2009-12-29

Free Antiviruses

I'm not a huge proponent of anti-virus. It's not that I think I won't get one. It's just that I'm usually running an OS that's not a big target for viruses. I can't even list one AV tool specifically for OS X, BSD or Linux, but I'm sure something exists. I just stick with NoScript and RequestPolicy on Firefox to keep the browser malware at bay.

With Windows 7, I figured it might be time to look into AV if for no other reason than to get rid of the nagging system tray icon warning me that my computer might be at risk. Then, just today, Keith posted a list of free AV solutions for Windows. I went with MS Security Essentials. It stays out of the way for the most part from what I've seen, but it's not like I've tried pulling up a bunch of Russian Serialz, Crax & w4r3z sites or any crap like that -- a move I'd consider to be asking for trouble.

I know plenty of readers are Windows users, by choice or by force (employer?).

What have you had the best luck with? What other anti-malware tools are you using for yourself or for others who already hosed their systems up?

From the comments: Apache + UserDir + Chroot on OpenBSD

In the comments on the OpenBSD 4.6 OAMP article, azhax and I hashed out how to get UserDir functioning in a chroot. I don't usually need UserDir, but it's a common configuration for multi-user systems such as those found at universities and ISPs. It's definitely worth covering.


UserDir is the configuration directive in Apache that lets you use tilde shortcuts for users' web directories. ex. http://some.server.edu/~axon/

The first thing you need to do is realize that when Apache is running in a chroot in the default OpenBSD install, Apache can't access anything outside of /var/www. The default OpenBSD apache install comes with a directory created for this: /var/www/users

First, edit /var/www/conf/httpd.conf and uncomment the "UserDir /var/www/users" line, and delete or comment out the "UserDir disabled" line. Use whatever editor you're happy with, but you may need to chmod it first, or use :w! in vi, since the file is read-only.

Then, I created a directory for my user account, gave myself ownership of the directory and created a public_html symlink in my home directory pointing at it. Keep in mind some FTP servers do not like to follow symlinks in the name of security, but SCP or SFTP might do just fine with this.

$ sudo mkdir /var/www/users/axon
$ sudo chown axon /var/www/users/axon
$ sudo ln -s /var/www/users/axon ~axon/public_html

And finally, I restarted apache. "apachectl restart" doesn't always work properly, so start it manually after stopping it with apachectl.
$ sudo apachectl stop
$ sudo /usr/sbin/httpd

Thanks go to azhax for asking how this one is done. It's definitely more involved than your average Ubuntu Server install, where only a public_html directory is needed in users' home directories and little else. If you find that most of your users will need web directories, you may want to create a script to put in /usr/local/sbin that you can run with sudo after running adduser just to make it a little easier.
#!/bin/sh
#addwebdir.sh
#syntax: addwebdir.sh [username]
# Look up the home directory from the passwd file; "~$1" does not tilde-expand in sh.
home=$(awk -F: -v u="$1" '$1 == u { print $6 }' /etc/passwd)
[ -n "$home" ] || { echo "no such user: $1" >&2; exit 1; }
mkdir /var/www/users/"$1"
chown "$1" /var/www/users/"$1"
ln -s /var/www/users/"$1" "$home"/public_html
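As an added check (not part of the original post or azhax's comments), the script below verifies that a user's web directory has the layout a chrooted Apache can actually serve: the real directory sits inside the chroot under users/, is owned by the user, and ~user/public_html is a symlink pointing into the chroot rather than out of it. The function name userdir_check and its three arguments are my own; the chroot and home paths are passed in so the check can be tried against a scratch directory.

```sh
#!/bin/sh
# Added example, not from the original post. Checks one user's web directory
# against the layout a chrooted Apache on OpenBSD can serve.
# Usage: userdir_check CHROOT USER HOME_DIR
#   e.g. userdir_check /var/www axon /home/axon
# Returns 0 when the layout is right, 1 (with a reason on stderr) otherwise.
userdir_check() {
    chroot="$1"; user="$2"; home="$3"
    real="$chroot/users/$user"
    link="$home/public_html"

    # 1. The served directory must be a real directory inside the chroot.
    #    A symlink here would point Apache outside the chroot, which it cannot follow.
    if [ -L "$real" ] || [ ! -d "$real" ]; then
        echo "$user: $real is missing or is a symlink" >&2
        return 1
    fi

    # 2. It must be owned by the user so they can publish without sudo.
    owner=$(ls -ld "$real" | awk '{ print $3 }')
    if [ "$owner" != "$user" ]; then
        echo "$user: $real is owned by $owner, not $user" >&2
        return 1
    fi

    # 3. ~user/public_html must be a symlink whose target is the chroot directory.
    if [ ! -L "$link" ]; then
        echo "$user: $link is not a symlink" >&2
        return 1
    fi
    target=$(readlink "$link")
    if [ "$target" != "$real" ]; then
        echo "$user: $link -> $target, expected $real" >&2
        return 1
    fi
    return 0
}
```

Run it once per user after adduser, or loop it over /var/www/users to audit an existing box.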

2009-12-28

Windows 7 on a MacBook: Kind of a pain to install

But it's sweet once it works with all the drivers installed

Let me step back a bit. I already had a license for Win7 Home Premium upgrade. That means I had to install it on top of Windows XP or Vista. So, I had to install XP Home first, which I also had a license for. Getting XP up and running was the root of my issues.

A while back, Apple pushed out an EFI update that supposedly removed the necessity to use BootCamp to install Windows or any other OS, really. With a spare partition on my hard drive, I decided to clobber Ubuntu and install Windows XP over it. That ended up trashing the entire partition table and bricking my MacBook.

Time Machine to the rescue. 3 hours later, I had restored my OS X partition from bare-metal to a point-in-time backup where the only thing I lost was 30 minutes of browser history. In other words: it worked perfectly. 45 minutes later, XP was installed, but the boot.ini file was pointing to the wrong partition. Using the XP recovery console to attempt a repair, I had whacked my partition table. AGAIN. Wash, Rinse, Repeat.

You need XP SP2 or higher, as it turns out. I guess I should have read the entire Boot C(r)amp manual first. I used BootCamp Assistant to create the partition this time, instead of partitioning it during restoration with the OS X install CD. Once XP Home SP2 was installed, I was without any drivers. The OS X CD supposedly contains them, but it was showing up as a blank disk when inserted. I wasn't worried about video drivers, or audio, or anything other than getting it on the network so I could activate Windows and commence the upgrade to Windows 7. For that, I ended up using a Linksys USB wireless adapter (and the driver CD). Then it was home-free.

Windows 7 installed fine without a lot of problems. It had many of the drivers already built-in, including the wireless. The audio and touch-pad drivers were sub-par, though. Other things like the iSight had non-existent support. Again, the OS X DVD I have wasn't showing the drivers under Windows 7 either and the BootCamp download from Apple wouldn't even run. I finally found a BootCamp driver download on the Digiex forum. Of course, you will want to use third-party supplied drivers at your own risk, but it seems to be working pretty well.

All in all, I burned almost an entire waking day attempting to get Win7 installed on my MacBook. A good part of that was the initial install of XP. Going straight to Win7, at least once you have the drivers, is probably not too bad. I can't stress enough how important it is to have a good Time Machine backup before you start, though.

End result:


Let it never be said I'm completely bigoted when it comes to Microsoft. My wife has been using 7 for a few months, and I'm already digging it. This may be Microsoft's best Windows release since Windows 2000, which I also had plenty of good things to say about.

Time will tell as I put it through its paces, but usability is just as good as OS X now that all the drivers are working properly, and this is a rather comfortable operating system for daily use.

2009-12-22

Guest Post: Setting up a Pfsense firewall

This is a guest post by BIOSshadow. You can follow him on Twitter and at his blog, Geek Crack.

Pfsense is a free, as in speech and beer, firewall for home, business, and any other purpose you can think of. It's based on FreeBSD, so it's very stable and has a very good TCP/IP stack. It has a serious feature list.

I have to explain how little PfSense needs in the hardware department. My setup is an old desktop computer that a client gave me because it "went bad." The power supply unit blew out during a lightning storm in the middle of the night. Anyway, it's a single core Intel processor, I am not sure what speed, with 512 MB of RAM, and a 40 GB hard drive. Now the only reason I have 40 gig is because it was easier to keep in there than fight the case, and put in a 10 gig I had around. So any basic computer you have around will work. But as with any computer, the more memory the better. I will get into that later.

You will need a video card/monitor and keyboard and of course a Pfsense CD. A USB keyboard will work, but a PS/2 keyboard won't need to load extra drivers. After the install and a little configuring is done, you can remove the video card/monitor and the keyboard; you can do everything through the web panel or an SSH connection, if you turn it on.

Now onto the setup. (Note: For the screenshots I am using VirtualBox. This is for the screenshots only.) When it boots up to the bootloader, you want to boot with the default, either by waiting for the timer to run out or by hitting enter.



Now if you have two NICs, which I recommend, you do not need to set up VLANs, but you can. If you only have one NIC, you need to set up at least two VLANs.


Now this is one of the great things about Pfsense that I can't find anywhere else: you unplug the ethernet cables, and it asks you to plug the LAN cable into the LAN NIC. Then it does the same for the WAN cable and NIC. If you want to set up a DMZ with a third NIC, this is where you do it.



Pfsense will ask you if you want to proceed and then build the config files and start up all the daemons, like the Web Panel and others. Congrats! You have a running Pfsense firewall, but everything is in memory and running from the CD. If you want to run it like this then you are set, but if the power goes out you will have to set it up again using a backup config file or from scratch. If you want to install to a hard drive you will need to type "99" and hit enter to continue.


The hard drive installation is menu-driven and easy to use. If you are having issues, feel free to edit the setting and accept when done.


Select "Install PfSense" and select the hard drive you want to use. Format the disk and select "use this Geometry".








If you are lucky enough to have a multi-processor system or are using an embedded system, select those options. Now remember this is "multi-processor", not "multi-core processor".


Now Pfsense is installed and ready to go. Just restart it and remove the disc.


After the reboot, we will need to setup local IPs and their ranges. Unless, of course, you have a separate DHCP server, then set it up to connect to the server.


The IP settings are all up to you. I used a normal home setup for the sanity of my family (networked printers, NAS, etc.). Just remember the IP you give Pfsense, because you will need it to access the Web Panel.










Now you are all set up. You can unplug the monitor and keyboard, and the other stuff you were using for setup.


Now back on your computer, open up a browser and go to the IP of Pfsense. The default username is "admin" and the default password is "pfsense".


Of course, you want to change the password and, if you want, you can change the username as well. To do so, on the red navigation bar at the top, hover over System and click on General.


To enable SSH, which I recommend, you need to go to the Advanced section of the System menu.


If your ISP is like mine, your MAC address is tied to the account, and if you use a different one you don't get access to the Internet. To edit it, go to Interfaces and then WAN.



Now you have a working Pfsense firewall. Have fun!


There are a few things Pfsense lacks out of the box, like a Squid proxy and an A/V scanner. But it makes up for it with its packages. It has quite a few packages, but remember: the more packages, processes and packets it handles, the more memory it uses and the more lag increases. They have packages for Snort, Squid, SquidGuard, and an A/V scanner.






Well, there it is: a completely set up and configured Pfsense, with A/V scanning, proxy and traffic monitor.




2009-12-19

Personal Radio Service

The United States has 4 sets of frequencies under the category of "Personal Radio Services" which anyone can use with certain restrictions on power output, antenna height and location. There are three others (MICS, WMTS and GMRS) under this category; however, they require that you be either a medical care facility or have special permissions or certification to use them.

No FCC License Required Frequency Bands:

FCC Restricted Frequencies:
I found this to be very interesting because of my involvement with amateur radio.
I also found that CB radio used to be the old 11 meter HF amateur radio band. The nice thing about HF radio is that its range is greater than line of sight due to atmospheric bounce. The FCC limits the power on most of these frequencies because in order to amplify a signal they have to take great care in not creating interference on other frequencies.

GMRS radios are readily available but require a license to use. The GMRS radio license allows for the use of repeaters and higher output. FRS and GMRS share several frequencies; the difference is that GMRS radios are allowed to broadcast at 5W instead of just 500mW.

You can find FRS/GMRS radios just about anywhere for under $20, MURS radios range from $50 to $100, CBs range between $40 and $100, and I couldn't find anyone selling LPRS.

Links:
CSG, Computer Support Group, Inc. and CSGNetwork.Com, "Glossary" (Accessed Dec 2009)
http://www.csgnetwork.com/

http://www.csgnetwork.com/gmrsfreqtable.html
http://www.csgnetwork.com/frsfreqtable.html
http://www.csgnetwork.com/mursfreqtable.html
http://www.csgnetwork.com/cbradiofreq.html
http://www.csgnetwork.com/lprsfreqtable.html
http://www.csgnetwork.com/micsfreqtable.html

Federal Communications Commission, "Personal Radio Services" (Accessed Dec 2009)
http://wireless.fcc.gov/services/index.htm?job=service_home&id=personal_radio

See also:
HAM it up!
http://www.h-i-r.net/2009/04/ham-it-up.html
Introduction to Proximity Cards
http://www.h-i-r.net/2008/09/introduction-to-proximity-cards.html

2009-12-16

Sci-Fi: Kourier or Deliverator?

Pardon the Snow Crash reference. Two of the main characters were "delivery folks". One, a pizza deliverator with a formidable car for such tasks. The other was a skateboard Kourier. At any rate, I both chuckled and boggled over this one.


Pizza delivery. On a skateboard. In the middle of Main Street in Kansas City, MO and right at the beginning of peak Lunch Hour. WTF?


2009-12-12

HiR's Best of 2009

Well, it's almost the end of 2009, so it's time once again for the best of HiR!

Top content
#1: Still reigning the top of the chart for the second year in a row: the DIY Lock Picks Series.

Using commonly available tools and materials such as a few pairs of pliers, a dremel or bench grinder, hack-saw blades, old windshield wipers, and even street-sweeper bristles, we went through and showed you how to make your own set of reliable lock picks and tension wrenches. Most of the hits seemed to come from Google Image Search, where people were looking for lock pick templates.


In the #2 spot this year: The Evil WiFi Series of articles.

The greedy access point stuff has been around for a while, and it's known as "karma" in the infosec industry. Digininja brought easy karma to the La Fonera with Jasager. Browser exploits are nothing new but Metasploit is boss. Hamster and Ferret were a bit of a game changer, introduced last year by Errata Security. They made it easy to import cookies from network traffic.

I'm pretty sure I'm the first one to have tied them all together into a portable system so evil and sinister that it even schooled some of the most paranoid and wary hackers at DefCon 17. I gathered more than 1,000 live session cookies from hundreds of different machines over the course of the weekend.

This was probably my favorite project of 2009. It's too bad that DefCon is the only real time I've used it on live targets. I just don't have it in me to take over a coffee shop or an office park with this rig. It'd be too easy, and morally wrong. Makes me wish I was a pentester again. I'd wreak havoc with it.

Many other outlets picked up the story. Among them: Dark Reading, Hak 5, Daily Radar and Remote-Exploit. From there, it started hitting the social bookmarking sites as well.



I don't know why, but they seem to spike on occasion from StumbleUpon. For instance, this last week, I got about 2,000 hits on the series in two days and then its hits went back down to normal again. Strange. And it's not the first "viral" spike like this in 2009. That's how the series made its way to #3.

Perhaps more people are using OpenBSD to host web-apps than I'd thought?


#4: Testing an ATX power supply - Again. It was on the 2008 list as well.

I wasn't even spot-on accurate in my article, but plenty of the information there is useful enough to get you started.

Some of our more knowledgeable readers picked up the slack and left some more really good advice in the comments of this post.

It seems to have gotten its share of traffic because ATX power supplies go out frequently, and the first place that do-it-yourselfers turn to is Google. This article is read many times per week.


#5: Open Letter from Geeks to IT Recruiters and Hiring Managers

There were tons of mixed reactions to this. Almost all non-managerial geeks cheered me on. Several hiring managers raised their glass and linked to the post. Others scoffed and told me to get a life, since there's no way I'll ever understand what it's like until I am in charge of hiring people. Some even went as far as to say I wouldn't make it as a hiring manager. What bleeds leads, and this controversial diatribe picked up some serious hits when I first put it out.


Down to #6 from our #2 spot in 2008: Tethering.

Even if it is against the terms-of-service agreement, tethering rocks and people everywhere know it! It's a fundamental way to bypass the web filter at the office, school or library, and it's a way to stay off of hostile networks at conventions like DefCon, although it by no means grants you a shield of immunity at such events. It's also great for instilling envy into my fellow transit riders when I-35 turns into a parking lot. I should probably dig out my notes from the September '09 2600 meeting, where I discussed tethering in a bit more detail.


Up two spots from last year to #7: Jornada WiFi Scanning

It's smaller than any NetBook, but more powerful than some of the ultra-tiny gadgets like the ZipIt. It's a great balance of form and function, and despite the fact that these relics have been out of production for nearly a decade, people are still searching for ways to make good use of them. This is another useful series that didn't really go viral, but people keep finding it via search.


#8: CHDK

CHDK is practically essential for anyone who owns a Canon camera. It unlocks potential that's great for HDR photography or just getting the most out of your relatively inexpensive camera.




Everyone loves a good holy war. Among geeks, few get as heated as the ones over which software is better. I tried to take a balanced approach to this one, as I'm generally an operating system agnostic. I come off as a BSD zealot sometimes, because I'd like more people to give the underdog a chance once in a while.

Of the underdogs, I feel OpenBSD's probably one of the most useful, particularly for those interested in security.

DefCon is usually kind of a big deal among hackers. It's a good show every year, and this was my second year in a row. Some of the HiR crew made it to DC6, 7, 8 and 9, but we took a break. Here's hoping I can make it again next year. With Blizzcon happening the same weekend as DefCon 18 (my wife's kind of a WoW nerd) it should be interesting.


Top Referrers:
Of course, we have to thank others who found our content useful enough to link to us. The top 10 NON-Search referrers in 2009, listed in order of most referrals were:

#3: Hak5
#10: Some guy whose Spanish readers really loved our whiteboard hack (wtf?)

Top HiR search terms of 2009:
This is what people searched for that landed them here one way or another. Most of these are no surprise. #9 boggles me but I know what article it refers to, I just don't know why it got searched for so often.

#1: epoch fail
#2: bsd vs. linux
#3: make your own lock picks
#4: lock pick templates
#5: jasager ferret
#6: hir
#7: information report
#8: jasager
#9: comment: a revocation certificate should follow
#10: luggage zipper pulls

It's also worth mentioning that our RSS feed is on fire lately, and those don't even count as website hits.

Open Source DJ Mixxxing. Oontz Oontz Oontz Oontz

Mixxx.

I've been playing with Mixxx for a while now. It's not quite as fully featured as some of the cheapware DJ mix stuff that I was only able to find for Windows, but Mixxx shows a lot of promise. It's open-source and cross-platform. Get your dance party on!



I like the fact that I can jack an external USB sound device in and it gets recognized, so you can cue up your next track on your headphones while the main track is on the house speakers.

Yes. I have Rockell and Nine Inch Nails showing on that screen at the same time. LOL.

2009-12-11

VirtualBox tip: Disk errors? Try emulating SATA.

I had to do this to get both OpenSolaris and FreeBSD 8 working properly in VirtualBox. During boot, or occasionally during Installation, the VM would completely spaz out. The Guest OS would start dropping disk errors all over the place. Like this:


The solution ended up being easy. Detach your VDI disk image file from the emulated IDE controller.


Create a new virtual SATA controller.


Click the stack of disks next to the new controller to browse for .VDI images


Then re-attach your existing VDI file to the SATA controller.


This simple tweak was all that I needed. The virtual machines seem to run just fine now. If you're having trouble with some guest OSes working in VirtualBox and it appears to be related to disk errors, give this a shot. Oddly, OpenBSD, Haiku and Ubuntu have worked just fine with the default settings and emulated IDE controller. So far, OpenSolaris and FreeBSD are the only ones I've really had problems with.

2009-12-09

How to better fix the GDM "face browser" login issue

It's really not that hard. I went poking through the documentation for gdm-simple-greeter and found an option outlined called disable_user_list. It took me a bit to figure out how to disable the feature, and I broke gdm a bunch of times before googling it and finding a great post by [daten] on the Fedora forums that outlines it.

So first, if you followed my angrily-penned directions from last night, undo that with these steps:

In a terminal window, execute:
$ sudo dpkg-reconfigure gdm
(select gdm instead of xdm at the dialog box)


$ sudo /etc/init.d/xdm stop
(X11 will bail. Go ahead and login at the console prompt)

Continue as below, starting with the gconftool-2 command. You don't have to stop gdm, obviously. You can just start it.

If you didn't switch to xdm first...


Now, we can simply tell gdm to disable the user list with a lengthy gconftool-2 command. Make sure you scroll to see the whole thing:

$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults --type bool --set /apps/gdm/simple-greeter/disable_user_list true

Log off. The change may not take effect until you stop and start gdm. If you still see the user list, press ctrl-alt-F1 to get to the console, log in and run the following commands:

$ sudo /etc/init.d/gdm stop
$ sudo /etc/init.d/gdm start

At that point, you should have a new, still squishy and pretty login screen without the face browser of doom.


FYI, "axon" wasn't filled in automatically; I had to type it. This is much better!