root labs rdist

March 6, 2008

AT&T vs. PG&E on call monitoring

Filed under: Misc — Nate Lawson @ 12:21 pm

I’m moving, so I won’t be posting for a little while. I thought my experience with two of my utilities was quite telling.

AT&T recording: “Your call may be monitored or recorded. Tell your rep if you don’t want this.”
Me: “Hi, I don’t want to be monitored or recorded.”
AT&T: “Sorry, we can’t disable that on a per-call basis. All calls are automatically recorded. I can take your number and have someone give you a call back later today.”

Compare this to…

PG&E recording: “Your call may be monitored or recorded. Press 1 now if you don’t want this.”

It’s probably more a result of bureaucracy and poor systems than anything else, but it does make you wonder. By the way, AT&T managed to move my phone line perfectly but somehow screwed up the DSL portion of the order, which will now take 5 more days. Ugh.

[Epilogue: the complaint to AT&T customer service must have worked to escalate the DSL move. It was completed later the same night, only one day late.]

February 11, 2008

2008 security predictions

Filed under: Misc, Security — Nate Lawson @ 6:15 pm

Even though it’s a bit late, Thomas Ptacek and I wrote up our predictions for 2008 over on Matasano’s blog. If you’re wondering how we did for 2007, you can find out here. Were we more conservative or crazy this time?

February 7, 2008

Panasonic CF-Y4 laptop disassembly

Filed under: Hardware, Misc — Nate Lawson @ 6:00 am

I’m a big fan of the lightweight Panasonic ultraportable laptops. The R-series is small but still usable. The Y-series offers a full 1400×1050 screen, built-in DVD-RW drive, and long battery life in a 3 pound package. As a FreeBSD developer, I also find the BIOS in the Panasonic and Lenovo/IBM laptops are mostly compliant, meaning suspend/resume and power management work fine.

Recently, I upgraded the hard drive on my CF-Y4. I found that these disassembly instructions (another good source) for the CF-Y2 are mostly accurate. However, there are a few caveats I wanted to note for others with the R/W/T/Y series laptops.

First, all the notes about 3.3 volt logic versus 5 volt logic for the hard drive no longer apply. The Toshiba hard drive that came in my Y4 uses 5 volt logic, along with 5 volt motor supply. In fact, the pins are tied together internally. It was straightforward to swap in a WD 250 GB drive with no clipping of pins necessary. This may apply to the newer R-series as well, though I haven’t verified it. If in doubt, use an ohmmeter to verify there is no resistance between pins 41 and 42 on the stock hard drive.

Next, heed the warnings about stripping the top two large hinge screws. They screw directly into plastic, while the other two hinge screws have a steel sleeve. Use a good jeweler’s screwdriver for the small screws. You don’t need to remove the two screws that hold the VGA connector to the case.

When removing the keyboard, pry smoothly in multiple places but don’t be afraid to put a little effort into it. The glue used to hold it down is surprisingly strong. Be sure you removed all the small screws from the bottom, of course, otherwise it won’t pop out.

Be sure to clean the CPU’s heat sink connection carefully and use some good thermal paste when reassembling. These laptops have no fan (awesome!), but that means it’s critical to make a good connection between the CPU and the keyboard heat sink area. Also, don’t forget the GPU, which sinks heat through the bottom of the motherboard. I cut a small piece of plastic to use as a spreader to eliminate any bubbles. I also put a thin amount of paste along other parts of the internal skeleton where it touches the keyboard. Once you reassemble the case, monitor the system temperature for a while to be sure you didn’t make a mistake. I found my temperature actually dropped compared to the factory thermal paste.

January 14, 2008

Ptacek vs. Lawson: 2007 predictions revisited

Filed under: Misc, Security — Nate Lawson @ 8:57 pm

You’ve just finished opening your seventh corporate calendar gift. You’re ten pounds heavier. What better way to celebrate 2008 than revisiting our predictions from last year?

Nate: Predicted! 99% of spam comes via image attachments

[N] Wrong. I do get lots of image spam and PDF attachment spam was new in 2007, but the lack of “clickability” limits the usefulness of this type. This year, I resolve not to make predictions about spam.
[T] I got more spam from Ron Paul supporters this year than I did from image attachments. I may be 6 months behind the times in calling this an ‘07 result, but the bigger news in antispam seems to be the failure of Bayesian antispam filters. Remember when Bruce Schneier wrote that article calling antispam software one of the industry’s success stories? I’d regret that column today if I had written it. And, not that I think this blinding flash of inspiration makes me Kreskin or anything, but the other trend? Email is no longer the frontier of spam; online communities like Facebook are.
[N] Akismet is still a success story.

Thomas: Predicted! A New Mainstream Bug-Class

[N] Right, although a lot of the C++ stuff was already started last year.
[T] I’m giving myself a clean win here: 2007 was the year that C++ fell, in the mainstream, thanks largely to Mark Dowd and John McDonald. The bug class everyone seems to remember here is the delete/delete[] thing: because of C++’s asinine inability to distinguish an array from other complex objects (including vectors), you can lose a program to using the wrong delete operator. But the “rest” of the problems here are far worse. For instance, pretty much nobody has ever written a C++ program without an STL iterator bug. And Alexandrescu-style “modern” C++, which replaces pointers with smart pointer templates, creates memory lifecycle vulnerabilities every time data passes an API boundary. A huge chunk of our infrastructure was written in C++ in the mid-late ’90s, and until recently there was a mass delusion that C++ was safer than C. I don’t want to get into predictions for ‘08, but, I just did.

Nate: Predicted! The “Month of X Bugs” meme fades out, finally

[N] Yay, right.
[T] Thank god. Least said, soonest mended.

Thomas: Predicted! A Year Of Cisco Vulnerabilities

[N] Wrong, no one is paying attention to networks right now. As I said, PC/Windows and shiny devices (iPhone) were what attracted researchers this year.
[T] I can’t claim to have nailed this prediction. But I’m not so sure of your policework there, Nate. Nobody is paying attention to IOS vulnerabilities? That’s not what’s holding back the flood: the finger in the dike right now is the fact that few people can find bugs in IOS. How many skilled vulnerability researchers are there in the whole industry? Oh wait: we figured that out two years ago — a good SWAG guess is 1,000. Of 1,000, how many can do low-level C vulnerabilities? A generous half? Of those 500, how many read assembly fluently? Half again? Of those 250, how many have the time and inclination to reverse undocumented embedded operating systems? If there are 100 people in the world who are currently IOS-qualified researchers, I’m shocked.
[N] You mention that skilled researchers are lacking, but I still maintain that is because they’re all focused elsewhere right now. FX, initiator of Cisco buffer overflows, was talking about bar codes this year.

Nate: Predicted! Apple follows OpenBSD, Linux, and Windows, by adding OS hardening features

[N] Right, Leopard did although their ASLR needs some improvement. Also, they threw in a weird userland firewall implementation that no one expected.
[T] Swing and a miss! I grudgingly concede this prediction to you; they did add, uh, “stuff”. But it’s a huge mixed bag, and if you just look at the places where they followed OpenBSD and Windows, they failed decisively. Whatever the Wikipedia editors might want to say, Leopard ASLR is broken and irrelevant; a shellcode tweak speedbump at best. On the other hand, Apple is blazing a new trail in MAC and program sandboxing; the TrustedBSD extensions they’ve provided to lock programs into OS capabilities appear strong, and could finally give OS X a real security advantage over Win32, if Apple handles them well.
[N] You conveniently overlook the fact that I didn’t claim OSX would be more secure than Vista after the changes, only that they would add similar features. The MAC layer is already present in Darwin, just not enabled by default. It will also be interesting to see if they can do it [Allow?] in a less annoying [Allow?] way than Windows [Allow?].
[T] It’s interesting that the most effective Windows security solutions are the behind-the-scenes runtime improvements, and the most effective Apple security solutions are design-level changes. Oh, wait, no, that isn’t interesting.

Thomas: Predicted! Bruce Schneier Will Not Score A New York Times Op-Ed

[N] I’m wrong also. Schneier did not make the move to tamper resistance, but attackers did enter crypto in a big way. Xbox hackers used timing attacks against the 360, and the Mifare stream cipher was reversed with hardware techniques.
[T] This prediction was wrong just days after I made it; Schneier got an op-ed on the airport security CLEAR program on January 21. Schneier gets steadily less relevant to hard skills security every year, but I’ll make a 2009 prediction: he’s going to be angling for a role in politics.

Nate: Predicted! Zero-day exploits in client apps like Office outnumber researcher advisories

[N] Wrong. It looks like Microsoft themselves are finding the most bugs, as should any company that cares about security.
[T] Zero day clientsides increased in ‘07, but organically, not exponentially. I call this a miss.

Thomas: Predicted! Drastically Fewer Windows XP/Vista Vulnerabilities

[N] Easy gimme for you. But I was also right in that 3rd-party signing would prove ineffective (example: Joanna’s ioctl flaws found in common signed drivers).
[T] I give myself no credit for predicting this. You only have to make one assumption to figure this out: money buys improved security. Nobody in the industry spends as much as Microsoft on software security. Nobody spends more directly, on third-party software security testing. Nobody spends more internally, on full-time security practitioners, researchers, engineers and trainers. And nobody spends more indirectly, bearing the cost of improved security in every stage of their release cycle. My company probably does less Microsoft work than any other top-tier independent consultancy, but you can call me out for a conflict of interest here. I repeat and amplify this prediction for 2008.

Nate: Predicted! Content producers strike back: broadcast flag legislation passes and allofmp3.com shuts down

[N] Wrong, but Germany did outlaw “hacker tools”.
[T] Here’s what I think: either Macrovision is going to step up and make Blu-Ray’s BD+ scheme a success, and we’re going to have hundreds more crappy DRM schemes, or the critical mass of studios backing off on DRM is going to result in the end of software protection. In a way, it’s too bad: software protection is a fun problem, and one of the few (maybe spam is the only other) where each side of the fight is so evenly matched. I’m watching BD+ in 2008, and I’m not telling you who I’m rooting for.
[N] The big news for 2007 is that the battle for music DRM is over. MP3 (FLAC actually) wins. I’ve refused to buy music online until I can get it in a non-lossy format. It’s too early to predict an outcome for high-def movies, but it seems already obvious that revocation alone is a bad strategy. I’m shying away from making a prediction here due to conflict of interest (I’m a co-designer of BD+) but I will say that in 2008 studios will see the value in a system that requires continual effort by hackers to break each disc versus one that doesn’t.
[T] My siblings don’t share your hatred of DRM; I don’t think Steve has ever asked himself, “what would Nate do?” (people at Matasano do all the time, though).

Thomas: Predicted! TSA Starts Checking Software On Laptops

[N] Wrong, but they did start checking lithium batteries as I hinted.
[T] I retain this prediction for ‘08. If you had asked me last year, “which is more likely: a TSA malware screening of laptops due to a scare about wifi and software radios interfering with avionics, or a blanket ban on a phase of matter”, I would not have predicted the ban on the phase of matter.

[N] In summary, both of us got two right. None of our far-reaching predictions came true.
[T] I was right about the bug class. We’ll be dealing with that one for the next 5 years.
[N] We also did something different in terms of giving counter-predictions in response.
[T] I got four counter-predictions right (anti-spam — though I did not anticipate the Paulbots, Month-of-X-Bugs, Apple, and Office zero-days).
[N] I got two right (no IOS hacks, crypto attacks mainstream).
[T] I’m apparently the better predictor, but only when I’m disagreeing with someone else.
[N] I disagree?
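The C++ bug class discussed under “A New Mainstream Bug-Class” above (mismatched delete/delete[], STL iterator misuse, and ownership getting lost at an API boundary), as an added example that is not part of the original post: each defective idiom is shown in a comment beside the form that removes it, and only the corrected forms are executed, since the defective ones are undefined behaviour.

```cpp
// Added example (not from the original post): the three C++ bug classes
// named in the discussion, each with the defective idiom in a comment
// (never executed; all three are undefined behaviour) beside the fix.
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

// 1. delete vs. delete[]: the type system cannot tell an array from a
//    single object, so `int* p = new int[n]; delete p;` compiles and
//    hands the allocator a block it did not allocate that way.  Owning
//    the array through unique_ptr<T[]> makes delete[] part of the type.
std::size_t sum_buffer(std::size_t n) {
    std::unique_ptr<int[]> buf(new int[n]);    // destructor runs delete[]
    for (std::size_t i = 0; i < n; ++i) buf[i] = static_cast<int>(i);
    std::size_t total = 0;
    for (std::size_t i = 0; i < n; ++i) total += static_cast<std::size_t>(buf[i]);
    return total;                               // buf released here, correctly
}

// 2. STL iterator invalidation: the naive loop
//        for (auto it = v.begin(); it != v.end(); ++it)
//            if (*it % 2 == 0) v.erase(it);    // `it` is dead after erase
//    increments a dangling iterator.  erase() returns the iterator that
//    follows the removed element; using that return value keeps it valid.
std::size_t drop_evens(std::vector<int>& v) {
    std::size_t removed = 0;
    for (auto it = v.begin(); it != v.end(); ) {
        if (*it % 2 == 0) { it = v.erase(it); ++removed; }
        else ++it;
    }
    return removed;
}

// 3. Lifetime across an API boundary: a function that owns a unique_ptr
//    and returns `r.get()` gives the caller a pointer to memory freed on
//    return.  Returning the owning pointer moves the lifetime to the caller.
struct Record { int id; };

std::unique_ptr<Record> make_record(int id) {
    std::unique_ptr<Record> r(new Record{id});  // ownership is explicit
    return r;                                    // moved out, never dangling
}
```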

November 6, 2007

Vintage Computer Festival 2007

Filed under: Hardware, Misc, Security — Nate Lawson @ 9:46 am

This past weekend I attended the Vintage Computer Festival at the Computer History Museum (article). There were numerous highlights at the exhibits. I saw a demo of the Minskytron and Spacewar! on an original PDP-1 by Steve Russell. The Magic-1 was a complete homebrew computer made of discrete 74xx logic chips running Minix. The differential analyzer showed how analog computers worked. I also met Wesley Clark and watched team members type demo code into the LINC, similar to ed on a very small terminal.

One question I asked other attendees was what recent or modern laptop I could get for outdoor use. I am looking for a low-power device with a high-contrast screen for typing notes or coding while camping. Older LCD devices like the eMate met these criteria but a more modern version is preferable. Most recommended the OLPC XO-1, and in monochrome mode, it sounds like what I want. But I think I’ll wait for the second version to be sure the bugs are worked out.

After looking around at attendees, I was concerned for our future. Other than a few dads with their kids, most people were 40+ years old. While I missed out on the golden era of computer diversity (I got my first C64 in 1987), I was always fascinated with how computers were invented. I checked out books from the library and read old copies of Byte magazine found in a dumpster. Once I got on the Internet, I browsed the Lions Unix source code commentary and studied the Rainbow Books to understand supervisor design.

So where was the under-30 crowd? Shouldn’t computer history be of interest to most computer science/electrical engineering students, and especially to security folks? Many auto mechanics enjoy viewing and maintaining old hotrods. Architectural history is important to civil engineers. I appreciate the work bunnie is doing to educate people on semiconductor design, including old chips. Is this having an effect?

If you’re under 30, I’m interested in hearing your response.

August 14, 2007

Next Baysec: Aug 20 at O’Neills

Filed under: Misc — Nate Lawson @ 9:09 pm

Baysec continues its unbroken monthly streak. We’re back at O’Neills again this month. It’s worked out the best of the venues we’ve tried so far. See you on Monday, August 20th, 7-11 pm or so.

O’Neills Irish Pub
747 3rd St (at King), San Francisco
