Wednesday, September 29, 2010
The Danger of Science Denial
Here's Simon Singh's take on the issue. He believes that it's a matter of trust and the fact that a lot of scientific findings go against conventional common sense, while Specter believes that people fear what they don't understand. Both dynamics are at work most likely.
Tuesday, September 28, 2010
One of Those Uh-Oh Moments - Recovering a Digital Needle From a Digital Haystack
Well, what to do. The easy way out would be to swallow my pride, rebuild the virtual machine, create a new secret key, email the new public key to my correspondent, and ask him to re-encrypt the original message and resend it. The harder, but more educational, way out would be to recover the file. The data was likely still on the drive; the pointers to that data were likely gone, or corrupted at best. I had nothing to lose by trying, and I needed to hone my data recovery / digital forensics skills. So, using dd and ssh via a script I wrote about six years ago, I created a bit-by-bit image of the virtual hard drive on another system. I loaded the image file into autopsy and the results weren't good. Autopsy would only be able to perform keyword searches on the image; the data layer really couldn't be seen or analyzed. I tried a few keyword searches, but it was futile. I called it a night at that point and went to bed.
The next morning, I decided the best approach would be to go with scalpel or some other data carver. Data carvers search for files using the file's header and footer information. Once the file is recovered, you just rename it to what you called it previously and you are good to go. Searching for "secring.gpg magic bytes, header, scalpel.conf" on Google led me nowhere. So, I generated two new public and private keys on my laptop and an Ubuntu virtual machine and compared their headers and footers. Each file had a slightly different header and footer.
I could tell you what I tried, but I'll give you the results. I created four new gpg entries in scalpel.conf, and two of them worked perfectly.
gpg with header "\x95\x03\xbe" and footer "\xb0\x02\x00\x00" --> 1 files
gpg with header "\x99\x01\x0d" and footer "\xb0\x02\x00\x03" --> 3 files
As you can see above, I could have used a longer header sequence by appending \x04\x4c or \x04\x4c\xa2 to each header sequence. The longer the sequence, the fewer results one gets. This cuts down on false positives, but it may result in no files being recovered at all. One just has to do some experimental runs with scalpel to tune the scalpel.conf configuration file. In this case, I only wanted gpg files, so I commented out every entry except the newly created gpg entries. After making a copy of the image, I split the image into 10GB files with split, i.e.
split -b 10GB livecd
which results in three 9.3GB files called xaa, xab, xac, and a 2.1GB file called xad. Running scalpel on the whole 30GB image gave an estimated 28-hour second-pass scan. Narrowing the search to just gpg files and scanning the 9.3GB pieces one at a time completed the carving (both passes) within 20 minutes per piece. The gpg files were recovered from the xaa subfile.
I rebuilt the corrupted virtual machine once I had the recovered files. I created a .gnupg directory within the user's home directory and copied the pubring.gpg and secring.gpg files into that directory. Using apt-get, you can install thunderbird and the enigmail xpi plugin seamlessly:
apt-get install thunderbird enigmail gnupg (if gnupg isn't installed).
You can test gnupg like so:
gpg --list-keys (for querying keys stored in the public keyring), and
gpg --list-secret-keys (for keys stored in the secret keyring).
Then you start thunderbird and give it your name, email address, and password. It's smart enough to set up your gmail server settings for you. You just give enigmail your secret key passphrase and you can decrypt any messages encrypted using your keys.
Since my email address is embedded in the public key, I could also have located pubring.gpg among the carved files with grep:
grep -r "firstname.lastname@example.org" /scalpelresults/
will search all of the carved files for that text expression. To eliminate carved emails, pipe the output to grep with the -v option like so:
grep -r "email@example.com" /scalpelresults/ | grep -v "To: John Moore" | grep -v "From: John Moore" | grep -v "Return-Path"
but fortunately, just browsing for the 4 files listed in the audit.txt file worked, since scalpel placed them in their own subdirectories.
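Here is an added example (my code, not from the original post or from the scalpel project) that does in Python what the scalpel.conf tuning and the grep pipeline above do: it parses scalpel-style entries, carves a constructed image by header and footer, and then filters the carved files for the e-mail address while dropping carved mail, the way the grep -v chain does. The blobs, the address user@example.com and the eml rule are constructed for the demonstration; they are not real OpenPGP packets, and the carver simply drops a hit whose footer is not found within the maximum size rather than reproducing scalpel's exact behaviour. It goes a little beyond the post by showing both sides of the trade-off: the longer \x04\x4c header drops the decoy hit, while a too-small carve size drops the real one.

```python
"""Scalpel-style header/footer carving over a constructed disk image (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class CarveRule:
    name: str        # extension scalpel gives the carved files
    max_size: int    # scalpel's maximum carve size in bytes
    header: bytes
    footer: bytes


def decode_pattern(text: str) -> bytes:
    """Turn a scalpel.conf pattern such as \\x95\\x03\\xbe into raw bytes.
    Only the \\xHH escape is handled; scalpel's '?' wildcard is not."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 3 < len(text) and text[i + 1] == "x":
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def parse_scalpel_line(line: str) -> CarveRule:
    """Parse one scalpel.conf entry: extension, case flag, max size, header, footer."""
    name, _case_sensitive, size, header, footer = line.split()
    return CarveRule(name, int(size), decode_pattern(header), decode_pattern(footer))


def carve(image: bytes, rule: CarveRule) -> list[tuple[int, bytes]]:
    """Return (offset, data) for each header hit whose footer lies within max_size bytes.
    A hit with no footer inside the window is dropped (scalpel's own handling of that
    case is not reproduced here)."""
    hits = []
    pos = image.find(rule.header)
    while pos != -1:
        window_end = min(len(image), pos + rule.max_size)
        foot = image.find(rule.footer, pos + len(rule.header), window_end)
        if foot != -1:
            hits.append((pos, image[pos:foot + len(rule.footer)]))
        pos = image.find(rule.header, pos + 1)
    return hits


def summary(image: bytes, conf_line: str) -> str:
    """One line in the style of scalpel's per-rule result summary."""
    _name, _case, _size, header, footer = conf_line.split()
    rule = parse_scalpel_line(conf_line)
    return (f'{rule.name} with header "{header}" and footer "{footer}" '
            f'--> {len(carve(image, rule))} files')


def grep_carved(hits: list[tuple[int, bytes]], needle: bytes,
                exclude: tuple[bytes, ...]) -> list[int]:
    """Offsets of carved files containing needle but none of the exclude strings:
    the equivalent of grep -r needle | grep -v ... | grep -v ..."""
    return [off for off, data in hits
            if needle in data and not any(x in data for x in exclude)]


# --- constructed sample image; the blobs are NOT real OpenPGP packets -----------
EMAIL = b"user@example.com"
MAIL = (b"From: John Moore <" + EMAIL + b">\r\nTo: John Moore <" + EMAIL + b">\r\n"
        b"Subject: hello\r\nReturn-Path: <" + EMAIL + b">\r\n")
# Public key blob: the post's 3-byte header plus the \x04\x4c continuation,
# a user-ID-like string carrying the address, and the footer.
PUBLIC_KEY_BLOB = (b"\x99\x01\x0d\x04\x4c" + b"P" * 32 + b"John Moore <" + EMAIL + b">"
                   + b"P" * 16 + b"\xb0\x02\x00\x03")
SECRET_KEY_BLOB = b"\x95\x03\xbe\x04\x4c" + b"S" * 96 + b"\xb0\x02\x00\x00"
# Decoy: same 3-byte header and footer, different 4th/5th bytes, no address.
DECOY_BLOB = b"\x99\x01\x0d\x00\x10" + b"D" * 24 + b"\xb0\x02\x00\x03"
IMAGE = MAIL + PUBLIC_KEY_BLOB + MAIL + DECOY_BLOB + MAIL + SECRET_KEY_BLOB + MAIL

SHORT_PUB_RULE = r"gpg y 100000 \x99\x01\x0d \xb0\x02\x00\x03"
LONG_PUB_RULE = r"gpg y 100000 \x99\x01\x0d\x04\x4c \xb0\x02\x00\x03"
SEC_RULE = r"gpg y 100000 \x95\x03\xbe \xb0\x02\x00\x00"
TINY_SEC_RULE = r"gpg y 50 \x95\x03\xbe \xb0\x02\x00\x00"   # carve window too small
MAIL_RULE = r"eml y 4096 From: Return-Path"                  # ASCII header/footer (constructed)

MAIL_NOISE = (b"To: John Moore", b"From: John Moore", b"Return-Path")


def pubring_candidates() -> list[int]:
    """Offsets of carved files that carry the address but are not carved e-mails."""
    hits = []
    for line in (SHORT_PUB_RULE, MAIL_RULE):
        hits += carve(IMAGE, parse_scalpel_line(line))
    return grep_carved(hits, EMAIL, MAIL_NOISE)


if __name__ == "__main__":
    for line in (SHORT_PUB_RULE, LONG_PUB_RULE, SEC_RULE, TINY_SEC_RULE, MAIL_RULE):
        print(summary(IMAGE, line))
    print("pubring candidates at offsets", pubring_candidates())
```

Running it prints one summary line per rule in the format scalpel uses, then the single offset (the public key blob) that survives the grep -v style filter; the four carved mail fragments match the address but are dropped because they also contain the mail headers.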
Wednesday, September 22, 2010
Update (10/01/2010): F-Secure has a nice Stuxnet Questions and Answers post along with a video demonstration of what Stuxnet is capable of. Two pieces of internal evidence from the reverse engineering:
1. The path statement in the compiled code, \myrtus\src\objfre_w2k_x86\i386\guava.pdb, has the words myrtus and guava. Guavas are plants of the myrtle family. They are a type of pomegranate which serves as the Jewish symbols of righteousness and fruitfulness. Is Stuxnet a weapon of righteousness targeting the servants (machines) of the enemies of Israel? In this case, is the enemy, Iran? Are we dealing with a former biologist who is now a programmer, or with someone exposed to taxonomic nomenclature who could make an inside joke?
2. The registry key created is called 19790509, which encodes the date May 9, 1979, the day Habib Elghanian was executed in Iran as a spy on what appear to be completely false charges. His death led to the mass exodus of 100,000 Jews from Iran.
Here's The Register's analysis. Symantec has released the Stuxnet Whitepaper.
A Honeypot in Action
Labels: IT Security honeypot
Why You Should Stay in Earth Orbit When You Visit
Yves Smith Interview on The Keiser Report
Friday, September 17, 2010
VMware Workstation 6.5.4 and VMware Workstation 7 Vmmon Compilation Error Fix with Kernel 2.6.32 and 2.6.35
CC [M] /tmp/vmware-root/modules/vmmon-only/linux/iommu.o
/tmp/vmware-root/modules/vmmon-only/linux/iommu.c: In function ‘IOMMU_SetupMMU’:
/tmp/vmware-root/modules/vmmon-only/linux/iommu.c:156: error: implicit declaration of function ‘iommu_map_range’
/tmp/vmware-root/modules/vmmon-only/linux/iommu.c: In function ‘IOMMUUnregisterDeviceInt’:
/tmp/vmware-root/modules/vmmon-only/linux/iommu.c:216: warning: ignoring return value of ‘device_attach’, declared with attribute warn_unused_result
/tmp/vmware-root/modules/vmmon-only/linux/iommu.c: In function ‘IOMMU_VMCleanup’:
/tmp/vmware-root/modules/vmmon-only/linux/iommu.c:403: error: implicit declaration of function ‘iommu_unmap_range’
make: *** [/tmp/vmware-root/modules/vmmon-only/linux/iommu.o] Error 1
make: *** [_module_/tmp/vmware-root/modules/vmmon-only] Error 2
make: Leaving directory `/usr/src/linux-headers-2.6.35-4.slh.11-aptosid-amd64'
make: *** [vmmon.ko] Error 2
I could have saved myself $70 since I got module compile issues, i.e. fatal make errors, for free with either 6.5.4 or 7.x. Fortunately, there is an easy fix documented at www.rrfx.net.
If you don't wish to visit the link, the fix by Robert Reid is documented below:
tar xvf /usr/lib/vmware/modules/source/vmmon.tar -C /tmp
cd /tmp   # the perl and tar commands below use paths relative to /tmp
perl -pi -e 's,_range,,' vmmon-only/linux/iommu.c
tar cvf /usr/lib/vmware/modules/source/vmmon.tar vmmon-only
To get VMware Workstation 6.5.4 to work on kernel 2.6.32 or above on Ubuntu 10.04 LTS, you'll need to do two things: get the installer past a hang condition, and patch vnetUserListener.c and pgtbl.h by adding two include statements, #include "compat_sched.h" and #include <linux/sched.h>, to each file:
1. chmod u+x VMware-Workstation-6.5.*.bundle
then start the installer (sudo ./VMware-Workstation-6.5.*.bundle) and, in a separate terminal, run the following loop for as long as the installer is running:
while true; do sudo killall -9 vmware-modconfig-console; sleep 1; done
Original documentation is here.
2. Patch vmci and vmnet as documented here and here:
tar xvf /usr/lib/vmware/modules/source/vmnet.tar -C /tmp
tar xvf /usr/lib/vmware/modules/source/vmci.tar -C /tmp
cd /tmp   # the perl and tar commands below use paths relative to /tmp
perl -pi -e 's,("vnetInt.h"),\1\n#include "compat_sched.h",' vmnet-only/vnetUserListener.c
perl -pi -e 's,("compat_sched.h"),\1\n#include <linux/sched.h>,' vmnet-only/vnetUserListener.c
perl -pi -e 's,("compat_page.h"),\1\n#include "compat_sched.h",' vmci-only/include/pgtbl.h
perl -pi -e 's,("compat_sched.h"),\1\n#include <linux/sched.h>,' vmci-only/include/pgtbl.h
tar cvf /usr/lib/vmware/modules/source/vmnet.tar vmnet-only
tar cvf /usr/lib/vmware/modules/source/vmci.tar vmci-only
note: the rebuilt archives must contain vmnet-only and vmci-only at their top level (not tmp/vmnet-only), which is why the tar cvf commands are run from /tmp with relative paths; each perl -pi run inserts the include again, so run the patch commands once per freshly extracted tree.
Now run vmware-modconfig --console --install-all to finish the VMware Workstation installation.
Tuesday, September 14, 2010
The Last Thing Government Will Do
The entire show is called Global Debt Collapse
Dean Baker points out that economists are always quick to blame workers for the economy being depressed rather than the bad judgments of the economic policy makers themselves.
Before examining the argument here more closely, it is worth noting that arguments about rising structural unemployment come around during every recession. When the economy fails to produce jobs fast enough to bring down the unemployment rate, economists quickly turn to blaming the workers. The problem is not that economists came up with bad policies; the problem is that workers don't have the right skills or live in the right place. This happened after each of the last four recessions.
Labels: bad American economic policies
Friday, September 10, 2010
The Economy Is Not The Weather
If you think the GOP will come to the rescue this November, better think again. The GOP helped cause this mess. The GOP ran Congress from 1994-2006. They had control of the Executive Branch from 2000-2008, and the Judicial Branch from 2000 onwards. Most Federal Reserve governors are Republicans. Many administration officials are leftovers from the Bush Administration. The Democrats are not blameless, either, but they weren't a major contributor to the mess we are in. Unfortunately, the Democrats seem to be a party divided, and the Obama Administration is itself divided. The Democratic Party's solutions have been weak or ineffective at best. Jon Stewart sums the current situation up this way: "What the Democrats do, doesn't matter!"
When Treasury fights for Wall Street, which means the regulators are effectively lobbying for those they are supposed to regulate, government is divided and at odds with itself, and likely compromised, if not corrupted.
Labels: observations and opinion