness of its divine land, and mindful of its heavy burden of responsibilities, and the long road before it. Unite your total strength to be devoted to the construction for the future. Cultivate the ways of rectitude, nobility of spirit, and work with resolution so that you may enhance the innate glory of the Imperial State and keep pace with the progress of the world.

All you, our subjects, we command you to act in accordance with our wishes.

There is criticism – both legitimate and illegitimate – on all sides, and the Emperor – perhaps more so after his death – receives criticism to this day. But the fact is Japan did not want to surrender (which I will discuss below), yet they did. He took responsibility for the situation, and if only everyone would heed his warning about nuclear weapons. Nuclear warfare exemplifies some of the worst of mankind (and this includes the only known uses of it in wartime) and it does so extremely well. His warning is 100% accurate. Of course, the atom was split and once done there is no going back. The Cold War worsened this with its nuclear arms race. But it also brought some good: the predecessor to the Internet – the ARPANET – which was meant to be a network that could withstand a nuclear attack (which means that if a host is down, it won’t receive or send data, but other hosts will still be able to communicate with each other); and it brought the good out in some people – for instance, it motivated a woman called Lynne Cox to risk a dangerous swim across the Bering Strait between the United States and the Soviet Union in an attempt to bring friendship instead of conflict. At this time, we are in another cold war, even if it isn’t recognised as such. While a cold war is better than a real war, a conflict is a conflict, and there comes a point where any significant outbreak of war will become a third world war, and that will likely be an apocalypse. Yet despite this, there are politicians in some countries that have no problem with war, and I dare say they even want war. That is a sign of extreme weakness and is the exact opposite of what a real leader should strive for – peace.

Japan didn’t want to surrender, but neither did any other country (and there is the story of a soldier – Hirō Onoda – who for 29 years following the war’s end thought that it was still going on; it is a fascinating story for those interested in the war, and it really shows just how much they wanted to win and could not lose). I personally feel that not giving up is a positive, productive and noble thing. There are no victors in war (which is ironic when you consider what the V stands for in V-E Day and V-J Day), but this goes beyond war; those who give up might never have what they could have, they might never accomplish great things (that they could otherwise accomplish), and they might be at a great loss. Winston Churchill himself stated that [we] will never, ever surrender. But imagine if the Allies had surrendered – the world would be very different. Imagine, also, if the Axis Powers had surrendered earlier – the world would be different in another way entirely. But imagine still if Germany hadn’t invaded Poland on September 1, 1939 (or, for that matter, taken over and annexed other countries prior to this). How different would the world be today?

Despite these thoughts, too much blame is placed upon nations for their past. Punishing Germany at the end of World War 1 was an incredibly stupid decision and some recognised it then (basic logic explains why and how it was so stupid). Yet to this day some think that Germany is responsible for great harm in this world; I say that those punishing Germany at the end of World War 1 are equally responsible for harm. But that should not be the focus; consider this instead: the actions of Germany (and many other countries) might have caused great harm, but the world should learn from the past and not dwell on it.

70 years ago marked the end of a very dark chapter of mankind, but the many lessons are still not taken to heart, and that is equally dark – if not darker – than the war itself. We should not only remember the impact of the war – we should also remember why it happened and what could have been done differently to prevent it. Lastly, attention should be shifted to the present. If this is not done – and I’m afraid that history shows it isn’t – mankind is doomed to ultimately destroy itself (it already destroys the treasures of the world, and that includes wildlife that has become endangered if not already extinct).

Windows 10: An example of DOA (Disaster of Automation)

I have to admit, when Microsoft first announced that Windows 10 would be the final release of Windows, I raised an eyebrow. Then, because Windows 10 was offered for free (as an upgrade for the first .. month?), I was more suspicious: if it is free, are they simply baiting the customer to upgrade, hoping to make a profit by some contract (literal or figurative) of some kind (pay for some sort of subscription or otherwise future software or updates)? After all, some corporations (maybe even Microsoft?) have subscriptions for technical support and software, so how else could this work? I truthfully do not know, but given that they are a for-profit company, there has to be something at play. But there is more to the story of Windows 10. When I first found out that Windows 10 Home edition would automatically be updated, I shuddered.

The fact remains that humans are not perfect, programmers are humans, therefore programmers are not perfect. If you remember, Microsoft at one point pushed out an update that was required in order to receive further updates (therefore encouraging customers to update), only for that update to prevent updates from working (off hand I don’t have the information but it definitely happened and there are articles about it). That is scary when it is manual updates, but it is even scarier when it is automatic. Yet, even without that mess, automatic updates are what will lead to what conveniently shares the abbreviation of Dead on Arrival (DOA, which is often used to refer to computer hardware – probably other things too – that failed quality control and therefore is ‘dead on arrival’[1]): Disaster of Automation. There are several things to consider.

Firstly, even an experienced system administrator can apply a patch (in binary distributions it would be an update to the package but the end result is the same), only to find out what was updated no longer works. I know in the past I have updated BIND (Berkeley Internet Name Domain) – which is a critical component given that it includes named (name daemon) and therefore is a DNS server – only to find it failing to start or having warnings upon restart (i.e. the postinstall script reloads the configuration file or restarts the service). What happened is as simple as ownership of files being changed. The administrator (a friend) of my slave DNS servers (second, third, fourth) has in the past had this exact same problem on his servers, and DNS failures can cause many problems.

But even if it didn’t cause problems, consider this: the update failed for some reason or another. What happens if it was automated and you’re not at the system? I won’t even get into the problem that the Windows installer is brain dead enough that you have to reboot for almost everything (or last I knew it is, and I can’t imagine it is different now). Hopefully it only updates and waits for you to reboot manually.

The astute reader would point out that I’ve not given any examples so far (and Windows 10 is quite new, which makes what I’m about to show, even worse) of updates going afoul with Windows 10. For that matter, I’ve not pointed out Windows 10 problems at all (besides being created by Microsoft, that is). Well here goes.

Since Windows Updater also now considers drivers not optional, and since Windows 10 automatically installs updates, and since an Nvidia GPU driver has a bug (or bugs, maybe), people are having all sorts of problems as described on their forum. Problems like flickering (which is not at all good for eyes!) and even multi-head (more than one monitor) not working correctly (if at all).

Then there is ‘Windows Update Delivery Optimization’. What does it do? It theoretically allows you to not have to download updates from a remote (out of your network) server more than once. So for instance, you can update all your Windows 10 systems without having to download the updates more than once. Well, that is excellent that Windows has a concept similar to local repositories. Unfortunately, though, their method is presumptuous, arrogant and irresponsible. Here is what their FAQ says:

Download updates and apps from other PCs

In addition to downloading updates and apps from Microsoft, Windows will get updates and apps from other PCs that already have them. You can choose which PCs you get these updates from:

PCs on your local network. […]

PCs on your local network and PCs on the Internet. […]

You would like to believe they have a good design here. But the very fact they offer ‘PCs on the Internet’ as an option is disconcerting. From what hosts? My understanding is they now have update verification. But that should always have been in place. If they already have it, why bring it up (aside from maybe reminding people of it)? If they don’t, why the hell didn’t they have update verification?! I’ll return to this in a moment. The problem is worse, however:

Send updates and apps to other PCs

When Delivery Optimization is turned on, your PC sends parts of apps or updates that you’ve downloaded using Delivery Optimization to other PCs on your local network, or on the Internet, depending on your settings.

How is my PC used to send apps and updates to other PCs?

Delivery Optimization downloads the same updates and apps that you get through Windows Update and the Windows Store. Delivery Optimization creates a local cache, and stores files that it has downloaded in that cache for a short period of time. Depending on your settings, Windows then sends parts of those files to other PCs on your local network or PCs on the Internet that are downloading the same files.

It would be one thing if it defaulted to off as it should be. Opt-out means you have to know it is enabled and it is poor design to assume the user knows everything about the system (or can remember what they know, even). Yet so many corporations (Google and Facebook to name two others with delusions of grandeur) are arrogant enough to make things opt-out instead of opt-in. But in this case, it is worse still! Not only is it defaulted on, it defaults to share updates to the Internet!:

Delivery Optimization is turned on by default for all editions of Windows 10, with the following differences:

  • Windows 10 Enterprise and Windows 10 Education: The PCs on your local network option is turned on by default.

  • All other editions of Windows 10: The PCs on your local network and PCs on the Internet option is turned on by default.

Yes, great idea, Microsoft. I’m sure your grandeur justifies it all, but did it ever occur to you that most homes don’t have high upstream rates? Did it ever occur to you that they might be capped or even throttled? Did it ever occur to you, in your complete brilliance, that when [you] download content from another host, the other host is uploading to [you]? Did it ever cross your mind that many homes have asymmetric connections (and fairly slow upstream specifically), and even if they didn’t, not pushing upstream to its limit is important for – irony! – optimising connections? Even more important, did you ever consider that not everyone will want this enabled, and fewer still would want it uploading to the Internet (or downloading from servers other than Microsoft repositories)? As a vendor you shouldn’t burden the customer any more than is necessary, and clearly this idea is not necessary.

Going back to update verification. Microsoft insists the following:

Delivery Optimization can’t be used to download or send personal content.

Yet this claim has been made before and it has fallen down due to a variety of reasons. I really, really, really cannot wait for this to be abused; some of my demons actually want it to happen sooner than later. It isn’t a matter of will it be but instead when will it be. I’m eagerly waiting.

Finally, I have one more update issue to share. The one where Windows 10 update KB3081424 (which includes security fixes) is causing some computers to enter a reboot loop. Indeed, this really is a disaster of automation and it is a fatal design flaw, courtesy of Microsoft.

[1] Sometimes the product is fine but the user (‘builder’) makes a mistake (e.g. there is a short that prevents the core components of the computer from booting) and assumes it is the product rather than a mistake on their part. But there are times when it truly fails to .. well, deliver what it should.

HOWTO: Flood-fill transparency in GIMP

(Aside: This might work on other platforms too – I assume it does, even – but I only use Linux so I’m including it under Linux software. I intend to at some point have this – as well as other tips – as a simple document but for now it is only here.)

Problem: You want to flood fill an area of an image in GIMP to be transparent.
The solution is what appears to be an undocumented feature. First, make sure there is an alpha channel; to make one click Layer -> Transparency -> Add alpha channel (if you know the image already has an alpha channel you can skip that step). Next, select the bucket fill option. Then, configure the bucket fill mode to be ‘Colour erase’ (if you have American English it probably is ‘Color erase’). Then make sure that transparency is at 100%. Finally, execute the flood fill (called bucket fill in GIMP). By erasing the colour you’re making the area of the image transparent.

The Dangerous Twin of Bring Your Own Demon: The Internet of Things and ‘Smart’ Technology

2015/08/12:
Earlier today I was made aware that another exploit for another car allows remote controlling of a car, including halting the car (brakes) and even disabling the brakes! All it takes is sending a specially crafted SMS message. The device is called Metromile Pulse OBD-II. This is what Metromile’s advisory says:

At Metromile we take the security of our products and services very seriously.

The typical statement that nearly every organisation says after a successful exploit is found (or attack is executed). It is as dull as ever and it is a half truth if not an outright lie.

Recently, it was revealed to us that MDI, who makes our OBD-II dongle, the Metromile Pulse device, has a vulnerability that can remotely take over these devices. We took immediate action and released updates to all devices in the field to resolve the discovered remote exploits and can confirm that most of the devices have successfully downloaded and applied the patch and we expect the remainder of devices to be patched by mid-August.

Immediate action that you shouldn’t have had to take in the first place because an SMS message shouldn’t be able to control a car – the driver should! Too little too late. The fact not all devices are patched when it endangers the lives of others is worse (and despite the fact it would take time, it still isn’t immediate action).

Connected telematics devices such as the Pulse are powerful because they have the potential to make many aspects of driving and owning a car simpler, less expensive, and more convenient. We ask that customers who are concerned about the security of Metromile systems contact us at security@metromile.com.

So the device is powerful because it has the potential to make many aspects of driving and owning a car simpler, less expensive, and more convenient, does it? Funny definition of convenient, isn’t it, seeing as how now the owners have to worry about a serious blunder you made. Perhaps you weren’t aware, but security conflicts with convenience. Yet you take security seriously, do you? Cars are heavy machinery that, while useful (to get where you need to), are deadly even under the best drivers in the best conditions. Driving a car requires discipline. There is a reason for driving licenses, there is a reason you need to maintain the car safety (how much so varying on the country), there is a reason for all these hurdles, and there is a reason you shouldn’t be driving under the influence! The reason is it isn’t a toy and it isn’t a game where you can start over! The fact a car can be manipulated through an SMS by an external party is irresponsible and it completely disregards the safety of people. To all those creating devices for the IoT, wake the hell up before you kill more people (which means they will never wake up again)!



2015/08/08:
Clarified (and added a link to) another vulnerable thing (as part of the Internet of Things) and added a few thoughts.


If a car is meant to be controlled by the driver in the car, how the hell is it being vulnerable to outside manipulation considered ‘smart’?


On February 17, 2012 I wrote a piece on the concept called Bring Your Own Device which I renamed Bring Your Own Demon, and just how stupid and dangerous it is. I’ve also written about so-called smart technology and how dangerous (and stupid) it is. I’m bringing up one because it is somewhat relevant to something I will bring up today (in that this has to do with the so-called smart technology). On September 3, 2013 I wrote a piece entitled ‘Smart’ Technology Is Still Dumb. In that piece, I highlighted an incredibly dangerous situation that would arise because of emergencies, be it medical, fire, or any other occasion where the rules of traffic must be broken by specific people (fire fighters, police officers, paramedics, etc.) in order to help the situation (which might include preventing the loss of life, loss of a home, or restoring peace). This warning still holds strong; the dangers still exist and they cannot ever be solved with automation: emergencies are unpredictable, unpredictable in every way. You cannot know when an emergency will occur and you cannot know what it will take to resolve it in the safest and quickest way possible! One seemingly minor variable can change things drastically! This is inherent to emergencies.

But then there is the Internet of Things (commonly IoT). Instead of bringing your own demon, you have many demons all around you. This includes medical equipment in a hospital and that is one of the things I will refer to today. First a brief understanding: the IoT is the idea that everything should be connected to the Internet in some way or another. This includes refrigerators, thermostats, cars, medical pumps, sniper rifles and even skateboards. I’m going to aim (and fire) at three of them now.

The Hospira LifeCare PCA Infusion System has serious flaws. The most recent is one that boggles my mind, boggles it because the flaw is so negligent, so amateurish, and has been that way for eternity. A remote attacker could log in as root through TELNET without authentication! That is a very serious flaw and it is an utter disgrace for anything to be this way, but especially when it is medical equipment. But that isn’t the only problem. There are many other problems. Apparently this researcher also knows of the TELNET flaw, and from a brief skim of that page it seems it might affect more than one of the pumps (which is even worse). Disgraceful neglect is about as nicely as it can be worded.

Then there is a skateboard that can be compromised. Yes, because a skateboard needs Internet connectivity, right? If you ask many, though, it seems they do truly believe this. Even if it isn’t a need in their mind (which realistically it is not) but instead a want, it shouldn’t take much intelligence (which might be part of the problem here?) to figure out it shouldn’t be connected to the Internet or, for that matter, that it shouldn’t have a computer at all. But at least one does exist. Quote from the researcher describing the problem:

Because the Bluetooth communication is not encrypted or authenticated, a nearby attacker can easily insert himself between the remote and the app, forcing the board to connect to his laptop. Once he achieves this, he can stop the skateboard abruptly, ejecting the rider, send a malicious exploit that causes the wheels to suddenly alter direction and go in reverse at top speed, or disable the brakes. An attacker can also simply jam the communication between the remote and the board while a driver is on a steep hill, causing the brakes to disengage.

So unencrypted, no authentication, and remote connection for a skateboard. Utter stupidity is putting it nicely.

Let’s now go to a sniper rifle. Yes, that is right: a sniper rifle as part of the IoT. This is from an interview given to Wired (I haven’t listened to it, I only have a quote).

The only alert a shooter might have to that hack would be a sudden jump in the scope’s view as it shifts position. But that change in view is almost indistinguishable from jostling the rifle. “Depending on how good a shooter you are, you might chalk that up to ‘I bumped it,’” says Sandvik.

As I’ve noted many times (and will many more times, I’m sure), I strongly detest the misappropriation of the words ‘hack’ and ‘hacker’, but I can’t change that because of the influence the governments and the media have (a shocking amount of power, and it is quite scary), and this is a decades-old problem. A problem that will never be resolved because the word is forever poisoned to have negative implications over positive. Which is a bloody shame, ungrateful and a damn disgrace, given what hackers have given society: without them we wouldn’t have the Internet and many other things we have today (and critically, the security problems would be worse by a lot). It used to be a good thing but now it is a bad thing, at least in the perception many (if not most) people have [of hackers]. To add salt to the wound, governments couldn’t help but become hypocritical about yet another thing (there is never enough of this in their view, see?): poison the word and then do exactly what they poisoned, all the while whining about others doing it (and arresting them for ‘breaking the law’). But to get away from a most touchy subject, if you look at their description, you can see the problem here. Except that there is a more serious problem. Apparently the device has a remote root hole, and that means escalating to root (in this case it means adding an equally powerful user). Yes, that means whatever the interface allows, they have complete control. Why anyone wants a sniper rifle to have embedded Linux is beyond me. But they make it worse because then it is connected (through Wi-Fi). Then, to make it worse still, they are so irresponsible that they feel they have no need to pay attention to security whatsoever. Thankfully pulling the trigger is still a manual thing. I really hope that stays that way forever.

Unfortunately, there are many more devices that have been compromised (or found to have holes that would lead to it), including researchers who remotely halted a Jeep going 70mph on a highway (or maybe more like a freeway, the US version of Germany’s Autobahn – which, for those who like trivia, is in fact one of Adolf Hitler’s visions). But that’s only in recent weeks. This isn’t a new problem and it won’t get better, because more and more companies are creating what they call smart devices (also known as things) that just have to be connected to the Internet (hence Internet of Things). Yet people still think the IoT is a good idea (they say I’m batshit crazy, but to think that some actually feel the need to have home appliances connected to the Internet …), and people actually believe these are smart devices (with an equally brilliant concept of it being connected to the Internet). If a car is meant to be controlled by the driver in the car, how the hell is it being vulnerable to outside manipulation considered smart? No, no, the above (and there are more examples and many more will follow) is a great example of human stupidity, something that this world has in excess (the definition of Homo sapiens perfectly demonstrates this, given that the most foolish people of all are those that claim high intelligence and don’t challenge that claim whatsoever, whereas the most intelligent will challenge what they know and have an insatiable appetite for learning and improvement, knowing that they can be a lot smarter than they are).

Yet despite this, self-driving cars have not yet become the norm, but when they do there will be problems. There are certainly other things in this world that are equally as dangerous, but self-driving cars are high up there on the list of dangers. I’ve warned about this before and I’ve also warned about automation in general (the less you concern yourself with thinking, the less capable you are of thinking when required or even desired), and I later (in an admittedly arrogant manner) wrote about my warning being real when a pilot relied on semi-automation, ending the lives of two passengers (teenagers!). The pilot made multiple errors, but the biggest error was assuming the plane would fix it for him. You’d like to believe a pilot would not be so negligent and stupid, and would instead actually take care of problems he caused. But no. He couldn’t acknowledge this fact and two teenage girls died because of it. He might not be legally responsible but it is still his fault, and he should forever feel badly about it (that is punishment enough and perhaps will remind him to be cautious about being too reliant on technology). But if semi-automation fails to account for emergencies, what makes any semi-sane person think full automation will work any better? If an emergency happens in a fully automated car, what will happen? Emergencies cannot be predicted and therefore there is no way to account for all outcomes (or solutions)! And if it can’t fix itself, how will it account for problems unrelated to itself (e.g. an ambulance on its way to the hospital)? It won’t, and this will only get worse. There are some things that require manual work in this world, and operating heavy machinery is one of those things; cars are not toys – they are tools that are highly convenient, but they are dangerous nonetheless.

The fact so many people are so glued to their bloody phones (and obsessed with social media and texting) that they walk into people, walls, and off piers (as I linked to in another post here, which it seems was not an isolated incident) says a lot. The fact that Antwerp, Belgium, has for the time being introduced text walking lanes (so they don’t walk into sane people) says just how bad the problem is. The link there suggests that there are more mobile phones in this world than there are people; I find it hard to fathom, but I’m not surprised either: nothing surprises me in this world because this is how the world works – it is evolution at play (if you went back centuries very few would believe you if you claimed to them that one day there would be jets in the air, travelling from one place to another; they would probably think you’re mental, too).

Quick tip: logrotate yearly, log timestamping and logwatch confusions

Yesterday I noticed something odd in the logwatch report. It reported that many packages were installed and many others updated. It appeared to be a distribution major version update, actually. I wasn’t sure if I was reading it right (because of exhaustion), going so far as to think I was imagining it (or that somehow a major version was now available), but I was reading it right (that I pondered the alternatives is another matter entirely, I admit). One concern is: was there foul play here? I wasn’t particularly concerned because it is highly unlikely (because of ingress and egress filtering on ssh) that there was unauthorised shell access, but it would have been very foolish not to check (everyone can be bested and security is a constantly mutating thing). Looking at the tail of /var/log/yum.log I saw that there were no changes of the sort. Looking at the log entries, though, I remembered that syslog doesn’t have the year as part of the output. I did wonder about this but I didn’t think beyond it. Until today.

I noticed that today, too, there were some supposedly installed updates. Looking at the log file again, the cause of the problem came to me at once: I have /var/log/yum.log rotate on a yearly basis but with the additional restriction of a minimum size (which was far too high for this) before it rotates the log. Going back to last year, I see that the packages referred to yesterday and today were indeed installed and updated then. This makes sense because of how the log is written (no year) and therefore logwatch disregards the year.

In my case, I removed the minimum size and forced (just because I wouldn’t trust myself to remember if minimum size was in addition to the rotation cycle or not, even if I was sure of how it worked – the above demonstrates why) rotation:

# /usr/sbin/logrotate -f /etc/logrotate.conf

Problem solved (if you feel the need to confirm then check that the log file has indeed rotated or, equally valid, run logwatch manually and inspect the report).
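The root cause above is that yum.log (like syslog) carries no year in its timestamps, so once a log has gone more than a year without rotating, a day-based report cannot tell last year’s August 15 from this year’s. The script below is an added example, not part of the original post or of logwatch, that shows the confusion on a constructed yum.log excerpt (placeholder package names) and then demonstrates the two checks an administrator would actually want: inferring years from the order of the entries (the log is append-only, so a month/day that goes backwards marks a year boundary) and flagging a log that spans more than one year and therefore needs rotating. The report date and the sample entries are assumptions for the demonstration.

```python
"""Why a yearless log (yum.log, syslog) confuses day-based reports, and how to check for it."""
from datetime import date, datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed sample in yum.log's "Mon DD HH:MM:SS action: package" form.
# The package names are placeholders, not real packages. The log has not
# been rotated for over a year, so "Aug 15" appears twice: 2014 and 2015.
SAMPLE_YUM_LOG = """\
Aug 15 03:12:44 Updated: examplepkg-a-1.0-1.x86_64
Aug 16 04:01:10 Installed: examplepkg-b-2.3-4.noarch
Dec 30 02:30:00 Updated: examplepkg-c-0.9-2.x86_64
Feb 02 02:15:03 Updated: examplepkg-d-5.1-1.x86_64
Aug 15 03:05:11 Updated: examplepkg-e-1.1-7.x86_64
"""

# Assumed date on which the report is run (the day after the last entry).
REPORT_DAY = date(2015, 8, 16)


def parse_yearless(line):
    """Split 'Mon DD HH:MM:SS message' into ((month, day, h, m, s), message).
    split(None, 3) also copes with syslog's space-padded day ('Aug  5')."""
    mon, day, clock, message = line.split(None, 3)
    hh, mm, ss = (int(x) for x in clock.split(":"))
    return (MONTHS[mon], int(day), hh, mm, ss), message.rstrip("\n")


def naive_yesterday(log_text, today):
    """What a year-blind filter does: match on month and day only, so an
    entry from the same calendar day in an earlier year is reported too."""
    yesterday = today - timedelta(days=1)
    hits = []
    for line in log_text.splitlines():
        (mon, day, *_), message = parse_yearless(line)
        if (mon, day) == (yesterday.month, yesterday.day):
            hits.append(message)
    return hits


def assign_years(log_text, final_year):
    """Walk the log backwards from its last entry (assumed to be in
    final_year). Entries are appended in time order, so whenever a line's
    month/day is later than that of the line after it, a year boundary was
    crossed. Caveat: a gap of a whole year with no entries is undetectable."""
    parsed = [parse_yearless(line) for line in log_text.splitlines()]
    year = final_year
    dated = []
    prev_day = None
    for stamp, message in reversed(parsed):
        mon, day, hh, mm, ss = stamp
        if prev_day is not None and (mon, day) > prev_day:
            year -= 1
        dated.append((datetime(year, mon, day, hh, mm, ss), message))
        prev_day = (mon, day)
    dated.reverse()
    return dated


def year_aware_yesterday(log_text, today):
    """Yesterday's entries once each line has been given its inferred year."""
    yesterday = today - timedelta(days=1)
    return [msg for when, msg in assign_years(log_text, today.year)
            if when.date() == yesterday]


def spans_multiple_years(log_text, today):
    """True when the log holds entries from more than one calendar year,
    i.e. it should have been rotated before the year boundary."""
    years = {when.year for when, _ in assign_years(log_text, today.year)}
    return len(years) > 1


if __name__ == "__main__":
    print("year-blind  :", naive_yesterday(SAMPLE_YUM_LOG, REPORT_DAY))
    print("year-aware  :", year_aware_yesterday(SAMPLE_YUM_LOG, REPORT_DAY))
    print("needs rotate:", spans_multiple_years(SAMPLE_YUM_LOG, REPORT_DAY))
```

On the sample the year-blind filter returns both “Aug 15” entries, which is exactly the phantom “installed updates” the post describes, while the year-aware filter returns only the 2015 one and the multi-year check comes back true. The post’s own fix addresses the cause rather than the symptom: in logrotate, `minsize` only permits rotation once the file is larger than the given size and the `yearly` interval has also elapsed, so a too-large `minsize` silently stops the yearly rotation and lets the log accumulate a second year of yearless entries.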

Nostalgia and Perspective: Arcades, Books and Record Stores

I’m not one to dwell on the past; I don’t find it healthy at all. It is a powerful coping mechanism for me. I can generally control my thoughts, in that I can empty my mind of all thoughts, at will, and I can focus on something specific, if necessary (the latter is perhaps somewhat fraught with peril because I’m unfortunately most familiar with negative thoughts and emotions). I can’t generally filter out other distractions but I can filter thoughts. But while I don’t dwell on the past, it doesn’t mean I don’t miss certain things. I’m just writing about some things I miss from the past, because one of those things is on my mind, and I have nothing else better to do. Some friends miss these things, too, as do people I don’t know, but this is – like always – first and foremost for me.

I’ll go in the order of the title, but I’ll also throw in some other things.

Video Games and the Arcades

I’ll not get into my favourite type of game of all time (text adventures) because these still exist and arcades don’t (and I have no idea what happened to some of the old video game consoles I had).

The first video game console I played was the Atari 2600. I have many fond memories of the console and its games, from Breakout to River Raid, to Outlaw to Adventure, and everything in between (Donkey Kong, Pac-man, Space Invaders, Frogger? Hell yes!). Next I went to the Nintendo Entertainment System, where perhaps my favourite game would be Ninja Gaiden. That game is a true classic; it was the first game to introduce cinematic cut-scenes to progress the story. I loved the music of the game and I found it a lot of fun. Many seem to think the old games were hard but I never thought that; sure, some games were harder than others (Ninja Gaiden wasn’t hard for me except the very end, right outside of the final boss The Jacquio; Ninja Gaiden II I beat and Ninja Gaiden III I won’t even discuss), but I beat almost every game I played, repeatedly. Indeed, I knew some games better than the back of my hand (including the puzzles, mazes or whatever they might be). I spent many hours playing video games (on more than the two consoles listed) at home over the years (the last console I owned was the Sony Playstation 1), and also at what is mostly an artefact from the past: the arcades. I spent hours and hours at the arcades, and I have nothing but fond memories of the games I played, among them: Mario Brothers (note: what is on the gaming consoles is Super Mario Brothers; Mario Brothers was an arcade game!), Street Fighter, Teenage Mutant Ninja Turtles: The Arcade Game, Mortal Kombat (all of them), Pac-man, and perhaps especially pinball (and its Sonic the Hedgehog spinoff Sonic Spinball, although that was for the Sega Genesis/Mega Drive). There were many more I thoroughly enjoyed, far too many to mention (let alone remember). But I’ve not played a single arcade game in years. I miss that a lot.
Nowadays games are connected to the Internet somehow (which I have no problem with; in fact, multi-user dungeons, aka MUDs – predecessors to the MMORPGs of today – are very much a part of me to this day) and otherwise are far superior in graphics (yet I’ve always felt that with all the hardware advances, the effects are far less impressive exactly because the hardware is so advanced; there aren’t nearly as many limitations to the hardware, and some games had rather decent graphics when you consider 8-bit versus what they have nowadays).

Book and Record Stores

This is what inspired me to write this, actually. This past week I went to a real bookshop, something I hadn’t been in for far too long. It was wonderful. I always loved (even when I buy online I do, but it is different at a bookshop, at least for me and those with whom I have talked about this) the smell of the books, the feel of the cover, the binding, the pages, everything about bookshops. You could sit down and read a book (or part of one), you could browse different types of books (and genres) whether fiction or non-fiction (whether textbook or something else), and lose track of time (the same was true for record stores, except there you might listen to some of the music and you would be browsing records, tapes and eventually CDs; I’ll return to this later). But mostly they are gone today. However, I want to point something out. Something I’ve long believed and now I have proof. See, many people (including employees and owners of book and record stores) believe that the world wide web (or as they would erroneously call it, ‘the Internet’) is the reason these stores have either gone out of business or have had to change their business model (or otherwise have drastically reduced profit). There is just one little problem with that theory. Amazon.com sells books cheaper, even if you add shipping costs. Meanwhile, when you buy in person, you don’t have shipping costs (which means you have less to spend). For instance, I finally got around to buying The Silmarillion (of course by J.R.R. Tolkien). I buy hardcover where possible and it was possible for The Silmarillion, too. I spent 40 USD. However, earlier today I saw it at Amazon for 22.66 USD. That is a 43% difference! So here it is: if bookshops would actually change their pricing, they would be able to compete more easily (granted, some don’t have the memories of going to an actual shop, but of those who do, I know many miss them). Do I mind that I spent 43% more? No. But that is because it was an enjoyable day and I miss the older days here. Otherwise, yes, yes I would mind it.

As for other things, there is the fact that you don’t see records and tapes as much (I’m ignoring the revival of the vinyl scene because I’ve always thought records were better, more real and more collectible, than tapes and CDs, although nowadays tapes are far more collectible than CDs, DVDs and Audio DVDs; I’m deliberately ignoring bluray and other HD video and sound – I can’t see or hear the differences, anyway). There are many things I do miss. I have really old computer parts that I used years ago but I can’t throw out. The things that we had in yesteryear would surprise the youth of today. If they had any idea of how small hard drives were (in capacity) and how expensive they were (in comparison to what they are today, and considering the capacity differences), they would probably be floored. I still to this day have a hard drive of less than 1GB. In this case it is at the ~540MB barrier (which some will remember, as that was as high as they could get it due to limitations that at the time they could not overcome). I also have a HDD that is ~2.5GB. I probably have other drives that are (guessing here) 20GB, 80GB, 120 or 200GB.

There is something else here, though. It always greatly amuses me when kids tell adults things like “you don’t understand what it is like growing up these days .. it is so different now; we have social media, mobile phones, and we have the Internet!”. It amuses me because they wouldn’t really know anything else, so how would they know that it is so different? Of course, they wouldn’t. I’m going to elaborate just because I want to show how yes, things are different because of evolution (of technology and in general) but no, they aren’t any more complicated (with what we have and don’t have) than before. (Furthermore, things change for both better and worse. But realising this changes things significantly.) Indeed, the Internet is older than they are. For that matter, if you consider its predecessor (arpanet), it might be older than their parents (probably it is)! Certainly the arpanet is older than I am. Depending on what part of the Internet (it developed and extended itself over time) you think of, it is older than me; other parts of the Internet are younger than me. That brings me to social media and the Internet more generally: First, many erroneously believe that the World Wide Web IS the Internet, but the Internet is much more than that. The WWW is a small part of the Internet, and without the lower layers, the WWW wouldn’t be ‘world wide’ at all (it might not even exist, we wouldn’t have email and we wouldn’t have many other things that people think of as a single technology). But no, the Internet isn’t new at all, and so this is not something that is all that different (the IoT – the Internet of Things – is another issue entirely, and one that has serious problems, but one that won’t be going away, unfortunately; still, this is technology evolving). As for social media: there were other ways of communicating with people. Let’s start with BBSes (bulletin board systems) and later on web based forums. Then you go to UNIX and you had talkd (the ‘talk daemon’), which allowed two users (on the same system or different systems, as I recall) to ‘talk’ with each other (writing messages where one user was at the top and the other at the bottom; it showed characters as sent to the system, so you would see the actual sequences for backspace and the like, but this was a matter of getting used to and then it wasn’t really a problem). Then there is IRC (‘internet relay chat’, which worked for the Internet and an internet; the latter simply being a network of networks but not necessarily connected to the global Internet). You also had (later on) ICQ, MSN, Yahoo Instant Message (and others). So no, social media isn’t all that new; it is only an extension of what we had before. I will point out some irony, though, something others have thought of individually, but something that I’ve thought of for a very long time:

Despite the ‘social media’ and the phenomenon of people looking at their bloody phone instead of where they are walking (or at whom they are eating with, sleeping with, and who knows what else) and even more ‘connectivity’ (network connectivity only), we are more than ever disconnected. I’d like to say I was ahead of my time (because I wasn’t one who really socialised with peers) but I know I’m not in that way. I was (and am) just… different. I never identified with anyone (in person) and I never really associated with many people (and when I did it was only because of school; I didn’t spend time with them off campus).

Yes, I miss many things that are very different today (different is very loosely defined). But does that mean that I wish I lived in the past? No, absolutely not. It isn’t healthy to dwell on the past; you can’t change it either, and the only way to stay somewhat sane (…if that is possible for me – but others can go mad by dwelling on the past, too) is to focus on right now. Even then, there are some things that are better; accept and learn from your mistakes and they aren’t mistakes. Continue to learn, evolve, grow, and you have more to experience, more to understand and more to appreciate. Similarly, if you look at what is here now, you can realise that while some things might be worse, other things are better. It can always be worse (this especially goes for your own health… and yes, this is what it took for me to understand this, though it took many years for me to do so). Always. It might not seem like it to some people, but if they ever have long term hardships they will understand this (not to say you can’t understand it without hardships!). Not only will they understand this, they will be thankful for it, and it will give them strength and some sort of peace and acceptance of the world (and others).

Perspective is incredibly powerful; it changes everything!

US Navy in (0-day) Exploits Black Market

I’ve made the statement before that the US government is not merely a victim of cyber attacks but a perpetrator (to be fair, it isn’t just the US but this is about the US). I went further to point out that they provoke other nations. I seem to think I at one point wrote about how they participate in a black market, and how that would not at all help the situation. Even if I haven’t discussed the latter, I have the others. So it is most unfortunate that there is solid evidence (I know I’ve seen other evidence, though) of them wanting to buy 0-days. It isn’t even hearsay. No, not at all; it is a statement directly from the United States Navy.

The Electronic Frontier Foundation has a mirror of the document that was taken from Google cache. This, I might add, is another thing I believe I’ve written about and if I haven’t I know I meant to at one point. I’ll just give a quick summary here: you don’t simply erase something from the Internet. The people that believe Snapchat is a brilliant way to keep things safe are very ignorant, very ignorant indeed. It isn’t brilliant at all (in any way), and there has been more than one incident where many of these supposedly very temporary photos were archived elsewhere (that is not a link but FOUR unique links, two of which include a list of different exploits and results.. and there certainly are others out there). Then there is the Internet which is even more extreme here. That is another topic entirely, however, so I will refrain from going there. I’ll return to the issue of persistence again but for the moment all you need to know is the Navy has since removed their copy of the document. But it isn’t gone.

I’m going to highlight some points from the document, comment on them and bring them all together.

This is a requirement to have access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied on commercial software.

From the very mouth of the US Navy; they require binaries to exploit widely used and relied on commercial software. Software they almost assuredly will use themselves. It gets better though; I’ll return to the issue of who uses what in a bit.

– These include but are not limited to Microsoft, Adobe, JAVA, EMC, Novell, IBM, Android, Apple, CISCO IOS, Linksys WRT, and Linux, and all others. [sic]

While there are other things I could label with [sic] I won’t, because I’m not trying to be critical here (I won’t at all suggest I don’t make mistakes in writing… I do. Often). However, I do want to point out that Linux isn’t commercial software. In addition, they want exploits for, including but not limited to, these products, and all others (is there a reason to list any at all, then? If there is, why ‘and Linux, and all others’?). But the important point here is that they don’t actually care what it is; if it is used they want exploits for it. Not just any exploits though: they want 0-days and also technical support, instructions and everything you would expect a legitimate vendor to provide. I’ll return to this again, too.

– The vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). This list should be updated quarterly and include intelligence and exploits affecting widely used software. The government will select from the supplied list and direct development of exploit binaries.

Interesting bit here: they will select from the list and direct development of the exploit binaries. Why then, pray tell, don’t they just go to a CVE website where they can find it all for free? You know, they exist for a reason, a good reason. But here they’re being used for anything but good. It isn’t bad enough that many home users have unpatched (or otherwise insecure) systems (often unknowingly) that are already infected by more viruses and worms (etc.) than a human body would likely experience in a lifetime (certainly in the number of years computers are ‘alive’). No, of course not; but governments to the rescue! Yes, it will affect others: even systems that aren’t vulnerable can be affected indirectly. People are also affected. Including our saviours in the Navy. That’s the best part. This also goes for governments wanting to get rid of encryption; it’ll affect them, their family, their friends, the nation they say they are protecting (that’s why they need to get rid of encryption, see? It is a lie, however, that smells nearly as bad as a septic tank, which is to say it can easily be sniffed out even by those without a strong sense of smell). It also is a risk to themselves. It has the potential to affect every device. And the more exposure a device has, the more risks can affect it. This is sort of like the immune system: the common cold is nothing for those with a healthy immune system, but to those with a poor immune system it can be very serious.

– Completed products will be delivered to the government via secured electronic means. Over a one year period, a minimum of 10 unique reports with corresponding exploit binaries will be provided periodically (no less than 2 per quarter) and designed to be operationally deployable upon delivery.

It is rather amusing, isn’t it, that they want it delivered in a secured manner. I suppose they hope no one else will have access to these exploits (which I have alluded to already and will get to further) and somehow it will be safer for everyone. Safer for themselves, actually, and that is incredibly naive: if the US government accidentally ships live anthrax to laboratories across the US and even in other countries (all of which has been reported recently… and other similar incidents have happened), who is to think they could keep computer exploits under their control? Reality: malware tends to spread; there is a reason the words ‘virus’, ‘worm’ and ‘trojan horse’ are used for naming said types of malware. Even if it isn’t malware itself, it is incredibly stupid to believe it can’t directly affect the buyer (themselves). You don’t control exploits in the wild like that – you don’t nicely tell it that you are its master and it’ll suddenly obey your every command. Even then you have the reality of bugs in software: humans aren’t perfect (irony: because I thought I saw it earlier, and because I should rest my eyes soon, I checked spelling and what did I do but spell perfect as ‘prefect’ … a great example and I wouldn’t be surprised if more exist in this write-up), programmers are human, therefore programmers aren’t perfect: this leads to errors in software (commonly called ‘bugs’). I won’t even get into simulators.

– Based on Government’s direction, the vendor will develop exploits for future released Common Vulnerabilities and Exposures (CVE’s).

This extreme naivety that comes close to delusion (and using that word is painful… I readily admit I have been delusional in the past, and much of their problem is extreme foolishness), this belief that they are in control, is rather scary. Unsurprising. But scary nonetheless.

– Once a product is transferred from the vendor to the government, the government maintains a perpetual license to use, modify or share at the buyer’s discretion.

Obviously. After all, Microsoft and all these other vendors you suggest (with the exception of open source software, of which you don’t mention many) sell their software and openly allow it to be modified and shared with others. The license also works for infinite devices. So of course you would have this right! Too bad you’re dealing with a black market, isn’t it? Governments create black markets. Stupidly, I might add. Yet in this case there is nothing else: this is to break the security of others, something the governments outlawed years ago. Creating black markets is also another example of not learning a bloody thing from history. Yet in this case it isn’t the same thing, is it? Not exactly. If a company hires (or better yet has on staff all the time) others to audit their security (maintain it), that’s fine. But if a company were to pay another company (or other third party) to break the security of another corporation – or states! – they would be in a lot of legal trouble. This is a triple standard: whine about being victims; pay others to help you do to others what you would whine about if others did it to you; and if anyone else were to do it to others, whine also. Global police.

– The vendor shall accept vulnerability data to include patch code, proof of concept code, or analytical white papers from the government to assist with product development. Products developed under these conditions will not be available to any other customer and will remain exclusively licensed to the government.

Gullibility to the extreme! To think that anyone would believe that an entity selling exploit code (especially since in the past, and likely still, much exploit code is released for free… but it doesn’t take much thought to figure out that some would have no problem profiting from it; can you blame them? Do corporations sell to only one customer?) is not going to profit from others who would also be willing to pay, is amusing, very amusing indeed. I’ll also point out there is a hypocrisy here: you have the right to do whatever the hell you want with the software, something that corporate vendors wouldn’t allow (and some free software doesn’t allow it!) with their software. At the same time, though, you have the boldness to state that you maintain the license here, and not only do you state the licensing terms, you also state that the vendor can’t do what they wish with their own work! Licenses are only acceptable if you’re the one stating the terms, yes?

– All delivered products will be accompanied by documentation to include exploit description, concept of operation and operator instructions.

Pathetic. That’s being incredibly nice. That is the brutally honest truth. You really need documentation of how it works as well as how to use it? Weren’t you also the one wanting to direct the development? Usually the developers write the documentation (at least when they do document it which isn’t always)! Script kiddies demanding documentation. Highly impressive. I know, I know… you bought it all on your terms and since you state the terms, you can also demand the documentation. No dignity, no pride, no honour whatsoever.

– Technical support shall be provided by the vendor to the government for purposes of integrating, troubleshooting, bug fixes, feature enhancements, and OS and third party software compatibility testing. These services must be available Monday through Friday during normal working hours (0730 EST through 1630 EST).

You demand technical support… on your own hours?! The amount of arrogance there is unfathomable.

Indeed, no pride, no honour, no respect for others (including themselves actually), no dignity. None at all. I’ve made clear that governments participating in cyber attacks are not just victims but perpetrators (and consequently provokers). Well here is solid proof that they really are doing exactly that. With no shame on their behalf (meanwhile everyone else will see their actions as only shameful). I’d like to lastly say this: they deleted it from their website for a reason. They finally realised the implications. If they didn’t mean harm they wouldn’t have removed it. But they did. There is only one reason for it. The tragedy here is they could do things to make things better. But instead they make things worse, worse for everyone. It is a cyclical process too. Indeed, just like mirroring, this will continue more and more.

The Facebook Law and Ethic

Fair warning: I’m in a mood and this is by its very nature going to be touchy (and there will be some bias, but the points I’m trying to make are still valid). While I don’t at all find my points out of line, I know many would, especially with the amount of obsession if not outright lust for Facebook that many have. You could call this post somewhat unusual for here, although I diverge slightly into another issue – privacy. This post is motivated by something I saw yesterday, one of many other things I’ve read about before, that makes me think that Facebook truly believes that they can do whatever they want with impunity and no regard to any ethics that they clearly violate. I have a strong ethic, and while I am certainly not perfect, I find abuse and destruction unacceptable. But then there are Facebook’s policies and what they allow.

Where to start? Right, we’ll start with what the BBC reported. It is a well known fact that child abuse is a huge problem in this world (much like abuse of the environment, of humans in general, of animals, even of the air we breathe). It is also a well known fact that it unfortunately goes to the extreme cowardice (which is sadly cyclical – abuse leads to abuse; there’s some psychology behind it but I’ll not get into that) of physical abuse including sexual abuse (and frankly it doesn’t matter what age, but children are relevant to the discussion). It is also well known that it is illegal in many countries, definitely the country where Facebook’s premises are (I’m not sure they live in it, though – some of them certainly don’t act as if they believe they do), to have videos, photos or any example of paedophilia (whether hard copy, on a computer or anything else). As it should be. But one would like to believe videos of child abuse in general are illegal. Let’s assume it isn’t, though. What Facebook allows is unethical, it only adds to abuse and frankly it is an utter disgrace in general, but especially when their age requirement is just 13. But how do they enforce that? Something like what year you were born in, or probably (because it equates to less privacy and more ‘important’ information) your date of birth. Yes, that’s definitely going to be accurate, I’m sure of it. In any case, I dislike kids a lot. That is putting it quite nicely, to be blunt. But I dislike something more: abuse and neglect. Both neglect and abuse make matters worse for everyone – the victim as well as the people the victim (when older) victimises because they are emotionally/ethically/morally damaged. But here it is, Facebook has what? A video of a baby being repeatedly dunked into a bucket of water (upside down with arms twisted). Unsurprisingly the baby was crying and one would assume terrified. But what isn’t surprising, either, is that Facebook truly believes it doesn’t break any of their rules, and they only added a warning to the video after a complaint was escalated by the National Society for the Prevention of Cruelty to Children.

The following from the BBC:

“While the welfare of this child is naturally paramount we would also urge you to look at all available options which will ensure UK citizens, including millions of children, are no longer exposed to this kind of dreadful and disturbing content,” the National Society for the Prevention of Cruelty to Children’s chief executive Peter Wanless wrote.

“The NSPCC believes we have now reached the long overdue point where it is time for social networking sites to be held to account for the content on their sites and pay more attention to their safeguarding duties to protect children and young people, whether they are viewing the content or appearing in it.”

Facebook responded as such:

“In cases like these, we face a difficult choice: balancing people’s desire to raise awareness of behaviour like this against the disturbing nature of the video,” said a spokeswoman for the firm.

“In this case, we are removing any reported instances of the video from Facebook that are shared supporting or encouraging this behaviour.

“In cases where people are raising awareness or condemning the practice, we are marking reported videos as disturbing, which means they have a warning screen and are accessible only to people over the age of 18.”

Whether that means they allow referring to it to raise awareness but not allowing it when it is being encouraged, or if they removed this instance but generally feel that raising awareness is acceptable, I do not know. What I do know is that they often state that others should have the choice to watch it if they want, and especially because it will raise awareness (even though the videos they claim are for this go about it in the exact opposite of what would be done for awareness).

Yes, Facebook, because showing videos of atrocities, cruelty and who knows what else, will raise awareness (typically when you raise awareness for such things, there’s something of an explanation that goes along with it, and that includes warnings where relevant)? I imagine also that allowing the videos in some instances won’t actually encourage others to do similar under the guise that they’re raising awareness? I suppose, also, that having these videos won’t be harmful to those who unfortunately and unknowingly watch it without realising what it is they are to see (something I will return to)? That isn’t how you raise awareness: you’re raising awareness? Of what? Why? What should be learnt? What went wrong? Of course, your way will discourage others from these things, too, I’m sure (try telling that to victims of hate and see how far you get). Of course not, all of it is for the good of mankind. Except it isn’t – what you really mean is it is good for you because you have less responsibility to manage and less to worry about. Yet other organisations wouldn’t get away with this. It is only your user base and repeated lies and misdirection – both of which are very easy to sniff out – that allows you to worm your way out of trouble. Indeed, if I were to have such content on my server I could be in serious trouble – as it should be! This isn’t the first time and it isn’t the last time, that you have allowed things like this. Why is that? Because you don’t concern yourself with responsibility, ethics and even if you get away with it legally, it doesn’t mean it is necessarily legal: there’s a reason that child protection services exist and they will actually go after parents simply because their kids enjoyed having a lot of fun doing things that caused injuries needing emergency care (for instance, my brother, myself) fairly often. I’m sure the child in this video was asking for it too, though, so I suppose all is okay, right? 
Somewhat ironically, though, there’s also a link here – if that video was paedophilia, it would land you in serious legal trouble (as it should) and I would expect far more outrage (as there should be). When is abuse acceptable? It shouldn’t be. But there’s should/should not be, and there’s reality, I suppose. Yet there’s a huge problem with being too accepting of others, of things, of surroundings, something that many of your users don’t understand (and/or realise), and they also do the same as you. It is even worse, for you, because of your mentality that the information is necessary, that privacy is a bad thing (even if this has lessened over time, it still exists) – you ignore the reality here in ignorance, arrogance and hypocrisy. So here it is:

If you’re too trusting, too accepting, you leave yourself incredibly vulnerable to harm, and that means off the Internet (or is that ‘Facebook’?) and on. But people are this way and it is often to their peril. Lack of awareness is a real problem (an unfortunate part of being unaware of something includes being oblivious to the lack of awareness in the first place). No matter how aware you are, there’s more you can be aware of (and just like time, things change). Since Facebook has this requirement that you use your real name (although funnily enough, I once had a fake account with the name of a Disney character, one with a nose that grows when they lie – of course it was deliberate on my part), and since the default of many settings – as I’ve read for many different issues; I can’t say from personal experience – are opt out (instead of opt in, as it should always be), including those revealing what should remain private, a scary amount of information can be revealed and mapped (in what I’m about to explain, literally mapped). While many have probably been more public, I would like to note one that is a plugin to the Chrome browser (I’ll leave Google out of this discussion) and was called by the author the Marauder’s Map, which is indeed a reference to the artefact in Harry Potter. You can find more information on how and why this works, what it does, and everything else the author reveals by following the additional links here (the link here is to a brief write up with some additional thoughts).
For those who don’t know, in Harry Potter the map plots out every person in any form (by real name) on the Hogwarts School of Witchcraft and Wizardry grounds, even if they are invisible, by location, with the exception of a couple of places (there’s more than one possible reason and I don’t believe there’s ever been a confirmation of which of the reasons was the case, though I would certainly like to know), even as they are travelling through the grounds (so it moves the person’s location on the map). This one, though, is real and based on a feature of Facebook that allows mapping out users – including those you aren’t ‘friends’ with – over time, to discover where they tend to be, including where they sleep (so not a continuous track, but patterns can lead to fairly accurate results). The problem besides it being scary? They could plot an attack, even through social engineering (but otherwise too). This might be to rob your flat, your car, physically assault you, or it might be a cyber attack.

All of the latter part could be somewhat summarised as: be very careful of who you trust, ask yourself why you trust them, and whether what you think is harmless is really harmless. The argument that Zuckerberg likes to throw – that you have nothing to fear if you have nothing to hide – is a dangerous viewpoint that is both hiding true intent and ignoring the things they wouldn’t share with others (bank account, etc.), something I’ve explained before. As for ‘friends’ I have this to say: I once mocked a friend (which means in another country, one I’ve never met in person and probably won’t because that’s just part of my personality) about Facebook when he finally caved and joined. He knew I didn’t mean offence but in any case, it was about his so-called friends. Well, some time after that he told me of an occasion where he asked his ‘friends’ if any of them would want to spend time with him in person. Not one. Yes, folks, it is interesting, isn’t it, that the more connected we are to technology, the more aloof we are in person as a side effect, not much unlike how I choose to be.

The unethical issue is hard to summarise and it is rather hard to imagine that a corporation, especially a corporation that is about social networking, would accept it (even though it isn’t surprising).

70 Years Ago Today at the Battle in Berlin

This is clearly an off topic post but when I looked at the calendar today, it occurred to me that on this day in 1945, Berlin unconditionally surrendered to the Allies. It was a significant moment in the second world war, and it wasn’t long before all of Germany surrendered. This is something I felt inspired to write in light of such a dark chapter known to mankind.

70 Years Ago Today at the Battle in Berlin: A look in to the heart of mankind, its past, present and future

The Battle in Berlin ended on 1945 May 2. It was a glimmer of hope for many, and would be the day that began the ultimate surrender of Germany in World War 2. Hitler (20 April 1889 – 30 April 1945), along with his newlywed wife Eva Braun, had committed suicide 10 days after Hitler’s 56th birthday – April 30, 1945; he knew the end was approaching and he was not one to surrender: he made sure he was not captured. Josef Goebbels[1], who stayed with Hitler to the very end, had also committed suicide – and forced his family, including his kids (the mother assured the kids everyone was using this drug – I believe morphine – and to not worry, thereby allowing them to be sedated while they were poisoned), to do the same. Goebbels was, of course, the master propagandist of Nazi Germany, and this combined with Hitler being a very powerful speaker is a very dangerous combination (yet they weren’t the only powerful variables). Hitler of course was concerned that the cyanamide was not sufficiently potent, and despite being close to his German Shepherd Blondi, a day before he committed suicide he tested a dose of cyanamide[2] on Blondi; she would be buried and later excavated by the Soviet Union. Meanwhile, Hitler ordered that his remains, as well as Eva’s, be burnt. I’ll return to the liberation of Berlin towards the end of this essay.

The fact Hitler was never one to surrender is quite obvious when you consider the end of the first world war – the war to end all wars: he felt it was an utter betrayal to surrender and was in disbelief that the war was finished; he truly wanted to continue after recovering from temporary blindness (from a mustard gas attack). The Germans (Hitler was born in Austria and was very much Austrian: indeed, over the years, as I recall more than once, many cities in Austria have rushed to make sure that he was not still an honorary citizen, after it was made known that a city still declared him exactly that) told him they no longer needed his service. This of course, was not the end: The Treaty of Versailles left Germany a disaster.

Germany lost a lot of land; the Rhineland was to be demilitarised; their military was limited to no more than 100,000 men; they were not allowed an air force; they were to give up military aircraft; they were not allowed to import or build air power for six months, among other air warfare restrictions (yet ironically, despite all this, the Luftwaffe would later literally flatten areas in the UK during The Blitz, which caused many in England to use the tube stations as bombing shelters and led to utter devastation in areas – like Northern Ireland – that were unprepared, if not outright ignoring warnings); prohibition in the arms trade; limitations as to what the navy was allowed (battleships as well as number of men); they were to pay billions (marks) in reparations, something I believe they’ve yet to pay off (I would be surprised if they ever do, assuming that indeed they have not yet); and much more. Germany was not invited to the discussions. All of this paved the way for Hitler to eventually take over what would later become the National Socialist German Workers’ Party – or Nationalsozialistische Deutsche Arbeiterpartei (abbreviated as NSDAP), more commonly known as the Nazi Party. It was originally the National Socialists party. It was Hitler who decided to rename it to what it is known as today. His idea was that it would appeal to the masses, essentially everyone but the communists and the Jews[3]. In addition, the victors also largely ignored the Japanese, despite Japan being a victor.

When you think of all this, it would be absurd to even dream of there not being another major conflict. As far as I am aware, the Americans tried, some time later, to get some of these limitations removed, because of this fear. But they were too late and/or not successful. Essentially, the treaty would be to the victors’ – and indeed the entire world’s – peril.

Yet despite the terror of the time, despite the atrocities, mankind has not taken to heart all the lessons. There is no such thing as tolerance if it is not respected and considered 100%; therefore, tolerance is a dangerous lie: selective tolerance still discriminates and that is exactly what happened so many years ago and to this day still occurs. It is true that there were horrible atrocities with terrible consequences and to this day there still is. But war is war. While that does not justify what was done, it should always be kept in mind. The last remaining body guard of Hitler once said something that should be remembered because it is completely honest and 100% valid: there’s never been a war without war crime. I would extend this, and perhaps he meant this too, by adding: war itself is a crime.

Yet despite the Soviet Union liberating Berlin (and other Nazi occupied land), they were not above being horrendous, either. The Red Army looted, committed mass rape and mass murder. This affected many more people: rape and, in general, sexual abuse – which is also physical, mental and emotional abuse – ruins lives (and a close friend of mine can attest to that, even though it should be obvious). Then there are the murders. Is that better than the Nazis? The effect would not happen if it wasn’t for the cause; the cause is the lack of tolerance, the hate, the vengeful, discriminatory and oppressive behaviour and mentality. Yet many Soviets earned medals for liberating Berlin. One hopes that none that participated in the deplorable actions were also rewarded, but as I’ve already noted – war is a criminal act, and it is inevitable that these things will happen, and in all likelihood many perpetrators were indeed rewarded.

It is interesting to note that two very significant things changed the war outlook (of course there are others, including some that are because of these). First, Hitler regretted his pact with the Soviet Union, and he decided to break it by invasion. With the Soviets’ scorched-earth tactic, combined with the climate and temperatures there, the German army suffered terribly. This also meant that the Soviets would fight the Nazis and ultimately would liberate much of Europe (it is also worth noting that other neutral countries – Sweden, for example – would not only remain unoccupied but also gain the Nazis’ trust and as such, many Jews were able to flee to Sweden). The other is that Japan bombed Pearl Harbor and this, combined with Hitler shortly thereafter declaring war on the United States of America, would bring the US into the war. The Americans were an important part of the victory, from D-Day (Normandy) and through the Pacific.

70 years ago today began the first part of a transition to the end of a very dark chapter in mankind. Never forget what happened, how many lives were lost, how many lost family, how many suffered. Never forget it could have been worse. But do not forget either that it could have been better if only there was tolerance, more peaceful cooperation (instead of aggressive competition) and if only more people remembered how their actions affect others. Ultimately, World War Two could have been avoided as could many other wars, including wars after World War Two. But they aren’t avoided. 70 years have gone by and mankind has still not acknowledged these things; there is nothing darker than this realisation.

[1] Just like it is commonly spelt Adolf Hitler (when his birth certificate actually shows Adolphus) it is often Joseph instead of Josef. One of the books I have on Hitler (as below) spells it Josef. Probably the common spellings are English.
[2] I always remembered cyanide. However, because I wanted to cite references to some of this, I looked at one of the books I have on Hitler. While some other Nazis did use cyanide, apparently Blondi was given cyanamide (and it seems that it was initially Hitler’s doctor that suggested this be the way to test it). Ironically, despite Hitler’s fear (he shared the fear with someone who had relayed the fear to Hitler although they had different reasons as to believe it) it was Eva Braun who took the cyanamide (although she tried to use something else; the name fails to come to mind). Hitler shot himself instead.
[3] There was no place for Jews as far as he was concerned. What made him hate Jews so much is likely a combination of factors but one theory is something the Nazis used themselves – spreading fear and hate by words and actions; certainly he mirrored some beliefs as others had already made public, and certainly he was influenced by others. I’m not certain why he hated the communists so much except that he supposedly railed against them in Mein Kampf in addition to the Jews.

While I have more books on Hitler, the one I have actually read (albeit a long time ago until some brief checks earlier today) is below.

Books
Adolf Hitler: The Definitive Biography by John Toland (Anchor, 1992)

systemd tips and tricks

I really have tried to get myself to like systemd and if nothing else I’ve tried to get accustomed to it. While the latter is mostly the case (though I certainly do not know it as well as I could or perhaps should, this admittedly due in part to strongly disagreeing and being against some of the more recent – past few years – changes in Linux, including a great deal of the systemd concept), I still have mostly failed to like systemd; indeed, there is still much of it I really do not like. So this is perhaps an unusual post, in a sense, because I don’t like it – why would I bother with this? Well the reason is it is true to my nature, and I share information where I can (and I’m sincere enough to give credit where credit is due, including for things I dislike). The other reason is that I do find some features really useful and today, as I was updating some configurations, I decided to go beyond the intended goal: in the process, I also came up with some little bits of information that I find useful and if nothing else, I might find it a useful reference later on. The list is short (perhaps not as short as it seems, if you consider the first entry’s additional resource). I feel somewhat humbled and I can honestly claim that – while I still don’t like systemd in full – writing this list actually makes for additional cases for systemd (rather than against), as well as discovering more and learning in the process (which is always positive for me).

  • The passive finger printing service, known as p0f, has an issue that I see as a defect, but can be repaired by systemd (this is something I do appreciate). The defect is that upon detecting the network is down (even if the network service is restarted, i.e. stopped and started immediately), it errors out, terminating itself. But if it is able to detect the network is down, it should be able to sleep/poll (actually, systemd allows for this exactly albeit by having p0f restart on failure, trying until it succeeds) until the network is back online, and then resume its normal operations. Maybe there is some technical reason for their choice (specific to their internals or a library they rely on) but if that is not the case I consider it a defect. It is true that p0f (at least the version I am using) doesn’t support systemd natively, but then you can create a basic p0f.service file and activate it, start it and therefore resolve the problem (systemd can restart services when they fail, as well as in other occasions).
  • As I explain in the p0f.service file, if a service becomes a daemon, you’ll want the line (in the Service section) because otherwise the service will be dead but with no explained reason (systemctl status will show it as it started but that is the last message yet it is dead; the process won’t exist in the system, either):
    Type=forking
  • This is another thing I like (I admit it could be done with SysV but it is somewhat simplified here because each service has its own state as well as its own configuration file and where applicable it can share settings; more specifically, the process of configuration and setting this up is simplified – you don’t necessarily need multiple PID files, either): you can run more than one instance of the same service, without any problems, even if they have different configurations. For instance, if you use stunnel (tip for stunnel: if your system does not have enough entropy, if you can obtain and use rngd, it can solve the problem, therefore allowing stunnel to start; note, however, that you might have to force it to stay in the foreground [the option -f does this] – which isn’t to say you have to keep the session active! – and you might also have to read from /dev/urandom in order for it to start itself!) you can have a stunnel-client and a stunnel-server, each with their own configuration file (something I just thought of, which could possibly be useful, is multiple instances of an MTA – postfix, for example – for different domains etc.), and each with their own state (is it enabled, is it active, was it stopped?). You should of course make sure they log to different files (or somehow synchronise them) if it would cause problems reading (or parsing) the file, but that probably always applies. To enable this, once you create the .service files, you can use the normal commands (enable, disable, etc.) on each service (the main difference is – besides any adjusted configurations – the service name). I find this functionality rather useful. This – I might add – can be extended to make other virtual services; it doesn’t necessarily need to be a daemon (or otherwise fork), and of course systemd has more than services.
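As an added example (not the post’s own p0f.service, which the post does not reproduce), here is a small installer that writes the two kinds of unit described above: a forking p0f service that systemd restarts after it bails out because the interface went down, and a templated stunnel unit so that stunnel@client and stunnel@server run as independent instances from their own configuration files (the template form goes slightly beyond the post, which creates two separate .service files). The binary paths, the p0f command line, the log path and the stunnel config layout are assumptions.

```shell
#!/bin/sh
# Added example: write systemd units for the two cases discussed in the post.
# Assumptions (not from the post): p0f lives in /usr/sbin/p0f and is started
# with -d (daemonise), -i <iface> and -o <log>; stunnel lives in /usr/bin/stunnel,
# reads /etc/stunnel/<instance>.conf and that config sets "foreground = yes".
set -eu

# write_units DIR IFACE
# Writes p0f.service and stunnel@.service into DIR (normally /etc/systemd/system).
write_units() {
    dir=$1
    iface=$2

    # p0f daemonises, so Type=forking is needed; otherwise systemd treats the
    # exiting parent as the service dying and shows it as dead with no reason.
    # Restart=on-failure makes systemd retry instead of leaving p0f dead after
    # it exits on a downed interface; RestartSec spaces the retries out.
    cat > "$dir/p0f.service" <<EOF
[Unit]
Description=p0f passive OS fingerprinting
After=network.target

[Service]
Type=forking
ExecStart=/usr/sbin/p0f -d -i $iface -o /var/log/p0f.log
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

    # A template unit: the text after '@' in the instance name replaces %i, so
    # stunnel@client.service and stunnel@server.service are separate services
    # (own state, own enable/disable) reading /etc/stunnel/client.conf and
    # /etc/stunnel/server.conf respectively.
    cat > "$dir/stunnel@.service" <<'EOF'
[Unit]
Description=stunnel instance %i
After=network.target

[Service]
# The instance config keeps stunnel in the foreground (foreground = yes),
# hence Type=simple; a daemonising config would need Type=forking instead.
Type=simple
ExecStart=/usr/bin/stunnel /etc/stunnel/%i.conf
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# unit_has FILE LINE : exit 0 if the unit contains exactly that line.
unit_has() {
    grep -qx "$2" "$1"
}
```

After writing into /etc/systemd/system, run systemctl daemon-reload, then enable and start p0f, stunnel@client and stunnel@server as separate services.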

So I guess you could say that there’s some useful cases for systemd. In addition, I know there’s another one which makes diagnosing fatal errors – say, boot up failure – easier because of the journal (I think this was the idea although I might be remembering part of this wrong; that is besides the point, however – the idea is it has some benefits and I’m willing to acknowledge and accept this, even though there is much I don’t like, too).

Solution: systemd-sysv-generator: Could not find init script for


2015/03/08: I never seem to remember this and only by chance did so when I was able to note it. I am not fixing it here, however, for two reasons: I don’t have the time or inclination, and it isn’t harmful – it is actually beneficial – to type commands on your own. The problem is this, though: the formatting of certain characters on websites. Specifically, the – and — stand for a single dash/minus sign and two together, respectively. But they won’t be displayed that way, so if one were to copy and paste, it won’t be what is truly typed. I am positive this problem is elsewhere here, but again it is something I seldom remember.


This is something I’ve seen in a Fedora VM. It seemed odd to me because the services were not enabled and actually weren’t installed (but had been). I never really looked into it, however; after all, it is just a warning and I had seen odd things in systemd before (as I’ve documented). But just a bit ago I decided to look into it. It is quite simple really (however, I’m elaborating on different parts and this includes safe computing practices; indeed, there are some things to consider and if you don’t know how certain things work in full you would be wise to learn those things).

systemd-sysv-generator is a simple wrapper that allows services which are not systemd enabled (or maybe ‘capable’ is better), that is, those that don’t have systemd unit files (and instead, as the name suggests, have SysV init scripts), to work with systemd. Once one knows this (which isn’t all that complicated) it becomes quite natural to suspect that something refers to what used to exist but no longer does. That suggests, also, a dangling symlink (much like a dangling pointer in C: the symlink points to something that doesn’t exist but at one point did). This means that you need only rm the symlink itself. To find all broken symlinks in /etc/rc.d (the directory in which all the SysV init scripts are located) you can use the following. Note that I pass the option --color=auto to ls for those who have colour terminals (which means most), so they can see that the links are indeed broken. I’ll explain why this works as it does. I’ll show how to remove the links but I’m first including how to print the link names. It should be obvious why, but just in case: never ever copy and paste a command that deletes (or truncates or otherwise overwrites) files without knowing the full consequences. Sometimes broken links are installed deliberately and I wouldn’t go around deleting just any link (it is one of those “don’t do this unless you truly know what you are doing” things – it just isn’t safe practice to delete files because they appear useless to you; see below, also).

To find broken links in /etc/rc.d you would use the following command (you shouldn’t need to be root to display them; you would need to be to delete them – whether through sudo, su with the option -c or as root is up to you):
$ find -L /etc/rc.d -type l -a -exec ls --color=auto -l '{}' \;
The -L option means dereference symlinks. We only care about files under /etc/rc.d so we specify that as the starting point. -type l means symbolic link; when -L is in effect this test is never true unless the link is broken, because a link that can be dereferenced is reported as its target. The -a (you can omit the -a, because two expressions, one following the other, imply it) stands for “and”, which means the ls command is only executed if the previous expression is true. Since we want to find broken symlinks, and since -L dereferences symlinks, if the target doesn’t exist the dereferenced file cannot be anything but the link itself. Therefore, because of the return value (as previously explained), only a broken link makes it past -type l to the -exec. The -exec syntax of find is something that I think throws people off. I never had this problem; I read it in a book many years ago and it made sense to me. The idea, however, is this: you quote (in this case with single quotes) the {} (and therefore you have '{}'). That is the current object. ls --color=auto is for colouring, as I explained earlier (you don’t have to use that option, of course). The \; you can read as the end of the command. You could also write ';' but the general form is escaping it (hence \;). Thus, in my case, I saw (not including colour) the following (snipping some of it for the sake of brevity):

lrwxrwxrwx 1 root root 18 Jan 15 2013 /etc/rc.d/rc2.d/K85ebtables -> ../init.d/ebtables
lrwxrwxrwx. 1 root root 14 Sep 27 2012 /etc/rc.d/rc2.d/S90tcsd -> ../init.d/tcsd
lrwxrwxrwx 1 root root 18 Jan 15 2013 /etc/rc.d/rc6.d/K85ebtables -> ../init.d/ebtables
lrwxrwxrwx. 1 root root 14 Sep 27 2012 /etc/rc.d/rc6.d/K10tcsd -> ../init.d/tcsd
lrwxrwxrwx 1 root root 18 Jan 15 2013 /etc/rc.d/rc4.d/K85ebtables -> ../init.d/ebtables
lrwxrwxrwx. 1 root root 14 Sep 27 2012 /etc/rc.d/rc4.d/S90tcsd -> ../init.d/tcsd
lrwxrwxrwx 1 root root 18 Jan 15 2013 /etc/rc.d/rc0.d/K85ebtables -> ../init.d/ebtables
lrwxrwxrwx. 1 root root 14 Sep 27 2012 /etc/rc.d/rc0.d/K10tcsd -> ../init.d/tcsd

Therefore, to delete the files, I would do the following. Note, however, that I am passing the -i (interactive) option to rm for demonstration purposes, and so that you can confirm that you copied and pasted it right (you should rather type it!) or that there isn’t anything else wrong (and this is a good idea in general; I mean no harm, but if I make a typo myself, leave out some information by accident or… if I were being malicious… it would not serve you well: while I am biased because I am incredibly cynical in life, being cynical when it comes to instructions in computer-land is a very good thing! Trust is far too easily given and this has been abused many times over the years, and I mean in the extreme: rooting a system, which means gaining root access, which means complete control of the system and potentially more of the network!). This is the command:
# find -L /etc/rc.d -type l -a -exec rm -i '{}' \;
After that, assuming you confirmed every file, and assuming no errors, if you were to try the first find command (the one invoking ls), you would have no output because all broken links would be gone.
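The same find(1) idiom, as an added example that is not the post’s own commands: the listing and the deletion are wrapped in two separate functions, and a constructed miniature /etc/rc.d (one live link, one dangling link, mirroring the tcsd case above) lets you try both without touching the real directory. The sandbox layout and script names are constructed for the example.

```shell
#!/bin/sh
# Added example: find and remove dangling symlinks the way the post describes,
# with a throwaway sandbox so the behaviour can be checked before running it
# against /etc/rc.d. Look first (broken_links), delete second.
set -eu

# broken_links DIR : print every symlink under DIR whose target does not exist.
# -L dereferences links, and under -L "-type l" only matches a link that cannot
# be dereferenced, i.e. a dangling one. -print is find's default action.
broken_links() {
    find -L "$1" -type l -print
}

# remove_broken_links DIR : delete the dangling links. rm acts on the link
# itself (there is no target to follow) and -- guards against names that
# happen to start with '-'.
remove_broken_links() {
    find -L "$1" -type l -exec rm -- '{}' \;
}

# make_sandbox : build a constructed /etc/rc.d lookalike with one live and one
# dangling rcN.d link (init script removed, link left behind, as with tcsd).
# Prints the sandbox path.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d" "$root/rc2.d"
    printf '#!/bin/sh\nexit 0\n' > "$root/init.d/sshd"
    ln -s ../init.d/sshd "$root/rc2.d/S55sshd"   # target exists: must survive
    ln -s ../init.d/tcsd "$root/rc2.d/S90tcsd"   # target missing: dangling
    printf '%s\n' "$root"
}

# count_broken DIR : number of dangling links, for a before/after check.
count_broken() {
    broken_links "$1" | wc -l | tr -d ' '
}

# Run with "demo" as the first argument to see it against the sandbox.
if [ "${1:-}" = "demo" ]; then
    sb=$(make_sandbox)
    echo "before:"; broken_links "$sb"
    remove_broken_links "$sb"
    echo "after: $(count_broken "$sb") dangling link(s) left"
    rm -rf "$sb"
fi
```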

As for deleting files (which I referred to earlier, with regard to files that seem useless): this is more general, and by more general I mean the way symbolic links work in general. Depending on the options to commands and otherwise how commands are invoked, you can run into problems: is a symbolic link dereferenced, for example? If it is, then acting on it acts on the target. Otherwise it acts on the link itself (this is akin to C, also, where you can have a pointer to a structure but if you don’t dereference it you are only accessing the pointer, not what it points to!). In short: unless you know which commands do what under which conditions, you can run into problems (whether you do or don’t is another matter entirely; taking the risk is, however, not exactly the best choice). This is also what I described in a post some years back called The Spirit of Pranks – Technology Style and in particular the entry that I titled (one of the entries that were my own doing) ‘The “don’t type a command if you don’t know what it does” trick’. Of course, type also implies (maybe more so!) copy and paste. I want to point something out, finally, on this: this rule is especially important because what if you run a command and specify a wildcard on a directory? It might be that if you use the recursive option, the command does not dereference the links (and for good reason). However, if you don’t specify that option and you instead use a wildcard (or otherwise a file globbing pattern), you might cause damage rather than solving your problem. I’ll give you an example, and one that almost bit me hard (and since that time I have never had a link to this again): if you have a symlink to /dev/null and you run a command that changes the file (it was, I believe, the owner, since only root can change the owner and therefore the command was run as root!), you can break your system. It might seem absurd, but /dev/null is critical.
Furthermore, changing the owners, modes, and so on, of files (/etc is a good example but it isn’t the only example) can break your system. Indeed, a big mistake is when people accidentally (or not knowing better) change ownership recursively. The problem is: .* does not mean all dot files/directories below the current working directory. It means all dot files/directories in the entire filesystem, when acting recursively (the reason is that .* also matches .., the parent directory, so the recursion walks up into the parent and everything below it)! It might seem like it would, because after all, a* shows files that start with an a, but it isn’t that simple. If you want more information here, read glob(7) in the manpages. And while it is similar to regular expressions it is NOT the same! As I think I’ve made clear before (on this subject, in fact), the pattern would be ‘.??*’ (without the quotes, of course). However, the proper way is to be in the starting directory and then recurse on the path ‘.’ (without the quotes). But again, this can be very risky; if you are in /etc you can cause a lot of problems (same with /usr …).

Multiple Default Routes Per Network Interface

Problem: You have two NICs in one system where the first NIC is for Internet bound traffic and the second NIC is for an intranet (in my case attached to the switch but is not allowed to communicate with the first NIC and is isolated from the Internet through ingress and egress filtering). Furthermore, the first NIC is associated (by IP addresses assigned to it) with more than one network. How do you make sure that inbound and outbound traffic for one network uses its default gateway and every other network uses its own default gateway as well? After all, if you have a /32 (single IP) and a /29 block, then you would expect the default routes to be different. But both are on the same interface!

Taking the method of configuring multiple default routes found here, with a slight change, will solve the problem. I did this a while back and I offered some hints there. But somewhat related to a previous post of mine, that of IP masquerading based on destination port, found here, I have decided to explain it more thoroughly (actually, there really isn’t much to explain at all). So what is this slight change? In fact, the change is only that instead of dealing with multiple NICs (one or more for each network), you only concern yourself with one NIC. Yes, it is that simple. I do have a bonus, however, albeit nothing much. If you use SysV initscripts (e.g. Red Hat), this is how you configure it so that it persists across reboots; contrary to what is often suggested, you typically do not need to write your own script, and neither do you have to modify a script that runs on boot, for these types of changes: the support is already there and for good reason – no one would expect you to reconfigure your network every time you reboot! This is all you do:

After replacing the IP addresses (this includes all the IPs: the network, the gateway and the IP associated with the interface in question) with your own, and making sure the configuration works (after typing it – and remember, if you type it you’re more likely to remember it, as opposed to copying and pasting! – and testing it at the shell as well as from other hosts that are relevant), you take each object type (route and rule) and create a file for each interface and each object type in /etc/sysconfig/network-scripts, with a few tweaks. For rules, if your NIC is eth0, you’d have the following file:
/etc/sysconfig/network-scripts/rule-eth0

In this file, you would take what follows the ‘:’ in the output of the command ‘ip rule show’ and place it in the file. Note that you only want the rules that apply to the table in question, not those of the other tables!

You would also have the file:
/etc/sysconfig/network-scripts/route-eth0

and inside it you would place the ip route add command (that was typed in previously) except that you don’t include the ‘ip route add’ but only what follows it (to the right).
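As an added example (not the post’s own configuration, which links elsewhere for the addresses), the procedure above for two blocks on one NIC: the lines that would follow “ip route add” and the “N:” priority of “ip rule show”, once as live commands and once appended to route-eth0 and rule-eth0. All addresses are constructed from the RFC 5737 documentation ranges; the interface name, table numbers and the network-scripts directory are assumptions.

```shell
#!/bin/sh
# Added example: policy routing for two address blocks on one interface, as
# live "ip" commands and as the route-<iface>/rule-<iface> files that Red Hat
# style network-scripts replay on ifup (one "ip route add"/"ip rule add"
# argument list per line). Addresses below are constructed, not real ones.
set -eu

# net_routes IFACE NET GW ADDR TABLE
# Emits the route lines for one block: exactly what follows "ip route add"
# when typed by hand, one route per line.
net_routes() {
    printf '%s dev %s src %s table %s\n' "$2" "$1" "$4" "$5"
    # "onlink" tells the kernel the gateway is reachable on IFACE even when it
    # is not inside a connected prefix, which is the case for a lone /32.
    printf 'default via %s dev %s onlink table %s\n' "$3" "$1" "$5"
}

# net_rules ADDR TABLE
# Emits the rule line: what follows the "N:" priority in "ip rule show".
# Keying on the source address is what makes replies sent from ADDR leave via
# the gateway of its own block instead of the main table's default route.
net_rules() {
    printf 'from %s lookup %s\n' "$1" "$2"
}

# apply_live IFACE NET GW ADDR TABLE : the interactive step, run as root.
apply_live() {
    net_routes "$@" | while read -r line; do
        # word splitting of $line is intended: it is an argument list
        ip route add $line
    done
    ip rule add $(net_rules "$4" "$5")
}

# write_files DIR IFACE NET GW ADDR TABLE : persist one block. Appends, so
# several blocks on the same IFACE end up in the same two files.
write_files() {
    dir=$1; shift
    net_routes "$@" >> "$dir/route-$1"
    net_rules "$4" "$5" >> "$dir/rule-$1"
}

# Run with "demo" to print the two files for a /29 and a lone /32 on eth0,
# each with its own gateway and its own table (100 and 101).
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_files "$d" eth0 192.0.2.8/29     192.0.2.9    192.0.2.10    100
    write_files "$d" eth0 198.51.100.20/32 198.51.100.1 198.51.100.20 101
    echo "== route-eth0"; cat "$d/route-eth0"
    echo "== rule-eth0";  cat "$d/rule-eth0"
    rm -rf "$d"
fi
```

Point DIR at /etc/sysconfig/network-scripts only after apply_live has been verified from the shell and from the relevant remote hosts, as the post advises.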

That’s all there is to it!

(Of course, that’s all there is to if you’ve read the original document and equally important, if my being distracted while writing this – which I was – has not created a null … route).

Rant: The State of Cyber War

2015/08/11:
I want to restate one thing in particular. I brought up Nazi Germany. But I did this because I’m more familiar with them than any other (because I’ve always been fascinated with that time in history above all others). However, this would make some (reasonably enough) think of Reductio ad Hitlerum and also of Godwin’s law. That is not something I’m keen on. It is true that they made a lot of excuses. But this is a trait of humans – to justify questionable actions (questionable in the eyes of others) they make excuses, use partial-truths or outright lies (both) and do anything else necessary to get their own way (scaremongering, for example?).

But states indiscriminately collecting metadata on everyone (national or international), as well as attacking other states, is what you might expect from a rogue nation or one governed by state police (and otherwise not a nation with a permanent seat on the security council of the United Nations). Ironically, countries that throw out lies about why they need more powers to spy, specifically those referring to terrorism (instilling terror), are making use of fear themselves, to get what they want. It isn’t an accident though: fear is an emotion, emotion doesn’t mix with logic, scaring people isn’t all that hard (this is quite obvious), and this is an extremely effective way to take away liberties. That is what it comes down to. Never forget the Reign of Terror during the French Revolution and its purpose.


 

2015/02/19:
Prepend ‘Rant:’ to the title. I’m on the fence about whether it would be better as ‘Viewpoint:’ or ‘Rant:’ but for now I’m erring on rant because there is aggression and rant is therefore more likely what people would think of (even though there certainly are personal viewpoints here). Yes, the point is valid – cyberwar is a dangerous game indeed, and a game that is unlikely to stop (this is not War Games, after all – at least not as the movie portrays). But sarcasm is in my blood, it really is (and it has always been this way, even as a toddler), and if I were a god I would likely be the god of sarcasm with a quick and nasty temper. I won’t deny it; the way I express myself is probably not the best, certainly it is not the way most people express themselves. I do try to be reasonable – and fair – and this is one of the reasons I try to always have a point but the fact remains that it is often in a vague and cryptic manner with a tendency to go too far.


I want to take some time to clarify some things that I wrote yesterday, that being 2015/01/20. The intent is that this is less aggressive. With that in mind, here goes:

Perhaps it is true that I should not have tackled what I did yesterday. Based on how I’ve felt for quite some time, it wouldn’t surprise me one way or another. But even though I might have gone too far in some ways (or in some parts), there is the fact that the point remains the same: attacking someone (or some entity) as well as provoking them, followed by whining (and that is EXACTLY what it is) when the same happens in return, is stupid and hypocritical. Would you really lunge at someone and then complain about how much harm they caused you in return? That is what it is – you reap what you sow.

The fact remains that participating in cyber war, in general, is a dangerous game (and directly attacking other nations’ computers is NOT defence – it is the cyber equivalent of declaring war on and invading the country). In other words, yes, the suggestion that if all the activity being done was in the real world, it would be a nuclear holocaust, isn’t so far off the radar (if you will excuse the pun).

Lastly, the very idea that nations need laws to somehow share more information with corporations is an absurd and dangerous lie. That they also claim it is for the citizens’ own safety and good is actually scary. Shockingly scary. Yesterday I didn’t want to elaborate on why I chose Nazi Germany to compare. I’ll get to the point momentarily, but to anyone who might want to know (not that I believe I have many readers): there are many reasons, one of which is I’m a WW2 buff. I studied Nazi Germany extensively. While there is much I don’t remember (compared to before), I still remember a lot. So here it is: the Schutzstaffel, otherwise known as the SS, and the secret police, the Gestapo? They made these same claims too: that they were doing it for everyone’s good. The world still hasn’t learned from the war and they didn’t learn much about tolerance, either, did they? Not even close. Tolerance for group one and not group two is not any more tolerant than being tolerant for group two and not group one. But that is exactly what happens to this day and it is a double standard (at best). I’ll not get into the history aside from this final point, a point that should not be dismissed (I know it is and will continue to be, though): the problem isn’t how far someone travels (i.e. the severity of each act); the problem is how willing they are to create the path that allows the travelling (i.e. what laws come into existence to remove the blockades). In other words, the very idea that they need more and more control (notice how this doesn’t stop after they get the next amount? And then the next? And next? And start all over ad infinitum? Ask yourself how new you really believe that is) for the same purpose – for the safety and the good of the population – is scarily similar to what should never be ignored. But it is ignored. Ironically – as I already suggested – the rationale of ‘why they need this’ remains the same. The part that does change is they continue to need more and more (of what they already supposedly have!) to fulfil the same(!) task. The more they need, the more they abuse (it) and the more they abuse, the more power they crave. Truly feel safer? What makes you feel that way? What actually changed? Sadly some (many, obviously) will fall for this claim – repeatedly. It is ironically just like history.


This will be a piece that is mixed with ridicule as well as a warning. I fully acknowledge that the warning will be largely dismissed, at least dismissed by those who actually should not ignore it. But then you can’t really reason with politicians, can you? No – one of the definitions of a politician is a complete idiot that is dangerously high on a power trip, desperate for power, one that spreads fear, incites hate and anger. That is about as far as I’ll go in that regard because, as I’ve made clear before, politics is one of the most potent cesspools known to mankind (I have no problem, however, with actually attacking their arguments, their claims, when it comes to computers). To this end, another warning: while I do have good intent here, it was a thoroughly obnoxious day. So the ridicule might go too far. I’ll be in good company though, won’t I? Not sure it is the right company but such is life. So with that:

It seems to me that, given the circumstances, now is as good a time as ever to write about the risks of cyber wars. What circumstances? It has been claimed by the New York Times, as well as Germany’s Der Spiegel, that the reason the US officials suggested that North Korea was responsible for the attacks on Sony is that they had access to North Korea’s network. Yes, that means they compromised North Korea’s network. Yes, that means more hypocrisy indeed (there is never enough of that, is there?). These two news sources, I might add? These are the agencies that Edward Snowden leaked the spying accusations to. As I’ve made clear before, the NSA has a long history of hissy fits about encryption (and otherwise needing control) so really the only news to me is what specifically they were up to – as a spying agency, and as a spying agency that has the history that the NSA has, it isn’t really surprising. Sadly this makes it even more believable. Let’s see, what are the claims that are known, and what is the US saying in defence of themselves?

“While no two situations are the same, it is our shared goal to prevent bad actors from exploiting, disrupting or damaging US commercial networks and cyber infrastructure,” said spokesman Brian Hale.

Noted. That says quite a lot, doesn’t it? The fact no two situations are the same and the fact you want to prevent bad actors from ‘exploiting, disrupting or damaging US commercial networks and cyber infrastructures’, this is why you don’t count yourself, right? Because it is a different situation than yourselves. Makes sense – and since there’s often a lot of assumptions in this topic, I don’t see why I shouldn’t assume here, too, that my suggestion makes sense. That isn’t wrong, is it? Or perhaps it is because you aren’t actually actors but instead being your usual self? That seems quite plausible, too, I must admit. Then again, maybe it is simply that you don’t consider reputation all that important? That would explain why you find it perfectly acceptable to BREAK THE LAW as long as it is for those you (supposedly) are protecting? But it gets better, doesn’t it?

“When it becomes clear that cyber criminals have the ability and intent to do damage, we work cooperatively to defend networks.”

You work to defend the networks. If it is on the land of the US, of course. But is that really the full truth? I don’t know if I agree. The BBC claims that the paper reporting this new information says that you – that is the officials supposedly investigating the crime – believed that North Korea was mapping the network for two months prior to the attack. Considering that one of the very first things an attacker will do, when going after a network, is getting as much information as they can about the organisation (its employees, its hours of work, its network, the hosts, the services, everything means as much as they can possibly gather), this would make sense, wouldn’t it? Yet it took you two months to figure this out? Weren’t you monitoring them? Why would you not alert them? Why would you not help them? (One hopes you don’t do this with your own although seeing as how there are issues at times, it makes me wonder) Is it because there is some other use out of it? I don’t know, maybe making it an excuse to give more power, more control to the government, with regards to what capabilities you are allowed? Something like this:

A senior Democrat on the House Intelligence Committee on Friday will reintroduce a controversial bill that would help the public and private sectors share information about cybersecurity threats.

“The reason I’m putting bill in now is I want to keep the momentum going on what’s happening out there in the world,” Rep. Dutch Ruppersberger (D-Md.), told The Hill in an interview, referring to the recent Sony hack, which the FBI blamed on North Korea.

Or maybe it was because then more sanctions could hit North Korea? Because a cyber attack is the right reason for that over all other things, yes (and of course, sanctioning an isolated state isn’t provocative – it is actually helping the relationship, that’s what sanctions are for, right? It won’t hurt the citizens and actually it will make them feel better, that other nations care enough to cause them more grief ‘as long as it teaches the nation to do what’s right’)? On the other hand, it is possible the attacks are being abused to do that (some might argue all of the above – they’re probably right). My problem with this goes further. This is encouraging cyber attacks (yet more recently there is the suggestion that the US and the UK will participate in war games; the irony in it all is too much, when you consider why the two nations want to do this). “I want to keep the momentum going on what’s happening out there in the world” implies that you honestly don’t care why, you just have to have more control, as if it is as I put it – a drug. Nazi Germany did the same and their excuses were similar too; they were protecting others from whatever they didn’t like (even though the claim was a farce). Indeed, that ‘keep the momentum’ remark also implies that you’re fine with the attack, an attack that revealed confidential information about people whose only crime was working for Sony. You’re fine with it because it gives you an excuse to tighten the noose (ironically the law allows more spying on the citizens of the nation you claim to be protecting – again, just like Nazi Germany). (Yes, I’m deliberately comparing it to Nazi Germany even though there are plenty of others. There are many reasons for it. I won’t elaborate on it aside from that.) And the law you want to introduce isn’t just making it easier to share information about cybersecurity threats. There is not a single thing that prevents you from doing that now! Nothing prevents the corporations from informing you of attacks (as they recently showed you exactly that – because the government refused to warn them even knowing it was imminent, a shameful act indeed). The only thing that prevents the government from sharing that information is they would rather not. But that isn’t a legal issue. No, the law you refer to is CISPA – the law that allows spying on citizens (among other things). Anything else is an absurd lie – a lie designed to manipulate the situation (yet again just like Nazi Germany)! No, it wouldn’t have prevented the attack, either. Ironically, given the claim by the government, it seems the one thing that could have prevented it would be the government themselves; the government that claims they need more power (yes, because having been monitoring North Korea wasn’t enough!). Indeed – people in power can never get enough, no matter what they have already, and the more they get (and they are often so insistent on it that it is expected they will) the more they want, in a vicious cycle just like the addictive properties (and effects) of drugs.

The fact of the matter is: the United States is not just a victim of cyber crime; they are perpetrators just as much as other nations (perhaps in some ways more so). It is just that the United States has the status to get away with it more easily. The reality is that by participating in cyber wars, you’re actually creating more problems and I do not refer just to those between nations (but that is what this is about). The end result: each and every nation that adds fuel to the fire rationally has only themselves to blame when they fall prey. In addition, corporations that are attacked because of where they reside also could rationally blame their nation (whether they are allowed to be there or not is frankly an irrelevant point (and keep in mind that Sony is a Japanese corporation, not an American corporation, and this, I fear, makes that argument – of nationality and otherwise location – less relevant)). If nations acted this way in the real world – and let’s be honest: that is already far too extreme – there would be a nuclear holocaust. Much of what is claimed is defence is actually direct provocation. As for North Korea versus the United States, I will remind you again: the two nations are not allies and in fact are more like enemies; consequently, provoking them and then complaining about the response is hardly helpful. It is actually about as stupid and arrogant as when a human goes into the ocean, even with warning signs about recent shark activity, gets killed (why go into its territory?) and what do officials do? They hunt the shark down and viciously slaughter it, as if it was deliberately in the territory of humans (because humans live in the oceans, yes?) to slaughter as many (humans) as possible (never mind the fact that many shark attacks are accidental). Yes, that is a great analogy: go into their territory, run into problems and then it is their fault; they shouldn’t have been where I wanted to be! Indeed.

Source IP Masquerading by Destination Port


2015/01/11:
Fixed previous mixup on ports (that I noted but did not fix). I also cleaned up some less-relevant (if not outright irrelevant) stuff and tried to make some things a bit clearer. In addition, while I haven’t yet, I’m considering going through all my how-tos here and move them (or add them to) http://docs.xexyl.net (which has more documents I’ve not made notice to here). This would be among them. If I do this I’d likely try to clean this up even more and make it more clear. For now, however, there should be fewer inconsistencies and errors.


(Another name might be: Source IP selection based on destination port or service)

Problem: you have a static IP (singular or block) and you also have a dynamic IP. For some hosts (i.e. server) you want static IP always, for other hosts (e.g. workstation or desktop) you might have a static IP and a dynamic IP. As for the latter, it might be – since you have a static IP block – that you have a fully-qualified domain name (FQDN). You might also have a PTR record (reverse the address and add an .in-addr.arpa = 127.0.0.1 (localhost) becomes 1.0.0.127.in-addr.arpa) so that if you claim you are host.example.com then the host you are claiming this to, can verify it by confirming that your IP does indeed resolve to host.example.com and not something else (if anything). This is most common with sending email. What to do when you sometimes want to use a dynamic IP (e.g. for web browsing) but certain services should really use a static IP ?

There’s two approaches, depending on what you need. You can use ip routes (and rules) so that depending on source (and/or destination) IP it should use one IP whereas otherwise it’ll use a  different IP. This is how I had my desktop configured because the hosts I ssh in to do ingress filtering by IP blocks (so I have to use my static IP – they’re declared static for a reason and it is the most reliable IP to allow). But something I did not like made me think of (spur of the moment solution came to mind) a way to not have to add many IPs (to the static routing table) simply to solve this problem. The issue is that if I am sending mail to a host that doesn’t resolve to my IP block (which would then know I am indeed who I claim to be), if I’m connecting via my dynamic IP block, I obviously do not have a PTR record. So the fact I claim to be a certain host that the PTR record does not match means any number of things (and this is another subject entirely). But then, surely I don’t want to maintain a list of IPs that should use one route (therefore one source IP) and otherwise use the default (dynamic) IP. So what can you do? Well if you know that certain services are going to prefer (if not require) you to be who you claim, then you can use iptables to masquerade your connection to be from the static IP.

Yes, this involves NAT and specifically source NAT. (And yes, I generally hate NAT but there are uses for it. This is definitely one of them.) Now there are two targets that do this. The usual way (‘usual’ might be ‘more common’) is the iptables target MASQUERADE (yes, all caps indeed). As the man page notes, that one is meant for interfaces with a dynamically assigned IP: it takes no --to-source option and always uses the primary address of the outgoing interface, so it cannot pick the static address when both addresses live on the same interface. Choosing between those two addresses is exactly the point here, so I’m going to use the SNAT target, which lets you name the source address explicitly.

If I send mail through port 465 or 587 (SMTP proper is 25 and mail servers do use it, but if you submit mail with authentication you use one of the former ports, and those are what matter here; you can do this for multiple ports and for completely different services), then the following rules will rewrite any packet sent to port 465 or 587 on any host that matches the rule so that the source IP is the one you specify. A note: originally I included what I have in my set up: only match if the source IP is not in the 10.0.0.0/8 block. I’m removing this, however, because I feel it makes it harder to understand, so I am including only the bare minimum. The IP below, 192.168.1.66, stands in for YOUR static IP (or whichever address you want to send and receive packets from).


# iptables -t nat -I POSTROUTING -p tcp --dport 465 -j SNAT --to-source 192.168.1.66
# iptables -t nat -I POSTROUTING -p tcp --dport 587 -j SNAT --to-source 192.168.1.66
# echo "Additional rules can be added for other ports"


# is the prompt in this case so don’t type it (I have to state this because, firstly, if you were to copy it to the shell it would be a comment and therefore not run, and second, you should always be careful at the command line and especially when root). So to break down the rules (I will only explain the first; the second is the same except that we care about a different port): the -t option specifies which table to add the rule to (in this case nat). We insert this rule at the front of the POSTROUTING chain (-I POSTROUTING; -A would append it at the end instead, which matters if some earlier nat rule could match the same packets), specifying that the protocol must be tcp (-p tcp, lowercase here) and that the destination port is 465 (--dport 465). If the packet matches this criteria, then we jump to the target SNAT (-j SNAT), passing the option --to-source with the IP we want to masquerade as: 192.168.1.66 is the address you want the related packets sent from. Connection tracking does the rest: the replies to a translated connection are rewritten back automatically, so nothing is needed for the inbound direction, but this only works if 192.168.1.66 is actually configured on this host, since an address that is routed somewhere else would deliver the replies there. Note also that the nat table is consulted only for the first packet of a connection, so connections that were already open when you added the rule keep the source address they started with. The basic form, then, is that what follows --to-source is YOUR IP, the one you want to send and receive packets FROM when communicating TO PORT 465. So in my live setup, the IP after --to-source would be my static IP and the rest would be the same. This way, whenever I send to port 465 on any host, I use my static IP; when I send to a different port (not specified in any other rule or manipulated elsewhere), I use my dynamic IP. You can add additional rules, change the ports, specify a port range in one rule (--dport 465:587, or a list with -m multiport --dports 465,587) and adapt the rules as you see fit; if the host has more than one interface, adding -o with the outgoing interface keeps the rule from touching traffic that leaves by another path. The idea, however, is hopefully clear. I did try rearranging this several times and I think it is mostly understandable now but if not I’ll hopefully be able to explain it better in the future.

In any case, the above is a much cleaner way to deal with both problems at once: specific services (so ports) regardless of the destination IP, of which there could be many, including some for which you only have host names (using host names in firewall rules is definitely not to be suggested, since iptables resolves them once when the rule is loaded, so you would be better off resolving them to IPs, but it is still possible). Compare this to keeping a list of all IPs (and keeping it updated) so that certain services work properly (there are multiple definitions of ‘work properly’, two of which I described in this write-up). Anything else will be fine per your configuration. I should lastly point out that this obviously won’t be of help if you have IPv6 enabled and default to using it (over IPv4): I specifically force Thunderbird and Firefox to use IPv4 so this works for me (there are other ways around this, too, but they are out of the scope of this article). At my end this is important because I don’t have authority over my IPv6 block (and the rules would be different with ip6tables).
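Putting the above into a script, as an added example that is not code from the original post: it goes a little beyond the two one-port rules by checking first that the address you intend to SNAT to is actually configured on the outgoing interface (otherwise the replies to those connections never arrive at this host), by using one multiport rule restricted to that interface, and by inserting the rule only if iptables -C says it is not already there. The interface eth0, the address 192.168.1.66 and the ports are assumptions, the sample ‘ip addr’ output is constructed, and the live firewall is only touched when SNAT_APPLY=1 is set.

```sh
#!/bin/sh
# Added example, not code from the original post. Assumptions: the static address
# is already configured (e.g. as a secondary address) on the same interface as the
# dynamic one, and iptables supports -C (any version from the last decade does).
set -eu

IFACE=${IFACE:-eth0}                 # outgoing interface (assumed)
STATIC_IP=${STATIC_IP:-192.168.1.66} # placeholder static address, as in the post
PORTS=${PORTS:-465,587}              # destination ports that must leave from STATIC_IP
IPTABLES=${IPTABLES:-iptables}       # point this at a stub to dry-run

# Does the output of `ip -4 -o addr show dev IFACE` ($1) list address $2?
# The output is passed in rather than read here so the check can be tested offline.
addr_on_iface() {
    printf '%s\n' "$1" | awk -v a="$2" '
        $3 == "inet" { split($4, cidr, "/"); if (cidr[1] == a) found = 1 }
        END { exit found ? 0 : 1 }'
}

# The rule specification that follows the chain name: one multiport rule instead of
# one rule per port, restricted to the outgoing interface.
snat_rule_spec() {
    printf '%s' "-o $1 -p tcp -m multiport --dports $2 -j SNAT --to-source $3"
}

# Insert the rule at the head of nat/POSTROUTING unless -C says it is already there,
# so running the script twice does not stack duplicates.
ensure_snat_rule() {
    spec=$(snat_rule_spec "$IFACE" "$PORTS" "$STATIC_IP")
    # $spec is intentionally unquoted: it must split into separate arguments.
    if "$IPTABLES" -t nat -C POSTROUTING $spec 2>/dev/null; then
        echo "rule already present: $spec"
    else
        "$IPTABLES" -t nat -I POSTROUTING $spec
    fi
}

main() {
    # Refuse to SNAT to an address this host does not own: conntrack would rewrite
    # the replies for it, but they would never arrive here to be rewritten.
    if ! addr_on_iface "$(ip -4 -o addr show dev "$IFACE")" "$STATIC_IP"; then
        echo "$STATIC_IP is not configured on $IFACE; refusing to add SNAT rule" >&2
        return 1
    fi
    ensure_snat_rule
}

# Only touch the live firewall when explicitly asked: SNAT_APPLY=1 sh snat_by_port.sh
if [ "${SNAT_APPLY:-0}" = 1 ]; then
    main
fi
```

After applying it, confirm the effect from the outside rather than trusting the rule listing: connect to port 465 or 587 on a host you control and check which source address its logs (or tcpdump) show, then do the same for port 80 and verify the dynamic address is still used there.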

The Consequences of the Sony Attack

While this should maybe be under security, I want to highlight some other things, too. It is rather interesting to me, but so many people, every year around this time, talk about resolutions. While I’m going to get to the issue the title refers to, I actually think security (and therefore that issue) is a perfect thing to discuss with resolutions. Indeed, I find this interesting yet also something of a farce. I call New Year’s resolutions what they are: nonsense.

Why on Earth do people think that a certain time is any better than another, to be better about (or accomplish, or… ) something? Is that not absurd? If the idea is to improve yourself, why not always do so? If you can only improve yourself when you’re ‘supposed’ to, you’re not actually improving yourself: you’re actually sealing your fate in a vicious cycle of only doing something (that supposedly is better for you) for a short time in the year and then waiting until next year. What is so special about this time of year, and why does it happen every year? The answer to the rhetorical question is, of course: because (they) only last a few weeks before giving up which really means they only pretend to care – you want to improve or you don’t, it is that simple. The only other part of it is that some people believe they want to change in some way but they actually don’t want to (which conveniently fits in ‘or you don’t’) – they try to convince themselves of it but they don’t really want to. I’m a perfect example, actually, but not in the sense of New Year’s and not actually bettering myself (but it indeed is cyclical). I often try to tell myself I need to be more social (I am incredibly asocial – I’m essentially a hermit that has Internet access and will go to doctors but aside from that I tend to shy away from gatherings). But it doesn’t last and I then come to the conclusion (in a repeated cycle like I described New Year’s resolutions) that no, I was only thinking I wanted to change this. In reality I was lying to myself (something I admit I do probably far more often than I’d like to – wait for it – believe) about it.

Where does this go with security then? Correct: you should always be improving your standards (just like everything else, if you truly do want to improve) and this goes for security in normal cases but it goes double (if not triple or quadruple or…) after an attack. It is most interesting that those into security (I’m not even going to include myself here simply because I don’t – as I suggested moments ago – generally like to be included in a group) are calling the claim that North Korea is solely responsible nonsense. Yet at the same time, those who should be paying attention to them are just pointing the finger (perhaps figuratively and literally pointing the finger!). I find it rather sad that even despite two groups admitting their role in the attack, the authorities then decide to re-frame it to… North Korea decided to contract the work out. Why not admit to a lost cause? Not only is it impossible to verify (let’s also remember justice is a farce (and unfair first impressions do not help here) and people actually admit to committing crimes they were wrongly accused of (and then they are serving time for a crime they didn’t commit and in fact someone else is free – justice indeed)), it isn’t as if no other country would do similar. That includes the United States of America. So what does this equate to? Instead of trying to figure out what can be learned from the attack, it is playing the game of victim only – a victim of the same thing in the past (and in the past…) and not changing because of it. While I don’t know what Sony’s point of view is now, what I do know is there was a leaked email from Sony and if I recall, it was from the CEO himself. And what was included but the idea that there was nothing they could have done (and the so-called security experts they called in (as if security is only once in a while!) made the claim to Sony!), it was unprecedented and nothing like it has been seen before (if I had a dollar for every time I’ve heard/read/been told/etc. that, I would be filthy rich…). They’re wrong though. This isn’t the first time Sony has been subjected to serious attacks. I doubt it’ll be the last. The last one was not the first, either, as I recall.

The fact is: attacks happen and more attempts happen. Sony is not the only victim. I see a lot of attempts on my (low profile) server. They’re a huge, international company. Of course they’re going to see attacks. Make the best of old news or repeat history (we already know where much of society fits in this selection). It is expected and here is the brutal truth, folks, and this is something Sony (and others) would do well to understand (because the mentality that there was nothing that could be done is actually exactly what I’m going to describe): if you want a sure fire way to get breached, all you need to do is not care about it, tell yourself there is nothing that can be done and just accept the future. In short, do nothing but admit defeat, even before it happened. Ironically, by doing this you’ve actually already lost (yet if you don’t go this route you haven’t lost). Indeed this is a self-fulfilling prophecy: if you so wish to meet this fate, by all means, don’t learn from it. If that makes you feel better then  who is anyone to judge you over it? Certainly I won’t. But I also won’t feel sympathy (for those who won’t change – the fact others are affected is another issue entirely).

As for the United States, I find this rather amusing. I know I’ve explained this before, that I think (because it is the case) the idea of freedom of expression is often taken too far (“kids will be kids – yes, kids will be kids until, that is, they get revenge on bullies, and then how dare them, how dare their parents for not teaching them right from wrong… “). But then since many in the United States are champions of this idea, that freedom of expression (the problem is taking it to the extreme – the problem is not the idea itself: all good comes with bad and all bad comes with good (the two are subtle but it is different: it means even bad people have some good even if it is hard to see for most people)) is ever important, I have to ask: why can’t other countries, other people, also express things that they find important to them (no matter what it is)? I’m not suggesting anyone who sees this is not following this, but nevertheless, some do. So to elaborate on the rhetorical question: if someone (or some country, or…) attacks someone, regardless of the legalities, regardless of the ethics, morals, whatever else (that comes to the mind of the ones judging), they are technically expressing themselves. To express something is to convey a thought or feeling through words, gestures or conduct. If they were responsible for the attack, and for the reasons given, then they are by definition expressing themselves! Call it a paradox if you want (but being a paradox does not mean it isn’t valid, remember that) but the reality is the anger they had (and how they display it) is expressing; you might not like how they do it or in what way but they could say the same about you, couldn’t they? It is a healthy thing to believe strongly in something. I feel strongly about some things (but arguably less than I should). But I would like to believe that those who do feel strongly about something do not let it cloud their judgement and that they don’t let it apply to only them (or someone/something they agree with (I already gave an example of this)). Yes, I’m pointing the meaning of expression out because it is true and something that really should be considered. I do look at things from a lot of angles and if you will excuse me, I feel strongly that it is a good thing to do (and yes, I am conveniently expressing myself on the whole issue (see how I did that?)).