This is another of the W.O.O.D. series of semi-regular
Weekly Occasional Open Discussions.
(i.e. if I forget and skip one, no big)
Immediate prior one here:
and remains open for threads running there (at least until the ‘several month’ auto-close of comments on stale threads).
Canonical list of old ones here:
Or “You are not paranoid when they ARE out to get you” department…
I was looking around for online copies / PDFs of the Dr. Seuss books that have been removed from print. They are out there as copyright expired a while back.
Downloaded them… BUT… they did not show up on my desktop. Even opening a terminal window and doing an “ls” or “ls -a” didn’t show them. WT?
At this point there are a few possibles. Corrupt file system. “Hidden” files by the provider trying to be ‘cute’. Even a malware hack in progress.
Watching HTOP, not much happening. Disk “blinky light” seems a little more active than I’d expect, OTOH I’ve got swap on it so it does tend to be active. All this is on the Odroid N2.
On the Chromium Downloads page I can see them. Clicking the “show in file manager” (or whatever the exact text is) does open it. I can open them in some programs (like GIMP) but then saving another copy of it from GIMP fails to have that show up on the desktop.
Even logging in as root, dismounting the file system and doing an “fsck” doesn’t find anything wrong with the disk.
I do a logout / login as me again. At that point HTOP shows a brief episode of rsync running. To the best of my knowledge I have NO rsync process (but maybe SystemD does? It does strange things…) but suspicion is mounting.
So I’ve just shut it down cold.
This is S.O.P. for me. IF something odd is happening, just pull the plug once you are not sure what it is.
For now, the Odroid N2 is “cold metal” as is the disk on it.
Well, first off, this is where having a lot of my disks “shut off all the time” is very nice. IF any damage was done / will be done, it is highly limited. I’ve used the N2 as a daily desktop for a few months, but that’s it. Random browsing history may be lost. Potentially some saved memes, gifs, pdfs and a few saved videos. Not really much else.
A lot of stuff was done on “other machines” too. So all that is isolated and safe. (Now you know why you see me occasionally saying “and now I’m on the Foo Box!”…) The N2 is on the workbench along with the disk. I’ve moved the RockPro64 / Armbian back to Daily Driver. (My main ‘daily driver’ of many many months, the Odroid XU4 has been off for a few weeks now, so all that is isolated too).
I’d made 3 chips for the RockPro64. Two are Armbian (one of them an Armbian Ubuntu) and one is a Devuan Buster. The Buster is the most pristine, but I’m presently running the Armbian Ubuntu. I’d used it as a desktop for a month or so some while back, so it’s mostly “as I like it”. I’m also not that fond of Ubuntu so if I mangle it too I won’t care as much ;-)
So the “good news” is I did my usual of “swap machines and stay running” and I’m “back in business” after only a brief outage. The RockPro64 is a very nice machine. Not as fast as the N2, but quite fast enough.
The “bad news” is that I’ve got a Forensic Recovery to do on the Odroid N2 and disk. That can take a while…
Then there’s both good and bad news there. The N2 Chip was backed up not that long ago, and it’s just a generic Armbian install anyway. I can, if I so choose, just reflash it and bring it up to date. “scrub that puppy” as it were. The real risk, though, is those files that can’t be seen on the hard disk. If persistent embedded malware, that’s “format the disk” time.
But what about the data saved on it?
OK, remember some many many months ago I did an experiment with squash file system read only /usr and such?
Well what I get to do now is “pick a chip” out of my stash and put a Brand New OS on it on a R.Pi M3. Then convert it to that squashfs overlay file system format so none of the relevant system spaces can be written. I’ll need to leave /var writable (I think…) and /tmp, but beyond that I ought to be able to lock it up tight.
Using that system, mount the hard disk RO (Read Only). Then carefully pick out only what I want to copy off to somewhere else (another isolated disk until I can assure it isn’t buggered in the copy process) and after that, hard format and erase the disk partition.
FWIW there are some things that try to survive a reformat, so what I tend to do is format the partition in a couple of different ways. So once as “linux-swap” and once as FAT and once as UTF and then back to EXT for linux. That scrambles the bits pretty well ;-)
Then I’ll put a new OS on the N2 and see if things are back to acting normal.
It will likely be a few days as this is a lower priority recovery task. This is why I have a “few extra” SBCs and several chips for each. Any hardware, software, or intrusion suspicion can just be “flowed around”. Take it off the network and powerdown. Boot something completely different.
Is this overkill for a few files that just got marked strange in the file system? No, I don’t think so. A classic thing to do is spike a download with some crap and then try to disappear it in the file system. Waiting to see if it encrypts your whole system or not is the wrong thing to do. Stopping it before it gets fully entrenched is the best.
Most likely IFF this is a “hack”, it is just in the phase where it tries to copy persistent entry code into other parts of the file system / systems codes. Not yet to the “doing damage” part. At that point, scrubbing and reloading everything ought to still be OK. But if it isn’t, doing that on a system where 95% of it is squashfs / locked and where it is isolated from the network is likely to save you grief AND has the potential to show it knocking on closed doors.
Now it (whatever “it” might be) also needs to do “Privilege Escalation” as I was just logged in as a ‘regular user’. That usually takes time and a decent amount of “trying things”. I saw none of that, so most likely nothing ever got more privs than “just me”. Which also limits where any malicious code might have spread itself. I think at most it could make a hidden copy in some other directory where I have write permissions, but that’s about it. (IF anything happened at all other than a file system fault…)
That “isolate to observe” is going to be my basic process “for a while” with that disk. I’ll reflash the OS on the uSD chip and reboot the system in isolation just to see what it does. After running enough time with “no bad thing” or even unexpected behaviours, I’ll put it back in service. I’ll also leave the (reformatted / reloaded) disk back in service on a squashfs armored disposable R.Pi system also off the network, and observe it for a while too.
EVENTUALLY, if I’m really comfortable that everything is square, I might move disk and data back onto the system. Note that I’ll be doing the data ‘copy off’ not via tools like “tar” that tend to take the whole file system as given, hidden files and all, but one directory at a time as I inspect them for the unexpected and only via a cp copy of the visible files I want.
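The two checks described in this post, the “it opens by name but `ls -a` doesn’t list it” symptom from the download directory, and the later one-directory-at-a-time copy-off of only the visible files, can be scripted so the inspection is repeatable. The script below is an added example, not the post’s own tooling: the functions `find_unlisted`, `inventory` and `copy_visible`, the sample tree built by `build_sample_tree`, and the expected-names list are all constructed here. It assumes the suspect disk is already mounted read-only on a clean system and that you point it at one directory at a time.

```python
"""Inspect a recovered directory tree and copy off only the visible regular files.

Added example for this post; not the author's tooling. Run from a clean system
with the suspect disk mounted read-only, one directory at a time.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def find_unlisted(dirpath, expected_names):
    """Names the kernel will lstat() but os.listdir() does not return.

    A file that a program can open by name (e.g. from the browser's download
    record) yet is missing from the directory listing is the "downloaded but
    not in ls -a" symptom: filesystem damage, or something interposing on
    directory reads. Names that do not exist at all are simply gone and are
    not reported.
    """
    listed = set(os.listdir(dirpath))
    unlisted = []
    for name in expected_names:
        if name in listed:
            continue
        try:
            os.lstat(os.path.join(dirpath, name))
        except FileNotFoundError:
            continue
        unlisted.append(name)
    return unlisted


def inventory(root):
    """Walk root without following symlinks and bucket entries worth a look.

    "dotfiles" overlaps the other buckets: a hidden regular file shows up both
    there and under "regular" so neither view loses it.
    """
    buckets = {"dotfiles": [], "executables": [], "symlinks": [],
               "special": [], "regular": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode
            if name.startswith("."):
                buckets["dotfiles"].append(rel)
            if stat.S_ISLNK(mode):
                buckets["symlinks"].append(rel)
            elif stat.S_ISREG(mode):
                if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                    buckets["executables"].append(rel)
                else:
                    buckets["regular"].append(rel)
            elif not stat.S_ISDIR(mode):
                buckets["special"].append(rel)  # device, fifo, socket: not expected in a data dir
    for key in buckets:
        buckets[key].sort()
    return buckets


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_visible(src_root, dst_root):
    """Copy only visible, non-executable regular files, skipping hidden dirs.

    shutil.copyfile() writes contents only: mode bits, xattrs and timestamps
    do not come across, so nothing rides along on the file's metadata. Each
    copy is hashed on the destination and compared with the source, and the
    resulting {relative_path: sha256} manifest describes what actually landed.
    """
    manifest = {}
    for rel in inventory(src_root)["regular"]:
        if any(part.startswith(".") for part in rel.split(os.sep)):
            continue
        src, dst = os.path.join(src_root, rel), os.path.join(dst_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copyfile(src, dst)
        manifest[rel] = sha256_of(dst)
        if sha256_of(src) != manifest[rel]:
            raise IOError(f"copy of {rel} does not match source")
    return manifest


def build_sample_tree(src):
    """Constructed sample data standing in for a recovered download directory."""
    os.makedirs(os.path.join(src, "sub"))
    os.makedirs(os.path.join(src, ".secretdir"))
    files = {"a.pdf": b"abc", "sub/b.txt": b"", ".hidden": b"dotfile",
             ".secretdir/c.txt": b"in a hidden dir", "run.sh": b"#!/bin/sh\necho hi\n"}
    for rel, data in files.items():
        with open(os.path.join(src, rel), "wb") as f:
            f.write(data)
    os.chmod(os.path.join(src, "run.sh"), 0o755)
    os.symlink("a.pdf", os.path.join(src, "lnk"))


def demo():
    """Run all three steps over the constructed tree; returns their results."""
    base = tempfile.mkdtemp()
    src, dst = os.path.join(base, "recovered"), os.path.join(base, "clean-copy")
    build_sample_tree(src)
    unlisted = find_unlisted(src, ["a.pdf", "never-existed.gif"])  # assumed download-record names
    buckets = inventory(src)
    manifest = copy_visible(src, dst)
    shutil.rmtree(base)
    return unlisted, buckets, manifest


if __name__ == "__main__":
    unlisted, buckets, manifest = demo()
    print("unlisted:", unlisted)
    for key, items in buckets.items():
        print(f"{key:12s} {items}")
    print("copied:", manifest)
```

On the real disk you would feed `find_unlisted` the file names from the browser’s download record and point `copy_visible` at the destination on the isolated disk; anything that turns up under `special`, `executables` or `symlinks` in a plain download directory is worth reading before it gets copied anywhere.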
Yes, that will take a lot of time. It doesn’t really matter though as my “work habits” have me equipped with 3 or 4 very serviceable system images for each of 3 or 4 main Daily Driver SBCs and 95%+ of all data archived off on other disks that are powered down. So basically I’m “back in service” with almost no interruption already. Meaning the “other stuff” can go slow-boat and not matter.
This is one of the great benefits of the small SBC approach to Desktop Computing. A new system / complete system image costs about $10 for the uSD card, or less than a ¢ of hard disk archive space. Swapping cards is trivial compared to moving PC Hard Disks, and having saved data scattered over 1/2 dozen external USB drives keeps it highly compartmentalized and secure in the face of any Aw Shit. All while it’s fast and nearly trivial to plug a disk into any given SBC and have access to the data when needed.
Bottom line is that my worry level is near zero, and the needed work entirely not urgent at all, while it is something that I find interesting to do. Later…
Once I’ve got things locked down and can launch the browser on that system again, I’ll note the sites I visited and post them. (I’ll also likely ‘try again’ one at a time with a completely ‘disposo-system’ to verify that the same thing happens). But don’t expect that for a few days.
Things of interest
Many of these items were found on Bongino’s site:
Second NY Newspaper Editorial Board Calls for Gov. Cuomo’s Resignation
Biden to Sign Voter Registration Executive Order, Pushes Senate to Pass HR 1
Trump Promises to Travel to Alaska to Campaign Against Sen. Murkowski
Texas Gov. Deploys National Guard, State Troopers to Respond to Growing Border Crisis
Trump Sends Cease and Desist to RNC, NRCC, and NRSC for Using His Name to Fundraise
Senate Passes $1.9 Trillion Coronavirus Relief Bill
So we’ve got 2 Dim. Govs in trouble. Nuisance in California facing recall, and Cuomo getting the Bimbo Eruption problem. Nice ;-)
The Dimocrats are wasting no time in trying to lock down fraudulent elections for all future time. It will be interesting to see how many RINOs vote for it too. We will know who wants fraud based on their vote.
Murkowski is about to learn how much she stepped in it…
Texas is not going to put up with a chaos-at-the-border moment.
Then Trump telling the RINOs to stuff it? I wonder what that’s about…
And it looks like we’ve got another few $Trillion of “Relief To Leftist NGOs and well connected $Billionaires” with a small touch taken from your tax pocket and put in your hand to hide the theft.
The “Worldometer” has the USA (and California) reaching a lower level plateau as the new cases stabilize lower. California, where supposedly some new horrible unstoppable mutant is running rampant, had 4211 new cases. About the same as June 17, 2020 when this was just getting started. Somehow I’m not seeing the need to panic… It looks to me like we are in the “coast out” phase after the big hump.
And of course I’m wondering just how the insane ended up deciding what’s acceptable in the culture. This “woke” crap is just crazy town. Dr. Seuss for having an Asian character with yellow skin and slanted eyes? Isn’t that a common cartoon extreme characterization? Like Irish with red beards and leprechaun hats / coats? Like English with a top hat, monocle and tails?
What do they want from a book that has talking cats and miniature worlds only an elephant can hear? Photo realism?
I’ve decided that any time I experience this “in my face”, my response will be something along the line of “That’s Bull Shit.” or “Do you really believe that crap?” depending on circumstances.
I’m done with just ignoring it. Push-back, it’s a thing. If we’re lucky, they will reach mental exhaustion and adrenal fatigue and collapse in a whimpering heap. Drive them to the wall with emotional fatigue. I’m also considering, for polite environments: “Frankly My Dear, I just don’t give a damn.”…