Monday, September 14, 2015

Changing the Kali Linux 2.0 Default Password

I could not find this documented. There is a script in /lib/live/config called 0031-root-password. It invokes the usermod command:

usermod -p ‘X014elvznJq7E’ root

which needs to be commented out and the filesystem compressed using mksquashfs. There is likely another way as well, but I have not searched for it.

Sunday, July 13, 2014

No KDE Display Manager (kdm) on RHEL7 and clones

Red Hat considers kdm to be dead. If you are trying to build a minimal installation, you'll have to substitute ldm (light display manager) for gdm. Go to or one of the other repositories and download the following files:


Then, run the following commands:
rpm -i --force desktop-backgrounds-compat*.rpm heisenbug*.rpm
yum localinstall lightdm-1.8.8*.rpm lightdm-gobject-1.8.8-1*.rpm lightdm-gtk-1.6.1-3*.rpm
systemctl disable gdm.service
systemctl enable lightdm.service

If you miss the default background, you can do this:

rpm -i --force centos-logos-70.0.6-1.el7.rpm

Monday, May 05, 2014

Fixing and Compiling OpenSSL on Ubuntu 14.04

I have been reading OpenSSL Valhalla Rampage almost daily since it was started. I began to wonder if I could incorporate some of their fixes into OpenSSL. I also wondered just how buggy OpenSSL really was. I went to and downloaded the latest tarball. I unpacked it. Since I had clang installed and it has a static source code analyzer, I changed directories into the unpacked openssl-1.0.1g directory and ran the following command:

scan-build -o /home/jbmoore/openssl-bugs make -j4

The o option tells scan-build where to send its output. Upon completion, you are given a command to run:

scan-view /home/jbmoore/openssl-bugs/2014-05-04-181351-14781-1

which displays the results in a browser.

I then modified the source files based on code snippets from OpenSSL Valhalla Rampage. I reran the scanner to see if some of the bugs disappeared and they had. When I tried to compile my changes with make test and make install, I got a linker error:

../libcrypto.a(v3_alt.o):v3_alt.c:(.text+0x2478): more undefined references to `strlcpy' follow collect2: error: ld returned 1 exit status.

I tried various things, but in the end, I had to be missing a library. Since Ubuntu 14.04 does not have ia32-libs, I went and downloaded the package ia32-libs-multiarch_20090808ubuntu36_i386.deb from the Precise repository and installed it with dpkg:

      dpkg -i ia32-libs-multiarch_20090808ubuntu36_i386.deb

which will fail. That result is fine because I knew it would fail a dependency check. I then ran apt-get -f install which installed all dependencies. There were a lot, 30-40 or more 32-bit libraries installed. By the time I had done this, I had downloaded the original Ubuntu source package, openssl-1.0.1f and modified it. So, the quick and dirty way is:

1. install ia32-libs-multiarch_20090808ubuntu36_i386.deb, then
2. apt-get source openssl, followed by
3. apt-get build-dep openssl,
4. modify the openssl source code using hints from the libressl project, and
5. apt-get -b source openssl.

You can run scan-build before and after you compile the debian packages to see how many bugs you've eliminated. This bug fix just shifted the segmentation fault from openssl to a glibc library function which tells me that glibc probably needs fixing as well. The openssl crash is triggered by the following code:

sudo echo ZW5jb2RlIG1lCg================================================================== | openssl enc -d -base64

This bug has been known for three years, and until now, it was not fixed. Kudos to the openBSD developers. I wish I knew a more elegant way to determine which library is missing, but I am still ignorant at this time. This framework will allow you to at least follow along with the libressl developers and give you an idea how to find and fix bugs in Linux programs. I should add that to do it properly, you should be making changes using either subversion or git. I just was curious about how difficult it would be. It is not really that hard provided you have all the 32-bit libraries you need to compile the openssl and libssl packages.

Tuesday, March 04, 2014

Economists Were Told Five Years Before the GFC That It Would Happen

When you read in a paper or hear someone state that nobody knew the financial world was going to explode in 2008, they are either misinformed or a liar. William White, a central banker warned them for over five years that there was trouble brewing and that it should be stopped. They refused to believe him and replied that he didn't have any model to back up his analysis.

The painting is not the object of the painting. An economic model is not the thing being modeled.  It is at best a very good approximation, and at worst, a terrible fantasy. Models have to be proven by evidence. Evidence is used to explain models as well. Evidence can exist without a model or narrative. But, models do not exist without evidence, except in economics and other forms of pseudo science. William White says that central bankers are making it up as they go and they can't even agree on what needs to be done. The funny thing is that none of them have lost their salaries or careers for ignoring clear warnings of imminent failure of their governance and policies. They've all failed upwards. May be we should make them all swear to "Do no harm" and put claw back clauses in their employment contracts in case they fail at their jobs. Of course, that would work for politicians and investment bankers as well.

Sunday, December 29, 2013

Bug in RHEL6 and clones /etc/cron.daily/0logwatch anacron script Date::Manip error

I saw the following error in root's mail on a server:

ERROR: Date::Manip unable to determine TimeZone.

Execute the following command in a shell prompt:
        perldoc Date::Manip
The section titled TIMEZONES describes valid TimeZones
and where they can be defined.

The error is due to the script itself. The solution is to add the following line to /etc/cron.daily/0logwatch:

I found the solution here.
Why is Red Hat sending out an OS with a broken cron script?

With logwatch working, you then discover a missing gnome keyring library file.
You can find what package has that file using yum provides:

yum provides /lib64/security/

Install the following package to fix those PAM errors.

yum install gnome-keyring-pam-2.28.2-8.el6_3.x86_64

Saturday, August 10, 2013

Do Spies Really Know What They Are Doing, or Is It All Make-Believe?

Check out BUGGER . This blog post is about spies

The recent revelations by the whistleblower Edward Snowden were fascinating. But they - and all the reactions to them - had one enormous assumption at their heart. That the spies know what they are doing.
It's funny, and fascinating, and sad. It is also saying that we are wasting a lot of money chasing shadows and illusions dreamed up by people who have nothing else to do.

Journalists don't make out any better either.

Up to this point Pincher had been the Defence correspondent on the Daily Express. He was successful for getting "scoops" from "inside sources" - although the historian EP Thompson said that really Chapman Pincher was:

"A kind of official urinal in which ministers and intelligence and defence chiefs could stand patiently leaking."

One finds out why some people left that world.

But it was a world that was all made-up. Le Carre - who had himself been a spy - admitted this, and described what the true reality of the spy world was:

"For a while you wondered whether the fools were pretending to be fools as some kind of deception, or whether there was a real efficient service somewhere else.

Later in my fiction, I invented one.

But alas the reality was the mediocrity. Ex-colonial policemen mingling with failed academics, failed lawyers, failed missionaries and failed debutantes gave our canteen the amorphous quality of an Old School outing on the Orient express. Everyone seemed to smell of failure."

Sunday, July 28, 2013

The World has Turned Upside Down.

U.S. Attorney General Eric Holder wrote a letter to the Russian government stating that we would not torture Eric Snowden if they turned him over to us. Professor Bill Black has a scathing post entitled Is it legal malpractice to fail to get Holder to promise not to torture your client. The U.S. of A. is supposed to be the good guys. What are we doing writing incredibly stupid letters like this to the Russians who must be laughing their asses off once they picked their lower jaws up off of the floor. Not torturing people should be implicit and assumed in any official foreign correspondence with another government. What is the world coming to?

This page is powered by Blogger. Isn't yours?