South Korea attacked from Chinese IP address so it must be North Korea

On Wednesday, South Korea’s government said malicious code from unknown hackers caused “massive” computer network failures at several banks, the police and TV stations. ATM machines ceased to function. The South Koreans seemed fairly quick to blame it all on the nasty people from the North.

This morning I woke up to the news that the attacks originated from an IP address in China; “apparently” it’s a favourite tactic of the North Koreans to work indirectly through Chinese IP addresses to cover their tracks.

The whole story is starting to pong.

Facts are scarce, but the suspicion is that this malware was distributed by email in the traditional manner, using files called ‘KBS.EXE’ and ‘MBC.EXE’ (Page in Korean but you can get Google to translate). This doesn’t sound like a targeted attack on critical infrastructure, it sounds like a standard malware delivery to PCs. It’s claimed that the malware activated on Wednesday and wiped the hard disks, displayed skulls and so on. It’s possible, but another explanation is that malware often attempts to install itself on the boot partition and sometimes goes wrong, leading the luser to believe the disk has been maliciously wiped when in fact it’s just been made inaccessible accidentally, and it won’t boot. The synchronised timing could be accounted for by a botnet software upgrade that didn’t work as expected.

Now let’s consider the “plot”: To knock out critical South Korean infrastructure. If you wished to disrupt the Internet, that’s what you’d have to attack; not the endpoint PCs. Attacking PCs simply inconveniences individual users rather than taking down an organisation. The suggestion that an email virus could take down the ATM network is, frankly, ridiculous. How do you kill an ATM machine by emailing it? Or the bank’s mainframe? If there was ATM disruption, it could have been a side-effect of botnet traffic gone wild, but to say it was targeting the ATM network needs evidence to back it up before I’d take it remotely seriously. A DDoS attack may be possible if it’s not isolated from the Internet, but if that were true they were being very lax about things, and reports are talking about PC malware, NOT a DDoS attack.

And what of the attacking IP address traced back to China? No surprise there. China is botnet central. To be blunt, a lot of the software used on private computers in China is bootleg, which means it’s either supplied with botnet software pre-loaded, or isn’t able to receive security updates from Microsoft, making it easy prey. It’s no coincidence that the incidence of zombie computers is higher in countries where intellectual property rights are less vigorously enforced, and that part of the world is a case in point. So, whilst it’s true that North Koreans would use botnets based in China, it’s also a meaningless statement. Everyone uses botnets based in China and the Far East.

Reports could be wrong, of course. This could be a DDoS attack against the South Korean Internet in general, and specific high profile targets. However, this does not square with the malware reports of computers not booting, and “skulls appearing on screens”.

The whole thing pongs. Here’s my theory: Social engineering emails were used to distribute malware in South Korea. Because the criminals were using emails in Korean, only Korea was affected. Either maliciously, or more likely through incompetence, the malware tried to install some botnet software and broke a number of PCs. The news media in Korea has been quick to blame this on a sinister North Korean plot, and the world’s media has picked this up as a story without enough people sanity-checking the whole scenario.

Another Yahoo mail account pwned

This is getting ridiculous. I don’t monitor Yahoo or other freemail accounts in any way, but it seems like almost every week I come across one that’s been taken over by criminals. I got another email this morning from the account of an old friend sent by Yahoo webmail. He’s a BT Internet customer, and I’ve no doubt from some features on it that it was sent out by someone sitting at a web browser, logged in as him. It wasn’t him, unless he’s moved to Hyderabad and taken up a life of crime – unlikely, he’s a retired fire officer in the north of England, and it’s not his style.

Yahoo obviously provides BT’s email service, so their customers get a Yahoo webmail account, like it or not.

This happens to other freemail users too, but the number of Yahoo accounts being hit is getting disproportionately ridiculous. Yahoo would need more customers than everyone else put together if this was just a random effect.

So what is going on? My assumption in cases like this is usually that the compromised accounts have been as a result of key loggers at Internet cafes or public Wi-Fi systems. It makes sense, and fits the facts in cases I’ve investigated. But not this time…

Earlier this year there was a problem with Yahoo involving cross-site scripting that could affect insecure web browsers (that includes all of the commonly used web browsers). A character called Shahin Ramezany uploaded a video to YouTube showing how to do this. Yahoo very quickly came back with a fix. They said. This is just the latest in a long line of embarrassing problems – in Summer last year someone broke in to their computers and pinched a lot of confidential files.

Researchers at Bitdefender have also worked out how to do this, and it’s unclear whether Yahoo really has fixed the problem. For technical details, see CVE-2012-3414. It works by cookie harvesting, taking advantage of the way cookies are shared between different levels of a domain path.
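The cookie-sharing property the paragraph above refers to, as an added example (not Yahoo’s or Bitdefender’s code, and the hostnames are constructed): a cookie set with a Domain attribute covering the parent domain is sent to every host under it, so a script bug on any one of those hosts can read it unless it is HttpOnly, whereas a host-only session cookie never reaches the other hosts at all.

```python
"""Added example (not Yahoo's or Bitdefender's code): why a cookie scoped to a
parent domain is exposed to every subdomain.  Hostnames are constructed.

A script-injection bug on any host under a shared domain can read every cookie
whose Domain attribute covers that host, unless the cookie is HttpOnly.  A
session cookie set without a Domain attribute (host-only) is only sent to the
exact webmail host, so a script running elsewhere in the domain never sees it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str          # Domain attribute, or the setting host when host-only
    host_only: bool      # True when the server sent no Domain attribute
    http_only: bool = False


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def cookies_sent_to(jar, request_host: str) -> list:
    """Cookies a browser attaches to a request for request_host (RFC 6265 5.4)."""
    sent = []
    for c in jar:
        if c.host_only:
            if request_host.lower() == c.domain.lower():
                sent.append(c)
        elif domain_match(request_host, c.domain):
            sent.append(c)
    return sent


def readable_by_script(jar, page_host: str) -> list:
    """Cookie names document.cookie would expose to script running on page_host."""
    return sorted(c.name for c in cookies_sent_to(jar, page_host) if not c.http_only)


# Constructed jar: a webmail session cookie set two ways, plus a tracking cookie.
WEAK_JAR = [
    # Domain=example.com: matches mail.example.com and every sibling host.
    Cookie("session_weak", "example.com", host_only=False),
    Cookie("tracking", "example.com", host_only=False),
]
HARDENED_JAR = [
    # No Domain attribute: host-only, sent to mail.example.com and nothing else,
    # and HttpOnly so even script on the mail host cannot read it.
    Cookie("session_strong", "mail.example.com", host_only=True, http_only=True),
    Cookie("tracking", "example.com", host_only=False),
]

if __name__ == "__main__":
    other_host = "games.example.com"   # constructed: some other host in the domain
    print("weak:    ", readable_by_script(WEAK_JAR, other_host))      # ['session_weak', 'tracking']
    print("hardened:", readable_by_script(HARDENED_JAR, other_host))  # ['tracking']
```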

Either this remains very much a problem, six weeks after Yahoo claimed to have fixed it, or the criminals have a large backlog of compromised user accounts and they’re just working through them. Users of freemail beware – how well do you think, with the best will in the world, that their operators will be able to provide technical assistance to hundreds of millions of advertising-supported punters?

If you have a Yahoo or BT Internet account, my advice is to log in and change the password right now, if you want to keep it.

787 Batteries Included – Why Li-Ion and aircraft shouldn’t mix

787 battery (over-cooked)

Poor Boeing – its 787 “Dream liner” fleet looks like it’s grounded for at least another month following fires in its Li-Ion battery. Many years ago I found myself researching and writing several articles on battery technology, and at the time I really didn’t like Li-Ion, even though it was being pushed as the latest thing. So I’m not that surprised that Boeing has had trouble. I’m only surprised that they used such risky technology in an aircraft, assuming it hadn’t been refined since I last looked at it. Given the problems they’ve had, it clearly hasn’t been refined.

Li-Ion batteries can actually be made from a very wide range of chemistries, all with different characteristics. The anode is normally carbon, but the cathode can be various metal oxides and the electrolyte a lithium salt – plenty of combinations to try. I understand that Boeing went for lithium cobalt oxide, which has one of the highest energy densities (better power-to-weight ratio) but is also considered one of the most flaky. It’s the same chemistry as is commonly found in consumer devices with Li-Ion batteries. It’s the battery technology that the airlines felt so strongly was unsafe that they initially banned it from your luggage (only allowing it later so business travellers could still use their laptops). It’s the type of cell that UPS won’t allow on international flights. And Boeing decides it’s a good idea to make a great big one and fit it in the heart of its new aircraft!

Apparently their plan is very much to mitigate the battery problems by encasing the cells in ceramic, putting it in a strong metal box and venting it to the outside in case it starts smoking again. The FAA will be asked to sign this off as safe – potentially it could be considered unable to bring down the aircraft, although one has to wonder how well it will operate once the battery has self-destructed in a contained environment. If it’s not important to the operation of the aircraft, why’s it there at all?

Li-Ion does have an advantage over less exotic technologies in that you can store more power in a smaller, lighter package. But at a cost. Apart from the cells costing a lot more and needing fancy charge controllers to operate them safely(!), they’re also quite fragile in the short term; and in the long term they don’t survive for long.

Did you know, for example, that Li-Ion batteries decay badly when they’re fully charged? This means that if you keep your battery topped up it will lose capacity. If you leave it run down it will decay more slowly, but what’s the point of lugging a flat battery around? This characteristic makes it ideal for companies like Apple to fit into products like the iPhone. Whatever you do regarding charging the battery, your iPhone will die in a few years, forcing you to buy a new one (if you’re stupid enough).

Conventional battery technologies, like NiCd, are far more robust. You can discharge them, fast-charge them, trickle-charge them and generally abuse them. They last for years, with no need for fancy controlling electronics. Lead acid is even tougher, and has been used for decades in hundreds of millions of motor vehicles. Yes, it’s heavy but it’s cheap, there when you need it and has a very good record for not self-destructing.

Yet Boeing seems to be struggling on getting Lithium-Ion to work. They probably have a reason, but I can’t see what it is other than not wishing to back down on what’s looking like a bad decision.

FreeBSD, Wake-on-LAN and HP Microservers – WOL compatible Ethernet

I’ve been having some difficulties getting Wake-on-LAN (WOL) to work with an HP Microserver thanks to its Broadcom Ethernet adapter not doing the business with the FreeBSD drivers – setting WOL in the Microserver BIOS doesn’t have any effect. I’m pleased to report a solution that works.

The on-board Broadcom Ethernet adaptor still refuses to play ball, for reasons described in my earlier post. The pragmatic solution is to use a better supported chip set and I’ve had no difficulties with Realtek (at the low end of the market) so it was an obvious choice. Just bung a cheap Realtek-based card in and use it as a remote “on” switch – what could possibly go wrong?

First off, the HP Microserver has PCI-Express slots, but weird looking ones. I’d assumed one was PCI when I’d glanced at it, but it’s a PCIe 1-channel slot with something strange behind it – possibly a second 1-channel slot. The documentation says it’s for a remote management card; presumably one which doesn’t need access to the back. There’s a 16-channel PCIe next to it. All very curious but irrelevant here. The point is that you’ll need a PCIe Ethernet card – a surplus 100M PCI one with a well supported, bog-standard chip, won’t do. The PCIe cards tend to be 1Gb, and are therefore not as cheap.

The first card I bought was a TP-Link TG-3458, which has a standard Realtek 8168B adapter chip. Or at least mine did; I note that there is a Mk2 version out there. Mine’s definitely a revision 1.2 PCB, but if you buy one now it may have the newer chip (which is a problem – read on below). Anyway, this Mk1 card worked like a charm. Send it the magic packet and the Microserver bursts in to life. There’s only one snag: It has a full-height bracket and the Microserver has a half-height slot, so you have to leave the card floating in its socket. This works okay as long as no one trips over the cable.
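The magic packet mentioned above, as an added example (not HP’s, FreeBSD’s or the card vendor’s code): it builds the packet, checks that a received UDP payload really is one and for which MAC, and broadcasts it on the local segment. The MAC address and broadcast address are constructed placeholders.

```python
"""Added example: build, check and send a Wake-on-LAN magic packet.
Not FreeBSD's or HP's code; the MAC and broadcast address are placeholders."""
import socket
from typing import Optional

SYNC = b"\xff" * 6  # 6-byte synchronisation stream that opens every magic packet


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'; return 6 bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"MAC address must be 6 bytes, got {len(raw)}")
    return raw


def magic_packet(mac: str, password: bytes = b"") -> bytes:
    """6 x 0xFF, then the target MAC repeated 16 times, then an optional
    SecureOn password (0, 4 or 6 bytes) that some cards require."""
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes")
    return SYNC + parse_mac(mac) * 16 + password


def is_magic_packet(payload: bytes) -> Optional[str]:
    """Return the MAC a UDP payload would wake, or None if it is not a magic
    packet.  Handy for checking what the card (or a sniffer) actually saw."""
    idx = payload.find(SYNC)
    if idx < 0 or len(payload) < idx + 6 + 96:
        return None
    body = payload[idx + 6 : idx + 6 + 96]
    mac = body[:6]
    if body != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the packet on the local segment; returns the number of bytes sent.
    Port 9 (discard) is conventional; the NIC matches on the payload, not the port."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


if __name__ == "__main__":
    TARGET_MAC = "00:11:22:33:44:55"  # constructed placeholder: the card's MAC
    sent = send_magic_packet(TARGET_MAC)
    print(f"sent {sent} bytes to wake {TARGET_MAC}")
```

The packet has to reach the card’s segment as a broadcast, so run it from a machine on the same LAN as the Microserver.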

My second attempt was an Edimax EN-9260TX-E, ordered because it was (a) cheap-ish; (b) had a Realtek chip; and (c) had the all-important half-height bracket. It fitted in the Microserver all right, but refused to act on a WOL, at least to begin with…

It turns out there was a little bug-ette in the driver code (prior to 8.3 or 9.1), spotted and fixed by the maintainer about a year ago. If you want to fix it yourself the patch is here. I decided I might as well use the latest drivers rather than re-working those shipped with 8.2, so pulled them, compiled a new if_re.ko and copied it to /boot/kernel in place of the old one. It didn’t work. Ha! Was I naive!

Further investigation revealed that it was completely ignoring this kernel module, as it was using a driver compiled in to the kernel directly. There was no point having the module there, all it does is trick you in to believing that it’s installed. I only realised “my” mistake when, to my astonishment, removing the file completely didn’t disable the network interface. I solved the problem by compiling a new kernel with the built-in Realtek driver commented out, and I’m currently loading the new driver specifically in loader.conf. It works a treat. I could have changed the kernel Realtek driver, but while it’s under review it’s easier to have it loaded separately. Incidentally, the driver is for 9.1 onwards but it works fine on 9.0 so far.

The next task is to fix the Broadcom driver so it works. I may be gone some time…

Faith in Free Schools – Department of Education still hasn’t done its homework

The Department of Education has just lost in its bid to keep secret the “faith affiliation” of applicants planning to set up Free Schools, and has been forced to publish the figures by the Information Commissioner. It’s taken two years to get this information, and it’s interesting reading if you read them carefully.

Figures are not available for the first wave of 373 applications, but are (to an extent) for the second and third waves. I’ve been doing some number crunching.

Religion            Wave 2   Wave 3   Total        %
None                   202      183     385   74.47%
Christian               45       21      66   12.77%
Muslim                  17       18      35    6.77%
Plymouth Brethren       11        3      14    2.71%
Jewish                   3        5       8    1.55%
Sikh                     2        5       7    1.35%
Hindu                    1        1       2    0.39%

The breakdown is a little strange. In Wave 3 the different Christian denominations are specified in some cases but left as “Christian” for others, as they all are on Wave 2. Except the Plymouth Brethren, who appear always to be separate from “Christian” for some reason in both sets of data. “Muslim” and “Islam” are also two different religions, apparently. Did the compiler of these statistics know anything about religions?

I also have my doubts about whether religion has been reported at all. We’re asked to believe a school like Noah’s Kingdom (Reading) isn’t religious. To quote from their ethos description: “If life is based on human values then it is incomplete, but if we base our lives on the plan of God then we have a secure path.”

It’s not just the Christians – how about the Khalsa Science Academy in Leeds? Sounds Sikh to me! A quick look at their web site confirms my suspicions.

What about the Maharishi Free Schools? Non-faith? Yogis might fly! There’s even “Destiny Christian School” in Bedford that’s listed as secular. The clue should be in the name. It’s actually being proposed by “Miracle Church of God in Christ”, and is part of the Christian Schools’ Trust, whose attitude to creationism is that it is science and they intend to teach it as such.

In short, a quick scan through the names on the list is enough to show any reasonable person that the published data is full of errors. Journalists like those at the BBC may have taken them at face value, but they’re an insult to any thinking person.

Whatever you feel about so-called “Faith Schools”, having the data kept from us by Michael Gove and the Department of Education isn’t going to help with an informed debate.

Wave 1+2 Freedom of Information data from DofE

Wave 3 Freedom of Information data from DofE


CPC charging for free delivery! Well, not quite…

CPC Farnell is great. Most of the time. They’re a well established supplier of electronic bits and pieces (components) and they’ve recently branched out in to various other items of hardware. The prices are good, the service is spot on, and they’re based in England with sensible people at the end of the ‘phone. Their catalogue and web site is best suited to professional purchasers who know what they want and can see behind the manufacturer’s marketing descriptions, but that’s just fine. They’re box shifters, but they’re very good box shifters.

Last week they had a “special offer” for free delivery, even for small orders. I needed some cables forgotten from an earlier main order, so took advantage of the offer, only to discover on the paperwork that I was nonetheless charged! Being a good company to deal with in the past, I gave them a call. Apparently some genius there made the “free delivery” offer, but the web site software knew nothing about it and has been telling everyone they’ve been hit with a handling charge ever since. I suspect their operators are getting a bit hacked off with the complaints, although they’re still professional and courteous and friendly.

So if you’re reading this, and are wondering about whether you’ve been stitched up, relax. They haven’t gone mad; their on-line ordering system is just a bit trailing-edge. I’m still happy to recommend them as a supplier. And as far as I know, they pay all their UK taxes.


Edward Miliband in confusion over tax

Edward Miliband has just announced he’s going to restore the 10p rate of Income Tax if anyone is stupid enough to vote for him. Interesting. He’s going to pay for it with a divisively-named “Mansion Tax” on properties worth more than £2M. This may be appealing for the numerically challenged, but does it make sense? What are the figures? The BBC is reporting this kind of stuff without bothering to work it out.

First off, how many houses are worth more than £2M? No one really knows, but according to the Land Registry, 1,620 houses worth £2M+ were sold in 2012. Let’s say they change hands every ten years on average, so there are about 16,000. I don’t know if this is the correct figure, but hacks reporting the story aren’t even asking this question.

How much did it cost when Gordon Brown scrapped the 10p rate of income tax? Apparently it raised £3.5B. I’ve seen 7Bn bandied about, but £3.5Bn was the figure Alistair Darling was working with (according to reports in the Guardian at the time). So that works out at £218K tax a year per £2M house in the country. That’s more than 10% of the value of the asset. It’s not that difficult for someone in London to end up living in a £2M house but to otherwise be of limited wealth; it’s their house not their income. They certainly won’t be earning the kind of money to pay such a huge levy – they could very well be pensioners, albeit likely to have a relatively good private pension. But not that good!

So the arithmetic doesn’t work; is anything else thought through?

In Bradford today, Miliband said: “We would put right a mistake made by Gordon Brown and the last Labour government.”

Funny that. In 2008 he said of abolishing the 10p rate, “When you make a big set of changes in the tax system, some people do lose out. That is a matter of regret. Of course it is. But overall these changes make the tax system fairer.”

So having a 10p rate of tax is unfair? Taxing an asset value is certainly unfair. Today he’s proposed to do both.

And that’s before you start looking at the practicalities – who knows the value of a property? A lot of it is already owned by overseas companies in order to avoid disproportionate taxation anyway.


Lighttpd in a FreeBSD Jail (and short review)

Lighttpd is an irritatingly-named http daemon that claims to be light, compared to Apache. Okay, the authors probably have a point although this puppy seems to like dragging perl in to everything and there’s nothing minuscule about that.

I thought it might be worth a look, as Apache is a bit creaky. Its configuration is certainly a lot simpler than httpd.conf, although strangely, you tend to end up editing the same number of lines. But is it lighter? Basically, yes. If you want the figures it’s currently running (on AMD64) at a size of 16M compared to Apache httpd instances of 196M.

But we’re not comparing like for like here, as Lighttpd doesn’t have PHP; only CGI. If you’re worried about that being slow, there’s FastCGI, which basically keeps instances of the CGI program running and Lighttpd hands tasks off to an instance when they crop up. Apache can do this (there’s the inevitable mod), but most people seem happy using the built-in PHP these days so I don’t think FastCGI is very popular. It’s a pity, as I’ve always felt CGI is under-rated and I’m very comfortable passing off to programs written in ‘C’ without there being any noticeable performance issues. Using CGI to run a perl script and all that entails is horrendous, of course. But FastCGI should level the playing field and allow instances of perl or any other script language of your dreams to remain on standby in much the same way PHP currently remains on standby in Apache. That doesn’t make perl or PHP good, but it levels their use with PHP on Apache, giving you the choice. And you can also choose high-performance ‘C’.

This is all encouraging, but I haven’t scrapped Apache just yet. One simple problem, with no obvious solution, is the lack of support for the .htaccess file much loved by the web developers and their content management systems. Another worry for me is security. Apache might be big and confusing, but it’s been out there a long time and has a good track record (lately). If it has holes, there are a lot of people looking for them.

Lighttpd doesn’t have a security pedigree. I’m not saying it’s got problems; it’s just that it hasn’t been thrashed in the same way as Apache and I get the feeling that the development team is much smaller. Sometimes this helps, as it’s cleaner code, but it’s statistically less likely to have members adept at spotting security flaws too. I’m a bit concerned about the FastCGI servers all running on the same level, for example.

Fortunately you can mitigate a lot of security worries by running in a jail on FreeBSD (it will also chroot on Linux, giving some degree of protection). It was fairly straightforward to compile from the ports collection, but it does have quite a few dependencies. Loads of dependencies, in fact. I saw it drag m4 in for some reason! Also the installation script didn’t work for me but it’s easy enough to tweak manually (find the directory with the script and run make in it to get most of the job done). The other thing you have to remember is that it will store local configurations in /usr/local on BSD, instead of the base system directories.

To get it running you’ll need to edit /usr/local/etc/lighttpd/lighttpd.conf, and if you’re running in a jail be sure to configure the IP addresses to bind to correctly. Don’t be fooled: There’s a line at the bottom that sets the IP address and port but you must find the entry server.bind in the middle of the file and set that to the address you’ve configured for the jail to have passed through. This double entry is a real pooh trap, especially as it tries to bind to the loopback interface and barfs with a mysterious message. Other than that, it just works – and when it’s in the jail it will happily co-exist with Apache.

I’ve got it running experimentally on a production server now, and I’ve also cross-compiled to ARM and it runs on Raspberry Pi (still on FreeBSD), but it was more fun doing that with Apache.

When I get time I’ll do a full comparison with Hiawatha.

Using ISO CD Images with Windows

When CD-R drives first turned up you needed special software to write anything – originally produced by Adaptec but soon overtaken by Nero, with NTI and Ulead having lower cost options. Now, when you get a PC it will usually come with one of the above bundled to do the job, and Microsoft has added the functionality to Windows since XP (for CD, if not DVD). Not good news for the independent producers, but Microsoft’s offering doesn’t quite make it so you do need something else.

My new Lenovo PC came bundled with Corel Burn.Now. Corel recently bought the struggling Ulead, and this is fundamentally the same product. Unfortunately Burn.Now just doesn’t cut it – it can’t do the basics.

To duplicate a CD you need to copy all the data on it. Pretty obvious really! If you’re not copying drive-to-drive it makes sense to copy the data to a .ISO image on your hard disk. You can then transfer it to another machine, back it up or whatever, and write it to a new blank disk later. Burn.Now will create a CD from an ISO image, but if you ask it to copy a disk it uses its own weird and whacky .ixb format. Some versions of Burn.Now gave you the choice, but not with the new Corel one. This matters, because whilst everyone can write .ISO files, only Burn.Now can use .IXB.

So Burn.Now is no use. What about Microsoft’s current built-in options? You can actually write an ISO image using Windows 7 – just right-click on the file and select “Burn disc image”. Unfortunately there is no way to actually create such a file with Windows. To do this you need to add Alex Feinman’s excellent ISO Recorder, which basically does the opposite: Right-click on the CD drive and select Create Image from CD/DVD.

I’ve yet to find an easy way of creating an ISO image using files and Lenovo’s Corel Burn.Now, but you can at least create a disk and then copy the ISO image off for archive and later duplication.

Unfortunately ISO Recorder doesn’t read all disks – it won’t handle Red Book for a start. This is a bit of a limitation – was Mr Feinman concerned about music piracy? Given Windows Media Player can clone everything on an Audio CD without difficulty it won’t make a lot of difference.

So – Windows is its usual painful self. If you just want to simply create an image of a CD or DVD with no bells and whistles, go to UNIX where it’s been “built in” since the 1980’s (when CD-ROMs first appeared). Just use the original “dd” command:

dd if=/dev/acd0 of=my-file-name.iso bs=2048
An ISO file is simply a straight copy of the data on the disk, so this will create one for you. You can write it back using:

# burncd -f /dev/acd0 data my-file-name.iso fixate
Or
# cdrecord dev=1,2,3 my-file-name.iso

Burncd is built in to FreeBSD (and Linux, IIRC), but only works with ATAPI drives. In the example it assumes the CD recorder is on /dev/acd0 (actually the default).

Cdrecord works with non-ATAPI drives too, but has to be built from ports on FreeBSD and for other platforms it’s available here http://cdrecord.berlios.de/old/private/cdrecord.html – along with lots of other good stuff. The example assumes the device is 1,2,3 – which is unlikely! Run cdrecord -scanbus to locate the parameters for your drive.

Horseburgers

A large minority of the UK population isn’t going to be at all surprised to hear horse DNA has been found in processed meat products – they’re already vegetarian/vegan or at a minimum, they choose organic meat products. The remainder either don’t know, or don’t want to know. Either way, with the information on how animals are farmed widely available, I haven’t got a lot of sympathy with their current predicament.

But if you’re going to eat processed meat products, what’s so bad about horse? I’ve just been listening to an American campaigner on the radio warning that people go around the US buying old nags at auction and shipping them to Europe for food – horses that were probably pets (or from his soap-box, a race horse) and treated with drugs you wouldn’t give a farm animal such as phenylbutazone. He was particularly keen on mentioning this. Look it up – it’s an anti-inflammatory drug also given to people with arthritis and similar problems. It has side effects, including some rare but serious ones. Okay, so you wouldn’t want to dose anyone without good reason, but to get a dose from eating horse meat you’d have to literally eat the whole horse. And that would be one dose. I’m sure he was really motivated by the “horses are pets and we shouldn’t eat pets” attitude, but the BBC didn’t question his motivation at all.

So am I saying it’s okay to eat horses with phenylbutazone in their system? Well I wouldn’t eat it, but I wouldn’t eat any farmed meat, which is chock full of legally introduced medication and kept, killed and processed in decidedly worrying conditions. Horses with shots of bute are no different to me. Think about it – if you don’t even know what species the meat is, you certainly can’t say much about where it came from. Actually finding a bit of horse in a beefburger sample changes nothing – it’s always been dodgy.

One thing you can probably say for certain is that New Labour and news media will be whipping up a bit of hysteria about this. They did it with the BSE crisis in the 1990s – remember that? Thousands will die due to eating disease contaminated meat? Of course it didn’t happen. They did it again when in power, in an over-reaction to Foot and Mouth, presumably to prevent the Conservative opposition playing the same trick on them. This is going to run and run (it’s bound to turn up everywhere following the inevitable further tests that are doubtless being considered right now).

If what’s in your meat worries you, become vegan (dairy products and eggs aren’t clean either). Otherwise, be aware that the meat processing business is pretty grim with this kind of thing going on behind the scenes all the time – and live with it. Can we have some real news now?