Hashemian Blog
Web, Finance, Technology, Running

What The Linux Ghost Bug Teaches

by @ 6:07 pm
Filed under: computers,hacking — Tags:

A couple of weeks ago it was revealed that a known Linux bug, Ghost (short-ish for the gethostbyname() function in the older glibc library versions) is riskier than previously thought. So the internet became abuzz with warnings to those who might not have updated their Linux distros.

I have several versions of Fedora running on various machines and updating them was simply not an option. Unfortunately they are also too old and patches are no longer available. But here comes the beauty of Linux, the open source code model. Combine that with a virtual server like Hyper-V and you have all the tools you need to create the patch yourself.

This is what I did to create patches for one of my platforms:

  • Created a guest virtual machine on the virtual server.
  • Downloaded the needed version of Fedora from this archive.
  • Installed the OS on the guest machine.
  • Downloaded the appropriate source code version of glibc. rpmfind.net is a good place to find many source code packages.
  • After installing all tools and libraries necessary to compile and build glibc, I used this StackExchange post as a guide to patch the C files based on the documented modifications and built the rpm package.
  • After installing and testing the newly built glibc library on the guest machine, I copied the rpm files to the production machine and installed them.
  • After a reboot, the bug was patched.

C code

Now many would object to running an older and unsupported version of Linux in production, but I am not so sure that jumping to every new version as soon as it is released contributes to additional safety. Staying with older versions does make the job of patching these sorts of bugs more cumbersome, but there's something to be said for the educational value of patching these bugs at a more basic level than just running the yum or apt-get commands. I, for one, learned quite a bit from this exercise.

 

PHP - echo'ing String Fragments Using Periods Vs. Commas

by @ 10:18 pm
Filed under: computers — Tags:

One of the mysteries of PHP's echo function is the supposed equal treatment of multiple strings separated by periods (.) vs. those separated by commas (,). Actually echo is a language construct, but I digress. In both cases echo appears to concatenate the string fragments and output the resulting string.

In actuality, the period is the real concatenation operator in PHP. The comma on the other hand signifies echo's ability to accept variable-length arguments. Judging by Google search, most people just accept the fact that they can use either periods or commas with the echo function to get the job done.

But there's a subtle difference that's mostly overlooked because it rarely mucks up the results. Take a look at the two code lines below. You might expect to see 12 for both cases, but that is not so.

php echo

The reason is that with periods, some or all expressions are evaluated first and the results are concatenated. Then echo outputs the result after all fragments are concatenated. With commas echo walks the argument list, evaluating expressions and spitting out the results as it goes along.

Klaatu-Barada-Nikto, The Original Ctrl-Alt-Del

by @ 2:58 pm
Filed under: computers,microsoft,space

I was watching the classic 1951 movie, The Day the Earth Stood Still, and found it amusing that the command Klaatu-Barada-Nikto, given to the robot Gort by actress Patricia Neal, almost had the same effect as Ctrl-Alt-Del has on many computers today.

In that scene, the robot was on the verge of rampaging and destroying Earth when the actress was able to reset it by giving it the voice command, Klaatu-Barada-Nikto.

I wonder if the Microsoft guys had seen that movie when they came up with the Ctrl-Alt-Del keyboard combination to reboot a computer.

Strangely, I had never heard of this movie nor the voice command which seems to have a high degree of cult fame, nor the actress Patricia Neal whom I found to be particularly beautiful.

 

Linux Shellshock Bash Bug Workaround

by @ 12:55 pm
Filed under: computers,hacking,internet — Tags: , ,

The warnings about the shellshock bash bug are ominous and not unfounded. This is perhaps a greater risk than Heartbleed. Here are the gory details of this bug.

To test your system for this bug run the following command from the shell:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see the word 'vulnerable' anywhere in the output, like below, you have the bug.

shellshock bash bug

Because bash is such a fundamental part of Linux/Unix, so prevalent and used in so many ways, it wouldn't be that difficult for malicious hackers to use this bug to penetrate a machine and do all kinds of bad things, including completely taking over the machine. Web sites would be the most obvious target of such attacks.

Now how to fix this. New bash versions with the bug patched have become available so users can update bash and be done. But this is not as easy to do for everyone. Some people may have older, obsolete versions of Linux, so they may not find the new patched bash version. They would need to get the source code and the patches, and then build and install it themselves. Yes, I know everyone should be on the latest version of everything, and I am guilty as charged, but let's dispense with the tarring and feathering for now.

Redhat however, in its haste and panic, had released a workaround on this page with a small block of C code that, once installed, would disable function definitions and therefore mitigate this risk. They called it dangerous because one must assume this workaround would disable a legitimate feature of bash and possibly cause system failure if it were being used. Unfortunately a while later this workaround vanished (Update: actually here is the Redhat page for LD_PRELOAD mitigation. I don't know, maybe the page never vanished at all. Just use the steps on that page then), but not before I had availed myself of it. For me, the ease and speed of its deployment made it worthy of a try. And here are the steps.

1- Put the following C code in a new file, bash_ld_preload.c.

#include <sys/types.h>
#include <stdlib.h>
#include <string.h>

/* Runs automatically when this shared object is loaded through
   LD_PRELOAD, before the program's own main() starts. */
static void __attribute__ ((constructor)) strip_env(void);
extern char **environ;

static void strip_env(void) {
  char *c;
  int i;

  /* Walk the process environment. Any entry containing "=() {" is the
     marker bash uses for an exported function, so cut the value off
     right after the "(": NAME=() { ... }  becomes  NAME=( */
  for (i = 0; environ[i] != NULL; i++) {
    c = strstr(environ[i], "=() {");
    if (c != NULL) {
      *(c+2) = '\0';
    }
  }
}

2- Compile bash_ld_preload.c to get bash_ld_preload.so using the following command.

$ gcc bash_ld_preload.c -fPIC -shared -Wl,-soname,bash_ld_preload.so.1 -o bash_ld_preload.so

3- Copy bash_ld_preload.so to the /lib/ directory like so:

$ cp bash_ld_preload.so /lib/

4- Add the following to the file /etc/ld.so.preload on a line by itself:

/lib/bash_ld_preload.so

5- Restart all relevant services or just reboot the system to be sure.

 

There you have it. I deployed this on several machines that run various applications. It killed the bug and there were no adverse effects. That means that those machines were not using the function definition feature of bash. Of course at some point we may write code or install applications that need to use this feature and if we have forgotten about this workaround, there will be a lot of head-scratching.

So, use the above workaround at your own risk. It will probably work for you, but the best approach as always is to update your platform and of course your version of bash.
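To see exactly what the workaround does to the environment, and why machines that export bash functions would notice it, here is an added example (my own code, not the post's or Red Hat's) that applies the same "=() {" truncation to a constructed environment array instead of the real environ. The sample entries and the names strip_func_defs, run_demo and sample_env are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Truncate every entry containing "=() {" to end right after the "(".
 * Same logic as the LD_PRELOAD workaround, but on a caller-supplied array.
 * Returns the number of entries modified. Note that strstr() matches the
 * marker anywhere in the string, not only directly after the variable
 * name, so a value that merely contains the text is cut as well. */
size_t strip_func_defs(char **envp) {
    size_t stripped = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        char *c = strstr(envp[i], "=() {");
        if (c != NULL) {
            c[2] = '\0';   /* "x=() { :;}; echo vulnerable" -> "x=(" */
            stripped++;
        }
    }
    return stripped;
}

/* Constructed sample environment (writable arrays, not string literals):
 * an ordinary variable, the classic test payload, a legitimate exported
 * function, and a value that only contains the marker later on. */
static char e0[] = "PATH=/usr/bin";
static char e1[] = "x=() { :;}; echo vulnerable";
static char e2[] = "myfunc=() { echo hi; }";
static char e3[] = "NOTE=text containing =() { later";
static char *sample_env[] = { e0, e1, e2, e3, NULL };

/* Apply the stripping to the sample; returns how many entries changed. */
size_t run_demo(void) {
    return strip_func_defs(sample_env);
}

int main(void) {
    size_t n = run_demo();
    printf("%zu entries stripped\n", n);
    for (size_t i = 0; sample_env[i] != NULL; i++)
        printf("  %s\n", sample_env[i]);
    return 0;
}
```

The legitimate myfunc export is lost along with the payload, which is the side effect the post warns about.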

Apple Hitting Lows

by @ 12:36 pm
Filed under: business,computers,technology — Tags:

Apple shares hit a 52-week low today, nearing $400/share, even below some of the price points from when Steve Jobs was alive. The news surrounding Apple isn't very rosy. iPhone continues to lose market share to Google's Android, iTunes is losing market share to Amazon, and the PC/laptop markets are shrinking in general, dragging Apple down along the way. Analysts aren't predicting a good quarterly report next week.

Now I admit to not being an Apple fan but the one force that was keeping the company firing on all cylinders was Steve Jobs and that is undeniable. When he was there the first time, the company was doing exceptionally well, when he was forced out Apple became a dud, then he returned and Apple came roaring back.

Now Jobs is gone once again and Apple continues on the momentum that he brought with him but that momentum is naturally wearing off. Jobs was a genius and a visionary and it is because of him that Apple has continued to do well much longer than I had anticipated. But eventually the vacuum of vision and innovation must show its effects.

I do wish the company well, but companies don't thrive on well wishes. Jobs was the secret sauce behind the resurgence of Apple and without him the inevitable must now happen. Apple will no doubt survive, but thriving doesn't seem to be in the cards.

Man outsources coding to China

by @ 5:16 pm
Filed under: business,computers — Tags: , ,

Love this story. Software developers are certainly infamous for being lazy. Most of us are, and that drives us to write code to automate things or write utilities to give to others to perform certain tasks. It's all about finding clever ways to make things easier for us and our employers.

But one guy took it one step further and secretly outsourced his coding responsibilities to a Chinese firm paying them a fraction of his salary and spending his own days having fun. His employer was oblivious to this for years until they ran an audit and discovered the scheme.

The blog post below is really about this coder's exploits and a cautionary tale for others to keep tabs on their networks. Still a part of me wants to high-five him for his cleverness right up to the point he was caught.

Verizon Business Security Blog » Blog Archive » Case Study: Pro-active Log Review Might Be A Good Idea.

Year 2038 problem

by @ 9:11 pm
Filed under: computers — Tags: , ,

25 years from now we could be dealing with an issue similar to the Y2K issue: the year 2038 problem.

This problem was brought to my attention by user 'Ken' commenting on the countdown tool page on this site. Basically *nix systems keep time in a 32-bit integer format counting seconds since Jan. 1, 1970. On Jan. 19, 2038 the 32-bit integer will overflow, resetting to 0, and many systems may interpret that as year 1901.

Certainly a vexing issue, but one with some time remaining to resolve. Even better, some of us will either be retired or simply no longer around to worry about it at all.

A number of fixes and workarounds have been proposed, chief among them using a 64-bit integer to keep time. That will do quite nicely and we won't have to worry about the rollover issue for some 292 billion years 🙂
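As an added example (not from the post), the C below puts numbers on the rollover: the last second a signed 32-bit time_t can hold is 2147483647 (2038-01-19 03:14:07 UTC), and the next second wraps to the most negative 32-bit value, which gmtime renders as December 1901, which is where the 1901 date comes from. The function names wrap32, year_of and years_in_int64 are mine.

```c
#define _POSIX_C_SOURCE 200809L   /* for gmtime_r */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Simulate storing a wide epoch value in a signed 32-bit time_t.
 * The cast through uint32_t makes the wrap-around well defined. */
int32_t wrap32(int64_t secs) {
    return (int32_t)(uint32_t)secs;
}

/* Calendar year (UTC) of an epoch value, or -1 if gmtime_r fails.
 * Assumes the platform's time_t is wide enough to hold secs. */
int year_of(int64_t secs) {
    time_t t = (time_t)secs;
    struct tm tm;
    if (gmtime_r(&t, &tm) == NULL)
        return -1;
    return tm.tm_year + 1900;
}

/* Approximate span of a signed 64-bit seconds counter, in years. */
double years_in_int64(void) {
    return (double)INT64_MAX / (365.25 * 86400.0);
}

int main(void) {
    int64_t last = INT32_MAX;   /* 2038-01-19 03:14:07 UTC */
    printf("last 32-bit second:        year %d\n", year_of(last));
    printf("one second later (64-bit): year %d\n", year_of(last + 1));
    printf("one second later (32-bit): year %d\n", year_of(wrap32(last + 1)));
    printf("a 64-bit counter lasts ~%.0f billion years\n",
           years_in_int64() / 1e9);
    return 0;
}
```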

Disabling SELinux

by @ 6:16 pm
Filed under: computers,hacking — Tags: ,

I know it's sacrilegious for some to disable a security feature on a platform, but SELinux (an enhanced Linux security feature) has left me no choice but to do exactly that on Linux.

SELinux was added to Linux to give it additional security measures beyond what it inherited from Unix. By default many of the Linux distros such as Fedora have SELinux built into their kernels and enabled upon install.

The issue is that SELinux can be so restricting and obsessive about curbing malicious activity that it can also hinder normal operations, leading to server stress or errors. Having been bitten by SELinux multiple times, I have vowed to deactivate it every time I install Linux on a host. The one time I forgot to disable it, the Varnish server I had set up for my company nearly died, taking the company's web site along for the ride. Looking inside the messages file, this arcane message is what I saw in prodigious numbers:

setroubleshoot: SELinux is preventing irqbalance from mmap_zero access on the memprotect Unknown. For complete SELinux messages. run sealert -l efce…

I know the security sticklers would accuse me of not setting up SELinux correctly, and for the record SELinux is very configurable. But my favorite setting for SELinux is disabling it in the /etc/selinux/config file by setting SELINUX=disabled.

I don't have the time nor the inclination to learn SELinux's every minutia, which may or may not protect my hosts completely anyway. The old-fashioned file permissions, file ownership, suexec, sudo, suid, running daemons with least privilege, and a good dose of firewalling are good enough for me. Feel free to disagree.

Apple Discrimination

by @ 5:14 pm
Filed under: computers,politics — Tags: , , ,

A few weeks ago my children dragged me, kicking and screaming, into the local mall's Apple store, where I bought them each a Macbook, a cheap Linux knock-off in a shiny skin.

I am a devout Apple-hater and have been so since 1988 when I had to write a LISP program on a Macintosh desktop. Nothing this company does or produces has ever looked remotely exciting or interesting to me and let's not even get started with the ridiculous prices. I personally own nothing from this company and am proud of that fact.

I could have bought my children very nice Windows laptops at a third of the price, but that wasn't an option. Apple seems to have plenty of people under its spell. They can sell them street garbage stamped with the bitten-apple image like it's some magical product from Venus.

Since Apple has the policy of not selling to Iranian-Americans, I just wonder where the Apple police was on the day I wasted my hard-earned money on their junk.

Apple sucks. Always has, and probably always will.

Fedora 16 Pain and Confusion

by @ 10:56 am
Filed under: computers — Tags: ,

When I recently installed Fedora 16 on an experimental server at work, it felt like dealing with a whole new platform. Prior to version 16, my last install was version 14 and things seemed to have been in their familiar places. With 16 I was suddenly dumbfounded, like starting to learn Linux anew. I am not even referring to the GUI here, not a big fan. Windows is fine with me there.

For starters, there's the new Grub2 boot loader to learn. Then there's NetworkManager which tries to sniff out and configure everything when I was just happy with the plain old network startup. Related to that is what’s known as Consistent Network Device Naming. My ethernet adapter was suddenly labeled p1p7 instead of the familiar eth-0.

But the worst offender of all is the startup hell known as systemd. In the not too distant past the daemons and other startup processes were housed under /etc/init.d/ and then configured via chkconfig. Those were the good days of SysV. No more; now we have the purported super-polished, parallelized, speedy and advanced systemd, managed via the systemctl command, with random symbolic linking here and there and strange file extensions. Even worse, old commands like chkconfig are hacked to call the newfangled systemd functions. I'm still trying to figure out the systemd craziness.

I know some of these changes started with previous versions and these changes were supposedly introduced to take advantage of new architectures and simplify, streamline, and accelerate operations, but that doesn't alleviate the shock and confusion of finding oneself in an unfamiliar terrain so unexpectedly.

Maybe I'm too old and set in my ways. And perhaps I should understand that Fedora is free and experimental and radical changes are par for the course. But there's a lesson Linux can learn from its nemesis, Windows. Microsoft hasn't scrapped Service Control Manager or Device Manager with every successive release of Windows. They improved them and added more features but the core functions remained the same and that goes a long way to allay users' and admins' fears of upgrading to new versions.

© 2001-2017 Robert Hashemian   Powered by Hashemian.com