sindro.me - everything

Pallido Puntolino Azzurro (Radio)

2014-09-15T17:32:00Z

L’immagine qui sopra è un’immagine radio del Voyager 1. È stata scattata dal VLBA, un sistema di dieci radiotelescopi distribuiti dalle Isole Vergini alle Hawaii, vale a dire 8600 km di radiotelescopio (!).

Quel puntolino azzurro è l’oggetto più distante mai costruito da noi umani: si trova a 15 miliardi di chilometri dalla Terra. La potenza radio del Voyager 1 è di 23 watt, ma data la distanza il segnale che rileviamo ha una potenza di un miliardesimo di miliardesimo di watt (1 attowatt).

Questo flebile segnale è l’unica informazione che proviene da una sonda che ha lasciato il nostro pianeta trentasei anni fa.

Non è sufficiente solo rilevare il segnale radio, dobbiamo riceverlo proprio come si riceve una stazione radio o una chiamata cellulare. Questo richiede una sensibilità ancora maggiore, ed è per questo motivo che usiamo i radiotelescopi per comunicare con il Voyager.

Dobbiamo essere in grado di ascoltare i suoi quasi impercettibili messaggi, e inviare indietro risposte radio potenti e a fuoco a sufficienza perché il Voyager possa riceverle.

Il Voyager è stato il primo manufatto umano a raggiungere lo spazio interstellare. Ma poiché lo spazio è tanto, tanto, tanto vasto, il Voyager ha solo appena iniziato il suo viaggio verso i confini esterni del sistema solare. Alla fine riuscirà ad uscire completamente, perché va abbastanza veloce, ma il diverrà silenzioso molto tempo prima: tra 10 anni al massimo non avremo abbastanza potenza radio per inviare messaggi e controllare i suoi strumenti.

Il Voyager non solo è arrivato nello spazio interstellare, gli strumenti a bordo non hanno solo rilevato l'uscita dall'eliosfera, ma il Voyager ha anche telefonato a casa, informandoci che era uscito nel giardino. È un risultato strabiliante.

Questo pallido puntolino azzurro, un tremore radio in un cielo oscuro, è parte di noi.

È un computer nucleare pesante 800 Kg, grosso come un’automobile, che abbiamo lanciato nello spazio per esplorare il sistema solare. La nostra curiosità ci ha spinto a crearlo, e la nostra intelligenza ci ha permesso di costruirlo. E dopo un viaggio di 36 anni nello spazio interstellare, continua a comunicare con i suoi creatori.

Un pallido puntolino azzurro... che ne guarda un altro.

Originale in inglese: Brian Koberlein, https://briankoberlein.com/2014/09/15/pale-blue-dot/

Avevo un amico pittore

2014-07-30T19:00:00Z

I nostri punti di vista erano differenti, ma comunque apprezzavamo le stesse cose. La bellezza dei fiori, ad esempio.

Un giorno mi disse “Guarda quanto è bello questo fiore. Ma non dire niente. Se tu adesso iniziassi a descriverlo con la tua mente analitica e scientifica, ridurrai questo fiore a qualcosa di meccanico e banale.”

Non ribattei.

Pensai.

Prima di tutto, il fiore era davvero molto bello. E la bellezza che lui vede è disponibile a tutti e anche a me. Le sfumature, le forme, le fragranze. Allo stesso tempo, posso immaginare le cellule e le delicate interazioni tra esse, fino ai meccanismi subatomici della pianta, che ci donano l’ossigeno che respiriamo.

Anche queste cose hanno una loro bellezza.

Non c’è solo la bellezza alla dimensione di un centimetro, c’è anche bellezza a dimensioni più piccole. Oh, e i processi.

Ad esempio, i colori dei fiori si sono evoluti per attrarre gli insetti. E questo significa che gli insetti vedono i colori.

E' interessante. Vuol dire forse che quindi gli insetti hanno senso estetico?

Tutte domande interessanti, che aggiungono bellezza. Io proprio non capisco come queste domande che provengono dalla scienza e dalla conoscenza possano sottrarre e banalizzare.

— Libera reinterpretazione di Richard Feynman, da https://www.youtube.com/watch?v=cgraCYOQJl4

The answer to Life, Universe and Everything

2014-07-01T07:27:00Z

Tenzin Gyatso, il Dalai Lama: "Se la scienza smentisse qualche credenza del Buddismo, allora il Buddismo dovrà cambiare. Nella mia visione, la scienza e il buddismo sono entrambe ricerche della verità, per comprendere la realtà. Imparando aspetti della realtà meglio compresi con la scienza, io credo che il Buddismo arricchisca la sua visione del mondo" (fonte).

Mi trovo concorde con questa visione. Mi risuonano in mente anche le parole di Einstein "Sono abbastanza un'artista da disegnare liberamente con la mia immaginazione. L'immaginazione è più importante della conoscenza. La conoscenza è limitata. L'immaginazione abbraccia il mondo".

Da sempre siamo alla ricerca della verità. Nel tempo le nostre capacità tecniche sono avanzate, permettendoci di leggere i libri geologici e cosmici che ci hanno circondato da sempre, e di cui abbiamo sempre avuto distacco e paura.

Abbiamo compreso e metabolizzato i nostri limiti, e con la nostra immaginazione abbiamo ideato e costruito macchine e tecnologia atti a superarli. La nostra realtà è sempre stata piena di elementi invisibili ai nostri occhi, che abbiamo cercato di raggiungere e spiegare con i nostri mezzi limitati.

Questa continua ricerca è stata per tanto tempo anacronistica e presuntuosa. Siamo rimasti delusi. Pregni della nostra incapacità di capire, abbiamo inventato spiegazioni per soddisfare i nostri bisogni, costruendo noi stessi quelle fonti della verità di cui avevamo tanto bisogno.

Questo approccio può sembrare innocuo, ma leggendo la storia troviamo l'inquisizione del mondo cristiano, l'annullamento della matematica nel mondo arabo che perdura ancora oggi - opprimendo un popolo, il moderno Scientology e il metodo Stamina.

Non lasciamo che la nostra delusione fermi la nostra creatività e immaginazione. Personalmente, ho raggiunto una forte consapevolezza di me e dell'universo in cui vivo, e che è dentro di me. Vi ho trovato completezza, fascino e bellezza, unita alla certezza di star attingendo da una fonte di verità non fatta da una persona sola. O da una filosofia sola.

La vera verità è quella scritta nel grande libro della Natura. Le parole di questo libro sono l'elettromagnetismo, le forze nucleari, l'equivalenza di materia ed energia, la danza cosmica orchestrata dalla gravità, le stelle che bruciano nelle curve dello spaziotempo, forgiando gli elementi di cui noi siamo composti, percorrendo la freccia del tempo seguendo la legge universale dell'entropia.

Entropia: da ordine a disordine. Tutto si muove seguendo questo intrinseco "bisogno" di equalizzazione: dalla tazza di tè che si raffredda tra le tue mani, dall'energia del Sole immagazzinata nel legno, restituita dal fuoco e poi ridotta in cenere, al Sole che smetterà di bruciare tra cinque miliardi di anni, all'intera galassia che si disperderà nel cosmo, allo spaziotempo stesso che si dilaterà all'infinito.. in un futuro lontanissimo.

Questi pensieri sono il mio personale Graal, che ho trovato e che come un sogno condivido con voi, perché sono potenti e danno forza. Forza di superare i nostri limiti miscelando conoscenza, immaginazione, pensiero e consapevolezza di sè.

La mia personale filosofia costruita negli anni, mettendo assieme tanti pezzi di un puzzle, che adesso inizia a mostrare un disegno e a dare delle risposte. Un puzzle che un giorno sarà completo.

Il mio personale consiglio è adesso di dimenticare tutte queste parole e di partire. Partire nella lettura del libro di Natura, attraverso la fisica.

Nessuno è un messia, nessuno è in grado di fornirti la verità su un piatto d'argento. Chi è convinto di farlo è vittima stessa della delusione, e cerca nel suo seguito una conferma.

Lo so bene perché lo faccio anche io.

Buon viaggio.

Science and Religion: it doesn't work

2014-06-23T00:28:00Z

#Science and #religion are both humans searching for truths. The two differ in their methods: in religion faith is a virtue, in science it’s a vice. This makes the two fundamentally incompatible.

Why does this matter? Because religion is the most venerable superstition – and the most politically and financially powerful, because believing blindly fundamentally weakens our concept of truth.

Religion’s inability to find the real truth then produces things such as the oppression of women and gays, opposition to research, denial of vaccines, and of course all those wars, suicide bombings and religious persecutions. And fear of comets.

Let’s move on.

Il vero sistemista

2014-02-28T03:38:00Z

di Franco Lanza

Il vero sistemista e’ un po’ come il meccanico di una volta, quello che se gli portavi la macchina per rifare la convergenza e quando arrivavi sentiva che il minimo non andava bene, ti faceva la convergenza, e giustamente la pagavi, ma poi ti sistemava anche il minimo e non ti chiedeva nulla, lo faceva perche’ non sopportava di sentire una macchina che non era a punto come si deve.

Era quello che da ogni minimo e impercettibile rumore indovinava subito qualsiasi problema, anche quello di cui il cliente non si era ancora accorto.

Era quello che dopo cena a casa con la famiglia, tornava in officina, dove potevi vedere le luci accese fino a notte tarda, perche’ stava lavorando al “suo” gioiello, una qualche macchina semi d’epoca recuperata chissa’ dove che con passione piano piano sistemava fino a farla tornare nuova.

Ecco, il sistemista e’ come quel meccanico, e le sue auto sono i server.

Fonte: VeteranUnixAdmins

goto fail;

2014-02-28T02:29:00Z

In its own words:

Sources: 55179.13.c, 55471.c

Source code differences between two consecutive versions of the Security.framework, a MacOS/iOS component. The seemingly innocuous extra goto fail; is the cause of a severe security flaw in most Apple products.

This weekend I didn't code

2013-12-01T05:37:00Z

Because I have been busy doing this:

Install node.js via APT on Debian Squeeze

2011-09-12T10:48:00Z

Abstract: add SID APT source, configure APT Pinning to give squeeze packages priority over SID ones, rebuild the nodejs package under squeeze.

Add SID APT source by creating /etc/apt/sources.list.d/sid.list (use your nearest mirror):

deb http://ftp.us.debian.org/debian/ sid main
deb-src http://ftp.us.debian.org/debian/ sid main

Configure APT pinning by creating /etc/apt/preferences.d/sid:

Package: *
Pin: release a=unstable
Pin-Priority: 50

Install the latest version of libv8 manually, libv8-3.8.9.20 at the time of writing this:

apt-get install libv8-3.8.9.20

Download the nodejs package sources, dependencies and build them:

cd
apt-get source nodejs
apt-get build-dep nodejs
cd nodejs-*
debuild -nc -uc

If you encounter build-dependency errors, you should try first to lower the dependency in debian/control, both in Build-Depends and in Depends and re-run debuild. If the build fails (e.g. with undefined reference to `ev_run') the previous version is missing required functions. So, you must install the updated versions of the required dependencies (e.g. libev4) from sid, using apt-get install name=version e.g. libev4=1:4.11-1. I suggest this because you’ll have to manually update packages installed from sid, so the lesser, the best.

Install the generated package

dpkg -i nodejs_*.deb nodejs-dev*.deb

Profit :-)

Binding 80/TCP as non-root on your development server

2011-07-07T12:11:00Z

neo-tux by sagarkshetri.com.np

So you have a Linux VM you use for development, because you want to mirror the production environment as closely as possible. You have many applications to deal with, they have to be running at the same time because they are nifty REST JSON web services.

You are very tired to remember which one you put on port 8081, and your configuration files slowly become a real mess. So you set up IP address aliases in for the network interface and decide to assign even host names – /etc/hosts is just fine – for each app.

Then, in such a setup, why would you still need to run them on ports higher than 1024? Wouldn’t be just great to type the application name in the browser address bar? Indeed it is, but it’s better to not run them as root, anyway.

The solution are Linux capabilities (see also here). The one that interests us is cap_net_bind_service: it gives a process the right to bind well-known ports (< 1024). If you use an interpreted language, of course you’ll have to add the capability to the interpreter itself. That’s why there’s development in the title of this article – you should not set this up on a production server, if you don’t know what you are doing.

One final quirk: if you happen to dlopen() shared objects that dynamically link towards libraries outside the canonical paths, you cannot load them via LD_LIBRARY_PATH (e.g. the SYBASE.sh) as it is ignored for setcap-ped processes. You should better move the library paths into an /etc/ld.so.conf.d snippet.

tl;dr

Assuming you are the latest and greatest rails developer, you should become root – or use sudo, as you wish – and

# YOU ARE ON YOUR DEVELOPMENT MACHINE
setcap cap_net_bind_service+ep `which ruby`

Profit:

thin start -a yourapp -p 80
>> Using rack adapter
>> Thin web server (v1.2.11 codename Bat-Shit Crazy)
>> Maximum connections set to 1024
>> Listening on yourapp:80, CTRL+C to stop
...

PH-Neutral 0x7db

2011-07-02T15:46:00Z

“If it is good, they stop making it”, the payoff printed on the conference necklaces, distributed to every participant, along with an über-l33t badge customized with our nickname and the key hash.

Being my first experience at an international security conf (I’ve only been to the ccc2k+7 camp), and being a ph outsider ‘cause I never participated to previous editions, the boot keynote held by FX, staffer and frontman, has been enlightening: “you ought to be here!”, he yelled while pointing at the stage, wearing a white shirt with the Phenoelit logo printed on both arms.

“This conference has never started on time”, he continued, “so there was no reason to do that for this last one”. the schedule is straightforward: party, the next days talks from 12.00PM to 7.30PM, then party, and the last days talks from 12.00PM to 5.30PM. definitely a setup well-playing with the available alcohol :-D.

Afterwards, another speaker informed us that the wi-fi access keys we received at the registration allows us to use a 6 APs/3 repeaters beast driven by an OpenBSD box – they want the audience to hack it because, well, “you are the Worst Case Scenario.” :-)

Then, the funny Hacker Hacker video was presented:

:-D

After a lousy and not so exciting first night (due to tiredness), we’ll wait and see what the next day would bring.

Sniffjoke – a sniffer-evasion toolkit

High capacity sniffers used in big cos and on border national gateways that collect user generated traffic on order to find possibly “criminal” patterns are today generally available for bandwidth to the 10Gbps, there will be soon appliances that’ll process streams of 100Gbps. Sniffjoke, by vecna and evilaliv3 is a tool that can inject into TCP connections outsider packets that will fool the intercepting sniffer but with no remarkable effect on the receiver. these packets for instance trick the sniffer into thinking that the connection has been reset even it is not true – by injecting a wrong-checksummed RST or a packet with a TTL less than 1 of the hop count – or try to consume its processing power by using known vendor-specific interpretations of the TCP RFC. Details: website, slides, wireshark thread.

WLAN router horror stories

Did you ever woder what happens when the wireless network password is directly tied to the device MAC address, from which it can be inferred because it is part of the essid? horror stories, as the an Austrian (ViBi) and a German (5M7X) researchers showed us. many carriers who sell wifi equipment ship it with similar vulnerabilities, as also mayhem and cyrax show us in this video (italian only)

We’re talking about a technology whose potential is not maximized, as a result leads to flawed the security measures, because of bad engineering and misleading instructions: some wifi apparatus manuals even recommended the user to never fiddle with the configuration and leave the default passwords in place. clever. Other examples of bad engineering include making the network key the last 4 bytes of the internal eth MAC address and then broadcasting that MAC via a multicast packet sent to 224.0.1.0 (Samsung G3200 / G2210 / G3220).

Other companies, such as the synchron who produce the easybox has a patented way to provide a key recognition method, and direct correspondence between the mac and the key seed. eventually, there are even companies who sell their devices with the management SSHD open on the external interface, and who base the network key entirely on the internal MAC. Couple it with default passwords and you get the picture.

If you want to know more, you should get some armory and either reverse engineer the algorithms yourself, or participate to security conferences and ask the researchers for the slides :-). Once the industry will be ready, all the details will be revealed.

Hacking TETRA

Held by Harald Welte (@laf0rge), member of the gnumonks.de crew, the talk described a terrestrial radio communication technology that is similar to GSM but runs on lower frequencies of the spectrum, thus achieving wider coverage with less transceivers. TETRA employs ways to authenticate and encrypt communications, features a signaling channel over 140-chars messages are exchanged and identifies each user on the network using the match between the subscriber number and the terminal one.

TETRA is widely deployed over the world as a communication medium for public transport, public safety, firefighters, etc. it is a technology suitable for these uses, but laforge correctly reminded us that even if the tools allow us to implement secure networks, often the implementations of such tools is ineffective and prone to breakage.

He showed us how the signaling on the network works. He started by first showing us packet dumps in wireshark, thanks to chinese hackers who wrote the dissectors. He was also able to associate to a tetra network used by BVG, the german public transportation system, and listen to a call between the headquarters and all train drivers: the former was asking the latters to push a button contemporarily. Yes, sir: in the 21st century you still need people to do that. Awesome. If you want to build your own, you should first learn how radio communication works, buy yourself a FUNcube dongle and check out the OsmocomTETRA project. An introduction is available on heise.de.

Printer Hacking

Find vulnerability into a printer management interface, write a java applet that exploits it, define hooks to drive it from Javascript, and your web-based printer vulnerability scanner is done!

I missed the first part of the talk, so I don’t have the details, but as the speaker told me later when I asked him how it all fitted together, “it’s everything on the paper!” so just RTFM here :)

Chip & PIN is definitely broken

Moving on in the list of badly-implemented technologies, nowadays credit / debit cards are vulnerable to a typical downgrade attack when it comes to validating the PIN. There are different types of chips, ones that only allow plaintext authentication between the POS and the chip, others that employ a challenge-response mechanism, and almost every one of them allow the PIN to be validated online with the bank.

No matter what, the SIM exposes an interface to the card readers, that can be queried and whose communication can be eavesdropped by an intercepting device. Because cards must be backwards-compatible with existing POSes and viceversa, such an intercepting device is able to alter the advertised capabilities of the card and force the POS to use plaintext authentication, and then intercepting the pin as the user types it.

Such a skimmer is a 4×4cm device, that can be installed inside a POS or an ATM, thus possibly going unnoticed for a long period of time. And even if there are insurances that cover you against these frauds, if you’re a frequent traveller, you can hard time in demonstrating you were a victim, both because the card number and pin match, and because this is now considered as a “secure” technology that cannot be broken.

Thanks to Andrea Barisani and Davide Bianco for making us aware of the downgrade flaw. If you want to know more, here are their slide published on their company site, inversepath.com.

FreeBSD kernel exploitation

As years go by, stack smashing is still alive and powerful, as argp explained during his talk. CVE-2008-3531 is a known vulnerability of the FreeBSD kernel that allows code execution in kernel space, whilst the UMA – FreeBSD’s memory allocator – has known flaws in it as well.

Without going into deeper details, the main issue here is the “if it ain’t broken, don’t fix it” approach employed by many system administrators when it comes to production machines: as a result, they do not get updated for years. Maybe it’s not broken today (if ever, ya’now 0dayz?) but it will be broken tomorrow, and you’ll get pwned if you do not keep up to date. WORD.

Advances in win32 ASLR evasion

When I think about Microsoft products, I always feel that they’re not built to be used by people, because it looks to me that coders who write them never care about using them in the first place. They do not eat their own dog food. just go on and try to use IE developer tools and you’ll get the point.

Their software is written for business, it must match some higher-order requirement agreed by some random manager 7 layers up in the hierarchy, and very often it fails to implement them correctly. Thus, as JF pointed out during the talk “Microsoft has spent a lot of money fixing the exploitation problem, but they only created more of them”. Word, dword and qword! :-)

ASLR is a mitigating factor for exploits that assume the return address of vulnerable code lies in at a well-known address in memory. These locations are used to compute where to write the shellcode in order to trigger its execution after exploitation. If the return address gets randomized (thus Address Space Layout Randomization), then the exploit will just crash the vulnerable software by making it reference an address outside its space.

Problem is that, for some obscure side effect, for each 16 threads you create, if their base address is even (0x02xxxxxx, 0x04xxxxxx), 13 of them will end up being based at a known location, thus making ASLR ineffective and bypassed. PWN!

Check JF slides out here – thanks for sharing @not_me!

JF apologized at least 4 times before ending up closing its laptop and ending the presentation with vodka and gin, because he said that he did not do a good work in explaining but, as I also told him later, he was more than effective: it’s not easy at all to understand how all the side effects played together. Only he that was on this stuff for months was able to see the patterns in addresses and convey a successful exploitation of an ASLR-protected process. Enlightening!

Modern heap exploitation using the low-fragmentation heap

I’m no MM guy and I didn’t get most of the concepts of the talk, but its abstract is very explanatory:

Heap memory management has matured over time, but with complex new code comes new opportunity for exploitation. This presentation will focus on understanding the Low Fragmentation heap on Windows 7 (32-bit). After a foundation of integral concepts is laid, new exploitation techniques will be thoroughly discussed. Finally, we will use this new found knowledge to leverage supposed non-exploitable vulnerabilities. Specifically we will cover a case study showing how to craft an exploit for the IIS FTP 7.5 denial of service (http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-= unauthenticated-denial-of-service-vulnerability.aspx-= unauthenticated-denial-of-service-vulnerability.aspx), resulting in full control of EIP.

What is interesting is that in order to use a memory allocation optimization subsystem to do what you want, you have to mix and match 7 different attack primitives, understand thoroughly how the block allocations are made and how they interact with the host CPU. As well as battle with all the side effects in order to write in the program counter the address you want to execute. “@You say JMP, we say what addr@”, a T-shirt was correctly stating in front of me. :-)

Incredibly complicated as it sounds, Chris Valasek was able to find, exploit and explain the vulnerabilities, with a mental exercise that is both brilliant than inspirating: always dig deeper, and you’ll be able to reach any goal.

Here are Chris’ slides, but you’ll have to enable Flash unfortunately.

Exploiting the Hard-Working DWARF: Trojans with no Native Executable Code

Could you ever imagine that in every GCC-compiled binary may lie a complete virtual machine subsystem, that gets invoked on every call/ret and has the ability to read and write the heap and every cpu register? indeed it is, and it’s called DWARF, a debugging instrumentation used by GDB to help the developer debug his/her software.

“It’s a DWARF and ELF story…” LOL! :-D.

What’s interesting is also that DWARF code is not considered by analysis tools as being part of the object code of a binary, thus making it an injection vector to attach trojans to a binary. Moreover, DWARF is platform and architecture independent, being a finite-state machine on its own: a DWARF-based trojan can be used over multiple platforms and attached to any ELF binary.

If DWARF code is present, it gets executed for each function called and on each return, as the stack gets unwinded, and yes you can read and write the CPU and on the heap. Neat. For all the details, check the whitepaper out.

Here we see an example of hobby-ism and poor project management on the GCC side – no offense intended of course – but such a crafted and complex subsystem ends up being available in the vast majority of OSs, possibly making up an infection vector.

I infer this because DWARF is an obscure, undocumented, cargo-culted piece of code written because somehow today and tomorrow the GDB devs needed instrumentations, and GCC devs built in an excessively powerful tool to support them, but said tool can then be abused and no one really know how the first releases work – unless you skim through random posts on the GCC mailing list. More recent releases are pretty documented, though.

Funnily enough, I think to support GDB, even the LLVM compiler infrastructure, built with clean design from the ground up, uses DWARF! That said, the moral of the story is that ugly hacks today, will call you for trouble tomorrow – or the next day.

Party! (Music Here)

- “hey man, are you the guy behind the openbsd box acting as an host AP for the ph wifi network?”
- “yeah, I am”
- “may I ask you a root shell?”
- “you want… WHAT?”
- “yeah, you know, I’d like to issue ifconfig, brconfig, pfctl -s, ls -lrt /etc | tail, stuff like that – just to see how the thing works :)”

Kudos to the OpenBSD panda, that didn’t give me a shell, but illustrated me how the dorepanda access point “cluster” works, creating a network that spans all the 802.11b/g and n spectrums. It load balances clients between the APs, using cryptography to verify the AP identity and trying to prevent eavesdropping.

- “man, you are actually a grey beard at a security conference!”
- ”... so what?!”

... and then you talk with a 20-yrs experienced DBA that tells you “Oracle is flawed by design” and you chat with him about how the security scenario has changed over the years.

- “nothing really changed, it just got more complicated along the way”
- “you mean, the bottom line is always you have to snatch some shellcode in memory and then find a mean to execute it?”
- “exactly – you may have an NX bit, ASLR and canaries, but there’s alway a way around it.”

A good sysadm friend of mine told me similarly, in terms of “as long as I read enough documentation, I’m able to set up and deploy whatever system. no challenges anymore.”

To me, confs like this one make you wonder, think and activate mental circuitry that stimulate your passion: you see brilliant humans solving tricky problems, walking deeply into details and actually learning new things in the process. human beings whose model of the world includes sequences of interactions happening inside the machine. Like a skilled netadmin recognizes AS numbers from netblocks, a kernel hacker learns to recognize portions of the address space: he/she literally breathes within the operating system.

It amazes me how I found strong matches of Jeff Hawkins’ theory of intelligence (TED video) in hackers’ minds. I talked about the HTMs paper to the folks I met, and I was surprised no one of them knew about a technology aimed at building intelligent machines by reimplementing the human brain’s cortical algorithm in silicon. For instance, Chris Valasek and JF talks demonstrate the basis of expertise: more and more you receive inputs from a context, the more your brain will be able to see deeper and complicated patterns, because they get moved lower in the cortex hierarchy, whose job is to recognize details – as they did with ASLR and the low-fragmentation heap.

- “sir, you are the only one wearing a tie in this hall”
- ”...”
- “so you must definitely work for Microsoft!”
- “ahem, no…”
- “ah, ok so my assumption was incorrect. sorry for bothering! :D”

At 5:15, it’s really better to get to bed, waiting for the next good morning!

Day 3 – 98% Zero-Day Virus Detection

After such a party, both the social engineering and Exploit Next Generation++ talks were a bit foggy, I ever failed to recognized the metasploit source code language (ahem). :-)

Then shirtie (@skjortan) on stage illustrated how you can use a Bayesian / MAXENT classifier to identify unknown, 0day malware.

Exactly like an anti-spam filter catches spam by first analyzing a training set, identifying the recurring patterns and then matching them with novel data, malware as well as spam has typical features that can be used to find it. For instance, the presence of a reference to the CreateProcess API or the absence of the <a href="http://en.wikipedia.org/wiki/Pentium_FDIV_bug">_check_fdiv</a> one, to whether the binary is UPX-packed or not.

The technology looks effective, it is not a replacement of a signature-based AV rather it is an augmentation, because it is prone to false positives, but it is the only that identifies unknown, 0-day malware – the one for which no signatures exist.

Offensive XSLT

XSLT is a language used to transform XML documents into another form, and it is a turing-complete language executed either in the server or in the client context. it is used both by content management systems and in client-side applications, the most prominent example being the index of a subversion repository.

Because XSLT is a (functional) programming language, it offers means to read and write files and to execute code. If the user input is not sanitized and/or the XSLT engine exposed, it can be used to pwn a machine. Of course, the abusable features can be turned off if they’re not needed, or alternatively wrapped with a secure API if they are. Check Nicolas Gregoire’s slides out here. Liferay users, you’ve been warned :-)

Final words

Thanks @nhaima for telling me about the conf and allowing me to have a grant (thanks nobody :)

Thanks @techdoer for editing the post – hopefully this is my first one without grammar errors :-D

Thanks @phenoelit and @41414141 for organizing the party (you’re da men), everyone who was there. I hope to see you soon on stage :). Yay!

Rome RSC 2011

2011-03-06T17:06:00Z

Thanks to @jodosha efforts and praising the former Javaday event, now renamed into codemotion that brought in Rome many Ruby developers from Milan, Padua and other parts of Italy – the first official Ruby Social Club in Rome has been a great success. Of course, officialty is measured only in the amount of twitter spam posted about it! :-): earlier RSCs in Rome go back in time to 2006 organized by current mikamai members and more meetups promoted by @jeko in 2007.

What matters is that there's a community, there's a passion, and there's love to share knowledge - no matter who holds the meetings, the important thing is that they're being held :-).

The event was simple and direct - some beers first, then my keynote on RVM and Ruby interpreters, then Luca's one announcing his minege.ms project and after real social networking :-). I met @gravityblast after much time we didn't meet, knew the PIP group and met @svarione, @punkmanit, @leonardoperna, @riggasconi @ogeidix and other smart people. Moreover, we spent quite some nice time together, making up a really lousy and funny week-end.
Of course, huge kudos to @nhaima's car - that tirelessly carried us around Rome for two days :-)

Now, looking forward to the next meetup, thanks everyone who participed, who offered me beers and, last but not least, thanks to @etapeta for bringing me in time at the meeting - you're the real hero :-).

*BSD onto a MacMini 4,1? No way. :-(

2011-01-04T17:20:00Z

I spent the last two days trying to set up the Aluminium Mac Mini (rev. 4,1) as a home NAS server with encrypted storage, and I wanted a BSD system on it. There’s already an embedded OpenBSD onto the soekris gateway, and another companion would have been nice. :-)

Guess what, there’s no way out:

FreeBSD 8.1 doesn’t complete the boot process, due to a bug in the SATA chipset, NV MCP89;
FreeBSD 8.2-RC1 boots but, due to the same bug, doesn’t recognize any SATA drive nor any USB umass device;
NetBSD 5.1 boots fine, handles SATA disks via the generic pciide driver (no DMA, thus quite slow) but, unluckily, doesn’t handle the BCM57762 ethernet controller. I tried with quick and dirty patches to bring the bge driver up to date with -current, but still no luck: the MII link detection works, the card transmits but doesn’t receive. The sdmmc controller as well works with -current but not with 5.1-RELEASE. ACPI works correctly;
OpenBSD 4.8 boots, can access the SATA drives without DMA, and recognizes the bge network card, but exposes the very same behaviour as NetBSD 5.1 with the -current driver fitted in;
DragonFlyBSD 2.8.2 doesn’t even enter kernel mode, I suspect due to ACPI bugs;
PureDarwin didn’t inspire me too much, due to the many blocking issues.

All of them support encrypted storage, I built up a NetBSD CGD disk flawlessly onto dk wedges; FreeBSD has got the interesting gbde(8) and geli(8) GEOM-based tools that I wasn’t able to test, while OpenBSD supports crypto via a softraid personality. Unluckily, support for the, nowadays, exotic Apple hardware is a no-brainer.

So, with no other way left open, I decided to go the Linux route, using the excellent sysresccd, that I elect today as the successor of the pld-linux rescuecd, companion of endless system recoveries :-). Anyway, you’ll need the 2.6.36 kernel to make it boot onto the MacMini4,1, due to the aforementioned MCP89 bug. Ethernet card and SD card reader work out-of-the-box.

Now, I’m playing with LUKS and, while I’m not that competent in cryptography, looks like it is more evolved than the *BSD counterparts, and anyway it is more versatile tool than the tools in OpenBSD and NetBSD. On the latter, having to set up GPT and DK Wedges to make the CGD and synch MBR and Disklabel to make the boot loader work (yuck!), everything coupled with rEFIt is quite a mess™. There’s a GPT loader for NetBSD but I hadn’t a chance to try it out.

I hope this information is useful to anyone who tries a similar adventure, comments are appreciated :-).

Learning about world cultures via Google Autocomplete

2010-09-16T18:58:00Z

Out of curiosity, I was looking how a browser interacts with the Google Instant backend. While looking the HTTP exchanges via Firebug, I first asked myself why they’re encoding HTML and JS with \xYY escape sequences, then why the very same JS functions are sent back and forth on every request, and later I stumbled upon the google.com/s?q=QUERY JSONp service.

Give it a query, and it’ll return the suggested related phrases that are used to build the menu under the search input while using suggestions and/or instant (didn’t dig too much in all the other parameters).

Anyway, what’s interesting is that, of course, the suggestions are customized on a per-country basis. To show the differences explicitly let’s ask the service the simplest query possible, a:

For Italy you’ll get:


$ curl http://www.google.it/s?q=a
window.google.ac.h(["a",[["ansa","","0"],
["alice","","1"],["alitalia","","2"],["alice mail","","3"],
["apple","","4"],["agenzia delle entrate","","5"],
["audi","","6"],["aci","","7"],["autoscout","","8"],
["atm","","9"]],"","","","","",{}])

hum, let’s scrap the JSONp and parameters out:


$ curl -s http://www.google.it/s?q=a | ruby -rjson -ne 'puts JSON($_[19..-2])[1].map(&:first).join(", ")'            
ansa, alice, alitalia, alice mail, apple, agenzia delle entrate, audi, aci, autoscout, atm

For the US you’ll get:


amazon, aol, att, apple, american airlines, abc, ask.com, amtrak, addicting games, aim

UK:


argos, amazon, asda, asos, autotrader, aa route planner, aol, apple, amazon uk, aqa

Ireland:


aer lingus, aib, argos, amazon.co.uk, argos.ie, asos, aa route planner, amazon, aldi, aib internet banking

Lastly, because I’ve been there lately and it has been a profound experience, Cuba:


asus, antonio maceo, amor, amigos, ain, antivirus, avira, alba, aduana, as

I’m sure @nhaima is smiling while seeing these words, because hell yeah, over there they really google antivirus software (avira is one of them) a lot because it’s a world without the Internet, thus without free software: you’re condemned in using Windows stuff, and you take what you pay for. Antonio Maceo has been an hero of the 19th century revolution, and it’s in the heart of Cuban people. Amor, Amigos! :-)

Anyway, looks like that simple queries like this really give an insight on what a population thinks and/or needs, because they’re surely generated by the search trends, thus are the “most searched words”. Am I discovering hot water? Maybe, but it was funny to rediscover it. Just make sure not to hammer the /s service with too many requests, because they’ll anyway be handled by the same cluster of machines, thus you’ll be banned early (I’ve been :-p).

Panmind spin-offs presented at Ruby Social Club Milan

2010-08-05T14:11:00Z

On July 22nd 2010, Mikamai hosted a Ruby Social Club in Milan, where nearly 50 people attended watching five speeches about Ruby, Web development and Startups. I was glad to be one of the speakers, and I presented a set of Rails plugins we spinned off from our latest (and greatest) project: Panmind (read more on the about page) and released as Open Source on GitHub.

The keynote is split in two parts: the first one explains why you should follow the sane software engineering principle of writing modular and interest-separated code and then how you could (and should) extract it from your Rails application by decoupling configuration and then prepare for the Open Source release, by writing documentation AND presenting to a Ruby event so, hopefully, someone else will write unit tests! :-)

We released an SSL helper plugin that implements filters (like Rails' ssl_requirement) but also named route helpers: no more <%= url_for :protocol => 'https' %>! You'll have something like plain_root_url and ssl_login_url - like they were built into the framework. Then, a Google Analytics ultra-simple plugin, with <noscript> support, a couple of test helpers and an embryo of a JS Analytics framework - hopefully it'll evolve into a complete jQuery plugin. Then, a ReCaptcha interface, with AJAX validation support and eventually a Zendesk interface for Rails.

We released also more code on Panmind's GitHub account, including the nifty AJAX Navigation Framework that implements all the boilerplate code for the ultra-fast AJAX navigation of panmind contents and projects.

The keynote follows, you can download it in PDF (no exploits, I swear! :-) from this link or view/comment it on slideshare here.

Final words: check out mikamai blog post on the Ruby Social Club to read the other keynotes (I will, hopefully, update this post with sum-ups of them when time permits :-)) and say hello on twitter or on GitHub if you're interested in contributing our open source projects or you want to work with us.

PS. The slideshare flash-based player sucks by design and relies on its app servers, on its CDN and on the S3 CDN to work properly - if any of these breaks, the whole thing will break. If you find it broken, download a PDF version of this keynote here.

On the iPhone PDF and kernel exploit

2010-08-04T10:36:00Z

As most of you already know, there are two open, critical vulnerabilities in iPhone OS versions from 3.x up. The first one resides in the Compact Font Format component of the PDF renderer and the second one an error in the kernel, allowing attackers to bypass the sandbox (SeatBelt) inside which applications are run on the iPhone.

The two vulnerabilities were discovered by @comex, @chpwn and other people.

Only few weeks later the .lnk design flaw on windows (guys, you’re using LoadLibraryW to load a damn icon!), these iPhone OS vulnerabilities are even more interesting, because of the way the release is being handled by the community and the vendor.

I spent 3 hours last night trying to find detalied information about the bug, and except confused (and propagandistic) blog posts the only bit of information is in this tweet, and in the actual pdf exploit running on jailbreakme.com. Where are the security lists posts? Where is the CVE? Even the CERT still doesn’t say anything about this vulnerability.

There’s something terribly wrong going on: the cat-and-mouse-game that is making the iphone-dev team researchers not disclose any of the vulnerabilities they find has become very dangerous for end users: an exploit that allows remote code execution and jail escape without no interaction whatsoever by the user, carried via something that’s used to consider “safe” (a PDF file) is what is called a critical hole; while the exploit that uses it is called a 0-day. It’s the first time in my life I see a 0-day packaged and distributed explicitly via a web site.

Anyway, the dev-team researchers did not have any other choice: if they had communicated with Apple prior to public disclosure, we wouldn’t have had a so easy jailbreak vector; OTOH now we have vulnerable phones and pads that can be very easily exploited by mailcious parties. It’s also funny that in order to be warned when a PDF is about to be loaded thus mitigating the risk, you should jailbreak your device and install the PDF Loading Warner afterhand.

My stand on this is that the real problem is Apple itself: they’ve crated a walled garden, outside any legislation, where they’re the absolute god and give and take whatever they want. It’s not gonna work forever. I really hope that people will understand think that it’s not the hackers’ fault, rather it’s the totalitarian companies’ fault, for not giving us control over the devices we buy from them. Hackers are only trying to liberate them, and it’s fair use under the DMCA, after all.

UPDATE 2010-10-05: I’ve posted a summary of this bug on the full-disclosure mailing list – you know, if it’s not on FD no one would think about it :-).