"USB Killer" Hype

This week, there was lots of fuss about the latest generation of "USB Killer" hype. I won't link to any articles. The device looks like a USB flash drive but overvolts and reportedly bricks computers. It was announced back in March. The "2.0" version was announced recently, and the hype is back.

Here's my take:

Since the chances of running into one of these in the wild are virtually nil, I think the real lessons here are not to leave your computer unattended, and not to let strangers plug things into your computer. These are more useful security measures than refusing to plug in a stray USB stick. These habits also defend against more attacks (e.g. evil maid, Thunderstrike, data extraction and others, not to mention outright theft of the computer).

There are only a few extant devices in a "thumb drive" form-factor that are engineered to fry the logic board of whatever you plug them into. The people who have these devices (those who made them) probably won't leave them lying around. I know I wouldn't. They're expensive to build and re-usable. If I were up to no good, I'd want to be the one to plug it into something. Then, I'd take it out and move to the next target.

Until this class of device sees commercial availability, we all have much more nefarious things to be concerned about. Once that changes, prying the case off of a suspicious USB device might not be a bad idea. You wouldn't see a bank of large surface-mount capacitors taking up most of the space in a real flash drive.


OpenBSD PHP/MySQL Walk-throughs are up to date (Finally!)

First and foremost, I finally took the time to wrap my brain around OpenBSD's new relayd-based httpd. You can see the walk-through here:

While I was at it, I refreshed the guides for nginx and apache.
These should be maintained for future versions of OpenBSD going forward. Enjoy!


Raspberry Pi random host generator

Say you have a really watchful network/systems administrator that keeps a close eye on new devices being joined to the network...

You know where this is going. It's April 1st.

Toss this into /home/pi, then make it executable.

#!/bin/bash
# Loop forever: each pass picks a new MAC address, a new hostname and new SSH host keys.
while true
do
  # Random MAC: fixed three-byte OUI prefix, then three random bytes from /dev/urandom
  mac=`echo -n 00:03:BA; dd bs=1 count=3 if=/dev/urandom 2>/dev/null | hexdump -v -e '/1 ":%02X"'`
  # Random lowercase-only hostname, also drawn from /dev/urandom
  newhost=`dd if=/dev/urandom bs=35 count=1 2>/dev/null | tr -dc "a-z"`
  echo $mac $newhost
  ifconfig eth0 down
  pkill dhclient
  hostname $newhost
  ifconfig eth0 hw ether $mac
  # Throw away the existing host keys and generate fresh ones (see the notes below)
  rm /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_dsa_key
  ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa -P ''
  ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa -P ''
  ifconfig eth0 up
  dhclient eth0
  ip addr show eth0 | grep "inet "
  echo "Sleeping..."
  sleep 60
done

You can add the line below before the "exit 0" line at the end of /etc/rc.local on Raspbian to make it start up at boot. You now have a random host generator that spawns a new MAC address, a random hostname and new SSH keys every minute or so.

nohup /home/pi/mac.sh >> /tmp/mac.out&

A few notes:

  • This will totally hose all of your SSH host keys on the pi. Make backups of them if they're important to you.
  • I chose an OUI (00:30:BA) that I knew would not match anything else on the target network. You may wish to do some research and change the hard-coded OUI prefix in the code above.
  • The interface fluxing will also make remote management troublesome unless you have a wireless adapter on a more stable network, but even that can betray you, since the host keys keep changing along with the wired interface.
  • I took the additional step of leaving the Pi powered on for a few minutes before attaching the ethernet cable, so that it wouldn't ever show up on the network with a Raspberry Pi MAC address, since it had time to generate a new fake address before I hooked it in.
  • There are some very simple ways to defend against something like this.
  • It goes without saying, but pranks at work can lead to disciplinary action.
Also, thanks to the target of this April Fool's day prank for giving me a few extra ideas (included here, but not in the original implementation) after catching me in the act.
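On the "very simple ways to defend against something like this" note: the churn this script produces is loud in the DHCP server's logs. The sh/awk script below is an added example, not part of the original post, that reads ISC dhcpd "DHCPACK" syslog lines and flags (a) ten-minute buckets in which an unusual number of never-before-seen MAC addresses took a lease and (b) leases whose OUI is not on an allow-list of vendors you expect on the segment. The log format, the bucket size, the thresholds, the allow-list and the sample log lines are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes ISC dhcpd lines of the form:
#   Mon DD HH:MM:SS host dhcpd: DHCPACK on <ip> to <mac> (<hostname>) via <iface>
# The lines below are constructed sample data, not a real capture.
LOG_SAMPLE='Apr  1 09:00:12 gw dhcpd: DHCPACK on 10.0.0.21 to b8:27:eb:12:34:56 (raspberrypi) via eth0
Apr  1 09:01:14 gw dhcpd: DHCPACK on 10.0.0.22 to 00:03:ba:4a:1f:9c (qwzplmkd) via eth0
Apr  1 09:02:15 gw dhcpd: DHCPACK on 10.0.0.23 to 00:03:ba:77:02:e1 (trxvbnmq) via eth0
Apr  1 09:03:16 gw dhcpd: DHCPACK on 10.0.0.24 to 00:03:ba:0c:55:aa (hjkloiuy) via eth0
Apr  1 09:04:17 gw dhcpd: DHCPACK on 10.0.0.25 to 00:03:ba:91:de:03 (asdfgzxc) via eth0
Apr  1 09:30:00 gw dhcpd: DHCPACK on 10.0.0.50 to 3c:22:fb:aa:bb:cc (laptop-jane) via eth0'

# Count first-seen MAC addresses per ten-minute bucket and print the buckets
# that reach the threshold.  Usage: flux_buckets THRESHOLD < logfile
flux_buckets() {
    awk -v thr="$1" '
        /DHCPACK on/ {
            split($3, t, ":")                    # $3 is HH:MM:SS
            bucket = t[1] ":" substr(t[2], 1, 1) "0"
            mac = tolower($10)                   # $10 is the client MAC
            if (!(mac in seen)) { seen[mac] = 1; count[bucket]++ }
        }
        END { for (b in count) if (count[b] >= thr) print b, count[b] }
    ' | sort
}

# Print each MAC (once) whose OUI is not in the space-separated allow-list.
# Usage: unknown_oui "b8:27:eb 3c:22:fb" < logfile
unknown_oui() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[tolower(a[i])] = 1 }
        /DHCPACK on/ {
            mac = tolower($10)
            oui = substr(mac, 1, 8)              # first three octets, e.g. 00:03:ba
            if (!(oui in ok) && !(mac in shown)) { shown[mac] = 1; print mac, $11 }
        }
    '
}

# Run both checks over the constructed sample (on a real box: < /var/log/syslog).
printf '%s\n' "$LOG_SAMPLE" | flux_buckets 3
printf '%s\n' "$LOG_SAMPLE" | unknown_oui "b8:27:eb 3c:22:fb"
```

Five distinct MACs in a single ten-minute window on a small segment is exactly the pattern the script above generates once a minute, and a whole run of addresses under one OUI nobody on the network uses narrows it further; a watchful administrator can also just pin the switch port to one MAC, at which point the first address change knocks the Pi offline.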


OpenBSD 5.6

OpenBSD 5.6 was released to the world today. The first things I noticed were a hint of better laptop support via an extra prompt from the installer, and the fact that they have finally ditched a functioning version of the Apache fork in the base distribution, requiring users to rely on either nginx or the all-new relayd-based httpd, both of which are provided in OpenBSD 5.6. I've already updated the walk-through for OpenBSD/nginx/MySQL/PHP-FPM (ONMP Stack). As Apache is now out of the base distribution, I will transition the OAMP Stack page to cover Apache2 from the package repository. I plan on working out the details of getting MySQL/PHP working with the new httpd as well, but that could take a while.


It's a loop recorder for your network!

I haven't written here much lately. I've been swamped with work and real life.

Recently, my wife wanted me to clone one of my VMs so she could play around with running a MUD for some friends. Yes, my wife's a nerd like me. As anyone who's ever run a game server can guess, it didn't take long for the griefers to show up. She asked me to log everything going to her VM. I could have probably compiled DaemonLogger or something similar, but I decided tcpdump was more than capable enough for us.

sudo tcpdump -i eth0 -wPacketLog -W10 -C100M

Throw that in the background (or in a tmux/screen session) and enjoy a 1GB looped recording of everything you can see on the network, broken into 100MB chunks (named PacketLog0 - PacketLog9), overwriting the oldest file as it goes. You can also add typical tcpdump filters (e.g. "tcp port 80") to the end if you want. Adjust -W to increase/decrease the number of files it keeps and -C to adjust the number of MB of data kept in each file. File prefixes, as you guessed, are controlled by the -w option.

If you want to monitor your whole network, this works best if you have a span/mirror port set up, or you can make a passive network tap.

To review the contents of a saved file, use tcpdump -nvXs0 -r PacketLogN (displays the contents in side-by-side hex/ASCII format) on the file you want. You can also use tcpdump filters here to watch specific connections, protocols and/or hosts.


OpenBSD 5.5 PHP/MySQL walk-throughs are updated

As of last night, the walk-throughs for setting up PHP/MySQL stacks on OpenBSD have been updated for OpenBSD 5.5. In November, OpenBSD is planning on dropping Apache from the base distribution, so now is the time to bone up on nginx. Don't worry, Apache will still be in the package repository (likely only apache2), but expect the Apache walk-through to have some dramatic changes later this year.

At any rate, behold, the updated guides:


OpenBSD 5.5: It's aliiiiive!

Several mirrors are live with OpenBSD 5.5 available for download. ftp5 is my go-to.

I think the most interesting changes are crypto-signed release and package files (see signify(1) for details) and the addition of an automated unattended install (see autoinstall(8)). As always, more hardware support, some bug fixes, and interesting new features. This weekend, I'll probably make sure that our OAMP and nginx walk-throughs still work, with minor tweaks.