Frank

Aussie Census takes a tumble

The Australian government bureaux of statistics had a census yesterday. Every aussie, wherever in the world they happened to be, and to fill in the on-line census form before midnight. For those living in London, they tried to do this late afternoon in order to meet the deadline. No luck! it’s down with a message saying “Sorry Mate, our servers are currently shagged. Please try later and we’ll forget about the fine this time.” Or words to that effect.

On trying again this morning, it was still out of action.

I wonder if all the Australians in the world decided to leave it to the last couple of hours of the day, and whoever designed the system didn’t consider what the peak load might be?

Please don’t click here to see for yourself, as their servers are overloaded enough already.

Update: 10-Aug-16 17:06

Apparently they’re now blaming it of foreign hackers or a DoS. There was some controversy about the security of an on-line census before the event; I see a “told you so” slanging match before long!

9-August-169-August-16

Five year old “new” malware discovered “by Kaspersky”

Yesterday Russian security company Kaspersky has released an analysis of what it claims is previously undiscovered malware, which has come to be known as Salron. Kaspersky’s analysis is incomplete, but contains more detail than was generally available in public beforehand. They admit it’s “probably” been around for five years, and this is true; but it’s not exactly unknown. The unknown group behind the attacks has become known as Strider, and they’re using a backdoor program called Remsec. Details of this were published by Symantec a week ago.

Kaspersky’s conclusion is that this is a “Nation State” level piece of malware. It’s possible, but other than being very competently produced, I have seen no conclusive evidence to back the claim at this stage, but there’s quite a bit that’s circumstantial. According to Symantic, it’s been used to target relatively few organisations – mostly in Russia, with a Chinese airline and an unspecified embassy located in Europe. In other words, that naughty Mr Putin is at it again. Or is it the Chinese attacking their neighbour?

Based on the public analysis, it was written by some very smart people and avoids the mistakes made in previous systems such as Stuxnet. Kaspersky points to it being a rung up the technology ladder as an indication it was another government-sponsored effort, although in practice, anyone could learn the same lessons and produce a new generation.

AV companies have been detecting this for over a week, and it hasn’t thrown up a large number of infections. This is intriguing. Also, the way it works to circumvent very specific and uncommon high-end security software indicates its in the APT category.

Microsoft, who’s operating systems it attacks, has yet to comment.

8-August-16

Quadrooter – major security bug in Qualcomm Android drivers

Check point software claims to have found what it calls a serious vulnerability in Qualcomm software running on LTE chip-sets used in many Android ‘phones. Apparently they informed Qualcomm about six months ago, and they’ve now modified their drivers to stop it in future, and issued patches, but I doubt many of the 900,000 of the devices already sold with the LTE chips will end up being patched. LTE is two-thirds owned by Qualcomm.

Check Point has released an App to check whether your phone is vulnerable, but it’s up to the device manufacturers to actually push the patch on to their users. The major ones may, but the majority of handsets are of the cheaper variety, sold in third world countries, and not as well supported.

Normally I’d treat stories like this with a bit of caution, and I’ve yet to fathom exactly how ti works. However, Check Point’s description is scary – and the Israeli company isn’t known for hype. Basically, the flawed Qualcomm chip-set drivers have flaws that allow a downloaded App to gain root access without the need for any unusual permissions. This is bad.

Check Points advice is to only trust Apps installed from Google Play, which is ironic given that as recently as this May they released a report saying you shouldn’t trust Apps from Google Play as too many nasty ones crept in.

1-August-161-August-16

Windows 10 Free Upgrade failure

Last Friday was the last chance to get a free upgrade/downgrade from Windows 7 to Windows 10. The Microsoft checking utility confidently announced my system was compatible, but I doubted that as I was running stuff in XP Mode, and some old Chicago (Windows 9x) software. But I thought I’d give Microsoft the benefit of the doubt and try. But before that I backed up the entire hard disk.

Giving Microsoft the benefit of any doubt is always a bad plan, and in my case the installation died half way. The update was apparently downloaded, but I left it all weekend and it failed to install.

It’s hard to see why anyone who knows about computers used for serious purposes would consider “upgrading” to Windows 10 a good idea. I’m not sad I had to revert to the backup and get my Windows 7 machine back. Windows 8+ completely failed to implement the backward compatibility that Microsoft used to do so well. Upgrading DOS or Windows meant you could keep your legacy applications and hardware, but switching to OS/2, Apple, UNIX or Linux meant you could not. Now upgrading Windows means ditching older software too – in my case, I suspect my company’s accounting system. If you’re going to do anything as rash as that, you might as well break free from Microsoft completely and choose a whole new platform.

I was expecting to write something slamming Microsoft for messing up my PC this morning, but thanks to their complete incompetence, the upgrade didn’t work anyway.

13-July-16

Parent Pay adds fuel to its fire

Following a disastrous software “upgrade” on 6th June, it appears that ParentPay, the controversial on-line payment system used by many schools, finally appears to have noticed it has a problem. In an email sent to all its 1.7 million ~~victims~~ users today, CEO Clint Wilson apologised that people were having difficulties with the new system and conceding their support service was overwhelmed. He promised to fix the problems and get it right over the summer.

Perhaps in order to emphasise the fact that he really don’t know much about this technology stuff, the email was sent in a Microsoft-only format, with an invitation to “view it in your web browser” if you weren’t using Hotmail, or whatever else it was designed for. It really doesn’t bode well.

The ParentPay website was always awkward, requiring very specific web browsers in order to operate, and using insecure technologies rather than HTML. The latest update relied very heavily on JavaScript and assumed specific screen resolutions, forcing people to upgrade browsers and wait for updates in order to use it – and it looks ridiculous on a desktop-sized screen.

At the same time ParentPay implemented a system where parents were made to pre-pay in to the account and then allocate funds later, rather than paying for the items at the time they were selected/purchased. Subsequently the company has sought to defend this tiresome system as an initiative to help low-income families, although exactly how pre-payment does this isn’t clear. The fact that ParentPay is left holding money for longer before the school gets is probably didn’t even cross their mind.

Parents, already leery about the whole ParentPay system and the way it has been imposed on them by schools in spite of widespread long-standing dissatisfaction, have taken to social media to slag off the crass software update and appalling customer service..

It’s a sad fact that schools and local authorities lack the necessary IT savvy to spot a turkey when its marching up and down in front of them, and instead opt for “safety” in numbers. I don’t actually blame the schools for this – it’s not their job. It’s the government and local authorities that are unable to provide good advice – but local authority and government IT projects are, of course, a byword for expensive shambles.

22-June-16

Am I being phished?

Today I received an intriguing email with a Microsoft Word attachment implying I had money coming to me if I filled in a form. Yeah, right. I was just about to hit delete but I was a bit surprised the sender was addressing me as Prof. Leonhardt. It’s hardly the first time someone’s got this wrong – and to be on the safe side I can see why people might start high and work backwards through Dr. and so on, as people who are about such matters are only offended if you start too low.

But why would a botnet add the title?

On closer inspection I recognised it was a royalty payment enquiry from a publishing company that had actually done a book for about five years ago. I didn’t expect it to sell (it wasn’t that kind of book), so hadn’t thought much about out.

But I still haven’t opened the attachment. The email headers suggest it came from the publisher, but they can be forged. And this could be a clever spear-phishing attempt – after all, if you bought the book, which was largely about email security, you’d have the name of the publisher and my name – and the email address used can be found using Google.

I don’t believe I have ever been spear-phished before, so I’m feeling a bit more important than I did yesterday.

Time to fire up the sandbox!

23-May-1623-November-21

FreeBSD, ZFS and Denial of Service

I’ve been using ZFS since FreeBSD 8, and it has it’s uses. It’s pretty be wonderful and all that, but I was actually pretty happy with UFS, and switching to ZFS isn’t a no-brainer.

So what’s the up-side to ZFS? Well you get more error checking and correction and it’s great for managing huge filing systems. You can snapshot and roll back, and do lots of other wonderful stuff with datasets and rive arrays. And it’s more “auto” when it comes to allocating disk space. But call me old fashioned if you like; I don’t like “auto” if I can avoid it.

Penguinistas might not “get” this next bit, but on a UNIX system you didn’t normally have One Big Disk. Instead you had several, and even if you only had one, you’d partition the slice it up so it looked like several. And then, of course, you’d mount disks or partitions on to the root filing system wherever you wanted them to appear.

For reliability, you could also create mirrors and striped RAIDs, put a FS on them and mount them wherever you wanted. And demount them, and mount them somewhere else, and so on.

ZFS does all this good stuff, but automatically, and often as One Big Disk. A good thing? Well… if you must. But there are a few points you might want to consider before diving in.

First off, I like to know where and on which disk my data actually resides. I’m really uneasy with ZFS deciding for me. If ZFS loses it, I want to know where to find it. I also like having a FS on each drive or partition, so I can pull the drive out and mount it wherever I want to get data off – or move it from machine to machine. It’s my data, I’ll do what I want to with it, dammit! You can do this virtually with ZFS datasets, but you can’t unplug a dataset and hold it in your hand. Datasets, of course, are fluid rather than fixed in size, so you don’t need to guess how much space to allocate.

Secondly, with UFS I get to decide what hardware is used for each kind of file. Parts of the FS that are rarely used can be put on slow, cheap, huge disks. The database goes on a velociraptor or better, and the swap partitions – well! Okay, you can use multiple zpools for difference performance situations but then you’re using it like UFS.

Thirdly, there’s a price for all this ZFS wonderfulness. Apart from the software overhead, the Copy-on-Write business needs a lot of RAM to maintain good performance. Fragmentation no the physical drive is guaranteed. If you’re running software (e.g. a database) that uses random access files and lots of transaction, UFS with its in-place modification wins out. A DBMS will take care of its own consistency and storage optimisation, and it has the edge as it knows what the data represents at the application level.

But what of the Denial of Service problem in the headline? Okay, it’s been a bit of a ramble, but this is something you must consider.

There are always management issues with One Big Disk. Linux users seem oblivious to this, but this doesn’t mean putting everything on a big partition is a great plan – even if you’re using a single disk in practice.

With the old way of having multiple partitions, each with an FS, mounted on the directory tree, when an FS on a partition/drive filled up, it is was full. You couldn’t create more files on it. You either have to delete unwanted stuff, or you can mount a bigger drive in its place. With One Big Disk, when it’s full, it’s also full. The difference is that you can’t write any data anywhere on the entire FS. And this is where DoS comes it.

Take, for example, /var/log. Any UNIX admin with a bit of sense will have this in its own partition. If some script kiddie then did something that caused a lot of log file activity, eventually you’d run out of space in /var/log. But the rest of the system would still be alive. With UFS the default installation process created partitions with sensible sizes. Using the One Big Disk principle, ZFS satisfies the requests of any disk-eating process until there isn’t a single byte left anywhere, and then rolls over saying the zpool is full. Or it would say it if there was a monitor connected to the server in a data centre miles away, and there was someone there to look at it.

With ZFS you can set a limit to the size on a dataset-by-dataset basis and prevent this sort of thing from happening. But it doesn’t happen by default, so set your quotas manually if you’re plonking the OS, and in particular /var on it.

Okay, this might sound a bit anti-ZFS, and I’ve yet to have a disaster with a ZFS system that’s required me to move drives around, so I don’t really know how possible it is when the chips are down. And ZFS has is a nice unified way of doing stuff, rather than fiddling around with geom and the FS separately. But after a couple of years with FreeBSD 10, where it became practical to boot from ZFS, shouldn’t I be feeling a bit more enthusiastic about it?

Having a ZFS pool attached as a data store rather than as a boot device is, of course, a different story. That’s when you see the benefits. But it does also eat resources, so I want the benefits to be worth it for the particular application. For the time being I’m putting the OS on UFS, usually with a data partition for databases to thrash, and userland putting simple files on ZFS – best of both worlds.

14-May-16

BT’s Infinitely useless Infinity call centre in India

In the middle of last week I was expecting an important call. It didn’t come. Then someone said they’d been trying to get me on the phone and couldn’t. It turns out I’ve got a line fault. And OpenReach’s response so far is an object lesson in to how to get things wrong.

First off, the fault results in the caller hearing a ringing tone but nothing ringing at this end. This means the caller simiply thinks your not answering. BT’s automated system quickly identified that the line wasn’t working, but I had to ask that callers got an “out-of-order” message. Is OpenReach reluctant to admit that it’s lines could be faulty?

The line provides VDSL and an analogue telephone, which goes in to a PABX. Therefore its lack of dial tone wasn’t noticed; the PABX simply skips until it finds a working line when you’re making an outside call. But on plugging a handset direct to the line, it’s as dead as a doornail. No voltage across A-B, no dial tone, no crackle. Nothing. Except, strangely, the VDSL is still working.

Now anyone with half a brain will realise that the pair is good, and the fault is going to be in the street box or exchange. My guess is that it’s in the green cabinet up the road where my line connects to the FTTC service.

So, several days pass and I notice it hasn’t been fixed. Then I get a call (on one of the remaining working lines) from BT; an obviously foreign accent. Apparently they have determined that there is a fault outside of the exchange (and by implication in my cabling). It’s not with me. The first thing anyone would do is disconnect the PABX and the VDSL modem (and its filter) and test the incoming socket. Just try explaining this to an overseas call centre reading from a script. To humour the hapless fool I eventually I again removed the NTE5 face plate (she didn’t even know what an NTE5 was!) and plugged a handset direct in to the incoming socket. Only then would she agree to send an “engineer” to look at it.

I did explain exactly where the fault was likely to be (remember, the VDSL hasn’t been interrupted – it’s not difficult to work it out). Apparently an engineer is now booked for Monday afternoon. I pointed out that he’d need to call me to get access, should it be needed (it shouldn’t) but I’m not sure she took it in.

And then, insult to injury, she sent a text message to the landline!

I told them about the fault days ago, and exactly what the problem was. It was flagged as fault on their own self-diagnostic. And OpenReach couldn’t even mark the line as out-of-order to callers until I moaned at them. BT makes a lot of money implementing overseas call centres. Yet even they can’t get them to work on a human level.

3-May-16

New mystery “Appear in Court” malware

In the early hours of the morning (BST) I intercepted a large number of emails of the “Appear in Court” variety, but unlike usual, these were not Microsoft documents but JavaScript (stored in a .ZIP file). They end in .doc.js, which means they obviously look odd.

I couldn’t resist running a few, to see what they did, and the answer is not much. They run cmd.exe and I’m pretty sure it does an egg hunt to find some code in core to execute, and it goes looking for DOCUME~1.DOC in various likely locations. But in my sandbox, it doesn’t get anywhere.

These are being spammed from clean IP addresses, no AV currently detects them by signature, so they’re going to get through. But what do they need to run, and what do they do if they succeed? Unfortunately I can’t stick around this morning to check further.

25-April-1627-April-16

UbuntuBSD – lovechild of Linux and FreeBSD

It’s no secret that Linux users with good taste have viewed the FreeBSD kernel with envious eyes for many years. A while back Debian distributions started having the FreeBSD kernel as an option instead of the Linux one. (Yes, you read that correctly). But now things seem to have been turned up a notch with UbuntuBSD.

It seems a group of penguinistas regard the Ubuntu world’s adoption of systemd as a step too far, and forked. And rather than keeping with Linux, they’ve opted to dump the whole kernel and bolt the Ubuntu front-end on to FreeBSD instead, getting kernel technology like ZFS and jails but “…keeping the familiarity of Ubuntu”.

Where could this be going? We already have PC-BSD for a “shrink wrapped” graphical desktop environment. Is anyone actually using it? I’m not. I’m sure we’ve all downloaded it out of curiosity, but if I want a Windows PC I’ll have a Windows PC. With BSD I’m more than happy with a command line, thank you very much.

UbuntuBSD could be different. Linux users actually use the graphical desktop, and most can’t cope with a command line. If they were to switch to FreeBSD instead, UbuntuBSD would make a lot of sense.

Although it’s only been around a month, in early beta form, its Sourceforge page is showing a lot of downloads. If I wanted to run a graphical desktop on top of FreeBSD, UbuntuBSD would make a lot of sense over PC-BSD, because I get the vibes that Ubuntu has desktop applications more together.

The project has just launched its own web site too, at www.ubuntubsd.org.

So does this spell the end of PC-BSD, Ubuntu Linux, Windows 10 or none of the above? It’s surely a strong vote against systemd.