Thursday, June 28, 2007

Etch T-61 and 2.6.21.5 and VMWare RTC Errors

IO Performance (Network and Disk) was attrocious for a FreeBSD 6.2 VM with the stock 2.6.18-4 Kernel that comes with Etch. Was also getting the dreaded lost interrupts errors:


Jun 28 16:26:59 franz-t61 kernel: bridge-eth1: enabled promiscuous mode
Jun 28 16:27:14 franz-t61 kernel: rtc: lost some interrupts at 2048Hz.
Jun 28 16:27:34 franz-t61 last message repeated 1000 times
Jun 28 16:27:35 franz-t61 kernel: rtc: lost some interrupts at 1024Hz.
Jun 28 16:27:41 franz-t61 last message repeated 312 times
Jun 28 16:27:41 franz-t61 kernel: rtc: lost some interrupts at 4096Hz.
Jun 28 16:28:12 franz-t61 last message repeated 1533 times
Jun 28 16:28:24 franz-t61 last message repeated 616 times
Jun 28 16:28:24 franz-t61 kernel: rtc: lost some interrupts at 2048Hz.
Jun 28 16:28:55 franz-t61 last message repeated 1521 times


Upgrading to 2.6.21.5 (and applying the any any patch) seems to helped but am still getting the errors above. But was at least able to SSH into the VM vs. hanging forever like before. Also console sound from the Thinkpad is now working which was not the case with the 2.6.20r8 gentoo. Back to work...

Wednesday, June 27, 2007

So Etch Does Do T-61 After All

So I had to get new my T-61 serviced (some HD bad sectors and of greater concern, the top PCMICA button/latch broke after only 2 days so the Aironet 352 was hard to get out). The good news is it came back today and they replaced the latch with a single button that feels more durable. And of course, replaced the drive. Door to do, a week, not too bad.

Since I didn't have a time to do the Gentoo thing again and I didn't feel like manually running ntfresize so I gave the network install a try again and copied over the org.conf I had generated on Gentoo. So the deal with the Intel X3100/965 support under X7.1 is that it works with VESA even at 1440x900, just the autoconfiguration under most shipping distributions doesn't work right now. So Debian, Ubuntu whatever should work as long as you don't do the GUI installer.

Monday, June 25, 2007

Sticky SCADA Terminology

Because the SCADA Security Community is so small, moves so slowly, and you can literally count on one-hand the folks that have technical depth in both SCADA an Security (depending on how you define either) I passively try to keep an eye on things. Dale previously blogged on the "sloppy use of SCADA" and one of the better bosts on the SCADA Mailing list revisits the issue. Although probably won't understand most of it if you are new to the field, this was definitely a good starting point which basically differentiates between DCS and SCADA based on 3 criteria
  • Closed vs. Open Loop (human vs. "computer" control)
  • Geographic Distribution (single plant or entire region)
  • Discrete vs. continuous vs. process (this I can't come up with a simple explanation)
As an outsider (speaking from experience, even having programmed PLC's, written subsets of SCADA protocol implementations, and having been privileged to have have touched the networks of a couple of electric/gas control centers) I still found it difficult to speak with authority on the system level. But this is a good starting point for folks new to the field.



Tim Fite: Fun Angry Music for Coding



So this post might have been a candidate for Angry Ruby (which is dedicated to whining about using Ruby) except that Ruby is delightful (in all sincerity) compared to dealing with several thousand lines of Bourne shell scripts that use every known flavor of grep and awk known to man. And you'd think porting them from OpenBSD to FreeBSD would be trivial. Sure. So driving home on Thursday I swore to not port another line of shell and begin the long needed port to language a not invented in the 1970s.

So besides doing a lot late night coding for the 4 days (discovering that Trader Joes energy drinks are as effective as they are economical, 99 cents!) I've started listening to Over the Counter Culture which was mentioned on the Sound Opinions Mid Year Best of 2007 sow I believe It's All Right Here got some play on NPR because my son was signing from the PG-13 version after only hearing it twice. It is quite catchy.

So besides buying Run DMC's Raising Hell (when I was a junior in high school, on a school trip to Manilla, Philippines, no doubt) and casually like some of the Beastie Boys songs that made it onto KROX over the years, I've never been a rap/hip hope listener. Just not me. However, I've really taken to this album. There are 4-5 solid tracks, which is pretty high.

Probably my favorite is In Your Hair which starts (and finishes) with these two stanzas.

A king is not a president
A roof is not a resident
The truth is not self evident
When youth is on the line

The Boss is not the boss of them
The cross is on the cross again
The crim is not a government
A crime is just a crime
The rhymes in
Hay Man are not the predictable sort you'd expect from pop hip hop:

...
Break these palms
Break these pines
Break these laws (?)
Break these lines
Break these looks
Break these lease
Break these hooks
Break this heat
Break these rocks
Break this concrete
...
Without no fuel the fire don't burn bright
Without no mule the car can't turn right
Did you hear that shit?
Let's play more Fite
Because somethings fit to change
in the furnace tonight.

Good stuff. Camouflage and I've been shot are both fairly amusing.

These songs are fairly political (predictably anti-corporate, anti-consumerism, anti-Bush-era America, etc.) but these music, rhymes, lyrics, and far from that ("stop faking butter, start faking lard!") and I figure they'll

Oh yeah the complete album is free to to download. So you have no excuse not to check it out.

Thursday, June 21, 2007

10.4.10: Another Nail Biter




Just like the last update, this one took forever and was a double-boing. My ignorance of what is going on under the scenes (while the little circular progress disc spins round and round) with OSX is thing driving me back to Linux. Fortunately, my wife is putting my Macbook to good use during the day finding Youtube gems such as William Shed and Russian Ninjas both of which were more interesting than the Purdue 9/11 Simulation which I thought was a bit of a let down.

Monday, June 18, 2007

Simple FreeBSD GEOM Disk Labels

This is something I did a month or two back, but forgot to details, so figured I'd document it this time:
  1. When you create your fileystems within the installer hit n (newfs options) and then enter -L labelname (like root, var, swap, or whatever) and then boot into your new system
  2. Edit /boot/loader.conf to include geom_label_load="YES"
  3. Modify your /etc/fstab to use /dev/ufs/label instead of the device location
One of the reasons why this is useful for is that it allows you to have the same fstab (and therefore, system image) across both IDE and SCSI builds. I"m sure there are more

Sunday, June 17, 2007

Settling on a Linux Desktop Environment for my T-61



So a brief update on getting X working on a i965 based Lenovo T-61.

I ended taking a 4th option, installing Gentoo 2007.0 (although I had to boot the minimal install CD with the nodetect option and then manually modprobe the SATA, ACPI, etc.) Using the default boot options hung the install. These were the kernel mods running. Some of these are clearly not necessary as I was shotgunning modprobe to get the drives running.

livecd drivers # lsmod
Module Size Used by
sg 19484 0
ahci 11268 0
ata_piix 8072 0
freq_table 2720 0
processor 14536 0
sata_qstor 4996 0
libata 61460 3 ahci,ata_piix,sata_qstor
ipv6 170912 14
e1000 90432 0
e100 22792 0
mii 3968 1 e100
rtc 7476 0
usbcore 78084 1

The cool thing about the Gentoo installer this time around (the last time I used Gentoo was probably in 2003) is that you can start up an SSH server and then paste all the zillion commands you need to do the install vs. typing them at the console. So it took about 2 hours to build X7.2 and then the X -configure worked automatically. As you can see it is using VESA not an Intel driver, but most importantly it did default to 1440x900. So I was happy with that.

Section "Device"
Identifier "Card0"
Driver "vesa"
VendorName "Intel Corporation"
BoardName "Mobile Integrated Graphics Controller"
BusID "PCI:0:2:0"
EndSection

Anyway as you can see from the snapshot. XFCE4.4 from gentoo is nice. Pretty much everything you need. Oh I did try OpenSUSE 10.2 which was only able to get 1027x768. But I copied over the xorg.conf from the Gentoo install and was able to get the full resolution. But the default GNOME desktop for SuSE is bloody awful. Not sure what it is trying to emulate. Vista maybe? Who knows.

So a short list of issues folks may run into:
  • Your console goes blank (actually a sickly green color) after going into X. The solution here is to use the framebuffer.
  • No sound, not like I care.
  • Of course I haven't tried at all to get the built in wireless card working. Been using an old Aironet 352.
  • No suspend, hibernate, but haven't tried and don't really care since this is more a mobile workstation
And probably more...

Friday, June 15, 2007

X.org Options For T61 (X3100/i965)

The Intel drivers in current distros (I tried Ubuntu Feisty and Debian 4.0) aren't recent enough to work on the T61, here seem to be the options (in order of preference)
  1. Build updated X drivers for an existing X install. The idea here would be to built a .deb.
  2. Use framebuffer/VESA - I was able to get an ugly 1024x768. And the console blanks out after you exit X.
  3. The latest release (7.2) appears to have support for i965. So you could build X from source.

Thursday, June 14, 2007

T61 Hardware and Linux First Impressions


I uploaded a copy of XML lshw output for my 14.1" T-61 Widescreen.

First impressions on Linux hardware compatibility
  • Feisty fails to busybox prompt (supposedly you can address this with a vga prompt of 791 but it didn't work for me. Supposedly you can do the install with the alternative iso. X Based Installers are a dumb idea anyway.
  • Debian 4.0 Installer boots just fine and network cards were detected
  • UbuntuTrinux (2.4.20 kernel) booted fine and network was detected

Back to backup up the drive prior to repartioning XP SP2.

Vista?! WTF is Vista?

Say hello to your little friend in busybox: mdev




Previously I blogged on how Linux sysfs had helped me create device files that are no longer actually on a physical filesystem. Well at least modern OS's do it that way. I think FreeBSD also does it this way, but OpenBSD definitely doesn't.

I had an inkling that Busybox had some little tool to do this but I was too lazy to look for it, and it was fun trolling /sys.

But by accident this morning I typed mdev instead of mkdev (my shell script) and I learned that the following command creates the device files for you:

mdev -s


Voila! And much faster. I had to disable my shell script by default because it sometimes took 3-4 minutes on Q on my Powerbook 12".

Saturday, June 09, 2007

I Promise, Last JXTA Blog of the Weekend

Anyone that has ever tried to use Applet-based embedded device managers (just how many times a day does my office-mate curse Bluecoat?!!) knows that the "write once, run anywhere" credo of Java is not all its cracked up to be. But it does work sometimes. And distributing a [cross-platform] stack of apps that only depends on a JVM has its advantages on having to satisfy OS package dependencies and/or scripting language dependencies (ala GEMs or Python eggs)

To that end I've built a self-contained package for playing around with JXTA that not only includes the necessary .jar's for JXTA 2.4.1 (or at least for what I've been doing so far) but also includes the latest version (1.0.0RC) of JRuby. This a good companion to the JXTA Programmer Guide which I've been going through today.

Hopefully this makes it a little easier for folks to play around with this Open Source P2P API. As bloated and complex (and probably overkill for the mysterious new security project I have in mind) as JXTA is, it was far better documented than some of the alternatives such as or P2PS and there seem to be a lot more applications out there using JXTA.

Hello JXTA (JRuby Style)

So the original Java version was 42 lines

hello is a short wrapper shellscript to set the classpath to:

$HOME/java/jxta.jar:$HOME/java/bcprov-jdk14.jar:$HOME/java/jxtaext.jar:$HOME/java/log4j.jar

and ran jruby jxtahello.rb

which is

require 'java'

include_class "net.jxta.peergroup.PeerGroup"
include_class "net.jxta.peergroup.PeerGroupFactory"
include_class "net.jxta.exception.PeerGroupException"

npg = PeerGroupFactory.newNetPeerGroup()
puts "Hello from JXTA group " + npg.getPeerGroupName().to_s
puts " Group ID = " + npg.getPeerGroupID().to_s
puts " Peer name = " + npg.getPeerName().to_s
puts " Peer ID = " + npg.getPeerID().to_s
npg.stopApp()


And when executed prints pretty much the same:


franz-g4:~/Desktop/jxta/ruby mdfranz$ ./hello
INFO 2007-06-09 15:49:55,134 NullConfigurator:::132 JXTA_HOME = file:/Users/mdfranz/Desktop/jxta/ruby/.jxta/
INFO 2007-06-09 15:49:55,305 NullConfigurator::adjustLog4JPriority:316 Log4J [user default] requested, not adjusting logging priority
INFO 2007-06-09 15:49:56,681 NullConfigurator::adjustLog4JPriority:316 Log4J [user default] requested, not adjusting logging priority

Hello from JXTA group NetPeerGroup
Group ID = urn:jxta:jxta-NetGroup
Peer name = bobo
Peer ID = urn:jxta:uuid-59616261646162614A7874615032503399A33A2EB7BB47E5BA108F6B6D2BDF3203


This probably the shortest JXTA code shows the real power of JRuby in prototyping and learning JAVA APIs.

BTW, all the JXTA examples are up at http://www.threatmind.net/jxta

Hey Collab.net, upgrade your Squids!



Hmmm. Jxta.org is down.

Hello JXTA


So I downloaded Netbeans 6.0 Milestone 9 this morning and after briefly playing around with it is new Ruby project capabilities (quite nice) I finally got a JXTA 2.4.1 Hello World app built and running. I'll probably document this better, but the main thing was getting the right libraries (.jar's) added to the Netbeans project:
  • jxta.jar jxtaext.jar
  • log4j.jar
  • bcprov-jdk14.jar
All of these were available (replace link here when JXTA site is back up) and the Netbeans project source is available here if you are interested.

franz-macbook:~/dist mdfranz$ java -jar JxtaSample.jar
Starting JXTA ....
INFO 2007-06-09 11:27:52,358 NullConfigurator:::132> JXTA_HOME = file:/Users/mdfranz/dist/.jxta/ WARN 2007-06-09 11:27:52,360 NullConfigurator::load:233> Platform Config not found : file:/Users/mdfranz/dist/.jxta/PlatformConfig INFO 2007-06-09 11:27:52,361 NullConfigurator::adjustLog4JPriority:308 Log4J logging preference not set, using defaults INFO 2007-06-09 11:27:52,362 AutomaticConfigurator::buildPlatformConfig:159> New PlatformConfig Advertisement INFO 2007-06-09 11:27:52,421 AutomaticConfigurator::buildPlatformConfig:223 HTTP advertisement missing, making a new one. INFO 2007-06-09 11:27:52,425 AutomaticConfigurator::buildPlatformConfig:305 TCP advertisement missing, making a new one. INFO 2007-06-09 11:27:52,428 AutomaticConfigurator::buildPlatformConfig:365 Relay Config advertisement missing, making a new one. INFO 2007-06-09 11:27:52,433 AutomaticConfigurator::buildPlatformConfig:405 Rdv Config advertisement missing, making a new one. INFO 2007-06-09 11:27:52,436 AutomaticConfigurator::buildPlatformConfig:430 Proxy config advertisement missing, making a new one. INFO 2007-06-09 11:27:52,438 AutomaticConfigurator::buildPlatformConfig:457 PSE Config advertisement missing, making a new one. INFO 2007-06-09 11:28:07,012 NullConfigurator::adjustLog4JPriority:316 Log4J [user default] requested, not adjusting logging priority INFO 2007-06-09 11:28:09,909 NullConfigurator::adjustLog4JPriority:316 Log4J [user default] requested, not adjusting logging priority

Hello from JXTA group
NetPeerGroup
Group ID = urn:jxta:jxta-NetGroup Peer name = moonface Peer ID = urn:jxta:uuid-59616261646162614A787461503250334C06A0908D664660BDEFCD8DF2E958E603 Good Bye ....

Stay tuned for more blogs on JXTA. And if you are wondering why the sudden interested in Juxta (that is how it is pronounced) I 'm strongly considering using it in a new Open Source Network Security Project I'll be launching this summer.

Thursday, June 07, 2007

My Next Laptop



Believe or not Hello Kitty has a dark side, so I would definitely not be ashamed to bring one of these of up to a podium at security conference although probably wouldn't appropriate if I were still a consultant. Of course my 3 year old daughter wants one and she said, "Mom will say yes or no?" Of less importance after a number of difficulties my T61 supposedly shipped today. I would have loved to get a T60, but the new models were $400-500 cheaper due to a recent sale, so I couldn't pass it up. This will be the first bleeding edge fully-Linux laptop (I may actually keep a tiny XP Pro partition on, in case I were to ever need to use WWAN card). I have only found one page on running (Debian Etch) Linux on a T61. I know already the wireless won't work. But at least it has a PC-CARD slot so I can go Aironet until the Intel 4965 cards get native (non-ndiswrapper) support.

Monday, June 04, 2007

What ever happened to CIDF?

Was it SANS 98 that I saw some slides on this? I suppose CIDF was another one of those U.S. Government-sponsored research projects (the kind that small companies salivate over and big contractors squander) that went nowhere, produced nothing tangible? There better have been a real implementation that inspired CISL and not the reverse? Oh, yeah and while you are at it, please tell me the point of RFC 4766?

Sunday, June 03, 2007

Breaking and Fixing Flash 9 on OSX

Late last week (maybe the Security Updates, or was it the Firefox upgrade?!) something broke Flash in both Safari and Firefox. On Both Intel and PPC. From the version tracker page on the subject someone suggested logging in as the root user. And doing the manual install.

This worked.

Saturday, June 02, 2007

More Debian Mea Culpa

Link
I did another Etch VMWare install this afternoon (for playing around with JXTA and besides noticing how easy it is to get an up to date JVM (add non-free to your /etc/apt/sources.list) I decided to give the disk encryption a try during the install. Amazing LUKS works out of the box. Although I did look at the documentation there would have been no need to. Enter a passphrase, watch it write random data over the disk prior to partitioning, and off you go.