Monday, October 19, 2009

Crash Crash Crash

So I bought a new XFX X58i motherboard and a nifty Intel Core i7 CPU to go with it. It was time to upgrade my Core 2 Quad system to a faster Core i7 system and get more RAM. I had Windows XP Pro 64-bit, and it was finally starting to run slow after a good 2 years of processing and programming.

Friday came and I pulled apart my system and installed the new motherboard. Turned it on and ... nothing. No beeps, no POST, nothing. Worse yet, my 3ware card did not show its BIOS.

So I pulled out the new stuff and returned the old stuff. Turned it on.

Got past the POST and the Marvell embedded RAID controller BIOS and then, again, no 3ware BIOS. Well, that really stinks, because the 3ware card controls my RAID-1 array that contains my system data.

I called 3ware, who insisted that I just RMA the 8006-2LP and get a replacement. When I talked to the tech support person, she stated that it was not possible to hook the drives up to a newer 3ware card because the "old" 8006-2LP (pre-9000 series) locks the drives. Not only was I stuck with RMA'ing the card, but I had no other recourse than to wait for the RMA process to finish to recover my hard drive with all of my data on it.

Then Monday came, and Zen had taken root. I had resigned myself to waiting until Wednesday to get my data off one of the drives. I took the slave RAID member and installed Windows 7 on it (clean install). That was a smart move, as now the drives and the system are super fast again. That makes me think the 3ware card had been failing long before this day.

I found a software program - Data Recovery Wizard (www.easeus.com) - for $89 that appeared to be able to pull the data off the RAID-1 member. So I did exactly that - I pulled data off that drive and after several hours (150GB of data to recover), I had the most important aspects of my old system - the Outlook PST file and some development files that I did not have under source control.

Will I buy a 3ware card again? Probably not. Now that 3ware is LSI, though, they may have finally decided to add some compatibility to their cards. It was clearly short sighted of them to not allow future compatibility with their hardware RAID cards.

3ware did offer to send me a new 8006-2LP overnight on Monday for $49. The cost of overnighting my old 8006-2LP to Huntsville? $46. It's all a wash. I won't be using the new 8006-2LP in any system, though.

XFX board - crash. Never again. Why I experiment with non-Intel motherboard vendors, I don't know. EVGA and XFX get my Big Turkey rating when it comes to hardware. They're about as reliable as Dell. BFG gets my Lame Duck rating because they refused to honor my rebate check and cost me $20!

3ware Cards - can't say that I am happy there, but I do know that they are reliable cards. Only purchase new cards in the 95xx or newer range.

I've never had a problem like this with my HP/Compaq hardware. We sure do need another premium hardware vendor like Compaq.

Monday, October 05, 2009

Niche Taxes

In the USA, it would seem that lots of writers, commentators, screen writers, and pundits are obsessed with fat or obese people. One commentator on CNN [1] writes about using a tax to control obesity.

In California, we already have a Fat Tax, it's in the form of a tax on fast foods and sugary junk foods. Yet, there are fat people in California, and most of the people who are eating at McDonalds, Wendy's, Jack, and In-N-Out are all thin or acceptably sized.

Forbes ran an article in September of 2009 discussing how a fat tax could be some kind of reformist ideology. The Forbes article is mostly concerned with raising billions of dollars to help pay for some kind of unforeseen increase in socialized healthcare. It also claims that by 2015, 40% of Americans will be obese.

Seriously, how can anyone publish this stuff?

There are some level headed people out there who have some good things to say [2] in the Center for Consumer Freedom's Who Wants A Fat Tax article. There, a reference was made to a CSPI article [3] that pretty much sums up a simple position, yet not in so many words: Tax Food.

Oh wait, a general food tax? Which states in the US have a general food tax? There is a comprehensive list [4] of food tax rates by state as of January 2008. That's pretty interesting. Most states do not charge any sales tax on food, and some charge no sales tax at all.

Let's pick on Tennessee. They have a food sales tax of 5.5%, and the average BMI, according to the Tennessee On The Move survey: [5]

"According to the Tennessee on the Move study, the average Tennessean is overweight and nearly obese, with an average BMI score of 29.2."

Well, if this panacea Fat Tax was doing its job, then you would think that Tennesseans would be thin and healthy. The average Tennessean is pretty happy, though. They gave us Jack Daniels Whiskey, Elvis Presley, and FedEx Overnight Delivery.

The highest food tax rate is Mississippi, at 7%. Some data from NIH [6] suggests that in 2003, the mean BMI was 27.7, which is pretty darn high for a state with the highest food tax rate.

I could not find a comprehensive comparison of food tax rate as it relates to BMI, normalized by average salary. The BMI distribution of the typical human being is highly correlated with wage earnings (inversely apparently, according to one study regarding Food Stamp usage), and social setting. Apparently fat people beget more fat people, yet I don't believe it.

In 1998, the NIH changed the definition of "fat" to be a measure of BMI [7]. According to that change, a person with a BMI of 26 or higher is considered overweight, and at 31 they are obese.

I am apparently obese, and a fat tax would do nothing to my consumption habits. A fat tax would definitely put many people out of work, though, including an army of adolescents who sharpen their job skills while flipping burgers and asking "Do you want fries with that?" Kids without jobs leads to kids with idle hands. If you want to keep kids out of trouble, make them work, right?

I say that we need a stupid tax. People with an IQ that is over 125 should pay significantly less taxes than those with an IQ of 98. Those with 145 and above should be tax-free! Smarter people make the world easier and more fun. We also need a criminal tax, so that federal criminals on parole pay double taxes to pay back their incarceration costs and any future cost of policing them with parole agents and bounty hunters.

Let fat people be fat if they want to. If we don't, then what's next? Vulgar language tax? I don't like hearing vulgar language in public, so why not? How about vulgar dress tax? I see lots of poorly clothed teenagers and adults on the street, so maybe they should be taxed too?

Where do we stop with the over-taxing of our people? It's no wonder we have so many poor people. If we keep taxing them, what else do they have to do but eat more Snickers and watch the fabricated world of TV, because they certainly can't afford to visit Disneyland when all of their money is being paid back to the government. A government that is itself obese with regulations!


[1] http://www.cnn.com/2009/POLITICS/10/05/ruiz.obesity.tax/index.html
[2] http://www.consumerfreedom.com/news_detail.cfm/headline/2336
[3] http://www.consumerfreedom.com/news_detail.cfm/headline/1412
[4] http://www.taxadmin.org/FTA/rate/sales.html
[5] http://www.utmedicalcenter.org/news/Women+and+Heart+Disease/1828.html
[6] http://www.pubmedcentral.nih.gov/articlerender.fcgi?artid=1636707
[7] http://www.cnn.com/HEALTH/9806/17/weight.guidelines/

Additional Reading:

[*] http://www.telegraph.co.uk/foodanddrink/foodanddrinknews/6169880/Fat-tax-to-hit-McDonalds-in-Essex.html
[*] http://freakonomics.blogs.nytimes.com/2009/07/29/whos-ready-for-a-fat-tax/

Tuesday, August 18, 2009

IPTABLES and M4

I manage high traffic web servers that are constantly under attack. To manage the security of these web servers, I need to routinely update my iptables rules, and by routinely, I mean every morning when I roll into the office.

When I searched for a solution that allowed me to dynamically define my rules with a merge option, nothing came to the forefront. There are some miscellaneous posts about using Perl and cat, but nothing really useful.

Then I remembered M4. If you don't know about M4, then you should man it.

Here's what you do.

iptables.m4:


---- start ----

# Firewall configuration written by
# system-config-securitylevel
# Manual customization of this file is not
# recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
include(/root/iptables/iptables_special)
include(/root/iptables/iptables_reject)
include(/root/iptables/iptables_accept)
#
# The final rule that rejects everything
# that does not match
# the other explicit rules
#
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

----- end -----



This is the driver for the m4 process. When you want to create the iptables file, you just run:

m4 iptables.m4 > iptables

Two things to know about m4 before trusting the output. First, m4 is not iptables-aware: it copies # comment lines through untouched, but in rule lines it expands any word that happens to be a builtin macro name (include, index, len, shift, eval, format, unix, ...) and treats the backquote and the apostrophe as quote characters, so a --comment string containing an apostrophe or one of those words will be mangled. Running m4 -P turns the builtins into m4_include, m4_index and so on, which avoids the collisions (the three include() lines above then become m4_include()). Second, if an included fragment is missing, m4 reports the error but still writes the rest of the output, so the file ends up without, say, the accept rules while the final REJECT stays in place; install that and the box locks everyone out, SSH included. m4 exits non-zero in that case, so check its exit status before installing.

Here is a nifty script that does it all:


---- start ----

#!/bin/sh
set -e                              # stop at the first failure
cd /root/iptables
cp -f /etc/sysconfig/iptables iptables_back_`date +%Y%m%d`
m4 iptables.m4 > iptables.new       # a non-zero exit (e.g. missing include) stops here
mv -f iptables.new iptables
cp -f iptables /etc/sysconfig/iptables
/etc/rc.d/init.d/iptables restart

----- end -----



This script backs up the live config first (to the current directory, with the date in the name), and because of set -e it stops before installing anything if m4 fails, so a bad m4 parse neither clobbers your current config nor leaves a truncated ruleset running. Keep in mind that restart on the RHEL init script runs stop before start, flushing the rules and setting the default policies to ACCEPT; if iptables-restore then rejects the new file, the host is left with no rules at all, which is why a bad file has to be caught before this step.

Just save that script into something like "update.x" and chmod +x on it. Then you can update components of your iptables rule file much more easily.
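To catch a bad expansion before it reaches /etc/sysconfig, here is a small lint for the generated file, written as an added example: it is not part of the original post and not an m4 or Red Hat tool. It assumes the iptables-save format produced by the driver above and a hypothetical file name check_rules.py; the sample ruleset embedded at the bottom is constructed for the demonstration.

```python
"""Lint an m4-generated iptables ruleset before it is installed.

Added example, not the post's own code. It reads the iptables-save format that
`m4 iptables.m4 > iptables` produces and reports what iptables-restore would
reject or what would silently lock you out: an include() that m4 left in the
output because the fragment was missing, rules on or jumps to chains that are
never declared, and rules placed after a catch-all REJECT/DROP that can never
match.  Usage: python check_rules.py iptables  (no argument runs the sample)
"""
import re
import sys

# Jump targets that are not user-defined chains (built-in and common extensions).
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "QUEUE",
                   "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "MARK"}

CHAIN_DECL = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")   # :NAME POLICY [p:b]
RULE = re.compile(r"^-[AI]\s+(\S+)(.*)$")                     # -A CHAIN matches -j TARGET
JUMP = re.compile(r"\s-j\s+(\S+)")
REJECT_OPTS = re.compile(r"\s-j\s+\S+(\s+--reject-with\s+\S+)?")


def check_rules(text):
    """Return a list of problems (strings); an empty list means the ruleset looks sane."""
    problems = []
    declared = set()      # chains declared with ":NAME POLICY [0:0]"
    catch_all = set()     # chains already ended by an unconditional REJECT/DROP
    saw_table = saw_commit = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "include(" in line:
            problems.append("line %d: unexpanded m4 include(): %s" % (lineno, line))
            continue
        if line.startswith("*"):
            saw_table = True
            continue
        if line == "COMMIT":
            saw_commit = True
            continue
        m = CHAIN_DECL.match(line)
        if m:
            declared.add(m.group(1))
            continue
        m = RULE.match(line)
        if not m:
            problems.append("line %d: not a rule or chain declaration: %s" % (lineno, line))
            continue
        chain, rest = m.group(1), m.group(2)
        if chain not in declared:
            problems.append("line %d: rule appended to undeclared chain %s" % (lineno, chain))
        if chain in catch_all:
            problems.append("line %d: dead rule, %s already ends in a catch-all" % (lineno, chain))
        j = JUMP.search(rest)
        target = j.group(1) if j else None
        if target and target not in BUILTIN_TARGETS and target not in declared:
            problems.append("line %d: jump to undeclared chain %s" % (lineno, target))
        # A REJECT/DROP with nothing but the jump (and its --reject-with) is a
        # catch-all: everything appended to that chain afterwards is unreachable.
        if target in ("REJECT", "DROP") and not REJECT_OPTS.sub("", rest).strip():
            catch_all.add(chain)
    if not saw_table:
        problems.append("no table header such as *filter")
    if not saw_commit:
        problems.append("no COMMIT line; iptables-restore would apply nothing")
    return problems


# Constructed sample: the driver from the post with the accept fragment missing,
# so m4 left the include() in place and a rule landed after the final REJECT.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
include(/root/iptables/iptables_accept)
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    problems = check_rules(text)
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Run it between the m4 step and the cp in the update script (python check_rules.py iptables || exit 1); the exit status is non-zero whenever a problem is found, so set -e stops the install.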

Quick and easy solution. No Perl junk, no expensive security management software, nothing but runtime macro substitution with M4.

Monday, August 17, 2009

Rookie Mistake

I've been fighting with an ASP.NET 1 conversion to ASP.NET 2 where for some unknown reason, the Global.asax code is no longer being run. No matter what I do, including making a Global class or even embedding the code into the asax file, the Application_Start is not being invoked when the app starts. No matter though.

What I am embarrassed about, though, is a simple mistake:


using System.Configuration;

public class Foo
{
    // Static field initializers run in textual order: this one runs first
    // and calls the ctor, which assigns KEY ...
    private static Foo _Instance = new Foo();
    // ... and then this initializer runs and sets KEY back to null.
    private static string KEY = null;

    private Foo()
    {
        KEY = ConfigurationSettings.AppSettings["MyKeyValue"];
    }

    public static Foo Instance() { return (_Instance); }
}


Guess what value "Foo.KEY" has after you call Foo.Instance? Eight hours later, I finally realized why KEY is always null and the real fix is just to do the following:


using System.Configuration;

public class Foo
{
    // KEY is now initialized before _Instance, so the ctor's assignment
    // is the last write and survives.
    private static string KEY = null;
    private static Foo _Instance = new Foo();

    private Foo()
    {
        KEY = ConfigurationSettings.AppSettings["MyKeyValue"];
    }

    public static Foo Instance() { return (_Instance); }
}


When Foo.Instance is called, the class's static field initializers run in textual order. _Instance = new Foo() runs first and invokes the ctor, which sets KEY. Then the next initializer, KEY = null, executes and clobbers the value back to null. Reordering the fields fixes it; so does dropping the explicit = null (a static reference field is null by default, so there is no initializer left to run) or moving the lookup into a static constructor, which always runs after all the field initializers.

Rookie.

Monday, August 10, 2009

Covert Communications

A recent experience with intermittent network failure started me thinking about how I could read data from a server without the NOC knowing about it. The blunt way is a rootkit that replaces netstat, syslog and ps so that the implant never shows itself; a child could do that. What I wanted was a method that goes undetected because it looks like a common attack, one that is easily thwarted and therefore often ignored.

First, there is the ICMP ping relay (bounce) attack. To communicate with a third party without ever addressing it directly, send echo requests to a server with the source IP spoofed to the third party's address; the server's echo replies, which by RFC 792 carry the request's data back unchanged, go to the third party.

Secondly, you need to take advantage of subliminal channels [1] in network protocols. This is the super-secret spy stuff that makes this idea a reality. By utilizing a subliminal channel, I am able to send secret messages to the 3rd party, and have the message go undetected.

Together these give a covert channel. You can expect to use about 64 [2] bytes of data per packet in the subliminal channel. Larger payloads would work, but oversized echo packets are conspicuous, so the covert payload has to stay the size of an ordinary ping.

The next step is compromising the host. We want to subvert the NIC driver so that it handles the special ICMP packets we relay through the server. The NIC driver is the right place because a relatively innocuous-looking addition there runs in kernel mode with access to the whole physical memory image, and the card itself reads and writes RAM by DMA (direct memory access), constrained only by an IOMMU where one is present and enabled. A specially crafted ICMP packet would trigger the covert driver code and start relaying the RAM image of the compromised computer to the third party.

For our sake, take the ICMP packet as 92 bytes on the wire: 20 bytes of IP header, 8 bytes of ICMP header, 64 bytes of payload, ignoring Ethernet framing. A 1.5 Mbps link carries 187,500 bytes per second, which is about 2,038 such packets, or roughly 130 KB of covert data per second. Imaging a full 1 GB of RAM therefore needs about 8,230 seconds of transmission. Since every packet goes to the bounce server first and is then relayed, the link carries each byte twice and the throughput is halved: about 16,460 seconds, or 4 hours and 34 minutes. On a 10 Mbps link the image takes about 41 minutes; if you compromised a 1 Gbps LAN, about 25 seconds.

By imaging the RAM of the server you get whatever has necessarily been decrypted in order to be used: passwords, session keys and cached credentials, and on a "secure" server the plaintext of the intelligence it processes. The exposure is nearly limitless because, whatever the encryption at rest or in transit, the data must sit decrypted in RAM for the software and its human user to work with it.

To make the exploit "real time", the whole image would have to move in about a second, which at the rates above means roughly 25 Gbps of link capacity for every 1 GB of RAM. The more practical route is selective imaging. The compromised NIC driver scans the RAM space during idle time for keywords that identify passwords, key intelligence or other opportunistic data, notes the addresses, and ships only those regions. Most kernel memory managers do not move data around often, so tracking the location of the key data is relatively trivial.

Counterfeiting the network driver would be trivial for an insider. A driver engineer inserts the code, it ships on the bundled disc, and since the same code base feeds the vendor download, it spreads quickly to production machines. Nothing in the driver's normal behavior would give it away, so short of a thorough review of the driver source, or a comparison of the shipped binary against a build from audited source, the compromise could go undetected indefinitely.

An open-source network driver would not necessarily be more secure. It has been my experience that the open-source community respects the ownership of driver source and leaves maintenance and review in the hands of the author. Hardware drivers are inherently complex and hard to debug, so any non-expert device driver engineer would have nearly zero chance of detecting anomalous code.

[1] http://www.springerlink.com/content/qu26013256884354
[2] http://www.iv2-technologies.com/CovertChannels.pdf, pg 7.

Additional reading

http://archives.ece.iastate.edu/archive/00000154/01/mcpthesis.pdf
http://www.gray-world.net/cn/papers/acs2003-hiccups.pdf
http://www.nersc.gov/~scottc/papers/ICMP_Backdoor_Detection.html
http://www.s0ftpj.org/docs/covert_shells.htm
http://www.sans.org/resources/idfaq/traffic.php
http://en.wikipedia.org/wiki/Ping

Wednesday, April 15, 2009

TYPE 1 DIABETES DILEMMA

Stem cells abound in medical research. Today I read an article on CNN [1] that claims blood stem cell transplantation gets Type-I diabetics off of insulin. I suppose that is good news for the countless young kids who are dealt this death sentence.

Yet, there is something more to this disease. This year, 2009, has found several research papers on the study of viral activity and Type-I diabetes [2], [3], [4], [5]. This makes me question whether or not any transfusion, transplantation, or any other replacement therapy has any merit for Type-I diabetes. No matter what you replace in the patient's body, the virus will continue to infect the new material, and the disease will continue to manifest.

What we really need to see isn't more snake-oil stem cell therapy that is costly and inconsequential, but rather real medical trials using virus-targeting therapies that are localized to the infected pancreas. These kids are doomed to an early death with this disease, and if it can be cured, and not just treated, with anti-viral medications, then why not start aggressive treatment trials?

[1] http://www.cnn.com/2009/HEALTH/04/15/stem.cells.diabetes/index.html
[2] http://www.childrenwithdiabetes.com/d_0n_120.htm
[3] http://www.ncbi.nlm.nih.gov/pubmed/11919574
[4] http://www3.interscience.wiley.com/journal/118782400/abstract?CRETRY=1&SRETRY=0
[5] http://www.sciencedaily.com/releases/2009/03/090305141639.htm
[6] http://diabetes.diabetesjournals.org/cgi/content/abstract/55/4/996

Friday, January 02, 2009

Oh The Pain

I seem to be the poster child for failed hardware. Today, my Pioneer DVD-RW DVR-112D decided to stop writing discs. From what I can tell, though, this has been going on since the day I installed this disc drive.

Pioneer admitted in 2007, just prior to my purchase of the drive, that there are some manufacturing problems with the drive. They shipped the drive because they "did not feel that a use-case existed in which the error would manifest." Well, apparently that was wrong because many a person has experienced problems with these drives.

For the last year, I've noticed that my Windows XP 64-bit has been experiencing random halts that would last for about 5 seconds. During that time, I would grumble and refine my repertoire of colorful expletives.

Today, after installing a SONY DRU-842A as a replacement, I noticed the random halting was gone. The startup time for Windows was back to its super-fast normal self. With the Pioneer in there, sometimes the Windows boot would just pause for about 15 seconds, or longer, before the splash screen, and then resume. With the SONY, it was super-fast again.

Reviewing the Windows EventViewer, I see that the Pioneer cdrom reported "An error was detected on device \Device\CdRom0 during a paging operation." I suppose that would be the first indication that something was awry with the drive. In the EventViewer, though, that is only a warning. The real error that I saw recently was "The device, \Device\CdRom0, has a bad block." That error is a real indication of death for the Pioneer CD drive.

So far I've replaced my CDROM, my motherboard, and my video card. I have a 22 inch Hanns-G HG216 waiting for install as soon as I get some screws that properly seat it into my Neo-Flex bracket. What's next? I suppose there will be a hard drive failure soon, but that's expected, so I run RAID-5 with Western Digital hard drives and a 3Ware controller.