Tuesday, January 12, 2016

The Mythical STEM Shortage

Long ago, there were Personnel Managers.  Nowadays, there are Human Resource Managers.  As an engineer or scientist, you are a consumable resource, just like oil and electricity.  You are used to make a project work and once the project is done, you are not needed anymore and you will be laid off.  

In my experience, there is a perpetual oversupply of engineers and scientists, and roughly 10% to 15% of engineers are always unemployed or underemployed.  However, there is a huge shortage of entrepreneurs.

Jobs are created by small businesses - large businesses destroy jobs.

Large businesses buy small businesses, absorb them, take the good products, discard the bad ones, fire half the people in the first round, and the rest in the second round.  This is known as increasing productivity.

For example, Intel, Microsoft, Cobham, IBM, Yahoo, Boeing, Lockheed-Martin, United Technologies: they buy companies, then frack them and shake the employees out.  The result is a constant clamor from thousands of middle-aged engineers and scientists complaining that they cannot find work.

However, for the younger 20-something crowd, the situation is much worse and their unemployment rate varies from 25% to 50%!


In a capitalist system, the over 45 crowd are supposed to provide jobs for the under 25 crowd and that can only happen if the large businesses light a fire under them and force them to start their own businesses.

If you are an unemployed or underemployed STEM, then you can do one of two things: Go look for a job in a tough and desolate place where others are scared to go, or find an unemployed salesman and an unemployed MBA and start a company. 

Engineers and scientists are typically NOT good at sales and management.  Don't try to do it yourself, you will waste your own money and you will fail.  Your job is to innovate.  Get others to sell the junk you make and schmooze the bank manager. 

When a reporter asked Willie Sutton why he robbed banks, he replied: 'Because that is where the money is'.  Apparently Ol' Willy had an MBA.

So, since I already took the only job in the desert - you have to get off your chair, go start a company with two compatriots and hire five unemployed 20-somethings to do the work!

Cheers,

Herman

Juniper, Citrix and Fortinet

No, this is not about the famous Donovan song.

Most of this list was compiled by M. Jennings:

NSA Helped British Spies Find Security Holes In Juniper Firewalls [theintercept.com] Quote: "... British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks..."

Secret Code Found in Juniper's Firewalls Shows Risk of Government Backdoors [wired.com] Quote: "This is a very good showcase for why backdoors are really something governments should not have in these types of devices because at some point it will backfire."

New Discovery Around Juniper Backdoor Raises More Questions About the Company [wired.com] Quote: "Juniper added the insecure algorithm to its software long after the more secure one was already in it, raising questions about why the company would have knowingly undermined an already secure system."

Juniper 'fesses up to TWO attacks from 'unauthorised code' [theregister.co.uk]

'Unauthorized code' that decrypts VPNs found in Juniper's ScreenOS [theregister.co.uk] Quote: "And it may have been there since 2008, making this a late contender for FAIL of the year."

How to log into any backdoored Juniper firewall -- hard-coded password published [theregister.co.uk]

Juniper promises to fix ScreenOS cryptography ... eventually [infoworld.com]

Listen up, FBI: Juniper code shows the problem with backdoors [infoworld.com] Quote: "FBI director James Comey should be taking notes: The Juniper debacle shows why security experts are up in arms over government-ordered backdoors."

Another quote from that article:

"Cryptographic backdoors are one of the best ways for attackers to break into systems. '[The backdoors] take care of the hard work, the laying of plumbing and electrical wiring, so attackers can simply walk in and change the drapes,' Green said."

And ditto for Fortinet [arstechnica.com], the Deep Packet Inspection filter company, who also thought it wise to ship an SSH server with a hard-coded password.

Not to be outdone, Citrix also makes products with the same stupidity and a fixed password of Citrix123.

It is amazing that Fortinet, Citrix, Juniper and its spawn Pulse Secure are still doing business. The only explanation is that literally nobody cares about security and only pays lip service to it.

GIGO: Garbage In, Garbage Out...

Herman

Monday, November 30, 2015

Ethernet Funnies

Sometimes it is very hard to connect to an embedded system, because the designers cut some corners to simplify the system and keep memory use down, or simply because the system is prehistoric and full of bugs.

One such device worked fine provided that there was a little ethernet switch between the laptop machine and the target, but a direct connection between the laptop machine and target device only worked about half the time.  Even the little switch sometimes could not connect.

MAC, PHY, MAG

An ethernet interface device consists of three main parts: the Media Access Controller (MAC), the Physical Interface (PHY) and a set of transformers, the magnetics.  When you plug a cable in, the PHY sends out little pulses to figure out what is going on, then swaps the wires around internally and changes the speed and duplex settings to make the interface work.

The trouble was that the target only supports 100 Mbps, while the laptop machine wanted to run at 1 Gbps and the two just could not reach agreement.

Ethtool

The ethtool program can be used to configure the ethernet interface device manually:
# ifconfig em0 up
# ethtool em0
# ethtool -s em0 speed 100 duplex full autoneg off
# ethtool em0
# ifconfig em0 192.168.111.1 netmask 255.255.255.0


That forced the laptop machine to the correct speed and duplex settings, turned the broken auto negotiation off and then life was good.

Shortly after writing the above, I ran into a case where the embedded system works better with a 100 Mbps half duplex connection, but the auto-negotiation usually resulted in a full duplex connection.

# ethtool -s em0 speed 100 duplex half autoneg off

Problem fixed.

These weird issues are usually due to a bad board layout around the ethernet chip set.
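As an added example (not code from the original post), a small wrapper around the ethtool steps above: it parses the output of `ethtool em0`, decides whether the link is down or negotiated at the wrong speed, and only then forces the speed and duplex with auto-negotiation off. The interface name and the wanted speed/duplex are command-line arguments and are assumptions; the ethtool commands are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post: check the negotiated link
# state of an interface and force it (as the post does) only when needed.
# Interface, speed and duplex are passed in as arguments (assumptions).
set -u

# Turn `ethtool <if>` output (on stdin) into one line: "speed duplex link".
# ethtool prints e.g. "Speed: 100Mb/s" or "Speed: Unknown!" when down.
parse_link_state() {
    awk '
        /^[[:space:]]*Speed:/         { speed = $2; sub(/Mb\/s$/, "", speed) }
        /^[[:space:]]*Duplex:/        { duplex = tolower($2) }
        /^[[:space:]]*Link detected:/ { link = $3 }
        END { printf "%s %s %s\n", speed, duplex, link }
    '
}

# needs_forcing "speed duplex link" wanted_speed
# Succeeds (exit 0) when the link is down or not at the wanted speed.
needs_forcing() {
    set -- $1 "$2"          # $1=speed $2=duplex $3=link $4=wanted speed
    [ "$3" != "yes" ] || [ "$1" != "$4" ]
}

# Force speed/duplex the way the post does, then show what we ended up with.
force_link() {
    # $1 = interface, $2 = speed in Mb/s, $3 = full|half
    ethtool -s "$1" speed "$2" duplex "$3" autoneg off
    ethtool "$1" | parse_link_state
}

main() {
    iface=$1; want_speed=${2:-100}; want_duplex=${3:-full}
    state=$(ethtool "$iface" | parse_link_state)
    if needs_forcing "$state" "$want_speed"; then
        echo "$iface: link '$state' not usable, forcing $want_speed/$want_duplex"
        force_link "$iface" "$want_speed" "$want_duplex"
    else
        echo "$iface: link already at $state"
    fi
}

# Usage: <script> em0 [speed] [duplex]; without arguments only the functions are defined.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

One caveat worth knowing when only one end is forced: a peer that still auto-negotiates cannot learn the duplex setting from a non-negotiating partner and falls back to half duplex (parallel detection), which is one reason a forced full-duplex link can behave worse than the half-duplex setting used below.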

Reference

More information here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-ethtool.html


La voila!

Herman

Wednesday, November 18, 2015

Compile The Latest ffplay From Source

Compile latest version of ffplay from source

This script follows the ffmpeg CentOS compilation guide and doesn't overwrite the existing ffmpeg installation:
https://trac.ffmpeg.org/wiki/CompilationGuide/Centos

The gotcha in the above guide is the SDL-devel package, without which ffplay will not build.

#! /bin/bash
# Build yasm, x264, x265 and ffmpeg (with ffplay) into $HOME/ffmpeg_build,
# with the binaries in $HOME/bin, leaving the distribution's ffmpeg alone.
set -e

# SDL-devel is the package the guide leaves out; ffplay will not build without it.
yum -y install autoconf automake cmake freetype-devel gcc gcc-c++ git libtool make mercurial nasm pkgconfig zlib-devel SDL-devel

mkdir -p ~/ffmpeg_sources

# yasm assembler
cd ~/ffmpeg_sources
git clone --depth 1 git://github.com/yasm/yasm.git
cd yasm
autoreconf -fiv
./configure --prefix="$HOME/ffmpeg_build" --bindir="$HOME/bin"
make
make install
make distclean

# x264 encoder (static, so ffmpeg does not depend on a shared library in $HOME)
cd ~/ffmpeg_sources
git clone --depth 1 git://git.videolan.org/x264
cd x264
PKG_CONFIG_PATH="$HOME/ffmpeg_build/lib/pkgconfig" ./configure --prefix="$HOME/ffmpeg_build" --bindir="$HOME/bin" --enable-static
make
make install
make distclean

# x265 encoder
cd ~/ffmpeg_sources
hg clone https://bitbucket.org/multicoreware/x265
cd ~/ffmpeg_sources/x265/build/linux
cmake -G "Unix Makefiles" -DCMAKE_INSTALL_PREFIX="$HOME/ffmpeg_build" -DENABLE_SHARED:bool=off ../../source
make
make install

# ffmpeg itself, with the two encoders above and ffplay enabled
cd ~/ffmpeg_sources
git clone --depth 1 git://source.ffmpeg.org/ffmpeg
cd ffmpeg
PKG_CONFIG_PATH="$HOME/ffmpeg_build/lib/pkgconfig" ./configure --prefix="$HOME/ffmpeg_build" --extra-cflags="-I$HOME/ffmpeg_build/include" --extra-ldflags="-L$HOME/ffmpeg_build/lib" --bindir="$HOME/bin" --pkg-config-flags="--static" --enable-gpl --enable-libx264 --enable-libx265 --enable-ffplay
make
make install

# Link the freshly built ffplay under a distinct name so the distribution's ffplay is not shadowed
cd /usr/lib
ln -s "$HOME/bin/ffplay" fffplay



Play Video With Low Latency Using ffplay

This is the fastest I can make ffplay:
ffplay -threads 2 -flags low_delay -fflags nobuffer -rtbufsize 32768 -fast -probesize 800000 -analyzeduration 800000 -ss 1 -framerate 50 udp://224.0.1.6:2006

Play Video With ffmpeg

This is also quite fast, just to show that you can play video directly with ffmpeg using SDL output:
ffmpeg -i udp://224.0.1.6:2006 -f sdl -


La Voila!

Herman

Friday, November 13, 2015

Windows Insanity

Rusted Sieve

Windows 10 is about as secure as a rusted sieve, with a few deliberate holes added for good measure.  Microsoft essentially tries to convert your Personal Computer into a cell phone, which is a purpose-built blabbing and tracking device.  They don't seem to understand the word 'personal' in 'PC' though.

https://answers.microsoft.com/en-us/windows/forum/windows8_1-update/what-is-diagnostics-tracking-service-which-was/253fe2ec-fba6-4240-bfb8-2a3bdc801ed1?auth=1

Quote: "Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage."

Recently, the Diagnostics Tracking Service (DiagTrack) service was renamed to the Connected User Experiences and Telemetry service.  Sigh...

Microsoft, in their infinite wisdom, hooked up a plethora of tracking systems and tunnels to capture your keystrokes, your voice, every address you visit on the web, your WiFi router passwords and your disk drive encryption keys.  I guess they figured that your camera is already captured by Skype, so they didn't need to add that to the list.  I can see many a giant lawsuit lurking on the horizon because of this.

Here is a list of utilities that can be used to clean Windows 10 and try to prevent it from blabbing to all and sundry about everything you do with your computer.

ShutUp10

http://www.oo-software.com/en/shutup10

Techne

http://techne.alaya.net/?p=12499

DisableWinTracking

https://github.com/10se1ucgo/DisableWinTracking

BlockWindows

https://github.com/WindowsLies/BlockWindows

GWX Control Panel

http://blog.ultimateoutsider.com/2015/08/using-gwx-stopper-to-permanently-remove.html

Spybot Anti-Beacon

https://www.safer-networking.org/spybot-anti-beacon/

Evil Addresses

A list of evil hard-coded addresses I found that should be blocked in a router:
134.170.30.202
137.116.81.24
204.79.197.200
23.218.212.69
65.39.117.230
65.55.108.23

I have no idea what these addresses are and there may be many more.  These are hard-coded connections in Windows that cannot be blocked with a domain name server or hosts file.

Domain Names

My hosts file, made after looking at packets with tcpdump, points the chatty Microsoft host names at 127.0.0.1.
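As an added example (not from the original post), this is how a hosts file like the one described above can be generated from a capture: it pulls the queried names out of `tcpdump -n port 53` output and emits 127.0.0.1 entries only for names under the domain suffixes you choose to block. The capture lines used in testing are constructed samples and the suffix list is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: build hosts-file entries from
# the DNS queries seen in a tcpdump capture. Capture lines and the suffix
# list are constructed/assumed inputs.

# Print the unique names asked for in A?/AAAA? queries found in
# `tcpdump -n port 53` output read from stdin, e.g.
#   ... > 192.168.1.1.53: 1001+ A? watson.telemetry.microsoft.com. (48)
# The trailing dot tcpdump prints after the name is removed.
queried_names() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "A?" || $i == "AAAA?") {
                n = $(i + 1); sub(/\.$/, "", n); print n
            }
    }' | sort -u
}

# hosts_entries "suffix1 suffix2 ..."
# Read names on stdin and emit "127.0.0.1 name" for those equal to, or
# under, one of the suffixes. Keep shared CDN domains (akamai.net,
# edgesuite.net, ...) off the list: redirecting them breaks unrelated sites.
hosts_entries() {
    awk -v suffixes="$1" '
        BEGIN { n = split(suffixes, s, " ") }
        {
            for (i = 1; i <= n; i++)
                if ($0 == s[i] || substr($0, length($0) - length(s[i])) == "." s[i]) {
                    print "127.0.0.1 " $0
                    next
                }
        }
    '
}

# Usage: tcpdump -n -l port 53 > dns.log ; then
#   queried_names < dns.log | hosts_entries "microsoft.com live.com" >> /etc/hosts
```

Hosts entries only help for connections that start with a DNS lookup; as the post says, the hard-coded IP addresses need a rule in the router instead.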

How Many More?

If the above lists haven't convinced you to shun this super quality spying system, then consider that there may be many more leaks that we haven't found yet.  As soon as Microsoft figures out that most holes are plugged by the above tools, they are sure to add new ones to keep the data flowing, as evidenced by the recent rename and rework of their networked sniffing service.  It is bound to keep happening to throw off the defenders.

Therefore I still think that the only secure way to use Windows 7, 8 and 10 is in a virtual machine with networking disabled.  The trouble is that you cannot analyze encrypted tunnels with packet inspection in a router, so you have to unplug the network cable so to speak.

The only real solution is to use UNIX: buy a Mac, or install Red Hat Linux Fedora or PC-BSD, since MS Windows is a futile game of Whack-a-Mole.

Sigh...

Herman

Tuesday, November 10, 2015

Dropbear - Embedded SSH Daemonology

A Bear of Very Little Brain

The name Dropbear is intriguing since it makes me think of grizzlies and gummy bears.  I love sugar - who doesn't - but I should not eat it anymore.  I found that cinnamon makes a good substitute in most things, but I digress, this is not supposed to be a treatise on sugary treats.

The Dropbear SSH daemon can be compiled with various options, but when one is faced with an existing system that cannot easily be changed, then one has to make do with what one has.

I was trying to download log files and video off an ARM based system and it took forever.  So I experimented with the SSH encryption and compression options to speed it up.  Since a typical embedded system has a dinky little processor, selecting a simpler encryption algorithm can make a huge difference.

AES vs Blowfish

The standard copy command "scp user@target:~/data ." ran at all of 6 Mbps.   I could see the grass growing, which is really special, since I live in a desert.

The default algorithm is AES256, which has special instructions on an x86 processor to speed it up, but not on an embedded ARM based target.  When I tried Bruce Schneier's Blowfish "scp -c blowfish-cbc user@target:~/data ." it immediately ran at more than double the speed, clocking 13.5 Mbps.  It felt like flying compared to the previous.

Arcfour would run even faster, but Dropbear doesn't have it by default and some people are concerned that Arcfour is not secure anymore, though that is actually a Windows implementation problem.  IMHO Arcfour is not much worse than Blowfish - sorry Bruce...

Header Compression

I then tried header compression (the -C option) and it halved the speed again.  So this poor ARM processor really doesn't like the Zip algorithm either.

Process Control

Finally, I checked to see what the target processor was doing with 'top' and found that one running process was consistently sapping 25% of the processor power, so I thought I would hit the jackpot if I simply suspend that process while downloading.

A bit of remote job control using pidof and kill:
$ PID=$(ssh user@target "pidof -s processname")
$ ssh user@target "kill -SIGSTOP $PID"

Then I did my download test again and disappointingly found that the resulting speed-up was only 5% from 13.5 Mbps to 14 Mbps - where did the other 20 go?  Oh well, I'll take that little bit too thanks.

After the download one can resume the suspended task with:
$ ssh user@target "kill -SIGCONT $PID"
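As an added example (not code from the original post), this ties the cipher choice and the job control above together: it suspends the CPU hog on the target with SIGSTOP for exactly the duration of a timed scp download and sends SIGCONT from a trap as well, so a failed or interrupted copy never leaves the process stopped. "user@target", the process name and the local path are placeholders; SSH_CMD is a hook so the ssh calls can be stubbed out in a test.

```shell
#!/bin/bash
# Added example, not code from the original post. Suspends a CPU-hungry
# process on the target for the duration of an scp download and resumes it
# again even if the copy fails or is interrupted. The target, process name
# and paths are placeholders; SSH_CMD lets the ssh calls be replaced.
set -u
SSH_CMD=${SSH_CMD:-ssh}   # overridable so the ssh calls can be stubbed

# Run one command on the target: remote user@target "cmd".
remote() {
    $SSH_CMD "$1" "$2"
}

# Send SIGCONT to the suspended process (idempotent) and clear the traps.
resume_hog() {
    [ -n "${hog_pid:-}" ] || return 0
    remote "$hog_target" "kill -SIGCONT $hog_pid"
    hog_pid=""
    trap - EXIT INT TERM
}

# with_process_suspended user@target procname cmd args...
# Stops procname on the target, runs cmd locally, then resumes procname.
# The traps make sure SIGCONT is also sent on Ctrl-C or an early exit.
with_process_suspended() {
    hog_target=$1; shift
    hog_pid=$(remote "$hog_target" "pidof -s $1") || return 1
    shift
    [ -n "$hog_pid" ] || { echo "no such process on $hog_target" >&2; return 1; }
    trap 'resume_hog; exit 130' INT TERM
    trap resume_hog EXIT
    remote "$hog_target" "kill -SIGSTOP $hog_pid"
    "$@"
    rc=$?
    resume_hog
    return "$rc"
}

# Integer throughput in Mbit/s, the figure the post quotes: mbps bytes seconds
mbps() {
    echo $(( $1 * 8 / $2 / 1000000 ))
}

# Timed copy with the cheaper cipher the post settled on (blowfish-cbc).
timed_copy() {
    # $1 = user@target, $2 = remote path, $3 = local directory
    start=$(date +%s)
    scp -c blowfish-cbc "$1:$2" "$3" || return 1
    elapsed=$(( $(date +%s) - start )); [ "$elapsed" -gt 0 ] || elapsed=1
    echo "$(mbps "$(stat -c %s "$3/$(basename "$2")")" "$elapsed") Mbps"
}

# Usage: <script> user@target procname /remote/path/to/file
if [ $# -ge 3 ]; then
    with_process_suspended "$1" "$2" timed_copy "$1" "$3" .
fi
```

Newer OpenSSH clients no longer ship blowfish-cbc or arcfour at all, so check `ssh -Q cipher` on the laptop before relying on them.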

SSH Password Scripting with sshpass

Another disappointment with this version of Dropbear was that it doesn't seem capable of public key authentication, only passwords, and typing a password all the time gets boring really quickly, but the OpenSSH client is not particularly script friendly.

Fortunately there is a utility on Red Hat systems called sshpass.  Users of Debian distributions will have to compile it from source, since it is not in the repositories, due to some misplaced concerns with protecting evil users of SSH against themselves.

Save your target password in an exported environment variable called SSHPASS, then use a command like this (the -e option tells sshpass to read the password from SSHPASS):
$ export SSHPASS=password
$ sshpass -e ssh user@target "remotecommand"

Zenity has a password entry dialogue that is useful for this type of problem.  Later in a script, I'd blank out the password so it doesn't hang around in memory too long, to salve my conscience.


La voila!

Herman

Saturday, October 24, 2015

Nothing to Fear

Armand Jean du Plessis, Cardinal-Duke of Richelieu and Fronsac, 17th century Prime Minister of France, reputedly said something to the effect of:

"Give me six lines written by an honest man and I will find something in it to hang him with".

There are probably many things he said, that he didn't say, but it is a nice quote.

Beware of a Man in a Dress

The French encrypted communications up to the early 19th century, using simple ciphers known as petits chiffres. These were short notes, based on 50 numbers. Later, they began to write letters using a combination of 150 numbers, known as the Army of Portugal Code.  By 1812, new cipher tables were sent from Paris based on 1400 numbers and derived from a mid-18th century diplomatic code.

Image: 18th Century Paris Cipher

Many people think that 'If you have nothing to hide, then you have nothing to fear', or simply state 'I have nothing to hide', meaning that they don't care about ubiquitous government surveillance.  Well, if you are that boring, then no-one would want to talk to you!

In reality, even the worst, boring, dullards try to keep their bank account, tax return, passport and credit card private and even Germans usually at least wear budgie smugglers when they go for a swim...

To me, the biggest problem is organized criminals who can drain a bank account in seconds and ruin your credit rating, and state security agents acting like the infamous Cardinal, who can plant incriminating evidence on your IT systems to hang you with.  Just watch what is happening to Hillary Clinton and the Aussie PM who ran private email servers, which were legal at the time, but which are now being systematically stuffed with 'new discoveries' of 'classified information', much like the tiny mountain cabin of Ted Kaczynski, which was searched multiple times and each time delivered a treasure trove of new 'evidence'.  There must have been a rather large cave under Ol' Ted's shack.

Encrypt everything!

Encrypt your phone, your tablet, your laptop PC, your desktop PC, your email.  Buy a Black Phone.  Use the Red Phone.  Install RetroShare.  Use Free Software.

Use Keepass to save the passwords and keep the master password in your wallet if you don't trust your memory.

Do not make it easy for online miscreants hiding in their mother's basement on the other side of the world, to destroy your life.

Upon the death of the most revered Cardinal, Francois Marie Arouet (Voltaire), who wrote rather more than six lines criticizing the dear Cardinal said:

'He was a kind and generous man, provided of course, that he is really dead.'

Ecrasez l'Infame.

Herman