Frank Leonhardt's Blog

Am I being phished?

Today I received an intriguing email with a Microsoft Word attachment implying I had money coming to me if I filled in a form. Yeah, right. I was just about to hit delete but I was a bit surprised the sender was addressing me as Prof. Leonhardt. It’s hardly the first time someone’s got this wrong – and to be on the safe side I can see why people might start high and work backwards through Dr. and so on, as people who are about such matters are only offended if you start too low.

But why would a botnet add the title?

On closer inspection I recognised it was a royalty payment enquiry from a publishing company that had actually done a book for about five years ago. I didn’t expect it to sell (it wasn’t that kind of book), so hadn’t thought much about out.

But I still haven’t opened the attachment. The email headers suggest it came from the publisher, but they can be forged. And this could be a clever spear-phishing attempt – after all, if you bought the book, which was largely about email security, you’d have the name of the publisher and my name – and the email address used can be found using Google.

I don’t believe I have ever been spear-phished before, so I’m feeling a bit more important than I did yesterday.

Time to fire up the sandbox!

23-May-1623-November-21

FreeBSD, ZFS and Denial of Service

I’ve been using ZFS since FreeBSD 8, and it has it’s uses. It’s pretty be wonderful and all that, but I was actually pretty happy with UFS, and switching to ZFS isn’t a no-brainer.

So what’s the up-side to ZFS? Well you get more error checking and correction and it’s great for managing huge filing systems. You can snapshot and roll back, and do lots of other wonderful stuff with datasets and rive arrays. And it’s more “auto” when it comes to allocating disk space. But call me old fashioned if you like; I don’t like “auto” if I can avoid it.

Penguinistas might not “get” this next bit, but on a UNIX system you didn’t normally have One Big Disk. Instead you had several, and even if you only had one, you’d partition the slice it up so it looked like several. And then, of course, you’d mount disks or partitions on to the root filing system wherever you wanted them to appear.

For reliability, you could also create mirrors and striped RAIDs, put a FS on them and mount them wherever you wanted. And demount them, and mount them somewhere else, and so on.

ZFS does all this good stuff, but automatically, and often as One Big Disk. A good thing? Well… if you must. But there are a few points you might want to consider before diving in.

First off, I like to know where and on which disk my data actually resides. I’m really uneasy with ZFS deciding for me. If ZFS loses it, I want to know where to find it. I also like having a FS on each drive or partition, so I can pull the drive out and mount it wherever I want to get data off – or move it from machine to machine. It’s my data, I’ll do what I want to with it, dammit! You can do this virtually with ZFS datasets, but you can’t unplug a dataset and hold it in your hand. Datasets, of course, are fluid rather than fixed in size, so you don’t need to guess how much space to allocate.

Secondly, with UFS I get to decide what hardware is used for each kind of file. Parts of the FS that are rarely used can be put on slow, cheap, huge disks. The database goes on a velociraptor or better, and the swap partitions – well! Okay, you can use multiple zpools for difference performance situations but then you’re using it like UFS.

Thirdly, there’s a price for all this ZFS wonderfulness. Apart from the software overhead, the Copy-on-Write business needs a lot of RAM to maintain good performance. Fragmentation no the physical drive is guaranteed. If you’re running software (e.g. a database) that uses random access files and lots of transaction, UFS with its in-place modification wins out. A DBMS will take care of its own consistency and storage optimisation, and it has the edge as it knows what the data represents at the application level.

But what of the Denial of Service problem in the headline? Okay, it’s been a bit of a ramble, but this is something you must consider.

There are always management issues with One Big Disk. Linux users seem oblivious to this, but this doesn’t mean putting everything on a big partition is a great plan – even if you’re using a single disk in practice.

With the old way of having multiple partitions, each with an FS, mounted on the directory tree, when an FS on a partition/drive filled up, it is was full. You couldn’t create more files on it. You either have to delete unwanted stuff, or you can mount a bigger drive in its place. With One Big Disk, when it’s full, it’s also full. The difference is that you can’t write any data anywhere on the entire FS. And this is where DoS comes it.

Take, for example, /var/log. Any UNIX admin with a bit of sense will have this in its own partition. If some script kiddie then did something that caused a lot of log file activity, eventually you’d run out of space in /var/log. But the rest of the system would still be alive. With UFS the default installation process created partitions with sensible sizes. Using the One Big Disk principle, ZFS satisfies the requests of any disk-eating process until there isn’t a single byte left anywhere, and then rolls over saying the zpool is full. Or it would say it if there was a monitor connected to the server in a data centre miles away, and there was someone there to look at it.

With ZFS you can set a limit to the size on a dataset-by-dataset basis and prevent this sort of thing from happening. But it doesn’t happen by default, so set your quotas manually if you’re plonking the OS, and in particular /var on it.

Okay, this might sound a bit anti-ZFS, and I’ve yet to have a disaster with a ZFS system that’s required me to move drives around, so I don’t really know how possible it is when the chips are down. And ZFS has is a nice unified way of doing stuff, rather than fiddling around with geom and the FS separately. But after a couple of years with FreeBSD 10, where it became practical to boot from ZFS, shouldn’t I be feeling a bit more enthusiastic about it?

Having a ZFS pool attached as a data store rather than as a boot device is, of course, a different story. That’s when you see the benefits. But it does also eat resources, so I want the benefits to be worth it for the particular application. For the time being I’m putting the OS on UFS, usually with a data partition for databases to thrash, and userland putting simple files on ZFS – best of both worlds.

17-May-1617-May-16

BBC plays the temperamental chef

Today the BBC hit back after being told to do its job. The white paper on its future told the public service broadcaster that it needed to produce public service output, rather than duplicating material ably produced by the commercial sector. The phrase used was “distinctive output”, and this was repeated ad nausium in its reporting of this morning’s story that it would be dropping its popular web recipe archive.

The reason given was that this was not “distinctive output”, and according to Radio 4’s Today programme, it was to save £15M/year from its on-line budget. Really? Anyone who knows anything about web publishing can tell you that publishing recipes is cheap, especially when you already have them. A quick look around the BBC more exotic on-line offerings will soon show where the money really goes.

So what are they up to? Politics, of course. The liberal elite running the BBC isn’t happy about being reminded how it is supposed to be spending our money, and is acting up in a disgraceful manner.

In its own on-line reporting of the matter, the BBC is linking this to the new requirement to publish details everyone having their celebrity lifestyle funded by more than 450K of our license money. This is going to be be awkward for the luvvies and the star-struck BBC executives fawning over them.

It’s about time the BBC started serving the people who pay for it. It’s hardly impartial when it comes to politics; it’s right in there playing politics itself – albeit the playground variety.

14-May-16

BT’s Infinitely useless Infinity call centre in India

In the middle of last week I was expecting an important call. It didn’t come. Then someone said they’d been trying to get me on the phone and couldn’t. It turns out I’ve got a line fault. And OpenReach’s response so far is an object lesson in to how to get things wrong.

First off, the fault results in the caller hearing a ringing tone but nothing ringing at this end. This means the caller simiply thinks your not answering. BT’s automated system quickly identified that the line wasn’t working, but I had to ask that callers got an “out-of-order” message. Is OpenReach reluctant to admit that it’s lines could be faulty?

The line provides VDSL and an analogue telephone, which goes in to a PABX. Therefore its lack of dial tone wasn’t noticed; the PABX simply skips until it finds a working line when you’re making an outside call. But on plugging a handset direct to the line, it’s as dead as a doornail. No voltage across A-B, no dial tone, no crackle. Nothing. Except, strangely, the VDSL is still working.

Now anyone with half a brain will realise that the pair is good, and the fault is going to be in the street box or exchange. My guess is that it’s in the green cabinet up the road where my line connects to the FTTC service.

So, several days pass and I notice it hasn’t been fixed. Then I get a call (on one of the remaining working lines) from BT; an obviously foreign accent. Apparently they have determined that there is a fault outside of the exchange (and by implication in my cabling). It’s not with me. The first thing anyone would do is disconnect the PABX and the VDSL modem (and its filter) and test the incoming socket. Just try explaining this to an overseas call centre reading from a script. To humour the hapless fool I eventually I again removed the NTE5 face plate (she didn’t even know what an NTE5 was!) and plugged a handset direct in to the incoming socket. Only then would she agree to send an “engineer” to look at it.

I did explain exactly where the fault was likely to be (remember, the VDSL hasn’t been interrupted – it’s not difficult to work it out). Apparently an engineer is now booked for Monday afternoon. I pointed out that he’d need to call me to get access, should it be needed (it shouldn’t) but I’m not sure she took it in.

And then, insult to injury, she sent a text message to the landline!

I told them about the fault days ago, and exactly what the problem was. It was flagged as fault on their own self-diagnostic. And OpenReach couldn’t even mark the line as out-of-order to callers until I moaned at them. BT makes a lot of money implementing overseas call centres. Yet even they can’t get them to work on a human level.

3-May-16

New mystery “Appear in Court” malware

In the early hours of the morning (BST) I intercepted a large number of emails of the “Appear in Court” variety, but unlike usual, these were not Microsoft documents but JavaScript (stored in a .ZIP file). They end in .doc.js, which means they obviously look odd.

I couldn’t resist running a few, to see what they did, and the answer is not much. They run cmd.exe and I’m pretty sure it does an egg hunt to find some code in core to execute, and it goes looking for DOCUME~1.DOC in various likely locations. But in my sandbox, it doesn’t get anywhere.

These are being spammed from clean IP addresses, no AV currently detects them by signature, so they’re going to get through. But what do they need to run, and what do they do if they succeed? Unfortunately I can’t stick around this morning to check further.

25-April-1627-April-16

UbuntuBSD – lovechild of Linux and FreeBSD

It’s no secret that Linux users with good taste have viewed the FreeBSD kernel with envious eyes for many years. A while back Debian distributions started having the FreeBSD kernel as an option instead of the Linux one. (Yes, you read that correctly). But now things seem to have been turned up a notch with UbuntuBSD.

It seems a group of penguinistas regard the Ubuntu world’s adoption of systemd as a step too far, and forked. And rather than keeping with Linux, they’ve opted to dump the whole kernel and bolt the Ubuntu front-end on to FreeBSD instead, getting kernel technology like ZFS and jails but “…keeping the familiarity of Ubuntu”.

Where could this be going? We already have PC-BSD for a “shrink wrapped” graphical desktop environment. Is anyone actually using it? I’m not. I’m sure we’ve all downloaded it out of curiosity, but if I want a Windows PC I’ll have a Windows PC. With BSD I’m more than happy with a command line, thank you very much.

UbuntuBSD could be different. Linux users actually use the graphical desktop, and most can’t cope with a command line. If they were to switch to FreeBSD instead, UbuntuBSD would make a lot of sense.

Although it’s only been around a month, in early beta form, its Sourceforge page is showing a lot of downloads. If I wanted to run a graphical desktop on top of FreeBSD, UbuntuBSD would make a lot of sense over PC-BSD, because I get the vibes that Ubuntu has desktop applications more together.

The project has just launched its own web site too, at www.ubuntubsd.org.

So does this spell the end of PC-BSD, Ubuntu Linux, Windows 10 or none of the above? It’s surely a strong vote against systemd.

20-April-1627-April-16

FreeBSD 10.3 hangs on upgrade – beware!

There seems to be a bit of a problem with upgrades to FreeBSD 10.3-RELEASE. Basically, shutdown -r is hanging, requiring you to manually reset the machine (turn it off and on again). This is annoying unless the machine in question happens to be at a data centre on a different continent, in which “annoying” really doesn’t cut it.

This was a known issue with 10.3-STABLE., but it appears to have made it in to -RELEASE too.

I suggest not using freebsd-update. Basically if you follow the official instructions you may need someone on hand to reboot the old fashioned way.

18-April-16

OKI laser duplex unit doesn’t work

OKI C5650 or C5750

This was a weird one. For some reason my OKI c5750 printer (similar to c5650) started ignoring its duplex unit. Stuff was printing on two sheets, single sided. I checked the Windows drivers, and that Duplex long-edge was enabled on them and on the printer control panel. But nothing was doing. The two single-sided sheets came out instead of double-sided, and what’s more it seemed slower than usual.

I initially thought it was a Windows fault introduced by my recent troubles. Had I restored the printer driver to a weird state? But after half an hour of fishing around I finally found the problem on the web interface. It’s subtle.

You can select the weight and type of paper for various trays. It turned out that the tray I was using was set to “thick” and “glossy”. I reset this to “normal weight” and “normal”, and everything started working again. I assume that the OKI internal software won’t send think paper (i.e. light card) into the duplexer, but it doesn’t tell you this. The Windows restore must have set the manual feed tray to light card. This would also explain the slower roller feed.

I hope this helps if you’re also having trouble.

15-April-1618-April-16

Great Northern Trains First Class grott-hole

GreatNortherFirstClassTip — Great Northern Trains “First Class”. What you can’t see is the dirt, sticky carpets and tables.

I’m currently on the 11:52 Great (sic) Northern Trains service from Kings Cross to Cambridge. I’m in First Class. The compartment is a tip – strewn with litter and the tables are filthy. It has the kind of carpet that you stick to in places. The ticket collector has just been and gone, and I pointed out the state of the place. She shrugged. I enquired if anyone ever cleaned it. “Only if there’s time.”, she said.

I pointed out that this really wasn’t good enough, especially for a first class compartment. It wasn’t Northern Train’s fault, came the reply. Apparently “It’s because of the customers, we put up notices but they still drop litter.”

In a normal compartment I’d have some sympathy with this; in First Class it’s not really the right attitude. I’ve seen at least three Northern Trains staff crewing the train; one of them could clear it. Why else am I paying three times the price for the ticket? For a table I don’t want to use without using anti-bacterial cleaner first (which I forgot to pack silly me).

Update:

I brought the state of the compartment to the attention couple of Northern Trains customer service representative ticket barrier. Apparently the turn-around at Kings Cross is too short to do anything about cleaning the whole train. I pointed out that I was talking about a dozen seats and two tables in a tiny First Class compartment and they fully understood my point, agreed it was indeed unacceptable, and apologised for the ticket inspector. So Norther Trains – are you listening?

11-April-16

Microsoft Windows Backup Dramas

brokengreenglass Always take a backup. Everyone knows that. There are plenty of articles on the web singing the virtues of the the new (Windows 7, 8 and 10) backup utility, and how easy it is to use. But none on how to actually restore your data when things go wrong. ‘sfunny that.

A week ago, when my Windows PC decided to scramble its hard disk I felt smug for having followed my long-standing advice. I’d taken an Image Backup of the entire system disk with the applications installed, data files were shadowed on a server (FreeBSD of course) and I had last month’s “User files” Windows backup to bring the system up-to-date (the odd Windows update notwithstanding). And even better, the system was still in a condition to boot albeit with a few warnings about corrupted DLLs, none of which were important.

Ha!

The first stage in any situation like this is to make an exact copy of the trashed drive in case things go horribly wrong. This involves mounting the disk on a working system and copying the drive as data. If you;re reading this because you are having problems, but don’t have the ability to image a drive, please find someone who can do this for you. The remainder of this diatribe assumes that you either know what you’re about, or at least have a safe copy of the disk you’re about to try and resurrect.

Only when the drive is imaged and safe is it okay to to try to boot the machine and run CHKDSK. No hardware faults were found in this case, but it fixed numerous errors in the directories and it was pretty obvious that nothing on the disk could be trusted. Windows had obviously gone ape and trashed the disk itself. so it was necessary to restore from a Backup Image to ensure the system was clean. And this is where my fun really started.

You have to reboot the PC into recovery mode (Windows RE). This is achieved by holding down a function key on boot and selecting the “Recovery” option from possible boot disks (details vary by manufacturer), or if you’re running Windows already you can find it under Advanced Options on System Restore – it will reboot to Windows RE mode for you. Then all you need to is select the image you want to restore, which in my case was on the network, so I entered the server details and login as requested. No dice.

Re image Your Computer

An internal error occurred. The following information
might help to resolve the error:

The network location cannot be reached. For information
about network troubleshooting, see Windows Help (0x0800704CF)

The restore utility must be wrong, and a quick Google search threw up some possible explanations. In my case it was nothing to do with the file permissions; it was on a FreeBSD cluster and I’m very confident I have control over the file permissions on that.

So what next? A Windows Image backup (since Windows 7) creates a .vhd file (Virtual Hard Disk). This is Microsoft’s half-arsed equivalent to being able to mount a file as an device and then using an FS on it. You can mount (Attach) a .vhd file from the “Mange Computer” console, using menu that pops up when you right-click on the “Disk Management” part of the tree on the left, which is not obvious. (Even less obvious: to detach it you need to right-click on the left-hand area representing the drive in the partition map on the right).

So, if Windows RE couldn’t read the image across the network I decided to use Windows itself to copy the files back manually by mounting the .vhd from the backup location. This isn’t that simple; you can’t copy the OS back while it’s running so you need to boot from somewhere else before you finish the job, but its better than a poke in the eye with a sharp stick.

Again, no dice.

“This image was created by a different version of Windows”

What? No way! It was created by this version of Windows; on this PC, no less.

This may have been because, for some bonkers reason, you can’t mount a backup .vhd as read-only, at least the first time its mounted on anything. It doesn’t tell you this, it just says that its an incompatible version. You must un-check the Read-Only box; and if you’re like me, you’ll make a backup of the backup before doing this. But it still didn’t work.

I tried again with the backup .vhd I’d made, largely because it had a much shorter name, and bingo! It mounted and all my files were visible. What’s going on? It wasn’t a permissions issue – of that I’m certain. The only explanation I’ve have is that the path name was too long before, with the Microsoft names being a UUID (GUID). Try shortening the name/path if you can’t mount a .vhd.

Armed with this knowledge that the .vhd really was good, I fiddled the file names and associated links and tried Windows RE image restore again, but with the same 0x800704CF error code as a result. A bit more digging, and it turns out this means that basically the system isn’t talking to the network card, probably because there is no driver. Microsoft’s solution is to install the driver with the disk that came with the card. But this Lenovo PC came with pre-installed Windows and NIC – Microsoft doesn’t supply Windows OEM on a disk any more, never mind a driver CD. One might assume, given that Windows RE happily asked me for network credentials as I supplied it with the network address of the image, that it had the network driver pre-installed. But that would be to sensible.

Rather than messing about looking for a suitable NIC driver and burning it to a CD, I just copied the “WindowsImageBackup” folder to the root of a USB-connected and disk and it restored just fine. Actually, it only worked after I moved the USB drive from its normally USB 3 slot to a USB 2 slot, because presumably Windows RE doesn’t have a driver for USB 3 hardware either. A pattern was emerging.

The image was restored; all my software was back. The only snag is that there were more than 200 Microsoft updates; taking another four hours to install. But at least I knot it’s now a clean install, and as a reward for my hard work I was able to put put of installing the Windows 10 “upgrade” nagware (KB2952664 and KB2976978 if you’re interested – it doesn’t identify itself as such).

So what have I learned from all of this? “Don’t Trust Microsoft”? Well I haven’t trusted a Microsoft backup solution since MS-DOS 2.1, and with good reason. But from now on I’ll always take the trouble to use dd image for imaging drives in future, even if that means taking them out of the PC to do it.