East Coast Attack and Musical Escape

So there was a DDoS (Distributed Denial of Service) attack today, mostly hitting East Coast sites (Amazon, Facebook, Twitter, etc.) by way of the DNS service they all depend on, and using the I[di]OT, the Internet Of Things (devices like web cameras and such that have poor and static defenses), as the toolz to do the attack. OK, it could be something truly evil, or, more likely since it was very focused on East Coast Money Makers, an attempt at “education by demonstration” to get TPTB to actually listen to “folks like me” when we say things like the Internet Of Things is a Very Bad Idea, or “if it doesn’t NEED to be on line, don’t PUT it on line”, or even just “don’t f-ing use Microsoft and Lenovo, Damn It!”…

Who knows the motivation… yet there it is.

OK, Larry and Phil need a h/t in “Tips” for discussing it. You can read their names just by hitting the tips thread and reading starting here:

https://chiefio.wordpress.com/2016/10/11/tips-october-2016/#comment-73665

So this thread is about that, the attack, and about the general nature of all things tech, and about the culture of those of us who fight the cyber war Every Single Day… I’ve spent way too much of my life in it. The Necessary Paranoia shows in my postings on computer security and in how I am constantly on the move from OS (Operating System) to OS, from device to device, and from browser to browser. A constantly moving target… At least a dozen browsers on at least 4 hardware platforms on at least a half dozen different OS types… Paranoid? “I’m not paranoid, I’m the Systems Admin; they ARE out to get me!!” is the pro forma response…

When you hold “the keys to the city” with full root privilege everywhere, AND know how to break into all sorts of “impossible” things, well, let’s just say it gives you a certain “different perspective” on things, along with a giant target you know is on you at all times.

God I want those contact lenses ;-) (That as someone who is already ‘startlingly blue’…)

Not too surprisingly, as Guy Geeks outnumber Girl Geeks about 4 to 1, I’m in love with that girl… (No Worries, guys fall in love about twice a day… we learn not to act on the impulse… well, most of us do unless we are named Clinton…) She’s a natural brunette I think. There’s nothing quite as hot as a brunette in blond dress, don’t know why, but if you look at iconic “hot blonds” in the media, many are not natural blonds. Go figure… then again, is blue a class of blond?…

For those not Geekly Inclined, many of the phrases in that song relate to Geekly Things. “Rip it” is ripping DVDs and CDs to get free music. Re-write it and burn it is what you do daily. Drag and drop? Do I need to explain? Break it, fix it? A day in the life. Being “up all night” is part of the turf… The “working harder” and “make it better” is the whole gig…

Yes, I’m “way over the top” fond of this video… even though they are musicians and not real geeks… It’s the thought that counts…

The thing being “covered”:

My “old college roomie” is teaching robotics to high school kids in his retirement. I’m preparing for the ‘recovery from the collapse’ as a bit of a retirement hobby. The Political Class and TPTB can’t STAND that they are utterly dependent on systems WE built and control (as we are not fond of them and the abuses they use these systems to force on ordinary people). Thus the incessant “cracking” of their email. Here’s a clue: YOU TPTB despise us and we know it. So “we” arrange for your most necessary communications to be ‘weak’ and ‘accidentally’ ‘hacked’ by ‘that bad guy over there’… And, most importantly: There’s not a DAMN THING YOU CAN DO TO STOP IT.

We are Anonymous and we own you.

Hey, it’s a cultural thing… you are sociopaths with high social need rank and we have near zero social need strength and are altruists.

Why does Socialism fail? Because “people like you” gain ‘power’ and ‘authority’ and people like us ‘arrange for you to fail’… We blow smoke up your skirts and you think it is praise. All the while that shiv in your back that came from nowhere was a complete surprise to every one but ‘folks like us’… so “Ooops I did it again”

We puff you up for our own gain, but then you think we really believe in your “cause” or buy all that BS you spout at us.

Nope.

We just know that if we smile at the right times you buy it.

So, Ms. Hillary, please note that you depend on us, those “geeks” you despise… us of the Deplorable Class… and we know it.

You think us stupid and unaware, and we let you…

but don’t ever confuse sweet words with agreement…

Dear Secret Service and NSA and other TLA’s: The following is solely political speech directed at the general power structure and political class and not, in any way, to be thought of as an intent to any action in The Real World or directed at any individual person. I have no desire nor interest in anyone having any bad experience, nor certainly anything involving bodily harm let alone death. (One might ponder a moment about the current legal circumstances that require that disclaimer…)

Please please please, do not push us Deplorables too far…

You may not like the result…

Just sayin’ you might not like what your maid thinks…

One might think that you are more deplorable than she is… no?

Now I’m not a Texan. I’m only an honorary Texan, as I married into a Texan Family. But I take my responsibilities serious like. My Uncle Ken tol’ me that “if you eva’ do anythin’ to hurt that little girl, I’m a gonna hunt you down an’ kill you sohn. Welcome to the family…” Now him, being a retired guard from a Federal Prison, kinda impressed me. So I take my responsibilities as an Honorary Texan right serious like. And “anythin’ to hurt” her I interpret to mean letting a runaway Federal Government screw up the world, sell out to Soros, and generally be, well, Clinton Like in their view of Law and Order, to be a ‘harm’. So I suggest you think on that a bit.

Jus’ sayin’…

When you are looking down at us, just remember you need us much much more than we need you, and we are much brighter than you think.

We let you ‘take power’ so we don’t have to deal with the shit that is day to day politics and ‘international affairs’, so we can do important things like listen to music and spend time with our children and grandchildren. Do not confuse that with any idea that we think you competent or that we think your ‘decisions’ have merit. All we really want is for you to not screw up too much and kill our kids in stupid wars. Even that, you can’t get done right…

So just realize: one off-tune flute or baritone player, and you are in the dust bowl of history. Just sayin’… maybe actually thank us for what we do, or at least don’t piss on us, and you might not have the Leaks From Hell…

If not, well, we can play both sides…

I ought to have been an oboe player… or maybe a Blade Runner…


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Arts, Political Current Events.

42 Responses to East Coast Attack and Musical Escape

  1. philjourdan says:

    Hillary thinks us stupid? I do not recall any “geek” giving out national security secrets on national TV. She has got to be the most stupid candidate for president in HISTORY. Bar None.

  2. Jon K says:

    I always thought this song fit my relationship with the political elites perfectly.

  3. pg sharrow says:

    The Internet and the computer hardware & software that it runs on is the most wonderful tool that humans have created. It is Created and run by “Geeks”, and the politicians and 3 piece suits that make use of this tool think that they own it! 30 years ago I told a geek that this would change the world and break the hold of the ruling Elite because only geeks could grasp it. Geeks would always be a step or two ahead of the bureaucrats.
    Activities on the net require co-operation of large numbers of smart people to work, real democracy at work. Greedy Evil Bastards will have a hard time herding such a band of people because we don’t need them.
    Kind of like the time the smiths learned to work iron. ;-) …pg

  4. M Simon says:

    I designed an IoT gadget. It was strictly one way. It sent data. It could not be programmed on line.

    And further. I got fired from a writing job for writing an article that the Smart Grid was a stupid idea. I wouldn’t back down. They needed a positive spin to sell ads.

    To this day I despise those people.

  5. Gail Combs says:

    M Simon, I PAY $30 a month EXTRA NOT to be on the Smart Grid. MY electric fence and barn are on the smart grid so they can tell if the electric goes out, but the house is not on the smart grid.

    They sent out a ‘persuader’ and I loaded her down with a large file on why the Smart Grid is NOT a good idea and bent her ear for two hours explaining that file and handing her each article one at a time. (SNICKER)

  6. Gail Combs says:

    In the background Hubby is having fun with a pollster. He says he will vote by secret ballet….

  7. John Robertson says:

    “Please please please, do not push us Deplorable’s too far…”
    Sorry no chance of that, kleptocracy must expand or fail.
    Progressives never stop pushing, as it is always about them, their wants.
    Never about fellow citizens,country or justice.
    These are people who do not understand “No”.
    Who believe compromise is their opponents duty.
    And really do believe they can live your life better than you can.
    They will keep pushing until our tolerance snaps, then they whine and cry what victims they are.
    Takers.
    Parasites cannot change their diets.
    I have yet to see any evidence that kleptocracy can be peacefully reformed.
    Because extortionists rely on violence and intimidation.
    And mistake politeness for fear.

    As our (Canadian) Liberals say: “We are entitled to our entitlements”.

  8. Aron says:

    Interesting post. Good to hear there are many geeks out there on the good side. However, all these media stories about hacking lead me to believe that some “fix” to combat the issue is in the works, and the internet will not be the same afterwards. Hegelian dialectic: problem (nothing is secure on the internet), reaction (public fear), solution (“resolve” security issues by taking away more personal freedoms).

    The day is near we will all need an ID to log on to the internet, tracking every one of our moves (I suppose its the reality now but it would make it easier for them to “deny access”). Digital currency is here and will become the standard sometime in the future. All aimed for maximum control.

    It’s all rather depressing thinking about it and where we are heading. I can think of some solutions but they require the sociopaths step down from their control positions, and a thinking population, neither of which is imaginable, so it’s hard to fathom what a workable solution actually is.

    All I have control of is myself and the interactions I have with other people close to me, and maybe try to reach out to some other people in a wider network now and again and point to some evidence of the control and manipulation going on around us that does not have mine or your best interests at heart. Regardless of our social position, it really is the awake people who need to instigate the changes needed because the masses are asleep and brainwashed and the rulers are sociopaths. A massive collapse will wake up the masses but I’d rather avoid such an event. Slightly bumpy transition or straight off a cliff? I don’t like the odds on this one.

  9. Another Ian says:

    E.M.

    FYI

    “Mari C
    October 23, 2016 at 5:15 am · Reply

    No mention of the Level3 outage a few weeks ago. We lost our access at work, locally, and even our web site hosts were out. AT&T didn’t bother to even try to contact those affected – we found out through a 3rd party which supplies our IT consultant/tech. I spent the better part of a day consoling coworkers who couldn’t get to their sites. Sniggered at those directors who insisted on using web-based systems for their departments’ work loads. It was only a day, and not too wide an outage, but it was pretty complete.

    With the number of devices on the net, and lack of any attempt at security (not even simple anti-virus email scanning, fer cryin’ out loud) by so many, it’s probably more of a miracle that more of these “outages” aren’t happening. And it need not be the big red scary menace of Russia – there are savvy folks all over the world who could, and more than a few who would, disrupt things. And some just because they can. No evil or power-mongering reason, just. because.

    Millions of teenagers unable to access what ever it is they use right now (instagram? snapchat? it changes almost daily with my niece, I suppose it’s the same everywhere) could be, well, interesting. Millions of businesses unable to perform daily tasks, well, that is a disaster.”

    A comment at

    http://joannenova.com.au/2016/10/us-election-the-smear-war-is-there-to-stop-people-talking-about-the-issues/

  10. Larry Ledwick says:

    @Aron

    The day is near we will all need an ID to log on to the internet, tracking every one of our moves (I suppose its the reality now but it would make it easier for them to “deny access”). Digital currency is here and will become the standard sometime in the future. All aimed for maximum control.

    Due to the nature of computer technology and the internet protocol we are already effectively identified as soon as we log on.

    Each computer connects through one or more interfaces which by design all have unique id numbers (MAC address), and with the exception of those few who actively try to change things up, most users consistently log in over the same IP address (at least as long as DHCP does not expire the lease on that IP, which often requires that you not log in for a week or two for it to expire), plus we typically (except EM and a few others) consistently use the same browser version and the same internet provider (even if DHCP shifts our IP around slightly). Add in traffic analysis (i.e. what wording you tend to use and word frequency of unusual words or phrases) and anyone with access to the raw network traffic can quickly identify anyone who does not take a special effort to change those variables, even if they clean up history files and cookies. Especially for anyone who consistently logs into anything that requires login credentials.

    For example go here https://www.grc.com/x/ne.dll?bh0bkyd2 and check out the block titled
    “The text below might uniquely identify you on the Internet”

    At this page you can use his probe to check whether your router is open to respond to UPnP Simple Service Discovery Protocol (SSDP) M-SEARCH UDP packets:
    https://www.grc.com/x/ne.dll?rh1dkyd2

    If you choose the port scan option for shields up, he will probe your system on all the first 1056 ports to see if any of them are open and listening and respond to his probes. The more locked down the system the fewer ports will be exposed or respond to random probes.

    The only saving grace right now is the volume of data limits how many users they can profile in depth, and to keep things manageable they just collect raw data and save it. But that data file can be queried at any time and mined for information that matches a profile.

    It is like in the Clint Eastwood movie Firefox, where I believe his Russian contact tells him that the trick is to tiptoe softly past the sleeping dragon (KGB) so as not to attract its attention.

    Short of changing network cards, ISP providers (or random wifi connections) etc. all you can do is make it more complicated and time consuming to identify a digital signature.

  11. Larry Ledwick says:

    Drat second link is broken you have to drill down to the tests using the proceed buttons on the first link page.

  12. Aron says:

    Thanks Larry!

  13. Larry Ledwick says:

    Don’t know where to put this other than here.
    After the DDOS attack on DNS the other day I decided to try and figure out how to get a system that would be independent of DNS for at least a few critical web urls.

    My theory was to use /etc/hosts file on linux to hard code some name – ip resolutions for key web pages like this one that I want to be able to reach if the bat guano hits the air circulator.

    Step one:
    I updated my linux box to Ubuntu 16.04.1
    *success*

    I then wrote a simple script to grab the IP’s used by key webpages while DNS is working.
    (intention to make it a cron and write them out to a file so I have an archive of IP’s that have successfully been resolved by DNS when it was working.)

    #!/bin/sh
    # Script to capture current DNS resolutions for the names listed in
    # key_domains (one name per line) while DNS is still working.
    files="/home/lledwick/tools/key_domains"

    while read -r f; do
        echo
        echo "$f"
        gethostip -dn "$f"   # syslinux gethostip: canonical name and dotted-quad IP
    done < "$files"


    It reads the file key_domains and outputs the domain name and canonical domain and IP

    twitter.com
    twitter.com 199.59.148.82

    bigstory.ap.org
    a1896.g.akamai.net 23.3.68.115

    etc etc etc depending on the urls listed in the key_domains file.

    *success*

    Then I edited the /etc/hosts file with the twitter resolution, and silly me I thought it would be simple to “turn off” dns by changing the dns servers to invalid ips to test to see if it still would resolve the twitter url.

    Turns out Ubuntu has gone off into the weeds on name resolution, and after reading a dozen web pages I still can’t find where the current DNS server values exist so I can change them, or a simple easy on/off switch method that I can use to kill DNS for testing, because of NetworkManager and the way they have it set up now, where it essentially ignores the /etc/hosts file and overwrites any changes you make to /etc/resolv.conf because it gets rewritten every few seconds.

    Looks like there is a way to force it to use different DNS servers (I think the original on-install values are provided by my modem, because they are the Comcast DNS servers and I don’t recall having to put those values in, but I can’t for the life of me find where they are coming from, unless NetworkManager pulls them off the router each time it needs the info; it does not seem to reside in any /etc/foo file I can find).

    For the moment I give up – time to get some sleep but just wanted to add my little rant to Chiefio’s comments about the way they have broken reliable configuration file systems with magic sauce changes that are almost totally opaque.

    http://unix.stackexchange.com/questions/128220/how-do-i-set-my-dns-when-resolv-conf-is-being-overwritten

    http://askubuntu.com/questions/130452/how-do-i-add-a-dns-server-via-resolv-conf
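An added example, not Larry’s script nor anything from the blog’s own tooling, that does the “pin what DNS resolved while it was working” half of the plan above without fighting NetworkManager for /etc/resolv.conf. It keeps the pinned entries in a marked block inside a hosts file so re-runs replace rather than duplicate lines, and a name that fails to resolve keeps its last known good address. The marker strings, the one-name-per-line list format and the paths in the usage comment are assumptions; `getent` is the glibc resolver front end.

```shell
#!/bin/sh
# Pin last-known-good DNS answers into a hosts file so key names still resolve
# when the resolvers are being DDoSed. Added example, not Larry's script: the
# marker strings and the "one name per line" list format are assumptions.

BEGIN_MARK='# BEGIN pinned-dns (managed block)'
END_MARK='# END pinned-dns'

# resolve_v4 NAME -> prints the first IPv4 address for NAME, or nothing on
# failure. getent goes through the normal resolver (and honours /etc/hosts).
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# pin_host HOSTSFILE NAME IP -> rewrite HOSTSFILE so the managed block holds
# exactly one line for NAME. Lines outside the block are copied untouched, and
# the block is created at the end of the file if it does not exist yet.
pin_host() {
    hosts=$1; name=$2; ip=$3
    tmp=$(mktemp) || return 1
    [ -f "$hosts" ] || : > "$hosts"
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" -v name="$name" -v ip="$ip" '
        $0 == b { inblock = 1; print; next }
        $0 == e { inblock = 0; seen_block = 1
                  if (!done) { print ip "\t" name; done = 1 }
                  print; next }
        inblock && $2 == name { print ip "\t" name; done = 1; next }
        { print }
        END { if (!seen_block) { print b; print ip "\t" name; print e } }
    ' "$hosts" > "$tmp" && cat "$tmp" > "$hosts"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# pinned_ip HOSTSFILE NAME -> prints the IP currently pinned for NAME, if any.
pinned_ip() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" -v name="$2" '
        $0 == b { inblock = 1; next }
        $0 == e { inblock = 0; next }
        inblock && $2 == name { print $1; exit }
    ' "$1"
}

# refresh_pins LISTFILE HOSTSFILE -> resolve every name in LISTFILE (one per
# line, # comments allowed) and pin it. A name that fails to resolve keeps its
# previous pin, which is the whole point: a stale answer beats no answer.
# Returns the number of lookups that failed.
refresh_pins() {
    list=$1; hosts=$2; failed=0
    while IFS= read -r name || [ -n "$name" ]; do
        case $name in ''|\#*) continue ;; esac
        ip=$(resolve_v4 "$name")
        if [ -n "$ip" ]; then
            pin_host "$hosts" "$name" "$ip" && echo "$name -> $ip (pinned)"
        else
            failed=$((failed + 1))
            echo "$name -> lookup failed, keeping '$(pinned_ip "$hosts" "$name")'"
        fi
    done < "$list"
    return $failed
}

# Run as: sh pin-hosts.sh /home/lledwick/tools/key_domains /etc/hosts
# (needs write access to the hosts file; from cron, once an hour is plenty).
if [ $# -eq 2 ]; then
    refresh_pins "$1" "$2"
fi
```

Two caveats a practitioner should keep in mind: glibc takes the first matching hosts line, so a hand-written entry for the same name above the managed block wins over the pin, and a pinned address only helps for sites that still answer on the IP you captured (a CDN name like the akamai.net one in Larry’s output can rotate). To test without DNS, point the machine’s resolver at an unroutable address rather than editing resolv.conf by hand; hosts-file lookups happen before the resolver is consulted, so the pinned names should still work.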

  14. E.M.Smith says:

    @Another Ian:

    Yup, The Pointman has it pretty well knocked…

    BTW, that Salma Hayek video on the side was, er, ‘something’…

    I seem fond of Hispanic singers and dancers…

    Then again, I seem to be attracted to blue / purple haired girls… like this one:

    Maybe someday I’ll figure out why ;-)

    but the mind wanders…

    @All:

    FWIW, my ‘plan’ for whenever I’m forced to buy an I[di]OT device is to set up a dedicated small router and plug it into that, then essentially block all traffic from it and to it. A Pi ought to do nicely… IF it must be in communications at bring up, OK, I’ll let that through and capture the traffic. After that, spoofing whatever it seems to think it needs and having a dead line to the internet…

    It’s easy enough to ‘ground’ particular IP ranges so they can’t talk in or out… Another reason why running your own DNS is a Very Good Idea… (China? I don’t EVER talk to China, so why not just block all addresses in that range and all names ending with the China token?…)
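An added example of the quarantine router described above, not E.M.Smith’s own configuration: an nftables ruleset for a Pi with two interfaces, in a “quarantine” mode where the gadget can only talk DHCP and DNS to the Pi itself, and a “bringup” mode where its traffic to the uplink is let through but every new flow is logged, so the first-boot chatter can be captured before switching back. The “grounded” set is where blocked ranges (E.M.Smith’s China example) would go. The interface names, the router address and the 198.51.100.0/24 placeholder (a documentation prefix) are assumptions.

```shell
#!/bin/sh
# nftables ruleset for quarantining an IoT device behind its own small router
# (a Pi with two interfaces). Added example, not E.M.Smith's configuration:
# the interface names, the router address and the "grounded" range are
# assumptions (198.51.100.0/24 is a documentation prefix used as a stand-in).

IOT_IF=iot0          # interface the IoT gadget is plugged into
WAN_IF=eth0          # uplink toward the telco box
ROUTER_IP=10.99.0.1  # this router's address on the IoT segment

# iot_ruleset MODE -> prints a complete nft ruleset on stdout.
#   quarantine (default): the gadget may talk DHCP and DNS to this router and
#                         nothing else; nothing is forwarded in either direction.
#   bringup:              forwarding to the uplink is allowed but every new flow
#                         is logged, for capturing what the gadget wants on first
#                         boot before switching back to quarantine.
# Grounded ranges are dropped in both modes and win over everything else.
iot_ruleset() {
    mode=${1:-quarantine}
    cat <<EOF
flush ruleset
table inet iotwall {
    set grounded {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "$IOT_IF" udp dport 67 accept
        iifname "$IOT_IF" ip daddr $ROUTER_IP udp dport 53 accept
        iifname "$IOT_IF" log prefix "iot-input-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$IOT_IF" ip daddr @grounded log prefix "iot-grounded: " drop
EOF
    if [ "$mode" = bringup ]; then
        echo "        iifname \"$IOT_IF\" oifname \"$WAN_IF\" ct state new log prefix \"iot-bringup: \" accept"
    else
        echo "        iifname \"$IOT_IF\" log prefix \"iot-forward-drop: \" drop"
    fi
    cat <<EOF
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# iot_apply MODE -> syntax-check the ruleset and load it with nft (needs root).
iot_apply() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
    iot_ruleset "$1" | nft -c -f - || return 1
    iot_ruleset "$1" | nft -f -
}

# Run as: sh iotwall.sh apply [quarantine|bringup]
case ${1:-} in
    apply) iot_apply "${2:-quarantine}" ;;
esac
```

The input chain’s drop policy also shuts out management of the Pi itself, so add an accept rule for whatever interface you administer it from before loading this. In bringup mode the kernel log (`iot-bringup:` lines) gives the list of hosts and ports the gadget wants; anything it does not genuinely need goes into the grounded set, and once the gadget is past its setup chatter the router goes back to quarantine.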

  15. Another Ian says:

    E.M.

    Pointman didn’t mention the industrial scale test on the Ukraine power supply

  16. E.M.Smith says:

    @Another Ian:

    But you did in a comment to his article…

    @Larry:

    Part of why I’m running away from SystemD as fast as I can is that they have stated the intent to put DNS resolution into IT and away from reliable controllable files… the present mess in things like Ubuntu is the halfway house between what it had been, and what they are trying to turn it into.

    FWIW, you most likely presently have your network config set to DHCP. That picks up both the IP address and the default DNS from your internet boundary router / modem. As that is set by your telco, it may be hard for you to ‘adjust’.

    Two fixes:

    1) You can just change to manually set IP and DNS servers in your network setup panel, or using command line stuff if you like.

    2) Insert a second WiFi hot spot or router between your computers and the Telco box.

    Personally, I do both for critical machines and only use DHCP on things I don’t care much about, like a chip that boots the Pi into a Tor Browser and where a different IP is almost a feature…

    Now it may seem a bit overkill to have TWO WiFi access points and TWO networks just for one computer or three… but among other nice bits is I can directly connect to the Telco WiFi if I want to get priority on traffic (i.e. when I had bittorrent downloading like crazy behind the second layer of router, it made videos a bit, er, jerky. Going one router up from it, the video cleaned up). A kind of poor man’s QOS… It also means that IF I choose to open a port to, say, an email server or VPN server from the Telco router, all my OTHER computers are still behind a second NATing router with no open ports… much harder to crack. So, for example, my DNS Server Pi sits just off the Telco router, but I’m on a very different non-routing network with this machine. It can reach one upstream to the DNS server or two to the internet. Yet the DNS server doesn’t get stuck on requests behind a saturated router doing bittorrent or ‘whatever’…

    I can also just pull the uplink from the second interior WiFi access point and router and isolate my entire machine cluster from the internet if I don’t like the looks of the blinky lights on the AT&T box… or for just some private work… and don’t have to change how everybody gets their IP set…

    BTW, part of why I set up the Pi with DNSmasq was just that it was a much easier way of handling that whole caching a load of addresses and having my workstation pick up the right stuff. I set my interior router to point DNS at it, so anything that DHCPs an address from it gets pointed to my caching DNS server for resolution. The ‘caching’ is a key bit. It takes some config to turn it on and set it long, but by doing that, you get some of that resiliency. IIRC I have mine set to a 1 or 2 day timeout on the cache. Considered very long. IF, say, Amazon pushes a new IP address, I’ll be ‘stale’ for a day or so before it updates and could miss out on some of their wonderful ads for that thing I bought 3 weeks ago… ANY DNS lookup leaves a copy in the cache and all subsequent lookups are ‘free and local’.

    It was a lot easier than wrangling a dozen different systems and how they grab things.

    Now I like your script idea, but I’d put it on my DNS server. Now I can just run it, snag a bunch of stuff, and put it into the local file on that server and have it forever (or until things change). That, BTW, is how I ‘ground’ a whole bunch of ad services and other junk. I have them hardcoded to 127.0.0.0 in my DNS server ;-) (It also has a tiny Apache web server running and puts up ‘It Worked!’ when ads are requested ;-)

    About $35 and a few hours work. Well worth it.

  17. E.M.Smith says:

    Oh, and it ought to be possible for you to configure your Ubuntu to use dnsmasq on itself.

    In that case, all the other DNS stuff on the box is ignored and it looks to its own copy of dnsmasq for where to get things. That, then, points at the files you choose… and caches as you set the timeouts… So you could use the script idea, and mate it with dnsmasq locally, and have a really trick setup. Since dnsmasq has its own list of upstream DNS servers (and a longer list than just 2 is possible…) you can have a very robust config. I use OpenDNS, and something over in Europe somewhere IIRC, along with the local telco and some others. Odds of taking them all down are nearly nil (as long as the wire is up at all and routers routing) and dnsmasq knows to use whichever ones are responding…

    Can you tell I really like dnsmasq ? ;-)

  18. Another Ian says:

    @Another Ian:

    But you did in a comment to his article…

    When I remembered it!

  19. Larry Ledwick says:

    On the DNS servers to use it always struck me as odd to use a primary and alternate server from the same source (ie)
    nameserver 8.8.8.8
    nameserver 8.8.8.4

    If google’s name servers are for some reason unreachable I would presume both would not respond.
    The obvious exception being a failure of the primary server only.

    If you wanted to have very robust external DNS resolution I would think something like as follows would be more reliable under DDOS or major cable cut type outage situations:

    nameserver 8.8.8.8 <—- google
    nameserver 209.244.0.3 <—– level3
    nameserver 208.67.222.222 <—– opendns
    nameserver 75.75.75.75 <—— comcast

    This assumes that you can have more than 2 DNS servers listed which I think is allowed.
    The odds of all 4 providers being unreachable is really remote if the internet is working at all.

    Have you used dnsmasq with more than 2 dns servers listed – will it work with 3 or 4 servers listed(?) and actually walk down the list in the order provided until it resolves the address?

    Comments ? — I want a setup that you can do a default install of Ubuntu, make a simple change to the default install and then not have to mess with it in the future. Ideally something you can script in something like your install script
    (the less you “fix” the less likely you are to accidentally break something else. )

  20. E.M.Smith says:

    dnsmasq lets you have multiple servers, rotate through them or take them in strict order, and more.

    IFF you ever run out of options in it, which I never have, you will be skilled enough to use ‘bind’ instead, which does anything…

    I usually put Google servers last due to their information harvesting nature and include one from another continent…
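An added example, not E.M.Smith’s or Larry’s actual files, that writes the dnsmasq setup the last few comments describe: several upstreams from different operators (Larry’s four, in the order given, so Google can be put last as E.M.Smith prefers), a choice between dnsmasq’s default fail-over, `strict-order` and `all-servers`, a cache with stretched TTLs, and an extra hosts file that blackholes ad and tracker names. The paths, the upstream list and the blackhole names are assumptions; the dnsmasq option names are real. It uses 0.0.0.0 for the blackhole rather than a loopback address; a loopback address is what makes the “It Worked!” Apache trick in the earlier comment fire.

```shell
#!/bin/sh
# Generate a dnsmasq configuration for a small caching resolver with several
# upstreams and a hosts-file blackhole for ad and tracker names. Added example,
# not E.M.Smith's or Larry's files: the paths, the upstream list and the
# blackhole names are assumptions; the dnsmasq option names are real.

# slash16_count "IP IP ..." -> number of distinct a.b.0.0/16 prefixes in the
# list. A crude stand-in for "how many different operators": 8.8.8.8 8.8.4.4
# counts as one basket, the four-provider list below counts as four.
slash16_count() {
    printf '%s\n' $1 | awk -F. '{ k = $1 "." $2 } !(k in seen) { seen[k] = 1; n++ } END { print n + 0 }'
}

# dnsmasq_conf OUTFILE MODE UPSTREAM... -> write OUTFILE. MODE selects how the
# upstream list is used:
#   default  : stick to one server, move to the next only when it fails
#   strict   : strict-order, walk the server= lines in the order given
#   parallel : all-servers, ask all of them at once and take the first answer
dnsmasq_conf() {
    out=$1; mode=$2; shift 2
    [ $# -ge 2 ] || { echo "need at least two upstream servers" >&2; return 1; }
    if [ "$(slash16_count "$*")" -lt 2 ]; then
        echo "warning: every upstream is in the same /16; add a second provider" >&2
    fi
    {
        echo '# caching resolver, generated'
        echo 'listen-address=127.0.0.1'   # add the LAN address if other hosts use it
        echo 'no-resolv'                  # ignore /etc/resolv.conf, use only server= below
        echo 'domain-needed'              # never forward bare names like "printer"
        echo 'bogus-priv'                 # never forward reverse lookups of private space
        echo 'stop-dns-rebind'            # refuse upstream answers that point at private ranges
        echo 'cache-size=10000'
        echo 'min-cache-ttl=3600'         # stretch short TTLs; dnsmasq caps this at one hour
        case $mode in
            strict)   echo 'strict-order' ;;
            parallel) echo 'all-servers' ;;
        esac
        for s in "$@"; do
            echo "server=$s"
        done
        echo 'addn-hosts=/etc/dnsmasq.d/blackhole.hosts'
    } > "$out"
}

# blackhole_hosts OUTFILE NAME... -> write a hosts file that answers each NAME
# with 0.0.0.0, an unroutable address, so the request dies without a connection.
blackhole_hosts() {
    out=$1; shift
    : > "$out"
    for name in "$@"; do
        printf '0.0.0.0\t%s\n' "$name" >> "$out"
    done
}

# dnsmasq_check CONFFILE -> syntax-check with dnsmasq itself, if installed.
dnsmasq_check() {
    command -v dnsmasq >/dev/null 2>&1 || { echo "dnsmasq not installed, skipping check" >&2; return 0; }
    dnsmasq --test -C "$1"
}

# Run as: sh mkdnsmasq.sh write   (then restart the dnsmasq service)
if [ "${1:-}" = write ]; then
    dnsmasq_conf /etc/dnsmasq.conf strict 8.8.8.8 209.244.0.3 208.67.222.222 75.75.75.75
    blackhole_hosts /etc/dnsmasq.d/blackhole.hosts ads.example tracker.example
    dnsmasq_check /etc/dnsmasq.conf
fi
```

A few notes on the choices. `no-resolv` is what stops NetworkManager’s rewriting of /etc/resolv.conf from mattering: dnsmasq only uses the `server=` lines. `stop-dns-rebind` is worth having on a box that also fronts I[di]OT gear, since it refuses upstream answers that point into private address space. `min-cache-ttl` is the knob for stretching short TTLs, but dnsmasq caps it at one hour, so the day-long staleness E.M.Smith describes needs the pinned hosts file rather than the cache. On Ubuntu 16.04 NetworkManager already runs its own private dnsmasq on 127.0.1.1, so either set `dns=none` in its configuration or make this instance listen on a different address before pointing the machine at it. Blocking a whole domain rather than single names is `address=/example.net/0.0.0.0` in the same config.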

  21. Larry Ledwick says:

    I found some tutorials on dnsmasq so will be looking at that (also just ordered a RPi3).
    Now all I have to do is go back and find your old links and re-read them for your RPi builds and DNS blackhole for served ads on web pages.

    A little after action information on the outage this week.
    http://www.reuters.com/article/us-usa-cyber-companies-idUSKCN12O041

  22. M Simon says:

    Larry Ledwick says:
    23 October 2016 at 3:17 am

    The trick is to do everything you do on the ‘net with a view that it is all compromised.

    I used to have a security clearance. I assume I’m being watched. I don’t bother with crypto or all the tricks. It would just call more attention to myself.

    So what is ideal? Well have a presence such that you are somewhat well known – a blog – but not so well known that you influence too many people. Be an annoyance not an aggravation.

    Don’t go for the big win. Go for the long haul. I got Polywell Fusion recognized by posting a few comments a day at various blogs where the topic was relevant. It took about 6 months.

    And a personal note to you: Prohibition is a government program. Need I say more? I will add this:

    If the question is “what to do about xxx” and the answer is “we need a law” you are talking to a socialist.

    And socialism is not a left/right thing as so many assume. Anyone who favors solving social problems at the point of a gun is a socialist. The current anti-abortion crowd on the right comes to mind. We used to have an anti-abortion faction in Rockford that believed in changing minds not government. It has since disbanded.

  23. Larry Ledwick says:

    The dangers of tit for tat cyber retaliation for the US vs Russia or China.

    http://freebeacon.com/national-security/russian-hacks-bring-u-s-vulnerabilities-forefront/

  24. Larry Ledwick says:

    And add medical devices to the list of vulnerable technologies
    http://www.reuters.com/article/us-st-jude-medical-cyber-muddywaters-idUSKCN12O1O1

  25. Larry Ledwick says:

    By the way EM now that you have lived with the RPi3 as a daily browser for a while, and had some time to play with different OS installs, what are your current favorites on that platform?

    Judging on :
    Problem free install
    Inherent stability and lack of built in problems you have to “fix” before you can have a reliable, locked down system.
    Speed (i.e. light weight OS that gets basic browsing done but not a lot of useless bells and whistles).

  26. Larry Ledwick says:

    Another item on the risky nature of using Lenovo computer equipment.

    http://freebeacon.com/national-security/military-warns-chinese-computer-gear-poses-cyber-spy-threat/

  27. E.M.Smith says:

    @Larry:

    I’ve not updated the Pi OS lately, as I have several on chips and running already and I’m not keen on moving to SystemD releases.

    In general, Arch has been fast and reliable, despite the Systemd in it (but it looks like an ‘at arms length’ use of it). Debian is generally good with rapid fixes and support, but being a rolling release, it can break without a lot of warning if you are on the early testing side…

    Fedora lags, but works more reliably. Kind of locked down for my tastes, though.

    Ubuntu is, well, Ubuntu. Fatter and slower than I like.

    All of them install easily and work relatively free of bugs. Arch you need to take extra steps to get an x-windows environment (but it’s in the script I put up, I think ;-)

    I need “someday” to do the Void install, as I’m pretty sure it’s the end game for me. BSD is very robust, fast, and I love it, but configuring X is not direct and I got distracted, so haven’t done it. Slackware is, well, Slackware. I like it a lot, but it’s funky. I may yet “go there” as they still use Version 7 style rc.d files for init… and that’s still in my brain somewhere. (Changing Everything I Know about systems admin just to adapt to how SystemD wants me to do things differently is not high on my life goals…)

    So mostly I’m running Arch and I’m happy. Occasionally I run Fedora and it’s OK too, but restrictive (though more secure). I can’t get excited about Ubuntu, but that’s just me I think. Debian is fine for many things (most things) and I’ve used it the most, until I went the Arch route. Debian’s SystemD build was a bit buggy (first cut a while ago) and Arch worked, so I made the move then and mostly run the last non-SystemD Debian. “Someday” I ought to go back and try the latest Debian again and see if it’s working well now and how badly “everything I know is wrong” now on configuring things…

    So does that help?

    Short form: You can trivially install several OS types on one chip with Berry Boot, though it is a tiny bit slower in operation than a direct install to the chip. Install onto a 16 GB or so chip: Debian, Fedora, Ubuntu, Arch, and Puppy. Then boot them all, one at a time, and spend your first day or two playing. You can always change your mind later…

    Oh, FWIW, I use Puppy for “boot do something on a clean OS, exit and reset”… Berryboot lets you reset the OS to a base state. Nice for assuring nothing evil crawled in and made it home… It’s very handy for that. It is also fast and light.

    Oh #2: THE biggest PITA has been getting reliable Video with sound to work. I’ve generally just been lazy and used the Chromebox. Often it works on Arch, but sometimes the sound goes funky. Then again, I’ve not done any updates for about a year, so it’s likely fixed by now in most of the OS types… IIRC, it worked OK in one of the other OSs but I’ve forgotten which one… Ubuntu? Puppy?… At any rate, it’s the video / sound that’s the biggest ‘issue’ in my releases and close behind it is the SystemD changes to how you set / configure / control things…

    I really need to do another Financial Update AND another Pi Tech posting or three, but I’ve been on a Domestic Kick (canning and food) and overrun by Politicks (“many blood sucking insects”)… hopefully that whole thing wraps up in the next month…

    Sigh. So much to do, and only one me…

  28. Larry Ledwick says:

    Now they are starting to walk back the assertion that the DDOS was the work of the Russians.

    http://www.washingtontimes.com/news/2016/oct/26/historic-ddos-attack-likely-waged-by-non-state-act/

  29. E.M.Smith says:

    Yeah, after the headlines are long gone and lost to the past…

    There are script kiddies who can launch a bunch of bots for a DDoS using nothing but downloads from the ‘net, fer crying out loud. Heck, I’d do it if it wasn’t so damned boring! Just watch the bug boards for known exposures in typically non-maintained machines (routers, I[di]OT things, phones and TVs and TV boxes and…) then look for a script that does the hack. Launch, wait, trigger.

    It’s just Sooo dumb that I can’t bring myself to even bother doing it once. Even against my own boxes! It’s like deciding to go watch paint dry to see how it works…

    Any “pro” at a State Actor farm would not bother with a DDos, they would take over the box (or the things it depends on directly like routers and load balancers) and do something tricky with it. Cause it to infect the whole company, or all visitors, with something icky so they never want to come back again… or have 1 in 10 ‘visits’ directed to their direct antithesis, or have it cause its backups to be corrupted for a year THEN blow its own disk… Now some of that would be interesting to program…

  30. beng135 says:

    EM, thought you might find this interesting on the DDoS attack & a Linux vulnerability:

    https://www.grc.com/sn/sn-583.htm

  31. E.M.Smith says:

    @Beng135:

    Thanks for that!

    I’d been meaning to do a bit of a deeper dive into WTF was done, that had the details.

    The COW attack I’m not so worried about. That it is a Linux Kernel bug of long standing is a PITA as I have several long standing Linux images… so they are all vulnerable. Then again, essentially only one of them is an outward facing server (my DNS server) so not particularly at risk since for most of them no ports are exposed to scanning.

    The Telco WiFi router is their problem to maintain and update, so I’m out of it on that one ( I presume they have enough clue to prevent their entire user base from being wide open as they supply the routers to just about everyone…)

    My interior WiFi Router is relatively new, but I’ll need to “check for updates”. I suspect it is vulnerable.

    I’ve just done an update on the Chromebox. (Last version was Oct 4th, after the update, October 26th, so 2 days ago they released a build… I wonder why ;-) I’ll be running on the Chromebox for outward facing things as I go through the rest of the shop…

    It’s that drammer bug that’s the most bothersome. Exploit of a hardware cheapness fault… Sigh. I do wish:

    1) Hardware vendors would stop being such cheap asses.
    2) Management at all levels of all companies would actually give a damn about security.
    3) The Government would stop making life easy for Russian, Chinese and all other hackers by pushing for “almost enough security but not enough to keep TLAs out”. That does not work and just means EVERYONE has access if they work at it a bit.

    (The sop to Global Warming in the middle of the long article was humorous in a way, being so glaringly out of place, but the start and end were great tech talk ;-)

    OK, looks like a load of work for the weekend:

    1) Update the OS on my long neglected DNS server. Use Berryboot so I can “reset to base” state and “reset to approved state” with one click and not have to “restore from secure backup” as that’s an annoyance.

    2) Add Host IDS and Network IDS to it. It sits in my “DMZ”, so is most of the time all alone on that level of the network. It’s also the first stop-and-shop point for intruders, so it would be a nice first warning of “something is wrong”. (Well, really, the first warning is the Telco Blinky Lights about 2 feet to my right… but as I’m not always sitting here and when the spouse is doing things they always blink, it’s more of a “maybe sometimes” early warning of major issues…)

    3) Make a secure offline archival copy of the new DNS server chip.

    4) Update my “Daily Drivers” systems images. There’s roughly 3 of them at this point. 2 are “rolling releases” so I need to find out if the kernel bug is patched in “stable” where I’m at, or up at “devo”…which also unfortunately means moving up to SystemD for some of them. Damn it. Maybe it’s time to just get that Void trial done… it’s not SystemD afflicted… Install host and network IDS on at least the main one of them.

    5) Check the update level on my interior WiFi Router. Check if it was patched for the kernel bug (COW). Consider, if not, perhaps finally installing OpenWRT on it. Failing that, maybe get a Round Tuit and roll my own “Access Point Chip” for the Raspberry Pi… I have three of them and “most of the time” only 2 are in use at once. The PXE boot server is off right now, for example. I could combine Access Point with PXE server… I’d need to find the power supply for my 10/100 Ethernet Switch though ;-)

    6) Put a hub in the middle of the network between my private network, the DMZ, and the public router so that an IDS will scan all traffic. Build and install a dedicated IDS and Host IDS archival server. Maybe this can be integrated with one of the above things…

    7) Order a couple of more small system cards. (Perhaps something more beefy than the Pi for an upgrade in desktop speed?) Evaluate Pi Zero and Pi Above Zero as IDS / DNS / dedicated micro server appliances. Essentially scope an enhanced network that still leaves me with enough Pi’s to have some to play with ;-)

    8) Found an old unused briefcase in the garage (that, silly me, I started to clean out yesterday… and is now partly in the living room… right when I need to go be computer geek for the weekend…) and realized that it would be a great “breadboard” for an “I.T. Shop In A Van” updated to today and micro sized servers. Listed the basic services (email, DNS, web, IDS, WiFi, power supply, Torrent, HotSpot Internet routing, FTP, NFS, disk ‘farm’ of 2 TB, etc.) that would make such a shop. I think I can make it all fit easily with Pi’s and similar. Maybe do some of the “rebuild” into it? Or maybe put it off… It would be kinda fun to be able to toss the power cord in, close the lid, latch the case, and walk out the door with my “I.T. Shop In A Box” ;-)

    Sigh. Somehow that looks more like a week than a week end…

    I think I need some prioritize time…

    FWIW, for the last week? or so I’ve only used Chromebox and Tablet as both of them are “disposable” to me. (I.E. I’m OK with “reset to factory and reload / update”) and the spouse has only used Mac (as it is relatively solid and secure to this stuff; she did an ‘update’ last night so is current and good to go).

    ALL my archive disks, Pi images, working data store (USB disk of regularly used files) and the Pi systems they plug into have been left OFF. Other than the DNS server. This isn’t a knock on the Pi. I’d be equally happy booting a “disposable” Pi image (and have some for that purpose, the Puppy Pi and Fedora for example… on the same chip with my “daily driver”). It is just that both the Tablet and the Chromebox do Video really really well and I’ve been on a TV Video kick… so the “off time” for the “regular command line Linux systems with X-Windows” has been partly a matter of ‘what is on them’ and partly a matter of “want known good TV / Video for testing links”.

    The point is just that YOU ought to have a “disposable system” ready to run whenever things go “bump in the night”. It is just good practice. First off, you know it’s clean as it has spent the last months off and off line. Also the archive image of it is “up to date” and if you scrog the thing, you just reload that last archive. Third, your main box might be compromised, so using it for diagnostics / repair has a (small) risk. Fourth, using it exposes it (and all data on it) and until you re-lock-down your world, you likely don’t want that…

    I typically have at least 4 “main systems” available to me (with a dozen or more system images on them). It isn’t hard nor expensive. Two of them are old PCs (Windoze 7 & XP and Linux dual boot). They can also be booted from CDs of Linux should I be really worried ( I have an archive of at least a dozen different live CDs). So that’s a ‘free’ set. One is a laptop bought for $100 for something else 3 years ago (Windows 7? only) also boots live CDs and I made a Knoppix SD card for it. One is the Tablet (bought 4? years ago for on the road browsing) and one is the Chromebox (bought 2? years ago for on the road and entertainment system use). Then there are the Pi’s. About $100 worth, all told. And about $100 of “chips” with various OS images on them. I think it is about 15? chips with an average of 4 OS images per chip. Call it 60 system images for about $250 all up cost. (Normal folks would only need about 1/3 of that…)

    That gives me over 75 total system images I can easily get to and boot up if desired. (It also gives me 75 images to worry about maintenance… but most of them are ignored most of the time…) All up I think I’ve got about $800 in the lot of them spread over about 4 years. $200 / year is about 1/5 of my phone bill or 1/10th of my TV / Network bill or 3 tanks of gas (about 2/3 of one drive to Florida… not counting food and hotels… or maintenance on the car)

    So in addition to my general “rotate the shields” swapping between the top 4 on a pseudo random basis, I’ve got 70 more clean choices to boot at any given time even if I know things have gotten inside the walls. Some of them locked SD cards, others CDs, some just powered off. I always have a clean system I can boot to start recovery. (Old habits die very hard, and some never do.. ;-)

    I would strongly encourage others to consider something similar. Even if it is just downloading a Knoppix Live CD or an Ubuntu Live CD or a Puppy Live CD or making a Debian Bootable USB stick or… It is just sooo nice to be able to think “That’s a dodgy site to visit… I think I’ll boot the USB stick” instead of “WTF just happened to My Citadel Of All Things Important after I clicked on that dodgy link?”… I never use my main system for “random browsing of questionable sites”. The Chromebox is set up for video watching and blog stuff. The tablet is used for TV and some web browsing of known places. It is also used “on the road” so a ‘reset’ is an ok process on it. Saved downloads get copied off and quarantined as needed. If I’m going somewhere “dodgy”, it is a Live CD or similar that gets booted. On the Pi3, I will boot a Puppy Linux or sometimes Fedora for such things. My main files live mostly in a drawer, but a (often times newly installed…) Linux image is used when managing them. The “Daily Driver” sometimes has my working set of files plugged into it, but often not. It is used for “likely OK” browsing and occasional blog stuff. I also read mail there (and you might guess it doesn’t get read all that often as the system is often not powered on…)

    PITA? Yup. But any “Aw Shit!” is always and necessarily of limited scope. It can only hit those things that are powered on and online at the time, and that is, by design, a very small percentage.

    At any one time, a complete EMP based fry of “all things connected” could happen and 90% plus of my data and systems would be fine. Just Fine. (The internet TBD…) USB dongles on the Daily Driver and Chromebox and Tablet have backup images in the offline archive, so recoverable to about 2 months back, worst case.

    Now, that said: What makes that drammer bug so PITA OMG PITA is that it isn’t software based as an exploit. It is hardware based and based on the nature of DRAM. Nothing is guaranteed secure against it until proven otherwise. What makes the COW exploit a PITA is that it exploits a Linux Kernel bug of 9 years standing. That means 95%+? of my system images are exposed to it. OK, they are substantially never used in a way to put them at risk, but still… So “servers” need to be fixed first, and occasional use boxes ‘whenever maybe’… but about that Daily Driver image… I’m now, for Debian and Ubuntu and others, in a “Take SystemD or be exposed to COW exploit” dilemma box. So that, for me, means “Find an alternative and burn all the past”… Or in other words, look for a non-SystemD current patched kernel release and “move on”… that I think is most likely Void or maybe going back to that BSD build I had 3/4 done (needed to install X windows).

    Sigh.

    I need about a 48 hour day…

    Did I say “Thanks for that!”… ;-)

    I knew I did… 8-)

  32. beng135 says:

    (The sop to Global Warming in the middle of the long article was humorous in a way, being so glaringly out of place, but the start and end were great tech talk ;-)

    Just shows to me AGAIN that people smart in one discipline may be clueless in others.

  33. pg sharrow says:

    @EMSmith; “Find an alternative and burn all the past”… It seems to me that after 4 years of pondering this thing you are ready to move forward. May be the correct decision. All the files and software of the past are in boxes that are “safe” as long as they are NOT connected to the internet. So the nexus is the internet connection and the router behind it. I should think that the DNS server is the place to start. Maybe based on the Pi-2.
    I am pleased with my Raspi 2B and chrome as an internet tool, a bit slow but usable, but I don’t do video. The Raspi 3 might be a good base for such things, certainly for everything else. Good video might be a bridge too far. Internet TV should stand alone and not be a concern in the present solution.
    We just bought a smart flat screen TV, as our old CRT analogue died, $200 at Best Buy.

    As security is of prime concern, you are the best man for the job, maybe the only man with the qualifications and attitude to get it done right. There are several commenters here that seem to be willing and able to help. The Raspberry Pi has a very large base of enthusiasts that might be tapped.
    K.I.S.S. and Solid is the best direction. The less Bells and Whistles the better. Real people will have to operate and maintain their system as there is no factory rep. to call on…pg

  34. Larry Ledwick says:

    I see a book opportunity EM!

  35. Larry Ledwick says:

    In that vein EM what would a block diagram of the ideal home high security setup be?
    I am looking for something like this (a visual block diagram is so much easier to understand).

    (1)  { cable modem }- - - - {home dns box}- - - - - {primary browsing system}
    
    (2)  { cable modem }- - - - {home dns box}- - - - -{home firewall}- - - - -{primary browsing system}
    
    (3)  { cable modem }- -{hub} - - {home dns box}- - - -{home firewall}- - - -{primary browsing system}
                             |
                             |
                     {Intrusion detection system}

    By the way in poking around I stumbled across this page which helps make sense of firewall logs and what someone is trying to do.
    When I get around to doing a firewall this looks like it will be a big help.

    http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
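    Making sense of firewall logs is mostly a matter of aggregating them: one line says little, but counts per source and per destination port show who is sweeping which ports. The following is an added example (not from the linked page, nor from anyone in this thread) that parses the key=value lines the netfilter LOG target writes to syslog and reports probable port scans and the most-hit ports. The sample lines are constructed, use RFC 5737 documentation addresses, and assume a `--log-prefix` of `DROP-IN:`; the scan threshold is an assumed tuning value.

```python
"""Summarize netfilter (iptables LOG target) lines from a firewall or IDS box."""
import re
from collections import Counter, defaultdict

# Constructed sample of syslog output from the netfilter LOG target.
# Addresses are from the RFC 5737 documentation ranges, not real hosts;
# "DROP-IN:" is an assumed --log-prefix value.
SAMPLE_LOG = """\
Oct 26 03:14:07 dmz kernel: [12345.678901] DROP-IN: IN=eth0 OUT= MAC=b8:27:eb:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 26 03:14:08 dmz kernel: [12346.001122] DROP-IN: IN=eth0 OUT= MAC=b8:27:eb:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54322 PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 26 03:14:08 dmz kernel: [12346.334455] DROP-IN: IN=eth0 OUT= MAC=b8:27:eb:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54323 PROTO=TCP SPT=44323 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 26 03:14:09 dmz kernel: [12347.667788] DROP-IN: IN=eth0 OUT= MAC=b8:27:eb:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54324 PROTO=TCP SPT=44324 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 26 03:14:09 dmz kernel: [12347.990011] DROP-IN: IN=eth0 OUT= MAC=b8:27:eb:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54325 PROTO=TCP SPT=44325 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 26 03:20:41 dmz kernel: [12739.112233] DROP-IN: IN=eth0 OUT= MAC=b8:27:eb:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1001 PROTO=TCP SPT=51000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 26 03:21:02 dmz kernel: [12760.223344] DROP-IN: IN=eth0 OUT= MAC=b8:27:eb:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.78 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1002 PROTO=TCP SPT=51001 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 26 03:25:13 dmz kernel: [13011.445566] DROP-IN: IN=eth0 OUT= MAC=b8:27:eb:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=49152 DPT=53 LEN=56
Oct 26 03:25:14 dmz kernel: [13012.556677] DROP-IN: IN=eth0 OUT= MAC=b8:27:eb:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=49153 DPT=53 LEN=40
Oct 26 03:30:00 dmz kernel: [13298.778899] DROP-IN: IN=eth0 OUT= MAC=b8:27:eb:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=198.51.100.200 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=22222 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Bare tokens the LOG target emits without an '=': TCP flags and IP fragment bits.
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "MF"}


def parse_line(line):
    """Turn one netfilter log line into a dict of KEY=value fields.

    Bare flag tokens are collected under 'FLAGS'. Returns None for lines that
    are not netfilter output (other kernel messages share the same syslog file).
    """
    if "IN=" not in line or "SRC=" not in line:
        return None
    rec = dict(KV_RE.findall(line))
    rec["FLAGS"] = {tok for tok in line.split() if tok in FLAG_TOKENS}
    return rec


def summarize(log_text, scan_threshold=4):
    """Aggregate dropped packets per source and per destination proto/port.

    A source that touched at least scan_threshold distinct proto/port pairs is
    reported as a probable port scan. Many sources hitting one port (the
    worm-or-botnet sweep pattern) show up as a large count in by_port instead.
    """
    hits = Counter()          # packets per source address
    ports = defaultdict(set)  # distinct proto/port pairs each source touched
    by_port = Counter()       # packets per destination proto/port
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec.get("SRC", "?")
        hits[src] += 1
        if "DPT" in rec:  # ICMP lines carry TYPE/CODE, not a port
            key = f"{rec.get('PROTO', '?')}/{rec['DPT']}"
            ports[src].add(key)
            by_port[key] += 1
    scanners = sorted(s for s, p in ports.items() if len(p) >= scan_threshold)
    return {"hits": hits, "by_port": by_port, "scanners": scanners}


def report(log_text):
    """Print a short digest; suitable for a cron job on the DMZ box."""
    s = summarize(log_text)
    print("Top sources:")
    for src, n in s["hits"].most_common(5):
        print(f"  {src:<16} {n:>4} packets")
    print("Top destination ports:")
    for port, n in s["by_port"].most_common(5):
        print(f"  {port:<10} {n:>4} packets")
    print("Probable port scans:", ", ".join(s["scanners"]) or "none")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

    On a real box, feed it the output of `grep 'DROP-IN:' /var/log/kern.log` (or whatever prefix the LOG rules use). Two patterns fall out of the counts: one address walking several ports is a scan, while many addresses all hitting the same port (telnet in the sample) is the signature of an automated sweep for the kind of unmaintained devices the thread is about.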

  36. Larry Ledwick says:

    Drat the intrusion detection system was supposed to line up with the {hub}

    [Reply: Fixed it for ya… It’s always tricky to get the spacing right as some things look proportional but are not. -E.M.Smith]

  37. E.M.Smith says:

    Well, I was being too pessimistic. I’d figured kernel patching would be too much to ask of the home gamer… seems debian (and by extension Ubuntu) have a kernel patch kit
    https://packages.debian.org/jessie/kernel/kernel-patch-scripts

    So for most of my kit I just need a kernel patch. Those exist for Debian with systemd AND for the releases just prior as they are not yet EOL.

    Happy happy joy joy! “Just Patching” is a lot better for me than full update…

    @P.G.:

    I generally prefer a migration path to a burn the village path. I’m already well along the migration (most of search done, need Void install – it was a bit raw back when but now ought to be ready for prime time) and I’d rather put time into that for the daily driver than spend a month remaking various old system images that could instead just be marked “dirty COW bug risk” and put back in the drawer…

    The Pi B is overkill for the DNS server. My intent as of now is to rebuild it first (it is a couple of years out of current and with that much “old experiments” cruft on it. It is also the most exposed AND it doesn’t need XWindows so that PITA is dodged…) The present services list, in order of importance, is:

    DNS – essential as it is presently a configured service in the rest of the shop
    IDS – Both net and host – essential as present threat levels require it.

    Optional or “fun someday” can be added later services:

    DMZ side eMail spooler server.
    VPN target (let me bounce off home with secure tunnel)
    Torrent server
    Onion router (need to open port in telco router I think)
    FTP archive of non-private files
    WEB server / Apache for sharing things without wordpress

    It looks like Debian Jessie with patched kernel is the easiest path guaranteed to work, but I might investigate Void or even BSD for it.

    Then the Daily Driver finally gets pegged to a target and that New World built / completed.

    Then the “Interior server” based on lessons learned from those two with:

    IDS – both net and host
    Internal private eMail server
    DNS server
    PXE Boot server
    WEB server (mostly as landing spot for DNS Spoofed ads so no timeout lag)
    Print spooler
    DBMS SQL server for temp data experiments
    File Server – NFS, SAMBA, FTP, GIT

    At present, many of those are on different chips as testbeds. The Pi 2 is plenty for the interior server for one person as I will be limiting.

    I’ve inventoried all my old chips and as they are deprecated, can be put in the repurpose pile.

    As all data tends to live outside the systems, they are “disposable” (with a few exceptions to be backed up).

    Folks may notice the lack of a backup server. As things change a lot, I tend to do them long hand and on demand. Someday it might be nice to automate that (just post conversion?)

    @Larry:

    I already have 2 books I’m not writing… ok, I’ll add a third ;-)
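    With dozens of chips, each carrying several OS images, the first step of a “kernel patch weekend” is finding out which images are actually behind. The following is an added example, not the author’s tooling, that triages an inventory of image labels and their `uname -r` strings against a first-fixed version. The inventory and the `MIN_PATCHED` value are constructed placeholders (take the real number from your distribution’s advisory for the bug in question). It also handles the case that makes plain version comparison misleading: Debian and Ubuntu style `X.Y.0-<abi>-<flavour>` kernels keep an old upstream number and get fixes backported, so those are listed for package-level verification rather than declared vulnerable.

```python
"""Triage SD-card images by kernel version before a kernel-patch session."""
import re

# Constructed inventory: (image label, output of `uname -r` on that image).
# Strings mimic Raspbian, Arch ARM, Debian, Fedora and Ubuntu naming; they
# are samples, not anyone's actual images.
INVENTORY = [
    ("dns-dmz",       "3.18.11-v7+"),
    ("daily-arch",    "4.4.26-1-ARCH"),
    ("debian-jessie", "3.16.0-4-rpi2"),
    ("fedora-play",   "4.8.6-300.fc25.armv7hl"),
    ("puppy-reset",   "4.1.19-v7+"),
    ("ubuntu-test",   "4.4.0-45-generic"),
]

# PLACEHOLDER: first upstream kernel version carrying the fix you care about.
# Assumed for the demo; it is not a claim about which real kernels are patched.
MIN_PATCHED = "4.4.26"

UPSTREAM_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
# Debian/Ubuntu "X.Y.0-<abi>-<flavour>": upstream number frozen, fixes backported,
# so the version string alone cannot tell you whether the fix is present.
DISTRO_ABI_RE = re.compile(r"^\d+\.\d+\.0-\d+-")


def parse_version(uname_r):
    """Return (major, minor, patch) from a `uname -r` string; patch defaults to 0."""
    m = UPSTREAM_RE.match(uname_r)
    if not m:
        raise ValueError(f"unrecognized kernel string: {uname_r!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(uname_r, minimum=MIN_PATCHED):
    """'ok' at or after the fix version; 'verify' for distro ABI kernels that
    may carry a backport; otherwise 'patch'."""
    if parse_version(uname_r) >= parse_version(minimum):
        return "ok"
    if DISTRO_ABI_RE.match(uname_r):
        return "verify"
    return "patch"


def triage(inventory, minimum=MIN_PATCHED):
    """Group image labels by verdict, oldest kernel first within each group."""
    groups = {"patch": [], "verify": [], "ok": []}
    for label, uname_r in sorted(inventory, key=lambda item: parse_version(item[1])):
        groups[classify(uname_r, minimum)].append(label)
    return groups


if __name__ == "__main__":
    for verdict, labels in triage(INVENTORY).items():
        print(f"{verdict:>6}: {', '.join(labels) or '-'}")
```

    For the “verify” group the question is answered by the kernel package changelog (`apt-get changelog` on the linux-image package, or the advisory’s fixed package version), not by `uname -r`. Collecting the `uname -r` line from each chip as you boot it once is enough to build the inventory list.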

  38. E.M.Smith says:

    Well, the interior router had a firmware update available… So now it’s both a bit locked down and with the newest software.

    FWIW, it seemed to not want to let me back in to manage it from 2 of my devices. I’d set it to only allow known hosts to connect. It looks like it keeps a table of IP, MAC, and Machine Name. Since I’m using DHCP for IP, I think for those they had aged out and gotten new IP numbers… so were locked out. Dumb. OK, note to self: Either shut off “known machines only” or try it with fixed IP addresses…

    I’ve now recovered it using the third device to log in, become manager, and reset the device lockout… Sometimes you can have a bit too much security ;-)

    With the update in place, I’m going to back off to “anyone with password and local can connect” as that’s likely enough security. It already requires manager rights requests to come from the “inside” network, so the wire directly connected or inside WiFi range (which in practice means my house and / or 3 neighbors)

    So at this point the routers are all done (or the Telco responsibility), the major “system in a box” machines are done (Chromebox, Mac, Tablet) and I’m ready to hit the DNS “DMZ based services” Pi Model B, then on to the Daily Driver Pi… Other chips to be “patch kernel if you ever need to use that chip again; or just reuse / repurpose it” as needed.

    Somehow I still think this is going to take way longer than a weekend or even a week…

    @Larry:

    In a typical world, you would do something like:

    TELCO - HUB - INTERIOR FIREWALL ROUTER - Switch or Hub - everything else
             |
            IDS & DNS & DMZ Stuff
    

    Then on the backside of the interior router, you would have another IDS, and then a switch with all your interior servers and workstations. Also note that the DMZ can be branched out of either the boundary router (TELCO in this case) or the INTERIOR router. If taken via the INTERIOR router, I’d add another level of routing / firewall behind it… then again, I’m prone to security overkill… then again, again, that stopped the Infamous Internet Worm that killed most everyone else…

    I treat the HUB as the DMZ in my setup, just because dealing with the Telco router has been a PITA so far (though I’ve now found how to configure it at home, even if I haven’t tried it yet.) It has a set of 4 ports in it that I think is a switch, but might be a cheap hub. In this case, oddly, I hope it is a hub as then the IDS can just plug straight into it. (some testing required…) If blinky lights show it to be a hub (i.e. laptop causes web page traffic, activity light on Pi strobes with that traffic on another port) then this diagram simplifies to the IDS, DNS Server, and INTERIOR router all just plugged into the Telco Boundary Router hub ports.

  39. Larry Ledwick says:

    Thanks! I was not sure about the actual physical topology of how the devices were typically connected.
    Just trying to engineer how I want to lay out my system to be both traffic secure but EMP / electrical surge resistant.

    Considering building a “network in a box” with the RPi’s as mentioned above with a metal brief case just to see if I can put together a self contained “get out of Dodge system” that is both compact, flexible and secure as a learning tool.

    Something like this:
    https://www.amazon.com/dp/B00NQ15BK4/ref=wl_it_dp_o_pC_nS_ttl

    The hardest part about learning computer stuff is that it is much more efficient/useful if you are actually trying to solve a specific problem and have to deal with the entire end to end chain of hardware and software. So I am trying to mentally engineer a problem I think I can solve then try to cobble together a working solution.
