Christmas Come Early for Scammers – Thanks Microsoft

As a reminder that Microsoft never lets security considerations get in the way of a Good Idea, it’s emailed 50,000 gift cards to random addresses it has on file. To quote:

To help spread holiday cheer, Microsoft Store has surprised a total of 50,000 U.S. customers with virtual gift cards via email. 25,000 customers will receive a $100 Microsoft Gift Card while 25,000 others will receive a $10 Microsoft Gift Card ahead of this holiday season. These randomly selected recipients can redeem their gift card on Microsoft Store through December 31, 2021 and spend it within 90 days of redemption

Publications in the US are advising punters to check their spam folder in case they’ve got an e-voucher for free Microsoft goodies. Presumably these email address are of lusers with a Microsoft account of some kind.

With the media coverage starting to appear in the US, anyone phishing for Microsoft account credentials now has the perfect social engineering exploit, available between now and the New Year. Nice one Microsoft.

Minecraft server in a FreeBSD Jail

You may have no interest in the game Minecraft, but that won’t stop people asking you to set up a server. Having read about how to do this on various forums and Minecraft fan sites (e.g. this one) I came to the conclusion that no one knew how to do it on current FreeBSD. So here is how you do it, jailed or otherwise.

First off, there isn’t a pre-compiled package. The best way to install it is from the ports, where it exists as /usr/ports/games/minecraft-server

Be warned – this one’s a monster! Run “make config-recursive” first, or it’ll go on stopping for options all the way through. Then run “make install”. It’s going to take quite some time.

The first configuration option screen asks if you want to make it as a service or stand-alone. I picked “service”, which sets up the start-up scripts for you but doesn’t actually tell you it’s done it. It does, however, stop it trying to run in graphics mode on your data centre server so I’m not complaining too much.

The good news is that this all works perfectly in a jail, so while it’s compiling (it could be hours) you can set up the required routing, assuming you’re using an internal network between jails – in this case 192.168.2.0/24. Using pf this will look something like:

externalip="123.123.123.123"
minecraft="192.168.2.3"
extinterface="fx0"
scrub in all
nat pass on $extinterface from 192.168.2.0/24 to any -> $externalip
rdr pass on $extinterface proto tcp from any to $externalip port 25565 -> $minecraft
rdr pass on $extinterface proto tcp from any to $externalip port
{19132,19133,25565} -> $minecraft

And that’s it. You’re basically forwarding on TCP and three UDP ports. If you’re not using a jail, you obviously don’t need to forward anything. For instructions on setting up jails properly, see here, and for networking jails see elsewhere on this blog.

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

One thing that’s very important – this is written in Java, so as part of the build you’ll end up with OpenJDK. This requires some special file systems are mounted – and if you’re using a jail this will have to be in the host fstab, not the jails!

# Needed for OpenJDK
fdesc /dev/fd fdescfs rw 0 0
proc /proc procfs rw 0 0

If you’re using a jail, make sure the jail definition includes the following, or Java still won’t see them:

mount.devfs;
mount.procfs;

Once you’ve finished building you might bet tempted to follow some of these erroneous instructions in forums and try to run “minecraft-server”. It won’t exist!

To create the basic configuration files run “service minecraft onestart”. This will create the configuration files for you in /usr/local/etc/minecraft-server. It will also create a file called eula.txt. You need to edit this change “eula=false” to “eula=true”.

You can make the minecraft service run on startup with the usual “minecraft_enable=yes” in /etc/rc.conf

And that’s really it. There are plenty of fan guides on tweaking the server settings to your requirements, and they should apply to any installation.

This assumes you’re handy with FreeBSD, understand jails and networking; if you’re not so handy then please leave a comment or contact me. Everyone has to start somewhere, and it’s hard to know what level to pitch instructions like this. Blame me for assuming to much!

Nominet EGM, March 2021

Members of the UK’s domain registry, Nominet, have called an EGM to get rid of most of the governing board. After fighting tooth and nail, chairman
Russell Haworth resigned yesterday (Sunday), but other controversial board members remain.

Unusually for me, this year’s report will be updated live. But you’ll have to refresh your browser manually!

Note that this is paraphrased!

The argument is over the direction of Nominet. When it was founded, the idea was for it to take over from the Naming Committee and run the UK’s top level DNS servers. The Naming Committee was overwhelmed, and it was felt reasonable that a new organisation could take over the work, funded by a small fee for new registrations.

This was inevitably going to lead to a surplus income, which was supposed to be distributed for the public benefit, keeping reasonable reserves in case of major court cases.

In 2006 Nominet altered it’s remit to allow other activities, which I warned about at the time. It turns out I was right (as usual), and in the intervening years the board diversified into such things as self-driving cars and subsidising a cyber-security business, in competition with some of the members who were paying for it. Network Solutions all over again.


Mark Wood opens, and acknowledges that the board hasn’t been listening to members. Grateful to Russell Howarth for driving growth.

Invited Simon Blackler to speak for a few minutes. Mark Wood says he declined.

Now going to member’s questions, starting with those sent in advance.

Question: Why has the board predicted chaos if the board changes?

James Bladel: It will, indeed, fall apart without the experience of the existing board. As the board has prevented the second motion to appoint a new board, it will delay reforms.

Question: The campaign by the board has been dirty. How will you heal the rift.

Rob Binns: “We will continue an open dialogue” and make sure there is a meaningful two-way dialogue.

Question: Ester. Why was second resolution (Appoint new directors) blocked?

James Bladel: Don’t ask me – ask Roy. But we have established processes, so we’re not going to make an exception just because the members vote to have one.

Question: What are the chances of the government stepping in and resulting in a price rise?

Steven Page: There is a possibility, but we don’t know for sure. “Nominet is at the heart of digital Britain”. Sounds to me like a FUD pitch.

He’s just suggested the NHS might collapse if the board is removed, as Nominet is critical infrastructure.

Question: Why were Registry Advisory Council idea underway before the EGM?

Ellie: We wanted to find another way to get feedback. She described it as a “registry business”.

Question: What are the board’s future plans depending on whether the resolution passes or not?

Rob Binns: “As a board we will lay out a process that will drive that engagement” regardless of the outcome.

If the motion passes (board half fired) we will have a focus on stability.

Questions: What justifies huge increases in board remuneration.

Mark Wood: Our strategy was to diversify into alternative revenue streams as a hedge against possible income decline. Stated that costs would increase (but didn’t explain why).

Jane Tozer: We take the pay issue seriously, so we’ve frozen it. Our executive team has outperformed on its targets. Appears to be reading a written statement. It benchmarks pay against similar sized technology companies. (Odd, as these are profit driven – Nominet is supposed to be running a DNS).

Question: What is the cross-subsidy between domains and cybersecurity?

Ellie: We’re not cross-subsidising.

Question: One of the problem is lack of engagement. Would the board introduce members meetings?

Anne Taylor: As a board want to export all ways of engaging. It was a bad move to shut down the forum.

David Thornton: Shutting down the forum was inflammatory but needed a re-vamp.

Question about discounts for .co.uk and .uk together. Irrelevent.

Question: Why has it taken so long to realise members are not happy?

Mark Wood: We’ve missed some signals. Simon Blackler has run a good campaign and raised a lot of issues. We want to make these changes and accelerate them.

Question: Will be bring back member engagement lunches.

Ellie: Yes, stuff like that. “We’re going to need to find more ways to get the views of the network”.

Question: Why can’t we hear from Simon Blackler?

Mark Wood: It’s not a debate; it’s a company EGM. Simon Blackler declined to speak.

Question: Has the current board makeup been complicit in side-lining members’ decent?

James Bladel: I don’t think this has really happened as we have vigorous debates on the board.

Question: What’s Russell’s status right now?

Mark Wood: Russell actually stood down from the board on Sunday. (Subsequently confirmed that the registration was accepted).

Question: About CNI status.

Stephen Page: We’re not, but we’re looking at what would happen if were were designated as such. It could push up our costs. It depends which part of the regulatory system takes us on. We hope it won’t increase prices.

Question: If the broad is critical, what is the plan if anything happened to it?

Rob Binns: Yes, we have a contingency plan. The motion is to remove various members of the board. We’d have to think about how we’d manage that. In any scenario we’ll continue with improved engagement. Didn’t explain what the plan was.

Question: Similar to previous on member engagement.

Mark Wood: Repetitive waffle. Sounds like they’re talking out more difficult advance questions.
James: Bladel: More repetitive waffle. Absolutely nothing that hasn’t been said before. “We need to focus on the future.” “Rebuild relationship”.

Mark Wood: Largest turnout in Nominet’s history. As the whole board has said, Nominet will change as a result of this. I believe it will be easier if we don’t change the board. Closing the member forum was a mistake. We’ll find new and better ways.

We also need to bring the government into management of Nominet as a stakeholder. Nominet delivers brilliant service, does an important job, and does very well.

Don’t Do This To Fix Slow WiFi

Have you seen adverts like this popping up on dodgy web sites? If you’ve ever clicked on one, you go to a page where someone explains that ISPs are deliberately slowing down people’s internet connections, but for £50 they’ll sell you a miracle box that will thwart your ISP’s attempt do to this.

It is, of course, complete garbage. What they’re actually selling is a generic Chinese WiFi repeater, which they’re calling a WiFi Blast. Whether this will help with anything is debatable; but it might.

What a WiFi repeater does is act as an intermediate station between two others – i.e. your current wireless AP and the thing you’re trying to connect. If the distance is too far for the signal to propagate, the relay sits in the middle where it can see both ends, and passes the messages back and forth.

Unlike normal radio repeaters, a WiFi repeater is going to be half duplex, as it’s not going to be able to transmit and listen at the same time – the input would be swamped. This is obviously going to be slower than a direct connection, but it’s useful to cover long distances.

Whether it’s useful to get through walls is highly debatable. RF propagation is a funny thing. Run a wire instead.

The sales pitch likely breaches dozens of different advertising laws. But if you’re determined to buy one anyway, they’re about £10 on Amazon. Repeaters do have their uses, including linking a wired ethernet device to WiFi, but changing the speed of your Broadband by some miracle isn’t one of them. And no, I don’t get a kick-back if you buy one through this link.

USB Ethernet on FreeBSD

Why would you even want to cripple your network connection by using USB instead of a proper NIC? Well if you have no free PCIe slots you might have to, as is the case if you’re using a very small computer as a router/gateway.

But why would you use a small computer as a FreeBSD router? Well FreeBSD doesn’t keep crashing like the purpose-built routers we all know and hate. Yes, that’s right – you can use FreeBSD in your router and it won’t crash. Having to turn your network router on/off periodically is, it turns out, entirely optional.

So back to these small computers: the problem is they tend to have but one Ethernet port, and no slots to add a second. They do tend use USB as the only way of expanding the hardware. But assuming you don’t have a crazy fast WAN you can still get away with a USB network adapter on that. Perhaps don’t bother using a bunch of them to make a switch though, but for a single second port and not much else going on, it works just fine.

But here’s the thing – FreeBSD doesn’t support USB3 Ethernet chips very well. In fact the only one I know of is the ASIX88179, and there are mixed reports about how well this works these. I’ve ordered one to take a look at.

In the mean time, the smart money is on USB2; and although you can get 1Gb USB2->Ethernet chips, a quick calculation will show you can’t do a sustained 1Gb transfer through it. But if your WAN is <100Gbs, this won’t actually matter.

There are, fortunately, plenty of USB2->100baseT chips to choose from, and these are the safest options. I’ve extracted this list from the documentation:

ADMtek AN986 Pegasus
ASIX AX88172,AX88178,AX88772,AX88772A,AX88772B and AX88760
CATC EL1210A (10Mb only!)
Kawasaki LSI KL5KLUSB101B
RealTek RTL8150
SMSC LAN95xxx
Davicom DM9601

I’ll be doing some experiments with a few of these to see which work best, but if you’ve got any further information please comment!

Incidentally, thus far I’ve been happy with ASIX chips. That said, I’ve not tested them, or the others, to their limits yet. They do seem stable though.

Networking FreeBSD Jails

Or port forwarding to a jail

I’ve already explained how easy FreeBSD jails are to set up and use without resorting to installing heavy management tools, but today I thought I’d add a bit about networking. Specifically, how do you pass traffic arriving on a particular port to a service running inside a jail?

It’s actually very easy. All you need is a very local network inside FreeBSD, natted to the one outside.

Suppose you have your jail.conf set up as per my previous article. Here’s an excerpt:

tom { ip4.addr = 192.168.0.2 ; }
dick { ip4.addr = 192.168.0.3 ; }
harry { ip4.addr = 192.168.0.4 ; }

The defaults were set earlier in the file; the only thing that’s unique about each jail is the IP4 address and the name. What I didn’t say at the time was that 192.168.0.0 could have been on an internal network.

To define your local network just define it in rc.conf:

cloned_interfaces="lo1"
ipv4_addrs_lo1="192.168.0.1-14/28"

This creates another local loopback interface and assigns a range of IPv4 addresses to it. This can be as large as you wish, but I’ve defined 1..14 (with appropriate subnet mask) because they’ll be listed every time you run ifconfig!

Next you’re going to need something to do the natting. pf us your friend. Enable it in rc.conf too:

pf_enable="yes"

And you’ll need an /etc/pf.conf file to do the magic. I like pf – it’s easier for my brain to understand than most. Here’s an example file:

PUB_IP="192.168.1.217"
INT="bge0"
JAIL_NET="192.168.0.0/24"
TOM="192.168.0.2"
DICK="192.168.0.3"
HARRY="192.168.0.4"
scrub in all
nat pass on $INT from $JAIL_NET to any -> $PUB_IP
block on $INT proto tcp from any to $PUBIP port 111
rdr pass on $INT proto tcp from any to $PUBIP port 3306 -> $TOM
rdr pass on $INT proto tcp from any to $PUBIP port {21,80,443} -> $DICK
rdr pass on $INT proto tcp from any to $PUBIP port 81 -> $HARRY port 80

So what’s going on?

I’ve used a few macros. PUB_IP is your public IP address, and INT is the interface it’s on. pf may figure some of this out, but I’m being explicit.

TOM, DICK and HARRY are the IPv4 addresses of the jails.

Next I’m scrubbing all interfaces (normally a good idea, but you don’t have to). But the next line is important – it uses nat to allow stuff on your jail network to talk to the outside world.

The following line is where you might want to block more stuff – in this case NFS on port 111. Then we’re back to jail things for the final three lines. They’re pretty self-explanatory, but here’s an explanation anyway.

Let’s say the tom jail is running a MariaDB server on port 3306. The first line takes anything arriving on port 3306 and sends it to tom’s jail IP. Simple. It can reply because of the nat line earlier.

dick is running a web and ftp server, so ports 21,80 and 443 are sent there. The pf syntax lets you do nice stuff like this with the {..}

Finally we come to harry. Here we’re running an http server on port 80, but to make it accessible externally we’re mapping it to port 81 as otherwise it would clash with dick. In other words, if you don’t specify a destination port in the redirect it will assume the same as the source port.

And that’s it! When you jail is started you will see an interface lo1 with the IP address defined in /etc/jail.conf and assuming you have something sensible in /etc/resolv.conf you’ll have a jail that looks like it’s running behind a NAT router with port forwarding.

Of course, if you don’t need to map a jailed service to an external IP address, don’t! Jails can access services on each other using their own virtual network.

What’s a “digital motor”?

It’s certainly not just a fancy name for an electric motor, but the term “digital” was added by Dyson (I believe) to make his vacuum cleaners sound more exciting. Before that they were known as “brush-less” DC motors.

In simplistic terms, an electric motor works by having a moving electromagnet attracted to a fixed magnet, with the electromagnet on the spinning bit in the middle. Turn on the current and the electromagnet gets pulled towards the fixed magnet. Yeah! We have motion. However, when the two magnets reach each other they’re going to “stick”, so at that point you need to reverse the polarity of the current in the electromagnet so it changes from North to South, and it will then push itself away from the fixed magnet – carry on spinning.

In a traditional motor this is achieved using a commutator, which contains two contacts (+ve and -ve) called “brushes” which wipe against contacts on the spinning bit and provide power to the electromagnet. As the motor turns 180 degrees, the contacts are arranged so that the polarity is reversed – pull becomes push and vice versa, and the motor continues to rotate another 180 degrees – where it repeats.

To run smoothly you need more than two magnets, so something is always pulling, but that’s the general idea.

These brushes are a PITA. They cause friction, wear away, and make sparks. But it’s 19th Century technology and the best we had for a long time.

A brush-less DC motor uses electronics to switch the polarity in the electromagnet. It uses a sensor on the spinning bit to work out which electromagnets need current and when. This can be done with analogue or digital electronics according to taste. Hence someone decided to call it “digital” after a while, because digital was “cool”. However, a digital motor has many advantages – not least of which is getting rid of the hated brushes and the need to replace them periodically. If you have smart electronics the motor can be more efficient by applying exactly the right current for requirements, to more electromagnets. It’s similar in a way to electronic fuel injection motor vehicles (if you’re old enough to remember carburettors) – there’s a chance to put in the right power at the right time, saving energy and improving performance.

An AC motor doesn’t have the commutator problem, because the AC current is changing polarity all the time anyway. You could look at a brush-less DC motor as a AC motor, with the DC converted to AC by electronics.

Wake on LAN with FreeBSD and Broadcom Ethernet

To be fair, the Broadcom Ethernet adapter chips aren’t the best supported by FreeBSD. They’re okay, but for FreeBSD Intel rules the roost at 1-Gig and Chelsio at 10-Gig plus.

Unfortunately you may have no choice, as Broadcom chips are built in to the motherboards on some HP servers; notably the Microservers.

The Microserver Gen 7 is a great little box. I love them. I’m not so keen on the Gen 8 or Gen 10, as they’ve dropped a lot of the features that make the Gen 7 so adaptable.
So after much investigation, I decided to either forego WoL support, or bung in a cheap Realtek card simply to wake them up, but with only two PCIe slots, it was a pity to waste one on a better supported Ethernet NIC. That was a long time ago, and I’ve had one eye out for a fix for a while.

And then last year someone looked at it, and I found references to this in bug tracker. Unfortunately I don’t know who to credit with the fix, and it hasn’t made it to the kernel yet as it’s not 100%, but if you need it I’ve patched the 12.1 driver based on all the notes I could find.

There’s a question about the new driver’s correct operation on laptops. Why you’d be using WoL on a laptop eludes me; but for the Microservers it just works.

Download the patched driver ‘C’ file above (as edited by yours truly – no guarantees), and copy it to /usr/src/sys/dev/bge/if_bge.c, rebuild the kernel and away you go. As it was a bug with the state the chip was left on shutdown, you have to reboot the NEW kernel to shut down in the correct state for WoL to work. Don’t forget to enable WoL in the Microserver BIOS too.

Although this fixes the WoL issue, I know the Broadcom chips are capable of more than the driver – for example jumbo packets. If you want better network performance with a Microserver, add a dual-port Intel Ethernet card instead. Sorry, HP/Broadcom.

FreeBSD in Godden Green

What is going on with FreeBSD in Godden Green in Kent, UK? Jobsite has been spamming me with junior/mid-level programmer roles mentioning FreeBSD for months now, and I’m getting curious!

I have an alert set up so whenever FreeBSD is mentioned I get a ping, as I like to know what’s going on. This isn’t one of the usual suspect AFAIK – they might even be interesting!

The Huawei thing

A few months ago I was asked for comment on the idea that an embattled Theresa May was about to approve Huawei for the UK’s 5G roll-out, and this was a major security risk. Politics, I assumed. No one who knew anything about the situation would worry, but politicians making mischief could use it to make a fuss.

Now it’s happened again; this time with Boris Johnson as Prime Minister. And the same old myths and half-truths have appeared. So is Chinese company Huawei risky? Yes! And so is everything else.

Huawei was founded by a brilliant entrepreneurial engineer, Ren Zhengfei in 1987, to make a better telephone exchange. It came from the back to become the market leader in 2012. It also made telephones, beating Apple by 2018. While the American tech companies of the 1980’s grew old and fat, Huawei kept up the momentum. Now, in 2020, it makes the best 5G mobile telephone equipment. If you want to build a 5G network, you go to Huawei.

Have the American tech companies taken this dynamic interloper lying down? No. But rather than reigniting their innovative zeal, they’re using marketing and politics. Fear, Uncertainty and Doubt.

Some arguments:

“Huawei is a branch of the evil Chinese State and we should have nothing to do with it.”

Huawei says it isn’t, and there’s no evidence to the contrary. The Chinese State supports Chinese companies, but that’s hardly novel. And whether the Chinese State is evil is a subjective judgement. I’m not a fan of communist regimes, but this is beside the point if you’re making an argument about technology.

“Huawei is Chinese, and we don’t like the government or what it does”.

So we should boycott American companies because we don’t like Trump? We do business with all sorts of regimes more odious that the CPC, so this is a non-argument. You could make a separate argument that we should cease trade with any country that isn’t a liberal democracy, but this could be difficult as we’re buying gas from Russia and oil from the Middle East.

“Huawei works for the Chinese secret service and will use the software in its equipment to spy on, or sabotage us.”

First off, Ren Zhengfei has made it very clear that he doesn’t. However, there have been suspicions. In order to allay them, Huawei got together with the UK authorities and set up the HCSEC in Banbury. Huawei actually gives HCSEC the source code to its products, so GCHQ can see for itself; look for backdoors and vulnerabilities. And they’ve found nothing untoward to date. Well, they’ve found some embarrassingly bad code but that’s hardly uncommon.

Giving us access to source code is almost unprecedented. No other major tech companies would hand over their intellectual property to anyone; we certainly have no idea what’s inside Cisco routers or Apple iPhones. But we do know what’s inside Huawei kit.

“Because Huawei manufactures its stuff in China, the Chinese government could insert spying stuff in it.”

Seriously? Cisco, Apple, Dell, Lenovo and almost everyone else manufacturers its kit in China. If the Chinese government could/would knobble anything it’s not just Huawei. This is a really silly argument.

Conclusion

So should we believe what the American’s say about Huawei? The NSA says a lot, but has offered no evidence whatsoever. The US doesn’t use Huawei anyway, so has no experience of it. In the UK, we do – extensively – and we have our spooks tearing the stuff apart looking for anything dodgy. If we believe our intelligence services, we should believe them when they say
Huawei is clean.

Being cynical, one might consider the possibility, however remote, that America is scared its technology companies are being bested by one Chinese competitor and will say and do anything to protect their domestic producers; even though they don’t have any for 5G. Or if you really like deep dark conspiracies, perhaps the NSA has a backdoor into American Cisco kit and wants to keep its advantage?

The US President’s animosity to trade with China is hardly a secret. Parsimony suggests the rest is fluff.